An Account Aggregator (AA) is a Non-Banking Financial Company. These non-banking entities are regulated by the Reserve Bank of India (RBI). In order to perform the job of an account aggregator, these entities should obtain a license from the regulating body i.e., RBI. Such entities act as a bridge or a medium for transmitting the financial data between the data-requesting institution and data-providing institution also known as Financial Information User (FIU) and Financial Information Provider (FIP) respectively. This process of sharing the user data from FIPs to FIUs will only be carried out after explicit consent from the user. The AAs will never facilitate any kind of transaction involving money made by users or customers. The AAs will not be undertaking any other business other than the business of an account aggregator.
The RBI, being the regulatory body, has prescribed a Master Directive for AA (RBI/DNBR/2016-17/46 Master Direction DNBR.PD.009/03.10.119/2016-17), as AAs are involved in the transmission of users' financial data. It is necessary for all the entities carrying out the business of Account aggregators to be compliant with the Master Direction document which is considered a regulatory requirement.
As per the Master Directions defined by RBI, an Account Aggregator shall transmit the financial data about or of the user only after receiving formal consent from the user. The consent from the users can be obtained in electronic format by the AAs. AAs should store the consent obtained by the users for transmitting the financial data to the FIUs. The AAs shouldn’t store any other financial data other than the data for which the consent is received by the user.
The consent received by the AAs should include the Identity of the customer and optional contact information, the nature of the financial information requested, the purpose of collecting such information, if necessary the identity of the recipients of the information, URL or other address to which notification needs to be sent every time the consent artifact is used to access information, consent creation date, expiry date, identity, and signature/digital signature of the Account Aggregator and any other attribute as may be prescribed by the Bank at any point of time.
The latter-mentioned attributes should be displayed to the user at the time of receiving the consent form the user. The AAs Shall(Shall not), not request/access/store the user credentials of the users which may be manipulated/utilized for authenticating the customers to the FIP(s). The AAs should allow the customers/users to access the consents given by them and should be bestowed with the ability to revoke the consents provided by them for FIU(s) to access their financial information or parts of such information. Once the consent is revoked, a fresh consent artifact shall be shared with the FIP(s). An AA should have the request(s) and response(s) logs maintained by the FIP(s) recorded at the time of transmitting the data.
It is necessary for the AAs must enable secure data transfers of the requested data from the FIP(s) to its own systems and then to the FIU(s), to achieve such secure data transfer AAs shall employ the necessary IT framework and interfaces(s). The technology adopted by the AAs should be scalable to cover any other financial information or financial information provider as may be specified by the Bank in the future. An Account Aggregator is mandated to ensure adequate safety is built into its IT systems to protect against unauthorized access, data alteration/tampering, destruction, disclosure, or dissemination of records and data. An AA should adopt appropriate measures/controls for Disaster Risk Management and Business Continuity in order to provide a prolonged service to the customers/users without any disruptions. Information System Audit of the internal systems and processes shall be in place and shall be conducted at least once in two years.
An AA should constitute various internal mechanisms for reviewing, monitoring, and evaluating its controls, systems, procedures, and safeguards. The integrity of the IT systems should be maintained at all costs, and all necessary precautions should be taken to ensure that the records of the consents explicitly received by the users are not lost, destroyed, or tampered with. The account aggregator should establish a well-documented risk management framework which shall include a sound and robust technology risk management framework, strengthening system security, reliability, resiliency, and recoverability and deploying strong authentication to protect access to customer data and systems. AAs should formulate a Risk Management Committee consisting of not less than three members of its Board of Directors. AAs shall conduct a self-assessment of their existing outsourcing arrangements to validate the risk inherited from the outsourced vendor.
An Account Aggregator should not outsource any core management functions including Internal Audit, Strategic and Compliance functions, and decision-making functions such as determining compliance with KYC norms for opening deposit accounts, according to sanction for loans (including retail loans) and management of investment portfolio. The AAs are not permitted to outsource the service of an account aggregator from any vendor.
As prescribed by RBI, all AAs should comply with the master directions as prescribed by the regulatory body and the report must be submitted to the bank to obtain the license to perform the business of an account aggregator in India. This would call out the need for Subject matter expertise in Information Security to align the business controls to be in adherence with the regulatory requirements. Such firms/entities are assisted by CyRAACS (Cyber Risk Advisory and Consulting Service) in achieving information security compliance with the necessary documents as regulated by RBI.
CyRAACS will assist an AA in fulfilling the requirements set by the regulator by ensuring compliance readiness. CyRAACS provides internal audit services to AAs, supported by a team of trained professionals in providing an unbiased observation to the AAs by assessing their IT systems, applications, or processes in scope and ensuring adherence to the regulatory and statutory requirements. CyRAACS also assists an AA in assessing the security of their applications and web applications through vulnerability assessment and penetration testing, which provides the AA with an overview of the risks and vulnerabilities that need to be rectified in the application's development phase. CyRAACS will also offer a source code review of the applications in scope to ensure application quality assurance from the source code perspective.
The Process flow of an AA is exhibited below the Flow chart.
Step 1: The user registers with an Account Aggregator application providing his details.
Step 2: The user registers with a Financial Information User (FIU) to receive a particular service.
Step 3: The user links his Account Aggregator with the FIU application.
Step 4: The Account Aggregator authenticates the linking via OTP.
Step 5: Once the Account Aggregator is linked to the FIU application, The list of linked Bank accounts i.e., the Financial Information Provider (FIP) of the respective user is fetched by the Account Aggregator.
Step 6: The user Selects the specific FIP from the list of FIP fetched.
Step 7: An Authentication is done by the FIP via OTP to verify the user prior to sharing data.
Step 8: The User Review the Type of Financial Information to be shared, the purpose of sharing, and the duration of data being shared by the FIP to the FIU.
Step 9: Once the user accepts and proceeds, the requested financial data is shared by the FIP in an encrypted form to the aggregator which in turn is shared with the FIU.
The below picture depicts the AA ecosystems as of August 2021.
Keep Your Data Secure with CyRAACS Cyber Security Solutions. Our experts offer tailored solutions for businesses of all sizes. Contact us today!