Hello again, my name is Caitlin Asrow and I'm a fintech policy advisor at the Federal Reserve Bank of San Francisco. I've been with you throughout this conference as MC and it is my pleasure to now shift to moderator for this fascinating panel that is central to my own research. My area focuses on data, in particular understanding potential tradeoffs between capturing the value of data while also ensuring that information is protected and individual privacy upheld. I'm going to lay a brief foundation for this discussion, introduce my great panelists and then jump into the conversation. So overall today, our ability to collect and use data is constantly expanding. Information is both an economic resource for businesses and entire countries, as well as something very sensitive and personal to individuals that can create new and unique risks if it's breached or misused. So this dual nature of information means that it can help achieve country goals around inclusion, competition and more while also posing new risks around security, bias and potentially new forms of exclusion. So the goal of this panel is to explore the potential for market level systems and resources that could help companies and, again, countries strike this balance between using information while also protecting it and upholding new forms of individual rights. Furthermore, given the unique expertise of central banks in providing market level systems like payments, could central banks themselves play a larger role in managing information, or in many countries they already are. So rejoining me for this discussion are three panelists with deep expertise in this area. First, David Medin, currently a consultant to CGAP, or the Consultative Group to Assist the Poor, where he focuses on data protection and cybersecurity. David has over 25 years of experience in privacy and consumer financial services and has held positions at the SEC, CFPB and FTC.
Next is Sabnendou Mouanti, Chief FinTech Officer for the Monetary Authority of Singapore, where he is responsible for creating strategies, public infrastructure and regulatory policies around technological innovation. He has spent over 20 years in leadership roles globally across technology, finance and innovation. Finally, Siddharth Shetty is a fellow at iSpirit Foundation, a non-profit technology think tank. At iSpirit, he works on the India Stack with a focus on utilizing digital infrastructure to solve problems in financial inclusion. In particular, he works on India's data empowerment and protection architecture, as well as the public credit registry run by the Reserve Bank of India. So thank you all for joining me so much. To jump in, can you each briefly describe the unique proposal or situation in your countries, Singapore and India, that touches on this topic of central banks potentially providing new functions around data? So I'll start with David first.

Thanks, Caitlin. Pleasure to be with all of you. So I wanted to focus on the threat posed by cyber attacks on the financial system. The financial sector, particularly in developing countries, has seen an increasing number of attacks from cyber criminals. We're seeing it in Sub-Saharan Africa, Asia-Pacific, Latin America. And these attacks, if successful, could harm financial inclusion efforts by undermining trust and confidence in financial systems. And of course, the poor are the least able to afford losses to cyber criminals and are becoming more reliant on mobile money. So a denial of service attack that takes it down could really impede people's lives. The attacks also could be used as an entry point from small and medium firms in developing countries to attack the global financial system. The International Association of Securities Commission said that cyber risk is a significant threat to the integrity, efficiency and soundness of financial markets worldwide.
So what we need is an ecosystem approach to combating cyber crime. But the problem is oftentimes no single government entity is charged with responsibility for the entire financial sector. There's also a lack of access to affordable cyber security services. And we know that there's a global talent shortage of cyber experts. And smaller countries can't afford cyber centers on their own. So what we've come up with at CGAP is a proposal to create regional cyber security resource centers so that a number of smaller countries could share centers and get efficiencies of scale. Have a critical mass to meet demands. The centers could share threat information, provide early warnings to attacks, provide guidance on smart regulation on cyber that focuses on risks and not being unduly prescriptive. Do business and consumer education, because that's obviously critical in preventing cyber attacks, and promote cross-country, cross-sector collaboration. So what is the central role of central banks in this effort? I think it's three-part: champion, coordinator and cheerleader. As a champion, to promote cyber centers and where possible mandate their use in their country. As coordinator, it is to work with regional central banks to help create cyber centers and make use of them. And then as cheerleader, to make sure both the traditional financial sector of banks as well as MFIs, fintechs, embedded financial services and others all get on board with the critical task of combating cyber criminals. Thank you.

Thank you, David. So, Sop, maybe you can continue the conversation a little bit if you describe the EKYC utility that MAS has been working on and the potential role of your organization in data.

