Explained: RBI's Account Aggregator Framework

tl;dr

The Reserve Bank of India’s Account Aggregator framework went live on 2nd September this year. The government has claimed that the framework will have a transformative impact on the financial ecosystem, and the financial sector is abuzz with hype about the revolutionary potential of Account Aggregators. However, are things really going to be that hunky dory? In this explainer, we take a look at what this framework really is and highlight certain issues that may arise.

What are Account Aggregators?

The Account Aggregator framework, introduced by the RBI, aims to make financial data more accessible by creating data intermediaries called Account Aggregators (AAs). An AA collects a user's financial information from the entities that hold it, called Financial Information Providers (FIPs), and shares it with the entities that request it, called Financial Information Users (FIUs), after obtaining the user's consent.

For example, if a user wishes to apply for a loan, the lender (an FIU) will require access to the previous financial statements of the user - which reside with the user’s Bank (an FIP) - in order to check their creditworthiness. Here’s how an AA will facilitate the flow of information:

  1. The FIU will request the AA to share the desired financial information.

  2. The AA will request the user's consent to share the financial information with the FIU. The AA must interact with the customer through either a web-based or a mobile app-based client.

  3. If the user consents, the AA will request the FIP (the user's bank in this case) to share the financial information.

  4. The FIP will transfer the information, in encrypted form, to the AA, which will then forward it to the FIU.
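The four steps above, as an added example written for this post rather than code from the RBI, Sahamati or any AA: a Python simulation in which the AA acts purely as a consent manager and relay. Everything in it is an assumption for illustration: the fields of the consent artefact (purpose, data types, expiry), the per-FIU keys the FIP uses, the stand-in cipher built from HMAC-SHA256, and the sample bank records are all constructed. One point the step list leaves open is whether "encrypted" means the AA itself can read the data; the example takes the stricter reading and has the FIP encrypt its payload for the FIU, so the AA checks the consent and forwards ciphertext it cannot decrypt. It also shows the checks a practitioner would want to see: a request made before consent, by a different FIU than the one named in the consent, or after the consent has expired is refused.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Stand-in cipher (assumption, not the framework's spec): HMAC-SHA256 keystream
# plus an HMAC tag, so nothing beyond the standard library is needed. A real
# deployment would use a vetted AEAD such as AES-GCM.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> dict:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def open_sealed(key: bytes, blob: dict) -> bytes:
    tag = hmac.new(key, b"mac" + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(c ^ k for c, k in zip(blob["ct"], _keystream(key, blob["nonce"], len(blob["ct"]))))

@dataclass
class Consent:  # who may receive which data, from where, for what purpose, until when
    consent_id: str
    fiu: str
    fip: str
    account: str
    purpose: str
    data_types: tuple
    expires_at: float
    approved: bool = False

class FIP:
    # Holds the user's records; releases them only against a valid consent and
    # encrypts them for the named FIU (assumption: FIP/FIU keys agreed out of band).
    def __init__(self, name: str, records: dict, fiu_keys: dict):
        self.name, self.records, self.fiu_keys = name, records, fiu_keys

    def share(self, consent: Consent, now: float) -> dict:
        if consent.fip != self.name or not consent.approved or now > consent.expires_at:
            raise PermissionError("FIP: consent is not valid for this request")
        payload = {dt: self.records[consent.account].get(dt, []) for dt in consent.data_types}
        return seal(self.fiu_keys[consent.fiu], json.dumps(payload).encode())

class AccountAggregator:
    # Consent manager and relay. It checks the consent and forwards the FIP's
    # ciphertext; it never holds a key that could decrypt the payload.
    def __init__(self):
        self.consents = {}

    def request_consent(self, fiu, fip, account, purpose, data_types, ttl_seconds, now):
        cid = secrets.token_hex(8)
        self.consents[cid] = Consent(cid, fiu, fip, account, purpose, tuple(data_types), now + ttl_seconds)
        return cid

    def user_decision(self, cid, approve: bool):
        self.consents[cid].approved = approve

    def fetch_for_fiu(self, cid, fiu, fip: FIP, now):
        c = self.consents[cid]
        if c.fiu != fiu:
            raise PermissionError("AA: consent was granted to a different FIU")
        if not c.approved:
            raise PermissionError("AA: user has not approved this consent")
        if now > c.expires_at:
            raise PermissionError("AA: consent has expired")
        return fip.share(c, now)

def _refused(fn) -> bool:
    try:
        fn()
        return False
    except PermissionError:
        return True

def run_demo(now: float = 1_630_540_800.0) -> dict:
    # Constructed sample data, not real records. Walks the four steps above.
    fiu_key = secrets.token_bytes(32)
    fip = FIP("ExampleBank", {"ACC-001": {"statements": ["2021-07: +50000", "2021-08: -12000"]}}, {"LoanCo": fiu_key})
    aa = AccountAggregator()
    cid = aa.request_consent("LoanCo", "ExampleBank", "ACC-001", "loan underwriting", ["statements"], 3600, now)
    refused_before = _refused(lambda: aa.fetch_for_fiu(cid, "LoanCo", fip, now))
    aa.user_decision(cid, True)
    refused_other = _refused(lambda: aa.fetch_for_fiu(cid, "OtherLender", fip, now))
    blob = aa.fetch_for_fiu(cid, "LoanCo", fip, now)
    refused_expired = _refused(lambda: aa.fetch_for_fiu(cid, "LoanCo", fip, now + 7200))
    return {
        "refused_before_consent": refused_before,
        "refused_other_fiu": refused_other,
        "refused_after_expiry": refused_expired,
        "aa_saw_plaintext": b"50000" in blob["ct"],
        "fiu_data": json.loads(open_sealed(fiu_key, blob)),
    }
```

Calling `run_demo()` returns the three refusals, the decrypted statements as the FIU sees them, and a flag showing that the ciphertext the AA relayed does not contain the account data. Swapping the stand-in cipher for an AEAD and the pre-shared key for a proper key agreement between FIP and FIU is the minimum a real implementation would need; the consent checks (right FIU, approved, not expired, scoped to the listed data types) stay the same.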

What are people saying about this?

Supporters of the AA framework believe that it is a big step towards a connected financial ecosystem. The framework will provide a secure and efficient way of sharing financial data, which will help reduce transaction costs and financial fraud while giving primacy to the consent of the user. If these cost savings are passed on to users, they will be able to access faster banking services at a reduced cost.

Critics, on the other hand, argue that the AA framework allows potentially unlimited amounts of sensitive personal data to be shared with an unbounded set of entities for no specific purpose. Policy researchers have also questioned the RBI's role in regulating the flow of sensitive personal data, especially since the sharing of financial information here is not tied to the provision of any financial service.

What are the issues with the AA framework?

Several key issues with the AA framework are yet to be addressed:

  1. Data security: Under this framework, AAs would have access to a vast amount of consumers' financial information, and the RBI can add further categories of information that may be shared. AAs can pass this information on to a large number of entities, a list the RBI can also expand. There is no requirement that a sharing of financial information be linked to the provision of a specific financial service. The regulatory framework therefore permits vast amounts of sensitive personal information to flow to a potentially unlimited number of entities for no specific purpose.
  2. Self regulation: Since AAs are proposed to be self-regulated under the industry body Sahamati, the data-security best practices that the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 require would be prescribed for AAs by Sahamati itself. Financial self-regulation, however, remains fraught with danger. Collusion and corruption are persistent risks, and many self-regulatory models have failed because the body allowed its members to relax standards and overlook cases of fraud. In the Indian context, fintech-based microfinance already faces several challenges: localised delinquencies and repayment crises were witnessed as early as the start of the last decade, with extremely damaging economic and social consequences.
  3. Beyond the remit of the RBI: The RBI has categorised Account Aggregators as NBFCs. NBFCs, which are companies registered under the Companies Act and licensed by the RBI, play an important role in meeting financial needs that banks have not filled. Currently there are 11 types of NBFC in India; Account Aggregators (NBFC-AA) are the only category not directly tied to any financial service, since they only facilitate the flow of financial information. There is therefore no strong rationale for regulation by the RBI.
  4. True informed consent: India is a diverse country, with IT-savvy urban hubs and barely digital rural villages. Large sections of the population have low levels of education, digital literacy remains a distant dream, and progress on reducing the digital divide has been slow. In such a context, millions of users would be unable to freely choose whether to give consent, especially when AAs have strong financial incentives to obtain it. Unaware of their rights as users and citizens, they may not fully comprehend the implications of consenting to share their data, risking breaches of privacy and security and, ultimately, financial loss.

What do we recommend?

In light of all these issues, we have the following recommendations:

  1. Independent regulator: We recommend that the RBI and the future Data Protection Authority proposed by the Personal Data Protection Bill, 2019 set up an industry-independent body to regulate AAs and prescribe robust security practices to secure confidential financial information.
  2. Digital literacy: We recommend that digital literacy programmes be scaled up so that citizens can make use of this data-sharing architecture in an informed manner.
  3. Consent guidelines: We recommend that explicit safeguards be specified for ensuring that consent managers comply with the principle of informed consent as stated in the European Union’s General Data Protection Regulation, 2016.

This blogpost is just a sneak peek. For more details about the Account Aggregator framework, a more in-depth look at its issues and our recommendations for rectifying them, please read the full explainer here.

Important documents

  1. IFF's Explainer on the Account Aggregator framework
  2. RBI's 2016 draft Directions regarding Registration and Operations of NBFC–Account Aggregators
  3. RBI's final Master Direction - Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016 (Master Directions)

This post was drafted with the help of Simrandeep Singh, who is a 4th year student at Tamil Nadu National Law University and currently interning at IFF.