Account Aggregator: Share Bank Data for Loans, Skip the PDFs

Anyone who has applied for a loan in India knows the drill: download six months of bank statements, hunt for the PDF password, email them across, then wait while someone keys in your numbers. The Account Aggregator framework was built to kill that ritual. It lets you share your financial data with a lender or app in a few taps — encrypted, consent-based, and without a single attachment changing hands.

Quietly regulated by the Reserve Bank of India and live since 2021, the system now reaches deep into everyday finance. By the end of 2025, more than 2.6 billion accounts had been enabled for sharing and over 110 million users had linked at least one account. If you have taken a digital loan, opened a new investment account or used a budgeting app recently, there is a fair chance an Account Aggregator was working in the background.

What an Account Aggregator actually does

Think of it as a secure courier for your financial information. You hold the data at your bank. A lender wants to see it. The Account Aggregator stands in the middle, asks for your permission, and then carries the data across in a sealed, encrypted form.

The crucial detail: the aggregator is data-blind. It cannot open the envelope. It moves the encrypted payload from the source to the destination, records that you said yes, keeps an audit trail, and nothing more. It does not store your statements, and it cannot read your balance. That design is what separates this from the old habit of forwarding sensitive PDFs over email or WhatsApp, where copies linger forever on servers you do not control.

These entities are licensed by the RBI as NBFC-AAs — a special category of non-banking financial company whose only job is to manage consent and move data. As of early 2026 there are around 17 operational aggregators, including names like Finvu, OneMoney, CAMS Finserv, NADL and Anumati. Several large apps plug into one of these behind the scenes, so you may have used one without recognising the brand.

Three players: FIP, FIU and the aggregator

The ecosystem runs on three roles, and understanding them makes the whole thing click.

• FIP (Financial Information Provider): the institution that holds your data and hands it over. Your bank, mutual fund registrar, insurer, pension fund or GST system.
• FIU (Financial Information User): the entity that wants the data to offer you something — typically a lender checking whether you can repay, but also wealth apps, personal-finance trackers and insurers.
• NBFC-AA (Account Aggregator): the consent manager in the middle that connects the two and carries the encrypted data.

A single institution can wear two hats. A large bank, for instance, is usually both an FIP (it shares your account data when you consent) and an FIU (it pulls data when you apply for its products). What never changes is that the data only flows because you pressed approve.

How a single share works, step by step

The flow is deliberately short. Here is what happens when, say, you apply for a personal loan and the lender uses an aggregator:

1. Register and link. The first time, you set up a handle with an AA and link your bank accounts using your registered mobile number — no account passwords are ever shared.
2. The request arrives. The lender (the FIU) raises a consent request for exactly what it needs, for example six months of one savings account.
3. You approve — on your terms. You see the purpose, the duration, and how often the data can be fetched, and you either approve or reject. This is the moment of control.
4. The bank ships it sealed. Your bank (the FIP) fetches the data and encrypts it.
5. The aggregator carries it. The AA forwards the encrypted bundle without reading it.
6. The lender uses it. The FIU decrypts the data and uses it strictly within the approved purpose and window.

The whole exchange can finish in under a minute, which is why digital lenders love it — and why a process that once took days now closes while you wait.

The part that protects you: consent you can pull back

The strongest feature is the one people overlook. Every share carries a defined purpose, duration and frequency, so a lender cannot quietly keep dipping into your account for years after a one-time loan check. A consent for a single underwriting decision looks very different from one a money-management app needs to refresh monthly.

You can also revoke consent at any time from the aggregator app. The moment you do, future data fetches stop. One honest caveat worth remembering: data already shared under a valid consent stays with the institution that received it — revoking is not a delete button for the past, only a stop valve for the future. So treat each approval like signing something, and read the purpose line before you tap yes.

A few habits keep you safe:

• Check the FIU's name and the stated purpose before approving. If an app asks for far more history than the task needs, decline.
• Prefer the shortest duration that gets the job done. A loan check rarely needs open-ended access.
• Periodically open your AA app and review active consents, revoking anything you no longer use.
• Remember the AA never asks for your net-banking password or OTP to a third party — anyone who does is running a scam, not an aggregator.

Why this matters beyond skipping paperwork

The convenience is the hook, but the bigger shift is who holds the keys to your financial identity. For years, your data sat in silos, and unlocking it meant printing it out or surrendering login details. The framework flips that — it treats your bank statements, investments and insurance as yours to lend out, briefly and on purpose, then take back.

That has real consequences. A small trader with a thin credit history can now share genuine cash-flow data and get assessed on it, rather than being rejected for lacking a formal record. A first-time borrower can prove reliability without a CIBIL track record. Personal-finance apps can show your whole money life in one screen without you emailing statements around. As GST, insurance and pension providers join as FIPs, the same plumbing will stretch well past loans.

What to do with this today

You do not need to chase an Account Aggregator on its own; you will meet one the next time a lender or finance app offers to verify you instantly. When that screen appears, you now know what you are looking at. Confirm the aggregator is one of the RBI-licensed NBFC-AAs, read the purpose and duration, share the minimum that the task requires, and diarise a reminder to revoke long-running consents you stop using.

Used with a little care, it is one of the rare upgrades that is both faster for you and safer than the messy PDF habit it replaces. The paperwork era of borrowing in India is ending — and for once, the replacement actually puts you in charge.