What Is the Account Aggregator Framework?
In a country where millions of citizens have fragmented financial lives — savings in one bank, loans in another, insurance with a third party, and investments scattered across brokers and mutual funds — the Account Aggregator (AA) framework is a transformational leap toward financial coherence and consumer empowerment. Launched operationally in September 2021 and expanded significantly through 2023-2026, the AA framework is India’s answer to Open Banking, and arguably a more privacy-preserving, consent-first model than anything deployed globally.
At its core, the Account Aggregator is a Reserve Bank of India (RBI)-licensed Non-Banking Financial Company (NBFC-AA) that acts as a secure data-sharing intermediary. It allows individuals and businesses to share their financial data — bank statements, tax records, insurance policies, investment portfolios, pension data — with financial service providers in a digitally consented, encrypted, and auditable manner.
This guide covers everything from the foundational architecture and regulatory framework to the practical journey of a loan applicant using AA in 2026, the key players in the ecosystem, and the expanding scope beyond banking into healthcare, telecom, and GST data.
Background & Genesis — How the AA Framework Was Born
The seeds of the Account Aggregator were planted in the Data Empowerment and Protection Architecture (DEPA) — a policy framework developed collaboratively by iSPIRT, the Ministry of Finance, Ministry of Electronics and Information Technology (MeitY), and the RBI. DEPA’s philosophy centres on giving individuals sovereign control over their own data while enabling its use for economic benefit.
Key Milestones:
Year | Milestone |
2016 | RBI constitutes an Internal Working Group to study financial data sharing frameworks. |
2016 | RBI issues Master Directions for NBFC — Account Aggregator (NBFC-AA) under the RBI Act, 1934 (Section 45-IA). |
2018-2020 | First AA licenses issued. Technical standards (API specifications) developed by RBI’s Sahamati (industry alliance). |
Sept 2021 | Eight major banks — SBI, ICICI Bank, HDFC Bank, Axis Bank, Kotak Mahindra Bank, IDFC First, IndusInd Bank, Federal Bank — go live on the AA network. |
2022-2023 | GST data, tax return (ITR), EPFO pension data, and SEBI investment data added to the AA ecosystem. |
2024 | IRDAI and PFRDA data (insurance policies, National Pension System) formally integrated. |
2025-2026 | Over 50 crore AA consents processed. More than 25 RBI-regulated entities live as FIPs. AA framework being extended to MSME credit, healthcare, and telecom sectors. |
Regulatory Framework — Who Governs the Account Aggregator?
The AA framework is a multi-regulator initiative, unique in that it involves four of India’s financial regulators working in concert. This is what makes it far more comprehensive than traditional open banking frameworks that cover only banking data.
Regulator | Role in AA Ecosystem |
Reserve Bank of India (RBI) | Licenses and regulates NBFC-AAs. Governs banking and lending FIPs/FIUs. Issues Master Directions. |
Securities and Exchange Board of India (SEBI) | Regulates capital market FIPs — mutual funds, demat accounts, stock brokers as FIPs. |
Insurance Regulatory and Development Authority (IRDAI) | Regulates insurance FIPs — life and general insurance policy data sharing. |
Pension Fund Regulatory and Development Authority (PFRDA) | Regulates pension FIPs — NPS (National Pension System) data sharing via AA. |
Ministry of Finance / MeitY | Policy oversight of DEPA architecture. ITR and GST data pipelines via CBDT/GSTN. |
The Master Direction — Non-Banking Financial Company — Account Aggregator (Reserve Bank) Directions, 2016 (as amended up to 2024) is the primary regulatory instrument governing NBFC-AAs. Key provisions include:
- Minimum Net Owned Fund (NOF): Rs. 2 crore for NBFC-AA registration.
- NBFC-AAs cannot undertake any other NBFC activity — they are pure data intermediaries.
- NBFC-AAs cannot store financial data of customers — they act only as a conduit.
- All data flows must be end-to-end encrypted using industry-standard encryption (TLS 1.2+, AES-256).
- Every data-sharing transaction requires explicit, revocable, purpose-specific consent from the customer.
- Consent Artefacts must be digitally signed and stored by the AA for audit purposes.
- NBFC-AAs are subject to regular RBI inspections and must maintain IT security standards aligned with RBI’s IT Framework for NBFCs.
The AA Architecture — Three Core Pillars
- Financial Information Provider (FIP)
A Financial Information Provider is any regulated entity that holds a customer’s financial data and provides it through the AA network upon receiving a valid consent artefact. FIPs are the data sources.
