FIU Participation Policy

Sahamati Account Aggregator Ecosystem Participation Terms

 

DigiSahamati Foundation, established as a not-for-profit company under Section 8 of the Companies Act, 2013, (Sahamati), as an organisation comprising Account Aggregators (AAs), Financial Information Providers (FIPs), Financial Information Users (FIUs), technology service providers and other persons, is fostering the establishment and development of the Sahamati Account Aggregator Ecosystem (Sahamati AA Ecosystem) which facilitates interoperability and related standards for AAs, FIPs and FIUs, manages the Sahamati AA Ecosystem and enforces compliance with Sahamati AA Ecosystem Participation Terms.

 

This document sets out Sahamati AA Ecosystem Participation Terms, Version 1.0  (the Terms), as amended from time to time, upon which the participants in the Sahamati AA Ecosystem have agreed to participate.

1. Ecosystem Participants

1.1       Sahamati AA Ecosystem shall have the following participants (Participants):

 

(a)        Financial Information Providers (FIP) - any entity that is registered with a Financial Sector Regulator and/or approved by the Financial Sector Regulator to be a provider of financial information;

(b)        Financial Information Users (FIU) - any entity that is registered with a Financial Sector Regulator and regulated by such Financial Sector Regulator to be a consumer of the financial information; and

(c)        Account Aggregators (AA) – any non-banking financial company that has been registered with the RBI to undertake the business of an account aggregator as defined in the AA Master Directions (as defined below).

 

1.2       In consideration for the mutual rights and obligations set out in these Terms, as amended from time to time, all Participants shall indicate their acceptance of these Terms by furnishing to Sahamati, an electronic copy of the declaration contained in Annex 1 on which shall be affixed the digital signature of its authorised signatory. These Terms shall supersede and prevail over any bilateral agreements or arrangements among or between Participant/s on matters specified in these Terms upon such Participant/s indicating their acceptance of these Terms.

 

1.3       Customers shall indicate acceptance of these Terms, as amended from time to time, by accepting these Terms on the AA Client Interface (as defined below) and the AAs shall ensure that their AA Client Interface enable such acceptance and retain a record thereof. FIUs and FIPs should display these Terms for information of their customers in relevant sections of their websites or mobile apps.

 

1.4.      These Terms may be amended from time to time and such amended Terms shall remain binding upon the Participants and the Customers, with the continuing participation, usage or access of the Sahamati AA Ecosystem by the Participants and the Customers signifying and constituting their respective acceptance of the amendments and amended Terms. Sahamati shall, prior to effecting the amendments to these Terms, undertake due consultations to the extent necessary and appropriate. The amendments and the amended Terms shall be provided to all the Participants and the Customers at least 30 days prior to such amendments and amended Terms becoming effective, with versioning of amendments being reflected appropriately. Only in the event of a complete overhaul and restatement of these Terms, the Participants and the Customers may be required to indicate their acceptance afresh to the restated Terms in the mode and manner specified in 1.2 and 1.3 respectively, for continuing within the Sahamati AA Ecosystem in accordance with the restated Terms and which shall become effective as provided in such restated Terms, with versioning of restatements being reflected appropriately. All communications with the Customers as contemplated in this section shall be undertaken by the AAs.

 2. Defined Terms

  1. AA Client Interface shall have the meaning set out in 4.1 below;

 

  1. AA Master Directions means the Master Direction - Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016 issued by RBI and as amended from time to time;

 

  1. AA Technical Standards means the technical standards issued by ReBIT or any other competent authority from time to time as applicable to AAs;

 

  1. Applicable Law means the AA Master Directions and all relevant technical specifications as well as any applicable law, regulation, ordinance, rule, judgment, notification, order, decree, bye-law, directive, framework or guideline issued by a competent government authority and having the force of law;

 

  1. Customer means any person, who has entered into a contractual arrangement with the AA to avail services provided by the AA for transfer of data from FIPs to an FIU or from FIPs to the Customer;

 

  1. Central Registry or Central Registry APIs means the service offered by Sahamati, as part of Sahamati Technical Services, to participants for discovery of public information such as API endpoints and public keys.

