openapi: 3.0.3 info: title: Know Your Customer Fill-in description: | This API provides the customer with the ability request and receive the information for a particular user, which on file (and verified) by the user's Operator in their own KYC records, in order for the SP to confirm the accuracy of the information and provide a specific service to the user. ## Relevant Definitions and concepts * **KYC**: stands for Know Your Customer and it is the process of a business verifying the identity of their clients and assessing their suitability, along with the potential risks of illegal intentions towards the business relationship. ## API Functionality This API allows API clients to request for API provider / MNO to provide information related to a mobile phone user, derived from the account data bound to their phone number. The API is intended to be used in the following scenario, for example: * To fill-in the user personal data during the digital registration of an account to a 3rd party service. The following figure is the generic high-level flows of this API. KYC_Match_flow

Note: * Before calling this API, 3rd parties / enterprise customers who want to use this API should make contract with API provider/ Operator for use of this API. As that will depend on each API provider / MNO's business processes as well as GSMA Open Gateway standard process, it is out of scope of this API definition. * When calling this API, at the beginning, there should be required processes for Authentication / Authorisation / End User Consent capturing. As those processes are to be defined as CAMARA commonality standards, they are out of scope of this API definition, however, use of the OpenID Connect (OIDC) is stated as security scheme. **As an important note**, capturing end user consent is necessary, because this API provides end user information (PII). * The above mentioned AuthN/AuthZ/End User consent capturing processes can give the API provider/ MNO the 3rd party identity (with the Access Token) and the end user identity (with the ID Token), so the API provider/ MNO can identify the 3rd party / enterprise customer and the end user. Then, it is up to API provider/ MNO to decide which information the 3rd party will receive by calling the API, and also the API provider / MNO is responsible for security and privacy issues. * For example, below is a potential operation: * when making contract with API provider/ MNO, a 3rd party / enterprise customer receives its 3rd party identity and also decide which information (attributes) it will receive for its API call * then, API provider / MNO will provide information (attributes) which the 3rd party / enterprise customer is allowed to receive by the contract. ### Special Scopes This API uses the following special scope kyc-fill-in:set-all which means that the API provider returns an API response as if all these scopes were specified in the scope value in the request: `kyc-fill-in:phoneNumber kyc-fill-in:idDocument kyc-fill-in:name kyc-fill-in:givenName kyc-fill-in:familyName kyc-fill-in:nameKanaHankaku kyc-fill-in:nameKanaZenkaku kyc-fill-in:middleNames kyc-fill-in:familyNameAtBirth kyc-fill-in:address kyc-fill-in:streetName kyc-fill-in:streetNumber kyc-fill-in:postalCode kyc-fill-in:region kyc-fill-in:locality kyc-fill-in:country kyc-fill-in:houseNumberExtension kyc-fill-in:birthdate kyc-fill-in:email kyc-fill-in:gender` ## Resources and Operations overview The API provides the following endpoint: * An endpoint to request information related to an end user against the account data bound to their phone number. ## Authorization and authentication The "Camara Security and Interoperability Profile" provides details of how an API consumer requests an access token. Please refer to Identity and Consent Management (https://github.com/camaraproject/IdentityAndConsentManagement/) for the released version of the profile. The specific authorization flows to be used will be agreed upon during the onboarding process, happening between the API consumer and the API provider, taking into account the declared purpose for accessing the API, whilst also being subject to the prevailing legal framework dictated by local legislation. In cases where personal data is processed by the API and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of three-legged access tokens is mandatory. This ensures that the API remains in compliance with privacy regulations, upholding the principles of transparency and user-centric privacy-by-design. # Identifying the phone number from the access token This API requires the API consumer to identify a phone number as the subject of the API as follows: - When the API is invoked using a two-legged access token, the subject will be identified from the optional `phoneNumber` field, which therefore MUST be provided. - When a three-legged access token is used however, this optional identifier MUST NOT be provided, as the subject will be uniquely identified from the access token. This approach simplifies API usage for API consumers using a three-legged access token to invoke the API by relying on the information that is associated with the access token and was identified during the authentication process. ## Error handling: - If the subject cannot be identified from the access token and the optional `phoneNumber` field is not included in the request, then the server will return an error with the `422 MISSING_IDENTIFIER` error code. - If the subject can be identified from the access token and the optional `phoneNumber` field is also included in the