 Hi everyone, it's me again, for those of you who are there in the morning, welcome back after tea, by which point, I think I was in the audience, I know there's a point at which your absorption capacity just kind of dies at the end of the day, so it's a really nice of Haskeek to give us this slot, however I suppose it's also a good time to be here because I think we've talked a lot around data security and business models also of various providers like pay you and so on and you know the great thing about Dilbert is sometimes they have these great moments of kind of poignant reflection when they're saying something quite funny which is that you know we're all just a monetizable asset these days and the best way to dehumanize each and every one of us in the room is just call us data which is what we're doing and my talk here is to kind of refocus that data conversation on what each data point really is which is someone like you and me sitting in this room making a digital payment and I suppose if we go back to where we started and I should mention I'll reintroduce myself my name is Malavika Raghavan I'm project head of the Future Finance Initiative which is looking at policy and strategy to support customers as we see this large-scale change in retail finance that's happening because of digitization and you know about three or four years ago this is how we were making payments you and I would go into the bazaar give 100 rupees buy some fruit now obviously there's inflation as well bit more demonetization helped that it's also done this right we have all of these different ways in which we are interacting with money and we're paying for goods and services and why does why is this picture different from that picture really because at the end of the day it's just two people transacting right but what really sets it apart is that every digital payment creates a data trail right you and I are creating this entire map of how our behaviors our financial behaviors are kind of needs and preferences which are being collected by various entities across the chain of payments and I guess what we're trying to see here is what does that mean for each customer so if I just walk you through a standard customer journey we've looked at stuff today quite a bit from the provider side and I suppose tomorrow it'll be a bit more technical as well but from the customer perspective so we step away from wallet slash provider mindset into you and me sitting in front of a computer trying to make a payment what happens right first you go hit a merchant site that merchant site collects some information from you right that or then you are then passed on to some kind of a gateway product say a PayPal right who collects each and your bank account information your card information all sorts of things you know address email mobile gender sometimes or it's some kind of wallet provider like Paytm they hold the data and then you're passed on to the entire payment processing infrastructure and so this is the great and wonderful complex world of payments themselves there are multiple bodies involved there are credit card providers and networks in the middle you have issuing banks authorizing banks agents all over the place payment systems clearing houses settlement systems all of these different things which are using your data in order to settle that payment to an extent we had it for checks as well obviously which is kind of the the avenue that we use between cash and digital but of course digital just ensures that you have this data trail which is starting off with you just flowing through this entire ecosystem and being kind of traded and packaged up with other customer data to make these aggregate sets and then you have all these philosophical questions about like at what point is it your data at what point is it proprietary data which algorithm mind what to make what and so on and so forth so I'm not going to get into any of that because you know philosophy is not great for five o'clock however I think this is why we should care right you're sitting in front of your computer and these are like three risks there are more but I think these are the most significant ones from a customer perspective we think affect you legally and also affects you in in you know just financially so it's the big one the big one is privacy I'm going to set the stage for privacy and then Rahul Matan is going to come in like talk about some issues around that then financial risk because obviously if your data is compromised the exact fallout of that is that your the money in your bank account can also be compromised and then there's this entire question of exclusion risk which I'll come to but it's just that when you have all these payment channels available are you kind of focusing on one end of the market and is that a good thing or a bad thing so to start off with privacy risk right rather than get into kind of the letter of the law and also how we conceptualize these things I thought looking at a couple of symptoms of privacy risks really makes it real for everybody so identity theft is I think something that came up in the pay you presentation the fact the matter is somebody using your personal information to impersonate you yeah and in the financial context what this means is that they can go and have access to your bank account they could be making payments collecting welfare payments on your behalf and so on and so forth and obviously do factor authentication has helped that to some extent but it doesn't really solve some of those payment systems that you don't use to factor authentication or you know a large mass of our population actually receive a benefit transfers into their account so there are a lot of reasons why identity theft is you know something significant currently we do have something in the in the law and the information technology act which I'll be referencing later as well which punishes it but as we will also talk about and I mentioned briefly in the morning it's you know it's quite a weak kind of structure for enforcement the other one which I think the big one also is this whole question of profiling and discrimination you have all the sensitive personal information about yourself right apart from the fact your gender and whatever else is collected it could also be the transactions that you're doing and as a payment system what you are is really or a gateway to other things right I mean there is the transaction in itself but you're also gateway to other things like you know credit like other kinds of financial products and sort of physical products now