FIP Type | Data Shared |
Banks (Commercial, Cooperative, Payments) | Savings accounts, current accounts, FDs, loan accounts, credit card statements |
NBFCs | Loan accounts, repayment history, credit lines |
Mutual Fund Houses / RTAs | Portfolio data, NAVs, transaction history |
Depositories (NSDL, CDSL) | Demat account holdings, transaction history |
Insurance Companies (Life & General) | Policy details, premium payment records |
EPFO | Provident Fund (PF) balance and transaction history |
NPS Trust / PFRDA | Pension account balance, contribution history |
GSTN | GST filing history, turnover data (for MSME credit) |
CBDT (via ITR data) | Income Tax Return filing history |
SEBI-registered entities | Portfolio Management Services (PMS) data |
- Financial Information User (FIU)
A Financial Information User is any regulated entity that seeks access to a customer’s financial data (with consent) in order to provide a financial service. FIUs are the data consumers.
- Banks and NBFCs seeking bank statements for loan underwriting.
- Wealth management platforms seeking investment data for portfolio advice.
- Insurance companies seeking financial health data for premium assessment.
- Credit rating agencies using multi-source financial data for alternative scoring.
- Personal Financial Management (PFM) apps aggregating all financial accounts.
- Chartered Accountants and tax filing platforms seeking multi-bank transaction data.
- Government agencies (e.g., SIDBI for MSME loans) using AA-verified income data.
- Account Aggregator (AA) — The Consent Manager
The NBFC-AA sits in the middle — it never sees the content of the financial data itself (the data is encrypted from FIP to FIU), but it manages the consent flow, creates and stores digitally signed Consent Artefacts, and provides the technical plumbing that connects FIPs and FIUs. Think of the AA as a ‘secure courier’ — it carries the sealed envelope but cannot open it.
- Onboard customers via mobile app / web interface with Aadhaar/Mobile eKYC.
- Present consent requests from FIUs to customers in plain-language format.
- Generate cryptographically signed Consent Artefacts upon customer approval.
- Route encrypted financial data from FIP to FIU on the basis of valid consent.
- Maintain a consent dashboard for customers to view, modify, pause, or revoke consents.
- Maintain audit logs of all data sharing transactions.
- Ensure data deletion by FIUs upon expiry of consent period.
The Consent Framework — Heart of the AA System
The consent architecture is what differentiates AA from conventional data sharing. Every piece of data shared through the AA network is governed by a Consent Artefact — a machine-readable, digitally signed document that specifies exactly what data will be shared, with whom, for what purpose, for how long, and in what frequency.
The 6 Pillars of AA Consent:
Consent Dimension | Description |
1. Consent Purpose | Specific declared purpose — e.g., ‘Personal Loan Underwriting’, ‘Wealth Management Advice’, ‘Tax Filing’. |
2. Data Type | Exactly which financial accounts and data types — e.g., SBI Savings Account XXXX1234, last 12 months transactions. |
3. Data Date Range | Historical period of data — e.g., Jan 2024 to Dec 2025. |
4. Data Fetch Type | One-time fetch (for loan applications) or periodic/recurring fetch (for PFM apps or ongoing monitoring). |
5. Consent Expiry | Hard expiry date and time — after which no further data can be fetched. |
6. Data Life at FIU | How long the FIU can retain the received data — must be deleted after this period. |
Importantly, under the AA framework, consent is granular and revocable. A customer who has granted a bank access to 12 months of salary data for a loan can revoke that consent at any time through their AA app — even mid-process. This is fundamentally different from screen-scraping or traditional KYC-based data collection where revocation is impossible.
Step-by-Step: How the AA Framework Works — A Practical Example
Let us walk through a real-world scenario: Priya, a 32-year-old salaried professional in Pune, applies for a personal loan of Rs. 5 lakh from an NBFC using the Account Aggregator framework.