request, then the server will return an error with the `422 UNNECESSARY_IDENTIFIER` error code. This will be the case even if the same phone number is identified by these two methods, as the server is unable to make this comparison. license: name: Apache 2.0 url: https://www.apache.org/licenses/LICENSE-2.0.html version: 0.3.0 x-camara-commonalities: 0.5 servers: - url: '{apiRoot}/kyc-fill-in/v0.3' variables: apiRoot: default: http://localhost:9091 description: API root, defined by the service provider, e.g. `api.example.com` or `api.example.com/somepath` tags: - name: Fill-in description: Operations to provide information related to a customer identity stored the account data bound to the customer's phone number. paths: /fill-in: post: tags: - Fill-in summary: Providing information related to a customer identity stored the account data bound to the customer's phone number. operationId: KYC_Fill-in security: - openId: - kyc-fill-in:set-all - openId: - kyc-fill-in:phoneNumber - openId: - kyc-fill-in:idDocument - openId: - kyc-fill-in:name - openId: - kyc-fill-in:givenName - openId: - kyc-fill-in:familyName - openId: - kyc-fill-in:nameKanaHankaku - openId: - kyc-fill-in:nameKanaZenkaku - openId: - kyc-fill-in:middleNames - openId: - kyc-fill-in:familyNameAtBirth - openId: - kyc-fill-in:address - openId: - kyc-fill-in:streetName - openId: - kyc-fill-in:streetNumber - openId: - kyc-fill-in:postalCode - openId: - kyc-fill-in:region - openId: - kyc-fill-in:locality - openId: - kyc-fill-in:country - openId: - kyc-fill-in:houseNumberExtension - openId: - kyc-fill-in:birthdate - openId: - kyc-fill-in:email - openId: - kyc-fill-in:gender parameters: - $ref: '#/components/parameters/x-correlator' requestBody: content: application/json: schema: $ref: '#/components/schemas/KYC_FillinRequest' examples: KYC_FillInBodyExample: value: { "phoneNumber": "+34629255833" } responses: '200': description: OK headers: x-correlator: $ref: "#/components/headers/X-Correlator" content: application/json: schema: $ref: '#/components/schemas/KYC_FillinResponse' examples: KYC_Fillin200Example: value: phoneNumber: '+34629255833' idDocument: 66666666q name: Federica Sanchez Arjona givenName: Federica familyName: Sanchez Arjona nameKanaHankaku: federica nameKanaZenkaku: Ｆｅｄｅｒｉｃａ middleNames: Sanchez familyNameAtBirth: YYYY address: Tokyo-to Chiyoda-ku Iidabashi 3-10-10 streetName: Nicolas Salmeron streetNumber: 4 postalCode: 1028460 region: Tokyo locality: ZZZZ country: JP houseNumberExtension: 36 birthdate: '1978-08-22' email: abc@example.com gender: male "400": $ref: '#/components/responses/Generic400' "401": $ref: '#/components/responses/Generic401' "403": $ref: '#/components/responses/Generic403' "404": $ref: '#/components/responses/Generic404' "422": $ref: '#/components/responses/Generic422' components: securitySchemes: openId: type: openIdConnect openIdConnectUrl: https://example.com/.well-known/openid-configuration headers: X-Correlator: description: Correlation id for the different services required: false schema: type: string pattern: ^[a-zA-Z0-9-]{1,55}$ example: "b4333c46-49c0-4f62-80d7-f0ef930f1c46" parameters: x-correlator: name: x-correlator in: header description: Correlation id for the different services schema: type: string pattern: ^[a-zA-Z0-9-]{1,55}$ example: "b4333c46-49c0-4f62-80d7-f0ef930f1c46" schemas: KYC_FillinRequest: type: object properties: phoneNumber: type: string description: A public identifier addressing a telephone subscription. In mobile networks it corresponds to the MSISDN (Mobile Station International Subscriber Directory Number). In order to be globally unique it has to be formatted in international format, according to E.164 standard, prefixed with '+'. pattern: '^\+[1-9][0-9]{4,14}$' example: "+123456789" KYC_FillinResponse: type: object properties: phoneNumber: type: string description: A public identifier addressing a telephone subscription. In mobile networks it corresponds to the MSISDN (Mobile Station International Subscriber Directory Number). In order to be globally unique it has to be formatted in international format, according to E.164 standard, prefixed with '+'. pattern: '^\+[1-9][0-9]{4,14}$' example: "+123456789" idDocument: type: string description: Id number associated to the id_document of the customer stored on the Operator's system. name: type: string description: Complete name of the customer stored on the Operator's system. It is usually composed of first/given name and last/family/sur- name in a country. Depending on the country, the order of first/give name and last/family/sur- name varies, and middle name could be included. It can use givenName, middleNames, familyName and/or familyNameAtBirth. For example, in ESP, name+familyName; in NLD, it can be name+middleNames+familyName or name+middleNames+familyNameAtBirth, etc. givenName: type: string description: First/given name or compound first/given name of the customer on the Operator's system. familyName: type: string description: Last name, family name, or surname of the customer stored on the Operator's system. nameKanaHankaku: type: string description: Complete name of the customer in Hankaku-Kana format (reading of name) for Japan, stored on the Operator's system. nameKanaZenkaku: type: string description: Complete name of the customer in Zenkaku-Kana format (reading of name) for Japan, stored on the Operator's system. middleNames: type: string description: Middle name/s of the customer stored on the Operator's system. familyNameAtBirth: type: string description: Last/family/sur- name at birth of the