RBI NBFC Guide

NBFC Account Aggregator License: Complete RBI Registration Guide

NBFC Account Aggregator License in India – detailed RBI registration process, eligibility, documents, compliance requirements, and step-by-step AA licence guide.
šŸ“… 2025
|
ā±ļø 18 min read
|
šŸ‘ļø Regulatory Guide
|
āœ… Expert Reviewed
Focus: NBFC Account Aggregator License: Complete RBI Registration Guide
Regulator
RBI
Min Net Owned Fund
₹2 Crore
Application Fee
NIL
Approval Timeline
4–9 months

Introduction to NBFC Account Aggregator License

The NBFC Account Aggregator (NBFC-AA) is a specialised category of Non-Banking Financial Company registered with the Reserve Bank of India. An NBFC-AA is authorised to collect and share the financial data of customers securely, and exclusively on the basis of their explicit consent. It does not deal with money — only with the secure, structured flow of financial information. The AA framework is built on a data fiduciary model. The Account Aggregator acts only as a conduit — a regulated data pipe — between financial institutions that hold data and those that need it. It is not a data warehouse. It does not retain, analyse, or monetise customer data independently. Critical Regulatory Principle: An NBFC-AA acts ONLY as a transient data conduit, never as a data warehouse. Data passes through the AA system in encrypted form and is never stored. This is the foundational principle of the entire framework. The growing importance of this framework cannot be overstated. The AA ecosystem is the backbone of open banking in India, enabling instant digital lending decisions, personal finance management (PFM) applications, insurance underwriting based on verified financial data, and wealth management platforms that require a holistic view of a customer's finances — all with the customer in full control of their data.

What is an NBFC Account Aggregator

In simple terms, an NBFC-AA is a bridge between financial institutions and their customers. It securely transfers a customer's financial data from institutions that hold it to institutions that the customer wishes to share it with — based entirely on the customer's explicit, time-bound, and revocable consent. From a compliance perspective, an NBFC-AA is a restricted category of NBFC registered under the Reserve Bank of India Act. Its activities are strictly limited to data facilitation — it cannot lend, accept deposits, or engage in any other form of financial intermediation. Legally, the framework operates under the " " RBI Master Directions – NBFC Account Aggregator, the IT Act 2000, and the data privacy and consent frameworks including the Digital Personal Data Protection (DPDP) Act. What an NBFC-AA CANNOT do: Store customer financial data at any point Use financial data for analytics or profiling without explicit, purpose-specific consent Sell, monetise, or transfer customer data to any third party independently Engage in lending, investments, or any other NBFC activity

Regulatory Framework

The NBFC-AA framework is governed by a layered regulatory structure combining RBI directions, IT law, and evolving data privacy legislation. Regulatory Dimension Governing Authority / Instrument Primary Regulator Reserve Bank of India (RBI) Governing Law RBI Act 1934 & FEMA (where applicable) Master Direction NBFC – Account Aggregator Directions (RBI) Ecosystem Participants Financial Information Providers (FIPs), Financial Information Users (FIUs), Account Aggregators (AAs) IT Framework RBI IT Framework for NBFCs & CERT-In Directions Data Privacy IT Act 2000 & Digital Personal Data Protection (DPDP) Act — consent framework

AA Ecosystem Participants

The Account Aggregator ecosystem comprises four distinct participants, each with a defined role. Understanding this structure is essential before applying for an NBFC-AA registration. Participant Role Examples Position in Ecosystem FIP (Financial Information Provider) Data Provider Banks, NBFCs, Mutual Funds, Insurance Companies Holds customer financial data FIU (Financial Information User) Data User Lenders, fintech lending apps, wealth management platforms Consumes customer financial data AA (Account Aggregator) Data Facilitator Licensed NBFC-AA entities Routes data from FIP to FIU with consent Customer Data Owner Individual / Business Gives or revokes consent; controls all data sharing

Who Needs an NBFC-AA License

Any entity that intends to operate as a data aggregation intermediary within India's regulated financial ecosystem needs an NBFC-AA registration from the RBI. This includes: Fintech companies offering financial data aggregation as a core service to banks, NBFCs, or other financial institutions Digital lending platforms that intend to use customer financial data for credit assessment in a structured, regulated manner Wealth management platforms that need a holistic view of a customer's financial profile across multiple institutions Digital banks and neo-banks seeking to build open banking capabilities on a regulated data infrastructure Personal Finance Management (PFM) applications that aggregate account data across institutions to provide financial insights to users Entities that do not wish to operate independently as an AA can instead partner with a licensed NBFC-AA. The tie-up route is commercially faster and avoids full licensing overhead for most fintechs.

