Regulation November 25, 2020
NBFC-AAs make a requirement like a loan application easier for customers by providing financial access to their data with consent.
Even though the introduction of NBFC-AA was in 2016, the concept existed prior as well. Account aggregators like Perfios and Yodlee were engaged in consolidating financial data and analysing it for customers or institutions. Recently the Government decided to bring into effect entities that keep track of scattered financial data. These entities are scrutinised by multiple financial regulators(like RBI, SEBI, IRDAI). This was an official statement of transparency.
Why are Account Aggregators needed?
Most of an individual’s financial data is scattered due to accessing multiple financial products from multiple financial institutions. The customer herself would be confused about her financial data.
Another significant factor relates to data security. For the customers, there is no way to provision data securely to distinct entities. Current modes include:
- Account credentials are shared through third-parties.
- Data is provided as hard copies.
- Limited exchange of data through paperless transactions.
These modes are highly volatile as secure data acquirement and privacy can be compromised to a greater extent.
Thus the purpose of an NBFC-AA becomes to give a collective idea of the customers’ holdings and products. It provides information on multiple accounts held by the customer in a consolidated, organised and retrievable format. This will be exclusively voluntary and would not be done without the consent of the customer.
An NBFC is usually associated with transactions in financial assets by the customer. But An NBFC-AA does not have such a role in the process. It’s the only role is in account aggregation avoiding all financial transaction-oriented involvement.
NBFC-AA’s services are backed by necessary authorisations among customer, aggregator and financial service provider(FIP). This restriction along with most others have been introduced by the Financial Stability and Development Council (FSDC). This is where the part of an NBFC-AA covers not just the sphere of financial data but extends into other domains.
How does NBFC-AAs ease financial transactions?
NBFC-AAs can retrieve financial data of a customer from any financial regulator. This is consolidated and organised in a single portal. It can be shared with an FIU(Financial Information User), who must be regulated by a financial sector regulator like RBI, SEBI, IRDAI, etc. All data transfers should be consented by the customer without which no action will occur. For this, a detailed ‘Consent Architecture’ is to be implemented by the NBFC-AA.
In the pragmatic speech, this plethora of information is a gold mine for the FIUs(NBFCs) as it allows them to retrieve, with consent the customer’s data from the NBFC-AA. But, RBI had ruled that account aggregators can access customer data, but not store them.
The process is explained with the following illustration –[reference. Image 1]
Some aspects of the process:
- If a customer’s loan application is through a digital lending app, the NBFC requires the applicant’s financial data to execute a credit evaluation and determine its approval or denial.
- NBFC-AAs would ease the process by not demanding all financial holdings data individually and in hard copy. Instead, the customer can provide consent allowing data to be revealed from the NBFC-AA to the NBFC involved(customer can even determine to what extent in time this data is to be shared). This process takes a minuscule period, usually merely seconds.
- More than the time this saves, the information sharing impedances are considerably reduced while not compromising security.
What about when the Fintech Company is involved?
There are two partners and an entity in the process:
- The Sourcing Partner- a fintech company
- The Funding Partner- Usually an NBFC that provides the funds
- The Third entity- Account Aggregators(NBFC-AA) that provide the information required with consent.
The role of a fintech entity in the triangle would be its capacity to apply for an NBFC-AA license by itself or incorporate a new entity who has applied for the license and is capable of carrying out the role of an NBFC-AA in the proceedings. The former option will require the fintech company to maintain Rs. 2 crores as Net Owned Fund (NOF) for eligibility and registration.
This image illustrates the process with a fintech entity — [reference. Image 2]
Why is Consent Architecture the most important aspect of NBFC-AAs?
It is the most significant part of an NBFC-AA. An absence of customer’s consent will render the NBFC-AA’s capacity void. The obtainment, submission and managing of consent should strictly be consonant with the Master Directions offered by the RBI. The prescription has specifically denoted the consent to be a standardized consent artefact containing:
- Customer’s identity.
- Contact information.
- Requested financial information’s nature.
- Specified purpose of obtaining such information.
- The identity of information recipients.
- URL or other address to be notified every time the consent artefact is utilised to access the information
- Consent creation date and expiry date.
- Account Aggregator’s identity and signature/ digital signature.
- Any other attributes prescribed by RBI.
The artefact can also be in an electronic form capable of being logged, audited and verified.
The customer can revoke the consent any time she desires rendering the artefact utility null. Once revoked, a fresh consent artefact is shared with the FIP.
Which are The Prevalent NBFC-AAs
RBI provided operating licenses to four AAs in 2016:
- CAMS FinServ
- Cookiejar Technologies Pvt Ltd. (Product titled Finvu)
- FinSec AA Solutions Private Limited (The Product titled OneMoney)
- NESL Asset Data Limited
RBI provided in-principle approvals to three AAs in 2016:
- Jio Information Solutions Limited
- Perfios Account Aggregation Services Pvt Ltd
- Yodlee Finsoft Pvt Limited
Sahamati, a collective of the AA ecosystem has reported that currently, Axis Bank, Bajaj Finserv, Bank, Kotak Mahindra Bank, ICICI Bank, IDFC First Bank, HDFC Bank, and State Bank of India are developing their FIP/FIU implementation. Of these, Indusind Bank has already gone live. The reluctance exhibited by FIPs to share data with consent is considerably reducing with the evolving account aggregation domain.
