[By Aarya Parihar]
The author is a student of Dr. Ram Manohar Lohiya National Law University.
Account Aggregator Framework
Have you ever wondered about consolidating all your financial data in one place? This is exactly the function the newly announced Account Aggregator Framework by Reserve Bank India (“RBI”)will carry out. This framework will put all your financial data in one place, that can be accessed by Financial Information Users (“FIUs”) for various purposes. One of the important functions is assessing the creditworthiness of an individual before sanctioning a loan by an FIU. The framework will consist of two more important players: Financial Information Providers (“FIPs”), who will provide the financial information, and Account Aggregators (“AAs”), who will store the financial information and will act as a link or consent/data fiduciary between the Individuals and the FIUs in providing data.
AAs will extend the financial data forward only after receiving the due consent of the individuals. AAs can be a Non-Banking Financial Company (“NBFCs”) and other companies registered with the RBI. FIPs can be banks, mutual funds, pension funds, and some NBFCs, as may be notified by the authority. FIUs can be Banks, lending agencies, etc.
The RBI framework of 2016 is the main piece of directive backed by an authority that discusses and lays down rules and regulations for the NBFCs signing up as AA. It also defines FIPs and FIUs in sub-section 3(xi) and 3(xii), respectively. Further, it lays the process of registration for NBFCs and also the consent architecture in place to protect the data of the individuals.
History of Account Aggregator in India
Account Aggregator in India is still at a very nascent stage. Its inception dates back to a meeting of the Financial Stability and Development Council Sub-Committee (“FSDC-SC”) held in 2013. The FSDC-SC for the first time manifested its desire to put in place a system where the financial data of individuals will be aggregated in one place. The Financial Stability and Development Council (“FSDC”) was set up in 2010 with the Finance Minister as its Chairperson, and other members included officials from RBI. Later, the Sub-committee was established with the Governor of RBI as its Chairperson. After that, there were different meetings every year of FSDC and FSDC-SC separately where the issue of Account Aggregator came up frequently for discussion. Finally, in the 552nd Meeting of the Central Board of RBI, the then Governor Shri Raghuram Rajan announced that the RBI would soon release the guidelines relating to the Account Aggregator framework. Thus, came the RBI’s Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016, which enumerated, among other things, definitions, duties, and procedures to carry out Account Aggregation in India.
Open Banking in Other Jurisdictions
The Account Aggregator Framework in India is similar to the Open Banking system in other countries. Open Banking refers to the consolidation of an individual’s financial data in one place with the involvement of banks, NBFCs, fintech companies, and government regulators. This data is shared securely among these entities, leading to a more accessible and efficient financial system. Some of the aforementioned players might be absent in one or the other jurisdiction since the Open Banking system varies around the globe. Nonetheless, the gist and crux remain the same: to consolidate and use the financial data of individuals for various lawful purposes.
The implementation of Open Banking varies around the globe, with approaches categorized as mandatory, supportive, or neutral. In mandatory jurisdictions, implementation is forced by law, while in supportive jurisdictions, regulators encourage implementation without any legal requirement. In neutral jurisdictions, private industry leaders drive the adoption of Open Banking. The aim of Open Banking is to increase competitiveness and streamline the borrowing process, making it more inclusive. Some countries with mature Open Banking systems include United Kingdom, Singapore, Australia, and Japan.
The rationale or aim behind Open Banking is also to increase competitiveness and to facilitate and quicken the financial borrowing mechanism. It aims to make it hassle-free and more inclusive. There are various countries where this system has become adequately mature and is working properly. I will discuss some of the countries with different approaches where this model has significantly matured or is adequately implemented.
United Kingdom
It can be safely argued that the Open Banking system in the UK is in its most mature phase if we compare it to that existing in any other jurisdiction. The whole ecosystem of Open Banking in the UK is authority-driven, or a mandatory approach is taken by it. It all started with a Retail Market Investigation Order 2017 by the Competition and Markets Authority (“CMA”) which required the nine largest banks to open up their financial data to third-party providers (“TPPs”) or entities mentioned in the order. The order laid down various guidelines and rules for the compliance by the banks and TPPs in the journey of Open Banking. Subsequently, the Open Banking Implementation Entity (“OBIE”) was formed to facilitate the implementation of the ecosystem devised by CMA.
It is also important to allude to the Payment Service Regulation (“PSR”), which transposes Payment Services Directive 2015 (“PSD2”) into the national scenario of the UK. PSD2 is a regulation promulgated by European Union (“EU”), and it requires banking institutions to share financial data with TPPs after taking the consumer’s consent. It was mandated for all the EU nations to implement this directive in their national law by January 2018. PSD2 does not explicitly endorse Application Programming Interface (“APIs”) as the medium of sharing the information, whereas PSR of the UK requires Banks to utilise common APIs to share financial data. This piece of legislation is also instrumental in the growth of Open Banking in the UK. Technically, after Brexit, the UK has no obligation to follow the PSD2 directives, but due to constant interaction with European institutions, it still follows them to a certain extent.
