NBFC Account Aggregator License

Account Aggregators in India: A Complete Guide to their Role, Requirements, and RBI Compliance

The Reserve Bank of India (RBI) has been steadily working towards creating a secure, consent-based digital financial ecosystem. A key pillar of this reform is the Account Aggregator (AA) framework. It is an innovative, technology-driven system that enables individuals and businesses to share their financial data safely across institutions. As financial services become increasingly digital, understanding the legal, regulatory, and operational requirements around Account Aggregators is essential for fintech companies, NBFCs, financial institutions, and legal practitioners.

What Are Account Aggregators?

An Account Aggregator is a Non-Banking Financial Company (NBFC) authorised by the RBI to act as a digital intermediary for secure financial data sharing. Under Section 45-I of the RBI Act, an NBFC-AA undertakes the business of:

  • Retrieving or collecting financial information relating to a customer from multiple financial institutions (called Financial Information Providers or FIPs), and
  • Consolidating and presenting this information to the customer or a Financial Information User (FIU) such as a bank, NBFC, insurer, or mutual fund distributor.

Importantly:

  • The AA cannot store, use, or own the customer’s financial data.
  • No data can be shared without the explicit, revocable consent of the customer.
  • The AA framework replaces “blanket consent” or paper-based submissions with a granular, digitally signed consent artefact.

Consumers are free to choose whether they want to register with an AA. As of September 2025, the ecosystem has grown rapidly, with over 2.6 billion enabled accounts and more than 223 million users linked to the AA network.

How the Account Aggregator Ecosystem Works

The AA framework involves three key players:

  • Financial Information Providers (FIPs): These include banks, NBFCs, asset management companies, insurance companies, depositories, GSTN, and other regulated entities that hold customer financial information.
  • Financial Information Users (FIUs): These are regulated financial entities such as lenders who request customer data through the AA to offer services like loans, insurance, investments, or financial planning.
  • Account Aggregators: They act as the secure consent managers facilitating this data flow.

Registration Requirements for an Account Aggregator

To operate as an AA, a company must obtain a Certificate of Registration (CoR) from the RBI. Key eligibility conditions include:

  • The entity must be a company registered under the Companies Act.
  • It must maintain a minimum Net Owned Fund (NOF) of ₹2 crore.
  • Promoters and management must meet fit and proper criteria.
  • The business must be entirely IT-driven, with strong data security and governance frameworks.
  • A leverage ratio not exceeding 7 must be maintained.
  • There must be a robust IT architecture capable of handling secure data flows.

Before granting the CoR, the RBI issues an in-principle approval valid for 12 months, during which the applicant must set up its technology platform, execute legal documentation, and demonstrate compliance readiness.

Key Duties and Responsibilities of an Account Aggregator

The 2025 RBI Directions clearly outline the obligations of NBFC-AAs, ensuring customer protection, data privacy, and operational transparency.

  1. Consent-Driven Architecture

  • No financial information can be accessed, shared, or transferred without explicit customer consent.
  • Consent must be obtained through a standardised consent artefact that specifies:
      • Type of information requested
      • Purpose
      • Recipient
      • Duration of validity
      • Rights of the customer
  • Customers must have a seamless option to revoke consent at any time.

  2. Data Handling and Security

  • AAs cannot store customer credentials, passwords, or sensitive authentication data.
  • No financial information may reside with the AA after transfer.
  • Third-party outsourcing of the core aggregation function is prohibited.
  • AAs must ensure:
      • Secure, encrypted data flow
      • Scalable technology systems
      • Strong cybersecurity and disaster recovery mechanisms
  • A systems audit by a CISA-certified auditor must be conducted every two years.

  3. Customer Protection and Grievance Redressal

AAs must:

  • Maintain a Board-approved customer grievance policy.
  • Resolve complaints within one month.
  • Display the Grievance Redressal Officer’s contact details prominently on their website and business locations.
  • Comply with the RBI Integrated Ombudsman Scheme, 2021, wherever applicable.

  4. Corporate Governance Requirements

Every AA must maintain high governance standards, including:

  • Establishing Audit, Nomination, and Risk Management Committees of the Board (with a minimum of three members each).
  • Ensuring directors and senior management meet fit and proper criteria on an ongoing basis.
  • Maintaining internal controls to protect IT system integrity and prevent data tampering.
  • Making detailed financial disclosures as per RBI’s NBFC guidelines.

  5. Pricing Transparency

AAs must adopt a Board-approved pricing policy, which must:

  • Be transparent
  • Follow internal guidelines
  • Be publicly available

Other Compliance Requirements

Additional obligations include:

  • No other business can be carried out apart from account aggregation.
  • Submission of periodic returns as prescribed by the RBI.
  • Ensuring compliance with rules on:
      • Managing outsourcing risks
      • Declaration of dividends
      • Prior approval for changes in shareholding or control
      • Reporting changes in directors, address, or auditor

The RBI also retains the power to inspect AA operations, grant exemptions, or issue further clarifications as needed.

Key Takeaways

The Account Aggregator framework represents a significant leap toward a transparent, customer-centric financial ecosystem. It not only empowers individuals with control over their financial data but also enhances efficiency for lenders, insurers, and investment platforms. However, the system’s integrity depends on stringent compliance with RBI’s regulatory and technological mandates.

For companies seeking to operate as Account Aggregators, or financial institutions wishing to join the AA network, understanding and adhering to these regulatory requirements is critical. With robust governance, secure technology, and transparent operations, AAs can play a pivotal role in shaping the future of India’s digital finance landscape.

Frequently Asked Questions (FAQ)

An Account Aggregator is an RBI-regulated platform that allows you to securely collect and share your financial information with your explicit consent.

Yes. AAs cannot store, read, or misuse your data. They only transfer it securely using strong encryption and RBI-mandated safeguards.

No. Registration is fully voluntary. You choose whether to link your accounts and when to share your information.

Bank statements, deposits, insurance policies, investments, mutual funds, GST returns, pension (NPS) details, and more, only with your permission.

Your data is provided by Financial Information Providers (FIPs) such as banks, NBFCs, insurers, and mutual fund companies.

It is received by Financial Information Users (FIUs) such as lenders, insurers, and financial service providers with your consent.

No. AAs are prohibited from accessing or storing your passwords, PINs, or authentication details.

No. AAs do not lend money, sell financial products, or provide advice. They only facilitate secure data sharing.

Yes. Your data can only be shared after you approve a consent artefact that clearly states what data is needed, why, and for how long.

Absolutely. You may revoke or change your consent at any time, and the AA must stop accessing your information immediately.

It saves time, reduces paperwork, and speeds up processes like loan approvals, insurance onboarding, and investment services through secure, digital, real-time data sharing.
