The RBI’s new Account Aggregator framework is aimed at making it more convenient for customers to avail of loans and at giving financial institutions a reliable mechanism to check the creditworthiness of borrowers. However, several concerns must be addressed in order to protect the data privacy of users and to prevent this framework from turning into yet another pyrrhic victory, writes KHUSHI JAIN.
EARLIER this month, the Reserve Bank of India (RBI) launched its new Account Aggregator (AA) framework, a project that had been in the pipeline since 2016.
As of September 2, 2021, eight major Indian banks had already joined the AA network to pool financial data about their customers to be shared with the Account Aggregators. These include the State Bank of India, ICICI Bank, HDFC Bank, Axis Bank, IndusInd Bank, IDFC First Bank, Federal Bank, and Kotak Mahindra Bank.
Stakeholders in the Network
Besides the customers, the network includes AAs, Financial Information Providers (FIPs), and Financial Information Users (FIUs).
The AA is a Non-Banking Financial Company (NBFC) licensed by the RBI to render this service. Its primary responsibility is to collect a customer’s financial data, under a contract and with the customer’s consent, and to present that information to the customer or to an FIU the customer has authorised.
This would allow for an easy flow of financial data of the customers between FIPs and FIUs – the providers and the users of this data, with AAs acting as intermediaries.
FIPs, as the name suggests, are the data fiduciaries that hold customers’ data: banks, NBFCs, pension fund repositories, and so on. FIUs, which include banks and NBFCs as well as fintech companies, among others, use the data held by FIPs in order to provide financial services, such as loans, to customers.
This would mean that if one applies for a loan at a bank, with their consent, the bank can acquire and analyse their financial history stored by the FIPs via an AA to judge their creditworthiness.
Understanding the framework
Prima facie, the mechanism is simple: a consent-based collation and transfer of a customer’s financial data, so that FIUs have proper data at their disposal to analyse the customer’s financial history and position and provide services on that basis.
Licensed AAs, working as technology service providers, will act as intermediaries, passing customers’ information to institutions that seek to use it to provide services to the customer. The data is encrypted so that only the intended recipient can decrypt it, which means the AAs are blind to its contents. Being the party that routes the request and the consent behind it, an AA does still know which FIU has asked for which kind of data about which customer from which FIP; what it cannot see is the data itself.
This will not only lower transaction costs and speed up the grant of loans, but will also allow institutions to provide tailored services. Easy loans and low transaction costs will especially benefit Micro, Small and Medium Enterprises (MSMEs), which do not maintain sophisticated records of their financial performance and transactions; the financial history held by the FIPs will enable banks to grant them loans on the basis of their actual creditworthiness.
The new framework will also help investment companies offer customised investment advice to more affluent customers by examining their past records. If, say, you habitually invest large sums in risky instruments such as crypto assets or hedge funds, the investment company could offer you portfolios that match your risk appetite. This is not only convenient, but is also expected to make the market more competitive, with institutions shaping their services to your track record.
Account aggregation is also intended to keep sensitive financial information safe where the physical submission of documents might compromise it. Two mechanisms provide this: end-to-end encryption of the information, so that no intermediary can read it, and digital signatures affixed to it, so that the recipient can verify who produced the information and that it was not altered in transit.
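The following is an added illustration of the two mechanisms just described; it is not code from the original article, and it is not the RBI’s or ReBIT’s specification, whose actual algorithms this page does not describe. It models a FIP sealing a record for one specific FIU (X25519 key agreement, AES-256-GCM encryption, Ed25519 signature), an AA that relays the sealed envelope, and the FIU verifying and decrypting. The names Seal, Open and RelayView, the sample record, and the bare SHA-256 key derivation are assumptions made for the example. It needs Go 1.20 or later for crypto/ecdh.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is everything the Account Aggregator relays between FIP and FIU.
// It carries ciphertext plus the material needed to route and verify it, but
// no key that could open the payload, so the relay is blind to the record.
type Envelope struct {
	FIPEphemeralPub []byte // one-time X25519 public key chosen by the FIP
	Nonce           []byte // AES-GCM nonce
	Ciphertext      []byte // AES-256-GCM output, authentication tag included
	Signature       []byte // Ed25519 signature by the FIP over Nonce||Ciphertext
}

// deriveKey turns the X25519 shared secret into a 256-bit AES key.
// Illustrative simplification (assumption for this example): a production
// design would use a KDF such as HKDF with context binding, not a bare hash.
func deriveKey(shared []byte) []byte {
	k := sha256.Sum256(shared)
	return k[:]
}

// signedBody is the byte string the FIP signs and the FIU verifies.
func signedBody(nonce, ct []byte) []byte {
	body := make([]byte, 0, len(nonce)+len(ct))
	body = append(body, nonce...)
	return append(body, ct...)
}

// Seal is run by the FIP: encrypt the record to the FIU's X25519 public key
// and sign the result so the FIU can check which FIP produced it.
func Seal(record []byte, fiuPub *ecdh.PublicKey, fipSigningKey ed25519.PrivateKey) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(fiuPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(shared))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, record, nil)
	return &Envelope{
		FIPEphemeralPub: eph.PublicKey().Bytes(),
		Nonce:           nonce,
		Ciphertext:      ct,
		Signature:       ed25519.Sign(fipSigningKey, signedBody(nonce, ct)),
	}, nil
}

// Open is run by the FIU: verify the FIP's signature first, then decrypt with
// the FIU's private key. Alteration in transit, or an envelope sealed for a
// different FIU, fails here rather than yielding a wrong record.
func Open(env *Envelope, fiuPriv *ecdh.PrivateKey, fipVerifyKey ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(fipVerifyKey, signedBody(env.Nonce, env.Ciphertext), env.Signature) {
		return nil, errors.New("signature invalid: not from the expected FIP or altered in transit")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(env.FIPEphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := fiuPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(shared))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: wrong recipient key or ciphertext altered")
	}
	return pt, nil
}

// RelayView is all an AA, or anyone who breaches it, learns from an envelope:
// sizes and routing material, never the plaintext.
func RelayView(env *Envelope) string {
	return fmt.Sprintf("relaying %d bytes of ciphertext from FIP key %x...", len(env.Ciphertext), env.FIPEphemeralPub[:4])
}

func main() {
	fiuPriv, _ := ecdh.X25519().GenerateKey(rand.Reader)      // FIU's long-term key
	fipVerify, fipSign, _ := ed25519.GenerateKey(rand.Reader)  // FIP's signing key
	record := []byte(`{"account":"XXXX1234","balance":"52000.00"}`) // constructed sample record

	env, _ := Seal(record, fiuPriv.PublicKey(), fipSign)
	fmt.Println(RelayView(env))
	pt, err := Open(env, fiuPriv, fipVerify)
	fmt.Printf("FIU read: %s (err=%v)\n", pt, err)

	env.Ciphertext[0] ^= 0x01 // one byte changed in transit
	_, err = Open(env, fiuPriv, fipVerify)
	fmt.Println("after tampering:", err)
}
```

What the model shows: the relay sees only ciphertext length and a one-time public key; a second FIU holding a different private key cannot open the envelope; flipping a single byte in transit is rejected, by the signature check or by the GCM tag. What it does not show is equally important to the rest of this article: the encryption protects the record only between FIP and FIU. Once the FIU has decrypted it, and in the consent flow the AA administers, the data and the customer’s choices are protected by policy and controls, not by this cryptography.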
Considering the threat involved in the physical submission of documents, as well as the limits placed on in-person formalities by COVID-19 restrictions, the Account Aggregator framework acts as a saviour for ordinary citizens, who can now avail themselves of efficient loan facilities.
At the outset, the primary concern with such a system is the inherent risk to data privacy. The gravity of that concern is greater still when the data is sensitive in nature, as financial data is.
There is always a threat of attackers obtaining the data unlawfully, whether from the aggregation platform or from the institutions that receive and decrypt it. That information could then be used fraudulently to compromise the customer’s financial position.
Channelling all of a customer’s financial records through a single focal point concentrates the risk even further. Even though the aggregator is designed not to read the data, it becomes a single point of failure: a breach of its security controls, or of the consent process it administers, affects the data flows of every connected institution at once. Such apprehensions might inhibit consumers from subscribing to the framework while they await more clarity and maturity in the system.
Another issue that arises with such a system is the possibility of it becoming yet another Aadhaar. The framework, as of today, operates on a consent-based system: customers are not obliged to avail of the service, and they have the right to decide what information, if any, is shared with a particular FIU.
It is pertinent to note that the Aadhaar system was also a voluntary scheme wherein no citizen was obligated to be an Aadhaar card holder. Be that as it may, Aadhaar is now de facto required at every step for availing most public or private services, even when it concerns services as basic as applying for a ration card.
Even though Aadhaar is not a mandatory requirement for getting a new SIM card, for instance, telecom operators commonly refuse to issue one without an Aadhaar card. The same situation can be anticipated with respect to the AA system in the long run.
There is a real possibility of banks refusing to lend unless a customer consents to sharing their financial information through an Account Aggregator, and of customers who have not subscribed to account aggregation being refused even basic banking facilities. Such abuse of a dominant position by banks would defeat the consent-based mechanism at the heart of the AA system.
The Account Aggregator framework is new to the Indian fintech market, which gives good reason for the above apprehensions.
As stated by RBI’s Deputy Governor M. Rajeshwar Rao at an event, “the account aggregator ecosystem is still in a nascent stage of development. But given the sensitivity of the platform on account of the nature of data handled by it, it becomes imperative to ensure that the growth is orderly.”
While the advantages of an AA network may well outweigh its costs, the framework must be integrated into the financial system prudently, with data privacy and the core concept of consent kept in mind.
At this nascent stage, the AA network needs to be developed into a strong and dependable system that benefits everyone. For that to happen, concerns around privacy and consent must be acknowledged and addressed.
(Khushi Jain is a second-year undergraduate law student at the Hidayatullah National Law University, Raipur. The views expressed are personal.)