Hi, everyone. It's me again, for those of you who were there in the morning. Welcome back after tea, by which point, I think I was in the audience. I know there's a point at which your absorption capacity just kind of dies at the end of the day, so it's really nice of HasGeek to give us this slot. However, I suppose it's also a good time to be here, because I think we've talked a lot around data security and business models also of various providers like PayU and so on. And the great thing about Dilbert is sometimes they have these great moments of kind of poignant reflection when they're saying something quite funny, which is that we're all just a monetizable asset these days, and the best way to dehumanize each and every one of us in the room is to just call us data, which is what we're doing. And my talk here is to kind of refocus that data conversation on what each data point really is, which is someone like you and me sitting in this room making a digital payment.

And I suppose if we go back to where we started, and I should mention I'll reintroduce myself. My name is Malavika Raghavan. I'm project head of the Future of Finance Initiative, which is looking at policy and strategy to support customers as we see this large-scale change in retail finance that's happening because of digitization.

And about three or four years ago, this is how we were making payments. You and I would go into the bazaar, give 100 rupees, buy some fruit. Now, obviously, there's inflation as well, so you probably pay a bit more. Demonetization has helped that. It's also done this. We have all of these different ways in which we are interacting with money, and we're paying for goods and services. And why is this picture different from that picture really? Because at the end of the day, it's just two people transacting. But what really sets it apart is that every digital payment creates a data trail.
You and I are creating this entire map of how our behaviors, our financial behaviors, our kind of needs and preferences, which are being collected by various entities across the chain of payments. And I guess what we're trying to see here is what does that mean for each customer?

So if I just walk you through a standard customer journey, we've looked at stuff today quite a bit from the provider side. And I suppose tomorrow it'll be a bit more technical as well. But from the customer perspective, so we step away from wallet slash provider mindset into you and me sitting in front of a computer trying to make a payment. What happens? First, you go hit a merchant site. That merchant site collects some information from you. Or then you are then passed on to some kind of a gateway product, say a PayPal, who collects each and your bank account information, your card information, all sorts of things. Address, email, mobile, gender sometimes. Or it's some kind of wallet provider like Paytm. So they hold the data. And then you're passed on to the entire payment processing infrastructure.

And so this is the great and wonderful, complex world of payments themselves. There are multiple bodies involved. There are credit card providers and networks in the middle. You have issuing banks, authorizing banks, agents all over the place, payment systems, clearing houses, settlement systems, all of these different things, which are using your data in order to settle that payment. To an extent, we had it for checks as well, obviously, which is kind of the avenue that we use between cash and digital. But of course digital just ensures that you have this data trail, which is starting off with you, just flowing through this entire ecosystem. And being kind of traded and packaged up with other customer data to make these aggregate sets. And then you have all these philosophical questions about like, at what point is it your data? At what point is it proprietary data?
Which algorithm mined what to make what? And so on and so forth. So I'm not gonna get into any of that because philosophy is not great for five o'clock.

However, I think this is why we should care, right? You're sitting in front of your computer and these are like three risks, there are more, but I think these are the most significant ones. From a customer perspective, we think affect you legally and also affects you in, you know, just financially. So what's the big one? The big one is privacy. I'm gonna set the stage for privacy and then Rahul Matthan is going to come in and like talk about some issues around that. Then financial risk because obviously, if your data is compromised, the exact follow up of that is that your, the money in your bank account can also be compromised. And then there's this entire question of exclusion risk, which I'll come to, but it's just that when you have all these payment channels available, are you kind of focusing on one end of the market and is that a good thing or a bad thing?

So to start off with privacy risk, right? Rather than get into kind of the letter of the law and also how we conceptualize these things, I thought looking at a couple of symptoms of privacy risks really makes it real for everybody. So identity theft is I think something that came up in the PayU presentation. The fact of the matter is somebody using your personal information to impersonate you. And in the financial context, what this means is that they can go and have access to your bank account. They could be making payments, collecting welfare payments on your behalf and so on and so forth. And obviously two-factor authentication has helped that to some extent, but it doesn't really solve some of those payment systems that you don't use two-factor authentication or a large mass of our population who actually receive benefit transfers into their account. So there are a lot of reasons why identity theft is something significant.
Currently we do have something in the law in the Information Technology Act which I'll be referencing later as well, which punishes it. But as we will also talk about and I mentioned briefly in the morning, it's quite a weak kind of structure for enforcement.

