RBI regulated Account Aggregator India AA framework RBI NBFC-AA Consent-based data sharing Indian financial data

Account Aggregator (AA) framework in India

From WebNotes, a public knowledge base. Last updated 17 May 2026. Reading time ~12 min.

The Account Aggregator (AA) framework in India is a consent-based data-sharing architecture operated under Reserve Bank of India (RBI) licensing that allows individuals to securely share their financial data across regulated financial entities (banks, mutual funds, insurance companies, NBFCs, lenders) with explicit, granular consent. The framework was conceptualised through the RBI Master Direction on NBFC-Account Aggregators, 2016, and operationalised at scale from approximately 2021-2022 onwards through licensed AA entities and Financial Information Providers (FIPs) and Financial Information Users (FIUs) network.

The AA framework is one of three components of India’s Data Empowerment and Protection Architecture (DEPA) designed by the Government of India and Indian regulators. Alongside Aadhaar (identity infrastructure) and Digi Locker (document storage), the AA framework provides a consent-based financial-data-sharing infrastructure that enables retail-and-business borrowers to share verified financial data with lenders, financial advisers, mutual fund and insurance entities, replacing manual bank-statement uploads and physical-document submission with a digital consent-driven flow.

As of 2026, the AA framework has matured substantially:

Over 15 RBI-licensed AA entities operate as intermediaries.
Hundreds of Financial Information Providers (FIPs) participate (banks, mutual fund AMCs, insurance companies, NBFCs).
Thousands of Financial Information Users (FIUs) consume AA data (primarily lenders, but also financial advisers and analytics firms).
Millions of consent-based data-sharing transactions occur monthly.

Origin and conceptual framework

Before the AA framework, Indian financial-data-sharing operated through:

Physical document submission: Bank statements, salary slips, ITR copies physically submitted to lenders.
Email-based sharing: PDF attachments without security or auditability.
Third-party scraping: Various unauthorised approaches to access bank data.
Bureau-based information: Credit bureau reports (CIBIL, etc.) with summary data.

This landscape had multiple problems:

Friction: Document collation and submission required investor effort.
Reliability: Document authenticity could be challenged.
Privacy concerns: Sensitive financial data shared without granular control.
Security risks: Email and physical submission vulnerable to interception.

DEPA conceptual framework

The Data Empowerment and Protection Architecture (DEPA) framework was developed by Indian regulators (RBI, SEBI, IRDAI, PFRDA, IT Ministry) and the Finance Ministry as a three-component architecture:

Identity layer: Aadhaar (foundational identity).
Data layer: Account Aggregator (consent-based data sharing).
Settlement layer: UPI and related payment infrastructure.

DEPA’s design principles:

User control: Individuals own their data.
Granular consent: Specific data shared for specific purposes.
Time-bound consent: Sharing expires automatically.
Revocable consent: Individuals can revoke at any time.
Audit trail: Every consent and sharing event logged.
Standardised data format: Machine-readable across entities.

RBI 2016 Master Direction

The RBI Master Direction on NBFC-Account Aggregators, 2016 established:

NBFC-AA category: A new licensed-NBFC subcategory specifically for Account Aggregators.
Operational framework: Functions, restrictions, technical standards.
AA cannot store data: Only routes data between FIP and FIU.
AA cannot use data: Cannot consume or process data beyond routing.

This restriction is structural to the AA framework: AAs are pure intermediaries, not data consumers.

2021-2022 operational launch

After several years of framework development, the AA ecosystem operationalised at scale in 2021-2022:

Live consent-based data sharing: First production transactions.
Major bank participation: SBI, HDFC, ICICI, Axis, and others joined as FIPs.
First FIUs: Initial lenders and aggregator platforms.
Continued ecosystem expansion.

Operational framework

Three principal entities

The AA ecosystem has three principal entity types:

Account Aggregator (AA)

An RBI-licensed NBFC-AA that:

Routes data requests and consent flows between FIPs and FIUs.
Cannot store, view, or use the underlying data.
Provides the technical and consent-management infrastructure.

Major Indian AAs as of 2026:

CAMS Finserv: Operated by CAMS group.
Cookiejar Technologies (Finvu): A leading AA.
NeSL Asset Data.
Onemoney (FinSec AA).
Anumati (Perfios AA).
Yodlee (Indian AA license).
Several others.

