Introduction to NBFC Account Aggregator License
The NBFC Account Aggregator (NBFC-AA) is a specialised category of Non-Banking Financial Company registered with the Reserve Bank of India. An NBFC-AA is authorised to collect and share the financial data of customers securely, and exclusively on the basis of their explicit consent. It does not deal with money, only with the secure, structured flow of financial information.
The AA framework is built on a data fiduciary model. The Account Aggregator acts only as a conduit, a regulated data pipe, between financial institutions that hold data and those that need it. It is not a data warehouse. It does not retain, analyse, or monetise customer data independently.
The growing importance of this framework cannot be overstated. The AA ecosystem is the backbone of open banking in India, enabling instant digital lending decisions, personal finance management (PFM) applications, insurance underwriting based on verified financial data, and wealth management platforms that require a holistic view of a customer's finances, all with the customer in full control of their data.
What is an NBFC Account Aggregator
In simple terms, an NBFC-AA is a bridge between financial institutions and their customers. It securely transfers a customer's financial data from institutions that hold it to institutions that the customer wishes to share it with, based entirely on the customer's explicit, time-bound, and revocable consent.
From a compliance perspective, an NBFC-AA is a restricted category of NBFC registered under the Reserve Bank of India Act. Its activities are strictly limited to data facilitation: it cannot lend, accept deposits, or engage in any other form of financial intermediation.
Legally, the framework operates under the RBI Master Directions on NBFC Account Aggregators, the IT Act 2000, and the data privacy and consent frameworks including the Digital Personal Data Protection (DPDP) Act.
An NBFC-AA may not:
- Store customer financial data at any point
- Use financial data for analytics or profiling without explicit, purpose-specific consent
- Sell, monetise, or transfer customer data to any third party independently
- Engage in lending, investments, or any other NBFC activity
Regulatory Framework
The NBFC-AA framework is governed by a layered regulatory structure combining RBI directions, IT law, and evolving data privacy legislation.
| Regulatory Dimension | Governing Authority / Instrument |
|---|---|
| Primary Regulator | Reserve Bank of India (RBI) |
| Governing Law | RBI Act 1934 & FEMA (where applicable) |
| Master Direction | NBFC – Account Aggregator Directions (RBI) |
| Ecosystem Participants | Financial Information Providers (FIPs), Financial Information Users (FIUs), Account Aggregators (AAs) |
| IT Framework | RBI IT Framework for NBFCs & CERT-In Directions |
| Data Privacy | IT Act 2000 & Digital Personal Data Protection (DPDP) Act – consent framework |
AA Ecosystem Participants
The Account Aggregator ecosystem comprises four distinct participants, each with a defined role. Understanding this structure is essential before applying for an NBFC-AA registration.
| Participant | Role | Examples | Position in Ecosystem |
|---|---|---|---|
| FIP (Financial Information Provider) | Data Provider | Banks, NBFCs, Mutual Funds, Insurance Companies | Holds customer financial data |
| FIU (Financial Information User) | Data User | Lenders, fintech lending apps, wealth management platforms | Consumes customer financial data |
| AA (Account Aggregator) | Data Facilitator | Licensed NBFC-AA entities | Routes data from FIP to FIU with consent |
| Customer | Data Owner | Individual / Business | Gives or revokes consent; controls all data sharing |
Who Needs an NBFC-AA License
Any entity that intends to operate as a data aggregation intermediary within India's regulated financial ecosystem needs an NBFC-AA registration from the RBI. This includes:
- Fintech companies offering financial data aggregation as a core service to banks, NBFCs, or other financial institutions
- Digital lending platforms that intend to use customer financial data for credit assessment in a structured, regulated manner
- Wealth management platforms that need a holistic view of a customer's financial profile across multiple institutions
- Digital banks and neo-banks seeking to build open banking capabilities on a regulated data infrastructure
- Personal Finance Management (PFM) applications that aggregate account data across institutions to provide financial insights to users
Eligibility Criteria
RBI has prescribed specific eligibility criteria for entities seeking to register as NBFC-AAs. Meeting these criteria is a prerequisite before submitting the application.
| Criteria | Requirement | Practical Note |
|---|---|---|
| Entity Type | Company incorporated under the Companies Act | Mandatory; LLPs and individuals are not eligible |
| Net Owned Fund (NOF) | Minimum ₹2 crore | Must be maintained continuously; NOF = paid-up equity capital + free reserves − accumulated losses − intangible assets |
| Promoter Fit & Proper | Clean track record | RBI evaluates credibility, background, and financial integrity of all promoters and directors |
| IT Infrastructure | Secure, scalable, API-ready system | Critical for approval; RBI evaluates the actual architecture design, not just policy documents |
| Data Security Framework | End-to-end encryption, consent management, audit logs | RBI's primary focus area; ISO-level standards are expected |
| Business Model | Pure data facilitation (no lending, no data storage) | An NBFC-AA cannot conduct any other NBFC activity |
Documents Required
A complete and well-prepared document package is critical for a successful NBFC-AA application. The following documents are required:
- Certificate of Incorporation (COI) – issued by the Ministry of Corporate Affairs
- MOA & AOA – the Memorandum and Articles of Association must explicitly include Account Aggregator activity in the objects clause
- Net Worth Certificate – CA-certified certificate clearly demonstrating minimum ₹2 crore Net Owned Fund
- Detailed Business Plan – comprehensive plan explaining how the AA will operate, including proposed FIP and FIU partnerships and revenue model
- IT Policy & Architecture Document – system design documentation including API framework, security architecture, and data flow diagrams
- Data Privacy Policy – documenting the consent management system, customer rights framework, and data flow procedures
- Director KYC – PAN, Aadhaar, and background verification for all directors and key management personnel
- Board Resolution – authorising the company to apply for NBFC-AA registration with the RBI
Registration Process
The NBFC-AA registration process involves six key steps. Each step must be completed thoroughly before proceeding to the next.
- Step 1: Incorporate the Company
Incorporate a company under the Companies Act 2013. Ensure that the Memorandum of Association explicitly includes Account Aggregator activity (data facilitation and consent-based financial data sharing) in the objects clause. This is a mandatory prerequisite for the RBI application.
- Step 2: Achieve Minimum Net Owned Fund
Ensure the company has a minimum Net Owned Fund of ₹2 crore at the time of application. Obtain a CA-certified Net Worth Certificate confirming this. The NOF must be maintained on a continuous basis even after registration.
- Step 3: Build the IT and Data Security Framework
This is the most critical and time-intensive step. Develop a robust, API-based integration system with end-to-end encryption, a customer-facing consent management dashboard, real-time authentication, and comprehensive audit logging. The architecture must meet RBI's IT framework requirements and ISO-level security standards.
- Step 4: Prepare the Complete Application Package
Compile all required documents, including the business plan, IT architecture documentation, data privacy policy, director KYC, Net Worth Certificate, and board resolutions. Each document must be accurate, complete, and consistent with the others.
- Step 5: Submit Application via RBI COSMOS Portal
Submit the complete NBFC-AA registration application through the RBI's COSMOS (Company Submission) portal. All documents must be uploaded in the prescribed format. Incomplete submissions result in automatic delays.
- Step 6: RBI Scrutiny and Certificate of Registration
RBI conducts a detailed review of the application, including scrutiny of the IT architecture and the consent management framework. The RBI may request clarifications or additional information. Upon satisfactory compliance, the Certificate of Registration as an NBFC-AA is granted.
Consent Architecture
The consent architecture is the heart of the NBFC-AA framework. The entire regulatory model is built on the principle that customer financial data can only be shared with explicit, revocable, and granular consent. Without a strong consent management system, RBI approval is not achievable.
The four defining characteristics of AA consent are:
- Time-bound access – consent is not permanent; it is granted for a defined period and expires automatically
- Purpose-specific sharing – data can only be shared for the stated purpose at the time of consent; it cannot be repurposed
- Revocable at any time – the customer can withdraw consent at any point, immediately stopping further data sharing
- Fully auditable – every consent action (grant, use, revocation) must be logged and traceable
The end-to-end consent flow is:
- Customer initiates a consent request on the AA platform
- AA routes the consent request to the relevant FIP
- FIP shares the requested data only after consent is confirmed
- AA routes the encrypted data to the FIU
- Customer can revoke consent at any point during or after the process
- All actions are logged with complete audit trails
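To make the four consent properties and the flow above concrete, here is an added example (not code from the page or from any real AA specification; every class, field and identifier is an assumption) of an AA-side consent registry that decides whether a FIU data request is backed by a valid, active, purpose-matching, unrevoked consent artefact, and writes every grant, revocation and access decision to an audit trail. It holds consent metadata only; the financial data itself is routed, never stored.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed, simplified model of the consent lifecycle described on this page:
# time-bound, purpose-specific, revocable, auditable. Names are illustrative.

@dataclass
class ConsentArtefact:
    consent_id: str
    customer_id: str
    fiu_id: str            # who may receive the data
    fip_id: str            # who holds the data
    purpose: str           # the one purpose the customer consented to
    granted_at: datetime
    expires_at: datetime   # consent is time-bound; access stops here
    revoked_at: Optional[datetime] = None

@dataclass
class AuditEvent:
    at: datetime
    consent_id: str
    action: str            # GRANT, REVOKE, ACCESS_ALLOWED, ACCESS_DENIED
    detail: str

class AccountAggregator:
    """Consent registry plus audit log. Stores consent metadata only, never financial data."""

    def __init__(self) -> None:
        self.consents: dict[str, ConsentArtefact] = {}
        self.audit: list[AuditEvent] = []

    def _log(self, at: datetime, consent_id: str, action: str, detail: str) -> None:
        self.audit.append(AuditEvent(at, consent_id, action, detail))

    def grant(self, c: ConsentArtefact) -> None:
        if c.expires_at <= c.granted_at:
            raise ValueError("consent must be time-bound with a future expiry")
        self.consents[c.consent_id] = c
        self._log(c.granted_at, c.consent_id, "GRANT", f"{c.customer_id} -> {c.fiu_id}")

    def revoke(self, consent_id: str, at: datetime) -> None:
        self.consents[consent_id].revoked_at = at
        self._log(at, consent_id, "REVOKE", "customer withdrew consent")

    def authorize_fetch(self, consent_id: str, fiu_id: str, fip_id: str,
                        purpose: str, now: datetime) -> tuple[bool, str]:
        """Return (allowed, reason) for a FIU request; every decision is audited."""
        c = self.consents.get(consent_id)
        reason = ""
        if c is None:
            reason = "unknown consent"
        elif c.fiu_id != fiu_id or c.fip_id != fip_id:
            reason = "consent not issued for this FIU/FIP pair"
        elif c.purpose != purpose:
            reason = "purpose mismatch: data cannot be repurposed"
        elif c.revoked_at is not None and now >= c.revoked_at:
            reason = "consent revoked"
        elif not (c.granted_at <= now < c.expires_at):
            reason = "outside consent validity window"
        if reason:
            self._log(now, consent_id, "ACCESS_DENIED", reason)
            return False, reason
        self._log(now, consent_id, "ACCESS_ALLOWED", f"{fiu_id} <- {fip_id} for {purpose}")
        return True, "ok"

def demo() -> tuple:
    """Constructed walk-through: grant, valid use, repurposing attempt, revocation, late use."""
    aa = AccountAggregator()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    aa.grant(ConsentArtefact("c-001", "cust-42", "fiu-lender", "fip-bank",
                             "loan underwriting", t0, t0 + timedelta(days=30)))
    r1 = aa.authorize_fetch("c-001", "fiu-lender", "fip-bank", "loan underwriting", t0 + timedelta(days=1))
    r2 = aa.authorize_fetch("c-001", "fiu-lender", "fip-bank", "marketing", t0 + timedelta(days=1))
    aa.revoke("c-001", t0 + timedelta(days=2))
    r3 = aa.authorize_fetch("c-001", "fiu-lender", "fip-bank", "loan underwriting", t0 + timedelta(days=3))
    return r1, r2, r3, [e.action for e in aa.audit]
```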
Technology Architecture
The NBFC-AA is one of the most technology-intensive licenses issued by the RBI. Unlike most other NBFC categories, where the primary regulatory focus is on capital adequacy and credit norms, the RBI evaluates the actual technology architecture of an AA applicant, not merely its policy documents.
The following technology components are mandatory for an operational NBFC-AA:
- API-based integration system – all data exchange between the AA, FIPs, and FIUs must occur through secure, standardised APIs; no manual data transfer is permissible
- End-to-end encryption – data must never exist in plaintext at any point during transmission; encryption must cover data at rest and in transit
- Consent management dashboard – a customer-facing interface through which users can view, manage, and revoke their consent in real time
- Real-time authentication system – robust multi-factor authentication for all customer interactions
- Audit logs & monitoring tools – comprehensive logging of all system events, data access requests, and consent transactions
IT Governance & Cybersecurity
Given that an NBFC-AA handles sensitive financial data of customers across multiple institutions, RBI imposes a high standard of IT governance and cybersecurity. The following requirements are expected:
- ISO-level security standards – ISO 27001 certification is strongly recommended and signals credibility to RBI evaluators
- Regular VAPT – Vulnerability Assessment and Penetration Testing must be conducted periodically to identify and remediate security weaknesses
- Data encryption at all stages – encryption must apply to data both at rest (if any temporary buffering occurs) and in transit at all times
- Incident response framework – a documented, tested framework for detecting, responding to, and reporting cybersecurity incidents
- No data retention – the system must be designed for temporary encrypted transmission only; no financial data may be stored beyond the transmission lifecycle
NBFC-AA vs Traditional NBFC
The NBFC-AA is a fundamentally different entity from a traditional NBFC. Understanding these differences is important for promoters deciding which regulatory path to pursue.
| Parameter | NBFC-AA | Traditional NBFC |
|---|---|---|
| Core Activity | Data sharing & facilitation (consent-based) | Lending, deposits, financial intermediation |
| Revenue Source | API usage charges, subscription fees | Interest income, processing fees |
| Financial Risk | Low; no lending exposure or credit risk | High; direct credit risk on loan book |
| Data Handling | Cannot store customer financial data | Not applicable; deals in money, not data |
| RBI Scrutiny Focus | Technology architecture & consent framework | Capital adequacy, credit norms, NPA management |
| Minimum NOF | ₹2 crore | Varies by category (₹2 crore+ for most) |
| Can it lend? | NO | Yes |
Revenue Model
The revenue model of an NBFC-AA is service-based, not data-based. An AA is strictly prohibited from monetising customer data directly. All permissible income must come from services rendered to ecosystem participants.
| Revenue Source | Description |
|---|---|
| API Usage Charges | Fees charged to FIUs per data request processed through the AA platform |
| Subscription Model | Annual or monthly subscription fees from financial institutions (FIPs and FIUs) for platform access |
| Data Access Fees | Per-transaction charges for each data retrieval and sharing event |
"The NBFC Account Aggregator model is a paradigm shift in financial data governance – from institution-controlled data to customer-controlled consent. The technical robustness of your consent architecture is what RBI scrutinises most closely. A strong technology foundation is not optional; it is the license."
Fees & Costs
The cost of obtaining an NBFC-AA registration is primarily driven by technology infrastructure investment rather than regulatory fees. The RBI does not charge an application fee.
| Cost Component | Amount / Note |
|---|---|
| RBI Application Fee | NIL |
| Professional Fees (legal & compliance) | Variable; depends on scope of engagement and complexity of application |
| Technology Infrastructure | HIGH; this is the most significant cost component: API systems, encryption, consent platform, security testing |
| CA Net Worth Certificate | Approximately ₹10,000 – ₹25,000 |
Timeline
The total timeline from commencement of preparation to receipt of the Certificate of Registration is typically 4 to 9 months, depending on the readiness of the applicant's technology infrastructure and the completeness of the application.
| Phase | Duration | Key Activity |
|---|---|---|
| Preparation | 3 – 6 weeks | Company incorporation, NOF structuring, IT framework development (technology setup is the critical path) |
| RBI Review | 3 – 6 months | Application scrutiny, IT architecture inspection, compliance framework evaluation (timeline is case-based) |
| Approval | 1 – 2 months | Post-scrutiny compliance confirmation and issuance of Certificate of Registration |
Post-Registration Compliance
Registration as an NBFC-AA is the beginning, not the end, of the compliance journey. RBI expects ongoing adherence to strict operational and reporting standards.
- Consent-based data sharing only – no unsolicited data requests; every data access event must be backed by a valid, active consent artefact
- Strict no-data-storage policy – the AA must operate only as a transient, encrypted data conduit at all times
- Strong encryption protocols – end-to-end encryption for all data in transmission must be maintained without exception
- Periodic audit and reporting to RBI – regular statutory returns and compliance reports must be filed with the Reserve Bank
- Regular IT system audits – periodic Vulnerability Assessment and Penetration Testing (VAPT) must be conducted and results documented
- Cybersecurity incident reporting – all incidents must be reported to CERT-In within the prescribed timeline and to the RBI
- Maintain audit logs – comprehensive logs of all consent transactions, data access events, and system activities must be maintained and available for regulatory inspection
Frequently Asked Questions
What is an NBFC Account Aggregator?
An NBFC Account Aggregator (NBFC-AA) is a class of Non-Banking Financial Company registered with the Reserve Bank of India that facilitates the secure, consent-based sharing of financial data between Financial Information Providers (FIPs) and Financial Information Users (FIUs). It acts purely as a data conduit, not as a financial intermediary.
Can an Account Aggregator store customer financial data?
No. An NBFC-AA is strictly prohibited from storing customer financial data. It operates as a transient, encrypted data pipe: data passes through the AA system only during the transmission process and is never retained or warehoused.
What is a Financial Information Provider (FIP)?
A Financial Information Provider (FIP) is an entity that holds customer financial data and is registered to share it via the AA framework. Examples include banks, NBFCs, mutual fund depositories, insurance companies, and pension fund managers.
What is a Financial Information User (FIU)?
A Financial Information User (FIU) is an entity that consumes customer financial data (with consent) through the AA ecosystem. Examples include lending platforms, wealth management applications, and fintech companies that use financial data for credit assessment or advisory services.
What is consent architecture in the AA framework?
Consent architecture refers to the technical and operational framework through which a customer explicitly authorises the sharing of their financial data. The consent must be time-bound, purpose-specific, revocable at any time, and fully auditable. A robust consent management system is central to RBI's evaluation of an AA application.
What is the minimum capital requirement for an NBFC-AA?
The minimum Net Owned Fund (NOF) required for an NBFC-AA registration is ₹2 crore. This must be maintained on a continuous basis. NOF is computed as paid-up equity capital plus free reserves minus accumulated losses and intangible assets.
Can an Account Aggregator lend money?
No. An NBFC-AA is a restricted category of NBFC that can only facilitate data sharing. It cannot undertake lending, accept deposits, or engage in any other financial intermediation activity. Its sole business is consented data facilitation.
What is the difference between an NBFC-AA and a traditional NBFC?
A traditional NBFC engages in financial intermediation (lending, leasing, investments) and earns interest income. An NBFC-AA only facilitates encrypted, consent-based data sharing between FIPs and FIUs. It cannot lend or store data, faces no direct credit risk, and is evaluated by RBI primarily on technology and consent architecture rather than capital adequacy.
What technology is required to operate as an NBFC-AA?
An NBFC-AA must have an API-based integration system, end-to-end encryption for all data in transit, a customer-facing consent dashboard, real-time authentication mechanisms, and comprehensive audit logs. RBI evaluates the architecture design itself, not just policy documents.
How does the revenue model of an NBFC-AA work?
An NBFC-AA earns revenue through service-based fees: API usage charges billed to FIUs per data request, subscription fees from financial institutions, and per-transaction data access charges. Importantly, an AA cannot monetise customer data directly; all income must be service-based.
What activities are prohibited for an NBFC-AA?
An NBFC-AA is prohibited from: storing customer financial data, using data for analytics without explicit consent, selling or monetising data, conducting lending or deposit-taking activities, performing unsolicited data requests, and undertaking any NBFC activity other than data facilitation.
How long does RBI approval for an NBFC-AA license take?
The overall timeline is approximately 4 to 9 months: 3 to 6 weeks for preparation (including technology setup), 3 to 6 months for RBI review and scrutiny of documents and IT architecture, and 1 to 2 months for final approval after compliance confirmation.
What is the COSMOS portal?
COSMOS (Company Submission Portal) is the RBI's online portal through which NBFC license applications, including NBFC-AA registrations, are submitted. Applicants must upload all required documents and the complete application package through this portal.
What is the consent flow in the AA ecosystem?
The consent flow is: (1) Customer initiates a consent request on the AA platform, (2) AA routes the consent request to the relevant FIP, (3) FIP shares the requested data only after consent is confirmed, (4) AA routes the encrypted data to the FIU, (5) Customer can revoke consent at any point, and (6) all steps are fully logged and auditable.
Can a fintech company become an AA or simply tie up with one?
A fintech company can either apply for its own NBFC-AA registration (if it meets all RBI eligibility criteria, including ₹2 crore NOF and a robust technology framework) or partner with an existing licensed AA to access data-sharing services. The tie-up route is faster and avoids the licensing overhead for most fintechs.
What is the purpose of the FLA return for an NBFC-AA?
The Foreign Liabilities and Assets (FLA) return must be filed by NBFC-AAs that have received foreign direct investment or hold foreign assets. It is filed annually with the RBI through the FLAIR portal and is a statutory compliance requirement under FEMA.
What are the data breach obligations for an NBFC-AA?
In the event of a cybersecurity incident or data breach, an NBFC-AA must report the incident to both CERT-In (within the prescribed timeline under CERT-In directions) and to the RBI. The entity must also have a documented incident response framework in place as part of its IT governance policy.
Can an NBFC-AA carry out other NBFC activities?
No. An NBFC-AA is a restricted category and cannot engage in any other NBFC activity such as lending, hire-purchase, leasing, or asset finance. Its Certificate of Registration from RBI restricts it solely to account aggregation and data facilitation services.
What is the practical use of the AA framework in digital lending?
In digital lending, the AA framework enables lenders (FIUs) to access a borrower's verified financial data (bank statements, GST returns, investment portfolios) with the borrower's explicit consent, in real time. This replaces manual document submission, accelerates credit underwriting, and significantly reduces fraud risk.
Why should I engage a professional for the NBFC-AA license application?
The NBFC-AA license involves a complex blend of regulatory compliance, technology architecture evaluation, and document preparation. RBI scrutinises not only the documents but the actual IT system design. A compliance professional helps align your application with RBI's expectations, avoid common rejection reasons, and significantly improve the probability and speed of approval.