India Set To Pass Payments Data Protection Law

India’s Account Aggregators – And Open Banking

Will India prove to be a model for open banking? Will it be a fast follower – or a cautionary tale?

India is on the verge of passing a data protection law in 2020 that, in some respects, mirrors – and may help inform – other initiatives around the globe.

In the simplest terms, the data laws place parameters around the collection and use of data that springs from a staggeringly large market – as many as 560 million individuals, if we count the number of people who have internet access in India.

The rules mandate that firms across any number of financial services verticals, from insurance to investing, get permission from users for their information to be used for pretty much any purpose. And those same individuals can request that their data is erased.

And once the law is official in India, the country will take its place alongside the U.K. and Australia.

The Mechanics of It All

In tandem with this new era of data sharing, India is creating the Data Protection Authority, which will be tasked with rulemaking and deciding which companies are covered by the new data protection laws and which are exempt.

As for the mechanics: An “account aggregator” system is being created by banks, and will be regulated and licensed by the central bank. The aggregators have duties as fiduciaries to manage consent.

As detailed in the framework drawn up by the Reserve Bank of India (RBI) – titled Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, in its most updated form at the end of the last year – the account aggregator is tasked with verifying that individuals are who they say they are, that they have consented to their data being used, and that the data shall not be used beyond the explicitly agreed-upon terms. This means data cannot be retrieved, shared or even transferred by the aggregator without that consent.

“The business of an account aggregator will be entirely information technology (IT)-driven,” notes the document, which also states that no other business can be conducted by the aggregator. Third-party arrangements are expressly prohibited. Also, the aggregator may not store data tied to the customer, such as passwords.

Banks and other financial firms, in turn, must be verified by the reserve bank. The credentials presented by the individual and the aggregator must also be verified.

“All responses by the financial information provider shall be in real time,” according to the framework. The financial companies are also required to have “robust” IT systems in place (which includes IT security, too).

Among the firms that have been granted “in principle” licenses are Yodlee Finsoft, Aditya Birla and Perfios Software.

The Roadmap

The rollout may be a bit bumpy, given the size and scope of the installed base of internet users and the fact that any initiative on such a grand scale requires the seamless interplay of data protection legislation, technology/infrastructure and FIs and end users.

To look at Europe as prologue, recent findings from the CMA9 (shorthand for the nine largest banks in the U.K.), open banking customers have passed the one-million-customer mark for the first time, two years in, and regulated providers have grown to more than 200 from roughly 100 at the end of 2018. Along the way, banks had to agree on standards. And where the tailwind came from regulators, the CMA9 have said, growth has come as firms have recognized – and sought to capitalize on – the commercial opportunities that come with providing a broader range of services and products to a wider audience.

In India, because the data protection initiative is backed by the RBI, the path might be similar. The government has experience with large-scale data collection, done digitally and at scale – witness the issuance of the 12-digit individual identification numbers via the Unique Identification Authority of India.

One initial impact – and a long-term one, with significant ripple effects – is to boost the credit profiles of millions of consumers.

The same information that is being aggregated in one place for consumers can be leveraged to provide a picture of creditworthiness (for personal or business loans) to lenders.

And, as has been seen in other open banking efforts, end users who download and log into apps will see a broad swathe of financial data in one place, spanning bills, taxes and spending. That same data can be sent to a prospective lender to provide insight into cash flow and payment history.

In an interview with Bloomberg, V.R. Govindarajan, co-founder and CEO of Perfios, one of the licensed account aggregators, said “we have to ensure that hundreds of millions of Indians with varying levels of education and literacy properly understand consent. It’s a work in progress, and for the system to gain mass adoption, we need to evangelize.”

That’s no easy task, but the rewards – among them financial inclusion and innovation – will be considerable.



The How We Shop Report, a PYMNTS collaboration with PayPal, aims to understand how consumers of all ages and incomes are shifting to shopping and paying online in the midst of the COVID-19 pandemic. Our research builds on a series of studies conducted since March, surveying more than 16,000 consumers on how their shopping habits and payments preferences are changing as the crisis continues. This report focuses on our latest survey of 2,163 respondents and examines how their increased appetite for online commerce and digital touchless methods, such as QR codes, contactless cards and digital wallets, is poised to shape the post-pandemic economy.