Friday, October 2, 2020

Takeaways & Observations of Direct-API EInvoicing Users

On Oct 1 2020, GSTN went live with eInvoicing, i.e., registering of invoices with NIC, for companies with 500 Cr+ turnover. We have earlier written about the "Direct-API", which allows tax-payers to connect to the NIC servers directly and make the API calls.

We have enabled many of our partners to go live with this Direct-API on Oct 1. These were companies with 500Cr+ turnover, and used several different ERP systems, including SAP and Oracle. We have been getting a lot of queries about the Direct API and the go-live experience. This note is to document our observations across the many partners who have successfully started eInvoicing with the Direct-API.

My overall observation is that GSTN & NIC have done a good job with the Direct API and the on-boarding process. The process was clearly documented by GSTN / NIC, and everything worked as promised without a hitch. 

Moreover, in the last 60 hours, tens of thousands of eInvoices have been registered by our partners, and not a single case of failure has been reported as of this time.

Specific Observations:

1) The documentation provided by GSTN for consuming the direct API is clear, and all the REST API calls work as described.

2) A sandbox has been made available for testing. Taxpayers can register on the sandbox to obtain their API credentials and then begin to test the API. The sandbox behavior is as documented. (Few weeks ago, there was a delay of a few hours between new schema changes being announced and the sandbox behavior. In the recent weeks, there has been no such mismatch).

3) NIC requires Direct-API users to run a number of tests (both success and failures)  per each API call prior to Production access. The purpose is to ensure that Taxpayers actually try out all their use-cases on the sandbox, and handle success & failures, prior to accessing the Production servers. There is a spreadsheet available on the GSTN site. It is clear on the number and type of the tests to be performed. The spreadsheet takes about 10 mins to fill once you run the required number of tests on Sandbox.

4) NIC also requires Taxpayers to allocate maximum up to 4 public IPs for whitelisting. In other words these are the IPs from which requests will be permitted to hit the NIC Production servers.

5) The request for Production access can be made by logging in to the https://einvoice1.gst.gov.in portal with Admin credentials. You have to select Direct Access, then enter the Whitelisted IPs, and then upload the filled spreadsheet mentioned in item 3 above (after converting XLS to PDF).

6) Once the above request is made, the taxpayer needs to await approval from NIC. The statistics based on the experience of our partners is: 

Maximum days for getting approval: 6 days

Minimum days for getting approval:  < 1 day (!!!)

Average number of days for getting approval: 3 days

Approval received in first attempt: Approx 78% of applicants

Application rejected in first attempt: Remaining 22% of applicants (NIC provided reasons for rejection)

Applications approved on second attempt (of the 22%): 100%.

This means that a majority of applicants received their approval in the first attempt and fairly quickly. The remaining ones got approval after they fixed the errors in their application.

7) Applicants received a clear email with next steps for production access. This required the taxpayer to create API users from the https://einvoice1.gst.gov.in portal, along with their credentials. These credentials are to be used in the Production API.

8) Process of creating say 10 API users (one for each GSTN corresponding to a single PAN) takes about 10 mins.

9) Process of going live only requires the user to change the API end-points from Sandbox to NIC production server, and using the Production credentials.

10) Out of more than 100 IPs that we saw whitelisted, only 1 failed to work on production as expected. Other than this singular case, IP whitelisting by NIC worked as expected for all taxpayers.

11) There is no difference in the behavior of the Sandbox and Production servers. This is good. All API work as expected on Production, if they worked on the Sandbox.

12) Only one taxpayer faced connectivity issues for a few hours, but it was an issue on the taxpayer side, not on NIC side. The lesson for the taxpayer is to ensure good internet connectivity.

13) Direct taxpayers have been receiving responses to emails from NIC on a fairly regular basis. 

14) The schema validation changes announced by GSTN 4 days prior to go-live did require some work on our side, but we observed that many of those changes were already live on the sandbox prior to their announcement.

To be honest, we had mentally prepared our partners (taxpayers) for possible glitches after go-live. However these apprehensions proved to be unfounded and everything has worked well as of this time, with no latency issues being reported either.

To summarize, our partners have had a smooth journey going into Production with Direct eInvoicing API from a variety of ERP systems. Every single one of them went live on time, with no disruption to their business users.


(Note: The earlier note on Direct-API, background & benefits is here)














The Direct API for eInvoicing

NIC provides a Direct-API for registering eInvoices. "Direct-API" means that the API endpoints on the NIC servers can be accessed directly by the tax-payer (i.e., without having to route the data via any intermediary or GSP). 

GSTN has recognized that eInvoice data is confidential & embodies trade secrets. Pricing information in particular is something that companies protect zealously. Large companies often spend an enormous amount of money on implementing on-premise ERP solutions precisely for this reason. Invoice data is too precious to be stored on a cloud-based ERP.

