Sahamati and Account Aggregator Ecosystem

The first time I became aware of the consent layer iSPIRT was working on was sometime around late 2016, when my then boss (who happened to meet Nandan at some event they both attended and heard about it from him) asked me to keep my eyes on it because it was going to be something really big for the Indian digital ecosystem. I scanned through my contacts and found out that it was work in progress and that I would get to know when they were ready. After that conversation I put it on the back-burner.

Then sometime during July 2019, I came across this article and I was eager to find out more about the next big thing happening in the Indian digital ecosystem, so I attended a workshop on Sahamati conducted by iSPIRT in August 2019. In this post I will attempt to explain what all the noise is about, what excites me and my disappointments with this entire venture, based on what I know about it through various sources and what I learned in the workshop I attended.

What is an Account Aggregator?

Around the time I joined HDFC Bank in 2005, HDFC Bank used to have a product called Oneview. If you happened to have multiple accounts in different banks, you could register for Oneview and provide Netbanking credentials for all the bank accounts, and we would do something called "screen scraping" across all those banks' netbanking sites, using the credentials provided by you, to show the information available across all these places as a single view.

Then a few years later I heard about Yodlee and then Perfios, who were offering similar services to customers or businesses who needed to access data across multiple bank relationships. Later came multiple other businesses with similar offerings, and most of them were dependent on screen scraping.

The problem with screen scraping is that every time a bank made any change to its netbanking pages, it needed changes at the aggregator's end as well. In short, it was not a very efficient way of managing access and data, and to top it all they were all self-regulated. Considering the sensitive information they were accessing, RBI decided to come up with guidelines governing these "Account Aggregators". After these guidelines everyone was confused about how to approach this. Nobody knew what to do, not even RBI (based on my conversations with some of the players in the space, who happened to seek clarifications from RBI on this subject matter). Some of these players applied for the license from RBI under the AA-NBFC category, but there was still confusion, until Sahamati came along.

As per the information shared at the time of the workshop, there were a total of eight entities who had received in-principle approval from RBI to set up an AA-NBFC. The names I remember from those 8 are FinServ (CAMS), FinVu (Cookiejar Technologies), OneMoney (FinSec AA Solutions), Jio Information Solutions, Yodlee Finsoft and National E-governance Services (NeSL).

What is Sahamati?

As their website says: DigiSahamati Foundation is a Collective of Account Aggregator ecosystem set up as a non-Government, private limited company (With the new Companies Act of India, not for profit companies are governed under Section 8).

What Sahamati has built is a consent protocol that is approved by the government, and a way for customers to legally provide their smart and informed consent to the information user (FIU), which then uses one of the Account Aggregators (AA) to access your data from the information providers (FIP).

Representation of flow of consent and information in AA ecosystem (Image Credit: Sahamati)

How it works?

Step 1: The Account Aggregator will establish connectivity with various FIPs like Banks, Mutual Fund AMCs, Insurance Companies, Government Portals like Tax/GST etc. (the scope might be extended to non-financial data sources as well, depending on the adoption of the platform). Once that connectivity is established, the AA will be ready to access customer information from these institutions.

Step 2: Customers will have to register with one or more of these AAs and link their various financial relationships with the profile created on the AA platform. The AA will seek a one-time authentication from the customer, as prescribed by the FIP, and link the details upon successful validation.

Step 3: When the customer visits an FIU for any service (could be a Financial Advisor or a Loan Application etc.) that requires it to access his/her financial information, the FIU will ask the customer to select their AA and provide their consent, to the AA, for accessing the information.

Key attributes of consent (Image Source: Sahamati)

Key Attributes of the Consent: The consent given by the user will clearly state the duration for which the data is to be pulled, the time period for which the data can be accessed, the frequency, whether revocation is allowed or not, and the access type, along with the purpose of the consent. This is to make sure the user is clearly aware of the access being granted, and to bind the usage of this information to that stated purpose. Use of this information for any purpose other than what is stated in the consent artifact is not allowed.

Step 4: After validating the consent, the AA will access all the information requested from the respective FIPs and transfer it to the FIU in encrypted form. The AA will have no access to this information and will just act as a pass-through.
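To make the consent attributes above concrete, here is an added illustration of how an AA could check an FIU's fetch request against the consent artifact before relaying anything (Step 4). This is my own Python model written for this post, not Sahamati's or any AA's code; the field names, the sample consent and its values are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

T0 = datetime(2019, 9, 1)  # constructed reference time for the sample consent

@dataclass
class Consent:
    """Consent artifact with the attributes listed above (field names assumed)."""
    consent_id: str
    fiu_id: str               # the one FIU this consent was granted to
    purpose: str              # the only purpose the data may be used for
    data_from: datetime       # range of data the FIU may pull ...
    data_to: datetime         # ... e.g. the last six months of statements
    valid_from: datetime      # period during which fetches are allowed
    valid_to: datetime
    access_type: str          # "ONETIME" or "PERIODIC"
    max_fetches_per_day: int  # frequency
    revocable: bool
    revoked: bool = False
    fetch_log: List[datetime] = field(default_factory=list)

def days_after(n: int) -> datetime:
    return T0 + timedelta(days=n)

def sample_consent() -> Consent:
    """Constructed sample: a lender may read six months of statements, at most
    twice a day, for 30 days from T0, and the customer may revoke at any time."""
    return Consent("c-001", "fiu-lender", "loan underwriting",
                   days_after(-180), T0, T0, days_after(30), "PERIODIC", 2, True)

def revoke(c: Consent) -> bool:
    """Customer revokes the consent; honoured only if the artifact allows it."""
    if c.revocable:
        c.revoked = True
    return c.revocable

def authorize_fetch(c: Consent, fiu_id: str, purpose: str, data_from: datetime,
                    data_to: datetime, now: datetime) -> Tuple[bool, str]:
    """Decide whether the AA may relay FIP data to the FIU for this request.
    Every consent attribute is checked; the first failing one is reported."""
    if fiu_id != c.fiu_id:
        return False, "consent was not granted to this FIU"
    if c.revoked:
        return False, "consent revoked by the customer"
    if not c.valid_from <= now <= c.valid_to:
        return False, "outside the consent validity period"
    if purpose != c.purpose:
        return False, "purpose differs from the consented purpose"
    if data_from < c.data_from or data_to > c.data_to:
        return False, "requested data range exceeds the consented range"
    if c.access_type == "ONETIME" and c.fetch_log:
        return False, "one-time consent has already been used"
    if sum(now - t < timedelta(days=1) for t in c.fetch_log) >= c.max_fetches_per_day:
        return False, "frequency limit for this consent reached"
    c.fetch_log.append(now)  # only successful relays count towards the frequency
    return True, "ok"
```

The check runs at the AA, so the FIU never learns more than a yes/no and a reason, and the AA itself still never sees the (encrypted) data it relays.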

Why is this the next big thing in Indian Digital Eco-system?

In order to enhance the digital eco-system, ownership, access and sharing of data are very important. AAs coupled with the consent architecture proposed by Sahamati are a great first step in that direction, because they enable seamless transfer of data from FIPs to FIUs with the informed consent of the user, while restricting the use of the data thus shared to within the stated purpose. This is a certain upgrade over sharing photocopies of various statements and other documents at the time of application.

Why am I disappointed?

Imagine you buy a SIM card from Airtel and you are told that with this SIM card you will be able to call only Airtel numbers and not Jio or Vodafone numbers; in order to do that you will have to buy Jio and Vodafone SIM cards. Would you like this scenario?

In the way it is currently structured there is no interoperability among these AAs, meaning an FIU or FIP will have to partner with all the AAs to ensure full coverage. It may even mean that a customer ends up registering with multiple AAs. Forcing organizations or users to maintain multiple relationships for the same service seems like a very inefficient way of doing things. Imagine the multiplication of resources needed to run this kind of set-up, setting aside the inconvenience it would be for all the parties involved. This one problem can prove to be the biggest reason this entire exercise fails to reach its full potential.

What disappoints me even more is that this comes from the same set of people who proposed UPI, where one of the key strengths of the protocol is the interoperability it offers. This is one of the key reasons why it could even be called a wallet-killer. If wallets were interoperable, a user would have found less motivation to switch to UPI (I am not saying this is the only point of comparison, but in the context of this post I am sticking to this one). After working for so many years, and coming from an independent body, I would have expected this construct to provision for interoperability. We may need to create a new central body for this purpose or assign this responsibility to one of the existing and capable organizations like IDRBT or CERSAI. We may even explore building this entire thing on blockchain to eliminate the need for a trusted central body.

In fact I would really be happy to see this entire thing built on a blockchain-based trustless architecture, and I am sure we have enough capable minds among us to give this a shot and come up with something genuinely innovative and superior to what has been proposed.

EDIT: An error was pointed out by one of our readers regarding the interoperability bit. While what I meant by interoperability was AAs connecting among themselves, there is no need for every FIU and FIP to tie up with all AAs. I am copying below the relevant section from the Sahamati website that highlights how this is achieved.

As an AA, does an AA have to seek out, build partnerships with, and integrate with each new FIP or FIU separately?

No. The AA ecosystem is designed so that each FIP and FIU is enabled to work with every AA in the ecosystem network, rather than only with those with whom they have a bilateral situation. Once any FIP/FIU is certified and added to the Central Registry, any approved AA can connect with them. This Central Registry is akin to the DNS server of the internet world.

For any queries regarding Sahamati, one can check out their FAQ page. They also have a very rich blog where they keep publishing about various aspects of the AA ecosystem and interesting use cases.

Blockchain: A sample case for how it can affect your life

Before there were banks, people used to trade by exchanging goods of value between themselves. This system was not scalable due to the logistics involved. To solve this problem states came up with currency, which was issued by the state, and the value of the currency was guaranteed by the state. The primary form of these currencies used to be metal, usually gold or silver. When humanity developed modes of transportation and started trading between far-off places, it became extremely challenging to rely on metal coins, so Kublai Khan introduced paper currencies to make trade easier for merchants trading between China and Europe. This was a great innovation for the time; however, when trades became larger and more widespread even managing paper currencies became challenging, and thus came banks. Banks were the entities trusted with the safekeeping of money, facilitating trade by acting as trusted middle parties managing the transfer of money from buyer to seller as per their agreed contract.

So all this innovation throughout history, over centuries, had been to facilitate trades between two parties bound by a mutually agreed contract without relying on mutual trust. Well, blockchain provides the necessary technology to facilitate the above-mentioned trade without the need for a trusted third party in the form of banks. However, it is not easy to throw away hundreds of years of evolution just because technology has finally managed to solve the original problem, resulting in a lot of resistance from various quarters. Change in technology is easy; the more difficult part is change in behaviour and mindset, which will take time, a couple of decades in my opinion.

Adoption of blockchain has to start in a manner that drives acceptance in common practice without expecting a significant change in behavior. Keeping regulatory challenges in mind, the most logical point of origin could be the introduction of crypto-currencies in a closed-loop environment. By the way, I am aware that blockchain and crypto-currency are not the same thing; however, I think crypto-currency is one of the most suitable uses for blockchain and it is the most straightforward way to ensure common adoption. In today's connected world there are enough use cases of person-to-person exchange with no need for a banking third party. While the history of Facebook makes me skeptical, social media is one very appropriate use case for the implementation of a crypto-currency.

Any social media platform relies on two types of users, contributors and consumers (with some overlap between the two categories). In an ideal world contributors should earn for their contribution, while consumers must pay for their consumption. Such a platform can very easily introduce an internal currency, the value of which is linked to the value of the platform, and the same is distributed among the contributors in proportion to their contribution towards the platform. Consumers can earn the currency by contributing towards the platform, buying from other contributors, or buying from the platform itself. If the platform provides enough value to consumers there will be enough demand for the currency, thus increasing its value, while if the platform's value erodes the currency will also lose its value.

This is just one example of a perfect setting where a blockchain-based crypto-currency will do much better than the existing bank-dependent settlement method. There are many emerging platforms supporting the shared economy like Amazon, Flipkart, Uber, Ola, AirBnB, Oyo, Swiggy, UrbanClap etc. where real-time settlement clearly is the need and will enhance the platform multi-fold by unlocking value for the smaller participants in the economy. In today's set-up, one day a Swiggy might start feeling that the restaurants' business is dependent on them and come up with practices not entirely in the favour of restaurants. We can already see this happening with restaurant bodies protesting against Zomato, drivers protesting against Ola, hotels protesting against MMT and Oyo etc. This is because the platform has too much power over the entire ecosystem, making the entire set-up unfair for the smaller participants. An alternate platform built using smart contracts between participants, ensuring real-time settlement, would be a much better and fairer option.

Another argument in favour of blockchain is the incompetence or unfairness of banks over the years. The banking system has been in operation for centuries; however, with all the advancements in technology, their cost of managing money is consistently around four percent. On top of that, their insistence on charging customers for everything, even essential services, makes the need for an alternative imminent. I recently encountered one bank (one of the largest private sector banks in India) whose credit card hotlisting helpline is a premium number, and the customer has to pay extra for using it. Most of the banks have fees/charges for every type of interaction with the bank. If it wasn't for RBI, customers would even be charged for using ATMs (even today there are charges beyond a particular frequency). Banks charging customers for account access is similar to shopping malls charging for parking or carry bags; both are unfair, but both happen without any check because people in general accept it and move on. There are better ways to manage the situation, but it is lack of intent or imagination that makes them choose the easier (direct) path to revenue over coming up with a more customer-friendly way. To top it all, recent cases of corruption and incompetence across many banks have brought the trust of the common public to an all-time low.

Financial Inclusion: Past, Present and Future, A Technology View

The biggest challenge to the financial inclusion situation is that most of the people attempting a solution don't even have a clear view of the problem. When you solve the problem with clarity of vision, you end up creating an institution like Bandhan Bank; in other cases you end up installing ATM machines in villages, only to realize very soon that the cost of operating an ATM in a rural location can never be justified by the value it offers, even at 100 percent capacity utilization. During my stint at HDFC Bank, where I was leading solutions for the retail payments space, I was also responsible for financial inclusion initiatives. We did many things like Bank on Wheels, installing an entire bank branch, including an ATM with biometric (fingerprint) capability, in a bus specially modified for this purpose. Another version of Bank on Wheels was the Ultra Small Branch, where we created a solution for single-man branches operated entirely through a handheld device. The manager would basically carry the entire branch on a bike and travel to dedicated service locations.

Once, Wincor-Nixdorf senior management representatives were visiting India to showcase their new hardware to Indian prospects, and during the evening meet-and-greet one of the Germans got into a conversation with me. During the conversation he mentioned that he was really interested in building something for financial inclusion, especially for rural India. My answer to him: "Stop selling them ATMs." The income and spending patterns are very different for rural and urban markets. ATMs are required for a customer base that receives the bulk of its income in its bank account and then withdraws what it needs to spend, while someone who earns primarily in cash spends in cash and then deposits whatever is left as savings in their account. By the way, this conversation was back in 2011 and a lot would have changed in the last 8 years (QR codes and UPI were non-existent then, for example), but the fundamental principle remains the same.

One more point I used to hear often about rural customers was that biometric authentication (fingerprint) is a must-have for building any solution for rural customers. Although most of the time their point of view prevailed and we ended up building solutions with biometric authentication, my counter-argument to this has always been that a numeric PIN will work just as well. Even if the customer is illiterate he can identify his PIN as a combination of symbols; besides, if a customer can count money, he can manage his PIN. Who remembers her/his PIN as Five Thousand Three Hundred Ninety One? You always remember it as Five, Three, Nine, One. The introduction of biometrics pre-Aadhaar meant any solution built for rural areas was costlier and not viable. Has anyone in any bank ever verified this hypothesis? I doubt it. Nobody ever shared any field research in this regard with me.

A lot has changed in the last decade. APBS (Aadhaar Payments Bridge) is being used extensively to transfer subsidies directly into the beneficiary's account using the Aadhaar mapper. The only credit in my father's account is the cooking gas subsidy. NREGA payments are being credited directly to the account. AePS (Aadhaar enabled Payments System) makes it easy to authenticate a customer using Aadhaar. Jio has given mobile data connectivity to anyone they can get their hands on. Internet in India is the cheapest in the world and the connectivity reaches even small villages. PayTM has spent billions to teach people how to transact using mobile phones. G-Pay and PhonePe have used UPI to create a user-friendly payment experience for anyone with a bank account (PMJDY gave everyone a bank account, even the ones who were never interested in having one). BharatPe and PayTM are reaching out to the smallest of merchants and on-boarding them on digital payments using QR codes. The people who were not even expected to handle a 4-digit PIN are now scanning QR codes with their mobile phones.

In my opinion, the next big game changer in the financial inclusion space will come from mass adoption of speech recognition and voice biometrics. Together they have the power to make payments completely invisible, thus removing any friction in the process. Imagine an illiterate person in some remote village calls up a designated number of her/his bank and speaks the instructions in her/his native language, e.g. "humara phone recharge kar do do sau rupai ka (please recharge my mobile number for 200 rs)", and the bank "identifies" the customer through her/his "mobile number", "authenticates" the customer through the combination of two factors, "what he has" i.e. his "mobile device" and "who he is" i.e. his "voice biometric", and reads the instructions from his speech. A transaction experience this simple can really transform the way payments happen today. Behavioral biometrics is another area that can use the customer's way of interacting with the device as the password and make the authentication experience completely seamless while still sticking to the two-factor authentication process. There are companies working towards making this a reality, and this experience is very much possible with the technology available today. There are start-ups like Uniphore and Gnani working on speech and voice biometrics, and a start-up like NeoEyed in the area of behavioral biometrics. (In my opinion an OTP delivered on my mobile device for a transaction I am performing on the same device is not two-factor authentication in the true sense; it is "what I have", i.e. my "mobile device", performed twice.)