The 21st century is rightly called the ‘Information Age’ or ‘Digital Age’, due to the rapid shift from industrial economy to an economy based on Information Technology (IT), which has taken place in this time period. Consequent to this shift, people have become more comfortable with sharing their data online. This has furthered digital development, such as online banking, payment wallets, etc.
Despite this shift toward an IT economy, the financial sector still suffers from data inequity. Financial companies today use methods such as scraping of online accounts, manual uploading of statements, partnership with banks and directly connecting to the payroll software of employers to collect financial data of individuals[1]- all of which are cumbersome and time-consuming methods.
As a solution to this problem, the Reserve Bank of India had introduced the Non-Banking Financial Company- Account Aggregator (NBFC-AA) Framework in 2016. The framework was launched recently in September, 2021. This article discusses the Account Aggregator System, its features, challenges, role and its impact on the Indian economy and the fintech sector.
The Account Aggregator System
As per the RBI Notification, an account aggregator is a non-banking financial company that undertakes the business of an account aggregator, for a fee or otherwise.[2] “Business of an account aggregator” is further defined as providing under a contract, the service of retrieving or collecting such financial information pertaining to its customer, as may be specified by the Bank from time to time, and consolidating, organizing and presenting such information to the customer or any other financial information user as may be specified by the Bank.[3] In layman terms, an account aggregator is a financial entity that obtains and consolidates all financial data of an individual, and presents it in a way that makes it easy to understand and analyze a person’s financial holdings. The process is consent-based, and the account aggregator manages the consent for data sharing.
An individual may have several financial holdings that may be scattered across different financial instruments, different financial intermediaries and even different financial regulators. For example, a person X might have a fixed deposit with the State Bank of India, which comes under the purview of RBI; and life insurance cover with the Life Insurance Corporation of India (LIC), which comes under the purview of IRDAI. Additionally, X might have mutual fund investments in Aditya Birla Sun Life AMC, which is regulated by the Securities Exchange Board of India (SEBI). When X wants to file for a loan, he will have to consolidate all his financial data scattered across these different instruments and then submit to the institution he wishes to take a loan from. This is a cumbersome and time-consuming process. It is at this stage where the account aggregator steps in.
The Account Aggregator system has three main components – the Financial Information Provider (FIP), Financial Information User (FIU) and the account aggregator. FIP is the party having the financial information or data of the customer. Examples of FIP include a bank, NBFC, mutual fund repository etc. FIU is the party that seeks the financial information or data of a customer. Example of FIU is the lending bank. Thus, banks can be both FIPs and FIUs. The account aggregator system follows the process:
On a global level, several countries have a similar system. In the EU, the second Payments Services Directive mandated that banks offer customer account access to third parties. This is called Open Banking System.[1] The Directive was adopted by EU Parliament in 2015, but API access was opened to the third parties in 2019. In Hong Kong, the Open API Framework was launched for the banking sector in July 2018 by the Hong Kong Monetary Authority.[2] Open Banking was also introduced in Australia in the year 2018.[3]
1. Regulation of the account aggregation system
The account aggregator framework is regulated by the RBI, SEBI, the IRDAI and Pension Fund Regulatory and Development Authority (PFRDA). Any company registered and regulated by these bodies can be eligible as FIP or FIU. It is not mandatory for any registered entity to join the AA ecosystem. The account aggregator system is a separate process and is elaborated on under the RBI master directive.[1] Only a company may undertake the business of an account aggregator, unless such entity is regulated by another financial sector regulator and the entity aggregates only the financial information pertaining to the customers of that sector.[2] The process of registering a company under NBFC-AA is elaborates under section 4.2. Additionally, the company registering as account aggregator should have a net owned fund of at least Rs. 2 Crore.[3]
The directions also list out the various duties of an account aggregator.[4] Chief among them include the necessity for explicit consent of the customer to provide services; sharing information only to the customer to whom it relates or to the FIU authorized by the customer; not to take up any business other than the business of the account aggregator; not to use third-party services for the business of account aggregator; and not to retain financial data of customers provided by the FIPs. Along with these duties and responsibilities, the directions provide the users with the right to revoke their consent to obtain certain information.[5] Users also have the right to access the records of the consents provided by them and the FIU users with whom the financial information has been shared.[6]
In order to give more power to the customers, the master directions have laid down a specific consent architecture.[1] Consent of the customer is of primary importance for retrieving, sharing or transferring the financial information. Such consent is to be collected by a standardized ‘consent artefact’ containing a set of details.[2] Such consent artefact can also be obtained in electronic form.[3]
The directions also lay down a framework for data security[4] and technical specifications[5] for smooth and secure movement of data. An additional set of guidelines for APIs have been framed by Reserve Bank International Private Limited.[6]
AA system is also available through the “account aggregator” app, which is available on the mobile or desktop.[7] Users can sign in to their account through this app and keep track of their consents, revoked consents and data requests made by the FIU.
Benefits and Issues of Account Aggregator System (AA System)
Just like every system, the AA system also faces its own set of benefits and challenges.
The AA System is a single portal system. A customer has access to multiple financial services from multiple financial institutions at one place. Further, since this is a process based on the customer’s consent, the customer gets to choose which data to share with whom and when.[1] The customer has the full control of his data. The AA system process is a simpler process than existing methods for financial data collection; and the easy availability of financial data will allow lenders to make a thorough assessment of the customer’s eligibility to borrow.[2] It also reduces confusion between the customers and the bankers. The master directions by RBI further give adequate privacy and security measures to protect the data held by the account aggregators.[3] Most importantly, the account aggregators themselves are data-blind. The data that flows through them is encrypted, hence, can only be processed by the end party (FIU).[4] The automated nature of the AA system makes it more accurate as compared to a manual process; since it is less prone to oversights and errors.