 

  1. Data means any data that has been permitted, under the AA Master Directions, to be transferred from FIPs to FIUs and/or from FIPs to Customers;

 

  1. Financial Sector Regulator means any of RBI, SEBI, IRDAI or PFRDA;

 

  1. Force Majeure Event means any event beyond the reasonable control of a Participant which adversely impacts the ability of the Participant to perform its role contemplated under these Terms, which events include but are not limited to: non-availability of any communication or electronic services due to an act of god, on account of relevant authorities requiring suspension of any activity or operation, or on account of pandemic or other infectious or contagious disease;

 

  1. IRDAI means the Insurance Regulatory and Development Authority of India;

 

  1. ODR Institution means an independent neutral institution that provides online dispute resolution as a service or as a platform, encompassing online arbitration, online mediation or online conciliation or a combination thereof, and which has been empaneled by Sahamati from time to time;

 

  • PFRDA means the Pension Fund Regulatory and Development Authority;

 

  1. RBI means the Reserve Bank of India;

 

  • ReBIT means Reserve Bank Information Technology Private Limited;

 

  • Sahamati Certification Framework means a set of tests designed and administered by Sahamati, or its empaneled certifiers, to verify the adherence to the AA Technical Standards and with such standards as may be specified by Sahamati from time to time including but not limited to standards specified for availing of Sahamati Technical Services or standards specified for other matters as relevant to the role of the Participant in the Sahamati AA Ecosystem being performed in a standardized and/or interoperable manner;

 

  1. Sahamati AA Ecosystem means the ecosystem comprising the Participants and the Customer/s designed to facilitate the consented flow of Data from FIPs to FIUs as enabled by AAs or from FIPs to Customer/s as enabled by AAs;

 

  1. Sahamati Technical Services means services such as Central Registry or Central Registry APIs, Token Service APIs and any other services that Sahamati may provide to the Participants from time to time;

 

  1. SEBI means the Securities and Exchange Board of India; and

 

  1. Token Service APIs means the service offered by Sahamati, as part of Sahamati Technical Services, for participants to obtain a short-lived access token and present it to other Participants for authorizing access to their resources.

 

3. Commencement of Services by AAs, FIUs and FIPs

3.1       The detailed onboarding plan for AAs, FIUs and FIPs has been set out in Annex 2.

 

3.2       Every entity desirous of becoming a Participant in the Sahamati AA Ecosystem, will be assessed in accordance with the Sahamati Certification Framework, as relevant to the role it desires to perform in the Sahamati AA Ecosystem. Once a Participant has been so certified and has indicated its acceptance of these terms under 1.2 above, then such Participant shall be allowed to commence performing its role in the Sahamati AA Ecosystem.

4. AA Client Interface

4.1       All AAs will create one or more front-end interfaces through which Customers will be able to link their accounts in order to manage their consent for Data transfers from FIPs to FIUs and/or from FIPs to the Customer, as the case may be (AA Client Interface).

 

4.2       The AA Client Interface should, at the very least, support the following features:

 

(a)        Consent management including but not limited to account discovery, account linkage and activity logs;

(b)        Profile management including registration of users resulting in the issuance of Virtual User Addresses; and

(c)        Complaint management including the ability to raise a complaint and receive updates as to the progress of the complaint till final resolution.

 

4.3       The AA shall ensure that the AA Client Interface is designed to use authentication measures as prescribed in the AA Technical Standards, from time to time, for all actions or transactions between the Customer and the AA, including but not limited to all consent management actions and all profile management actions.

 

4.4       At least one or more of AA Client Interface/s of an AA should offer a Customer the ability to check the status of a Data request and to view the entire history of their consents and Data flows at any point in time.

5. Customer Onboarding

5.1       The AA will onboard Customers using a process that shall comprise the following steps:

 

(a)        The Customer shall provide to the AA the Customer’s mobile number, email address, or any other identifier that has been declared to be suitable for digital verification in the AA Technical Standards, from time to time.

 

(b)        The AA shall verify that the identifier provided is valid and verified and that it is in fact being solely operated by the Customer.

 

(c)        Upon conclusion of such verification, the AA will issue to the Customer a virtual address that uniquely identifies the Customer in the following format:
 

<customer_identifier>@<AA_identifier>

 

Where:

 

  1. <customer_identifer> is a word/alphanumeric that uniquely identifies the Customer in the AA system and which may either be selected by the customer or issued by the AA. The AA shall, at its discretion, be free to suggest a unique default identifier (such as mobile number or last name)

 

  1. <AA_identifer> is the unique identifier that has been provided to the AA by Sahamati at the time of on-boarding that uniquely identifies the AA among all AAs in the ecosystem.

 

  1. The entire Virtual User Address, also known as the VUA or the AA Handle, should only contain “a-z, A- Z, 0-9,.(dot), - (hyphen), @", as currently defined in the AA Technical Standards and subject to any modifications in such standards, from time to time.

 

5.2       At the time of Onboarding and thereafter whenever initiated by the Customer, the AA Client Interface will facilitate discovery of accounts held by the Customer with one or more FIPs in the following manner:

 

(a)        The AA Client Interface will offer the Customer the opportunity to provide strong identifier(s) that the Customer’s FIP will recognise. The AA will relay such identifier/s to the FIP. The FIP shall, if such identifier/s correspond with a customer record within its system, provide to the AA a set of account numbers matching the Customer identifier so provided.

