Guideline No. | SD001 |
Purpose | To clarify the difference between “Data Life” and “Data Storage” for an FIU |
Description | Data Life – as defined in the open API specification of the electronic consent artefact, refers to the time window declared by an FIU for “processing” or “using” the data shared by a citizen, for the purpose declared.
E.g. a lender may declare a data life of 24 hours, to process the data shared by a borrower and underwrite the loan application. FIUs are expected to “delete” the data, after the Data Life time-window expires. However, the term “delete” is to be interpreted as a “Soft delete”, since it cannot contravene existing regulatory directives regarding long-term archival of data collected by the FIU. Thus, an FIU is expected to continue adhering to existing regulatory norms with respect to “storage of data”, where it is understood that such stored data is not meant to be “processed” or “used” in any manner, other than dictated by existing regulatory norms. |
Stage | Finalised |
Guideline No. | SD002 |
Purpose | To clarify if an AA stores financial data in its servers |
Description | AAs may operate in a “Store-and-forward” mode, i.e. in order to serve a data fetch request from an FIU (or from the citizen herself), the AA may fetch data from an FIP, store it on its servers and notify the FIU to pick such data up.
All data stored on the AA's servers is encrypted by the FIP using the ECDH algorithm, with key material generated by the FIU. This prevents the AA from being able to decrypt any data stored on its servers. Further, a maximum period of 6 hours has been codified as a best practice by the AA community for any such store-and-forward mechanism employed by the AA. This implies that if an FIU is not able to pick the data up within 6 hours of the AA notifying it, the AA is expected to delete all data stored. Such a “Delete” is expected to be a hard-delete and not a “soft-delete”, i.e. the data is not expected to be “archived” in a separate area by the AA. If the FIU picks the data up within 6 hours, the AA is expected to delete the data immediately after that. |
Stage | Finalised |
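The two retention behaviours described in SD001 and SD002 (the AA's 6-hour hard-delete on its store-and-forward buffer, and the FIU's soft-delete at the end of the declared Data Life) are modelled below as an added example; this is illustrative code, not part of the guideline text or of any AA implementation. It assumes the ciphertext is an opaque byte string (the FIP-side ECDH encryption and FIU key material are out of scope here), and treats "within 6 hours" as elapsed time not exceeding six hours; `AAStore`, `FIUStore`, `T0` and `hours` are names chosen for the example.

```python
"""Retention model for SD001 (FIU Data Life, soft delete) and SD002 (AA
store-and-forward, hard delete). Added example; not from the guideline text."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumption: the 6-hour window codified as AA best practice in SD002.
AA_STORE_AND_FORWARD_TTL = timedelta(hours=6)
# Constructed reference time so callers can reason in offsets.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


@dataclass
class StoredFetch:
    session_id: str
    ciphertext: bytes          # encrypted by the FIP for the FIU; opaque to the AA
    notified_at: datetime      # when the AA notified the FIU that data is ready


class AAStore:
    """AA-side store-and-forward buffer: hard delete on pickup or on expiry."""

    def __init__(self) -> None:
        self._items: Dict[str, StoredFetch] = {}

    def store_and_notify(self, session_id: str, ciphertext: bytes, now: datetime) -> None:
        self._items[session_id] = StoredFetch(session_id, ciphertext, now)

    def purge_expired(self, now: datetime) -> List[str]:
        """Hard-delete every item older than the TTL; no archive copy is kept."""
        expired = [sid for sid, it in self._items.items()
                   if now - it.notified_at > AA_STORE_AND_FORWARD_TTL]
        for sid in expired:
            del self._items[sid]
        return expired

    def pickup(self, session_id: str, now: datetime) -> Optional[bytes]:
        """FIU pickup: returns ciphertext and deletes it immediately (SD002)."""
        self.purge_expired(now)
        item = self._items.pop(session_id, None)
        return item.ciphertext if item else None

    def holds(self, session_id: str) -> bool:
        return session_id in self._items


@dataclass
class FIURecord:
    data: bytes
    received_at: datetime
    data_life: timedelta       # window declared in the consent artefact
    soft_deleted: bool = False  # retained for regulatory archival, not for use


class FIUStore:
    """FIU-side record: usable only within Data Life, archived afterwards (SD001)."""

    def __init__(self) -> None:
        self._records: Dict[str, FIURecord] = {}

    def ingest(self, session_id: str, data: bytes, now: datetime, data_life: timedelta) -> None:
        self._records[session_id] = FIURecord(data, now, data_life)

    def expire(self, now: datetime) -> List[str]:
        """Soft-delete records whose Data Life has elapsed; the row itself stays."""
        flipped = []
        for sid, rec in self._records.items():
            if not rec.soft_deleted and now - rec.received_at > rec.data_life:
                rec.soft_deleted = True
                flipped.append(sid)
        return flipped

    def process(self, session_id: str, now: datetime) -> bytes:
        """Return data for processing only while Data Life is still running."""
        self.expire(now)
        rec = self._records[session_id]
        if rec.soft_deleted:
            raise PermissionError(f"{session_id}: Data Life expired; archived only")
        return rec.data

    def archived(self, session_id: str) -> bool:
        """True while the record exists in any state (soft-deleted or live)."""
        return session_id in self._records


if __name__ == "__main__":
    aa, fiu = AAStore(), FIUStore()
    aa.store_and_notify("s1", b"\x01\x02", T0)          # constructed sample payload
    blob = aa.pickup("s1", T0 + hours(1))               # picked up in time
    print("AA still holds s1 after pickup:", aa.holds("s1"))
    fiu.ingest("s1", blob, T0 + hours(1), hours(24))    # lender declares 24h Data Life
    print("usable at +20h:", fiu.process("s1", T0 + hours(20)) == blob)
    print("soft-deleted at +30h:", fiu.expire(T0 + hours(30)))
```

The asymmetry is the point: the AA path ends in `del`, with nothing left to audit or leak, while the FIU path only flips a flag, because the record must survive for the archival period even though it may no longer be processed.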
Guideline No. | SD003 |
Purpose | To clarify storage norms for data that an AA collects or generates (PII, consent artefacts, transaction logs) |
Description | PII (Personally Identifiable Information)
An AA does not perform KYC of citizens and as such does not collect any KYC information, such as OVDs (officially valid documents) proving identity or address. An AA however collects and stores identifiers of its users, such as mobile numbers, email addresses, date of birth and PAN, as mandated by FIPs to facilitate discovery and linking of FIP accounts. All such PII is expected to be stored securely (employing IT best practices for data-at-rest and data-in-transit) by the AA. If a citizen closes his/her profile with an AA, all PII is expected to be archived as per extant regulatory norms applicable to NBFCs, i.e. for a period of 6 years.
Consent artefacts
All consent artefacts generated on behalf of citizens by an AA are expected to be stored, beyond the expiry of the artefact, for a maximum period of 6 years, as per extant regulatory norms. This is to be discussed and finalised within the AA community.
Transaction logs
All transaction logs spanning API interactions with FIUs and/or FIPs, and citizens’ activity logs spanning registration, discovery, linking and consent management, are expected to be stored as per extant information security best practices. This is to be discussed and finalised within the AA community. |
Stage | Under deliberation |
Guideline No. | SD004 |
Purpose | To clarify storage norms for FIPs and FIUs for data generated or collected by them |
Description | FIPs and FIUs collect copies of consent artefacts and generate transaction logs of API activity. FIUs, in addition, generate activity logs on their front-end pertaining to integrations with AA clients.
Consent artefacts
All consent artefact copies received from AAs are expected to be stored, beyond the expiry of the artefact, for a maximum period of 6 years, as per extant regulatory norms. This is to be discussed and finalised within the AA community.
Transaction logs
All transaction logs spanning API interactions with AAs are expected to be stored as per extant information security best practices. This is to be discussed and finalised within the AA community.
AA-integration activity logs
All activity logs pertaining to citizens getting redirected to AA client interfaces have to be stored as per extant information security best practices. This has to be discussed and finalised within the AA community. |
Stage | Under deliberation |