Section 19 in AADHAAR (AUTHENTICATION AND OFFLINE VERIFICATION) REGULATIONS, 2021
19. Roles, responsibilities and code of conduct of Authentication Service Agencies.—
An Authentication Service Agency shall have the following functions and obligations:—(a)provide secured connectivity to the CIDR to transmit authentication request from a requesting entity inthe manner as may specified by the Authority for this purpose;(b)perform basic compliance and completeness checks on the authentication data packet before forwarding itto CIDR;(c)on receiving the response from CIDR, transmit the result of the transaction to the requesting entity thathas placed the request;(d)only engage with the requesting entities approved by the Authority and keep the Authority informed ofthe list of requesting entities that it serves;(e)communicate to the Authority, all relevant information pertaining to any agreement that it may enter intowith a requesting entity;(f)ensure that the persons employed by it for performing authentication and for maintaining necessarysystems, infrastructure, processes, etc., possess requisite qualifications for undertaking such works;(g)ensure that its operations are audited by an information systems auditor certified by a recognized body onan annual basis, and provide a certified audit report, to the Authority, confirming its compliance with thepolicies, processes, procedures, standards, or specifications, issued by the Authority in this regard, fromtime to time;(h)ensure that all infrastructure and operations including systems, processes, devices, software and biometricinfrastructure, security, and other related aspects, are in compliance with the standards and specificationsas may specified by the Authority for this purpose;(i)at all times, comply with directions, specifications, etc. issued by the Authority, in terms of network andother Information Technology infrastructure, processes, procedures, etc.(j)comply with all relevant laws and regulations relating, in particular, to data security and datamanagement;(k)any value added service that an ASA provides to a requesting entity under a contract shall not form partof the Aadhaar authentication process;(l)shall be responsible to the Authority for all its authentication related operations, even in the event theASA sub-contracts parts of its operations to other entities, the responsibility shall remain with the ASA;(m)in case of investigations relating to authentication related fraud or dispute, the ASA shall extend full co-operation to the Authority (or their agency) and/or any other authorized investigation agency, includingproviding access to its premises, records, systems, personnel, infrastructure, any other relevant resource orinformation and any other relevant aspect of its authentication operations;(n)may agree upon the authentication charges for providing services to a requesting entity, with suchrequesting entity, and the Authority shall have no say in this respect, for the time being; however, theAuthority’s right to prescribe a different mechanism in this respect in the future shall be deemed to havebeen reserved;(o)shall, at all times, comply with any contractual terms and all rules, regulations, policies, manuals,procedures, specifications, standards, and directions issued by the Authority.
