Account Aggregation – Questionable Viability

September 9, 2021

The PSD2 (Revised Payment Service Directive) – going to be implemented across SEPA (Single Euro Payments Zone) in 2018 – will bring about many changes to how financial services are delivered to customers. However, the Directive has been in the news since its announcement for one major shift that has caught the market’s attention. It makes it compulsory for banks to open up their APIs to third-party providers and give them access to customers’ account information who have given their explicit consent. Additionally, the Directive lays down the security standards to be followed by all players. Thereby, it encourages competition and innovation while making the operations more secure.

One of the market players that benefits immensely from this change in rules is the account aggregator. The concept of account aggregators is not new to India. They have been around for more than a decade, using various means to procure customer data, aggregate it, and provide a range of services built on data analytics to customers, banks, and other market players.

As the concept of account aggregators gained more importance in the emerging financial services scenario, the Reserve Bank of India (RBI), India’s central bank, came out with its own Account Aggregator Directions in September 2016. The Directions make it compulsory for account aggregators to register with the RBI as Non-Banking Financial Company – Account Aggregator, thus making them a regulated entity. The aggregators will need to have net-owned funds of at least Rs. 20 million and shall not have a leverage ratio of more than 7.

The most impactful clauses of the Directions are those related to the storage and use of customers’ information. The Directions prohibit aggregators from accessing the login details and storing customers’ financial information. Aggregators can no longer undertake any business other than an aggregator, nor can they support transactions by customers. These directions effectively take away the business model of an account aggregator as it exists today. The ease of use offered to customers in the form of auto-login by the aggregator, investment advice, and sweep-in investments according to predefined goals are all a matter of the past. Nor can the aggregators offer value-added services to banks and FIs.

On a stand-alone basis, account aggregation is not a viable business model, as evidenced worldwide. The Indian financial sector customer is susceptible to costs and is unlikely to sign up for the service in the large numbers required to make the business viable on its own. As sharing customer information with anyone other than the customer or the FIU (financial information user) authorized by the customer is expressly prohibited by the guidelines, any possible revenue streams from that source can also not be considered for devising a business plan. What then is the way forward?

With these Directions coming into play, it appears inevitable that the aggregators’ major income source will have to be the FIUs – banks, FIs, Personal Financial Management firms (PFMs), etc. Even the FIUs currently aggregating the data themselves will now need to tie up with other aggregators for the data inputs. The only exception would be regulated firms consolidating data only from their own sector. (E.g. If a brokerage house wants to give a consolidated picture to its customers of their various market investments, it will continue to do so. However, the customer would not receive an overall picture across all financial investments.)

The aggregators face many challenges in making this transition. Most banks started looking at the associated services provided to the customers only after these nimble challengers created a market for them. With these challenges out of the running, it would need to be seen as to how many banks would want to be the nimble players they are now trying to be. There is already a hesitation from the banks’ side to sign on, and it is being witnessed in the market. The banks also have resource and legacy limitations that may prevent them from fully utilizing the information being provided by the aggregators.

However, other entities like the PFMs may prove to be more willing partners as their needs would synergize with the aggregators. This in itself is not free of challenges as PFMs will face their own issues now. Only regulated bodies can now act as FIUs. Thus, the PFMs that are unregistered with any regulator will either have to register themselves as a regulated entity or be up for grabs by one. Registering as a regulated entity entails a certain capital commitment. Going ahead, it is quite possible that PFMs that are already acting as aggregators may just want to spin off those parts of their operations. This could be a huge financial burden as the spin-off operations would have minimum capital requirements.

Other FIUs may see this as an opportunity to take over the existing aggregators and retain them as separate entities. An alternative for them would be to start their own subsidiaries/related entities for the purpose. However, the latter might take substantial investments of time and effort, while the existing players would provide a ready platform.

The second biggest challenge would be to enter into an agreement with all the FIPs (financial information providers), as laid down in the Directions. If the Directions had made it compulsory for the FIPs to share information in the event of customer consent (as is mandated by PSD2), the life of an aggregator would have become easier. It is, however, possible that the regulator had the security aspect of identity authentication of the aggregator in mind while including this clause. In addition, not all FIPs would have the technological, infrastructural, and financial capabilities to create the required secure channels.

Convincing the customer to sign up for stand-alone aggregation services will be a challenge in itself, even if the service is provided free. The average Indian customer is not financially savvy enough to understand the need to sign up with a third-party (for data aggregation) for a service provided by his financial service provider (the add-on services). This is where the tie-ups with the FIUs come into higher focus. The aggregator may just become a pop-up on the FIU’s website like a payment gateway currently is.

On the other hand, the Directions have a number of positive aspects. They resolved several issues that were beginning to cause friction in the industry. Storing of customers’ login details by the aggregator was one such friction point. Banks had started reacting by server mapping and making OTP mandatory for even balance inquiries. The new rules prevent aggregators from storing the information. The time taken by FIPs to share the information was another bone of contention between the players. The Directions make it mandatory for the FIPs to implement the required interfaces and provide a real-time response to the aggregators. The issue of screen-scraping and SMS-scraping is likely to get resolved now as the FIPs, aggregators, and FIUs become partners in the true sense of the word. Solutions will become more commoditized and standardized, moving away from the proprietary solutions currently in the market.

Overall, the directions appear to be quite balanced and appropriate for the situation from the regulator’s point of view. The rules ensure that all participants are regulated entities, sort out various issues that had cropped up amongst them, and make the interplay between them more seamless. However, like all emerging areas, the new regulations can be expected to cause a high degree of turmoil till things settle down and the market finds a new balance. RBI has always had to find a balance between encouraging innovative products and players and keeping the marketplace secure. These rules are also an attempt in the same direction. The only question is, Was it too soon? The reader may also expect this space to mature further, as RBI refines these Directions in the future, in line with its learnings, market response, and realities.

To learn about Prove’s identity solutions and how to accelerate revenue while mitigating fraud, schedule a demo today.

Keep reading

See all blogs
How to Defend Against the Rise of SIM Swap Attacks

The Federal Trade Commission (FTC) received reports of a significant increase in SIM swap attacks in 2023, and Experian's 2024 scam forecast identified SIM swapping as one of the top threats, emphasizing the need for heightened awareness and preventive measures.

Mary Ann Miller
July 24, 2024
Fraud in the Age of AI: Meet the Shapeshifter

The COVID-19 pandemic not only changed the way we work and live, it also unleashed a wave of fraud unlike anything we've seen before.

Mary Ann Miller
July 18, 2024
Company News
Introducing Prove Link™ – Unlocking the Power of Identity for Any Business

To continue achieving our mission of accelerating trusted interactions on the internet, we’re proud to announce the introduction of the Prove developer self-service platform and the Prove LinkTM SDK. With these tools, it’s now faster and easier for any company to integrate our industry-leading identity technology into its brand operations.

July 16, 2024
Company News