The Account Aggregator Framework Explained for IIBF Digital Banking
The account aggregator framework has quietly become one of the most important pieces of India's digital banking plumbing, letting customers share their financial data securely and with explicit consent. For bankers preparing for the IIBF Digital Banking certification, understanding how this consent-based data-sharing ecosystem works is now essential, because it underpins faster lending, better financial advice and a new wave of fintech products.
This guide explains the account aggregator framework end to end: the players, the consent architecture, the RBI rules that govern it, and how it connects to digital lending. Read on, and then test your grasp with our practice questions.
What the Account Aggregator Framework Actually Is
The account aggregator framework is an RBI-regulated, consent-based system that allows individuals and businesses to share their financial information from one institution to another in a secure, machine-readable, real-time manner. An Account Aggregator (AA) is a special class of Non-Banking Financial Company licensed by the RBI under the 2016 Master Direction for NBFC-AAs.
Crucially, an AA is a data blind pipe. It moves encrypted data between institutions but cannot read, store or use that data itself. It earns revenue from facilitation, not from selling information. This separation of "data movement" from "data use" is the design principle that makes the system trustworthy.
The framework replaces older, messier ways of sharing financial data such as:
- Screen scraping, where apps asked for your net-banking password, a major security risk.
- Physical statements, which were slow, forgeable and hard to verify.
- PDF uploads, which lacked authenticity and standard structure.
Instead, data flows in a standardised, digitally-signed, tamper-evident format. The system went live in September 2021 with the launch of the AA ecosystem by eight major banks, and by 2026 it spans banks, insurers, mutual funds, pension funds and tax data. If you are studying these reforms alongside other RBI topics, our CAIIB course ties them into the wider banking syllabus.
The Four Roles in the Ecosystem
To master the account aggregator framework for the exam, you must be able to name and distinguish four core roles. Examiners love testing whether you can tell an FIP from an FIU.
- Financial Information Provider (FIP): The institution that holds your data and shares it on instruction. Examples include banks, NBFCs, mutual fund registrars, insurers and the GST network. The FIP packages and digitally signs the data.
- Financial Information User (FIU): The institution that consumes the data to deliver a service, such as a lender assessing a loan or a wealth manager building a portfolio. An FIU must be regulated by a financial sector regulator (RBI, SEBI, IRDAI or PFRDA).
- Account Aggregator (AA): The licensed NBFC-AA that brokers consent and moves data between FIP and FIU without seeing it.
- The Customer: The data principal who grants or revokes consent at every step and remains in control.
A single bank can wear two hats: it is an FIP when it shares a customer's account data and an FIU when it pulls another bank's data to underwrite a loan. The standards that bind these roles together are maintained by Sahamati, a self-organised collective, and built on the open DEPA (Data Empowerment and Protection Architecture) APIs. Keeping up with role-related circulars is easy via the IIBF news and updates page.
How Consent Works: The Heart of the System
The defining feature of the account aggregator framework is its granular, revocable consent mechanism, delivered through a machine-readable object called the Consent Artefact. Nothing moves without it. When an FIU requests data, the AA presents the customer with a consent request specifying exactly what is being shared and why.
Every consent must define these parameters:
- What data is being shared (for example, six months of savings-account transactions).
- Purpose of the sharing, such as a personal-loan application.
- Frequency and whether it is a one-time or recurring pull.
- Duration for which the consent remains valid, after which it expires.
- Data life, meaning how long the FIU may retain the data.
The customer can revoke consent at any time through the AA app, instantly stopping future data flows. This "consent dashboard" model gives individuals control that screen scraping never offered. The system is also designed around data minimisation: an FIU should request only the fields it genuinely needs. Because each artefact is digitally signed and logged, there is a clear, auditable trail of who accessed what and when, which supports both customer trust and regulatory supervision. Practising scenario questions on consent flows helps cement this; try our mock tests to check your understanding.
