Search

Account Aggregators: Issues related to Data Privacy and Data Safety.



Introduction


In a digital economy, the lack of safety of data adversely affects its users in the financial sector, especially in the geographical locations where there is a lack of alternatives or in societies where the socioeconomic status of people isn’t robust.

To solve the financial problems of people and enable financial institutions to access the information of individuals in exchange for offering services to them, India had introduced an account aggregator system in 2016 but with its benefits, came drawbacks and these issues surrounding privacy and safety of financial information.

 

Who are Account Aggregators?

  • NBFC Account Aggregators are the financial entities that obtain and consolidate information about various accounts held by a customer in different financial institutions like banks or NBFCs.

  • The account information is basically the well organized retrievable data of customer’s various engagements with different NBFC Products like Insurance, Mutual Funds, etc and Account Aggregators provide this data in such a manner that it's easily understandable and analyzable for the customer.

  • These entities voluntarily help customers in knowing about their asset holdings in different places at a commonplace.

 

Significance of Account Aggregators

  • Purpose: Usually, people can’t remember all of their financial holdings and tend to only have a vague idea about them. Account Aggregators solve this problem by giving them a one-stop-shop to keep an eye on their holdings.

  • Nature of Data: The activities of Account Aggregators are IT backed and thus provide digital information without any hassles of physical effort for the customer.

  • Privacy: The Account Aggregators don’t provide information about any financial transactions of a person. Its sole purpose is account aggregation.

  • Conditions: Account Aggregators have to get themselves registered with RBI and get a license to start operations. They have to follow a set of guidelines specially made for them. These guidelines are the conditions of the license and include customer protection, grievance redressal, conditions of license, data security, audit control, corporate governance, and risk management framework.

 

Problems and Challenges with Account Aggregation Framework in India


Chances of Data Mining and Data Abuse

  • Data Mining is the practice of examination and analysis of large pre-existing data sets and databases to generate new information

  • The Account Aggregator System can be used as a large scale mechanism for data mining by Financial Information Providers and Financial Information Users.

  • For instance, if a website offers you a product on credit, it asks you to share your income and account statement which can further be used by unfair means.

  • While NBFC- Account Aggregation specifications and Personal Data Protection Bill have guidelines that limit data collections and storage, there is nothing they can do to prevent an FIU from overreaching.

Ethical Issues

  • Nothing in the account aggregator program or the proposed PDP bill explicitly prevents FIUs of any kind from combining their existing data sets with financial information to profile their customers.

  • This makes the account aggregator system conducive for data mining and ethical issues arising out of it.

Consent and Storage of Personal Data

  • The NBFC Account Aggregator is required to specify a time frame within which FIU must take the information from the aggregator’s database.

  • The maximum limit for data to be stored with Account Aggregator is 72 hours, according to the RBI guidelines.

  • However, the technology guidelines fail to mention the methodology with which this rule will be implemented, enforced, and regulated.

  • Also, the RBI doesn’t enforce any standards on how an FIU, after acquiring the financial information from an account aggregator, would be required to store and manage data.


No Standardised Method for Consent

  • The Directions from RBI clearly state that before taking out the financial information of an individual, the Account aggregator will have to take the consent of the person through a valid consent artifact.

  • Since these aggregators ask for consent through popups or signing an e-form but the studies suggest that individuals consenting to terms and conditions online often have a poor understanding of what they’re consenting to.

  • The Guidelines don’t provide any measures for simplification of the consent collection procedure which, according to researchers will lead to several complexities in the effective translation of the principles, originally envisaged by the PDP bill, into practice.


Debt Collection and Credit Scoring Issues

  • The application of the Account Aggregator System is to provide individuals with a safe and secure method of sharing financial information for calculating credit scores.

  • With this consent, there are chances that digital merchants will start alluring users into credit products and may mislead them as observed earlier. Also, they can offer customers with low credit ratings, a more diminished experience.

  • A free hand to debt collection without actual consent could mean that lenders can call friends and relatives of users who have taken loans through their information which is also an unfair practice.


Mergers and Acquisitions

  • According to the PDP Bill guidelines, the consent of a customer is not required in case of a merger or acquisition.

  • This poses a serious risk to the customer as he had consented to another entity on whom it had trust but was not asked when the company went into others’ hands.

  • It’s not wrong to say that the PDP bill makes it seem that an act of merger or acquisition could serve as a legitimate business strategy for a company looking to forcefully take the consents of individuals collected by a target company.


Revoking Consent

  • Reserve Bank Information Technology Private Limited (ReBIT) specifications say that the individual, at any point of time, can revoke their consent either directly on the account aggregator’s application.

  • An individual can also revoke the consent through Financial Information Providers (FIP), who will then inform the account aggregator about the revocation.

  • Although these specifications offer guidelines for the consent revocation, they fail to provide any method or guidelines about how will the data be handled post revocation.

  • It is also not clear whether the Financial Information Users (FIU) will erase user data if reached out upon through requests. There are no laws to deal with non-compliance with these requests.


Technical Glitches can affect Deserving individuals

  • Usage of Account Aggregators ecosystem forces the individuals to only act through an intermediary.

  • This invites onto itself multiple possibilities of errors, of both false positive and false negative kind at different touchpoints.

  • Technical glitches at the account aggregator’s end could cause imprecise responses, which could end up blocking the access of deserving individuals to financial products.

  • While the technical standards do have all the means of security checks to prevent such events from happening, it is not hard to imagine such accidents as India must take lessons from Aadhaar and UPI in the past.


Interoperability Concerns

  • FIP can turn reluctant to share the consumer data with other companies for commercial reasons.

  • Sharing Data can lead to disruption of the business models or market share of data-rich companies.

  • This may lead to interoperability disputes among the stakeholders and also make data companies avoid setting up and maintenance costs of data sharing.

  • These interoperability issues were also experienced during the introduction of UPI when a major bank had blocked transactions from a specific UPI app. This may be replicated in this case too.

 

Way Forward

  • In light of these circumstances, it’s recommended that a data protection authority (DPA) takes a proactive approach in setting up clear boundaries for consent and notice mechanisms from time to time.

  • A clear-cut simplified mechanism for consent must be enforced so that the users have a full idea of what they’re signing up for.

The lack of availability of a structured data-sharing system also implies that setting up a new system for the same can be seen as a step in the positive direction.