We have been receiving many queries about the Account Aggregator ecosystem. Many of the questions we have answered here are from the workshops we have conducted so far. We will continue to update this as and when required.
- Introduction to DEPA and AA
- The Account Aggregator Framework in India
- AA Data Flows
- Technical Support to Operationalise AA
- The Account Aggregator App
- Providing Consent in AA Framework
- Sahamati AA, FIP, FIU Certification
- Revenue Model
- Legal
- Membership
Introduction to DEPA, AA
The Data Empowerment and Protection Architecture (DEPA) empowers every Indian with control over their data. It democratises access and enables secure portability of trusted data between service providers. It involves the creation of a standardized technology architecture implemented within the right institutional constructs.
DEPA’s technology architecture is an interoperable, secure, and privacy-preserving framework for data sharing through,
1. A technology standard for a machine-readable Consent Artefact;
2. Open APIs for data sharing; and
3. A standard for Financial information.
The consent artefact is designed to be Open, Revocable, Granular, Auditable, provide Notice, and maintain Security by design (ORGANS). Since data security and protection is a critical prerequisite for empowerment, DEPA also relies on the adoption of related standards for data storage and processing techniques.
DEPA’s institutional Architecture involves the creation of new market players knowns as Consent Managers who play the role of enabling consent management for the user. These Consent Managers are ‘data blind’ and will not see user data themselves; rather they will serve as a conduit for encrypted data flows.
The role of Consent Managers has been called out in the Economic Survey 2019, and has been termed in the Justice Srikrishna Committee Report as a ‘consent dashboard’. Consent Managers in the financial sector are known as Account Aggregators.
DEPA forms the final layer (more commonly known as the Consent Layer) of India Stack, a series of digital public goods designed to enable private market innovators to introduce improved digital services for India across a range of sectors. The other layers of India Stack include Aadhaar (including authentication and eKYC), the Unified Payments Interface, DigiLocker, and eSign.
An Account Aggregator is a Consent Manager for Financial Data: a new class of NBFC approved by RBI to manage consent for financial data sharing.
It was created through an inter-regulatory decision by Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), Insurance Regulatory and Development Authority (IRDAI), Pension Fund Regulatory and Development Authority (PFRDA) through Financial Stability and Development Council (FSDC). RBI licenses the AAs.
The market will have many AAs competing to cater to different users.
Account Aggregator Ecosystem Participants
What is the process of applying for an NBFC-AA license?
Please refer to the Master Directive issued by the RBI for complete details on getting an Account Aggregator license (NBFC-AA license).
Who are some of the Account Aggregators in India?
The list of account aggregators approved by the RBI is here. Also see the list of Banks, NBFCs using AA Framework.
The AA market has a number of competitors now. Why should one enter this market and how can an AA differentiate its business?
We believe there is enough space in the Indian market for many Account Aggregators.
- India’s scale & diversity needs many AAs to serve its needs
- There are a number of niche use cases and diverse user profiles with unique requirements
- There will always be room for innovations on modes of gathering informed consent to constantly improve the user experience
- AA can be a springboard to becoming a consent managing organisation for other sectors as they adopt similar frameworks (e.g. health)
What is a FIP?
FIP stands for ‘Financial Information Provider’ – the data fiduciary. FIPs are the institutions which hold your data, for e.g. For example, your Bank, NBFC, Mutual Fund Depository, Insurance Repository, Pension Fund Repository, etc
What is an FIU?
FIU stands for “Financial Information User’. An FIU consumes the data from an FIP to provide various services to the end consumer. For e.g. a lending Bank wants access to the borrower’s data to determine if a borrower qualifies for a loan. The lending Bank is the FIU. Banks play a dual role – both as a FIP and an FIU.
Is the Account Aggregator for individual consumers only?
No, AA is for any data controller – individuals and enterprises.
Which entities can participate in the AA ecosystem?
Companies regulated by any of the 4 regulators – Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), Insurance Regulatory and Development Authority (IRDAI), Pension Fund Regulatory and Development Authority (PFRDA) can be a FIP or FIU.
Are all banking entities mandated to join AA ecosystem?
No, players regulated by Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), Insurance Regulatory and Development Authority (IRDAI), Pension Fund Regulatory and Development Authority (PFRDA) are not mandated to be part of AA ecosystem.
However, the advantages of being part of AA will likely drive a pull based decision to join the AA ecosystem.
We are a Fintech startup not regulated by any of the regulators, but we have an excellent Use Case for our consumers which require the usage of AA. Can we be an FIU?
No, you cannot be an FIU or FIP if you are not regulated by one of the four regulators. Also, see Use Cases for AA framework.
As an AA, does an AA have to seek out, build partnerships with, and integrate with each new FIP or FIU separately?
No. The AA ecosystem is designed so that each FIP and FIU is enabled to work with every AA in the ecosystem network, rather than only with those with whom they have a bilateral situation. AA ecosystem is designed to support interoperability.
Once any FIP/FIU is certified and added to the Central Registry, any approved AA can connect with them. This Central Registry is akin the DNS server of the internet world.
We are in the home loan lending space. We are regulated by NHB. Can we be part of the AA ecosystem?
Under the present guidelines you cannot. However, please do contact us at info@sahamati.org.in
Data Flows
What kind of data can an FIU access through an AA?
Currently only asset based data is available (bank accounts, deposits, mutual funds, insurance policies, pension funds). Other data types are likely to be added over time.
Can the Account Aggregator view the customer’s data as it is shared to FIUs?
