Account Aggregator (AA) — India’s Consent-Based Financial Data Sharing Framework: Complete 101 Guide

Last updated: June 2026

What is Account Aggregator (AA)?

The Account Aggregator (AA) framework is a Reserve Bank of India (RBI)-regulated system that enables individuals and businesses to securely share their financial data between regulated institutions, with explicit consent and in a structured, encrypted manner. Formally, an Account Aggregator is an NBFC-AA (Non-Banking Financial Company — Account Aggregator) licensed by the RBI under Section 45JA of the RBI Act, 1934. 1

An AA’s sole function is to facilitate the transfer of financial data from institutions that hold it (like your bank) to institutions that need it (like a lender) — with your explicit consent, for a stated purpose, and for a limited duration. The AA itself cannot read, store, or monetise the data it transmits. 2

The AA framework is India’s practical implementation of the DEPA (Data Empowerment and Protection Architecture) in the financial sector, making India one of the first countries to operationalise a full consent-based data-sharing ecosystem. 3

Core Principles

| Principle | Description |
|---|---|
| Data Sovereignty | The individual (data principal) owns their financial data |
| Consent-Based | Explicit, informed consent required for every data-sharing request |
| Purpose Limitation | Data can only be used for the stated purpose |
| Time-Limited Access | Consent expires after the specified duration |
| Minimal Data | Only necessary data is shared |
| Encrypted Transit | End-to-end encryption; AA cannot view the data |
| No Retention | AAs do not store the financial data they transmit |
| Audit Trail | Every consent and data access is logged |

How It Works

Transaction Flow

1. FIU (e.g., lender) requests your financial data for a specific purpose
2. AA sends a consent request to you (via the AA app or FIU's interface)
3. You review and approve — specifying purpose, data types, duration
4. AA fetches encrypted data from the FIP (e.g., your bank)
5. AA transmits encrypted data to the FIU
6. FIU uses data only for the approved purpose, within the consent period

Key Entities

| Entity | Full Form | Role |
|---|---|---|
| AA | Account Aggregator (NBFC-AA) | Licensed consent manager; facilitates encrypted data transfer |
| FIP | Financial Information Provider | Holds your financial data (banks, MF houses, insurers) |
| FIU | Financial Information User | Requests your data for a service (lenders, brokers, wealth managers) |
| TSP | Technology Service Provider | Tech enabler helping FIPs/FIUs integrate with AA network |
| Sahamati | Sahamati Foundation | Industry alliance — operates Central Registry and Certification |

Every data-sharing request generates a consent artefact — a machine-readable, digitally signed document that captures:

  • Data Principal: Your identity (linked via account discovery)
  • FIU: Who is requesting the data
  • FIP(s): Which institution(s) hold the data
  • Data Purpose: Why the data is needed (e.g., loan underwriting, KYC)
  • Data Types: Specific financial information (e.g., bank transactions, GST filings)
  • Time Period: How far back the data goes (e.g., last 6 months)
  • Consent Duration: How long the FIU can access the data (e.g., 30 days)
  • Frequency: One-time or recurring fetch

The consent artefact is cryptographically signed and tamper-proof. You can revoke consent at any time. 4
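
The checks a data holder could run against the consent artefact fields listed above before releasing data, as an added example that is not part of the original guide or of the ReBIT specification. All field names and the demo key are hypothetical, HMAC-SHA256 stands in for the artefact's digital signature, and dates are ISO strings so they compare correctly as text.

```python
import hashlib, hmac, json
from datetime import datetime, timezone
# Constructed demo key. HMAC-SHA256 stands in for the asymmetric signature a
# real artefact carries; every field name below is hypothetical.
DEMO_KEY = b"constructed-demo-key"

def sign(consent):
    # Canonical JSON, so changing any field changes the signature.
    body = json.dumps(consent, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()

def check_fetch(artefact, request, now, revoked_ids, fetches_done):
    """Return the reasons to refuse a data fetch (empty list = allow)."""
    c = artefact["consent"]
    if not hmac.compare_digest(sign(c), artefact["signature"]):
        return ["signature mismatch: artefact was altered"]  # trust no field
    reasons = []
    if c["consent_id"] in revoked_ids:
        reasons.append("consent revoked")
    start = datetime.fromisoformat(c["consent_start"])
    expiry = datetime.fromisoformat(c["consent_expiry"])
    if not start <= now <= expiry:
        reasons.append("outside consent duration")
    if request["fiu"] != c["fiu"] or request["fip"] not in c["fips"]:
        reasons.append("FIU or FIP not named in consent")
    extra = set(request["data_types"]) - set(c["data_types"])
    if extra:
        reasons.append("data types not consented: " + ", ".join(sorted(extra)))
    if request["from"] < c["period_from"] or request["to"] > c["period_to"]:
        reasons.append("requested period exceeds consented time period")
    if c["frequency"] == "ONE_TIME" and fetches_done >= 1:
        reasons.append("one-time consent already used")
    return reasons

# Constructed sample: 30-day, one-time consent over six months of data.
CONSENT = {
    "consent_id": "demo-0001", "fiu": "demo-lender", "fips": ["demo-bank"],
    "purpose": "loan underwriting", "data_types": ["DEPOSIT"],
    "period_from": "2025-01-01", "period_to": "2025-06-30",
    "consent_start": "2025-07-01T00:00:00+00:00",
    "consent_expiry": "2025-07-31T00:00:00+00:00", "frequency": "ONE_TIME",
}
ARTEFACT = {"consent": CONSENT, "signature": sign(CONSENT)}
REQUEST = {"fiu": "demo-lender", "fip": "demo-bank", "data_types": ["DEPOSIT"],
           "from": "2025-01-01", "to": "2025-06-30"}
NOW = datetime(2025, 7, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_fetch(ARTEFACT, REQUEST, NOW, set(), 0))
```

The purpose field is covered by the signature but cannot be checked at fetch time; how the FIU uses the data afterwards is outside what the artefact can enforce.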

Data Types Supported

The AA framework supports 16+ Financial Information (FI) types as of September 2025 5:

| Category | Data Types |
|---|---|
| Banking | Deposit accounts, savings accounts, current accounts, credit cards, loan accounts |
| Investments | Mutual funds, equities, demat accounts, bonds |
| Insurance | Life insurance, general insurance, health insurance policies |
| Pension | National Pension System (NPS), Atal Pension Yojana (APY) |
| Tax | GST filings, income tax returns |
| Securities | Depository holdings (CDSL, NSDL) |
| Post Office | Post office savings accounts, small savings schemes |
| Corporate | MCA filings, company financials |

Key Statistics (Verified)

| Metric | Value | Source |
|---|---|---|
| Financial entities live on AA | 999+ | Sahamati, May 2026 6 |
| Financial Information Users (FIUs) | 955 | Sahamati 6 |
| Financial Information Providers (FIPs) | 179 | Sahamati 6 |
| Operational Account Aggregators | 17 | Sahamati 7 |
| Technology Service Providers | 75 | Sahamati 6 |
| Certifiers | 2 | Sahamati 6 |
| Accounts linked via AA | 272 million+ | Sahamati, Sep 2025 6 |
| Consent requests fulfilled | 408 million+ | Sahamati, Sep 2025 6 |
| Monthly data shares | 265 million+ | Sahamati, Feb 2026 6 |
| Loans enabled via AA | ₹1.6 lakh crore across 1.8+ crore accounts | NBBL, Sep 2025 8 |

Major Players

Licensed Account Aggregators (17 Operational)

| # | Company | Product/Brand |
|---|---|---|
| 1 | Agya Technologies Pvt Ltd (Pine Labs) | Setu AA |
| 2 | CAMSFinServ | CAMSFinServ AA |
| 3 | Cookiejar Technologies Pvt Ltd | Finvu |
| 4 | CRIF Connect Pvt Ltd | CRIF Connect |
| 5 | Cygnet Account Aggregation Pvt Ltd | Cygnet AA |
| 6 | Dashboard Account Aggregation Services Pvt Ltd | Saafe |
| 7 | Digio Internet Pvt Ltd | Digio AA |
| 8 | FinSec AA Solutions Pvt Ltd | OneMoney |
| 9 | NESL Asset Data Limited (NADL) | NADL AA |
| 10 | OMS Fintech Account Aggregator Pvt Ltd | OMS AA |
| 11 | Protean Account Aggregator Ltd | SurakshAA |
| 12 | Perfios Account Aggregation Services Pvt Ltd | Anumati |
| 13 | PB Financial Account Aggregator Pvt Ltd | PB Fintech AA |
| 14 | Tally Account Aggregator Services Pvt Ltd | TallyEdge |
| 15 | Unacores AA Solutions Pvt Ltd | INK |
| 16 | Scoreme Account Aggregation Solutions Pvt Ltd | Scoreme AA |
| 17 | Upmint Solutions AA Pvt Ltd | Upmint AA |

Source: Sahamati (alphabetical listing) 7

Industry Bodies

| Entity | Role |
|---|---|
| Sahamati Foundation | Not-for-profit Section 8 company; runs the Central Registry and Certification framework for the AA ecosystem. ISO 27001 certified. |
| ReBIT (Reserve Bank Information Technology Pvt Ltd) | Published the technical standards (v1.1.1, v1.1.2) that govern the AA protocol and APIs. |

Use Cases

| Use Case | How AA Helps | Example |
|---|---|---|
| Lending & Credit Underwriting | Lenders access verified bank statements, GST data for faster loan processing | Personal loan approval in minutes instead of days |
| Stockbroking & Demat KYC | Brokers fetch financial data for KYC compliance and investor profiling | Seamless demat account opening |
| Personal Finance Management (PFM) | Individuals see consolidated financial data across institutions | Real-time personal balance sheet |
| Insurance Underwriting | Insurers verify income and financial health for policy issuance | Term insurance underwriting using bank data |
| MSME Credit | Small businesses share GST filings and bank data for business loans | Enabling ₹1.6 lakh crore in loans 8 |
| Account Verification | Institutions verify account ownership and standing | Bank account verification without manual statements |
| Portfolio Tracking | Investment advisors view consolidated portfolio across MF houses, depositories | Unified investment view for advisory |

Regulatory Framework

Primary Regulation

| Aspect | Detail |
|---|---|
| Governing Law | RBI Act, 1934 — Section 45JA |
| Master Directions | RBI Master Directions — NBFC-Account Aggregator (Reserve Bank) Directions, 2016; updated 2025 (Ref: RBI/DoR/2025-26/368, dated Nov 28, 2025) 1 |
| Technical Standards | ReBIT Technical Standards v1.1.1 (2019) and v1.1.2 (2020) |
| Net Owned Funds | Minimum ₹2 crore required for NBFC-AA license 9 |
| Licensing Process | In-principle approval → certification → operating license (must obtain operating license within 1 year) 7 |
| Certification | Mandatory certification by Sahamati-certified auditors before going live |
| Supervision | RBI supervisory framework for NBFCs, including annual returns and statutory audit |

Cross-Regulator Oversight

While the RBI is the primary regulator for the AA framework, other financial sector regulators also play a role:

| Regulator | Relevance |
|---|---|
| RBI | Primary: licenses NBFC-AAs, issues Master Directions |
| SEBI | Oversees FIUs in securities markets (brokers, mutual funds) |
| IRDAI | Encourages adoption for insurance underwriting; advocates “Insurance for All by 2047” 6 |
| PFRDA | Enables pension data sharing via NPS trust |

Relationship to DPDP Act, 2023

The Digital Personal Data Protection (DPDP) Act, 2023 introduces the concept of a Consent Manager for all data fiduciaries. The Draft DPDP Rules, 2025 provide registration requirements for Consent Managers. 10

  • The NBFC-AA framework pre-dates the DPDP Act and currently serves as the de facto consent manager for financial data.
  • Sahamati is working on reconciling the AA (NBFC-AA) and Consent Manager frameworks to avoid regulatory duplication. 10
  • NBFC-AAs regulated by the RBI are expected to align with DPDP requirements as well.

Consumer Rights Analysis

Your Rights Under the AA Framework

| Right | Description | Status |
|---|---|---|
| Informed Consent | You see exactly what data, for what purpose, for how long before approving | ✅ Enforced via consent artefact |
| Right to Revoke | You can revoke consent at any time | ✅ Enforced |
| Purpose Limitation | FIU can only use data for the stated purpose | ✅ Technically enforced |
| Data Minimisation | Only requested data types are shared | ✅ Built into consent artefact |
| No Secondary Use | Data cannot be repurposed beyond consent | ✅ Prohibited under Master Directions |
| Audit Trail | You can view who accessed your data and when | ⚠️ Available but awareness is low |
| Grievance Redressal | Each AA has a designated Grievance Redressal Officer | ✅ Mandatory per Master Directions |
| Data Portability | You can share data across any regulated institution on the network | ✅ Core feature |

What the AA Framework Does NOT Do

  • It does not store your financial data. AAs transmit data in encrypted form and cannot decrypt it.
  • It does not make lending decisions. Lenders use the data they receive; the AA has no role in credit assessment.
  • It does not replace your bank’s security. Your bank account credentials and PIN are never shared.
  • It does not cover non-financial data (health records, education data, etc.) — though this may expand under the broader DEPA framework.

Privacy Implications

Strengths

  • End-to-end encryption: Data is encrypted at the FIP level, passes through the AA encrypted, and is decrypted only at the FIU. The AA itself handles only encrypted payloads. 2
  • No AA data retention: AAs are prohibited from storing the financial data they handle. 1
  • Purpose-bound consent: Each data fetch is tied to a specific purpose and duration.
  • Structured data format: The ReBIT technical standards define specific data schemas, limiting what can be shared.

Concerns and Risks

| Concern | Detail |
|---|---|
| Consent Fatigue | Users may blindly approve consent requests without reading terms, especially during loan applications under time pressure |
| Dark Patterns | Some FIU interfaces may bury consent details or use pre-checked boxes; Sahamati’s Fair Use Templates aim to address this 6 |
| Secondary Sharing Risk | Once data reaches an FIU, there is limited technical enforcement preventing the FIU from sharing it further internally or with credit bureaus |
| Awareness Gap | Despite 272 million+ linked accounts, many users do not understand they are using AA when approving data access during loan apps |
| Concentration Risk | 17 licensed AAs — if a major AA (e.g., Finvu, OneMoney) fails, its linked accounts face disruption |
| Scope Creep | As data types expand beyond banking (GST, insurance, pension), the attack surface and misuse potential increase |

Safeguards

Technical Safeguards

| Safeguard | Description |
|---|---|
| ReBIT Technical Standards | All participants must comply with v1.1.1/v1.1.2 technical specs |
| Sahamati Certification | Mandatory certification before going live; periodic re-certification required |
| Central Registry | All participants registered on Sahamati’s Central Registry with public keys |
| API Health Monitoring | Sahamati runs a real-time API health dashboard for all FIP APIs 6 |
| End-to-End Encryption | Data encrypted at source, decrypted only at destination |
| Tamper-Proof Consent | Consent artefacts are cryptographically signed |

Governance Safeguards

| Safeguard | Description |
|---|---|
| RBI Supervision | NBFC-AAs under RBI’s supervisory framework, including annual returns |
| Sahamati Code of Conduct | Members must adhere to a Code of Conduct for responsible data use 6 |
| Fair Use Template Library | Sahamati publishes templates for responsible data usage patterns (lending, PFM, insurance) 6 |
| Grievance Dashboard | Public dashboard of all grievances on Sahamati Support Portal 6 |

Consumer Best Practices

  1. Read the consent artefact before approving — check purpose, data types, and duration
  2. Choose your AA app carefully — download only from official sources (Sahamati list)
  3. Revoke unused consents — if you no longer need a service, revoke its access
  4. Monitor your AA activity — check your AA app for consent history
  5. Report grievances — contact the AA’s Grievance Redressal Officer (see below)
  6. Be sceptical of broad data requests — a personal loan shouldn’t need your entire lifetime financial history

Complaints & Grievance Redressal

Filing a Complaint

Each Account Aggregator is mandated by the RBI Master Directions to publish the contact details of a Grievance Redressal Officer (GRO). 1 If you experience issues with:

  • Unauthorised data access via an AA
  • Consent not being honoured (revoked but data still shared)
  • Technical failures (data not fetched, incorrect data shared)
  • Poor service by the AA

You can contact the GRO of the relevant AA. Sahamati maintains a directory of GRO contact details and a public Grievance Dashboard. 11

Escalation Path

1. Contact the AA's Grievance Redressal Officer
        ↓ (if unresolved within 30 days)
2. File a complaint with Sahamati Support Portal
        ↓ (if unresolved)
3. Approach the RBI's Integrated Ombudsman Scheme
        (https://cms.rbi.org.in)

Known Consumer Protections Under RBI Ombudsman

  • The RBI Integrated Ombudsman Scheme, 2021 covers complaints against NBFCs, including NBFC-AAs.
  • Complaints can be filed online, by email, or by post.
  • The Ombudsman can award compensation up to ₹20 lakh for deficiencies in service.

Timeline of the AA Framework

| Year | Policy | Technology | Market |
|---|---|---|---|
| 2016 | RBI consultations on electronic consent begin | | |
| 2017 | Srikrishna Committee on Data Protection; Supreme Court privacy judgement | MeitY publishes Electronic Consent Framework; DEPA launched | |
| 2018 | Draft Personal Data Protection Bill released | ReBIT publishes draft technical standards | 9 AA license applicants; 5 in-principle licenses |
| 2019 | First NBFC-AA operating license issued (OneMoney) | AA sandboxes for POCs; v1.1.1 Tech Standard published | Sahamati industry alliance launched |
| 2020 | | Central Registry v1.0; Certification Framework v1.0; v1.1.2 Tech Standards | First AA hackathon (50 teams, 500 devs); 10 entities certified |
| 2021 | RBI, MoF, NITI Aayog publicly advocate AA adoption | Managed rollout with 2 AAs and 6 FIs | Common Ecosystem Participation Terms; AA go-live announced; 30 TSPs |
| 2022 | Market guidelines on reciprocity | AA for joint/corporate accounts; assisted-mode journeys | All PSBs go live as FIPs |
| 2023 | DPDP Act enacted (broader consent manager framework) | Expansion of data types (GST, pension) | Rapid scaling; fintech lenders adopt AA at scale |
| 2024 | Draft DPDP Rules align with AA consent management | v1.1.2 refinements; API improvements | ₹1.6 lakh crore loans enabled |
| 2025 | RBI updated Master Directions (Nov 2025) | Sahamati secures ₹50 crore from 25+ institutions 6 | Sahamati 4th Foundation Day celebration |
| 2026 | Draft DPDP Rules published for public consultation | Fair Use Templates for PFM and wealth management 6 | 265 million+ monthly data shares (Feb 2026) |

Source: Sahamati Account Aggregator Timeline 12

Relationship to Other DPI Explainers

| Explainer | Relationship to AA |
|---|---|
| DEPA 101 | AA is the implementation layer of DEPA in the financial sector |
| UPI 101 | UPI handles payment flows; AA handles data flows — complementary rails |
| NPCI 101 | NPCI’s subsidiary NBBL promotes AA adoption |
| DPDP Act 101 | DPDP Act introduces Consent Managers; AA framework predates and overlaps with this |
| eKYC 101 | AA can streamline eKYC by fetching verified financial data |

Frequently Asked Questions

Do I need to create an account with an AA to use it?

Not necessarily. Many FIUs (lenders, brokers) embed the AA consent flow directly in their app. You approve consent through their interface, and the data is fetched via the AA network behind the scenes. However, downloading an AA app gives you better visibility and control over your consents.

Is my bank account password shared?

No. The AA framework uses encrypted protocols (similar to how UPI works). Your bank credentials are never shared with the AA or the FIU. Account discovery uses your phone number and account details, not passwords.

Can I choose which AA to use?

Yes. You can download any of the 17 licensed AA apps. All AAs operate on the same network and protocol, so you can use any AA to share data from any FIP to any FIU.

After you revoke consent, the FIU can no longer fetch new data. However, data already fetched and processed by the FIU before revocation is subject to the FIU's own data retention policies; this is a gap in the framework.

Is the AA framework free for consumers?

Yes. You do not pay to share your data via AA. AAs charge the FIUs (who benefit from the data) for their services.


Prime References


Part of the DPI 101 Series by CashlessConsumer — empowering citizens with knowledge about India’s Digital Public Infrastructure.