Last week, a new data-sharing framework went live to 1.1 billion bank accounts that would allow users to seamlessly aggregate their personal financial data in one place and share it with multiple lenders with the click of a button. It’s a big step forward for consumers. But is the cost of convenience too high?

The data sharing framework, called account aggregators (AA), enables users to share their data digitally with different service providers in exchange for loans, insurance, or any other financial service. The user then gets to decide what data they want to share, with whom to share it, for what purpose, and to even revoke permission to access their data.

“You can think of an AA as a gateway to your financial data,” tweeted Sahamati, a nonprofit account aggregator collective. “Users download an AA app and use it to securely link their bank accounts and other financial accounts [such as insurance, investments, and pension funds]. Once the accounts are linked, users can share data from their banks and other service providers with the click of a button.”

This new system could be a game-changer for banks and insurers accessing new borrowers. Currently the process is broken: a lender looking to underwrite a customer receives financial data in different formats, such as PDFs, paper printouts, or pictures of bank statements, which costs money to import into standard systems. With the consent-based sharing of user data through account aggregators, credit risk assessment becomes quicker, smoother, and cost-effective.

With 1.1 billion live accounts, including participation from India’s largest bank, State Bank of India (SBI), some think that the open banking framework will unlock a $300 billion lending market by catering to small and medium-size businesses.

But some privacy advocates are alarmed over the new system. “Account aggregator does to banking privacy what Truecaller did to caller privacy,” said Srikanth Lakshmanan, a member of Cashless Consumer, a consumer protection collective for digital payments.  

While registering for caller ID app Truecaller, users consent to sharing their contacts with the company. So, even if your friends haven’t signed up, their numbers and identities would automatically end up as a registered identity on Truecaller’s database. 

 “If you give consent to your lender to actively monitor your bank statement for the loan you have got, and I happen to digitally pay you, your lender/fintech value chain now has access to knowledge of my transaction from your statement without my consent. This is a gaping hole in account aggregator which doesn’t account for counterparty privacy. Given recovery practices by lenders and poor oversight by regulators, I assume this data will get misused systemically,” Lakshmanan said.

The greatest risk is Central Bank of India’s refusal to regulate digital lending, even after more than two years of misuse of data and dozens of suicides. “Sahamati being self-regulated will prioritize industry interests first and offer limited consumer-first redressal options,” Lakshmanan said. 

In the future, “It will be impossible to access credit without consenting to active monitoring, and this is the banking world equivalent of having a million CCTV cameras all around the city — both by the police and business establishments,” Lakshmanan said. “This will give a perception of security to banks in giving loans; [it] might increase confidence but will not improve security, just like how CCTVs can’t make streets safer.”