Mar 25, 2019

Consent brokers: India’s new data-sharing model can be a game-changer but has several loose ends

By Nilesh Christopher

India is inching closer to a new protocol on data-sharing with user consent as its centrepiece. At least three of the five entities that have secured provisional licences to access and distribute personal financial data have begun testing ways to securely share customer information. But for all the hype, the final stretch is riddled with pits and bumps that could keep the model from being truly transformative.
Like with the Unified Payments Interface (UPI) that ushered in an era of digital transactions, this new class of non-banking financial institutions called account aggregators (NBFC-AA) holds the potential to be a game-changer.
These new businesses are building systems to allow users to digitally share their data with service providers in exchange for easier access to credit, insurance and other financial products, or to just keep track of all their investments. Account aggregators, essentially, will act as consent brokers, taking user permission to access their financial accounts and aggregate and organise all their financial information in one place.

The account aggregator apps act as pipes through which your data is securely shared for access to credit, loans and other financial services

Importantly, they are required to build a framework that will allow users to choose whom to share their data with, what data they want to share, for what purpose, what time period, as well as revoke permissions to access their data.
This is how it would work: Say you approach a bank for a loan. The loan officer would need details on your credit history, income and tax payments to process your application. It’s a tedious process arranging those documents. With account aggregators, all that a lender would have to do is initiate a consent request to access the required information. This request would reach an app on your phone and once you give your consent, the account aggregator will pull only the requested data from different entities and share it with the bank. This data will be with the bank or an NBFC only as long as it is needed to process your application.
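The consent checks described above, sketched as an added example; it is not code from the article or from the RBI specification. The `Consent` fields, the `release` function, the names and the sample records are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Consent:
    """Hypothetical consent record: whom, what, why, until when, revocable."""
    user: str
    recipient: str          # the financial information user allowed to receive data
    data_types: frozenset   # what data the user agreed to share
    purpose: str            # why the data is being shared
    expires_at: datetime    # end of the consented time period
    revoked: bool = False   # the user can withdraw consent at any time


# Constructed sample records standing in for data held by banks and other providers.
PROVIDER_DATA = {
    "asha": {"bank_statement": "stmt-rows", "tax_returns": "itr-rows",
             "mutual_funds": "mf-rows"},
}


def release(consent, recipient, requested, purpose, now):
    """Return only the consented slice of data, or raise PermissionError."""
    if consent.revoked:
        raise PermissionError("consent revoked")
    if now >= consent.expires_at:
        raise PermissionError("consent expired")
    if recipient != consent.recipient:
        raise PermissionError("recipient not named in consent")
    if purpose != consent.purpose:
        raise PermissionError("purpose differs from consent")
    extra = set(requested) - consent.data_types
    if extra:
        raise PermissionError(f"not consented: {sorted(extra)}")
    records = PROVIDER_DATA[consent.user]
    # Pipe behaviour: pass on the requested fields only and keep no copy.
    return {name: records[name] for name in requested}


if __name__ == "__main__":
    now = datetime(2019, 3, 25, 12, 0)
    loan = Consent("asha", "lender-bank",
                   frozenset({"bank_statement", "tax_returns"}),
                   "loan-application", now + timedelta(days=7))
    print(release(loan, "lender-bank", ["bank_statement"], "loan-application", now))
```

Every denial path raises before any provider data is read, so a request outside the consent returns nothing rather than a partial result.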
“If you wanted a snapshot of all your financial assets in one place on your mobile or to share information securely with a lender, it was previously not possible,” says Atluri Krishna Prasad, chief executive of Onemoney, one of the five entities that have secured in-principle approval from the Reserve Bank of India to operate as an account aggregator. “Now, if you give Onemoney your consent, we will fetch all your financial information from different sources, aggregate it and give you a single window with the consolidated information.”
A dashboard with all your accounts, active consents and new requests for consent.

To be sure, data aggregation services exist in India but not in the form as prescribed by RBI. The data is to be released in a secure, standardised format so that it can be shared more easily between authorised organisations online.
The regulator has standardised the data format to be machine-readable and has allowed the use of open application programming interfaces that connect to banks directly to provide data feeds for account aggregators. (APIs are software that allow different applications to interact.)
“The entire process of data transfer will be similar to authorising a collect request in a UPI application,” says Siddharth Shetty, a volunteer at technology think-tank iSPIRT Foundation, which helped put together the technical documents for the creation of this system of account aggregators. “Account aggregators will allow users to make data payments. Users can transfer financial data of various types held as bank deposits, mutual funds, equity, pension funds, etc., to any entity wanting access to that data, with just a few clicks.”
That’s not all. As India evolves from a ‘data poor’ to a ‘data rich’ nation, the concept of account aggregation could help solve some of the most fundamental problems involved in consent-based data-sharing across sectors such as finance and healthcare. The concept is also being extended to health account aggregators, which consolidate a patient’s diverse and fragmented health data split over multiple doctors, hospitals, and pharmacies.
But while all this sounds hunky dory, the proof of the pudding will lie in the implementation of the consent architecture and bank partnerships that the account aggregators have to weave together.

Birth pangs galore

There exist several hurdles on the path to the Promised Land — mostly regulatory and some operational. The most worrying among them are:

  • The existential question of whether the idea of consent is broken and if it works

  • Banks hesitant about opening up their data

  • Account aggregators struggling to build the tech and a viable business model

  • The absence of a government-backed entity to spearhead the initiative

For starters, not everyone can be an account aggregator. Companies face a high entry barrier, needing a minimum bank balance of Rs 2 crore to be granted an AA license. While the applicants consider this to be a hurdle, other stakeholders see this as a screening process that allows only high-integrity players into the system.
RBI has approved only five entities so far to demonstrate the workings of this new data-sharing business. However, even these aren’t final. The regulator has to be convinced of their operations before they are granted a final licence to set up shop.
The bigger concern has to do with individuals’ understanding of what consent and data privacy mean, and whether the system has robust checks to prevent data misuse.
“In a country like India with large illiterate populations speaking multiple languages, consent is very dicey, leave alone informed consent,” says Supratim Chakraborty, partner at law firm Khaitan & Co. “The approach of AA is great, which solves the problem of ‘data portability’ in banking, insurance and other sectors. However, sensitisation and the culture of privacy and consent has to be imbibed for us to understand and implement this correctly.”
Another huge worry is the lack of clarity on the business model.
“Currently, what is clear is that we have been given the APIs for FIPs (financial information providers such as banks, mutual funds, etc.) to move the data. We are building software for this. But on the actual report generation/aggregation — how will it be done, how are these to be delivered, is it on the client side or us — there is no clarity from RBI,” says N Mohanram, chief technology officer of NeSL Asset Data, another entity with an in-principle licence to be an account aggregator. Prasad of Onemoney seconds this.

A Krishna Prasad, founder of Onemoney

Account aggregators have to connect with banks and financial institutions to pull the data of their customers so they can then share this with financial information users (FIUs) such as Reliance Capital, Bajaj Finance and other lenders. While the technical specifications for such pull and push requests are specified, it is unclear as to which entity will do the job of data aggregation. There are more than 350 registered financial institutions in India.
Account aggregators can act only as pipes through which data from financial information providers is passed on to users of the information. While requesting data from banks and financial institutions, the account aggregators will have read-only access to customer data and will not be able to store, change or process the information.
“As per RBI’s current directive, account aggregators can’t run analytics. For any analytics to happen you need a history of data, which the AAs can’t store,” says Javed Memon, cofounder of Fintify, a cross-border personal finance app that had sought to start an account aggregation business in India but decided against it due to regulatory hurdles. “The only thing they can do is hive that data to build a history of it and then do analytics on it. Which AAs can then sell to customers. But that entity also has to be an FIU.”

The making of the data aggregation model

Despite all this, there exists significant interest in the account aggregation business. RBI published its master direction for the creation of account aggregators in September 2016, but the in-principle approvals came only in November.
“(So) it is only in the past few months that these AAs are getting ready, and three of them are getting into pilot stage with a bunch of banks and data providers,” says Shetty of iSPIRT Foundation. “They have built out sandboxes for testing. They are at a stage where UPI was about a year-and-half ago where they were kicking off at the pilot level.”

The five entities who have gotten in-principle approval from RBI to be account aggregators

Of the five chosen account aggregators, NeSL Asset Data, CookieJar Technologies, and Finsec AA Solutions (Onemoney) confirmed they were conducting pilots and were at various stages of building software and integrating with data providers. CAMS Financial Information Services and Abcap Trustee Company (MyUniverse) did not respond to queries sent by FactorDaily.
Onemoney is currently conducting a pilot with the data of a few bank employees. “We are currently testing our systems with banks’ test environment servers and not the production servers. We have been given exposure to those and testing is on,” says Prasad.
The company, as well as the other account aggregators, refused to disclose the names of the banks and data providers with whom they are running their pilots.
“Currently, there are many entities performing the functions of AAs for banking and other financial services but have not applied for a licence from RBI. RBI has taken it upon itself to regulate all financial information data aggregation (not just banking data aggregation, over which RBI has mandate), pushing (the existing entities) to operate in a regulatory grey space,” says Srikanth Lakshmanan, who runs CashlessConsumer, an initiative working to increase awareness on digital payments in India.

The big question: how will aggregation happen?

A huge worry for account aggregators is their inability to consolidate and show a user’s financial position across assets, liabilities, cards, and investments because they aren’t allowed to view the data.
“If you don’t allow me to store the data for at least a day or two, I will not be able to offer a consolidated report. I can only give you the data dump from multiple sources,” says an executive with one of the RBI-approved account aggregators, declining to be identified. “Unless I give it in a readable report format, it is of no use for the customer.”

A history of all the entities who you have accepted or rejected access to your data

Shetty says the standard allows for report generation but has limitations. “If you look at the technical standard, the data is end-to-end encrypted. AAs can decrypt it on their trusted clients. That is, the data is decrypted on AA apps (on mobile phones) or the FIUs’ servers.”
Meaning, the standard allows account aggregators to perform analytics and visualisation for the end user on the edge — on the mobile apps. “The only limitation is that AAs will be restricted by the compute capacity of the phone used. AAs may not be able to do complex machine-learning tasks for underwriting or predictions,” says Shetty, adding, “Here, the AAs have a point where analytics has to be done on the server side. But basic visualisations and categorisation can be done on the AA app itself.”
None of the RBI-approved account aggregators have completed building a live, fully operational app yet. The businesses need to demonstrate a working system to RBI’s technical arm, Reserve Bank Information Technology Pvt Ltd, or ReBIT, in the coming months to secure their final licences.

Navigating regulatory overhangs

The European Union and the United Kingdom have something loosely similar to India’s account aggregation system under their new regulations (known as the PSD-2 directive and the open banking initiative, respectively). The AA equivalent in the UK is Registered Account Information Service Provider (RAISP) but with two differences: The financial information user consumes the data as well as collects user consent.
In India, the roles are decoupled. Account aggregators cannot store, process or run analytics on the data you share or use your data to sell you any products or run ads. They can only collect consent from users; the entities consuming the data are different. Also, while the RAISPs cover only aggregate payment and checking accounts, account aggregators in India cover banks, securities, mutual funds, pension funds, insurance, etc.
“It is a little more structured (in the EU and the UK). They have created sandbox environments for FIUs to start testing on, there is one single open banking forum that drives how both banks and third-party users (account aggregators) get on to the same platform,” says Ameet Gaikwad, cofounder of Fintify.
Also, in the UK, the nine biggest banks have been mandated to open up their data to third-party providers by November. This means banks are forced to give customers control over their data. In India, there is no mandate from RBI to the banks to open up their data to service providers.
“With the presence of a forum it is easier. For testing — what kind of data is used, what kind of data is being given out by banks, whether they meet the technical specifications as listed by open banking – there is a central entity that oversees all this (Open Banking Limited in the UK),” says Memon. “In India, there is no single controlling body to oversee all this. There needs to be an official working group that meets every week and discusses the challenges faced by banks in sharing data.”

This is what most players in the industry see as a fix.
For the most part, RBI has been leading the charge for account aggregators, even publishing the master directive.
“Account aggregators give RBI a superior regulator position among financial regulators since it has oversight over how data sharing must happen for investments (which falls under the Securities and Exchange Board of India) and how to standardise insurance data (which falls under the Insurance Regulatory and Development Authority) and standardizing sharing of pension portfolio data (which falls under the Pension Fund Regulatory and Development Authority),” says a person whose company is in the running to be an account aggregator, declining to be identified.
The solution that many have proposed is a controlling body to iron out issues of data standardisation. “It was the formation of a body like NPCI (the National Payments Corporation of India) that propelled UPI to be successful. The account aggregator ecosystem currently lacks an NPCI equivalent,” says Shetty.
That said, India’s “AA model is the first of its kind,” he adds. “This is not a model where you can look to America or the UK and implement it here. Hence, it is proving hard for regulators and the businesses.”
Which is to say that starting troubles are inevitable. Especially when it concerns something as ambitious as a game-changing data consent and sharing protocol. For the account aggregation model to be as transformative as UPI, all that may be needed is for the regulators to have their ears to the ground.

Nilesh Christopher is a writer of FactorDaily.