NACH E-Mandate eSign Variant


What is the online eSign electronic signature service?

eSign electronic signature service is an initiative for allowing easy, efficient, and secure signing of electronic documents by authenticating the signer through Aadhaar eKYC services. With this service, any Aadhaar holder can digitally sign an electronic document without having to obtain a physical digital signature dongle. Application Service Providers (ASP) can integrate this service within their application to offer Aadhaar holders a way to sign electronic forms and documents. Obtaining a digital signature certificate through a printed paper application form with ink signature and supporting documents is no longer required.

The digital signature certificate issuance and the application of the signature to electronic content are carried out in a few seconds with eSign. Through the interface provided by the Application Service Provider (ASP), users can apply an electronic signature to any electronic content by authenticating themselves through biometrics or OTP with the eSign Service Provider. The interfaces are provided to users on a variety of devices such as computers, mobile phones etc. At the backend, the eSign service provider facilitates key pair generation and a Certifying Authority issues a Digital Signature Certificate.

What is the purpose of using eSign - online electronic signature service?

An Application Service Provider (ASP) can integrate the eSign online electronic signature service so that the users of that ASP will be able to use eSign. A physical paper form/document which is currently used to obtain a digital signature certificate can be replaced by its electronic form, thereby facilitating the electronic signature of the signer through eSign.

ASPs who can be potential users of eSign include Government agencies, Banks and Financial Institutions, Educational Institutions etc.

What are the objectives of eSign online Electronic Signature Service?

E-Sign online electronic signature service offers applications a mechanism to replace manual paper-based signatures by integrating this service within their applications. An Aadhaar holder can electronically sign a form/document anytime, anywhere, and on any device. The E-Sign service facilitates a significant reduction in paper handling costs, improves efficiency, and offers convenience to customers.

Is data privacy protected, and how?

Yes. The document content being signed is not sent in the clear to the eSign service provider. The privacy of the signer's information is protected by sending only a one-way hash of the document to the eSign online electronic signature service provider. Each signature requires a new key pair and certification of the new public key by a certifying authority. This back-end process is completely transparent to the signer. In addition, Aadhaar eKYC data is not sent back to the Application Service Provider and is retained only within the eSign provider as an eKYC audit record.

Is it a legally valid signature?

Yes. The electronic signatures facilitated through eSign online electronic signature services are legally valid, provided the eSign signature framework is operated under the provisions of the Second Schedule of the Information Technology Act and the guidelines issued by the Controller. Please refer to the Electronic Signature or Electronic Authentication Technique and Procedure Rules, 2015 (e-authentication technique using Aadhaar e-KYC services).

Who can provide eSign- online electronic signature service?

At present, the eSign online electronic signature service is offered by CAs. The security requirement for this service is mandated at the same level as currently mandated for CAs. A CA should sign a KYC User Agency (KUA) agreement with UIDAI to enable access to the e-KYC service.

What are the requirements for integrating eSign- Online electronic signature service in an application?

The ASP can apply to an eSign service provider for integrating the eSign online electronic signature service in their application as mentioned in the on-boarding process manual. The ASP should be a sub-KUA of the eSign service provider. The eSign online electronic signature service provider allows access to ASPs after they fulfil the criteria mentioned in the on-boarding process manual. An agreement needs to be executed between the eSign online electronic signature service provider and the ASP.

ASPs have to deploy the hardware and software needed to offer the eSign service across their various delivery channels. For biometric authentication, these should be STQC-certified biometric scanners at the ASP's customer interface locations as per UIDAI specification.

ASPs have to develop a software application that integrates the eSign API as per the eSign API specifications issued by the Controller of Certifying Authorities, and develop the capability to generate the E-Mandate XML file as per the technical specifications issued by NPCI.

What are the requirements for using eSign- online electronic signature service for application users?

The user should have a 12-digit Aadhaar number. For OTP-based authentication, the mobile number should be registered in the Aadhaar database.

Where does someone get assistance for integration of their application with eSign- online electronic signature service?

The communication between the Application Service Provider and the eSign online electronic signature service is operated in accordance with the eSign API specifications issued by the CCA.

Is customer consent mandatory for linking Aadhaar with the account number and for availing the eSign mandate?

The customer's consent is mandatorily prompted before electronically signing the document. As per the Aadhaar Act 2016, the consent of the customer shall be prompted before authentication with UIDAI.

Customer consent is also a must for linking the Aadhaar number with the bank account number.

How can one ensure that the authentication to application and to eSign service is by the same person?

In the application implementation, an individual is identified using a code or number instead of a name. For example, in the case of income tax e-filing, the person is identified by a PAN number. It is a challenge for the application to ensure that the individual who has logged in using the PAN id is the person who has signed the documents. Mapping (seeding) the individual's application-specific ID with their Aadhaar number in the ASP database is recommended to establish the authenticity of the signature.

What are the different classes of certificates used in eSign mandate?

OTP and biometric class.

How is the trustworthiness of the eSign online electronic signature service ensured?

Upon biometric or OTP authentication of the individual against the already verified information kept in the UIDAI database, a key pair is generated and the public key, along with the information received from UIDAI, is submitted to the CA for certification. Immediately after the signature is generated with the private key of the individual, the key pair is deleted. The key pairs are generated on a secure hardware security module to ensure security and privacy. Audit log files are generated for all events relating to the security of the eSign online electronic signature service. The security audit logs are automatically collected and digitally signed by ASPs. All security audit logs, both electronic and non-electronic, shall be retained and are audited periodically.

Who owns the eSign electronic signature service and who are the beneficiaries?

eSign service providers offer the eSign online electronic signature service. Application Service Providers and the individuals availing the services of ASPs are the beneficiaries. The eSign online electronic signature service enables an ASP to create a paperless environment, and the individual beneficiaries of the ASP save cost and time by using this remote signature capability.

What is the usage time validity of digital signature certificate?

The digital signature certificate used to verify the signature is valid for 30 minutes, and the private key is deleted immediately after signing. This eliminates any misuse of the certificate and simplifies revocation-list checking during signature verification.

Is the digital signature certificate revocable?

Revocation of the certificate is not necessary, as the certificate validity is 30 minutes and the private key is deleted immediately after signature creation.

Is providing my personal identity information, such as biometrics, secure?

The ASPs and the eSign online service providers of CAs are bound by their agreement with UIDAI to keep the information confidential, in line with the UIDAI agreement.

Is it mandatory to mention the utility code in the mandate?

Yes. The mandate cannot be initiated without a utility code in the MMS system. The utility code helps to identify the corporate to which the mandate belongs.

Who will issue the utility code?

Utility codes are issued by NPCI at the request of the corporate.

What is the process for obtaining utility code from NPCI?

The corporate creation form should be submitted by the corporate or the government department to their bank. The request should be routed through the sponsor bank with their due authentication. NPCI, after scrutinizing the documents and finding them in order, will issue a utility code to the corporate.

What is the cap on the mandate amount?

As per the RBI directive, the cap on the mandate amount is currently Rs. 1.00 lakh.

What if any data provided by the customer is not as per NPCI specifications?

The mandate will be rejected. The customer should be intimated by SMS of the rejection reason by the destination bank.

Does the customer receive online confirmation of mandate registration?

The bank should build validations in such a way that the status of the mandate is known to the customer at the end of the mandate initiation process on the website. It is suggested that the bank automate the process up to submission to NACH and provide the UMR number online to the customer.

Is there any change in the file format?

There is no change in the file formats. Only the image is optional.

What is the TAT for the destination bank and acceptance by the sponsor bank?

The current TAT is 2 days for initiating the mandate by the destination bank and 2 days for the sponsor bank to authorize/accept the mandate. This is subject to change.

Is there any identification to know if a mandate is initiated through eSign?

Yes. The UMR number, which is 20 digits, will have "6" as its 5th digit when initiated using eSign.

How will the customer come to know whether the mandate is accepted by his bank?

SMS should be sent by the destination bank to the customer intimating the successful registration of the mandate.

What if the mandate is returned by the destination bank?

If the mandate is rejected by the destination bank, then the destination bank should send an SMS to the customer along with the reason for rejection.

How will the corporate get to know that the mandates have been authorized by the destination bank?

The corporate's bank/sponsor bank should send a daily report to the corporate with the details of the mandates successfully accepted in the system.

When can the corporate initiate the debit transaction to the customer’s account?

A debit transaction to the customer's account can be initiated only after the mandate is accepted by the sponsor bank.

Who can amend / cancel the mandate?

Amendment/cancellation can be done by either the sponsor bank or the destination bank.

How to initiate an amendment to an already registered mandate?

The customer can approach either the corporate or his banker for amending a mandate. The bank should follow the amendment procedure detailed in the business specification document.

When will the amendment come into effect?

It will be effective after acceptance by the receiving bank.

What is the procedure for cancellation of a mandate?

The customer should approach the corporate for cancellation of a mandate. Based on the request, the corporate will intimate the sponsor bank to initiate the request. The bank should follow the cancellation procedure detailed in the business specification document.

What is the period for which the mandate record should be maintained?

As per RBI guidelines, the records should be retained for a period of 10 years. Record maintenance is governed by RBI; therefore, if the stipulated period changes, the member banks should follow the guidelines issued by RBI from time to time.

What is the difference between the signed content tag and the signature tag in the eSign mandate file?

Signed content tag: The clear text of the customer mandate details is captured in the XML (Pain 009) format and encoded in Base64.

Signature content tag: The clear text of the customer mandate details is captured in the XML (Pain 009) format and hashed prior to sending to the ESP. The ESP signs the hashed data and returns it as the Signature content tag.

Must the mandate details given in plain text in the eSign mandate and in the Signed content be exactly the same?

Yes, all mandatory fields present as clear text in the eSign mandate file must be exactly the same in the Signed content tag. It is the responsibility of the destination bank to verify this properly.
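The two tags described above and the clear-text consistency check, as an added Python example that is not part of the original FAQ or any NPCI/ESP code: it builds the Base64 Signed content tag and the one-way hash that goes to the ESP, then performs the destination-bank comparison of mandatory fields against the decoded Signed content, and checks the eSign UMRN indicator. The XML element names, the mandatory field set and SHA-256 as the hash algorithm are assumptions, and all sample values are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Mandatory mandate fields that must agree between the clear-text part of the
# eSign mandate file and the decoded Signed content tag (assumed set).
MANDATORY_FIELDS = ("UMRN", "UtilityCode", "CustomerName", "AccountNumber", "Amount")

# Constructed mandate XML standing in for the pain.009 payload; element names
# are simplified assumptions, not the real NPCI / ISO 20022 schema.
MANDATE_XML = (
    "<Mandate><UMRN>12346000000000000001</UMRN>"
    "<UtilityCode>NACH00000000000001</UtilityCode>"
    "<CustomerName>A. Customer</CustomerName>"
    "<AccountNumber>000123456789</AccountNumber>"
    "<Amount>50000.00</Amount></Mandate>"
).encode("utf-8")

# Clear-text mandate details as they appear in the same file (constructed).
CLEAR_TEXT = {"UMRN": "12346000000000000001", "UtilityCode": "NACH00000000000001",
              "CustomerName": "A. Customer", "AccountNumber": "000123456789",
              "Amount": "50000.00"}

def signed_content_tag(xml_bytes: bytes) -> str:
    """Signed content tag: the clear-text mandate XML, Base64 encoded."""
    return base64.b64encode(xml_bytes).decode("ascii")

def document_hash(xml_bytes: bytes) -> str:
    """Only this one-way hash goes to the ESP for signing, never the document
    itself (SHA-256 is assumed here as the hash algorithm)."""
    return hashlib.sha256(xml_bytes).hexdigest()

def fields_from_signed_content(signed_b64: str) -> dict:
    """Decode the Signed content tag and pull out the mandatory fields."""
    root = ET.fromstring(base64.b64decode(signed_b64))
    return {f: (root.findtext(f) or "") for f in MANDATORY_FIELDS}

def field_mismatches(clear_text: dict, signed_b64: str) -> list:
    """Destination-bank check: each mandatory clear-text field must equal the
    value inside the Signed content tag. Returns the names of fields that differ."""
    signed = fields_from_signed_content(signed_b64)
    return [f for f in MANDATORY_FIELDS if clear_text.get(f, "") != signed[f]]

def is_esign_umrn(umrn: str) -> bool:
    """An eSign-initiated mandate carries a 20-digit UMRN whose 5th digit is 6."""
    return len(umrn) == 20 and umrn.isdigit() and umrn[4] == "6"
```

Calling `field_mismatches(CLEAR_TEXT, signed_content_tag(MANDATE_XML))` returns an empty list for a consistent file and the offending field names when a clear-text value (for example the amount) was altered after signing; the ESP signature and X.509 chain checks need the CA trust store and are outside this snippet.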

What are the mandatory verifications to be carried out at the destination bank's end to accept a customer mandate?

The eSign validation system performs the following checks mandatorily.

  1. Signature Integrity Check: The validation system performs the eSign signature validation to ensure that the data has not been tampered with in transit. Thus the system makes sure that the data initiated by the customer for signing is the same data that has been sent by the sponsor bank/corporate for verification.
  2. X509 Certificate Check: The validation system performs X509 certificate validation, trust verification and a certificate revocation check to ensure that the X509 certificate that has been created by a licensed Certifying Authority and sent by the sponsor bank on behalf of the customer is in valid X509 format and has been issued by a legal authority.
  3. Aadhaar Verification:
    Verification 1: At the time of linking the Aadhaar number to the account number, the bank verifies the documentary proof as per its internal process and only then links the Aadhaar number. This process is independent of eSign mandate registration.
    Verification 2: It validates the Aadhaar number available in the bank's CBS against the hashed Aadhaar number provided in the X509 certificate (OID