Reconciling the Account Aggregator and Consent Manager Frameworks
India’s emerging data protection framework adopts a distinct techno-legal approach, combining robust technological standards with well-defined legal principles to safeguard user data. The Account Aggregator (AA) ecosystem, designed to empower individuals with secure and consent-driven financial data sharing, aligns closely with this regime.
The Digital Personal Data Protection (DPDP) Act, 2023 embeds the concept of a consent manager as integral to deploying the new data protection regime in the country. The much anticipated Draft DPDP Rules, 2025 (“Draft DPDP Rules”) shed more light on the conditions and process of registration of Consent Managers, as well as their obligations and nature of activities.
Consent Manager regime:
Section 6(7) of the DPDP Act creates an enabling framework that allows Data Principals to give, manage, review and withdraw their consent to a Data Fiduciary through a Consent Manager. Notably, Consent Managers are defined such that they must act as a single point of contact for the Data Principal and provide an accessible, transparent and interoperable platform.
Part A of the First Schedule of the Draft DPDP Rules provides the requirements for registration with the Data Protection Board (“DPB”) – these include requirements as to minimum net worth and independent certification of their platform against the data protection standards and assurance framework notified by the DPB, apart from other fit and proper criteria.
The Draft DPDP Rules shed light on the roles and responsibilities of Consent Managers vis-à-vis Data Principals. Among other things, the illustrations to Item 1, Part B, First Schedule of the Draft DPDP Rules suggest two broad models that Consent Managers can enable:
- Provide a consent management platform, while data is shared asynchronously
- Provide a consent management platform which also allows synchronous data sharing
Consent Managers are envisioned to empower Data Principals over their digital personal data by providing a single point of contact to control their consent, i.e., the ability to give, manage, review and withdraw their consent for sharing/using their digital personal data. They have the potential to play a key role in India’s context, across its range of Data Principals spanning languages and varying levels of digital literacy.
Account Aggregator framework – An existing population-scale consent management framework in the financial sector:
While the DPDP Act recognises the Consent Manager framework as integral to India’s data protection regime, the financial sector regulators have, under the Master Directions – Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016 (“RBI Master Directions on AA”), already introduced consent management for the financial sector through specialised regulated entities, i.e. NBFC-AAs. Today there are 17 NBFC-AAs with an operational licence from the RBI and one further NBFC-AA with an in-principle licence from the RBI.
The AA ecosystem today is a Digital Public Infrastructure (DPI) operating at scale:
- More than 600 financial institutions (regulated entities) participate in the AA framework, including large public and private financial institutions regulated by the Reserve Bank of India, Securities and Exchange Board of India, Insurance Regulatory and Development Authority of India, Pension Fund Regulatory and Development Authority, and Department of Revenue (DoR) under the Ministry of Finance, Government of India.
- With all large financial institutions joining the AA framework, around 60% of the financial accounts (2.12 billion out of more than 3.5 billion financial accounts) of the country have the facility of sharing data and managing consents using AAs.
- 16 financial information types can be shared via the AAs.
- More than 140 million consent requests have been successfully fulfilled using AAs as of December 2024 and it is estimated that almost 7-8% of the Indian population has already registered with AAs to give and manage their consents for sharing financial data.
- The AA ecosystem is rapidly growing at a month-on-month growth rate of 13% in relation to cumulative consent requests.
- The entire AA framework is based on open standards and APIs, which allow population-scale implementation, are designed for competition amongst Consent Managers, and make technical interoperability straightforward.
Operationalising the cross-regulatory framework for finance:
Given the cross-regulatory nature of the AA ecosystem, there were several areas requiring technical, operational and legal alignment across the four financial sector regulators. Sahamati, as an industry-led organisation, worked extensively with all relevant regulators and stakeholders, including Reserve Bank Information Technology Pvt Ltd (ReBIT, a wholly-owned subsidiary of the RBI), to play a guiding role in the healthy development of the AA ecosystem, including through various participatory governance forums. In our experience, the AA ecosystem could not have scaled without a strong technical foundation, rooted in well thought-out and comprehensive consent artefacts and data schemas for the various kinds of financial data shared across the AA ecosystem.
In parallel, Sahamati worked with the industry to develop various participatory governance tools such as the Fair Use Template Library, an industry-driven collection of templates for known use cases in the AA ecosystem, each representing upper thresholds for the values embedded in the ReBIT consent schema.
Institutionalising Account Aggregators as Consent Managers for the financial sector:
Introduction of the Consent Manager paradigm under the DPDP regime presents a huge opportunity to operationalise, and further institutionalise Account Aggregators as the Consent Managers for financial data. Below is a quick analysis of the key aspects from both frameworks:
Application and Registration criteria: These are largely the same for AAs and CMs. Since AAs are already regulated entities with demonstrated credentials and operational infrastructure, it is crucial to provide business and regulatory certainty to the ecosystem. In this construct, it is important that the DPB deems and/or registers all operating AAs as Consent Managers under the DPDP Act.