Account Aggregators and RBI Digital Lending
The account aggregator framework is the engine behind much of India's regulated digital lending. Under the RBI's Digital Lending Guidelines, first issued in 2022 and progressively tightened, lenders must follow strict rules, and AAs make compliant data collection far easier.
Key RBI digital lending principles that interact with AAs include:
- Direct disbursal: Loan money must flow directly between the lender's and borrower's bank accounts, with no pass-through pooling via the lending app or its agents.
- Regulated entity accountability: The Regulated Entity (a bank or NBFC) remains responsible even when a Lending Service Provider runs the app.
- Key Fact Statement (KFS): Borrowers must receive a standardised KFS showing the all-inclusive Annual Percentage Rate before signing.
- Data localisation and minimisation: Apps may collect only need-based data, stored in India, with clear consent.
By pulling verified bank-statement and income data through an AA, a lender performs cash-flow-based underwriting in minutes rather than days, which is especially powerful for thin-file borrowers and small businesses lacking long credit histories. This is why the AA rails and the digital lending rulebook are so often examined together. To revise interest and rate concepts that feed into the APR calculation, keep the current RBI rates reference handy while you study.
Benefits, Risks and the Road Ahead
The account aggregator framework delivers clear benefits but also carries responsibilities that bankers must appreciate.
Benefits include:
- Faster, paperless onboarding and loan approvals.
- Stronger security, since net-banking passwords are never shared.
- Financial inclusion through cash-flow-based lending for the underserved.
- Customer empowerment via a single consent dashboard.
Risks and challenges include:
- Consent fatigue, where users approve requests without reading them.
- Uneven FIP onboarding, meaning some institutions still lag in joining.
- Customer awareness gaps about how to revoke consent.
Looking ahead, the ecosystem is expanding beyond banking into insurance, securities, pensions and tax data, moving India towards a genuine open-finance model. As the upcoming Digital Personal Data Protection regime takes effect, the consent-led design of AAs positions them well for compliance. For bankers, the practical takeaway is to be able to explain the four roles, the consent artefact and the AA's data-blind nature in plain language to customers. Reinforce the terminology with our match-the-terms game, and browse more explainers on the iibf.store blog.
For authoritative guidance, refer to the official resources of the Reserve Bank of India and the Indian Institute of Banking & Finance.
Frequently Asked Questions
Is the account aggregator framework safe to use?
Yes. An Account Aggregator is an RBI-licensed NBFC that acts as a data-blind pipe, meaning it cannot read or store your financial data. You never share net-banking passwords, every transfer needs your explicit consent, and the encrypted, digitally-signed data flow is far safer than screen scraping or PDF uploads.
What is the difference between an FIP and an FIU?
A Financial Information Provider (FIP) holds and shares your data, such as your bank or mutual fund registrar. A Financial Information User (FIU) consumes that data to provide a service, like a lender underwriting a loan. The same bank can act as both, depending on whether it is sharing or using data.
Can I cancel consent once I have given it?
Absolutely. The framework is built around revocable consent. Using the Account Aggregator app, you can withdraw any active consent at any time, which immediately stops future data sharing for that purpose. Each consent also has a fixed expiry and a defined data-retention period after which the user's data must be deleted.
Do account aggregators charge customers a fee?
Generally, customers do not pay to use an Account Aggregator. AAs typically earn revenue from the Financial Information Users that consume data through the platform, charged on a per-request or facilitation basis. The customer-facing experience is designed to be free, encouraging adoption and broad participation across the financial ecosystem.
Conclusion: Turn Knowledge Into Marks
The account aggregator framework sits at the centre of India's digital banking transformation, linking consent, data security and modern lending. If you can confidently explain the four roles, the consent artefact and how AAs power compliant digital lending, you are well ahead on this part of the syllabus. Lock in your learning now by attempting a focused set of Digital Banking practice tests, or build broader command of the topic through our structured CAIIB course.
Take a free mock test, download chapter PDFs, or watch a video class — all included on iibf.store.