It is one thing for one data-point (pricing of a particular item at a particular time) to be compromised. It is much worse when detailed invoicing data ends up being gathered over a period of time into a database. Significant analysis can be performed and inferences drawn from such databases. ("Big Data", "Data Harvesting"). Needless to say, this data is of immense competitive value. 

Many CIOs, CFOs and Information Security professionals understand this, and are reluctant to route data via third-parties. There are other benefits to going direct as well. It reduces the number of hops, and therefore reduces the latency and minimizes the points of failure. Further, you are at no risk of being charged annual or per-transaction fees by anyone.

Given these significant concerns, it is logical for NIC to provide an API which tax-payers can consume themselves, and route the data to NIC directly. Hundreds of Companies (500Cr+ turnover) have adopted the direct route to implement their eInvoicing. GSTN has also included eWayBills in this API, which means Taxpayers can now generate eWayBills along with eInvoicing as well.

Saturday, September 5, 2020

E-Invoicing

IN a month from now, the Indian Govt will enforce a tax regulation that will have significant business impact for decades to come. GSTN  will make it mandatory for companies (initially those with over Rs 500 crore annual revenue) to register each B2B invoice with GSTN before goods are shipped. This is called "EInvoicing". Companies will have to electronically register / communicate to GSTN every detail of every invoice in real-time prior to shipment. GSTN will return a QR code that will have to be inserted on the invoice when it is printed / emailed and goods shipped.

This is a remarkable piece of regulation in many ways. In an era where businesses are already complaining of excessive compliance and regulatory burden, EInvoicing takes this burden to an entirely different level.

Firstly, this is a real-time compliance. Goods cannot be shipped unless the EInvoice is registered. Many companies issue several hundreds if not thousands of invoices daily, and these are usually created in real-time i.e., just when goods are ready to ship. EInvoicing adds a variable delay to every single invoice issued. If for any technical / connectivity reasons the EInvoice cannot be registered, shipments will be delayed. 

Secondly, the benefit to the Govt of a regulation like this are unclear. Given that it imposes a significant compliance cost on thousands of honest tax-paying companies, the Govt should have made public a detailed cost-benefit analysis. It is not clear what specific types of evasion this regulation would stop, or the perceived magnitude of the problem. GSTN has referred to 'spurious invoices', but no one has laid out a specific scenario which would be remedied by this regulation. That is because every such scenario is already covered by an existing regulation, or will be easily managed by a bad actor. GSTN has not published any estimates of the increased GST collections it expects as a result of this regulation. This is much like Demonetization, whose costs were visible and borne by the common man, but whose benefits are in the realm of conjecture. The effects of demonetization were temporary. The regulatory burden imposed by EInvoicing will be permanent.

Thirdly, there is the issue of privacy. The data sought from companies represents a whole different level of disclosure by private entities. The Govt wants to know the exact nature of goods sold, their quantity and price at which they were sold and to whom. Pricing of goods, and particularly services, is often a secret. Companies may sell the same product at different prices to different clients - for a variety of valid business reasons. This is confidential information. The information gathered by the Govt will hereafter allow the Taxman to ask you why a particular item was sold at Rs 100 per unit to buyer A, and at Rs 103 per unit to buyer B. (From there its a short jump to "deemed revenues". Those aware of the logic behind "deemed rent" will be worried). Conversely, the information on all inputs (incoming goods) into a company will also be known (because your suppliers will have to do EInvoicing too).

By implementing EInvoicing, Companies will be sharing their most sensitive data with the IRP and perhaps an intermediary. Imagine a radiator manufacturing company whose data of all radiators sold, to whom, at what price point, seasonal pricing variations, and much more being compromised. A competitor would love to get their hands on this data.

The fourth issue with EInvoicing is the enforcement. The only way to enforce this regulation is to have GST inspectors stop trucks en-route, to verify if EInvoice has been created and if the goods in the truck match those listed in the EInvoice. Such a verification can become absurdly complex depending on type of goods. What if the GST inspector declares that there is a mismatch? Can the poorly educated truck driver be expected to challenge the GST inspectors on the technical points of EInvoice? Can any company afford its trucks to be held up in transit? What recourse does the truck-driver or the company have?

Given the plethora of issues with EInvoicing, it is surprising that businesses and trade associations have not pushed back aggressively against it. Perhaps they are taken in by the Govt's assertion that it is only creating a 'framework' for electronic exchange of data between private parties. That however, is NOT the job of the Govt. 

Given the burden it imposes on honest businesses, GSTN is requested to consider the following:

a) It should revisit the schema and determine if it really needs to collect all the information it wants to.  

b) Announce an alternative to real-time EInvoicing.

c) Address the concern of trucks being stopped in transit.

