Master Direction DNBR.PD.009/03.10.119/2016-17
Dated: September 02, 2016
Master Direction- Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016
The Reserve Bank of India (the Bank), in exercise of the powers conferred under section 45JA of the Reserve Bank of India Act, 1934 (hereinafter referred to as “the Act”), and of all the powers enabling it in this behalf, hereby issues these directions for compliance by every non-banking financial company undertaking the business of Account Aggregator as defined herein.
1. Short title, commencement and applicability of the directions :
(i) These directions shall be known as the “Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016“.
(ii) These directions shall come into force with effect from the date of notification, by the Bank in the Official Gazette, of a non-banking institution that carries on ‘the business of an account aggregator’ to be a non-banking financial company, under sub-clause (iii) of clause (f) of section 45I of the Act.
These directions provide a framework for the registration and operation of Account Aggregators in India.
(1) In these directions unless the context otherwise requires,
i. “Account Aggregator” means a non-banking financial company as notified under sub-clause (iii) of clause (f) of section 45-I of the Act, that undertakes the business of an account aggregator, for a fee or otherwise, as defined at clause (iv) of sub-section 1 of section 3 of these directions.
ii. “bank” means –
iii. “Banking company” means a banking company as defined in clause (c) of section 5 of the Banking Regulation Act, 1949 (10 of 1949);
iv. “business of an account aggregator” means the business of providing under a contract, the service of,
retrieving or collecting such financial information pertaining to its customer, as may be specified by the Bank from time to time;
consolidating, organizing and presenting such information to the customer or any other financial information user as may be specified by the Bank;
Provided that, the financial information pertaining to the customer shall not be the property of the Account Aggregator, and not be used in any other manner.
v. “Company” means a company registered under section 3 of the Companies Act, 1956 or a company registered under sub-section (20) of section 2 of the Companies Act, 2013;
vi. “Customer” for the purpose of these directions means a ‘person’ who has entered into a contractual arrangement with the Account Aggregator to avail services provided by the Account Aggregator;
vii. “Depository” means a company which has been granted a certificate of registration under sub-section (1A) of section 12 of the Securities and Exchange Board of India Act, 1992;
viii. “Depository Participant” means a person registered under sub-section (1A) of section 12 of the Securities and Exchange Board of India Act, 1992;
ix. “Financial Information” means information in respect of the following with financial information providers:
x. “Financial Sector regulator” for the purpose of these directions, shall mean the Reserve Bank of India, Securities and Exchange Board of India, Insurance Regulatory and Development Authority and Pension Fund Regulatory and Development Authority;
xi. “Financial information provider” means bank, banking company, non-banking financial company, asset management company, depository, depository participant, insurance company, insurance repository, pension fund and such other entity as may be identified by the Bank for the purposes of these directions, from time to time;
xii. “Financial information user” means an entity registered with and regulated by any financial sector regulator;
xiii. “Insurance Repository” means a company formed under the Companies Act, 1956 and which has been granted a certificate of registration by Insurance Regulatory and Development Authority (IRDA) for maintaining data of insurance policies in electronic form on behalf of insurers.
xiv. “Leverage Ratio” means the ratio of the Outside Liabilities excluding borrowings/ loans from the group entities to Owned Funds.
xv. “Non-banking financial company” means a company registered under the Companies Act and which has been granted certificate of registration by the Bank under section 45IA of the Act;
xvi. “Person” means
(2) Words or expressions used in these directions but not defined herein and defined in the Act shall have the same meaning as assigned to them under the Act. Any other words or expressions not defined in the Act shall have the same meaning as assigned to them in the Companies Act, 1956/ 2013.
4. Registration and matters incidental thereto
4.1 (a) No entity other than a company shall undertake the business of an Account Aggregator.
(b) No company shall commence or carry on the business of an Account Aggregator without obtaining a certificate of registration from the Bank.
Provided that, entities being regulated by other financial sector regulators and aggregating only those accounts relating to the financial information pertaining to customers of that particular sector will be excluded from the above registration requirement.
(c) Subject to the above proviso, entities that are undertaking the business of an Account Aggregator, as defined at paragraph 3(iv) of these directions, as on the date of effect of these directions, shall apply for registration as an Account Aggregator, in compliance with these directions, to the Bank within a month from that date. Such companies, which have applied to the Bank for registration as an NBFC – Account Aggregator, shall be permitted to continue the business of an Account Aggregator till their application for issue of Certificate of Registration is rejected or twelve months from the date of the application, whichever is earlier.
(d) Every company seeking registration with the Bank as an Account Aggregator shall have a net owned fund of not less than rupees two crore, or such higher amount as the Bank may specify.
Provided that, those companies not having a Net Owned Fund of minimum of Rupees two crore at the time of seeking registration, shall meet the Net Owned Fund criteria within the period of validity of the in-principle approval for grant of certification of registration given by the Bank.
4.2 Process of registration
4.2.1 Every company seeking registration as an NBFC- Account Aggregator shall make an application for registration to the Department of Non-Banking Regulation, Mumbai of the Bank, in the form specified by the Bank for the purpose at Annex 1.
4.2.2 The Bank, for the purpose of considering the application for registration, shall be required to be satisfied that the following conditions are fulfilled:-
4.2.3 The Bank may, after being satisfied that the conditions specified under paragraph 4.2.2 are fulfilled, grant in-principle approval for registering as an Account Aggregator subject to such conditions as it may consider fit to impose.
4.2.4 The validity of the in-principle approval issued by the Bank will be twelve months from the date of granting such in-principle approval.
4.2.5 Within the period of twelve months, the company shall put in place the technology platform, enter into all other legal documentation required to be ready for operations and report the position of compliance with the terms of grant of in-principle approval to the Bank. The Bank may, after being satisfied that the company is ready to commence operations and in compliance with the registration requirements, grant it a Certificate of Registration as an NBFC – Account Aggregator subject to such conditions as it may consider fit to impose.
4.2.6 The Bank may cancel the certificate of registration granted to an Account Aggregator, if such company –
(a) ceases to carry on the business of an Account Aggregator in India; or
(b) has failed to comply with any condition subject to which the certificate of registration has been issued to it; or
(c) it comes to the notice of the Bank that the Account Aggregator is no longer eligible to hold the certificate of registration; or
(d) at any time fails to fulfill any of the conditions referred to in paragraphs 4.2.2 and 4.2.5; or
(e) fails to –
5. Duties and Responsibilities of an Account Aggregator
6. Consent Architecture
6.1 No financial information of the customer shall be retrieved, shared or transferred by the Account Aggregator without the explicit consent of the customer.
6.2 An Account Aggregator shall perform the function of obtaining, submitting and managing the customer’s consent in accordance with these directions.
6.3 The consent of the customer obtained by the Account Aggregator shall be a standardised consent artefact which shall contain the following details, namely:—
6.4 The consent artefact can also be obtained in electronic form.
6.5 At the time of obtaining consent, the Account Aggregator shall inform the customer of all necessary attributes to be contained in the consent artefact as per paragraph 6.3 above and the right of the customer to file complaints with relevant authorities in case of non-redressal of grievances.
6.6 An Account Aggregator shall also provide its customers a functionality to revoke consent to obtain information that is rendered accessible by a consent artefact, including the ability to revoke consent to obtain parts of such information. Upon revocation, a fresh consent artefact shall be shared with the Financial Information provider.
6.7 An electronic consent artefact shall be capable of being logged, audited and verified.
7. Sharing of financial information by Financial Information providers upon valid consent artefact being presented
7.1 Financial Information providers shall share financial information of a customer with an Account Aggregator on being presented a valid consent artefact by an Account Aggregator in accordance with Clause 6.
7.2 Upon being presented the consent artefact, the Financial Information provider shall verify:
(a) validity of consent
(b) specified dates and usage; and
(c) the credentials of the Account Aggregator
through appropriate means.
7.3 Upon due verification, the Financial Information providers shall digitally sign the financial information and securely transmit the same to the Account Aggregator in accordance with the terms contained in the consent artefact.
7.4 All responses of the Financial Information provider shall be in real time.
7.5 To enable these data flows, the Financial Information providers shall:
7.6 Use of information by Account Aggregator and Financial Information user
7.6.1 Where financial information has been provided by a Financial Information provider to an Account Aggregator for transferring to a Financial Information user with the customer’s explicit consent, the Account Aggregator shall:
7.6.2 Where financial information has been provided by a Financial Information provider to an Account Aggregator for transferring to the customer or to a Financial Information user, it shall not be used or disclosed by an Account Aggregator or the Financial Information user except as may be specified in the consent artefact.
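The Financial Information provider's checks under paragraph 7.2 and its signed release under paragraph 7.3, with the artefact kept verifiable as paragraph 6.7 requires, as an added Go example that is not part of the Master Direction. The artefact fields, the `Request` type, the AA key registry (`aaKeys`) and the sample values are assumptions, since the page does not reproduce the attribute list of paragraph 6.3, and ed25519 stands in for whichever digital signature scheme an implementation uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ConsentArtefact is a simplified, hypothetical artefact: paragraph 6.3's
// attribute list is not reproduced on the page, so these fields are assumptions.
type ConsentArtefact struct {
	ConsentID string    // lets the artefact be logged and audited (6.7)
	AAID      string    // registered Account Aggregator presenting it
	FIUID     string    // Financial Information user the data may go to
	Purpose   string    // permitted usage
	DataFrom  time.Time // earliest date of information that may be retrieved
	DataTo    time.Time // latest date of information that may be retrieved
	ValidTo   time.Time // consent expiry
	Revoked   bool      // set on revocation by the customer (6.6)
}

// Request is what the AA asks for; SignedArtefact adds the AA's ed25519 signature.
type Request struct { FIUID, Purpose string; From, To time.Time }
type SignedArtefact struct { Artefact ConsentArtefact; Signature []byte }
func canonical(a ConsentArtefact) []byte { b, _ := json.Marshal(a); return b }

// SignArtefact is the AA side: present the artefact under the AA's key.
func SignArtefact(a ConsentArtefact, aaPriv ed25519.PrivateKey) SignedArtefact {
	return SignedArtefact{a, ed25519.Sign(aaPriv, canonical(a))}
}

// ShareInformation is the FIP side of paragraphs 7.2 and 7.3: verify the artefact,
// then release the information digitally signed under the FIP key. aaKeys is a
// constructed registry of AA identifiers to public keys (the "appropriate means").
func ShareInformation(sa SignedArtefact, req Request, info []byte,
	aaKeys map[string]ed25519.PublicKey, fipPriv ed25519.PrivateKey, now time.Time) ([]byte, error) {
	a := sa.Artefact
	pub, ok := aaKeys[a.AAID] // 7.2(c): credentials of the Account Aggregator
	if !ok || !ed25519.Verify(pub, canonical(a), sa.Signature) {
		return nil, errors.New("artefact not signed by a registered Account Aggregator")
	}
	if a.Revoked || now.After(a.ValidTo) { // 7.2(a): validity of consent
		return nil, errors.New("consent revoked or expired")
	}
	if req.From.Before(a.DataFrom) || req.To.After(a.DataTo) || // 7.2(b): dates and usage
		req.FIUID != a.FIUID || req.Purpose != a.Purpose {
		return nil, errors.New("request outside the consented dates or usage")
	}
	return ed25519.Sign(fipPriv, info), nil // 7.3: signed so alteration in transit is detectable
}

func main() {
	aaPub, aaPriv, _ := ed25519.GenerateKey(rand.Reader)
	fipPub, fipPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2016, 9, 2, 0, 0, 0, 0, time.UTC)
	art := ConsentArtefact{"c-1", "AA-1", "FIU-1", "loan-underwriting",
		now.AddDate(-1, 0, 0), now, now.AddDate(0, 1, 0), false}
	req := Request{"FIU-1", "loan-underwriting", now.AddDate(0, -6, 0), now}
	keys := map[string]ed25519.PublicKey{"AA-1": aaPub}
	info := []byte(`{"account":"XXXX1234","note":"constructed sample"}`) // constructed
	sig, err := ShareInformation(SignArtefact(art, aaPriv), req, info, keys, fipPriv, now)
	fmt.Println(err, ed25519.Verify(fipPub, info, sig)) // <nil> true
}
```

A revoked, expired, tampered or unregistered artefact, or a request outside the consented date range or usage, yields an error and no information is released.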
8. Rights of the customer
a) An Account Aggregator shall enable the customer to access a record of the consents provided by him and the Financial Information users with whom the information has been shared.
b) An Account Aggregator shall not use or access any customer information other than for performing the business of account aggregator explicitly requested by the customer.
9. Data Security
(a) The business of an Account Aggregator will be entirely Information Technology (IT) driven. An Account Aggregator shall adopt the required IT framework and interfaces to ensure secure data flows from the Financial Information providers to its own systems and onwards to the Financial Information users.
(b) Account Aggregator shall not request or store customer credentials (like passwords, PINs, private keys) which may be used for authenticating customers to the Financial Information providers. Access by Account Aggregators to customer’s information shall only be based on consent-based authorisation.
(c) The technology should also be scalable to cover any other financial information or financial information provider as may be specified by the Bank in future.
(d) There shall be adequate safeguards built in its IT systems to ensure that it is protected against unauthorised access, alteration, destruction, disclosure or dissemination of records and data.
(e) Appropriate measures for Disaster Risk Management and Business Continuity shall be in place.
(f) Information System Audit of the internal systems and processes shall be in place and shall be conducted at least once in two years by CISA-certified external auditors. The report of the external auditor shall be submitted to the Regional Office of the Department of Non-Banking Supervision of the Bank, under whose jurisdiction the Registered Office of the Account Aggregator is located, within one month of submission of the report by the external auditor.
10. Customer Grievance
10.1 An account aggregator shall have in place a Board approved policy for handling/ disposal of customer grievances/ complaints. It shall have a dedicated set-up to address customer grievances/ complaints.
10.2 Customer complaints shall be handled/ disposed of by the Account Aggregator within such time and in such manner as provided for in its Board approved policy, but in any case not beyond a period of one month from its receipt.
10.3 At the operational level, Account Aggregator shall display the following information prominently, for the benefit of customers, on the website and at the place/s of business:
(a) the name and contact details (Telephone / Mobile nos. as also email address) of the Grievance Redressal Officer who can be approached by the public for resolution of complaints against the company.
(b) that if the complaint / dispute is not redressed within a period of one month, the customer may appeal to the Bank.
11.1 An Account Aggregator would be required to have a Board approved policy for pricing of services. Pricing of services will be in strict conformity with the internal guidelines adopted by the Account Aggregator, which need to be transparent and available in the public domain.
12. Corporate Governance
12.1 An Account Aggregator shall have adequate internal mechanisms for reviewing, monitoring and evaluating its controls, systems, procedures and safeguards. The integrity of the IT systems shall be maintained at all times and all necessary precautions taken to ensure that the records are not lost, destroyed or tampered with.
12.2 Audit Function
12.2.1 An Account Aggregator shall constitute an Audit Committee, consisting of not less than three members of its Board of Directors.
Explanation I : The Audit Committee constituted by a non-banking financial company as required under Section 177 of the Companies Act, 2013 shall be the Audit Committee for the purposes of this paragraph.
Explanation II : The Audit Committee constituted under this paragraph shall have the same powers, functions and duties as laid down in Section 177 of the Companies Act, 2013.
12.3 Nomination Committee
12.3.1 An Account Aggregator shall form a Nomination Committee consisting of not less than three members of its Board of Directors to ensure ‘fit and proper’ status of proposed/ existing directors.
Explanation I : The Nomination Committee constituted under this paragraph shall have the same powers, functions and duties as laid down in Section 178 of the Companies Act, 2013.
12.4 Risk Management Committee
12.4.1 The account aggregator shall establish a well-documented risk management framework which shall include
a) A sound and robust technology risk management framework;
b) Strengthening system security, reliability, resiliency, and recoverability; and
c) Deploying strong authentication to protect access to customer data and systems.
12.4.2 To manage the integrated risk, an Account Aggregator shall form a Risk Management Committee consisting of not less than three members of its Board of Directors. The Risk Management Committee shall
a) give due consideration to factors such as reputation, customer confidence, consequential impact and legal implications, with regard to investment in controls and security measures for computer systems, networks, data centres, operations and backup facilities.
b) have oversight of technology risks and ensure that the organisation’s IT function is capable of supporting its business strategies and objectives.
12.5 Fit and Proper Criteria
12.5.1 An Account Aggregator shall
i. ensure that a policy is put in place with the approval of the Board of Directors for ascertaining the fit and proper criteria of the directors/ managing director/ CEO at the time of appointment, and on a continuing basis. The policy on the fit and proper criteria shall be on the lines of the Guidelines contained in Annex 4;
ii. obtain a declaration and undertaking from the directors/ managing director/ CEO giving additional information on the directors/ managing director/ CEO. The declaration and undertaking shall be on the lines of the format given in Annex 5;
iii. obtain a Deed of Covenant signed by the directors/ managing director/ CEO, which shall be in the format as given in Annex 6;
iv. furnish to the Bank an annual statement on change of directors/ managing director/ CEO duly certified by the Statutory Auditors that fit and proper criteria in selection of the directors has been followed. The statement must reach the Regional Office of the Bank within 15 days of the close of the year.
13. Requirement to obtain prior approval of the Bank for acquisition or transfer of control of Account Aggregators –
13.1 (i) The prior written permission of the Bank shall be required for –
a) any takeover or acquisition of control of an Account Aggregator, which may or may not result in change of management;
b) any change in the shareholding of an Account Aggregator, including progressive increases over time, which would result in acquisition / transfer of shareholding of 26 per cent or more of the paid up equity capital of the Account Aggregator.
Provided that, prior approval would not be required in case of any shareholding becoming 26% or more due to buyback of shares / reduction in capital where it has approval of a competent Court. The same is to be reported to the Bank not later than one month from its occurrence;
c) any change in the management of the Account Aggregator which would result in change in more than 30 per cent of the directors, excluding independent directors.
Provided that, prior approval would not be required in case of directors who get re-elected on retirement by rotation.
d) any change in shareholding that will give the acquirer a right to nominate a director.
13.2 Application for prior approval
(i) An Account Aggregator shall submit an application, on the company letter head, for obtaining prior approval of the Bank, along with the following documents:
b) Sources of funds of the proposed shareholders acquiring the shares in the Account Aggregators; and
c) Bankers’ Report on the proposed directors / shareholders.
(ii) Applications in this regard may be submitted to the Regional Office of the Department of Non-Banking Supervision of the Bank where it is registered.
13.3 Public notice about change in control/ management
i. A public notice of at least 30 days shall be given before effecting the sale of, or transfer of the ownership by sale of shares, or transfer of control, whether with or without sale of shares. Such public notice shall be given by the Account Aggregator and also by the other party or jointly by the parties concerned, after obtaining the prior permission of the Bank.
ii. The public notice shall indicate the intention to sell or transfer ownership/ control, the particulars of transferee and the reasons for such sale or transfer of ownership/ control. The notice shall be published in at least one leading national and in one leading local (covering the place of registered office) vernacular newspaper.
13.4 Information with respect to change of address, directors, auditors, etc. to be submitted
Every Account Aggregator shall communicate, not later than one month from the occurrence of any change in :
(a) the complete postal address, telephone number/s and fax number/s of the registered / corporate office;
(b) the names and residential addresses of the directors of the company;
(c) the names and office address of the auditors of the company; and
(d) the specimen signatures of the officers authorised to sign on behalf of the company
to the Regional Office of the Department of Non-Banking Supervision of the Bank in whose jurisdiction the Registered Office of the Account Aggregator is located.
The Bank may, from time to time, prescribe return/s to be submitted by Account Aggregator as deemed fit.
The Bank may, at any time, cause an inspection by one or more of its officers or employees or other persons, of any Account Aggregator and at any intervals as it deems fit.
16.1 The Bank may, if it considers necessary for avoiding any hardship or for any other just and sufficient reason, grant extension of time to comply with or exempt any company or class of companies or all companies, from all or any of the provisions of these guidelines either generally or for any specified period, subject to such conditions as the Bank may impose.
16.2 The Bank can give any clarification in respect of the above directions and such clarification shall be treated as part of these directions. The directions can be amended by the Bank from time to time.