Sphere of Regulatory Compliance for Account Aggregators

Account Aggregators (AA) are a new category of financial intermediaries that enable customers to share their financial data across various financial institutions. They are licensed and regulated by the Reserve Bank of India (RBI) under the Non-Banking Financial Company – Account Aggregator (NBFC-AA) framework. The AA framework was launched in 2016, and the first AA entity was licensed in 2020. The primary objective of the AA framework is to provide customers with better control over their financial data, enable data-driven decision-making, and enhance the efficiency of the financial ecosystem. In this blog, we will discuss the sphere of regulatory compliance for Account Aggregators.

Registration and Licensing – Regulatory Compliance for Account Aggregators

The first and foremost regulatory compliance requirement for Account Aggregators is to obtain a license from the RBI. To obtain the license, the applicant must satisfy the RBI’s eligibility criteria, including a minimum net worth, fit and proper criteria for directors and senior management personnel, and compliance with various regulatory and statutory requirements. Once the AA has obtained the license, it must continue to meet ongoing regulatory and statutory requirements, such as filing periodic reports and maintaining the minimum net worth.

Customer Consent

AAs enable customers to share their financial data across various financial institutions. However, such sharing of data can be done only with the customer’s explicit consent. The customer must be informed about the purpose and scope of data sharing, the types of data that will be shared, the financial institutions with whom the data will be shared, and the duration for which the data will be shared. The customer must also have the right to revoke the consent at any time. The AA must ensure that it obtains the customer’s consent in a clear and unambiguous manner and maintains records of the consent obtained.

Compliance with Other Regulatory and Statutory Requirements – Regulatory Compliance for Account Aggregators

AAs must comply with various other regulatory and statutory requirements, such as the Prevention of Money Laundering Act (PMLA)[1], Foreign Exchange Management Act (FEMA), Income Tax Act, etc. The AA must ensure that it collects and shares customer data only with the financial institutions that are compliant with these requirements. The AA must also maintain records of the transactions carried out through its platform and provide such records to the relevant regulatory authorities upon request.

An Account Aggregator (AA) is required to comply with various other regulatory and statutory requirements in addition to the guidelines set by the Reserve Bank of India (RBI). These requirements include but are not limited to:

  1. The Indian Contract Act, 1872: The AA must ensure that the contracts it enters into with customers and FIPs are legally binding and enforceable.
  2. The Information Technology Act, 2000: The AA must ensure that its operations comply with the provisions of the Information Technology Act, which governs electronic transactions and data privacy.
  3. The Companies Act, 2013: If the AA is registered as a company, it must comply with the provisions of the Companies Act, which governs the formation and operation of companies in India.
  4. The General Data Protection Regulation (GDPR): If the AA collects or processes personal data of customers located in the European Union, it must comply with the GDPR, which is a comprehensive data protection regulation that applies to all organizations that collect or process personal data of EU citizens.
  5. The Payment and Settlement Systems Act, 2007: If the AA provides payment or settlement services, it must comply with the provisions of the Payment and Settlement Systems Act, which governs the regulation and supervision of payment and settlement systems in India.

Data Privacy and Security – Regulatory Compliance for Account Aggregators

One of the primary objectives of the AA framework is to provide customers with better control over their financial data. Hence, it is crucial for AAs to comply with data privacy and security requirements. The RBI has prescribed various guidelines and standards for data privacy and security, such as the Personal Data Protection Bill (PDPB) and the RBI’s Master Direction on Data Sharing and Privacy. The AA must ensure that it collects and uses customer data only for the purposes specified in the customer consent, and takes adequate measures to secure and protect the data from unauthorized access or misuse. Some of the key measures that an AA must take to ensure data privacy and security include:

  1. Encryption: The AA must use appropriate encryption techniques to protect customer data in transit and at rest.
  2. Access Controls: The AA must implement appropriate access controls to ensure that only authorized personnel have access to customer data.
  3. Incident Response Plan: The AA must have an incident response plan in place to respond to data breaches or other security incidents.
  4. Data Minimization: The AA must collect only the minimum amount of data necessary to provide its services and must delete or anonymize data when it is no longer needed.
  5. Risk Assessment: The AA must conduct regular risk assessments to identify potential threats and vulnerabilities and take appropriate measures to mitigate them.
  6. Training and Awareness: The AA must provide training to its employees on data privacy and security best practices and must create awareness among customers about the risks associated with sharing financial data.

Cybersecurity and IT Infrastructure – Regulatory Compliance for Account Aggregators

This is one of the most important areas of regulatory compliance for Account Aggregators. AAs must have robust cybersecurity and IT infrastructure to ensure the security and integrity of customer data. The RBI has prescribed various guidelines and standards for cybersecurity and IT infrastructure, such as the Cyber Security Framework for Banks and the Master Direction on Digital Payment Security Controls. The AA must ensure that its IT infrastructure is secure and protected from cyber threats, and that it has adequate backup and recovery mechanisms in place. The AA must also conduct periodic cybersecurity audits and tests to identify and mitigate any vulnerabilities or risks.

Compliance Monitoring and Reporting – Regulatory Compliance for Account Aggregators

AAs must have a robust compliance monitoring and reporting mechanism to ensure that they comply with various regulatory and statutory requirements. The AA must have a designated compliance officer who is responsible for monitoring and reporting compliance. The compliance officer must ensure that the AA complies with various requirements, such as customer consent, data privacy and security, KYC norms, etc. The compliance officer must also prepare periodic compliance reports and submit them to the RBI.

