Meity regulations under DPDPA may clash with RBI regulations

(This is a continuation of the previous article)

RBI has been a powerful sectoral regulator and has assumed leadership for regulating the entire financial sector including the FinTech companies. In the process, some of its regulations clash with the implementation of DPDPA 2023. It would be interesting to know how MeitY will proceed in the framing of rules regarding “Consent Manager” which has a direct conflict with the Account Aggregator licensing system that RBI has introduced and the Cross Border transfer of data.

Just as overlapping regulations between CERT-In and DPB affect Data Breach Notification, RBI regulations on Account aggregators have overlapping effect on the “Consent Manager” concept as well as the Data Fiduciary concept.

Account Aggregators are a category of licensed bodies from RBI as per the Master Directions of 2016. They may be referred to as NBFC-AAs by RBI. The list of NBFC-AA s licensed by RBI is not easily accessed on the RBI website. As of 30th October 2023, RBI website records that there are 12 registered AAs . However lists the following AAs as of date.

Sr NoAA Company NameContact Person
1Agya Technologies Private LimitedNikhil Kumar
2CAMSFinServTejinder Singh
3Cookiejar Technologies Private Limited (Product titled Finvu)Manoj Alandkar
4CRIF Connect Private LimitedKshitij Talwar
5Dashboard Account Aggregation Services Private Limited
(Product titled Saafe)
Vijayan Rajasekar
6Digio Internet Private LimitedAbhinav Parashar
7FinSec AA Solutions Private Limited (Product titled OneMoney)A Krishna Prasad
8NESL Asset Data Limited (NADL)Nirmal Sebastian
9Protean (formerly NSDL E-Governance Account Aggregator Limited) (Product titled Protean SurakshAA)Ranjit Saraf
10Perfios Account Aggregation Services Pvt Ltd (Product titled Anumati)Kantharaju H G
11PhonePe Technology Services Private LimitedVidhi Jain
12Tally Account Aggregator Services Private Limited (Product titled TallyEdge)Debashish Raut
13Unacores AA Solutions Private Limited (Product titled INK)Ravi Doshi
14Yodlee Finsoft Private LimitedAnuj Rai

AAs with In-Principle Approval

Account Aggregators which have received In-Principle approval from RBI are listed below.

Sr NoAA Company NameContact Person
1Cygnet Account Aggregation Private LimitedNiraj Hutheesing
2OMS Fintech Account Aggregator Private LimitedNitin Sawant
3PB Financial Account Aggregator Private LimitedTBA

RBI in its Master Direction of 2016 has indicated certain criteria for registration of an entity as an Account Aggregator and obtain the Certificate of Registration.

Various conditions prescribed in the Master Directions include the following.

  1. Entity must be a NBFC, registered as a “Company” with a net owned funds of a minimum of Rs 2 crores. (Registration under SEBI, IRDAI and PFRDA and restricting its activities to the sector is excluded from registration with RBI)
  2. Initially an In-Principle approval would be provided and needs to be converted to a full registration within 12 months after setting up the technology platform.
  3. Account Aggregator shall not undertake any other business other than the business of account aggregator. Deployment of investible surplus by an Account Aggregator in instruments, not for trading, shall however be permitted.
  4. No financial asset related customer information pulled out by the Account Aggregator from the financial service providers should reside with the Account Aggregator.
  5. Appropriate agreements are to be entered into between the AA and the customer.
  6. The entity shall satisfy the “Fit” and “Proper” criteria for the proposed/existing directors

RBI has delegated the authority for managing the required architecture to REBiT. The technology architecture could be subject to an audit by REBiT

The NBFC-AA is envisaged to be a “Data Gateway” between a “FIU” or Financial Information User who needs certain financial information about an individual and one or more “FIP” s (Financial Information Providers” who may have that information .

Normally the individual (prospective client of the FIU) has to fetch the information from FIPs and provide it to the FIU. AA system tries to provide an alternative for a data exchange system which helps the Data Owner who is a customer of the AA and FIP and a prospective customer of the FIU.

In order to simplify this process, the Account Aggregator (AA) provides his service to the individual (Customer of AA). If the individual has an account with an AA, the information required by FIU can be re-directed to AA who in turn will fetch it from the FIP and provide it to the FIU. This entire mechanism needs to have a “Consent” framework which has been defined under the scheme.

The customer of an AA can be an individual or a non-individual. The Financial assets maintained by FIPs may therefore be personal or non personal information and FIUs may request for both types of information.

Where the requested information is related to an individual, the information becomes personal information under DPDPA 2023 and therefore needs to be compliant with the DPDPA 2023 requirements.

The RBI master direction has set a “Consent Artefact” as a standard format in which information has to be collected by the FIU from the Customer. This being a standard format can facilitate the data flow through the different participants such as the FIU, AA and the FIP.

The DPDPA is recognizing “Consent Manager” as a special kind of Data Fiduciary with all the obligations under DPDPA 2023 and the corresponding penalty possibilities. The legal basis for processing any personal data under DPDPA 2023 is “Consent” and hence there is a direct link between what a Consent Manager under DPDPA does and what the Consent Artefact under the AA framework represents.

We are yet to know the criteria to be fixed by MeitY for the Consent Managers under DPDPA 2023. It is presumed that there is already some pressure being brought upon Meity that all the entities already registered as Account Aggregators are to be considered as registered Consent Managers under DPDPA 2023.

The objective of our discussions is to debate if the activity of AA conform to the Consent Manager’s duties under DPDPA 2023 and whether the two services are similar. In the process we may be pointing out why the current functions of AAs as “Data Gateway Managers” do not fit into the requirements of Consent Managers under DPDPA who are Significant Data Fiduciaries.

For this purpose, apart from drawing the attention of the readers to the AA scheme as it exists now and integrated into the business of the 16 AA registered entities, we can explore the details of their operations to see if they are compliant with DPDPA 2023 as of today.

(To Be continued)

(Comments welcome)


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

1 Response to Meity regulations under DPDPA may clash with RBI regulations

  1. The Digital Personal Data Protection Act (DPDPA) 2023 is a game-changer for data privacy in India. This law gives individuals, known as ‘Data Principals,’ significant rights over their personal data. The Consent Manager, a key player in the DPDPA, is especially useful in India, where people might not fully grasp the intricacies of Privacy as a Right. Smart data handlers could exploit this lack of understanding to gather unnecessary information. The DPDPA’s Consent Manager stands out from the one in the Data Empowerment and Protection Architecture (DEPA) framework. It goes beyond the basics, offering services like de-identification, pseudonymization, and anonymization. It acts as a gatekeeper, filtering disclosure requests based on their purpose and pushing back when excessive permissions are sought. This means the data principal doesn’t have to navigate complex consent decisions; the Consent Manager steps in to determine what’s reasonable. In essence, the Consent Manager under DPDPA emerges as a fresh type of Data Fiduciary, enhancing the Data Protection landscape in India and beyond.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.