F.No. : DGIT(S)/CPC(TDS)/Corp_Authentication Mech 2015-16/14557-14690

Government of India
Ministry of Finance
Central Board of Direct Taxes
Directorate of lncome-tax(Systems)
New Delhi

Notification No. 3/2015

New Delhi, 1st of December 2015

Subject: Stringent Authentication mechanism through Corporate Head Quarter Server for filing of Correction statements & download of TDS certificates, Consolidated files etc. by Banks/Corporates-regarding

Section 200 .of the Income tax Act provides for filing of TDS statements. The manner of filing 'Such statements and the particulars have been laid down in Rule 31A of the Income tax Rules. Vide Sub Rule 5 of Rule 31A (placed at DFA-11) of the Income Tax Rules, it .has been specified that he Director General of Income Tax (Systems) shall specify the procedures, formats and standards for the purposes of furnishing and verification of the statements or claim for refund in Form 26B and shall be responsible for the day-to-day administration  in relation to furnishing and verification of the statements or claim for refund in Form 26B in the manner so specified.

In exercise of the powers delegated by the Central Board of Direct Taxes (Board) under Explanation to Sub Rule 5 of Rule 31A of the Income-tax Rules 1962, the Principal Director General of lncome-tax(Systems) lays down the authentication mechanism for filing of correction statements & download of TDS certificates, Consolidated files etc. by Banks and Corporates deductors as under:

1. Need of Authentication Process
1.1 CPC-TDS initiated "corporate connect" with an intent to pursue TDS compliance related issues of all branches of a corporate with their corporate headquarter. This initiative has multiplier effect as TDS defaults of over 2 lac deductors can be addressed by following it up with only 4000 PAN .entities. CPC-TDS also rolled out functionality for corporate headquarter at PAN level to provide summary of TDS defaults of its branches. The criticality of this initiative can be understood from the fact that 30% of total TDS defaults and 80% of total PAN errors pertain to only 4000 PAN entities.

1.2 During this exercise, the banks were finding it hard to resolve the TDS defaults in case of closed branches arid branches merged with other banks. The banks were not able to retrieve old records for FY 2007-08, 2009-10 etc. in order to file correction statements to resolve the outstanding defaults.  Further banks also found challenge procuring digital signatures for each branch for filing online correction on TRACES portal. The genesis of the modified access process  lies in strategy to address the above challenges  of retrieval of old data without  use of digital signature. As discussed above, 80% of total PAN errors pertain to banks. The modified access process will bring in discipline to the correction process as only the authorized bank official would be able to work on TRACES system. The concept of involving head quarter as a  "corporate connect"  drive will help in bringing in better TDS compliance as the headquarter will have complete picture of the TDS compliance of each branch.

2. Mechanism involved
2.1 This mechanism is based on the concept of routing the access requests of various TAN branches of a particular entity through its corporate headquarter's server. The deductor branch will pass-on the login credentials to the relevant bank/corporate Headquarter's (HQ) server and HQ server will validate the login credentials & IP address of the user's system. After necessary validations, HQ server will send the digitally signed string, in form of encrypted information, to TRACES server. TRACES server will authenticate the defined particulars referred in para 2.2.2 provide access to the concerned TAN account. This mechanism has three benefits:
(a) Secured access of sensitive third party data: Only authorized representative of banks/corporates will be able to access TRACES portal as the login would be through corporate server only
(b) Corporate headquarter can keep track of the will help in enforcing discipline among the branches.
(c) No need to procure separate digital signature for each bank/corporate branch to access TRACES portal on account of routing of request through corporate server.

2.2 The detailed process in this regard is as under:

2.2.1 Deductor Functionalities Access Service URL
For accessing the deductor functionalities through corporate servers, corporate banks need to send request data via HTIP Post Method. Access of deductor functionalities through corporate bank server will be provided over SSL.

2.2.2 List of Request Parameters

#	Parameter	Data Type	Parameter Description
1	Data*	Text	PAN of Deductor, TAN of Deductor, Transaction Timestamp, IP, Email ID, Mobile Number of AP etc.
2	Signature	Text	Digital signature in PKC57 for with base 64 encoding

Data from website needs to be submitted only using POST method through HTIPS request using the following parameters.

2.2.3 Structure of "data" field

#	Field Name	Data type	Field Length	Mandatory/Optional	Sample Value
1	PAN of Deductor	Character	10	Mandatory	AAAAA9999A
2	TAN of Deductor	Character	10	Mandatory	AAAAA9999A
3	PAN of AP	Character	10	Mandatory	As entered during login (PAN of authorized person)
4	Mobile No. of AP	Numeric	10	Mandatory	9999999999
5	Email Id of AP	Character		Mandatory	Email ID having bank’s/corporate domain number e.g. (__@sbi.co.in)
6	Transaction Timestamp	Character (YYYY-MM-DD-hh24.mi.ss.ffffff	26	Mandatory	2009-10-26-15.07.40.071658

* The above fields in the data will be separated by “^”

2.2.4 List of unauthorized access scenarios
a Bank request data not in proper format
b Bank URL through which bank is accessing traces application is not correct
c Incorrect digital certificate
d Request parameters not valid
e Timestamp will be used for checking staleness

3. CPC (TDS) will gradually migrate banks and corporates to the modified authentication process of accessing TRACES portal. Durir)g transitional period of on boarding of banks/corporates normal access to TRACES portal will remain available to the users of respective banks/corporates . The normal access will be discontinued only after complete on boarding of the entity and all its branches.

(P. S. Thuingaleng)
Dy. Commissioner of Income Tax (CPC-TDS)
O/o The Pr. Director General of Income-tax (Systems)