7 Things to Know About the DEPA Consent Mechanism

DEPA powers the Account Aggregator India framework with structured, time-bound, and revocable consent. Knowing these seven points helps you control exactly which financial data flows where.

TrustyBull Editorial

Have you ever clicked "yes" on a banking app permission prompt without really reading what you agreed to share?

That habit is exactly what the DEPA consent mechanism is built to fix. DEPA, short for Data Empowerment and Protection Architecture, is the rulebook that powers the Account Aggregator India framework. Once you understand how it works, you stop blindly granting access to your financial data and start using consent like a switch you control.

Here are seven things every user, founder, and finance professional should know.

1. DEPA Treats Consent as a Digital Object, Not a Tick-Box

Most online consent today is a checkbox you forget the next minute. DEPA treats every consent as a structured digital artefact with clear fields: who is asking, what data, for what purpose, for how long, and how it will be used.

That artefact is signed, time-stamped, and stored. You and the regulator can both inspect it later. There is no "we lost the record" defence.

2. The User Is Always in the Driver's Seat

Under DEPA, your data does not flow until you explicitly approve it. Three roles work together:

  • Information Provider — usually your bank or insurer holding the data
  • Information User — the lender, advisor, or app that wants to read it
  • Account Aggregator — the neutral pipe that moves the data after you say yes

The Account Aggregator never reads your data. It only carries it from provider to user, with your fresh consent on every transfer.

3. Consent Is Granular and Time-Bound

DEPA lets you grant just what is needed. You can share six months of bank statements with a lender for a loan check, then revoke that access once the loan is approved. You do not have to give blanket access "forever" the way older systems often demanded.

Each consent specifies:

  1. Purpose, such as loan underwriting or wealth advisory
  2. Data range, like statements from a fixed start to a fixed end date
  3. Validity, after which the consent automatically expires
  4. Frequency, like one-time or recurring up to a stated limit

If anything changes, the user must re-consent. Sneaking in extra purposes is not allowed.

4. Revocation Is a One-Click Right

You can pull your consent at any time. Once revoked, the Information User must stop accessing new data immediately. This is enforceable by law, not just a polite request.

This single feature is what turns DEPA from a technical standard into a user-rights regime. Most financial laws give you ownership on paper. DEPA gives you a working off-switch on screen.
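The checks described in points 3 and 4, as an added example that is not part of the original article or any Account Aggregator's code: a simplified Python model of a consent artefact and the gate a data fetch has to pass. The field names, the `lender-example` identifier and the sample dates are constructed for illustration and do not follow the official artefact schema.

```python
from dataclasses import dataclass
from datetime import date, datetime

@dataclass
class Consent:
    """Simplified consent artefact; field names are illustrative only."""
    information_user: str
    purpose: str
    data_from: date          # start of the consented data range
    data_to: date            # end of the consented data range
    expires_at: datetime     # validity: consent lapses automatically here
    max_fetches: int         # frequency: 1 = one-time, >1 = recurring limit
    fetches_done: int = 0
    revoked: bool = False

@dataclass
class FetchRequest:
    information_user: str
    purpose: str
    data_from: date
    data_to: date

def check_fetch(consent, req, now):
    """Return every reason the fetch must be refused; empty list = allowed."""
    reasons = []
    if consent.revoked:
        reasons.append("consent revoked")
    if now >= consent.expires_at:
        reasons.append("consent expired")
    if req.information_user != consent.information_user:
        reasons.append("requester is not the consented Information User")
    if req.purpose != consent.purpose:
        reasons.append("purpose differs: re-consent required")
    if req.data_from < consent.data_from or req.data_to > consent.data_to:
        reasons.append("data range exceeds consent")
    if consent.fetches_done >= consent.max_fetches:
        reasons.append("fetch limit reached")
    return reasons

def fetch(consent, req, now):
    """Gate a transfer: count it against the frequency limit only if allowed."""
    reasons = check_fetch(consent, req, now)
    if not reasons:
        consent.fetches_done += 1
    return reasons

def sample_consent():
    """Constructed sample: six months of statements, one-time, for a loan."""
    return Consent("lender-example", "loan underwriting", date(2024, 1, 1),
                   date(2024, 6, 30), datetime(2024, 8, 1), max_fetches=1)
```

Every check fails closed: a request is served only when none of the conditions trips, and a revoked or expired consent blocks the fetch regardless of what else matches.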

5. The Account Aggregator India Network Already Has Real Volume

The framework is not a future promise. Active Account Aggregators in India already process millions of consent requests every month. Banks, NBFCs, mutual fund houses, and insurers are connected as Information Providers, while a wide range of lenders, wealth platforms, and personal finance apps are live as Information Users.

If you have applied for a loan in the last year, there is a good chance an Account Aggregator pulled your statements with your consent rather than asking you to email PDFs.

6. DEPA Is Sector-Agnostic by Design

While the early use cases are financial, DEPA is being extended to health, telecom, and education data over time. The same consent mechanics will let you share medical records with a hospital, course history with a recruiter, or telecom usage with an insurer, all on your terms.

The official architecture documentation lives on government and regulator portals. For current technical and regulatory detail, refer to the RBI for financial sector guidance and the relevant ministry portals for other sectors.

7. Common Misunderstandings to Avoid

Even with the framework live, misunderstandings keep popping up:

  • Account Aggregators do not see or store your data themselves
  • Consent does not hand over passwords or login credentials
  • You are not giving up ownership of your accounts when you grant consent
  • Withdrawing consent does not erase data that was lawfully collected before the withdrawal

If a service tells you any of these things, it is either misinformed or trying to scare you into broader sharing. Walk away.

How to Use the DEPA Mechanism Wisely

A short personal checklist before you click "approve" on any Account Aggregator screen:

  1. Recognise the requesting Information User and confirm you initiated the request
  2. Read the purpose line and check it matches what you actually want to do
  3. Match the data range with the minimum needed, not the maximum offered
  4. Set the validity to the shortest period that solves your need
  5. Bookmark where you can later view and revoke active consents

Two minutes of attention up front saves you from years of unwanted data flow. The same checklist works whether you are sharing data for a small loan or for a long-running advisory relationship.

The DEPA consent mechanism is one of the most user-friendly data laws designed anywhere in the world. Its biggest weakness is that most people do not yet know how to use it well. Walk through these seven points with a friend or family member, share the checklist with anyone in your circle who manages money online, and you will already be ahead of the curve.

Frequently Asked Questions

What does DEPA stand for?
DEPA stands for Data Empowerment and Protection Architecture, a framework that powers user-controlled, consent-based data sharing across regulated sectors.

Does an Account Aggregator see my data?
No. The Account Aggregator only carries encrypted data from the source to the requester after you grant consent. It does not read or store the underlying information.

Can I revoke a DEPA consent after approving it?
Yes. You can revoke active consents at any time through your Account Aggregator app, after which the Information User must stop pulling new data.

Is DEPA only for banking data?
It started in financial services but is being extended to other sectors like health, telecom, and education using the same consent mechanics.

What happens if a service ignores a revoked consent?
The provider violates regulatory rules and can face enforcement action. The framework is backed by legal obligations, not voluntary commitments.