Towards the beginning of 2020, high-ranking government officials will preside over the launch of India’s Data Empowerment and Protection Architecture (DEPA). These high-profile launch plans for DEPA are commensurate with the high level of impact this system can generate. Similar to how UPI changed the payments landscape of India, DEPA has the potential to completely change the data landscape of the country.
This document offers a thesis on why venture capitalists should invest in the DEPA ecosystem, specifically in Account Aggregator (AA) companies. The latter part of the document addresses some common investor concerns around AAs.
Introduction: Data Protection And Consensual Data Sharing As A New Paradigm
Digitization has led to a rapid proliferation in the amount of data generated by each business and individual. While the number of online services and applications storing this data has increased dramatically, the fundamental architecture for managing it has not changed in equal measure. Most of the data generated by online activity still lie in closed silos, and individuals to whom the data pertains (the data principals) are not given much transparency into or control over their data flows.
Globally, there is consumer backlash over these antiquated data protection measures. Thanks to several high profile data breaches, data principals have become aware that not only is their data seldom protected adequately, it is also mined for the value that doesn’t accrue back to them. Popular documentaries like The Great Hack have helped contribute to an increase in demand for data protection policies, products, and services. New kinds of social networks and web browsers are tapping into the data empowerment zeitgeist by offering users a percentage of revenue earned from the use of their data.
In the Indian context, legislators have proposed groundbreaking personal data protection laws. Under the proposed Personal Data Protection Bill (Srikrishna Bill), data principals shall enjoy many new rights, including the rights to data confirmation/access, data correction, data portability, and the right to be forgotten (data deletion). The proposed laws also make consent a cornerstone of data processing workflows. Of particular relevance to this article is the emphasis on consent and the right to data portability (which means “securely move my data out of your silo to another location of my choosing”).
Although the Srikrishna Bill has not yet been enacted, regulators have already taken steps to presage it. RBI, SEBI, PFRDA, and IRDAI – the four financial service regulators in India – have made provisions for companies within their respective jurisdictions to conform to the DEPA framework. Under this framework, data principals will be able to easily and securely port their financial data between different service providers in a seamless and interoperable manner.
When hitherto closed data becomes open, users will have more freedom to protect their data as well as derive empowerment and value from it. From a business perspective, the greater availability of data will lead to a reduction in information asymmetry and a corresponding increase inefficiency. Individuals, small businesses, and enterprises will all find reasons to share their data with service providers in exchange for automation, aggregation, security, easier management, or some other form of value.
Under the DEPA guidelines, all data flows must occur only with the explicit consent of data principals. The Indian technology regulator has defined an electronic standard for consent, and RBI has created a new class of regulated entities called Account Aggregators (AAs) to serve as conduits through which data principals will manage their consensual data flows. Since AAs will serve as the bedrock of this new data empowerment and protection paradigm, it is important that they receive the understanding, funding, and support that they deserve. The rest of this article is concerned with reasons why investors should look seriously at funding AAs.
In summary, data protection and data empowerment are important trends that are emerging from both bottom-up (consumer demand) and top-down (regulator led) pressures. The Indian economy, in particular, is primed for a transformation in its data landscape. As a result of data portability rights, individuals and businesses will be able to unlock the value of their data that presently lies in silos.
As more data flows out from within these walled gardens, more efficiency will be generated for consumers and businesses, and this will result in a virtuous cycle necessitating a greater number of data protection and consent management platforms. Therefore, VC investors should be taking a keen and immediate interest in AAs and other participants of the DEPA ecosystem.
A Venture Capitalist’s Key Concerns Around Account Aggregators
This entire ecosystem and paradigm is still taking shape – why invest now when the Personal Data Protection Bill hasn’t even been enacted?
It is true that the ecosystem is still taking shape and that the right to data portability is not yet enforced across the entire economy. Nonetheless, it is being built out across the financial sector. RBI has issued a master directive which defines the responsibilities of AAs and Financial Information Providers (FIPs).
In effect, all entities regulated by RBI, SEBI, IRDAI, and PFRDA are being encouraged to open up their silos. Unlike UPI, which saw very little participation from big banks at launch time, DEPA already has the support of the major banks and NBFCs even pre-launch.
SBI, HDFC, ICICI, Indusind, Kotak, Axis, IDFC First, Bajaj Finserv, and DMI Finance are some of the players embracing DEPA from the get-go. These companies will be ready with their APIs for a developer launch by February 2020. As the system matures, it is expected that the long tail of smaller financial institutions will also follow suit.
