Open Banking and Data Fiduciary Obligations: Legal Tensions Between the Account Aggregator Framework and the DPDP Act

Introduction

India’s Account Aggregator (AA) framework, launched through the RBI’s master direction in 2016 and operationalised at scale from 2021, is among the most ambitious financial data portability initiatives anywhere in the world. It enables individuals to share financial data — bank statements, tax filings, insurance records, mutual fund holdings, pension account information — across financial institutions in a standardised, consent-based format, with the AA acting as a neutral consent manager and data pipeline rather than a data repository. The framework’s design is elegant: the customer controls the data flow, the AA does not see the data content, and the financial information provider (FIP) and financial information user (FIU) interact only with explicit, revocable customer consent.

The Digital Personal Data Protection Act 2023 (DPDP Act), India’s landmark data protection legislation that came into force in stages through 2024, creates a comprehensive framework for personal data processing built around the concept of the “data fiduciary” — an entity that determines the purpose and means of processing personal data. It imposes consent, transparency, and accountability obligations on data fiduciaries, along with data principal rights including the right to access data, correct errors, and seek erasure.

The intersection of these two frameworks — the AA’s consent architecture and the DPDP Act’s data fiduciary regime — creates a series of legal tensions that practitioners are only beginning to work through. Which entity in the AA ecosystem is the “data fiduciary”? Does the AA’s consent mechanism satisfy the DPDP Act’s consent standards? How do data principal rights under the DPDP Act operate when data is being processed under an AA consent artefact? These are not merely academic questions: they determine the accountability framework for one of the most significant data-sharing ecosystems in the country.

Legal Framework

The Account Aggregator framework is governed by the RBI’s Master Direction on Non-Banking Financial Company — Account Aggregator (Reserve Bank) Directions 2016, which created the NBFC-AA as a new regulated entity category. The AA is licensed by the RBI, is prohibited from storing financial data, and operates exclusively as a consent management and data routing platform. The technical standards for data exchange are governed by the financial data management API specifications developed by the Sahamati collective (now Rebit — Reserve Bank Information Technology Private Limited) and maintained through the Financial Information Exchange (FIX) protocol.

The DPDP Act 2023 defines a “data fiduciary” as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. “Processing” includes collection, storage, use, sharing, disclosure, deletion, and destruction of personal data. Under this definition, multiple entities in the AA ecosystem could qualify as data fiduciaries: the FIP that collects and shares the data, the FIU that receives and uses it, and potentially the AA itself for its role in managing consent artefacts and routing data requests.

The DPDP Act’s definition of “consent” requires it to be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. The AA consent artefact, which specifies the purpose, frequency, duration, and category of data to be shared, is structurally designed to satisfy these requirements. However, the alignment is not perfect, particularly around the “specific” requirement: AA consents often encompass broad categories of financial data for specified purposes, and whether this level of specification is sufficient under the DPDP Act is not yet definitively settled.

Judicial and Regulatory Developments

The Data Protection Board of India, established under the DPDP Act, has not yet adjudicated cases directly addressing the AA framework. However, the Ministry of Electronics and Information Technology (MeitY) has published draft data protection rules that address deemed consent and the obligations of data fiduciaries processing data in financial services contexts. The rules’ treatment of processing under existing regulatory frameworks — including RBI-mandated processing — will determine the extent to which DPDP Act obligations supplement or are displaced by the AA’s regulatory regime.

The RBI’s own data governance framework for AAs, which includes audit requirements, security standards, and grievance redressal obligations, overlaps with several DPDP Act requirements. The question of whether RBI-regulated entities are fully subject to the DPDP Act or benefit from a partial exemption for processing conducted under RBI directions is one that the implementing rules have not definitively resolved.

Contemporary Issues and Analysis

The data fiduciary characterisation question is the most immediately consequential. If the FIU that receives customer financial data through the AA is characterised as a data fiduciary — which it arguably is, since it determines the purpose of processing — it faces the full suite of DPDP Act obligations: appointment of a Data Protection Officer (for significant data fiduciaries), maintenance of a grievance redressal mechanism, data breach notification to the Data Protection Board within 72 hours, data retention limitations, and accountability for all sub-processors.

