
How can LSPs be a part of the Account Aggregator ecosystem?


Sripal Jain

Research Intern, D91 Labs


Vinith Kurian

Research Manager, D91 Labs

1 Mar 2024 — PRODUCT

ACCOUNT AGGREGATOR


By this time we all know that the Account Aggregator (AA) ecosystem in India is experiencing tremendous growth, significantly simplifying and securing the process of financial data sharing between Financial Information Providers (FIPs) and Financial Information Users (FIUs), while ensuring all data transfers are consent-based.

Simply put, any entity having anything to do with financial products and services wants a piece of the ‘AA’ pie. But… hold on… aren’t only regulated entities (REs) allowed to be part of this framework?

Well yes… only REs are allowed to be FIUs and FIPs and by extension, any direct data transfer through an AA can only take place between two REs.

That’s a drag, a lot of you might say! Delivering financial services today involves an intricate network of partnerships with third-party entities for improving user experience, for performing data analytics, for loan underwriting, for efficient distribution and so on.


What about all those ‘unregulated entities’ that are not ‘registered and regulated’ by any of the four financial sector regulators, namely RBI, SEBI, IRDAI and PFRDA? These entities include various kinds of Technical Service Providers (TSPs), Lending Service Providers (LSPs), Digital Selling Agents (DSAs) and other third-party entities that work with REs. By virtue of not being regulated, are they out of the AA ecosystem as of now?

No, they can still play a transformative role in the Indian financial sector by leveraging the AA framework through partnerships with REs. For instance, Sahamati clearly defines the role that certified Data Standards TSPs can have in onboarding FIPs/FIUs onto the AA network. However, deliberations are ongoing on whether such partnerships that involve using the underlying financial data are in keeping with the spirit and motivation of the AA framework.

Alright… So how can ‘unregulated’ entities be part of the AA ecosystem?

Sahamati and regulatory bodies are in the process of reviewing and approving various approaches that can formalise the roles of such partnerships between an RE and other unregulated entities. The collaboration between these entities necessitates a structured approach ensuring regulatory compliance, data security, and seamless integration of services.

Here’s the long and short of it—

Step 1: Understanding the Engagement Framework

The initial step involves grasping the engagement framework within the regulatory space. Unregulated entities looking to partner with FIUs must familiarise themselves with the stringent guidelines and obligations set forth for Regulated Entities (REs) like FIUs. This comprehension lays the groundwork for establishing a compliant partnership. For instance, for an LSP collaborating with an NBFC for credit underwriting and decision-making, an in-depth understanding of the Reserve Bank of India regulations and Sahamati’s guidelines regarding data sharing and financial services is critical.

Step 2: Clarifying Roles and Responsibilities of each Partner

Identifying the specific roles of each party within the collaboration is pivotal. For instance, in the context of an LSP working alongside an NBFC partner acting as the FIU, delineation of the responsibilities becomes crucial. The NBFC holds full accountability as the end-user of consumer data, while the LSP, functioning as a technical partner, engages in underwriting and credit decision-making processes. The RE remains the custodian of consumer data throughout the process.

Step 3: Documentation and Legal Agreements

To formalise the partnership, the contractual arrangements between the unregulated entity and the RE need to be established and presented for review. These contracts should outline the terms of engagement, data handling protocols, adherence to regulatory norms—such as RBI digital lending guidelines in the case of our lending example—and explicit permissions for data transfer along with the reason for transfer from the FIU to the TSP or unregulated entity for processing.

Step 4: Setting up a Consent Framework and Data Purging

Now, this is super important from a customer protection standpoint (hence super important for the regulator). Prior to initiating consent requests from consumers, explicit permission must be sought, clearly stating the involvement of the unregulated entity in the partnership in data processing for underwriting purposes. The consent interface is separate from the one used for the data sharing arrangement under AA. It should prominently feature the logo and name of the partner entity, emphasising their role and usage of the data.

Moreover, it’s imperative for the unregulated entity/partner to ensure data security and privacy. The handling and storage of raw data should align with regulatory requirements. This can be done by working on shared infrastructure with the RE; otherwise, purging sensitive user information after processing, or returning it to the FIU within specified timeframes, is a critical aspect of data governance that will be expected.

What should unregulated entities keep in mind while approaching such partnerships?

From a regulatory standpoint, the concerns with formalising access to unregulated entities stem from understanding whether such partnerships go against the spirit of the AA framework, i.e., consent-driven financial data sharing and greater control over it.

In the absence of a formalised framework, here are a few things that need to be kept in mind.

  1. Depth of relationship with the RE: Understanding the depth and dynamics of the relationship with the Regulated Entity (RE) partner is fundamental for seamless collaboration. Moreover, the RE partner’s willingness and agreement to act as the custodian of the data throughout the entire process is crucial.

  2. Limiting data sharing for specific purposes: If an FIU collects data through AA for a specific purpose like underwriting but plans to use it for broader tasks—like sharing with a data processor for fraud detection or customer categorisation—it contradicts the framework’s intent. Presently, obtaining consent for a specific purpose, such as underwriting, restricts using the data for other purposes without seeking fresh consent.

  3. Capturing data sharing in Consent: Incorporating the nuances of data sharing within the consent mechanism requires a lot of attention. Balancing transparency and clarity while capturing the extent and purpose of data sharing in a user-friendly consent format is crucial. Users need to understand the precise nature of data access and usage.

  4. Ensuring clarity on data storage and purging: Deciding when and how to purge sensitive or shared data, especially in the context of activities such as training AI models, becomes important. Ensuring compliance with data retention norms like the Digital Personal Data Protection Act, while effectively training AI models on limited, permissible data involves finding a delicate balance.

In the end, it’s about finding the right mix: blending innovation, following regulations, and maintaining ethical standards. Ensuring this partnership aligns with the unregulated entity’s goals, operational capacity, and compliance frameworks is pivotal for the collaboration to be mutually beneficial!

If you want to speak to us to learn more or just chat, write to us at aa@setu.co.

