Guideline No. CR001
Purpose To clarify the mechanics of an FIU placing a consent request for a citizen (natural person) who has not yet registered with an AA
Description New-to-AA customers will either choose an AA or be presented with a recommendation by an FIU.

Once such a customer chooses the AA he/she wishes to use, the FIU may send a consent request to that AA, using the “Mobile Number” in the “Customer Identifier” attribute of the consent request, as per version 2.0.0 of the NBFC-AA Specifications.

This guideline is anchored on the principle that a customer, wishing to use an AA service, is in possession of a mobile device and an active SIM card.

Stage Finalised
Guideline No. CR003
Purpose To clarify whether an FIU can place a request for an irrevocable consent
Description There is currently no scope for a consent artefact to be deemed “irrevocable”. Consequently, there is no scope for a consent request to be placed, with the additional constraint that consent once given, should be irrevocable.

It is understood that there may be adverse consequences in terms of service availability from an FIU, if the consent provided to that FIU is revoked. The same is expected to be dealt with separately between the FIU and the FIU’s customer.

All consent requests placed in the AA ecosystem are deemed revocable.

Stage Finalised
Guideline No. CR004
Purpose To clarify what the max period of “data storage” is for an FIU and the difference between “Data Life” and “Data Storage”.
Description The consent request placed by an FIU includes a parameter called Data Life. This represents the period that the FIU may “process” the data, once consented to, by the customer.

This is however different from the “Data storage” policy that the FIU has. This policy stems from existing regulations and defines the maximum period that the FIU may keep the data, to aid in any queries, grievances or disputes that may arise later, much beyond the period for which the data is being processed.

The AA guidelines do not, in any manner, influence applicable data storage regulations.

Stage Finalised
Guideline No. CR009
Purpose To clarify what the term “FI Data Range” represents, for a use case that needs a look-ahead data-fetch (i.e. data fetches in the future)
Description If the purpose of seeking consent is to process data for a time-period into the future (e.g. a personal finance use case), the FI Data Range represents the entire range of time for which data is expected to be fetched.

E.g. If on August 1st 2022, the consent is being sought, for data to be fetched for 6 months prior and till 12 months into the future, the FI Data Range will be “From Jan 1st 2022” and “To July 31st 2023”.

Stage Finalised
Guideline No. CR011
Purpose To clarify if any consent request parameter can be modified by the citizen, on the AA interface, prior to approving the same
Description Modifying one or more parameters in the consent request may adversely affect the ability of the citizen to avail herself of the financial service from the FIU.

It is therefore best for the AA to enable a simple “Reject” option, which the citizen can exercise in case he/she does not agree to any parameter value in the consent request placed.

The FIU is then expected to send a fresh, corrected consent request. The interaction between the FIU and the customer, to do so, is outside of the purview of the AA’s role.

Stage Finalised
Guideline No. CR013
Purpose To clarify norms for how consent request attributes should be presented on AA Client interfaces to citizens
Description RBI Master Directions direct AAs as follows:

6.5 At the time of obtaining consent, the Account Aggregator shall inform the customer of all necessary attributes to be contained in the consent artefact as per paragraph 6.3 above and the right of the customer to file complaints with relevant authorities in case of non-redressal of grievances.

The requirement to “inform the customer of all necessary attributes” is to be implemented on AA client screens (e.g. web app, mobile app) in a manner that neither overwhelms the citizen nor makes the information incomprehensible.

The community has devised a set of norms as available here:

https://github.com/Sahamati/customer-experience-guidelines/blob/main/consent-guidelines.md

Stage Finalised