Tax platforms such as CBDT and GSTN will become part of the network, bringing to the table millions of e-invoices and tax returns which can be used to underwrite and build efficient new financial products. Digilocker will become part of the network as a provider of KYC data.
RBI has also started awarding approvals to companies wishing to become AAs, so the ecosystem is maturing quickly for banks, startups, regulators, and Fintechs.
While the financial sector is already heading towards a full citizen launch of DEPA in mid-2020, the rest of the economy will likely follow suit once the Srikrishna Bill is enacted. When this happens, the total addressable market of Account Aggregators will be broadened exponentially.
Investors who dive in early will likely be rewarded with the best data and positioning capabilities as this ecosystem matures.
How big is the market size for AAs? Can an investment in an AA become big enough to return my entire fund?
First, consider an AA’s primary business model: AAs get paid when they facilitate a consent transaction. This means that when a user’s data flows out from a FIP (either to a storage location specified by the user eg. device/Dropbox or to a third party Financial Information User called an FIU), the AA is paid by the FIU for generating the consent required for the data flow. It is possible for AAs to create supplemental business models, but in this section, we will only consider the primary business model.
The fee an AA charges an FIU for a consent transaction is not standardized. There are some transactions which may cost more, and some transactions which may cost less. For this thought experiment, take an expensive transaction like a bank statement analysis. Today’s lenders pay Fintech companies around Rs. 250/user/month to scrape or parse financial data from bank statements, SMS, emails, or net banking accounts. This amount may be on the higher end for most transactions, so let’s say it costs a lender Rs. 100/month to get the data needed to effectively underwrite a new loan or manage an existing one.
The introduction of AAs will make accessing the same data easier and cheaper for lenders. Although the cost per consent request will probably start high and eventually lower as competition increases, let’s assume that a steady-state price of data collection comes down to Rs. 10/user/month for a lender using an AA. This is already 10x better than the current pricing, plus there will be extra efficiencies as the data coming from AAs will be standardized across different financial institutions and structured from the get-go.
Anyway, there are around 216 million active outstanding loans during a given month (according to RBI data), and a further 20 million new requests per month which hit the credit bureaus. Let’s round down the figure and say that in an average month, there will be 200 million requests for data coming from lenders towards AAs. This works out to 2.4 billion requests per year. At a price of Rs. 10 per transaction, that is 2,400 crores or $330m worth of potential business for AAs. If a unicorn is defined as a company which has $100m in ARR, the lending industry alone could finance the creation of 3 unicorn AAs.
It must be conceded that many of the assumptions in this example might be extreme (eg. 100% of new and existing loans make a call to AAs for data), but there are some balancing factors we have not considered in this thought experiment, including:
- How the short-term, low-ticket lending industry might explode with the introduction of AAs as well as the new real-time Public Credit Registry
- Other use cases for AAs including collecting consent for robo-advisory, personal finance management (PFM), aggregated buying, price comparison/savings, multi-insurance, and more
- Any revenue earned from outside India (if DEPA goes global the way UPI might do)
- Any revenue earned from outside the financial sector (once the Srikrishna Bill is passed and DEPA rolls out to healthcare, telecom, social media, entertainment etc)
- Any revenue from other business activities such as affiliate marketing, advertising, subscriptions, etc
In summary, the market size for AAs is definitely big enough to support a few unicorns. Although the example we chose here was rough-hewn, it illustrates that even a single use case for AAs can become big enough to create large companies which can return an entire venture fund.
Account Aggregators are utilities, and utilities don’t make money. All the value will accrue to FIUs who leverage the data.
As demonstrated in the previous answer, the market size for AAs is quite large even if we only consider revenue earned from a single-use case. We will challenge this revenue constraint in the next section but imagine for a moment that AAs can only operate as utilities. A keen observer might make out that several utilities have grown into massively profitable businesses.
Leaving aside successful digital utilities such as Verisign, let us focus on the example of credit bureaus. Credit bureaus provide data to FIUs, so the analogy with AAs makes sense.
Although the bureaus do provide a quantitative judgement along with the data they provide, most FIUs use the credit reporting agencies just to build a base layer of data upon which they run their own underwriting algorithms. Therefore, Experian, Equifax, and TransUnion are all effectively utilities, but each of these companies has net income > $400m.
