In September 2016, RBI announced master directions for a new class of non banking finance companies called Account Aggregators (NBFC-AA). These entities will enable sharing of data from across various financial sector institutions, and act as “consent brokers”, that is, mediate data transfers across financial entities with the user’s consent. RBI had conceptualized this around July 2015.

What is an Account Aggregator?

Account Aggregators will be entities that enable structured financial data sharing from Financial Information Providers to Financial Information Users, while maintaining a log of consent given (called “consent artifacts”), and providing the ability to revoke and manage consent. Any financial sector regulated entity currently offering these financial products and services is classified as “Financial Information Provider” (FIP). Any entity that is registered and regulated by any Financial Sector Regulator (across banking, mutual fund / equity investments, insurance, pensions — RBI, SEBI, IRDA, PFRDA) is also classified as “Financial Information User” (FIU).

The data being shared covers 18 classes of financial information that have been defined across banking, investments, insurance, pensions, as per the master directions issued by RBI’s Department of Non-Banking Regulation (DNBR).

Consent manager for financial data transfer

Unified Payments Interface made monetary payments accessible to a large number of users, newer intermediaries (Payment Service Providers) enabled users to make / receive payments on various accounts held by them through a single app (like BHIM, PhonePe, Google Pay etc) and use bank agnostic payments identifier (called VPA; An example of a VPA: abc@xyzbank) as payments identity to send and receive payments.

Similarly, an NBFC-AA is an entity that will allow a user to make data payments or transfer user data of financial nature of various accounts (held by that person in banks deposits, equity, mutual fund, pension funds etc) to any entity wanting access to that data (an FIU). An FIU can initiate a consent request with details of information requested by sending a request to user through the NBFC-AA identifier (user@accountaggregator). NBFC-AA will ensure requested data will be shared after consent is obtained using NBFC-AA app, similar to authorizing collect request in an UPI application.

The Financial Information Users (FIU) (any regulated entity under RBI, SEBI, IRDA, PFRDA) can use that data to offer services / products like giving access to credit, offer 360 view of personal finance, or use investment data to offer wealth management advice through emerging financial services like robo banking aided by artificial intelligence.

A user registering an account with NBFC-AA will be able to grant or revoke consent to share data from any accounts held by him/her in any FIP, or even export data in a structured format.

NBFC-AA Licenses

CashlessConsumer asked the RBI regarding licenses issued for NBFC-AA class of entities and got a reply stating 9 entities has applied for the licenses and 5 of them have been given in-principle approval and final approval for commencing operations will be put on website.

RTI Response from RBI on NBFC-AA licenses

We also learn through sources that NeSL Asset Data Limited, a subsidiary owned by NeSL (National eGovernance Services Limited,  a private insolvency information utility jointly held by banks and regulated by IBBI ) is likely to be among the in-principle licensees of NBFC-AA license.

Observations / Comments

  • The data sharing ecosystem through NBFC-AA and subsequent mandatory credit reporting of all sizes to the proposed Public Credit Registry makes RBI control a large portion of financial data flows, regulate entities that deal with financial data, beyond its original mandate to regulate banking. The poor track record of regulatory governance including lack of regulatory accountability, lack of participatory nature of regulation making in RBI is a deep concern even as it broadens its regulatory mandate into data regime.
  • Reserve bank of India’s newly created IT arm – ReBIT (Reserve Bank Information Technology Pvt Ltd), owns the technology standard for real-time financial information aggregation, NBFC-AA is a part of consent layer of IndiaStack, evangelized by software products lobby organization iSpirt.
  • While it is important for users to have access to their data and have the right to use them with anyone they want to, there needs to be clear set of guidelines, regulations from financial sector regulators for consumer protection. Denying of access to products or services, differential pricing and other financial data harms (definition of data harms itself must be clearly drafted and agreed upon) that Financial Information Users as well as account aggregators can potentially cause to the user. The minimum data required to access to each class of financial services / products must be clearly defined for users, in order to spot exploitative consent requests. Denying access to critical financial services (such as health insurance) must be prevented.
  • The regulatory structure has multiple issues:
    • The RBI regulating financial data sharing platforms might be sub-optimal, where the nature of operations are purely technical and consumer protection in such data sharing platforms might be better suited under Data Protection Authority or a focused data regulator. Giving regulating agency to RBI just because data is financial in nature might not be ideal.
    • The NBFC-AA also gives RBI a financial super regulator position amidst other financial sector regulators through the ability to regulate data sharing entities. The RBI is currently fighting a turf war on keeping payments regulation to itself and dissenting on accountability provisions of the new Payments & settlements bill 2018, which put the decisions of payments regulator under securities appellate tribunal (SAT).
    • The ecosystem is primarily a technology platform for consented data sharing. Auditing and regulating licensees would require significant IT capabilities and RBI cannot both own technology standard through ReBIT and be a regulator. As large technological platforms are implemented, there is an urgent need for an independent technology regulator to oversee technology aspects like  technology design, cyber security from conceptual stage, privacy by design. Leaving technology regulatory capabilities to a product owning organization poses a great risk, as has been seen in case of the UIDAI.
  • While financial service providers seek information beyond minimal regulatory KYC to offer products and services (salary slips/bank statements for personal loan, portfolio details for wealth management advisory services), NBFC-AA provides a technical framework for users to share information digitally vetted by financial institutions as against paper statements submitted by individuals. Even as this could mean potentially low risk for entities using data through financial information providers, it also means that users won’t have real control over their personal data, especially the ability correct their records. That would entail a great risk for them, since poor quality data would risk in raising barriers to access to financial services.

Cashless Consumer publishes PaymentsTransparency series based on RTI responses to queries to improve transparency in payments regulation and help consumers better understand, track regulation, policy making and their impact, both desired and actual.