The Account Aggregator framework is an RBI-regulated system that lets you share your own financial data, bank statements, investments, insurance, between regulated institutions with a single digital consent you can revoke anytime.
Author: Aadarsh Patel | EQMint
Instead of downloading a PDF bank statement and emailing it to a lender, you tap approve in an app, and your data flows securely and directly. The company in the middle, the Account Aggregator, works as a blind pipe: it moves your encrypted data but cannot read, store or sell it.
It’s been live since September 2021, and by the end of 2025 over 252 million users had linked accounts. If UPI became the rails for moving money, the Account Aggregator Framework is becoming the rails for moving financial data.
You’ve probably already used it without knowing the name. That consent screen when applying for a loan on a fintech app, the one asking permission to fetch your bank data, that’s the Account Aggregator Framework at work.
Here’s how the framework actually works, in plain language, who the players are, what it does for you and where to stay alert.
The problem it solves
Start with the old way, because it explains why this matters. To get a loan, you’d download bank statement PDFs, maybe share your net-banking password with an app, or hand over paper copies. Slow, clumsy and genuinely risky, since you were giving away access you couldn’t control or take back.
The Account Aggregator Framework replaces all of that with one consent-based digital transfer. No passwords shared, no PDFs emailed, no screen-scraping. You decide exactly what data to share, with whom, for how long, and you can pull that permission back whenever you want. It turns a leaky, manual process into a controlled, revocable one.
The three players, in plain terms
The whole system runs on three roles. Once you see them, everything else makes sense.
| Player | Plain meaning | Example |
| FIP | Holds your data | Your bank, mutual fund, insurer |
| AA | Moves it, blindly | OneMoney, Finvu, Anumati |
| FIU | Wants to use it | A lender, wealth app, insurer |
The FIP (Financial Information Provider). The institution that already holds your data, your bank, mutual fund house, insurer, depository or even the GST network for business data. It’s the source.
The AA (Account Aggregator). The consent manager in the middle, an RBI-licensed company like OneMoney, Finvu or Anumati. This is the crucial one: it shows you every request, captures your consent and moves the encrypted data, but it cannot read, store or sell any of it. It’s a blind pipe, nothing more.
The FIU (Financial Information User). The institution that wants your data to give you a service, usually a lender deciding on a loan, but also wealth apps building a full view of your holdings or insurers assessing income. An FIU must itself be regulated by RBI, SEBI, IRDAI or PFRDA, so your data never flows to an unregulated party.
How it actually works, step by step
Here’s the full journey of a single data request, which usually completes in 2 to 5 seconds.
You apply for something, say a loan, on an app (the FIU). The app sends a consent request to your chosen Account Aggregator, spelling out exactly what data it wants, from where, for how long and why.
You see that request on your AA app and review it. If you approve, the AA fetches the encrypted data from your bank (the FIP) and passes it to the lender (the FIU). The lender reads it, makes its decision, and you can revoke the consent whenever you like afterward.
The detail that protects you. The data moves end-to-end encrypted, and the Account Aggregator never holds the key to read it. It’s a sealed envelope passing through a courier who can’t open it. The consent itself is granular and digitally signed, specifying purpose, exact data scope and duration, so you’re never handing over blanket access.
What data can flow, and what can’t
Be honest about the current state, because the Account Aggregator Framework is still filling in. A lot works, some things don’t yet.
What’s live and widely available: individual savings accounts across the major banks, and investments like equities, mutual fund units, ETFs and more through CDSL and NSDL. The ecosystem spans banking, securities, insurance and pension data, pulling in regulators across RBI, SEBI, IRDAI and PFRDA.
What’s still patchy as of early 2026: joint accounts aren’t supported by banks yet, NRE and NRO accounts aren’t discoverable, current accounts for partnerships and companies are largely excluded, and depository transaction history is often capped at around 2 years. So the framework is powerful but not yet complete, and a given app may not find every account you have.
Why it’s becoming the rails of Indian fintech
Take a clear position on why this matters so much. The Account Aggregator Framework is quietly doing for data what UPI did for payments, building a common, standardised, government-backed rail that every player can plug into.
