State of Account Aggregator in 2026: What Founders Actually Need to Know
A factual, research-backed assessment of India's Account Aggregator framework in 2026. 17 AAs, 135+ FIPs, but joint accounts excluded, bonds still proposed, and you need to be a regulated entity. Here's what the ecosystem actually looks like.
If you’re building a fintech product in India and need access to customer financial data, you’ve heard about Account Aggregator (AA). The pitch sounds compelling: a government-backed, consent-based framework for accessing financial data across banks, insurers, and depositories.
But when you actually sit down to implement it, the picture gets complicated fast. This post is a factual assessment of where AA stands in early 2026, based on data published by Sahamati (the AA ecosystem’s self-regulatory body) and the RBI Master Direction. No marketing spin, just what founders need to know before committing engineering resources.
How Account Aggregator Works
AA uses a tripartite model with three roles:
FIP (Financial Information Provider) is the entity that holds your customer’s data. Your customer’s bank, insurer, depository, or NPS provider.
AA (Account Aggregator) is an RBI-licensed consent manager. It acts as a secure pipe between FIPs and FIUs. The AA cannot view, store, or sell customer data. Data flowing through the AA is encrypted end-to-end, and the AA does not hold the decryption key.
FIU (Financial Information User) is your company. The entity that needs customer data to provide a service (lending, wealth management, insurance underwriting).
The consent flow works like this:
- Your app (FIU) sends a consent request to the customer’s AA, specifying what data you need, from which FIPs, for how long, and for what purpose
- The customer reviews and approves the consent on their AA app
- The AA forwards the consent artefact to the relevant FIPs
- Each FIP verifies the consent, encrypts the data, and sends it through the AA
- Your app receives and decrypts the data
The customer can view active consents and revoke them at any time.
The Ecosystem by the Numbers
As of March 2026, here’s where the AA ecosystem stands (source: Sahamati):
| Metric | Count |
|---|---|
| Operating AAs | 17 (13 with live FIP integrations) |
| Total FIPs | 135+ live entities |
| Banks | 72 (private, public, SFBs, RRBs, foreign, cooperative) |
| Insurers | 57 (life + general + health) |
| Depositories | 2 (CDSL, NSDL) |
| RTAs | 2 (CAMS, KFintech) |
| NPS CRAs | 3 |
| GSTN | 1 |
| NBFCs | 6 |
| AMCs (via RTAs) | 40 |
Those numbers look impressive. But the real question is: what data can you actually get?
What Data Is Actually Live vs. Proposed
RBI’s Master Direction defines 20+ categories of “Financial Information.” Not all of them are live. Here’s the honest breakdown:
Working well (broadly integrated)
- Savings accounts (individual, singly held): All 72 banks
- Equities, MF units, ETFs, AIFs, InvITs, REITs: via CDSL and NSDL, both live with 13 AAs
- Mutual fund folios: via CAMS RTA and KFin RTA, both live with 13 AAs
- GSTR 1 & 3B: via GSTN, live with 13 AAs
- NPS balances: via 3 CRAs, live with 10-12 AAs
Live but patchy
- Fixed deposits / Recurring deposits: Only ~40% of banks support them. Axis, SBI, PNB, HDFC, IndusInd, and some RRBs do. Many banks don’t.
- Current accounts (sole proprietor): ~65 of 72 banks support them. DBS, HSBC, Standard Chartered, and a few others don’t.
- Insurance policies: 57 insurers are “live” but many are integrated with only 1-2 AAs. SBI Life leads with 10 AAs. LIC is on exactly 1 AA (OneMoney). If your customer’s insurer isn’t connected to the same AA they use, the policy won’t be discoverable.
Not live at all (still “Proposed”)
- Bonds
- Debentures
- Government Securities (G-Sec)
- Commercial Paper (CP)
- Certificates of Deposit (CD)
- EPF
- PPF
These have been “Proposed” since the framework launched. No FIPs provide this data. No ReBIT schemas are in production for them.
Explicitly excluded
- Joint accounts: Not supported by any bank. Every single bank shows “not supported” for joint account discovery.
- NRE/NRO accounts: Not discoverable on AA.
- Non-sole-proprietor current accounts: Partnerships, companies, trusts, all excluded.
- Depository transaction history: Capped at 2 years. If you need historical portfolio data beyond 2 years, AA cannot provide it.
What It Takes to Become an FIU
This is where most founders hit a wall. The requirements are substantially more involved than “just integrate an API.”
Step 1: Be a regulated entity
Your company must be registered with and regulated by at least one of: RBI, SEBI, IRDAI, or PFRDA. If you’re a pure-play fintech startup without an NBFC license, lending license, or investment advisory registration, you cannot directly become an FIU. You’ll need to either obtain a license or partner with a regulated entity that acts as the FIU on your behalf.
Step 2: Become a FIP first
Per the RBI circular from October 2023, any regulated entity that wants to join AA as an FIU must also join as a FIP if it holds financial information. This means if you’re a lender and want to pull customer bank data (FIU), you must also contribute your own loan data to the ecosystem (FIP). This bilateral mandate is designed to prevent free-riding.
Step 3: Implement the FIU module
Build the API integration per ReBIT technical specifications (published at api.rebit.org.in). This covers consent management, data fetch, encryption/decryption, and integration with AAs.
Step 4: Sahamati certification
Get certified by a Sahamati-empanelled auditor. The certification covers four areas:
- Security specification conformance: API authorization, non-repudiation, data-in-transit controls
- API schema conformance: Your implementation matches ReBIT specs
- Financial Information schema conformance: Data schemas match ReBIT standards
- Central Registry integration: Your module works with the AA discovery and token APIs
Certification is tied to a specific version of the ReBIT technical specification. If the spec version changes, you need re-certification.
