NBFC Compliance

RBI Compliance for NBFC AA

In recent years, RBI disclosed and displayed publically that the NBFC AA (Account Aggregator) network is a financial data-sharing system that has revolutionized investing and credit, giving to millions of consumers with greater potential in terms of keeping financial records and expanding potential among customers for lenders including the fintech companies. However, the RBI itself determines the concept of an account aggregator, and thus, a framework for its registration and business operation was further notified. The RBI compliance on NBFC AA starts initially from ensuring data security to having a board-approved policy among others. An account aggregator allows a person to access data securely and share such information digitally in the network from the end of one financial institution where customer have their account to the other financial institution existing in the network of an account aggregator. Such account aggregators are prohibited from sharing such data without obtaining the consent of the customer.

The Reserve Bank of India, exercising its conferred power specified under Section 45 JA of the RBI Act, 1935, issued a Master ‘’Direction DNBR.PD.009/03.10.119/2016-17’’ dated 2^nd September 2016 and such direction in terms of registration and operation of AA, need to be complied by all non-banking financial companies operating the business of Account Aggregator.

Definitions under RBI Master Direction

The Reserve Bank of India, in its master direction of NBFC AA, has laid down some definitions for better understanding the direction-

Account Aggregator

Account Aggregator or NBFC AA refers to non-banking financial companies operating in an account aggregator’s business for a fee or defined within the Master direction section 3 (1)(iv).

Bank

Bank refers to those banking companies such as a newly incorporated bank, the State Bank of India, a subsidiary bank, or any other type of bank that requires further notification to comply with such directions or maybe a cooperative bank specified under section 5 (CCI) r.w.   Section 56 of the Banking Regulation Act, 1949.

Business of AA

Business of an Account Aggregator refers to that business duly performed under a contract or for the service to either retrieve or collect financial information of the customers specified by the bank from time to time, and further, the same data could be consolidated or organized in such a way to present information either to the customers or any other financial institution as when required by the bank to do so. The financial information being collected from the customers is not held to be the property of such an account aggregator to use in a way for making profits. 

Company-

Company refers to those entities registered under the Companies Act 2013/1956.

Customer

Accordingly, this RBI master direction refers to a person who engaged in a contract with the NBFC AA in order to benefit from the services duly provided by an account aggregator.

Depository

It refers to those companies under section 12 (1A) of the Securities and Exchange Board Act, 1992, and given a certificate of registration. A Depository Participant is a person duly registered through the Securities and Exchange Board Act of 1992.

Financial Information

The term financial information includes information related to the financial world, such as bank deposits with fixed deposit accounts, savings, recurring deposits, and current deposit accounts. It also includes deposits under NBFCs, Structured Investment Products (SIP), Commercial Paper (CP), certificates of Deposit (CD), Government securities, Mutual funds, Equity shares, Insurance Policies, and many more, along with any other information if specified by the bank from time to time, etc.

Financial Sector Regulator

Under this master direction, it refers to all those regulatory bodies that are making rules and regulations to govern the financial sector, such as RBI, SEBI, IRDAI, and PFRDA.

Financial Information Provider

It includes all those entities that act like a bank, such as non-banking companies, asset Management Companies, insurance repositories, pension funds, and many more, along with some other entity if specified by the bank from the time being, etc.

Leverage Ratio

It refers to the outside liabilities with excluded borrowings and loans from the group of entities to owned funds.

Person

It refers to an individual, undivided Hindu family, company, and firm, an association of individuals instead of its incorporation or not, and includes every judicial person falling from the preceding sub-clauses.

Registration with Eligibility for NBFCAA

Stage 1 Eligibility for NBFC AA 

• RBI strictly prohibits those entities, rather than the incorporated company, to commence the business operation of NBFC AA.
•  It is also stated that without a proper certificate of registration, no company is allowed to start business operations as NBFC AA.
• It is included under this Master direction of RBI for those entities who are governed or regulated by any other financial regulators, and aggregators are restricted with a certain limitation to commence their business on only such aggregated information pertaining to their customers within the same sector, where they are operating and will be excluded from registration purpose.
• It is further stated by the RBI that those entities who are regulating their business operations prior to this master direction are now required to apply for the registration of an NBFC AA after complying with other specified regulations by the RBI within a period of a month since the implementation of this direction.
• It is applicable for the NBFC AA who has applied for the certificate of registration will be allowed to operate their business operations as an NBFC AA till their application for the certificate of issuance is rejected either allowed for 12 months from the date of filing such application or which may be early. 
• In case the companies applied for the certificate of approval from the RBI lacking the minimum valuation of Net worth INR 2 crores at the time of making the application, they are hereby required to comply with the net owned fund of INR 2 crores before the expiry of the grant of in-principle approval period provided by the RBI.

