NBFC Account Aggregator Compliance


The Account Aggregator (AA) framework is India’s pioneering consent-based financial data sharing architecture, created by the Reserve Bank of India to give customers clear control over their financial information. An NBFC-AA is a specialized, data-blind intermediary — it does not lend, does not hold customer money, and does not see customer data. Its only role is to securely transport a customer’s consented financial information from a Financial Information Provider (FIP) like a bank or NBFC, to a Financial Information User (FIU) like a lender, insurer, or wealth manager.

NBFC-AAs sit at the heart of the emerging Digital Public Infrastructure (DPI) for finance. Strong AA compliance is not optional — it is a continuous blend of RBI NBFC-AA Directions, ReBIT technical standards, Sahamati ecosystem rules, Digital Personal Data Protection (DPDP) obligations, information security norms, and PMLA / AML discipline, all wrapped around a single core principle: no data flows without a valid, granular, revocable consent.

We offer end-to-end NBFC-AA compliance services — from CoR support and operating model design to consent framework implementation, ReBIT-aligned tech review, DPDP alignment, IS audit, RBI returns, ecosystem integration, and day-to-day compliance — so your AA stays regulator-ready, auditor-ready, and Sahamati-ready at all times.

Key facts at a glance:

  • ₹2 Cr: Minimum Net Owned Funds
  • Consent: Only basis for data flow
  • Data-Blind: AA cannot read customer data
  • RBI: NBFC-AA Master Directions

Regulations & Frameworks We Align With

  • RBI Act, 1934
  • NBFC-AA Master Directions
  • ReBIT Technical Specifications
  • Sahamati Rulebook
  • DPDP Act, 2023
  • IT Act & CERT-In
  • PMLA & FIU-IND
  • SBR Framework

The AA Ecosystem at a Glance

FIP (Financial Information Provider): Banks, NBFCs, mutual funds, insurers, and pension funds that hold the customer’s financial data.

AA (Account Aggregator): The data-blind NBFC-AA that moves consented data from the FIP to the FIU, without seeing the content.

FIU (Financial Information User): Regulated entities such as lenders, insurers, wealth managers, and advisors that consume data to serve the customer.

Our NBFC-AA Compliance Services

01. CoR & Structure Advisory: Advisory on NBFC-AA registration, in-principle / final CoR, and operating model design.

02. Consent Framework: Design and review of consent artefacts, dashboards, revocation flows, and audit trails.

03. ReBIT Tech Alignment: Gap assessment of the AA stack against ReBIT technical specifications and API schemas.

04. Sahamati Readiness: Alignment with Sahamati onboarding, certification, and the operational rulebook.

05. DPDP & Privacy: DPDP Act, 2023 alignment covering notice, consent, rights, grievance redressal, and DPO setup.

06. IS & Cyber Security: IS policy, CERT-In reporting, cyber resilience, and periodic IS audit coordination.

07. RBI Returns & Reporting: Periodic AA-specific returns, CoR conditions, event disclosures, and SBR compliance.

08. Audit & Inspection Support: Statutory audit, internal audit, IS audit, and responses to RBI & supervisory reviews.

Core Principles Every NBFC-AA Must Honour

  • Explicit, Granular Consent: No data flow without explicit, purpose-bound, and revocable customer consent.
  • No Access to Data (Data-Blind): The AA only transports encrypted data between FIP and FIU; it cannot read or store the payload.
  • Purpose Limitation: Data can be used only for the specific purpose disclosed to the customer in the consent.
  • Data Minimization: Only information strictly needed for the stated purpose is requested and shared.
  • Consent Revocation: Customers can view, manage, and revoke consent at any time via the AA app or dashboard.
  • End-to-End Audit Trail: Every consent, fetch, and data flow is logged to support regulator and customer audit.
  • No Lending or Own Products: NBFC-AAs cannot lend, invest, advise, or sell financial products on their own account.
  • Security & Encryption: Strong encryption, key management, and cyber resilience across every layer of the stack.
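The principles above describe an architecture rather than an API, so the following is an added, constructed illustration (not code from this page, the RBI directions, or the ReBIT specification) of how a data-blind, consent-gated relay behaves: the FIP encrypts the payload under a key shared only with the FIU, the AA checks the consent artefact (correct FIU, not revoked, not expired, requested FI type within the consented scope) and forwards the ciphertext untouched, and its audit log records only metadata. The consent fields, identifiers and sample statement are assumptions, and the hash-based stream cipher with an HMAC tag is a stand-in for the standard's real key exchange and cipher.

```python
# Constructed illustration of a data-blind, consent-gated relay with a
# metadata-only audit log. Not the ReBIT API schema; the cipher is a stand-in.
import hashlib
import hmac
import json
import os
import time
from dataclasses import dataclass, field


def keystream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode, XORed in); illustrative only."""
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> dict:
    """FIP side: encrypt-then-MAC so the FIU detects tampering in transit."""
    nonce = os.urandom(12)
    ct = keystream_cipher(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_sealed(key: bytes, env: dict) -> bytes:
    """FIU side: verify the tag before decrypting."""
    nonce, ct = bytes.fromhex(env["nonce"]), bytes.fromhex(env["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(bytes.fromhex(env["tag"]), expected):
        raise ValueError("integrity check failed")
    return keystream_cipher(key, nonce, ct)


@dataclass
class Consent:
    consent_id: str
    fiu_id: str
    purpose: str
    fi_types: frozenset   # data minimization: only these FI types may be fetched
    expires_at: float
    revoked: bool = False


@dataclass
class AccountAggregator:
    """Holds consent artefacts and an audit log, never a data key or payload."""
    consents: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, event: str, consent_id: str, fiu_id: str, **extra) -> None:
        self.audit_log.append({"ts": time.time(), "event": event,
                               "consent_id": consent_id, "fiu_id": fiu_id, **extra})

    def register(self, c: Consent) -> None:
        self.consents[c.consent_id] = c
        self._log("CONSENT_CREATED", c.consent_id, c.fiu_id, purpose=c.purpose)

    def revoke(self, consent_id: str) -> None:
        self.consents[consent_id].revoked = True
        self._log("CONSENT_REVOKED", consent_id, self.consents[consent_id].fiu_id)

    def relay(self, consent_id: str, fiu_id: str, fi_type: str, envelope: dict, now: float) -> dict:
        """Consent gate: right FIU, not revoked, not expired, FI type in scope."""
        c = self.consents.get(consent_id)
        if c is None or c.fiu_id != fiu_id:
            reason = "unknown consent or wrong FIU"
        elif c.revoked:
            reason = "consent revoked"
        elif now > c.expires_at:
            reason = "consent expired"
        elif fi_type not in c.fi_types:
            reason = "fi_type outside consented scope"
        else:
            self._log("DATA_RELAYED", consent_id, fiu_id, fi_type=fi_type,
                      ciphertext_bytes=len(envelope["ct"]) // 2)
            return envelope   # forwarded unchanged; the AA has no key to open it
        self._log("FETCH_REJECTED", consent_id, fiu_id, fi_type=fi_type, reason=reason)
        raise PermissionError(reason)


def run_scenario() -> dict:
    """Constructed sample flow: one FIP, one FIU, one consent; returns checkable facts."""
    session_key = os.urandom(32)            # FIP<->FIU key; the AA never receives it
    aa, now = AccountAggregator(), time.time()
    aa.register(Consent("c-001", "fiu-lender", "loan underwriting",
                        frozenset({"DEPOSIT"}), now + 3600))
    statement = json.dumps({"account": "XXXX1234", "balance": 52310.75}).encode()
    envelope = seal(session_key, statement)                                # FIP encrypts
    relayed = aa.relay("c-001", "fiu-lender", "DEPOSIT", envelope, now)    # AA forwards
    fiu_plaintext = open_sealed(session_key, relayed)                      # FIU decrypts
    rejections = []
    for fi_type, do_revoke in (("INSURANCE_POLICIES", False), ("DEPOSIT", True)):
        if do_revoke:
            aa.revoke("c-001")
        try:
            aa.relay("c-001", "fiu-lender", fi_type, envelope, now)
        except PermissionError as e:
            rejections.append(str(e))
    return {
        "fiu_plaintext": fiu_plaintext,
        "fip_plaintext": statement,
        "rejections": rejections,
        # Data-blind check: neither the ciphertext nor the log exposes the payload.
        "payload_visible_to_aa": (b"52310.75" in bytes.fromhex(envelope["ct"])
                                  or "52310.75" in json.dumps(aa.audit_log)),
        "events": [e["event"] for e in aa.audit_log],
    }
```

Running `run_scenario()` shows the FIU recovering the statement the FIP sealed, an out-of-scope FI type and a post-revocation fetch both refused with a logged reason, and an audit log that carries consent ids, FI types and byte counts but never the payload, which is the property an IS auditor would look for when checking the data-blind claim.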

Documents & Artefacts We Review

Regulatory & Corporate

  • NBFC-AA Certificate of Registration
  • MOA & AOA with AA objects
  • Board & committee charters
  • CoR conditions & undertakings
  • Fit & Proper declarations
  • RBI & supervisory correspondence

Tech & Consent Artefacts

  • ReBIT API implementation docs
  • Consent artefact templates
  • Revocation & dashboard flows
  • Encryption & key management design
  • Audit logs & data flow diagrams
  • IS & cyber security policy
  • Business continuity & DR plan

Policy & Compliance

  • Privacy & DPDP policy
  • Grievance redressal framework
  • KYC / AML / PMLA policy
  • Outsourcing & vendor policy
  • FIP / FIU onboarding SOPs
  • Customer charter
  • Sahamati-related undertakings

Our NBFC-AA Compliance Approach

1. Diagnostic: Review the current AA model, CoR conditions, policies, and tech stack against RBI & ReBIT norms.

2. Gap Assessment: Identify gaps in the consent framework, data flows, DPDP readiness, IS controls, and reporting.

3. Remediation: Build the remediation plan covering policies, flows, contractual changes, tech fixes, and training.

4. Implementation: Hands-on support for policy rollout, process changes, artefact updates, and user training.

5. Monitoring: Ongoing compliance calendar, RBI returns, IS audit coordination, and incident response support.

Why Robust AA Compliance Matters

  • Protect your CoR and supervisory standing
  • Avoid penalties under RBI and DPDP Act
  • Strengthen customer trust in your AA brand
  • Remain Sahamati-compliant and ecosystem-ready
  • Pass IS audits and RBI inspections cleanly
  • Onboard quality FIPs & FIUs faster
  • Robust consent architecture and audit trails
  • Credibility with investors, partners & regulators

Ongoing Compliance Obligations for NBFC-AAs

  • NOF & Leverage: Continuous maintenance of minimum NOF and compliance with leverage / prudential norms.
  • RBI Returns: AA-specific periodic returns, event-based disclosures, and supervisory reporting.
  • Consent & Audit Trails: Logging of every consent, fetch, and data flow with immutable audit trails.
  • DPDP Compliance: Notice, consent, DPO, rights, and breach reporting obligations under the DPDP Act.
  • IS Audit & CERT-In: Periodic IS audit, incident reporting to CERT-In, and cyber resilience testing.
  • Sahamati Rulebook: Alignment with Sahamati operational rules, dispute resolution, and conduct standards.
  • Grievance Redressal: Customer grievance cell, RBI IOS integration where applicable, and public disclosures.
  • Corporate Filings: MCA filings (AOC-4, MGT-7, DIR-3 KYC), statutory audit, income tax, and GST.

FAQs on NBFC-AA Compliance

What is an NBFC-AA?
An NBFC-AA is a specialized Non-Banking Financial Company registered with the Reserve Bank of India under the NBFC-AA Master Directions. It acts as a data-blind consent manager that transports a customer’s financial data between a Financial Information Provider (FIP) and a Financial Information User (FIU), strictly on the basis of explicit customer consent.

What are the key compliance pillars for an NBFC-AA?
Key pillars include continuous compliance with the NBFC-AA Master Directions, ReBIT technical specifications, the Sahamati rulebook, the DPDP Act, CERT-In cyber obligations, PMLA / FIU-IND reporting, corporate and tax compliance, and a strong consent architecture backed by end-to-end audit trails.

Can an NBFC-AA see or store customer data?
No. By design, an NBFC-AA is data-blind. It only transports encrypted data from the FIP to the FIU on the basis of the customer’s consent. It cannot read the content of the data, retain the payload, or use it for any purpose of its own. Any deviation from this design is a fundamental breach of the framework.

Does the DPDP Act apply to NBFC-AAs?
Yes. The DPDP Act, 2023 applies to all entities processing personal data, including NBFC-AAs. This includes obligations around notice, consent, purpose limitation, customer rights, grievance redressal, breach reporting, and appointment of a Data Protection Officer where applicable.

What is the role of Sahamati?
Sahamati is the self-regulatory body for the Account Aggregator ecosystem. While it is not a statutory regulator, it plays a critical role in onboarding, certification, interoperability, dispute resolution, and adoption of operational rulebooks for AA participants. Alignment with Sahamati rules is expected in practice by counterparties and supervisory authorities.

Is an IS audit mandatory for NBFC-AAs?
Yes. Given the sensitive nature of AA operations, an IS audit is a core compliance expectation. NBFC-AAs are required to maintain robust information security controls, undergo periodic IS audits, follow CERT-In reporting obligations, and maintain business continuity and disaster recovery arrangements.

Can an NBFC-AA offer lending or investment advice?
No. NBFC-AAs are prohibited from undertaking any financial activity other than account aggregation. They cannot lend, invest, hold customer funds, sell financial products, or provide advice. The only permissible activity is the data-blind transport of customer data between FIPs and FIUs on the basis of consent.

What are the consequences of AA non-compliance?
Non-compliance can lead to monetary penalties from the RBI and under the DPDP Act, restrictions or conditions on the AA CoR, supervisory action, reputational damage, loss of partners, Sahamati-level consequences, and in severe cases, cancellation of the Certificate of Registration itself. Personal liability of directors and key officers can also arise in specific circumstances.

Run a Regulator-Grade, Ecosystem-Ready NBFC-AA

Partner with our specialists for end-to-end NBFC-AA compliance — consent architecture, ReBIT & Sahamati readiness, DPDP alignment, IS audit, and ongoing RBI reporting, all under one roof.