 

(b)        The AA Client Interface shall display the account numbers discovered in this manner from all FIPs in a masked format and in a manner that will allow the Customer to make a selection of those accounts that the Customer wishes to link.

 

(c)        By selecting the accounts that the Customer wishes to link on the AA Client Interface, the Customer authorises the AA to relay to the FIP the Customer’s consent to link the specified accounts to the Customer’s profile with the AA.

 

(d)        The FIP shall, after independently authenticating the Customer as specified in the AA Technical Standards, complete the linking request.

 

5.3        The process and steps outlined in 5.1 and 5.2 above are not prescriptive as regards user experience that an AA may provide while adhering to such process or steps.

6. Process for Data Transfer

6.1       The process for transfer of Data from an FIP to an FIU and/or from an FIP to a Customer as the case may be, shall involve the following parties – the Customer, FIPs, the FIU (if any) and an AA.

 

             The FIU may initiate the request for Data by submitting a consent request to the Customer through the AA. The AA will forward the consent request to the Customer and once such consent has been obtained, the AA shall convey the Customer’s consent request to the relevant FIPs. The FIPs shall, after verifying the consent, transfer the required Data to the AA . The AA shall facilitate the transfer of such Data from the FIPs to the FIU. 

 

             In the event, the Customer declines consent, the AA will convey information of such decline to the FIU, and accordingly no transfer of Data will take place.

 

             The Customer may initiate a request for Data by submitting a request and consent to the AA. The AA shall convey the Customer’s consent request to the FIPs for the Data. The FIP shall, after verifying the consent, transfer the required Data to the AA. The AA shall facilitate the transfer of such Data from the FIPs to the Customer.

 

             It is noted that in course of transfer of Data as envisaged in these Terms, the relevant FIP continues to retain the Data as available with itself

 

6.2       ReBIT is authorized to publish technical specifications, from time to time, to achieve the process described above. All Participants undertake to ensure that their systems are and for as long as these Terms continue to apply to them will hereafter be compliant with such specifications.

7. Obligations and Responsibilities

7.1       All Participants shall:

 

  1. undertake certification at the stage of joining the Sahamati AA Ecosystem and obtain certification whenever required and remain duly certified on an on-going basis in accordance with the Sahamati Certification Framework;

  2. implement the security measures issued by ReBIT from time to time;

  3. save and except as provided in 7.3 (d), ensure that no Data transferred through the Sahamati AA Ecosystem is shared with any third party unless required by law;

  4. ensure that their systems and infrastructure are compliant with the application programming interface (API) change management policies issued by ReBIT from time to time;

  5. ensure that their systems and infrastructure remain operational, at uptimes and standards as Sahamati may specify from time to time, in order to carry out the transactions contemplated under these Terms, and where any system or infrastructure needs to be taken offline, the relevant Participant shall give prior advance notice to Sahamati, in accordance with the standards specified by Sahamati from time to time;

  6. respond to unscheduled shutdowns and other disruption to the services expeditiously and notify Sahamati and the Central Registry of such shutdown or disruption;

  7. comply with all service level obligations, uptimes and standards as Sahamati may specify from time to time, as applicable;

  8. retain all consent logs and Data flow logs for such period(s) as may be required by Applicable Law, in a readily accessible and searchable format that allows for retrieval as per internal policies of the Participant; on demand by the Customer or any other Participants involved in the transaction; as required for audit or regulatory inspection in accordance with Applicable Law; or in the event of a grievance by a Customer or a dispute with any Participant;

  9. ensure that an audit is conducted by a qualified security assessor (QSA) approved by RBI at such frequency/intervals as specified by RBI from time to time;

  10. appoint grievance redressal officers whose responsibility it shall be to resolve Customer grievances and coordinate amongst themselves to collate all the Data transfer and consent logs or other information as may be necessary;

  11. agree and acknowledge that Data through the Sahamati AA Ecosystem is on an “as is” and “as available” basis only, disclaim any warranty or assurance as to the completeness or accuracy of any Data transferred and any reliance that may be placed on such Data;

  12. Ensure due adherence of commercial arrangements and duly discharging payment obligations as arising on account of the Sahamati AA Ecosystem, (including the payment of membership or other fees as applicable to Sahamati as notified from time time), and

  13. inform Sahamati and all other Participants of any change in the status of its operating license including but not limited to any cancellation, revocation or suspension thereof.

