The “Data Privacy-Risk” in Account Aggregators

(Continued from previous article)

One of the major issues with AAs (Account Aggregators) is the need to ensure strict adherence to the “Fit and Proper” criteria, so that the valuable personal data that may come into the hands of the AA from the Banks is not used in contravention of the DPDPA.

While the RBI is responsible for checking the “Fit and Proper” criteria at the time of granting the provisional license, REBiT is responsible for ensuring that the technology platform is set up as per the RBI directives. In the coming days the system will also need to be compliant with the DPDPA.

We are not aware that RBI and REBiT are taking adequate steps to ensure that the personal data of the Indian public which may be accessed by AAs is adequately secured from the perspective of Data Privacy.

There is also a distinct possibility that an organisation’s adherence to the “Fit and Proper” criteria may change after licensing. Hence it has to be followed up at periodic intervals and monitored continuously.

We may recall the experience with CIBIL, which started as a trusted organization of Indian Banks and, once it had accumulated nearly 500 million data sets of Indian Bank customers, quietly sold itself to a US private company. Who benefitted in this multi-billion-dollar deal remains a mystery which even the ED has ignored.

There is already an attempt by some US based tech companies to enter NPCI, and it is not known how successful they have been at present. If they are accommodated the way TransUnion was in the original CIBIL capital structure, they will eventually take over control of NPCI. We should remember the famous story of the Arabian Camel getting into the tent and guard against it.

A similar possibility exists in the AA system. The risk of inadequate fitness at the time of licensing, of a change in “Fit and Proper” status after licensing, and of a change in the “Security posture” after the REBiT audit needs to be flagged and countered.

Presently there is no publicly accessible report about the licensed AAs, or about how RBI documented the “Fit and Proper” criteria or recorded the technology audit.

We do not see the AAs subjecting themselves to the “Right to Information Act” or providing for any information disclosure on their websites.

Some quick observations indicate:

Anumati ownership has already changed hands from Agya Technologies Pvt Ltd to Perfios AA Pvt Ltd.

CAMS FinServ grievance redressal page does not seem to work.

Finvu has a Grievance Redressal Officer contact but no DPO at present. The escalation of grievances is to RBI, which needs to change if the DPB becomes the authority under law.

CRIF CONNECT is a company with parentage in Italy and operates in data analytics, indicating a potential conflict of interest.

The Privacy Policies of all the companies are not in compliance with DPDPA 2023, and some have not even been updated after August 11th 2023, nor under the CERT-In guidelines.

Owners of Saafe seem to have a co-interest in some FUPs.

I am sure that if I go through all the 14+3 entities listed by RBI, every one of them may have some conflicting interest, lack of compliance with ITA 2000 or insufficient disclosure.

The system of AA licensing may be under-equipped to meet the requirements of DPDPA 2023.

We are not aware whether MeitY will consider the sensitivity of the information gathered by AAs as a criterion for classifying them as Significant Data Fiduciaries when the rules are finalized. We have a feeling that the “Consent Manager” rules to be notified by MeitY may be a repetition of the RBI rules for AAs, and hence all AAs will automatically be recognized as Consent Managers as well.

Will MeitY ignore the deficiencies in the AA licensing system and leave AAs completely under sectoral regulation, or subject them to the rigours of Significant Data Fiduciaries?

Let us wait and watch. If MeitY cannot resolve these turf-related issues, they may choose not to release the draft rules and let things drift. We also need to watch that the DPB does not get infiltrated by vested business interests.

Naavi

PS: It appears that the more I look at the way AAs are being regulated now, the more mentally disturbed I will be. So I am stopping further exploration of this issue for some time. Assuming that RBI as well as the AAs are aware that there is now a law to catch up with and somebody to watch what they are doing, we hope that they will take corrective steps themselves asap.

We may therefore wait and pray that responsible actions will be initiated by RBI soon. For the time being, until the Ram Mandir in Ayodhya is inaugurated, Naavi.org would prefer not to raise such issues. Let us all spend time in saying Jai Shriram.

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.

This entry was posted in Cyber Law.
