Account Aggregators: not quite there yet
2016: RBI approves a new class of non-banking financial companies to function as Account Aggregators (AA) to extract, aggregate, and transfer financial data with the express consent of users.
2019: Personal Data Protection Bill 2019 (PDPB) introduced in the Indian parliament to provide the legal backbone for AAs.
2020: PDPB yet to come into force, with Covid-19 throwing a huge spanner in the works. Not to mention the looming lack of clarity on AAs adding to the delay.
So, how long should we have to wait? Resounding silence greets us. Against this backdrop, here is a ready reckoner on what AAs are.
AA platforms are, in their simplest form, tools that connect to multiple banks through a single API (Application Programming Interface). While their very existence depends on the availability of shareable data, there exists no formal system yet to provide it. The existing methods such as screen scraping, emails, or even credential sharing are cumbersome, limited in reach, and prone to the pilferage and misuse that come with physical paper-chasing.
On the other hand, the AA system is based on a consent mechanism that ensures that data is shared only when it is requested by a specific Financial Information User (FIU) for a specific purpose for a specific time period. All this enables a hassle-free experience for the customer, who does not have to run between multiple touchpoints to furnish the data. Neat.
More importantly, the Financial Information Providers (FIPs) and FIUs are strictly regulated, with adequate controls on data storage and usage, reducing the risk of data misuse. In fact, an important provision (some call it a limitation) in the AA regulations is that only an entity regulated by one of the four regulators (RBI, SEBI, IRDA and PFRDA) can be an FIU or FIP.
Today, many countries have launched AAs on the back of Open Banking, which was itself mandated by the PSD2 directive, although Open Banking is much more than only PSD2 APIs.
In India, the RBI announced the AA policy in 2016, inviting applications for licenses to set up AAs as NBFCs. So far, 4 players have received licenses (CAMS FinServ, CookieJar technologies, FinSec AA solutions, and NESL Asset data LTD) while 3 others have received in-principle approvals (Perfios, Jio Information Services, and Yodlee Finsoft). Further, there are reportedly 8 banks and 4 NBFCs lined up to become FIPs and FIUs. Though the RBI makes it sound like AAs are limited to only financial data, it is not so. Its framework is expected to be extended to other domains such as healthcare and telecom in due course.
Adoption-wise, India’s approach seems to be one of gradualism – the first phase will cover only asset-based data (bank accounts, deposits, mutual funds, insurance). Even here, the initial play would be restricted to the opening of current and savings accounts, and later term deposits. So it could be a long while before we get to see loans or other asset products such as mutual funds or insurance.
But on the flip side, quite a few things are already in place. The regulations/guidelines, for one, are quite overarching. Here are some key pointers:
- Explicit and informed consent of individual clients is required before data is moved.
- Client data cannot be stored or processed by the AAs and can only be transferred.
- The AAs would be ‘data-blind’, as the data that flows through is encrypted, and can be processed only by FIUs.
- The system should support interoperability.
The next steps are quite clear. Firstly, the PDPB needs to become law, and banks and financial institutions need to prepare for their obligations. Next, a viable business model needs to evolve for the system to be kick-started.
A moot point is that many banks are still reluctant to part with customer data gathered over years. Oh, so precious! But trials have been going on and the initial set of players have already got together to form a Collective of Account Aggregators called Sahamati, set up as a nonprofit private limited company. Many of the banks involved have also created Innovation Centers and API gateways to accelerate experimentation and collaboration.
On the way, there are many challenges that are unique to India:
- Given the low levels of literacy and multiple languages, the issue of consent, not to speak of informed consent, will be tricky. Add to that the known issues of ‘consent fatigue’ and friction that we already experience in real life.
- The lack of clarity on the business model is probably the biggest challenge. Unless viable business models become visible, this could be a non-starter.
- A few key operational issues are still unclear. For instance, who would perform aggregation? As AAs are currently not allowed to store data, they would be able to deliver only data dumps, which, unless in a readable format, could be useless for the consumer. The regulations permit AAs to perform analytics, but only on the client side, in the mobile apps, which may then be limited by the capabilities of the user devices.
As of now, none of the RBI-approved account aggregators have completed building a live, fully operational app. They need to demonstrate a working system to RBI’s technical arm, the Reserve Bank Information Technology Pvt Ltd, or ReBIT, before they get their final licenses. Looks like there is still a long way to go before we can get to see operational AAs in India.