Sure. Look, there's a broader context to this discussion because in Asian market, in ASEAN market in particular, if you look at last two years, within between the 10 countries, close to 20 plus new digital bank licenses have been issued. Why have these licenses been issued?
Because ASEAN market in particular believes that there's a huge shift to a digital economy. And to get into a digital economy, you need a very different kind of financial services, which is what we call the digital bank license entities. Now, you can't have a digital bank license entity which is riding on processes which are old-fashioned incumbent type processes of onboarding customers or moving money. So there is a need for a public rail for this country, which is a precursor for these licenses to be issued. And the public rails are in the business of providing three things. Ability to ensure and identify consumers in the financial systems are verified as per the KYC requirement. Second, once the customers get onboarded, they should be able to move money in the most affordable, cheapest, safe and secure way. And third, any leverage of consumer data to provide better financial services needs a trusted source of data. And these are very fundamental rails required to build an ecosystem which believes that the future is with digital economy. Now, coming back to the KYC question, today in Singapore, we have a public utility called MyInfo. There are 40 plus data elements out there which are golden source data collected from residents by the government through different lifecycle of the individual, whether at the point of getting born to going to college, getting a house, buying a car. At every point of the lifecycle, there are certain events which create a trusted source of data, and that agency which collects the data contributes to the national infrastructure. Now, how does that help? For somebody to get a bank account in Singapore, all you have to do is to authorize and consent your access, the bank to pull data from the national infrastructure, and all the data bank needs to open account get pulled out. Within a minute, a full-fledged bank account gets opened.
To me, that's the first thing, fundamental facility a country must have to facilitate a digital onboarding of customer. Moving on to the second point of moving money safely. Today in Singapore, we have a national infrastructure called PayNow. What it does, it allows two individuals with two bank accounts to be able to send money to each other by just knowing their national ID or their mobile number. And within three clicks, at zero cost, money gets moved across accounts, and that rides on a national infrastructure. And the third aspect is about how additional data set which the customer may have and how can different asset class, whether it's insurer or wealth managers or basic banking products, being provided using the data the customer has. To answer that question, we are going to production in a month's time, which is called the National API Gateway. What it does, it pulls all the data I have in multiple banks, my liability, asset data, which I can consent and get one of the banks which I bank with to pull all data and see a single view. And that's a public utility because I consent the banks to pull the data. Now when you bring all these pieces together, what it does, it allows individuals like me to have full control over my data. Because I can consent this data to be sent to this third party and this bank. I also know what data I sent, when did I send, after two years when I come back, I can always press when did I send this data, and that whole infrastructure today is available to us through our own citizen portal. I think that's the way we think about the role of public rails, the role of public utility and the greater good for the society when it comes to a broader economic construct.

Thank you so much, Sop. Sid, could you close us out? And I think one thing that's really interesting is Sop talked about this infrastructure and multiple layers. And I think India has taken a similar approach.
So I'd love to learn about the data architecture and the public credit registry. Sorry, Sid, you're on mute.

So the data empowerment and protection architecture is actually the final layer of a collection of public infrastructure called the India Stack. It first started off with Aadhaar, which was a national project to give a digital identity to a billion Indians, and today over a billion Indians have that, through which they can in a low cost manner authenticate themselves. This then allowed them to open bank accounts at scale. The second step that was required is, in India with over a billion people, hundreds of millions of whom are using smartphones, and with very low levels of discretionary income, they needed a low cost mass market payment rail using any consumer friendly app while retaining the stability that the traditional banking system offers through the regulated banks. And that resulted in the creation of a payment rail called UPI which today does billions of transactions a month. And that allows any Indian to transact with each other or with any merchant for a few rupees. Now as these transactions got generated and connectivity started permeating deeper and deeper. So Indians started adopting 4G technology. What that resulted in was Indians were becoming data rich at an exponential pace. And this paradigm was very different from other developed markets where, when the individuals became data rich, their data was fundamentally used to shape their spending pattern because they already had higher levels of discretionary income. And so you put data about that individual or business and use that to personalize the ads and earn a commission on any good or service bought through those ads. And that's a hugely profitable business model. But the same set of companies that operate in the Indian market, while they have some of their largest user bases out here, draw relatively piddly amounts of revenue.
And that's because at scale Indians still don't have money to spend, very low levels of per capita income. And therefore it became imperative to invert this entire paradigm, where data, instead of being used to sell things to the user, is actually used to empower them to access better financial services by eliminating the asymmetry gaps. Whether it pertains to asset or liability information, bridge trust, access better health services or any other service that socioeconomically uplifts them. To do that, we actually had to give every individual control of their data, and that gets manifested through consent. So what's now rolling out in India through India's central bank is essentially a consent framework that allows every individual to securely fetch and share their information in a decentralized way. So the data is never stored in one central repository and they can fetch a range of information across sectors of banking, securities, insurance, pension fund, taxation and electronically share this with a lender, with a wealth manager, with a robo-advisor, a range of financial information users, at a click of a button in an informed manner. And this is done through an ecosystem of entities that create these diverse user experiences, and a similar effort is also underway through the public credit registry, which is essentially to build out real time credit reporting in the country. So one of the ways a lender can actually reduce their risk is by reducing the tenure of the credit that they give. And for a population like India where most of the Indians do not have a credit score, you need to have a mechanism to progressively build up the credit profile. And so therefore a key part of that is, if you want to create the short term products, you need an infrastructure to report it. Let's say today the reporting cycle to a traditional bureau is a month to three months. If I need to give a one day loan or a one week loan and then increase it to two weeks and then four weeks.
If the reporting happens after, you know, four months or three months, you know, you're going to have a lot of over-indebtedness in the system because the user will go out to multiple lenders and take a loan. And so therefore it became imperative to also build out the public credit registry so that you could have real time reporting of this information and eliminate the asymmetry gaps to the next lender, such that new financial products that are short ticket, short tenure, as you call it in India, sachetized, could be created. And that becomes a stepping stone for individuals as they enter the financial system, and they can progressively move up and access more, larger formal products.

