Given the importance of data to the emerging fin-tech ecosystem, the RBI has introduced a new regulated entity, the “account aggregator”. An account aggregator provides, retrieves or collects financial information of a customer from financial information providers (“FIP”) and consolidates, organises and presents the information to such customer or any other RBI-approved financial information user (“FIU”), under a contract. A consent broker, in other words.
Only Non-Banking Financial Corporations that are registered with the RBI and have a minimum net-owned fund of ₹2 crores are permitted to undertake the business of account aggregation. These NBFCs are required to first receive the RBI’s in-principle approval, subject to any conditions that may be imposed, and are required to put in place the necessary technology, enter into operational tie-ups, and fulfil such conditions as imposed, within a period of 12 months from receipt of the RBI approval for grant of the certificate of registration to operate as an account aggregator.
An application form for registration should be submitted to the Department of Non-Banking Regulation of the RBI in Mumbai. The RBI considers the application for registration only if it is satisfied that:
If the RBI is satisfied with the criteria above being fulfilled, it would grant an in-principle approval with conditions, if any, to the account aggregator. This approval is valid for 12 months. During these twelve months, the account aggregator must set up a technology platform, execute all legal documentation required for its operations and report its compliance with the conditions of grant of the approval to the RBI. The RBI would then issue a certificate of registration with or without conditions.
The RBI’s directions also specify the duties and responsibilities of an account aggregator in carrying out its functions. This includes but is not limited to providing services based on the customer’s explicit consent, backed by appropriate agreements/authorisations between the account aggregator, the customer and the FIPs; ensuring appropriate mechanisms for proper customer identification; not storing any financial information of the customer accessed by the account aggregator from the financial information providers; not using the services of a third-party service provider for undertaking the business of account aggregation; having a citizen’s charter that explicitly guarantees protection of the rights of a customer.
The consent architecture envisaged under the directions stipulates that financial information of the customer shall be retrieved, shared or transferred by the account aggregator only with the explicit consent of the customer. That consent is recorded in a standardized format (the consent artefact) containing the identity and contact details of both the discloser and the recipient of the data, the nature of the data, the purpose of collection, and so on. The customer is entitled to revoke her consent at any point, and consent can be confined to specific information rather than the customer’s entire history. The customer also has the right to access a record of the consents she has provided and of the FIUs with whom the information has been shared.
The directions prescribe that FIPs will only share financial information of a customer on being presented a valid consent artefact by the account aggregator.
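As an added illustration of the consent flow described above (written for this note, not drawn from the directions, the ReBIT specification or any account aggregator’s code): a minimal model in which the aggregator keeps only a consent register, the FIP releases a record solely against a valid artefact that covers the requested data type, and the customer can inspect her consent history. The validity date and the FIP consulting the aggregator’s register as the revocation authority are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class ConsentArtefact:
    # Fields the directions name: identity and contact of the discloser (customer) and
    # the recipient (FIU), nature of data and purpose; valid_until is an assumed extra.
    artefact_id: str
    customer_id: str
    customer_contact: str
    fiu_id: str
    fiu_contact: str
    data_types: frozenset  # nature of data, e.g. {"deposit_statement"}
    purpose: str
    valid_until: date

class ConsentRegister:
    """AA-side consent log: artefacts and revocations only, never financial data."""
    def __init__(self):
        self._artefacts, self._revoked = {}, set()
    def grant(self, artefact):
        self._artefacts[artefact.artefact_id] = artefact
    def revoke(self, artefact_id):
        self._revoked.add(artefact_id)
    def is_active(self, artefact_id, today):
        a = self._artefacts.get(artefact_id)
        return a is not None and artefact_id not in self._revoked and today <= a.valid_until
    def consents_for(self, customer_id, today):
        # The record a customer may inspect: each consent, the FIU it names, its status
        return [(a.artefact_id, a.fiu_id, self.is_active(a.artefact_id, today))
                for a in self._artefacts.values() if a.customer_id == customer_id]

def fip_share(records, artefact, data_type, register, today):
    """FIP releases a record only against a valid artefact that covers that data type."""
    if not register.is_active(artefact.artefact_id, today):
        raise PermissionError("consent missing, revoked or expired")
    if data_type not in artefact.data_types:
        raise PermissionError("data type outside the consented scope")
    return records[artefact.customer_id][data_type]

def demo():
    # Constructed sample: one customer, one FIU, consent limited to deposit statements
    records = {"cust-1": {"deposit_statement": "stmt-001", "insurance_policy": "pol-009"}}
    today = date(2025, 1, 1)
    art = ConsentArtefact("c1", "cust-1", "c@example.test", "fiu-lender", "ops@lender.test",
                          frozenset({"deposit_statement"}), "loan underwriting", date(2025, 6, 30))
    reg = ConsentRegister()
    reg.grant(art)
    return records, art, reg, today
```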
The directions require that the business of an account aggregator be entirely Information Technology (“IT”) driven, with the adoption of the necessary IT framework and interfaces to ensure secure data flows from the FIPs to its own systems and onwards to the FIUs. In addition, the directions mandate that the account aggregator build adequate safeguards into its IT systems to ensure that it is protected against unauthorised access, alteration, destruction, disclosure or dissemination of records and data. Further, an ‘Information System Audit’ of the account aggregator’s internal systems must be undertaken at least once every two years by certified external auditors.
The RBI’s directions mandate that an account aggregator must have in place a board-approved policy for the handling and disposal of customer grievances and complaints. It must also have a board-approved policy for the pricing of its services, in strict conformity with the internal guidelines adopted by the account aggregator; that policy must be transparent and available in the public domain. Further, the account aggregator must have adequate internal mechanisms for reviewing, monitoring and evaluating its controls, systems, procedures and safeguards.
The directions make it imperative for an account aggregator to constitute an audit committee, and a nomination committee to ensure ‘fit and proper’ status of proposed/existing directors.
The directions also make mandatory the establishment of a well-documented risk management framework, which must include a sound and robust technology risk management framework; the strengthening of system security, reliability, resiliency and recoverability; and the deployment of strong authentication to protect access to customer data and systems.
This website is owned and operated by Spice Route Legal, and is exclusively meant to be a source of information on the firm, its practice areas, and its members.