MeitY / CCA Circulars

Why this page is structured this way: All in-window entries are listed descending by date so the most recent regulatory state is the first thing a reader sees. Use Cmd-F / Ctrl-F for ID-based lookup. Cross-references from the rest of the site point at anchors on this page.

  • 29 circulars indexed in this issuer’s section.
  • 9 issued in 2025 or later.
  • 4 entries flagged [unknown — verify] in at least one field.
  • All entries trace to a primary issuer URL (or Wayback fallback) where research could verify the source.
  • AI-generated; read the linked PDF before acting on any provision.

This page is the complete listing of MeitY / CCA circulars in the project’s 2020–2026 sweep window. Each entry contains the verbatim circular ID, issue date, in-force date, status (in-force / superseded / withdrawn), applicable entity types, impact-area tags, a 2–4 sentence summary traceable to clauses, and the primary URL. Where the primary URL could not be re-fetched, an archive URL is provided in its place.

  • date_issued: 2026-02-10
  • issuer: MeitY
  • title: “Interoperability Guidelines for Digital Signature Certificates Version 4.0”
  • applies_to: all-intermediaries
  • in_force_date: 2026-02-10
  • status: in-force
  • impact_areas: esign, file-format
  • primary_url: https://cca.gov.in/sites/files/pdf/guidelines/CCA-IOG.pdf

Updated DSC interoperability specification (v4.0) prescribing certificate profile, OIDs, key usage and revocation-information requirements for DSCs issued by all licensed CAs. Brokers’ KYC-acceptance, e-contract and order-confirmation systems must validate signatures against this profile.

  • date_issued: 2026-02-06
  • issuer: MeitY
  • title: “Identity Verification Guidelines Version 2.5”
  • applies_to: all-intermediaries
  • in_force_date: 2026-02-06
  • status: in-force
  • impact_areas: onboarding, esign, kyc-modification
  • primary_url: https://cca.gov.in/sites/files/pdf/guidelines/CCA-IVG.pdf

Current CCA identity-verification guideline (v2.5) for DSC issuance and Aadhaar-based eSign authentication. Specifies video-verification window (last 2 days for DSC issuance), permissible substitutes via Aadhaar biometric authentication, and document-matrix for applicant-identity proofs. Brokers using eSign for onboarding are downstream consumers of this standard.

Aadhaar-Auth-Offline-Verification-Amend-2025

Gazette of India Extraordinary Part III Section 4 dated 9 December 2025 substantially amends the Aadhaar (Authentication and Offline Verification) Regulations, 2021. Introduces “Aadhaar Application”, “Aadhaar Verifiable Credential” and “Offline Face Verification” definitions; restructures permissible offline-verification modes (QR, paperless e-KYC, verifiable credential, e-Aadhaar, paper-based) with optional facial verification; mandates registration of Offline Verification Seeking Entities (OVSEs) and surrender procedures. Brokers using DigiLocker-fetched offline-Aadhaar XML or e-Aadhaar for KYC are OVSEs under this framework.

MeitY notification under section 1(2) of the DPDP Act, 2023 appointing 13 November 2025 as the commencement date for sections 1(2), 2, 18-26, 35, 38-43 and sub-sections (1) and (3) of section 44 of the Act. These provisions establish the Data Protection Board of India and its powers — the regulator that brokers will report breaches to and be subject to enforcement by under the DPDP regime.

Final DPDP Rules notified via gazette G.S.R. 844(E)/845(E)/846(E) on 13 November 2025. Operationalises Data Fiduciary obligations (Rules 3, 5-16, 22, 23) including notice content, security safeguards, breach reporting to the Data Protection Board, retention/erasure standards, child-consent verification, Significant Data Fiduciary obligations and consent-manager registration. Substantive compliance window of 18 months means brokers (Data Fiduciaries) must comply by 13 May 2027; Data Protection Board provisions take effect immediately and consent-manager registration is required within 12 months.

Updated CCA licensing framework (v2.2) for Certifying Authorities replacing v2.1 of April 2024. Refreshes audit, security and renewal obligations for licensed CAs that issue DSCs and operate as eSign Service Providers used by brokers for paperless client-onboarding signatures.

  • date_issued: 2025-07-01
  • issuer: MeitY
  • title: “X.509 Certificate Policy for India PKI Version 1.10”
  • applies_to: all-intermediaries
  • in_force_date: 2025-07-01
  • status: in-force
  • impact_areas: esign, cyber-security
  • primary_url: https://cca.gov.in/sites/files/pdf/guidelines/CCA-CP.pdf

CCA’s certificate-policy document (v1.10) governing the India PKI hierarchy and DSC classes (including Class 3 individual / organisation DSCs used in financial signing). Brokers’ signature-validation infrastructure must trust certificates conforming to this policy.

