How Much Data Can NBFC-AAs Access Under New Rules?

An Account Aggregator in India can access a wide range of your financial data, but only with your explicit consent for a specific purpose and time. Crucially, the Account Aggregator itself is blind to your data; it only acts as a secure pipe to move encrypted information from your bank to the service provider.

TrustyBull Editorial

How an Account Aggregator Works in Real Life

Imagine you are applying for a small business loan. The bank asks for the last 12 months of your company's bank statements, your GST returns, and details of your existing loans. In the past, this meant downloading dozens of PDF files, printing them, or emailing them. It was slow, messy, and you probably shared more information than necessary. The Account Aggregator India framework changes this entire process. Now, you can simply give digital consent through a secure app to share that specific information, for that specific purpose, directly with the new bank. No paper, no messy emails.

This system is built on trust and control. But it brings up a big question: just how much of your data can these companies, known as NBFC-AAs (Non-Banking Financial Company - Account Aggregators), actually access? The answer is both simple and powerful: they access only what you permit, and even then, they can't read it themselves.

What Data Can Be Shared via Account Aggregator India?

The Account Aggregator (AA) system is like a secure digital courier for your financial information. It doesn't open the package; it just delivers it from one place to another. You are the one who decides what goes in the package. The company requesting your data is called a Financial Information User (FIU), and the company holding your data (like your bank) is a Financial Information Provider (FIP).

With your explicit consent, you can share a wide variety of financial data. The scope is expanding, but it currently includes:

  1. Banking Data: This is the most common use case. You can share transaction data and account balances from your savings accounts, current accounts, and fixed or recurring deposits.
  2. Investment Data: Information about your mutual fund holdings, equity stock holdings from depositories like NSDL and CDSL, and units of Real Estate Investment Trusts (REITs) or Infrastructure Investment Trusts (InvITs).
  3. Insurance Data: Details of your life, health, and general insurance policies. This includes policy numbers, sum assured, and premium details.
  4. Pension Funds: Your National Pension System (NPS) account statement and balances can be shared.
  5. Tax Data: Businesses can share their GST returns, which is incredibly useful for business lending and credit assessment.

The Golden Rule: Consent is Everything

The entire system is built on a consent-based architecture. Nothing moves without your approval. When an FIU (like a loan app) requests your data, you receive a consent request on your AA app. This request must clearly state:

  • What data they want (e.g., savings account statement).
  • For what purpose they want it (e.g., for a home loan application).
  • For how long the consent is valid (e.g., one-time access or for a period of three months).

You can approve or deny this request. The AA is just the middleman that manages this consent process. It cannot see the actual data, which is encrypted from end to end. Think of it as a sealed envelope that only the sender (your bank) and the receiver (the loan app) can open.

Real-World Example:

Priya is using a money management app to see all her finances in one place. The app is an FIU. To connect her bank account, the app sends a consent request via Priya's chosen Account Aggregator handle (e.g., priya@okaxis). The request asks for ongoing access to her savings account transaction data. Priya reviews it, sees it's for her personal finance management, and approves. Her bank (the FIP) then sends encrypted data to the app through the AA. The AA never sees her balance or transactions.
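The consent terms above (what data, what purpose, how long, and revocation) can be expressed as a deny-by-default check of the kind a data holder could run before releasing anything. This is an added example, not code from the AA specification or any provider; the field names, identifiers and sample consent are constructed for illustration and modelled on the Priya scenario.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Consent:
    # Simplified record; field names are illustrative, not the AA specification's.
    consent_id: str
    fiu_id: str
    data_types: frozenset   # what data
    purpose: str            # for what purpose
    valid_from: datetime    # for how long
    valid_until: datetime
    one_time: bool = False
    revoked: bool = False
    fetches: int = 0

def check_request(consent, consent_id, fiu_id, data_types, purpose, now):
    """Return (allowed, reason); deny unless every consent term is satisfied."""
    if consent_id != consent.consent_id or fiu_id != consent.fiu_id:
        return False, "consent not issued to this requester"
    if consent.revoked:
        return False, "consent revoked"
    if not consent.valid_from <= now <= consent.valid_until:
        return False, "outside validity period"
    if not data_types or not set(data_types) <= consent.data_types:
        return False, "data outside consented scope"
    if purpose != consent.purpose:
        return False, "purpose mismatch"
    if consent.one_time and consent.fetches >= 1:
        return False, "one-time consent already used"
    consent.fetches += 1  # count only fetches that were actually allowed
    return True, "ok"

def sample_consent():
    # Constructed sample modelled on the Priya scenario; all identifiers are made up.
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return Consent("c-001", "fiu-money-app", frozenset({"SAVINGS_TRANSACTIONS"}),
                   "personal finance management", start, start + timedelta(days=90))

if __name__ == "__main__":
    c = sample_consent()
    now = c.valid_from + timedelta(days=10)
    who = ("c-001", "fiu-money-app")
    print(check_request(c, *who, {"SAVINGS_TRANSACTIONS"}, c.purpose, now))
    print(check_request(c, *who, {"SAVINGS_TRANSACTIONS", "MUTUAL_FUNDS"}, c.purpose, now))
    c.revoked = True  # user revokes from the AA app
    print(check_request(c, *who, {"SAVINGS_TRANSACTIONS"}, c.purpose, now))
```

The check needs only the consent terms and the request metadata, never the account data itself, which is consistent with the AA managing consent while remaining blind to the payload.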

Old Way vs. New Way: A Clear Comparison

The shift to the Account Aggregator framework is a massive improvement over traditional methods of sharing financial data. The differences in control and security are stark.

| Feature | Traditional Method (e.g., PDF Statements) | Account Aggregator Method |
|---|---|---|
| Control | Low. You share an entire document, often with extra data the lender doesn't need. | High. You give granular consent for specific data points for a set period. |
| Security | Low. Unencrypted emails and physical copies can be lost, stolen, or misused. | High. Data is fully encrypted. The AA cannot read it. Consent is digitally logged. |
| Convenience | Poor. Requires downloading, printing, scanning, or emailing multiple documents. | Excellent. A few taps on your smartphone are all it takes. |
| Data Integrity | Questionable. PDFs can be edited or forged, leading to fraud. | Guaranteed. Data comes directly from the source (your bank), so it's authentic. |
| Consent Trail | None. You don't have a clear record of who has your data or for how long. | Clear. You can view and revoke active consents from your AA app at any time. |

What an Account Aggregator Cannot Access

It's just as important to understand what is outside the AA's reach. An NBFC-AA is purely a data-blind consent manager. It cannot:

  • Read your data: All information is encrypted. The AA only sees that data is flowing, not what the data contains.
  • Store your data: The data passes through the AA's servers but is not stored there.
  • Use your data: AAs are not allowed to use your data for any other purpose, like advertising or selling it. Their business model is based on charging small fees to the FIUs for their service.
  • Access your login credentials: You never share your internet banking username or password with the AA or the FIU. Authentication happens directly with your bank or financial institution.

Is Your Data Truly Safe with an Account Aggregator?

Yes, the framework is designed with security as its core pillar. All Account Aggregators in India are licensed and regulated by the Reserve Bank of India (RBI). They must follow strict technical and operational standards. You can see the guidelines directly on the RBI's website. For example, the Master Direction for NBFC-AAs outlines these rules in detail.

The power remains firmly in your hands. You decide who gets your data, what data they get, and for how long. If you no longer want to share information with a particular service, you can revoke consent instantly through your AA app. This combination of strong regulation and user control makes it one of the safest ways to share financial information today.

Frequently Asked Questions

Can an Account Aggregator see my bank account password?

No, absolutely not. You never share your banking passwords or login credentials with the Account Aggregator or the company requesting your data. Authentication happens directly and securely with your bank.

What happens if I want to stop sharing my data?

You are in full control. You can go into your Account Aggregator app at any time, view all your active consents, and revoke any of them instantly. Once you revoke consent, the data flow stops immediately.

Is it mandatory to use the Account Aggregator system?

No, it is not mandatory. It is an optional framework designed to make sharing financial information easier and more secure. You can still use traditional methods like sharing PDF statements if you prefer.

Does the Account Aggregator store my financial data?

No. The Account Aggregator is a data-blind pipe. It facilitates the flow of encrypted data from your bank to the service provider but does not store any of it. Its primary role is to manage your consent.