Financial Information Provider (FIP)

An entity that holds the individual’s financial data and is willing to share with consent:

Banks: Sharing savings/current account data.
Mutual fund AMCs: Sharing mutual fund holdings (limited rollout).
Insurance companies: Sharing insurance policies.
NBFCs: Sharing lending records.
Tax authorities: Sharing ITR data (limited).

Major Indian FIPs:

SBI, HDFC Bank, ICICI Bank, Axis Bank, Kotak Bank, Yes Bank, IndusInd Bank, and most major banks.
LIC, HDFC Life, ICICI Pru Life, and major insurance companies.
Major mutual fund AMCs (CAMS and KFin RTAs providing AA bridge).

Financial Information User (FIU)

An entity that requests data with the individual’s consent:

Lenders: For loan-application underwriting.
Financial advisers: For client portfolio analysis.
Mutual fund distributors: For client profiling.
Aggregator platforms: For comprehensive client view.

Examples of FIUs: NBFC lenders, banks lending to non-customer prospects, fintech lending platforms (Paytm, BharatPe), and advisory platforms.

The typical AA consent flow:

FIU initiates data request: For specific purpose, time period, frequency.
AA presents consent to user: Through the AA’s mobile app or web interface.
User reviews and grants consent: Specifying:
- Data fiduciary (AA).
- Data principal (user themselves).
- Purpose: Specifically defined.
- Time period: For how long data can be accessed.
- Data scope: Which accounts, which types.
AA forwards consent to FIP: With user’s explicit instruction.
FIP retrieves data: From its own systems.
FIP sends data to AA: In standardised format.
AA routes data to FIU: Per user consent.
Audit trail logged: At AA, FIP, FIU.

Data formats

AA-shared data uses standardised formats:

Account information: Account number, type, balance.
Transaction history: Date, amount, category.
Mutual fund holdings: Scheme, units, NAV.
Insurance policies: Policy details.

Standardisation enables machine-readable processing.

Use cases

Lending applications

The most-common AA use case:

Borrower seeks loan: From a bank, NBFC, or fintech.
Lender requests AA-based bank-statement access: Replacing PDF upload.
Borrower consents: Through AA.
Lender receives standardised bank statement: For credit decisioning.
Faster decisioning, lower fraud, reduced friction.

Wealth and advisory

For wealth-management and advisory:

Adviser/RIA needs client portfolio view: Across multiple banks and AMCs.
Client consents to AA-based sharing: Through the adviser’s AA-integrated platform.
Adviser receives consolidated view: For client-specific advice.

Insurance and underwriting

For insurance:

Underwriting: Risk assessment based on consented financial data.
Policy comparison: Multi-insurer policy view.

Personal finance management

For PFM apps:

Multi-account aggregation: Through AA consent.
Budget and spending analytics: Across consented accounts.

AA and mutual fund context

MF AMC participation as FIP

Indian mutual fund AMCs are progressively becoming FIPs:

CAMS as RTA-FIP: CAMS-serviced AMCs share holdings data through CAMS AA bridge.
KFin as RTA-FIP: KFin-serviced AMCs similarly.
Individual AMC participation: Some AMCs participate directly.

For PPFAS Mutual Fund (CAMS-serviced), PPFCF and other scheme holdings can theoretically be shared via the AA framework (CAMS AA bridge).

Investor benefits

For mutual fund investors:

Loan applications: Mutual fund holdings as collateral or income proof.
Adviser sharing: Consenting to share holdings with chosen RIA.
Tax-filing assistance: AA-aided ITR preparation through tax platforms.

Privacy considerations

For mutual fund investors:

Granular consent: Only specific data shared.
Time-bound access: Automatic expiry.
Revocable: Investor can revoke any time.

Regulatory framework

RBI oversight

The RBI is the principal regulator:

NBFC-AA licensing: For AA entities.
Technical standards: For data formats and security.
Consent management: Specific requirements.

Cross-regulator collaboration

The AA framework involves:

RBI: For banks, NBFCs, AA entities.
SEBI: For mutual fund AMCs.
IRDAI: For insurance.
PFRDA: For pensions.

Cross-regulator collaboration ensures consistent framework.

Data Protection framework

The AA framework operates alongside:

Digital Personal Data Protection Act, 2023 (DPDP): India’s data-protection legislation.
RBI data localisation requirements: For sensitive financial data.

Standards

The technical standards for AA include:

ReBIT (Reserve Bank Information Technology): Indian technical infrastructure.
DigiSahamati Foundation: Industry-led standards body for AA framework.

