Account Aggregators Under DPDP Act, 2023
Introduction
- India is taking significant strides in creating a user-centric data governance framework, with the Digital Personal Data Protection (DPDP) Act, 2023 leading the charge.
- With the passage of the Digital Personal Data Protection (DPDP) Act, 2023, and the release of the Draft DPDP Rules, 2025, the Union Government might expand the AA framework to a broader data governance ecosystem by introducing Consent Managers (CMs).
What is the Account Aggregator Network?
- Definition:
- An Account Aggregator (AA) is an RBI-regulated entity (holding a Non-Banking Financial Company Account Aggregator (NBFC-AA) license) that helps an individual securely and digitally access and share information from one financial institution where they hold an account with any other regulated financial institution in the AA network.
- The key feature of an AA is that it does not store or process data; instead, it facilitates the encrypted transfer of data between Financial Information Providers (FIPs) and Financial Information Users (FIUs).
- The system is designed with a ‘consent layer’, ensuring that users have complete control over their data and maintain privacy.
- How Does an Account Aggregator Work?
- User Consent: Users link their bank accounts and other financial accounts to an AA platform.
- Data Sharing: With explicit consent, users allow the AA to fetch their financial data (such as bank statements) from a Financial Information Provider (FIP) (e.g., a bank or insurance company) and share it securely with a Financial Information User (FIU), like a lender or wealth manager.
- Secure Data Transfer: The AA facilitates this transfer by encrypting the data, ensuring that it is shared securely without storing or processing it.
- Examples of Licensed Account Aggregators (AAs):
- CAMS FinServ: A subsidiary of Computer Age Management Services (CAMS), providing account aggregation services.
- PhonePe AA: A subsidiary of PhonePe, leveraging its extensive digital ecosystem to facilitate financial data aggregation.
- Key Stakeholders in the Account Aggregator Ecosystem:
- Financial Information Providers (FIPs): These include institutions such as banks, mutual fund companies, insurance companies, etc., that provide the data to be shared.
- Financial Information Users (FIUs): These are entities such as lenders, wealth managers, insurers, etc., that use the shared data to offer services like loans, investments, and insurance.
- Account Aggregators (AAs): These are the licensed entities that facilitate the secure flow of data between FIPs and FIUs, ensuring transparency and user consent.
Key Features of the Account Aggregator (AA) Framework
- Multi-Regulatory Collaboration: The AA Framework is a collaborative effort involving several key regulatory bodies in India, including:
- Reserve Bank of India (RBI)
- Securities and Exchange Board of India (SEBI)
- Insurance Regulatory and Development Authority of India (IRDAI)
- Pension Fund Regulatory and Development Authority (PFRDA)
- Ministry of Finance
- This broad regulatory partnership ensures the framework operates across multiple financial sectors, promoting a unified and secure system for financial data sharing.
- Operationalized Under RBI’s NBFC-AA Master Directions: The framework was operationalized under the RBI’s Non-Banking Financial Company Account Aggregator (NBFC-AA) Master Directions, 2016. This provides the legal and technical foundation for the secure, real-time, and machine-readable sharing of financial data, including:
- Banking data
- Loans
- Taxation data
- Investment portfolios
- Pension information
Core Provisions of the DPDP Act, 2023
- The DPDP Act, 2023 brings significant reforms to how personal data is managed, processed, and shared in India. The Act introduces mechanisms that promote transparency, user consent, and data protection across sectors.
- Introduction of Consent Managers (CMs): One of the key innovations under the DPDP Act is the creation of Consent Managers (CMs). These entities serve as intermediaries that enable individuals, referred to as Data Principals, to exercise control over their personal data. The CMs allow Data Principals to:
- Provide explicit, informed, and revocable consent for the sharing and processing of their data.
- Manage their consent preferences across various sectors such as health, education, employment, digital commerce, and more.
- Alignment with Account Aggregator Framework (AA): The DPDP Act’s approach to consent aligns with the Account Aggregator (AA) framework, which is already operational in India. Both frameworks emphasize:
- Explicit consent from the user,
- Informed consent where the user understands the implications of their choices,
- Revocable consent, giving users the ability to withdraw consent at any time.