Gazette notification G.S.R. 88(E) dated 31 January 2025 amending the 2020 Rules to permit non-Government entities (subject to MeitY/UIDAI approval) to perform Aadhaar authentication for specified public-interest purposes (digital-platform good governance, ease of living, prevention of welfare leakage, innovation, knowledge dissemination). Opens a parallel pathway for private brokers and other regulated entities to access Aadhaar authentication outside the AUA/KUA arrangement, subject to the per-purpose approval process.

  • date_issued: 2025-01-03
  • issuer: MeitY
  • title: “Draft Digital Personal Data Protection Rules, 2025 (released for public consultation)”
  • applies_to: all-intermediaries
  • in_force_date: immediate
  • status: superseded
  • superseded_by: DPDP-Rules-2025-Notification
  • impact_areas: dpdp, onboarding, reporting
  • primary_url: https://www.pib.gov.in/PressReleasePage.aspx?PRID=2090048

MeitY released the draft DPDP Rules for public consultation on 3 January 2025, with a feedback window open until 18 February 2025. The draft provisions (consent, notice, breach reporting, children, SDF, cross-border) were largely retained in the final 13 November 2025 notification; capturing the consultation milestone is relevant for traceability of broker-implementation timelines.

Updated CCA security-requirements specification (v2.2) for cryptographic devices used by Certifying Authorities and eSign Service Providers. Tightens cryptographic algorithm, key-length and HSM-assurance baselines applicable to PKI infrastructure that underpins broker DSC issuance and Aadhaar OTP eSign on KYC forms.

  • date_issued: 2024-06-05
  • issuer: MeitY
  • title: “Partner Organisation Onboarding Standard Operating Procedure”
  • applies_to: all-intermediaries
  • in_force_date: 2024-06-05
  • status: in-force
  • impact_areas: digi-locker, onboarding, dpdp
  • primary_url: https://cf-media.api-setu.in/resources/Partners-SOP.pdf

MeitY-issued Standard Operating Procedure for onboarding Partner Organisations (Issuers and Requesters) onto DigiLocker via API Setu. Covers identification, evaluation, verification, agreement, technical integration, testing, launch and ongoing support. Brokers seeking DigiLocker-fetched OVD-based KYC (Aadhaar XML, PAN, driving licence) and post-2025 unclaimed-asset notifications follow this onboarding pathway.

  • date_issued: 2024-05-31
  • issuer: MeitY
  • title: “CA Functional Testing and Verification Version 1.0”
  • applies_to: all-intermediaries
  • in_force_date: 2024-05-31
  • status: in-force
  • impact_areas: esign, cyber-security, system-audit
  • primary_url: https://cca.gov.in/sites/files/pdf/guidelines/CCA-FT.pdf

CCA-issued guideline prescribing the functional-testing and verification protocol for Certifying Authorities issuing Digital Signature Certificates and operating eSign services. Establishes the test-suite, evidence-collection and reporting requirements that ESPs used by brokers must satisfy at empanelment and during periodic re-audit.

Technical specification (v1.13) for the Issuer-side APIs that allow government bodies, regulators and SEBI-registered intermediaries (KRAs, AMCs, Depositories) to publish documents into DigiLocker. Underpins SEBI’s March 2025 mandate (separately tracked in SEBI circulars) that AMCs, Depositories and KRAs register with DigiLocker as Issuers by 1 April 2025 to facilitate transmission of unclaimed assets.

CCA licensing framework for Certifying Authorities under the IT Act, 2000 (Rule 8 of IT(CA) Rules, 2000). Specifies eligibility, capital, security-audit, Common Criteria EAL4+ expectation and annual audit obligations. Brokers are indirectly affected because all CA/ESP entities (e.g. eMudhra, Protean, CDSL Ventures) servicing broker KYC must hold a valid CCA licence under this framework.

Parliament-enacted, presidentially assented data-protection statute that governs processing of digital personal data of Data Principals in India by Data Fiduciaries. Imposes notice-and-consent, purpose-limitation, security-safeguard, breach-reporting and grievance-redressal duties; creates the Data Protection Board of India and penalty regime up to INR 250 crore. Brokers, depositories, KRAs and exchanges fall within “Data Fiduciary” scope. The Act was operationalised by phased commencement under G.S.R. 843(E) of 13 November 2025.

  • date_issued: 2023-02-15
  • issuer: MeitY
  • title: “Identity Verification Guidelines Version 2.3”
  • applies_to: all-intermediaries
  • in_force_date: 2023-02-15
  • status: superseded
  • superseded_by: CCA-IVG-2-5-2026
  • impact_areas: onboarding, esign, kyc-modification
  • primary_url: https://www.ncodesolutions.com/images/pdf/CCA-IVG.pdf

CCA identity-verification guidelines (v2.3) governing how Certifying Authorities verify DSC applicants’ identity (Aadhaar OTP, biometric, video verification, in-person verification). These rules cascade into broker Aadhaar-eSign onboarding flows: ESPs apply this verification standard when issuing the single-use signing certificate used to sign the KYC form.

