
India Stack refers to a group of technology platforms and frameworks that include the national digital identity system, digital document infrastructure, the Unified Payments Interface (UPI) for payments across multiple bank accounts, and the account aggregator framework.
Cost: Paid
Topic: Open Banking
Approach: Hybrid, Market Driven, Regulated
The National Payments Corporation of India and the Indian Ministry of Electronics and Information Technology.
India
Banking
Open Banking
The system architecture enables multiple API interfaces:
Current Accounts | Investments | Savings | Insurance | Pensions
Currently only asset-based data is available (bank accounts, deposits, mutual funds, insurance policies, pension funds). Other data types are likely to be added over time. See https://github.com/Sahamati/aa-common-service/blob/main/central-registry/overview.md for registry details.
JSON | XML | YAML
Hybrid
User companies must be regulated by one of the four authorities: the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI), the Insurance Regulatory and Development Authority of India (IRDAI), or the Pension Fund Regulatory and Development Authority (PFRDA).
Mandated
India has successfully built a fully digital banking ecosystem from the ground up.
UPI enables instant transfers between bank accounts via mobile, using an API that operates on top of the Immediate Payment Service. It is operated by the National Payments Corporation of India and regulated by the Reserve Bank of India.
The Account Aggregator framework, developed by the Ministry of Electronics and Information Technology, enables encrypted and consent-based data sharing, supporting the delivery of fully digital financial services.
It is part of the Data Empowerment and Protection Architecture (DEPA), an interoperable, secure, and privacy-focused model for data exchange. Account Aggregators manage customer consent but do not access the data themselves — they simply facilitate its movement.
In this setup, consent for accessing personal data is granted through a dedicated consent manager rather than directly through the financial institution.
Certificates | Registry | Directory
Other
The Account Aggregator functions as a consent manager that does not access or view the data.
It simply transfers encrypted information from one financial institution to another based on the individual’s approval and instructions.
The data shared through the system is encrypted by the sender and can only be decrypted by the intended recipient. This end-to-end encryption, combined with mechanisms like digital signatures, makes the process far more secure than exchanging physical documents.
All consent provided through Account Aggregators is designed to be revocable.
App to App Redirect | Browser Redirect | Browser Decoupled | Browser Delegated
AA: The customer uses the Account Aggregator to link accounts and provide consent. All account-linking and consent-related actions must occur directly between the customer and the AA through its application or client. Any consent given can be revoked at any time.
Payment initiation is handled via UPI; however, this is not considered an open banking/finance API.
API Specifications
Accounts
India, historically a largely cash-driven economy, has been able to build its digital banking infrastructure from the ground up. The first major step was the creation of the Unique Identification Authority of India (UIDAI), which manages Aadhaar and enables identity verification using biometric features such as fingerprints, photographs, and iris scans.
The success of Aadhaar — and the trust created through a single, efficient identity system — paved the way for the National Payments Corporation of India (NPCI) to establish a nationwide retail payment and settlement platform. This became the Unified Payments Interface (UPI), which connects an individual’s bank account to their Aadhaar-based identity.
Today, the Account Aggregator Framework is expanding this foundation. Introduced in September 2021, it enables encrypted, consent-based data sharing, aimed at unlocking a wider range of digital financial services.
Functional | Security Profile
Both the Account Aggregator framework and UPI are regulated by the Reserve Bank of India (RBI).
While the RBI sets the licensing requirements and oversees the operations of Account Aggregators, the responsibility for ongoing compliance and guideline implementation has largely been delegated to the industry through a self-regulatory model. This allows consistent standards to be developed across entities regulated by different authorities, but also requires consensus-building through market-driven mechanisms. Sahamati, as an industry body, plays a key role in enabling this.
As the ecosystem expands, a broader regulatory structure, potentially involving multiple regulators, may emerge and take on a more direct role in governing the system, working alongside the industry-led approach currently driven by Sahamati.
In December 2019, India introduced the Personal Data Protection Bill, which outlined the rights of individuals, the responsibilities of data processors, and penalties for non-compliance. After three years of debate, the bill was withdrawn due to significant criticism from industry stakeholders and technology companies, mainly over its stringent restrictions on cross-border data transfers. In November 2022, the Digital Personal Data Protection Bill was introduced, placing renewed emphasis on personal data protection.
At TechnoXander, we drive payments innovation with agility and adaptability. Headquartered in London, we empower banks and financial institutions to leverage PSD2, PSD3, Open Banking, and advanced fraud prevention solutions like CoP and VoP. Committed to staying ahead of trends, we invest in cutting-edge financial technology while maintaining robust security, as reflected in our ISO 27001:2022 certification.