SECTION 200 OF THE INCOME-TAX ACT, 1961 – STRINGENT AUTHENTICATION MECHANISM FOR FILING OF CORRECTION STATEMENTS & DOWNLOAD OF TDS CERTIFICATE, CONSOLIDATED FILES ETC. BY BANKS/CORPORATES
NOTIFICATION NO.3/2015[F.NO: DGIT(S)/CPC(TDS)/CORP_AUTHENTICATION MECH/2015-16/14557-14690], DATED 1-12-2015
Section 200 of the Income tax Act provides for filing of TDS statements. The manner of filing such statements and the particulars have been laid down in Rule 31A of the Income tax Rules. Vide sub-rule 5 of rule 31A (placed at DFA-II) of the Income Tax Rules, it has been specified that the Director General of Income Tax (Systems) shall specify the procedures, formats and standards for the purposes of furnishing and verification of the statements or claim for refund in Form 26B and shall be responsible for the day-to-day administration in relation to furnishing and verification of the statements or claim for refund in Form 26B in the manner so specified.
In exercise of the powers delegated by the Central Board of Direct Taxes (Board) under Explanation to sub-rule 5 of rule 31A of the Income-tax Rules 1962, the Principal Director General of Income-tax (Systems) lays down the authentication mechanism for filing of correction statements & download of TDS certificates, Consolidated files etc. by bank and corporate deductors as under:
1. Need of Authentication Process
1.1 CPC-TDS initiated “corporate connect” with an intent to pursue TDS compliance related issues of all branches of a corporate with their corporate headquarter. This initiative has a multiplier effect as TDS defaults of over 2 lac deductors can be addressed by following it up with only 4000 PAN entities. CPC-TDS also rolled out functionality for the corporate headquarter at PAN level to provide a summary of TDS defaults of its branches. The criticality of this initiative can be understood from the fact that 30% of total TDS defaults and 80% of total PAN errors pertain to only 4000 PAN entities.
1.2 During this exercise, the banks were finding it hard to resolve the TDS defaults in case of closed branches and branches merged with other banks. The banks were not able to retrieve old records for FYs 2007-08, 2009-10 etc. in order to file correction statements to resolve the outstanding defaults. Further, banks also found it a challenge to procure digital signatures for each branch for filing online corrections on the TRACES portal. The genesis of the modified access process lies in the strategy to address the above challenges of retrieval of old data without use of digital signature. As discussed above, 80% of total PAN errors pertain to banks. The modified access process will bring in discipline to the correction process as only the authorized bank official would be able to work on the TRACES system. The concept of involving the headquarter as a “corporate connect” drive will help in bringing in better TDS compliance as the headquarter will have a complete picture of the TDS compliance of each branch.
2. Mechanism involved
2.1 This mechanism is based on the concept of routing the access requests of various TAN branches of a particular entity through its corporate headquarters server. The deductor branch will pass on the login credentials to the relevant bank/corporate Headquarter’s (HQ) server and the HQ server will validate the login credentials & IP address of the user’s system. After necessary validations, the HQ server will send the digitally signed string, in the form of encrypted information, to the TRACES server. The TRACES server will authenticate the defined particulars referred to in para 2.2.2 and provide access to the concerned TAN account. This mechanism has three benefits:
(a) Secured access of sensitive third party data: Only authorized representatives of banks/corporates will be able to access the TRACES portal as the login would be through the corporate server only.
(b) The corporate headquarter can keep track of the access requests of the branches and this will help in enforcing discipline among the branches.
(c) No need to procure a separate digital signature for each bank/corporate branch to access the TRACES portal, on account of routing of requests through the corporate server.
2.2 The detailed process in this regard is as under:
2.2.1 Deductor Functionalities Access Service URL
For accessing the deductor functionalities through corporate servers, corporate banks need to send request data via the HTTP POST method. Access to deductor functionalities through the corporate bank server will be provided over SSL.
2.2.2 List of Request Parameters
Data from the website needs to be submitted only using the POST method through an HTTPS request using the following parameters:

| # | Parameter | Data Type | Parameter description |
|---|---|---|---|
| 1 | data* | Text | PAN of Deductor, TAN of Deductor, Transaction Timestamp, IP, Email ID, Mobile Number of AP etc. |
| 2 | signature | Text | Digital signature in PKCS7 format with base 64 encoding |
2.2.3 Structure of “data” field
| # | Field Name | Data Type | Field length | Mandatory/Optional | Sample value |
|---|---|---|---|---|---|
| 1 | PAN of Deductor | Character | 10 | Mandatory | AAAAA9999A |
| 2 | TAN of Deductor | Character | 10 | Mandatory | AAAA99999A |
| 3 | PAN of AP | Character | 10 | Mandatory | As entered during login (PAN of Authorised Person) |
| 4 | Mobile number of AP | Numeric | 10 | Mandatory | 9999999999 |
| 5 | Email ID of AP | Character | NA | Mandatory | email ID having bank’s/corporate’s domain name e.g. (@sbi.co.in) |
| 6 | Transaction Timestamp | Character (YYYY-MM-DD-hh24.mi.ss.ffffff) | 26 | Mandatory | 2009-10-26-15.07.40.071658 |
* The above fields in the data will be separated by “A”
2.2.4 List of unauthorized access scenarios
a. Bank request data not in proper format
b. Bank URL through which bank is accessing traces application is not correct
c. Incorrect digital certificate
d. Request parameters not valid
e. Timestamp will be used for checking staleness
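A receiving-side check of the “data” field from para 2.2.3 against rejection scenarios a, d and e of para 2.2.4, given as an added example that is not part of the notification or of the TRACES implementation. It assumes the PKCS7 signature has already been verified; the separator is passed in as a parameter because a separator that can also occur inside PAN/TAN values cannot be split unambiguously, and the `^` separator, the `bank.example` domain, the 5-minute staleness window and the PAN/TAN patterns (taken from the shape of the sample values) are assumptions.

```python
import re
from datetime import datetime, timedelta

PAN_RE = re.compile(r"[A-Z]{5}[0-9]{4}[A-Z]")  # shape of sample AAAAA9999A (assumed)
TAN_RE = re.compile(r"[A-Z]{4}[0-9]{5}[A-Z]")  # shape of sample AAAA99999A (assumed)
TS_FORMAT = "%Y-%m-%d-%H.%M.%S.%f"             # YYYY-MM-DD-hh24.mi.ss.ffffff
FIELDS = ("pan_deductor", "tan_deductor", "pan_ap",
          "mobile_ap", "email_ap", "timestamp")


def validate_data(data, sep, allowed_domain, now, max_age=timedelta(minutes=5)):
    """Return (fields, None) if accepted, else (None, reason).
    sep, allowed_domain and max_age are assumptions of this example."""
    parts = data.split(sep)
    if len(parts) != len(FIELDS):
        return None, "format: expected 6 fields"        # scenario a
    f = dict(zip(FIELDS, parts))
    if not PAN_RE.fullmatch(f["pan_deductor"]):         # scenario d from here on
        return None, "invalid PAN of deductor"
    if not TAN_RE.fullmatch(f["tan_deductor"]):
        return None, "invalid TAN of deductor"
    if not PAN_RE.fullmatch(f["pan_ap"]):
        return None, "invalid PAN of AP"
    if not re.fullmatch(r"[0-9]{10}", f["mobile_ap"]):
        return None, "invalid mobile number"
    local, at, domain = f["email_ap"].rpartition("@")
    if not (at and local) or domain.lower() != allowed_domain.lower():
        return None, "email domain not allowed"
    if len(f["timestamp"]) != 26:                       # strptime alone accepts short %f
        return None, "invalid timestamp"
    try:
        ts = datetime.strptime(f["timestamp"], TS_FORMAT)
    except ValueError:
        return None, "invalid timestamp"
    age = now - ts                                      # both clocks assumed in one zone
    if age > max_age or age < -max_age:
        return None, "stale timestamp"                  # scenario e
    return f, None


# Constructed sample: "^" is a stand-in separator, bank.example a stand-in domain.
SAMPLE = "^".join(["AAAAA9999A", "AAAA99999A", "BBBBB1111B", "9999999999",
                   "officer@bank.example", "2009-10-26-15.07.40.071658"])

if __name__ == "__main__":
    print(validate_data(SAMPLE, "^", "bank.example", datetime(2009, 10, 26, 15, 9)))
```

Rejecting timestamps too far in the future as well as in the past keeps a sender with a skewed clock from extending the window in which a captured request stays valid.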
3. CPC (TDS) will gradually migrate banks and corporates to the modified authentication process of accessing the TRACES portal. During the transitional period of onboarding of banks/corporates, normal access to the TRACES portal will remain available to the users of the respective banks/corporates. The normal access will be discontinued only after complete onboarding of the entity and all its branches.