Thank you. I think one thing that I'm noticing throughout Ray is, I think in this conference as a whole we're tying together a lot of the different functionalities of central banks, and both of you mentioned payments and how essential information is to kind of building these payment systems and identity systems. I would like to open it up to anyone at this point and just ask if anyone disagrees with the framing of kind of data as its own resource to help build these systems and whether you think central banks in particular have any unique capabilities.

Well, I think just to give a wider frame to your question, rather your second question for the same question, saying that is there any specific special role central bank plays in this process. At the end of the day, this isn't a highly regulated industry. And there is a fear of liability ownership when you use certain data set. And having a system of data which is in a way governed outside the central bank system creates the fear of liability risk if anything goes wrong with the data. So that's one piece.
I think that there's a need for a central bank quasi governance or some kind of partnership where there's a shared blessing of the public utility to allow certain trust in using that platform, especially the banks which are regulated by the central banks. So that's one argument I will give in favor of a central bank role in this whole public infrastructure. I guess that's the question you're asking, right, Caitlin? And the second aspect is trust. Now, there's one way to argue that in many countries you write an application straight on the internet. I mean, I'm using very loosely the word straight on the internet. But there is a need to put something between the app and the internet. And that's the four trusted rails which Siddharth also spoke about, which is ID, who you are on internet, what data you carry with you, is it trusted, moving money on a trusted rail and a clear consent architecture. So these are the four components which are between the app and the internet. And having that in the center in a more governed way allows a better trust system on a digital economy where we don't see each other and we project on trust.

Yeah. I think I want to actually focus on that trust piece. Yeah, so go ahead and then.

Yeah, just to add on to that, Caitlin, you know, your question of data as a resource, I think we look at it, there's a nuanced way to look at that. There's, you know, one view which is data when viewed as a resource is a property. And then that takes people down the ownership path and then questions around, you know, who owns the data? How do you price this? There are, you know, lack of economic models available around pricing data.
And therefore, in India, we've taken a conscious call to view it actually on the other end, which is that because data is often co-created with platforms and other technology systems, and therefore viewing data in a manner where the individual should have rights to access it, to share it, to know what data is captured about them and have a safe and secure mechanism to then share that downstream. Versus the traditional methods where, you know, they either physically go and fetch their data or digitally give out their username and password and it's screen scraped, which is very primitive today. So that's just an additional way to look at data, at least how we've been looking at it out here in India.

Can I add a couple of points? One is in terms of data protection, many countries are developing data protection authorities, but I think the central bank plays an important role with them because there are specific contexts of financial services where, when does someone become a customer? When do they cease becoming a customer? What about affiliates of the bank? Things that the general data protection rules may not address, and the central bank can play an important role there in clarifying it. But in terms of how the system operates, I would challenge the consent aspect of it because, as we know, people don't read privacy notices. They click through whatever screens they need to get to where they want to go. So I think it's important to not just rely on consent to protect people's data. Even in the account aggregator or banking context, consent is not enough. And I think we need to have use restrictions so that the data is only used for the purposes for which it was transferred and not for secondary purposes. I also think authentication is important, and Sop, I think, alluded to it, and not every country like India has a digital biometric ID.
In that case, you want to know who you're dealing with, because if you give someone access to data and it's not the right person, it could cause tremendous harm. And so I think cabining in consent and emphasizing authentication are both critical to giving consumers power to use their data from prior experiences to get new credit or other opportunities.

Absolutely. Consent should never, you know, just building on what David's point, consent does not absolve the data processors from accountability or responsibility around using it and not causing harm to the individual. And so while on one end, you cannot have lack of a consent framework because that implies that the individual has no agency over their data and choice. But at the same time, it's consent coupled with an accountability framework, which is what the central banks or the data protection authorities bring in. So that the data, you know, minimal data is accessed, it's used for the right purpose for which it was shared and so on.

