Making UPI Safer

I recently came across the NPCI PayAuth Challenge, which seeks proposals to improve the UPI authentication process for better user experience and improved security. I thought this was a good reason to write a new blog post. I have been a big advocate of risk-based authentication and believe that it clearly has the potential to significantly improve the authentication process without compromising security. In fact, there is a possibility of even improving security by removing the blanket authentication protocol for all transactions.

UPI as a transaction method requires you to register your mobile device as a trusted device, after authentication from your bank, before you are allowed to transact. Smartphones are capable of capturing a lot of data points in the background. These data points, combined with user information and past behaviour data available with your PSP (and/or bank), can be used to arrive at indicators or a score to assess the risk associated with any particular transaction. Based on the risk score, the UPI app can trigger the authentication protocol. Low-risk transactions can be processed without additional authentication, moderate-risk transactions can be approved with simple authentication, and high-risk transactions can ask for stricter authentication protocols (could be an IVR-based referral even if the risk is high).

The idea behind this thought is that your PSP has access to more behavioral data than your merchant or bank; this behavioral data, if used wisely, can be an effective tool to offer a seamless transaction authentication experience without compromising on security. PSPs can create a user profile around behavioral data based on things like the where, when, what and how of a transaction. Any deviation from this profile can trigger additional authentication.

Nowadays we even have technologies available to create a behavioral biometric profile of a user based on how he normally interacts with his device. This behavioral biometric can be used as a first level of authentication (your mobile device is already mapped, which serves as one level of authentication anyway in every transaction) to process the transaction without any password or PIN. In case of enhanced risk, a password/PIN can be triggered to ensure triple-factor authentication in this case.

1. What you have? Your mobile device.

2. Who you are? Your behavioral biometric.

3. What you know? Password/PIN

One warning though: do not ever use SMS OTP based authentication for transactions performed from a mobile device. An OTP is falsely attributed as a “What you know?” factor, while it is actually a repeat of “What you have?” An SMS OTP validates possession of the mobile device, which is redundant if the transaction is performed from a pre-verified and tagged mobile device.

Let me illustrate with a few examples.

1. Let’s assume a particular customer pays an electricity bill to the same electricity company every month, in the range of 2000-5000 Rs. How would step-up authentication work in the following scenarios?

a. Customer trying to pay bill of 4000 Rs to same electricity company. – Transaction can be approved without additional PIN

b. Customer trying to pay bill of 6000 Rs to same electricity company. – Customer will have to authenticate using PIN

c. Customer trying to pay bill of 3000 Rs to different electricity company. – Transaction will require PIN

2. A customer living in Mumbai regularly transacts at shops in his region with transaction amount ranging between 50 Rs to 5000 Rs depending on merchant category.

a. A transaction within the location range, on a merchant category-amount combination within the typical behavior range, will be approved without PIN.

b. Transactions outside the location range, in a different merchant category, or with a value higher than the typical behavior range will require PIN.
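
The two examples above, written out as a small rule-based step-up check. This is an added example, not code from the NPCI challenge or any PSP; the payee names, the sample history, the per-payee treatment of bill payments and the "strict" tier for multiple deviations are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumption: bill-payment categories are profiled per payee (example 1);
# everything else is profiled per merchant category (example 2).
PAYEE_BOUND = {"electricity"}


@dataclass(frozen=True)
class Txn:
    payee: str
    category: str
    amount: int  # rupees
    city: str


def profile_key(t):
    """Key under which a transaction's usual amount is tracked."""
    if t.category in PAYEE_BOUND:
        return ("payee", t.payee)
    return ("category", t.category)


def build_profile(history):
    """Learn the highest usual amount per key and the set of usual cities."""
    ceilings, cities = {}, set()
    for t in history:
        key = profile_key(t)
        ceilings[key] = max(ceilings.get(key, 0), t.amount)
        cities.add(t.city)
    return {"ceilings": ceilings, "cities": cities}


def decide(profile, t):
    """Return (step_up, deviations) for a new transaction."""
    deviations = []
    ceiling = profile["ceilings"].get(profile_key(t))
    if ceiling is None:
        deviations.append("unfamiliar payee or merchant category")
    elif t.amount > ceiling:
        deviations.append("amount above usual range")
    if t.city not in profile["cities"]:
        deviations.append("outside usual location")
    # Assumption: one deviation asks for the PIN, several at once escalate
    # to a stricter protocol (the post suggests an IVR referral).
    step_up = ("none", "pin", "strict")[min(len(deviations), 2)]
    return step_up, deviations


# Constructed history combining the two customers from the examples.
HISTORY = [
    Txn("PowerCo A", "electricity", 2000, "Mumbai"),
    Txn("PowerCo A", "electricity", 3500, "Mumbai"),
    Txn("PowerCo A", "electricity", 5000, "Mumbai"),
    Txn("Kirana 1", "grocery", 50, "Mumbai"),
    Txn("Kirana 2", "grocery", 1500, "Mumbai"),
    Txn("Cafe X", "restaurant", 5000, "Mumbai"),
]

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for txn in [
        Txn("PowerCo A", "electricity", 4000, "Mumbai"),   # example 1a
        Txn("PowerCo A", "electricity", 6000, "Mumbai"),   # example 1b
        Txn("PowerCo B", "electricity", 3000, "Mumbai"),   # example 1c
        Txn("Kirana 3", "grocery", 800, "Mumbai"),         # example 2a
        Txn("Gadget Shop", "electronics", 20000, "Delhi"), # example 2b, twice over
    ]:
        print(txn, "->", decide(profile, txn))
```

A learned model would replace the fixed ceilings and the deviation count with a score, but the contract stays the same: the profile goes in, the required authentication level comes out.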

With machine learning we can create self-learning algorithms to cater to more complex scenarios and let the algorithm decide when to step up the authentication. With more usage, the algorithms will keep improving, making them more effective with time.

PS: I know some start-ups who are working on behavioral biometric and will be happy to do a POC.

PS 2: Happy to brainstorm with anyone who is interested; the only condition is that one will have to adjust to my availability.

Building Sutradhar

For the last one year I have been busy building Sutradhar. It’s a platform for stories from Bhartiya Itihas and Mythology. Our ancient literature and oral folklore tradition are extremely rich and full of entertaining stories. At Sutradhar we are attempting to bring these stories into the limelight by delivering them to your mobile phone.

I urge all of you to give it a try. Android users can download our app here.

We haven’t yet launched an iPhone app, but don’t feel disheartened, because you can subscribe to our YouTube channel where we post some of our stories.

Here is one such story we did recently. Do check it out.

Conversation with a fraudster: Apparently I won an SUV on some Amazon Prime Lottery

Had the most amazing conversation just now. Brace yourself and read this:

Received a call from an unknown number telling me I had won a lucky draw of the Amazon company and had won a Tata Safari.

The generous caller gave me two options: either opt for the car or get cash equivalent to the value of the car.

Since I am in Gurgaon now, like any other person living here, I opted for the SUV.

The caller asks me to send my photograph and Aadhaar copy over WhatsApp and pay 8,000 Rs as processing charges.

At this point I asked the caller, “How many people do you manage to fool like this in a day?”

The caller replied, “10-12.”

Me: Nice, boss, so that means you make 80K to 1L a day.

Caller: No. We have to pay out too, you know.

Me: To the police? How much do you pay?

Caller: 10K a day.

Me: So the police are in on it too?

Caller: The police would sell out for 5 Rs; we pay 10K a day.

Me: Stop robbing poor people like this. Otherwise you will get a beating some day.

Caller: Who is going to beat us? The police themselves are with us. Who is above them?

Me: There are people above the police too. Robbing people is not a good thing.

Caller: Sir, now tell me one thing. Just the other day a lawyer gave us 1L rupees. He must be robbing everyone. So if we robbed him, what wrong did we do?

Me: At least don't rob me. Everything I have is hard-earned money.

Caller: Your number came up, so we called. You seem like a good man, otherwise we would have robbed you anyway.

Me: It is not easy to rob a sensible person like this. You can only rob fools. You can't even say "Amazon" properly.

Caller: You won't believe how many fools there are. We did rob a lakh rupees from the lawyer, didn't we?

This went on for some time; the caller kept justifying himself and was confident that he was doing nothing wrong and nobody could harm him. So I terminated the call, wishing him all the best.

My only advice to anyone receiving such calls – Don’t Overestimate Your Luck.

ProTalks : Fireside Chat with Gaurav Tripathi

Join the Fireside Chat featuring Gaurav Tiwari, the founder of Sutradhar which is building an ecosystem to support storytellers focused on telling stories from Indian mythology and ancient history, legends and folklores.
Earlier he held senior roles at various banks with a focus on FinTech products and investments.

Protalks is a series hosted by Gaurav Tripathi to feature professionals who can inspire others.

Register here for FREE:

Save the date – 28th November 2020 | Sunday | 06:00 pm


What Did I Learn in IIT?

I am often asked this question, especially in the context that my career choice has nothing to do with my B.Tech. degree. I feel like recounting some of my experiences from my IIT life, which taught me a great deal, played a key role in shaping me as a person and have directly or indirectly helped me in my professional life as well.

Today I will recount a story from my 2nd year of IIT life, but before we get going, some background. People who are familiar with life in IIT Bombay or have seen Chhichhore know the competitive spirit between hostels when it comes to extracurricular activities. While Chhichhore talks about sports GC (General Championship), my story is more about Cult (cultural) GC.

I was in hostel 5 and at the end of my first year, when annual awards were being distributed, my hostel had won only one trophy. The trophy we won was in bridge, because we were fortunate to have one ace bridge player in our hostel. I was sitting in the crowd thinking, why can't our hostel win any awards? I told my friend sitting beside me that next year I would make sure our hostel won at least one award.

With this conviction in my mind, I became dramatics secretary of my hostel and with the help of everyone in the hostel managed to win almost every inter-hostel dramatics event that year. Now coming back to the story.

The biggest inter-hostel creative event in IIT Bombay is called PAF, which is short for Performing Art Festival. In this event 2/3 hostels are paired together to put up a live play on the stage of the Open Air Theater (OAT), witnessed by thousands of fellow students and other campus residents.

We design giant sets using crates, tables, newspaper and bamboo to facilitate the performance. I, along with another senior from the hostel, was in charge of the set piece on center stage. The center stage was supposed to be the lair of a tantrik. The creative team gave us a design of a throne, which was supposed to be the main attraction of center stage. The design given to us looked something like this:

We had three days to design it, so we analyzed all the material we had and started working on it. We were having second thoughts about how the audience sitting in the OAT would be able to appreciate a center piece like this and decided to be creative about it. At one point, I suggested checking with the creative team. To this my senior replied, “har kaam puchh-puchh ke nahi kiya jata.” (We need not ask permission for everything.)

So we kept working on our vision and kept learning and improvising at every step of the way. First we thought maybe we should make the skull bigger, if that was the main attraction. Then we decided that maybe instead of making a chair with skull on it, we should make a cave in the shape of a skull, where the character will sit inside its mouth.

While making it, we realized that the mouth could not be made big enough for a person to fit. So, we decided to make the nose of the skull big enough for a full-size human to fit in it and designed steps for him to climb up and down. What we ended up creating was this.

Center stage for Shantimrigyam, PAF by hostel 5 and 6, IIT Bombay (2003)

We did not stop at that. We made the jaw of the skull movable, so when the villain laughed the jaw of the skull moved. (We made someone sit behind the skull to do this, since all our engineering efforts failed to produce results in time.)

I, along with another friend, sat behind the black curtain inside the two giant eyes and when the tantrik got killed we dropped red color, making it look like tears of blood.

That year, along with winning the dramatics trophy, we also won the best PAF. The effort we had put in resulted in us winning the best prop trophy.

Someone has uploaded a video of the PAF on YouTube (quality is very bad though); if you wish, you can watch the entire performance there.

If it is still not clear what I learned from this experience, let me state it explicitly. I learned that if you are clear about the objective and are ready to learn and adapt, with belief in your own ability, you can end up achieving more than what you imagined to begin with. Don’t lose sight of the end goal. As long as you are clear about the bigger objective, finer details are not rules cast in stone but general guidelines.

Supporting Offline Transactions

In a recent communication RBI has pointed out the need to support digital transactions in offline mode in order to overcome “lack of stable connectivity” as a hindrance to digital adoption. I thought it was a good time to talk about offline authorization when it comes to processing payment transactions.

Some definitions first:

Authentication: Every payment transaction goes through two steps, authentication and authorization. Authentication is the step that validates the card user. Historically, for transactions done using the card plastic, this step was performed by taking the customer's signature on the merchant copy of the transaction slip. Then, in order to ensure better security, RBI mandated the use of a PIN entered on the encrypted PIN pad of the point of sale (POS) terminal.

For transactions performed without the plastic, i.e. on a website, mobile app etc., this step is taken care of by asking the user to input a transaction password or OTP on the authentication page.

Authorization: Authorization is the step that validates the availability of funds. It is this step that is responsible for posting the transaction in your account.

Settlement: Settlement is the step that is responsible for movement of funds from Issuer Bank to Acquirer Bank. As part of this step the merchant claims the money from the acquirer bank and acquirer bank sends this claim to Visa/MasterCard/RuPay, which they then share with respective issuers for processing.

In the online transaction scenario, authentication and authorization are performed in real time, while settlement is an offline step that happens by exchanging the transaction data through the network and does not depend on connectivity at the merchant location.

Offline Transaction: When a transaction is processed without connecting to issuer bank’s system in real time. This means the debit in your account will not appear immediately at the time of transaction.

There are two possible ways they will appear in your account. The first is at the time of processing settlement: the issuer bank, as part of its reconciliation process, identifies all the transactions where authorization was not performed online but a settlement was received, and posts these transactions to the customer’s account after reconciliation.

The second possibility is by syncing the offline transactions stored on the card/app the next time the card interacts with another POS terminal that has connectivity, or the app finds network connectivity. Don’t worry, I will try to explain it in more detail below.

This offline method of processing payment transactions has been in use in many countries but not in India (transit cards and FasTag are two cases where India does use the offline method). There are two primary reasons we did not see such transactions in India. The first is low risk appetite. These transactions are riskier, and there is a possibility of more disputes and even of loss to banks. The second is that India is primarily a market driven by savings accounts and not credit cards. On savings accounts banks pay interest, which means that if a transaction is processed offline and is posted to the customer’s account after a gap of a few days (traditionally the gap between authorization and settlement could be a few days in many cases), the bank would in effect be paying interest to the customer on money that she has already spent.

Floor Limit: Many countries have a concept called the floor limit. A floor limit means that at certain merchant categories a payment transaction can be processed without online authorization, provided the transaction amount is below a certain amount. This amount, in card terminology, is referred to as the floor limit. So far the floor limit in India has been zero. Now, from what I understand, RBI is planning to set this floor limit at 200 Rs. That would mean any transaction below 200 Rs processed at specific merchant categories will not require authorization from the issuer bank. This transaction will be approved and stored at the terminal level and will be sent to the acquirer at the time of settlement.

In this case no authentication or authorization is performed, just the details of the card are captured so that the claim can be prepared for settlement.

Now imagine if this had been done a few months back: would we have even needed FasTag? One of the very popular use cases for this floor limit globally is toll payment.

EMV Cards: I am not sure how many of you know this, but besides EMV being more secure, one of the reasons EMV was introduced was its capability to process transactions in offline mode, thus avoiding the need to send every transaction through the network and saving on the cost of communication. For countries where telecom cost is high, this could mean significant savings.

The EMV protocol supports the offline mode of transaction processing by provisioning for an offline PIN, something that can be validated on the card itself, thus taking care of the authentication step. There are various other parameters, such as the last known balance (i.e. the balance at the time of the last online transaction), a cap on the number of transactions and a cap on the amount. The cap on the number of transactions is the total number of transactions that can be approved at the card chip level before the chip forces the transaction to go online. For example, if this parameter is set to 4, the chip will force every 5th transaction to be online. This 5th transaction carries with it all the past offline transactions, thus syncing the issuer's systems in the process. The cap on the amount is the cumulative amount up to which the chip on the card can process transactions in offline mode. As with the cap on the number of transactions, the moment this threshold is hit the chip forces the transaction to be processed online. From what I have read, it looks like RBI is proposing to set this amount limit at 2,000 Rs.
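
The chip-level parameters described above, as a simplified model. This is an added example, not EMV kernel logic and not code from any bank; the class names, result strings and the choice to decline when an online transaction is forced but there is no connectivity are assumptions. The limits of 4 transactions and 2,000 Rs are the values mentioned in the post.

```python
from dataclasses import dataclass, field


class Issuer:
    """Issuer-side account that only learns of offline spends at sync time."""

    def __init__(self, balance):
        self.balance = balance
        self.posted = []  # (mode, amount) in posting order

    def authorize(self, amount, offline_log):
        # Sync: first post everything the chip approved offline.
        for past in offline_log:
            self.balance -= past
            self.posted.append(("offline", past))
        # Then authorize the current transaction against real funds.
        if amount > self.balance:
            return False
        self.balance -= amount
        self.posted.append(("online", amount))
        return True


@dataclass
class CardChip:
    last_known_balance: int          # Rs, as of the last online transaction
    max_offline_count: int = 4       # example value from the post
    max_offline_amount: int = 2000   # Rs, cumulative cap cited in the post
    offline_log: list = field(default_factory=list)

    def must_go_online(self, amount):
        total = sum(self.offline_log) + amount
        return (
            len(self.offline_log) >= self.max_offline_count
            or total > self.max_offline_amount
            or total > self.last_known_balance
        )

    def pay(self, amount, connectivity, issuer):
        if not self.must_go_online(amount):
            self.offline_log.append(amount)
            return "APPROVED_OFFLINE"
        if not connectivity:
            # Assumption: a forced-online transaction cannot fall back offline.
            return "DECLINED_NEEDS_ONLINE"
        approved = issuer.authorize(amount, self.offline_log)
        self.offline_log = []                      # counters reset after sync
        self.last_known_balance = issuer.balance   # refreshed by the issuer
        return "APPROVED_ONLINE" if approved else "DECLINED_BY_ISSUER"


if __name__ == "__main__":
    issuer = Issuer(balance=10000)       # constructed sample account
    card = CardChip(last_known_balance=10000)
    for amount in (300, 400, 200, 100):  # four purchases with no network
        print(amount, card.pay(amount, False, issuer))
    print(150, card.pay(150, False, issuer))  # 5th: count cap reached
    print(150, card.pay(150, True, issuer))   # 5th retried with network
    print("issuer balance:", issuer.balance, "posted:", issuer.posted)
```

Until the forced online transaction, the issuer's balance is stale by up to the cumulative cap, which is the exposure the two limits are there to bound.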

Most of the systems at banks these days are capable of the methods described above and should be able to implement them without many changes, so they can be rolled out fast.

Similar principles can be used to build the capability for other modes that do not follow the card protocol. In fact, in the case of modes like UPI, where a mobile device is involved, this can be done in a much better way, considering that unlike a card, a mobile device is capable of connecting to the issuer directly as soon as it finds a network.

My IIT JEE Preparation Story

How a sixteen year old me navigated through coaching classes in Kanpur with almost no money to prepare for IIT JEE and managed to sail through in my first attempt.

I prepared this on request of my friends from ExtraClass to help their students in these uncertain times. Hopefully this will motivate kids preparing themselves for competitive exams in particular and life in general.

Decoding CRED : Part 2

There is nothing unique about acquiring customers by offering something extra for free; even our vegetable vendors have been doing this for ages. This is the reason he throws in those extra curry leaves in your bag whenever you buy vegetables from him. How often, though, have you seen a vegetable vendor giving away curry leaves for free but with no vegetables to sell? Right now that is the situation of CRED. They have a customer acquisition strategy, but no core business model.

In my last post I talked about CRED transforming into a digital mall and offering its digital real estate for a fee to various D2C brands. However, the unique part about these brands is the D: they want to sell directly to consumers by cutting out the middlemen and pass on that value to the customers, because the internet has made it possible. Introducing CRED as a middle party defeats the whole D part of D2C. Also, when the nearby shop with the same footfall is available for almost free, why would any brand pay a high price for opening a shop in the mall? This is the digital world. These brands, when they are new, might use CRED for a few months of promotions and then divert the customers to their own digital shop (app or website) rather than sticking with CRED forever.

I think the CRED team has also realized this, and that is why they are now trying to pivot into becoming a fintech by offering services like rent payment and consumer loans. There are already many rent payment options in the market, like Red Giraffe and No Broker, who even offer a better deal than CRED in terms of transaction fee. Rent payment by credit card is something I would personally not recommend. However, if you are a super-premium card holder with a superior reward program, like more than 3% cashback or something similar, then paying rent through a credit card may yet make some economic sense. There are not many card holders that fall in that segment, though, and many who do are likely not living in a rented house.

Now on the consumer loan part: as of now, to my knowledge, CRED is not an NBFC and is offering this in partnership with some other lender. The problem with this option is that the entire customer base of CRED is already eligible for a better deal offered by their bank. Some people say convenience may drive CRED users to opt for the option offered through CRED rather than their bank; well, in that case you do not understand the Indian consumer. First of all, the Indian consumer, no matter how rich, prefers the option that gives him/her better value. Also, CRED themselves don’t believe in that convenience hypothesis; that is why they sell themselves as the “most rewarding way to pay your Credit Card bill” instead of the “most convenient way to pay your Credit Card bill”.

Please also note that the customer base of CRED is the same customer base that banks also treasure. They typically get a dedicated relationship manager or personal banker. Banks will not let this customer get away, and even if by some odd chance CRED sees some traction in this regard, banks may even try to block CRED, something like what a few banks did when they started seeing wallets as a threat.

So in the current situation they have nothing going for them in terms of a visible business plan; hence they are spending all their energy on UI/UX. Someone in the boardroom might be like, “at least make it look premium so that the customer sticks around”.

Now the question is what they could do. The only thing that comes to my mind is that they can become a discovery platform for semi-luxury lifestyle goods; however, with the economic slowdown caused by this pandemic, this semi-luxury consumption will see a steep fall. My definition of semi-luxury is luxury items for the upper middle class.

Thoughts on Product Management

While I rarely held the title of Product Manager, I spent most of my career as one. During my stints as part of the Business Solutions Group in banks, my role usually was to design solutions for the concepts raised by product or operations teams. I still took it upon myself to launch various initiatives on my own throughout my career. In simple words, I was the solutions guy who didn’t wait for someone else to identify the problems before working on them. When I look back, these initiatives were the best part of my job, especially when I see that some of them have become industry standards now. In this post I am trying to look back and analyse what worked for me. Hopefully this will help people who are working in product roles or aspire to.

Spend considerable time with your users: Spending as little time as possible at my desk was one of the key features of my work-day. I would rarely be sitting at my desk; instead I would go to the operations floor and spend time with the teams there. I would sit with them, talk to them, watch them work and observe their day. One obvious benefit of this was knowing my users and their work-day: what my users appreciate and what irritates them. This also helped me empathize with my users. When a user complained about some problem in the system, I would take it seriously instead of trivializing it, because I knew how much it affected her/his daily routine.

Another benefit of this was that I became the go-to person for them whenever they faced any issues. They trusted me and saw me as their representative inside the IT team.

The result of this was that with time I managed to automate most of their operational activities. The reconciliation system that I worked on with the help of our direct banking operations team is being sold internationally by that vendor and controls almost 85% of the Indian market.

Talk to the customer service team and study customer complaints: I was responsible not only for building solutions for the operations team but also for the direct banking channel products used by bank customers. The first thing I did after joining the bank was to find the customer service head and set up a meeting with his team. I made sure they knew me and found me approachable. Within months I managed to train them enough to address most of the customer complaints at their level itself.

The biggest advantage I got out of this was that whenever they got a tricky customer complaint, I was usually copied on it. I would try to analyse the complaint, and sometimes these complaints resulted in redesigning our CX or in a new feature.

I got the idea of introducing most of the debit card related support functions via net-banking through this. Now every bank is doing it because it is the most obvious thing to do. Sometimes obvious things are hardest to get attention though.

Spend time with your vendor/development team: If I was spending 30% of my work-day at my desk, the rest of the time I was distributing between my operations teams and vendors/tech team. I would sit with my vendor and ask them questions about how a particular setting affected the system behavior. Sometimes, if I got a chance, I would even sit with them analyzing the code. This last part usually would happen on holidays, when I would call them to the office with the promise of drinks and pizza afterwards.

This made me aware of what the systems we were using were capable of and of the speed of introducing any change in the system. If you have worked for any large organization, you would know that introducing any change in core systems is frowned upon, especially for smaller-impact items. Hence my objective used to be to get things done with zero to minimum changes in the core systems/processes. Knowing the systems' capabilities and a good equation with vendor teams helped.

When we decided to launch mobile payments in partnership with mChek way back in 2006/07, I could do it with zero code changes in our core systems. By the way this solution was designed for basic phones and I used mobile device as a factor of authentication.

Testing: During my early days one of my key responsibilities was testing and I used to hate it. I used to think, have I graduated from IIT to do this? But with time I understood how important it was for my learning and growth as a product person. Testing gave me the opportunity to be the user. It helped me play around with the system to explore its capabilities. It also helped me identify more efficiently any process changes that needed to be introduced, or any user training required, before we launched the product/feature.

Once I understood the benefits of it, I started spending time on our test systems voluntarily as well. When my bank decided to have a separate dedicated team for testing and also worked on testing automation, I insisted on my team still participating in the testing process. There is no better way to learn and experience actual user interaction.

Once, when I was in a senior position in my organization and didn’t have to do testing myself, I decided to test the launch of a new version of the mobile app. I downloaded the app; log-in was with mobile number and OTP. The OTP was being read automatically by the app, so no input was needed from the user. Yet I got the error “Invalid OTP”. I tried again and this time it went through. I probed further and noticed that the OTP in the first attempt was 0431. I understood what the problem was. I got the development team to check the field classification and got it changed accordingly. This was such a trivial and accidental discovery, with potentially huge impact. It also made me realize that even after 12 years, testing can throw up these kinds of surprises.

Be friends with Security, Risk and Audit guys: This is especially important because I was building products for one of the most highly regulated industries, prone to frauds resulting in real financial losses. This made me take regulatory aspects into account while designing a solution. It also made me appreciate and keep in mind fraud trends and how to control them at the design level itself.

Things like KYC-AML, PCI-DSS and their impact on your product/feature are very important in your journey. There were projects where we had to factor regulatory reporting as key aspect of design process.

When I was working on the GreenPIN project, this came in very handy. Things like the fact that you can/should not send a PIN over SMS, that a card PIN should always be entered on an encrypted key pad, that J & K customers could not receive SMS, etc. were important aspects.

Be curious and keep experimenting and analyzing: Always analyze the data that is available. Data will tell you how your customer is interacting with your product/feature. Which features are loved by your customers and which are ignored. Data can often show you very interesting positive/negative ways your product/feature is being used and you may have to take some actions accordingly.

Get access to that test system and keep experimenting. Play around with parameters and observe how it affects the behavior.

Once I was observing data of one of the innovative products launched by our bank and I observed that a few of our customers were accessing that feature every day, doing a part of the action and leaving it halfway. On further investigation I realized that they were trying to game the system into gaining unfair rewards. I immediately initiated a change in the system to plug this gap.

I am sure many of you would have already known most of these and were doing these things. Some of you probably knew and didn’t do them; for you I have thrown in examples of how exactly these things have helped me in actual real-life situations. Hopefully people who want to become product managers or proactive solutions guys may find this useful.

Decoding CRED

CRED is one start-up, which has been getting a lot of media attention since it was launched by its charismatic founder, who in his previous avatar founded a very interesting start-up and gave a massive exit to his investors, when that start-up got acquired by Snapdeal. VC world loves a successful exit, for very obvious reasons. What do they love more than that though? They love it even more when the same founder offers them another chance at yet another successful bet. This time the confidence is higher, the dreams are bigger hence the bets are also bigger. Thus starts the journey of CRED.

Now most of us reading this post know about the massive funding round raised before even the launch. They are also aware of subsequent massive funding rounds before the start-up has even made any revenue. However there is one question in everyone’s mind. What exactly is CRED? Some call it a Fintech, while its own founder used to call it a Lifestyle company; some are still clueless. Very recently I read someone calling it an status symbol also. To that I jokingly mentioned that now the investors must be dreaming about it becoming the Louis Vuitton of the digital world and how they are now looking at another spectacular exit. Some may have even started planning, what they would do with this massive windfall.

I, like every other curious minds in start-up and Fintech space, have paid attention to CRED. Despite having no use for the base service it is offering, I yet downloaded the app. I even referred it to my wife to check what exactly is happening with their coin offering. One thing is for sure. The app is good to look at. It is one app, that I check from time to time without ever needing to use it for any purpose. I am someone who likes to keep things clean around myself, meaning when I don’t find the need for an app for a prolonged period of time, I just delete it. This is one app, I still keep. It’s just that good to look at. Design team of CRED, take a bow.

Let me start with a small story. Recently I was invited by my alma mater to mentor the budding entrepreneurs on campus, and I met a team of very bright young men still in their 2nd year of B.Tech. They are working on building something focused on students living in various campuses, so that companies wanting to advertise to that specific group of people can run campaigns on their platform and they can earn from these advertisers, while offering all the services to their users for free. They had thought of a bunch of services they were planning to offer. These services were all needed by students but were not correlated with or complementing each other in any way.

I asked the team, “Who is your customer?” They answered, “Students.” I told them, “Well, your customer is who pays you. While students are your users, your customers are the advertisers.” Then I tried to explain it to them using the obvious examples of Google and Facebook and how the service they offer to their users is a means to acquire a user base, because their service is not their product. Their user base is their product. Then they find creative ways to sell this product (user base) to their customers, who are the advertisers.

I told the team that their thought process is in the right direction, however they should not focus on building ten services from the beginning. They should pick one to begin with, the one they find most appealing and engaging to their potential user base, and use that service to acquire as many users as possible. They may end up building all those services in the long run, but they should find an organic path towards it.

At this point in the discussion I invoked CRED. I told them that while Facebook, Google and many more have built useful services to acquire a user base for selling them ads, Kunal Shah is one brilliant mind. He noticed that in today’s market scenario the easiest way to acquire customers is offering them rewards. So instead of putting too much effort into creating a service offering, he just picked up the common attribute of his target customer base (credit card) and offered them rewards for the very reason of possessing a credit card.

Under normal circumstances, one would spend resources building a service, then spend further on marketing and customer acquisition. This entire exercise will require a lot of money. Why not use that very same money to offer rewards to people and acquire them? Sounds simple? Well, it is. Now that you can acquire the customer with this strategy, how do you keep them engaged? Two ways: make the reward recurring (earn points on paying your monthly bill) and introduce gamification (lottery).

How do you make money now? The big question. Now that CRED has acquired a large number of customers who like to spend on lifestyle expenses (credit card users), the next step is to connect Lifestyle brands to these customers. Imagine I run a premium coffee chain, opening a new outlet in Powai. What is the best way to market it? Whatever your answer is, unless it is CRED, it’s the wrong answer. All you do is create a campaign for users living/working in Powai and the surrounding area (200 Rs discount on your first visit upon burning 50,000 CRED points). Maybe you are launching a new premium FMCG brand. Create a campaign on CRED (spin the wheel to get 10-70% discount on your first purchase).

Why all the earning and burning points then? Well as I said Kunal is one of the smartest brains we have around. His offerings are designed based on users’ psychological needs not your mundane obvious things like paying your bills and all (this is probably the reason some people have called it a status symbol). All this earning and burning completes the loop and you are the hamster keeping the loop moving. It also makes this customer acquisition loop an opt-in. CRED is not into the business of selling your data. You will have to opt-in for the offer.

Just in case you have still not understood, how the money will be made; let me state it clearly. Each brand spends on customer acquisition, today they may be utilizing all the money they would be getting from brands for creating the offers, but they can always increase their margin. If the coffee chain offers you 200 Rs per customer acquired, you can make the offer 100 Rs discount instead of 200 Rs. Or spin the wheel. It may even go Google Pay’s “better luck next time” direction if there is too much pressure to generate revenue. Right now it looks like they have enough cash to keep on burning.

Some people may question why they then recently started rent payment and lending offerings. COVID is expected to hit the non-essential lifestyle expenses the hardest. In this situation, people will be less interested in visiting a new coffee chain or trying out a new expensive face cream. That means the whole “Lifestyle company” business will slow down. These two recent offerings are attempts at offering something that is related to the essential needs of its customer base.

He has not done this for the first time. Even Freecharge was the same thing, targeting a completely different customer base though. You can say CRED is an affluent person’s Freecharge. I think Freecharge had potential. When Snapdeal acquired it, the deal made some sense to me, but when Axis Bank acquired it from Snapdeal, I knew it was a mistake and I also knew Axis Bank did not have any clue what Freecharge was all about (Axis Bank thought it was a Fintech, probably). This made me conclude that a Kunal Shah business can only be run by a Kunal Shah and there are not many Kunal Shahs out there. He has an amazing understanding of how human psychology works and he uses this knowledge beautifully when creating his offering. So as long as Kunal is at the helm of CRED, it has the potential to grow into something unique and extraordinary, and if he decides to sell it, there is a big chance it will also end up like Freecharge, i.e. people in charge of it having no clue what to do with it.

PS: Last night I heard the episode of the Cyrus Says podcast with Kunal Shah, which more or less confirmed what I have written above. He also mentioned a Mall that opened in Mumbai many years ago, which allowed entry only to people possessing mobile phones, cars or credit cards. So maybe he is trying to create that mall digitally. He has got the customers in the Mall already; he is waiting for brands to open their stores in this Mall and pay him rent for using his digital real estate.

PS 2: While I agree with most of the points he made, I deviate slightly on what he mentioned about India being a low trust society. It may be true for cities, for whom most of the techies are building offerings, but when we move beyond cities to smaller towns and villages, India is an extremely high trust society. I may be wrong, but being born in a small village and growing up in smaller towns, my experience has been such.

How Does FASTag Work?

FASTag is part of the NETC (National Electronic Toll Collection) program by NPCI, designed to provide an interoperable method of toll collection across the country irrespective of the acquirer, simply meaning that your FASTag device issued by any issuer will work at any toll plaza across the country irrespective of its acquirer. That is the benefit you get when working with NPCI.

A couple of days back a friend working in transit payments called me to understand how FASTag works. That call gave me the inspiration to write this post. Here I will be explaining the transaction flow of a FASTag transaction in simple terms:

What is FASTag?

FASTag is an RFID tag that stores static information like TAG ID, which can be read by the receivers installed at toll plazas.

How is it issued?

FASTag can be issued by any NETC member bank and it is linked to either your Current or Savings account maintained with the bank or a prepaid account created by the bank for this specific purpose. My bank gave me a prepaid account with separate credentials for inquiry and other financial transactions. In my opinion it will be wise for fleet companies to link the FASTags for their vehicles to the current account maintained by the company.

At the time of issuance a TAG ID is created, which is then linked to a CASA Account or Prepaid Account, depending on the implementation at your bank and your vehicle details like vehicle type (car, truck etc.) and category (personal, commercial etc.). TAG ID along with Vehicle details and Bank ID are then added in NETC mapper maintained by NPCI. As soon as your details are updated in NETC mapper, your FASTag is ready to use.

How does it work?

NETC Transaction Flow (Image Source: NPCI)

Step 1: As soon as the RFID tag affixed to the windshield of your vehicle is in range of the acceptance terminal installed at the toll gate, the terminal reads the TAG ID and Vehicle Details and sends them to the acquiring bank.

Step 2: Acquiring bank sends the details received from the terminal to NETC mapper.

Step 3: NETC Mapper validates the details collected from the TAG and responds with TAG Status. If TAG Status is active, it proceeds to next step else driver needs to pay cash. Other possibilities could be TAG is not registered yet (new TAG), TAG is blacklisted etc.

Step 4: After successful validation of TAG details and status, Acquirer system calculates the toll amount to be collected and sends it to NETC Mapper.

Step 5: NETC System sends the debit request to issuing bank, based on the issuer bank ID maintained in the Mapper.

Step 6: Issuer system processes the debit into customer’s account linked to FASTag and sends response back to NETC system. In case no response is received within the defined time-out period, it is assumed to be approved automatically.

Step 7: NETC System sends a notification to the acquirer system.

Step 8: Acquirer system sends notification to respective toll plaza system.

This transaction is performed in offline mode with systems syncing every 10 minutes. This means that by the time Step 8 happens your car is already far away from the toll plaza. Once the TAG ID is validated and its status is found to be active, it is assumed that there is enough balance maintained at the bank’s end to settle the transaction. Settlement happens at every settlement cycle and is facilitated by NPCI through a system called EGCS (ETC Global Clearing and Settlement).

Settlement flow for FASTag transactions. (Image Source: NPCI)

NPCI basically collects the money from issuer banks and distributes it among acquirer banks as per the transactions processed during the settlement cycle. Acquirer bank then settles the funds with respective toll plazas.

What happens if your account does not have money?

Since the value of a toll is usually small and the syncing cycle is ten minutes, the exposure due to lack of funds in the account is very limited. Having said that, banks have a provision of keeping a security deposit to safeguard themselves against any such possibility. In case your account does not have the necessary funds to pay for the toll, the toll is deducted from your security deposit and your FASTag is blacklisted and updated in NETC mapper to stop further transactions on that TAG till the balance is maintained again.

My bank has taken 500 Rs as security deposit. The assumption is that the chance of a private vehicle passing through so many toll plazas within 10 minutes is practically very remote. I am assuming for heavy/commercial vehicles this security deposit would be higher. In case of fleet companies having multiple tags linked to the same current account, there might be a special arrangement negotiated with the issuer bank.
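Steps 1 to 8 and the shortfall rule above, as a small Python model added here (it is not NPCI's or any bank's code). It assumes tolls accepted at the lane are debited in one batch at each 10-minute sync; the tag ID, issuer ID, toll amounts and class names are constructed for illustration.

```python
from dataclasses import dataclass

SYNC_MIN = 10  # from the post: systems sync every 10 minutes

@dataclass
class Account:               # issuer-side account linked to a TAG ID
    balance: int             # Rs
    deposit: int             # security deposit, Rs

@dataclass
class MapperEntry:           # NETC mapper row: issuer and vehicle details for a TAG ID
    issuer_id: str
    vehicle_type: str
    status: str = "ACTIVE"

class Issuer:
    def __init__(self, accounts, online=True):
        self.accounts, self.online = accounts, online

    def debit(self, tag_id, amount):
        """Step 6. Returns (response, unrecovered Rs); response None means time-out."""
        if not self.online:
            return None, 0
        acct = self.accounts[tag_id]
        if acct.balance >= amount:
            acct.balance -= amount
            return "APPROVED", 0
        # Shortfall: the toll comes out of the security deposit instead.
        taken = min(acct.deposit, amount)
        acct.deposit -= taken
        return "SHORTFALL", amount - taken

class Netc:
    def __init__(self, mapper, issuers, tolls):
        self.mapper, self.issuers, self.tolls = mapper, issuers, tolls
        self.pending = []    # tolls accepted at the lane, not yet debited
        self.settled = []    # (tag_id, amount, response) after steps 5-8
        self.last_sync = 0
        self.exposure = 0    # Rs covered by neither balance nor deposit

    def lane_read(self, minute, tag_id):
        """Steps 1-4: check tag status in the mapper, price the toll, open the lane."""
        self.sync_until(minute)
        entry = self.mapper.get(tag_id)
        if entry is None:
            return "CASH:NOT_REGISTERED"
        if entry.status != "ACTIVE":
            return "CASH:" + entry.status
        self.pending.append((tag_id, self.tolls[entry.vehicle_type]))
        return "PASS"

    def sync_until(self, minute):
        """Run every sync boundary up to `minute`; steps 5-8 happen here."""
        while self.last_sync + SYNC_MIN <= minute:
            self.last_sync += SYNC_MIN
            for tag_id, amount in self.pending:
                entry = self.mapper[tag_id]
                response, lost = self.issuers[entry.issuer_id].debit(tag_id, amount)
                if response is None:
                    response = "DEEMED_APPROVED"   # no reply within the time-out
                elif response == "SHORTFALL":
                    entry.status = "BLACKLISTED"   # blocks the tag at the next read
                    self.exposure += lost
                self.settled.append((tag_id, amount, response))
            self.pending = []

def run(balance, deposit, vehicle_type, minutes, online=True):
    """Drive one constructed tag through toll lanes at the given minutes."""
    acct = Account(balance, deposit)
    mapper = {"TAG-0001": MapperEntry("ISSUER-1", vehicle_type)}
    netc = Netc(mapper, {"ISSUER-1": Issuer({"TAG-0001": acct}, online)},
                tolls={"car": 100, "truck": 400})   # constructed toll amounts
    decisions = [netc.lane_read(m, "TAG-0001") for m in minutes]
    netc.sync_until(minutes[-1] + SYNC_MIN)         # flush the last window
    return {"decisions": decisions, "account": acct, "exposure": netc.exposure,
            "status": mapper["TAG-0001"].status, "settled": netc.settled}

if __name__ == "__main__":
    for label, args in [("car, 3 plazas in one window", (150, 500, "car", [1, 4, 8, 12])),
                        ("truck, same deposit", (0, 500, "truck", [1, 4, 8]))]:
        r = run(*args)
        print(label, r["decisions"], r["account"], "exposure:", r["exposure"])
```

In the constructed car run the deposit absorbs both shortfalls and the tag is refused at the first read after the sync; in the truck run the same 500 Rs deposit is exhausted within one window, which is the case the post's remark about higher deposits for heavy vehicles addresses.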

How to reload a FASTag account?

In case it is linked to your savings or current account, there is no question of separately reloading the account. While my bank doesn’t offer me this option, I am assuming, whichever banks would be offering this option must be keeping some cap on the amount from safeguarding perspective.

In case of prepaid account set-up like my bank, I have been given multiple options to reload. Your bank may even offer an auto-reload option where, if your balance goes below a particular threshold bank can initiate a reload by debiting your linked account or card that you may have provided while setting up the FASTag account.

This is the simplest explanation I could come up with for FASTag transaction flow that is easy to understand by most and also explains how it can be achieved at the speed of traffic i.e. your car practically doesn’t need to stop at the plaza for deducting the toll. This is unlike the regular transit card solutions where balance is usually maintained at the chip inside the card and offline balance is updated at the time of transaction.

Even more thoughts on MDR debate

In my last post I had touched upon the entire authorization piece for card transactions and how it makes sense to have MDR for Credit Card transactions, however it feels unreasonable when it comes to Debit Card transactions. Today I will explain the settlement aspect of a transaction and try to make sense of MDR charges based on the settlement flow.

How does settlement for a card transaction work?

After transaction is completed merchant claims money from the acquiring bank. Acquiring bank further sends a file to Interchange and Interchange gets the money from Issuer Bank. This entire cycle traditionally used to take days.

Acquiring bank is making a guarantee to the merchant and, based on that guarantee, they process the transaction. Interchange is giving the guarantee to acquirers. This means that in the event of an issuer’s inability to pay for a transaction done by its customer, the interchange will ensure that the acquirer gets paid for the money they have paid to the merchant.

The above risk is high if you assume a settlement cycle spread across many days. However, in today’s fast-paced world the settlement cycle is shrinking. We are practically settling the transaction within T+1 days. There are continuous attempts to shrink this cycle to make it even near real time. If that happens, the risk taken by acquirers and interchange is going to be practically zero.

Many debit cards in the market even follow a single message settlement protocol similar to ATM transactions. In this case there is no need for merchant to process any batch settlement. The settlement is processed automatically by default.

This risk taken by acquirers and interchange on top of supporting the ecosystem with their technology and operations is additional justification for them getting a share of the transaction fee, however this still beats me, why the fee should be paid by the merchant and not by the issuer.

The merchant is the first one to go out of pocket (he has sold the goods without money in his/her account) hence contributes zero risk to this entire ecosystem. Customer is using his debit card, meaning he/she is using the money that he/she has parked in his/her account already, hence not contributing to any risk. At the time of transaction the money is debited from customer’s account and parked in a payable account by the issuer bank. It is this account that is used to settle money with the interchange.

If an issuer bank has managed to get into a situation somehow (recent Yes Bank situation) where they are not able to settle with the interchange, it is definitely not because of the customer and/or the merchant, hence in all fairness it is them who should fund the entire ecosystem from their income through deposits and not fleece the merchants.

If you want merchant to pay MDR, issue credit cards and give enough incentives to your customers to use them. If customer prefers to use his/her debit card instead, it is ideally his/her bank’s responsibility to offer necessary ecosystem to access his/her funds. Always remember the issuer banks are already making profits by investing this money parked by customers in their CASA.

Four years back RBI suggested some reforms in this consultation paper however no action has happened in that direction. What I am suggesting is not exactly the same but fundamentally both are using the base analogy that the benefits are currently unfairly tilted in favor of issuer banks and it is these issuer banks who should bear the most of the burden instead of expecting other players in the ecosystem to fund for the infrastructure needed for its customers to access funds parked in their accounts in these banks.

Recent growth in this ecosystem was fueled by VC/PE money, which may not be available in same proportion given the current global slowdown caused primarily by the Coronavirus pandemic. This means some key players will find it extremely difficult to survive and it will not be good for the overall digital payment ecosystem. It is in the interest of issuer banks to save this ecosystem by taking ownership of the costs involved. If that doesn’t happen, only players surviving will be the ones with deep pockets not the ones with better innovation. This will eventually kill the innovation in this space and steer entrepreneurs away from attempting new/innovative solutions in this space.

More Thoughts on MDR Debate

There is so much chatter going on in the Indian market around MDR, short for Merchant Discount Rate, thanks to NPCI making MDR zero for RuPay debit card transactions based on instructions from the Finance Ministry. I had touched upon this topic once before here. However, with the coronavirus pandemic now putting extra pressure on most businesses, including payment facilitators, this topic is again making the rounds. I felt like I should put together one post explaining my views in another post where I have supported the move of zero MDR.

First, let’s talk about what MDR is and why it has been there as a key source of revenue for payment providers. MDR is the money that is paid by the merchant to the payment ecosystem used in facilitating the transaction. All the parties involved in the value chain, i.e. acquirer, interchange and issuer, get their share from this MDR, including the third party technology or operations service providers used by these parties. MDR is typically a small percentage of transaction value, somewhere between 0.8 percent and 3 percent. Essentially what it means is that when you pay a merchant 100 Rs using your American Express credit card, the merchant actually gets only 97 Rs, while the 3 Rs are used to pay everyone involved in facilitating this exchange.

Now why would a merchant agree to take a cut in his/her income to facilitate this? After all, it’s the merchant who drives the mode of transaction and not the other way round. How often have you refused to deal with a merchant because he did not accept your credit card? You find a way to pay that the merchant accepts and move on with your purchase. Then what is the answer? In the credit card world, the card company is facilitating the purchase by offering instant credit to the customer, thus taking a risk on the transaction. This risk taken by the issuer enables the purchase to go through, which may not have happened had the credit not been issued at the time of transaction. Now here is something for the merchant to gain: he is gaining a sale, which may not have happened otherwise. That is the reason the merchant doesn’t mind paying that MDR. Now the issuer alone cannot support this massive ecosystem, so parts of this MDR are distributed among other participants in the ecosystem.

If the MDR was for supporting the technology and operational cost for running the ecosystem, it would have been a flat fee and not a percentage of the transaction amount, because cost of processing a transaction remains more or less the same irrespective of the transaction amount. So primary reason a merchant agrees to pay an MDR is because issuer is taking a risk on the transaction by issuing an instant credit in order to facilitate the purchase. Bigger the amount, bigger the risk for the issuer.

Then industry launched debit cards in order for customers to access the funds parked in their savings and current accounts. Instead of reinventing the wheel, they decided to ride on the same infrastructure set-up for credit cards to facilitate debit card transactions as well but then they got too lazy and even copied the same MDR based business model. In case of debit cards customer has already parked funds in banks and banks are making more money from that money and it is responsibility of banks to facilitate access of funds in his/her bank account to its customer. Banks do not want customers to line up in the branches because that is the most expensive mode of transaction for banks, in order to save that cost banks have set up digital infrastructure to provide easy access to customers, this also includes POS/Payment Gateway infrastructure.

I am of the view that MDR model is fine for credit card universe however it does not make any logical sense for debit card transactions and issuer banks should bear the cost of these transactions instead of passing that cost to merchants or customers in anyway. Issuer banks should pay interchange and acquirers on fixed fees basis, then acquirers should compensate their technology and operations partners from their share. Interchanges as the bodies at the center of all this should facilitate working of a reasonable compensation mechanism for sustainable ecosystem growth.

Since the industry had been running on this illogical model for far too long, everyone had gotten used to it; but the zero MDR move by the Government should work as a catalyst to drive this change and implement a more logical and sustainable business model, which is not designed to unreasonably favor the banks. Banks should not be allowed to only benefit from this entire ecosystem, while other partners share the entire burden of cost. I hope NPCI leads the way here with support from RBI and the Finance Ministry to arrive at an agreeable solution that doesn’t ruin the payment facilitators and force them out of business. If that happens, the customer will be the biggest loser.

PS: This piece was originally published as my opinion piece on IBS Intelligence blog.

Facebook Acquired Minority Stake in Jio – My Views

First thing I came to know in the morning today, after I managed to figure out it was actually morning and not afternoon, was that Facebook has acquired a 9.99% stake in Jio, making them the largest minority stake holder in Jio. Afterwards I spent the entire day reading tweets and news reports talking about how this is the greatest thing to have happened to India’s digital ecosystem since the launch of Jio itself and how this can potentially be the digital moment India has been waiting for. Many talked about how this can help Facebook, while others spoke about the benefits Jio will make from this deal.

Few obvious things people pointed out, how Jio can sort out Whatsapp Pay’s troubles in going beyond pilot stage by pulling the weight of Mukesh Bhai (as some tried to suggest), while few meant that Jio’s massive cloud infrastructure can be taken advantage of. As this article from 8th Feb suggests that Whatsapp had already cleared the permission hurdle and was on its way towards a phase-wise launch of Whatsapp Pay in India. They would have moved with or without this deal; selecting Jio Cloud as storage partner will now have added advantage.

Then there were others who talked about how this could mean that we can now finally have India’s version of WeChat. Airtel has been trying to do that through Hike messenger for years with very little success. Even Jio has been pushing their own Jio Chat, which is an exact copy of WeChat, since much before the launch of Jio, with very little success. The one mammoth disadvantage of these earlier two attempts by these Telcos was that they were competing against Whatsapp. Whatsapp has built its entire loyal user base on the simplicity it offers; people found the other alternatives too cluttered for the base function of messaging as compared to Whatsapp and didn’t move, despite these apps offering so many other features and functions.

One thing very few people deny is that the Indian consumer is extremely value conscious and doesn’t mind using multiple apps for the same functions depending on which is offering better value at that time. This is one of the reasons there is so much overlap between the customer bases of PayTM, PhonePe and GooglePay, and these apps have so far found it difficult to build a loyal customer base. Now comes the question of adding additional functions to Whatsapp and making it into a super-app capitalizing on its loyal customer base. Well, you can try, however if you think it will see as much success as WeChat in China, you must be dreaming. India doesn’t want a WeChat. Stop pushing it down our throats.

Jio has their homegrown apps for almost everything the apps are being used for, be it payment (Jio Money), chat (Jio Chat), reading (Jio Mags), OTT (Jio Cinema), Music (Jio Saavn), Education (Embibe), E-commerce (AJIO); there are more. The idea is to tell you that they have an app for everything and they are all copies of the leading apps in that particular category barring a few exceptions which they have not built but acquired. Yet, none of these apps are market leaders in their respective categories despite the massive distribution advantage Jio telecom brings to the table. Very simple reason for this is, unlike telco, there is no friction when it comes to selecting the app you want to use for any of the other services. A customer finds these apps pre-installed and he/she tries to use them only to realize that there is a better alternative he/she was either already using or can switch to and promptly discards the Jio’s versions of apps.

The point I am trying to make here is that you can make an app; you can even push the app to consumer’s mobile phones, however you cannot force them to use that app for a prolonged period of time unless it offers better value than the next available alternative. This cannot be created by just copying the best available option in the app-store.

You can click here to read about my prediction on WhatsApp Pay.

Another extension of the above argument is looking at it as a massive Fintech play encompassing other Financial services beyond payments. The opportunity clearly is there, and it will depend on execution. What I mean by this is that they need to think beyond copying Chinese models and build something inherently Indian. They clearly have the resources to do so. They also have a very robust distribution channel, far superior to what anyone else has. All they need is the right product and execution strategy and they can clearly become unstoppable.

Last point, which I believe is the real game-changer is combining Facebook’s online strengths with Jio’s offline presence. Together they can completely transform the O2O game. Jio has sellers and they are working on enhancing that network, combine it with the massive customer base that Facebook brings to the mix and it can build a highly efficient low cost O2O marketplace that any other player would find difficult to compete with. The only problem I see with this though is that till now Facebook has spent massive efforts on teaching the customer a behavior of constant scrolling, which is not suited for selling anything to the customer. In order to sell things customer needs to instinctively switch to browsing behavior. An Instagram could be a better place to sell stuff, however I have never used it so, it will be very difficult for me to predict how it would pan-out.

In the end there is one clear area I would suggest Facebook and Jio should together work on and that is figuring out how to do push sale without making the customer uncomfortable. Simply put, you should ask a customer to buy something, when you know he is looking for that thing. So far nobody has been able to crack this. (In my last post about Google Debit Card, I had briefly mentioned about Google potentially attempting to do something like that.) If they can crack this, it will make them the most preferred player to buy the Financial Services products from.

I am, like everyone else going to keep a close eye on the developments to see, which direction they are headed. I just wish they don’t try to convert WhatsApp into WeChat. I may have to then start looking for an alternative to WhatsApp, of which there are none at the moment. Is Telegram there yet?