The other one, which is I think the big one also is this whole question of profiling and discrimination. So you have all the sensitive personal information about yourself, right? Apart from the fact your gender and whatever else is collected, it could also be the transactions that you're doing. And as a payment system, what you are is really a gateway to other things, right? I mean, there is the transaction in itself, but you're also a gateway to other things, like credit, like other kinds of financial products and sort of physical products. Now, the risk here is that once you have this information about people, we know that it can be used adversely to affect financial decision making by providers. And this is not just like a bogeyman scare. We've had multiple instances of this in our country and in other countries where it's used to deny credit, for instance, or to undertake predatory lending. So denial of credit, there's something called credit redlining, which I won't get into too much, but the US has specific laws against this as do some other jurisdictions because we know for a fact that people who live in a particular area that have the same community, credit is just denied because it might be for reasons of religion or race or education levels, income levels and so on. And the fact of the matter is we know that this happens. How much is technology going to amplify that because you're basically sitting on all this data? But that's just kind of one point to flag.

So if these are the risks, what does the law say about them? The main law that I wanna talk about is the Information Technology Act of 2000.
It was an interesting legislation because it came up in the background of all this outsourcing that was happening to India. And essentially you had all these large companies dealing with these data sets from all over the world with no framework, right? Like think about it, 2000 is when we passed this law to deal with data protection in India. And so therefore it's only reasonable for us to think that it was put together and it did do some level of thinking.

We have this category that I wanna talk about it. It does set up a wider, it deals with lots of things, but the thing that's relevant for our purposes is that it says when you collect sensitive personal data or information, which we call as SPDI because we like acronyms in the legal world, which is any of these things. So your password, your financial information, which is bank accounts, and I'll come to like a little gap there. Health, mental health, sexual orientation, medical records, biometrics, very relevant for India Stack and other. When an Indian entity, which is doing commercial business here, collects any of this stuff, they should be telling you that they're collecting it. They should be using it for X, Y, and Z purpose only. They should then be telling you who they are passing it on to. And then finally they should be saying if you ask for it, you should be given details of entities handling this SPDI.

And of course, apart from this, I should also mention there are a lot of regulator codes. I think at last count, some of the work that we've been doing at FFI, I think there are about 17 SEBI codes, the securities regulator's codes that set out regulation for particular institutions that they have oversight over. The RBI has about eight codes for different types of institutions that it regulates, which also says that for confidential information, you should have this kind of data protection rules. Now, a couple of things here, right? First of all, they don't really reference the standard under the IT Act.
They use a subjective standard. They have some kind of uniformity amongst themselves. They talk about adequate protection, but as you see, it's like a subjective standard. So as a company, if you're a bank, say, you have confidentiality obligations under RBI circular, and then you just say, you should have adequate protection for sensitive data or whatever data. So that's kind of the picture.

It's great that in fact, in fact, we do have something that talks about purpose limitation, collection limitation, and so on. But I think we all know that in practice, this is like a practitioner's conference, right? I know a lot of you have already said this, and in these four walls, honestly, and the livestream, we all know that this is how it works. The transaction is not the asset. Your 50 paisa that you're getting for the transaction on your pay, or which you don't now need to pay. That's not what really is driving the market. It's the data that's driving the market. And if that data is driving the market, what do people do? I mean, we know from, and actually it was, I think, Srikanth's talk where he had some terms of reference up, and he was talking about how widely it's worded. Like, I agree to give you my data so you can share it with every man, woman, and her, or his dog, et cetera, et cetera, right? Like basically, you can do what you want with it, and that's fine.

