INTRODUCTION
An Account Aggregator (AA) Platform, as discussed earlier, is an entity engaged in aggregating, on a single platform, financial data scattered across different financial institutions, in order to facilitate the digital delivery of financial services.
Since an AA acts as an intermediary between Customers, FIPs and FIUs, it is crucial for the AA Platform to ensure that the transmission of such financial data is seamless, hassle-free, safe and secure. To ensure such safety and security, AA Platforms are required to comply strictly with the regulations and norms provided under the NBFC-AA Master Direction.
In continuation of the previous Blogs on the Account Aggregator Ecosystem, this Blog shall elaborate upon the Regulatory Framework applicable to such Account Aggregators.
REGULATORY FRAMEWORK
1. Reserve Bank (NBFC – Account Aggregator) Direction, 2016 (‘Master Direction’)
The RBI, keeping in mind the usability and functionality of AA Platforms, introduced the Master Direction in order to provide a seamless, hassle-free and secure platform for the transfer of financial data between FIUs and FIPs, after receiving the explicit consent of the Customer whose data is going to be shared.
However, in order to establish an NBFC-AA, there are a few requirements which need to be complied with, such as:
Registration:
I. Eligibility
- It should be a company registered under Section 3 of the Companies Act, 2013. Under these directions, no entity other than a company can file an application for registration as an NBFC-AA.
- Company should have a net owned fund of Rupees Two Crore.
II. Application Stage
Upon clearing the eligibility criteria, the company should file an application in accordance with Annexure 1 of the Master Direction before the Department of Non-Banking Regulation, Mumbai, provided the company fulfils the following conditions:
- It should have appropriate resources to provide services to the Customer.
- It should have the required capital structure to undertake the work of AAs.
- It should have a promoter who is fit and proper to undertake the work of AAs.
- It should have a robust plan for its Information Technological System.
- It should have a management that is not prejudicial to the public interest.
- It should not have a leverage ratio of more than seven.
III. In-Principle Stage
Once the Department of Non-Banking Regulation is satisfied with the application of the company, it will grant In-Principle registration to set up the AA for a period of twelve months. Within that period of twelve months, the AA is required to fulfil the following conditions:
- It should set up the Technological Platform to collect and share the financial data of Customers in order to provide the promised services.
- It should complete all the legal formalities and documentation and should be ready for operation, in accordance with the terms and conditions mentioned in the In-Principle certificate.
IV. Registration
Once the RBI is satisfied that the company has complied with all the required conditions mentioned at the time of In-Principle approval and the conditions provided under Section 45-IA of the Reserve Bank of India Act, 1934, it will grant a Certificate of Registration to the AA, registering it as an NBFC.
2. The Information Technology Act, 2000
The AA Platform is a completely technology-driven framework. Therefore, it is essential for it to ensure that the data submitted by Customers is completely secure, as required under Clause 8 of the Master Direction.
In order to ensure the protection and security of data/information, it is important for the AA Platform to comply with the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Under the Data Privacy Policy, AAs are required to ensure that they comply with the following conditions:
- It should clearly state what kind of practices and policies they undertake, to ensure safety of the information provided by Customer.
- It should clearly specify that the explicit consent of the Customer will be taken before collecting their information and that the information collected from them is for a lawful purpose.
- It should clearly specify which information (including sensitive personal data or information as classified under Rule 3) is going to be collected by the company, namely passwords, financial information such as bank account details, debit card or credit card details, sexual orientation, medical records, biometric information, physical and mental orientation, etc.
- It should clearly specify the purpose of collecting such information and how it is going to be disclosed, shared and transferred to other institutions present in the market.
- It should clearly specify the reasonable security practices it is undertaking to ensure the safety of information stored with the company, such as whether the company has an International Standard IS/ISO/IEC 27001 “information security management system” in place.
3. Information Technology (Intermediaries Guidelines) Rules, 2011
The AA Platform acts as an intermediary between the Customer, FIPs and FIUs, as it compiles on a single platform the Financial Data of its Customer that is stored with different FIPs, and then shares such information with FIUs upon request. Therefore, in order to ensure the safety and security of Financial Data, the Ministry of Electronics and Information Technology (MeitY) introduced the Information Technology (Intermediaries Guidelines) Rules, 2011.
These Intermediary Guidelines were released as an addition to the rights and liabilities of intermediaries provided under the Information Technology Act, 2000. The Ministry of Law and Justice has also stated that these guidelines will be applicable to all kinds of intermediaries regardless of their functions or domain of work.
