What Account Aggregators Do and Their Regulatory Status
Account Aggregators (AAs) are RBI-regulated entities that operate as consent managers in India's Open Credit Enablement Network (OCEN) and the broader financial data sharing ecosystem established by the Master Direction on Non-Banking Financial Company: Account Aggregator (Reserve Bank) Directions, 2016, revised substantially in 2021 following the operational launch of the AA framework.
An AA does not store or process financial data. Its role is to transmit financial information from Financial Information Providers (FIPs, which include banks, insurance companies, pension fund administrators, and depositories) to Financial Information Users (FIUs, which include lenders, wealth managers, and other regulated entities) subject to explicit, granular consent provided by the end data principal. The AA is the consent management layer: it captures the data principal's consent, maintains a consent artefact, enforces the scope and duration of each consent, and routes data requests between FIPs and FIUs over the AA network.
As of March 2026, eight Account Aggregator entities held operational AA licences from RBI, with approximately four others in the application or in-principle approval stage. Major operational AAs include Sahamati's network participants such as Finvu, CAMS Finserv, CAMSFinserv AA, OneMoney, and Anumati. The RBI's Master Direction establishes that AAs must maintain a minimum net-owned fund of INR 2 crore, are prohibited from storing financial data beyond the transit period, must maintain an ISO 27001-certified information security management system, and must not charge the data principal for consent management services.
AA entities occupy a unique regulatory position: they are RBI-regulated NBFCs but they do not lend, take deposits, or invest. Their business model depends on fees charged to FIUs for data access facilitation, API service charges, or volume-based pricing. This creates a financial profile distinct from both conventional fintechs and conventional NBFCs, and an insurance profile that combines technology company risk (system reliability, data handling), financial services risk (regulatory conduct obligations), and infrastructure provider risk (third-party dependency for FIPs and FIUs using the AA's pipes).
Professional Indemnity Exposures: Data Aggregation Errors and Consent Violations
Professional indemnity is the primary insurance need for AA entities, and the risk scenarios are more specific and technically complex than for a standard fintech service provider.
The first PI exposure category is incorrect or incomplete data transmission. An AA transmits financial data from FIPs to FIUs based on consent artefacts. If the transmitted data contains errors because of a mapping failure (data from one account incorrectly attributed to another), a formatting error (currency or date field parsing failure), or a transmission latency issue (stale data transmitted after it has been updated at the source), the FIU receiving the data may make a lending or financial decision based on incorrect information. If a borrower is denied credit because a bank account balance was incorrectly reported as zero due to an AA data mapping error, the borrower has a potential claim against the AA for economic harm from incorrect professional services. If a lender extends credit based on an overstated income figure caused by AA transmission error and subsequently suffers a default, the lender has a potential claim against the AA for the lending loss attributable to the incorrect data.
The second PI exposure category is consent framework failure. The AA's core function is consent management: capturing consent artefacts that specify which data, for what purpose, for what duration, to which FIU. If an AA transmits data beyond the scope of a consent artefact (sharing data to a second FIU not named in the consent, transmitting for a longer period than consented, or sharing a data type not included in the consent specification), it has committed a professional failure that breaches the RBI Master Direction and may breach the Digital Personal Data Protection Act 2023 if the data principal can demonstrate harm.
Consent scope violations are technically possible at the API integration level even without intentional conduct. An API version update by an FIP that changes the data payload format could cause an AA's parser to inadvertently forward additional data fields beyond the consented scope. An AA whose consent management logic has a code error may transmit data after the consent duration has expired. These are professional service failures in the management of a regulated consent infrastructure, and they generate claims from data principals, FIUs, or RBI enforcement actions.
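The two failure modes just described, a parser that forwards fields the FIP added after the consent was captured and logic that keeps transmitting after the consent has lapsed, are both addressed by treating the consent artefact as a positive allow-list rather than a deny-list. The following is an added illustration written for this page; it is not code from any AA, from Sahamati, or from the RBI framework, and the artefact shape, FI type names, FIU identifiers and payload fields are simplified assumptions for the example only.

```python
"""Consent-scope enforcement for an AA-style data relay (added example).

Assumes a simplified consent artefact: one FIU, a validity window, and, per
FI type, the exact set of fields the data principal agreed to share. Real AA
consent artefacts and FI-type schemas differ; the enforcement pattern is what
matters. Because forwarding is a projection onto the consented field set,
a FIP payload that gains new fields after an API version bump cannot leak
them, and an expired, mis-addressed or out-of-type request is refused.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class ConsentViolation(Exception):
    """Raised when a data request falls outside the consent artefact's scope."""


@dataclass(frozen=True)
class ConsentArtefact:
    consent_id: str
    fiu_id: str                  # the single FIU allowed to receive this data
    purpose: str
    valid_from: datetime         # timezone-aware, inclusive
    valid_until: datetime        # timezone-aware, exclusive
    # allow-list: FI type -> fields the data principal consented to share
    allowed_fields: dict[str, frozenset[str]] = field(default_factory=dict)


@dataclass
class RelayResult:
    forwarded: dict              # the payload as it may be sent to the FIU
    dropped_fields: list         # fields withheld from the FIP payload, for the audit log


def enforce_consent(artefact, requesting_fiu, fi_type, fip_payload, now):
    """Return the subset of fip_payload the artefact permits, or raise ConsentViolation."""
    if requesting_fiu != artefact.fiu_id:
        raise ConsentViolation(f"consent {artefact.consent_id} is not held by FIU {requesting_fiu}")
    if not (artefact.valid_from <= now < artefact.valid_until):
        raise ConsentViolation(f"consent {artefact.consent_id} is not valid at {now.isoformat()}")
    allowed = artefact.allowed_fields.get(fi_type)
    if allowed is None:
        raise ConsentViolation(f"FI type {fi_type} is not within consent {artefact.consent_id}")
    # Positive projection: anything the artefact does not name is withheld,
    # including fields the FIP started returning after the consent was captured.
    forwarded = {k: v for k, v in fip_payload.items() if k in allowed}
    dropped = sorted(k for k in fip_payload if k not in allowed)
    return RelayResult(forwarded=forwarded, dropped_fields=dropped)


def is_permitted(artefact, requesting_fiu, fi_type, fip_payload, now):
    """Boolean form of the same check, convenient for gating a request before relay."""
    try:
        enforce_consent(artefact, requesting_fiu, fi_type, fip_payload, now)
        return True
    except ConsentViolation:
        return False


# --- constructed sample data (not real consents, accounts or FIP output) ---
SAMPLE_CONSENT = ConsentArtefact(
    consent_id="CONSENT-EXAMPLE-001",
    fiu_id="FIU-LENDER-EXAMPLE",
    purpose="loan underwriting",
    valid_from=datetime(2026, 1, 1, tzinfo=timezone.utc),
    valid_until=datetime(2026, 2, 1, tzinfo=timezone.utc),
    allowed_fields={"DEPOSIT": frozenset({"maskedAccountNumber", "currentBalance", "currency"})},
)

# A deposit-account payload as a FIP might return it after a version bump that
# added "holderMobile" and "linkedAccounts", neither of which was consented to.
SAMPLE_FIP_PAYLOAD = {
    "maskedAccountNumber": "XXXXXX1234",
    "currentBalance": "12345.67",
    "currency": "INR",
    "holderMobile": "+91-XXXXXXXXXX",
    "linkedAccounts": ["XXXXXX5678"],
}


def relay_sample(now=None):
    """Run the enforcement over the constructed data; returns a RelayResult."""
    now = now or datetime(2026, 1, 15, tzinfo=timezone.utc)
    return enforce_consent(SAMPLE_CONSENT, "FIU-LENDER-EXAMPLE", "DEPOSIT", SAMPLE_FIP_PAYLOAD, now)


if __name__ == "__main__":
    result = relay_sample()
    print("forwarded:", result.forwarded)
    print("withheld :", result.dropped_fields)
```

The design choice worth noting is that the relay never inspects what the FIP sent to decide what is sensitive; it only ever copies fields named in the artefact, so a schema change at the FIP degrades to withheld fields (visible in the audit log) rather than to over-sharing. Clock checks use timezone-aware timestamps so an expiry cannot be mis-evaluated across time zones, and the FIU identity is checked before any payload is touched.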
The third PI exposure is API failure causing FIU loss. FIUs integrate AA APIs into their underwriting, credit scoring, or customer onboarding workflows. If an AA's API is unavailable during a period when an FIU is processing a time-sensitive loan application or insurance policy issuance, the FIU may miss a regulatory deadline or lose the business opportunity. FIU partnership agreements often include SLA commitments from the AA with defined availability percentages; breach of these SLAs can create contractual liability that falls within PI coverage.
PI limits for AAs in the INR 2-5 crore annual revenue range (early-stage operations) should be in the INR 5-15 crore range, reflecting the potentially high economic consequences of systematic data errors affecting multiple FIUs simultaneously. The limit calibration must account for the possibility that a single code defect causes transmission errors across all consent transactions in a defined period, not just a single transaction.
Cyber Liability: DPDP Act 2023 Obligations on Data Processors
Account Aggregators handle personal financial data under the consent framework, and the Digital Personal Data Protection Act 2023 (DPDP Act) classifies them as data processors acting under instruction from data fiduciaries (which include the FIPs and FIUs). The distinction between data fiduciary and data processor matters for compliance obligations, but it does not eliminate the AA's cyber liability exposure.
Under the DPDP Act, a data processor has contractual obligations to the data fiduciary it serves and must implement security measures adequate to the sensitivity of the data processed. Financial data, which the DPDP implementing rules are expected to classify as a sensitive data category alongside health and biometric data, attracts heightened security obligations. An AA that suffers a breach of financial data in transit (the only point at which it holds data, since storage is prohibited) exposes itself to claims from both the data principals whose data was breached and from the FIPs and FIUs whose contractual obligations to those data principals have been compromised by the breach.
The Data Protection Board of India, established under the DPDP Act, has enforcement jurisdiction over data processors for breaches of security obligations. Penalties for data processors can reach INR 250 crore for serious violations. For an AA entity with INR 2 crore minimum net-owned funds, an INR 250 crore penalty would be an existential liability that regulatory defence cost coverage must address even before any penalty is imposed.
Cyber liability insurance for an AA entity should cover: first-party incident response costs including forensic investigation, legal counsel, notification to the Data Protection Board, and notification to affected data principals; regulatory defence costs in proceedings before the Data Protection Board of India and the RBI; third-party liability to FIPs, FIUs, and data principals for breach of confidentiality and data handling obligations; and business interruption during system downtime caused by a cyber event.
The AA's transit-only data model, where it does not store financial data beyond the consent transaction window, reduces the volume of at-rest data exposure relative to a conventional data repository. However, it does not eliminate the in-transit breach risk: a man-in-the-middle attack on the AA's FIP-to-FIU data pipe, or a compromise of the AA's consent artefact database (which contains metadata about consents even if not financial data itself), can constitute a serious breach. The consent metadata alone, which records that a specific PAN-holder has given access to their bank account data to a specific FIU for a specific purpose, is sensitive personal data under the DPDP Act.
Benchmark cyber liability premium for an early-stage AA entity with 50,000-200,000 registered users and INR 5 crore annual revenue: INR 15-35 lakh annually for INR 5-15 crore in limits. At growth stage with 1 million-plus users and INR 20 crore revenue: INR 40-80 lakh for INR 15-25 crore limits. ISO 27001 certification reduces premiums by approximately 20-30% relative to uncertified peers; RBI-mandated ISO 27001 means all operational AAs should qualify for this reduction.
Directors' Liability for Consent Framework Violations
The RBI Master Direction on Account Aggregators places explicit obligations on the AA's board of directors and senior management, including requirements for board-approved information security policy, board oversight of consent framework integrity, and personal accountability for regulatory compliance filings. These obligations create D&O exposure that is specific to the AA's regulated status and distinct from the general startup D&O risks familiar from conventional fintech.
The primary D&O scenarios for AA directors arise from two sources. First, RBI regulatory enforcement: if RBI finds that an AA has violated its Master Direction on consent framework management, data security, or operational standards, RBI can issue directions to the company and, in serious cases, can name individual directors in its orders and require them to show cause for failures of oversight. An RBI enforcement action that names a director, even without a finding of personal culpability, generates personal legal defence costs that the director cannot recover from the company if the company itself is the subject of the enforcement.
Second, investor derivative claims: AA entities at growth stage are typically funded by institutional investors including venture capital firms. If investors believe that management failed to disclose known regulatory compliance deficiencies before a funding round, or that board decisions about the pace of expansion created regulatory risk that was not disclosed to investors, derivative claims can follow. In the AA context, board decisions about which FIPs and FIUs to onboard, how quickly to scale the user base, and how to prioritise security investment relative to growth investment are all potential subjects of investor scrutiny if a regulatory event follows.
D&O coverage for an AA entity should include: coverage for regulatory investigations by RBI, the Data Protection Board, and IRDAI (if the AA distributes insurance products through its pipe); Side A direct coverage for individual directors where the company cannot indemnify; and run-off coverage provisions for at least five years, given that regulatory investigations often follow the triggering event by two to four years.
One additional D&O exposure specific to AAs is the personal liability of directors for compliance with the DPDP Act's requirement for designation of a Data Protection Officer at significant data fiduciaries. If an AA is classified as a significant data fiduciary under the implementing rules (which will depend on user volume and data sensitivity classification), the failure to appoint a qualified DPO is a violation attributable to board oversight, and the consequences of that failure flow to directors who signed off on compliance representations.
D&O premium for an AA entity at early stage (pre-Series A, INR 2-5 crore revenue, NBFC licence): INR 8-18 lakh annually for INR 10-20 crore limits. At growth stage (Series A or B funded, INR 15-50 crore revenue, large FIP and FIU network): INR 25-55 lakh for INR 25-50 crore limits.
Product Liability for Embedded Insurance Through AA Pipes
The AA framework is being used not only for financial data sharing but as a distribution infrastructure for financial products, including insurance. An FIU that is also an IRDAI-licensed insurer or insurance intermediary can use the AA pipe to access a data principal's financial profile, assess insurance eligibility, and offer products through the AA's user interface or partner app.
This use case creates a product liability dimension for AAs that would not exist for a pure data transmission utility. If an insurance product offered through the AA's distribution pipe is unsuitable for the data principal, contains misrepresentation in the product description, or generates a claim denial that the data principal believes arose from incorrect data presented through the AA, the AA faces potential product liability as a distribution channel participant.
IRDAI has not yet issued specific guidance on the liability allocation between AAs and the licensed FIUs (insurers or brokers) when insurance products are distributed through the AA framework. Until this guidance exists, the contractual terms between the AA and its FIU partners govern liability allocation. AAs that allow insurance product distribution through their interface should ensure their FIU partnership agreements include clear indemnification provisions requiring the FIU to defend and indemnify the AA against product-related claims, and should carry third-party liability coverage to backstop the contractual protection.
For AAs that are actively marketing insurance products as an ancillary revenue line, IRDAI's position on corporate agent registration for AA entities is relevant. An AA that facilitates insurance product recommendations or sales to its user base is likely to require IRDAI corporate agent registration unless the distribution is entirely passive (the FIU pushes product offers through the AA pipe without any AA-level recommendation or comparison). AAs exploring insurance distribution revenue should obtain legal counsel on IRDAI corporate agent requirements before launching commercial arrangements with insurer FIUs.
Product liability insurance for an AA engaged in insurance distribution should be structured as a combined technology errors and omissions policy that covers both data transmission errors and distribution-related professional failures. Maintaining separate PI and product liability policies creates potential coverage gaps at the boundary between technical failure and distribution failure, which is precisely where AA liability events occur.
Insurance Limits: Early Stage vs. Growth Stage AAs
Insurance programme calibration for AAs needs to reflect the entity's stage of growth, user volume, FIP and FIU network breadth, and the regulatory maturity of the AA framework itself, which is still developing as of 2026.
At the early stage, defined as an AA with RBI in-principle approval or recently granted operational licence, fewer than 100,000 registered users, and primarily a technology validation and partnership development phase, the insurance programme should cover the minimum regulatory requirements plus the core professional liability and cyber risks.
The RBI Master Direction does not explicitly mandate PI or cyber insurance for AA entities, unlike SEBI's requirement for stockbrokers or IRDAI's requirement for insurance brokers. However, partnership agreements with FIPs (banks, insurance companies) and FIUs (NBFCs, lenders) typically require the AA to carry minimum insurance, since these regulated entities carry their own compliance obligations to RBI and other regulators and cannot expose themselves to uninsured counterparty risk. FIP partnership agreements commonly specify minimum PI limits of INR 5 crore and cyber limits of INR 10 crore. An early-stage AA that cannot evidence these coverages will fail partnership onboarding with regulated financial institutions.
For an early-stage AA with INR 2-5 crore annual revenue and 50,000-100,000 users, the recommended programme is: PI at INR 5-10 crore, cyber at INR 5-10 crore, D&O at INR 10-20 crore, and directors' personal accident cover. Total annual premium budget: INR 35-60 lakh.
At the growth stage, defined as a Series A or B funded AA with over 500,000 registered users, multiple FIP and FIU integrations, and active insurance or credit distribution revenue, the programme must scale significantly. PI should increase to INR 15-25 crore to reflect the larger volume of concurrent consent transactions and the higher aggregate loss potential from a systematic error. Cyber should increase to INR 20-30 crore, reflecting the expanded attack surface and the DPDP Act's potential INR 250 crore penalty exposure. D&O at INR 25-50 crore, reflecting investor-demanded limits and the higher regulatory profile of an AA operating at scale.
Growth-stage AAs should also consider adding fidelity guarantee insurance, covering employee dishonesty in access to consent metadata and FIU relationship management systems. An AA employee with access to consent artefacts and FIU API credentials has significant potential to facilitate fraudulent data sharing beyond consent scope, generating liabilities for the AA. Fidelity guarantee cover sized to the maximum data volume that could be compromised in a single employee action provides a meaningful protection layer.
Total annual premium for a growth-stage AA at INR 20-50 crore revenue with a comprehensive programme: INR 80-150 lakh. This represents 0.5-1.5% of revenue at growth stage, a materially higher insurance cost ratio than conventional SaaS companies of equivalent revenue, reflecting the regulatory liability exposure of operating a consent infrastructure in a dual-regulator environment.
IRDAI and RBI Coordination Risk: Dual-Regulator Exposure
AAs that distribute or enable distribution of insurance products face a coordination risk that is unique to their position at the intersection of RBI and IRDAI regulatory frameworks. This dual-regulator exposure is not just a compliance management challenge; it creates specific D&O and PI liability scenarios that are not adequately addressed by insurance policies designed for single-regulator entities.
RBI regulates the AA's core consent management operations, its technology standards, its data handling obligations under the Master Direction, and its financial conduct as a licensed NBFC-AA. IRDAI regulates any insurance-related activities: if the AA distributes insurance products, recommends insurance covers, or plays any role in the insurance underwriting data flow (for example, transmitting financial data used in insurance underwriting decisions), IRDAI's conduct regulations apply.
The dual-regulator coordination risk materialises when a compliance action by one regulator creates second-order exposure to the other. Suppose RBI directs an AA to suspend operations for 30 days following a data security incident. During this suspension, FIUs that are insurance intermediaries cannot access the AA's data pipe, disrupting their insurance product underwriting workflow. If the FIU is an IRDAI-licensed entity that has made representations to its clients about data availability for underwriting, the RBI-ordered AA suspension may create IRDAI-related conduct issues for the FIU that trace back to the AA relationship. The AA faces claims from the FIU for the downstream regulatory harm caused by the suspension.
Conversely, if IRDAI initiates an investigation into insurance mis-selling by an FIU that used AA data in its product recommendation engine, and the investigation scrutinises the quality and completeness of AA-provided data as a contributing factor, the AA may be drawn into an IRDAI investigation without being an IRDAI-regulated entity itself. This is a regulatory investigation scenario that standard professional indemnity policies, which typically cover claims by commercial counterparties but not regulatory investigation costs by a regulator with no direct jurisdiction, may not address.
AAs should structure their PI and D&O policies to explicitly cover regulatory defence costs in investigations by both RBI and IRDAI, and should include a broad definition of regulatory investigation that covers preliminary enquiries, information requests, and inspection visits, not only formal investigation orders. Policies that cover regulatory defence costs only after a formal investigation order is issued leave the AA without coverage during the most expensive phase: the initial response to regulatory enquiry, where legal counsel is needed immediately and the outcome is most uncertain.
The practical resolution is to work with a specialist financial lines broker who understands both the NBFC regulatory environment and the IRDAI conduct regulation landscape. A broker who regularly places insurance for fintech lenders, payment platforms, and insurance distributors can structure a programme that addresses the full dual-regulator exposure rather than applying a standard tech startup policy with inadequate regulatory investigation provisions.