 

7.2       All AAs shall:

 

(a)        support requests to transfer data which are initiated by the Customer or by FIUs;

(b)        ensure that appropriate measures have been implemented to ensure proper Customer identification and authentication and ensure that the consent obtained is in accordance with the AA Technical Standards;

(c)        not undertake any other business other than the business of an account aggregator;

(d)        not use the services of any third party service provider to undertaking its business;

(e)        ensure that no Customer information when received from an FIP is retained by the AA for longer than is necessary for such Data to be transferred to the Customer or FIU or 6 hours from time of receipt, whichever is earlier;

(f)        ensure that the AA is blind to and does not share, view or access any of the contents of such Data from the moment of receipt till its delivery to the FIU or to the Customer, as the case may be, or for the period it retains the Data;

(g)        educate Customers on informed consent, significance and possible result/s of consenting, and the possible implications of consenting without the Customer properly evaluating the consequences or results;

(h)        enable a Customer who seeks to port to another AA to do so seamlessly;

(i)         put in place and keep current a Disaster Recovery or a Business Continuity management plan for all their operations;

(j)         not be held responsible for any loss or damage that may arise due to a Customer’s account being disabled or suspended for any reason or due to unauthorized use of such account (other than on account of failure of the AA to comply with these Terms or Applicable Laws);

(k)        comply with the various duties and responsibilities of an AA as set out in the Master Directions; and

(l)         be entitled to take appropriate action to prevent harm to the Sahamati AA Ecosystem, including but not limited to, disabling or suspending a Customer’s account in order to prevent unauthorized access to the Customer’s account.

 

7.3       All FIUs shall:

 

(a)        ensure that their systems are wholly interoperable and capable of working with every AA in the ecosystem;

(b)        set up and continue to operate their systems so that the FIU also functions as an FIP, when holding the types of Data notified by RBI as eligible for transfer through an AA, in the Sahamati AA Ecosystem on the principle of reciprocity;

(c)        ensure that any Data received from an FIP through an AA is only used for the express purpose mentioned in the consent artefact under which such Data was requested;

(d)        not transfer, share or otherwise disclose any Data collected from an FIP to any third party whatsoever except with the specific prior consent of the Customer Provided that an FIU may share data in an aggregated and anonymised form with contracted third parties and with due notice to the Customer that it is so sharing the data; and

(e)        only retain any Data received from an FIP for as long as is necessary for the FIU to fulfil the purpose for which such Data was obtained and for no longer, save and except as required in order to comply with Applicable Laws.

(f)        immediately notify the relevant AA about any consent revocation initiated by the Customer through the FIU and desist from further fetching of any Data from an FIP through an AA using the consent so revoked by the Customer.

 

7.4       All FIPs shall:

 

(a)        ensure that their systems are wholly interoperable so that they can work with every AA in the Sahamati AA Ecosystem;

(b)        permit the AAs to use its name or logo in the AA Client for customer ease and convenience, permit all AAs to discover the accounts that the Customer has with them, and permit the linking of these accounts using standard protocols specified by ReBIT from time to time;

(c)        on receipt of a consented Data request from an AA, verify its validity (including with respect to the mode of operation specified by the customer for the accounts) before proceeding to collate and furnish any Data in response to such request;

(d)        once a Data request and consent has been validated, collect all Data under its possession and control that responds to such Data request, store it in an encrypted format, inform the AA that it is ready for collection and facilitate its collection by the AA for delivery to the FIU and/or the Customer, as the case may be;

(e)        ensure that its systems implement any revocation of consent by a Customer that has been communicated to such FIP by an AA;

(f)        set up and continue to operate their systems so that they also function as an FIU, if permitted by the Master Directions to do so, in the Sahamati AA Ecosystem on the principle of reciprocity; and

(g)        may reject any such request for Data sharing received from the AA if it fails to meet the criteria for obtaining instruction or consent of the Customer, as specified under consent artefact and the Applicable Law or is not as per the mode of operation specified by the customer for the accounts.

 

7.5       All Customers shall:

 

(a)        review the details of all requests that they receive from FIUs through AAs to transfer Data from FIPs to such FIU in order to verify the nature and quantum of Data requested, the purpose for which such Data is being collected and the duration for which it will be retained by the FIU;

(b)        only provide their consent after having duly verified the details of the request to transfer Data and any consent so provided shall be binding on the Customer;

(c)        be entitled to revoke their consent for requests to transfer Data that have not yet been fulfilled.

 

             For requests to transfer Data that have been fully or partially fulfilled, and the FIU has received the Data and not (for any reason whatsoever) provided any service or product to the Customer: be entitled to revoke their consent for such requests and the revocation shall take effect without any consequences. The FIU shall in this situation, purge the Customer’s Data unless required to be retained in accordance with Applicable Laws.

