Deep Dive into India’s Account Aggregator Framework: Consent Architecture, Data Fiduciaries, and Legal Safeguards

May 9, 2025

INTRODUCTION

India is rapidly positioning itself as a global leader in digital public infrastructure (DPI), with initiatives like Aadhaar, Unified Payments Interface (UPI), DigiLocker, and now, the Account Aggregator (AA) Framework. Launched in September 2021, the AA framework represents a groundbreaking innovation in data governance and financial inclusion, enabling secure, real-time, and user-consented data sharing between financial institutions.

The AA system is not just a policy intervention; it is a foundational piece of India’s next-generation digital economy. It aims to democratize access to financial services, especially for underserved individuals and micro, small, and medium enterprises (MSMEs), by creating a transparent and efficient data-sharing ecosystem that eliminates paperwork, fraud, and information asymmetry.

This framework aligns with India’s vision of being a data-empowered society and supports the broader goals of financial inclusion, open banking, and fintech innovation. By shifting the ownership and control of financial data to individuals and businesses, the AA framework is transforming how fintech companies, lenders, wealth managers, and insurers design and deliver services.

UNDERSTANDING THE AA FRAMEWORK

The AA Framework, launched in September 2021, is a Non-Banking Financial Company (NBFC) model regulated by the Reserve Bank of India (RBI). It enables secure, real-time, and consent-based sharing of financial data between institutions, forming a key part of India’s DPI alongside Aadhaar, UPI, and DigiLocker.

The AA system replaces traditional, fragmented data-sharing methods with a standardized and user-controlled process, giving individuals and businesses complete authority over how their financial data is accessed and used.

The AA Framework includes four key participants, each playing a distinct role in enabling secure and user-consented data sharing:

  1. Financial Information Providers (FIPs)

FIPs are entities that hold users’ financial data. These typically include regulated financial institutions such as banks (e.g., SBI, HDFC, ICICI), NBFCs, mutual fund registrars (such as CAMS and KFintech), insurance companies, and pension funds regulated by the PFRDA. FIPs are responsible for providing user data when specifically authorized through an AA.

  2. Financial Information Users (FIUs)

FIUs are organizations that seek access to users’ financial data to deliver services. These include lenders, credit institutions, wealth management firms, insurance providers for underwriting purposes, and fintech platforms offering services like budgeting, investing, or tax filing. FIUs can only access this data after obtaining the user’s explicit and granular consent via an AA.

  3. Account Aggregators

AAs are licensed by the Reserve Bank of India and serve as secure intermediaries facilitating the transfer of data between FIPs and FIUs. AAs do not store the data themselves but enable its flow strictly based on user consent. They offer digital interfaces—such as apps or web portals—where users can view, manage, or revoke their consent. Prominent AAs include CAMS Finserv, Finvu, OneMoney, Anumati, and PhonePe’s AA platform.

  4. Individuals and Businesses (Data Principals)

These are the owners of financial data, including individuals, self-employed professionals, and MSMEs. As data principals, they have full control over their data—deciding what is shared, with whom, for what purpose, and for how long. They can revoke consent at any time through the AA interface. This structure empowers users, making them active participants in the data-sharing process rather than passive data providers.

CONSENT DESIGN: POWER IS IN THE USER’S HANDS

The AA framework represents a shift from traditional models by making the process more user-friendly and giving users greater control over their financial data. This control is facilitated through two key elements:

  1. Granular Consent Parameters

When an FIU requests data via an AA, the user must explicitly approve the following details:

  • Purpose of the data being requested
  • Specificity of the data to be shared
  • Time Boundaries for how long the data access remains valid
  • Frequency of access, whether it is a one-time request or recurring

This approach ensures that users have a clear understanding of what they are agreeing to, helping to prevent misuse of their data.

  2. Digital Consent Artifacts

Each time consent is granted, a digital consent artifact is created. This is a tamper-proof electronic record that serves multiple purposes:

  • It documents all the parameters of the consent
  • It provides an audit trail for regulators
  • It ensures accountability for all participants
  • It enables the revocation of consent at any time

These features work together to safeguard the user’s data and maintain transparency in the consent process.
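The consent parameters and the tamper-evident artifact described above, as an added illustration that is not code from the original post or from any AA or ReBIT specification: an FIU data request is checked against a signed consent artifact for purpose, data types, validity window, fetch frequency and revocation status. The artifact layout, field names, sample values and the HMAC signature are assumptions; the real framework uses its own schema and digital signatures.

```python
import hashlib, hmac, json
from datetime import datetime

# Assumed, illustrative artifact shape with an HMAC stand-in for the AA's signature;
# the real AA/ReBIT consent schema and signing scheme are not reproduced here.
def canonical(artifact: dict) -> bytes:
    body = {k: v for k, v in artifact.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_artifact(artifact: dict, key: bytes) -> dict:
    sig = hmac.new(key, canonical(artifact), hashlib.sha256).hexdigest()
    return {**artifact, "signature": sig}

def artifact_intact(artifact: dict, key: bytes) -> bool:
    expected = hmac.new(key, canonical(artifact), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, artifact.get("signature", ""))

def revoke(artifact: dict, key: bytes) -> dict:
    # Revocation is itself a signed state change, so the audit trail stays verifiable.
    return sign_artifact({**artifact, "status": "REVOKED"}, key)

def check_request(artifact, key, request, now_iso, fetches_so_far):
    """Return [] if the FIU request fits the consent, else the reasons it does not."""
    if not artifact_intact(artifact, key):
        return ["artifact signature invalid (tampered or wrong key)"]
    problems = []
    if artifact["status"] != "ACTIVE":
        problems.append(f"consent status is {artifact['status']}")
    now = datetime.fromisoformat(now_iso)
    if not (datetime.fromisoformat(artifact["valid_from"]) <= now
            <= datetime.fromisoformat(artifact["valid_until"])):
        problems.append("request outside consent validity window")
    if request["purpose"] != artifact["purpose"]:
        problems.append("purpose mismatch")
    extra = sorted(set(request["fi_types"]) - set(artifact["fi_types"]))
    if extra:
        problems.append(f"data types not consented: {extra}")
    if artifact["fetch"] == "ONETIME" and fetches_so_far >= 1:
        problems.append("one-time consent already used")
    elif artifact["fetch"] == "PERIODIC" and fetches_so_far >= artifact["max_fetches"]:
        problems.append("periodic fetch limit exhausted")
    return problems

# Constructed sample: a 30-day periodic consent for loan underwriting over deposit data.
KEY = b"constructed-demo-key"
ARTIFACT = sign_artifact({"consent_id": "demo-consent-001", "status": "ACTIVE",
    "purpose": "Loan underwriting", "fi_types": ["DEPOSIT"], "fetch": "PERIODIC",
    "max_fetches": 4, "valid_from": "2025-05-01T00:00:00+00:00",
    "valid_until": "2025-05-31T00:00:00+00:00"}, KEY)
GOOD_REQUEST = {"purpose": "Loan underwriting", "fi_types": ["DEPOSIT"]}
NOW = "2025-05-09T12:00:00+00:00"
```

Every rejection reason is returned rather than raised, so an FIU gateway can log the full list to the audit trail before refusing the fetch.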

DATA FIDUCIARIES: RESPONSIBILITIES AND OBLIGATIONS

The AA framework introduces the concept of data fiduciaries—entities that collect, store, and process data with specific obligations toward the data principal (the user). This concept is drawn from India’s broader data protection framework.

Key Fiduciary Obligations Include:

  1. Purpose limitation: Data can only be used for the specific purpose for which consent was granted
  2. Storage limitation: Data must be deleted after the consented purpose is fulfilled
  3. Transparency requirements: Clear disclosure of data usage practices
  4. Security safeguards: Implementation of robust technical and organisational measures to protect data

AAs themselves operate under a unique “data blind” model—they facilitate data transfer but cannot view or store the actual content of the data, functioning purely as consent managers and data flow enablers.

LEGAL ARCHITECTURE AND COMPLIANCE LAYERS

The AA system is built on a foundation of multi-tier legal and technical safeguards.

  1. Regulatory landscape

  • RBI regulates AAs under Master Directions (2016), focusing on licensing, cybersecurity, and operations. These directions define licensing requirements for account aggregators, establish technical standards for secure data processing, and mandate grievance redressal mechanisms.
  • Sectoral regulators oversee FIUs and FIPs for compliance within their domains.
  • With the passage of the Digital Personal Data Protection Act, 2023, the entire framework is set to be aligned with India’s formal data protection regime, and Consent Managers like AAs may be recognised under the Act.

  2. Integration with Data Protection Frameworks

  • The AA framework aligns with the principle of notice and consent by ensuring that users receive clear information and provide explicit permission before any data is shared.
  • It follows the principle of purpose limitation, where data is used strictly for the specific purposes that the user has consented to.
  • The framework adheres to data minimization, meaning only the minimum necessary data is collected and shared to fulfill the intended service.
  • It incorporates security safeguards by using strong technical measures to protect user information from unauthorized access or misuse.

  3. Real World Impact and Use

  • Lenders can now access verifiable financial information directly from multiple sources, enabling more accurate credit assessments and reducing reliance on self-reported or outdated data.
  • This access also leads to faster loan processing with a significantly reduced documentation burden, improving the overall efficiency of credit delivery.
  • Financial advisors benefit by being able to view a client’s consolidated financial position across institutions, allowing for more personalized and informed investment advice.
  • Individuals gain from a unified view of their financial assets, empowering them to make better financial decisions and manage their portfolios more effectively.

CHALLENGES AND WAY FORWARD

Despite its innovative design, the AA framework faces several implementation challenges.

One key issue is the broad adoption of the framework across financial institutions, requiring technical integration and user awareness about data subject rights. Without proper understanding, the framework’s potential could be limited. As data volumes grow, there is a need for technical optimizations to ensure secure, high-volume exchanges, which are crucial for the AA framework’s scalability.

Another challenge is the limited participation of public sector banks and insurers in the framework. Their inclusion is important for making the system more inclusive. While the AA framework empowers users, low user awareness of consent mechanisms and data rights remains a concern. Increasing user trust is vital for its success.

Lastly, there is a need for legal harmonization with the DPDP Act, especially regarding the role of Account Aggregators as consent managers, to ensure clear responsibilities and a trustworthy data-sharing environment.

AMLEGALS REMARKS

India’s AA framework represents a major advancement in financial data governance by combining robust consent mechanisms, clear fiduciary responsibilities, and comprehensive regulatory oversight under the RBI. This system empowers users with control over their financial data, ensuring data is shared only for specific, lawful purposes, with safeguards against misuse.

As digital financial services continue to grow, the AA framework’s principles of user control, purpose limitation, and fiduciary responsibility offer a model for responsible data-sharing. These principles not only protect individual rights but also promote market efficiency. The framework sets a global standard for how regulatory innovation can foster both innovation and privacy protection in the digital economy.

– Team AMLEGALS assisted by Mr. Vansh Dhingra (Intern)


For any further queries or feedback, feel free to reach out to rohit.lalwani@amlegals.com or mridusha.guha@amlegals.com
