First things first: Starting January 1st 2018, Mobile operators are expected to roll our an IVR based means of linking Aadhaar numbers to mobile numbers, for those people who have their mobile number registered with Aadhaar. The process, outlined by the Department of Telecom, via a notice (PDF) on Friday:
Process for IVR
– Subscriber has to call an IVR number of the telecom operator from the mobile number that needs to be verified.
– Consent to proceed: A message which says “I hereby give my consent to verify my mobile number and this should be considered as my consent for demographic authentication through UIDA under Aadhaar Act 2016”. Also, note the typo in the DoT notice. Sheesh. Consent will be taken by pressing a particular digit.
– Telecom operator sends the Aadhaar number to UIDAI and UIDAI checks if there’s any mobile number registered with that Aadhaar number. If yes, then an One-time-password (OTP) is sent to the registered mobile number.
– Consent to pull data: Consent message is played on the IVR, which says:
- I am the existing user of mobile number ****** and the SIM card of this mobile number is under my possession.”
- By sharing of Aadhaar OTP, I hereby give my consent to fetch my name, Date of Birth, Address, Gender, Photo from UIDAI to verify my mobile number
- This OTP authentication can be treated as my signature.
– Subscriber then types the OTP, which is sent by Telecom operator to UIDAI for retrieving e-KYC details.
– The IVR gives the subscriber the option of keying in other alternate mobile numbers.
– The subscriber is told that the reverification process has been initiated, and then another confirmation from the subscriber is sought after 24 hours, via SMS. If the subscriber does not respond within “3 daylight hours” to the SMS, the TSP shall treat the re-verification as positive, and overwrite the subscriber database.
A few points:
- It’s circular: if you’ve declared a number during enrolment, then this just verifies the number with the number at the time of enrolment. It does not verify that you are who you say you are.
- This process means you don’t need to be physically present to verify details, nor authenticate using fingerprints, and this is going to speed up linking. It’s probably better than SMS based linking.
- What if someone has 2 numbers, and has declared another number at the time of enrolment? How does the person verify a second number using this method? The process of keying in alternate numbers isn’t very clear. What if someone gives an incorrect number at the time of keying in alternate numbers?
- Importantly: if the purpose of KYC, say, at banks and mobile numbers, is to ensure that the government has access to the persons KYC data when they need it, then what is the need for giving this data to the banks/mobile operators? Essentially, a YES/NO response should suffice. It appears that the purpose of eKYC is to give that data to banks and mobile operators, rather than do eKYC.
Trusted person verification for Foreigners / Senior Citizens
- Foreigners have to open a web portal of the telecom operator for NRIs, enter their mobile number, and agree to the declaration that they’re an Indian national, but an NRI; they do not have Aadhaar, or their Aadhaar does not have any mobile number associated with it; the documents uploaded by them are authentic and if found forged, can lead to actions as per the law of the land.
- An authentication code is sent to the mobile number, to verify that the mobile number is with the subscriber, which is submitted by the subscriber on the website.
- An e-CAF form is displayed, and the subscriber is required to upload copies of passport, visa/green card etc, and latest colored photograph
- The TSP sends a unique transaction ID with 8 characters to the subscriber, which will have to be shared by the subscriber with a “Trusted person” having an Aadhaar and a registered number.
- The Trusted person uses this transaction id to initiate an OTP based authentication, by entering that transaction ID and the NRIs mobile number on the TSP website.
- The Trusted Person then has to enter her Aadhaar number, and if she doesn’t have more than 5 connections reverified, an OTP for verification is sent to the Trusted Person. If the OTP matches, the eKYC details are sent by the UIDAI to the TSP.
- The process takes 96 hours to confirm whether the mobile number has been reverified.
The process is similar for senior citizens
Re-verification of foreigner not having Aadhaar
If there isn’t a “Trusted person” in the mix, and the foreigner is in India, then they have to reverify in the following manner:
- Telecom operator agent authenticated herself through Aadhaar based eKYC, for starting the reverification process.
- Subscriber gets an authentication code SMS to verify that the mobile is physically with her.
- TSP validates authentication code, fills up relevant information in an e-CAF form, takes a scanned copy of the passport and VISA/OCI card, and captures a “live” photo of the subscriber.
- Consent: Another verification code is sent to the subscriber, which is used for the declaration that:
- The information provided by me is correct
- This OTP authentication can be treated as my signature
- I am the existing user of mobile number ********** and the SIM card of this mobile number is under my possession.
- Post this, the agent has to authenticate herself.