Sahamati’s SRO Approval: A Game‑Changer for India’s Account Aggregator Ecosystem
The Reserve Bank of India’s nod for Sahamati as a Self‑Regulatory Organisation will standardise data sharing across banks, fintechs, and consumers.
6/5/2026
India’s digital banking landscape is expanding rapidly, yet secure data sharing remains a stumbling block. When customers move funds or apply for credit, banks rely on fragmented data silos that can lead to errors, delays, and privacy concerns. The Account Aggregator model, introduced by the Reserve Bank of India (RBI), promises a unified, consent‑based data exchange, but its success hinges on a trusted regulatory framework. The recent approval of Sahamati as a Self‑Regulatory Organisation (SRO) marks a pivotal step. By granting Sahamati the authority to oversee Account Aggregators, the RBI aims to tighten compliance, standardise security protocols, and foster confidence across the ecosystem. This move raises a key question: how will Sahamati’s new role shape the future of data sharing in India’s banking ecosystem? The answer lies in the organisation’s ability to bridge technical standards, enforce strict audit trails, and create a marketplace where banks, fintechs, and consumers can interact safely. These safeguards also reduce the risk of data breaches and streamline onboarding for new services.
Background
The RBI’s Account Aggregator (AA) framework was unveiled in 2020 to enable consumers to give explicit, time‑bound consent for their financial data to be shared between banks, non‑bank financial institutions, and third‑party service providers. AAs act as intermediaries that pull information from multiple source accounts—such as savings, loans, insurance, and investment products—and present it to the chosen recipient in a single, readable format. To prevent misuse, the RBI mandated that every AA be regulated by a Self‑Regulatory Organisation. An SRO must develop industry norms, monitor compliance, conduct audits, and enforce penalties. Until now, the industry had been split between a handful of established players and newer entrants, each following their own set of rules. The lack of a unified oversight body had made it difficult for banks to assess the trustworthiness of an AA and for customers to understand the security guarantees in place. By appointing Sahamati as the first SRO, the RBI seeks to bring a common set of standards and a single point of accountability to the ecosystem.
How Sahamati’s SRO status enhances trust and compliance
Sahamati’s new mandate gives it the legal authority to set operating guidelines that every AA must follow. This includes a mandatory audit trail, encryption standards, and a clear escalation process for data‑related incidents. By centralising these requirements, banks can rely on a single compliance framework rather than negotiating with each aggregator separately. The SRO also has the power to impose fines or revoke membership if an AA fails to meet its obligations. Such enforcement capability signals to the market that data protection is not optional but a core requirement. For customers, this translates into a higher level of assurance that their consent is respected and that any data shared is protected by industry‑grade security. In practice, this means that when a customer authorises a loan application, the AA will automatically verify that all parties have adhered to the same security checklist before the data reaches the lender.
Practical benefits for banks, fintechs, and customers
With Sahamati steering the AA ecosystem, banks can accelerate product launches that rely on real‑time data. For example, a credit‑scoring firm can pull a borrower’s transaction history from multiple accounts in a single request, reducing the underwriting cycle from weeks to days. Fintechs, especially those offering payment‑as‑you‑go or micro‑loans, now have a clear compliance pathway and can avoid costly regulatory surprises. Customers gain a smoother experience: a single consent form grants access to a range of financial services, eliminating the need to repeatedly share credentials. Moreover, the SRO’s audit reports are publicly available, allowing consumers to verify that an AA is operating within the prescribed limits. This transparency is expected to increase adoption rates, as users feel safer sharing their data. Ultimately, the SRO’s oversight is likely to lower systemic risk by ensuring that no single aggregator can become a point of failure in the data‑sharing chain.
Practical implications
For banks, the immediate next step is to align their internal data‑sharing policies with Sahamati’s published standards. This may involve updating API specifications, tightening encryption protocols, and training compliance teams to interpret audit findings. Fintechs should register with Sahamati’s SRO portal and submit their technical architecture for review. Consumers, meanwhile, should keep an eye on the AA consent dashboard that lists all active aggregators and the data they can access. When signing up for a new financial product, users should confirm that the AA is listed under Sahamati’s approved roster. In the long term, the SRO’s regulatory framework will likely reduce the cost of compliance, as a single set of guidelines replaces multiple, fragmented ones. By staying proactive and engaging with Sahamati’s oversight mechanisms, stakeholders can ensure that the benefits of the Account Aggregator model are realised safely and efficiently.
Key takeaways
- Sahamati’s SRO approval centralises compliance, giving banks a single standard for all Account Aggregators.
- The SRO can enforce audits, penalties, and membership revocation, boosting data‑sharing security.
- Banks and fintechs can streamline product launches by relying on a unified, consent‑based data pipeline.
- Consumers benefit from greater transparency and a single consent mechanism that protects privacy.
- The new oversight is expected to lower systemic risk and accelerate the adoption of digital banking services.
