In today’s fast-changing digital world, data has become the new currency, and managing it securely is paramount. In India, the Account Aggregator (AA) framework emerges as a game-changer in the financial ecosystem, giving individuals control over their financial information.
Through its efforts to simplify data sharing, address consent challenges, and establish a standardized approach, the AA framework proves to be of substantial value for FinTech companies. Its role in implementing key rights outlined in the Digital Personal Data Protection Act, 2023 (“DPDPA”) positions it as a contributor to a user-centric, secure, and efficient approach to future financial data management. This article aims to examine the benefits that the AA framework offers, highlighting its role in shaping financial data management practices in India.
Empowering financial data sharing:
AAs play a vital role in ensuring secure and authorised sharing of financial information across various entities within the financial ecosystem. These entities operate as licensed intermediaries and mediate the real-time transfer of financial data, facilitated by the explicit consent of the individual whose data is being shared. AAs are regulated by the Reserve Bank of India (RBI) under the Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016 (“AA Master Directions”). They operate within a framework overseen by Sahamati, an industry umbrella organisation providing self-regulation.
Partner
JSA
Global context and uniqueness:
India’s AA framework is the first of its kind. Globally, there is no open infrastructure for financial data sharing, like the AA framework in India. Its closest parallel is the Singapore Financial Data Exchange. However, unlike the AA framework, it is set up and run by the government and is not based on an open, interoperable infrastructure or open for private participation. Other countries like the US, UK, China and Middle Eastern countries have open banking frameworks which facilitate financial data sharing, but such frameworks do not contemplate the setting up of separate entities to undertake such data sharing. India’s AA framework thus emerges as a unique and innovative approach, reshaping global paradigms by introducing transparency, interoperability, and accessibility to financial data sharing on an unprecedented scale.
Origins and objectives of the AA framework:
Introduced by the RBI in 2016 as a part of the Data Empowerment Protection Architecture (DEPA), the AA Master Directions’ primary objective is to facilitate the aggregation of an individual’s entire financial data and make it secure, transparent, and efficient. This is achieved by establishing an intermediary responsible for managing customer consent, utilising technology to ensure a user-friendly process. The RBI developed the AA framework with a dual purpose. Firstly, it aimed to decentralize the data sharing ecosystem, creating an open, inclusive space for new participants. Notably, RBI prohibits AAs from undertaking any business apart from the AA business. This furthers RBI’s goal of discouraging monopoly, removing dependency on one or few entities and ensuring free access to the data and infrastructure. Secondly, the framework sought to streamline the flow of information, ensuring that individuals across India have convenient access to a wide range of financial services.
General Counsel
Setu
Consent mechanism and data security:
AAs operate as tech-first intermediaries, enabling financial information users (RBI-regulated entities) to access user data available with financial information providers with the user’s consent. It eliminates the need for physical documentation and cumbersome verification processes. Consent in the AA framework is obtained through a standardised ‘consent artifact,’ a file containing all details related to the consent, forming an audit trail. A notable feature of the AA framework is the data-blind nature of AAs, ensuring encryption of all handled data, with AAs having no visibility on its contents.
Interplay with DPDPA:
The AA framework, designed to facilitate secure financial data sharing with user consent, bears significant parallels to the recently enacted DPDPA. Both frameworks prioritize the central concept of user consent, with the DPDPA introducing ‘consent managers’ akin to AAs. This alignment establishes a standardized approach to data sharing and protection. The AA framework also provides technical standards which could serve as a valuable reference for establishing consent mechanism and setting up consent managers. FinTech companies stand to benefit by leveraging the established practices of the AA framework, potentially easing compliance burdens under the DPDPA. AAs, already implementing key rights enshrined in the DPDPA, create a harmonized and integrated approach to data privacy, transcending industry boundaries. This interplay not only reinforces user-centric consent management but also positions AAs as valuable references for establishing consent mechanisms, thereby streamlining compliance efforts for FinTech firms.
Conclusion
The AA framework empowers individuals with greater control over their financial data, fosters FinTech innovation, and paves the way for a robust data privacy ecosystem in India. With continued refinement and collaboration, the AA model can be a shining example of how technology can empower individuals and usher in a new era of data-driven prosperity.
