Consent Template CT019, finalized by the AA Use Case Council, defines the upper bounds for consents intended to help individuals access and analyze their own financial data within Account Aggregator (AA) apps.
Consent Template CT019 was created as a separate template to specifically address self-use scenarios on AA apps—where the customer is the direct consumer of their financial data. Unlike PFM (CT008) or WMS templates, which involve regulated Financial Information Users (FIUs) offering services like advisory or wealth management based on the customer’s data, CT019 is strictly for viewing and analyzing one’s own data, with no third-party involvement.
Guardrails for Usage of CT019
Guardrail: Security Preconditions for Enabling Self-Use Functionality
Self-use functionality enabled through CT019 must only be activated in AA apps (mobile or web) after implementation of robust security controls, including:
- Mandatory two-factor authentication (2FA)
- Device SIM binding to ensure account integrity
These controls are essential to prevent unauthorized access, especially in cases of device theft or SIM reallocation. The self-use feature must not be activated unless these minimum standards are met across the app ecosystem.
Guardrail: Download Restrictions and User-Controlled Sharing
While CT019 allows users to view their financial data, download functionality (if provided by the app) must adhere to the following safeguards:
- All downloaded files must be password-protected, with the password set or confirmed by the customer
- The app may allow manual file sharing, but auto-fetch or auto-sharing features are strictly disallowed
These measures ensure that customer data remains under the user’s control and is not inadvertently exposed or shared.
Sl. No | Consent Template Information | Description | Further Explanation |
---|---|---|---|
1 | Consent Template ID | CT019 | For Sahamati's internal records and explanation to the community |
2 | Status | Active | For Sahamati's internal records and explanation to the community |
3 | Use Case Category | Self Use consent on AA Apps | For Sahamati's internal records and explanation to the community |
4 | Use case | To access one's own financial information for self use | To analyze and generate insights on your financial data for your personal use, presented through an analytics dashboard on the Account Aggregator app. |
Last published on: | 8th Apr 2025 |
Fair Use Template Attributes - CT019
Sl. No. | Consent Details (Attributes) | Values (as agreed in the Council) | Rationale |
---|---|---|---|
1 | Purpose Text | To view your financial position on AA. As per ReBIT: Customer spending patterns, budget or other reportings | To ensure the purpose explicitly communicates the self-use intent of the template and excludes advisory or distribution elements, and to emphasise the view-only (not download) intent |
2 | Purpose Code | 102 | In line with the only purpose code for personal finance management |
3 | Purpose Code Category Name | Personal Finance | In line with the purpose code |
4 | FI Types | DEPOSIT, TERM_DEPOSIT, RECURRING_DEPOSIT, SIP, CP, GOVT_SECURITIES, EQUITIES, BONDS, DEBENTURES, MUTUAL_FUNDS, ETF, IDR, CIS, AIF, INVIT, REIT, GSTR1_3B, NPS | All FI types enabled on AA, to ensure customer is able to view them on their App |
5 | Consent Types | Profile, Summary, Transactions | Profile information is added to ensure customer is able to validate that the account is indeed his/her account. |
6 | Fetch-type | Periodic | In line with the PFM template CT008 rationale, to match the offerings of other apps which provide similar solutions or services to customers |
7 | Maximum Frequency | 45 per month | In line with the PFM template CT008 rationale, to match the offerings of other apps which provide similar solutions or services to customers |
8 | Maximum FI Data Range | 13 months for Non-SEBI FI Types; 10 years for SEBI FI Types | Trend analysis of the financial position requires historical data, as available in the FIP's records. Should not have any upper bound for this use case. |
9 | Maximum Consent expiry | 1 year | In line with CT004 and CT008 rationale |
10 | Maximum Data Life | 7 Days | Data should be stored on Customer's Device and not on the AA |
Last published on: | 8th April 2025 |
Please note that the parameters of the individual consent templates in the Consent Template Library represent upper bounds for the respective use cases, as decided in the relevant User Councils. The parameters in the consent templates should be treated by participant(s) as outer limit(s) and not be construed as legal advice in any manner. Participants are encouraged to review their use case(s) and ensure compliance with applicable laws, including the RBI Master Directions on NBFC-AA and the DPDP Act.
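A check of a consent request against the CT019 upper bounds in the attribute table, as an added example that is not Sahamati's or ReBIT's code. The request field names are hypothetical (not the ReBIT schema) and the sample requests are constructed; the FI data range is not checked because the page does not list which FI types are SEBI FI types, and fetch type is not checked.

```python
from datetime import datetime

# CT019 upper bounds, copied from the attribute table above.
CT019 = {
    "purpose_code": "102",
    "fi_types": set("DEPOSIT TERM_DEPOSIT RECURRING_DEPOSIT SIP CP GOVT_SECURITIES "
                    "EQUITIES BONDS DEBENTURES MUTUAL_FUNDS ETF IDR CIS AIF INVIT "
                    "REIT GSTR1_3B NPS".split()),
    "consent_types": {"PROFILE", "SUMMARY", "TRANSACTIONS"},
    "max_fetches_per_month": 45,
    "max_data_life_days": 7,
}

def one_year_after(start):
    """Same calendar date one year later; 29 Feb maps to 28 Feb."""
    try:
        return start.replace(year=start.year + 1)
    except ValueError:
        return start.replace(year=start.year + 1, day=28)

def ct019_violations(req):
    """List the ways `req` exceeds the CT019 bounds (empty list = within bounds)."""
    out = []
    if str(req["purpose_code"]) != CT019["purpose_code"]:
        out.append("purpose code must be 102")
    extra = set(req["fi_types"]) - CT019["fi_types"]
    if extra:
        out.append("FI types outside template: " + ", ".join(sorted(extra)))
    extra = {c.upper() for c in req["consent_types"]} - CT019["consent_types"]
    if extra:
        out.append("consent types outside template: " + ", ".join(sorted(extra)))
    # Simplification: only MONTH frequencies and DAY data-life values are accepted.
    unit, value = req["frequency"]
    if unit != "MONTH" or value > CT019["max_fetches_per_month"]:
        out.append("frequency must be at most 45 per MONTH")
    unit, value = req["data_life"]
    if unit != "DAY" or value > CT019["max_data_life_days"]:
        out.append("data life must be at most 7 DAY")
    start = datetime.fromisoformat(req["consent_start"])
    if datetime.fromisoformat(req["consent_expiry"]) > one_year_after(start):
        out.append("consent expiry exceeds 1 year")
    return out

# Constructed sample requests; EXAMPLE_FI_TYPE is a made-up value.
OK_REQUEST = dict(purpose_code="102", fi_types=["DEPOSIT", "MUTUAL_FUNDS"],
                  consent_types=["Profile", "Summary"], frequency=("MONTH", 30),
                  data_life=("DAY", 7), consent_start="2025-05-01T00:00:00",
                  consent_expiry="2026-05-01T00:00:00")
BAD_REQUEST = dict(OK_REQUEST, fi_types=["DEPOSIT", "EXAMPLE_FI_TYPE"],
                   frequency=("MONTH", 60), data_life=("MONTH", 1),
                   consent_expiry="2026-06-01T00:00:00")
```

Because the template values are outer limits, a request that asks for less (fewer FI types, a shorter expiry, a lower frequency) passes unchanged.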
Sahamati will publish additional consent templates as the AA ecosystem evolves based on discussions in the relevant Use Case Councils and the Fair Use Committee. Existing consent templates may also be revised based on statutory and regulatory guidance, including the DPDP Act and the Rules issued thereunder.