the risk here is that once you have this information about people we know that it can be used adversely to affect financial decision making by providers and you know this is not just like a bogeyman scare we've had multiple instances of this in our country and in other countries where it's used to deny credit for instance or to undertake predatory lending so denial of credit of there's something called credit redlining which I won't get into too much but the US has specific laws against this as to some other jurisdictions because we know for a fact that people who live in a particular area a bit of the same community credit is just denied because it might be for reasons of religion or race or education levels income levels and so on and the fact that matters we know that this happened how much is technology going to amplify that because you're basically sitting on all this data but that's just kind of one point to lack so if these are the risks what is the law say about them the main law that I want to talk about is the information technology act of 2000 it was an interesting legislation because it came up in the background of all this outsourcing that was happening to India and essentially you had all these large companies you know dealing with these data sets from all over the world with no framework right like think about a 2000 is when we pass this law to deal with data protection in India and so therefore it's only a reasonable for us to think that you know it was put together and it did do some level of thinking we have this category that I want to talk about it it does set up a wider you know that deals with lots of things but the thing that's relevant for our purposes is that it says collect sensitive personal data or information which we call as SPDI because we like acronyms in the legal world which is any of these things so your password your financial information which is bank accounts and I'll come to like a little gap there help you know mental health or sexual orientation medical records biometrics very relevant for India stock and other when an Indian entity which is doing commercial business here collects any of this stuff they should be telling you that they are collecting it they should be using it for XY and Z purpose only they should then be telling you who they are passing it on to and then finally they should be saying any if you ask for it you should be given you know details of entities handling this SPDI and of course apart from this I should also mention there are a lot of regulator codes I think at last count some of the work that we've been doing at FFI I think there about 17 SEBI codes the securities regulators codes that set out regulation for particular institutions that they you know look over have oversight over the RBI has about eight codes for different types of institutions that it regulates which also says that for confidential information you should have this kind of data protection rules now couple of things here right first of all they don't really reference the standard under the IT Act they use a subjective standard they have some kind of uniformity amongst themselves they talk about adequate protection but as you see it's like a subjective standard so as a company if you're a bank say you have confidentiality obligations under RBI circular and then you just say you should have adequate proportion adequate protection for sensitive data or whatever data so that's kind of the picture it's great that in a fact in fact we do have something that talks about purpose limitation collection limitation and so on but I think like we all know that in practice this is like a practitioner's conference right I know a lot of you like have already said this and in these four worlds like honestly and the live stream we all know that this is how it works you know it's the transaction is not the asset you know your 50 paisa that you're getting for the transaction on you pay or which you don't know need to pay that's not what really is driving the market it's the data that's driving the market and if that data is driving the market what what do people do I mean we know from and actually it was I think actually can't stock where he had some terms of reference up and he was talking about how widely it's worded like you know I agree to give you my data so you can share it with every man woman and her or his dog like etc etc like basically you can do what you want with it and that's fine the other point is also foreign incorporated companies for some strange reason aren't captured by that provision I was talking about right 43 of the Information Technology Act so we have a flip cut who's collecting a sensitive information which I'm sure they are what happens that's like a big gray area that we have we aren't really talking about right now and there are you know another thing is like for instance transaction records like I won't go into all of these points but just some things to flag the like transaction records we know that financial information to your bank account details are sensitive information but we don't know that your transaction records are again you know that's where all of this credit profiling and assessment and all the algorithms to deal with that are looking at so there are some gaps is my headline from this section quickly I'll move on to financial risk again fraudulent transaction something we've talked about already I guess the you know the big point here is as the law currently stands the bank is or does not have automatic liability for a fraudulent transaction you have to go through the redressal system and if you after 16 years get a decision no sorry I shouldn't slag off the ombudsman they are they are quite good if you do get a decision it's only at that point you're back in the money and even for a payment system it's only to return the money at the earliest the great thing is that the RBI does have some guidelines out which have been released in draft limiting customer liability for unauthorized transactions and they say if you report the transaction within five days the bank should bear the loss and five to seven days you bear some of the loss and then after seven days it's your problem kind of thing I mean obviously we can go into details of that but the headline is there's something in the works but right today if you have a fraud best of luck the on the failed transaction bit as well same no automatic liability and then I've kind of referenced that law right there moving on to exclusion risk so this is one that I think maybe surprised we haven't really discussed it may just be