This blog post examines the evolution of the AA Framework, and its role in the India Stack ecosystem.
Our earlier blog was a primer to the NBFC account aggregator framework (“AA Framework”). In this one we take a closer look at the evolution of the AA Framework. And its role in the India Stack ecosystem.
What is the India Stack?
It is a set of APIs made available by the government to public and private players. They can use the APIs as baseline infrastructure on top of which they can innovate. Saving them time and money to create their own (baselevel) APIs. It also helps build an open ecosystem, where public and private entities can coordinate, collaborate, and innovate.
The India Stack aims to transform India into a presence-less, paperless, and cashless economy (more on this below). It was developed by iSPIRT (a think tank) in collaboration with the Indian government. This is how iSPIRT envisages the India Stack:
So, the India Stack has four layers –
- Presence-less layer: a universal biometric digital identifier through which citizens can access services. Implemented through the Aadhaar infrastructure.
- Paperless layer: digitising records, eliminating paper collection and storage. Implemented through Aadhaar e-KYC, E-sign, and Digital Locker.
- Cashless layer: a single interface connects the country’s bank accounts and wallets to democratize payments; this has been implemented through IMPS, AEPS, and UPI, among others.
- Consent layer: allows data to move freely. Giving people control over their data and how it is used, stored and shared. Implemented through the Data Empowerment and Protection Architecture (“DEPA”).
What is DEPA?
The DEPA is a technical framework which allows people to determine how their data is accessed, collected, stored shared and for how long, through a single platform (a dashboard of sorts). In doing so, it allows people to access more tailored services, while maintaining their privacy.
But the DEPA is only a technical architecture and needs to be run by someone. This will be done by ‘consent managers’, i.e. organisations who will build their consent management solutions on top of the DEPA.
The NITI Aayog recently released a draft document discussing the DEPA framework where it also discussed the role of consent managers. The Aayog explained that a consent manager will ensure that individuals can provide consent for every granular piece of data they provide, through the DEPA, and will also protect an individual’s data rights.
But what do consent managers exactly do?
This screenshot has been taken from the NITI Aayog’s DEPA draft, and describes how consent managers facilitate the flow of information between the data principal, information provider and information user:
A regulated entity may require some information about an individual to provide her a new or better service. If so, it can inform the consent manager with which that person has an account that it requires x, y, z pieces of information. The consent manager then requests that person’s consent to collect the relevant information from another regulated entity which already has this information; if she consents, this information will be sent from one regulated entity to another in an encrypted manner.
Think of it as a Dunzo for your data. Much like the delivery service, the consent manager will seek information from one party on what it needs to go forward, then run to the person for her consent to share the relevant information with that party, then go to the party which is storing such information, and then carry this information back to the initial entity which needed this information. However, the consent manager cannot see what is being delivered. It will be a dumb pipe whose role is securing consent and transporting data from party A to party B.
Will there be one consent manager for all of India or multiple? Will these be sector specific or sector agnostic?
Consent managers will be specific to each sector, and it is likely that sectoral regulators will come up with regulations for consent managers in their sector. For instance, consent managers in the financial ecosystem are referred to as Account Aggregators; consent managers in the health, telecom, and skill development sectors may be called by different names. Further, AAs are governed by the RBI’s ‘Master Direction on Non-Banking Financial Company – Account Aggregator Directions’ issued in 2016; similarly, it is possible that the National Health Authority, or the National Skill Development Corporation may release their own guidelines to regulate consent managers in their respective sectors. In fact, the NITI Aayog’s recently released a DEPA draft is aimed at expediting the development of such sector specific consent managers.
Account Aggregators
Now let’s deep dive into the AA framework. A consent manager operating in the financial sector is called an AA. The vision of the AA Framework is to enable financial data to flow from parties who have it to those who need it to help create more, better, and tailored financial products and services for people.
The RBI allows companies with a net operating fund of INR 2 crores to apply for registration as a Non-Banking Finance Companies (“NBFC”) – Account Aggregator torun AAs. A good example of an AA is Onemoney which was the first company to receive their licence from the RBI, followed closely by CAMS FinServ and FinVu.
This role enables them to collect financial data from institutions which hold such data, like your bank, an NBFC, mutual fund depository, insurance repository, pension fund repository, etc. (collectively financial information providers or “FIP”). After collecting this data, they transfer it to the financial institutions which have sought it, also termed as Financial Information Users (“FIU”). This may include a lending bank which wants access to the prospective borrower’s data to determine if she qualifies for a loan.
In the AA Framework, both FIUs and FIPs can only be entities which are regulated by a financial services regulator i.e. the Reserve Bank of India, Securities and Exchange Board of India, Insurance Regulatory and Development Authority and Pension Fund Regulatory and Development Authority. Hence, AAs collect financial information generated by entities regulated by the RBI, the SEBI, the IRDAI, or the PFRDA. Such regulated entities can participate in the AA ecosystem, either as an FIP or an FIU.
The RBI released the technical specifications for AAs in November 2019. Since then, seven AAs have received in principle licenses from RBI, out of which four have received operational licenses, and approximately ten banks and NBFCs are in various stages of adoption of the FIP and FIU technical modules. Further, in July – August 2020, a competitive AA Hackathon with over 550 participants was organised seeing start-ups, fintech’s, and product teams at financial institutions innovate and build on consent management or FIU designs.
Process of Registration As an AA
- No entity other than a company can apply to become an AA[1]. And such a company must have a net owned fund of not less than INR 2 crores or such higher amount, as the RBI specifies[2]. Further, no company can start or continue undertaking the business of an AA without procuring a certificate of registration to this end from the RBI[3]. The form which must be filled to procure the certificate is here. The only exception being entities which are already being regulated by other financial sector regulators and are aggregating financial information from customers only in that sector – such entities do not need to register with the RBI separately[4]. We understand that this means that if an entity is regulated by SEBI, and only wants to convey financial information between other entities regulated by the SEBI, then this registration will not be needed.