A quick, I think my response on consent for David is that I agree with David that clicking thousand, like three pages of two size font doesn't make a great consent architecture. What we need, and which I think we have practiced in Singapore, is consenting what data set you have shared. When I say consent, it is a simple white screen with clear articulation of: these are the four data you shared with this third party for this purpose on this date. That to me is consent. The consent doesn't mean I'll click on four pages of legal protection lawyers have written, which makes no difference to myself. So to me, the consent is about what data we share, as simply as it sounds, and also the purpose at the point of transaction, because there are implications: the same third party can go and do something else after a year of time. At that point in time, you as a citizen have a right to withdraw the data because the original purpose of collecting data is no more the same.
So having an elaborate consent system facilitates a clear data consent strategy rather than blindly clicking into pages of documentation.

Yeah, I completely agree, from those of you who know my own research. So in this kind of architecture that needs trust, and maybe thinking about permissible use like you mentioned, David, and upholding these types of consent frameworks. I want to move to enforcement or supervision. So David, you said, you know, some of these cyber security frameworks, you could mandate their use or maybe not. Could you talk through a little bit about how what we're describing could be enforced or supervised, or whether it should be at all?

Right. Well, I think there are a number of ways to look at that. The banking, the financial sector now has become very complex and diverse with banks, fintechs, and microfinance institutions, embedded financial services in messaging systems and on and on and on. And so the question is, how do you get a cohesive set of protections in place? I think it can happen in a number of different ways. One is, I think the central bank could sort of encourage that to happen and hope it will. One other model that we had years ago in the U.S. was the central bank, the Federal Reserve Board, issued regulations that were then enforced by other agencies like the Federal Trade Commission over non-banks. So you could have one rule writer and then different enforcers. And then, as you know, over time in the U.S., we've moved to an entity, the Consumer Financial Protection Bureau, that has jurisdiction over both banks and non-banks for financial services. So I think there are different models that each one may be appropriate to a different country. But I think the key thing is the cyber threat is real. And I think we need a cohesive response to it because, again, from the financial inclusion point of view, we talk about trust and confidence.
We need poor people to be confident that the services will protect their money and their data and make sure it's being used to benefit them.

Thank you. And Sop, is it a requirement? I want to ask two questions. I apologize. First, is it a requirement for banks? Will it be a requirement for them to use the EKYC utility? And how do you think about supervision, like you said, liability related to it? And then, do you have any concerns from like a broad cybersecurity perspective of kind of this centralized point of failure by having MAS play that role?

Yes. Look, there are, we provide a consumer a choice whether they can use the public utility or they can follow the normal process, go to a branch with a bunch of documents, putting a signature if you are comfortable. I want to emphasize, choice is very essential in this journey. You cannot force people to use electronic data systems if they're not comfortable, because people come from different background, literacy level. There is a need to provide that safety mechanism for the transition. So we should not get over excited about the public utilities, everything touch and electronic. So that is one part. So today in Singapore, every customer is going to choose how they want to go for it. Of course, they get, they do prefer electronic way to go. I think a question around the data breaches. I think once the data moves from a public utility to a bank, at that point of time, bank is accountable for maintaining the privacy, protecting the data. Two days back, we actually passed a more stricter regulation. You can Google where, I think, if I'm not mistaken, if there's a data breach, up to 10% of annual turnover will be fined or $1 million, whichever is higher. This is one of the most strictest penalties to my knowledge in this space. It just came a couple of days back.
While we do encourage there's a better use of data in terms of with a proper consent and legitimate business use, but sometimes we want to bring the accountability back to the firms which are taking the data and processing the data. On your third question around liability and who is accountable if the data source is bad? I think that's a big question. I think for that, there's a collective agreement between all the parties, which is in this case, myself, the citizen, the infrastructure and the source of data. We all collectively come to a state where we agree that this is generally speaking a golden source data. And I think the likelihood of this data going bad is perhaps somewhere else, not on the system and the processes. So that's the evolving process going around. In fact, at an individual level, it's much easier. It gets very complex when it becomes corporate data because there the ownership is multiple. Owners may not be sitting in Singapore, they may be sitting somewhere else. It becomes far more complex when it comes to corporate data, infrastructure and consent associated with that. So it is still an evolving process. I think we need to work out how we strengthen the whole legal framework progressively. But if you try to fix all these things at the onset, very difficult to move forward.

