Tag Archives: KYC

Overseas forex trading through electronic / internet trading portals by Indian Residents


The internet is full of get-rich-quick schemes built around forex trading. As the reach of the internet is huge, and the actual players can hide behind layers of companies, most forex trading through portals is done on a margining basis with huge leverage or on an investment basis.

The public is being asked to make the margin payments for such online forex trading transactions through credit cards or deposits in various accounts maintained with banks in India.

Reserve Bank of India has advised all Authorised Dealer Category – I (AD Category – I) banks to adhere to its instructions in A.P. (DIR Series) Circular No. 53 dated April 07, 2011 and A.P. (DIR Series) Circular No. 46 dated November 17, 2011. As per the above two circulars, AD Category I banks were advised to exercise due caution and be extra vigilant in respect of the margin payments being made by the public for online forex trading transactions through credit cards / deposits in various accounts maintained with banks in India.

Even after two years of the Circular, RBI observed that some banking customers continue to undertake online trading in foreign exchange on portals / websites offering such schemes wherein they initially remit funds from Indian bank accounts using credit cards or other electronic channels to overseas websites / entities and subsequently receive cash refunds from the same overseas entities into their credit card or bank accounts.

As such online transactions are in violation of FEMA, 1999, RBI, vide Circular No. RBI/2013-14/265 A.P. (DIR Series) Circular No. 46 dated September 17, 2013, has directed AD Category I banks as under:


  1. All AD Category I banks who offer credit cards or online banking facilities to their customers should advise their customers that any person resident in India collecting and effecting / remitting payments directly / indirectly outside India in any form towards overseas foreign exchange trading through electronic / internet trading portals would make himself / herself / themselves liable to be proceeded against for contravention of the Foreign Exchange Management Act (FEMA), 1999, besides being liable for violation of regulations relating to Know Your Customer (KYC) norms / Anti Money Laundering (AML) standards.
  2. As and when any AD Category I bank comes across any prohibited transaction undertaken by its credit card or online banking customer, the bank will immediately close the card or account of the defaulting customer and report the same to the Chief General Manager-in-Charge, Forex Markets Division, RBI.
  3. If it is observed that the concerned AD Category I bank has failed to carry out the measures as outlined above, Reserve Bank of India may proceed against the defaulting bank under section 11(3) of FEMA, 1999 and take any action as may be deemed necessary.

Aadhaar is a valid address Proof – Review of KYC Instructions


RBI, in its Second Quarter Review of Monetary Policy, vide Para 101, had committed itself to review the existing KYC norms with a view to simplifying them within the provisions of the Prevention of Money Laundering Act/Rules (PML Act/Rules) and international standards.

This was necessary as numerous correspondences addressed to RBI stated that the existing KYC norms were not customer-friendly.

Hence, RBI, vide its Notification No. RBI/2012-13/322 DBOD.AML.BC. No. 65 /14.01.001/2012-13 dated December 10, 2012, has simplified the documents to be obtained under the KYC norms.

The contents of the complete circular can be accessed at this URL.

In brief:

01) A single document is sufficient for address and identity proof, if the address declared in the account opening form is the same as the address mentioned in the document.

02) Introduction not mandatory for opening accounts – Since introduction is not necessary for opening of accounts under PML Act and Rules or Reserve Bank’s extant KYC instructions, banks should not insist on introduction for opening bank accounts of customers.

03) Acceptance of Aadhaar letter for KYC purposes – Unique Identification Authority of India (UIDAI) has advised Reserve Bank that banks are accepting the Aadhaar letter issued by it as a proof of identity but not of address, for opening accounts. RBI has clarified that, if the address provided by the account holder is the same as that on the Aadhaar letter, it may be accepted as a proof of both identity and address.

The third point above is the most important part of the whole notification. UIDAI had long been trying to persuade RBI to advise banks to accept the ‘Aadhaar Card’ as a valid document for identity as well as address proof. It seems UIDAI has succeeded in its plan.

A quick reading of various articles on the Internet shows that the addresses mentioned on ‘Aadhaar cards’ could only be located by Postal Delivery Agents. Does this mean that the Indian Post will be the chief network for delivery of physical financial documents?

eKYC – AADHAAR slowly moving to reality.

[Figure: Diagram illustrating how a simple digital signature is applied and verified. (Photo credit: Wikipedia)]


Over 19.50 crore Aadhaar numbers have already been issued, and the number is increasing day by day.

Hence, every fortnight, there is a new development on the UIDAI-Aadhaar front. The quicker the ecosystem is in place, the sooner the benefits will be visible.

The digitally stored data can only be useful when it can be employed as an Authentication tool. The authentication can be for the ‘identity’, or ‘data’ against the particular Aadhaar number.

Hence today’s post is on the eKYC concept. Yes, the physical KYC (Know Your Customer) process can be migrated to the electronic mode.

In August 2012, UIDAI released the API SPECIFICATION – VERSION 1.0 (DRAFT) outlining in detail the approach to be adopted by Software Companies to incorporate Aadhaar eKYC API into their applications.

The simple purpose of Aadhaar Authentication is to enable Aadhaar-holders to digitally prove their identity. The Authentication is done online.

The eKYC process flow:

a)    The interested resident authorizes UIDAI (through Aadhaar authentication) to provide their basic demographic data for PoI (Proof of Identity)  and PoA (Proof of Address)  along with their photograph (digitally signed) to service providers.

b)   The resident’s record is first selected using the Aadhaar Number and then the demographic/biometric inputs are matched against the stored data which was provided by the resident during the enrolment/update process. Alternatively, authentication can be done on the basis of the OTP sent to the registered mobile number.

c)     KYC front-end application captures Aadhaar number + biometric/OTP of resident.

d)    KUA forms the Auth XML using the PID block, signs it, uses that to form the KYC XML, signs it, and sends it to KSA (if this is delegated to KSA, KSA could also form the KYC XML and sign it).

e)     KSA forwards the KYC XML to the Aadhaar KYC API (if KSA forms the KYC XML on behalf of KUA, KSA needs to form the KYC XML and sign it).

f)     Aadhaar KYC service authenticates the resident and, if successful, responds with digitally signed and encrypted demographic data and photograph in XML format.

g)     Demographic data and photograph in the response are encrypted with either the KSA or the KUA public key (based on the setup at CIDR).

h)    KSA sends the response back to KUA enabling paper-less electronic KYC

i)     For security reasons, data collected for Aadhaar KYC must not be stored in the devices or log files. It is essential for ASA and AUA to maintain audit records for all the authentication request metadata along with the response.

j)    KYC front-end application must ensure it takes an explicit “resident consent” authorizing the AUA to retrieve the resident data. Only if the resident has provided the consent (in the application UI, either in self-service mode or operator should prompt the resident and get consent), this should be populated as “Y”. No other values are valid.

k)    The process can be for confirmation of proof of identity or confirmation of the information provided by the resident.

l)     Resident’s privacy is of utmost importance, hence the Aadhaar authentication service can only respond with a ‘yes/no’, nothing more, nothing less.

m)  No Personal Identity Information is returned as part of the response.

The Response:

  • The encrypted response is just “0” or “-1”.
  • If the status is “0”, it means that the encrypted response data is valid.
  • If the status is “-1”, it means the data should not be decrypted and used.
  • There will be a unique alphanumeric response code for each request received by CIDR.
  • The AUA is expected to store this for future reference for handling any disputes.
  • Aadhaar KYC server will retain KYC trail only for a short period of time as per UIDAI policy.


As with all digital interactions, failures can occur too.

In case of a failure, an error code is generated. Typical failure codes are:

  • “K-100” – Resident authentication failed
  • “K-200” – Resident data currently not available
  • “K-540” – Invalid KYC XML
  • “K-541” – Invalid KYC API version
  • “K-542” – Invalid resident consent (“rc” attribute in “Kyc” element)
  • “K-543” – Invalid timestamp (“ts” attribute in “Kyc” element)
  • “K-544” – Invalid resident auth type (“ra” attribute in “Kyc” element does not match what is in PID block)
  • “K-545” – Resident has opted-out of this service
  • “K-551” – Invalid “Txn” namespace
  • “K-569” – Digital signature verification failed for KYC XML (means that authentication request XML was modified after it was signed)
  • “K-570” – Invalid key info in digital signature for KYC XML (it is either expired, or does not belong to the AUA or is not created by a well-known Certification Authority)
  • “K-600” – AUA is invalid or not an authorized KUA
  • “K-601” – ASA is invalid or not an authorized KSA
  • “K-602” – KUA encryption key not available
  • “K-603” – KSA encryption key not available
  • “K-999” – Unknown error (the most famous of all errors!!!)
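
An added example, not from the original post or from UIDAI's specification, of how a KUA application could apply steps i) and j), the status rule and the error codes above: it refuses to build a request without consent, decrypts only on an explicit "0", and keeps an audit record of metadata only. The dict keys, error class names and sample values are assumptions made for illustration.

```python
# Added example. Dict keys are hypothetical, not the UIDAI wire format;
# the K-codes and the "0"/"-1" status values are the ones listed on this page.
ERROR_CLASS = {
    "K-100": "resident", "K-545": "resident", "K-200": "retry_later",
    "K-540": "client_defect", "K-541": "client_defect", "K-542": "client_defect",
    "K-543": "client_defect", "K-544": "client_defect", "K-551": "client_defect",
    "K-569": "integrity_alert", "K-570": "integrity_alert",
    "K-600": "registration", "K-601": "registration",
    "K-602": "registration", "K-603": "registration",
    "K-999": "unknown",
}
AUDIT_FIELDS = ("txn", "response_code", "status", "err")  # metadata only


def consent_attr(resident_agreed):
    """Step j: 'rc' may only ever be "Y"; without consent no request is built."""
    if resident_agreed is not True:
        raise PermissionError("resident consent not given; do not call e-KYC")
    return "Y"


def handle_response(resp):
    """Return (may_decrypt, audit_record) for one constructed response dict."""
    err = resp.get("err")
    # Fail closed: decrypt only on an explicit "0" with no error code.
    may_decrypt = resp.get("status") == "0" and err is None
    audit = {k: resp.get(k) for k in AUDIT_FIELDS}  # never copy the payload
    audit["err_class"] = ERROR_CLASS.get(err, "unknown") if err else None
    return may_decrypt, audit


# Constructed sample responses (not real CIDR output).
SAMPLES = [
    {"txn": "t-001", "response_code": "rc-aaa", "status": "0", "err": None,
     "payload": b"<encrypted demographic data and photo>"},
    {"txn": "t-002", "response_code": "rc-bbb", "status": "-1", "err": "K-569",
     "payload": None},
    {"txn": "t-003", "response_code": "rc-ccc", "status": None, "err": "K-123",
     "payload": b"<unexpected>"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(handle_response(sample))
```

The audit record deliberately carries no Aadhaar number or payload; a missing status or an unlisted error code is treated the same as a failure.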

Legal Framework: UIDAI will develop necessary legal framework and processes around the Aadhaar e-KYC service. These documents will also specify KUA/KSA eligibility criteria, registration process, and the operating model.

Aadhaar eKYC API Usage: The eKYC API can be used (only with the explicit authorization of the resident) by an agency to obtain latest resident demographic data and photo data from UIDAI. There are primarily two scenarios under which this API may be used:

1. New customer/beneficiary:

a. In this case, KUA should capture resident authentication data and invoke the e-KYC API through a KSA network;

b. The KYC data returned within the response of the e-KYC API is digitally signed by UIDAI and can be used for electronic audit at a later stage; and

c. Using the resident data obtained through this KYC API, the agency can service the customer.

2. Existing customer/beneficiary

a. In this case, KUA should capture resident authentication data and invoke the e-KYC API through a KSA network;

b. The KYC data returned within the response of the KYC API is digitally signed by UIDAI and can be used for electronic audit;

c. Since the resident is already a customer/beneficiary, the agency can use a simple workflow to approve the Aadhaar linkage by comparing data retrieved through the e-KYC API against what is on record (in paper or electronic form); and

d. Once verified, the existing customer/beneficiary record can be linked to the Aadhaar number.


In layman terms:

API – API is the abbreviation for Application Program Interface. APIs can be said to be the building blocks available to the software programmer to develop a good software application.

All software operating environments have to provide a public API to boost usage of the respective operating environment. APIs are primarily targeted towards programmers, but are good for end users too, as any software program developed with a common API will have related interfaces. This makes it easier for users to embrace new programs quickly.

ASA – Authentication Service Agency. This is an agency which has already established secure leased line connectivity to the UIDAI CIDR (Central Identities Data Repository). KYC Service Agencies (KSAs) are ASAs that are eligible to provide access to the e-KYC service through their network.

AUA – Authentication User Agency. This is an agency which enters into an agreement with UIDAI to function as a UIDAI-Aadhaar Authentication agency. KYC User Agencies (KUAs) are AUAs that are eligible for the e-KYC service.

CIDR – Central Identities Data Repository. This is the UIDAI repository wherein all the Aadhaar data is stored.


Re-disseminated by Prashant N. Banker by daytime, Blogger by night.