India’s imminent regulation will give financial data ownership to the individual
The Reserve Bank of India (RBI) has been preparing customer-focused data sharing regulation that will allow the individual to access their data and have it sent elsewhere at their, and only their, request.
The regulatory framework [PDF], Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016, which was last updated in November, details the role of the Account Aggregator (AA) — the intermediary service, essentially, that verifies the individual, their consent, and gathers the information for the individual, as well as the responsibilities of firms that hold financial information and what expectations the individual should have.
Consent at the centre
The RBI is putting data ownership in the hands of the individual, with financial information providers — banks, insurance companies, and other financial institutions — and the AA being at the mercy of the customer at all times.
The official line is that no financial information of the customer shall be retrieved, shared, or transferred by the AA without the explicit consent of the customer.
The mandate will require consent via an electronic consent artefact, which is to contain the identity of the customer and optional contact information; the nature of the financial information requested; the purpose of collecting such information; the identity of the recipients of the information; a URL or other address to which notification needs to be sent every time the consent artefact is used to access information; and consent creation date, expiry date, identity, and signature of the AA.
There will be the ability to revoke consent, either in parts or throughout the whole artefact. Upon revocation, a fresh consent artefact will be required.
The customer can at any time access a record of the consents provided, and who to.
Duties of an Account Aggregator
An Account Aggregator is a non-banking financial company (NBFC) that undertakes the business of an account aggregator and they must not undertake any other business.
A certificate of registration from the RBI is required and the list of requirements the AA must meet include having the necessary resources and wherewithal to offer such services to customers; adequate capital; and a robust IT system.
RBI approval will last 12 months, and within that period, the company is required to put in place the technology platform, enter in all other legal documentation that are required to be ready for operations, and report on its position of compliance.
The AA is to provide services to a customer based on the customer’s explicit consent; they also can share information only with the customer to whom it relates or any other financial information user as authorised by the customer.
Third-party arrangements are also not permitted, and AAs are not permitted to keep any customer data once it is accessed. They also cannot request or store customer credentials such as passwords, PINs, or private keys.
A Citizen’s Charter that explicitly guarantees protection of the rights of a customer must be in place and it is the responsibility of the AA to ensure appropriate mechanisms for proper customer identification exists.
An AA is only permitted to access information detailed in the consent artefact in the way it is detailed.
The business of an AA, the RBI states, will be entirely IT-driven.
“Account Aggregator shall adopt required IT framework and interfaces to ensure secure data flows from the Financial Information providers to its own systems and onwards to the Financial Information users,” it says in the direction document.
The technology should be scalable and boast adequate safeguards to ensure that it is protected against unauthorised access, alteration, destruction, disclosure, or dissemination of records and data.
With APIs being the centre of the regulation, the AA is the party responsible for accepting data from different IT systems and presenting it in a method defined by the RBI.
Responsibilities of banks
Financial information providers, after being verified by the RBI to provide such activity, will be required to digitally sign the financial information and securely transmit it to the AA in accordance with the terms the individual set out in the consent artefact.
The banks will need to respond in real time and in order to provide the data, they’ll be required to implement solid IT capabilities, including interfaces that allow an AA to submit consent artefacts and authenticate each other.
The financial firms will need robust security protections, as the interface will be the method for information to be sent. It needs to also contain the capability to verify the consent, including the digital signatures it contains, and also digitally sign the information it is sharing.
A go-live date for the mandate is yet to be set, but the RBI as of November has given seven companies an “in principle” AA licence: Aditya Birla, Jio, Perfios Software, CAMS FinServ, Cookiejar Technologies, NESL Asset Data Limited, and Yodlee Finsoft.