The scale is already large. By the end of 2025 the framework counted over 252 million users with linked accounts and 2.61 billion accounts enabled for sharing, with more than 400 institutions consuming data and over 120 acting as both provider and user. Adoption among borrowers reached roughly 38%, and it’s climbing fast.
The reason it spreads is genuine efficiency. For you, a loan that once took days of paperwork can be approved in minutes. For lenders, instead of building error-prone tools to read thousands of different bank PDF formats, they receive clean, standardised, machine-readable data through one common pipe. That efficiency is why nearly every serious Indian fintech is wiring itself into the framework, which is exactly what makes it infrastructure rather than just another feature.
Where to stay alert
It’s a well-designed, privacy-first system, but using it well still takes attention. Here’s the honest guidance most explainers skip.
Read the consent screen properly, don’t just tap approve. The three things to check every time are the purpose (why they want it), the scope (exactly what data) and the duration (a one-time pull, or recurring access for months). A lender underwriting a single loan needs a one-time pull, not a year of daily access to your accounts. Watch especially for recurring consent that lasts far longer than the service needs.
Two more habits. Use your AA app’s dashboard to review active consents periodically and revoke any you no longer need, since you can withdraw access anytime and the FIU must then stop fetching. And remember the framework is entirely voluntary, no one can force you to register or share, so if a consent request asks for more than the service plainly requires, you’re free to decline. The system gives you control. Using that control is on you.
Is the Account Aggregator safe?
On balance, yes, and the design is the reason. Your data moves encrypted, the Account Aggregator can’t read or store it, data only ever reaches regulated institutions, every transfer is logged in an audit trail, and you hold a revocable, granular consent that aligns with the DPDP Act’s privacy principles. It’s a meaningful step up from emailing PDFs or sharing passwords.
The realistic caution isn’t a flaw in the rails, it’s human. The risk is consent fatigue, approving requests without reading them, and granting broader or longer access than needed out of habit. The framework hands you genuine control over your financial data, probably more than you’ve ever had. The honest takeaway is to actually use that control, read before you approve and revoke what you don’t need, and the Account Aggregator becomes one of the better things to happen to your financial privacy.
FAQ
What is the Account Aggregator framework?
An RBI-regulated system that lets you share your financial data between regulated institutions through a single digital consent you can revoke anytime. It replaces PDF statements, shared passwords and screen-scraping with secure, consent-based transfer.
Can an Account Aggregator see my financial data?
No. The Account Aggregator works as a blind pipe. It moves your encrypted data and never holds the key to read it, and it cannot store, use or sell your information. RBI rules prohibit this.
What are FIP, AA and FIU?
The FIP is the institution holding your data, like your bank. The AA is the licensed consent manager that moves it, such as OneMoney or Finvu. The FIU is the regulated institution that uses it, like a lender or wealth app.
Is using an Account Aggregator mandatory?
No, it is entirely voluntary. No one can force you to register with an Account Aggregator or share your data, and you can decline any consent request or revoke an existing one at any time.
How long does an Account Aggregator data transfer take?
Usually 2 to 5 seconds once you approve the consent. The Account Aggregator fetches the encrypted data from the provider and passes it to the requesting institution near instantly.
What data can I share through it?
Individual savings accounts across major banks and investments like equities, mutual funds and ETFs via CDSL and NSDL are widely live. As of early 2026, joint accounts, NRE/NRO accounts and many business current accounts are not yet supported.
Can I cancel consent after giving it?
Yes. You can revoke any active consent at any time from your Account Aggregator app’s dashboard. Once revoked, the institution must stop fetching your data.
Is the Account Aggregator framework safe?
It is built privacy-first: data is encrypted, the AA cannot read or store it, data only reaches regulated institutions, and every transfer is logged. The main risk is human, approving requests without reading the purpose, scope and duration.
EQMint is not a SEBI registered investment adviser. This article is for informational purposes only and is not investment or legal advice. The Account Aggregator framework is governed by RBI regulations and the participating institutions, and details evolve, so verify current specifics with your bank or licensed Account Aggregator.
For more such information visit EQMint
Join our Whatsapp channel for timely updates: Whatsapp