that it's because this part of the market isn't really the market that people are chasing right now so if you are trying to make digital payments ubiquitous what happens when certain groups just don't use digital payments what happens if your standard rule of education and awareness doesn't work right I mean what if you have aged parents or age grandparents and they aren't just that great with digital channels what happens then what happens to disabled people or poor people who cannot access payment channels right and I think the gender bias point is an interesting one because if you look at cell phone ownership I'm sure a lot of you know the stat already only 20% of the women in this country own a cell phone right and even if 70% of them use it they're relying on the man and their family to kind of do the payment for them how does this affect privacy right I mean I think these are questions that we should be trying to think about if we want to make technology that works not just for this top segment of society but actually for all of us because in the end I don't yeah I don't think that there's this efficiency versus kind of fairness point doesn't really work you should build a model that works for everyone and and I think the pie is big enough for that as well and then the second one is less to do with the subject you know subjective situation of a person we live in a country where the ICT index I mean for digital India that is that is a start from 2016 we are 138 from 175 countries in terms of access to digital infrastructure right and this includes in like electricity I haven't put down like the electricity shutdowns but we've all been there right and the entire Northern grid went down two or three years ago mobile and internet shutdowns are now reality like in 2016 I think the first six months there's a CCG report on this there were 22 shutdowns what happens in that situation like money poor right if you're all following the news demonetization happened mobile shutdown happened I was in Chennai when Cyclone Varda happened for instance and there was just no money like people had their houses I mean in my house I live in a flat in Central Chennai and we almost lost our windows think about all the kind of huts and stuff like that you need a large pile of cash to rebuild that stuff what happens when your electricity isn't there so that's kind of just the broad points I'll stop banging on about it I think the final point here really from my side is I mean obviously knowledge is power but like as Srikanth said I think policy level engagement of consumers would be great as well I think it's important to think about these kind of issues which anybody you ask anybody on the road they will tell you right like as I I think I don't know if you know about IMR trust work but we do work we do have a small NVFC that does wealth management for underserved people and they are really bright like they know exactly what the transaction cost is they know exactly how much they need to you know how much they need to pay in order to for overheads of accessing digital payments and they're doing it so this is not a silly population that you're dealing with I mean again as I said they have the same concerns that an urban person has and an urban person can also have a lot of these other issues that we talked about the other thing is a big shout out to Nishant who works at IFF he has worked on something similar that Srikanth was talking about so if you look at about a thousand payment apps on the Google Play Store we've done some initial analysis which says that about 86 unique permissions are asked for so I I've not listed some of the permissions because they kind of they're funnier in conversation but you know it's two to permissions on in on the standard app like about 11 across if you take you know the one that asks for the most kind of a median and it's interesting I think the Bank of India app only asks for two permissions I think I mentioned this earlier and it seems to do the same thing that the Bank of Baroda app does for instance which asks for something like 36 or more so the question I think as a consumer really thinking why like why do you need to you know why do you need to control the volume on my phone for instance which is you know I don't get it but maybe it's just somebody's been filling the form on Google App Store yeah there's some code that's from Nishant's GitHub in case you guys want to look it up since you're at a conference so that's kind of it I just thought it'd be cool to play a little video for you guys again just as a little treat because it's five o'clock just give me one second yeah sure do I have to play the volume on my oh I never thought about that will it okay I'll try this I mean if it doesn't work that's fine like let me see we'll try it and if it doesn't work too bad I don't actually think it's playing on mine as well yeah I mean we'll just try for a couple of minutes otherwise I'll just send you the link and or post it on something or we can do it after afterwards as well I mean it's an interesting video like it's a bit silly but it's a good one okay in the meantime if any of you have clarifications or any doubts on what Malvika has just spoken about we can take the next two three minutes and have a few questions possibly before I call upon Rahul to speak yeah can you just hear here Sandhya okay I got it yeah I don't know if it's silly maybe Malvika can guide us you know what what steps should a person take if they find themselves in a situation like if their UPI ID is misuse their phone has been mistaken and for some while and they got misuse what are the I mean I'm a knowledgeable person maybe I can google and find out what are the right steps but even for me to google is some time maybe there is a there is a direct government provided guideline which I don't know so I mean I last I checked there was some Nithya like a pamphlet that looked at different types of digital payments but I mean off the top of my head I would say you're probably and Rahul please correct me or look whoever's kind of will look at the legal side of this thing I would say if you are actually with a bank a bank issued instrument like a debit card or something you're probably better off because the bank will have a redressal system and you can go to them they'll put you through the ombudsman if their redressal doesn't work on ultimately you can reach some court somewhere you could go to the consumer protection forum but that's like again hit or miss I'm not really sure about UPI to be honest because I feel like a lot of the wallet