How Consent Managers Work in India’s Account Aggregator Ecosystem


Introduction

In the Account Aggregator framework, the term “consent manager” refers to the Account Aggregator entity itself, which is a licensed NBFC that manages the consent artefact, maintains the consent record, and routes encrypted data between Financial Information Providers and Financial Information Users.

Understanding what consent managers do and do not do is essential for institutions building on the AA ecosystem. It clarifies the architecture, defines the roles and limitations of each participant, and explains why the consent manager is simultaneously the most powerful and most restricted entity in the data flow. To understand the broader system context, here’s what an account aggregator is in India.

The Consent Manager’s Core Function

The consent manager’s primary job is consent lifecycle management. This covers creating the consent request object when an FIU initiates a data request; presenting the consent to the borrower (or facilitating its presentation via the FIU’s interface); generating the cryptographically signed Consent Artefact when the borrower approves; storing the artefact and tracking consent status throughout its lifecycle; routing data requests from FIUs to FIPs with the consent artefact as the authorization token; and managing revocation when the borrower withdraws consent.

To understand how this lifecycle operates in practice, refer to account aggregator consent flow.

What the consent manager does not do: it does not store the underlying financial data it routes. It does not read the encrypted data packages that flow through it, nor does it make credit decisions. It is purely an infrastructure layer, a consent registry, and a secure data routing service.

This restriction is structural. RBI’s Master Directions explicitly prohibit AA entities from storing or accessing the financial data they route. The prohibition ensures that the AA cannot accumulate a financial data profile of individuals; it knows who consented to what, but not what the data revealed.

Role of Consent Managers in the AA Ecosystem

The AA ecosystem consists of three core participants: Financial Information Providers (FIPs), Financial Information Users (FIUs), and the consent manager (AA). The consent manager acts as the intermediary coordinating data exchange through user-approved consent.

These roles are defined within the Reserve Bank of India account aggregator framework, the structured regulatory framework governing the AA ecosystem.

To understand these interactions clearly, refer to FIP vs FIU roles in the account aggregator ecosystem.

Licensed Consent Managers in India (2025)

RBI has granted NBFC-AA licenses to eight entities. The operationally active consent managers as of early 2025 include:

OneMoney (Yodlee Finsoft): One of the most widely integrated AAs with major banks and lending institutions. Broad FIP connectivity and stable API infrastructure.

Finvu (Cookiejar Technologies): Developer-friendly with a well-documented sandbox. Strong adoption in the fintech lending segment.

CAMS Finserv: Backed by CAMS’ existing position in the mutual fund registry space. Particularly strong for securities and investment data access.

Perfios Account Aggregation Services: Backed by the Perfios analytics group. Strong commercial lending client base.

Saafe (formerly Aadhaar e-Signatures): Relatively newer operator with growing FIP connectivity.

Each AA operator has slightly different FIP connectivity, commercial terms, and API quality. FIUs integrating with multiple operators improve both redundancy and data coverage.

The Consent Manager’s Role in the Data Flow

In a complete AA transaction, the consent manager participates in three stages:

Consent initiation: The FIU sends a consent request to the AA. The AA validates the request format, generates the pending consent object, and delivers the consent request to the borrower via notification.

Data session management: After consent approval, the FIU initiates a data session through the AA. The AA generates a session ID, forwards the data request (with the consent artefact) to the relevant FIPs, and routes the encrypted data packages from FIPs back to the FIU.

Lifecycle management: The AA maintains the consent status, responds to revocation requests, and notifies the FIU of any consent status changes. It also maintains the audit log of consent events.

At no point in this flow does the AA access the content of the financial data. The data packages are encrypted with the FIU’s public key before leaving the FIP. The AA sees only an encrypted blob.

To understand this full interaction clearly, here’s how the account aggregator works step-by-step.

Compliance and Data Privacy

Consent managers operate under strict requirements around user consent and privacy safeguards. This aligns with the Digital Personal Data Protection Act, 2023.

To understand the full compliance framework, refer to the DPDP Act and the account aggregator.

Consent must be:

  • Purpose-specific
  • Time-bound
  • Revocable
  • Granular

These principles ensure transparency, accountability, and user control in financial data sharing.
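
The four properties above, written as the check a consent manager or FIP could run before honouring a data request (an added example, not code from the AA specification or any operator). The field names, status values and sample data are assumptions made for illustration, and signature verification of the artefact is assumed to have passed already.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class ConsentArtefact:
    # Hypothetical field names; not the AA specification's schema.
    consent_id: str
    status: str            # revocable: "ACTIVE", "PAUSED", "REVOKED", "EXPIRED"
    purpose: str           # purpose-specific
    expires_at: datetime   # time-bound
    fi_types: frozenset    # granular: data categories granted
    accounts: frozenset    # granular: accounts granted
    data_from: datetime    # granular: earliest record covered
    data_to: datetime      # granular: latest record covered

@dataclass(frozen=True)
class DataRequest:
    consent_id: str
    purpose: str
    fi_type: str
    account: str
    range_from: datetime
    range_to: datetime

def check_request(art, req, now):
    """Return the reasons to refuse the request; an empty list means release."""
    reasons = []
    if req.consent_id != art.consent_id:
        reasons.append("consent id mismatch")
    if art.status != "ACTIVE":                        # revoked or paused
        reasons.append(f"consent is {art.status}")
    if now >= art.expires_at:                         # past the consent window
        reasons.append("consent expired")
    if req.purpose != art.purpose:                    # reuse for another purpose
        reasons.append("purpose not covered")
    if req.fi_type not in art.fi_types or req.account not in art.accounts:
        reasons.append("data outside granted scope")
    if req.range_from < art.data_from or req.range_to > art.data_to:
        reasons.append("date range outside grant")
    return reasons

# Constructed sample artefact and request (not real data).
def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

ARTEFACT = ConsentArtefact("c-001", "ACTIVE", "loan-underwriting", _d(2025, 6, 30),
                           frozenset({"DEPOSIT"}), frozenset({"acct-1"}),
                           _d(2024, 1, 1), _d(2024, 12, 31))
REQUEST = DataRequest("c-001", "loan-underwriting", "DEPOSIT", "acct-1",
                      _d(2024, 7, 1), _d(2024, 12, 31))
```

Returning every failed condition, rather than stopping at the first, gives the consent audit log a complete reason for each refusal.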

How to Choose Between AA Operators for Your Integration

When selecting an AA consent manager for FIU integration, evaluate:

FIP coverage: Does the operator have live connectivity to the specific banks and financial institutions most relevant to your borrower profile? Larger operators typically have broader FIP coverage.

API quality and documentation: Well-documented APIs with active sandbox environments reduce integration time significantly. Finvu and OneMoney are known for developer-friendly documentation.

Uptime and reliability: Check the operator’s publicly available uptime records. AA infrastructure downtime directly affects your loan processing TAT.

Commercial terms: Per-consent pricing, volume discounts, and minimum commitment thresholds vary across operators. Negotiate terms appropriate to your projected volume.

Regulatory standing: Confirm the operator holds an active NBFC-AA licence from the RBI. Sahamati maintains a current list of licensed AA entities.

Support quality: Evaluate the operator’s technical support responsiveness. AA integration issues require prompt resolution, given their impact on live lending workflows.

✅  Key Takeaways

  • Consent managers (Account Aggregators) are RBI-licensed NBFCs that manage the AA consent lifecycle: creating, storing, routing, and revoking consent artefacts.
  • They do not store or read the underlying financial data. Their roles are infrastructure, consent registry, and encrypted data routing.
  • Eight NBFC-AA licenses have been granted; OneMoney, Finvu, CAMS Finserv, and Perfios are the primary active operators as of 2025.
  • FIUs should evaluate operators on FIP coverage, API quality, uptime reliability, commercial terms, and support quality.
  • Working with multiple AA operators improves redundancy and maximizes FIP coverage for diverse borrower profiles.

Frequently Asked Questions

Q1: Can the account aggregator see my financial data?

No. The AA (consent manager) routes encrypted data from the FIP to the FIU but cannot read the contents. Data is encrypted using the FIU’s public key before leaving the FIP. Only the FIU can decrypt it.

Q2: What happens if my account aggregator shuts down?

If an AA operator loses its license or shuts down, FIUs registered with that operator would need to migrate to another operator. Consent artefacts managed by the closed AA would be affected. This is why working with multiple AA operators provides important redundancy.

Q3: Are all account aggregators in India equally reliable?

No. Operational maturity, API quality, FIP connectivity, and uptime vary across operators. Fintechs and lenders should evaluate operators based on technical performance metrics, not just RBI license status.

Q4: Can a borrower use multiple account aggregators simultaneously?

Yes. A borrower can have active consents managed by different AA operators simultaneously, for example, one AA managing a lending consent and another managing a wealth management consent. Each AA manages its own consent artefacts independently.

Q5: How does the AA know that a borrower’s consent is genuine?

The AA authenticates the borrower’s identity (typically via mobile OTP or Aadhaar-based authentication) before generating the consent artefact. The artefact is cryptographically signed with the borrower’s authenticated identity; any consent generated without valid authentication is rejected.

Conclusion

The consent manager is the AA ecosystem’s trust anchor. Its regulatory constraints (no data storage, no data access, and a single-purpose license) are precisely what make it trustworthy. Borrowers can grant financial data access through the AA, knowing that the intermediary managing their consent has no incentive or ability to misuse the data it routes.

For institutions building on the AA ecosystem, selecting the right consent manager and managing the integration carefully is among the most important infrastructure decisions in the lending technology stack. The consent manager’s reliability, coverage, and API quality directly determine the reliability and coverage of the institution’s AA-based data workflows.

A deeper look at account aggregator ROI for lenders highlights the broader business impact of making the right integration choices.

Shivam Jadon

Digital Marketing & SEO Associate