Data Governance for the Account Aggregator Framework

The technical architecture and specifications for the Account Aggregator were built by a team of volunteers, who aim to build Digital Public Goods for India. With the Account Aggregators set to be operationalized soon, we also aim to have robust governance frameworks in place. 

To enable this we are setting up working groups and sub-committees, and invite volunteers for the same. Each sub-committee will comprise of an anchor and committee members.

We request you to read the details below carefully and write to us at info@sahamati.org.in only if you have the required expertise. 

Do keep in mind that volunteering might require a significant commitment of time and expertise, given that this is a pioneering initiative and there are emerging issues to be thought through.

The volunteers we are looking for should be technical experts with domain expertise in privacy-enhancing technologies, cryptography, enterprise architecture, lawyers with expertise in privacy, and information privacy auditors.

The DGWG has the following sub-committees with deliverables as follows:

Legal Sub-Committee

1.  Compile a list of all Indian laws along with corresponding rules that have a bearing on Data Governance, including the Personal Data Protection Bill, which has been tabled in the Indian Parliament. 
2. Similarly, compile a list of the regulations announced by the four regulators of the BFSI industry namely RBI, SEBI, IRDA and PFRDA.
3.  Based on points 1 & 2 prepare a master list.
4. Check for discrepancies and prepare a list which can be uniformly applied by all legal entities and regulators.

Technology Sub-Committee

1. Recommend best technology practices that can ensure data governance by all participants in the DEPA ecosystem.
2. Encourage the ecosystem to build Open Source tools for self-audits and self-regulation to ease the cost of audits for small businesses. Eg: Run a script to ensure all PII data is masked or anonymized as required.
3. Collaborate with organizations such as ReBIT and NPCI, to build a common logging framework defining minimum requirements for logs and metadata for all parties involved.
4. Prescribe a common set of tools & utilities for continuous compliance on principles and SLAs by FIPs, FIUs, and AAs. Apple’s App Store has a lightweight automated utility called “Notarization”.
5. Engage hardware vendors for secure generation of keys. For system-level implementations, keys should be generated securely from the hardware.
6. For customer purposes, commonly available software key generators (Eg: Google Authenticator) should be adopted as standard practice.
7. OTP-based authentication has several flaws at the telecom operator level. It is good for first-time transactions but should be replaced with software-based keys (eg: Google Authenticator) to ensure better security.
8. Establish a technical working group to deliberate, design, and evangelize technology and product roadmaps amongst all stakeholders. This group should curate and endorse certain common tools such as Postman, RAML, GraphQL.
9. Mandate public utilities, SDK integrations, and other technology distribution formats under permissive licenses, which encourage innovation and monopolies. The compliance should be extended to FIPs, FIUs, and AAs to ensure that none of the components used across the stack has licenses that may potentially conflict with the principles of the organization.
10. Advocate data collected from AA is used as per the consent artefact.  Set out Procedural Guidelines and Data Governance Guidelines for use of data.  Sahamati to audit and penalize violations.  Set out standards for tech solutions to store, monitor usage, control & limit data access, enforce consent and provide audit logs.  
11. No longer the data encryption alone is sufficient.  Data must be embedded with usage policies and Data Owner’s consent.  AA although is maintaining the consent of the consumer, when the data object comes to FIU, there is no disciplined way of enforcing the consent of the user. 
    
    It is the responsibility of the FIU to demonstrate the data collected from the consumer is used as per the consent that was provided. 
    
    You could get audited and penalized for any violations, details of which can be found in the Procedural Guidelines.
    
    Design an ecosystem based on RegTech for ensuring that data is used as defined in the consent artefact. Set out key principles and standards for such tech solutions that limit data access and usage based on consent.

Outreach Sub-Committee

1. Work with various industry bodies such as NASSCOM etc., empower industry bodies and to evangelize with the government and regulatory agencies to bring uniformity regarding data governance.
2. Publish white papers on data governance and conduct regular training programs.
3. Annual awards system for entities following the best practices should be instituted.

Audit Sub-Committee

1. Work with agencies such as IDRBT, DSCI etc., and prepare an audit checklist for FIPs, FIUs and AAs to follow based on regulatory requirements.
2. Prepare a policy for certification of technology service providers who are providing data governance products or services.

Do you have any feedback? Would you like to be part of any of the sub-committees? Write to us at info@sahamati.org.in only if you have the required expertise.