The Pension Fund Regulatory and Development Authority (PFRDA) has issued Circular No: PFRDA 2024/06/Sup-CRA/03, dated 15th March 2024, announcing a significant security enhancement for accessing the Central Recordkeeping Agency (CRA) system for National Pension System (NPS) related tasks. Effective from 1st April 2024, all password-based users logging into the CRA system are required to undergo mandatory 2-Factor Aadhaar Authentication.
The introduction of mandatory 2-Factor Aadhaar Authentication for CRA system access signifies a proactive step towards enhancing the security posture of the National Pension System. By leveraging Aadhaar-based authentication, the PFRDA aims to fortify the integrity of transactions, mitigate risks, and uphold the trust of subscribers and stakeholders in the system. It is imperative for all stakeholders to adhere to the prescribed guidelines and swiftly implement the necessary framework to ensure a seamless transition to the enhanced security paradigm.
Pension Fund Regulatory and Development Authority
Circular No: PFRDA 2024/06/Sup-CRA/03
15th Mar 2024
To
All NPS Stake Holders
Subject: Mandatory 2 – Factor Aadhaar Authentication for CRA System Access w.e.f. 1st April 2024
Government and Corporate Nodal offices, including PrAO/DTA/PAO/DTO/DDO, are granted with access to the Central Recordkeeping Agency (CRA) system for conducting National Pension System (NPS) related tasks, perform activities and generate various reports. The additional security layer, 2-Factor Aadhaar-based authentication, is being compulsorily implemented for all password-based users logging into the CRA system, effective from 1st April 2024 as communicated vide our earlier Circular dt 20th Feb 2024.
2. Benefits of 2-Factor Authentication:
i. Increased Security: The two-factor approach significantly reduces the risk of unauthorized access to the CRA system.
ii. Enhanced Protection: This additional layer safeguards NPS transactions and protects the interests of both subscribers and stakeholders.
3. Additional Security Feature: Currently, Nodal Offices under Central and State Governments, including their underlying Autonomous bodies, use a password-based login to access the CRA for NPS transactions. To bolster security features and protect the interests of Subscribers and Stakeholders, it has been decided to introduce additional security features through Aadhaar-based authentication for login to the CRA system. This Aadhaar-based login authentication will be integrated with the current User ID and Password-based login process, enabling 2-Factor Authentication for accessing the CRA system.
4. Aadhaar Mapping: User IDs of Nodal offices under the Government Sector (Central/State/CAB/SAB) shall be permitted to login to the CRA system (CRA & NPSCAN) using 2-Factor Authentication through Aadhaar OTP (One-time password). The Oversight office (PrAO/DTA) must initially link their Aadhaar with their respective CRA User ID, enabling underlying users to initiate Aadhaar Mapping. Similarly, PAO/DTO must link their Aadhaar with their respective CRA User ID, allowing underlying DDOs to initiate Aadhaar linking.
5. Performance of NPS Activities: All offices under the Government Sector and Autonomous Bodies are required to implement the necessary framework for the additional feature of Aadhaar-based login and authentication in the CRA system to carry out all NPS related activities.
6. Standard Operating Process: The attached document outlines the process for Nodal offices attached with Protean CRA to link their Aadhaar and proceed with functional activities using the CRA system and covers the following points:
i. One-time registration of Aadhaar number against Nodal Office User ID
ii. Authentication of Aadhaar Mapping to Nodal Office User ID
iii. Status view for Aadhaar Mapping
iv. Procedure for regular (Aadhaar-based) access to CRA system
Government and Corporate Nodal Offices, along with Autonomous Bodies, are requested to implement the necessary framework for the new Aadhaar-based login and authentication and ensure seamless execution of all NPS-related activities.
Yours sincerely,
K Mohan Gandhi
Chief General Manager
Acronyms and Abbreviations
The following definitions, acronyms & abbreviations may have been used in this manual:
| ACRONYM | DESCRIPTION |
| NPS | National Pension System |
| Protean | Protean eGov Technologies Limited |
| PFRDA | Pension Fund Regulatory & Development Authority |
| PRAN | Permanent Retirement Account Number |
| NPSCAN | National Pension System Contribution Accounting Network |
| CRA | Central Recordkeeping Agency |
| Pr.AO | Principal Accounts Office |
| DTA | Directorate of Treasury and Accounts |
| PAO | Pay and Accounts Office |
| DTO | District Treasury Office |
| DDO | Drawing and Disbursing Office |
| PAO Rag. No. | Unique PAO Registration Number allotted by CM |
| DDO Reg. No. | Unique DDO Registration Number allotted by CM |
| PAN | Permanent Account Number |
| I-PIN | Internet Personal Identification Number |
| T-PIN | Tele-query Personal Identification Number |
Overview
Government Nodal offices (PrAO/DTA /PAO/DTO/ DDO ) and Corporate Nodal offices are provided login access to the CRA system for executing the NPS related activities and generate/view/download various reports. As per PFRDA directives, 2-Factor Aadhaar based authentication, an additional layer of security feature, is being mandatorily introduced for all password based users while logging-in to CRA system, effective, 1stApril 2024.
The Nodal Offices under Central and State Governments including their underlying Autonomous bodies currently utilize a password-based login to access the Central Recordkeeping Agency (CRA) for NPS transactions.
To enhance the security measures in accessing the CRA system and safeguard the interests of Subscribers and Stakeholders, it has now been decided to bring in additional security features through Aadhaar-based authentication for login to the CRA system. The Aadhaar-based login authentication will be integrated with the current User ID and password-based login process so as to make the CRA system accessible through 2- Factor Authentication.
