Account Aggregators, and the quiet revolution in consent-based data sharing.
How a 2016 master direction, ignored for five years, became the spine of digital lending in India.
The Account Aggregator framework is one of those Indian regulatory inventions that arrives quietly, sits in the rulebook for years, and then becomes essential to an industry that has forgotten it exists. The Reserve Bank of India issued the Master Direction governing Non-Banking Financial Company - Account Aggregators in September 2016. For the next five years almost nothing happened. Then, between 2021 and 2023, the framework became the way most digital loans in the country get underwritten.
The architecture is small and clever. An Account Aggregator is a regulated entity — a peculiar class of NBFC that may neither lend nor invest, and whose only permitted business is the secure, consent-based transmission of financial data from one financial institution to another. A user, through an AA application, asks his bank to share a year of his statements with a lender; the bank delivers the data, in a standardised format, directly to the lender, signed and tamper-evident; the AA itself sees only the encrypted payload. No screen-scraping, no shared passwords, no document uploads.
Three regulatory innovations
The framework rests on three regulatory innovations. The first is the AA licence itself, which creates the consent-broker as a separate, supervised entity. The second is the technical specification — published as a series of working documents by ReBIT, the central bank's technology arm — which standardises the API and the consent format. The third, and most consequential, is the gradual extension of the framework beyond banks to mutual funds, insurance policies, securities holdings, and most recently, GST returns. The AA does not see the data; the AA simply moves it.
Account Aggregator is the only piece of financial infrastructure in India that has succeeded by being deliberately small.
The slow start was structural. For an AA framework to be useful, both the data-providing institution and the data-receiving institution must be live on the network. Until both sides had integrated, the framework did very little. The integrations took years. The breakthrough came when the largest public-sector banks went live in 2021, and by 2023 the network had become the default underwriting pipe for any digital loan above a few thousand rupees.
What it built
What the framework has done, structurally, is to make consent-based data portability a real thing in a country that did not previously have one. A user can pull a year of his banking history into a new lender's underwriting in thirty seconds, and revoke that consent ten minutes later. The lender does not see the user's password; the user does not upload his statements. The country's data protection law, when it eventually lands, will find an existing infrastructure that already implements its central principle. This rarely happens.