
Consent Managers in the financial space: Account Aggregators

    By Ikigai Law | Fintech | 11 November, 2020

    This blog post examines the evolution of the AA Framework, and its role in the India Stack ecosystem.

    Our earlier blog was a primer to the NBFC account aggregator framework (“AA Framework”). In this one we take a closer look at the evolution of the AA Framework and its role in the India Stack ecosystem.

    What is the India Stack?

    It is a set of APIs made available by the government to public and private players. They can use the APIs as baseline infrastructure on top of which they can innovate, saving them the time and money needed to create their own (base-level) APIs. It also helps build an open ecosystem, where public and private entities can coordinate, collaborate, and innovate.

    The India Stack aims to transform India into a presence-less, paperless, and cashless economy (more on this below). It was developed by iSPIRT (a think tank) in collaboration with the Indian government. In iSPIRT’s own depiction (the diagram is not reproduced here), the India Stack has four layers:

    • Presence-less layer: a universal biometric digital identifier through which citizens can access services; implemented through the Aadhaar infrastructure.
    • Paperless layer: digitising records, eliminating paper collection and storage; implemented through Aadhaar e-KYC, E-sign, and Digital Locker.
    • Cashless layer: a single interface connects the country’s bank accounts and wallets to democratise payments; implemented through IMPS, AEPS, and UPI, among others.
    • Consent layer: allows data to move freely while giving people control over their data and how it is used, stored and shared; implemented through the Data Empowerment and Protection Architecture (“DEPA”).

    What is DEPA?

    The DEPA is a technical framework which allows people to determine how their data is accessed, collected, stored and shared, and for how long, through a single platform (a dashboard of sorts). In doing so, it allows people to access more tailored services while maintaining their privacy.

    But the DEPA is only a technical architecture and needs to be run by someone. This will be done by ‘consent managers’, i.e. organisations who will build their consent management solutions on top of the DEPA.

    The NITI Aayog recently released a draft document discussing the DEPA framework where it also discussed the role of consent managers. The Aayog explained that a consent manager will ensure that individuals can provide consent for every granular piece of data they provide, through the DEPA, and will also protect an individual’s data rights.

    But what do consent managers exactly do?

    The NITI Aayog’s DEPA draft includes a diagram (not reproduced here) describing how consent managers facilitate the flow of information between the data principal, the information provider and the information user:

    A regulated entity may require some information about an individual to provide her a new or better service. If so, it can inform the consent manager with which that person has an account that it requires x, y, z pieces of information. The consent manager then requests that person’s consent to collect the relevant information from another regulated entity which already has this information; if she consents, this information will be sent from one regulated entity to another in an encrypted manner.

    Think of it as a Dunzo for your data. Much like the delivery service, the consent manager will seek information from one party on what it needs to go forward, then run to the person for her consent to share the relevant information with that party, then go to the party which is storing such information, and then carry this information back to the entity which asked for it. However, the consent manager cannot see what is being delivered. It is a dumb pipe whose only role is securing consent and transporting data from party A to party B.
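    The consent-manager flow above, as an added example in Python (not code from this post or from any AA, FIP or FIU implementation): the AA seals a granular consent artefact naming the user, the requesting entity and the exact fields consented; the provider verifies it, enforces scope and expiry, and releases only those fields, encrypted under a key the AA never holds, so the pipe stays “dumb”. The entity names, the records, the shared-key HMAC used in place of a real signature, and the HMAC-keystream cipher used in place of a standard AEAD are all constructed stand-ins.

```python
import hashlib, hmac, json, secrets, time

# Constructed sample FIP data store: one user's records at a hypothetical bank.
FIP_RECORDS = {"user-1": {"balance": 42000, "statement": ["-1200 UPI", "+50000 salary"],
                          "pan": "XXXXX0000X"}}   # "pan" is never consented below

def grant_consent(consent_key, user, fiu, fip, scope, ttl_seconds):
    """AA step: record the granular scope the user approved and seal it.
    HMAC with a key shared by AA and FIP stands in for a real signature."""
    artefact = {"user": user, "fiu": fiu, "fip": fip, "scope": sorted(scope),
                "expires": time.time() + ttl_seconds}
    body = json.dumps(artefact, sort_keys=True).encode()
    return body, hmac.new(consent_key, body, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a PRF keystream; stand-in for an AEAD.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(fiu_key, plaintext):
    """Encrypt-then-MAC under a key the AA never holds (encrypted for the FIU)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(fiu_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(fiu_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(fiu_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(fiu_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("payload tampered with in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(fiu_key, nonce, len(ct))))

def fip_release(consent_key, fiu_key, body, tag, requested):
    """FIP step: verify the artefact, enforce scope and expiry, then release
    only the consented fields, encrypted to the FIU."""
    if not hmac.compare_digest(hmac.new(consent_key, body, hashlib.sha256).digest(), tag):
        raise PermissionError("consent artefact not genuine")
    art = json.loads(body)
    if art["expires"] < time.time():
        raise PermissionError("consent expired")
    extra = set(requested) - set(art["scope"])
    if extra:
        raise PermissionError("fields not consented: %s" % sorted(extra))
    subset = {k: FIP_RECORDS[art["user"]][k] for k in requested}
    return seal(fiu_key, json.dumps(subset).encode())

def run_flow(requested=("balance", "statement")):
    """Whole exchange: FIU asks, AA obtains consent, FIP releases, AA relays."""
    consent_key = secrets.token_bytes(32)   # shared AA <-> FIP
    fiu_key = secrets.token_bytes(32)       # shared FIP <-> FIU, NOT known to the AA
    body, tag = grant_consent(consent_key, "user-1", "lender-fiu", "bank-fip",
                              ["balance", "statement"], ttl_seconds=600)
    blob = fip_release(consent_key, fiu_key, body, tag, list(requested))  # relayed by AA
    aa_can_read = b"balance" in blob or b"salary" in blob   # what the pipe sees
    fiu_view = json.loads(open_sealed(fiu_key, blob))       # what the FIU gets
    return aa_can_read, fiu_view
```

    Asking for a field outside the consented scope (for example the “pan” record) is refused by the FIP before anything leaves it, which is the guardrail the granular consent is meant to give.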

    Will there be one consent manager for all of India or multiple? Will these be sector specific or sector agnostic?

    Consent managers will be specific to each sector, and it is likely that sectoral regulators will come up with regulations for consent managers in their sector. For instance, consent managers in the financial ecosystem are referred to as Account Aggregators; consent managers in the health, telecom, and skill development sectors may be called by different names. Further, AAs are governed by the RBI’s ‘Master Direction on Non-Banking Financial Company – Account Aggregator Directions’ issued in 2016; similarly, it is possible that the National Health Authority or the National Skill Development Corporation may release their own guidelines to regulate consent managers in their respective sectors. In fact, the NITI Aayog’s recently released DEPA draft is aimed at expediting the development of such sector-specific consent managers.

    Account Aggregators

    Now let’s deep dive into the AA framework. A consent manager operating in the financial sector is called an AA. The vision of the AA Framework is to enable financial data to flow from parties who have it to those who need it to help create more, better, and tailored financial products and services for people.

    The RBI allows companies with a net owned fund of INR 2 crores to apply for registration as a Non-Banking Financial Company (“NBFC”) – Account Aggregator to run AAs. A good example of an AA is Onemoney, which was the first company to receive its licence from the RBI, followed closely by CAMS FinServ and FinVu.

    This registration enables AAs to collect financial data from institutions which hold such data, like your bank, an NBFC, a mutual fund depository, an insurance repository, a pension fund repository, etc. (collectively, financial information providers or “FIPs”). After collecting this data, they transfer it to the financial institutions which have sought it, termed Financial Information Users (“FIUs”). An FIU may, for example, be a lending bank which wants access to a prospective borrower’s data to determine if she qualifies for a loan.

    In the AA Framework, both FIUs and FIPs can only be entities which are regulated by a financial services regulator i.e. the Reserve Bank of India, Securities and Exchange Board of India, Insurance Regulatory and Development Authority and Pension Fund Regulatory and Development Authority. Hence, AAs collect financial information generated by entities regulated by the RBI, the SEBI, the IRDAI, or the PFRDA. Such regulated entities can participate in the AA ecosystem, either as an FIP or an FIU.

    The RBI released the technical specifications for AAs in November 2019. Since then, seven AAs have received in-principle licences from the RBI, of which four have received operational licences, and approximately ten banks and NBFCs are in various stages of adopting the FIP and FIU technical modules. Further, in July – August 2020, a competitive AA Hackathon with over 550 participants was organised, in which start-ups, fintechs, and product teams at financial institutions innovated and built on consent management or FIU designs.

    Process of Registration As an AA

    • No entity other than a company can apply to become an AA[1], and such a company must have a net owned fund of not less than INR 2 crores or such higher amount as the RBI specifies[2]. Further, no company can start or continue undertaking the business of an AA without procuring a certificate of registration to this end from the RBI[3]. The form which must be filled to procure the certificate is here. The only exception is entities which are already regulated by other financial sector regulators and are aggregating financial information from customers only in that sector – such entities do not need to register with the RBI separately[4]. We understand this to mean that if an entity is regulated by SEBI and only wants to convey financial information between other entities regulated by SEBI, then this registration will not be needed.
    • The RBI’s directions also specify the duties and responsibilities of AAs, their required data security practices, customer grievance redressal mechanisms, as well as pricing, corporate governance, and audit requirements.[5]
    • To participate in the AA ecosystem, one must be either an FIP or an FIU, both of which must be regulated by financial sector regulators. This means that an unregulated fintech player cannot participate in the AA ecosystem. This is possibly a guardrail instituted by the RBI to protect the financial data of users from falling into the hands of, or being exploited by, malicious actors. Both FIPs and FIUs must comply with the technical standards released by the RBI; these may be found here.

    Sahamati – a self-regulatory organisation for AAs

    A non-profit collective of Account Aggregators – the DigiSahamati Foundation (known as “Sahamati”) – is evangelising the Framework and mobilising existing financial institutions to adopt the technical standards needed to participate as FIPs and FIUs in the AA ecosystem. Participation in Sahamati is voluntary. However, Sahamati does provide a certification to interested FIPs, AAs, and FIUs. This certification is aligned with the RBI’s technical, legal and security guidelines regarding the Framework, and so will help interested FIPs, AAs, and FIUs demonstrate their compliance with the RBI’s requirements, which may in turn expedite their RBI certification. Sahamati has members from industry, academia, and regulators, and ensures that users’ interests are also represented on its board.

    For now, Sahamati is raising awareness about the AA model, providing technical support to new AAs, FIPs, and FIUs, laying down a code of conduct, audit guidelines, and interoperability standards for stakeholders in the AA ecosystem. It is also establishing standards for reporting to regulators, creating a grievance redressal framework for all customer complaints, ensuring that members adopt regulatory tools for self-reporting of data and monitoring member compliance, amongst other things. These functions are similar to those of a self-regulatory organisation for a given ecosystem. However, we must clarify that Sahamati was not formed by regulatory mandate, despite having regulatory representation. If you are looking to participate in the AA ecosystem, you may consider getting in touch with Sahamati to get a better understanding of the compliances and technical requirements.

    AA enabled innovations

    The AA framework provides a base for developing tailormade products and services. Some of these tailormade products and services are briefly discussed here.

    Wealth management and financial planning applications – Earlier, wealth management applications would vaguely assess the risk-bearing capacity of a user by asking questions about investment in high-risk ventures, risk appetite, return preferences, etc. Now, with the advent of AAs, the planner can check the user’s investment track record, spending habits, frequency of online and risky transactions, etc. Additionally, the user can share their bank statement with financial planning applications, which can further analyse the user’s financial behaviour and recommend ways to save money. Moreover, where the user’s bank history shows that they often go into overdraft, the service provider may prompt them to save a specific amount every month, or suggest switching to a bank with more lenient overdraft norms and charges. Some examples of wealth and finance management advisories which would be able to benefit from the AA Framework are Aditya Birla Finance Limited and Adani Capital Private Limited.

    Investment advisory – By engaging an AA, a full view of an investor’s finances can be shared instantly with a wealth manager. Further, investors can get real-time prices of their investments and a bird’s eye view of their entire wealth, allowing the whole portfolio to be analysed quickly. Along with these advantages, once data from different accounts is aggregated under one roof through APIs, banks can create various add-on services such as (a) liquidity management services – by informing individuals and businesses of their cash flows and account balances at various intervals; and (b) cash flow management for small and medium enterprises – by providing a full view of the business’s finances based on consolidated information about payments, invoices, loans, insurance premiums, etc. Some investment advisory firms which would benefit from the AA Framework include SBI DFHI Limited and Paisabazaar, amongst others.

    The way forward

    Even though AAs have enabled substantive developments in the financial market, the framework still suffers from some glaring ambiguities. For instance, there is no clarity over how data privacy norms would apply to FIUs. The AA framework does not prohibit FIUs from combining existing data sets with the financial information they receive in order to profile users. This makes the account aggregator system conducive to data mining and raises the associated ethical issues. Similarly, there is no guidance on how an FIU is required to store and manage data that it has acquired through an AA. Further, there may be overlaps between the RBI’s AA guidelines and its other regulations vis-à-vis the proposed personal data protection law. For instance, the RBI may propose a different duration for processing certain kinds of data outside India, while the PDP law may not permit this at all. It is therefore unclear how the data privacy and security norms introduced by the RBI’s AA guidelines are to be read with the PDP Bill. Lastly, a mechanism must be devised to ensure that the consent flow for users is more accessible, understandable, and secure. This can be done by designing consent flows for low-literacy users containing more pictures, and by developing text-free, image-based and voice-assisted technology.

    You can read more about the AA Framework here.


    (Authored by Ratul Roshan, Associate, and Aparajita Srivastava, Partner, Ikigai Law, with assistance from Shrishti Rai, fourth year student from NLU-Jodhpur, and Rushika Patil, fourth year student from Amity Law School, Noida during externships with Ikigai Law)


    For more on topic, please get in touch at contact@ikigailaw.com


    [1] See Para 4.1 (a), Master Direction – Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016, https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=10598

    [2] See Clause 4.1 (c), Reserve Bank of India, Directions regarding Registration and Operation of NBFC, https://m.rbi.org.in/Scripts/bs_viewcontent.aspx?Id=3142

    [3] See Para 4.1 (b), Master Direction – Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016, https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=10598

    [4] Proviso to Para 4, Master Direction – Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016, https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=10598

    [5] See Clauses 6, 7, 8, 9, and 10, Reserve Bank of India, Directions regarding Registration and Operation of NBFC, https://m.rbi.org.in/Scripts/bs_viewcontent.aspx?Id=3142
