NBFC Account Aggregator Compliances

Since account aggregators handle and transfer customer-sensitive financial data, they need to conduct audits. Some key audits include statutory, IS, VAPT, internal, compliance, and RBI inspection.

Well, that depends on the type of operation. As per RBI rules, you can outsource tech infrastructure, cloud hosting, software, customer support, call centres, and related activities, subject to your company’s approved policy, data security, audit rights, and on-time reporting.
You cannot delegate core business functions like retrieving, sharing, and transferring customer information. Although you can take assistance from a compliance service provider, you will still need to appoint a PMLA officer, nodal officer, and other key managerial personnel.

Yes, we not only help you register with the RBI, but also make sure that you run successful business operations post-registration. Our experts will assist you with RBI, FIU-IND filings, internal audits, IT security audits, corporate governance, MCA/ROC compliance, DPDP data privacy, and appointment support.
Book a virtual meeting to get more information on our packages for NBFC account aggregator compliances.

• Yes, the Reserve Bank of India can revoke your registration if you:
• Fail to operate within the scope of your license. 
• Violate the RBI guidelines. 
• No longer meet the regulations of the authorities. 
• Indulge in money laundering and CFT.
• Fail to maintain the net-owned funds. 
• Engage in unauthorized access to customers’ financial data.
• Don't submit your returns on time. 
• Have weak cybersecurity standards that make the regulator skeptical about your capabilities for protecting client data and preventing cyberattacks. 

• Heavy fines for violating the terms of your license and non-fulfilment of your obligations. 
• You may receive an order restricting you from onboarding new customers or suspending certain operations.
• Expect full license cancellation if you are no longer under the scope of your AA registration, violate AML/CFT guidelines, or commit data protection violations. 
• Additional monetary damages may be imposed by the FIU-IND under the PMLA Act of 2002. 
• Investigation of security incidents and controls.
• Penalties by the MCA under the Companies Act of 2013 for delayed board meetings, ROC filings, statutory registers, and financial statements. 

Not at all. An account aggregator can only transport the data in an encrypted form from a financial information provider to a user (FIU). They don’t have the authority to store, process, or view any financial data.

They retrieve data from an FIP like a bank or an NBFC loan company, then pass it to the FIU like a lender or a wealth manager. The entire transfer is unreadable to the AA, and the data is only shared based on the explicit consent of the customer.

As of 2026, your minimum fund needs to be INR 2 crore at all times since the date of operations until you cease acting as an account aggregator. Also, note that the requirement is low compared to other RBI-registered non-banking companies, given that an AA is a data-first company and doesn’t really perform fund or lending activities.

The Reserve Bank of India governs an account aggregator NBFC as per the master directives and the RBI Act of 1934. They have the right to issue and revoke your license. Also, you will deal with the Financial Intelligence Unit- India for AML and MCA for corporate-related compliance.

• Fintech and startups that rely on embedded consent frameworks in their customer-facing apps.
• RBI-registered AA companies
• Financial Information Providers (FIPs) and Financial Information Users (FIUs).

You will have to file the suspicious transaction reports with the FIU-IND within 7 days of the incident being tracked. Also, there's no limit on the monetary value of the transaction to be reported to the authority.