 

             For requests to transfer Data that have been fully or partially fulfilled, the FIU has received the Data and provides service or product to the Customer (which continues to subsist): be entitled to revoke consent in respect of any further Data requests being performed subject to the Customer acknowledging and confirming to the AA that all or any consequences or measures as may arise on account of the revocation (as may be specified between the FIU and the Customer in such situations, which the AA is not privy or party to) may become applicable or operational, and accordingly that the revocation will be at the risk, costs and consequences of the Customer.

 

             The AA will immediately update the relevant FIPs and the FIU of such revocation and give effect to the revocation.

(d)        be responsible for the confidentiality, safekeeping and security of their account details, including but not limited to, login and other credentials, required to access and use their account on the Sahamati AA Ecosystem;

(e)        be solely responsible for all communications exchanged between Customer and AA through the Sahamati AA Ecosystem and/or any transaction or activity conducted, or purported to be conducted with the AA;

(f)         duly discharge payment obligations as arise on account of the Sahamati AA Ecosystem, and

(g)        notify AA immediately if upon becoming aware of any unauthorised access to or use of their accounts.

 

7.6       Sahamati shall:

 

(a)        maintain and operate Sahamati Technical Services, as per standards notified by Sahamati from time to time;

(b)        design and administer the Sahamati Certification Framework to ensure that all entities seeking to be Participants are duly assessed and certified, from time to time, and also design and administer the Sahamati Certification Framework  as relevant to the mode, manner, role and function that Participants perform in the Sahamati AA Ecosystem, perform necessary assessments and certify the Participants at specified intervals for continuing participation in the Sahamati AA Ecosystem;

(c)        design and maintain such additional technical services as may required by the Participants from time-to-time;

(d)        institute processes, reporting requirements and/or measures for proactively monitoring performance of respective obligations by the Participants to the extent technically feasible, providing assurance of due adherence, and shall deal with breach of obligations, if any identified, in accordance with these Terms,

(e)        implement and enforce these terms and take all other actions necessary for the orderly development of the Sahamati AA Ecosystem, and

(f)        be able to undertake such activities, operations or services as are required, relevant or useful for the Sahamati AA Ecosystem or in accordance with these Terms, or empanel service providers for rendering such services.

8. Customer Rights

            A Customer shall have the right:

 

(a)        to be informed of all the attributes specified in the consent artefact in relation to any consent sought to be obtained from such Customer for the transfer of Data from FIPs to the FIU through the AA and/or for transfer of Data on Customer’s own request from FIPs to Customers through the AA, as the case may be;

(b)        to access a record of all the consents provided, the details of the subsequent Data flows and the FIUs with whom the corresponding Data has been shared for such period of time as specified under Applicable Laws from time to time;

(c)        to raise a grievance with the grievance resolution officer of the Participants in accordance with 14 below;

(d)        subject to 7.5(c) above, to any time revoke any consent that has been provided to an FIU; and

(e)        to deregister from any AA at any time by following a simple process that allows the Customer to delink all connected accounts, revoke all active consents subject to 7.5(c), and download the consent and transaction history.

9. Withdrawal of AA

9.1       No AA shall exit the Sahamati AA Ecosystem without first making appropriate arrangements to either: (a) assign its rights and obligations under these Terms to another AA; or (b) ensure that it no longer owes any obligations to any Participant.

 

9.2       Subject to 9.1 above, an AA may withdraw from the Sahamati AA Ecosystem by following the process set out below:

 

(a)        The AA shall submit a notice to Sahamati in writing of its intention to withdraw from the Sahamati AA Ecosystem along with the reasons, at least ninety (90) days before such withdrawal;

(b)        Sahamati shall process the withdrawal request and inform all other Participants of the Sahamati AA Ecosystem of the date on which such AA shall cease to be a part of the Sahamati AA Ecosystem; and

(c)        The withdrawing AA shall take all reasonable necessary and appropriate measures to ensure that all Customers who have active consents with respect to such AA do not suffer any hardship, cost or inconvenience on account of such withdrawal.

 

9.3       Once the AA has completed all the obligations set out herein, such AA’s entry in the Central Registry shall be removed and thereafter the AA shall no longer be a Participant in the Sahamati AA Ecosystem or have access to the Sahamati AA Ecosystem.