Step | Action / Description |
Step 1 | Priya applies for a Rs. 5 lakh personal loan on the NBFC’s app. The NBFC (acting as FIU) sends a consent request to Priya’s AA (e.g., OneMoney, CAMS Finserv, Setu). |
Step 2 | Priya receives a notification on her AA app: ‘NBFC XYZ is requesting access to your SBI Savings Account and HDFC Salary Account statements for the last 12 months for the purpose of Loan Underwriting. Consent valid till: 30 days. Data life at FIU: 6 months.’ |
Step 3 | Priya reviews the consent request, sees it is scoped only to the specified accounts for the specified period, and approves with a single tap. The AA generates a digitally signed Consent Artefact. |
Step 4 | The AA sends the Consent Artefact to SBI (FIP) and HDFC Bank (FIP). Both banks verify the artefact’s signature and authenticity. |
Step 5 | SBI and HDFC Bank encrypt Priya’s account data and send it directly to the NBFC’s FIU endpoint. The AA facilitates routing but the data itself is end-to-end encrypted — the AA cannot read it. |
Step 6 | The NBFC’s credit underwriting system receives the structured financial data, runs automated analytics (income stability, existing EMIs, spending patterns), and generates a credit decision within minutes. |
Step 7 | If Priya is approved, the loan is disbursed. Her AA consent dashboard shows the active consent with expiry date. She can revoke at any time. After 30 days, the consent automatically expires and no further data fetches are possible. |
Licensed Account Aggregators in India — 2026 Status
As of 2026, the following entities hold a valid NBFC-AA Certificate of Registration (CoR) from the RBI and are operational on the AA network:
AA Entity | Status (2026) | Key Differentiator |
CAMS Finserv (CAMSfinserv AA) | Operational | CAMS (Registrar & Transfer Agent); strong MF data access |
OneMoney (Yodlee Finsoft) | Operational | Consumer-facing AA app; broad bank FIP coverage |
Setu (Pine Labs subsidiary) | Operational | Developer-first AA; popular among fintech FIUs for API integration |
Finvu (Cookiejar Technologies) | Operational | Consumer AA app; NBFC and insurance FIP integrations |
NADL (National E-Governance Services Ltd.) | Operational | Government-backed; strong in GST and ITR data pipelines |
Perfios Account Aggregation Services | Operational | Enterprise-grade AA; dominant in BFSI sector lending use cases |
PhonePe AA (Indus AA) | Operational | Leverages PhonePe’s massive consumer base for AA consent flows |
Juspay Technologies AA | License Stage | Payments-focused; integrating AA for credit at checkout |
Note: RBI may have issued additional licenses post this publication. Always verify current licensees at rbi.org.in/Scripts/BS_NBFCList.aspx
Financial Information Types Supported by AA Framework (2026)
The AA framework supports a comprehensive range of Financial Information (FI) types as defined in the RBI Master Directions and the FI Data Standards published by Sahamati/ReBIT (Reserve Bank Innovation Hub). As of 2026:
FI Type Code | Description |
DEPOSIT | Savings, Current, Recurring, FD accounts in banks |
TERM_DEPOSIT | Fixed Deposit account data — balance, maturity date, interest rate |
RECURRING_DEPOSIT | RD account data — installment amounts, maturity |
SIP | Systematic Investment Plan transaction data |
CP | Commercial Paper holdings |
GOVT_SECURITIES | Treasury bill and government bond holdings |
EQUITIES | Listed equity holdings via NSDL/CDSL depositories |
BONDS | Corporate bond holdings |
DEBENTURES | Debenture holdings in demat form |
MUTUAL_FUNDS | Mutual fund folio data — NAV, units, transactions |
ETF | Exchange Traded Fund holdings |
IDR | Indian Depository Receipt holdings |
CIS | Collective Investment Scheme data |
AIF | Alternative Investment Fund data |
INSURANCE_POLICIES | Life and general insurance policy details |
NPS | National Pension System account data via PFRDA |
INVIT | Infrastructure Investment Trust units |
REIT | Real Estate Investment Trust units |
GSTR | GST filing history and turnover (MSME use) |
ITR | Income Tax Return filing data via CBDT |
Key Use Cases of the Account Aggregator Framework in 2026
- MSME Credit — The Game Changer
India’s MSME credit gap stands at an estimated Rs. 20-25 lakh crore. The inability of banks to quickly verify cash flows, GST turnover, and income history of small businesses has been a major bottleneck. The AA framework solves this by allowing MSMEs to share GST returns, bank statements, and ITR data in minutes, enabling:
- Cash-flow-based lending without the need for property collateral.
- Automated underwriting with same-day loan disbursal for working capital.
- SIDBI, NABARD, and public sector banks using AA to serve micro-enterprises previously outside the formal credit system.
- Integration with OCEN (Open Credit Enablement Network) for embedded lending in supply chains.
