For account aggregation, it is as vital as the mandated consent focus
The digital financial ecosystem is still an area where regulation is evolving and, therefore, the conversation must move beyond the purely self-congratulatory.
While it is commendable that RBI has asserted the transfer of information to account aggregators (AAs) must be based on explicit consent from the customer, an equal amount of emphasis needs to be put on dispute resolution mechanisms. The central bank has done well to place information security and customer consent at the heart of the guidelines. However, there is, as yet, little clarity on what happens if a customer experiences a violation of consent. This is critical as more intermediaries join an ecosystem in which a large number of banks, non-banks, fintechs and internet firms are already operating.
It is especially important for a country like India, which has no dedicated data privacy law. A large segment is still struggling to secure the most rudimentary forms of financial information, despite the best efforts of regulators. Frauds involving theft of PINs, OTPs, passwords and other account information—where a customer actually shares the information with a fraudster masquerading as a bank employee—are common. Such incidents are only going up; to that end, the Indian financial ecosystem has a long way to go when it comes to financial and digital literacy.
Indeed, that we have in place an AA framework is a significant development.
The framework empowers a set of entities, licensed under a special category of non-banking financial companies (NBFCs), to operate a system of consent-based sharing of financial data among ecosystem players. As RBI deputy governor M Rajeshwar Rao recently observed, the transfer of information to AAs must be based on explicit consent from the customer. The AAs must be equipped with the proper consent architecture, and audit trails should be available. Regulatory guidelines also require financial information providers to implement interfaces that allow an AA to submit consent artefacts and that let the two parties authenticate each other. This will enable a secure flow of financial information to the AA.
There is today a fair bit of suspicion surrounding the way tech-driven financial intermediaries deal with customer data. The Delhi High Court is hearing a PIL against Google Pay for allegedly having unauthorised access to, and storing, Aadhaar and banking information. It is unfortunate that users of a payments app have no recourse but to file a PIL with a High Court if they believe their data privacy is being violated.
Contrast this with the European Union’s General Data Protection Regulation (GDPR), which aims to safeguard the data of anybody in EU territory. Under the regulation, a person who believes their data protection rights have been breached has the option of lodging a complaint with the country’s data protection authority. The authority concerned must investigate each complaint and inform the complainant of the progress or outcome of the investigation within three months.
If India truly wants to become a digital-led economy, for at least a majority of its citizens, regulation will need to be very particular about privacy.