It would be a favor to businesses struggling to recover from COVID.







Thursday, November 14, 2019

How to insert a digital signature in a PDF file?

[A recap post for new users]

In order to digitally sign a PDF file, you need a couple of things.

  1. Your digital signature certificate (DSC) that usually comes in the form of a USB token.
  2. A software tool that uses your DSC and signs the PDF file.

You can get the free TRUESigner tool after filling out the form http://www.truecopy.in/truesignerdsc.php and install it on your PC. Here are the simple steps to follow -
  1. Connect your DSC token in the USB port of your PC and launch the TRUESigner tool.
  2. Browse and select the PDF file you wish to sign.
  3. Select the output folder in which you would like to save the signed file.
  4. Select your signature certificate from the drop-down menu.
  5. Click on Submit.
  6. Your signed PDF will be available in the output folder.

If you would like to apply for your DSC token or sign PDF files in bulk in one go then you can contact us using http://www.truecopy.in/contact.php


Wednesday, December 19, 2018

eSign Paused (14 Dec 2018)

Aadhaar-based ESign services have paused since 14 Dec 2018 because UIDAI has said that these would be used only for purposes of DBT / Subsidies or those permitted by law. Earlier, the Supreme Court had invalidated Section 57 of Aadhaar Act essentially preventing private companies from performing eKYC.

 In this regard:

1) A Gazette notification of Jan 28, 2015 documents a rule made by Department of Electronics and Information Technology mentioning eKYC-based eSignatures. But this is a rule and not a law (as required by SC judgement).

2) Neither UIDAI nor CCA has issued a statement saying general eSignatures are valid after Dec 14 2018 other than for DBT / Subsidy purposes.

3) At least one Certifying Authority has avoided answering questions regarding the legality of eSignatures issued by them (!). They have actually asked their subscribers to provide a declaration which indemnifies them.

This is an absurd scenario, where the service-provider himself is not ready to vouch for the validity of the service he provides, but wants his consumer to do so, and indemnify the service-provider.


4) The Govt has announced it will bring in suitable laws that will permit use of eKYC by private players. (This implies that such a law doesnt currently exist.)

Given all of the above, it is unwise to use eSignatures beyond Dec 14 2018 for agreements / contracts / forms / etc because their validity is uncertain.

It is hoped that the authorities will soon provide clarity and guidance so that there is no ambiguity.


Monday, October 8, 2018

Offline e-KYC API

The SC has in its judgement on the validity of Aadhaar. As a part of the judgement, it struck down Section 57, which allowed private companies to access the Aadhaar database. Subsequently, has been promoting "Offline eKYC".

Offline eKYC refers to uing either eAadhaar or QR code to authenticate an individual. The eAadhaar is a Digitally Signed PDF that has the individual's information as available in the Aadhaar database. This PDF also has a QR code that has the same information (and which can be scanned and verified by mobile apps developed by UIDAI). There is also an XML equivalent (instead of a PDF format), which allows faster processing by automated algorithms.

The eAadhaar PDF as well as the XML are downloadable by the individual from the UIDAI website.

Automated API for processing eAadhaar PDF or for processing the XML ("paperless offline eKYC" as UIDAI calls it) are now available from Truecopy. For more information, email sales@truecopy.in

Wednesday, September 26, 2018

SC decision on Article 57 of Aadhaar Act

The SC delivered its judgement few hours ago on the validity of Aadhaar. This is a landmark judgement because it sets right several aspects of the way UIDAI had permitted Aadhaar data to be used.

The most important part of of the judgement is the one pertaining to Article 57 of the Aadhaar Act.

About Section 57, the judgement says (Below excerpt from livelaw.in)

Insofar as Section 57 in the present form is concerned, it is susceptible to misuse inasmuch as: (a) It can be used for establishing the identity of an individual ‘for any purpose’. We read down this provision to mean that such a purpose has to be backed by law. Further, whenever any such “law” is made, it would be subject to judicial scrutiny. (b) Such purpose is not limited pursuant to any law alone but can be done pursuant to ‘any contract to this effect’ as well. This is clearly impermissible as a contractual provision is not backed by a law and, therefore, first requirement of proportionality test is not met. (c) Apart from authorising the State, even ‘any body corporate or person’ is authorised to avail authentication services which can be on the basis of purported agreement between an individual and such body corporate or person. Even if we presume that legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of an individual biometric and demographic information by the private entities. Thus,
this part of the provision which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals. This part of the section, thus, is declared unconstitutional.


TOI reports that as per the judgement  Private companies can't ask for Aadhaar

IE reports:
Section 57 of the Aadhaar Act refers to the use of Aadhaar data by any “body corporate or person” to establish the identity of an individual. Justice Sikri, in his judgment, found this section to be unconstitutional. It was under this provision that private companies like Paytm and Airtel Payments Bank sought Aadhaar details from customers.