The ‘Big 3’ have effectively created a worldwide oligopoly in the credit reporting industry, despite the fact that many countries have their own homegrown firms.
A similarly large opportunity could await Indian AAs once data protection and consent management become global industries.
Account Aggregators have a unidimensional business model
Account Aggregators primarily earn revenue from facilitating consent transactions. Having said that, there is nothing precluding a sister company of an FIU from building out complementary use cases and revenue streams.
- An AA could charge subscription fees to offer a differentiated high-trust service (similar to how ProtonMail charges a fee for providing a highly secure implementation of a free protocol – SMTP).
- An AA could also provide developer tools and middleware to FIPs and FIUs, such as API gateways for FIPs to manage their outbound data or a data governance tool to help FIUs manage their data properly.
- Additionally, AAs could also partner with companies to create an affiliate marketplace the same way PhonePe does. An AA with lots of users may find it lucrative to create discount or loyalty points tie-ups with brands.
- Lastly, advertising and other forms of attention mining could provide yet another source of revenue.
Startup AAs face very tough competition from the large corporate AA players
Businesses which are expected to be strategically and financially valuable will always face competition. The presence of large conglomerates such as Aditya Birla Group and Reliance Jio in the AA space indicates that there is indeed financial and strategic value in the industry.
An investor disheartened by the presence of these giant competitors may draw solace from Amazon’s victory over Barnes & Noble. In a rapidly evolving market, nimble and focussed companies will have an advantage over their slower and more diversified counterparts.
Startup investors who fear large corporate competitors may find that there are very few worthwhile businesses who do not at some point compete with the much larger and better-funded competition.
Account Aggregators all provide the same data, so there is no way for them to differentiate themselves
Although AAs all provide the same core service – gathering user consent to facilitate the flow of user data – there are several ways that AAs might differentiate themselves from one another.
For starters, AAs may choose to target different user bases. One AA might target wealthy, urban customers. Another might target poor, vernacular language or low-literacy customers. Yet another AA may target SMEs, while a competitor chases large enterprise customers. Each of these companies might have a different design, distribution, and product strategy, even though the core offering is the same.
Furthermore, as discussed above, AA sister companies can provide complementary solutions in addition to their customer-facing consent-collection application. These complementary solutions could be aimed at FIUs and FIPs, or they could be aimed at users. An example could be an analytics layer for FIPs and FIUs or a PFM application for users that would allow them to give consent and view/manage their finances all in one place.
Lastly, AAs will differentiate themselves based on the quality of their product. Design, UI/UX, compatibility, and technical reliability/uptime will all be factors upon which an AA can differentiate themselves.
To conclude, consider the analogy of the airline industry. Every airline in the world has the same underlying product (either an Airbus or a Boeing plane), but the companies in this space still find ways to differentiate themselves and create strong business and brand moats.
Global sentiment is turning increasingly in favour of secure and consensual systems for managing personal data. Countries have already begun implementing open banking standards as a means of empowering consumers to take control of and monetize their financial data.
Through its DEPA framework, India has gone beyond open banking to create a standard that will initially apply to the entire financial sector but will soon extend to the whole economy.
In order for this system to achieve its gargantuan potential, entrepreneurs and risk-takers must be encouraged to build upon the open infrastructure. Venture capital is the raw material for entrepreneurship and risk-taking. Therefore, venture capitalists have a crucial role to play in advancing innovation and accelerating the growth of an India-first industry which will almost certainly go global.
The gatekeepers who stand to benefit the most from the introduction of DEPA are the Account Aggregators who manage consent and enable secure data sharing to take place. Not only will these companies earn considerable revenues from their primary business, but they will also benefit from their vantage point as consumer-facing intermediaries in data flows.
For these reasons, VCs would be well advised to begin incubating and funding entrepreneurs to go out and begin building businesses in the account aggregation industry.
- Overview of Data Empowerment and Protection Architecture (DEPA)
- Account Aggregators in India
- Electronic Consent Framework by MeitY
- Technical Specifications of AA Ecosystem
- Nandan Nilekani introducing the Account Aggregator at CUG on July 25, 2019
About the Author
Aaryaman Vir is the founder of Prophetic Ventures, an early-stage investment company. Aaryaman is a believer in the power of open platforms; since September 2019, he has been volunteering with the iSPIRT Foundation to spread awareness of DEPA and the massive potential borne of this open public infrastructure.