INTRODUCTION
In this modern era of technology, everything is available in a blink of an eye. One of the greatest advantages of this technology is that most of the things are connected digitally nowadays, such as banking services, e-commerce services, educational services, medical services etc.
This rapid growth of technology and interconnectedness has led to an increase in demand for digital delivery of financial services and a shift in customer expectations with regard to the speed, safety, security and convenience of these digital services. Although we have been successful in delivering digital services in a few areas, such as providing loans to borrowers through a Digital Lending Platform, there is still a long journey to cover.
Therefore, keeping in mind the increase in demand for digital delivery of services and paradigm shift in Customer expectations, India Stack, the public digital infrastructure behind UPI, introduced the concept of Account Aggregators (AAs) in India to fill the gap and fulfil demands of several billion.
An Account Aggregator is an entity engaged in the activity of financial data aggregation: it gathers the Customer's financial information, as defined under Section 3 (ix) of the NBFC-AA Direction, 2016 (“The Regulation”), on a single platform and then, with the explicit consent of the user, shares it with the financial information user via an open Application Programming Interface (API).
Moving forward, in the upcoming weeks, we shall discuss the several facets of Account Aggregators in detail.
NEED FOR ACCOUNT AGGREGATORS
Since the dawn of the digital economy, online users have become increasingly tech savvy and comfortable with the idea of sharing data in exchange for financial services. This rapid growth of technology has therefore led to an increase in demand for digital delivery of financial services and benefits.
However, the problem with the digital delivery of these financial services is that the data of Customers is scattered across several institutions, such as Securities and Exchange Board of India (SEBI), Reserve Bank of India (RBI), Insurance Regulatory and Development Authority of India (IRDAI) etc., with no framework in place to collect, compile, synthesize and share that financial data on a single platform.
These institutions face the problem of information asymmetry, as they have to use a variety of ways to collect and verify the financial data of individuals, including scraping of online accounts, manual uploading of statements, partnerships with banks etc., which often results in the collection of incomplete data and a cumbersome process.
Gathering the data scattered between these different institutions and consolidating it in order to avail a financial service is a time-consuming task, which may even require some level of expertise from an individual.
Thus, keeping in mind the above-mentioned problems, policymakers have been exploring different ways to streamline the process of collection, verification, and processing of financial data. The introduction of Account Aggregator Platforms will help solve the problem by introducing a space where the scattered financial data of a customer can be compiled on a single platform.
DUTIES AND RESPONSIBILITIES
In accordance with Section 5 of the Regulation, Account Aggregator Platforms are required to fulfil the following duties –
1. The work of an AA, as a platform, is to compile the scattered Financial Data of the customer on a single platform. Therefore, it is essential for AAs to ensure that the customer’s explicit consent is obtained before providing any service to them. The whole functioning of an AA depends on whether the customer has given their consent or not.
2. AAs should ensure that they formulate appropriate agreements/authorizations while dealing with customers or Financial Information Providers. Further, an AA must ensure that it does not provide any service to them unless it has the backing of an agreement.
3. Under this mechanism, AAs must ensure that they verify the identity of the customer while providing services. Further, it has been established that the AA ecosystem is completely IT driven. Therefore, it is important for AAs to ensure that data security mechanisms are in place to keep the data safe.
4. Under this ecosystem, AAs are allowed to share information to the extent of their business only. Therefore, AAs can engage in the service of collecting, cataloguing, and organizing the financial information of a customer only in such manner as may be specified by the bank from time to time.
5. Under this ecosystem, any company which is registered as an AA Platform is prohibited from engaging in any business other than that of an AA. However, AAs can invest their surplus in instruments, provided this is not done for trading.
6. Under this ecosystem, AAs are strictly barred from storing any financial information of the customer received from Financial Information Providers.
7. Further, AAs, being intermediaries, are not allowed to bring in any third party to perform transactions on their behalf in any way. Further, AAs are not allowed to grant third parties access to the credentials of their customers' accounts in any manner.
8. In this ecosystem, AAs are required to formulate a Citizen Charter, which guarantees protection of the rights of their customers. The purpose of this Citizen Charter is to inform customers what they can expect in case of any grievance and how they will be provided a service with the intent of protecting them. If an AA has any information acquired from or on behalf of the customer, it shall not part with it without the consent of the customer.
9. Under this mechanism, the information provided by the Financial Information Provider will be considered the final record in case of any dispute between the information provided by the AA and that provided by the Financial Information Provider.
CHALLENGES WITH ACCOUNT AGGREGATOR
- Consent and Privacy Issues
The AA mechanism inherently delegitimizes the agency of the Customer by shifting their responsibility of authenticating data to a third party. The Customer’s role under this mechanism is limited to providing consent, but customers often do not understand the terms of the privacy policy and its possible repercussions; for example, they mistake a disclaimer policy for protection or suffer from ‘consent fatigue’.
Customers not only lose control over their data while sharing, but could also expose themselves to being profiled, which will leave them vulnerable to targeted advertising, differential pricing and other privacy-related risks. Although there are provisions restricting such usage, there is no way to prevent an FIU from overreaching and asking for a wider spectrum of permissions.
Moreover, there are also several issues in the process of consent collection. For beginners it might be too simplified. The Ministry of Electronics and Information Technology (MeitY), in its Electronic Consent Framework, suggested that a Consent Collector can possibly obtain consent by merely having the user click a button or sign a paper form.
- Monopoly over Data
AAs as a singular way of accessing Financial Data are problematic. However, even if users have the choice of using a different mechanism to access and share their data, an Account Aggregation ecosystem could cripple the customers’ ability to use alternative methods.
This was witnessed when Aadhaar was first introduced. It is important for users to have access to their data and have the right to share them with anyone they want to, but even the definition of ‘data harm’ itself has not yet been clearly drafted or agreed upon by financial institution regulators.
The minimum data required to access each class of financial services/products still has to be clearly defined, and there is no clear set of guidelines or regulations for customer protection.
Therefore, keeping in mind the possibility of AAs as well as FIUs denying customers access to products or services, differential pricing and other financial data, there is an immediate need to address such issues and take preventive measures, so that AAs and FIUs cannot deny customers access to critical financial services.
- Dual Role of RBI
The RBI has created a new cyber security IT arm called Reserve Bank Information Technology Pvt. Ltd (ReBIT), which is tasked with employing a technology standard for real-time financial information aggregation. Therefore, now NBFC-AA has become part of a consent layer of India Stack, converted by ISpirt, a well-known software products lobby organization.
RBI now possesses significant IT capabilities to audit as well as regulate licensees, and it should not be allowed to do both: own the technology standard through ReBIT and then act as a regulator for the same technology. As witnessed in the implementation of UIDAI, where the technology regulatory body both owns the organization and regulates it, this poses a great risk to the accountability of that organization.
Therefore, there is a need for an independent regulator to be appointed to oversee the implementation, from the initial stage, of aspects like design, cyber security and privacy.
- Infrastructure Issues of the Regulating Authority
One must understand that data sharing platforms would be better served if a designated Data Protection Authority regulated them.
Originally, RBI’s role was restricted to regulating the banking sector. Since the credit reporting of all sizes to the proposed Public Credit Registry became mandatory, it became the role of RBI to regulate the non-banking sector also.
RBI now has control over a large chunk of financial data as well as the entities that deal with such financial data. However, expecting RBI to act as a data regime regulator just because the data in question is financial in nature is not the best solution, as the infrastructure and personnel of RBI may not be best suited to it, given that the operations are technical in nature.
- No Provisions against Combining of User Data
Neither the specifications provided by the AA programme nor the proposed Data Protection regulation contains any provision setting standards for how an FIU, after acquiring financial data from an AA, is required to store and manage such data.
None of the above-mentioned provisions explicitly prevents FIUs from combining their existing data sets with other financial data sets and profiling their customers. This lack of regulation raises some serious ethical concerns, as witnessed in the Facebook–Cambridge Analytica Data Scandal, wherein Analytica harvested personal data from millions of Facebook users' profiles without their consent and used it for political advertising.
BENEFITS OF ACCOUNT AGGREGATOR
- Interconnectedness of the Data
Usually, the data of an individual or enterprise is spread across several institutions, such as banks, NBFCs, insurance institutions etc., which makes it very difficult for the customer to manage. Keeping these difficulties in mind, the concept of AAs was introduced, as this platform focuses on making it easy for customers to manage and access several accounts at once. However, under this ecosystem customers are required to provide consent, either physically or electronically, for the AA to collect information stored with different FIPs.
A customer, with the assistance of an AA, can get credit approvals seamlessly based on their underlying financial, government and socio-economic data. Financial advisors who require a 360-degree view of a customer's financial data also benefit under this platform, as AAs provide detailed information about a customer such as creditworthiness, financial holdings etc.
- Speedy, Convenient and Cost Effective
Usually, the Financial Data of a customer is collected using the “screen scraping” method, under which information is collected using software that reads text data from a terminal screen. Although this method of collection is a prominent one, it provides incomplete, time-intensive and inaccurate data, and it is expensive and prone to data breaches and leakages.
AAs, by contrast, don’t require any input from customers except consent, the cost of AAs is expected to be low, and most importantly the mechanism generates “real-time data” at a moment’s notice.
This mechanism is very convenient for the Customer, as all that he is required to do is register himself with an AA Platform through a desktop or mobile application, which displays details of all the consents provided and rescinded and the data requests made by the FIU.
- Safety and Security
Earlier, traditional customers were required to share data through different mechanisms, which included sharing credentials (i.e., username and password), physical delivery of hard copies of data and emailing non-encrypted data to third parties. All of these mechanisms pose a great threat to the safety and security of data.
The introduction of AAs has resolved this problem, as several measures under the AA mechanism keep the data of the Customer safe and secure; for example, AAs are not allowed to make transactions on behalf of the Customer and can only view the data generated.
Data is shared through an encrypted data flow between the FIP and the FIU. Under this mechanism, AAs are not allowed to share data unless they have obtained the consent of the Customer.
- Informed Choice of Products & Services and Increased Depth of Services
Originally, AAs were introduced to solve the huge problem of information asymmetry between Customers and financial institutions by consolidating data on a single platform, in order to generate effective and accurate financial strategies and specific, sub-industry information in useful reports but now that has extended to the domain of personalization.
AAs provide customers with an understanding of their own financial records, spending habits, net worth, etc., to meet personal goals as well as to provide a number of value-added services by recommending tailor-made products.
AMLEGALS Remarks
The Ecosystem of Account Aggregators has been introduced in India to solve the problems of data portability in banking, investment, insurance and other sectors of NBFCs, so that financial data can be collected, compiled, synthesized and shared on a single platform. This will make customers’ lives more convenient on a daily basis. For example, it will help a customer compile data on a single platform for banking functions, i.e., availing a loan, credit score, etc.
The introduction of AAs raises the big question of whether such a mechanism is a viable and successful option, but the answer will depend largely on the successful implementation of the consent architecture formulated under the Account Aggregator Master Direction and the contractual arrangements that are entered into with various regulated entities.
However, the Ecosystem of Account Aggregators is interoperable and has great potential in the Fin-Tech market. Eight Indian Banks (Axis, Bajaj Finserv, ICICI FIRST, HDFC, IndusInd, Kotak Mahindra, and State Bank of India) have also launched AA to centralize their consumers’ financial data for easy access.
In our next blog, we shall delve further into the framework of the Account Aggregator systems.
For any query or feedback, please feel free to connect with arushi.vyas@amlegals.com or mridusha.guha@amlegals.com.