This article is written by Pratik Shandilya, pursuing a Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho. The article has been edited by Prashant Baviskar (Associate, LawSikho) and Ruchika Mohapatra (Associate, LawSikho).
Technology has received paramount importance in business and commerce. One of the most profound benefits of the amalgamation of digital technologies is that the various data spread across the world can be brought together in a consolidated format to make commerce and business effective. With the advent of cutting-edge technology, consumers have their own expectations with respect to safety, security, and speed as dealing in the digital world involves struggling with privacy and consent issues. This expectation of customers have evolved to a new concept called Account Aggregation (AA)
Account Aggregator (AA) is a new structure of technology infrastructure which helps ease the sharing of the digital financial data of any person from one financial institution to another financial institution within the AA network. In India, the Reserve Bank of India (RBI) governs AAs. Non-banking financial company (NBFC) may conduct the business of an account aggregator.
Through the initiative of the Financial Stability and Development Council (FSDC) and through inter-regulatory decisions by RBI and other regulators such as the Securities and Exchange Board of India (SEBI), Insurance Regulatory and Development Authority (IRDA), and Pension Fund Regulatory and Development Authority (PFRDA), the framework of Account Aggregator was created
The customer data is completely fragmented across India and it is in isolation in the records of banks, insurance companies, government bodies, lenders, and other entities. This was the essential and foremost reason why RBI announced this Account Aggregator framework in 2016.
In pursuance of the new framework, many fintech entities have been given licenses to operate as Account Aggregators. Prominent 8 (eight) banks also consented to share financial data about their Customers with account aggregators. Presently some banks such as ICICI, Axis, HDFC and Induslnd are live on account aggregators whereas State Bank of India, Kotak Mahindra Bank, and Federal Bank are in process of joining the framework.
The consent managers are sector-specific and it is likely and logical that sectoral regulators will devise regulations for consent managers in their sectors. For example, consent managers in the financial world are referred to as Account Aggregators, consent managers in telecom, health, and skill departments are referred to by other names. AAs are governed by the RBI’s ‘Master Direction on the non-banking financial company – Account Aggregator Directions’ issued in 2016. It is also possible that the National Skill Development Corporation or National Health Authority may come up with their own guidelines to regulate consent managers in respective sectors. NITI Ayog recently published a DEPA draft with the purpose of expediting the development of such sector-specific consent managers.
AA as consent managers
The “Consent” forms the basic ethos of contract law. Similarly, the “Consent” of the customer before sharing the customer’s financial data is an essential requirement in dealing in the digital financial world. Consent of the party involved is the most important aspect of the framework. Unless expressed consent is obtained no financial institution can share any details of such customer with any other institution. The NITI Aayog recently released a draft document “India’s Data Empowerment and Protection Architecture (DEPA) – A push towards data democracy” discussing the DEPA framework where it also discussed the role of consent managers. The Aayog explained that a consent manager will ensure that individuals can provide consent for every granular piece of data they provide, through the DEPA, and will also protect an individual’s data rights.
The diagram below describes how consent managers facilitate the flow of information between the data principal, information provider, and information user:
Customers who are registered with an account aggregator platform, have the sole authority to grant/refuse consent for sharing financial data, stored with different financial information providers. The process of registration of AA is prescribed by RBI. The RBI’s directions also provide the scope of responsibilities and duties of AAs, their required data security practices, customer grievance redressal mechanisms, as well as corporate governance, and audit and pricing requirements. To be eligible to participate in the AA ecosystem, entities must be regulated by the financial sector regulator. By implication, any entity if it is an unregulated fintech entity, then such players will not be able to participate. All such fintech entities shall abide by the technical specifications mentioned by RBI.
Digital Sahamati Foundation (known as “Sahamati” is a non-profit collective of Account Aggregators and is mainly engaged in evangelizing the framework and encouraging existing financial institutions to install and be fully equipped with the latest technical standards to Participate in the ecosystem. Financial institutions can voluntarily participate in the AA ecosystem, however, Sahamati issued a certification to such entities confirming that the entities are in full compliance with RBI’s technical, legal, and security guidelines regarding the framework thereby facilitating the financial entities to speed up the certification process from RBI
Benefits of Account Aggregators
The account aggregator framework is helping scattered financial data to collate and consolidate, thereby easing the process to assess the creditworthiness of both-the individuals or entities. It is expected of the account aggregator network to resolve the existing credit crunch in the Indian economy due to the lack of organized data sharing mechanisms. The network can streamline the lending process, leading to a rise in consumption and investment.
It also prevents financial institutions from lending money to unworthy loan applicants thereby reducing the bad loans and non-performing assets. It is also expected that this framework will eventually expand the borrower base of these financial institutions. For users, the new framework is beneficial as it will simplify the otherwise tedious and lengthy procedures while seeking a loan. The users can also expect better customised financial products once their personal financial data is available with these financial institutions.
What are consent artifacts?
RBI released Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016. Generally, AA performs two functions :
1) Retrieving/Collecting a customer’s financial information;
2) presenting the financial information to the customer in collated/consolidated format (Section 3(1)(iv) of RBI directions in 2016. As per Section 1(1)(i) 3(1)(ix) of the Reserve Bank Directions 2016, the following institutions such as financial information providers (such a insurance, money exchange, mutual funds, banks, account aggregators are responsible for aggregating a user’s data between banks and the financial information.