 

10. Suspension

10.1      Sahamati may suspend a Participant from the Sahamati AA Ecosystem in the event:

 

(a)        such Participant commits a material breach of any of these Terms;

(b)        such Participant commits a breach of Applicable Laws; or

(c)        the operating license of such Participant is temporarily suspended by a Financial Sector Regulator,

 

10.2      Any such suspension shall remain in force until the event/s mentioned above have been duly rectified or compounded and/or its operating license restored, as the case may be. No such suspension of a Participant shall affect any of its accrued obligations to the Customer including but not limited to the obligation to provide access to the Data or perform its role and function as envisaged in these Terms.

11.Termination

11.1      A Participant shall, forthwith, cease to be a participant in the Sahamati AA Ecosystem, in the event:

 

(a)        its operating license is cancelled or revoked by a Financial Sector Regulator, or

(b)        it ceases or is unable to carry on its business, or

(c)        it is or appears likely to be unable to pay its debts or upon admission of a petition for its winding-up, dissolution, administration, bankruptcy or insolvency or the appointment of a liquidator, receiver, resolution professional or other similar officer in respect of any of its assets and/or any analogous procedure or step is taken in any jurisdiction in relation to the foregoing.

 

11.2      Upon the termination of a Participant:

 

(a)        Sahamati shall inform all other Participants thereof and shall specify the date on which such termination would take effect and a separate date by when all the other Participants shall settle accounts, if any, with the terminated Participant (or the receiver, resolution professional or liquidator or other similar officer thereof, as the case may be);

(b)        All other Participants shall ensure that they settle their accounts, if any, with the terminated Participant (or the receiver, resolution professional or liquidator or other similar officer thereof, as the case may be) on or before the date specified by Sahamati for settling of accounts;

(c)        The terminated Participant (or the receiver, resolution professional or liquidator or other similar officer thereof, as the case may be) shall take all reasonable necessary and appropriate measures to ensure that all Customers who have active consents with respect to such Participant do not suffer any hardship, cost or inconvenience on account of such withdrawal.

 

11.3      Once the terminated Participant (or the receiver, resolution professional or liquidator   or other similar officer thereof, as the case may be) has completed all the obligations set out herein to the satisfaction of Sahamati, reference to such terminating Partner in the Central Registry shall be removed and the terminating Participant shall no longer be a Participant of the Sahamati AA Ecosystem.

12. Liabilities

12.1      In the event any Data in the possession or control of a Participant is lost, damaged or otherwise rendered unusable, then such Participant alone shall be liable for the consequences of such event.

 

12.2      A Participant shall be liable for any loss or damage notwithstanding the fact it was caused due to gross negligence or willful misconduct of the Participant’s employees or agents, representatives or contractors or because it arose on account of its gross negligence or willful misconduct.

 

12.3      No Participant shall be liable to any other party/ies for: (a) any third party claims, indirect or consequential loss or damage, or special or punitive or exemplary damages, or loss of profit, business, revenue, goodwill of the other party/ies, (b) an amount exceeding the annual total revenue (attributable to its participation in the Sahamati AA Ecosystem) in the year in which the claim or dispute arises unless the liability is on account of gross negligence or willful misconduct by such Participant (or its employees or agents, representatives or contractors) or when such liability arises on account of breach of applicable laws.

 

12.4      Notwithstanding anything contained in these Terms, no Participant shall be liable for a failure to participate on account of:

 

(a)        any act or omission attributable to any other Participant (including, but not limited to, any rejection, downtime or negligence, or any malfunction of its technical systems or its incompatibility or failure to comply with the technical specifications and/ or Applicable Laws),

(b)        any delay, revocation or suspension of consent on the part of a Customer to transfer Data from FIPs to FIUs or to the Customer, as the case may be,

(c)        any Force Majeure Event, or

(d)        any change in Applicable Laws.

 

12.5      Notwithstanding anything contained in these Terms, FIPs or FIUs shall not be held liable for any breach, loss, damages that may arise out of or result on account of transfer of Financial Information based on the consent obtained and shared under the consent artefact in the manner and mode provided for under the Applicable Laws. Provided that nothing contained herein will absolve the FIP or the FIU, as the case may be, from any gross negligence or willful misconduct.

 

12.6      In case of a failure by any Participant to comply with their respective roles and obligations, the defaulting Participant shall be liable for such penalties and consequences as prescribed under these Terms or Applicable Laws. Notwithstanding anything contained herein, no Participant shall be held liable for any breach, non-compliance, failure (including but not limited to data security breach) if such Participant complied with Applicable Laws (including the technical specifications issued by ReBIT, from time to time).

 

13. Indemnification

Subject to these Terms, each Participants shall indemnify and keep indemnified every other Participants, their respective officers, directors, personnel, representatives from and against any and all direct loss suffered or incurred (including but not limited to liabilities, judgments, awards, damages, losses, claims, costs and expenses, etc.), arising out of breach of any provisions under these Terms and/or violation of any applicable laws. The indemnity obligations set out herein shall survive the termination or exit of any indemnifying party from the Sahamati AA Ecosystem for a period of three (3) years after such termination or exit.

