| Guideline No. | CDR001 |
| Purpose | To clarify if a citizen can be a recipient of his/her own data via an AA |
| Description | As per the RBI Master Directions, an AA’s charter is to enable (amongst other things) presentation of a citizen’s data to herself.
Given that an AA is data-blind, this implies that an AA service can deliver encrypted data to the device owned by a citizen. Further, to enable presentation of data received by the device, an AA client (front-end application) that is resident on the device of the citizen (such as a mobile app) may offer the feature of decrypting and presenting data. Under no circumstances is the decrypted data allowed to be stored on the servers of the AA, since that is in contravention to the principle of the AA being data-blind. |
| Stage | Finalised |
| Guideline No. | CDR002 |
| Purpose | To clarify if the citizen’s access to her own data also is based on the structure of an electronic consent artefact |
| Description | All sharing of data via an FIP’s service is to be done on the basis of an electronic consent artefact, regardless of whether the recipient of data is an FIU (a registered/regulated entity) or the citizen herself.
Hence, an AA must generate an electronic consent artefact even if the recipient of the data is the citizen herself and share the same with the citizen’s FIP. When the recipient is an FIU, a copy of the consent artefact is also shared with the FIU. When the recipient is the citizen herself, it is left to the AA to determine if the citizen (i.e. the device owned by the citizen) gets a copy of the artefact approved by her or not. This is to be discussed within the community. |
| Stage | Under deliberation |
| Guideline No. | CDR003 |
| Purpose | To clarify if a citizen may share her data with any other party, on her own through an AA’s mobile app installed on her device |
| Description | An AA’s mobile app may decrypt data, once data has been delivered by the AA service to the device of the citizen.
Such decrypted data may be presented to the citizen on the AA’s mobile app. It may also be shared by the citizen with any party of the citizen’s choice using commonly accepted digital methods – such as via email, whatsapp or any other sharing service that the citizen prefers. This feature is akin to what may be available to a citizen through the citizen’s own banking application, e.g. This is to be discussed within the community. |
| Stage | Under Deliberation |
| Guideline No. | CDR004 |
| Purpose | To clarify if a citizen may share her data with any other party, on her own, through an AA-owned library embedded within the third-party app. |
| Description | In addition to the guideline described in CDR003 (which applies to even this scenario), an AA must also ensure its fiduciary duty towards the citizen is met, if and when the AA partners with a third-party to offer a deeply-embedded journey.
Given that the charter of the AA is to enable either FIUs or the citizen’s device to be the destination of the citizen’s data, AAs are expected to serve only FIUs or the citizens with data-sharing capabilities. If an AA partners with an entity that is not an FIU (i.e. is not a registered and regulated entity) and enables convenience-mechanisms for citizens to share their data with such entities, does the AA have a fiduciary duty of ensuring safe-handling of data by such entities? Can the AA discharge such a duty, even if it has one? This is to be discussed within the community. |
| Stage | Under deliberation |
