NBFC Account Aggregator – Consent Gateways

Timothy Lopes, Executive, Vinod Kothari Consultants Pvt. Ltd.

finserv@vinodkothari.com

The NBFC Account Aggregator (NBFC-AA) Framework was introduced back in 2016 by RBI[1]. However, the concept of Account Aggregators existed prior to 2016 as well. Before the NBFC-AA framework, several Account Aggregators (such as Perfios and Yodlee) undertook a similar business of consolidating financial data and providing analysis on the same for the customer or a financial institution.

To give a basic understanding, an Account Aggregator is an entity that can pull and consolidate all of an individual’s financial data and present the same in a manner that allows the reader to easily understand and analyse the different financial holdings of a person. At present our financial holdings are scattered across various financial instruments, with various financial intermediaries, which come under the purview of various financial regulators.

For example, an individual may have investments in fixed deposits with ABC Bank (which comes under the purview of RBI), mutual fund investments with XYZ AMC (which comes under the purview of SEBI) and life insurance cover with DEF Insurance Corporation (which comes under the purview of IRDAI).

Gathering all the scattered data from each of these investments and consolidating the same for submission to a financial institution while applying for a loan, may prove to be a time-consuming and rather confusing job for an individual.

The NBFC-AA framework was introduced with the intent to help individuals get a consolidated view of their financial holdings spread across the purview of different financial sector regulators.

Recently we have seen a sharp increase in interest in obtaining an NBFC-AA license. Ever since the Framework was introduced in 2016, around 8 entities have applied for the Account Aggregator License, out of which one has been granted the Certificate of Registration while the others have been granted in-principle approval[2].

Apart from the above, we have seen interest from the new age digital lending/ app based NBFCs.

In this article we wish to discuss the concerns revolving around data sharing, the reason behind going after an Account Aggregator (AA) license and the envisaged business models.

Going after AA License – The reason

New age lending mainly consists of a partnership model between an NBFC which acts as a funding partner and a fintech company that acts as a sourcing partner. Most of the fintech entities want to obtain the credit scores of the borrower when he/she applies for a loan. However, the credit scores are only accessible by the NBFC partner, since they are mandatorily required to be registered as members with all four Credit Information Companies (CICs).

This is where most NBFCs are facing an issue since the restriction on sharing of credit scores acts as a hurdle to smooth flow of operations in the credit approval process. We have elaborately covered this issue in a separate write up on our website[3].

What makes it different in the Account Aggregator route?

Companies registered as an NBFC-AA with RBI, can pull all the financial data of a single customer from any financial regulator and organise the data to show a consolidated view of all the financial asset holdings of the customer at one place. This data can also be shared with a Financial Information User (FIU) who must be an entity registered with and regulated by any financial sector regulator such as RBI, SEBI, IRDAI, etc. The AA could also perform certain data analytics and present meaningful information to the customer or the FIU.

All of the above is possible only with the consent of the customer, for which the NBFC-AA must put in place a well-defined ‘Consent Architecture’.

This data would be a gold mine for NBFCs, who would act as FIUs and obtain the customer’s financial data from the NBFC-AA.

Say a customer applies for a loan through a digital lending app. The NBFC would then require the customer’s financial data in order to do a credit evaluation of the potential borrower and make a decision on whether to sanction the loan or not. Instead of going through the process of requesting the customer to submit all his financial asset holdings data, the customer could provide his consent to the NBFC-AA (which could be set up by the NBFC itself), which would then pull all the financial data of the customer in a matter of seconds. This would not only speed up the credit approval and sanction process but also take care of the information sharing hurdle, as sharing of information is clearly possible through the NBFC-AA route if customer consent is obtained.

The above model can be explained with the following illustration –

What about the Fintech Entity?

Currently the partnership is between the fintech company (sourcing partner) and the NBFC (funding partner). With the introduction of an Account Aggregator as a new company in the group, what would be the role of the fintech entity? Can the information be shared with the fintech company as well as the NBFC?

The answer to the former would be that, firstly, the fintech company could itself apply for the NBFC-AA license, considering that the business of an NBFC-AA is required to be completely IT driven. However, the fintech company would be required to maintain a Net Owned Fund (NOF) of Rs. 2 crores as one of the pre-requisites of registration.

Alternatively, the digital lending group could incorporate a new company in the group, which would apply for the NBFC-AA license to solely carry out the business of an NBFC-AA. This would leave the fintech entity with the role of maintaining the app through which digital lending takes place.

The above structures could be better understood with the illustrations below –

As for the latter question, whether the information can be shared by the NBFC-AA with the fintech entity as well, the answer is quite clearly spelt out in the Master Directions.

As per the Master Directions, the NBFC-AA can share the customers’ information with an FIU, of course, with the consent of the customer. An FIU means an entity registered with and regulated by any financial sector regulator. Regulated entities are other banks, NBFCs, etc. However, fintech companies are not FIUs as they are not registered with and regulated by any financial sector regulator. An NBFC-AA therefore cannot share the information with the fintech company.

How to register as an NBFC-AA?

Only a company having NOF of Rs. 2 crores can apply to the RBI for an AA license. However, AAs regulated by other financial sector regulators are exempt from obtaining this license from RBI if they are aggregating only those accounts relating to the financial information pertaining to customers of that particular sector.

Further the following procedure is required to be followed for obtaining the NBFC-AA license –

Consent Architecture

Consent is the most important factor in the business of an NBFC-AA. Without the explicit consent of the customer, the NBFC-AA cannot retrieve, share or transfer any financial data of the customer.

The function of obtaining, submitting and managing the customer’s consent by the NBFC-AA should be in accordance with the Master Directions. As per the Master Directions, the consent of the customer obtained by the NBFC-AA should be a standardized consent artefact containing the following details, namely:-

  1. Identity of the customer and optional contact information;
  2. The nature of the financial information requested;
  3. Purpose of collecting such information;
  4. The identity of the recipients of the information, if any;
  5. URL or other address to which notification needs to be sent every time the consent artefact is used to access information;
  6. Consent creation date, expiry date, identity and signature/ digital signature of the Account Aggregator; and
  7. Any other attribute as may be prescribed by the RBI.

This consent artefact can also be obtained in electronic form which should be capable of being logged, audited and verified.

Further, the customer also has every right to revoke the consent given to obtain information that is rendered accessible by a consent artefact, including the ability to revoke consent to obtain parts of such information. Upon revocation, a fresh consent artefact shall be shared with the Financial Information Provider (FIP).
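To illustrate what "capable of being logged, audited and verified" can mean in practice, the following added example (not taken from the Master Directions or from any Account Aggregator's code) checks a consent artefact before data is released for one request. The field names, the JSON layout, the `consent_id` attribute and the HMAC-SHA256 stand-in for the Account Aggregator's digital signature are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Hypothetical field names mirroring the details listed above; consent_id is
# an assumed extra attribute used here for revocation lookups.
REQUIRED = ("consent_id", "customer_id", "fi_types", "purpose", "recipients",
            "notify_url", "created", "expires", "aa_id")
DEMO_KEY = b"constructed-demo-key"  # constructed sample key, not a real secret


def sign(body, aa_key):
    # HMAC-SHA256 over canonical JSON stands in for the AA's digital
    # signature (assumption, chosen so the example needs only the stdlib).
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(aa_key, data, hashlib.sha256).hexdigest()


def check_artefact(artefact, aa_key, requester, fi_type, now, revoked=()):
    """Return (allowed, reason) for one data request made under an artefact."""
    body = artefact.get("body", {})
    missing = [f for f in REQUIRED if f not in body]
    if missing:
        return False, "missing fields: " + ", ".join(missing)
    if not hmac.compare_digest(sign(body, aa_key), artefact.get("signature", "")):
        return False, "bad signature"
    if body["consent_id"] in revoked:
        return False, "revoked"
    created = datetime.fromisoformat(body["created"])
    expires = datetime.fromisoformat(body["expires"])
    if not created <= now < expires:
        return False, "outside validity window"
    if requester not in body["recipients"]:
        return False, "recipient not named in consent"
    if fi_type not in body["fi_types"]:
        return False, "information type not consented"
    return True, "ok"


def sample_artefact():
    # Constructed sample data for illustration only.
    body = {"consent_id": "c-001", "customer_id": "cust-42@demo-aa",
            "fi_types": ["DEPOSIT", "MUTUAL_FUND"], "purpose": "loan underwriting",
            "recipients": ["nbfc-lender"], "notify_url": "https://aa.example/notify",
            "created": "2024-01-01T00:00:00+00:00",
            "expires": "2024-04-01T00:00:00+00:00", "aa_id": "demo-aa"}
    return {"body": body, "signature": sign(body, DEMO_KEY)}
```

Each returned reason is a natural audit-log entry: a request from a party not named as a recipient, for an information type outside the consent, or made after expiry or revocation is refused and the refusal can be recorded against the artefact.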

The requirement of consent is essential to the business of the NBFC-AA and the manner of obtaining consent is also carefully required to be structured. Account Aggregators can be said to be consent gateways for FIPs and FIUs, since they ultimately benefit from the information provided.

Conclusion

There are several reasons for the new age digital lending NBFCs to go for the NBFC-AA license, as this would amount to a ‘value added’ to their services since every step in the loan process could be done without the customer ever having to leave the app.

However the question as to whether this model fits into the current digital lending model of the NBFC and Fintech Platform should be given due consideration. The revenue model should be structured in a way that the NBFC-AA reaps benefits out of its services provided to the NBFC.

The ultimate benefit would be a speedy and easier credit approval and sanction process for the digital lending business. Data coupled with consent of the customer would prove more efficient for the new age digital lending model if all the necessary checks and systems are in place.

Links to related write ups –

Account Aggregator: A class of NBFCs without any financial assets – http://vinodkothari.com/2016/09/account-aggregator-a-class-of-nbfc-without-any-financial-assets/

Financial Asset Aggregators: RBI issues draft regulatory directions – http://vinodkothari.com/wp-content/uploads/2017/03/Financial_asset_aggregators_RBI-1.pdf

[1] https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=10598

[2] Source: Sahamati FAQs (Sahamati is a collective of the Account Aggregator System)

[3] http://vinodkothari.com/2019/09/sharing-of-credit-information-to-fintech-companies-implications-of-rbi-bar/