Eligibility Criteria

RBI has prescribed specific eligibility criteria for entities seeking to register as NBFC-AAs. Meeting these criteria is a prerequisite before submitting the application. Criteria Requirement Practical Note Entity Type Company incorporated under the Companies Act Mandatory — LLPs and individuals are not eligible Net Owned Fund (NOF) Minimum ₹2 crore Must be maintained continuously; NOF = paid-up equity capital + free reserves − accumulated losses − intangible assets Promoter Fit & Proper Clean track record RBI evaluates credibility, background, and financial integrity of all promoters and directors IT Infrastructure Secure, scalable, API-ready system Critical for approval — RBI evaluates the actual architecture design, not just policy documents Data Security Framework End-to-end encryption, consent management, audit logs RBI's primary focus area; ISO-level standards are expected Business Model Pure data facilitation — no lending, no data storage An NBFC-AA cannot conduct any other NBFC activity

Documents Required

A complete and well-prepared document package is critical for a successful NBFC-AA application. The following documents are required: Certificate of Incorporation (COI) — issued by the Ministry of Corporate Affairs MOA & AOA — the Memorandum and Articles of Association must explicitly include Account Aggregator activity in the objects clause Net Worth Certificate — CA-certified certificate clearly demonstrating minimum ₹2 crore Net Owned Fund Detailed Business Plan — comprehensive plan explaining how the AA will operate, including proposed FIP and FIU partnerships and revenue model IT Policy & Architecture Document — system design documentation including API framework, security architecture, and data flow diagrams Data Privacy Policy — documenting the consent management system, customer rights framework, and data flow procedures Director KYC — PAN, Aadhaar, and background verification for all directors and key management personnel Board Resolution — authorising the company to apply for NBFC-AA registration with the RBI The IT Policy and Architecture Document is not a formality — RBI actively scrutinises the technical design. Weak or generic IT documentation is one of the most common reasons for application delays or rejection.

Registration Process

The NBFC-AA registration process involves six key steps. Each step must be completed thoroughly before proceeding to the next. Step 1: Incorporate the Company Incorporate a company under the Companies Act 2013. Ensure that the Memorandum of Association explicitly includes Account Aggregator activity — data facilitation and consent-based financial data sharing — in the objects clause. This is a mandatory prerequisite for the RBI application. Step 2: Achieve Minimum Net Owned Fund Ensure the company has a minimum Net Owned Fund of ₹2 crore at the time of application. Obtain a CA-certified Net Worth Certificate confirming this. The NOF must be maintained on a continuous basis even after registration. Step 3: Build the IT and Data Security Framework This is the most critical and time-intensive step. Develop a robust, API-based integration system with end-to-end encryption, a customer-facing consent management dashboard, real-time authentication, and comprehensive audit logging. The architecture must meet RBI's IT framework requirements and ISO-level security standards. Step 4: Prepare the Complete Application Package Compile all required documents — including the business plan, IT architecture documentation, data privacy policy, director KYC, Net Worth Certificate, and board resolutions. Each document must be accurate, complete, and consistent with the others. Step 5: Submit Application via RBI COSMOS Portal Submit the complete NBFC-AA registration application through the RBI's COSMOS (Company Submission) portal. All documents must be uploaded in the prescribed format. Incomplete submissions result in automatic delays. Step 6: RBI Scrutiny and Certificate of Registration RBI conducts a detailed review of the application, including scrutiny of the IT architecture and the consent management framework. The RBI may request clarifications or additional information. Upon satisfactory compliance, the Certificate of Registration as an NBFC-AA is granted.

The consent architecture is the heart of the NBFC-AA framework. The entire regulatory model is built on the principle that customer financial data can only be shared with " " explicit, revocable, and granular consent. Without a strong consent management system, RBI approval is not achievable. The four defining characteristics of AA consent are: Time-bound access — consent is not permanent; it is granted for a defined period and expires automatically Purpose-specific sharing — data can only be shared for the stated purpose at the time of consent; it cannot be repurposed Revocable at any time — the customer can withdraw consent at any point, immediately stopping further data sharing Fully auditable — every consent action (grant, use, revocation) must be logged and traceable Consent Flow: Customer initiates a consent request on the AA platform AA routes the consent request to the relevant FIP FIP shares the requested data only after consent is confirmed AA routes the encrypted data to the FIU Customer can revoke consent at any point during or after the process All actions are logged with complete audit trails

Technology Architecture

The NBFC-AA is one of the most technology-intensive licenses issued by the RBI. Unlike most other NBFC categories where the primary regulatory focus is on capital adequacy and credit norms, the RBI evaluates the actual technology architecture of an AA applicant — not merely its policy documents. The following technology components are mandatory for an operational NBFC-AA: API-based integration system — all data exchange between the AA, FIPs, and FIUs must occur through secure, standardised APIs; no manual data transfer is permissible End-to-end encryption — data must never exist in plaintext at any point during transmission; encryption must cover data at rest and in transit Consent management dashboard — a customer-facing interface through which users can view, manage, and revoke their consent in real time Real-time authentication system — robust multi-factor authentication for all customer interactions Audit logs & monitoring tools — comprehensive logging of all system events, data access requests, and consent transactions RBI evaluates the architecture design itself — not just documentation. Applicants who submit generic IT policy documents without a credible technical implementation are likely to face delays or rejection.