Stage 2 Application Stage

Under this RBI Master direction, all companies desirous of an approval certificate to operate as an NBFC AA must make an application in the name of the Department of Non-banking Regulation, Mumbai, in accordance with the specified format Annex-1 duly for the same purpose.

The Concerned authority will consider the application for registration as an NBFC AA after being satisfied with the following conditions-

• It is necessary for the companies seeking NBFC AA approval to mention their proper resource in order to provide services to the customers.
• It is required to mention sufficient capital funds to undertake the business operations as an NBFC AA.
• The promoter or directors of the companies must be sound, fit, and proper.
• From the end of the companies, it is required to have management who is not prejudicial towards public interests.
• The companies are required to have an adequate plan for their robust Information Technology System.
• It is required for the company to have at least a leverage ratio exceeding 7.
• The companies are required to comply with other regulations if passed by the RBI and thus required for compliance by the NBFC AA in order to commence their business operation in the interest of the public at large from time to time are required to comply accordingly upon a timely manner.

Stage 3 In-Principle Approval Stage

• Once the Department of Non-banking within the RBI is satisfied upon the application, then it grant-in-principle approval to those companies seeking NBFC AA, and such grant-in-principle approval will be valid for 12 months.
• Now, the AA is required to fulfil the requirements specified by the RBI before the expiry tenure of 12 months. NBFCs are required to set up a respective technological platform to receive or collect the customers’ financial information in a way that provides the promised services. They are required to complete all the legal formalities and any other documents and be ready to start their operations as an NBFC AA according to the terms and conditions specified by RBI under the in-principle approval.

Stage 4 Final Approval or Registration

• Suppose the Reserve Bank of India deems fit and satisfied that the company has completed all the terms and conditions required, per the In-principle-Approval. In that case, RBI will allow such company to be registered and operate its business operation as NBFC AA.
• The RBI has also vested the same rights to cancel the certificate of NBFC AA in case it finds that the company is now not capable of performing its business operations as NBFC AA or
• Either the concerned company further fails in complying to the rules and regulations for the NBFC AA registration certificate issued and required,
• In case RBI dims fit and finds that the NBFC AA company is not able to hold such certification anymore,
• Either fail to comply with the basic eligibility for NBFC AA, such as proper resources, technological support leverage ratio, etc., as specified under Paragraphs 4.2.2 and 4.2.5
• The companies can also lose their certificate when they fail to comply with any direction issued by RBI, either fail to maintain their accounts, or publish and cannot disclose financial positions according to any law or order issued by the RBI.
• In case a company fails to furnish its books of accounts, including other relevant documents, for inspection purposes at the time of its demand by the authorities.

Duties and Responsibilities of NBFC AA (Account Aggregator)

• NBFC AA is required to procure their services to those customers only from whom they have given consent in writing.
• NBFC AA is more likely to engage in an agreement between the customers, the account aggregator, and the financial information service provider and ensure approvals from their customers before providing them any services.
• NBFC AA are prohibited from taking monetary benefits from their customers.
• NBFC AA must ensure appropriate measures are taken for the identification of their customers.
• NBFC AA is required to share only the information specified under paragraph 3(iv) of the master direction issued by RBI in such a manner as to retrieve or to collect only customer-based financial information, as per the bank directions from time to time with prior permission of their customer consent based on the terms and conditions laid in the agreement executed in between them.
• NBFC AA is strictly prohibited from operating any other business other than an Account aggregator. Moreover, their deployment of investible surplus rather than trading purposes will be further allowed by RBI.
• NBFC AA is debarred from using the acquired financial information of customers obtained from the financial information providers for their personal benefit.
• NBFC AA must have their own formulated documents of commitments specially made with an intent to guarantee their customers’ rights protection. NBFC AA will not be a part of that information or share it accordingly, which has been obtained with the consent of customers.

Consent to Be Taken By NBFC AA

It is specifically suggested by the RBI that either a single piece of information or data be obtained and shared by NBFC AA without the consent of customers. However, NBFC AA will perform their business operation in such a manner to obtain, submit, and further manage their customer consent as per the RBI Master direction. 

It is necessary to ensure that the consent obtained from the customers must be acquired through a standardized consent form by the NBFC AA in such below specified manner-

• Such consent must include the specific identity of the customer with optional contact details.
• The consent form must include the request for the nature of financial information.
• The consent form must include the intention behind the collection of financial information.
• It also includes the specific identity of the recipients of such financial information.
• Such consent forms must include the URL or any other details from which notification for taking consent might be easily forwarded to the customer at each required moment for consent.
• Consent must include its creation date of consent with an expiry period, identity, affixed digital signature, and other attributes if specified by the RBI to include in the same consent format.