Scope of coverage: While registered Consent Managers may engage with Data Fiduciaries and Data Principals in respect of any personal data, the RBI Master Directions on AA limit the scope for AAs by restricting them to ‘financial information’ as defined therein. There does not appear to be any requirement under the DPDP regime for Consent Managers to handle every kind of personal data. To this extent, both regimes can be read harmoniously by registering AAs as Consent Managers for the financial sector. This is especially relevant in the context of Illustration 2 to Item 1, Part B, First Schedule of the Draft DPDP Rules, which describes the role and function that may only be carried out by an entity holding a valid NBFC-AA license.
Restriction on business activity: While the RBI Master Directions on AA restrict AAs from carrying on any business other than the business of account aggregation, no such restriction appears to be imposed on CMs. That said, the two regimes can be harmoniously read by permitting AAs to operate as specialised CMs for the financial sector.
Restriction on outsourcing: Both AA and CM regimes have similar restrictions on outsourcing their statutory functions and obligations.
Restriction on reading underlying personal data: The RBI Master Directions read with the ReBIT specifications impose a similar restriction on AAs, as that on CMs under Item 2, Part B, First Schedule, Draft DPDP Rules. To this extent, the two regimes are aligned.
Maintaining logs of consent artefacts: Both the RBI Master Directions on AA and the Draft DPDP Rules obligate the AA and CM respectively to maintain logs/ records of the consent artefacts created/ managed through it.
Standard setting: ReBIT has laid down detailed technical specifications and requirements for AAs. For CMs, this responsibility has been entrusted to the DPB. To avoid any disruption to the AA ecosystem, it is crucial that the DPB adopts the existing standards prescribed by ReBIT for financial data, and similarly those developed by the National Health Authority (NHA) for health data.
Notice/ Consent Requirements: All the principles underlying notice and consent are built into the AA framework through the RBI Master Directions on AA and the ReBIT specifications, in terms of purpose limitation, usage limitation, collection limitation, explicit consent, etc. Further prescriptions under the DPDP regime will only enhance the existing operations of the AA framework, which has operated on a notice and consent basis since the very beginning. Thus, both regimes are aligned in this respect.
Mode of interoperability: The AA framework is based on federated interoperability, in which all AAs operate on standard open protocols and APIs, which makes it technically easy for all Financial Information Users (FIUs) and Financial Information Providers (FIPs) to integrate with every AA. FIPs are not mandated to work with all AAs, and some cite operational and compliance challenges as a hurdle to doing so. MeitY has similarly clarified that it is not mandatory for Data Fiduciaries to integrate with CMs. Hence, to this extent, interoperability can be guaranteed under both regimes as long as all AAs/ CMs operate on common underlying technical specifications, such as those laid down by ReBIT and those to be prescribed by the DPB.
Grievance Redressal: The RBI Master Directions on AA, as well as the DPDP Act read with the Draft DPDP Rules, require AAs and CMs respectively to publish details of their grievance officer and to have a policy on the timelines for resolving grievances received. To this extent, the two regimes are aligned. That said, it remains to be clarified where an appeal may lie. In this context, it is important to note that the recourse under the RBI Master Directions on AA is broader, as it covers appeals by all customers and is not limited to natural persons, unlike the DPDP Act, which only provides recourse to a natural person.
To this extent, additional legal clarity would be important to streamline the appeal process. One potential way to harmonise the two frameworks could be based on a reading of Section 38 of the DPDP Act, such that recourse to the DPB serves as an avenue for a Data Principal in addition to an appeal before the RBI. In other contexts of regulatory overlap, there are judicial precedents holding that the relevant sectoral regulator, i.e. the RBI in this case, takes precedence over the subject-matter regulator/adjudicator, i.e. the DPB in this case. Such a reading would also ease the burden on the DPB, which could further investigate and make a determination based on the findings of the RBI in a particular matter. This interpretational clarity can be built over time through the decisions of the relevant fora and does not require any amendment to the Draft Rules per se.
Other existing frameworks for consent management:
It is also worth noting other consent management frameworks at this point, notably the Health Locker, an initiative of the National Health Authority, and Agri Stack, driven by the Ministry of Agriculture and Farmers Welfare. These too are at an advanced sandbox stage in their respective domains, enabling data principals to manage their consents and the sharing of health and agricultural data respectively. In these sectors too, much work has been done to lay out comprehensive consent artefacts and data schemas.
Conclusion:
Given that the Account Aggregator and other frameworks are built to operate at population scale, allowing the registration of sector-specific consent managers makes the most sense. The existing frameworks also present an opportunity for the DPB to draw on the learnings from these sectors while designing and building the framework for operationalising consent managers in India more widely.
In this context, it would be crucial to ensure that RBI, MeitY, the upcoming DPB and all relevant ministries remain aligned on the vision for Consent Managers in India, avoiding disruptions and ensuring continuity and a harmonious blending in of the Account Aggregator and Consent Manager regimes in India.
Sahamati has also shared detailed inputs with MeitY on the Draft DPDP Rules specifically in the context of reconciling the Account Aggregator and Consent Manager frameworks, which can be found here.