customer stored on the Operator's system. address: type: string description: Complete address of the customer stored on the Operator's system. For some countries, it is built following the usual concatenation of parameters in a country, but for other countries, this is not the case. For some countries, it can use streetName, streetNumber and/or houseNumberExtension. For example, in ESP, streetName+streetNumber; in NLD, it can be streetName+streetNumber or streetName+streetNumber+houseNumberExtension. streetName: type: string description: Name of the street of the customer's address on the Operator's system. It should not include the type of the street. streetNumber: type: string description: The street number of the customer's address on the Operator's system. Number identifying a specific property on the 'streetName'. postalCode: type: string description: The postal code or Zip code of the customer's address, stored on the Operator's system. region: type: string description: Region/prefecture of the customer's address, stored on the Operator's system. locality: type: string description: Locality of the customer's address, stored on the Operator's system. country: type: string description: Country of the customer's address stored on the Operator's system. Format ISO 3166-1 alpha-2. houseNumberExtension: type: string description: House number extension of the customer stored on the Operator's system. Specific identifier of the house needed depending on the property type. For example, number of apartment in an apartment building. birthdate: type: string format: date description: Birthdate of the customer, in ISO 8601 calendar date format (YYYY-MM-DD), stored on the Operator's system. email: type: string format: email description: Email address of the customer in the RFC specified format (local-part@domain), stored on the Operator's system. gender: type: string description: Gender of the customer stored on the Operator's system (male/female/other). enum: - MALE - FEMALE - OTHER ErrorInfo: type: object required: - status - code - message properties: status: type: integer description: HTTP response status code code: type: string description: Code given to this error message: type: string description: Detailed error description responses: Generic400: description: Bad Request headers: x-correlator: $ref: "#/components/headers/X-Correlator" content: application/json: schema: allOf: - $ref: "#/components/schemas/ErrorInfo" - type: object properties: status: enum: - 400 code: enum: - INVALID_ARGUMENT examples: GENERIC_400_INVALID_ARGUMENT: description: Invalid Argument. Generic Syntax Exception value: status: 400 code: INVALID_ARGUMENT message: Client specified an invalid argument, request body or query param. Generic401: description: Unauthorized headers: x-correlator: $ref: "#/components/headers/X-Correlator" content: application/json: schema: allOf: - $ref: "#/components/schemas/ErrorInfo" - type: object properties: status: enum: - 401 code: enum: - UNAUTHENTICATED - AUTHENTICATION_REQUIRED examples: GENERIC_401_UNAUTHENTICATED: description: Request cannot be authenticated value: status: 401 code: UNAUTHENTICATED message: Request not authenticated due to missing, invalid, or expired credentials. GENERIC_401_AUTHENTICATION_REQUIRED: description: New authentication is needed, authentication is no longer valid value: status: 401 code: AUTHENTICATION_REQUIRED message: New authentication is required. Generic403: description: Forbidden headers: x-correlator: $ref: "#/components/headers/X-Correlator" content: application/json: schema: allOf: - $ref: "#/components/schemas/ErrorInfo" - type: object properties: status: enum: - 403 code: enum: - PERMISSION_DENIED examples: GENERIC_403_PERMISSION_DENIED: description: Permission denied. OAuth2 token access does not have the required scope or when the user fails operational security value: status: 403 code: PERMISSION_DENIED message: Client does not have sufficient permissions to perform this action. Generic404: description: Not found headers: x-correlator: $ref: "#/components/headers/X-Correlator" content: application/json: schema: allOf: - $ref: "#/components/schemas/ErrorInfo" - type: object properties: status: enum: - 404 code: enum: - IDENTIFIER_NOT_FOUND examples: GENERIC_404_IDENTIFIER_NOT_FOUND: description: The phone number is not associated with a CSP customer account value: status: 404 code: IDENTIFIER_NOT_FOUND message: The phone number provided is not associated with a customer account Generic422: description: Unprocessable Content headers: x-correlator: $ref: "#/components/headers/X-Correlator" content: application/json: schema: allOf: - $ref: "#/components/schemas/ErrorInfo" - type: object properties: status: enum: - 422 code: enum: - SERVICE_NOT_APPLICABLE - MISSING_IDENTIFIER - UNNECESSARY_IDENTIFIER examples: GENERIC_422_SERVICE_NOT_APPLICABLE: description: Service is not applicable for the provided phone number value: status: 422 code: SERVICE_NOT_APPLICABLE message: The service is not applicable for the provided phone number GENERIC_422_MISSING_IDENTIFIER: description: No phone number has been provided either explicitly or associated with the access token value: status: 422 code: MISSING_IDENTIFIER message: No phone number has been provided GENERIC_422_UNNECESSARY_IDENTIFIER: description: An explicit phone number has been provided when one is already associated with the access token value: status: 422 code: UNNECESSARY_IDENTIFIER message: An explicit phone number has been provided when one is already associated with the access token