However, the benefits of the AA system also give rise to the issues with the system. Broadly, the challenges that arise from the system can be categorized into upending user agency; problems related to data privacy; Problems due to consent collection; and problems with respect to adaptation.
Upending user agency: the traditional method of financial data collection required the user to directly share the information with the entity requesting it. But in the AA system, the user shares the information with a third party (i.e. account aggregator). This third party then takes shares the information with the entity requesting it in place of the user. Hence, the AA system places a mandate on the users to share their information with a third party and forces them to use an intermediary.[1] Although the RBI master directions have specific provisions on technical standards to be maintained, there is a still a chance for technical glitches that could cause erroneous responses.
Problems related to data privacy: The AA system can be used by the FIPs and FIUs for data mining. User information such as income and account statements are shared as part of the registration process. Hence, spending history of a user can be traced by FIUs for purposes like targeted advertising.[2] There is no provision in the master direction to prevent profiling of users by FIUs. The directions by RBI specify how the FIU can access the information, but do not clarify on where the data is to be stored and how it is to be managed post the collection.
Problems with consent collection: AA system is a consent-based process and as per the directions of RBI, it is mandatory for FIPs to share information only when presented with a valid ‘consent artefact’ by the user.[1] FIPs also need to verify the consent artefact before the information is shared with the account aggregator. But the grey area here is that there is no provision regarding how this consent artefact will be manifested. Users consenting online to terms and conditions often ignore the content and click the consent button without reading what they are consenting to. If there is no substantial manifest for collecting consent from the users, it will merely be a step with procedural value, and lose all meaning as a ‘consent layer’ or ‘safety layer’.[2]
Problems due to adaptation: many financial institutions are not AA-system friendly. Hence, the information is ‘scraped’ out, using a computer program that visits the bank’s website, logs in using client credentials, and then ‘reads’ code to get information. This system is arduous and causes overload of the system servers.[3]
2. What the AA system means for the Fintech world
The fintech sector will be the most affected sector with the arrival of the account aggregator framework. Since the framework links financial information with technology, this system may well become the standard of reference for the fintech sector. The architecture of the AA system will bring a standard format for financial information across fintech players. It will also help in making a uniform set of data security and privacy rules which will be compliant with the provisions of the master directions. Integration of fintech players into the AA system will also help with building a higher level of trust with their customers.
NBFC-AA framework is a necessity given the transition of this era to an IT era. Not only is it a technological innovation that will simply what was previously a time-consuming prospect, but is also a level-up for India, enabling it to be one step closer to being a fully developed country. The AA system and architecture may have flaws and issues, but a comparison of the same with the benefits makes it clear that the faults and issues are process and adaptability based and can be rectified; whereas the benefits of the system are far-reaching and long-term, thus outweighing the issues; especially in case of the fintech sector. Hence, it can be concluded that the account aggregator system is definitely the new fintech revolution in India.
[1] Apurva Singh, Reserve Bank of India’s Account Aggregator Network, Nasscomm, 23rd Sept, 2021, Reserve Bank of India's Account Aggregator Network | NASSCOM Community | The Official Community of Indian IT Industry – Last accessed on 26th Sept, 2021 at 1.30 AM. [2] All you need to know about Account Aggregators, BFSI Economic Times, news article on 26th Oct, 2020, Account Aggregators: All you need to know about account aggregators!, BFSI News, ET BFSI (indiatimes.com) – last accessed on 26th Sept, 2021 at 1.30 AM. [3] Supra notes 16 and 17. [4] Blog article, Account Aggregator System in India explained: game changer in Banking system, BuddyLoan, Account Aggregator System in India Explained - A Game Changer in Banking System (buddyloan.com) – last accessed on 26th Sept, 2021 at 1.30 AM.
[1] Supra note 2, at S.6. [2] Supra note 2, at S.6.3 [3] Supra note 2, at S.6.4 [4] Supra note 2, at S.8 [5] Supra note 2, at S.9 [6] Supra note 2, at S.9.1 [7] Sahamati FAQ portal, Account Aggregator Frequently Asked Questions | FAQ | Account Aggregator (sahamati.org.in) – Last accessed on 26th Sept, 2021 at 1.30 AM. [1] Supra note 2, at S.4.1. [2] Ibid. [3] Supra note 2, at S.4.1(d). [4] Supra note 2, at S.5. [5] Supra note 2, at S.6.6. [6] Supra note 2, at S.10(a) and (b).
[1] Mohammed Patel, PSD2: the European Payments Revolution? Part 4a: Introduction to Open Banking, CMPSI, 22nd July, 2021, PSD2: The European Payments Revolution? Open Banking | CMSPI Insights | CMSPI – Last accessed on 25th Sept, 2021, at 11.30 AM [2] Hong Kong Monetary Authority Press Release, 18th July, 2018, Hong Kong Monetary Authority - Open API Framework for the Banking Sector and the Launch of Open API on HKMA’s Website – Last accessed on 25th Sept, 2021 at 11.30 AM. [3] Australian Government Treasury report on Review into Open Banking, Dec, 2017, Review-into-Open-Banking-_For-web-1.pdf (treasury.gov.au) – Last accessed on 25th Sept, 2021, at 11.30 AM.
[1] Rohan Jahagirdar, Praneeth Bodduluri, Digital Economy: India’s Account Aggregator System is plagued by Privacy and Safety Issues, EPW, Vol No. 55, Issue No. 22, 30th May, 2020, pdf (epw.in), - last accessed on 25th Sept, 2021 11PM. [2] S. 3(1)(i), Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016 (Master Directions., Reserve Bank of India - Notifications (rbi.org.in) – Last accessed on 25th Sept, 2021 at 10.30 AM. [3] Ibid, at S.3(1)(iv).