Account Aggregators in India — An Introduction
Most new borrowers have no credit history or collateral to offer. Lenders need to assess alternate data — bank statements, cash flow, GST / direct tax returns, insurance, investments etc. — to assess and price the risk of lending to them. However, borrowers’ data are spread across silos in banks, insurers, telcos, healthcare providers and other institutions. Using these data is crucial in delivering relevant, affordable, and timely financial products.
Today, there is no institutional framework for data owners to share their data with service providers. Most solutions involve significant user effort and friction. Data are usually shared with providers through physical statements — a time consuming process that introduces risks of information leakage and document tampering.
Empowering citizens to use their data safely, securely, and with their consent requires:
- A data protection law (Justice SriKrishna Committee Report, expected to be enacted as law)
- A transparent and auditable consent architecture that puts data owners in control of sharing their data
- A standards-based, interoperable and scalable network of providers and users of data
The RBI approved a new class of NBFCs in 2016 to act as Account Aggregators (AAs) to provide data aggregation services based on data owners’ explicit consent. Account aggregators can extract, aggregate, and transfer — but not read or store — users’ encrypted data. RBI and other Financial Services Regulators (FSRs) are providing the required regulatory support and guidance for the rollout of AA.
The following principles guide the functioning of AAs
- AAs are data fiduciaries that manage customer consent
- AAs fetch, consolidate, and aggregate data from Financial Information Providers (FIPs)
- Basis customer consent, AAs present these data to Financial Information Users (FIUs)
- AAs cannot read or store customer data
- AAs can charge a fee for the service (commercial model WIP)
- AAs cannot undertake any other business
Account Aggregation — a high level view
Copyright © 2019 DigiSahamati Foundation
- FIP — Financial Information Provider: Bank, NBFC, AMC, depository, depository participant, insurance company, insurance repository, pension fund …
- FIU — Financial information user: an entity registered with and regulated by any financial sector regulator
- AA — Account Aggregator
- FSR — Financial Sector regulator; RBI, SEBI, IRDAI, PFRDA
- CR — Central Registry: A centrally hosted (under one of the FSRs) repository of Key/Certificate of FIU, FIP & AAs
- Consent is a digitally signed artefact collected by AA from a User (account holder) to be used to request the user’s financial information from their FIP
- A user can query, pause, revoke consent at any time
- Consent is generated and valid for only linked accounts at the FIP
- AA acts as consent collector. The FIP maintains the most recent status of Consent, and verifies it before servicing FIU requests.
- Consent is always associated with a recorded Purpose. The FIU is bound to use data thus fetched only for the stated Purpose.
Status Today and Plans
The RBI has issued in-principle approval to eight entities to offer AA services. These entities are loosely organized under the DigiSahamati Foundation — a self-regulatory organization (SRO) that manages operating and technical standards, and evangelizes the AA framework with Financial Institutions.
iSPIRT (India Software Product Industry Roundtable) has worked with ReBIT (RBI’s IT arm) to define and publish technical standards and API documentation for AAs, FIPs and FIUs
On July 25, 2019, iSPIRT presented a CUG demo of the AA solution. Axis Bank, ICICI Bank, IDFC First Bank, and SBI participated. Banks are engaged in multiple POCs. Sahamati is spearheading the effort of preparing the ecosystem for a commercial launch, and has aggressive targets for onboarding FIs to kick-start the ecosystem.
What needs to happen?
- Financial Institutions need to prepare for their obligations once the Data Protection & Privacy Bill becomes law. Given the impact on their information security policies, risk management, operations, and technology, this is a good time to establish a consultative ecosystem of industry experts, regulators, and government bodies.
- Kick-starting a two-sided network is always a challenge of who moves first, and why large incumbents should part with troves of data compiled over many years at significant cost. While these concerns are valid, experience — from credit bureaus and UPI — suggests that early movers gain long-term advantages of scale, efficiency, and differentiation.
- Financial Institutions need to develop a framework that allows rapid execution, maximizes financial inclusion, while minimizing disruption to current operations. Many banks have created Innovation Centers and API gateways to accelerate experimentation and collaboration. However, mainstreaming successful experiments still needs significant risk, compliance, and IT effort to “integrate with the mothership”.
We are in the very early days of creating yet another India-first, disruptive and transformative ecosystem. What UPI did to the transfer of money, AA can do to the transfer of data. UPI, in 3 short years, has scaled to 1 billion transactions and 100 million users. Given the virtually unlimited addressable market, institutional support, and learnings from UPI, there’s every reason the AA ecosystem can scale to 10X what UPI has achieved in far lesser time.
The author is President, Perfios Software Solutions (P) Ltd., whose subsidiary, Perfios Account Aggregation Services Pvt. Ltd. is one of eight entities awarded an in-principle approval by the RBI to offer Account Aggregation Services. Contact the author of this whitepaper: LinkedIn | email: firstname.lastname@example.org