Caitlin, could I add to that? So I made the point about responsibility for data breaches. I think another way to approach this would be liability, having the provider assume liability for fraudulent transactions, which is, as you know, the way it's done in the United States on credit cards and debit cards, is the consumer does not bear the risk of loss on those cards. And this was adopted I think in 1970. It wasn't obvious to the credit card industry that it would be wonderful for them to assume their customers' liability. I think it is absolutely probably the best thing that ever happened to the credit card industry because it made it happen.
And that you wouldn't walk out on the street with a credit card if you were responsible for your full credit limit. So I think, and even more importantly, it puts the burden on the part of the entity who can best control what's going on. And the credit card industry has done an amazing job at reducing fraud. And I think that's a lesson to be learned outside of the credit card system to other payment systems, is assume the liability where it makes the most sense in terms of creating incentives and less on people least able to afford the loss of money.

And just quickly add, very quick on David's point, in fact, that's what we call Consumer Protection Act. In fact, the credit card actually forced a shift of using chip as a liability shift if you don't use it. And that also incentivized people to shift to a higher protection card structure. But that's all well and fine on a credit card. What happens to the debit card? What happens to an ATM card fraud? What happens to a bank transfer which goes bad? So there is a whole set of Consumer Protection Act coming as we speak. There are certain liability covers being given, minimal small value transfer to be protected. So yeah, credit card is a great precedent to pick other part of the money transfer risk as we think about consumer protection.

Thank you. That was great. Sid, I want to jump to you then, and could you kind of explain the role of public entities like the Reserve Bank of India or others in enforcing some of the, or not enforcing some of the new architecture and standards, especially around consumer protection, liability and risk like we've been talking about.

Yeah. So the central bank in India, RBI, has played a pivotal role in that. They've essentially been made the nodal agency for the, so India has four financial sector regulators. So you have RBI for banking, SEBI for securities, PFRDA for pension funds and IRDA for insurance. And each of these sectors have their own individual data sets.
And therefore RBI has been made the nodal agency for driving data empowerment in the country. And the first step for doing that was actually adopting a common consent taxonomy such that every entity, when it receives the consent request from the individual, is able to interpret it in a standardized manner. The second was actually laying of technical standards in place. So RBI notified pan-India standards around, when you receive a consent, what is the data that gets shared? How does it get shared? So India actually has national APIs for consented data sharing that every bank or pension fund or insurer or even telecom company, these are very generalized APIs, can adopt and implement. And that makes the rollout much safer, more secure and also operationally a lot easier for the different entities that are involved. Because if you have competing standards like it is in the case of the EU and UK, it makes the rollout extremely difficult. So along with notifying these technical standards, and these are all open standards that anyone can adopt, what RBI also did was license the consent managers. So a key part of India's architecture, when you think about it, at the scale of a billion people, each of whom need to have the ability to give informed consent. That means, like Sop mentioned, consent could be shown to me in a structured manner in a screen. But for a large part of India, for whom they don't have access to a smartphone or any digital device and they have an assisted journey, you need a different mechanism using the same infrastructure to collect their consent in a way that's far more accessible and adaptable to their needs. So therefore it was imperative that as India unbundled consent from the custodian of data, which is traditionally how data sharing would take place, and it didn't give it to the consumer of data, which is the architecture, let's say in Australia or the EU, where the app that's consuming your data also collects your consent.
And we've seen the repercussions of that through Cambridge Analytica. India unbundled it from both ends and placed it into a third party fiduciary entity, which are the account aggregators. And therefore, given the scale of this country, we couldn't have just one account aggregator. And therefore RBI put in place a licensing regime with which a range of companies could apply. So you could be a corporate, you could be a startup. If you met the specific requirements, RBI had an extensive process around giving them in-principle approvals, and now four of these have an operational license. So they put in place essentially an enabling framework for these actors to participate through the licensing regime as well as through technical standards. At this stage, they haven't actually mandated the institutions to adopt the system. And I think that's also very key. But as we speak, the largest banks in India, so hundreds of millions of bank accounts are now being made available electronically through this consented system. And that's because the individual actors are coming on board, the banks and others are coming on board, because this system benefits them as well. It widens market access because you can now create sachetized products. And so therefore by putting in place the enabling framework, but at the same time, not taking the hammer approach like the case of the EU, where they mandated it. And in India it was also approached from a point of view of inclusion and not competition. So it wasn't, hey, everyone, open up your data. Let's make this market more competitive. But it was, hey, everyone, only 8% of our small businesses have access to formal financing, 8 to 10%, only 30 million Indians have a thick file in a credit bureau. We've got to create sachetized financial products to at least give them a first leg up. And that's the reason why you see a lot of the incumbents and challengers working together in the operational rollout of this system.
Now, of course, this requires no doubt new capabilities on the part of the central bank when it comes to supervisory and others because traditionally their domain has been in the area of monetary policy and related matters. And those have to be built out. I think valid questions around enforcing data governance. How do you put in place audit so that you ensure that the regulated entities only use data for the purpose with which it was shared? And what happens when this framework extends beyond regulated entities? Because as an individual, I should have a right to share my data securely with any service provider in the country or across countries as well. And then what happens to enforceability in that case? So those are open questions that have to be thought about as we move from the next phase of, as we move towards the next phase of mass market consumer adoption.