No. The data being transmitted through the AA is encrypted. Also, AAs are not allowed to store, process and sell the customer’s data. This is designed to ensure AAs do not have a conflict of interest when designing processes to obtain consent for access to user data.
As an AA, can it obtain access to individuals data with their consent to perform analytics?
An AA application, not the AA itself, will have access to the balances of your accounts. The decrypting of this happens on the device of the end customer. Very basic analytics can be done on the user’s device but will be limited because of the device’s horsepower.
Can an entity consume data but not share data. Can it be just an FIU and not a FIP?
Although initial market players will want to only be information users rather than providers, for the ecosystem to thrive players will need to be both information providers and users.
As per the principle of reciprocity, the entity needs to be a FIP first and then an FIU to ensure sustainability of the ecosystem
Examples include issuer/acquirer in UPI or a bank must report to then access credit bureau data.
Technical Support to Operationalise AA
Is any technical documentation related to being an AA available?
Please refer to our Resources section of the website. It has all the required technical and policy documents.
Please explain the technical steps for a FIP to connect with an AA.
Please see this document for the detailed steps.
Please explain the technical steps for an FIU to connect with an AA.
Please see this document for the detailed steps.
Our company is regulated by one of the four regulators mentioned above. We want to integrate with AA but we don’t have the technical expertise. How do we go about it?
- FinVu – Contact manoja@cookiejar.co.in
- Mindgate – Contact krishnakumar.c@mindgate.in
- OneMoney – Contact kp@onemoney.in or vamsi@onemoney.in
- Perfios – Contact srikanth@perfios.com
The Account Aggregator App
What does the AA app do?
Users sign up with an Account Aggregator on their mobile app or desktop app. This AA app shows the user all the consents given, revoked consents and a log of all data requests made by the FIU. You can revoke consents through this AA app.
Is an AA app specific to a particular account aggregator or is it a common app which will work across all Account Aggregators?
The AA app is designed by and specific to a particular account aggregator. For a user to access or work on another account aggregator they need to use the app of that particular account aggregator. Hence, the Account Aggregator login ID is not reusable across multiple AAs.
What does the linking of accounts mean in an AA app?
In the AA app, users need to link with their FIPs (bank accounts) by which a user can share the data from that FIP with an FIU.
The linking process requires users to enter a unique identifier by which the FIP can discover your account (e.g. PAN number, Customer Registration Number or mobile number – this is FIP specific).
The FIP will verify that the user is the owner of that account by sending an OTP.
Can the linking a user bank account to AA app be skipped when signing up with an AA?
Yes. An individual or business can create an account in an AA app and not decide to link any of their accounts. However, when a user gives consent to share data with an FIU, users will need to link accounts in your AA app.
Assuming the FIP has the data requested for, are they obligated to share it with the Account Aggregator? For e.g. FIU asks for 1 year of data, can FIP refuse to provide 1 year of data?
The FIP, if it has the requested data, is obligated to share the data.
How do you ensure that the FIU doesn’t use your data for other reasons than the reasons mentioned in the Consent Artefact?
The FIUs will have to adhere with the Data Governance guidelines to prevent misuse of data. The guidelines are being finalised together with ecosystem players and will be shared when complete.
How do you ensure that the FIU doesn’t use your data for other reasons than the reasons mentioned in the Consent Artefact?
The FIUs will have to adhere with the Data Governance guidelines to prevent misuse of data. The SriKrishna Report is the gold standard on Data Governance. Existing guidelines on security and privacy already exist for regulated entities by their sectoral regulators.
What is the unique identifier used by FIPs for discoverability? Is the unique identifier standardised across all Banks?
The identifier used for discovery is a verified Mobile Number, PAN, or a FIP Customer ID.
Can an user shut his/her Account Aggregator account?
Yes, the user can decide to close the account.
Providing Consent
Joint accounts which need authorization from multiple authorized signatories is common. How do you plan to get consent for such accounts?
The authorisation chain is derived from each FIP. The Account Aggregator will have workflows to support multi-stakeholder authorisation. The authorisation chain is derived from each FIP. The Account Aggregator will have workflows to support cases.
Can users revoke consent to share data?
Yes. All consent provided through AA is designed to be revocable, though revocability is Use Case dependent.
Can users port their Consent from one AA to another?
No.
What happens if the user revokes before the loan cycle is done?
For all business loans the consent will be irrevocable. For the loans given to individuals, initially the FIUs will raise a revocable consent (in the spirit of getting individuals accustomed to AA). If the individual revokes a consent, then the lender needs to engage with the borrower offline to find a remedy.
Certification
Why should a AA or FIP or FIU get certification?
Only certified modules of FIP/AA/FIU will be included in the Central Registry and able to seamlessly connect with a network of AAs.
What is the process of getting certification?
The automated API certification toolkit will help test the modules before the process of certification starts with an external auditor. Please contact us at info@sahamati.org.in for more information.
Revenue Model
What is the revenue model for Account Aggregators?
An Account Aggregator can charge the FIU or the end consumer (owner of data) for the data requested. An AA may not charge the FIP for the data, as this creates perverse incentives for the ecosystem.
Is the pricing standardised?
Each AA is free to fix the price it wishes to charge the FIU or consumer.
Legal
Getting agreements in place with all Account Aggregator for each FIU will be laborious. Can Sahamati help FIUs and AAs with the commercial agreements?
Please contact us at info@sahamati.org.in regarding the templatised legal agreements which the ecosystem could use.
Membership
If you are interested in becoming a member of Sahamati please fill this form.