AAs under these guidelines are required to observe due diligence while sharing or accessing any data, to ensure that the transactions undertaken between Customer, FIPs and FIUs are safe and secure. Rule 3 stipulates that Due Diligence must be undertaken by the AA platform –
Due diligence:
I. To ensure safety and transparency, an intermediary is required to make its privacy policy public along with its user agreement, rules, and regulations, so that the Customer interacting with AA has complete knowledge about his rights.
II. If any unauthorized person tries to use this resource, then he/she shall be informed through these policies, rules, regulations and the user agreement that he/she is not permitted to host, display, upload, modify, publish, transmit, update or share information in the following cases:
- If it does not belong to the Customer and he does not have the right to access such information.
- Information is grossly harmful, harassing, defamatory, blasphemous, obscene, pornographic, paedophilic, libellous, hateful, racially or ethnically inappropriate, relating to money laundering or gambling, harmful to minors or in any way unlawful or invades privacy of any person.
- If such information infringes any intellectual property rights such as, patent, trademark, copyright or any other proprietary right.
- If such information is deceiving or misleading about the origin of the messages or if any offensive information is communicated.
- If such information impersonates another person.
- If such information contains any virus or program which is designed to interrupt or limit the functionality of the resource.
- If such information threatens the unity, integrity, defence or security of India or its relations with other states, or insults another country.
- If such information is against public order, causes any cognizable offence or tries to prevent the investigation of any crime.
III. Under these Rules, the AA shall not knowingly publish, initiate or modify such information as mentioned under sub-Rule (b). The following actions do not fall under the category of the above-listed activities:
- Temporary or transient storage of information, which is conducted automatically, without any human control and is transmitted to other computer resources.
- The person authorized by AAs will remove access to any information, data or communication if instructed to do so under any order or direction as per the provisions of the Information Technology Act, 2000.
IV. If the AA suo motu, or any person affected by such an act, informs the AA in writing or through email with an electronic signature that the information published by them falls under the category of activities mentioned under sub-Rule (b), then the AA is required to take action within 36 hours and work with the Customer or owner of such information to disable it. For investigation purposes, the intermediary is also required to keep the information stored for 90 days.
V. The Customers registered on the AA Platform are informed that the AA has the right to terminate their access to such information and remove such information if they do not comply with the rules and regulations provided by the AA.
VI. AAs are instructed to share all the information with Government agencies when required by law for any investigative, protective or cyber security concern, provided the agency requesting such information makes the request in writing. The purpose of sharing such information is to verify the identity of the Customer and to prevent, protect, detect, investigate, prosecute or punish any person for any cyber security offence under the law in force.
VII. AAs are required to undertake all reasonable security measures and practices under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, to ensure that the information shared by the Customer is safe and secure.
VIII. AAs are required to report all cyber security incidents and related information to the Indian Computer Emergency Response Team.
IX. AAs are prohibited from indulging in any activity which deploys, installs or modifies the technical configuration of a computer, or changes the normal course of operation of that computer, thereby circumventing the law. However, AAs are permitted to develop, distribute or employ such means if it is done with the intention of enhancing the security of the computer resource and its information.
X. AAs are required to publish the name of the Grievance Officer on their website along with his contact details and the procedure for registering complaints by affected Customers or victims. Further, the Grievance Redressal Officer shall resolve such a complaint within a period of one month of receiving it.
AMLEGALS REMARKS
The introduction of AA Platforms in India has paved the way for the transformation of digital delivery of financial services in an efficient and secure manner, which makes the Customer’s life convenient on a daily basis. The AA Platform acts as an entity which collects, compiles, consolidates and organizes financial data on a single platform and shares such sensitive financial data with FIUs, in accordance with the explicit consent provided by the Customer, in order to avail varied services.
Since the AA Platform functions entirely on a technological platform and deals with the transmission of sensitive financial data between FIPs and FIUs, it is pivotal that any AA Platform being set up in India complies with the regulations provided under the NBFC-AA Master Direction, in order to ensure that such an AA Platform is robust and secure.
Further, the AA ecosystem is interoperable and has great potential in the Fin-Tech market. Though obtaining a licence is not easy, as we have seen, it has great benefits for the Customer in terms of innovation and quality of services. Account Aggregation also paves the way for open banking, with the RBI announcing technical specifications as well.
For any query or feedback, please feel free to connect with arushi.vyas@amlegals.com or tanmay.banthia@amlegals.com.