Thoughts on RBI Draft Paper on NUE for Retail Payment Systems

On 10th Feb, 2020 Reserve Bank of India released a paper on ‘draft framework for authorisation of a pan-India New Umbrella Entity (NUE) for Retail Payment Systems’ for public comments. RBI has invited comments from all stakeholders by February 25th, 2020.

In 2005, when I started my career at HDFC Bank, there were multiple ATM networks active in the country. Apart from Visa and MasterCard, there was one ATM network run by Euronet, where (I think) 16 banks were participating, and another operated by FSS (the entity was called FSS Net), where a number of banks (I don’t remember how many) were participating. Apart from these, some banks had bilateral arrangements with other banks for sharing ATM infrastructure. Around the same time another ATM network by the name of NFS, run by IDRBT, was getting active. Most of the banks slowly started joining the NFS network and with time it became the largest domestic ATM network in India. It was about this time that two things happened: control of the NFS network was transferred from IDRBT to a newly formed entity called NPCI, and RBI put a stop to all the bilateral ATM sharing arrangements. From this point onward NPCI became the source of almost all the innovations in retail payments, starting with RuPay, IMPS, AEPS and APBS and continuing to the more recent UPI, BHIM, BBPS, eNACH, NCMC and NETC. I have been very fortunate to have a balcony seat to many of these stories by virtue of being a part of HDFC Bank and then Kotak Bank and Jio Payments Bank.

The journey of NPCI from NFS ATM network to today controlling almost 60% of retail electronic payment transactions by volume (please note that RuPay Credit Card is a very recent phenomenon and numbers there are still dominated by Visa and MasterCard followed by American Express and Diners) has been really exciting and in many ways the best thing to happen to Indian digital payments ecosystem. Having said that the amount of influence NPCI today commands is really dangerous and while NPCI claims to be very open to suggestion and ideas, I have personally seen on many occasions that best idea didn’t win due to various factors.

With the introduction of NUE there is a possibility of many more innovative payment solutions being envisioned and implemented, which are more suitable for the Indian audience. This will also make NPCI work even harder to continue doing the good work they have been doing and not become complacent. A few key areas I can clearly see new NUEs focusing on would be building specialized and low cost solutions for the business correspondent network, which is the backbone of the entire Financial Inclusion story in India and still does not command the attention that it deserves from various larger players in the ecosystem. Another very important area that has been demanding attention and has clearly been mentioned in RBI’s paper is remittances. There are so many migrant workers who earn in cash and need to send money to their families in their native places. Cash is still the biggest mode of transaction today in India and there is clearly scope to do more.

I will be looking at organizations like Euronet, FSS, AGS, TATA PSL and NSDL on one hand and PineLabs, Innoviti, mSwipe etc. on the other to be eager to go for this. I also expect iSPIRT, an organization that has been at the center of many innovations happening in India, to play a key role in all this. My only advice to anyone considering becoming an NUE would be to let go of the traditional card protocols (think beyond ISO 8583) and go back to the drawing board before designing their solutions. In the end, payment is all about debiting one account and crediting another, which sounds like simple stuff. The key to any solution would be how simple the final offering remains.

This could also be a move in the direction of having specialized entities enabling interoperability for different modes of payments or use cases. For example, Billdesk can attempt to become the go-to entity for all things bill-payment. Another NUE can appear specializing in the interoperability of mobile wallets. As I have mentioned above, there is clear scope for a specialized offering in the business correspondent and self help group area, which has been the key to Financial Inclusion in India so far. Hell, why cannot even bank branches be interoperable? Can a Kotak customer walk into an SBI branch and get his passbook updated, earning additional revenue for SBI in the process? The possibilities are endless, if we decide to think outside the box.

A few questions: will NUEs as private entities be allowed to use Aadhaar authentication? What will be the exact role of NPCI in all this? Will NUEs be allowed to perform other business activities, for example can NSDL continue to offer e-Sign services as part of the same business or will they have to set up a separate entity, if they decide to go for it? More clarity should emerge after RBI releases the final framework after reviewing everyone’s feedback post 25th Feb, 2020.

WhatsApp Pay: A Prediction

Finally after wait of many months NPCI has given go ahead to Facebook to launch their UPI based WhatsApp Pay service. I had used their service when they had launched their pilot last year and found the user experience super efficient for P2P payments. On multiple occasions we used this method to pay to or claim from friends just after receiving or sending a message about the due amount.

One more thing unique about paying money through WhatsApp pay was no need to input a PIN to access the UPI payment option. In case of any other UPI app customer has to input a PIN for accessing the UPI app (some apps like Google Pay give you the option to use your phone’s access PIN itself as this PIN) and then once again he/she needs to input his/her UPI PIN just before processing the payment. In case of WhatsApp pay, only the second PIN was being asked. This had led to some controversy also due to few leading players objecting to NPCI allowing WhatsApp to bypass the access PIN, which I also believed was giving WhatsApp an unfair advantage against its peers.

In their final version, I doubt they will be allowed to continue with this exception and they may or may not come up with any other more convenient way to introduce the access level control. Still the biggest advantage they have is their almost monopoly on P2P messaging.

One of the biggest advantages UPI brought to payments was making it easier to communicate source and destination account addresses by introducing the VPA. WhatsApp’s ownership of the messaging channel means that now there will not be a need to even communicate the VPA.

Dominating methods used for P2P payments before introduction of UPI were IMPS/NEFT (completely controlled by banks) or mobile wallets (with PayTM leading the game there), since the launch of UPI I have observed many people use Google Pay. With mobile wallets on its decline and Banks not bothering much to improve their UX (irrespective of customer’s mode of choice, the money eventually will flow in the bank account), they may end up getting into partnership with WhatsApp by becoming PSP sponsor. The only real competition left to face for WhatsApp in P2P payments space will be Google Pay, where WhatsApp has a clear advantage due to them owning the messaging channel.

To summarize, I am of the belief that WhatsApp is going to be the clear winner in the P2P payments space. I do not have clear visibility on how much WhatsApp for business has picked up, but they may even have a chance to process P2M from within their messaging platform.

Why do I think Zero MDR is a good move?

Imagine a scenario without banks, everyone earns and spends in cash. There are no charges to be paid to anyone. If you are supposed to earn 100 Rs for a service offered, you would earn 100 Rs and when you purchase an item or service worth 100 Rs, you would pay 100 Rs for the same. Merchant earns the exact amount paid by the customer without any deductions in the process. Now this merchant collects bundles of cash everyday so he needs to spend money in handling that much cash. Maybe he will have to buy a secure vault to store it or even hire a security guard to protect it all the time. When he is transporting all that cash, he needs to spend on secure transit. All that would cost merchant some money, which has been the justification for charging MDR. Acquirer told the merchants, by accepting payments digitally we will manage the cash worries for you hence saving you huge cost in the process thus you should compensate us by way of paying us in the form of MDR.

However, the problem is that in India only banks are allowed to be acquirers, and they are the custodians of all the money. That means customers as well as merchants keep their money in the books of the banks, so for banks the cost of transferring money digitally is much cheaper compared to cash. Since the banks are custodians of all the money, they have the option to reinvest that money, primarily by lending it to borrowers and charging interest on it. Typically banks charge anywhere between 8% (home loan) and 36% (credit card roll-over) on the money they lend, and a small portion of that, around 3% (Savings A/C) to 7% (Term Deposits), is passed on to the customer. The rest of the money is supposed to be spent on the various expenditures of running the bank. These expenditures should also include building, managing and maintaining the entire payment infrastructure. A fee for allowing customers to access their own funds (on these very funds the entire bank exists) in any form is unfair.

Especially in the case of UPI, the cost of merchant acquiring is almost zero. Instead of a PoS machine, which costs somewhere between 1500 Rs (mPoS) and 20,000 Rs (fancy PoS devices with multiple other supporting features), a UPI merchant needs a QR code, which can be printed and attached to a fancy plastic display for less than 100 Rs. In the case of PoS, transactions are settled in two steps, authorization and settlement, thus requiring an operations team to manage the reconciliation and payments processing, while in the case of UPI the transaction is settled in real time directly in the merchant’s account, hence the need for large operations teams and systems is eliminated. I do not have any numbers to compare on disputes/chargebacks, but going by the fundamental design of UPI, the possibility of disputes in UPI is much lower compared to the card world, hence requiring even less operational expenditure.

When a bank outsources their ATM management business to a third party partner, they pay that third party. The third party is not expected to make fee income from customers. Similarly CC Avenue, Razorpay, Pinelabs of the world should be treated as third parties to whom banks have outsourced the job of setting up merchant infrastructure, and banks should pay these players for the services rendered at a fair price, like they would for any other technology or operations outsourcing partner. Banks are making enough money to pay for this service. Based on some figures being floated around in various media sources I have learned that this zero MDR for RuPay and UPI will put a burden of around 1800 Cr on the industry. Can someone remind me of the profit made by HDFC Bank in the last quarter?

In fact I am asking why it should be applicable for a selective merchant base; this should be the case across all merchants. Our banking system is capable enough of paying for their service in order to get the balances from these merchants in their current accounts so that they can make float income on that money.

Another logic given to merchants for demanding MDR is that a card in the hand of customer increases his/her purchasing capacity hence increase in sales for the merchant. That logic primarily applies for Credit Cards and the current mandate leaves them untouched. Maybe a better way to go for banks would be to push Credit Cards. India is still super under penetrated when it comes to credit product and the scope is enormous. The business Bajaj Finance has built on EMI product is proof enough that banks have been failing miserably in exploiting this opportunity. My suggestion would be that banks get their act together, get off their high horse and start optimizing their processes and utilizing their resources better to find efficient ways to increase their revenue by serving their customers better rather than trying to build a fee income. In fact I would rather worry about a bank that is earning a significant portion of their revenue from various fees.

Having stated the above, the way most of the players in the market are approaching this entire thing is flawed in my opinion. Banks are refusing to compensate the third party payments processors, creating a huge dent in their revenue and thus leaving them no choice but to compromise on their core business by creating other parallel businesses in order to generate sustainable revenue streams, which in the long run will be disastrous for the overall payments business. Ideally, since banks are the only parties making money from the circulation of money during a transaction, they should own up to their responsibility and compensate the payment providers fairly for their contribution in creating the ecosystem for the bank’s customers to seamlessly use the funds they have parked in the bank, the way they would compensate any other service provider of theirs.

Above proposed arrangement is a significant shift from common practice prevalent for years, hence expecting such shift overnight would be a folly. Keeping that in mind I propose as an interim arrangement government bears part of the burden with a clear roadmap and visibility towards banks owning the entire cost in due course. Banks are clearly at the seat of power here and instead of exploiting their position to gain more profits and fee income they should instead invest and work for overall growth of digital economy. This move, even if forced should force banks to become more efficient in their processes and start using customers’ data optimally in order to maximize their gains.

Card Payments Explained in Simple Hindi

When you use your debit, credit or prepaid card, several companies work together in the whole cycle. First, the bank that gave you the card, called the issuer bank; then the bank that gave the shopkeeper the card machine or QR code, called the acquiring bank; and the company that carries out the transactions between these two banks, called the interchange. In our country most payments are made through the Visa, MasterCard or RuPay interchange. You will see their logos in shops, on the pay page of websites and on your card. When your card's interchange logo is displayed at a shop, it means your card will work there. If your card's interchange logo is not displayed at the shop or ATM, your card will not work there.

My aim with today's essay is to make you all familiar with some common terms related to card usage, so that you find it easier to understand the whole process and can use this facility thoughtfully and without hesitation, and enjoy the many benefits that come with it.

Debit Card: Your debit card is the plastic given to you by your bank, to which your bank account is linked. A debit card is always linked to a savings or current account and only your bank can issue it to you. On the front of the card, besides your card number, expiry date and your name, the logos of your bank and the interchange are printed. On the back of the card, besides some essential information such as the bank's customer care number, there is a white strip on which you have to sign, and near that strip there is a three-digit number, which is also called the CVV or CVC number.

Credit Card: A credit card is the plastic issued by your bank that is linked to your credit account. You have to settle all the payments made on this card with your bank once a month. On a fixed date every month the bank sends you the account of the whole month in the form of a statement, and you pay the bank the full amount before the due date. If the money is not paid by the due date, the bank charges you a penalty and interest. So my advice is to pay in full every month. A credit card looks just like your debit card and has all the same information printed on it as a debit card. In our country only a bank can issue a credit card.

Prepaid Card: This plastic also looks just like your credit and debit card. A prepaid card is not linked to your savings, current or credit account. You first have to load money onto this card and only then can you use it anywhere. Besides banks, RBI also permits other companies to issue prepaid cards. Such companies are also called PPI or Prepaid Payment Instrument issuers. Mobile wallets, Sodexo meal cards, travel cards, FASTag etc. are different examples of prepaid cards.

Issuer: The bank or PPI that has issued you the card is called the issuer. The issuer's job at the time of a transaction is to establish the validity of the card and the customer, which is called authentication, and to confirm the availability of money in your account, which is called authorization.

Acquirer: The bank that is responsible for the machine installed at the shopkeeper's premises and for the transactions into his account is called the acquiring bank. You can find out which bank is a shopkeeper's acquiring bank by looking at the logo on the card machine or the QR code. HDFC Bank, ICICI Bank, SBI, Axis Bank etc. are large acquiring banks.

Interchange: The job of the interchange is to ensure transactions between the issuer and acquirer banks. The connectivity between the two banks while the card is being used, and the settlement of money afterwards, are the interchange's responsibility. Visa, MasterCard and RuPay are the three interchanges in India. Without an interchange your bank's card will not work in another bank's machine.

PoS Machine (PoS): The machine at the shopkeeper's into which you insert your card is called a PoS. The acquiring bank provides this machine to the shopkeeper and links all the payments made through this machine to the shopkeeper's account. A PoS machine has a display, a key pad, a printer and a facility to connect to the network.

Payments Explained: UPI Part 1 (Terminology)

UPI stands for Unified Payments Interface. It’s a system created by NPCI (National Payments Corporation of India) to enable various forms of payments like peer to peer (p2p) and merchant payments (p2m) using bank accounts through a mobile phone. With increasing adoption of mobile phones there was a need to enable a mobile native payments method that offers superior user experience and interoperability between banks. While other interchanges were still trying to find a work-around through their traditional card protocols, NPCI decided to go back to basics and conceptualized UPI, which was a system built for mobile users using some inherent capabilities offered by smartphones, like using the mobile device as one factor of authentication (by doing device binding).

They also built it with the thought process of democratizing innovation by offering open APIs to build upon. The idea behind offering these open APIs was to enable innovators to build their applications/payment experiences suitable for their environment and target customer base the way they deem fit. This thought process gave birth to start-ups like PhonePe and BharatPe, and later brought in even larger technology players like Google, Amazon, Truecaller and WhatsApp (they did a pilot but their progress was halted because they were not storing their data locally in India; as per my information they are still working on the same). Recently India’s biggest corporate, Reliance, also announced their entry in this space by enabling UPI through the myJio family of applications. In this series I will try to explain UPI transactions in detail, starting with common terminology, followed by the transaction flow and various variations of payments built on top of the UPI rail, and then conclude with some thoughts on common fraud trends and how to protect oneself from the same. Let’s start with common terminology.

Terminology

PSP (Payment Service Provider): A PSP is an entity authorized by NPCI to process UPI based payment transactions. PSPs take care of the following functions in a UPI life cycle:

  • Front-end the transaction flow for the customer
  • Issue and manage the access credential to the customer to access the mobile app
  • Register customer on the UPI platform and issue them VPA (Virtual Payment Address)
  • Maintain the mapping of VPA and Mobile device at their end

VPA (Virtual Payment Address): A VPA is issued by your PSP and is used to uniquely identify the payer and payee in any transaction. Usually your VPA is username@psp, for example abc@okhdfcbank in the case of Google Pay: the username abc is selected by the user, and okhdfcbank is the PSP id issued by NPCI to HDFC Bank, which HDFC Bank has extended to Google Pay as a third party processor.

Third Party App: These are typically apps launched by non-bank technology companies like Google, Amazon, Uber etc in partnership with one or more banks as PSP. A list of these apps and their PSP and handle name can be found by visiting this link on NPCI website.

BHIM: BHIM, short for Bharat Interface for Money is an app created by NPCI that lets a user make payments using UPI.

BHIM QR: BHIM QR is a branding used by UPI merchant acquiring PSPs to demonstrate that the particular QR code can be scanned by any app supporting UPI payments i.e. is inter-operable among all PSPs.

BHIM QR Code is nothing but a way to store the VPA of the merchant that is read by your UPI app at the time of scanning. One can use other form factors like NFC or sound wave etc to communicate the merchant VPA to customer’s UPI app to offer differentiated experience, if it is more appropriate for that environment for example maybe a NFC based interaction will be more appropriate for transit use cases like bus, metro etc.
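The VPA format and the QR behaviour described above, as an added example (not NPCI's or any PSP's code): it parses a scanned payload and splits the payee VPA into username and PSP handle so the app can show the user exactly who is being paid. It assumes the `upi://pay` link format with the payee address in the `pa` parameter; the character rules, the handle allowlist and the sample payload are constructed for illustration.

```python
import re
from decimal import Decimal
from urllib.parse import urlsplit, parse_qs

# Assumed VPA character rules, for illustration only; PSPs set their own.
VPA_RE = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]{0,254})@([A-Za-z][A-Za-z0-9]{1,63})")
AMOUNT_RE = re.compile(r"\d{1,9}(\.\d{1,2})?")

# Constructed allowlist; okhdfcbank is the handle used in the text above,
# examplepsp is a made-up handle. A real app would use the published list.
KNOWN_HANDLES = {"okhdfcbank", "examplepsp"}


class InvalidPayload(ValueError):
    """Raised when a scanned payload is not a well-formed UPI payment link."""


def parse_vpa(vpa):
    """Split username@psp into (username, handle); the handle is lower-cased."""
    match = VPA_RE.fullmatch(vpa.strip())
    if not match:
        raise InvalidPayload(f"not a valid VPA: {vpa!r}")
    return match.group(1), match.group(2).lower()


def _single(params, key, required=False):
    """Return the only value of a parameter; a repeated key is ambiguous, so reject it."""
    values = params.get(key, [])
    if len(values) > 1:
        raise InvalidPayload(f"parameter {key!r} appears more than once")
    if not values:
        if required:
            raise InvalidPayload(f"parameter {key!r} is missing")
        return None
    return values[0]


def parse_upi_qr(payload):
    """Parse the text read from a QR code and return the payee details to display."""
    parts = urlsplit(payload.strip())
    if parts.scheme != "upi" or parts.netloc.lower() != "pay":
        raise InvalidPayload("not a upi://pay link")
    params = parse_qs(parts.query, keep_blank_values=True)

    username, handle = parse_vpa(_single(params, "pa", required=True))
    amount = _single(params, "am")
    if amount is not None and not AMOUNT_RE.fullmatch(amount):
        raise InvalidPayload(f"bad amount: {amount!r}")

    return {
        "payee_vpa": f"{username}@{handle}",
        "username": username,
        "handle": handle,
        # An unknown handle is not proof of fraud, but the app should say so.
        "handle_known": handle in KNOWN_HANDLES,
        "payee_name": _single(params, "pn"),
        "amount": Decimal(amount) if amount is not None else None,
    }


if __name__ == "__main__":
    # Constructed sample payload.
    scanned = "upi://pay?pa=abc@okhdfcbank&pn=Test%20Store&am=100.00&cu=INR"
    print(parse_upi_qr(scanned))
```

The payee name in the payload is whatever the person who printed the QR code chose, so the VPA and handle are the fields worth showing prominently before the UPI PIN is asked for.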

UPI PIN: UPI PIN is the PIN that you input on your UPI app to authenticate yourself with your issuing bank, i.e. the bank that holds your account. You set it up at the time of registration when you link your account with your VPA by verifying the combination of your mobile number and OTP or M-PIN with your issuing bank. This PIN is different from the PIN you use to access your UPI app.

Push Payment: When you scan the QR code of the merchant or use someone’s VPA to send money through your UPI app by debiting your account, such transactions are commonly referred as Push transaction.

Pull Payment: UPI also supports pull payment i.e. you can use someone’s VPA to request money from their account. In this case a request is sent to the concerned person’s UPI app through his PSP and once authorized their account is debited and your account is credited.

Payments Explained: Card Transactions Part 4 (Fraud Prevention)

This is the last part of my series on card payments and in this post I will try to cover some common frauds targeting card users and how one can best protect herself/himself against those.

Skimming: Skimming is the process of stealing your card information at the time of interaction and then misusing that information to fraudulently post transactions on your card. A fraudster attaches an external card reader to a PoS or ATM device to steal the card information whenever a card is swiped.

Skimmers are easily available and can be attached to PoS devices.

One of the most effective measures taken to prevent this kind of fraud is the implementation of CHIP (EMV) cards. RBI has made it mandatory for all card issuers to ensure that all Debit and Credit Cards issued are CHIP cards. ATM card readers are being designed to make installation of any additional external component difficult. However, a few precautions one can take to safeguard oneself from this are as follows:

  1. Ensure you have sight of your card all the time, that the device where the card is being swiped is clearly visible to you, and that no external component that does not belong is attached to the device.
  2. While using an ATM please ensure there is no external component attached to the card reader of the ATM (many ATMs that still use a magnetic stripe reader use jitter to interrupt the card entry into the card reader that ensures card data is not captured by external device). One way to identify if any external component is attached on the card reader is to look for the light blinking from the card reader. If you cannot clearly see the light at the card reader avoid using that ATM.

These types of frauds are especially prevalent in popular tourism destinations. The logic is that most of the time the card being skimmed is that of a tourist, and once you are back from your vacation it becomes very difficult for you to follow through on the crimes committed on your cards in a place you are not native to, especially if that place happens to be in a foreign country. The only thing you can do when you are traveling is to be extra cautious using your card. I visited Australia recently and noticed that merchants encourage you to swipe/dip or tap your card yourself instead of taking it away from your hands. It is a very good practice.

Phishing: Phishing is exactly what it sounds like (fishing): a fraudster targets a bunch of people in the hope of getting them to reveal their sensitive information. Another, more entertaining way to learn about phishing is to watch the Netflix web-series Jamtara, which is based on a tele-calling phishing racket run by a bunch of young kids from a remote town.

According to Wikipedia definition, “Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.”

You may receive a call, SMS or e-mail pretending to be from your issuer or any other entity, requesting you to share sensitive information like card number, PIN, CVV, OTP, net banking ID and password etc. The only way to protect yourself from this kind of fraud is to never share sensitive details with anyone over any medium. Your bank will never ask for these details over call, SMS or e-mail.

Website Spoofing: Fraudsters create a website that looks like the website of another trusted entity and even has a similar URL (a very neat trick used by fraudsters is to replace one of the characters in the URL with a similar looking special character). One simple way to avoid falling prey to this is to avoid clicking on links received by e-mail or SMS that ask for sensitive information to be shared; instead, type the URL yourself.

There are checks and controls implemented by websites to make sure customer recognizes the right page. For example, some websites have a shared image or message that is displayed on the page seeking you to input sensitive information. Like HDFC Bank Netbanking displays a picture and a message selected by you on its log-in page to ensure you are inputting your credentials on an authentic bank page and not some other spoofed website.
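The character-replacement trick described under Website Spoofing can be checked for mechanically. The following is an added example, not code from any bank or browser: it decodes the hostname of a link, folds look-alike characters into plain letters and reports when the result imitates a trusted domain. The allowlist (`bank.example` is a placeholder domain), the small look-alike table and the sample links are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist; bank.example stands in for a real bank's domain.
TRUSTED_DOMAINS = ("bank.example",)

# Small constructed table of look-alike characters. Unicode publishes a full
# confusables list (UTS #39); this subset is only enough for the demonstration.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0445": "x",  # Cyrillic ha
    "\u0456": "i",  # Cyrillic Byelorussian-Ukrainian i
    "\u0131": "i",  # Latin dotless i
    "0": "o",       # digit zero for letter o
    "1": "l",       # digit one for letter l
}


def to_unicode(host):
    """Decode punycode (xn--) labels so the check sees what the user would see."""
    try:
        return host.encode("ascii").decode("idna").lower()
    except UnicodeError:
        return host.lower()  # already Unicode, or not valid punycode


def skeleton(host):
    """Reduce a hostname to a comparison form: fold look-alikes, drop accents."""
    text = unicodedata.normalize("NFKC", host).lower()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    text = unicodedata.normalize("NFD", text)
    return "".join(ch for ch in text if unicodedata.category(ch) != "Mn")


def _within(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def check_url(url):
    """Return (verdict, trusted_domain): trusted, lookalike, unknown or invalid."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return ("invalid", None)
    if not host:
        return ("invalid", None)
    host = to_unicode(host)

    for domain in TRUSTED_DOMAINS:
        if _within(host, domain):
            return ("trusted", domain)

    # Not an exact match: does it only *look* like a trusted domain?
    folded = skeleton(host)
    for domain in TRUSTED_DOMAINS:
        if _within(folded, skeleton(domain)):
            return ("lookalike", domain)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links.
    for link in (
        "https://netbanking.bank.example/login",
        "https://netbanking.b\u0430nk.example/login",  # Cyrillic a
        "https://bank.example.login.test/",            # trusted name as a prefix only
    ):
        print(check_url(link), link.encode("unicode_escape").decode())
```

A name that merely starts with the trusted domain, like the third sample, is reported as unknown rather than trusted, because only the right-hand end of a hostname decides who owns it.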

Social Engineering: The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Phishing explained above is a type of social engineering. Some other ways of social engineering relevant in this context are Vishing, where fraudsters will mimic the IVR (Interactive Voice Response) of the target organization to convince that organization’s customers into revealing sensitive information and Baiting, where fraudster will send you a link over e-mail or SMS prompting you to click on an infected link with promise of certain reward or threat of some loss.

There is no prince in Nigeria or warlord in Sudan dying to share their wealth with you, neither have you won any Coca-Cola or Reader’s Digest lottery. RBI or Income Tax departments are never going to call you to credit your account, neither is the Modi government giving you fifteen lac rupees in your account provided you share your account or net banking credentials with them. To receive LPG subsidy you just need to link your Aadhaar to your bank account and nothing else.

Money Mule: A money mule, sometimes also called as “smurfer” is a person who helps fraudsters transfer money acquired illegally. If someone approaches you with a story that he needs to transfer a fortune and want to use your account to park some funds and they will offer huge reward just for allowing the money to pass through your account or once the money is deposited in your account you need to withdraw cash and hand deliver it to someone in person, you are being recruited as a money mule in an elaborate fraud scheme.

When money is moved digitally, it leaves a trail and that can be used to identify and arrest the fraudster. To avoid this fraudsters create an elaborate trail of movement by passing the money through various money mule accounts and convincing these unsuspecting people into handing over the money in the form of cash at an unsupervised location. If you act as a money mule then you become a co-conspirator in the fraud and will be liable for any criminal proceedings that attracts. So avoid falling into becoming a criminal for some monetary reward.

Protect your Mobile Phone: These days your mobile phone has become very important when processing digital transactions. In many cases your mobile device is used as a mode of authentication, most of the time an OTP received on your mobile phone is used as 2nd factor authentication and many times websites and mobile apps store your card details (called card on file in payments world) in order to provide you a convenient user experience.

Now imagine a scenario where you have lost your smart phone and some fraudster has gotten hold of the device. Your phone is unlocked because you never set up any access control like face, fingerprint, pattern or password to lock your phone when not in use. The fraudster notices that you have installed your telecom operator’s app on your phone and have your card credentials stored there. He sets up a shop offering cheap recharge to prepaid customers of that telco. He collects cash from the customers to recharge their prepaid mobile numbers and uses your card stored in the app and the OTP delivered on the device to make the payment. By the time you report this and the authorities catch up to him, he would have shut the shop and run away. The only thing protecting you at this moment is your three digit cvv2/cvc2; if somehow he manages to find out or guess that number, you have no protection.

My only advice to you in this case is a. store your mobile number only at the apps/website you frequently use, b. set up an access control on your smartphone be it PIN, Pattern, Fingerprint or Face ID have some protection, c. don’t lose your phone and if you do immediately call your telco to block the number and also your bank to block your cards.

Physical Interaction: At last one very important thing, whenever you are providing photocopy of any KYC documents to anyone please make sure you sign it with date and purpose. The logic is to avoid misuse of your document from giving any instruction to your bank through their branch for example change of address, reissue of card, reissue of PIN, new cheque book etc. Bank branches typically ask for an identity proof to be attached with any written instructions to ensure the instruction has been received from authorized party.

Payments Explained: Card Transactions Part 3 (Protection)

Card payments ecosystem has been designed with safeguards at various stages to ensure protection of various parties involved in the value chain. I would like to dedicate this post to list down these safeguards to make users familiar with them. Every entity, system and process handling card information needs to adhere to Data Security Standards established by Payment Card Industry (in short PCI-DSS) which ensures all sensitive information is protected at any point in time.

Card Issuer Controls

Card Printing: At the time of card issuance, the card printing file is created and transported to the print shop in encrypted format and is destroyed after the card printing is complete. I have been to one such print shop and experienced their security standards first hand. On top of data security they also have strict controls for physical security. Personnel visiting there are taken through multiple locked doors and are not even allowed to wear clothes that have pockets in them.

Chip (EMV): Earlier, card transactions used to be performed using the magnetic stripe. The problem with the magnetic stripe was that card information in it is stored in clear form and can be stolen by fraudsters by swiping the card on a card reader. This process of stealing card information is referred to as skimming. In order to protect users against this, RBI has now made it mandatory to use EMV cards. The benefit of an EMV card is that all the card information is stored in the chip in encrypted form.

PIN Printing: The PIN of your card is not stored in any system anywhere. At the time of PIN issuance, a PIN block is generated using a complex logic and encryption and sent directly to the PIN printer. The PIN is printed in sealed form and can be seen only by tearing the PIN mailer.

The level of caution at this stage is such that card plastic and PIN are printed at different locations (in HDFC Bank cards are printed at Chennai, while PIN printing usually happens in Mumbai); this is done to ensure that your card and PIN are never together until they are delivered to the customer. In addition to this, cards are delivered with addressee specific delivery. The delivery guy usually asks for ID proof before handing over the card kit to you.

PIN Validation: At the time of transaction PIN is encrypted at the key pad itself and an encrypted PIN block is generated. PIN travels to issuer system for authentication in encrypted format. PIN block is generated in the issuer system using the information available at the back end. Both the PIN blocks are compared and if matched PIN authentication is successful.
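The PIN block described above, as an added example that is not code from the original post. The post does not name the block layout; this sketch assumes ISO 9564-1 format 0, a widely used layout that ties the PIN to the card number, and it leaves out the 3DES encryption step (clear blocks here stand in for what would only ever exist inside the PIN pad and the issuer's security module). The card number and PIN are constructed sample values.

```python
import hmac


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _pin_field(pin: str) -> bytes:
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 digits")
    # Format nibble 0, PIN length nibble, the PIN digits, then F padding to 16 nibbles.
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def _pan_field(pan: str) -> bytes:
    if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("card number must be 13 to 19 digits")
    # Four zero nibbles, then the rightmost 12 digits excluding the check digit.
    return bytes.fromhex("0000" + pan[:-1][-12:])


def build_pin_block(pin: str, pan: str) -> bytes:
    """Key pad side: combine PIN and card number into one 8 byte block."""
    return _xor(_pin_field(pin), _pan_field(pan))


def extract_pin(block: bytes, pan: str) -> str:
    """Issuer side: undo the XOR and reject anything that is not a valid layout."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = _xor(block, _pan_field(pan)).hex().upper()
    length = int(field[1], 16)
    pin, padding = field[2:2 + length], field[2 + length:]
    if field[0] != "0" or not 4 <= length <= 12:
        raise ValueError("not a format 0 PIN block")
    if not pin.isdigit() or set(padding) - {"F"}:
        raise ValueError("corrupt PIN block or wrong card number")
    return pin


def pin_blocks_match(received: bytes, reference: bytes) -> bool:
    """Compare the block from the terminal with the one built at the back end."""
    return hmac.compare_digest(received, reference)


SAMPLE_PAN = "43219876543210987"   # constructed card number
SAMPLE_PIN = "1234"                # constructed PIN
```

Because the card number is mixed in, the same PIN on two different cards gives two different blocks, so a captured block cannot simply be replayed against another card.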

CVV or CVC: This is a three digit code linked to your card and a variation of same CVV2/CVC2 is printed at the back of your card. This three digit code is available only on the card plastic and presence of CVV/CVC or CVV2/CVC2 (for CNP transactions) means that the person providing the detail is in possession of the card plastic.

It is very important that one does not share PIN and CVV details with any person except for on the card details capture page at the time of transaction.

2 Factor Authentication: According to RBI mandate all the card transactions in India are processed with 2 factors of authentication. Typically these two factors are combination of any two from below three:

  1. What you have? In case of card world it is usually your card plastic or if you are transacting through your registered mobile device, it can be your mobile device.
  2. What you know? Your PIN or Passwords fall in this category. It is a shared secret that only you and your issuer knows and can validate.
  3. Who you are? All biometric forms of authentication would fall under this category. Most common biometric is your finger print. In future we might even see iris, voice, behavior, face etc also being used for authentication.

In case of card present transaction these two factors are your card plastic and PIN, while in case of card not present transactions it is your card details (card number, expiry and cvv2/cvc2) and OTP or password.

Merchant Acquiring Controls

POS Terminal: A PoS device consists of the following components: a. card reader, b. key pad, c. network connectivity, d. memory storage and e. receipt printer. The card reader and key pad are programmed to encrypt the data at the time of entry itself. The memory stores this information in encrypted form and deletes it as soon as the merchant processes the settlement. Communication on this network happens in encrypted format through a protected line. The receipt printer is programmed to mask sensitive information like your card number while printing the receipt.

The encryption logic used for card transactions is called TripleDES or 3DES, which is one of the most advanced data encryption standards in practice today. The encryption key used for each terminal is unique and dynamically updated in order to ensure protection from any possible compromise at the key level itself.

Void and Refund

Void and refund are transactions used by the merchant himself to undo a transaction. For example, if the merchant has swiped your card for a wrong amount or you have changed your mind about the transaction immediately after making the payment, the merchant can recall that transaction from the terminal’s memory and cancel it. This process is called void, and in this case, when the merchant processes the settlement, this transaction is omitted from it and not claimed further. In the absence of any claim against the transaction, the issuer automatically reverses the transaction in the customer’s account after the designated settlement time is over.

In case the merchant has processed the settlement on the machine and the transaction has already been deleted from the device, it cannot be canceled/voided. In this case the merchant performs a refund transaction, i.e. sends instructions to credit the customer account by debiting the merchant account. When the merchant settles this transaction, the appropriate credit instruction is passed on to the issuer by the acquirer via the interchange. These days interchanges have come up with ways to process instant refunds.

Chargeback

As you are now aware, there are many controls in place to ensure a safe transaction at the time of card issuance and transaction processing. Chargeback is a process to protect the customer’s interests after the transaction. As part of the chargeback process, if there is any issue with the transaction like duplicate billing, services not rendered, goods not delivered etc., a customer can reach out to his/her issuer to raise a dispute with all the evidence supporting his/her claim. In such cases the issuer approaches the merchant through the acquirer via the interchange and asks the merchant to provide the necessary evidence or accept the dispute and reverse the transaction. The merchant provides the evidence in the form of delivery confirmation, payment receipt etc. If the merchant is unable to prove that it was a genuine charge, the case is closed in the customer’s favour and the transaction is reversed. If the merchant is able to prove with the necessary evidence that the charge was genuine, the dispute is closed in the merchant’s favour.

Zero Liability

If you read all the study material sent along with your card, in many cases you will find a section labeled as zero liability. Zero Liability applies to your purchases made in the store, over the telephone, online, or via a mobile device and ATM transactions. As a cardholder, you will not be held responsible for unauthorized transactions if:

  1. You have used reasonable care in protecting your card from loss or theft; and
  2. You promptly reported loss or theft to your financial institution.

If you believe there has been unauthorized use of your account and you meet the conditions above, rest easy knowing you have the protection of Zero Liability promise. Please read this clause carefully in your card kit and ensure you understand the same.

Hotlisting

Please make sure you contact your bank through the fastest mode available to report the loss of your card or any suspicious activity on your card. Every card issuer ensures that there are methods to report this through a telephone call (at a dedicated number, please keep this number handy with you), mobile banking, internet banking etc.

What counts as suspicious activity? Some examples are as follows:

  1. You receive an SMS/e-mail regarding an activity in your account that you are not aware of
  2. You receive an SMS/e-mail informing you about an OTP generated for a transaction that you did not initiate
  3. Someone calls you and inquires about sensitive information about your card like card number, cvv, PIN, OTP etc. No bank ever asks for this information to be shared over a phone call to any person.

Hope this information has been helpful and makes you more confident about using your card for payment the next time you go shopping. In the next part I will be covering various types of frauds happening in the card world and how to protect yourself from them. Most of the banks actually send mailers/SMS with this kind of information; you might be aware of it if you have been paying attention to those mailers.

Payments Explained: Card Transactions Part 2 (Transaction Flow)

Continuing from my last post, dedicated towards explaining the common terminology used in the payments world in terms of the participants and instruments, in this post I will focus on how a card transaction works. Back in 2005, after completing my B.Tech. in Mechanical Engineering, during my job interview with HDFC Bank, my super boss (then head of BSG retail) asked me if I knew how an ATM transaction works. I answered in the negative and yet attempted to guess how it might work using logical reasoning coupled with my experience of using my ICICI Bank card at the Canara Bank ATM installed in the IIT campus. My answer was somewhat close to the reality. I will try to use similar language in this post in order for it to make sense to a wider audience with no background in the payments business.

Fundamental Principle

In simple terms, any payment involves debiting one account and crediting another. When you purchase any goods or services from a merchant and make a payment in lieu of the same, it’s your account that needs to be debited and the merchant’s account that needs to be credited. It can be a much simpler process when both the accounts are in the same bank; however, when the accounts happen to be in different banks, it becomes slightly more complex. In payments lingo, if the issuer and acquirer are the same bank, it is referred to as an OnUs transaction and is settled within the bank without involving the services of Interchanges. However, when issuer and acquirer are different banks, the transaction is referred to as remote OnUs and OffUs by issuer and acquirer respectively. Such transactions are processed through Interchanges utilizing their connectivity with both banks and are settled via the same Interchange.

The primary function of the instruments both the parties hold (in case of the customer it’s the card plastic and in case of the merchant it is typically the PoS device) is to identify the source and destination financial address, i.e. account number and the bank. Most of you would be aware of something called the IFSC code; well, this code is nothing but a way to identify your bank-branch combination when you are performing an NEFT or RTGS transaction (even IMPS Person to Account, commonly referred to as P2A, where you use account number instead of MMID as destination address, uses the same). Similarly, in the card world there is something commonly called BIN, short for Bank Identification Number. This BIN is a six digit number issued by Interchanges (Visa/MasterCard/RuPay) to participating issuing and acquiring banks. On your card it is the first 6 digits of your card number, while in case of merchants it is mapped to the PoS device. It is this BIN that helps interchanges identify source and destination banks in any payment transaction using cards.

Sample Transaction

When you present your card issued by Bank A at a merchant on-boarded by Bank B, the transaction goes through the following steps:

  1. PoS Machine reads the card information from the card
    • In case of chip card the information is read from the chip when it is dipped inside the machine
    • In case of magnetic stripe card the information is read from the magnetic stripe at the back of the card during swipe
    • In case of NFC information is exchanged over the air during tap
    • If you have heard of a company called Tone Tag, they use sound waves to communicate between your phone (which stores the card number) and PoS device.
  2. The information read by the PoS device typically contains Customer Name, Card Number, Expiry of the plastic, CVV (a three digit secure code) and PIN Block (wherever applicable)
  3. PoS device connects to the acquirer and sends the information to their central system
  4. Acquirer system identifies from the BIN, which interchange the card belongs to and sends it to respective interchange
  5. The interchange identifies the issuing bank from the BIN and sends the transaction to the issuer
  6. The issuer authenticates the card using the information captured by the PoS device
  7. Upon successful authentication issuer authorizes the transaction based on the status and availability of balance in the account
    • At this stage issuer debits the customer’s account and parks the credit in a designated account marked for interchange settlement
  8. The result of authentication and authorization is communicated back to the interchange in the form of response code
  9. Interchange passes on the response to the acquirer
  10. Acquirer communicates the same forward to the PoS device
  11. PoS device displays the message on the machine display and merchant concludes the transaction accordingly
  12. Merchant uses the PoS device to claim the money from the acquirer
    • At this stage acquirer credits the merchant by debiting the designated account marked for interchange settlement
  13. Acquirer sends the claim file to interchange with details of all the transactions across all issuers
  14. Interchange splits the file as per issuers and sends the files to respective issuers to receive the funds for transaction performed on interchange’s network by customers of the issuer
    • Each interchange has a designated settlement banker. Every issuer and acquirer has to open account in this bank, which is used to settle transactions between participating banks
  15. Issuer debits the designated settlement account, to fund the interchange account in the designated settlement bank
  16. Interchange debits the issuer account in settlement bank and credits acquirer account in that bank
  17. Acquirer uses the fund received in the account in settlement bank to round off the settlement account in their book

Steps 1 to 12 are called authorization and 12 to 17 are called settlement. Authorization steps are performed online in real time, while settlement is completed through file exchange. When you hear someone say it’s DMS, short for dual message settlement, this is what they are referring to.
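The steps above traced as ledger movements, in an added example that is not code from the original post: BIN routing, the online authorization leg, a void before settlement, and the file-based settlement leg. Bank names, the BIN table, account names, response codes and the card number are all constructed for illustration, and on-us handling is simplified to a transfer inside the one bank's books.

```python
from collections import defaultdict

# Constructed BIN table: first six card digits -> (interchange, issuer). Not real allocations.
BIN_TABLE = {"999901": ("InterchangeX", "BankA"), "999902": ("InterchangeX", "BankB")}
# Illustrative response codes chosen for this example.
APPROVED, NO_FUNDS, UNKNOWN_CARD = "00", "51", "15"


class CardNetwork:
    """Toy model of issuer, acquirer, interchange and settlement bank books (amounts in paise)."""

    def __init__(self):
        self.ledger = defaultdict(int)    # (institution, account) -> balance
        self.cards = {}                   # card number -> customer account at the issuer
        self.holds = {}                   # auth id -> approved transaction not yet settled
        self.batches = defaultdict(list)  # acquirer -> auth ids still in PoS memory
        self.next_id = 1

    def move(self, src, dst, amount):
        """Double entry: debit src and credit dst, so total value is conserved."""
        self.ledger[src] -= amount
        self.ledger[dst] += amount

    def authorize(self, pan, amount, acquirer, merchant):
        """Steps 3 to 11, online. Returns (response code, auth id or None)."""
        route = BIN_TABLE.get(pan[:6])                     # steps 4-5: route on the BIN
        if route is None or pan not in self.cards:
            return UNKNOWN_CARD, None
        _interchange, issuer = route
        customer = (issuer, self.cards[pan])
        if amount <= 0 or self.ledger[customer] < amount:  # step 7: balance check
            return NO_FUNDS, None
        # Step 7: debit the customer and park the credit for interchange settlement.
        self.move(customer, (issuer, "interchange_parking"), amount)
        auth_id, self.next_id = self.next_id, self.next_id + 1
        self.holds[auth_id] = {"issuer": issuer, "customer": customer, "amount": amount,
                               "merchant": (acquirer, merchant), "on_us": issuer == acquirer}
        self.batches[acquirer].append(auth_id)
        return APPROVED, auth_id

    def void(self, acquirer, auth_id):
        """Merchant recalls the transaction before settlement, so it is never claimed."""
        self.batches[acquirer].remove(auth_id)

    def settle(self, acquirer):
        """Steps 12 to 17, file based. Returns the claim totals split per issuer."""
        claims = defaultdict(int)
        for auth_id in self.batches.pop(acquirer, []):
            hold = self.holds.pop(auth_id)
            if hold["on_us"]:
                # Issuer and acquirer are the same bank: settled in its own books.
                self.move((acquirer, "interchange_parking"), hold["merchant"], hold["amount"])
                continue
            # Step 12: credit the merchant, debit the acquirer's settlement account.
            self.move((acquirer, "interchange_receivable"), hold["merchant"], hold["amount"])
            claims[hold["issuer"]] += hold["amount"]       # steps 13-14: claim file split
        for issuer, amount in claims.items():
            # Step 15: issuer funds its account at the settlement bank.
            self.move((issuer, "interchange_parking"), ("SettlementBank", issuer), amount)
            # Step 16: interchange debits the issuer and credits the acquirer there.
            self.move(("SettlementBank", issuer), ("SettlementBank", acquirer), amount)
            # Step 17: acquirer rounds off the settlement account in its own books.
            self.move(("SettlementBank", acquirer), (acquirer, "interchange_receivable"), amount)
        return dict(claims)

    def reverse_unclaimed(self):
        """After the settlement window the issuer returns holds that nobody claimed."""
        in_batches = {a for batch in self.batches.values() for a in batch}
        stale = [a for a in self.holds if a not in in_batches]
        for auth_id in stale:
            hold = self.holds.pop(auth_id)
            self.move((hold["issuer"], "interchange_parking"), hold["customer"], hold["amount"])
        return stale


def demo():
    net = CardNetwork()
    pan = "9999010000000001"                    # constructed card issued by BankA
    net.cards[pan] = "alice"
    net.ledger[("BankA", "alice")] = 100_000    # Rs 1,000.00
    total_before = sum(net.ledger.values())
    rc1, _ = net.authorize(pan, 25_000, "BankB", "grocer")       # off-us, approved
    rc2, voided = net.authorize(pan, 10_000, "BankB", "grocer")  # approved, then voided
    rc3, _ = net.authorize(pan, 90_000, "BankB", "grocer")       # more than the balance
    net.void("BankB", voided)
    claims = net.settle("BankB")
    reversed_ids = net.reverse_unclaimed()
    return net, (rc1, rc2, rc3), claims, reversed_ids, total_before
```

After `demo()` the parking and settlement accounts are back at zero and only the customer and merchant balances have changed, which is the reconciliation check each party runs on its own books.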

When you are using the card at a website or mobile app, there is one additional step you perform, that is 2nd Factor Authentication, the most common form in India being a one time password (OTP) delivered to your registered mobile phone. This is done because in the online world there is no encrypted key pad as available on a PoS device. Since the PIN needs to be protected with certain encryption standards, which are difficult to implement on a website, as an alternative, when the transaction hits the Interchange, they refer to a mapper maintained at their end to find the authentication URL of the issuing bank and make a call to that URL. At this point the issuing bank takes control of the transaction and triggers an OTP to the cardholder’s mobile number, which is then validated on the web-page of the issuing bank. On successful authentication, the other authorization steps are performed. Such transactions, where the card plastic is not used at the time of transaction, are called CNP (card not present) transactions.
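One way the issuer-side OTP check in the card-not-present flow could be built, as an added example that is not code from the original post or from any bank. The class name, the 180 second validity, the three attempt limit and the fields bound into the OTP are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 180   # assumed validity window, not from the post
MAX_ATTEMPTS = 3        # assumed retry limit, not from the post


class IssuerOtpService:
    """Hypothetical issuer-side OTP check for a card-not-present transaction."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # server-side key; clear OTPs are never stored
        self._pending = {}                    # transaction id -> pending challenge

    def _tag(self, otp, txn_id, card, amount, merchant):
        # Bind the OTP to one exact transaction: same code, different amount, different tag.
        message = "|".join([otp, txn_id, card, str(amount), merchant]).encode()
        return hmac.new(self._key, message, hashlib.sha256).digest()

    def issue(self, txn_id, card, amount, merchant, now):
        """Create a 6 digit OTP for this transaction; the caller delivers it by SMS."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn_id] = {"tag": self._tag(otp, txn_id, card, amount, merchant),
                                 "expires": now + OTP_TTL_SECONDS, "attempts": 0}
        return otp

    def verify(self, txn_id, otp, card, amount, merchant, now):
        """Return 'ok', 'mismatch', 'expired', 'locked' or 'unknown'."""
        challenge = self._pending.get(txn_id)
        if challenge is None:
            return "unknown"                  # never issued, or already used
        if now > challenge["expires"]:
            del self._pending[txn_id]
            return "expired"
        if challenge["attempts"] >= MAX_ATTEMPTS:
            return "locked"                   # guessing a 6 digit code is cut off early
        challenge["attempts"] += 1
        well_formed = len(otp) == 6 and otp.isascii() and otp.isdigit()
        expected = challenge["tag"]
        if well_formed and hmac.compare_digest(
                expected, self._tag(otp, txn_id, card, amount, merchant)):
            del self._pending[txn_id]         # single use
            return "ok"
        return "mismatch"
```

Binding the amount and merchant into the check means an OTP read off the phone for one payment does not validate a different payment on the same card.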

I hope this gives most of you a fair idea about how card transactions are performed and the role multiple entities play in the process, along with the flow of money. In the next part I will cover the various security measures and safeguards that are built in at various steps of the entire process to protect the customers and merchants from various frauds.

Payments Explained: Card Transactions Part 1 (Terminology)

Payments is the most popular service used by the widest customer base. Everyone recognizes some of the key players operating in the space like Banks (Issuers and Acquirers), Visa, MasterCard, NPCI (Interchanges) by virtue of seeing their logos at every ATM and merchant outlet and also on the face of their cards (Credit, Debit, Prepaid). I have come across many situations where people fall prey to frauds or unfair treatment due to their lack of awareness about the way digital payments work and the roles played by the various parties involved; with that awareness they could make the best use of the infrastructure available without any fear. There are enough precautions taken while building the systems and designing the surrounding processes to ensure the customer is protected from wrongful conduct by malicious parties. This series is an attempt on my part to explain the fundamentals of digital payments in simple English in order to make common users of payment instruments aware of what goes on behind facilitating the entire journey. Today I will try to focus on one of the most popular and oldest digital payment methods for retail consumers, Cards.

Terminology

Let me first introduce the terminology commonly used in the card payments world, to help you understand it slightly better and know what means what when you hear these terms in any future conversation.

Debit Card: Your debit card is the plastic instrument issued to you by your bank that you use to transact using the balance in your savings or current account with the bank. Because a debit card is always linked to a savings or current deposit, only banks (including Payment Banks and Small Finance Banks) can issue this card. The logo of the bank is printed on the face of the card.

Credit Card: A credit card is the plastic instrument that enables you to pay through your credit account. While there are non-Bank institutions as well that offer credit facility to customers through their lending products, currently RBI allows only banks to issue credit cards. If you come across a credit card issued to you by any non-Bank, it will typically be in partnership with some Bank. For example, Bajaj Finserv Credit Card is offered in partnership with RBL Bank.

Prepaid Card: Prepaid cards are stored value cards where you need to load money into the prepaid account and can transact up to the amount loaded on the prepaid instrument, which is why they are considered less risky, since the exposure is limited to the amount stored. RBI issues PPI (Prepaid Payment Instrument Issuer) licenses to entities interested in issuing prepaid cards. Entities like EbixCash (formerly ItzCash), Amazon Pay, Mobikwik, Oxigen, Sodexo, PhonePe are some popular PPI issuers in the market.

Prepaid cards issued by banks are usually open loop cards and work on a wider merchant base depending on their ability to accept Visa, MasterCard or RuPay cards (will explain them later under section Interchange); while cards issued by PPI issuers are semi closed loop cards. Meaning for a card issued by a PPI issuer to work at any merchant the merchant needs to have a direct arrangement with the issuer of the card. You need to look for specific PPI issuer’s logo at a merchant outlet or website to know whether that merchant has an arrangement with the particular issuer to accept your prepaid card.

There are many variations of prepaid card instruments available in market with varying popular terms. I will explain some of them below:

  1. Mobile Wallet or Wallet: These are prepaid instruments issued digitally only and are typically accessed through a mobile app offered by the issuer entity. Some very popular wallets in the market are PayTM, PhonePe, AmazonPay.
  2. Meal Card or Food Card: These cards work only on grocery merchants or restaurants. Sodexo is the biggest issuer in this category.
  3. Travel Card or Forex Card: This is the card category typically issued by Banks or through FFMCs (Full Fledged Money Changers) where you can load money in foreign currency. When you are traveling to a foreign country, any transaction done on your INR cards incurs a surcharge to the tune of 2-5% depending on your issuer, called cross currency mark-up. In that situation it is advised to carry a travel prepaid card with money stored in that region’s local currency, thus avoiding this mark-up every time you transact. There are even multi-currency variants available in this category where you can load the card in multiple currencies supported by the card issuer.
  4. FASTag: This is a new variant of prepaid card that has become very popular recently because of the government’s push to digitize toll collection at toll booths across the country. This is an instrument that works on near field communication technology, where your card stuck on your windshield is read by the sensors installed at toll booths while your car is passing through. Since this is a standard amount to be deducted, a rule based setting processes the transaction without the need for an operator. The toll gate is triggered based on the transaction response: open the gate if the response is successful, if not refer for manual intervention.

Other than above described variants there can be various other variants tied to the usage limitations on the card like general purpose with no restrictions, petro card working only at petrol pumps, student card with restrictions on the card usage set up by guardians or college etc.

Issuer: An issuer is the institution that has issued you the card you are holding, and the card has the logo of that institution on its face. Card issuers are typically banks or, in case of prepaid cards, other entities licensed by RBI, i.e. PPI issuers.

Acquirer: Acquirer is the institution that on-boards the merchant on payment platform. The logo on the Point of Sale (PoS) machine or on the transaction receipt generated is of the acquirer. In India only banks are allowed to become acquirers. Any other names you see or hear like Pine Labs, Innoviti, mSwipe etc all use one or multiple banks as acquirers to process their transactions.

Interchange: An interchange in the payments ecosystem is the entity that ensures interoperability between issuers and acquirers during the transaction. There are currently three interchanges active in India: Visa, MasterCard and RuPay (run by NPCI, National Payments Corporation of India). The logo of the partnering interchange is always printed on the face of the card and displayed at the merchant location/website. If the logo at the merchant location matches the logo printed on your card, it means this merchant will accept your card.

Example: When you use your HDFC Bank Visa card at a merchant of ICICI Bank, HDFC Bank is the issuer, ICICI Bank is the acquirer and Visa is the interchange facilitating settlement between two banks.

POS (Point of Sale) Machine: This is the small machine you find at a merchant outlet on which he/she dips, taps or swipes your card to process the transaction. The biggest manufacturers of these devices are Ingenico and Verifone. These are companies who manufacture these machines and sell them to acquirers or payment facilitators, who then provide them to the merchants. These devices typically use a traditional telephone line or GSM (mobile phone network) for connectivity.

mPoS: This is smaller version of the PoS devices that connects to a mobile phone for connectivity. The extension typically has a card reader and PIN pad for entering the PIN and a small display. They rely on the mobile phone for connectivity and do not print receipts as opposed to traditional devices. mSwipe and Ezetap are two key players in this space.

Payment Gateway: Payment Gateway (PG) is a piece of software doing the job of a PoS device in the digital world. Any website or mobile app integrates with a payment gateway to accept payments from card instruments. Many banks have their own payment gateways, with HDFC Bank being the market leader in this space. However, there are many non-bank players like PayU, CCAvenue, Billdesk, Techprocess, Razorpay, Payabbhi etc. playing the role of aggregator to offer this service to merchants.

Blockchain: A sample case for how it can affect your life

Before there were banks, people used to trade by exchanging goods of value between themselves. This system was not scalable due to the logistics involved. To solve this problem states came up with currency, which was issued by the state, and the value of the currency was guaranteed by the state. The primary form for these currencies used to be metal, usually gold or silver. When humanity developed modes of transportation and started trades between far off places, it became extremely challenging to rely on metal coins, so Kublai Khan introduced paper currencies to make trade easier for merchants trading between China and Europe. This was a great innovation for the time; however, when trades became larger and more widespread, even managing paper currencies became challenging, and thus came banks. Banks were the entities who were trusted with safekeeping of money and with facilitating trade by acting as trusted middle parties managing the transfer of money from buyer to seller as per their agreed contract. So all this innovation throughout history, over centuries, had been to facilitate trades between two parties bound by a mutually agreed contract without relying on mutual trust. Well, blockchain provides the necessary technology to facilitate the above mentioned trade without the need for a trusted third party in the form of banks. However, it is not easy to throw away hundreds of years of evolution just because technology has finally managed to solve the original problem, resulting in a lot of resistance from various quarters. Change in technology is easy; the more difficult part is change in behaviour and mindset, which will take time, a couple of decades in my opinion.

Adoption of blockchain has to start in a manner that drives acceptance in common practice without expecting significant change in behavior. Keeping regulatory challenges in mind, the most logical point of origin could be the introduction of crypto-currencies in a closed loop environment. By the way, I am aware that blockchain and crypto-currency are not the same thing; however, I think crypto-currency is one of the most suitable usages for blockchain and it is the most straightforward way to ensure common adoption. In today’s connected world there are enough use cases with person to person exchange with no need for a banking third party. While the history of Facebook makes me skeptical, social media is one very appropriate use case for implementation of crypto-currency.

Any social media platform relies on two types of users, contributors and consumers (with some overlap between the two categories). In an ideal world contributors should earn for their contribution, while consumers must pay for their consumption. Such a platform can very easily introduce an internal currency, the value of which is linked to the value of the platform, and which is distributed among the contributors in proportion to their contribution towards the platform. The consumers can earn the currency by contributing towards the platform, or buy it from other contributors or from the platform itself. If the platform provides enough value to consumers, there will be enough demand for the currency, thus increasing the value of the currency, while if the value erodes the currency will also lose its value.

This is just one such example of a perfect setting where a blockchain based crypto-currency will do much better than the existing banking dependent settlement method. There are many emerging platforms supporting the shared economy like Amazon, Flipkart, Uber, Ola, AirBnB, Oyo, Swiggy, UrbanClap etc. where real-time settlement clearly is the need and will enhance the platform multi-fold by unlocking the value for the smaller participants in the economy. In today’s set-up, one day a Swiggy might start feeling that the restaurants’ business is dependent on them and can come up with practices not entirely in the favour of restaurants. We can already see this happening with restaurant bodies protesting against Zomato, drivers protesting against Ola, hotels protesting against MMT and Oyo etc. This is because the platform has too much power over the entire ecosystem, making the entire set-up unfair for the smaller participants. An alternate platform built using smart contracts between participants ensuring real time settlement would be a much better and fairer option.

Another argument in favour of blockchain is the incompetence or unfairness of banks over the years. The banking system has been in operation for centuries; however, with all the advancements in technology, their cost of managing money is consistent at around four percent. On top of that, their insistence on charging customers for everything, even essential services, makes the need for an alternative imminent. I recently encountered one bank (one of the largest private sector banks in India) whose credit card hotlisting helpline is a premium number and the customer has to pay extra for using it. Most of the banks have fees/charges for every type of interaction with the bank. If it wasn’t for RBI, customers were even charged for using ATMs (even today there are charges beyond a particular frequency). Banks charging customers for account access is similar to shopping malls charging for parking or carry bags; both are unfair but both happen without any check because people in general accept it and move on. There are better ways to manage the situation, but it’s lack of intent or imagination that makes them end up choosing the easier (direct) path to revenue rather than coming up with a more customer friendly way. To top it all, recent cases of corruption and incompetence across many banks have brought the trust among the common public to an all time low.

Financial Inclusion: Past, Present and Future A Technology View

The biggest challenge to financial inclusion situation is that most of the people attempting a solution don’t even have a clear view of the problem. When you solve the problem with clarity of vision, you end up creating an institution like Bandhan Bank and in other cases you end up installing ATM machines in villages, only to realize very soon that cost of operating an ATM in a rural location can never be justified by the value it offers even at 100 percent capacity utilization. During my stint at HDFC Bank, I was leading the solutions for retail payments space, I was also responsible for financial inclusion initiatives. We did many things like Bank on Wheels, installing an entire bank branch including an ATM with biometric (finger print) capability in a bus specially modified for this purpose. Another version of Bank of Wheels was Ultra Small Branch, where we created solution for single man branches operated entirely through a handheld device. The manager would basically carry the entire branch on a bike and travel to dedicated service locations.

Once Wincor-Nixdorf senior management representatives were visiting India to showcase their new hardware to Indian prospects and during the evening meet and greet one of the Germans got into a conversation with me. During the conversation he mentioned that he is really interested in building something for financial inclusion specially for rural India. My answer to him, “Stop selling them ATMs.” The income and spending patterns are very different for rural and urban markets. ATMs are required for a customer base that receives bulk of its income in its bank account and then withdraws what it needs to spend, while when someone earns primarily in cash, they spend in case and then deposit whatever is left of it as savings in their accounts. By the way, this conversation was back in 2011 and a lot would have changed in last 8 years (QR code and UPI were non-existent then for example) still fundamental principal remains the same.

One more point I used to hear often about rural customers that biometric authentication (finger print) is a must have for building any solution for rural customers. Although most of the time their point of view prevailed and we ended up building solutions with biometric authentication however my counter argument to this always has been that a numeric PIN will work as fine. Even if the customer is illiterate he can identify his PIN as combination of symbols, besides if a customer can count money, he can manage his PIN. Who remembers her/his PIN as Five Thousand Three Hundred Ninety One? You always remember it as Five, Three, Nine, One. Introduction of biometric pre-aadhaar meant any solution built for rural was costlier and not viable. Has anyone in any bank ever verified their hypothesis, I doubt. Nobody ever shared any field research in this regard with me.

A lot has changed in the last decade. APBS (Aadhaar Payments Bridge) is extensively being used to transfer subsidy directly into the beneficiary’s account using Aadhaar mapper. The only credit in my father’s account is cooking gas subsidy. NREGA payments are being credited directly to the account. AePS (Aadhaar enabled Payments System) makes it easy to authenticate the customer using Aadhaar. Jio has given mobile data connectivity to anyone who they can get their hands on. Internet in India is the cheapest in the world and the connectivity has reached even small villages. PayTM has spent billions to teach people how to transact using mobile phones. G-Pay and PhonePe have used UPI to create a user friendly payment experience for anyone with a bank account (PMJDY gave everyone a bank account, even the ones who were never interested in having one). BharatPe and PayTM are reaching out to the smallest of merchants and on-boarding them on digital payments using QR codes. The people who were not even expected to handle a 4 digit PIN are now scanning QR codes through their mobile phones.

The next big game changer in financial inclusion space, according to me, will come from mass adoption of speech recognition and voice biometric. Together they have the power to make payments completely invisible, thus removing any friction in the process. Imagine an illiterate person in some remote village calls up a designated number of her/his bank and speaks the instructions in her/his native language e.g. “humara phone recharge kar do do sau rupai ka (please recharge my mobile number for 200 rs).” and the bank “identifies” the customer through her/his “mobile number”, “authenticates” the customer through the combination of two factors “what he has?” i.e. his “mobile device” and “who he is?” i.e. his “voice biometric” and reads the instructions from his speech. A transaction experience this simple can really transform the way payments happen today. Behavioral biometric is another area that can use the customer’s way of interacting with the device as a password and make the authentication experience completely seamless while still sticking to the two factor authentication process. There are companies working towards making this a reality and this experience is very much possible with the technology available today. There are start-ups like Uniphore and Gnani working on speech and voice biometric and start-ups like NeoEyed working in the area of behavioral biometric. (In my opinion OTP delivered on my mobile device for a transaction I am performing on the same device is not two factor authentication in the true sense, it is “what I have?” i.e. my “mobile device” performed twice.)

BharatQR: Untapped Potential or Lost Opportunity

Officially launched in Feb 2017, BharatQR is the world’s first interoperable and low cost acceptance solution, developed by National Payments Corporation of India (NPCI), Mastercard, and Visa.

BharatQR was devised based on the direction set by the Reserve Bank of India (RBI) in September 2016 and its Payments Vision 2018, which outlines innovation, interoperability, and security as the three pillars to facilitate India’s transition to a less-cash society.

BharatQR has two very important benefits. First, consumers will not need to scan different QR codes at the same merchant provided by the different payment networks. Second, merchants will only need to display one QR code at the storefront or through the acquiring bank’s mobile application via UPI, IMPS or Visa/MasterCard/RuPay Cards.

With this one would assume that by now BharatQR must have become the default for on-boarding small merchants, especially considering that, unlike PoS terminals, the cost of acquiring is practically zero for QR code based payments since there is no device to be purchased and managed, no key management, no stationery, not even the cost of a telephone line/SIM. With BHIM, PhonePe, Google Pay and PayTM being so popular among consumers for small payments it’s obvious that on paper BharatQR has everything going in its favour to become the leading payment mode. Still the ground reality tells another story. Adoption of BharatQR is nowhere even close to BHIM QR (UPI).

To be honest I have so far not come across a single merchant who is actively using BharatQR as a major payment acceptance method. When BharatPe decided to get into the business, why did they choose BHIM QR over BharatQR, given that BharatQR clearly gives them access to a much larger number of payment instruments on the consumer side, while keeping the merchant side efforts the same?

In my opinion, the reason BHIM is everywhere, while BharatQR is nowhere to be seen is in the way different custodians (NPCI, Visa and MasterCard) have approached the problem. UPI is an open platform where the baseline is defined, improved and maintained by NPCI, while PSPs are free to innovate on top of that layer to create suitable user experience depending on their target consumer base. (By the way, this is where Banks fail miserably, because they don’t clearly know who their target persona is for their digital products. This is a discussion for another post.) NPCI is fine whether customer chooses to use UPI or his RuPay debit card for any payment, in the end an NPCI product is used and customer savings account is debited either way. On the other hand everything about Visa and MasterCard has to follow the card framework, even when it is not the best way in a particular situation.

Based on my many years of interactions with NPCI, Visa and MasterCard, I can clearly say one thing: NPCI is not too hung up on the card world. They are ready to explore beyond cards and in fact now RuPay card would be a smaller component of their overall portfolio. In fact even when it comes to cards they are not treating traditional benchmarks and standards as cast in stone and are not afraid of colouring outside the lines. Visa and MasterCard, on the other hand, are always insisting on not touching the core, which restricts the innovators to a large extent because of the constraints of the core offering. BharatQR from Visa’s perspective is a variation of mVisa, which is built on Visa Direct (formerly known as VMT or Visa Money Transfer), primarily built for Card to Card money transfer. The same goes for MasterCard leveraging MMS or MasterCard Money Send. Another handicap for Visa and MasterCard is that unlike UPI, they do not have someone called PSP (the role played by Google Pay, PhonePe, BharatPe etc) and are completely dependent on acquiring banks to push the product. As I have mentioned again and again, banks are not the innovators.

How many of you know that your Visa, MasterCard and even American Express card would work at BharatQR? Have any of you received any communication from your banks regarding how to go about it? Of the two banks I have worked for in the past and am a customer of, HDFC Bank offers BharatQR scanning through their PayZapp app and Kotak Mahindra Bank offers it through their mobile banking app. Most of the banks participate in this program; however, none of them seem to have put in any significant effort to make sure it is adopted at scale.

I tried to find BharatQR numbers through various sources; however, I couldn’t find any credible source reporting these numbers separately. While everyone talks about the UPI success story, in my opinion a large part of that story is because of BHIM QR. It wouldn’t be an exaggeration to say that the entire P2M story of UPI is heavily dependent on BHIM QR. This also shows how much of a missed opportunity it is for card schemes like Visa and MasterCard. NPCI is fine whether it’s UPI or RuPay card being used for payments. Visa and MasterCard are clearly missing out on this new wave of digital payments. During my research I found that NPCI and Visa websites at least have dedicated space to talk about BharatQR; however, I could not find anything regarding the same on the MasterCard website. Looks like Visa is at least still trying, while MasterCard has already given up.

What needs to be done? From a long term perspective, the answer is very clear. Maybe it is the right time for Visa and MasterCard to reinvent the wheel. Think beyond the traditional card framework and build something suitable for a mobile first world from scratch. (I am hoping there are teams already working on this mandate internally in both these organizations). For the short term, Visa and MasterCard need to put in extra effort to handhold organizations like BharatPe, Khata Book and OK Credit etc to ensure they adopt BharatQR standards for their merchant base. Visa and MasterCard both have their payment gateway businesses, CyberSource and MPGS respectively; they should integrate BharatQR there even if it is only to create sample cases to showcase how easy it is for payment providers to adopt BharatQR. Lastly, instead of telling merchants to get in touch with their acquirers if they want to adopt BharatQR, do it for them (at least in the beginning).

State of Fintech in India

Introduction

First things first, “what is Fintech?” Well, my definition is very simple, “a financial services organization that builds, runs and manages its own technology stack, especially the components that are mission critical for its business.”

Why is this an advantage? Almost all the incumbents rely on outsourcing or licensing technology from various technology companies who had built their flagship products 20–30 years back and their latest iterations of these products are modifications on those age old products thus not abreast with contemporary needs. Having control over the technology stack gives Fintechs the advantage to move at a much faster pace to the changing needs of the market.

One might come across many start-ups claiming to be Fintech without even having an in-house technology team. In my opinion they are not Fintech and in the long run they will not be able to deliver on their promise.

In simple words, “The only advantage a start-up has over any incumbent is speed.” Everything else can be matched by bigger competitors by virtue of having access to more resources than you.

Having established the above, let me spend some time on the biggest flaw with the current situation. Manufacturers of financial services products create a product and then go out in the market hunting for customers who fit their product. No wonder, except for savings accounts and payments, no other FS product touches more than 15% of the Indian population. The credit for payments services being used by a larger populace goes to the fact that it is essential; even then 80% of transactions happen in cash.

Payments

The most used and talked about financial service is Payments. Without getting into too much dissection of the market let me directly rush into my vision for the future of Payments. RBI is contemplating regulating payment processors; once such regulation is implemented it will pave the way for opening up the payment market from the clutches of banks. Banks do not deserve to be at the center of Payments, for they have done very little in the last so many years and they still seem clueless in terms of how to approach this.

Considering how every new business puts so much emphasis on UX, it is inevitable that every big merchant will want to create the payment experience in their ecosystem, and the signs of the same are already visible in the form of Amazon Pay, Ola Money etc. With increasing adoption of APIs it is going to be easier to do so even for medium sized merchants. UPI has already made it clear what happens when you democratize innovation by opening up core functions in the form of APIs.

In my opinion in coming years, most of the bigger merchants will replace their payment processors with in-house offering, leaving these players to work with small and medium merchant base, thus invariably forcing them to look for alternate sources of revenues. While most of the payment processors are already exploring lending as an option, they need to think beyond. So far none of the payment processors have explored exploiting the network effect, for example turning their platform into a B2B marketplace or a value discovery platform.

UPI has also made another thing very clear, while merchants have clear focus on UX, banks on the other hand do not care. Compare the UPI experiences built by any consumer tech company vs what is offered by banks and you will know the answer.

I was recently talking to a very senior person in one of the top private sector banks regarding the sub-standard UPI experience offered by their app and his reply was, “But we do not get too many UPI transactions through that app anyway.” Well, you may have gotten more transactions had you cared even a tiny bit about the user experience.

To be honest, I am certain that most of the banks do not have dedicated functions focused on UX and even if they realize its importance and decide to set up such functions they would be scratching their heads on where exactly in their overall hierarchy they should position this team.

Lending

India so far has been dominated by savings product with really small part of population having access to credit, due to strict qualification criteria of banks and large NBFCs. Entire credit card industry caters to same ~20 million customers. All the new pay later players like Zest Money, Lazy Pay, Ola Postpaid etc are working towards curating the future credit card customer base. I believe restricting only banks to issue credit cards is not right. While many NBFCs have started issuing credit cards (in partnership with Banks) or CC equivalent products to customers, I believe RBI should start allowing NBFCs also to issue credit cards. In short, I think credit card story is yet to play out in India and this is the right time for it to pick up pace.

Most of the users of postpaid/pay later I know use it because of the convenience it offers than anything else, meaning the moment same convenience is matched by other methods (risk based authentication, are you listening RBI?). Besides this can only be a good tool for customer acquisition while all these players have to come up with alternate business model.

The start-ups I will be keeping a close eye on are the likes of Khata Book and OK Credit. The only right way to lend is to have a first hand clear view of the finances of the borrowers and have a recovery strategy as per the income schedule rather than trying to standardize the same. Non-standard products with non-standard schedules are very much possible with technology available today. Just one suggestion, build your own LMS.

P2P lending is still at very nascent stage and has to find cost efficient ways to grow lender base and distribution at scale.

Insurance

Insurance is a very low contact business. Customers hear from their insurers only once a year under normal circumstances, i.e. to collect payments from the customers when renewal is due. The other occasion when a customer needs to get in touch with the insurer is when the customer is going through an extreme, high stress situation. In that situation even the smallest mess-up from the insurer’s side can prove to be fatal not only for that one specific relationship but also for the reputation of the entire industry.

While most of the efforts in the insurance sector are focused on solving the sales problem, the only way to address the above critical problem is to innovate on the service side and considering the nature of this business it cannot be the manufacturers in their current form. The only ways to address this service problem are to either change the entire DNA of manufacturers (start-ups like Acko and Toffee are trying the same) or leave it to third parties, who have a higher engagement relationship with the customer. I have a few thoughts around this, which I would keep for a more focused and detailed analysis, maybe for a later post or discussion.

Just to give you an example of how much insurers care about their customers, my health insurer, whom I have been with for 3 years now, has a free annual health check up as part of the policy; however, so far they have in no way communicated with me regarding the same. If only they cared to make the customer feel cared for, since that is the hook the entire insurance industry uses to sell their products. I mean, the SMS code for a leading insurer used to be PAPA. There is a reason the entire insurance industry relies on invoking extreme human emotions to sell their products.

Wealth Management

There are many start-ups that can be clubbed under this category. Personal Finance Managers, Expense Managers, Brokerages etc can all be filed under this category. However most of the start-ups in this category are focusing on selling direct mutual funds. PayTM entering in this business with PayTM money is a reason for worry for all the other start-ups. With PayTM’s deep pockets they can continue to offer this for free for a long period of time, while others doing the same have to soon find out a way to make money, with no commission income and customers skeptical to pay for the advice it’s very difficult to generate revenue. The one company in this space I am keenly observing is ET Money, they have all the necessary elements in place, if they connect the dots in the right way they can really become the breakout performers in this space. With this space I mean, a low cost automated personal financial adviser for Indian middle class.

One clear trend I see emerging in the sector concerns banks, who by virtue of being custodians of customers’ money used to have significant control over other financial decisions, with the sale of third party products contributing a significant source of their revenue. Banks in the last so many years have done such a bad job in selling other financial products to customers, by prioritizing their interests over the customer’s, that a large customer base is now losing faith in their banks. The direct result of this will be a clear reduction in the size of customers’ relationships with their respective banks. The funny part in all this is that with the kind of resources and customer data banks have access to they should have been the first to figure out a way to serve their customers better but they continue to fail miserably.

About Me

I was born in a very small village in Uttar Pradesh, the population of which is in four digits, and I still cannot locate it in Google Maps. After spending six years there, I moved on to a small town called Jahanabad and studied there till 5th standard and then moved to Kanpur to live in a hostel while my family still stayed in Jahanabad. A few years later my family also moved to Kanpur. During my 12th standard I appeared for JEE and got selected. With a desire to explore beyond Kanpur, I decided to pick IIT Bombay instead of IIT Kanpur and moved to Mumbai in 2001.

After graduating from IIT Bombay in 2005, I started my career in retail banking, an unlikely field for a Mechanical Engineer. I got an opportunity to work with HDFC Bank as part of their Business Solutions Group, which was later called Business Process Re-engineering Group. I was part of the team taking care of retail payments and digital solutions for retail customers. It was a time when innovations in payments space were just picking up. HDFC Bank had just recently launched their prepaid card variants; Netsafe, their one time use virtual card, was still in its infancy; the Bank was having big plans around credit card and merchant acquiring business; and mobile payments was something people had started talking about. In short I was very fortunate to start my journey at such a stage when India was at the starting point of re-imagining payments and in an organization which was at the forefront of this all, under the supervision of a boss who allowed me to paint my own canvas, without throwing his authority around whenever we had our disagreements and sometimes very heated debates.

I spent almost 9 years in HDFC Bank and in those years I was instrumental in implementation of many features of Indian payments space. I was the one who implemented Verified by Visa (VbV), the backbone of 2nd factor authentication for online transactions, way before RBI decided to make it mandatory. Soon after we extended to MasterCard SecureCode. I was a key part of EMV implementation across debit, credit and prepaid variants of cards for HDFC Bank. I got to be a part of one of the biggest banking mergers in Indian Banking with the merger of HDFC Bank and Centurion Bank of Punjab. I was the man in-charge for migration of all Debit and Prepaid card related data from CBoP to HDFC Bank.

When our financial inclusion business team needed support from the solutions team I was pushed in that direction by my boss and that gave me the opportunity to work on projects like Bank on Wheels and Ultra Small Branches. We experimented with biometric authentication for our rural approach and that made me the obvious choice to work with UIDAI and NPCI during the early days of AEPS and APBS.

When Diners wanted to partner with HDFC Bank after expiry of their engagement with Citi Bank in India, I got to be a part of that project and worked very closely with Diners team to ensure smooth launch of HDFC Bank Diners Club Credit Card.

HDFC Bank also gave me the chance to work on massive project of core-banking upgrade and gave me the understanding of the amount of planning that goes into executing project affecting practically all departments of the organization spanning over a period of many months. How to manage and monitor the impact at various stages to avoid any catastrophe is one of the key things I learned from that project.

During this period mobile was also sneaking in and we were all exploring how to exploit the growing influence of mobile phones to process payments, which allowed me to work on projects like mChek and mPesa. For our mChek implementation I made sure we stored card track data inside the mChek application on the mobile phone/SIM card, thus processing the transaction as Card Present instead of Card Not Present. Effectively we were using the mobile device as one factor of authentication in 2007.

I also got a feel of regulatory and compliance areas by getting exposed to projects like SOX and PCI-DSS.

Post my stint at HDFC Bank, I moved on to Kotak Mahindra Bank, again as part of their Business Solutions Group. Two key projects I managed to execute in Kotak were enabling Kotak ATMs to acquire MasterCard cards and another banking merger, the merger of Kotak Mahindra Bank with ING Vysya Bank.

At this point I was approached by the team building Jio Payments Bank and I joined them as their 11th employee with the mandate to design solutions for all their customer facing services. This gave me a glimpse of how to build an organization from scratch with access to unlimited capital.

Aparajit was setting up an accelerator for early stage Fintech start-ups and he approached me to help him with the same and I jumped at the opportunity as it was clearly something very new for me and also exciting considering all the action happening in Fintech space. I got a chance to invest in a few really good Fintech start-ups at a very early stage. One of them, Open Financial, is doing really well in Open Banking/Neo Banking space. This stint gave me a closer look at venture investing and a balcony seat to all the action in early stage Fintech start-up space.

When things changed at the accelerator because of factors beyond our control, we all decided to move on in our respective directions, with me choosing to join early stage payments start-up Payabbhi as their Chief Product Officer.