In 2016 the Reserve Bank of India (RBI) sought stakeholder comments on the Draft Regulatory Framework for Account Aggregator Companies to Facilitate Consolidated Viewing of Financial Asset Holding of 3 March 2016, which envisaged the creation of a new class of non-banking financial company (NBFC) known as 'account aggregators'. In furtherance of this framework, on 2 September 2016 the RBI issued the Master Direction – Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions 2016 (AA Master Direction). Although the framework was conceptualised in March 2016, publicly available sources show that, to date, only five applicants have received in-principle approval to operate as account aggregators.
Account aggregators aim to consolidate the financial data that is spread across various financial institutions and to regulate access to such data by acting as 'consent brokers' (ie, entities which mediate customer-consented data transfers between financial entities such as banks, mutual fund companies or insurers).(1) The entities which supply the data are known as financial information providers (FIPs)(2) and the entities which receive it are known as financial information users (FIUs). Account aggregators are registered entities that retrieve or collect structured financial information pertaining to their customers from FIPs, including insurers, and enable that information to be shared. The information collected is consolidated, organised and presented to the individual customer or to an FIU. A consent log is maintained and individuals can revoke or amend their consent at any time.
Account aggregators allow individual customers to transfer financial information pertaining to their various financial accounts to any entity requiring access to such information (ie, an FIU). There are 19 categories of 'financial information', as defined by the AA Master Direction, which span various types of information, including insurance policies.
To share financial information, an FIU must initiate a request for consent – which must include details of the categories of information required – by way of a platform or mobile application maintained by the account aggregator. The customer must receive such a request through an account aggregator, which will share the information once the customer's consent has been duly obtained. Customers may also export data in a structured format.
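The consent flow described in this and the preceding paragraphs can be made concrete with a small model. The following Python block is an added illustration that is not part of the original article and does not follow any published account aggregator API or specification; the class, field and identifier names (AccountAggregator, Consent, `lender-x`, `insurer-a`, `cust-1`) and the three category names are constructed for the example, as are the sample FIP records. It shows an FIU requesting consent for named categories, the customer approving a narrower scope than was requested, the aggregator releasing only the consented categories and passing them through without retaining a copy, revocation blocking any further transfer, and every decision being written to an append-only consent log.

```python
"""Toy model of an account aggregator acting as consent broker.

Constructed illustration only. Names and categories are assumptions made for
this example and do not come from the AA Master Direction or any real system.
"""
import itertools
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Constructed category names. The AA Master Direction defines 19 categories of
# financial information; only "insurance policies" is named on this page.
CATEGORIES = {"insurance_policies", "bank_deposits", "mutual_funds"}


@dataclass
class Consent:
    consent_id: int
    customer: str
    fiu: str
    fip: str
    categories: Set[str]        # scope the customer actually approved
    status: str = "PENDING"     # PENDING -> ACTIVE -> REVOKED


@dataclass
class AccountAggregator:
    """Mediates FIP -> FIU transfers; holds consents and a log, not the data."""
    # constructed FIP side: fip -> customer -> category -> record
    fips: Dict[str, Dict[str, Dict[str, object]]]
    consents: Dict[int, Consent] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)     # append-only consent log
    _ids: itertools.count = field(default_factory=itertools.count, repr=False)

    def request_consent(self, fiu: str, customer: str, fip: str,
                        categories: Iterable[str]) -> int:
        """FIU asks the customer, via the aggregator, for named categories."""
        wanted = set(categories)
        unknown = wanted - CATEGORIES
        if unknown:
            raise ValueError(f"unknown categories: {sorted(unknown)}")
        c = Consent(next(self._ids), customer, fiu, fip, wanted)
        self.consents[c.consent_id] = c
        self.log.append(f"REQUEST {c.consent_id} fiu={fiu} categories={sorted(wanted)}")
        return c.consent_id

    def approve(self, customer: str, consent_id: int,
                approved: Optional[Iterable[str]] = None) -> None:
        """Customer approves; may narrow, but never widen, the requested scope."""
        c = self.consents[consent_id]
        if c.customer != customer or c.status != "PENDING":
            raise PermissionError("only the addressed customer can approve a pending request")
        if approved is not None:
            c.categories &= set(approved)
        c.status = "ACTIVE"
        self.log.append(f"APPROVE {consent_id} categories={sorted(c.categories)}")

    def revoke(self, customer: str, consent_id: int) -> None:
        """Customer withdraws consent; later fetches are denied."""
        c = self.consents[consent_id]
        if c.customer != customer:
            raise PermissionError("only the customer can revoke")
        c.status = "REVOKED"
        self.log.append(f"REVOKE {consent_id}")

    def fetch(self, fiu: str, consent_id: int, categories: Iterable[str]) -> Dict[str, object]:
        """FIU pulls data under an active consent, limited to the approved scope."""
        c = self.consents[consent_id]
        if c.fiu != fiu or c.status != "ACTIVE":
            self.log.append(f"DENY {consent_id} fiu={fiu} reason=no-active-consent")
            raise PermissionError("no active consent for this FIU")
        wanted = set(categories)
        if not wanted <= c.categories:
            self.log.append(f"DENY {consent_id} fiu={fiu} reason=out-of-scope")
            raise PermissionError(f"out of scope: {sorted(wanted - c.categories)}")
        records = self.fips[c.fip][c.customer]
        self.log.append(f"TRANSFER {consent_id} fiu={fiu} categories={sorted(wanted)}")
        # Pass-through: the selected records go to the FIU; nothing is retained here.
        return {k: records[k] for k in wanted}


if __name__ == "__main__":
    # constructed records held by one FIP for one customer
    aa = AccountAggregator({"insurer-a": {"cust-1": {
        "insurance_policies": {"policy": "P-001", "sum_assured": 500000},
        "bank_deposits": {"balance": 12000},
        "mutual_funds": {"units": 30.5},
    }}})
    cid = aa.request_consent("lender-x", "cust-1", "insurer-a",
                             {"insurance_policies", "bank_deposits"})
    aa.approve("cust-1", cid, approved={"insurance_policies"})
    print(aa.fetch("lender-x", cid, {"insurance_policies"}))
    aa.revoke("cust-1", cid)
    print("\n".join(aa.log))
```

The model deliberately keeps only the authorisation logic visible: a real deployment would additionally need to authenticate the FIU, the FIP and the customer and to time-bound each consent, none of which the page describes and none of which is modelled here.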
Only NBFCs that are registered with the RBI and have a minimum net-owned fund of Rs20 million (approximately $290,000) can undertake account aggregation business. These NBFCs must first receive the RBI's in-principle approval, subject to any conditions that may be imposed. Within 12 months of receiving in-principle approval, and before the RBI grants a certificate of registration to operate as an account aggregator, they must also:
- implement the necessary technology;
- enter into operational tie-ups; and
- fulfil any other conditions imposed.
The technological evaluation of applicants is expected to be carried out by Reserve Bank Information Technology Private Limited (ReBIT), the RBI's recently created IT and cybersecurity arm.
Account aggregators must also establish a board-approved policy for the pricing of their services and proper systems for disaster risk management and business continuity.
The AA Master Direction stipulates that an account aggregator's business will be entirely IT driven (ie, it will pertain only to financial assets whose records are stored electronically). Account aggregators must adopt an adequate IT framework and interface to ensure the secure flow of data from FIPs (eg, insurers) to the aggregator's systems and onwards to FIUs.(3)
In addition, account aggregators must have adequate IT safeguards to ensure protection against any unauthorised access, alteration, destruction, disclosure or dissemination of their records and data. Further, a so-called 'information system audit' of an account aggregator's internal systems must be undertaken at least once every two years.
Although no specific regulatory body governs the transfer or security of data in India, the Personal Data Protection Bill 2018 is expected to be tabled during the ongoing budget session of the Lower House of Parliament. The bill provides for the creation of a national Data Protection Authority (DPA), which can supervise and regulate the processing, storage and transfer of all forms of data and information. It therefore remains unclear how the data security and privacy obligations under the AA Master Direction will align with the corresponding obligations in the bill once it has been passed and the DPA has been established.
As noted above, it appears that to date only five entities have been granted in-principle approval by the RBI, and concerns remain regarding the viability of the account aggregation business model in the market.
The AA Master Direction specifies that any financial information relating to customers which an account aggregator accesses from an FIP (eg, an insurer) will not "reside" with the account aggregator.(4) The practical scope of this restriction is unclear: any computing, analytics or other processing requires at least a transient copy of the data on the processing entity's systems, and the AA Master Direction does not say how such transient handling is to be distinguished from data 'residing' with the aggregator. Read to its fullest extent, the storage restriction therefore substantially constrains the processing and analysis that an account aggregator may carry out on the data.
Further, unlike other NBFCs, account aggregators cannot support any transactions made by customers via their platform. Account aggregators may, however, deploy their investible surplus in instruments, albeit not for trading purposes.(5)
The account aggregator ecosystem was introduced to solve the problems of data portability in the insurance sector, among others. However, the question of whether the account aggregation business model is viable will largely hinge on the successful implementation of the consent architecture envisaged under the AA Master Direction and the terms of the contractual arrangements that are entered into with the various regulated entities.
Further, while the account aggregator ecosystem remains primarily a technology platform for sharing financial information and consent, which requires significant IT capabilities, it is unclear how the data privacy and security norms introduced in the AA Master Direction will harmonise with the Personal Data Protection Bill and the norms that may be introduced by the DPA. In addition, the restrictions on storing financial information, facilitating customer transactions and providing other financial services to customers may hinder the adoption of the account aggregation model.
At present, no entity has been accorded a final certificate of registration by the RBI. It remains to be seen how the account aggregator ecosystem will ultimately be implemented and whether it will help to fill the information gaps prevalent across the various data systems controlled by regulated entities.
(2) The AA Master Direction defines a 'financial information provider' as a bank, banking company, non-banking financial company, asset management company, depository, depository participant, insurance company, insurance repository, pension fund and such other entity as may be identified by the Bank for the purposes of these directions, from time to time.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.