The eSign electronic signature service is an initiative that allows easy, efficient, and secure signing of electronic documents by authenticating the signer using Aadhaar eKYC services. With this service, any Aadhaar holder can digitally sign an electronic document without having to obtain a physical digital signature dongle. Application Service Providers (ASPs) can integrate this service within their applications to offer Aadhaar holders a way to sign electronic forms and documents. Obtaining a digital signature certificate through a printed paper application form with ink signature and supporting documents is no longer required.
With eSign, issuing the digital signature certificate and applying the signature to electronic content is carried out in a few seconds. Through the interface provided by the Application Service Provider (ASP), users can apply an electronic signature to any electronic content by authenticating themselves with biometric or OTP through the eSign Service Provider. The interfaces are provided to users on a variety of devices such as computers, mobile phones, etc. At the backend, the eSign service provider facilitates key pair generation and the Certifying Authority issues a Digital Signature Certificate.
An Application Service Provider (ASP) can integrate eSign online electronic signature service so that the users of that ASP will be able to use eSign. A physical paper form/document which is currently used to obtain digital signature certificate can be replaced by its electronic form and thereby facilitate electronic signature of the signer through eSign.
ASPs who can be potential users of eSign include Government agencies, Banks and Financial Institutions, Educational Institutions etc.
The eSign online electronic signature service offers applications a mechanism to replace manual paper-based signatures by integrating this service within the application. An Aadhaar holder can electronically sign a form/document anytime, anywhere, and on any device. The eSign service facilitates a significant reduction in paper handling costs, improves efficiency, and offers convenience to customers.
Yes. Document content that is being signed is not sent in the clear to eSign service provider. The privacy of signer's information is protected by sending only the one-way hash of the document to eSign online electronic signature service provider. Each signature requires a new key-pair and certification of the new public key by a certifying authority. This back-end process is completely transparent to the signer. In addition, Aadhaar eKYC data is not sent back to the Application Service Provider and is retained only within the eSign provider as eKYC audit record.
Yes. The electronic signatures facilitated through eSign online electronic signature services are legally valid, provided the eSign signature framework is operated under the provisions of the Second Schedule of the Information Technology Act and the guidelines issued by the controller. Please refer to the Electronic Signature or Electronic Authentication Technique and Procedure Rules, 2015 (e-authentication technique using Aadhaar e-KYC services).
At present, eSign online electronic signature service is offered by CAs. The security requirement for this service is mandated at the same level as currently mandated for CAs. A CA should sign KYC User Agency (KUA) agreement with UIDAI to enable access to e-KYC service.
The ASP can apply to the eSign service provider for integrating the eSign online electronic signature service in its application, as mentioned in the on-boarding process manual. The ASP should be a sub-KUA of the eSign service provider. The eSign online electronic signature service provider allows access to ASPs after they fulfil the criteria mentioned in the on-boarding process manual. An agreement must be executed between the eSign online electronic signature service provider and the ASP.
ASPs have to deploy hardware and software for deployment of eSign service across various delivery channels. For biometric authentication, these should be STQC certified biometric scanners at ASPs customer interface locations as per UIDAI specification.
ASPs have to develop a software application that integrates the eSign API as per the eSign API specifications issued by the Controller of Certifying Authorities, and develop the capability to generate the E-Mandate XML file as per the technical specifications issued by NPCI.
The user should have a 12-digit Aadhaar number. For OTP-based authentication, the mobile number should be registered with the Aadhaar database.
The communication between the Application Service Provider and the eSign online electronic signature service is operated in accordance with the eSign API specifications issued by CCA.
Customer’s consent is mandatorily prompted before electronically signing the document. As per the Aadhaar Act 2016, the consent of the customer shall be prompted before authentication with UIDAI.
Customer consent is also a must for linking the Aadhaar number with the bank account number.
In the application implementation, an individual is identified using a code or number instead of name. For example in the case of income tax e-filing, the person is identified by a PAN number. It is a challenge for application to ensure that the individual who has logged in using PAN id is the person who has signed the documents. Mapping (seeding) the individual’s application specific ID with their Aadhaar number in the ASP database is recommended to enable the authenticity of the signature.
OTP and biometric class.
Upon biometric or OTP authentication of the individual against the already verified information kept in the UIDAI database, key pairs are generated, and the public key along with the information received from UIDAI is submitted to the CA for certification. Immediately after the signature is generated with the private key of the individual, the key pairs are deleted. The key pairs are generated on a secure hardware security module to ensure security and privacy. Audit log files are generated for all events relating to the security of the eSign online electronic signature service. The security audit logs are automatically collected and digitally signed by ASPs. All security audit logs, both electronic and non-electronic, shall be retained and are audited periodically.
eSign service providers offer the eSign online electronic signature service. Application Service Providers and individuals availing service of ASP are the beneficiaries. eSign online electronic signature service enables ASP to create paperless environment and individual beneficiaries of ASP save cost and time by using this remote signature capability.
The digital signature certificate used to verify the signature is valid for 30 minutes and the private key will be immediately deleted after signing. This eliminates any misuse of the certificate and simplifies the need for checking revocation list during signature verification.
Revocation of certificate is not necessary as the certificate validity is 30 minutes and private key is deleted immediately after signature creation.
The ASPs and eSign online service providers of CAs are bound by the agreement with UIDAI for the confidentiality of information in line with UIDAI agreement.
Yes. The mandate cannot be initiated without a utility code in the MMS system. The utility code helps to identify the corporate to which the mandate belongs.
Utility codes are issued by NPCI at the request of the corporate.
Corporate creation form should be submitted by the corporate or the government department to their banks. The request should be routed through the sponsor bank with their due authentication. NPCI after scrutinizing the documents, if found ok, will issue a utility code to the corporate.
As per the RBI directive the cap on the mandate amount currently is Rs.1.00 lakh.
The mandate will be rejected. The customer should be intimated with the SMS with the rejection reason by the destination bank.
The bank should build validations in such a way that the status of the mandate will be known to the customer at the end of the mandate initiation process in the website. It is suggested that the bank should automate the process till submission to NACH and provide the UMR number online to the customer.
There is no change in the file formats. Only the image is optional.
The current TAT is 2 days for the destination bank to initiate the mandate and 2 days for the sponsor bank to authorize/accept the mandate. This is subject to change.
Yes. The UMR number which is 20 digits will have the 5th digit as “6”, when initiated using eSign.
SMS should be sent by the destination bank to the customer intimating the successful registration of the mandate.
If the mandate is rejected by the destination bank then the destination bank should send SMS to the customer along with the reason for rejection.
Corporate’s bank/sponsor bank should send daily report to the corporate with the details of the mandates successfully accepted in the system.
A debit transaction to the customer’s account can be initiated only after the mandate is accepted by the sponsor bank.
Amendment/cancellation can be done by either the sponsor or the destination bank.
Customer can approach either the corporate or his banker for amending a mandate. The bank should follow the amendment procedure detailed in the business specification document.
It will be effective after the acceptance of the receiver bank.
Customer should approach the corporate for cancellation of a mandate. Based on the request, corporate will intimate the sponsor bank for initiating the request. The bank should follow the cancellation procedure detailed in the business specification document.
As per RBI guidelines the records should be retained for a period of 10 years. Record maintenance is governed by RBI, therefore if the stipulated period changes the member banks should follow the guidelines issued by RBI from time to time.
Signed content tag: Clear text of customer mandate details is captured in the XML (Pain 009) format and encoded using Base-64 format.
Signature content tag: Clear text of the customer mandate details is captured in the XML (Pain 009) format and hashed prior to sending to the ESP. The ESP signs the hashed data and returns it as the Signature content tag.
Yes, all mandatory fields available as clear text in the eSign mandate file must be exactly the same as in the Signed content tag. It is the responsibility of the destination bank to ensure that this is properly verified.
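The consistency check described above could look like the following on the destination-bank side. This is an added example, not NPCI's or any bank's code: the element names, the sample mandate and the use of SHA-256 over the exact XML bytes are assumptions, since the page does not give the Pain 009 field list or the hash algorithm.

```python
import base64
import binascii
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Hypothetical, simplified field names; the real Pain 009 schema is not on this page.
MANDATORY = ("UtilityCode", "AccountNumber", "MaxAmount")

def check_mandate(clear_fields, signed_content_b64, signed_digest_hex):
    """Return a list of problems; an empty list means the copies agree."""
    try:
        xml_bytes = base64.b64decode(signed_content_b64, validate=True)
    except (binascii.Error, ValueError):
        return ["signed content is not valid Base64"]
    if b"<!DOCTYPE" in xml_bytes:  # a mandate has no reason to carry DTDs or entities
        return ["signed content carries a DOCTYPE"]
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return ["signed content is not well-formed XML"]
    problems = []
    for name in MANDATORY:
        signed_value = (root.findtext(name) or "").strip()
        if not signed_value:
            problems.append(f"{name}: missing from signed content")
        elif signed_value != clear_fields.get(name, ""):
            problems.append(f"{name}: clear text differs from signed content")
    # Assumption: SHA-256 over the exact XML bytes is the hash the ESP signed.
    digest = hashlib.sha256(xml_bytes).hexdigest()
    if not hmac.compare_digest(digest, signed_digest_hex.lower()):
        problems.append("digest of signed content differs from the signed hash")
    return problems

# Constructed sample data, not taken from a real mandate.
SAMPLE_XML = (b"<Mandate><UtilityCode>UTIL0001</UtilityCode>"
              b"<AccountNumber>000111222333</AccountNumber>"
              b"<MaxAmount>5000.00</MaxAmount></Mandate>")
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_XML).hexdigest()
SAMPLE_CLEAR = {"UtilityCode": "UTIL0001", "AccountNumber": "000111222333",
                "MaxAmount": "5000.00"}

if __name__ == "__main__":
    print(check_mandate(SAMPLE_CLEAR, SAMPLE_B64, SAMPLE_DIGEST))
    altered = dict(SAMPLE_CLEAR, MaxAmount="95000.00")
    print(check_mandate(altered, SAMPLE_B64, SAMPLE_DIGEST))
```

The check only proves that the clear text, the Base64 copy and the hash agree with each other; verifying the ESP's signature over that hash against the signer's certificate is a separate step.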
The eSign validation system performs below mentioned checks mandatorily.