Account aggregators and e-consent for credit markets

The public credit registry (PCR), a centralized credit information system, would improve data quality and help borrowers build reputational collateral. However, a PCR alone isn’t sufficient; lenders also need information on borrowers’ financial assets. The Reserve Bank of India’s account aggregator infrastructure addresses this by allowing borrowers to share financial asset information securely and with consent. While this system limits data misuse, it requires robust legal frameworks to ensure data is used only for intended purposes.

This article was first published in The Mint. You can read the original at this link.

On 4 July 2017, on the occasion of the 11th Statistics Day Conference, Viral Acharya delivered a speech calling for the establishment of a public credit registry (PCR) in India. He argued that by building a robust and centralized credit information system, we will be able to bring transparency to the credit market that will allow borrowers to build up their “reputational collateral", reward good borrowers and encourage credit discipline.

India has a multiplicity of credit information repositories. As a result, it is very difficult for lenders to form a comprehensive view of the indebtedness of potential borrowers as their credit information is dispersed across multiple entities. Additionally, as the formats in which the data is required to be reported to each of these entities varies widely, there is no assurance about the quality of the data, even if it were to be aggregated.

A PCR that operates as the single point of mandatory reporting of credit information, would remove these inconsistencies, leading to improvements in data quality and offering a mechanism by which borrowers of all levels can establish the reputational collateral that is needed. It would additionally allow lenders to distinguish between different types of borrowers, avoiding the pitfall of adverse selection where lenders overcharge low-risk borrowers and undercharge high-risk borrowers simply because they don’t have accurate data.

However, even after the PCR is established, it will only be one part of the solution. A registry of credit gives lenders an accurate snapshot of only the indebtedness of a borrower. It provides no information as to that person’s financial assets. In determining whether or not to grant a loan, lenders need to evaluate both the existing debt burden of the individual as well as the details of her financial asset portfolio to assure themselves that she will be able to service the loan.

At present, lenders meet this second requirement by asking for copies of bank statements and other financial assets of the borrower and then physically verifying the copies presented to them against original records. The process is time-consuming and runs the risk of fraud. What is required is a trusted, electronic system through which borrowers can provide lenders with verifiable information about their financial assets in an auditable, electronic format that is both accurate and up to date.

It is with this in mind that the Reserve Bank of India is establishing the account aggregator infrastructure, a digital architecture that offers borrowers a mechanism by which potential lenders can view their financial assets without compromising privacy and confidentiality. Central to this construct is the account aggregator, a regulated third-party entity whose sole function will be to maintain and operate a trusted platform on which registered users can link details of their financial accounts, such as bank accounts, mutual funds and insurance accounts.

Whenever potential lenders need evidence of the financial assets of a potential borrower, they will have to issue an electronic request setting out details of the data sought and the purpose for which it will be used. To limit the risk of over-consenting, lenders will only be able to request limited information for specified purposes using templates that have been designed keeping in mind principles of data minimization and purpose limitation. Once this request has been received, the borrower can digitally consent to the specific request, thereby authorizing the account aggregator to extract the relevant information from the financial asset portfolio that has been linked. Based on the authority of the digital consent artefact, the account aggregator will instruct the relevant financial institutions to issue digitally signed copies of the required information to the lender.

Regular readers of this column will be familiar with my aversion to an over-reliance on consent as a mechanism to safeguard privacy. However, the electronic consent artefact contemplated in the account aggregator framework is not the same as the over-broad, confusingly worded terms of service that we most frequently encounter. It is, to the contrary, a specific, one-time request for limited information, intended to be used for a clearly defined purpose. As such, consent deployed in this manner is highly unlikely to be misconstrued and, as only a limited amount of data is provided, the risk of misuse is contained.

That said, as much as this construct achieves the objective of purpose limitation, there is no way to ensure that once financial data has been provided, the recipients will only use it for the purposes for which it was requested. At present, there is no technological construct by which the data that has been provided using the account aggregator framework will automatically expire once its original purpose has been served. Nothing stops lenders from retaining, and using, data long after its purpose is served.

It is for this reason that the account aggregator architecture needs to be firmly ensconced within an extended regulatory framework that imposes restrictions over and above that which is contained within the technological framework of the consent artefact. While technology offers new means by which results can be achieved, it is critically important that we remember to ground these solutions in appropriately robust legal frameworks.