No relief for Karza on DigiLocker ban

NEW DELHI: Karza Technologies Pvt. Ltd still faces a ban over know-your-customer, or KYC, violations on DigiLocker, almost a month after a probe was initiated against the e-KYC solutions provider, said two people in the know.

In October, DigiLocker sent a letter to partners saying there was a violation of DigiLocker terms of services and the Aadhaar Act by Karza, and one of its partner firms was found bypassing DigiLocker’s redirection signin-signup flow and capturing Aadhaar data directly on its user interface. Subsequently, the firm’s account was blocked on the portal pending investigation. Mint has reviewed a copy of the letter.

DigiLocker is now consulting with UIDAI and is awaiting its response before taking a call on Karza’s ban, one of the two people said, seeking anonymity.

DigiLocker offers electronic storage of KYC documents and is an initiative of the electronics and IT ministry. It is also the de facto Aadhaar verification interface for most e-KYC solutions. DigiLocker's terms of service say the signin-signup process happens on the platform’s page, and any user getting their KYC processed through DigiLocker or accessing their account must do it on the platform.

“Karza was required to log on to the Digilocker page to enter user information, but the firm created a blank page and asked users to key in their information on the page. Then it populated the data on the DigiLocker site, which is in complete violation of the terms," he added. “Basically, Karza was in violation of the terms of services as it used automation to initiate Aadhaar consent on another web page, and not on DigiLocker directly, without the customers' knowledge," he added.

DigiLocker found Karza was also extending its services to other entities. “This is also in violation, as all entities must directly integrate with the DigiLocker portal for the services."

“Karza automated the web page and then extended it to their clients. DigiLocker found Razorpay, who was one of Karza’s clients, doing this," one of the persons aware of the matter said. Questions sent to Razorpay did not elicit any response.

However, there was no security and privacy violation as such. Karza was “adhering to it in spirit but in the letter of it they did not adhere. And, that’s why their account was suspended," said the person quoted above.

The DigiLocker letter further noted, “Unfortunately, it was subsequently found that Karza started using DigiLocker services symbiotically through their clients, who had DigiLocker Partner account. Accounts of two such organizations have since been blocked and reported to UIDAI. Partners are requested not to initiate any DigiLocker integration with Karza till further notice."

"Once Karza got blocked, they started using another KYC provider SurePass in the backend and that Digilocker blocked that URL too," said an industry participant declining to be named.

SurePass founders didn’t respond to Mint queries sent to them over LinkedIn and WhatsApp.

Since Karza is not allowed to use DigiLocker services, most of its partners are partnering with either other KYC startups or DigiLocker directly. The seven-year-old Karza was acquired by Perfios for about 600 crore in March this year.

An e-mail seeking comment from Karza's new parent Perfios did not elicit any response.


Arti Singh

Arti Singh has been a business journalist for 15 years. Over the last five years, she has closely tracked India's fintech space and written important deep-dive stories. As deputy editor, she covers the intersection of finance and tech at Mint.