Consent can be taken using the electronic form, and the NBFC AA must inform about all the ingredients of the consent form and the customer’s rights to raise any complaints related to any future dispute with the concerned authorities for the time being if their dispute is solved.

NBFC AA must support their customers with a facility to revoke or cancel their consent if they find it or can revoke it for some specific parts. NBFC AA will offer a newly made agreement with the financial information service provider in case of consent cancellation requests.

Information Sharing from Financial Information Providers Based on a Valid Consent

• Financial Information service providers are allowed to share information about their customers with an NBFC AA (account aggregator), getting a valid contract/consent from an NBFC AA as per clause 6 of the master direction (complying with all the basic structure of consent).
• After the presentation of such consent, the financial information provider must scrutinize the validity period of such consent, check the specific dates and purpose while taking such consent, and verify the credentials details of such NBFC AA using any appropriate method.
• After the completion of such verification from the end of the financial information provider, the customer’s required information will be forwarded securely and safely to the NBFC AA by affixing a digital signature on the same.
• The financial information provider must respond to all required information on an immediate basis.
• The financial information service provider must establish such a mechanism (to sign digitally on information and maintain records on shared information), etc. This can easily allow NBFC AA to make requests for customer information and update the concerned consent for that customer information only so that it can be verified properly from the end of both parties.

Collected Customer Information used by NBFC AA and Financial Information User

• When financial-related information is being shared from a financial information service provider to an NBFC AA (account aggregator) for transferring such shared information to the financial user upon the customer’s consent.
• In that situation, it is mandatory for the NBFC AA (account aggregator) to first verify the identity of such financial user and if it gets successfully verified.
• Then NBFC AA (account aggregator) will most probably find a secure method to share such financial information of customers to the intended financial user according to the specified terms and conditions of consent.

Customer’s Right

• It is the right of the customers that NBFC AA (account aggregator) will allow the customers to access their duly provided consent at any time, along with the permission to know about the financial user with whom their financial information has been shared.
• NBFC AA (account aggregator) is strictly prohibited from operating on that business rather than its primary-based business of NBFC AA, even if it is requested from their customers’ end to provide access to such information.

Data Security Guidelines for NBFC AA

NBFC AA platform is completely based upon technology, thus requiring ensuring that the data collected or submitted from the end of the customers is secured as required under clause 8 of this master direction. The NBFC AA must comply with the Information Technology, Act 2000 along with the Information Technology (Reasonable Security practices and Sensitive Personal Data) Rules, 2011.

NBFC AA platforms are required to make sure that they are complying with the given RBI directions below-

• NBFC AA (account aggregator) platforms must mention their suitable practices, including policies, implemented by them to ensure the safety of customer information.
• It is required for NBFC AA platforms to clarify specifically about the customer’s consent while collecting any financial information from them and need to mention that such collected information is meant for lawful purposes only.
• NBFC AA Platforms are restricted from making requests to store customers’ credentials such as passwords, PINs, private keys, bank account, credit- -debit card details, etc., used to authenticate customers to the financial information providers.
• NBFC AA platform must specify the kind of technology used to save the customer’s sensitive data and further comply with the directions of RBI in the future.
• NBFC AA Platforms are required to adopt an appropriate disaster risk management system, and business continuity must be performed in the same place.
• RBI directed the NBFC AA platform to cooperate with the information system audit of their internal systems, which will be performed once every two years duration through a CISA (Certified External Auditors). Such externally conducted reports must be furnished within a period of 1 month to the Regional Department of Non-banking Supervision of the bank as per the jurisdiction-based NBFC AA.

Customer Grievance Mechanism

• NBFC AA Platforms are more likely to opt for a board-approved policy to handle customer grievances or disputes.
• NBFC AA platforms must comply to resolve their customers’ disputes according to the time frame provided in the board-approved policy. Further, address the same complaint for not more than a period of 1 month.  
• NBFC AA platform must disclose customer-based information affixed on their business website in a clear and simplified manner. Such conditions need to be published in English, Hindi, or any other local language as preferred by customers.
•  Customers are required to easily access Toll- the free number or any customer helpline, including the nodal officer contact details to raise disputes. If any dispute is still unresolved, customers are free to appeal before the bank.

Pricing For NBFC AA

NBFC AA (account aggregator) is required to have its own board approval policy based on pricing services. In order to commence pricing services, NBFC AA must comply with transparent guidelines (as per board policy) for pricing offerings that must be in the public domain.

