| Guideline No. | FUR001 |
|---|---|
| Purpose | To clarify the definition of FIUs |
| Description | As per the RBI Master Directions, only entities that are both "registered with and regulated by" one of the four financial sector regulators (RBI, SEBI, IRDAI, PFRDA) are eligible to be an FIU. Conversely, entities that do not hold a certificate of registration from any of the four financial sector regulators cannot participate as an FIU. Further, it is implicitly understood that the use case/purpose for which an FIU seeks to process the citizen's data is permitted under the FIU's licence charter. It is the FIU's responsibility to assure itself, and the rest of the ecosystem, of the permissibility of its use case/purpose. |
| Stage | Finalised |
| Guideline No. | FUR002 |
|---|---|
| Purpose | To clarify the fiduciary obligation of an FIU |
| Description | The term "fiduciary obligation", in the context of an AA, implies that an FIU has an obligation to prudently take care of the data principal's data (the "asset") and to establish a relationship of trust. This also means that the FIU has an obligation not to profit from its fiduciary duty without the knowledge and consent of the data principal. The direct implication of this for an FIU's behaviour is: The key question to be deliberated by the community: an FIU may not have a fiduciary relationship with a citizen for the regular business that it is chartered to perform. For example, an insurance web aggregator does not have a fiduciary relationship with an insured party, while an insurance broker does. Both, however, can be FIUs since they are registered with a regulator. Can an insurance web aggregator seek consent from citizens to procure data and discharge its fiduciary obligation towards safeguarding that data, even though the larger context of what it offers citizens (a portal to discover offers) is not based on a fiduciary relationship? |
| Stage | Under deliberation |
| Guideline No. | FUR003 |
|---|---|
| Purpose | To clarify whether an FIU may have multiple entries in the central registry |
| Description | An FIU may have multiple deployments of its FIU gateway, either to serve different departments within the FIU or as a technical redundancy measure. Each such gateway may have its own public IP and its own public keys. In the current version of the central registry and token service, each such gateway will have its own entry, with its own unique FIU ID. |
| Stage | Finalised |
| Guideline No. | FUR004 |
|---|---|
| Purpose | To clarify whether a holding company that is not itself a registered and regulated entity can be considered an FIU |
| Description | Only entities that are directly "registered with and regulated by" a financial sector regulator can be considered an FIU. Any other entity, including the parent/holding company of such an entity, is not considered an FIU. |
| Stage | Finalised |
| Guideline No. | FUR005 |
|---|---|
| Purpose | To clarify whether an FIU is obligated to integrate with all licensed AAs |
| Description | Citizens should be free to choose which AA they set up a profile with. Once that choice is made, all FIUs ought to respect it and direct their consent requests to the citizen's chosen AA. This implies two principles to guide FIU user journeys: It is therefore also necessary for FIUs to find out whether a citizen already has an AA profile, so that the above principles can be implemented. This is being discussed in the AA community. |
| Stage | Under deliberation |
| Guideline No. | FUR006 |
|---|---|
| Purpose | To clarify whether FIUs can "discover" which AA a citizen already has a profile with, in order to direct citizens to that AA by default |
| Description | AAs may offer a standard API that allows FIUs to verify whether a citizen (identified through the mobile number) is already registered with them. This would enable FIUs to avoid asking the citizen to recall his/her VUA or, worse, forcing the citizen to re-register with a different AA altogether. This is currently being discussed within the AA community. |
| Stage | Under deliberation |
| Guideline No. | FUR007 |
|---|---|
| Purpose | To clarify whether AA handles issued by AAs can include the brand name of an FIU |
| Description | FIUs play an important role in encouraging citizens (their customers) to use AA. FIUs also partner with one or more preferred AAs for new customer registrations initiated in the course of their own digital journeys. FIUs may be interested in ensuring that AA handles issued after registration include the brand name of the FIU. This serves as encouragement for FIUs to further use the "AA Handle" as a marketing tool to nudge usage within their own products and services. This needs to be discussed further within the AA community. |
| Stage | Under deliberation |