The other point is also, foreign incorporated companies, for some strange reason, aren't captured by that provision I was talking about, right? 43 of the Information Technology Act. So if you have a Flipkart who's collecting your sensitive information, which I'm sure they are, what happens? That's like a big gray area that we aren't really talking about right now. And there are, you know, another thing is, like for instance, transaction records. Like I won't go into all of these points, but just some things to flag to you, like transaction records.
We know that financial information, so your bank account details are sensitive information, but we don't know that your transaction records are. Again, that's where all of this credit profiling and assessment and all the algorithms to deal with that are looking at. So there are some gaps, is my headline from this section.

Quickly, I'll move on to financial risk. Again, fraudulent transactions, something we've talked about already. I guess the big point here is, as the law currently stands, the bank does not have automatic liability for a fraudulent transaction. You have to go through the redressal system, and if you, after 16 years, get a decision, no, sorry, I shouldn't slag off the ombudsman, they are quite good. If you do get a decision, it's only at that point you're back in the money. And even for a payment system, it's only to return the money at the earliest. The great thing is that the RBI does have some guidelines out which have been released in draft, limiting customer liability for unauthorized transactions, and they say if you report the transaction within five days, the bank should bear the loss, and five to seven days, you bear some of the loss, and then after seven days, it's your problem kind of thing. I mean, obviously, we can go into details of that, but the headline is there's something in the works, but right today, if you have fraud, best of luck. On the failed transaction bit as well, same, no automatic liability, and then I've kind of referenced that law right now there.

Moving on to exclusion risks, so this is one that I think maybe, surprise we haven't really discussed, it may just be that it's because this part of the market isn't really the market that people are chasing right now. So if you are trying to make digital payments ubiquitous, what happens when certain groups just don't use digital payments? What happens if your standard rule of education and awareness doesn't work, right?
I mean, what if you have aged parents or aged grandparents, and they aren't just that great with digital channels, what happens then? What happens to disabled people, or poor people who cannot access payment channels, right? And I think the gender bias point is an interesting one because if you look at cell phone ownership, I'm sure a lot of you know the stat already, only 20% of the women in this country own a cell phone, right? And even if 70% of them use it, they're relying on the man in their family to kind of do the payment for them. How does this affect privacy, right? I mean, I think these are questions that we should be trying to think about if we want to make technology that works not just for this top segment of society, but actually for all of us, because in the end I don't think that there's this efficiency versus kind of fairness point, doesn't really work. You should build a model that works for everyone, and I think the pie is big enough for that as well.

And then the second one is less to do with the subjective situation of a person. Like we live in a country where the ICT index, I mean for digital India, that is a stat from 2016. We are 138 from 175 countries in terms of access to digital infrastructure, right? And this includes like electricity. I haven't put down like the electricity shutdowns, but we've all been there, right? And the entire northern grid went down two or three years ago. Mobile and internet shutdowns are now a reality. Like in 2016, I think the first six months, there's a CCG report on this, there were 22 shutdowns. What happens in that situation? Like money pool, right? If you're all following the news, demonetization happened, mobile shutdown happened. I was in Chennai when Cyclone Vardah happened, for instance. And there was just no money. Like people had their houses. I mean, in my house, I live in a flat in central Chennai, and we almost lost our windows. Think about all the kind of huts and stuff like that.
You need a large pile of cash to rebuild that stuff. What happens when your electricity isn't there? So that's kind of just the broad points. I'll stop banging on about it.

I think the final point here really from my side is, I mean, obviously knowledge is power, but like as Srikanth said, I think policy level engagement of consumers would be great as well. I think it's important to think about these kind of issues which anybody you ask, anybody on the road, they will tell you, right? As I think, I don't know if you know about IFMR Trust work, but we do have a small NBFC that does wealth management for underserved people. And they are really bright. Like they know exactly what the transaction cost is. They know exactly how much they need to pay in order to, for overheads of accessing digital payments. And they're doing it. So this is not a silly population that you're dealing with. I mean, again, as I said, they have the same concerns that an urban person has. And an urban person can also have a lot of these other issues that we talked about.

