Account Aggregator

In September 2016, RBI announced master directions for a new class of non-banking
finance companies called Account Aggregators (NBFC-AA). These entities will enable
sharing of data from across various financial sector institutions, and act as “consent
brokers”, that is, mediate data transfers across financial entities with the user’s consent.
RBI had conceptualized this around July 2015

What is an Account Aggregator?

Usually, people may have different financial products from the financial institutions –
savings bank deposits, fixed deposits, pension, insurance policies, Mutual Funds et.
Customers may have only vague idea about their holdings of these products and
services.

“At present, financial asset holders such as holders of savings bank deposits, fixed
deposits, mutual funds and insurance policies, get a scattered view of their financial
asset holdings if the entities with whom these accounts are held fall under the purview
of different financial sector regulators.” – says the RBI about the rationale for NBFC -
AA.

Account Aggregators will be entities that enable structured financial data sharing from
Financial Information Providers to Financial Information Users, while maintaining a log
of consent given (called “consent artifacts”), and providing the ability to revoke and
manage consent. Any financial sector regulated entity currently offering these financial
products and services is classified as “Financial Information Provider” (FIP). Any entity
that is registered and regulated by any Financial Sector Regulator (across banking,
mutual fund / equity investments, insurance, pensions — RBI, SEBI, IRDA, PFRDA) is
also classified as “Financial Information User” (FIU).The data being shared covers 18
classes of financial information that have been defined across banking, investments,
insurance, pensions, as per the master directions issued by RBI’s Department of Non-
Banking Regulation (DNBR).
 Consent manager for financial data transfer

Unified Payments Interface made monetary payments accessible to a large number of

users, newer intermediaries (Payment Service Providers) enabled users to make /
receive payments on various accounts held by them through a single app (like BHIM,
PhonePe, Google Pay etc) and use bank agnostic payments identifier (called VPA; An
example of a VPA: abc@xyzbank) as payments identity to send and receive payments.

Similarly, an NBFC-AA is an entity that will allow a user to make data payments or
transfer user data of financial nature of various accounts (held by that person in banks
deposits, equity, mutual fund, pension funds etc) to any entity wanting access to that
data (an FIU). An FIU can initiate a consent request with details of information
requested by sending a request to user through the NBFC-AA identifier
(user@accountaggregator). NBFC-AA will ensure requested data will be shared after
consent is obtained using NBFC-AA app, similar to authorizing collect request in an UPI
application.

The Financial Information Users (FIU) (any regulated entity under RBI, SEBI, IRDA,
PFRDA) can use that data to offer services / products like giving access to credit, offer
360 view of personal finance, or use investment data to offer wealth management
advice through emerging financial services like robo banking aided by artificial
intelligence.
A user registering an account with NBFC-AA will be able to grant or revoke
consent to share data from any accounts held by him/her in any FIP, or even
export data in a structured format.

NBFC-AA Licenses

CashlessConsumer asked the RBI regarding licenses issued for NBFC-AA class
of entities and got a reply stating 9 entities has applied for the licenses and 5 of
them have been given in-principle approval and final approval for commencing
operations will be put on website.

We also learn through sources that NeSL Asset Data Limited, a subsidiary owned
by NeSL(National eGovernance Services Limited,  a private insolvency information utility
jointly held by banks and regulated by IBBI ) is likely to be among the in-principle
licensees of NBFC-AA license.
The above list of 5 companies are the first to receive license from RBI as account
aggregators

What are the Duties & Responsibilities of NBFC Account

Aggregators?

The prime responsibility of the NBFC-AAs is to collect information of any customer

under explicit consent and disseminate such information.

