DigiSahamati Foundation (Sahamati) is a collective of the Account Aggregator ecosystem, being set up as a non-Government, private limited company. The RBI approved a new class of NBFCs in 2016 to act as Account Aggregators, whose primary responsibility is to facilitate the transfer of a user’s financial data with the user’s explicit consent. Their role is the transfer, not the storage, of a client’s data.
Account Aggregator (AA) is the construct/framework that addresses the above pain points and provides a digital platform for easy sharing and consumption of data from various entities with user consent. The architecture of AA is based on the Data Empowerment and Protection Architecture (DEPA) framework.
An Account Aggregator (AA) provides data to a Customer or Financial Information User (FIU) from a Financial Information Provider (FIP) based on the user’s explicit Electronic/Digital Consent. No financial information of the user is retrieved, shared or transferred by the Account Aggregator without the explicit consent of the user.
An AA merely acts as a conduit between FIUs and FIPs and does not process the data. An AA is ‘data-blind’ as the data that flows through an AA is encrypted and can be processed only by the FIU for whom the data is intended.
Financial Information Providers (FIPs) are the institutions which hold user data, for example a user’s bank, NBFC, mutual fund depository, insurance repository, pension fund repository, etc.
A Financial Information User (FIU) consumes the data from an FIP to provide various services to the end consumer. For example, a lending bank wants access to the borrower’s data to determine whether the borrower qualifies for a loan; the lending bank is the FIU. Banks play a dual role – both as an FIP and an FIU.
This document defines the certification requirements for each of the AA ecosystem members.
2. Certification Requirement and Scope
To become a part of the Account Aggregator ecosystem, the entities (FIPs, AAs and FIUs) need to adhere to the ReBIT guidelines for API and functional flow.
Only certified FIP/AA/FIU entities shall be included in the Central Registry and be able to seamlessly connect with a network of AAs. The certification shall help organisations demonstrate that they have fulfilled the specified technical and security controls as defined in the NBFC-AA API specifications published by ReBIT.
Hence, Sahamati has empanelled Aujas Network as an authorised body to conduct the mandatory certification process for all the AA ecosystem partners. Entities are required to get in touch with Aujas to undertake the certification process.
This document provides the certification framework for:
- Financial Information Provider (FIP),
- Account Aggregator (AA) and
- Financial Information User (FIU) to be part of the AA ecosystem
The scope of assessment and certification is limited to the FIP/AA/FIU Infrastructure only.
| Abbreviation | Description |
|---|---|
| FIP | Financial Information Provider |
| FIU | Financial Information User |
| NBFC | Non-Banking Financial Company |
| DEPA | Data Empowerment and Protection Architecture |
| RBI | Reserve Bank of India |
| SEBI | Securities and Exchange Board of India |
| IRDA | Insurance Regulatory and Development Authority |
| PFRDA | Pension Fund Regulatory and Development Authority |
| ReBIT | Reserve Bank Information Technology Private Limited |
| API | Application Programming Interface |
| AES | Advanced Encryption Standard |
4. Eligibility Criteria
Currently, only entities that are registered with and regulated by one of the four regulators – RBI, SEBI, IRDA or PFRDA – are allowed to be FIPs and FIUs.
- No entity other than a company shall undertake the business of an Account Aggregator.
- No company shall commence or carry on the business of an Account Aggregator without obtaining a certificate of registration from the RBI.
Provided that, entities being regulated by other financial sector regulators and aggregating only those accounts relating to the financial information pertaining to customers of that particular sector will be excluded from the above registration requirement.
5. Certification Path
The following section describes the certification path for AA ecosystem partners.
5.1 Certification Planning & Pre-requisites
Entities interested in being part of the AA ecosystem must:
- Qualify as per the “Eligibility Criteria” section of this document (Section 4)
- Comply with the latest ReBIT requirements for FIP/AA/FIU
Pre-requisites for the Self-assessment kit:
- Windows/Linux VM with at least the configuration below, accessible from the UAT environment of the application under test:
  - 4 CPU cores
  - 8 GB of RAM
  - 50 GB of HDD
- Docker pre-installed in the VM
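The pre-flight check below is an added example, not part of this framework or of the self-assessment kit itself: it encodes the minimums listed above (4 cores, 8 GB RAM, 50 GB disk, Docker present) and reports which ones a Linux host fails before the kit is run. The helper names, the `/proc/meminfo`, `nproc` and `df` probes, and the use of the root filesystem for the disk figure are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for a self-assessment kit host (not Sahamati's
# or Aujas's own tooling). Minimums are taken from the framework's prerequisites.
MIN_CORES=4
MIN_RAM_GB=8
MIN_DISK_GB=50

# check_prereqs CORES RAM_GB DISK_GB DOCKER(yes|no)
# Prints one line per failing requirement; returns 1 if anything fails, 0 otherwise.
check_prereqs() {
    cores=${1:-0}; ram_gb=${2:-0}; disk_gb=${3:-0}; docker=${4:-no}
    rc=0
    [ "$cores" -ge "$MIN_CORES" ]     || { echo "FAIL: $cores CPU cores (need $MIN_CORES)"; rc=1; }
    [ "$ram_gb" -ge "$MIN_RAM_GB" ]   || { echo "FAIL: ${ram_gb} GB RAM (need $MIN_RAM_GB)"; rc=1; }
    [ "$disk_gb" -ge "$MIN_DISK_GB" ] || { echo "FAIL: ${disk_gb} GB disk (need $MIN_DISK_GB)"; rc=1; }
    [ "$docker" = "yes" ]             || { echo "FAIL: docker not found on PATH"; rc=1; }
    return $rc
}

# Live probes for a Linux host (assumed: nproc, /proc/meminfo and df are available).
host_cores()   { nproc 2>/dev/null || echo 0; }
host_ram_gb()  { kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null); echo $(( ${kb:-0} / 1048576 )); }
host_disk_gb() { kb=$(df -Pk "${1:-/}" 2>/dev/null | awk 'NR==2 {print $2}'); echo $(( ${kb:-0} / 1048576 )); }
host_docker()  { command -v docker >/dev/null 2>&1 && echo yes || echo no; }

# Evaluate this machine against the minimums (disk figure is for the root filesystem).
check_host() {
    check_prereqs "$(host_cores)" "$(host_ram_gb)" "$(host_disk_gb /)" "$(host_docker)"
}

check_host && echo "PASS: host meets the self-assessment kit minimums"
```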
5.2 Automated Self-Assessment
The self-assessment is a mandatory and automated assessment performed by the AA ecosystem partners (both existing and new) via a self-assessment kit.
The self-assessment kit comprises checks for:
Technical controls: adherence to the API specification and to the functional flow specification is tested against the controls/specifications defined by ReBIT for the FIP, AA and FIU modules, respectively.
The output of the self-assessment check is a PASS/FAIL based on the evaluation of technical controls.
The technical controls must be evaluated quarterly to ensure compliance with ReBIT specification. The self-assessment report must be shared with Sahamati every quarter.
A certificate will be issued by the empanelled vendor, after evaluation of the output of the self-assessment check. Once a certificate is issued after the very first successful run of the toolkit against the FIP/AA/FIU system, it will be deemed valid unless the quarterly reports indicate a major non-compliance with the NBFC-AA specifications, as applicable at that point in time.
In the event of a non-compliance, appropriate opportunity for remediation will be available for the entity to rectify any issues found. Sahamati will facilitate discussions required for such remediation, keeping the interests of the entity and the overall AA ecosystem in mind.
We welcome technical feedback from developers and security researchers. Please contact us with your feedback.