14. Grievance Redressal & Dispute Resolution

14.1     Customer complaints, claims, disputes or grievances (together termed ‘grievance/s’) involving factual matters capable of being ascertained as fully or partially valid (or not) in an automated mode or manner by checking the relevant records of the concerned Participant/s, shall be so ascertained, and the accepting or rejecting such grievance/s (fully or partially) shall be duly notified to the claimant or the aggrieved person on so being ascertained. Where the grievance/s has been accepted as fully or partially valid, the Participant will undertake due measures to redress the grievance or make payment of the specified compensation to the claimant or the aggrieved person. Sahamati shall identify and notify from time to time the types of grievance/s which shall be attended to in this manner, and the appropriate amount, level or range compensation that shall be payable by the relevant Participant when a grievance/s has been ascertained to be fully or partially valid.

 

14.2      Customer grievances that are unresolved by the automated mode specified in 14.1, or if the Customer is not satisfied with the resolution provided through the automated mode specified in 14.1, or which arise before the automated mode becomes effective for specified types of grievances as envisaged in 14.1, shall be addressed in the following manner and sequence:

 

  1. by placing the grievance for redress by the Grievance Redressal Officer of the Participant, as applicable, and/or the Internal Ombudsman of the Participant (if any), whose determination will be binding on the Participant.

 

  1. If the Customer is not satisfied by the determination made by the Grievance Redressal Officer or the Internal Ombudsman of the Participant, as applicable, and subject to applicability of the respective Ombudsman Scheme specified by a Financial Sector Regulator governing the Participant, or appeal process, if any specified in Applicable Laws to deal with the matter, the grievance or appeal in relation to the determination shall be referred to an ODR Institution, empaneled by Sahamati from time to time, which shall facilitate online mediation or online conciliation.

 

The ODR Institution shall accordingly appoint a mediator or a conciliator, in accordance with its mediation or conciliation rules and the process shall be administered in accordance with such mediation or conciliation rules.

 

If such mediation or conciliation is unsuccessful in resolving the grievance as well as if the Customer is not satisfied with the determination made in terms of the Ombudsman Scheme or the appeal process as laid down, if applicable, then the grievance or appeal in relation to the determination shall be referred to an ODR Institution, empaneled by Sahamati from time to time, which shall appoint an independent sole arbitrator, in accordance with its arbitration rules to adjudicate the grievance.

 

The grievance shall be resolved by means of arbitration in terms of the applicable rules of the ODR Institution, and in accordance with the Arbitration and Conciliation Act, 1996. Such a process shall be conducted (including for recording of evidence or tendering of documents), concluded and administered online by the ODR Institution through its website/platform or its mobile application, and the determination made by such process shall be binding on such Customer and the Participant. The seat of arbitration proceedings shall be city and state where Sahamati is headquartered. The procedural law of arbitration shall be the rules of the ODR Institution.

 

Sahamati will also explore the possibility of creating APIs for ease of reference of grievances to ODR Institutions as envisaged in this section.

 

14.3      Any complaints, claims, disputes or grievances (together termed ‘dispute’) arising out of or in connection with these Terms between two or more Participants shall be referred to an ODR Institution, empaneled by Sahamati from time to time, which shall facilitate online mediation or online conciliation. The ODR Institution shall accordingly appoint a mediator or a conciliator, appointed in accordance with the applicable mediation or conciliation rules of the ODR Institution for such dispute. The process shall be administered in accordance with the applicable mediation or conciliation rules of the ODR Institution.

 

If such mediation or conciliation is unsuccessful in resolving the dispute, then the ODR

Institution shall appoint an independent sole arbitrator, in accordance with the applicable arbitration rules of the ODR Institution, to adjudicate the dispute.

 

The dispute shall be resolved by means of arbitration in terms of the applicable rules of the ODR Institution, and in accordance with the Arbitration and Conciliation Act, 1996. Such a process shall be conducted (including for recording of evidence or tendering of documents), concluded and administered online by the ODR Institution through its website/platform or its mobile application, and the determination made by such process shall be binding on such Participants. The seat of arbitration proceedings shall be city and state where Sahamati is headquartered. The procedural law of arbitration shall be the rules of the ODR Institution.

15. Confidentiality Obligation

All the Participants recognise that in the course of their participation in the Sahamati AA Ecosystem they will gain access to confidential information and agree to adhere to the same standard of care that it uses for its own confidential materials or for personal data as required by Applicable Laws.  The Participants agree that they will use such confidential information only in accordance with the terms of the contractual arrangements with the Customer and shall not use this confidential information for any purpose that has not been specifically permitted.

