Remarks at Account Aggregator Ecosystem Go-Live

Remarks by Siddharth Tiwari, Chief Representative of the BIS Office for Asia and the Pacific.

Thank you for inviting me to this event. I am honoured to be part of this august gathering. We, at the Bank for International Settlements (BIS), have been observing with keen interest the tremendous progress and innovations made in India in the past few years. We look forward to working closely with the Reserve Bank of India and other innovators in India to share the Indian experience and approach with the broader international community. In my brief comments today, I would like to provide a global perspective on the account aggregator model.

Globally, most countries have privacy laws that recognise the rights of individuals over their data. These laws give data subjects – consumers and businesses in this case – the opportunity to exercise control over their data through the granting or withholding of consent to the use and transfer of these data. However, consumers find it difficult to effectively operationalise this consent for two reasons.

Firstly, a service provider usually seeks consent to use and transfer data at a time when a consumer is agreeing to participate in an activity with the service provider. Since this consent is sought ex ante for a wide range of possibilities, it is broad and sweeping in nature.

Secondly, newly created data are often gathered and retained in proprietary silos, and stored in various institutions in incompatible formats. Consumers can find it difficult to share their data as they have only limited options to combine data requests across institutions.

Thus, service providers who are custodians of data effectively act as de facto owners of data. Inaccessible data, including data isolated in silos, represent a significant cost to consumers and to society.

What is this cost? The digital footprint of consumers has increased dramatically as more and more activity has moved online. Advanced computing techniques have enabled this ever expanding data footprint to provide benefits. Traditionally, economic systems ensure that individuals and businesses have ownership rights over commodities which they create but this is not the case with data. The cost is therefore the absence of ownership on the part of individuals and businesses – and the consequent absence of benefits that this ownership would bring.

How can this be corrected? Correcting this requires a granular consent-based data governance system that is user-friendly and has low transaction costs. Such a system will preclude the need for consumers to provide the broad, sweeping consent described earlier. A robust consent-based data sharing system has the potential for consumers to derive value from their data while maintaining control. When used appropriately many benefits can result from access to a large stock of comprehensive transactional and locational data on an individual – the individual's "information capital".

As a concrete example, let us look at financial intermediation. The World Bank Findex data shows that while significant gains have been made in bringing individuals into the formal financial system, many account holders do not save funds in their accounts and an even smaller proportion are in a position to borrow from the system. This is not just a developing country or emerging market phenomenon. It is true even in jurisdictions with high levels of income and education (including financial literacy), and near universal bank accounts.

There are two reasons for this. First, tangible capital as collateral is key to lending. The young take time to accumulate tangible collateral and the poor never do.  Second, these low-margin, high-risk consumers are uneconomical to reach.

Academic research has shown how information created by the monitoring of financial intermediaries could allow firms with low value collateral to finance their investments. More recently, transactional and locational data gathered from these potential borrowers' activities have been used by banks to lessen their dependence on tangible collateral. A readily available consent-based data sharing system which is both user- and business-friendly with low transaction costs is essential for consumers and businesses to share data for their benefit.

In India, the account aggregator (AA) operationalises a consent-based data governance system. Through an AA the owners of the data control which information is shared, with whom and for how long. The AA consent data-sharing framework allows individuals and small businesses to use their personal financial data or "information capital" in the manner described above to gain access to improved financial services, including lending, insurance, savings and securities.

Can such a system be developed to scale? We have seen in the past that India has leveraged technology very successfully for the public good. Previous BIS work has shown how the public sector in India has used technology to leapfrog traditional development processes by facilitating both the opening of bank accounts and the making of payments. A digital ID, steered by the state, helped more than a billion people to gain access to the banking system. Layered upon this is a fast payments system – unified payments interface (UPI) – that is interoperable, allows open/contestable entry and operates within the regulatory framework. It has made payments services universally available in the country.

Such a data governance system would also be the next layer for the India Stack, which is a shining example of how a unified, multi-layered set of public sector digital platforms can combine to provide substantial benefits to the population, from promoting financial inclusion and increased efficiency to enhancing financial stability. In the India Stack, while the official sector defines the regulatory framework, the private sector is encouraged to engage in innovation and manage the consumer interface. In other words, it seeks to build a balanced framework between protecting consumers on the one hand and supporting market innovation on the other.

Finally, what should be the global approach to data governance? The Data Empowerment and Protection Architecture (DEPA) framework seeks to ensure that standards are open and interoperable; and that consent is granular, revocable, auditable and secure. Yet this alone may not be sufficient. In the absence of a globally coordinated approach, data could remain in walled gardens and owned by private service providers, or innovation will migrate to jurisdictions with the lowest data protection standards. This could in turn compromise both privacy and the creation of publicly available large datasets that are key for competitive innovation. Thus, to complement initiatives like DEPA, we very much need an international discussion on these important issues.