- The RBI’s directions also specify the duties and responsibilities of AAs, their required data security practices, customer grievance redressal mechanisms, as well as pricing, corporate governance, and audit requirements.[5]
- To participate in the AA ecosystem, one must either be an FIP or an FIU, both of which must be regulated by financial sector regulators. This indicates that if an unregulated fintech player wishes to participate in the AA ecosystem, it will not be able to. This is possibly a guardrail instituted by the RBI to protect the financial data of users from falling into the hands of, or being exploited by, malicious actors. Both FIPs and FIUs must comply with the technical standards released by the RBI; these may be found here.
Sahamati – a self-regulatory organisation for AAs
A non-profit collective of Account Aggregators – the DigiSahamati Foundation (known as “Sahamati”) is evangelising the Framework and mobilising existing financial institutions to adopt technical standards to participate as FIPs and FIUs in the AA ecosystem. Participation in Sahamati is voluntary. However, Sahamati does provide a certification to interested FIPs, AAs, and FIUs. This certification is aligned with the RBI’s technical, legal and security guidelines regarding the Framework, and so will help interested FIPs, AAs, and FIUs, demonstrate their compliance with the RBI’s requirements, which may in turn expedite their RBI certification. Sahamati has members from industry, academia, and regulators. and ensure that users interests are also represented on the board.
For now, Sahamati is raising awareness about the AA model, providing technical support to new AAs, FIPs, and FIUs, laying down a code of conduct, audit guidelines, and interoperability standards for stakeholders in the AA ecosystem. It is also establishing standards for reporting to regulators, creating a grievance redressal framework for all customer complaints, ensuring that members adopt regulatory tools for self-reporting of data and monitoring member compliance, amongst other things. These functions are similar to those of a self-regulatory organisation for a given ecosystem. However, we must clarify that Sahamati was not formed by regulatory mandate, despite having regulatory representation. If you are looking to participate in the AA ecosystem, you may consider getting in touch with Sahamati to get a better understanding of the compliances and technical requirements.
AA enabled innovations
The AA framework provides a base for developing tailormade products and services. Some of these tailormade products and services are briefly discussed here.
Wealth management and financial planning applications – Earlier, wealth managing applications would vaguely assess the risk bearing capacity of a user by asking them questions pertaining to investment in high risk ventures, their risk appetite, return preferences etc. However, now, with the advent of AAs, the planner can check the investment track record, spending habits, frequency of online and risky transactions etc. Additionally, the user can share their bank statement with financial planning applications which can further analyse the financial behaviour of the user and recommend solutions to help save money. Moreover, in cases where the user’s bank history shows that they often go into overdraft, the service provider may prompt them to save a specific amount every month or suggest them to change the bank where the overdraft norms and charges are lenient.Some examples of wealth and finance management advisories which would be able to benefit from the AA Framework are Aditya Birla Finance Limited and Adani Capital Private Limited.
Investment advisory – By engaging an AA, the full view of the finances can be shared instantly with a wealth manager. Further, investors can get real-time prices of their investments, and can get a bird’s eye view of her entire wealth, allowing the entire portfolio to be analysed quickly. Along with these advantages, once data from different accounts is aggregated under one roof through APIs, banks can create various add-on services such as (a) liquidity management services – by informing individuals and businesses of their cash flows and account balances at various intervals; (b) cash flow management for small and medium enterprises – by providing a full view of the business’ finance based on the consolidated information about payments, invoices, loans, insurance premiums etc. Some investment advisory firms which would benefit from the AA Framework include SBI DFHI Limited, and Paisabazaar, amongst others.
The way forward
Even though the AAs have enabled substantive developments in the financial market, it still suffers from some glaring ambiguities. For instance, there is no clarity over how data privacy norms would be applied to the FIUs.This is because, the AA framework does not prohibit the FIUs from combining existing data sets with the financial information to profile users. This makes the account aggregator system conducive for data mining and raises the associated ethical issues. Similarly, there is no guidance on how the FIU is required to store and manage data that it has acquired from the AA. Further, there may be overlaps between the RBI’s AA guidelines and its other regulations vis-à-vis the proposed personal data protection law. For instance, the RBI may propose a different duration for processing certain kinds of data outside India, while the PDP law may not permit this at all. It is therefore unclear how the data privacy and security norms introduced by the RBI’s AA guidelines are to be read with the PDP Bill. Lastly, a mechanism must be devised to ensure that consent flow for users is more accessible, understandable, and secure. This can be done by designing consent flows for low literacy users containing more pictures and developing a text-free, image-based and voice assisted technology.
You can read more about the AA Framework here.
(Authored by Ratul Roshan, Associate, and Aparajita Srivastava, Partner, Ikigai Law, with assistance from Shrishti Rai, fourth year student from NLU-Jodhpur, and Rushika Patil, fourth year student from Amity Law School, Noida during externships with Ikigai Law)
For more on topic, please get in touch at contact@ikigailaw.com
[1] See Para 4.1 (a), Master Direction- Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016, https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=10598
[2] See Clause 4.1 (c), Reserve Bank of India, Directions regarding Registration and Operation of NBFC, https://m.rbi.org.in/Scripts/bs_viewcontent.aspx?Id=3142
[3] See Para 4.1 (b), Master Direction- Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016, https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=10598
[4] Proviso to Para 4, Master Direction- Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016, https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=10598
[5] See Clauses 6, 7, 8, 9, and 10, Reserve Bank of India, Directions regarding Registration and Operation of NBFC, https://m.rbi.org.in/Scripts/bs_viewcontent.aspx?Id=3142