- Personal Loan & Home Loan Underwriting
Banks and NBFCs using the AA framework have reduced loan processing times from 3-7 days to as little as 10-30 minutes for salaried individuals. Salary credits, existing EMI outflows, and bank balance trends are available instantly, enabling real-time credit decisions.
- Personal Finance Management (PFM) Apps
PFM apps like INDmoney, Smallcase, and similar platforms use the AA framework to pull a 360-degree financial view of a user — bank balances, mutual fund portfolios, insurance policies, pension accounts — all in one dashboard, updated in real-time with user consent. No screen scraping, no storing credentials.
- Insurance Underwriting & Wealth Management
- Life insurers using income and investment data for accurately-priced term insurance.
- Wealth managers using AA to access client’s existing portfolio for holistic financial planning.
- Health insurance companies exploring AA-linked premium adjustments based on financial wellness indicators.
- Tax Filing and Compliance
Tax filing platforms can, with user consent, pull transaction data from multiple banks, MF statements, and demat account data via AA to auto-populate ITR forms, reducing manual data entry and errors. The process is fully consent-based — the tax platform requests only what is needed and only for the duration of the filing session.
- Rent and Employment Verification
A new emerging use case in 2025-26 involves landlords and employers using AA-based financial data sharing for tenant income verification and employee financial background checks, replacing the traditional cumbersome process of collecting physical bank statements.
Technical Standards — The API Architecture Behind AA
The AA ecosystem is built on open, interoperable API standards developed by ReBIT (Reserve Bank Innovation Hub) and Sahamati. All FIPs and FIUs must implement these standards to participate in the AA network. Key technical specifications in 2026:
Technical Aspect | Specification |
API Standard | FI Data API v2.0 (ReBIT-specified); RESTful HTTPS APIs |
Encryption | AES-256-GCM for data payload encryption; RSA-2048 for key exchange |
Transport Security | TLS 1.3 mandatory for all AA ecosystem communications |
Digital Signatures | JWS (JSON Web Signatures) using RSA-SHA256 for Consent Artefacts |
Data Format | JSON-based Financial Information schema (FI Schema v2.0) |
Authentication | OAuth 2.0 + PKCE for FIU-AA interactions; OTP/Aadhaar for customer authentication |
Interoperability | Universal network — any licensed AA can connect any FIP or FIU regardless of who they use |
Central Registry | Central Registry of Financial Entities (maintained by Sahamati) for AA ecosystem discovery |
AA Framework vs. Screen Scraping vs. Traditional Data Sharing
Parameter | AA Framework | Screen Scraping | Traditional Sharing |
Data Collection | API-based, structured | Login credential based, unstructured | Physical documents / PDFs |
Customer Consent | Explicit, granular, digital | Implicit, opaque | Paper form, blanket |
Data Security | End-to-end encrypted | Credentials exposed to 3rd party | Unencrypted documents |
Revocability | Instant, digital revocation | Not possible post-credential sharing | Not possible |
Regulatory Status | Fully regulated by RBI | Prohibited under RBI/IT Act | Compliant but slow |
Data Freshness | Real-time / on-demand | Real-time but risky | Stale (days to weeks) |
Audit Trail | Full digital audit log | None | Paper records only |
Scalability | Highly scalable, automated | Fragile, site-change dependent | Manual, unscalable |
DEPA — The Philosophy Powering the AA Framework
The Account Aggregator is the first operational implementation of DEPA — Data Empowerment and Protection Architecture — India’s unique approach to data governance. Unlike GDPR (which focuses on data protection) or PSD2 (which focuses on payment data sharing), DEPA is a consent-centric, sector-agnostic framework that can be applied to any data domain.
DEPA operates on three principles: DATA EMPOWERMENT (individuals control their data and can use it for their own benefit), DATA PROTECTION (strong technical and regulatory safeguards prevent misuse), and DATA MARKET CREATION (enabling a competitive, consent-based data economy that drives financial inclusion and innovation).
In 2026, DEPA is being expanded beyond financial data. The Health Data Management Policy proposes a Health Account (HA) / Health Locker using the same AA-like consent framework for medical records. Similarly, the Telecom Regulatory Authority of India (TRAI) is exploring AA-like consent frameworks for telecom data (call records, data usage) for alternative credit scoring.
