FinTechData Privacy Norms for Account Aggregators

September 18, 2023


With the rapid development of technology, the upsurge in demand for digital delivery of financial services, and changing expectations regarding the speed, safety, security and convenience of digital services, the majority of online users have become comfortable with sharing their sensitive financial data in return for the benefits of digitally delivered financial services. The financial industry has seen one of the fastest and highest-quality digitisations of any industry, and thus more and more consumer data is now available online.

However, unlike consumer data from other applications, which may track one’s shopping habits, areas of interest and connections, data from fintech companies can reveal the financial situation, assets and investments of a person, which calls for security measures in this industry to be proactive and stringent.

Anticipating these expectations, the Reserve Bank of India (hereinafter, “RBI”), as if foreseeing the leaps a digitally enabled financial sector would make, introduced the Non-Banking Financial Company-Account Aggregator (hereinafter, “NBFC-AA”) framework in 2016, to securely collect, compile, consolidate, synthesise and organise various categories of financial data on a single platform and present the information in a manner that makes it easy for financial service providers to analyse and utilise it.

To understand what Account Aggregators are, we must first look at how digital financial applications work. Entities that use financial data are divided into two groups:

  • Financial Information Providers (hereinafter, FIPs), consisting of companies such as banks, NBFCs, mutual fund depositories, pension fund and insurance fund repositories, etc.
  • Financial Information Users (hereinafter, FIUs), consisting of entities which use the information collected by the FIPs to suggest and provide further services to the users.

Therefore, an Account Aggregator acts as a data-blind consent manager: if the user chooses to opt in, the Account Aggregator retrieves data in encrypted form from the FIPs, collates and sorts the various data sets, and finally sends them to the FIUs, which hold the decryption key and display the data in unencrypted form.

At present Account Aggregators are only able to collate and display basic information, such as bank balances in savings and current accounts, but there is exponential potential for cross-sector collation of data in the future.


The framework is primarily aimed at having NBFCs register as Account Aggregators and seeks to regulate them to ensure that personal financial information is kept confidential. The procedure prescribed under the NBFC-AA framework ensures that the data collected by the FIP entities is transmitted in encrypted form to the FIUs that need it to evaluate the person’s financial trustworthiness.

The FIU can then build a more comprehensive picture of the user, on the basis of which, depending on the nature of the FIU, it can decide whether or not to lend the user money, sanction a loan, issue a credit card, etc. The method ensures that nobody, not even the Account Aggregator, can access or view the data, which reduces the risk of data theft. The conveyed information can only be decrypted by the FIUs.
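The flow described above (the FIP encrypts, the Account Aggregator collates and forwards without being able to read, and only the FIU decrypts) can be shown end to end in code. The Go program below is an added illustration written for this page; it is not the RBI framework’s technical specification or any Account Aggregator’s own code. The choice of X25519 key agreement, AES-256-GCM and a SHA-256 key derivation, the function names (FIPEncrypt, FIUDecrypt, RunFlow), the consent ID and the two account records are all assumptions constructed for the example. It also goes one step beyond the text by binding the consent identifier into the ciphertext as authenticated data, so an envelope that is relabelled to a different consent after the FIP sealed it is rejected by the FIU.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is what an FIP hands to the Account Aggregator, which forwards it but holds no key.
type Envelope struct {
	FIPEphemeralPub []byte // one-time X25519 public key, sent in the clear
	Nonce           []byte // AES-GCM nonce, fresh per envelope
	Ciphertext      []byte // AES-256-GCM output, authentication tag included
	ConsentID       string // consent under which the record was shared
}

func must[T any](v T, err error) T { // panics on error so the demonstration flow stays short
	if err != nil {
		panic(err)
	}
	return v
}

// aeadFor runs the X25519 agreement and derives the AES-256-GCM key. Assumption for this
// illustration: SHA-256 over a label, the consent ID and the shared secret stands in for HKDF.
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, consentID string) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append([]byte("aa-illustration-v1|"+consentID+"|"), shared...))
	return cipher.NewGCM(must(aes.NewCipher(key[:]))) // 32-byte key: NewCipher cannot fail
}

// FIPEncrypt runs at the Financial Information Provider: it seals one record to the FIU's
// public key with a fresh ephemeral key pair and binds the consent ID in as additional data.
func FIPEncrypt(fiuPub *ecdh.PublicKey, consentID string, record []byte) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(eph, fiuPub, consentID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, record, []byte(consentID))
	return &Envelope{eph.PublicKey().Bytes(), nonce, ct, consentID}, nil
}

// FIUDecrypt runs at the Financial Information User with its private key. Any change to
// the ciphertext or to the consent ID makes authentication fail.
func FIUDecrypt(fiuPriv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(env.FIPEphemeralPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(fiuPriv, pub, env.ConsentID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.ConsentID))
}

// RunFlow walks two constructed records through FIP -> AA -> FIU and reports what the FIU
// recovered, whether the AA could open an envelope, and whether a relabelled envelope opened.
func RunFlow() (fiuRecords []string, aaCouldRead, relabelledOpened bool) {
	fiuKey := must(ecdh.X25519().GenerateKey(rand.Reader)) // FIU's long-term key pair
	aaKey := must(ecdh.X25519().GenerateKey(rand.Reader))  // the AA's own, unrelated pair
	const consent = "consent-0001"
	var bundle []*Envelope // what the AA collates and forwards without reading
	for _, r := range []string{ // constructed sample data, not real account records
		`{"fip":"FIP-A","type":"SAVINGS","balance":"12500.00"}`,
		`{"fip":"FIP-B","type":"CURRENT","balance":"3200.50"}`,
	} {
		bundle = append(bundle, must(FIPEncrypt(fiuKey.PublicKey(), consent, []byte(r))))
	}
	_, aaErr := FIUDecrypt(aaKey, bundle[0]) // wrong private key, so the GCM tag check fails
	aaCouldRead = aaErr == nil
	relabelled := *bundle[0] // same ciphertext, consent ID altered after sealing
	relabelled.ConsentID = "consent-0002"
	_, relErr := FIUDecrypt(fiuKey, &relabelled)
	relabelledOpened = relErr == nil
	for _, e := range bundle {
		fiuRecords = append(fiuRecords, string(must(FIUDecrypt(fiuKey, e))))
	}
	return fiuRecords, aaCouldRead, relabelledOpened
}

func main() {
	recs, aaRead, relOpened := RunFlow()
	fmt.Printf("AA read a record: %v; relabelled envelope opened: %v\nFIU received: %q\n", aaRead, relOpened, recs)
}
```

Running it reports that the Account Aggregator could not read a record and that the relabelled envelope did not open, followed by the two records the FIU recovered. The property the text relies on is visible in the types: the aggregator only ever holds an Envelope, never the FIU's private key, so a compromise of the aggregator exposes ciphertext and routing metadata but not account contents.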

The framework places data security on a pedestal by relying heavily on the protection of encryption. According to IBM Security’s report titled ‘Cost of a Data Breach Report’, 95% of organisations have experienced a data breach more than once. Furthermore, in the past half decade the country has experienced major breaches of financial information. Encryption is a primary protection for data, but it must be accompanied by a robust data protection regime with specific and effective regulations to protect such crucial, correlated, identifiable information.


1. Data Empowerment and Protection Architecture (DEPA)

In order to give consumers seamless, secure and unrestricted access to their personal data, NITI Aayog (National Institution for Transforming India) launched the DEPA (Data Empowerment and Protection Architecture) initiative in August 2020. Under this framework, users could exchange their data only after giving their permission. It relies on privacy-enhancing technologies (PETs), a system that goes beyond data protection.

2. Information Technology Act, 2000 (hereinafter, “IT Act”)

  • Section 43A requires body corporates dealing with sensitive personal data to adopt and document reasonable security practices and procedures.
  • Section 72A prescribes punishment and penalties for non-compliance with the same and for data breach.
  • Section 69 is the provision under which the Information Technology (Procedures and Safeguards for Interception, Monitoring or Decryption of Information) Rules, 2009 were framed.

3. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

  • Rule 4 specifies the documentation of a privacy policy and the disclosure of information.
  • Rule 8 prescribes Reasonable Security Practices and Procedures.


As reassuring as encryption of data can be, the fact remains that even encrypted data has been breached in the past. Be it symmetric or asymmetric encryption, skilled hacking groups all over the world have successfully breached some of the most secure and well-protected databases in the world.

It is in this context that it becomes clear that the best protection is to have more control over the data that is available in the first place. This is where the DPDPA (Digital Personal Data Protection Act, 2023) will have a significant impact.

The following are the major compliances given under the Act which would make entities accountable. It suggests that entities which collect, process, share and retain sensitive data prepare a non-invasive data protection management system.

1. Consent: informed, specific and free consent should be taken by the entities at every step of data processing, collection, sharing and retention.

2. Data collection: this must be clearly specified and communicated to the user, even if the entity is acting as an intermediary.

3. Data retention/storage: mention where the data is being stored, the retention policy specifying when it will be deleted, and the security measures taken to protect the stored data.

4. Data processing and sharing: the user must know how the data is being processed after collection, with whom it is shared, and the purpose for which it is being used.

5. Grievance redressal details: mention the contact details of the grievance redressal officer or data protection officer and set out the procedure for redressal in detail.

6. Data security measures: mention the practices and procedures adopted to keep the data safe.

7. Rights of the data principal: inform the customer/user about their rights, for example the right to erasure, rectification and use of the data, the right to withdraw consent, etc.

Complying with the above measures would assist fintech companies seeking the Account Aggregator licence in establishing a data protection management system to protect such crucial, correlated, identifiable data.


The system of Account Aggregators is beneficial for the fintech industry. As the economy grows ever more dependent on technology, the demand for comprehensive and effective data protection efforts grows continuously. For financially savvy and diversified users who maintain accounts and assets in multiple streams, data protection laws alone are not enough, as they are only punitive, i.e. they can only punish the wrongdoer once the damage is done. Therefore it is the companies in the fintech sector that need to put in place security protocols, SOPs and contingency plans to prevent breaches in the first place.

The principle-based DPDPA would help bring about this self-regulating change in the NBFC-AAs, but separate data protection guidelines and regulations catering specifically to fintech companies would help the sector become more trustworthy.

-Team AMLEGALS, assisted by Ms. Khanak Sharma (Intern)
