NBFC Account Aggregator Compliances in India

Professional support for NBFC Account Aggregator compliance, RBI reporting, data governance, consent framework advisory, IT audit support and ongoing regulatory filings.

A Brief Overview of NBFC Account Aggregator Compliances

The Account Aggregator (AA) framework was conceptualized by the Reserve Bank of India (RBI) to enable secure, digital data sharing across the financial ecosystem. To operate smoothly, NBFC Account Aggregators must adhere to a strict compliance checklist. These regulatory requirements range from implementing robust data security protocols to maintaining mandatory board-approved policies.

Who are Account Aggregators and what do they do?

Regulated by the RBI, an Account Aggregator acts as a digital conduit to securely share financial information from one institution (where you have an account) to another regulated financial entity within the AA network. Data sharing is strictly consent-driven; traditional 'blank-cheque' agreements are replaced with step-by-step permissions, giving individuals absolute control over how their data is used.

What are the various NBFC Account Aggregator Compliances?

NBFC Account Aggregator compliances are comprehensive, spanning advanced data security measures, mandatory board-approved frameworks, structural corporate governance, and the formation of specialized oversight committees.

Compliances after obtaining In-Principle Approval

The RBI grants an initial In-Principle Approval that remains valid for 12 months. Within this window, the entity must set up its technology platform, execute necessary legal documentation for operations, and submit a detailed compliance report to the Bank. Upon satisfactory review, the RBI grants the formal Certificate of Registration (CoR) to operate as an NBFC-AA.

Once registered, the Account Aggregator must maintain proper books of accounts, publish financial disclosures as per statutory rules, and promptly produce all documents and registers for RBI inspection whenever requested.

Data Security & IT Infrastructure

1. IT-driven business

The core operations of an Account Aggregator must be entirely system-driven and powered by a robust IT architecture.

2. Scalable technology

The underlying technology must be highly scalable, allowing seamless integration of new financial assets and service providers in the future.

3. IT safeguards

Advanced institutional safeguards must be embedded within the IT systems to protect customer data from unauthorized access, alteration, destruction, or disclosure.

4. Disaster recovery and continuity

The company must establish reliable business continuity plans and disaster risk management protocols to handle system emergencies.

5. Information system audit

An information system audit of internal processes must be conducted by external auditors at least once every two years. The audit report must be submitted to the RBI's Regional Office (Department of Non-Banking Supervision) within one month of receiving it from the auditor.

Board Approved Policies

Customer Grievance Redressal

Every AA must implement a board-approved policy to resolve customer grievances. All complaints must be addressed within the framework's specified timeline, which cannot exceed a maximum period of one month.

The name and contact details of the Grievance Redressal Officer must be prominently displayed on the company's website and at all physical places of business.

Pricing Policy

The Account Aggregator must have a board-approved pricing policy for its services. The pricing structure must strictly conform to internal corporate guidelines, be completely transparent, and remain available in the public domain.

Corporate Governance

AAs must establish internal mechanisms to continuously review, monitor, and evaluate operational controls and systems. The absolute integrity of the IT systems must be maintained at all times to prevent data loss, destruction, or tampering.

Mandatory Committee Setup

Audit Committee and Nomination Committee

An Audit Committee must be constituted, comprising not less than three members from the company's Board of Directors.

A Nomination Committee must be formed, also consisting of a minimum of three board directors.

Risk Management Committee

To monitor and control integrated operational risks, the AA must form a Risk Management Committee consisting of at least three board directors.

The entity must establish a well-documented risk management framework. This includes sound technology risk management, multi-factor/strong authentication systems, and enhanced infrastructure resiliency.

Fit and Proper Criteria for Management

The Account Aggregator must put in place a board-approved policy to ascertain the 'Fit and Proper' criteria of directors, managing directors, or the CEO, both at the time of appointment and on a continuous basis.

The company is required to obtain a comprehensive declaration, financial undertaking, and additional background disclosures from all incoming directors and executive heads.

A formal Deed of Covenant must be signed by the directors/CEO. Additionally, the AA must furnish an annual statement to the RBI, certified by statutory auditors, confirming that the 'Fit and Proper' selection criteria were strictly followed during any management changes.

Since the AA ecosystem handles high-velocity transmission of sensitive financial data between FIPs and FIUs, strict adherence to these RBI compliance requirements is non-negotiable for operating legally in India.

FAQ

Common Questions Our Customers Ask Us, Answered
What is NBFC Account Aggregator compliance?

NBFC Account Aggregator compliance refers to the regulatory, operational, technical and reporting obligations that an RBI-registered Account Aggregator must follow while enabling consent-based financial data sharing between Financial Information Providers and Financial Information Users.

Who regulates NBFC Account Aggregators in India?
What is the role of an Account Aggregator?
What compliances are required for NBFC Account Aggregators?
Can BIATConsultant help with NBFC Account Aggregator compliance?