A Brief Overview of NBFC Account Aggregator Compliances
The concept of the account aggregator was conceived by the Reserve Bank of India (RBI), which subsequently notified a framework for the registration and operation of Account Aggregators in India. Account aggregators have a slew of compliances that they need to meet in order to operate smoothly. NBFC Account Aggregator compliances range from ensuring data security to having a board-approved policy, among others.
Who are Account Aggregators and what do they do?
An account aggregator is an entity regulated by the Reserve Bank of India that helps a person access and share information securely and digitally from one financial institution they have an account with to other regulated financial institutions in the Account Aggregator network. One thing to note here is that the data cannot be shared without the consent of the individual. There will be various Account Aggregators an individual can choose from. With the onset of Account Aggregators, the ‘blank cheque’ acceptance of a terms and conditions form is replaced with step-by-step permission and control for each use of an individual’s data.
What are the various NBFC Account Aggregator Compliances?
NBFC Account Aggregator compliances range from ensuring data security to having a board-approved policy and setting up committees, among various other compliances.
Compliances after obtaining in-principle approval
The bank shall grant an in-principle approval which will be valid for 12 months, within which the company should set up a technology platform, enter into the legal documentation needed to be ready for operations, and report its compliance position to the bank. If the bank is satisfied that the company is in a position to commence operations, it will grant a certificate of registration as an NBFC account aggregator.
The account aggregator needs to ensure that the company maintains accounts and publishes and discloses its financial position as per the legal requirements or any direction or order from the bank. Further, it should also submit, or offer for inspection, its books of account or other documents when demanded.
- With respect to data security, the account aggregator business must be IT-driven.
- The technology must be scalable to cover any other financial asset or financial service provider.
- Adequate safeguards should be put in place in its IT systems in order to ensure that they are protected from any unauthorised access, alteration, destruction, disclosure, etc.
- There should be appropriate measures in place for Disaster Risk Management and Business Continuity.
- An information system audit of the internal systems and processes shall be conducted at least once every two years by external auditors. The external auditor's report has to be submitted to the regional office of the Department of Non-Banking Supervision of the bank within a month of submission of the report by the external auditor.
Board Approved Policy
- Customer grievance
An account aggregator should have a board-approved policy for handling and disposing of customer grievances. Customer grievances should be handled and disposed of within such time and in such manner as specified under its board-approved policy; however, it should not take more than a month.
The account aggregator needs to display the name and contact details of the grievance redressal officer on its website and at its place(s) of business.
The Account Aggregator should also have a board-approved policy for the pricing of services. Pricing of services should strictly conform to the internal guidelines adopted by the Account Aggregator, which must be transparent and available in the public domain.
The account aggregator must put in place an internal mechanism to review, monitor and evaluate its controls, systems, procedures, etc. The integrity of the IT systems should be ensured at all times, and precautions should be taken so that records are not destroyed, lost or tampered with.
Set up Committees
- Audit Committee and Nomination Committee
An audit committee needs to be constituted with not less than 3 members of its board of directors.
A nomination committee needs to be formed with not less than 3 members of its board of directors.
- Risk Management Committee
To manage integrated risk, the Account Aggregator needs to form a Risk Management Committee. It shall consist of not less than 3 members of its Board of Directors.
The account aggregator must establish a well-documented risk management framework, which should include a sound and robust technology risk management framework, strong authentication to protect access to customer data and systems, and system security, reliability, resiliency, etc.
Fit and Proper Criteria
An Account Aggregator is required to ensure that a policy approved by its Board of Directors is in place to ascertain the fit and proper criteria of the directors/managing director/CEO at the time of appointment and on a continuing basis.
Further, the account aggregator also needs to obtain a declaration and undertaking from the directors/managing director/CEO providing additional information about them.
The account aggregator should obtain a Deed of Covenant signed by the directors/managing director/CEO. It also needs to furnish to the Bank an annual statement on any change of directors/managing director/CEO, duly certified by the Statutory Auditors that the fit and proper criteria have been followed in the selection of the directors.
The account aggregator runs on a technology platform and involves the transmission of sensitive financial data between Financial Information Providers and Financial Information Users; hence, an AA platform set up in India should comply with the account aggregator compliances as specified by the RBI.