- Techno-Legal Framework for Data Sharing: The DPDP Act sets up a techno-legal architecture focused on user-centric data flow. The data-sharing process operates through intermediaries that are registered with the Data Protection Board (DPB), ensuring accountability, security, and compliance with the law. This framework emphasizes interoperability, making it easier for different sectors to exchange data securely.
Draft DPDP Rules, 2025: Key Provisions and Recommendations
- Mandatory Registration with Data Protection Board (DPB): A significant provision in the draft rules is the mandatory registration of Consent Managers with the Data Protection Board (DPB). This ensures that all CMs are held accountable, meet established standards, and operate transparently.
- Sector-Specific Consent Managers: The draft rules encourage the development of sector-specific Consent Managers. These domain-specific frameworks will include:
- Financial Health Records (FHR) under the National Health Authority (NHA), allowing individuals to control their health data.
- Support for innovative APIs that enable interoperable data sharing, encouraging new business models and use cases across different sectors.
- Commercial Arrangements with Data Fiduciaries: The rules also acknowledge the importance of commercial arrangements with data fiduciaries. These arrangements will allow for the development of sustainable business models for Consent Managers while ensuring that their fiduciary duties toward Data Principals are not compromised. This reflects India’s commitment to data protection and user rights.
- Critical Recommendations for a Unified Data Ecosystem: To avoid unnecessary overlap and inefficiencies, the draft rules propose several critical recommendations to ensure a unified and coherent data ecosystem:
- Avoiding Regulatory Overlap with the AA Framework: The DPDP rules emphasize the importance of coordination with the existing Account Aggregator (AA) framework.
- By leveraging the success of the AA model, the CM framework under the DPDP Act can be rolled out smoothly and efficiently. This avoids parallel regulatory setups and ensures that data-sharing initiatives are not fragmented.
- Alignment with Sector-Specific Frameworks: There is a call for alignment between the sectoral frameworks (like those for health and finance) and the broader DPDP architecture. This alignment will create a cohesive and interoperable data governance ecosystem that can scale across industries.
- Building a Future-Ready Consent Infrastructure: India must focus on future-proofing the data governance infrastructure by building a flexible, scalable, and secure system. This will enable India to meet future data-sharing demands and ensure that the system remains relevant as technologies evolve.
Importance of a Unified Consent Infrastructure
- Reduces Redundancy: By harmonizing the Account Aggregator (AA) and Consent Manager (CM) frameworks, regulatory overlap can be minimized, ensuring streamlined processes without duplication.
- Boosts Efficiency: Drawing on the established insights and infrastructure of the AA framework can expedite the implementation of the CM system, enhancing operational speed and effectiveness.
- Fosters Innovation: A unified consent infrastructure creates opportunities for both startups and established companies to build secure, user-friendly data-sharing solutions, driving innovation in the sector.
- Strengthens Digital Public Infrastructure (DPI): A cohesive consent system aligns with India’s goal of developing a comprehensive, interoperable data governance framework, advancing the country’s vision for robust Digital Public Infrastructure (DPI).
Way Forward
- The successful implementation of the DPDP Act, combined with the Account Aggregator Framework, will help India move toward a consent-based data-sharing model that ensures user control, data privacy, and interoperability. Here’s how India can continue to improve its data governance approach:
- Leveraging AA Ecosystem Maturity for CM Framework Rollout: The maturity of the Account Aggregator (AA) system can provide valuable lessons for the rollout of the Consent Manager (CM) framework. By leveraging the interoperability, data security, and user-centric consent mechanisms established by AA, India can ensure a seamless and efficient deployment of the CM framework.
- Promoting Interoperability Across Sectors: To prevent regulatory fragmentation, India must focus on promoting interoperability between sectoral data frameworks. This will ensure that data flows smoothly across various industries, facilitating better services for individuals while maintaining strict data protection standards.
- Data Sovereignty and Digital Empowerment: India’s consent-based data governance model will reflect the country’s approach to data sovereignty and digital empowerment. By giving users control over their data, India is paving the way for a transparent, secure, and inclusive digital future.