The Nodal office User IDs under the Government Sector (Central/State/CAB/SAB) shall be allowed to login to CRA system (CRA & NPSCAN) with 2-Factor Authentication using Aadhaar OTP (One time password). The Oversight office (PrAO/DTA) needs to link their Aadhaar against their respective CRA User ID initially, so that the underlying users can initiate Aadhaar Mapping. Similarly PAO/DTO needs to link their Aadhaar against their respective CRA User ID, so that the underlying DDOs can initiate Aadhaar linking.
All offices under Government Sector and Autonomous Bodies have to implement the necessary framework for implementation of the additional feature of Aadhaar-based login and authentication in CRA system to perform all NPS related activities.
This document covers the process to be followed by the Nodal offices to link their Aadhaar and proceed with the functional activities using CRA system.
The following points are covered in the document:
A. One time registration of Aadhaar number against Nodal Office User ID
B. Authentication of Aadhaar Mapping to Nodal Office User ID
C. Status view for Aadhaar Mapping
D. Procedure for regular (Aadhaar based) access to CRA system
A. One Time Linking of Aadhaar with Nodal Office User ID
1. Nodal Office User will login to the CRA system with existing Login ID and Password and will have to check in Password policy and enter Captcha and Submit as displayed in Image 1.
2. The CRA System shall prompt for the Aadhaar number as displayed in Image 2. The User will enter the Aadhaar number, check the declaration box and click on submit.
The following text shall be displayed and the User will have to place a check across the text after providing Aadhaar number:
> Use my Aadhaar details for National Pension System (NPS) and authenticate my identity through the Aadhaar Authentication system (Aadhaar based e-KYC services of UIDAI) in accordance with the provisions of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016 and the allied rules and regulations notified thereunder.
> Use my Demographic details (Name, Gender and Date of Birth) and OTP for authenticating my identity through the Aadhaar Authentication system for obtaining my e-KYC through Aadhaar based e-KYC services of UIDAI.
> I understand that the Aadhaar details (physical and / or digital, as the case maybe) submitted for availing services under NPS will be maintained in NPS till the time the account/User ID is not inactive in NPS or the timeframe decided by PFRDA, the regulator of NPS, whichever is later.
> I understand that Security and confidentiality of personal identity data provided, for the purpose of Aadhaar based authentication is ensured by Protean eGov Technologies Ltd till such time it is acting as CRA for NPS.
3. System will validate the Aadhaar number and ask for additional details (in case the same Aadhaar is not linked to the same User ID) as displayed in Image 3
The User shall enter the Name, Date of Birth, Mobile Number and Gender as recorded in Aadhaar. It is mandatory to upload at least one or all of the following documents (as per the requirement of the approving office) with maximum size of 5 MB.
1. Appointment letter
2. Authority letter
3. Identity Card
4. On submission of details, an OTP shall be delivered to Aadhaar registered mobile number and the user needs to enter the OTP as displayed in Image 4
In case of delay in the delivery of OTP, the user can regenerate OTP by clicking on “Resend OTP” tab.
5. On Submission of OTP and Successful data verification, Acknowledge number shall be generated and request shall be submitted for authorization (refer image 5).
Once submitted the message will be displayed that “Your request has been submitted successfully”. Further, this request has to be authorized by the respective oversight office.
B. Authentication of Aadhaar linking request submitted by Nodal Office:
The oversight office needs to authorize the Aadhaar linking transaction for underlying offices.
| Aadhaar Linking for | Authorised by |
| PrAO/DTA | CRA |
| PAO/DTO | PrAO/DTA |
| DDO | PAO/DTO |
The underlying office cannot complete Aadhaar linking request till the time the authorizing Nodal officer has completed the Aadhaar linking for his/her User ID. Therefore it is required that the PrAO/DTA gets his/her Aadhaar linked prior to initiating any authorization of requests.
Further, it is important to note that the authorizing office needs to verify the documents uploaded by underlying office before authorizing any Aadhaar linking request.
1. On successful creation of Acknowledgement number for Aadhaar mapping, the nodal office initiating the request shall receive an intimation on registered email.
2. The Authorizer is required to login to the CRA system and authenticate his/her Aadhaar details using OTP and authorize the request under “User Maintenance”
3. On selecting “Authorize Mapping Request”, the list of pending Acknowledgement number’s with related details shall be displayed as shown in Image 6, on entering the “Entity Registration number / Acknowledgement number / Date range”
4. The details of the data entered by the User for Aadhaar linking shall be displayed with last four digits of the respective Aadhaar number (Image 7).
5. The authorizer can ‘Accept’ or ‘Reject’ the Acknowledgement. If request is accepted then the office needs to ‘Approve’ and proceed further. If request is rejected then appropriate comments have to be provided.
6. On successful acceptance of request, the following screen is displayed (Image 8).
C. Status view for Aadhaar linking
The users can view the Status of the request created, by logging-in to the CRA system and providing Acknowledgement ID under the “User Maintenance” tab.
D. Procedure for regular (Aadhaar based) access to CRA system
1. Nodal Office User will login to the CRA system with existing Login ID and Password and will have to check in Password policy and enter Captcha and Submit as shown in Image 9.
Figure 9
2. The system will ask for Aadhaar number as shown in Image 10. The user shall provide the Aadhaar number, check the declaration box and click on submit.
3. On submission of details, an OTP shall be delivered to Aadhaar registered mobile number and the user shall be required to enter the OTP as displayed in Image 11
In case of delay in delivery of OTP, the user can regenerate OTP by clicking on Resend OTP tab. Once, OTP is submitted, User will be able to login and perform required functions.