BG Mahesh (Co-founder of Sahamati) said that AA platforms are in the final stage of the ‘wave one marathon. They passed the proof-of-concept stage last year. State Bank of India and a few big private banks are in the pre-production stage. In the next month, they will go into production,”
FIPs like GST, CBDT and TRAI are expected to join the ecosystem once the framework is implemented to success. The total AAs are expected to increase in number in the coming years with tech giants keeping a close eye to join in on the next wave of this evolution.
What is Sahamati and how does it further help NBFC-AAs?
DigiSahamati Foundation (Sahamati) is a not-for-profit collective of account aggregators established as a private limited company under Section 8 (of the new Companies Act of India). Sahamati came into existence as a response to the massively scattered financial data of customers and its need to be consolidated and organised.
Sahamati seeks to bring together people with versatile backgrounds in finance and technology to determine and achieve India’s Account Aggregator network, Protection Architecture and Data Empowerment. These goals and actions include examples such as ensuring banks implement proper consent architecture, FIP certifications to be robust or design novel methods for data sharing without compromise.
How do we register an AA license from RBI?
Companies with Net Owned Fund (NOF) more than 2 crores are eligible to apply for an AA license. AAs regulated by other sector regulators can not obtain a license from RBI if they are aggregating accounts and consolidating information on customers of only that sector.
Procedure for obtaining the NBFC-AA license — [reference. Image 3]
How NBFC-AAs Led to The Formation of DEPA
After the establishment of NBFC-AAs, an entity for a collective of Account Aggregators was expected. DigiSahamati Foundation(Sahamati) fulfilled this. Started as a private non-profit organisation, with the advice of RBI and other regulatory bodies, Sahamati was also one of the pioneers of new data architecture. This led to a more tight-knit and secure form of data architecture to be developed. This was later strategized and formulated as DEPA(Data Empowerment and Protection Architecture) in 2020.
DEPA, introduced as a draft policy by NITI Aayog is an approach or paradigm shift in managing personal data. It proposes a framework for consent approval that permits users to access and share data with third-party institutions. The policy involves RBI, SEBI, IRDAI, PFRDA and the Ministry of Finance operating together for implementation.
DEPA puts forth the concept of User Consent Managers in the data architecture. They are entities that manage consent for data sharing. They work to protect data rights. They obtain selected data from FIPs and deliver it to FIUs for a specified time. What data is to be shared and for what time it is to be shared is determined by the customer. Without the customer’s consent, no process will start.
Under DEPA, the individual, potential user and the institution holding the individual’s data will interact through consent managers. These consent managers are ‘data blind’ and can not view or use the individuals’ data themselves. All information is encrypted.
How Will NBFC-AA Help Users and Their Privacy?
The idea to collate and transfer data with strict consent architecture will help a data-rich country like India towards becoming more economically rich. As interactions like verification and lending become quicker and simpler with the help of Account Aggregators, the economy with increased motion will be churned to an essence.
The major concern regarding NBFC-AAs was the issue of privacy. How safe were we with transferring data through a data manager? Once the proper structure of DEPA and how the privacy will be protected was elaborate, more companies and organizations have initiated their FIU plans. The real trust comes from the fact that none of the NBFC-AAs can breach the privacy of the user even if they collate and transfer user data. This is because:
- No action can be initiated without the consent of the customer.
- Customers can determine the specific data to be transferred.
- Customer can determine the Specified time for the data to be transferred( be it a week, a month or the time he prefers).
- The content is not revealed to NBFC-AAs.
- The transfer is directly from FIP to FIU and NBFC-AA merely organises the interaction for a specified fee or otherwise.
- With the help of Collectives like Sahamati grievances of all parties can be swiftly addressed.
- Oversight by regulators provides superintendence.
Most modern NBFCs prefer to acquire the license or avail the services of an NBFC-AA as this would enable them to provide easier and quicker services for the customer and help themselves cut down on the expenses and manpower required, otherwise. The customer not requiring to even exit an app on her phone increases her affinity towards an institution that provides such a facility.
Nonetheless, it must be ensured that the revenue model should be constructed for the NBFC-AA to benefit from the services it would provide to other NBFCs. This would include easier approval and sanction methodology for lending.
The recent steep increase in interest for acquiring an NBFC-AA license provides sufficient evidence as to how this relatively new entity would change the financial transactions in this era.
The concerns of privacy being breached and other malpractices occurring due to the easy accessibility of personal financial data need to be considered. But one must keep in mind that the data is accessed easily, the operative word being ‘Easily’. This does not imply that it will be accessible unsafely or irresponsibly. With an impeccable consent architecture, the data accessibility is exclusive for selected entities for a selected time. The final call for all of this is for the customer.
Signzy is an AI-powered RPA platform for financial services. No matter how complex your workflow or operational complexity, Signzy is able to completely automate your back-operations decision-making process into a real-time API. This is possible due to a combination of Nebula — Our no-code AI model builder and our Fintech API Marketplace of over 200+ APIs. Today we work with over 90+ FIs globally including the 4 largest banks in India and a Top 3 acquiring Bank in US. Globally we have a strong partnership with MasterCard and offices in New York and Dubai to serve our customers in the 2 geographies. Our Product team of 120+ people is building a global AI product out of Bangalore.
Visit www.signzy.com for more information about us.
You can reach out to our team at firstname.lastname@example.org
Reach out to our team: email@example.com
For sales queries: Swati Saxena
Email : firstname.lastname@example.org
Author: Mahesh Mohan
A Creative Writer intent on conveying relevant information with precision and caliber.