In March 2022, the OBIE was replaced with a cross-authority committee led by Financial Conduct Authority (“FCA”) and the and the Payment Services Regulation (“PSR”). It will also have HM Treasury and the CMA as members assisting. The FCA has played a role of a regulator, providing licenses to Account Information Service Providers (“AISPs”) and Payment Initiation Service Providers (“PISPs”) for operating and delivering their services.
In conclusion, , the open banking system of the UK is mandatory and authority driven, with the nine largest banks being required to open their data and effectively implement open banking. CMA, in one of its reports, highlighted the problems faced by small banks due to the market being captured by the bigwigs (Larger Banks). It also stated that the customers could make an informed choice by comparing the services provided by the different banks according to their own personal needs.
Singapore
The Monetary Authority of Singapore (“MAS”) is the main regulatory body pushing the Open Banking reform in the Country. It was the first regulatory body in the whole Asia-Pacific to publish guidelines for the development and implementation of APIs in different organisations back in 2016. It took an organic approach, where voluntariness was respected. Banks were open to implementing APIs into their ecosystem and later opening banking. The absence of a mandatory approach like the UK does not mean that the banks have not implemented this framework. OBCS was the first bank to implement APIs back in 2016. DBS, which is the largest bank, also opened its data through API voluntarily in 2017.
In Singapore, there is a digital infrastructure by the name of SGFinDex, which can be understood as data fiduciary or a data exchange portal where individuals retrieve or share their financial data from Government agencies (via MyInfo) and private organisations (say, Bank A) with another organisation (say Bank B) of their own choice. The consent for the retrieval of data has to be given through SingPass, which is a national digital identity card used to interact with almost all Government Ministries.
The Country also created API Exchange (“APIX”), allowing different players to share information through APIs. APIX also acts as a sandbox where institutions can experiment safely on newer technology. Also, an API register was launched, which tracks and lists down functional APIs based on certain criteria laid down by MAS.
SGFinDex is a safe mechanism where the user has to give consent every time an organisation asks for the data, and this consent expires after a year. It also mandates that the participating entities in this financial data-sharing ecosystem have to comply with the rules laid down under the Personal Data Protection Act. In case of any breach thereof, the concerned organisation would be penalised accordingly.
The whole framework of Open Banking in Singapore can be termed as a healthy consonance between the regulator and the market. There was no specific legislation or instrument passed by the Government making it a voluntary scheme for banks. Customers’ access to financial information through SingPass, a Government authorised framework, makes the whole system backed by the sovereign. Also, the constant push by MAS in this regard makes it all the more impactful and safer for individuals and financial institutions to join the ecosystem.
Australia & Japan
There are other jurisdictions also, where Open Banking is excelling or is promised to take big leaps. In Australia, the lead is taken by the Australian Competition and Consumer Commission (“ACCC”). The island country has an important legal instrument Consumer Data Right (“CDR”), regulated by ACCC. CDR allows individuals to share their information with other entities. It is extended to Open Banking, where individuals can share their financial data with the different entrusted entities and benefit from the ecosystem. This approach is also regulatory-driven, with the regulators pushing for reforms and bringing out pieces of legislation. Interestingly, CDR is not limited to Open Banking per se but will increase the ambit of opening data of other sorts also, like telecommunication and energy.
In Japan, there is no master regulation or legislation in place for the advent of Open Banking. It believes in a more organic and guided approach instead of mandating it. It amended the Banking Act in 2017 to define the term Third Party Provider (“TPP”)or Electronic Payment Intermediate Service Providers (“EPISP”) and also amended it, asking the banks to develop infrastructure to open their APIs by 2020. The amendments require entities that provide Electronic Payment Intermediate Services to register with the Japan Financial Services Agency (the “JFSA”). Japan also brought out a vision that explicitly laid down the goal to promote Open APIs in the banking system. In Japan, Open Banking is still in a very nascent stage, which can partly be attributed to the fact that only 20% population of Japan transacts in online mode.
Conclusion
Open Banking is a revolutionary concept. It is already in place in various jurisdictions around the globe, but it is yet to become a familiar concept. The pace at which it is increasing is very fast. Given the other catalysts like the Unified Payment Interface (“UPI”), the internet, and technology, everything becomes more and more easy and viable.
UK in the west and Singapore in the east are arguably the leaders in Open Banking. Whereas there are other players also in the market, like Australia and Japan, where this framework is not fully functional, but a plethora of measures are taken by the concerned regulators in the two countries. India is still in a very initial phase when it comes to Open Banking. In India, it is referred to as the Account Aggregator Framework, and the approach towards it can be understood as prescriptive or regulatory-driven. There has been considerable progress made in this regard by drafting and putting out a few regulations and frameworks laying down the way forward. There is still a need to fine-tune these instruments to make the system workable. There are various challenges with respect to making the whole infrastructure inclusive for all. In India, the issue also lies concerning the data protection regime in place or the lack thereof. As of December 2022, there is no existing Central Data Protection Legislation or regulation in India.
These are the concerns that have to be dealt with, but this road, although filled with thorns, has to be traversed by carefully plucking all the thorns as we usher into the era of Open Banking or, as we call it: Account Aggregator Framework.