Step 5: Ongoing compliance
- Quarterly self-tests: Re-run the certifier’s testing tool every quarter and declare that your production environment matches the certified environment
- IS audit every 2 years: By a CISA-certified external auditor, per the RBI Master Direction
- Re-certification on code changes: Any code change in your production environment technically requires confirming conformance
The Regulatory Stability Question
The RBI Master Direction governing Account Aggregators was issued on September 2, 2016. Since then, it has been updated 9 times:
| Date | Key Change |
|---|---|
| Oct 2021 | Scale-Based Regulation; AAs placed in Base Layer; board experience requirements added |
| Nov 2022 | GSTN added as FIP; Department of Revenue added as financial sector regulator |
| Nov 2023 | NPS CRAs added as FIP; FIP-first mandate for RBI-regulated FIUs |
| Feb 2024 | CCIL added as FIP (for Retail Direct Gilt accounts) |
| Sep 2024 | Most recent update |
Each time the Master Direction changes, or the ReBIT technical specification is updated, or Sahamati updates the certification framework, it can trigger re-certification requirements for existing participants.
The definition of Financial Information Providers keeps expanding (GSTN in 2022, NPS CRAs in 2023, CCIL in 2024), and each expansion means new integrations. The framework is actively evolving, which is both a sign of growth and a source of ongoing implementation burden.
Cost Structure
Sahamati does not publish standardized pricing. Costs are commercially negotiated between participants. Here’s what founders should budget for:
- Sahamati membership fees: Published separately for regulated entity members
- TSP (Technology Service Provider) fees: Most companies use a TSP rather than building from scratch. TSPs charge implementation fees plus per-transaction or per-consent pricing.
- Certification costs: Engaging empanelled auditors. Varies by certifier.
- Ongoing compliance: Quarterly self-tests, biennial IS audits, re-certification on spec changes
- Engineering resources: Dedicated team for AA integration, consent management, and ongoing maintenance
Industry estimates put the total first-year cost at ₹5-25 lakhs or more, depending on scope and whether you use a TSP or build in-house.
The FIP Fragmentation Problem
A subtle but important issue: not all FIPs are connected to all AAs. Your customer might have their bank account on AA X, but their insurer might only be connected to AA Y. The ecosystem doesn’t have universal interconnection.
The top AAs by FIP coverage (approximate, as of March 2026):
| AA | Approx. Live FIPs |
|---|---|
| Anumati | 80+ |
| CAMS AA | 70+ |
| OneMoney | 65+ |
| Finvu | 60+ |
| NADL | 60+ |
Four AAs (Upmint, Cygnet, PB Financial, Scoreme) have zero live FIP integrations.
The backbone entities (CDSL, NSDL, CAMS RTA, KFin RTA, GSTN) are connected to 13 AAs each, so investment and tax data is broadly available. But banking and insurance connectivity varies significantly.
CAS PDFs: The Stable Alternative for Investment Data
If your primary need is investment portfolio data (mutual funds, equities, bonds, AIFs, insurance, NPS), CAS (Consolidated Account Statement) PDFs offer a different approach worth considering.
SEBI mandated CAS statements in 2009, and the format has been stable for 15+ years. The core structure has remained consistent with only incremental additions. Every Indian investor can generate a CAS from CDSL, NSDL, CAMS, or KFintech.
Key differences from AA for investment data:
| Account Aggregator | CAS PDFs | |
|---|---|---|
| History depth | 2 years (demat) | 50+ years (CAMS/KFintech mutual fund history) |
| Setup requirements | Regulated entity + Sahamati certification | API key, no approvals |
| Time to integrate | 5-10 months | Same day |
| Cost | ₹5-25 lakhs+ first year | Starts at ₹999/month |
| Joint accounts | Not supported | Included in CAS |
| Regulatory risk | Master Direction updated 9 times since 2016 | CAS format stable since 2009 |
| Data coverage | Banking + investment + insurance + GST | Investment data across 9 asset classes |
| Who can use it | Only regulated entities | Any company |
| User consent | Multi-step flow via AA app, per-session | One-time Gmail OAuth, infinite validity, restricted to CAS senders |
AA is stronger for banking data and GST returns. CAS parsing is stronger for deep investment history, speed of integration, user consent simplicity, and accessibility to any company regardless of regulatory status.
The Practical Recommendation for Founders
If you need banking data: AA is the only scalable option. Plan for 5-10 months and ensure you meet the regulated entity requirement.
If you need investment portfolio data: Start with CAS parsing today. You can be live in minutes, access 50+ years of transaction history, and serve any customer regardless of which AA they use (or whether they’ve even set up an AA handle). Consider AA later if you also need banking data.
If you need both: Most platforms that evaluated both chose CASParser for investment data and only pursue AA if they specifically need banking transaction data. The regulatory and cost overhead of AA rarely justifies it for investment portfolio use cases alone.
The AA ecosystem is real, growing, and government-backed. But it’s not a silver bullet. Understanding its actual coverage, costs, and limitations will save you months of planning based on assumptions that don’t match reality.
All ecosystem data cited above is sourced from Sahamati and the RBI Master Direction on Account Aggregators. Data was current as of March 2026. For investment portfolio import, CASParser provides a REST API that parses CAS PDFs from CDSL, NSDL, CAMS, and KFintech into structured JSON. Get your API key - production keys free on signup.
Related reading: