Old habits die hard, and few habits in Indian finance have died harder than our collective attachment to the self-attested photocopy. For three decades, the loan application was a ritual of paper, a thick folder of bank statements and payslips and PAN cards stapled together and handed across a desk to someone who, in all honesty, had no real way of knowing whether any of it was genuine.
I have sat on both sides of that desk in my career, first as someone trying to get a lender to take my application seriously and later as someone building the infrastructure meant to replace that entire charade, and I can say without exaggeration that the account aggregator framework is the most consequential thing to happen to consumer lending in India since the credit bureau.
Think about what a credit underwriter actually does. They look at six to twelve months of bank statements, a PAN card, an Aadhaar copy, payslips and sometimes title deeds, and from this pile of paper they are expected to make a financial judgment that determines whether a person can buy a home or expand a business.
The trouble was never the underwriter’s competence but that nobody in that chain could independently confirm a bank statement was real without phoning the bank directly, and with millions of applications moving through the system every month that kind of manual verification was never going to scale. So lenders did what any rational institution does when verification is expensive: they priced in the risk, they wrote off the inevitable fraud, and the honest borrower ended up subsidizing the dishonest one through higher rates and slower approvals.
It is tempting to credit the smartphone or the API economy for what came next, but that misses the real shift. The bigger change was regulatory imagination, the willingness of the Reserve Bank of India to architect a system where a citizen’s financial data could move between institutions with their explicit consent and without ever sitting unencrypted on a third party’s server. That is what the account aggregator framework actually is at its core: a consent layer sitting between the citizen, the lender seeking information, and the bank holding it, none of whom need to trust each other directly because the protocol itself enforces the trust.
I find it useful to walk people through what now happens when a borrower chooses the AA route instead of uploading a PDF or typing in net banking credentials, because the sequence is almost absurdly short given what it replaces.
The citizen registers on an aggregator of their choosing and is issued a digital identifier. They then select which financial institutions they hold accounts with, and the aggregator discovers and displays those accounts without the citizen having to remember account numbers or branch codes. They choose which accounts to link; a one-time password from the bank itself confirms that the request is genuine, and finally they approve a consent artefact that spells out in plain terms exactly what data is being requested, for what purpose and for how long.
Once that consent is granted, the lender retrieves the data directly from the source, the aggregator that brokered the exchange purges its own copy immediately, and the entire sequence, from registration to data delivery, typically completes inside ninety seconds. A process that once took weeks of back and forth now happens before a borrower has finished their coffee.
Most commentary on account aggregators focuses on convenience for the customer, and that convenience is real, but I think the more interesting story is what this does to a lender’s risk model. When data arrives directly from the regulated financial institution that holds it, with no scanning, no manual re-entry, and no possibility of a doctored PDF, fraud of the kind that comes from tampered documents simply has nowhere to hide.
Lenders who have moved meaningful volumes of their loan book onto the AA rail consistently report that document-related fraud, the kind that used to slip through manual checks on a busy desk, drops close to zero, because there is no document left to falsify in the first place. Underwriting teams that once spent their time squinting at bank statements for signs of editing can instead run analytics on clean, machine-readable data, which means credit decisions get not just faster but genuinely better informed. Customer acquisition cost falls too, because every manual touchpoint in a loan journey is a cost center as well as a drop-off point, and the AA rail removes several of them at once.
There is one more dimension to this that deserves more attention than it gets, which is that account aggregators were arguably India’s first large-scale, working implementation of purpose-limited data sharing. The consent artefact does not grant a lender open access to a citizen’s financial life; it grants access to exactly what was asked for, for exactly the stated purpose, and the aggregator that facilitates the exchange is contractually and architecturally barred from retaining a copy once it is delivered. In a country where data privacy law has mostly existed on paper, the AA framework quietly built the real thing into the plumbing of financial services before the statute even caught up.
If there is a single message I would leave with the lenders and DSAs still defaulting borrowers to PDF uploads, it is that every month spent on the old workflow is a month of avoidable fraud losses and lost approvals to a competitor who has already switched. The infrastructure is built, the regulatory framework is mature, and the borrowers themselves are already choosing the AA option when it is offered to them. The only question left is how much longer the industry wants to keep paying the paper tax.