The other thing is a big shout out to Nishant, who works at IFF. He has worked on something similar that Srikanth was talking about. So if you look at about 1,000 payment apps on the Google Play Store, we've done some initial analysis which says that about 86 unique permissions are asked for. So I've not listed some of the permissions because they kind of, they're funnier in conversation. But, you know, it's two to 34 permissions on the standard app. Like about 11 across, if you take, you know, the one that asks for the most, kind of a median. And it's interesting, I think the Bank of India app only asks for two permissions. I think I mentioned this earlier. And it seems to do the same thing that the Bank of Baroda app does, for instance, which asks for something like 36 or more. So the question, I think, as a consumer, why are you really thinking, why?
Like why do you need to, you know, why do you need to control the volume on my phone, for instance? Which is, you know, I don't get it, but maybe it's just somebody who's been filling the form on Google App Store. Yeah, there's some code that's from Nishant's GitHub in case you guys want to look it up since you're at a conference.

So that's kind of it. I just thought it'd be cool to play a little video for you guys, again, just as a little treat because it's five o'clock. Just give me one second. Yeah, sure. Do I have to play the volume on my, oh, I never thought about that. Will it, okay, I'll try this. I mean, if it doesn't work, that's fine. Like, let me see. We'll try it, and if it doesn't work, too bad. I don't actually think it's playing on mine as well. Yeah, I mean, we'll just try for a couple of minutes. Otherwise, I'll just send you the link or post it on something. Or we can do it afterwards as well, after. I mean, it's an interesting video. Like, it's a bit silly, but it's good fun.

Okay, in the meantime, if any of you have clarifications or any doubts on what Malavika has just spoken about, we can take the next two, three minutes and have a few questions, possibly, before I call upon Rahul to speak. Yeah, can you just, here, here, here. Sandhya, no, okay. I got it. One second, one second, one second, sorry.

Yeah, I don't know if it's silly. Maybe Malavika can guide us, you know, what steps should a person take if they find themselves in a situation like if their UPI ID is misused, their phone has been mistaken for some while and they got misused. What are the, I mean, I'm a knowledgeable person. Maybe I can Google and find out what are the right steps. But even for me to Google is some time. Maybe there is a direct government-provided guideline which I don't know.

So, I mean, last I checked, there was some NITI Aayog, like a pamphlet that looked at different types of digital payments.
But, I mean, off the top of my head, I would say you're probably, and Rahul, please correct me on, whoever's kind of looked at the legal side of this thing. I would say if you are actually with a bank, a bank-issued instrument like a debit card or something, you're probably better off because the bank will have a redressal system and you can go to them. They'll put you through the ombudsman if their redressal doesn't work and ultimately you can reach some court somewhere. You could go to the Consumer Protection Forum but that's like, again, hit or miss. I'm not really sure about UPI to be honest because I feel like a lot of the wallet providers have their own dispute redressal. So far it hasn't been anecdotally what I understand a problem because they are in market capture mode. So the minute you dispute a payment, it's just put into your, you know, it's kind of like Uber. The question is really when that market matures, what happens, right? And right now it isn't clear to me, especially on a mobile because there, yeah. I mean, you have guidelines under the RBI's kind of PPI legislation. But as we've been talking about, there are lots of entities in the gray area and if you have to go to try, I really don't know what would exist there. Anybody wants to add anything?

Sorry, there's a question here, then we'll come to it.

Yeah, I just wanna hear about something like the CIBIL report, right? You get all the records of your transactions and even if you go and search for a loan somewhere and type in your PAN, they get all the details. Like, I'm like, if I see my CIBIL report, I would have just gone and checked for some interest rates or something, but they would have got all the records of my transaction, I would see that there. Is there a way to like, I'm like, stop these things like from, I'm like, from those guys accessing these things or are we deliberately allowing them to access?
Like when I type in, is there a terms and conditions that says like we can access the CIBIL report?

Yeah, I mean, actually that's a really great point to bring up. So the question of like credit bureaus, right? We already have people who collect our information and share it with banks in order to assess our credit worthiness. So like, that's actually a good thing because we have one person who has the responsibility to collect our data and there is an entire legislation around credit bureau. So it's fully regulated space and you have to adhere to, we actually think it's like a good model for data protection because they have to do certain things in terms of keeping your data safe, who they disclose it to, how and all that. And the other thing to notice, I don't think it's all your transactions. I think it's anything connected to a loan or a credit card only. So if you're doing something else, I don't think it should show up on your credit record.

