| Guideline No. | AL001 |
| Purpose | To clarify if the identifier used an FIP to authenticate and authorise account linking has to be the same as the identifier used by the FIP for discovery |
| Description | Discovery of an account, at an FIP, has to be on the basis of at least one STRONG identifier (mobile, email) AND one or more additional identifiers (DOB, PAN, etc.).
Account linking has to be authorised by an FIP on the basis of the account owner getting authenticated through an identifier that the FIP’s records have. Currently, the authentication is through a single-factor. For all practical purposes, an identifier used for enabling a discovery call will be the same as that used to authenticate and authorise a linking request. However, strictly speaking, it is not necessary for these to be the same. It is possible, e.g. for a discovery call to happen via an email ID seeded in the FIP’s records while linking may be authorised via a mobile number seeded in the FIP’s records. Further, if and when multi-factor authentication becomes necessary for authorising linking, additional identifiers will be sought during linking but not during discovery. |
| Stage | Finalised |
| Guideline No. | AL002 |
| Purpose | To clarify if de-linking of an account also needs the FIP’s authorization |
| Description | No authentication and authorization is needed to be performed by the FIP, when it receives a “Delink” instruction from the citizen via the citizen’s AA. |
| Stage | Finalised |
| Guideline No. | AL003 |
| Purpose | To clarify if linking of accounts can be authorised by an FIP if the account status is NOT active |
| Description | If the status of an account is NOT active (i.e. it is either dormant or suspended or closed, e.g.), it is in the interest of the citizen for additional services (such as the sharing of account information) to NOT be authorised by the FIP. Hence, linking of such an account should not be authorised. |
| Stage | Finalised |