providers have their own dispute redressal so far it hasn't been anecdotally what I understand a problem because they are in market capture mode so the minute you dispute a payment it's just put into your you know it's kind of like uber the question is really when that market matures what happens right and right now there isn't it isn't clear to me especially on a mobile because there uh yeah I mean you have guidelines under the RBI's kind of PPI legislation but as we've been talking about there are lots of entities in the gray area and if you have to go to try I really don't I don't know what would exist uh anybody wants to add there's oh sorry there's a question here then we come to yeah I just want to hear about something like the sable report right you get all the all the records and transactions and even if you go and search for a loan somewhere and type in your pan they get all the details like the I'm like if I see my sable report I would have just gone and checked for some interest rates or something but they would got they would have got all the records of my transaction I would see that there is there a way to like like I'm like stop these things like from I'm like from those guys accessing these things or are we are deliberately allowing them to access like when I type in uh is there a terms and conditions that says like we can access those yeah I mean actually that's a really great point to bring up so the question of like credit credit bureaus right we already have people who collect our information and share it with banks in order to assess our credit worthiness so like that's actually a good thing because we have one person who has the responsibility to collect our data and there is an entire legislation around credit bureau uh so it's fully regulated space and you have to adhere to we actually think it's like a good model for data protection because they have to do certain things in terms of keeping your data safe who they disclose it to how and all that um and the other thing to notice I don't think it's all your transactions I think it's anything connected to a loan or a credit card only so if you're doing something else I don't think it should show up on your credit record the fact the the the tough part of this is actually people who are operating like credit bureaus but who aren't in credit bureaus right so you have um uh credit scoring companies that are coming up that don't have a retail front end they're not a bank they offer services to a bank I won't name any names but you know there are loads of people in the market they are scraping also alternative data so they might not have your credit data but they might get your transaction data from the bank then they might have alternative data your browsing history your social media profile this is another great point because the ita doesn't extend to that as far as I understand it doesn't count it as you know relevant uh especially if any of that sensitive information if it's in the public sphere you don't have any even kind of fig leaf protection so best of luck with all of you with very open on facebook and so on um yeah so what happens when you triangulate see a piece of information from your shopping record with your banking record with uh your alternative data with your social media we don't know I can give you a kind of if this thing is working I think this might be better at answering the question let's see if it does can you hear anything I feel like there has to be some noise yeah yeah yeah it's come on what on the room sure uh sorry guys we can possibly take one more question before that yeah I can uh there's a question right yeah so as you yeah as you rightly mentioned that a lot of app you know they take all of this permission to use a lot of data but many of the apps are like really useful and there's hardly anything that we can do about it so apart from policy engagement is there anything that I can do as a consumer like is there any central grievance or where like or can I contact the app provider and you know yeah and this is actually a great point which I hope we pick up in on now I mean one of the bigger questions that underlying all of this I mean the short answer is unfortunately the way things are set up right now I would actually argue that some kinds of contracts wouldn't stand up in court because they basically you could argue like duress or you know I don't know how meaningful that consent is anyway but that's a different matter I don't think you won't be filing a repetition in the high court or whatever the the main the main problem underlying this is I think we've come to a point where we are we've understood that the service is the service and the data is the data right essentially what's happening now is if you don't agree to the data you lose the service how is that a fair contract right like if if you want my data that's fine I'll give it to you I think we've moved past the point where we're thinking about data as a fee in the early days of Google we did feed stuff because we added you know data of ours in order to create this map together and that was great but at this point it's just like we have a service and I want all of the random data from you I I mean the radical view which I don't know maybe we'll even suggest the future finance initiative is that you have a separate contract for services and you have a separate contract for data and that's just how it is it may just still be a pop up on your phone but it could focus your mind a little right and I think that's where we should go unfortunately right now yeah it's all bundled into one and it's not very fair okay hold on to your questions because we'll have a more detailed discussion we'll have watch this video yeah and then we'll have Rahul speak okay this is just like I think that question about what happens when other kinds of data are mined is quite interesting boe in the lieutenants three, four the four of us, most of us don't know a lot of people it's the most fierce it's a red percolary plant yeah I see transactions but can you calculate the number from outside? I think I do know that it is negative on your bank calculation yeah 97 last month you spent 200 euros on alcohol last month you spent 300 euros on clothing 8 5 do you feel at home that it's going to change from your own? or are you going to spend 90,000 euros? yeah actually 42 yeah yeah that's right I should just add I'm not a Luddite I mean I don't think you should not like be online and we should just go back to carry a bit in the whatever so kind of I'll end on that and kind of hand over to Rahul now