Corporate Governance For NBFC AA

NBFC AA platforms are required to adopt a suitable internal mechanism to review, monitor, control, and evaluate their internal system, procedures, and safeguards. Their internal system should be maintained and checked in a regular manner and follow suitable measures to ensure that collected customers’ information may not be lost, destroyed, or tampered with.

Audit Committee For NBFC AA

NBFC AA platforms are bound to establish an audit committee compromising its 3 members (especially from the board of directors). Such an Audit committee must be constituted according to section 177 of the Companies Act 2013 and hold the same power, functions, and duties accordingly.

Nomination Committee For NBFC AA

NBFC AA (account aggregator) platforms must constitute a Nomination committee within their organization consisting of its 3 members from their board of directors under section 178 of the Companies Act, 2013 so as to check out the fit and proper status of their existing directors.

Risk Management Committee For NBFC AA

• NBFC AA platforms must adhere to a drafted framework for managing their business operation risk and must ensure that they are equipped with a sound or advanced robust technology framework, with a highly rated security system with more reliability and information recovering abilities in order to protect customer-based financial information, etc.
• NBFC AA risk managing committee must consider factors such as reputation, customer confidence, consequential impact, and complying with other legal aspects regarding investment controls and computer security measures with operational back facility, etc. 

Fit and Proper Criteria

• NBFC AA must make sure about the board-approved policy to discover the fit and proper criteria of the existing directors and CEO during their appointment and based on their continuance. Such policy formulated must be laid according to the guidelines of Annex 4.
• NBFC AA is required to take an undertaking with a declaration from their directors and CEO end, along with some additional information related to them in a specified format under Annex-5.
• NBFC AA requires a signed deed from the directors and CEO in a specified format under Annex-6.
• NBFC AA is required to submit the annual statements based on the change of their directors and CEO within a period of 15 days to the Regional bank office, duly certified by a CA, and mention that a proper fit criterion has been adopted during the entire process of selecting a new director etc.

Prior Approval From Bank in Case of Acquisition or transfer of control of Account Aggregator (AA)

• NBFC AA is required to obtain prior permission from the bank in case any takeover or acquisition of control of an NBFC AA might result from a management change. Any change in the shareholding of NBFC AA, in terms of an increase over time, might result in the acquisition or transfer of 26 per cent shares of such NBFC AA.
• NBFC AA is not required to take any prior permission from the bank if any shareholding gets increased by more than 26% due to its buyback of shares or resulting from an order of the court. Then, it would be required to report about the same to the bank within a period of 1 month since its valuation date, etc.

NBFC AA Application Format for Prior Approval

• NBFC AA (Account Aggregator) is required to draft an application consisting of the basic details specified below on their company letterhead to get such prior approval from the bank.
• The application must include the information related to proposed promoters, directors, and shareholders of the company according to the specified format (Annex 2 & 3, respectively).
• NBFC AA must specify in the application the sources of proposed shareholders’ funds acquiring shares in an account aggregator along with the banker’s report (financial statement) of both proposed directors and shareholders.
• The said application must be made in the name of the Regional office jurisdiction of the Department of Non-banking Supervision of the bank.

Public Notice for Change in Control or Management

• NBFC AA (account aggregator) is bound to serve a public notice 30 days before the commencing of the date of sale of share ownership transfer or transfer of control with or without share sales. It is required from the end of NBFC AA along with other associated parties jointly to serve a public notice after getting permission to conduct such changes in the process of management by the bank.
• Such served public notice attributes the intention of NBFC AA to make a sale, transfer in control, or ownership of shares accordingly. And the same notice needs to be published in one leading country’s newspaper, including the address of such operations, etc.

NBFC AA Information Regarding Operation Changes to Inform RBI (Regional Office)

• Each NBFC AA (account aggregator) must communicate about the changes within a month from its occurrence date to the Regional Department of Non-banking office based on their jurisdiction.
• The changes might be possible in the address of the company, contact details, fax number of the corporate office, office name and address of the company’s auditors, authorized official to sign on the company’s behalf, and many more, etc., need to be reported immediately beyond the time limits. 

Returns

It is the responsibility of the concerned bank under whose jurisdiction NBFC AA comes and will communicate about the returns timely to such NBFC AA.  

Supervision

The concerned bank is free and capable of initiating an inspection on NBFC AA by assigning tasks to their officers, employees, or any other NBFC AA when required.

Conclusion

 Although the NBFC AA (account aggregators) platform completely depends on technology, it would be better to call it technology-driven. It becomes very crucial for them to take appropriate measures to secure their customer’s financial information. Moreover, the Reserve Bank of India has laid down this Master’s direction to comply with all NBFC AA. It must operate their business operations accordingly to make customer’s life convenient on a daily basis. 

RBI-Compliance-for-NBFC-AA