IT Governance & Cybersecurity

Given that an NBFC-AA handles sensitive financial data of customers across multiple institutions, RBI imposes a high standard of IT governance and cybersecurity. The following requirements are expected: ISO-level security standards — ISO 27001 certification is strongly recommended and signals credibility to RBI evaluators Regular VAPT — Vulnerability Assessment and Penetration Testing must be conducted periodically to identify and remediate security weaknesses Data encryption at all stages — encryption must apply to data both at rest (if any temporary buffering occurs) and in transit at all times Incident response framework — a documented, tested framework for detecting, responding to, and reporting cybersecurity incidents No data retention — the system must be designed for temporary encrypted transmission only; no financial data may be stored beyond the transmission lifecycle Cybersecurity incidents must be reported to both CERT-In (within the mandated timeline under CERT-In directions) and to the RBI. An incident response framework is not merely best practice — it is a regulatory expectation.

NBFC-AA vs Traditional NBFC

The NBFC-AA is a fundamentally different entity from a traditional NBFC. Understanding these differences is important for promoters deciding which regulatory path to pursue. Parameter NBFC-AA Traditional NBFC Core Activity Data sharing & facilitation (consent-based) Lending, deposits, financial intermediation Revenue Source API usage charges, subscription fees Interest income, processing fees Financial Risk Low — no lending exposure or credit risk High — direct credit risk on loan book Data Handling Cannot store customer financial data Not applicable — deals in money, not data RBI Scrutiny Focus Technology architecture & consent framework Capital adequacy, credit norms, NPA management Minimum NOF ₹2 crore Varies by category (₹2 crore+ for most) Can it lend? NO Yes

Revenue Model

The revenue model of an NBFC-AA is service-based, not data-based. An AA is strictly prohibited from monetising customer data directly. All permissible income must come from services rendered to ecosystem participants. Revenue Source Description API Usage Charges Fees charged to FIUs per data request processed through the AA platform Subscription Model Annual or monthly subscription fees from financial institutions (FIPs and FIUs) for platform access Data Access Fees Per-transaction charges for each data retrieval and sharing event Important: An NBFC-AA cannot sell, share, or monetise customer data independently under any circumstances. All revenue must be earned through legitimate service-based charges to ecosystem participants. “The NBFC Account Aggregator model is a paradigm shift in financial data governance — from institution-controlled data to customer-controlled consent. The technical robustness of your consent architecture is what RBI scrutinises most closely. A strong technology foundation is not optional; it is the license.” — CS Devyani Khambhati, Compliance Expert

Fees & Costs

The cost of obtaining an NBFC-AA registration is primarily driven by technology infrastructure investment rather than regulatory fees. The RBI does not charge an application fee. Cost Component Amount / Note RBI Application Fee NIL Professional Fees (legal & compliance) Variable — depends on scope of engagement and complexity of application Technology Infrastructure HIGH — this is the most significant cost component; API systems, encryption, consent platform, security testing CA Net Worth Certificate Approximately ₹10,000 – ₹25,000 Technology infrastructure is the dominant cost for any NBFC-AA applicant. Entities that underinvest in their technical foundation risk rejection at the RBI scrutiny stage — making the investment essential, not optional.

Timeline

The total timeline from commencement of preparation to receipt of the Certificate of Registration is typically 4 to 9 months, depending on the readiness of the applicant's technology infrastructure and the completeness of the application. Phase Duration Key Activity Preparation 3 – 6 weeks Company incorporation, NOF structuring, IT framework development (technology setup is the critical path) RBI Review 3 – 6 months Application scrutiny, IT architecture inspection, compliance framework evaluation (timeline is case-based) Approval 1 – 2 months Post-scrutiny compliance confirmation and issuance of Certificate of Registration

Post-Registration Compliance

Registration as an NBFC-AA is the beginning, not the end, of the compliance journey. RBI expects ongoing adherence to strict operational and reporting standards. Consent-based data sharing only — no unsolicited data requests; every data access event must be backed by a valid, active consent artefact Strict no-data-storage policy — the AA must operate only as a transient, encrypted data conduit at all times Strong encryption protocols — end-to-end encryption for all data in transmission must be maintained without exception Periodic audit and reporting to RBI — regular statutory returns and compliance reports must be filed with the Reserve Bank Regular IT system audits — periodic Vulnerability Assessment and Penetration Testing (VAPT) must be conducted and results documented Cybersecurity incident reporting — all incidents must be reported to CERT-In within the prescribed timeline and to the RBI Maintain audit logs — comprehensive logs of all consent transactions, data access events, and system activities must be maintained and available for regulatory inspection

Frequently Asked Questions

faqs.map((faq, i) => ( faq.q faq.a ))

Start Your NBFC-AA Registration Journey

The Account Aggregator framework is reshaping India's financial data landscape. Whether you are building a new AA platform or integrating with the ecosystem, our team provides end-to-end support — from technology architecture review to RBI application submission.