Many FIUs are fintech lenders, credit bureaus, wealth managers, or insurance companies that are already regulated entities with their own data governance frameworks. The question of how DPDP obligations layer onto existing RBI, SEBI, and IRDAI requirements is a significant compliance design challenge.

The right to erasure creates a particularly sharp tension with the AA framework. Under the DPDP Act, a data principal may request erasure of their personal data. But the financial records that flow through the AA — bank statements, transaction histories, tax filing data — are also subject to regulatory retention requirements under separate law. Banks must retain records for specified periods under the Banking Regulation Act and the RBI’s guidelines; income tax data must be retained for assessment periods; insurance records have their own retention regime. A customer’s DPDP Act erasure request may therefore be legally unenforceable with respect to data that is simultaneously subject to mandatory retention requirements. The Act’s own exceptions acknowledge this conflict but do not resolve it with the precision that would allow compliance officers to act with confidence.

The deemed consent provisions of the DPDP Act are another point of tension. Section 7 of the DPDP Act permits processing without explicit consent in specified circumstances — including processing “necessary for compliance with any law for the time being in force.” If an AA-mediated data flow is characterised as necessary for compliance with RBI directions, FIUs might argue that deemed consent applies and the full AA consent process is not required for certain processing. This interpretation, if accepted, would undermine the AA framework’s consent-centric design.

Comparative and International Perspective

The European Union’s open banking framework under PSD2 (Payment Services Directive 2) predates India’s AA framework and operates differently: it creates account access rights for licensed third-party providers (TPPs) based on API access to bank accounts, with GDPR providing the data protection overlay. The GDPR-PSD2 intersection has generated extensive regulatory guidance and enforcement action from European data protection authorities, providing a rich body of experience for India to learn from.

The UK’s open banking framework, implemented through the Open Banking Implementation Entity (OBIE), is generally regarded as the most technically mature. Post-Brexit, the UK maintains its own open banking standards while GDPR principles continue under the UK GDPR.

India’s AA framework has some advantages over PSD2: it is more comprehensive (covering multiple financial data categories beyond just payments), more consent-centric (requiring explicit consent for each data-sharing operation), and less dependent on screen-scraping. However, the DPDP Act creates a new compliance complexity that Europe addressed through the established GDPR framework from the outset.

Practical and Policy Implications

For AAs and financial institutions, the immediate practical need is a MeitY-RBI joint clarification on the DPDP Act’s application to AA-mediated data flows. Without this, compliance teams are working from legal opinions rather than authoritative regulatory guidance, creating variation in implementation and uncertainty about enforcement risk.

For consumers, the AA framework genuinely expands financial data portability and enables access to credit and financial services based on actual financial behaviour rather than collateral. The DPDP Act adds a further layer of data principal rights. If these frameworks are properly integrated, the consumer protection outcome is strong. If they conflict, consumer experience may deteriorate as financial institutions impose more conservative data handling practices to manage ambiguous compliance risk.

Suggestions and Reforms

MeitY and RBI should issue a joint guidance note clarifying the allocation of DPDP Act obligations among AA ecosystem participants, specifying which entity bears data fiduciary obligations for which processing activities, and confirming that the AA consent artefact satisfies the DPDP Act’s consent standard when properly implemented.

The DPDP Act’s implementing rules should include a specific schedule for financial data processing, providing clear guidance on the interaction between data principal rights (particularly erasure) and regulatory retention requirements.

Conclusion

The Account Aggregator framework is a remarkable institutional achievement that places India at the global frontier of open banking. The DPDP Act is a necessary and overdue legislative intervention in data protection. Their intersection, however, creates a regulatory complexity that neither framework was designed to resolve. The legal tensions are real, the compliance implications are significant, and the resolution requires active coordination between MeitY and the RBI — coordination that is institutionally possible but has not yet produced the clarity that practitioners and regulated entities need.

About the Author

Leave a Reply

Your email address will not be published. Required fields are marked *

You may also like these