Account Aggregator India: consent and revoke - citizen guide 2026
You linked your bank to get a loan faster, and now you want that data tap switched off. With an Account Aggregator you can revoke that consent yourself in a few taps, and the lender stops getting fresh data the moment you do.
Quick answer: An Account Aggregator (AA) is an RBI-licensed company that moves your financial data from one institution to another only with your explicit, time-bound consent. It never sees, stores, or uses the data itself. You can revoke any consent at any time inside the AA app, and the data flow stops.
What an Account Aggregator is
An Account Aggregator is a special non-banking financial company licensed by the Reserve Bank of India. It acts as a secure consent manager between the institution that holds your financial data and the one that wants to use it. The AA carries the data through, but cannot read, store, or sell it.
How it works: the three roles
The framework has three players, and you are the most powerful one.
- You, the customer. You own the data and you control every consent. Nothing moves without your tap.
- FIP (Financial Information Provider). The institution that already holds your data, such as your bank, mutual fund registrar, or insurer.
- FIU (Financial Information User). The institution that wants your data to give you a service, such as a lender checking your bank statements before a loan.
The AA sits in the middle as a pipe with a lock. When an FIU asks for data, the AA shows you a consent request. If you approve, the AA fetches the data from the FIP and delivers it to the FIU. Per RBI's NBFC-AA Master Direction, 2016, no financial information of the customer accessed by the Account Aggregator from the providers shall reside with the Account Aggregator. In plain words, the AA is data-blind.
Step by step: link, consent, and revoke
Step 1: Pick and register on an AA app
- Choose an RBI-licensed AA. The current, official list of licensed Account Aggregators is published by Sahamati at https://sahamati.org.in/account-aggregators-in-india/ . Well-known consumer apps include Finvu, OneMoney, CAMS Finserv, Anumati, and NADL.
- Register using your mobile number that is linked to your bank accounts.
Step 2: Link your accounts
- Inside the app, search for your bank or institution and link the account. The AA discovers accounts tied to your registered mobile number.
- Linking only creates the connection. It does not share any data yet. Data moves only after a separate consent.
Step 3: Give consent
- When an FIU needs your data, you get a consent request showing the purpose, the exact data types, the FIU name, and how long the access lasts.
- Read it carefully, then approve only if the purpose and duration match what you expect. Per the Master Direction, this standardised consent must state the purpose, the nature of the information, the recipient, and the consent expiry date.
Step 4: Revoke consent
- Open your AA app and go to the consents or active consents section.
- Select the consent you want to stop and tap revoke. The AA must give you a feature to revoke consent, including the ability to revoke parts of it.
- Once revoked, no fresh data is shared with that FIU under that consent. The data flow stops at that point.
Your rights and what an AA cannot do
- You can revoke any time. The RBI rules require every AA to give you a working revoke feature.
- The AA cannot see your data. It is a blind pipe, not a reader. The data does not reside with the AA.
- Consent is purpose-bound and time-bound. Each consent carries a stated purpose, data types, an FIU name, and an expiry date.
- No consent, no data. No financial information is retrieved, shared, or transferred without your explicit consent.
- You can link and unlink freely. Linking an account is not the same as sharing it.
Common mistakes and safety tips
- Approving without reading the duration. A consent can run for months. Check the validity period and shorten it if the app allows.
- Confusing linking with sharing. Linking is just a connection. Watch for the separate consent screen before any data moves.
- Using an unlicensed app. Only use AAs on the Sahamati list. If a name is not there, do not link your accounts.
- Ignoring purpose mismatch. If an FIU asks for far more data than the service needs, decline and ask why.
- Forgetting old consents. Review your active consents every few months and revoke any you no longer need.
- Sharing OTPs outside the app. A genuine AA flow never asks you to read out an OTP to a caller.
Real-life example. Kashvi Pathak linked her savings account through an AA app to apply for a personal loan. The lender, acting as the FIU, asked for six months of bank statements for a stated loan-assessment purpose. After her loan was approved, she opened the AA app, found the active consent, and revoked it so the lender could not pull any fresh statements. The data tap closed the same day, and the AA itself had never stored a copy of her statements.
Sample revocation request note
If your AA app is down and you need a written record, you can send a short note to the AA support team. Keep a copy for yourself.
To: Support, [Name of your Account Aggregator] Subject: Request to revoke consent and stop data sharing Dear Team, I am a registered customer of your Account Aggregator service. Mobile number: [registered number] Consent reference / handle: [consent ID if shown in app] I wish to REVOKE the following consent with immediate effect: - FIU (recipient): [name of lender or institution] - Purpose stated: [for example, loan assessment] - Linked account: [bank name, last 4 digits] Please stop all further data sharing under this consent and confirm the revocation in writing to this mobile number. Thank you, [Your name] [Date]
FAQ
Is an Account Aggregator regulated by anyone?
Yes. An AA is a non-banking financial company licensed by the Reserve Bank of India under the NBFC-AA Master Direction, 2016. Only RBI-licensed companies may run an AA service.
Can the Account Aggregator read or sell my financial data?
No. Under the Master Direction, the data accessed by the AA does not reside with it. The AA is a data-blind pipe that moves data only between the provider and the user you approve.
What is the difference between an FIP and an FIU?
An FIP (Financial Information Provider) holds your data, like your bank. An FIU (Financial Information User) wants your data to give you a service, like a lender assessing a loan.
How do I revoke consent?
Open your AA app, go to the consents section, select the active consent, and tap revoke. RBI rules require every AA to provide a working revoke feature. After revoking, no fresh data is shared under that consent.
Does linking my bank account mean I am sharing my data?
No. Linking only creates the connection. Data is shared only after you approve a separate consent that names the purpose, data types, recipient, and duration.
Which Account Aggregator apps can I trust?
Use only those on the official list published by Sahamati. Names you may see include Finvu, OneMoney, CAMS Finserv, Anumati, and NADL. Always verify the current list before linking.
Is there a fee to use an Account Aggregator?
For most consumers the AA flow inside a lender or app is free to use. The AA earns from the institutions, not usually from you. Check the app before you proceed.
What happens to data already shared before I revoked?
Revoking stops future data sharing under that consent. Data already delivered to the FIU is governed by that institution's own privacy and retention rules, so you may also ask the FIU to delete it.
Sources
- Reserve Bank of India, Master Direction Non-Banking Financial Company Account Aggregator Directions, 2016: https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=10598
- Department of Financial Services, Ministry of Finance, Account Aggregator Framework: https://financialservices.gov.in/
- Sahamati, Account Aggregators in India: https://sahamati.org.in/account-aggregators-in-india/
Related on RTI Wiki
Reader signal
Was this article useful?
Tap once if it helped you. These counters show other citizens which pages are worth reading.