Any user of the online financial facility gives their consent to AA when either the bank or any financial information provider seeks any financial information from the customer. It is the responsibility of the AA to properly store the information collected from the user and banks in a “Consent artefact”. AA handles all the sensitive financial data of the customers and therefore it is the paramount duty of the AA to seek prior voluntary permission of the customer. It is the statutory responsibility of the AA to allow users to authorize the use of their financial database by the banks and financial information providers
The consent from the customer has to be obtained under terms and conditions of the Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016. Interalia, the responsibility involves:
Formulating a standardised consent artifact, containing the following details
- Identity of the customer,
- Particulars of financial information,
- Purpose of collecting the information,
- URL or other address to which notifications need to be sent every time the consent artefact is used to access information.
Consent managers can obtain consent through electronic framework
Keeping the objectivity of “Digital India”, the Reserve Bank of India, has allowed AAs to procure consent through electronic platforms/modes. To enable this the Department of Science and Technology has issued Electronic Consent Framework which defines artifacts as “a machine-readable electronic document that specifies the parameters and scope of data shared that a user consents to in any data sharing transaction.” Electronic consent allows its users to share data, after procuring free, informed and specific, clear and revocable consent of the customer with the facility to trace the trail or source from where such information was received. Such trails can be audited in the future.
Limitations/risks and concerns
The principal concern highlighted by stakeholders and experts is that of financial data security, given the risk of data theft. The digital infrastructure is always susceptible to hacking; this makes millions of customers susceptible to financial data fraud. Therefore, the success of the framework will rest on multiple factors, including establishing resilient systems, cybersecurity safeguards by the RBI, and consumer adoption.
Furthermore, as of today, it is not mandatory for financial institutions to seek details from account aggregators, however, financial institutions in the future might compulsorily require access to data available through account aggregators as a condition for individuals to receive loans and other services. Then the financial institutions shall be of utmost diligence in confirming the authenticity of the services provided by the Account Aggregator. If the financial institutions do not carry out this process properly, it will allow dangerous agents to enter its systems, but it can also lose the trust of its customers by sharing their information with unauthorised Account Aggregators/Consent Managers.
Another technological challenge for financial institutions is creating an interface that allows customers to authorise access to their data. Financial institutions will have to simultaneously create and manage consent tokens securely. And yet, the customer will have the possibility to revoke their consents, that is, financial institutions will have to create a digital mechanism to revoke the consents as the client wishes.
In conclusion, it can be seen that it is essential to develop a consent management system in India as the future of financial institutions is vested in digital technology. Indeed there will be some pitfalls relating to technological infrastructure issues but humans are solution-oriented and therefore the consent management system in India will surely reach its advanced stage.
Even though the AAs have enabled substantive developments in the financial market, it still suffers from some glaring ambiguities. For instance, there is no clarity over how data privacy norms would be applied to the FIUs. This is because the AA framework does not prohibit the FIUs from combining existing data sets with the financial information to profile users. This makes the account aggregator system conducive for data mining and raises the associated ethical issues. Similarly, there is no guidance on how the FIU is required to store and manage data that it has acquired from the AA. Further, there may be overlaps between the RBI’s AA guidelines and its other regulations vis-à-vis the proposed personal data protection law. For instance, the RBI may propose a different duration for processing certain kinds of data outside India, while the PDP law may not permit this at all. It is therefore unclear how the data privacy and security norms introduced by the RBI’s AA guidelines are to be read with the PDP Bill. Lastly, a mechanism must be devised to ensure that consent flow for users is more accessible, understandable, and secure.
- How Account Aggregators Are Fast Becoming Consent Managers in India’s Financial Landscape – Finezza Blog (21st January 2021)
- Section 3(1)(i) of the Non Banking Financial Company- Account Aggregator (Reserve Bank) Directions, 2016
- Account aggregators: These banks have joined it, how it will benefit customers (livemint.com)
- India’s Data Empowerment and Protection Architecture (DEPA) – A push towards data democracy (jishnusanyal.com) (Nov 2020)
- The NBFC- Account Aggregator framework explained 9th January 2018.
- Consent Management and Data Protection in the Account Aggregator Ecosystem, (September 24, 2021)
- Direction regarding Registration and Operations of NBFC- Account Aggregators under Section 45-IA of the Reserve Bank of India Act, 1934
- Vide Clauses 6, 7, 8, 9, and 10, Reserve Bank of India, Directions regarding Registration and Operation of NBFC Reserve Bank of India – Database (rbi.org.in)
- NBFC -Account Aggregator (AA)API Specification ReBIT | Industry Initiatives; How is DEPA transforming India’s Financial Landscape? Available at How is DEPA transforming India’s Financial Landscape? – The Digital Fifth
- Section 6.3 Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016
- (Naina Bhardwaj, 2021) India’s Account Aggregator Network Makes Financial Data More accessible, Allows Individual Consent; 15th September 2021
- The Challenges for Consent Managers for Banks available at https://olhardigital.com.br/en/2021/05/06/colunistas/o-desafio-da-gestao-de-consentimento-para-os-bancos/
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: