Introduction
Continuing from our previous blog, Introduction to Account Aggregator – The Ecosystem, in this blog we discuss the framework of Account Aggregator platforms in detail.
Non-Banking Financial Companies – Account Aggregator (NBFC-AA)
The Reserve Bank of India (RBI) is one of the regulatory bodies that governs the functioning of Non-Banking Financial Companies (NBFCs) in India, through circulars, master directions and notifications issued from time to time. Keeping in mind the stringent framework applicable to NBFCs, the RBI requires Account Aggregator platforms to be registered as an NBFC under Section 45-IA of the RBI Act, 1934.
An NBFC-Account Aggregator (NBFC-AA) is a financial entity that provides the service of financial data aggregation to customers who use various financial products, such as insurance, mutual funds etc. The NBFC-AA collects, compiles, consolidates and organises all such financial data on a single platform and shares it with a Financial Information User (FIU), in accordance with the explicit consent of the customer, so that services such as financial advice, wealth management, credit assessment etc. can be provided.
Who can be a Participant?
In the ecosystem of the Account Aggregator (hereinafter referred to as “AA”), Customers and all other entities governed by RBI, SEBI, IRDAI and the Pension Fund Regulatory and Development Authority (PFRDA) can participate as Financial Information Providers and Financial Information Users, as briefly discussed below:
- Financial Information Provider (FIP)
As per Section 3 (xi) of the NBFC-AA Direction, 2016 (the Regulation), an FIP is a regulated entity that has access to the financial information of a person and agrees to share that financial data upon the request of a Financial Information User. FIPs include banks, banking companies, NBFCs, asset management companies, depositories, depository participants, insurance companies, insurance repositories, pension funds and such other entities as may be identified by the Bank for the purposes of these directions, from time to time.
- Financial Information User (FIU)
According to Section 3 (xii) of the Regulation, an FIU is an entity regulated by a financial regulator, i.e., RBI, SEBI, IRDAI or the Pension Fund Regulatory and Development Authority (PFRDA), which requests access to the financial data of a person from an FIP in order to provide services to the end customer, such as market assessment, customer analysis, creditworthiness assessment etc.
- Customer
Section 3 (vi) of the Regulation states that a Customer is a person who, by contract, provides explicit consent to the AA to access all of their financial data from FIPs and share it with FIUs in order to avail the services provided by the AA platform.
In the case of an AA, a Customer can be either an individual or an enterprise, and has the explicit right to manage its own consent.
- Account Aggregator (AA)
An AA is an entity that provides a digital platform to collect, compile and synthesise all the financial data of a customer from FIPs, as specified by the Bank from time to time, and then present it to the customer or to the FIU in order to provide services. The AA acts as an intermediary connecting FIPs with FIUs so that financial data can be transferred seamlessly and securely.
Procedure of Sharing Financial Information:
Under the system of AAs, once Customers grant their consent to the AA, they can share their financial information with different FIUs. However, in order to share such information, the AA must first collect it from the FIPs, and to do so it must send a request to those FIPs along with the consent artefact prepared by the AA.
Thereafter, when FIPs receive such requests, they are required to comply with the conditions mentioned under Clause 7 of the Regulation, in order to make sure that the information being shared is safe and secure.
Clause 7 of the Regulation states that –
1. The FIPs can only share financial information of its customers, when:
a. The validity of consent is verified;
b. Consent artifact provides specific dates and extent of its usage;
c. Credentials of the AAs are verified.
2. After verifying that all the essential requirements have been met, the FIP digitally signs the financial information and securely transmits it to the AA.
3. The FIPs must also make sure that the responses are in ‘real-time’.
4. After the AA receives the information from FIPs, it must:
a. Verify the identity of Financial Information Providers
b. Transfer this information to the recipient securely
5. To make sure that the data flow is smooth and secure, the FIPs must make sure the following is complied with –
- Implementation of proper interfaces that allow the AA to submit the consent artefact and allow the FIP and the AA to authenticate each other, confirming the secure transfer of the data;
- Implementation of all the Technical Specifications provided by Reserve Bank Information Technology Private Limited vide Notification BI/2019-20/96 DOR NBFC (PD) C.No.104/03.10.001/2019-20;
- Adopting techniques that ensure the verification of the consent and of the digital signature;
- Implementing measures that enable digital signatures;
- Maintaining a record of all requests for information to be shared and the replies thereto; this record must be submitted to the AA.
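As an added illustration (not part of the original post or of the Regulation), the following toy Python model walks through the Clause 7 flow on both sides: the FIP verifies the AA's signature on the consent artefact, the artefact's validity dates and the extent of what is requested, records each request and its reply, and returns digitally signed data; the AA then verifies the FIP's identity before forwarding to the FIU. All keys, identifiers and account records are constructed, and HMAC stands in for the digital signatures used in production.

```python
import hmac, hashlib, json
# Constructed toy keys; HMAC stands in for the digital signatures the Regulation requires.
KEYS = {"AA-1": b"aa-toy-key", "FIP-1": b"fip-toy-key"}

# Constructed records held by the FIP, tagged with a financial-information type.
FIP_RECORDS = [{"type": "DEPOSIT", "acct": "XXXX1234", "balance": 50000},
               {"type": "TERM_DEPOSIT", "acct": "XXXX9876", "balance": 200000}]

def sign(signer, payload):
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEYS[signer], body, hashlib.sha256).hexdigest()

def verify(signer, payload, sig):
    return signer in KEYS and hmac.compare_digest(sign(signer, payload), sig)

def fip_handle_request(consent, consent_sig, requested_types, ledger, today):
    """FIP side of Clause 7(1)-(2) and 7(5): verify, log, then return signed data or nothing."""
    entry = {"consent_id": consent["id"], "requested": requested_types, "on": today}
    ledger.append(entry)  # 7(5): record of every request and the reply given
    if not verify(consent["aa_id"], consent, consent_sig):  # 7(1)(c): AA credentials
        entry["reply"] = "refused: AA signature invalid"
        return None, None
    if not (consent["valid_from"] <= today <= consent["valid_until"]):  # 7(1)(a)/(b): dates
        entry["reply"] = "refused: outside consent validity"
        return None, None
    if not set(requested_types) <= set(consent["fi_types"]):  # 7(1)(b): extent of usage
        entry["reply"] = "refused: beyond consented extent"
        return None, None
    data = {"fip_id": "FIP-1", "consent_id": consent["id"],
            "records": [r for r in FIP_RECORDS if r["type"] in requested_types]}
    entry["reply"] = "shared %d record(s)" % len(data["records"])
    return data, sign("FIP-1", data)  # 7(2): digitally signed before transmission

def aa_forward_to_fiu(data, data_sig):
    """AA side of Clause 7(4): verify the FIP's identity, then pass the data on to the FIU."""
    if data is None or not verify(data["fip_id"], data, data_sig):
        return None
    return {"to": "FIU-1", "consent_id": data["consent_id"], "records": data["records"]}

def run_demo():
    """Three requests against one constructed consent artefact that is valid during 2024."""
    consent = {"id": "C-001", "aa_id": "AA-1", "fip_id": "FIP-1", "fi_types": ["DEPOSIT"],
               "valid_from": "2024-01-01", "valid_until": "2024-12-31"}
    sig, ledger, out = sign("AA-1", consent), [], []
    out.append(aa_forward_to_fiu(*fip_handle_request(consent, sig, ["DEPOSIT"], ledger, "2024-06-01")))
    out.append(aa_forward_to_fiu(*fip_handle_request(consent, sig, ["DEPOSIT", "TERM_DEPOSIT"], ledger, "2024-06-01")))
    tampered = dict(consent, valid_until="2030-12-31")  # artefact altered after the AA signed it
    out.append(aa_forward_to_fiu(*fip_handle_request(tampered, sig, ["DEPOSIT"], ledger, "2025-06-01")))
    return out, [e["reply"] for e in ledger]
```

Only the first request reaches the FIU; the over-scope request and the altered artefact are refused at the FIP, and the ledger keeps a reply for all three.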
Data Security:
Under this ecosystem, it is essential for AAs to ensure that the Financial Data shared by Customers is safe and secure. To ensure such safety and security of Financial Data, the RBI requires AAs to comply with the conditions mentioned under Clause 8 of the Regulation, such as:
1. An AA’s business is entirely IT driven, which requires a secure and robust framework and Application Programming Interface (API) to ensure safe transmission of financial data from FIPs to the AA and from the AA to FIUs.
2. Under this ecosystem, AAs are prohibited from storing any kind of Customer data, including passwords, PINs, private keys, etc., as these are used for authentication with FIPs. However, if the Customer has given consent, then AAs will be authorised to have access to such information.
3. The scalability of the technology should be such that it is able to include any other FIP as the bank may specify from time to time.
4. The IT framework should be safeguarded from unauthorized access, alteration, destruction, disclosure or dissemination of data.
5. AAs should have a Risk Management Committee as defined under Clause 14 of the Regulation. In order to constitute the Risk Management Committee, AAs should formulate a well-documented risk management framework, which should include –
a. A sound and robust technology for risk management framework, which should have strong system security, reliability, resiliency, and recoverability.
b. A strong authentication mechanism to protect access to customer’s financial data and systems.
6. There should be regular audits (at least once in 2 years) of the information system by CISA certified external auditors. The auditors’ report shall be submitted, within one month, to the Regional Office of the Department of Non-Banking Supervision of the Bank under whose jurisdiction the registered office of the AA is located.
7. In order to manage integrated risk, the Risk Management Committee so formulated should comprise not less than three members of its Board of Directors.
Following are the prerequisites of the Committee:
- It should give due consideration to risk factors affecting the safety of the financial data, such as reputation, customer confidence, consequential impact and legal implications, with regard to the investment made in controls and security measures for computer systems, networks, data centres, operations and backup facilities.
- It should keep watch over technological risks and ensure that the organisation’s IT infrastructure is capable of supporting its business strategies and objectives.
Rights of Customer
When Customers grant the AA access to share their financial information with any third party, the AA must ensure that the Customers have certain rights associated with such consent. These rights assure Customers of the security of the data they are sharing. Accordingly, Clause 10 of the Regulation ensures that Customers have the following rights –
- Right to access their consent
- Right to have knowledge about the FIUs that require their information
- Right to ensure that the information they are sharing will not be used for any other purpose than the purpose for which an explicit consent is given.
Grievance Redressal Mechanism
Each AAP, in accordance with Clause 11 of the Regulation, must have a board-approved policy to manage the grievances of its Customers, and it must ensure that Customers know which forum they can approach in case they have any issues or grievances.
AAPs must also comply with the requirements mentioned below to ensure that the grievances of Customers are resolved in an appropriate manner –
- The board of the Grievance Redressal Committee must approve the complaint of the Customer. The AA must ensure that it has a detailed guide for handling customer grievances.
- AAs must ensure that they provide the name and details of the Grievance Redressal Officer whom customers can approach.
- The Grievance Redressal Mechanism policy must specifically state the time within which such grievances are to be handled and disposed of, and such period should not exceed one month from receipt of the grievance.
- The AA’s Grievance Redressal Mechanism policy must also provide that, in case grievances are not resolved within a period of one month, Customers can appeal to the Bank.
AMLEGALS Remarks
The ecosystem of AAs was introduced in India to solve the problem of data portability in banking, investment, insurance and other NBFC sectors, so that financial data can be compiled on a single platform and make Customers’ lives more convenient on a daily basis.
Keeping in mind interoperability, the increase in demand for digital delivery of financial services and the paradigm shift in consumer expectations, India Stack introduced the concept of AAs. An AA is an entity that compiles and shares sensitive Financial Information. Therefore, in order to understand the ecosystem of AA platforms in India, it is important to understand the framework of these platforms, as it forms the crux of their working mechanism.
All AA platforms should ensure that they follow the due framework by incorporating grievance redressal mechanisms, exercising due diligence in maintaining data security, safeguarding the rights of customers, and so on.
In our upcoming blog, we shall discuss how Account Aggregators work as consent managers and the role of the Data Empowerment and Protection Architecture (DEPA) in the Account Aggregator ecosystem.
For any query or feedback, please feel free to connect with arushi.vyas@amlegals.com or tanmay.banthia@amlegals.com