RBI has been a powerful sectoral regulator and has assumed leadership in regulating the entire financial sector, including the FinTech companies. In the process, some of its regulations clash with the implementation of DPDPA 2023. It would be interesting to know how MeitY will proceed in framing the rules regarding the “Consent Manager”, which has a direct conflict with the Account Aggregator licensing system that RBI has introduced and the Cross Border transfer of data.
Just as overlapping regulations between CERT-In and DPB affect Data Breach Notification, RBI regulations on Account Aggregators have an overlapping effect on the “Consent Manager” concept as well as the Data Fiduciary concept.
Account Aggregators are a category of bodies licensed by RBI as per the Master Directions of 2016. They may be referred to as NBFC-AAs by RBI. The list of NBFC-AAs licensed by RBI is not easily accessed on the RBI website. As of 30th October 2023, the RBI website records that there are 12 registered AAs. However, Sahamati.org.in lists the following AAs as of date.
| AA Company Name |
|---|
| Agya Technologies Private Limited |
| Cookiejar Technologies Private Limited (Product titled Finvu) |
| CRIF Connect Private Limited |
| Dashboard Account Aggregation Services Private Limited (Product titled Saafe) |
| Digio Internet Private Limited |
| FinSec AA Solutions Private Limited (Product titled OneMoney) |
| NESL Asset Data Limited (NADL) |
| Protean (formerly NSDL E-Governance Account Aggregator Limited) (Product titled Protean SurakshAA) |
| Perfios Account Aggregation Services Pvt Ltd (Product titled Anumati) |
| PhonePe Technology Services Private Limited |
| Tally Account Aggregator Services Private Limited (Product titled TallyEdge) |
| Unacores AA Solutions Private Limited (Product titled INK) |
| Yodlee Finsoft Private Limited |
AAs with In-Principle Approval
Account Aggregators which have received In-Principle approval from RBI are listed below.
| AA Company Name |
|---|
| Cygnet Account Aggregation Private Limited |
| OMS Fintech Account Aggregator Private Limited |
| PB Financial Account Aggregator Private Limited |
RBI, in its Master Direction of 2016, has indicated certain criteria for registering an entity as an Account Aggregator and for obtaining the Certificate of Registration.
Various conditions prescribed in the Master Directions include the following.
- The entity must be an NBFC, registered as a “Company” with net owned funds of a minimum of Rs 2 crores. (Registration under SEBI, IRDAI and PFRDA and restricting its activities to the sector is excluded from registration with RBI.)
- Initially an In-Principle approval would be provided, and it needs to be converted to a full registration within 12 months after setting up the technology platform.
- Account Aggregator shall not undertake any other business other than the business of account aggregator. Deployment of investible surplus by an Account Aggregator in instruments, not for trading, shall however be permitted.
- No financial asset related customer information pulled out by the Account Aggregator from the financial service providers should reside with the Account Aggregator.
- Appropriate agreements are to be entered into between the AA and the customer.
- The entity shall satisfy the “Fit” and “Proper” criteria for the proposed/existing directors.
RBI has delegated the authority for managing the required architecture to ReBIT. The technology architecture could be subject to an audit by ReBIT.
The NBFC-AA is envisaged to be a “Data Gateway” between an “FIU” (Financial Information User), who needs certain financial information about an individual, and one or more “FIP”s (Financial Information Providers), who may have that information.
Normally the individual (the prospective client of the FIU) has to fetch the information from the FIPs and provide it to the FIU. The AA system tries to provide an alternative data exchange system which helps the Data Owner, who is a customer of the AA and the FIP and a prospective customer of the FIU.
In order to simplify this process, the Account Aggregator (AA) provides its service to the individual (Customer of AA). If the individual has an account with an AA, the request for information required by the FIU can be re-directed to the AA, who in turn will fetch it from the FIP and provide it to the FIU. This entire mechanism needs to have a “Consent” framework, which has been defined under the scheme.
The customer of an AA can be an individual or a non-individual. The financial assets maintained by FIPs may therefore be personal or non-personal information, and FIUs may request both types of information.
Where the requested information is related to an individual, the information becomes personal information under DPDPA 2023 and therefore needs to be compliant with the DPDPA 2023 requirements.
The RBI Master Direction has set a “Consent Artefact” as a standard format in which information has to be collected by the FIU from the Customer. Being a standard format, it can facilitate the data flow through the different participants such as the FIU, AA and the FIP.
The DPDPA recognizes the “Consent Manager” as a special kind of Data Fiduciary with all the obligations under DPDPA 2023 and the corresponding penalty possibilities. The legal basis for processing any personal data under DPDPA 2023 is “Consent”, and hence there is a direct link between what a Consent Manager under DPDPA does and what the Consent Artefact under the AA framework represents.
We are yet to know the criteria to be fixed by MeitY for the Consent Managers under DPDPA 2023. It is presumed that there is already some pressure being brought upon MeitY that all the entities already registered as Account Aggregators are to be considered as registered Consent Managers under DPDPA 2023.
The objective of our discussions is to debate whether the activities of AAs conform to the Consent Manager’s duties under DPDPA 2023 and whether the two services are similar. In the process we may be pointing out why the current functions of AAs as “Data Gateway Managers” do not fit into the requirements of Consent Managers under DPDPA who are Significant Data Fiduciaries.
For this purpose, apart from drawing the attention of the readers to the AA scheme as it exists now and as integrated into the business of the 16 AA registered entities, we can explore the details of their operations to see if they are compliant with DPDPA 2023 as of today.
(To Be continued)