Table of Contents
- Executive Summary
- Regulatory Context and Objective
- Eligibility and Capital Requirements
- Application Process via PRAVAAH Portal
- In-Principle Approval and Implementation Roadmap
- Certificate of Registration (CoR) and Operational Readiness
- Post-License Compliance and Reporting
- Information Security, Technology, and Consent Architecture
- Governance Framework and Board Oversight
- RBI Reporting, Control Changes, and Dividend Norms
- Integration with FIPs and FIUs: Operating the AA Ecosystem
- Common Pitfalls and RBI Red Flags
- Case Snapshots: Active Account Aggregators in India
- Practical Timelines and Compliance Calendar
- Conclusion: Future of the AA Ecosystem
1. Executive Summary
The Account Aggregator (AA) framework represents one of the most transformative reforms in India’s financial sector, enabling consented, secure, and interoperable sharing of financial information between regulated entities. Administered by the Reserve Bank of India (RBI) under the Master Direction – NBFC-Account Aggregator Directions, 2016 (as amended), it lays the foundation of the Data Empowerment and Protection Architecture (DEPA). For fintech founders, NBFC professionals, and compliance officers, understanding the AA lifecycle—from licensing to post-registration governance—is critical for navigating this new layer of financial infrastructure.
2. Regulatory Context and Objective
The RBI introduced the Account Aggregator framework to create a regulated class of NBFCs that act as consent-based data intermediaries. An AA retrieves financial information from Financial Information Providers (FIPs) and shares it with Financial Information Users (FIUs) based on explicit customer consent. This enhances financial inclusion, transparency, and credit access without compromising data privacy.
3. Eligibility and Capital Requirements
To qualify for an NBFC-AA license, the applicant must:
- Be a company incorporated in India under the Companies Act.
- Have a minimum Net Owned Funds (NOF) of ₹2 crore at the time of final registration.
- Maintain a leverage ratio not exceeding 7:1.
- Restrict business solely to account aggregation activities (no lending or investment).
- Ensure promoters and directors are ‘fit and proper’, with at least one director having prior bank/NBFC experience.
- Comply with FATF jurisdictional norms to prevent control by entities from non-compliant jurisdictions.
4. Application Process via PRAVAAH Portal
All applications for NBFC-AA registration are now filed through RBI’s PRAVAAH portal. The step-wise process is as follows:
- Preparation of documents: Incorporation certificate, MoA/AoA, shareholding, business plan, IT note, governance policies.
- Online filing on PRAVAAH with annexures and self-declarations.
- RBI evaluation covering capital, promoters, management integrity, IT framework, and public interest.
- Grant of in-principle approval subject to fulfilment of specific conditions within 12 months.
5. In-Principle Approval and Implementation Roadmap
The in-principle approval is valid for 12 months. During this window, the applicant must achieve capital readiness, complete technology deployment, execute agreements with FIPs/FIUs, and finalize governance structures. Failure to comply within the timeframe can lead to rejection or reapplication.
Key deliverables during this phase include:
- Development of ReBIT-compliant API infrastructure for secure data exchange.
- Implementation of consent architecture aligned to DEPA.
- Execution of FIP/FIU agreements and sandbox testing.
- Completion of DR/BCP setup and vulnerability testing.
- Appointment of Compliance Officer, GRO, and constitution of mandatory board committees.
6. Certificate of Registration (CoR) and Operational Readiness
Once the applicant evidences full compliance, RBI issues the Certificate of Registration under Section 45-IA of the RBI Act, 1934. The NBFC-AA can then commence operations. The CoR specifies that the entity cannot accept public deposits and must adhere strictly to the NBFC-AA Directions. The registration enables onboarding of customers, integration with FIPs, and facilitation of data sharing.
7. Post-License Compliance and Reporting
After licensing, ongoing compliance obligations include:
- Biennial CISA-certified Information System (IS) audit and reporting to RBI.
- Maintenance of minimum NOF and leverage compliance.
- Quarterly board oversight on risk, audit, and grievance reports.
- RBI approval for change in control, ≥26% shareholding transfers, or >30% board change.
- Annual financial statements, NOF certificate, and any other returns RBI may prescribe.
8. Information Security, Technology, and Consent Architecture
The AA business is fully IT-driven. RBI mandates a secure, encrypted, and consent-based architecture. Customer financial data cannot be stored, only relayed securely. Core principles include:
- End-to-end encryption and mutual authentication with FIPs/FIUs.
- No storage or caching of financial information; only transient data relay.
- Standard electronic consent artefact specifying purpose, validity, and FIU recipients.
- Easy consent revocation and auditable logs of all consents and data requests.
- Disaster Recovery and Business Continuity mechanisms tested periodically.
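The consent, revocation and audit-log principles above can be illustrated with a short Python sketch. This is an added example, not code from RBI, ReBIT or Sahamati. The artefact fields, decision names and the hash-chained log format are simplified assumptions and do not reproduce the ReBIT schema.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Consent:  # simplified, hypothetical fields; not the ReBIT schema
    consent_id: str
    purpose: str
    fiu_ids: frozenset
    valid_from: datetime
    valid_to: datetime

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentGate:
    def __init__(self):
        self.revoked = set()
        self.audit = []  # decision metadata only; financial data is never written here

    def _log(self, now, consent_id, fiu_id, decision):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        body = {"ts": now.isoformat(), "consent": consent_id,
                "fiu": fiu_id, "decision": decision, "prev": prev}
        self.audit.append({**body, "hash": _digest(body)})

    def revoke(self, consent_id, now):
        self.revoked.add(consent_id)
        self._log(now, consent_id, "-", "REVOKED")

    def authorize(self, consent, fiu_id, purpose, now):
        # First failing check wins; every decision, allow or deny, is logged.
        checks = [("DENY_REVOKED", consent.consent_id in self.revoked),
                  ("DENY_OUTSIDE_VALIDITY", not consent.valid_from <= now <= consent.valid_to),
                  ("DENY_FIU_NOT_NAMED", fiu_id not in consent.fiu_ids),
                  ("DENY_PURPOSE_MISMATCH", purpose != consent.purpose)]
        decision = next((name for name, failed in checks if failed), "ALLOW")
        self._log(now, consent.consent_id, fiu_id, decision)
        return decision

    def verify_audit(self):  # recompute the chain; an edited or removed entry breaks it
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

An IS auditor can run `verify_audit()` over an exported log to confirm that no consent decision was altered after the fact.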
9. Governance Framework and Board Oversight
Mandatory committees for NBFC-AAs include:
- Audit Committee – minimum three directors; oversight of audit findings and financial statements.
- Nomination & Remuneration Committee – ensures fit-and-proper management and balanced remuneration.
- Risk Management Committee – monitors IT, cybersecurity, and operational risks.
10. RBI Reporting, Control Changes, and Dividend Norms
NBFC-AAs must notify RBI of operational changes and seek prior approval for major ownership or board changes. Dividend distribution is permitted only if leverage remains ≤7 for three years and statutory reserves are maintained.
11. Integration with FIPs and FIUs: Operating the AA Ecosystem
Account Aggregators operate within an interconnected ecosystem of Financial Information Providers and Users. Integration requires adherence to ReBIT API specifications, digital certificate management, and interoperability via Sahamati. Service reliability and consent success rate directly influence revenue and trust among FIUs.
12. Common Pitfalls and RBI Red Flags
- Incomplete technical documentation at application stage.
- Delay in achieving ₹2 crore NOF before CoR issuance.
- Poor consent revocation interface or opaque data flows.
- Failure to conduct periodic IS audits or DR drills.
- Unreported changes in shareholding or control.
13. Case Snapshots: Active Account Aggregators in India
Illustrative examples of RBI-licensed NBFC-AAs include CAMS Finserv, Finvu, Perfios (Anumati), NeSL AA, Protean SurakshAA, and TallyEdge. Their models range from B2B infrastructure providers to consumer-facing platforms. Perfios, for instance, publicly discloses per-transaction pricing (₹5–₹25 per bank statement) and charges only for successful data retrievals.
14. Practical Timelines and Compliance Calendar
| Stage | Description | Indicative Timeline |
| --- | --- | --- |
| Application Filing | Submit via PRAVAAH with annexures and corporate details. | Day 0 |
| RBI Appraisal | Evaluation of capital, governance, IT systems. | 3–6 months |
| In-Principle Approval | Conditional approval issued; 12-month validity. | Month 6 |
| Implementation Phase | Technology, FIP/FIU contracts, audits, policies. | Months 6–12 |
| Final CoR Grant | RBI issues operational license. | Within 12 months |
| Operational Review | Post-launch IS audits and RBI inspection. | Ongoing |
15. Conclusion: Future of the AA Ecosystem
The Account Aggregator framework is now central to India’s open finance evolution. As new data types—such as insurance, securities, and tax information—enter the fold, AAs will enable unified financial access. The next regulatory frontier includes interoperability enhancements, a designated Self-Regulatory Organization (SRO), and integration with the Digital Personal Data Protection Act. Startups and NBFCs that build early, secure, and compliant AA capabilities will be strategically positioned in the future of consent-driven finance.
Disclaimer: This article provides general information existing at the time of preparation and we take no responsibility to update it with the subsequent changes in the law. The article is intended as a news update and Affluence Advisory neither assumes nor accepts any responsibility for any loss arising to any person acting or refraining from acting as a result of any material contained in this article. It is recommended that professional advice be taken based on specific facts and circumstances. This article does not substitute the need to refer to the original pronouncement.