If I could jump in. This conference is focusing on central banks of the future. And I guess one question is why do we have credit bureaus at all in the present? We have massive databases covering hundreds of millions of people in some places, which are targets for cyber criminals to get information. When you aggregate that much data in one location, it's a huge risk. And in a networked environment, why do we need credit bureaus at all? And something that hasn't been mentioned is India's creation of digital lockers, where people can store their own data. And perhaps what we should do is have companies report to each individual's digital locker in a digitally signed way so that individuals could truly control their credit report and all their other data about them and then consent on a granular basis as to who gets access to that information. And that way there's a security breach that's not, maybe it's one person's data, but it's not the entire system. We saw the Equifax breach of a couple of years ago with over 100 million people's data was compromised. In a digital locker environment,
You wouldn't have that situation. And then people could check their credit information at any time day or night to see what goes on. And then they could authorize through consent as to who has access to it. So I think in the future we should take advantage of technology and not resort to massive databases, which made sense back in the 1970s and 80s, but don't make sense on it going forward in the 21st or 22nd century.

And David, in that kind of scenario, I think one thing that's interesting between Singapore and India is that ability of MAS to actually hold some of the liability for the quality and the correctness of the information that it's storing. So in a scenario in which we have these kind of personal lockers, would central banks play a role in actually assuming some liability or would that continue to be on, let's say, the entities that are generating the data originally?

Well, the central banks could assume essentially responsibility for the system working properly and that on an everyday basis it should really be a dispute between the individual and the entity that provided the data. And you want to be sensitive to regulatory capacity challenges anywhere in the world and not have the central bank get involved where they don't need to, but where there are systemic problems of accuracy of how long the data is retained and how it's protected. And I think the central bank can play an important enforcement and supervision role, but in the everyday operations system it ought to operate mostly on its own.

I just want to clarify, I think the central bank doesn't own liability in this sense, but they provide the notice required for the banks to use a certain set of data as a golden source. So the liability still is within the system, not at the central bank, because it's not possible that way. There is a notice which you ensure that that's a reasonable good place to pull the data and they will not be penalized for pulling the data. I think that's the cover you get.
So I think that's something and also the quick point on the notion of utilities. I think there's an implicit understanding that utility is a centralized place. Once I've attacked, life is done. I just want to clarify that in the case of example in Singapore, actually the MyInfo and the data are gateways, they're not the database. Eleven plus agencies are actually holding the actual source of data and on a real time you are pulling data from each agency based on what data are looking for. So you actually don't get to attack a single system for taking all the data. In fact, if at all there's a consolidated data, it's the banks themselves and that's why they have to go through a very rigorous data protection act.

Yeah, and that's the same in India, correct? In terms of the DigiLocker as well. These are all just kind of pipes and nodes rather than one centralized database. So moving on. Yes, absolutely. Go ahead.

In fact, as David mentioned, given that the bureaus were created in a world where it was required to centralize data since it was all physically collected, but now that we are all connected over a network, you can imagine a paradigm where your credit information is fetched in real time straight from source in a decentralized manner and that reduces the significant vector of attacks.

So I want to move now when we talk about kind of these utility systems to think about who actually builds them. You know, do public entities build them or do they create standards and incentives for private companies to kind of facilitate that. So maybe Sid, we could start with you because in India there is kind of a standard setting and then private entities are actually kind of creating the network itself. So maybe you could describe that choice and then Sop, maybe kind of any role that MAS is playing in actually building the technology side for the EKYC.

