RBI’s Account Aggregator Framework: Financial Convenience or Threat To Sensitive Data?
Khushi Jain (The Leaflet) 24 September 2021
The RBI’s new Account Aggregator framework aims to ensure convenience to customers in availing loans and establish a fool proof mechanism for the financial institutes to check the creditworthiness of the loanee. However, several concerns must be taken care of to protect users’ data privacy and prevent this framework from turning into yet another pyrrhic victory, writes KHUSHI JAIN.
Earlier his month, the Reserve Bank of India (RBI) launched its new account aggregator (AA) framework, a project that had been in the pipeline since 2016.
As of 2 September 2021, eight Indian banks had already joined the AA network to pool financial data about their customers to be shared with the account aggregators. These include the State Bank of India, ICICI Bank, HDFC Bank, Axis Bank, IndusInd Bank, IDFC First Bank, Federal Bank, and Kotak Mahindra Bank.
Stakeholders in the Network
Besides the customers, the network includes AAs, financial information providers (FIPs), and financial information users (FIUs).
The AA is a non-banking financial company (NBFC) approved by the RBI to render the service. Its primary responsibility is to collate the financial data of its customers under a contract signed with customer consent and provide the financial information to the customer or any FIU.
This would allow for an easy flow of the customers’ financial data between FIPs and FIUs – the providers and the users of this data, with AAs acting as intermediaries.
FIPs, as the name suggests, are data fiduciaries that store the data of the customers. These include NBFCs, banks, pension fund repositories, and so on. FIUs, which also include banks, and NBFCs, apart from fintech companies, use the data stored by FIPs to provide financial services such as loans to the customers.
This would mean that if one applies for a loan at a bank, with their consent, the bank can acquire and analyse their financial history stored by the FIPs via an AA to judge their creditworthiness.
Understanding the framework
Prima facie, the mechanism is based on a simple, consent-based collation and transfer of a customer’s financial data to equip various FIUs to provide services to customers, with proper data at their disposal that will help them analyse a customer’s financial history and position.
Licensed AAs, working as technologic service providers, will act as middlemen by sharing the customers’ information with institutions, seeking to use the same to provide certain services to the customer. The data is encrypted to protect the privacy of customers and can only be decrypted by the recipient, which means that the AAs would be blind to such data.
This will ensure low transaction costs and speedy grants of loans and equip various institutions to provide tailor-based services. Easy loans and low transaction costs will significantly benefit micro, small and medium enterprises (MSMEs) that do not maintain sophisticated records of their financial performance and transactions. Financial history pooled by the FIPs will enable banks to grant them loans based on their creditworthiness.
The new framework will also help investment companies offer customised investment advice to the more affluent class of citizens by judging their previous records. Assuming you are one to invest big in risky investments like crypto assets, or hedge funds, to name a few, the investment company would then offer you tailored portfolios that match your investment attitude.
This is convenient and expected to enhance competitive services in the market with the institutions shaping their services according to your previous track record.
This account aggregation system is intended to ensure the safety of sensitive financial information, which might otherwise be compromised in the physical submission of documents. This safety measure is achieved via end-to-end encryption of the information and the affixation of digital signatures to the same.
Considering the threat involved in the physical submission of documents and the limitations on the physical mode of running the formalities due to COVID-19 restrictions, the account aggregator framework acts as a saviour for ordinary citizens who can now avail themselves of efficient loan facilities.
Concerns to be acknowledged
At the outset, the primary concern that arises with such a system is the imminent risk to data privacy. The gravity of such apprehensions is exacerbated when it concerns data that is sensitive in nature.
There is always a threat of hijackers obtaining the data illegally from the account aggregation site. This information could then be fraudulently used to compromise the financial position of the customer.
Storage of all financial records at a single focal point aggravates the risk even more, as it makes it a single point of vulnerability and is thus exposed to severe risk in case the data security wall gets breached. Such apprehensions might inhibit consumers from subscribing to the framework as they await more clarity and development in the system.
Another issue that arises with such a system is the possibility of it becoming yet another case of Aadhaar. Currently, the framework operates on a consent-based system, where the customers are not obligated to avail of this service, and they have a right to decide what information can be shared to a particular FIU, if at all.
It is pertinent to note that the Aadhaar system was also a voluntary scheme where no citizen was obligated to be an Aadhaar number holder. Be that as it may, Aadhaar is now de facto required at every step for availing most public or private services, even when it concerns services as essential as applying for a ration card.
Even though it isn’t a mandatory requirement for getting a new SIM card, it is common for telecom operators to refuse the same without an Aadhaar. The same situation can be anticipated for the AA system in the long run.
There is a real possibility of banks refusing to lend loans unless a customer consents to provide access to their financial information with the account aggregator. In cases where the customer has not subscribed to account aggregation, they may be refused even basic banking facilities. Such misuse of dominant position by banks would defeat the entire consent-based mechanism of the AA system.
The account aggregator framework is new to the Indian fintech market, which gives good reasons for the abovementioned apprehensions.
As stated by RBI’s deputy governor M Rajeshwar Rao at an event, “the account aggregator ecosystem is still in a nascent stage of development. But given the sensitivity of the platform on account of the nature of data handled by it, it becomes imperative to ensure that the growth is orderly.”
While the advantages of having an AA network possess the potential to outweigh the costs, the framework must be integrated into the system prudently, keeping data privacy and the core concept of consent in mind.
At its nascent stage, AA network needs to be developed into a reliable and robust system that benefits all. For this to happen, concerns around privacy and consent must be acknowledged and addressed to make the framework efficient.
(Khushi Jain is a second-year undergraduate law student at the Hidayatullah National Law University, Raipur. The views expressed are personal.)
Free Helpline
Legal Credit