This would suggest that UIDAI should not be sharing any information from the Aadhaar database with any private entities (AUA / KUA). As we had said in an earlier post:

Unique ID Authority of India is "Unique" for one reason. It is the ONLY National Database in the world that GIVES OUT citizen information to private entities. 

Hopefully, the SC order corrects this anomaly and perhaps UIDAI will stop giving information from its Database to private entities.

The other major takeaway from the judgement was that the Supreme Court upheld the validity of Aadhaar. Clearly, every country requires a unique identifier for its residents and so does India. Further more, the SC asked the Centre to bring a robust law for data protection as soon as possible. Again, this is absolutely needed, because there is no control on how entities treat confidential data of third parties.

PS>> Congress Party seems to have a view on section 57 as well, and they are in agreement with us!


Wednesday, July 18, 2018

Excerpts from CGST Guidelines on Invoices

Signing invoices is a matter of interest for a large number of users of Digital Signatures. It is therefore interesting to take a look at what CGST guidelines say about the use of Digital Signatures for signing invoices, and the Type of Signatures that can be used.

The Central GST Rules are available on the GST Council website. The latest guidelines as of today are available here:

http://gstcouncil.gov.in/sites/default/files/NOTIFICATION%20PDF/CGST-Rules-06072018.pdf

[Link moved. New link as of 10/07/2019:
https://cbic-gst.gov.in/pdf/23042019-CGST-Rules-2017-Part-A-Rules.pdf
]

Chapter VI deals with TAX INVOICE, CREDIT AND DEBIT NOTES.

Section 46 begins:





and continues...




specifically (Color added to draw attention to specific words):

"digital signature of the supplier or his authorised representative."


The definition of supplier is found in the CGST Act 2017, as it appears in the Gazette of India, which is available from the GST Council website link below.

http://gstcouncil.gov.in/sites/default/files/CGST.pdf



The definition of supplier in section 2(105) is below:




The definition of person in Section 2 (84) of the CGST Act is below:





Lastly, we could not find any specific mention of whether Class 2 or Class 3 signatures have to be used for signing invoices. However, we know that for various tax filings, corporate filings, EPF and other Government filings, Class 2 signatures are used.

Certifying Authorities issue Class 3 Corporate Document Signing Certificates on an HSM only. However, for Class 2 Corporate Document Signing Certificates, HSM is not required, although security precautions are to be taken in their usage.



Sunday, July 15, 2018

31 July 2018 - eSignatures will need VID (Virtual ID)

31 July 2018 is the date from which eSignatures will be done using Virtual ID and Aadhaar numbers will no longer be used. TRUECOPY has been supporting VID-based signing since June 30, and a large number of VID users have already signed documents using VID instead of Aadhaar.

Here is a re-cap of the process.

How to obtain your VID?

An individual can obtain his / her VID from the UIDAI website:

https://resident.uidai.gov.in/web/resident/vidgeneration

The individual enters his / her Aadhaar number and obtains and OTP on registered mobile. After entering the OTP, a VID is communicated to the individual.

A VID is also generated by downloading an eAadhaar document. (It appears under the Aadhaar number on the eAadhaar document)


How to use a VID for eSignatures?

During the eSign process the individual is directed to the ESP gateway, and the VID has to be entered on the ESP page. An OTP is received (as earlier) and the eSign process goes forward.


Saturday, June 30, 2018

Will Aadhaar-based eSigning continue indefinitely?

UIDAI has just released a Circular ("Circular 9 of 2018") that extends the date for compulsory usage of VID for eSigning. This circular has generally been interpreted to mean that VID will be compulsory for eSign beyond 31 July 2018 (instead of 30 June 2018 - basically an extension of 1 month). One ESP has communicated "All ASPs are requested to migrate to new eSign API 2.1 on or before July 31, 2018."

A closer look at the wording of the circular seems to suggest that potentially, Aadhaar based eSigning can continue to be used later by making additional payment per transaction.


The relevant section is reproduced below:




The notification does not explicitly say that users should stop using Aadhaar for eSigning after July 31. If extra charges are going to be waived for those migrating by July 31, it means that extra charges would not be waived for those who continue to use Aadhaar for eSigning after July 31. It seems to suggest that UIDAI expects there to be people who would continue to use Aadhaar beyond July 31.

It would be good to have clarity on this matter. The question is:
Will VID be compulsory for eSignatures after July 31 2018 or can Aadhaar be used by paying an extra amount per transaction thereafter?

Of course, irrespective of what we think, the interpretation of ESPs / CCA / UIDAI would be final.