The fact, the tough part of this is actually people who are operating like credit bureaus but who aren't in credit bureaus, right? So you have credit scoring companies that are coming up that don't have a retail front end. They're not a bank. They offer services to a bank. I won't name any names, but there are loads of people in the market. They are scraping also alternative data. So they might not have your credit data but they might get your transaction data from the bank. Then they might have alternative data, your browsing history, your social media profile. This is another great point because the ITA doesn't extend to that as far as I understand. It doesn't count it as relevant, especially if any of that sensitive information, if it's in the public sphere, you don't have any even kind of fig leaf protection. So best of luck with all of you very open on Facebook and so on.
Yeah, so what happens when you triangulate, see a piece of information from your shopping record with your banking record with your alternative data with your social media? We don't know. I can give you a kind of, if this thing is working, I think this might be better at answering the question. Let's see if it does. Can you hear anything? I feel like there has to be some noise. Yeah, yeah, yeah, it's coming. On what? On the room? Sure. Sorry guys.

We can possibly take one more question before that. Yeah, I can. There was a question right at the back.

Yeah, so as you, yeah. As you rightly mentioned that a lot of apps, you know, they take all of this permission to use a lot of data, but many of the apps are like really useful and there's hardly anything that we can do about it. So apart from policy engagement, is there anything that I can do as a consumer? Like is there any central grievance or can I contact the app provider and, you know?

Yeah. And this is actually a great point which I hope we pick up on now. I mean, one of the bigger questions that's underlying all of this, I mean the short answer is unfortunately the way things are set up right now. I would actually argue that some kinds of contracts wouldn't stand up in court because they basically, you could argue like duress or you know, I don't know how meaningful that consent is anyway, but that's a different matter. I don't think you want to be filing a writ petition in the high court or whatever. The main problem underlying this is, we've come to a point where we are, we've understood that the service is the service and the data is the data, right? Essentially what's happening now is if you don't agree to the data, you lose the service. How is that a fair contract, right? Like if you want my data, that's fine. I'll give it to you. I think we've moved past the point where we're thinking about data as a fee in the early days of Google.
We did free stuff because we added, you know, data of ours in order to create this map together and that was great. But at this point, it's just like we have a service and I want all of this random data from you. I mean, the radical view, which I don't know, maybe we'll even suggest the Future of Finance Initiative is that you have a separate contract for services and you have a separate contract for data and that's just how it is. It may just still be a pop-up on your phone, but it could focus your mind a little, right? And I think that's where we should go. Unfortunately, right now, yeah, it's all bundled into one and it's not very fair.

Okay, hold on to your questions because we'll have a more detailed discussion. We'll have, watch this video, yeah. And then we'll have Rahul speak.

Okay, this is just like, I think that question about what happens when other kinds of data are mined is quite interesting.

Day four. I see a school against Antwerp. Yeah. Insects. Please. I feel two insects on your back. Can that? Yeah. Climbers. Slovenia. In a moto. Orangia. What's there on it? I don't know. Oui, oui, bien. You have a friend in... Julie, the b****. Yeah. A good love life. Three, four. The four of us. Most of us don't know how many people there are. How much do you spend on a beer? With such a red balcony. Yes. Yes. I see money, I see transactions. But do you know the number outside? I think I do know it. Is that negative in your bank account? Yes. 97. Last month you spent 200 euros on alcohol. Last month you spent 300 euros on clothes. Eight. Yes. Five. Do you feel at home that you're going to change from your own? Is that what you spent 90,000 euros on? Yeah, finally. 41. Yeah. Is that right? Yeah, that's right. I'll just screen you in.

Dad, I'm not a Luddite. I mean, I don't think you should not be online and we should just go back to carrier pigeons or whatever. It's just a funny video. So kind of I'll end on that and kind of hand over to Rahul now.