Industry development

Adoption trajectory

2016-2020: Framework development.
2021: First operational launches.
2022: Major bank participation.
2023-2024: Rapid lender adoption.
2025-2026: Mainstream use case for lending.

Transaction volumes

By 2026, AA framework has facilitated:

Multi-million consent transactions monthly.
Substantial loan-decisioning volume: Particularly for fintech and NBFC lending.
Growing wealth-management use: As advisory platforms integrate.

Market participants

The AA market has matured:

AA entities: Approximately 15+ licensed.
FIPs: Hundreds.
FIUs: Thousands.
Aggregate users: Tens of millions of individuals with at least one AA consent.

Challenges and limitations

User awareness

AA awareness remains:

Lower for retail investors: Compared to Aadhaar awareness.
Higher for borrowers: Especially fintech borrowers.
Growing: Through bank and lender education.

MF FIP rollout

Mutual fund AMC participation as FIP is:

Phased: Not all AMCs are yet full FIPs.
Through RTA-bridges: CAMS and KFin provide aggregated access.
Continually expanding.

Use-case maturity

Beyond lending, other use cases are:

Wealth advisory: Emerging.
Insurance underwriting: Emerging.
Tax filing: Emerging.

The framework’s full potential is still being realised.

Data sovereignty

AA framework operations:

Indian data localisation: Sensitive financial data must remain within India.
AA entities: Must comply with Indian data-residency rules.

Privacy concerns

Some privacy concerns:

Consent fatigue: Many consents may overwhelm users.
Pre-checked consents: Some platforms may default-grant excessive consent.
Long-term data accumulation: At FIUs even after consent expiry.

The DPDP Act 2023 and RBI guidelines address these.

Comparison with international frameworks

EU PSD2 (Payment Services Directive 2)

EU’s PSD2 framework:

Open Banking: Similar consent-based bank-data sharing.
PISP and AISP entities: Equivalent to FIU and AA roles.

UK Open Banking

UK’s Open Banking framework:

Banking-account-only initially.
Expanded to broader financial data.

Australia Consumer Data Right

Australia’s Consumer Data Right:

Sectoral approach (banking, energy, telecom).
Similar consent-based framework.

India versus global

Indian AA framework is:

Broader scope: Cross-sector from inception.
NBFC-AA-specific licensed-entity model: Distinct from PSD2.
More granular consent: With specific purpose and duration.

Future trajectory

Expanding use cases

Future AA use cases include:

Tax compliance: AA-based ITR auto-filing.
Subsidy and welfare: Means-tested benefits delivery.
Personal finance management: Comprehensive multi-account dashboards.

Beyond financial data:

Healthcare records: Potential expansion to health-data sharing.
Education records: For credit and other applications.
Government data: Various government-held records.

Regulatory evolution

The AA framework continues to evolve through RBI and cross-regulator action:

Periodic technical standard updates.
New use case approvals.
Cross-border consideration (limited at present).

External references

References

RBI Master Direction on NBFC-Account Aggregators, 2016 (with subsequent amendments).
Reserve Bank of India Account Aggregator framework documentation.
DEPA (Data Empowerment and Protection Architecture) framework documentation.
NITI Aayog publications on DEPA.
DigiSahamati Foundation framework and standards.
Digital Personal Data Protection Act, 2023.
ReBIT (Reserve Bank Information Technology) technical standards.
EU PSD2 (Payment Services Directive 2) framework (comparative reference).
UK Open Banking framework.
Australia Consumer Data Right.
Industry press archive of AA framework coverage.
CAMS Finserv, Finvu, Onemoney, and other AA entity documentation.
SEBI Master Circular for Mutual Funds, 22 May 2024.
AMFI Industry Best Practices on data-sharing.
CFA Institute publications on data-driven financial services.

Reviewed and published by

WebNotes Editorial Team

The WebNotes Editorial Team covers Indian capital markets, payments infrastructure and retail investor procedures. Every article is fact-checked against primary sources, principally SEBI circulars and master directions, NPCI specifications and the official support documentation published by the intermediary in question. Drafts go through a second-pair-of-eyes review and a separate compliance read before publication, and revisions are tracked against the SEBI and NPCI rule changes referenced in the methodology section.

Last reviewed: 17 May 2026
Conflicts of interest: WebNotes is independent. No relationship with any broker, registrar or bank named in this article.