Monday, July 16, 2018

About Global AUA, Local AUA, Virtual IDs, UID Token and their impact on your business

In the Aadhaar ecosystem, companies that use authentication alone register as an Authentication User Agency (AUA), and companies that need to use electronic KYC (eKYC) go on to become a KYC User Agency (KUA). Those were the only two categories of user agency in the Aadhaar ecosystem, but this changed very recently with the introduction of Global AUA and Local AUA.

UIDAI recently introduced several measures that allow Aadhaar holders to get the benefits of Aadhaar services without having to share their Aadhaar number. The measures also limit the KYC data set that gets shared with parties in the Aadhaar ecosystem. As part of these measures, existing AUAs are classified into Global AUAs and Local AUAs. UIDAI has also introduced concepts such as Virtual IDs and UID tokens as part of the Aadhaar API version 2.5. All existing AUAs and KUAs will have to implement the latest API by August 31st 2018. That is a lot happening in a short time frame, and many businesses are finding it confusing. This post intends to give you a better understanding of the changes and help you understand their impact on your business.

Global And Local AUAs

The Global AUA and Local AUA classification is based on whether an organisation has the privilege to store the Aadhaar number in its local database or not. A Global AUA is allowed to store Aadhaar numbers in its local database. Therefore, the Aadhaar number will be part of the response XML that UIDAI returns for API calls made by the Global AUA. The Global AUA, in turn, will have to store this data in a secure, encrypted datastore called the Aadhaar Data Vault.
A Local AUA is an organisation that is not allowed to store the Aadhaar number in its datastore. The data returned by UIDAI to a Local AUA will be devoid of the Aadhaar number, so this data can be stored within its datastore in plain text.

Limited eKYC

If a Local AUA is also a KUA, then the KYC data is called "limited eKYC" and it will only have a limited data set.

The limited eKYC will have the following data elements:
  • Name
  • Address
  • Masked Aadhaar Number
  • UID Token

It will not have the following data elements:
  • Photo
  • Aadhaar Number
  • Date of Birth
  • Gender

Virtual ID and UID Token

Virtual ID is a provision that enables the Aadhaar holder to avail the benefits of Aadhaar services without revealing their Aadhaar number. A Virtual ID is a 16-digit number that can be generated on demand by the Aadhaar holder using UIDAI's Virtual ID Generator.
An Aadhaar holder can generate any number of Virtual IDs and share them with different companies without sharing his actual Aadhaar number.
UID Token is a 72-character unique token created by UIDAI for a particular AUA for a given Aadhaar number. The UID Token is created and returned along with the response when the AUA/KUA performs authentication or eKYC transactions. The Local AUA should use the UID Token to replace existing Aadhaar numbers in its database.

Business Impact

UIDAI has classified all banks coming under RBI, Life Insurance Companies, and Housing Finance Companies regulated by National Housing Bank as Global AUAs. In the case of Govt Agencies and PSUs, it has given Global AUA status to some of them based on their need to store the Aadhaar number of the beneficiary for effective delivery of services. All other companies, including NBFCs, have been classified as Local AUAs.

All existing AUAs/KUAs will have to implement the Aadhaar API version 2.5, which provides support for Virtual ID, UID token and Limited eKYC. An existing AUA that got classified as a Local AUA will have to take measures to replace all instances of Aadhaar numbers with the 72-character UID token allocated to the AUA for an Aadhaar number. UIDAI would provide an API that would enable AUAs to generate UIDs in a batch process in order to expedite the transition process. Apart from that, the Local AUA can use only Virtual IDs for OTP authentication, while biometric authentication can be done using the Aadhaar number or Virtual ID. This means all web applications that are using Aadhaar Authentication should be modified to accept Virtual IDs alone. Local AUAs that are KUAs too will only be getting limited eKYC.
In all transactions, the AUA should be prepared to accept a Virtual ID if the Aadhaar holder wants to use it in place of her Aadhaar number.

In the case of Global AUAs, life is almost the same as what it used to be. They will have to implement Aadhaar API version 2.5. They too should be prepared to accept a Virtual ID if the Aadhaar holder wants to use it in place of her Aadhaar number. Global AUAs are allowed to store Aadhaar numbers only in an Aadhaar Data Vault. They can use either an Aadhaar Data Vault reference token or the UIDAI-provided UID Token to represent the Aadhaar number in their data stores.

The Global and Local AUA classification is not permanent; UIDAI can review the status as they see fit in future. So all AUAs should design their systems in such a way that they can handle any reclassification smoothly.
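
A sketch of the acceptance and storage rules described in this section, with the Global/Local classification held as data so that a reclassification does not require code changes. This is an added example, not code from UIDAI or Finahub: the function names, the simplified response dictionary and the sample values are assumptions made for illustration, and the 12-digit Aadhaar number length is general knowledge rather than something stated in this post.

```python
import re

AADHAAR_RE = re.compile(r"\d{12}")  # Aadhaar number: 12 digits
VID_RE = re.compile(r"\d{16}")      # Virtual ID: 16 digits (per the post)
UID_TOKEN_LEN = 72                  # UID Token: 72 characters (per the post)

# Classification lives in data, so a reclassification by UIDAI is a config change.
POLICIES = {
    "global": {"otp": {"aadhaar", "vid"}, "bio": {"aadhaar", "vid"}, "store_aadhaar": True},
    "local":  {"otp": {"vid"},            "bio": {"aadhaar", "vid"}, "store_aadhaar": False},
}

# Constructed sample values, not real identifiers.
SAMPLE_AADHAAR = "123412341234"
SAMPLE_VID = "1234123412341234"
SAMPLE_TOKEN = "0123456789abcdef" * 4 + "01234567"  # 72 characters

def classify_id(value):
    """Tell an Aadhaar number from a Virtual ID by length."""
    digits = value.replace(" ", "")
    if AADHAAR_RE.fullmatch(digits):
        return "aadhaar"
    if VID_RE.fullmatch(digits):
        return "vid"
    raise ValueError("not an Aadhaar number or Virtual ID")

def accept_identifier(aua_class, mode, value):
    """Return the identifier kind if this AUA class may use it for mode 'otp' or 'bio'."""
    kind = classify_id(value)
    if kind not in POLICIES[aua_class][mode]:
        raise PermissionError(f"{aua_class} AUA may not use {kind} for {mode} authentication")
    return kind

def split_for_storage(aua_class, response):
    """Split a simplified response dict into (application row, Data Vault entry or None)."""
    token = response["uid_token"]
    if len(token) != UID_TOKEN_LEN:
        raise ValueError("UID Token must be 72 characters")
    row = {"uid_token": token, "name": response.get("name")}
    # Only a Global AUA keeps the number, and only in the Aadhaar Data Vault;
    # a Local AUA drops it even if it unexpectedly appears in the response.
    vault = response.get("aadhaar") if POLICIES[aua_class]["store_aadhaar"] else None
    return row, vault
```

The application row never carries the Aadhaar number for either class, which keeps the main database schema unchanged if an AUA moves from Global to Local.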

For more information contact us. We, Finahub, are experts in Aadhaar related products and services like eSign, eKYC, Authentication etc. If you want to know how your enterprise can start using it, please give us a call @ 0484 2388285 or email us at [email protected]