To enhance the security of the entire Account Aggregator (AA) ecosystem once the Virtual Data Room Provider (VDRP) is added as a new regulated entity, we propose the following guidelines, around which data policy and regulations may be framed for compliance by the various participating entities.

Overview of the Proposed Policy:

  1. There should be a central regulatory institution that certifies each Virtual Data Room Provider and licenses it to operate and provide services in the AA ecosystem. This could be the Central Registry.

  2. This central regulatory institution should audit the infrastructure of the VDRP and re-evaluate the audit certification at regular intervals.

  3. The regulatory body should take into consideration the following domains while vetting the infrastructure of the VDRP:

    Policy to be adhered to by the Virtual Data Room Provider:

    The Virtual Data Room Provider (VDRP), being a separate, independent entity in the AA ecosystem, will provide secure virtual data rooms where an FIU can compute on a user's financial data and extract insights without accessing the user's actual financial data. As a result, it must adhere to the following policies/guidelines:

    1. VDRP should adhere to the guidelines provided by the regulatory body in order to obtain a license and operate in the AA ecosystem.
    2. VDRP should have an appropriate audit mechanism and generate appropriate audit data for each computation performed using its infrastructure. Such audit reports should contain at least the following fields:
      • FIU-id
      • FIU-resource-id
      • Timestamp of FIU request received
      • Size of FI data received
      • Timestamp when the encrypted data is received by VDRP
      • Timestamp at which decryption process starts
      • Timestamp at which decryption process ends
      • Timestamp at which computation on decrypted data starts
      • Timestamp at which computation on decrypted data ends
      • Timestamp at which FI data and other associated data is flushed from memory
    3. VDRP should provide all virtual data room server logs to the regulatory body at the time of audit.
    4. VDRP should only allow an FIU using its services to upload code that has been certified as non-malicious (by the central body).
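
An auditor-side consistency check for the per-computation audit fields listed in item 2 above, as an added example that is not part of the original proposal. The field names, the ISO 8601 timestamp format with a UTC offset, and the rule that the timestamps must occur in the listed order are assumptions, since the proposal names the fields but defines no schema.

```python
from datetime import datetime

# Hypothetical field names: the proposal lists the fields but defines no schema.
ID_FIELDS = ("fiu_id", "fiu_resource_id")
SIZE_FIELD = "fi_data_size_bytes"
# Lifecycle timestamps in the order the proposal lists them (ordering rule is an assumption).
LIFECYCLE = (
    "request_received_at", "encrypted_data_received_at",
    "decryption_started_at", "decryption_ended_at",
    "computation_started_at", "computation_ended_at", "data_flushed_at",
)

def validate_audit_record(rec):
    """Return a list of findings; an empty list means the record passes."""
    findings = []
    for f in ID_FIELDS:
        if not isinstance(rec.get(f), str) or not rec[f].strip():
            findings.append(f"missing or empty {f}")
    size = rec.get(SIZE_FIELD)
    if isinstance(size, bool) or not isinstance(size, int) or size < 0:
        findings.append(f"{SIZE_FIELD} must be a non-negative integer")
    stamps = {}
    for f in LIFECYCLE:
        try:
            ts = datetime.fromisoformat(rec[f])
        except (KeyError, TypeError, ValueError):
            findings.append(f"missing or unparseable {f}")
            continue
        if ts.tzinfo is None:  # naive times cannot be compared across servers
            findings.append(f"{f} has no UTC offset")
            continue
        stamps[f] = ts
    # Each stage must not start before the previous one; a missing flush
    # timestamp is already reported above and is skipped here.
    for a, b in zip(LIFECYCLE, LIFECYCLE[1:]):
        if a in stamps and b in stamps and stamps[b] < stamps[a]:
            findings.append(f"{b} precedes {a}")
    return findings

# Constructed sample records (not real audit data): one second between stages.
GOOD = {"fiu_id": "FIU-EXAMPLE-01", "fiu_resource_id": "res-0001", "fi_data_size_bytes": 48213,
        **{f: f"2024-01-15T10:00:{i:02d}+00:00" for i, f in enumerate(LIFECYCLE)}}
# No flush timestamp, and decryption "ends" before it starts.
BAD = {k: v for k, v in GOOD.items() if k != "data_flushed_at"}
BAD["decryption_ended_at"] = "2024-01-15T10:00:01+00:00"

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_audit_record(rec) or "ok")
```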

    Policy to be adhered to by an FIU:

    1. In order for an FIU to utilize third-party VDRP services and execute its own proprietary algorithm on user FI data, its algorithm and code must be certified by licensed code audit organizations as non-malicious in nature. These audit services may be provided by the VDRPs themselves.
    2. When uploading binaries evaluated by a third party auditor on a VDRP portal, they need to be signed with the auditor's digital certificate.