While exploring the Account Aggregator framework, I was unsure about how long my consent remains valid once I share financial data. Since this directly affects security and control, I wanted to know the exact expiry time for AA consent in India.
The Account Aggregator (AA) framework in India works on a consent-based model. This means financial data cannot move between banks, lenders, or fintechs unless you explicitly grant permission. But every consent comes with a validity period, after which it automatically expires unless renewed.
Consent Expiry Rules for AA in India:
Time-Bound Consent for AA
Every consent you provide has a fixed validity, defined by you at the time of granting access. It can be as short as a few hours for one-time access or extend to months and years for ongoing access.
Expiry of One-Time Consent for AA
If you only allow a one-time data pull (for example, sharing bank statements for a loan application), the consent usually expires immediately after the data is fetched.
Expiry of Recurring Consent for AA
For continuous data sharing (like monthly income verification), the consent can remain valid for the duration you choose, say, 3 months, 6 months, or 1 year. Once this period ends, data flow automatically stops.
User Control on Renewal for AA
The best part is that you decide the validity when giving consent. If the financial institution needs further access, you must renew or reapprove it manually.
Anshul, it depends on your choice, or whatever choice your FIU is providing you. It can be mentioned explicitly while taking your consent, like one-time or recurring.
Depends on the AA and the consent the FIUs are asking for, so in my opinion 1 year should be the max we can provide for now, but in future it may increase as the tech matures and banks do the part they are supposed to do anyway.
Sahamati (the watchdog for the account aggregator ecosystem in India) has issued guidelines that determine the validity of an account aggregator consent depending on the usage type.
For example, if an FIU is seeking the details of a user for lending, the consent duration would be lesser in comparison to the duration if the consent is sought to manage and track finances or investments of a user.
Depending on the use case, Sahamati issues guidelines on it. In most cases, the consent validity does not go beyond 1 year.
Also, in case you have given consent for a longer period than what you think is needed, you can always revoke your consent to the account aggregator by going to either the FIU that has asked you for the consent or the account aggregator that has provided the consent.