Operational Guidelines

Operational guidelines are a set of guidelines and standards that an Account Aggregator (AA) must follow in order to operate in compliance with regulatory requirements and ensure the security and privacy of customer data. The operational guidelines cover various aspects of the AA’s operations, including data privacy and security, technical standards, customer onboarding, and dispute resolution. Below are some of the key operational guidelines that an AA must follow:

  1. Licensing and Registration: The AA must obtain a license from the Reserve Bank of India (RBI) to operate as an AA. The AA must also register with the Financial Data Management Centre (FDMC) and obtain a Unique Identification Number (UIN).
  2. Customer Onboarding: The AA must follow the RBI’s customer onboarding guidelines, which include obtaining the customer’s consent for data sharing and verifying the customer’s identity using Know Your Customer (KYC) procedures.
  3. Data Privacy and Security: The AA must follow the RBI’s guidelines for data privacy and security, which include implementing appropriate security measures to protect customer data, ensuring that customer data is stored securely, and having a data breach response plan in place.
  4. Technical Standards: The AA must follow the RBI’s technical standards, which include using Application Programming Interfaces (APIs) to connect with the Financial Information Providers (FIPs) and implementing appropriate technical measures to ensure the security and privacy of customer data.
  5. Dispute Resolution: The AA must have a dispute resolution mechanism in place to resolve disputes between the AA, the FIPs, and the customers. The AA must also have a grievance redressal mechanism in place to address customer complaints.
  6. Financial Reporting and Audit: The AA must maintain accurate and up-to-date financial records and submit regular reports to the RBI. The AA must also undergo regular audits to ensure compliance with regulatory requirements.
  7. Data Retention: The AA must retain customer data only for as long as necessary and must delete or anonymize customer data after the retention period has ended.
  8. Data Portability: The AA must provide customers with the option to download their financial data in a portable format and must allow customers to request the deletion of their data.
  9. Customer Education: The AA must provide customers with adequate information about the AA’s services, the risks associated with sharing financial data, and the measures taken by the AA to ensure the security and privacy of customer data.

Financial Reporting and Audit – Regulatory Compliance for Account Aggregators

As per the RBI guidelines, Account Aggregators (AAs) must maintain accurate and complete financial records and prepare financial reports as per the RBI’s prescribed format. The purpose of financial reporting is to provide a transparent and accurate picture of the financial health and performance of the AA to its stakeholders, including the regulator, customers, investors, and other interested parties.

To ensure the accuracy and completeness of the financial records, AAs must undergo periodic financial audits by a qualified auditor. The financial audit report must be submitted to the RBI along with the annual financial statements. The auditor must verify the accuracy and completeness of the financial records and provide an opinion on the financial statements prepared by the AA.

The financial statements must comply with the Generally Accepted Accounting Principles (GAAP) and the RBI’s prescribed format. The financial statements must provide a true and fair view of the financial position, performance, and cash flows of the AA. The financial statements must include a balance sheet, profit and loss account, and cash flow statement, along with other relevant disclosures.

The financial reporting and audit requirements are essential to ensure the financial stability and sustainability of the AA. By maintaining accurate financial records and preparing financial statements as per the RBI’s guidelines, AAs can ensure the trust and confidence of their stakeholders, including the customers, investors, and the regulator. The financial reporting and audit requirements also provide a mechanism for the regulator to monitor and regulate the activities of the AA and ensure compliance with the regulatory requirements.

Dispute Resolution

The Account Aggregator framework is designed to provide customers with greater control over their financial data. However, there may be instances where customers have grievances or disputes with the AA or with the Financial Information Providers (FIPs) whose data is being aggregated. To address such grievances and disputes, AAs must have a robust dispute resolution mechanism in place.

The RBI has prescribed guidelines for the dispute resolution mechanism, and AAs must ensure that they comply with these guidelines. AAs must have a designated grievance redressal officer who is responsible for resolving customer grievances and disputes. The grievance redressal officer must have the necessary skills and knowledge to resolve customer grievances effectively.

AAs must also have a clear escalation process for disputes that cannot be resolved at the grievance redressal level. The escalation process must be transparent and well-defined to ensure that customers understand the process and their rights.

AAs must maintain records of all customer grievances and disputes, including the nature of the grievance, the action taken to resolve the grievance, and the time taken to resolve the grievance. AAs must also report customer grievances and disputes to the RBI on a regular basis.

By having a robust dispute resolution mechanism in place, AAs can ensure that customer grievances and disputes are resolved promptly and effectively. This can help build trust and confidence among customers and can also prevent legal and regulatory penalties for non-compliance with the dispute resolution guidelines.

Conclusion

The sphere of regulatory compliance for Account Aggregators is quite comprehensive and covers various aspects such as registration and licensing, data privacy and security, customer consent, compliance with other regulatory and statutory requirements, cybersecurity and IT infrastructure, compliance monitoring and reporting, operational guidelines, financial reporting and audit, and dispute resolution. The AA must comply with these requirements to ensure the efficient and secure functioning of its platform. The RBI has prescribed various guidelines and standards for each of these aspects, and the AA must adhere to them to avoid any regulatory or legal penalties. Overall, the AA framework is a welcome step towards providing customers with better control over their financial data, and it is essential that AAs comply with the regulatory requirements to ensure the success of the framework.
