Syllabus: GS3/ Economy
Context
- With the Digital Personal Data Protection (DPDP) Act, 2023 and Draft DPDP Rules, 2025, India aims to expand its consent-based data-sharing system by building on the Account Aggregator model.
What is an Account Aggregator (AA)?
- Definition: An Account Aggregator is a type of Non-Banking Financial Company (NBFC-AA) regulated by the Reserve Bank of India (RBI).
- It helps individuals digitally access their information at one financial institution and share it with another in a real-time, consent-based, and secure manner.
- It acts as an intermediary between Financial Information Providers (FIPs) and Financial Information Users (FIUs).
- The AA does not store or process the data; it simply facilitates the encrypted transfer of data.
- The system is based on a ‘consent layer’, ensuring user control and privacy.
- Working: Users link their bank accounts to an AA.
- The user gives consent to share data (e.g., a bank statement) with a Financial Information User (FIU), like a bank or NBFC.
- The AA fetches the data from the Financial Information Provider (FIP), like a bank, and shares it securely with the FIU.
- Examples of licensed Account Aggregators (AAs):
- CAMS FinServ: A subsidiary of Computer Age Management Services (CAMS).
- PhonePe AA: A subsidiary of PhonePe, leveraging its digital reach.
Key Stakeholders of Account Aggregator
- Financial Information Providers (FIPs): Banks, mutual fund companies, insurance companies, etc.
- Financial Information Users (FIUs): Lenders, wealth managers, insurers, etc.
- Account Aggregators (AAs): Licensed entities that facilitate data flow between FIPs and FIUs.
The DPDP Act and Consent Managers (CMs)
- The Digital Personal Data Protection Act, 2023 introduces Consent Managers (CMs) as intermediaries to facilitate:
- Consent collection and withdrawal
- Consent lifecycle management
- Secure data sharing between Data Principals (individuals) and Data Fiduciaries (entities processing personal data).
Draft DPDP Rules, 2025
- The recently released Draft DPDP Rules, 2025 outline the registration process, obligations, and permitted activities of consent managers.
- Given the significant structural alignment between the Account Aggregator (AA) and Consent Manager (CM) frameworks, certain revisions have been proposed to the Draft Rules. They are as follows:
- Mandatory Registration with the Data Protection Board (DPB): Entities seeking to operate as consent managers under the DPDP regime must be mandatorily registered with the DPB.
- Enable Sector-Specific Consent Managers: The DPB should allow for the registration of sector-specific consent managers, provided they operate on common, interoperable APIs and technical specifications as prescribed.
- Allow Commercial Arrangements with Data Fiduciaries: Consent managers should be allowed to have business deals with data fiduciaries (like banks or companies that use personal data).
Significance of a Unified Consent Infrastructure
- Avoids duplication: Aligning AA and CM frameworks reduces regulatory overlap.
- Increases efficiency: Leveraging existing AA insights accelerates CM implementation.
- Promotes innovation: Encourages startups and established entities to develop secure data services.
- Supports Digital Public Infrastructure (DPI): Strengthens India’s ambition for a holistic, interoperable data governance regime.
Concluding remarks
- India has an unprecedented opportunity to become a global pioneer in citizen-centric data governance.
- By harmonising the Account Aggregator framework with the emerging Consent Manager regime under the DPDP Act, India can move toward a secure, scalable, and inclusive data economy.
Source: TH