Yeah. So the way we look at it in India is, you know, essentially a jugalbandi, a partnership.
That's a Hindi term for partnership between public infrastructure and private innovators on top. So what we do know is at scale, given the diversity of solutions that are required by these various individuals and businesses, no one government app, one government portal, one government service or one private sector app portal service is going to satisfy the needs across the country and keeping in mind that a lot of individuals have very low levels of income per capita income. It's critical that you put in place infrastructure that lowers the transaction cost, thus making it economically viable for companies to reach there. And so therefore India has gone down the path of building out a set of public goods and these public goods take the shape of specifications, right? So in the case of payments, there is a payment specification through which you can transact in a real time manner using any consumer app. Same as the case of data. Now these specifications are adopted by a range of entities. In the case of data, those specifications have been adopted by the account aggregators and the providers of data and the consumers of data. And the account aggregators, since they are the ones mediating this flow, kind of like a postman and they are the ones licensed by RBI, they drive the network creation. Now, they don't own the specification, they're operating on the back of the central bank's policy and these open standards and they just play the role of building out the infrastructure and operating it and creating a nice experience for the front-end consumer. So even if you, to unbundle this word of utility, because utility kind of implies this one service, one provider, you have a layer of specifications, those are the open standards, those are the public goods that are laid out. Much like, you know, HTTP is a specification on top of which people create private innovators created the browser or SMTP for email.
And that's been the real focus and then you will have a set of players that operate the system on the back end, a set of players that build out front-end experiences for the consumers and then of course the rest of it in terms of auditors for data governance practices and so on. So that's the approach that India has taken kind of this unbundled manner, so to speak and just based on these specifications, are very core principles of interoperability. So for example, one of the principles of interoperability are that as a consumer I can go to any account aggregator and link any custodian of mine. So, you know, I could be banking with let's say bank ABC and then XYZ and the account aggregator and not get into bilateral partnerships with them. Because if they did, then let's say one account aggregator partner with one bank, the other partner with a different bank. As a consumer if I have my data residing in two banks that becomes a very fragmented experience. So baked into these specifications are these principles of interoperability, reciprocity, which is unless you contribute data you cannot consume it and that allows for the creation of a level playing field on top of which a range of these companies and middleware providers and end data consumers get.

And Sop, how does it work with MAS? I mean, what is the role of your organization in actually building and continuously running these rails?

We have a couple of structural advantages here because we have a very efficient government technology infrastructure which is shared by all agencies including MAS. So they are a shared utility that put in market infrastructure public rails, we are the governance agency for the sector. So we put the governance, the regulatory umbrella around those data being used by our sector and then the consumer of the such data which are the banks themselves. But utility has a different structure. When it comes to payment rail, it is run by the banks and it is a shared utility.
When it comes to the data infrastructure, it is infrastructure run by the government technology department but different agencies provide data set so that data can be shared and MAS provides the regulatory framework. But when it comes to bank banking data itself we actually perceive an interesting principle that only a contributing party can also consume the data, which means that I can only participate in data exchange if I am contributing to data only. I cannot be only consuming, which means if we have an API gateway, if two banks are contributing to the data, both two banks are participating, both are supposed to contribute as they also take data from each other. So this is to ensure level playing field. We do not want to be in a situation where somebody, a big tech, comes and sucks all the data and contributes nothing. Imagine if one of the big tech actually goes to public utility, takes all the banks data but they do not contribute themselves all the data they collect themselves. So it will be unfair practice on the recipient banks in this construct. So we practice that equitable participation of ownership and data contribution. So that is the structure for the transactional data.

And I think a critical part of what both the panelists are saying is that the government can establish a framework or technical standards but still leave room for innovation and competition, because I think if it is all run by the government there may not be as much incentive to be creating new services, new analytical tools. I think the partnership between the government making sure things are interoperable and that appropriate standards are maintained, like in India the uniform payment interface I think is brilliant because it's a very efficient system but people can build APIs on top of it. Is the right kind of balance to strike between making sure things work but also letting the private sector be as creative and innovative as possible.
And David, I think one key part also, regulation also has to unbundle themselves because a large part of regulations are still an entity based regulation. They are not activity based regulation, which perhaps is the big elephant in the room, because you can create data, you can disaggregate data, which creates different innovation of services, but the regulation which they comply to is the one big box. So you need to have an unbundled regulatory construct to be innovative on such data opportunity.

Yeah, I think you want to be technology neutral on your regulations. I mean you can look back at setting encryption standards which may have made sense five years ago or even yesterday but won't make sense tomorrow. But you're right also, but then you're also challenging what the regulatory structure should look like to make sure there's a uniform playing field between fintechs and big banks and payment systems and mobile money. So that I think that's also a challenge to make sure.

You can have a fabulous infrastructure but the single regulation entity can just kill the innovation.

Right. And can you both speak also to the capabilities within regulators. You mentioned kind of, you know, an awareness of this technology, ability to use this technology potential. Could you David first speak to a little bit how you think about having those technological capabilities and awareness inside of regulators and then any kind of partnerships that are going on in India and Singapore.