  • date_issued: 2022-11-14
  • issuer: MeitY
  • title: “Security Requirements for Crypto Devices Version 2.0”
  • applies_to: all-intermediaries
  • in_force_date: 2022-11-14
  • status: superseded
  • superseded_by: CCA-CRYPTO-2-2-2024
  • impact_areas: esign, cyber-security
  • primary_url: https://www.ncodesolutions.com/images/pdf/CCA-CRYPTO.pdf

CCA technical guideline specifying FIPS 140-2/3 level requirements for cryptographic modules (HSMs, tokens) used by Certifying Authorities and eSign Service Providers in performing digital-signature key generation, storage and signing operations. Relevant to brokers indirectly because all eSign-based broker onboarding signatures rely on ESP-side HSMs that must meet these requirements.

  • date_issued: 2022-10-21
  • issuer: MeitY
  • title: “Electronic Signature - Application Integration Guidelines Version 1.0”
  • applies_to: all-intermediaries
  • in_force_date: 2022-10-21
  • status: in-force
  • impact_areas: esign, onboarding, file-format
  • primary_url: https://cca.gov.in/sites/files/pdf/guidelines/CCA-ESAIG.pdf

CCA application-integration guideline (v1.0) for entities embedding electronic signatures into their applications. Defines minimum signing-document conventions, signature-placement, hashing and verification semantics required by relying parties such as brokers archiving KYC PDFs with eSign certificates.

  • date_issued: 2022-06-27
  • issuer: MeitY
  • title: “Extension of timelines for enforcement of Cyber Security Directions of 28.04.2022 for MSMEs and for implementation of mechanism for validation of subscribers/customers details by Data Centres, VPS providers, Cloud Service providers and VPN Service providers”
  • applies_to: all-intermediaries
  • in_force_date: 2022-06-27
  • status: in-force
  • impact_areas: cyber-security, reporting
  • primary_url: https://www.cert-in.org.in/PDF/CERT-In_directions_extension_MSMEs_and_validation_27.06.2022.pdf

CERT-In extends the compliance deadline for its 28-April-2022 cyber-security directions to 25 September 2022 for MSME-classified entities and for the subscriber/customer-validation obligations applicable to data-centre, VPS, cloud and VPN service providers. The six-hour incident-reporting timeline and log-retention requirements remained effective from 27 June 2022 for all other entities, including stock brokers.

  • date_issued: 2022-04-28
  • issuer: MeitY
  • title: “Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet”
  • applies_to: all-intermediaries
  • in_force_date: 2022-06-27
  • status: in-force
  • impact_areas: cyber-security, reporting, bcp-dr, system-audit
  • primary_url: https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf

Directions issued by CERT-In under section 70B(6) of the IT Act, 2000. All service providers, intermediaries, data centres, body corporates and Government organisations (which includes stock-broking firms) must report listed cyber incidents to CERT-In within six hours of noticing, synchronise ICT clocks to NPL/NIC NTP servers, maintain ICT system logs in India for 180 days, and respond to CERT-In orders for information. Effective 60 days after issue. KYC and transaction-record retention for five years is mandated for virtual-asset providers.

Base IT Rules 2021 notified on 25 February 2021 under sections 79 and 87 of the IT Act, 2000. Imposes due-diligence obligations on intermediaries (which can include brokers’ digital platforms and apps) — content take-down within statutory timeframes, grievance officer, Chief Compliance Officer for significant intermediaries, traceability for specified messaging platforms. Brokers’ chat/app-based investor channels and any user-generated content surfaces must satisfy the grievance and take-down framework.

  • date_issued: 2020-09-29
  • issuer: MeitY
  • title: “Amendment to the Second Schedule of the Information Technology Act, 2000 - eSign (remote key storage / trusted third party)”
  • applies_to: all-intermediaries
  • in_force_date: 2020-09-29
  • status: in-force
  • impact_areas: esign, onboarding, dpdp
  • primary_url: https://cca.gov.in/eSign_gazette_notification.html

Gazette notification S.O. 3472(E) amends the Second Schedule of the IT Act, 2000 to add an e-authentication technique and procedure for creating and accessing a subscriber’s signature key facilitated by a trusted third party. The amendment formalises remote / server-side signature-key custody by licensed eSign Service Providers (ESPs), which underpins paperless onboarding by stock brokers using Aadhaar OTP eSign.

