India Stack

The National Payments Corporation of India and the Indian Ministry of Electronic and Information Technology. 

India

The architecture has been designed to create several API interfaces:

The consent flows involve collecting consent and managing its lifecycle.

The data flows collect the financial information based on customer consent.

The notifications inform the customer about data access and consent.

Finvu (the brand name of CookieJar Technologies) has account aggregator status. When using the Finvu app (Finvu), customers can register and receive their own account aggregator identity. The app then allows the customer to link their bank accounts and select which ones they might want to share information from. The financial institution completes all verification at their end. The app allows the customer to give permission for financial institutions to use the information for their services, and transactions and account information can be viewed together through the app.

Sahamati has case studies to view on their YouTube channel. These include:

1. Personal Finance and Expenditure trend using AA: This case study shows how a registered investment advisor will use credit/debit data from bank statement(s) using the AA framework and provide insights to the customer on her expenditure pattern.

2. Lending on AA: A customer procures a business loan on the lender platform using the AA framework. The entire process of disbursal is quick and effective.

3. Assisted lending with AA: The case study presented here is for a consumer durable credit at the point of sale, with a salesman creating the request and the customer enabling/consenting to information transfer within minutes. It shows how the AA process can be used to access a quick loan in an assisted model. 

Swagger UI (rebit.org.in)

1.1.3 / 25th August  2021

User companies must be a regulated entity of one of the four regulators: The Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), Insurance Regulatory and Development Authority (IRDAI), Pension Fund Regulatory and Development Authority (PFRDA). 

India has been able to comprehensibly create a digital banking environment from scratch.

UPI instantly transfers funds between two bank accounts on a mobile platform using an API running on top of the Immediate Payment Service.  It is regulated by the Reserve Bank of India and run by the National Payments Corporation of India.

The Account Aggregator framework, owned by the Indian Ministry of Electronic and Information Technology, is consent-based encrypted data sharing which should allow for a fully digital financial service. 

It forms part of the Data Empowerment and Protection Architecture (DEPA) which is an interoperable, secure, and privacy preserving framework for data sharing. The account aggregators enable the consent management for the user. They do not see the data themselves, but act as a conduit for the data flow.

The consent for access to personal data is provided through a consent manager, as opposed to the financial institution.

Open Banking

• balance information
• payment initiation (transactions) NpciMarketplace (nfinite.in)

Currently only asset based data is available (bank accounts, deposits, mutual funds, insurance policies, pension funds). Other data types are likely to be added over time. See https://github.com/Sahamati/aa-common-service/blob/main/central-registry/overview.md for registry details.

AA: The Customer interacts with the AA to link accounts and generates consent. All the interactions of account linking and consent management must happen directly between the Customer and the AA through the AA application or AA Client. All provided consent is revocable.

The Account Aggregator is a data blind consent manager.

Account Aggregators cannot see the data; they simply take it from one financial institution to another based on an individual’s direction and consent. 

The data these consent managers share is encrypted by the sender and can be decrypted only by the recipient. The end to end encryption and use of technology like the ‘digital signature’ makes the process much more secure than sharing paper documents.

All consent given through Account Aggregators is designed to be revocable.

Payment Initiation is handled via UPI, however this is not considered an open banking/finance API.

Developer resources.

Technical policies.

ReBIT | Industry Initiatives 

With a recent history of being predominantly a cash based society, India has been able to build from the ground up their digital banking systems. India first created a Unique Identification Authority of India (UIDAI)- controlled by Aadhar- allowing verification of an identity by features such as fingerprints, photographs and iris identification.

The success of this, and the trust built into having one, efficient system, led to the National Payments Corporation of India (NPCI) creating a retail payments and settlement system. This was the United Payment Interface (UPI), which linked a person’s debit card to their Aadhar identity.

Now, the Account Aggregator Framework is building on this. Unveiled in September 2021, it’s consent-based encrypted data sharing, with the hope of developing a much broader set of financial services.

The Account Aggregator and the UPI is regulated by The Reserve Bank of India (RBI). 

While the RBI has taken the lead in terms of licensing norms for Account Aggregators and monitoring, monitoring of guidelines has been left to the industry, through a self-regulatory mechanism that industry may come up with. This helps put together norms that apply to entities across regulators but  needs consensus-building through market mechanisms. Sahamati, as an industry body, attempts to do this.

As the ecosystem grows, regulatory mechanisms (perhaps even cutting across regulators) may evolve and those may get more directly involved in ecosystem governance, complementing Sahamati’s efforts being run from within the industry.

Token-based authentication.

In December 2019, India introduced the Personal Data Protection Bill, which defined rights of data subjects, and obligations of data handlers and penalties for non-compliance. After three years of discussion, the bill was withdrawn following major criticism from industry stakeholders and tech platforms due to its strict rules for international data transfers. In Novermber 2022 the Digital Personal Data Protection Bill 2022 was released, focusing on personal data.