One thing I guess I would mention is our proposal to create regional cyber security resource centers, which in part reflects the challenge regulators face who haven't grown up on cyber security and technology there. They do an excellent job on safety and soundness and prudential regulation but not so much on cyber, which is not something that they had a reason to be familiar with.
And so what we see these centers as being tools for the regulator to say here are best regulatory practices where you focus on risk assessment and mitigation and instead of being prescriptive and borrowing someone else's rules you make rules that make sense for your country, your ecosystem. And so we see that as really a partnership between these centers, and the centers as far as we're concerned could be private, public-private entities but essentially give the regulators some assistance and how to regulate in this space because it's an ever growing challenge.

And Sid, how does it work in India? How do you guys think about blending private knowledge potentially around technology with public utilities?

Yeah, so we see two institutional structures emerge. One is the notion of technical standards organizations, so these are the ones that interface with the range of market participants and put in place these open standards and evolve these open standards. And then the second is self-regulatory organizations. These are the ones that are actually working with both the regulator on one end as well as the market participants on the other and they're essentially laying in place the operational guidelines of the ecosystem, the best practices, certification, a lot of the finer grained enforcement that's done. Much like along the lines of, let's say in the internet space, the role of Wi-Fi Alliance would play or the Bluetooth Alliance, right? They put in place a standard, they ensure that all the participants meet at various quality levels. It's interoperable. The consumers have a safe, secure, smooth experience. And so therefore we do see in the case of the account aggregator ecosystem there's an SRO called Sahamati which is formed by a range of these market players essentially to manage the operational aspects of the ecosystem in a lot more fine-grained way.
And then interact not just of course with the central bank but as I mentioned this is cross-sectoral so you've got regulators and so therefore they become an agency that interacts with all the others as well to manage the rollout.

Thank you. And Sop, you already mentioned kind of the significant technical capabilities it sounds like of MAS and kind of all the regulatory system, but any lessons learned from getting kind of staff and regulatory capability up to the level to manage these systems?

Look, I thank my job with the regulatory because they want somebody to work for them in the space of technology to have a fancy title called chief fintech officer. So that's the five years back. Now, yes, absolutely it's necessary for regulators to upgrade their capacity to understand the implication of technology, but having said that there's a limit to how much they can upgrade. So what we have done in Singapore which has been effective for us is something we call as an ecosystem approach, and I use this acronym called INER approach, which is I stands for innovation, N stands for a network of partners and E stands for ecosystem and R of course the regulation. Now, how does it help? Because it helps into expanding your own bench strength by tapping into the industry bench strength, and having that part of your construct, a part of your network, helps to upgrade your own skill set, also get industry to respond. And the reason, a quick example, when we start in 2015 we had to put a massive set, almost 500 pages of documentation, on the API guidelines. So, you know, you start doing all this thing, it takes time to build the capacity, and together with the industry the regulators can build a better capacity to handle such evolving challenges and opportunities.
By the way, just to David's point, while regulators are known for KYC, AML, consumer protection, financial stability, they do have something they get criticized a lot, they have something called tech risk management guidelines, which you can always question they were draconian, but they have something out like that which kind of addresses to David's concern around cyber risk, outsourcing guidelines.

I also want to say, I guess Sop's point about the ecosystem is that we can't just focus on the bank, we can't just focus on, we have to focus on the switch and the interoperability switches, the international system, correspondent banking. It's a very complex world and it's important to look at all the different components of them, both from regulatory point of view, particularly in cyber, but more broadly on information flow. It's not a simple world of just the regulator and the financial institution.

Yeah, absolutely. I think I'm increasingly thinking about the interconnectivity needed within institutions to handle all these new systems and requirements, and then that interconnectivity across the world, within countries, between regulators.

Just briefly, to not forget that the central bank has data that's at risk as well. That is, not only is it a supervisor but it holds very sensitive data, supervisory data, monetary policy data, and it's important that the central banks protect themselves as well as the entities over which they have jurisdiction. We had a call when we started this project from a central, a governor of central bank, saying, my central bank was hacked, what do I do? And so it's important to think of them both as customers and as regulators.

Yeah, absolutely. So this has been fascinating and quite enjoyable. To end with, seeing if anyone else has any kind of final comments or lessons around inclusion, security or technology based on what we've talked about.

I have a quick point, that we spoke mostly about domestic market. I think one of the unmet needs in this space is that all the systems
were designed to make our domestic market efficient may have some challenge when they start connecting. We have to be careful to look at, because the designs we are making should not make it uninteroperable when we start connecting them cross-border, be it payment, be it data, be it ID.

Yeah, absolutely, and that's why we have events like these where we can talk to each other hopefully and think about how all these new systems we're building will hopefully talk to other countries and each other as everything becomes more connected. Wonderful, well, with that I'll conclude the panel. Our next step is a regulatory perimeter panel that I think will touch on a lot of these concepts in terms of security and jurisdiction and capabilities within regulators. Thank you so much.

Thank you.