Notification G.S.R. 490(E) of 5 August 2020 framing rules under section 4 of the Aadhaar Act for ministry/department-level Aadhaar authentication “in the interest of good governance, preventing leakage of public funds, promoting ease of living”. Defines permissible purposes (digital-platform good governance, prevention of social-welfare leakage, innovation, knowledge dissemination) and approval pathway. Foundation for subsequent expansion permitting non-Government requesting entities relevant to broker onboarding.

Notified via G.S.R. 711(E) on 8 February 2017 (rules titled 2016) establishing legal status of documents preserved in DigiLocker. Rule 9A specifies that issued documents in DigiLocker are at par with original physical documents — the statutory basis on which brokers and KRAs accept DigiLocker-fetched OVDs (Aadhaar XML, PAN, driving licence) without insisting on physical originals.

  • date_issued: 2011-04-11
  • issuer: MeitY
  • title: “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011”
  • applies_to: all-intermediaries
  • in_force_date: 2011-04-11
  • status: in-force
  • impact_areas: cyber-security, dpdp, onboarding
  • primary_url: https://www.dataguidance.com/sites/default/files/in098en.pdf

Pre-DPDP privacy regime under section 43A of the IT Act. Mandates body corporates handling Sensitive Personal Data or Information (financial / bank-account / credit-card / biometric / health data) to publish a privacy policy, obtain consent for collection, follow purpose limitation and adopt reasonable security practices (e.g. ISO 27001). Remains operative until section 43A is repealed when the DPDP Act fully commences; broker KYC, bank-account and biometric data are SPDI here.

  • date_issued: [unknown — verify]
  • issuer: MeitY
  • title: “ASP On-Boarding Guidelines”
  • applies_to: all-intermediaries
  • in_force_date: [unknown — verify]
  • status: in-force
  • impact_areas: esign, onboarding
  • primary_url: https://cca.gov.in/sites/files/pdf/esign/CCA-ASP.pdf

CCA guidelines for Application Service Providers (ASPs) — entities integrating eSign into their workflows. A stock broker offering Aadhaar-eSign-based digital account opening is an ASP for the purposes of this document and must comply with the on-boarding KYC, agreement, audit and operational obligations before going live with an ESP.

  • date_issued: [unknown — verify]
  • issuer: MeitY
  • title: “e-authentication guidelines for eSign - Online Electronic Signature Service”
  • applies_to: all-intermediaries
  • in_force_date: [unknown — verify]
  • status: in-force
  • impact_areas: esign, onboarding, aa
  • primary_url: https://cca.gov.in/sites/files/pdf/esign/CCA-EAUTH.pdf

CCA-issued operational guideline governing eSign Service Providers (ESPs) and Application Service Providers (ASPs) — i.e. brokers integrating eSign. Specifies the e-authentication mechanism (Aadhaar OTP, Aadhaar biometric, video, etc.), ASP-ESP communication protocol, audit-trail, and on-boarding obligations. Directly applicable to every broker offering paperless KYC via eSign.

  • date_issued: [unknown — verify]
  • issuer: MeitY
  • title: “Framework on eSignature”
  • applies_to: all-intermediaries
  • in_force_date: [unknown — verify]
  • status: in-force
  • impact_areas: esign, onboarding
  • primary_url: https://cca.gov.in/sites/files/pdf/guidelines/ESF.pdf

CCA-issued framework document setting out the legal, technical and operational architecture for eSignature in India — Root CA hierarchy, licensed CAs, ESP empanelment, eSign-with-eKYC service flows. The Aadhaar-eKYC-based eSign service described here is the predominant signing mechanism for paperless broker account-opening forms.

  • date_issued: [unknown — verify]
  • issuer: MeitY
  • title: “ESP Empanelment”
  • applies_to: all-intermediaries
  • in_force_date: [unknown — verify]
  • status: in-force
  • impact_areas: esign, onboarding
  • primary_url: https://cca.gov.in/sites/files/pdf/esign/CCA-ESP.pdf

CCA criteria and procedure for empanelment of eSign Service Providers (ESPs). The empanelled ESPs (eMudhra, Protean eGov, CDSL Ventures, CSC e-Governance, Capricorn, C-DAC, Verasys) are the providers brokers must contract with for Aadhaar-eSign-based KYC.

  • [gotcha] Circular IDs are case-sensitive and the issuer’s exact punctuation matters when looking them up on the official site.
  • [industry practice] Most ops teams subscribe to the issuer’s email distribution list rather than scraping the site, which gives more reliable real-time tracking.
  • [risk trade-off] Some entries are marked [unknown — verify] where the agent could not re-fetch the primary URL or the document used informal numbering; treat those as leads, not citations.

2026-05-14


AI-generated and not legal advice. See the project README for the full disclaimer.