The NBFC – Account Aggregator framework explained
The Reserve Bank of India issued the Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016 (“the Directions”) on September 2, 2016. In this article, we highlight key provisions and takeaways.
Who may be an account aggregator?
A non-banking financial company (“NBFC”) may undertake the “business of an account aggregator.” (Section 3(1)(i))
What is account aggregation/ “the business of an account aggregator”?
Two components: (a) Retrieving/collecting a customer’s financial information; and (b) presenting this to the customer in a collated/consolidated format. (Section 3(1)(iv))
Who can carry out the business of an account aggregator?
The Directions stipulate, “No entity other than a company shall undertake the business of an account aggregator. Further, no company shall commence or carry on the business of an account aggregator without obtaining a certificate of registration from the Bank” (Sections 4(1)(a) & 4(1)(b))
Who are the institutions involved in the entire account aggregation process?
(Sections 3(1)(i), 3(1)(ii) & 3(1)(ix))
- Financial Information Providers: Including but not limited to mutual fund units, money exchanges and insurance agents
- Banks: Financial institutions that let individuals deposit and borrow money
- Account Aggregators: Non-banking financial institutions tasked with aggregating a user’s data between the Financial Information Providers and the Banks
What rules govern the data flow between the three parties?
Although this is not explicitly stated in the Directions, we infer from Sections 6.3, 6.5 and 7.4 that three main principles guide data interaction:
- a strictly-defined process to access the data needed,
- a strictly-defined time period for when the data needs to be accessed, and
- a strictly-defined purpose for use of the data during that time period
Does the account aggregator own the user’s financial information?
No. The Directions explicitly state that the user’s financial information is not “the property of the account aggregators.” (Section 3(1)(iv))
As seen in the illustration below, the account aggregator sits right in between a user and the financial information providers & banks. The data shown by the account aggregator to the user is a mere reflection of the data accessible by the financial information providers & banks, authorised by the explicit consent of the user. (Section 5(a))
How is user consent given and stored?
The user gives their consent to the account aggregator when either the financial information provider or the bank wishes to access a particular data set. The data received from the user and the financial information providers & banks shall be stored by the aggregator in a ‘consent artefact’. (Section 6.3)
Account aggregators shall ensure user privacy by enabling users to authorise the use of their financial data by building in a consent layer between the interactions users may have with financial information providers and banks. (Sections 6.5 and 6.6)
What is a consent artefact and what shall it include?
A consent artefact is a standardized digital document. A consent artefact essentially records the user’s explicit consent to the NBFC-AA for account aggregation.
The consent artefact shall include the identity of the user, the nature of the financial information requested, the purpose of collecting the financial information, the identity of the recipients of the financial information, the consent creation date, the consent expiry date and a digital signature of the account aggregator. (Section 6.3)
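An added sketch, not taken from the Directions or written by the authors, of how a party receiving a data request could check it against the artefact contents listed above and against the defined period and purpose that guide data interaction. The field names, the sample values and the use of HMAC-SHA256 in place of the aggregator's digital signature are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical field names: the Directions list what an artefact holds, not a schema.
REQUIRED = ("user_id", "information_types", "purpose", "recipients",
            "created_at", "expires_at")

def _mac(artefact, key):
    # HMAC-SHA256 stands in for the aggregator's digital signature (assumption).
    body = {f: artefact[f] for f in REQUIRED}
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_artefact(artefact, key):
    return {**artefact, "signature": _mac(artefact, key)}

def check_request(artefact, key, recipient, info_type, purpose, now):
    """Return the reasons to refuse a data request; an empty list means allow."""
    missing = [f for f in REQUIRED + ("signature",) if f not in artefact]
    if missing:
        return ["missing fields: " + ", ".join(missing)]
    reasons = []
    if not hmac.compare_digest(_mac(artefact, key), artefact["signature"]):
        reasons.append("signature mismatch")
    created = datetime.fromisoformat(artefact["created_at"])
    expires = datetime.fromisoformat(artefact["expires_at"])
    if not created <= now < expires:
        reasons.append("outside consent period")
    if recipient not in artefact["recipients"]:
        reasons.append("recipient not named in consent")
    if info_type not in artefact["information_types"]:
        reasons.append("information type not covered")
    if purpose != artefact["purpose"]:
        reasons.append("purpose differs from consent")
    return reasons

# Constructed sample data, not taken from the Directions.
KEY = b"constructed-demo-key"
SAMPLE = sign_artefact({
    "user_id": "user-001",
    "information_types": ["bank_statement"],
    "purpose": "loan underwriting",
    "recipients": ["bank-a"],
    "created_at": "2016-09-02T00:00:00+00:00",
    "expires_at": "2016-12-02T00:00:00+00:00",
}, KEY)
IN_WINDOW = datetime(2016, 10, 1, tzinfo=timezone.utc)
```

Because the signature covers the expiry date, purpose and recipients, an artefact whose dates or scope were altered after issue is refused even when the altered values would otherwise permit the request.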
What precautions need to be taken before implementation?
It is essential that a thorough verification of cross-registered records be conducted before they are fed into account aggregators.
According to the Directions, some companies were already undertaking the role of account aggregators before the official release of the Directions. Financial information providers and banks also hold a wealth of user information, including personal details, financial records and holdings.
Aggregation tends to be inefficient when presented with duplicate records. Moreover, since the data being dealt with is highly sensitive in nature, all caution must be exercised before the data flows are integrated.
The success of a system depends on all nodes within the system functioning simultaneously. Where a user has taken out an insurance policy with the pay-out to be made directly to the bank, both the insurer and the bank must be registered and actively share the use of the data with the system. Thus, it is necessary to get all related financial parties on board simultaneously to ensure network effects and data security.
This post has been authored by Nehaa Chaudhari, Public Policy Lead, TRA Law, and Anish Krishnan, Final Year Law Student, Jindal Global Law School and Intern, TRA Law
 RBI Press Release on Account Aggregators https://www.rbi.org.in/scripts/BS_PressReleaseDisplay.aspx?prid=38807