The Account Aggregator framework operates under a detailed regulatory architecture. Understanding that architecture, specifically what RBI’s directions require and how they interact with other regulators’ rules, is essential for any institution participating in, or planning to participate in, the AA ecosystem.
This guide provides a clear, implementation-oriented explanation of RBI’s regulatory framework for Account Aggregators: the Master Directions that govern AA entities, the data governance requirements they impose on FIPs and FIUs, and the compliance obligations for lenders using AA data. To ground this in basics, here’s what an account aggregator is in India.
The Regulatory Foundation: RBI’s Master Directions
The Account Aggregator framework was established by RBI’s Master Direction - Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016 (updated periodically since). This direction classifies Account Aggregators as a specific type of NBFC subject to RBI supervision and defines the operational parameters of the AA business.
Key provisions of the Master Direction:
Licensing requirement: Any entity operating as an Account Aggregator must hold an NBFC-AA licence from RBI. The application process involves a detailed business plan, technology architecture review, and demonstration of consent management capability.
Capital requirement: AA entities must maintain a minimum net-owned fund of Rs. 2 crore, a relatively low bar that reflects the AA’s role as a consent manager rather than a lender or deposit-taking institution.
Business restriction: AA entities are prohibited from carrying on any financial activity other than account aggregation. They cannot lend, invest, or hold deposits; the NBFC-AA licence is a single-purpose licence.
Data restrictions: AA entities must not store the underlying financial data they transmit. They are restricted to storing consent artefacts and routing metadata, not transaction records or account details.
Multi-Regulator Architecture: How Four Regulators Coordinate
The AA framework’s breadth, covering banking, securities, insurance, and pensions, required all four financial sector regulators to issue corresponding directions enabling their entities to participate.
Reserve Bank of India’s directions enable banks and NBFCs to act as FIPs and FIUs.
The Securities and Exchange Board of India’s circular (2021) enables depositories, depository participants, and mutual fund RTAs to act as FIPs, providing access to securities and mutual fund data.
The Insurance Regulatory and Development Authority of India’s circular enables insurance companies to act as FIPs, making insurance policy data available through the AA pipeline.
The Pension Fund Regulatory and Development Authority’s directions enable pension fund managers and the NPS system to act as FIPs. Understanding FIP vs FIU roles in the account aggregator ecosystem helps clarify how these entities operate within the framework.
The Financial Stability and Development Council coordinates these regulators, while Sahamati maintains technical standards and governs the AA network. To understand how these roles interact in practice, here’s how the account aggregator works step-by-step.
Consent Requirements Under RBI’s Framework
RBI’s directions are explicit about consent requirements. Key provisions:
Consent must be purpose-specific: The consent artefact must specify the exact purpose for which data is being collected. Vague or catch-all consent purposes are not compliant.
Consent must be time-bound: The artefact must specify an expiry date for the consent and a data life for the information collected. Indefinite consents are not permitted.
Consent must be revocable: The borrower must have a clear and accessible mechanism to revoke consent at any time. The AA is responsible for providing this mechanism.
Consent must be granular: The borrower must be able to consent separately to different data types and accounts. Bundled, take-it-or-leave-it consent is not permitted.
These requirements align closely with the DPDP Act 2023’s consent principles, creating a consistent regulatory expectation across both frameworks. To see how these requirements operate in practice, refer to the account aggregator consent flow.
Data Governance Obligations for FIUs
Institutions using AA data as FIUs bear specific data governance obligations beyond the consent requirements:
Data use restriction: Use AA data only for the consented purpose. Do not reuse loan data for other products without fresh consent.
Security requirements: FIUs must implement adequate security controls for AA data, including encryption at rest, access controls, and audit logging of data access events.
Breach notification: Report any breach of AA-sourced financial data to the RBI as per incident reporting requirements.
Third-party data sharing: Do not share AA data with third parties without explicit borrower consent.
Retention and deletion: Retain AA data only for the consented period and delete it afterward. Implement automated deletion workflows to ensure compliance.
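The consent tests above (purpose-specific, time-bound, revocable, granular) and the FIU obligations on use restriction and retention can be expressed as checks an FIU runs before touching AA data and in its deletion job. The code below is an added illustration, not part of this guide or of any AA or Sahamati specification; the artefact field names, the purpose-code list and the sample values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Purpose codes an FIU may request; a constructed list, not a Sahamati/ReBIT code set.
ALLOWED_PURPOSES = {"loan_underwriting", "loan_monitoring", "account_aggregation"}

@dataclass
class ConsentArtefact:
    """Hypothetical, simplified consent artefact; field names are assumptions."""
    consent_id: str
    purpose: str
    consent_start: date
    consent_expiry: date
    data_life_days: int   # how long the FIU may retain data fetched under this consent
    fi_types: tuple       # financial information types the borrower ticked individually
    accounts: tuple       # account references the borrower ticked individually
    revoked: bool = False # set when the borrower revokes through the AA

def validate_consent(a: ConsentArtefact) -> list:
    """Return the RBI consent tests the artefact fails (empty list means it passes all four)."""
    problems = []
    if a.purpose not in ALLOWED_PURPOSES:
        problems.append("purpose not specific")
    if a.consent_expiry <= a.consent_start:
        problems.append("consent not time-bound")
    if a.data_life_days <= 0:
        problems.append("data life not specified")
    if not a.fi_types or not a.accounts:
        problems.append("consent not granular")
    return problems

def may_use_data(a: ConsentArtefact, requested_purpose: str, today: date) -> bool:
    """FIU-side gate: block use on a non-compliant, expired or revoked consent, or purpose drift."""
    if validate_consent(a) or a.revoked or today > a.consent_expiry:
        return False
    return requested_purpose == a.purpose

def deletion_deadline(a: ConsentArtefact, fetched_on: date) -> date:
    """Data fetched on fetched_on must be purged once the consented data life lapses."""
    return fetched_on + timedelta(days=a.data_life_days)

def records_due_for_deletion(records: list, today: date) -> list:
    """records holds (record_id, delete_by) pairs; return the ids the deletion job must purge."""
    return [rid for rid, delete_by in records if today >= delete_by]

# Constructed sample: a six-month underwriting consent with a 90-day data life.
SAMPLE_CONSENT = ConsentArtefact("c-001", "loan_underwriting", date(2024, 1, 1),
                                 date(2024, 7, 1), 90, ("DEPOSIT",), ("acct-1",))
SAMPLE_VAGUE = ConsentArtefact("c-002", "any", date(2024, 1, 1), date(2024, 1, 1), 0, (), ())
SAMPLE_RECORDS = [("rec-1", date(2024, 3, 1)), ("rec-2", date(2024, 9, 1))]
```

Reusing underwriting data for a different product fails the purpose check in may_use_data, which is the "fresh consent" rule above enforced in code rather than by policy alone.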
What the RBI Guidelines Mean for Lenders Practically
For lending institutions integrating AA data, the regulatory framework has several practical implications:
Consent design review: Every consent screen used in the lending journey must be reviewed against RBI’s purpose-specific consent requirement. Generic consent language is a compliance risk.
Privacy notice updates: The institution’s privacy notice must accurately describe the AA data collection process, its purpose, and the borrower’s right to revoke consent.
Data mapping: Maintain a data map showing storage locations, access controls, and deletion timelines for AA data.
Vendor management: Assess and contractually govern the vendor’s data practices when using third-party analytics like Fineye.
Audit trail maintenance: The consent artefact for every data pull must be retained for the duration of the data retention period. This artefact is the legal authorization for the data collection.
✅ Key Takeaways
- RBI’s Master Directions classify Account Aggregators as a specific NBFC type that cannot lend, invest, or store financial data.
- Four regulators (RBI, SEBI, IRDAI, and PFRDA) enable participation, creating a cross-sector data network.
- RBI mandates purpose-specific, time-bound, revocable, and granular consent, aligning with the DPDP Act 2023.
- FIUs must enforce use restrictions, security controls, breach reporting, sharing limits, and retention protocols.
- Compliance therefore requires consent design review, privacy notice updates, data mapping, vendor governance, and audit trails.
Frequently Asked Questions
RBI does not mandate AA use. However, the 2022 Digital Lending Guidelines require explicit, specific consent for data collection and prohibit unregulated data practices. AA is the most compliant available mechanism for financial data collection, making it the practical standard for digital lenders.
RBI has broad supervisory powers under the Banking Regulation Act and the RBI Act. Therefore, non-compliance with data governance requirements can result in penalties, operational restrictions, or licensing consequences. Additionally, the DPDP Act 2023 introduces an independent penalty regime for data protection violations.
Yes. AA operators can deregister FIUs for violations of data governance requirements. RBI can also take regulatory action against FIUs for non-compliance with the Master Directions.
RBI has updated the AA framework periodically since 2016, typically expanding the scope of participating institutions or clarifying consent requirements. Institutions should monitor RBI’s website and the Sahamati network’s communications for framework updates.
The AA framework and the DPDP Act are complementary. The AA framework governs the data sharing mechanism (how data flows). The DPDP Act governs data processing practices (what can be done with data once received). Both must be complied with simultaneously by FIUs using AA data.
Conclusion
The regulatory framework governing the AA ecosystem is detailed, multi-layered, and evolving. For lenders, navigating it requires understanding not just the AA-specific rules but how they interact with the broader data protection, digital lending, and sector-specific regulatory frameworks.
Institutions that adopt this framework benefit from front-loading the compliance work: by investing upfront in consent flows, privacy updates, and governance controls, they build a scalable, defensible data infrastructure aligned with future regulations. This is how an account aggregator enables digital lending ecosystems.