Quick introduction: my name is Srikanth. I run a volunteer initiative called Cashless Consumer, which aims to make consumers stakeholders in the payment system. We track every pay-tech development closely and put a consumer perspective into it, so that the products become consumer friendly, not just in terms of user interfaces but in the overall experience.

A couple of disclaimers. One is a technical disclaimer: I am not from the payment industry. I am an outsider, a consumer, so whatever knowledge I have is second-hand, from publicly documented specifications and whatever is on the web; I don't have inside industry access. So I could be factually wrong, and if I am, please feel free to correct me. Then the political disclaimers. When talking about UPI, the majority, maybe not in this room but outside, think that UPI is a government product. It is not; it is a product of a private company which is in the business of settlements and which was formed by a bunch of banks. So we are not talking about the country's platform; it is a payment platform by a private company. Let's get that clear. The other political disclaimer: in the technology world, just over in the other auditorium, they talk a whole lot about decentralized systems, Bitcoin, ICOs and all that, whereas UPI is a fully centralized system, so to speak. There may be differences of opinion on that, and I am not going to go into it. If you are into that debate, we will probably not talk much about it; we will get started with the understanding that this is a centralized system. I may have my own political opinions on the centralized versus decentralized debate and on the privacy and security debate, but I will try to be an observer from a distance. Please accept my apologies if I hurt your sentiments with that.

A quick overview of what we are planning today. We will make some platform observations: how UPI as a platform or ecosystem is progressing, what I learned from the NPCI circulars that are public on the NPCI website, and how to read between the lines and know what is happening in the UPI ecosystem. I will also make some technology observations, reading through the specs or looking at how a product is implemented: the design choices, technical or otherwise, and how they impact the user. We already talked about a bunch of UPI integrations, so we will see what sorts of design choices those integrations have made and how they impact usability. Then we will talk about consumer observations, the typical consumer experience. He just said that 10% of merchants don't get a callback, and that results in a poor experience for consumers; in that environment, what is the grievance framework, what is the regulatory framework for disputes, how long does it take, and things like that. Even with that aside, a lot of people still love it, simply because it makes their payments seamless; we will see why. Then we will get into the data debate: there is a whole lot of discussion around privacy and security of data, Aadhaar and non-Aadhaar, and besides Aadhaar there is the concept of centralization and the impact it could have on your privacy. We will see the consumer observations on that, and we will have a quick sneak peek into what is coming in UPI v2.

First, UPI by the numbers. There are 67 bank issuers. This means that if you are a customer of one of those 67 banks, you can install any of the UPI apps and get started transacting on UPI. This is probably the largest number in India, because typically in the mobile banking world the top 10 banks had rich apps, and the next 20 or 30 banks would have some sort of app where you can transact, maybe in a limited manner, but not to merchants and things like that. So 67 banks is the largest in some sense, although IMPS to an extent has more apps as well. Then there are 44 VPA issuers. To understand this, we need to understand the notion of who is a payment service provider and who is a bank. A bank is where you store your money; a payment service provider is the service provider with which you interact, and through them you transact the money that is stored in the bank. They may be the same, so a bank can be a payment service provider, but non-banks can also be payment service providers. So there are these 44 payment service providers who have direct access to the payment infrastructure; they are called the VPA issuers. In UPI you have a VPA, where you say vimal@upi or something; that is the "@" portion, and there are 44 different entities issuing IDs like that, and they issue 56 handles. There are close to 75 apps; we will quickly see what these apps are. A small distinction: there are three non-bank PSP partners in UPI. That distinction will probably be covered in tomorrow's talk on regulation, as to how banks own and control payment systems and how other entities, let's say Google Tez, PhonePe and BHIM, are the three entities which technically do not own a banking license but still have direct access to the payment and settlement infrastructure through partnership agreements. And these numbers are the larger numbers of the entire UPI volume and value transacted over the year.

So there are 75 apps; why do we need 75 apps to begin with? When we look closer, 49 of these apps are by the banks themselves. Remember there are 67 UPI-enabled banks, but not all banks need to make apps, since any app in the UPI ecosystem is supposed to be interoperable with any other participating bank. 49 of these banks have launched their own apps. Eight of the apps are specifically focused on the merchant acquiring experience; these are not the consumer apps we use but are for the merchant or the point-of-sale counter, so instead of a POS machine they can install an app that accepts UPI payments. And there are 19 deep-integration apps: Ola, Uber, Samsung Pay, Truecaller, apps which have their own functions but add UPI as an integration, either for their own payment needs or to expand the UPI footprint. Over the last year three apps have also shut down, because this is a very crowded market; some companies probably did not see how to make business sense of it, because beyond a point, paying and receiving and making value out of it is very difficult in such a crowded market. The average app update frequency is somewhere around a month, so if you are using an app that has not been updated for a long period, it is probably time to change apps, because there are 75 apps and some of them are well maintained.

Some platform observations. One, this is a digitally inclusive platform. I made the point that 67 banks have onboarded; some 10 to 20 of them are cooperative banks and rural banks which do not necessarily have digital infrastructure in place that can interact with the tier-one infrastructure. All the customers of these banks previously had probably only a RuPay debit card, which could not be used online everywhere; they could transact at a limited number of merchant establishments. Now they have the ability to transact through Flipkart and Amazon and wherever UPI is. That is the inclusion part. Then multilingual payment apps: around the time of demonetization there were hardly two or three apps which were really multilingual beyond English, so the entire payment experience was restricted pretty much to a person whose knowledge is in English. Now there are probably a dozen apps with multilingual interfaces, and this is becoming the new norm, so any new payment company that comes in is automatically getting into multilingual payments. In the tier-one population P2P transfers were still at a nascent phase; only the tech-savvy used these apps, including even Paytm, before demonetization. It was not very common for your parents to use something like this prior to demonetization, but UPI brought a lot of these people into installing the apps and trying them out. The biggest advantage for them is that they did not lose their comfort: their money is not stored in a wallet they don't trust much; it is still in their own bank, which they trust better. As I said, UPI decouples the UX to the payment service providers, who could probably build better apps, but still inside a banking model. In terms of commercial agreements you still need a partnership agreement with a bank, and only through that license can you get access to UPI.

What it also did: a lot of prepaid instruments, or wallets, had a lot of transactions being made digitally, and banks were losing on that front. UPI made a shift of moving volumes from PPIs into UPI. It is actually a myth to say that interoperability didn't exist in wallets before. Interoperability means, say, moving money from your Airtel Money wallet into your ICICI Pockets account. Many people might think this was not possible before and that only UPI could make this shift, but that is not true, because at least both of these wallets have cards supported in them, and you could move money from one of these wallets into the other. So interoperability did exist in a limited way, but UPI broad-based it among the banks so that you could transact through any app. The next item on the UPI roadmap is wallets on UPI: wallets will soon be integrated into UPI, so they will probably become payment service providers, or they may even, at some level, be treated at par with banks over the course of time. It remains to be seen what sort of integration wallets will get into UPI. In the initial phase one, only wallet-to-wallet interoperability will exist; in phase two, when full KYC is done, wallet-to-bank integration would probably come.

The next observation: UPI is also touted to be the most developer-friendly, or developer-first, product, having a lot of APIs which developers can consume easily and build apps with faster. But what we have seen is that, while there have been integrations between these apps, they have not been at the scale that UPI itself has. The UPI consumer base has exploded like anything; you have millions of users installing apps and transacting. But when you come to the business side, the app integrations, there haven't been enough deeper integrations, and the payment experiences still remain largely the same, and in some cases worse. I'll take the example of IRCTC, where it is actually much harder with UPI. One observation: there is this new digital chit fund app which is based on UPI. That was probably not possible to build before UPI, as quickly as they have done it; these are the sorts of integrations or applications that could potentially come out of UPI, although it is not rolling out as fast as expected.

Then the other thing: is it UPI or BHIM UPI? UPI was the centralized payment platform that was launched, and BHIM was actually one of the applications on UPI, but recently they changed the convention and just called everything BHIM UPI. Let that be, but the point here is that UPI as a platform is a much larger platform covering all these 46 payment service providers, and BHIM is one of the payment service providers. If you look at the market shares of transaction volumes and values, BHIM has actually emerged as a service road kind of thing: you have this six-lane toll highway which is super fast, and then you have a service road parallel to it. BHIM is emerging as that service road. You have the global big-tech players, Google has come in, WhatsApp is going to come; then there are the Indian pay-techs, Paytm and PhonePe; also a lot of startups, probably a dozen; and then there are banks again, big and small, the ICICIs and HDFCs and a bunch of small banks. All of them are in this ecosystem, and it is tough to predict what is actually moving this ecosystem and at what pace. There have been a bunch of issues in the initial days, one of which was ICICI blocking PhonePe; there has been friction between banks and payment service providers, and between banks themselves, and all of these were solved through some sort of rules and regulations around interoperability. Of late there have been tussles around capital dumping: are the volumes and values bigger because there are more cashbacks, with a few companies having the bandwidth to dump capital into cashbacks? We will see how that goes.

I'll quickly walk through the circulars. The interoperability guidelines meant that the apps were seamless: any PSP app to any PSP app works. One interesting observation is that UPI never had a chargeback policy. Unlike cards, which had a chargeback policy where you could dispute a transaction and get it reversed, UPI never had it until recently; they have recently announced that a chargeback process is in place, and it may take at most 60 days for you to get your money back for a transaction you dispute. There is also a point, as Dilip explained, about how multi-tiered the entire process flow is when a transaction happens, and that causes a lot of technical failures, so banks have been asked to improve their infrastructure to make sure technical declines are reduced to 1%. There is also one more circular which says you have to do your due diligence before balance check is enabled in third-party apps. Why should my taxi company's app, which has integrated UPI, even have the feature to check my balance? Is that even a valid use case? This is probably happening because banks are becoming more cautious around data and data protection; they don't want every application to have the same sort of access, so banks are being asked to do due diligence on that.

Technology observations: we will quickly see platform tech observations, application observations, the QR story, POS and the integrations. At a platform level, UPI technically has something equivalent to a one-time virtual card, like NetSafe cards, which is a one-time VPA, but sadly very few apps, two or three, support that, and even they are not very usable. So for an end user there is not much of a privacy option that exists in reality. UPI also has support for cards and wallets, and it can technically work with any other settlement system. Right now it works with the IMPS settlement system, which has its own merits and demerits, but it can technically work with other settlement systems as well.

What are the observations on apps? Every app has the common features: pay, collect, create a VPA, show a QR code, scan a QR code. All these are pretty standard across the apps. There is a bill-splitting feature which was probably in all the UPI apps but never took off, maybe because socially we aren't convinced about the concept of splitting bills; we probably don't split our restaurant bills as often as people do in the West. All these apps have reminders to pay bills, and they also have bill payments integrated through BBPS, so you can pay your mobile postpaid bills, electricity bills, utility bills. They also have card payments. They have Pay to Aadhaar, and a small observation here: Pay to Aadhaar is very unsafe, in the sense that you key in an Aadhaar number, and the confirmation response from the bank saying the payment actually happened sends back the Aadhaar number in plain text. Then accessibility features: this is again one of the factors that has improved because a lot of these apps want to differentiate themselves; BHIM for example has a TalkBack feature, which enables a user to use TalkBack instead of seeing the screen.

QR codes: the bigger promise of QR codes is that everybody will keep scanning and paying, like the Chinese revolution that happened a couple of years back; people expected that to replicate in India, but sadly QR codes are largely used just to identify VPAs. At most, when they are used, there is a lack of certification among these apps, and this actually breaks the function: if I create a QR code based on the specification, any other UPI app is also supposed to support it, but in reality it doesn't work, and that causes friction. There are fewer merchant establishments actually showing the stickers, and that is because there is an unclear strategy even within the banks themselves as to whether to use UPI or Bharat QR, and what the merchant incentives and merchant discount rates are. UPI does have the Bharat QR integration; a detailed post is out there in the handbook on what this integration is about, but Bharat QR is still a non-starter because again the MDR, and the discussion around incentivizing payments for the banks, is still a discussion between the government and the banks. Then there is also audio QR: Google Tez lets you transmit the same QR information through audio, so you can technically make an audio payment, and very soon you will probably also have voice-driven payments.

Next is the UPI POS thing. This is an interesting feature from the ground up, because merchants always want a paper receipt, and they were far more comfortable with the POS machine because all the employees are trained on it. So they actually innovated on the existing POS machine to make it smarter and add a UPI option, which lets the POS machine show a QR code which a person can scan with their UPI app, and the machine prints the confirmation. So it is a success for the merchant, and that is one hack, but it has not seen much adoption in the market, maybe because there is not much awareness among people and merchants. The other thing PhonePe is trying is a calculator POS; we need to see how that goes. The MDR debates are still continuing; the crux of the debate is who will pay the MDR, whether the merchant has to accept the charges or whether the government would reimburse it, and is that really helping? Currently it is not; a clearer policy might help.

We will quickly see what kind of integrations there are in UPI. You have the payment processors; a lot of them have UPI options, so they ask you to feed in your VPA and they send you a collect request. All you need to do is take your phone, approve, enter your PIN, and the payment completes. Now this is probably easier, but we'll come to the hard case of IRCTC. Everybody here would know that IRCTC is like a war zone; you need to make everything quick there. UPI actually makes it painfully slower, because it first redirects to a page where you need to enter the VPA, then you need to take out your phone and wait for the collect request notification to come. Once that comes, you open the app, enter the app PIN first to open the app, then enter the UPI PIN to authorize the transaction, and then wait for the browser screen to actually detect whether this payment is a success or failure and move to the payment confirmation page, and only after that does the IRCTC booking come through. This is a very convoluted process. To make this payment simpler there are some efforts being made to make it slightly better, but that still won't solve it, at least for IRCTC.

Then the app integrations. Some of these apps, say Uber and Ola, have tighter app integrations, but even some of them send out collect requests. The problem with that is the collect request is sent out with an expiry time, so the collect request more or less expires; typically in the case of Uber, you take a ride, you don't open the Uber app again, and you open it only the next time you want an Uber. This problem exists with cards as well, with two-factor, and it is not solved with UPI; it may get better with the e-mandates for pre-authorized payments. There is also the VPA creation hell: every app that has a tighter integration wants you to create a UPI VPA, but that is not always necessary; you can take an existing VPA and use it. That is a problem in the integration strategy of that particular app.

We'll quickly see some of the user risks and attacks: auto-creation of VPAs is one risk, then spam control and fraud. On auto-creation of VPAs: BHIM auto-created VPAs from the phone number, and since the UPI spec also has a function where, if you provide a VPA, it gives you back the verified name of that person, that became a privacy issue. BHIM later plugged it with an option to disable such auto-created VPAs, but even today a large number of PSPs do auto-create VPAs based on your mobile number. The reason they give is that for these people it is too complex to even understand the concept of VPAs, so "we help them get started automatically by auto-creating their VPAs", and that has privacy implications as well. Google Tez also auto-created VPAs from the Gmail ID, so if you have ever used your own Gmail ID on it, it would have created one with your email ID. What this means for an attacker: if he knows your Gmail or your phone number, he can predict your VPA and raise a collect request. And we'll see on the next slide that even when that is not the case, there are attacks of a different kind. With a VPA you have the ability to raise a collect request; that is the pull mode. Anybody can raise a collect request to anyone else: if I know your VPA I can raise a collect request. Now, if I'm a stranger I'm spamming you, so you can do spam control and block all the requests from this particular handle. That works if I'm a person, but what if I actually use an e-commerce site? The point here is that somebody has harvested my VPA. There is a database of VPAs out there already in the gray market which has my VPA, which I have never actually transacted with; the only place I put it is on my blog, where I used it as an example. But this VPA got harvested, somebody is using it through Flipkart, and they raised a bulk payment of 76,000, probably for some LED TV or something. The best part is that even Flipkart does not know this, because they can't technically know from where it was raised, although if deep log monitoring is in place it could be traced; in one case I did actually trace it, with Paytm, and it happened to be some guy in UP. So these attacks are real, and we need solutions for them. There are partial solutions, but they are not enough; the fraudsters are always smarter.

Then we'll look at the large-scale frauds that have taken place on UPI. One is the UPI hack in one of the banks, which was possible because they didn't have a reconciliation process. What was happening was that a bulk of payments were being processed and the other party was getting paid, whereas no money was getting debited from the account from which the transaction was made. This was later discovered, and they found some 25 crore worth of transactions had happened through this. Then there is also the new SIM attack: a bunch of guys with the bank colluded with some criminals, they got a new SIM card, and they also had the debit card details, so they could set the UPI PIN and then transact. UPI probably needs to take a lot more measures against this. They did try something called the BHIM cybersecurity hackathon; some 1,500 people registered, but nobody ever heard back after that, so we don't know what happened, and in fact that probably also has some of these hacks listed; I don't know how that is getting fixed. Essentially a lot of security education is required among developers and users, and also certification to help certify the apps.

We'll see the consumer observations on regulation. The grievance redressal mechanism isn't scaling. The problem right now is that every other transaction is failing and people tweet about it. I have this joke: people now every now and then tweet to the Prime Minister saying this transaction failed in BHIM. The reason for that, again, as Dilip said, is that these are multi-party systems and you need a high degree of reliability; when one of the systems in the chain breaks, the transaction fails. So there is one issue on technology scaling. The other thing is, even when the failure happens, the operations of the banks need to scale their support to at least respond to support requests. Actually every UPI app has a dispute management section, but you will find that hardly a few banks or PSPs respond to it, and even when they respond they'll say "we are still looking at it", and keep saying so. A lot of consumers are frustrated and are probably dropping off the payments. What would also help is more open data on the QoS parameters of banks: are their servers up and running at 99.99%, or what percentage is it; is service delivery or transaction processing going through fine, what is the percentage of failures, what is the grievance handling SLA. All these things need to be open data, and not just that, also open data about the operations of the network provider itself: NPCI itself needs to provide open data on the QoS parameters of the UPI switch.

But why are people still loving it? A large number of people actually use it; this can be seen in the volumes. One might say that a lot of these volumes are because of incentives, but the truth is somewhere in the middle, where a lot of people actually find value in using instant payment systems. It is also because this is the only payment infrastructure which is instant and widely available, and it is a monopoly, so obviously people are going to use it when there are no other choices, because NEFT still takes a few hours at best. UPI will continue to grow and people will move from NEFT to UPI because it is instant, until maybe they reach a point where they see the support is not up to the mark.

We'll talk about concerns. There are concerns about data centralization. If you see the UPI architecture, every transaction you make gets logged in a central system, and that could build a very detailed profile of your transactions, data which can be used in multiple ways. That is one big concern. The next thing is terms-of-service loading. If you attended last year's talk, we saw that a lot of these terms of service are very complicated and loaded with phrases, and we highlighted that we need simpler terms of service which are clearer to consumers and which companies can't obfuscate. A couple of months after that, the BHIM app did a terms-of-service overloading where they said you give us permission to monitor calls between you and other users of UPI, which is essentially a phone-tapping agreement you authorize. Then they corrected it, saying that when you call our call centre we can monitor your calls, at which point NPCI did not even have a call centre to begin with. But this is still a concern: we can't keep watching all these terms of service day in and day out; we need to find a better way of doing that.

Then there is this whole notion that a VPA gives you privacy. Right, but at two levels: a VPA gives privacy only from the transacting party and not from the network; the network still has centralized data about your transaction trails. The reason for that is that UPI was probably designed a few years back, before the Supreme Court judgment, and UPI needs a privacy-friendly architecture. There will probably be a question: UPI is highly efficient because it is centralized, and decentralized systems like Bitcoin burn all that energy and are inefficient; and centralization in settlements has always been there in banking. But we need to figure out whether privacy can still exist in some sort of centralized settlement architecture. If you have seen IMPS, it is also a similar architecture, but slightly more privacy friendly. There are protocols like Interledger, multiple settlement entities, settlement modes; these are some of the solutions.

This is something about what I did; any coincidence with what somebody else is doing at a much bigger scale is merely a coincidence. I call this metadata surveillance, but people then say no, it's not metadata surveillance, it's fraud and risk management. I did it to myself, as Cashless Consumer: I am actually collecting data without any actual intelligence or action on that data. I'm tracking all these UPI apps day in and day out; there is a tracker sheet which lists all the apps, their features and so on. I'm also logging: there will be a tweet from this handle every day as to which app got updated, and I'm logging all the metadata, the app rating of each app, what the new update is, the recent message they put on the app update. All of this is getting logged. So again, this is data amassment sans any actual intelligence or action; I'm just dumping all the data. I'm not saying who else is doing this.

We'll quickly peek into UPI v2 and its features. One is Aadhaar authentication for transaction authorization, so instead of the UPI PIN you use Aadhaar. The e-mandate, I believe, will be covered in detail in the next talk, and signed intents is the other feature, which could let you open the app directly if it is an authorized merchant. Aadhaar authentication is going to be too complicated: you need an OTG pen drive with another device, and that needs another app which encrypts your biometrics, and all of these need to be in place; the usability is simply not there. You don't want to plug in an OTG device with a biometric reader and then use biometrics, even if you believe in that, and the context switching between apps just to do the authorization is too hard. This can probably never work in a secure way, in a privacy-friendly way and in a convenient way. Maybe five years down the line there may be a situation where secure voice biometrics exists, where your authorization is also through your voice biometrics, but we are still not there today.

E-mandates will change the way EMIs are done. There is also the option of push and pull mandates, similar to push and pull payments, so it is not that you always need to sign up the EMI form; your provider can set it up and you just approve. This also has a QR, so you can scan QR codes on a website which does subscriptions and do one-click or two-click subscriptions. Use cases: pre-authorized payments for taxi rides; this already existed with Paytm, and they are now bringing that back into UPI itself, so your taxi rides can be automatically paid; food delivery subscriptions; and the biggest bet for them is consumer durables EMIs. Right now you have to fill up forms to get these EMIs, or some cards offer at checkout to convert the purchase to EMI, or you need to call up customer care; all of that is going to be history. You are going to have UPI mandates which can do EMIs. But this also has some concerns: are mandates valid without a signature? You are actually liable for your mandates, and a mandate bounce is treated at par with a cheque bounce, so that could affect your credit score, and technically a merchant can start criminal proceedings against you as well. There are a lot more gray areas around e-sign too, which need to be discussed deeply.

Signed intents, again: we are moving into a world of audio QR, NFC and Bluetooth, where you don't actually see what is coming in over the air, so there is a possibility of man-in-the-middle attacks. So they are going to hash the entire intent, and that hash goes through a signature which is given to the pre-approved merchant. That is the signed intents part of it, and that's it.
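As an added illustration of the signed-intent idea the talk closes on (this is example code written for this page, not NPCI's specification or any PSP's implementation): the merchant's intent parameters are put into a canonical form, hashed with SHA-256, and the digest is signed with a key the merchant registered in advance; the payer app looks up that registered key by payee address and verifies the signature before it shows the payment screen, so an amount or payee rewritten in transit over audio, NFC or Bluetooth no longer matches the signature. The parameter names pa/pn/am/tn mirror common UPI deep-link keys, but the canonicalisation rule, the `sign` parameter and its base64url encoding, Ed25519 as the signature algorithm, the hypothetical payee `ramstores@upi` and the fixed demo seed are all assumptions made for this example. It goes slightly beyond the talk by also refusing intents that repeat a parameter, since with parameter pollution the user-visible value and the signed value can differ.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Example code written for this page, not NPCI's signed-intent spec.
// Parameter names pa/pn/am/tn mirror common UPI deep-link keys; the
// canonical form, the "sign" encoding and the use of Ed25519 are assumptions.

// canonicalize renders every parameter except "sign" as key=value pairs in
// sorted key order, so signer and verifier hash exactly the same bytes.
func canonicalize(params map[string]string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		if k != "sign" {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+url.QueryEscape(params[k]))
	}
	return strings.Join(parts, "&")
}

// intentDigest is the SHA-256 hash of the canonical intent; this is what gets signed.
func intentDigest(params map[string]string) []byte {
	d := sha256.Sum256([]byte(canonicalize(params)))
	return d[:]
}

// SignIntent returns the base64url signature a registered merchant attaches to its intent.
func SignIntent(priv ed25519.PrivateKey, params map[string]string) string {
	return base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, intentDigest(params)))
}

// BuildIntentURL assembles a upi://pay deep link carrying the signature.
func BuildIntentURL(priv ed25519.PrivateKey, params map[string]string) string {
	return "upi://pay?" + canonicalize(params) + "&sign=" + SignIntent(priv, params)
}

// VerifyIntentURL is what the payer app runs before showing the pay screen.
// trusted maps a merchant's payee address (pa) to the public key it registered.
func VerifyIntentURL(trusted map[string]ed25519.PublicKey, raw string) (bool, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return false, err
	}
	if u.Scheme != "upi" || u.Host != "pay" {
		return false, errors.New("not a upi://pay intent")
	}
	params := make(map[string]string)
	for k, v := range u.Query() {
		// A repeated key is parameter pollution: which copy would the user see,
		// and which did the merchant sign? Refuse rather than guess.
		if len(v) != 1 {
			return false, fmt.Errorf("parameter %q appears %d times", k, len(v))
		}
		params[k] = v[0]
	}
	sigB64, ok := params["sign"]
	if !ok {
		return false, errors.New("intent carries no signature")
	}
	pub, ok := trusted[params["pa"]]
	if !ok {
		return false, fmt.Errorf("payee %q is not a registered merchant", params["pa"])
	}
	sig, err := base64.RawURLEncoding.DecodeString(sigB64)
	if err != nil {
		return false, err
	}
	if len(sig) != ed25519.SignatureSize {
		return false, errors.New("malformed signature")
	}
	return ed25519.Verify(pub, intentDigest(params), sig), nil
}

// DemoKeys derives a fixed merchant key pair from a constructed seed so the
// example is reproducible. Never derive real keys from a string like this.
func DemoKeys() (ed25519.PrivateKey, ed25519.PublicKey) {
	seed := sha256.Sum256([]byte("constructed demo seed, not for real use"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv, priv.Public().(ed25519.PublicKey)
}

// SampleIntent is a constructed merchant intent for a hypothetical payee.
func SampleIntent() map[string]string {
	return map[string]string{
		"pa": "ramstores@upi", // hypothetical payee address
		"pn": "Ram Stores",
		"am": "1499.00",
		"tn": "Order 42",
	}
}

func main() {
	priv, pub := DemoKeys()
	trusted := map[string]ed25519.PublicKey{"ramstores@upi": pub}

	link := BuildIntentURL(priv, SampleIntent())
	fmt.Println(link)

	ok, err := VerifyIntentURL(trusted, link)
	fmt.Println("genuine intent:", ok, err)

	// An attacker on the air interface rewrites the amount; the signature no longer matches.
	tampered := strings.Replace(link, "am=1499.00", "am=14999.00", 1)
	ok, err = VerifyIntentURL(trusted, tampered)
	fmt.Println("tampered amount:", ok, err)

	// The same link presented for a payee the app holds no key for is refused outright.
	ok, err = VerifyIntentURL(map[string]ed25519.PublicKey{}, link)
	fmt.Println("unregistered payee:", ok, err)
}
```

The verifier keys the trust lookup on the payee address rather than on anything else in the link, so an attacker who swaps `pa` to their own handle also has to produce a signature under a key the app has registered for that handle; the signature covers every parameter except `sign` itself, so the amount, note and payee name are all bound together.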