Account Aggregators as a Solution to the Consent vs Convenience Debate

Introduction

Given the importance of data to the emerging fin-tech ecosystem, the RBI has introduced a new regulated entity, the “account aggregator”. An account aggregator provides, retrieves or collects a customer’s financial information from financial information providers (“FIPs”) and consolidates, organises and presents it to that customer or to any RBI-approved financial information user (“FIU”), under a contract. In other words, it is a consent broker: it moves data on the customer’s instruction and is neither the source nor the end consumer of that data.

Only non-banking financial companies (“NBFCs”) registered with the RBI and having a minimum net owned fund of ₹2 crore may undertake the business of account aggregation. Such an NBFC must first obtain the RBI’s in-principle approval, subject to any conditions the RBI imposes, and then, within 12 months of that approval, put in place the necessary technology, enter into operational tie-ups and fulfil the conditions imposed, before it is granted a certificate of registration to operate as an account aggregator.

An application for registration is submitted to the Department of Non-Banking Regulation of the RBI in Mumbai. The RBI considers the application only if it is satisfied that:

  • the company has the necessary resources and wherewithal to offer such services to customers;
  • the company has an adequate capital structure to undertake the business of an account aggregator;
  • the promoters of the company are fit and proper;
  • the general character of the management or proposed management of the company is not prejudicial to the public interest;
  • the company has a plan for a robust information technology system;
  • the company shall not have a leverage ratio of more than seven;
  • the public interest shall be served by the grant of the registration certificate; and
  • any other condition specified by the RBI.

If the RBI is satisfied that the criteria above are met, it grants an in-principle approval, with conditions if any, to the applicant. The approval is valid for 12 months, during which the applicant must set up its technology platform, execute all legal documentation required for its operations and report to the RBI its compliance with the conditions of the approval. The RBI then issues a certificate of registration, with or without conditions.

The RBI’s directions also specify the duties and responsibilities of an account aggregator in carrying out its functions. These include, but are not limited to:

  • providing services only on the customer’s explicit consent, backed by appropriate agreements/authorisations between the account aggregator, the customer and the FIPs;
  • ensuring appropriate mechanisms for proper customer identification;
  • not storing any financial information of the customer that it accesses from the FIPs (the account aggregator is a conduit, not a repository: it moves data under consent but must not retain it);
  • not using the services of a third-party service provider for undertaking the business of account aggregation; and
  • having a citizen’s charter that explicitly guarantees protection of the rights of a customer.

Consent Architecture

The consent architecture envisaged under the directions stipulates that financial information of the customer shall be retrieved, shared or transferred by the account aggregator only with the customer’s explicit consent. That consent is captured in a standardised format (the consent artefact) which records the identity and contact details of both the discloser and the recipient of the data, the nature of the data, the purpose of collection, and similar particulars. Because each artefact is scoped in this way, the customer can share specific information for a specific purpose instead of her entire financial history, and she may revoke the consent at any point. The customer also has the right to access a record of the consents she has given and of the FIUs with whom her information has been shared.

The directions prescribe that an FIP will share a customer’s financial information only when the account aggregator presents it with a valid consent artefact. In practice this places the release decision at the FIP: before releasing anything, it has to satisfy itself that the artefact is genuine, that it is still in force (not revoked by the customer), and that the information requested falls within the nature of data and purpose recorded in it.
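The following is an added example, not code from the page or from any account aggregator implementation, that models the consent artefact described above and the check an FIP performs before releasing data. The artefact fields, the HMAC key shared between the account aggregator and the FIP (standing in for whatever signing scheme a real deployment uses), the FIP looking up revocation status at the account aggregator, and the customer records are all assumptions made for illustration; the records are constructed sample data.

```python
# Added example of consent-gated data release. Not the RBI/ReBIT account-aggregator
# spec: field names, the shared HMAC key and the revocation lookup are assumptions.
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace

# Assumption: one key shared by the AA and the FIP authenticates artefacts.
AA_FIP_KEY = b"example-shared-key-not-for-production"

class ConsentError(Exception):
    """An FIP's refusal to release data; the message says why."""

@dataclass(frozen=True)
class ConsentArtefact:
    consent_id: str
    customer_id: str          # discloser of the data
    fiu_id: str               # recipient of the data
    fip_id: str               # provider that holds the data
    fi_types: frozenset[str]  # nature of data covered, e.g. {"DEPOSIT"}
    purpose: str
    tag: str = ""             # HMAC over the other fields, set by the AA

    def canonical(self) -> bytes:
        """Stable byte encoding of every field except the tag."""
        body = asdict(self)
        body.pop("tag")
        body["fi_types"] = sorted(self.fi_types)
        return json.dumps(body, sort_keys=True).encode()

class AccountAggregator:
    """Issues and revokes artefacts and keeps the consent log; stores no financial data."""
    def __init__(self, key: bytes) -> None:
        self._key, self._log, self.revoked = key, {}, set()

    def issue(self, consent_id, customer_id, fiu_id, fip_id, fi_types, purpose):
        draft = ConsentArtefact(consent_id, customer_id, fiu_id, fip_id,
                                frozenset(fi_types), purpose)
        tag = hmac.new(self._key, draft.canonical(), hashlib.sha256).hexdigest()
        self._log[consent_id] = artefact = replace(draft, tag=tag)
        return artefact

    def revoke(self, consent_id: str) -> None:
        self.revoked.add(consent_id)

    def consents_for(self, customer_id: str) -> list[dict]:
        """The record a customer may inspect: which FIU was given what, and status."""
        return [{"consent_id": a.consent_id, "fiu": a.fiu_id, "fi_types": sorted(a.fi_types),
                 "purpose": a.purpose, "revoked": a.consent_id in self.revoked}
                for a in self._log.values() if a.customer_id == customer_id]

class FinancialInformationProvider:
    """Releases data only against an artefact that passes every check in fetch()."""
    def __init__(self, fip_id: str, key: bytes, aa: AccountAggregator, records: dict) -> None:
        self.fip_id, self._key, self._aa, self._records = fip_id, key, aa, records

    def fetch(self, art: ConsentArtefact, requested: set[str]) -> dict:
        expected = hmac.new(self._key, art.canonical(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, art.tag):
            raise ConsentError("artefact not authentic")
        if art.fip_id != self.fip_id:
            raise ConsentError("artefact addressed to a different FIP")
        if art.consent_id in self._aa.revoked:  # assumption: the FIP can query the AA
            raise ConsentError("consent revoked")
        if not requested <= art.fi_types:
            raise ConsentError(f"out of scope: {sorted(requested - art.fi_types)}")
        return {t: self._records[art.customer_id][t] for t in requested}

def _outcome(call) -> str:
    try:
        call()
        return "released"
    except ConsentError as exc:
        return f"refused: {exc}"

def demo() -> dict[str, object]:
    """Runs the exchange on constructed sample records and reports each outcome."""
    aa = AccountAggregator(AA_FIP_KEY)
    fip = FinancialInformationProvider("FIP-BANK-1", AA_FIP_KEY, aa, {  # constructed records
        "CUST-42": {"DEPOSIT": {"balance": 12500.0}, "TERM_DEPOSIT": {"balance": 50000.0}}})
    art = aa.issue("C-001", "CUST-42", "FIU-LENDER-9", "FIP-BANK-1", {"DEPOSIT"},
                   "loan underwriting")
    forged = replace(art, fi_types=frozenset({"DEPOSIT", "TERM_DEPOSIT"}))  # widened, stale tag
    out: dict[str, object] = {
        "in_scope": fip.fetch(art, {"DEPOSIT"}),
        "out_of_scope": _outcome(lambda: fip.fetch(art, {"DEPOSIT", "TERM_DEPOSIT"})),
        "tampered": _outcome(lambda: fip.fetch(forged, {"TERM_DEPOSIT"})),
    }
    aa.revoke("C-001")
    out["after_revoke"] = _outcome(lambda: fip.fetch(art, {"DEPOSIT"}))
    out["consent_log"] = aa.consents_for("CUST-42")
    return out
```

The point of the model is that the FIP decides solely on the artefact it is handed: a request for data outside the artefact’s scope, an artefact whose scope has been widened after it was tagged, and an artefact the customer has since revoked are all refused, while the account aggregator keeps only the consent log and never the data itself. A real artefact would also carry a validity window and the parties would authenticate each other separately; both are left out here to keep the example to the consent checks.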

Data Security

The directions require that the business of an account aggregator be entirely Information Technology (“IT”) driven, with the IT framework and interfaces needed to ensure secure data flows from the FIPs to its own systems and onwards to the FIUs. The account aggregator must also build adequate safeguards into its IT systems so that records and data are protected against unauthorised access, alteration, destruction, disclosure or dissemination. Further, an ‘Information System Audit’ of the account aggregator’s internal systems must be undertaken at least once every two years by certified external auditors.

Other Obligations

The RBI’s directions mandate that an account aggregator have a board-approved policy for handling and disposal of customer grievances and complaints. It must also have a board-approved pricing policy, in strict conformity with its own internal guidelines, which must be transparent and available in the public domain. Further, the account aggregator must have adequate internal mechanisms for reviewing, monitoring and evaluating its controls, systems, procedures and safeguards.

The directions also require an account aggregator to constitute an audit committee, and a nomination committee to ensure the ‘fit and proper’ status of proposed and existing directors.

The directions further make it mandatory for the account aggregator to establish a well-documented risk management framework, which must include a sound and robust technology risk management framework; measures to strengthen system security, reliability, resiliency and recoverability; and the deployment of strong authentication to protect access to customer data and systems.
