Account Aggregation: Consent Driven Consolidation And Sharing Of All Financial Information Through One Application

In today’s time, we all deal with a number of financial service providers each one of them providing one or more services which makes it certainly inconvenient for the users to keep track of their finances since all the information cannot be provided at the same place and there is no framework for consolidation of all such financial information. With an aim to resolve this inconvenience, in 2016, the Reserve Bank of India had proposed setting up a framework for account aggregators. These Account Aggregators are expected to fill this gap by collecting data from, Financial Information Providers (FIP) that hold your personal financial data like banks and providing the information of customers’ financial assets in a consolidated, organized and retrievable manner to the customer or any other Financial Information Users (FIU) like lending agencies etc. Earlier this month, India unveiled the Account Aggregator (AA) network with eight of India’s largest banks participating in the network marking the first step towards bringing open banking in India.

Participants And Creation Of Central Registry Of Information

 The service of AA is available for both individual and enterprises and any financial institution registered with RBI, SEBI, IRDA and PFRDA can be FIP or FIU. The network also has technical service providers (TSPs) participating in the ecosystem who collaborate with other participants to deliver vide range of fintech products and services.

Sahamati is a self-organized Account Aggregator ecosystem collective that is facilitating the ecosystem and it prescribes standards, promotes interoperability, and prevents participants from engaging in anti-competitive behavior, as well as serves as a source of information for the AA ecosystem. The AA ecosystem is designed so that each FIP and FIU is enabled to work with every AA in the ecosystem network, rather than only with those with whom they have a bilateral agreement. Once any FIP/FIU is certified and added to the Central Registry, any approved AA can connect with them. Registering with AA network is not mandatory for all participants and the network allows complete unmasked information unlike other central registries.

Collection And Sharing Of Financial Information

Financial Information means information about all kinds of financial services availed by the user including all kinds of bank/ NBFC deposits, mutual funds, stocks, insurance policies etc. However, currently, only asset-based data is available and other data types shall be added over time.

Every aspect of the AA network will be consent driven. The consent architecture includes one consent artefact to authorize the AA to obtain information from the FIP and other artefact authorizes the FIU/Customer to request aggregated information from the AA. The customers shall also be provided an option to revoke consent to obtain information that is rendered accessible by a consent artefact, including the ability to revoke consent to obtain parts of such information.

Upon receipt of the request with consent and only after the verification of the consent is done, the financial information provider shall digitally sign the financial information and transmit the same to the Account Aggregator in a secure manner in real-time. The customers will also be able to view a dashboard and a list of consents given and revoked in the application to track the information shared with financial institutions.

Data Security Aspects

The data being transmitted through the AA is encrypted by the sender and can be decrypted only by the recipient and AA cannot see the data, they merely take it from one financial institution to another based on an individual’s direction and consent. Also, AAs are not allowed to store, process and sell the customer’s data. This is designed to ensure AAs do not have a conflict of interest when designing processes to obtain consent for access to user data. AAs are not expected to aggregate customer’s data and create detailed profiles however, an AA application, not the AA itself, will have access to the balances of your accounts. The decrypting of this happens on the device of the end customer and very basic analytics may be done on the user’s app/ device.

Further, in order to ensure greater security and protection of the information the Account Aggregators are prohibited from accessing user credentials, keeping or “residing” with itself the financial information of the customer accessed by it and indulging in activities such as supporting transactions by customers or undertaking any other business other than the business of account aggregator. This also seems to suggest that the Account Aggregators has no role to play in verifying or reconciling the correctness of the financial information retrieved and shared.

The AA network is primarily based on Data Empowerment and Protection Architecture (DEPA) framework which is built on the premise that users have control over their data, which can be used for their empowerment. The framework for business of an Account Aggregator is designed to be entirely Information Technology (IT) driven and AAs are required to adhere to IT framework and interfaces to ensure secure data flows from the financial information providers to their own systems and onwards to the financial information users. The IT systems are also expected to have adequate safeguards to ensure they are protected against unauthorized access, alteration, destruction, disclosure or dissemination of records and data. The AAs shall be subjected to Information System Audit at least once in two years and report is to be submitted to the RBI.

Role In Lending Space

The launch of the AA network has received a positive and welcoming response among the financial service providers especially the lending institutions and is being longed to bring in a revolution in the nature and form of the financial information sought and the manner in which it was shared to the lenders for processing a loan application. An applicant will now be able to share all his financial and transaction information required by a lending institution seamlessly through the AA which shall equip the lender with granular information and facilitate the lender to make quick and more informed decision. Being a completely technology driven network it will reduce the time taken by FIUs to access, verify and analyze the financial information. However, one hitch is that, to understand a customer’s credit behavior a lender is supposed to have all of the requisite information and since here the customer has the control and option to pick and choose the information he wants to be shared, the customer may avoid to sharing a particular crucial financial information that would impact the lender’s decision or it may have to again resort for traditional mode of submission.

To conclude, at the framework and programmatic level, the system of Accounts Aggregators is prepared to achieve its dual goal, first to consolidate the financial information for users and vest with them full control over its information/ data which is being shared through the ecosystem customers and second to digitalize the way in which financial information is shared with financial institutions thereby facilitating real time sharing of information and speedier provision of financial services. The ensuing status of this ecosystem will depend on several factors like participation of all the stakeholders, the security of the financial data, working of the consent architecture of the customers, different aspects of technology at the end of the Account Aggregators, etc.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.