India is now moving to a new protocol for data-sharing with user consent as its centrepiece. Just as the Unified Payments Interface (UPI) ushered in an era of digital transactions, this new class of non-banking financial institutions, called Account Aggregators (NBFC-AA), holds the potential to be a game-changer.
What is an Account Aggregator (NBFC-AA)?
Account Aggregators are the NBFCs that enable structured financial data sharing, for a fee or otherwise, from Financial Information Providers to Financial Information Users, while maintaining a log of consent given (called “consent artifacts”) and providing the ability to revoke and manage consent. Any financial sector regulated entity currently offering these financial products and services is classified as a “Financial Information Provider” (FIP). Any entity that is registered and regulated by any Financial Sector Regulator (across banking, mutual fund / equity investments, insurance and pensions: RBI, SEBI, IRDA, PFRDA) is classified as a “Financial Information User” (FIU).
The data being shared covers 18 classes of financial information that have been defined across banking, investments, insurance and pensions, as per the master directions issued by RBI’s Department of Non-Banking Regulation (DNBR).
NBFC-AAs are building systems to allow users to digitally share their data with service providers in exchange for easier access to credit, insurance and other financial products, or simply to keep track of all their investments. Account aggregators will essentially act as “Consent Brokers”, taking user permission to access their financial accounts and aggregating and organising all their financial information in one place.
Basic Requirements for NBFC-AA:
The basic requirements demarcated in the Directions for registering an NBFC-AA are as follows:
- It should be a company registered under section 3 of the Companies Act, 1956 or a company registered under sub-section (20) of section 2 of the Companies Act, 2013;
- It is mandatorily required to obtain a Certificate of Registration (CoR) from RBI for doing the business of account aggregator under section 45-IA of the RBI Act, 1934;
- The minimum net owned funds of the company must be Rs. 2 crores or more;
- It must be equipped with the necessary resources and wherewithal to offer such services to customers, such as an information technology system;
- Promoters must be fit and proper;
- The character of management must not be prejudicial to the interest of the public;
- The leverage ratio of the company should not be more than 7 times.
Financial Information means information in respect of the following with financial information providers:
a. bank deposits including fixed deposit accounts, savings deposit accounts, recurring deposit accounts and current deposit accounts,
b. Deposits with NBFCs
c. Structured Investment Product (SIP)
d. Commercial Paper (CP)
e. Certificates of Deposit (CD)
f. Government Securities (Tradable)
g. Equity Shares
j. Mutual Fund Units
k. Exchange Traded Funds
l. Indian Depository Receipts
m. CIS (Collective Investment Schemes) units
n. Alternate Investment Funds (AIF) units
o. Insurance Policies
p. Balances under the National Pension System (NPS)
q. Units of Infrastructure Investment Trusts
r. Units of Real Estate Investment Trusts
s. Any other information as may be specified by the Bank for the purposes of these directions, from time to time;
This means that an NBFC doing the business of AA will only be allowed to collect and provide financial information relating to a customer, either to a bank or to any other financial information user. AAs shall not undertake any financial activities, that is, any fund-based activities, which is the basic test of eligibility for being termed an NBFC under section 45I of the RBI Act, 1934.
Conclusively, AAs will simply be agents holding information on the financial assets of customers, and will disseminate such information only under contractual obligation or under the express consent of the customers whose information they hold. They cannot use the information for any other purpose. This ultimately brings us to the moot question: is the new class of NBFC floated by RBI actually an NBFC or not? Prima facie, the scope of operations and activities to be carried out by AAs makes it apparent that they will not be undertaking any financial activities and hence are not NBFCs by nature, except for the fact that they carry the RBI-certified label of being called an NBFC.
Consent Manager for Financial Data Transfer:
The Unified Payments Interface made monetary payments accessible to a large number of users: newer intermediaries (Payment Service Providers) enabled users to make and receive payments on the various accounts held by them through a single app (such as BHIM, PhonePe or Google Pay) and to use a bank-agnostic payments identifier (called a VPA, for example abc@xyzbank) as their payments identity for sending and receiving payments.
Similarly, an NBFC-AA is an entity that will allow a user to make “data payments”, that is, to transfer their financial data from various accounts (held by that person as bank deposits, equity, mutual funds, pension funds etc.) to any entity wanting access to that data (an FIU). An FIU can initiate a consent request, with details of the information requested, by sending the request to the user through their NBFC-AA identifier (user@accountaggregator). The NBFC-AA will ensure that the requested data is shared only after consent is obtained through the NBFC-AA app, similar to authorising a collect request in a UPI application.
The Financial Information Users (FIUs) (any regulated entity under RBI, SEBI, IRDA or PFRDA) can use that data to offer services and products such as access to credit, a 360-degree view of personal finances, or wealth management advice based on investment data, through emerging financial services.
A user registering an account with NBFC-AA will be able to grant or revoke consent to share data from any accounts held by him/her in any FIP, or even export data in a structured format.
Duties & Responsibilities of AAs
With the limited scope of operations, the main responsibility of the AAs is to procure and disseminate financial information of any customer under explicit consent and to keep it safe so as to not let it pass from one hand to another freely. The Directions lay down the duties and responsibilities of the AAs for:
- obtaining consent of the customer;
- obtaining authorisations for providing the services;
- the method of proper identification of customers;
- laying down a Citizen’s Charter for protection of the rights of customers; and
- safeguarding the financial information of customers and ensuring that no retrieval and no transfer of such information happens without the explicit consent of the customer.
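The consent flow sketched in the previous section (an FIU raises a request addressed to the user's NBFC-AA identifier, the user approves in the AA app, and data then moves from FIP to FIU) together with the duties just listed can be made concrete in code. The following Python model is an added example written for this page; it is not code from any AA, FIP or the framework's own specification. It assumes an HMAC-signed consent artifact as a stand-in for the real signature scheme, invented identifiers such as alice@demo-aa, bank-x and lender-y, constructed sample data, and FI-type labels such as DEPOSIT and INSURANCE that are not the specification's enum names. It shows the AA logging every consent event, the FIP releasing data only against an in-scope, unexpired and unmodified artifact, revocation stopping further transfers, and the AA passing data through without storing it.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timedelta, timezone

@dataclass
class ConsentArtifact:
    consent_id: str
    user_vua: str            # user's AA identifier, e.g. "user@accountaggregator" (assumed format)
    fiu_id: str
    fip_id: str
    fi_types: list           # consented scope, e.g. ["DEPOSIT"] (labels assumed, not spec enums)
    expiry: str              # ISO-8601 UTC: consent is time-bound
    status: str = "PENDING"  # PENDING -> ACTIVE -> REVOKED
    signature: str = ""

    def payload(self) -> bytes:
        fields = asdict(self)  # canonical bytes covered by the AA's signature
        fields.pop("signature")
        return json.dumps(fields, sort_keys=True).encode()

class AccountAggregator:
    """Consent broker: signs and logs consent, pipes data through without storing it or holding FIP credentials."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key  # HMAC stands in for the AA's real signing key
        self._consents = {}      # consent_id -> canonical ConsentArtifact
        self.audit_log = []      # the "log of consent given": (event, consent_id)

    def _sign(self, art: ConsentArtifact) -> str:
        return hmac.new(self._key, art.payload(), hashlib.sha256).hexdigest()

    def consent_request(self, fiu_id, user_vua, fip_id, fi_types, days=30) -> str:
        # FIU -> AA: ask the user for scoped, time-bound consent
        cid = f"consent-{len(self._consents) + 1:04d}"
        expiry = (datetime.now(timezone.utc) + timedelta(days=days)).isoformat()
        self._consents[cid] = ConsentArtifact(cid, user_vua, fiu_id, fip_id, sorted(fi_types), expiry)
        self.audit_log.append(("REQUESTED", cid))
        return cid

    def approve(self, cid: str) -> ConsentArtifact:
        # User -> AA (in the AA app): approve; the AA issues the signed artifact to the FIU
        art = self._consents[cid]
        art.status = "ACTIVE"
        art.signature = self._sign(art)
        self.audit_log.append(("APPROVED", cid))
        return replace(art, fi_types=list(art.fi_types))  # FIU gets an independent copy

    def revoke(self, cid: str) -> None:
        # User -> AA: withdraw consent; no further transfer is honoured
        self._consents[cid].status = "REVOKED"
        self.audit_log.append(("REVOKED", cid))

    def verify(self, presented: ConsentArtifact) -> bool:
        # FIP -> AA: signature genuine and unmodified, consent still active, not expired
        current = self._consents.get(presented.consent_id)
        return (current is not None and current.status == "ACTIVE"
                and hmac.compare_digest(self._sign(presented), presented.signature)
                and datetime.fromisoformat(current.expiry) > datetime.now(timezone.utc))

    def relay(self, fip, art: ConsentArtifact, fi_type: str) -> dict:
        # Pipe the FIP's response straight to the FIU; nothing is retained on the AA
        return fip.fetch(self, art, fi_type)

class FinancialInformationProvider:
    def __init__(self, fip_id: str, records: dict):
        self.fip_id, self._records = fip_id, records  # records: (user_vua, fi_type) -> data

    def fetch(self, aa: AccountAggregator, art: ConsentArtifact, fi_type: str) -> dict:
        # Release a read-only snapshot only against a verified, in-scope artifact
        if not aa.verify(art):
            raise PermissionError("no active, valid consent artifact")
        if art.fip_id != self.fip_id or fi_type not in art.fi_types:
            raise PermissionError("request outside the consented scope")
        return dict(self._records[(art.user_vua, fi_type)])  # copy: caller cannot alter the record

def run_demo() -> dict:
    aa = AccountAggregator(signing_key=b"constructed-demo-key")
    bank = FinancialInformationProvider("bank-x", {  # constructed sample record
        ("alice@demo-aa", "DEPOSIT"): {"account": "SB-0001", "balance": 12500}})

    def blocked(fn) -> bool:
        try:
            fn()
            return False
        except PermissionError:
            return True

    cid = aa.consent_request("lender-y", "alice@demo-aa", "bank-x", ["DEPOSIT"])
    art = aa.approve(cid)
    tampered = replace(art, fi_types=["DEPOSIT", "INSURANCE"])  # FIU widens scope, keeps old signature
    result = {"shared": aa.relay(bank, art, "DEPOSIT"),
              "out_of_scope_blocked": blocked(lambda: aa.relay(bank, art, "INSURANCE")),
              "tampered_blocked": blocked(lambda: aa.relay(bank, tampered, "INSURANCE"))}
    aa.revoke(cid)
    result["after_revoke_blocked"] = blocked(lambda: aa.relay(bank, art, "DEPOSIT"))
    result["audit_events"] = [event for event, _ in aa.audit_log]
    return result
```

run_demo() returns a dict showing the deposit record shared under valid consent and three refused transfers: one outside the consented scope, one against a copy of the artifact that the FIU altered after signing (caught because the AA recomputes the signature over the presented copy), and one after the user revoked consent (caught because the FIP asks the AA for the live status instead of trusting the artifact on its face). That last design choice is what makes revocation effective even though the FIU still holds a validly signed artifact.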
Does RBI define the fit and proper criteria for promoters/directors?
Yes, clause 12.5 of the Directions specifies the criteria for promoters and directors to ensure that they are fit and proper to assume such roles. For this purpose, an AA shall:
i. have a policy for ascertaining the fit and proper criteria of the directors/ managing director/ CEO at the time of appointment, and on a continuing basis. The policy on the fit and proper criteria shall be on the lines of the Guidelines contained in Annexure 4 of these Directions;
ii. obtain a declaration and undertaking, in the format given in Annexure 5 of these Directions, from the directors/ managing director/ CEO giving additional information on the directors/ managing director/ CEO;
iii. obtain a Deed of Covenant signed by the directors/ managing director/ CEO, which shall be in the format given in Annexure 6 of the Directions;
iv. furnish to the RBI an annual statement on change of directors/ managing director/ CEO, duly certified by the Statutory Auditors that the fit and proper criteria in the selection of directors have been followed, within 15 days from the closure of the year.
Data Security:
Since the AAs will hold a large amount of financial information of various customers, it is essential to have proper IT infrastructure in place to provide adequate security for such data.
The AAs shall adopt a sound IT framework commensurate with the amount of financial information held by them. They will be responsible for the safe storage as well as the safe transfer of data from financial information providers to their own systems and from their systems to the financial information users. It will be the duty of AAs to ensure the safety of data while at the same time ensuring that their systems do not retrieve or store any customer credentials. The Directions specify the following for the safety of data:
- protection from unauthorised access, alteration, destruction, disclosure or dissemination of records and data
- scope to upscale the technology with respect to any financial information or financial information provider
- appropriate measures for Disaster Risk Management and business continuity
- timely Information System Audit by a CISA certified external auditor
Other Provisions for NBFC-AAs
Apart from the specific provisions made applicable to NBFC-AA in these Directions, the normal provisions applicable to NBFCs at large have also found a place in the same Directions, so that one need not look beyond these Directions for the provisions applicable to this class of NBFCs. The following are the other provisions which have been incorporated in the Directions:
a) A Customer Grievance Policy for handling/disposing of customer complaints within a specified time period not exceeding 1 month.
b) Pricing of the services of AAs shall be governed by a policy and shall be in conformity with the AA's internal guidelines in this regard.
c) Corporate Governance – AAs shall have adequate internal mechanisms for reviewing, monitoring and evaluating their controls, systems, procedures and safeguards, for which they shall have the following committees:
- Audit Committee – in line with section 177 of the Companies Act, 2013
- Nomination Committee – in line with section 178 of the Companies Act, 2013
- Risk Management Committee – for designing a framework for risk management and strengthening system security to protect access to customer data, etc.
d) Provisions with respect to change/ acquisition of control over the management of the companies.
e) Returns shall be filed by AAs as may be specified by RBI from time to time.
f) Inspection may be carried out by RBI or any of its authorised officers at such intervals as it may deem fit.
g) Exemption from provisions of these Directions may be granted by RBI to any company or class of companies subject to such conditions as it may impose.
Account aggregators have to connect with banks and financial institutions to pull the data of their customers so that they can then share it with financial information users (FIUs) such as Reliance Capital, Bajaj Finance and other lenders. While the technical specifications for such pull and push requests have been laid down, it is unclear which entity will do the job of data aggregation. There are more than 350 registered financial institutions in India.
As on date, five entities have received in-principle approval from RBI to be account aggregators: NeSL Asset Data, CookieJar Technologies, Finsec AA Solutions (Onemoney), CAMS Financial Information Services and Abcap Trustee Company (MyUniverse). They have been conducting pilots and are at various stages of building software and integrating with data providers.
Account Aggregators can act only as pipes through which data from financial information providers is passed on to users of the information. While requesting data from banks and financial institutions, account aggregators will have read-only access to customer data and will not be able to store, change or process the information.