Guideline No. UR001
Purpose To clarify the roles that an unregulated entity can play in the AA ecosystem
Description Entities that are not “registered and regulated” by one of the four financial sector regulators CANNOT be FIUs (as per RBI Master Directions) themselves. 

Such an entity however, can provide one or more of the following services to AA network participants (FIUs, FIPs, AAs):

  • Technology services – such as offering ready-implementations of API specifications, data analytics and user experience middleware, certification services.
  • Commercial services – such as being a reseller for an AA, offering reconciliation, billing and settlement services to AAs, FIUs, FIPs, e.g.
  • Lead generation services – such as providing a marketplace for FIUs and enabling AA front-end integration on behalf of FIUs
  • AA registration services – such as facilitating AA registrations (issuance of AA handles) via marketing partnerships and technical integrations with AAs, with AAs strictly in charge of authenticating and authorising citizens themselves before issuing handles
Stage Finalised
Guideline No. UR002
Purpose To clarify if unregulated entities can access the raw data of citizens, in any of the roles mentioned and guard rails thereof
Description Technology Service providers that offer data gateway and/or data processing services to FIUs are expected to get access to the raw data that citizens share with the FIUs. 

FIUs are expected to take explicit, informed consent from citizens for them to share raw data with such data processors. This is in addition to the consent that the citizen gives to the FIU, via an AA, and is expected to be taken by the FIU separately.Further, FIUs are expected to ensure all such outsourcing arrangements are in line with extant regulatory norms they are subject to.

Also, FIUs are expected to ensure that their data processors are legally bound to:

  • Delete all raw data, once the processing is done for the FIU
  • Not share the raw data or the insights therefore with any entity other than the FIU
  • Not store or use the raw data or insights therefore for its own purpose

Should a TSP offering just data gateway services (and not data processing) also be named by the FIU to the citizen and explicit, informed consent taken?

Stage Under deliberation
Guideline No. UR003
Purpose To clarify if a lead generator’s brand name can be displayed along with the FIU’s name, to provide context to the citizen on consent artefacts
Description A citizen may engage with an unregulated entity – such as a marketplace for financial services or a parent company’s app – for a financial service. During the course of the interaction, the citizen may provide consent to an FIU – that the unregulated entity serves. 

In such a situation, it would be useful for the citizen to see both the name of the FIU (to whom the consent is provided) and the unregulated entity (through whom the consent has been provided) on the AA’s interface.

The current version of the specifications do not provide for a separate field, other than FIU.

This has to be discussed within the community as to how to be resolved.

Stage Under Deliberation

Back to AA Community Guidelines Summary