Here are the following duties and responsibilities of the NBFC-AAs (NBFC Account
Aggregators) as per the directions laid down by the RBI:

 Obtain customer consent;

 Obtain in principal approval to render such activities;
 Method of proper customer identification;
 For the protection of customer’s rights laid down Citizen’s Charter; and
 Safeguard financial information of customers
 Ensure that no information is retrieved and transferred without obtaining the
proper consent of the customer
 Process of NBFC-AA Registration
The process of NBFC-AA registration is carried out on the basis of master directions
issued by the RBI. This type of entity shall not hold public funds and will not have any
customer interface. For NBFC-AA (NBFC Account Aggregator) registration, the
following steps need to be undertaken:

 The first step is company registration as per Companies Act, 2013.

 The company must have the necessary resources to offer such type of services.
 To undertake the business of account aggregator, the company had made proper
arrangement of adequate capital structure.
 The general character of the management is not prejudicial of public interest.
 For carrying out the activities of account aggregator it is mandatory to obtain
Certificate of Registration (CoR) from RBI.
 For obtaining Certificate of Registration (CoR), an application is required to be
made with the RBI by the applicant.
 There is a requirement of a minimum of Rs. 2 crore.
 Equipped with information technology system in order to carry out services of
account aggregation
 Promoters of the NBFC-AA must be fit and proper
 Leverage ratio should not be more than 7 times

What needs to be done by the NBFC-AA (NBFC Account

Aggregator) during the validity period of in-principle
approval?
During the validity period, the company shall make arrangement for an information
technology platform and complete all the legal documentation which is necessary to
carry out operations. However, in the case of noncompliance, RBI may cancel the CoR
of NBFC-AA:

 If the company cease to carry the operation of account aggregation;

 The company is not complying the conditions subject to which the certificate of
registration has been issued by the RBI; or
 If it is found that NBFC-AA (Non-Banking Financial Company-Account
Aggregator) is no longer eligible to hold the certificate of registration; or
 If the company fails to comply with the following conditions:
 Directions issued by RBI; or
 Maintaining accounts;
 Publish and disclose its financial position in accordance with the law;
 Inspection of books of account.
Fit and Proper Criteria for Promoters as per RBI
 Draft a policy for ascertaining the fit and proper criteria of promoters.
 The policy will be completely based on the guidelines issued by RBI.
 A declaration shall be obtained from the directors/ managing director/ CEO as
per the format provided under directions.
 A covenant deed shall be obtained by the directors/ managing director/ CEO as
per the format provided under directions.
 Furnish annual statement on change of directors/ managing director/ CEO duly
certified by the Statutory Auditors regarding the fit and proper criteria within 15
days from the closure of the financial year.

Norms for Data Security by NBFC-AA (NBFC Account

Aggregator)
It is mandatory for NBFC-AA to have proper IT infrastructure as they carry a lot of
financial information of various customers. These types of entities shall be solely
responsible for the safe storage & transfer of data from financial information providers to
financial information users. They would also have to ensure that customer credentials
cannot be retrieved or stored in their system.

 Protection from unauthorized access, alteration, destruction, disclosure, or

dissemination of records and date
 Use the technology platform in relation to keep financial information;
 Take necessary action for risk management
 Information System Audit by CISA certified external auditor timely

The Bottom Line

Here, the purpose of the NBFC – AA is to provide information to the customer about the
various products he has in a common format. It will provide information on various
accounts held by a customer in a consolidated, organized and retrievable manner. The
option to avail the services of the account aggregator will be purely voluntary for a
customer. The activities of the AA will be IT oriented, implying that digital information will
be provided to the customer). Unlike other NBFCs, the AA will not provide any
transaction in financial assets by its customers. His only role will be that of account
aggregation. At the same time, deployment of investible surplus by the aggregator in
instruments, not for trading, will be permitted. Pricing of services will be as per the
board-approved policy of the account aggregator.

Services of the AA should be backed by appropriate agreements/authorizations

between the aggregator, customer and financial service provider. The AA has to follow
the terms and conditions of the license (such as customer protection, grievance
redressal, data security, audit control, corporate governance and risk management
framework).