Challenges and Limitations of the AA Framework (2026)
Challenge | Detail |
Consumer Awareness | A large section of India’s population remains unaware of the AA framework. Digital and financial literacy campaigns are needed to drive adoption beyond urban, tech-savvy users. |
FIP Readiness | Not all financial entities have implemented AA APIs to the same standard. Some cooperative banks, smaller NBFCs, and insurance companies lag in FIP readiness, limiting the data universe available. |
Consent Fatigue | As more FIUs adopt AA, consumers may face multiple consent requests, leading to fatigue and uninformed blanket approvals — undermining the consent-first philosophy. |
Data Quality Issues | Some FIPs provide inconsistently structured data, requiring FIUs to invest in normalisation layers before analysis. |
DPDP Act 2023 Alignment | The Digital Personal Data Protection (DPDP) Act 2023 introduces additional obligations for data fiduciaries. Aligning AA consent flows with DPDP’s consent requirements is an ongoing compliance challenge for AAs and FIUs alike. |
Liability Framework | In case of a data breach at an FIP, FIU, or AA, the liability framework for consumer compensation is still evolving. RBI’s consumer grievance redressal mechanisms need strengthening for AA-specific disputes. |
Cross-Border Data Sharing | The framework currently applies to India-domiciled financial accounts. Cross-border financial data sharing (e.g., NRI accounts with foreign banks) is not yet within scope. |
Benefits of the Account Aggregator Framework
For Consumers:
- Single-tap sharing of financial data for loans, investments, and insurance — no more collecting bank statements.
- Complete visibility into who has accessed your financial data and the ability to revoke access at any time.
- Faster loan approvals — personal loans in minutes, home loan pre-approvals within hours.
- Better financial product recommendations based on comprehensive financial profile (with consent).
- Elimination of risk associated with sharing bank credentials with third-party apps.
For Banks and NBFCs (FIUs):
- Drastic reduction in loan processing costs — automated underwriting vs. manual verification.
- Access to richer, more accurate financial data — multi-bank view vs. single bank statement.
- Reduction in fraud risk — data sourced directly from regulated FIPs, not from customers who could forge documents.
- Ability to extend credit to thin-file customers using alternative financial data (GST, EPFO, ITR).
- Regulatory compliance — AA-based KYC and credit appraisal is increasingly preferred by RBI examiners.
For the Indian Economy:
- Closing India’s MSME credit gap estimated at Rs. 20-25 lakh crore by enabling cash-flow-based lending.
- Reducing dependence on physical collateral — enabling credit on the basis of financial history.
- Accelerating India’s Digital Public Infrastructure (DPI) model — AA as the financial data layer alongside UPI (payments) and Aadhaar (identity).
- Creating a competitive data economy where data portability enables consumers to switch financial service providers easily.
Digital Personal Data Protection (DPDP) Act 2023 & the AA Framework
The DPDP Act 2023, which came into force progressively from 2024, introduces the concept of Data Fiduciaries (entities that determine the purpose of data processing) and Data Principals (individuals). Under this framework:
- Account Aggregators are Data Fiduciaries for the purpose of consent management.
- FIUs that process financial data received via AA are also Data Fiduciaries.
- FIPs are Data Fiduciaries for the data they hold and share.
- Customers are Data Principals with rights to access, correction, and erasure of their data.
- The DPDP Act mandates clear, specific, and informed consent — consistent with the AA consent framework.
- Consent Managers under the DPDP Act align closely with the NBFC-AA model — AAs are well-positioned to become registered Consent Managers under DPDP.
- The DPDP Act’s data localisation requirements (data must remain in India) are already met by the AA architecture.
- Cross-cutting obligations under DPDP (breach notification within 72 hours, grievance officer appointment) apply to all AA ecosystem participants.
Account Aggregator Framework — Numbers That Matter (2026)
Metric | 2026 Data Point |
Consents Processed (Cumulative) | Over 50 crore (500 million) consent artefacts generated since launch |
Active FIPs on Network | 25+ RBI-regulated entities; 10+ SEBI, IRDAI, PFRDA regulated entities |
Active FIUs on Network | 100+ licensed financial entities including all major banks and NBFCs |
Loan Processing Time Reduction | From 3-7 days to 10-30 minutes for standard personal loans |
MSME Loans via AA (FY 2025-26) | Rs. 1.5 lakh crore+ disbursed using AA-verified financial data |
Cost of Loan Processing Reduction | Estimated 40-60% reduction in underwriting cost per loan for FIUs |
Licensed NBFC-AAs (2026) | 8 operational; 3 in pipeline/in-principle approval |
Consumer AA App Users (Est.) | 5 crore+ registered users across all AA platforms |