 

16. Privacy

All the Participants shall adhere to all applicable laws governing privacy, and hereby agree to utilize any Customer information which is received, provided or in the possession of the Participant only as approved or authorized by the Customer, these Terms or as per applicable laws, and not utilize the same in any other mode or manner. Sahamati will further evolve the privacy obligations of the Participants from time to time and publish the Privacy Policy required to be adhered to by the Participants.

 

17. Miscellaneous

17.1      Any delays or failure in performance by a Participants under these Terms shall not constitute a default hereunder if and to the extent caused by a Force Majeure Event.

 

17.2      All notices or other communications under these Terms shall be in writing and, unless otherwise specified, may be sent by email, speed post or courier or any other acceptable mode of electronic communication. Any such notice or other communication will be deemed to be effective: (i) if delivered in person, at the time of such delivery; (ii) if dispatched by speed post or courier, when recall of the letter is outside the control of the sender; (iii) if sent by email, when such email enters the sent items folders.

 

17.3      No delay by a Participant in enforcing any provision of these Terms shall be construed to be a waiver of any of the rights under such provision.

 

17.4      If any provision of these Terms is held to be invalid or unenforceable by a court or tribunal of competent jurisdiction or by the dispute resolution mechanism specified in these Terms, then the remaining Terms shall remain in full force and effect as if the invalid or unenforceable provision had never been part of these Terms.

 

17.5      Nothing in these Terms shall be deemed to be a transfer, license or assignment of any right, title, interest or claim in relation to intellectual property rights of any Participant, and any such transfer, license or assignment should be between or among the parties thereto in writing.

 

 

 

 

 Annexure 1: Declaration

This declaration is executed by [___][Name of Organisation] having its registered office at [___][registered office address] (hereinafter the Acceptor).

 

The Acceptor, having reviewed the Sahamati Account Aggregator Ecosystem Participation Terms (version 1.0), wishes to participate in the Sahamati Account Aggregator Ecosystem as a [choose any one of the following: AA, FIP, FIU]

 

The Acceptor hereby agrees the Sahamati Account Aggregator Ecosystem Participation Terms, as amended from time to time, shall be binding on it and commits to perform all the obligations required of it, in accordance with the terms thereof. The Acceptor acknowledges that its continued participation in the Sahamati Account Aggregator Ecosystem is conditional upon its continued compliance with the Sahamati Account Aggregator Ecosystem Participation Terms, as amended from time to time.

 

This declaration is made by the Acceptor on this the [___] day of [___], 20__.

 

Executed by

 

______________________________

Name

 

______________________________

Designation

 

 

Affix the digital signature, here.

 

 

 

Annexure 2: Onboarding Process for Participants into the Sahamati AA Ecosystem

 

Every participant, be it an FIP, FIU or an AA, can onboard itself into the Sahamati AA Ecosystem using the process described below:

 

  1. Become a member of the Sahamati AA ecosystem by agreeing to and accepting the Sahamati AA Ecosystem Participation Terms in the manner specified.

 

  1. Be ready with its technical implementation of the AA Technical Standards, as relevant to the role (FIP/FIU/AA) it wishes to play in the Sahamati AA ecosystem.

 

  1. Be ready with its technical implementation to integrate Sahamati Technical Services (such as the Central Registry APIs, Token Service APIs) as relevant to its role.

 

Details of Technology Service Providers (TSPs) who offer technical services for the above can be found on the Sahamati website. Sahamati, however, has no role to play in facilitating any commercial arrangements between participants and TSPs.

 

Details of Sahamati Technical Services can be obtained by writing in to [email protected].

 

  1. Test its technical implementations using UAT environments for access to Sahamati Technical Services and AA Sandboxes (relevant only for FIP / FIU participants).

 

Details for accessing the UAT environment of Sahamati Technical Services can be obtained by writing an email to [email protected].

 

Details of AA sandboxes can be found on the Sahamati website.

Sahamati, however, has no role to play in facilitating any commercial arrangements between participants (FIPs/FIUs) and AAs.

 

  1. Undergo the Certification process, as defined in the Sahamati Certification Framework.

 

Details of the Sahamati Certification Framework and entities empaneled by Sahamati as Certifiers can be found on the Sahamati website.

Sahamati, however, has no role to play in facilitating any commercial arrangements between participants and empaneled certifiers.

 

  1. Once certified, gain access to the production environment of Sahamati Technical Services and other participants in the Sahamati AA ecosystem.

 

Details for accessing the production environments can be obtained by writing an email to [email protected].