I will give you guys a second to see the first and the second image. Like, the guy has invested enough to keep a security guard to do a check, and that is what happened, and this happens, I am telling you, even with the latest 2016-17 companies as well. You have everything, he is checking it, but there is no point in having him there, ok.

Everything: secrets and salts. Ok, here is something I want to talk about. In all the companies that I know of, almost always the way they share a secret is either it is available on a portal, or, actually, many companies send it across to the guy they are interacting with at the merchant. Now it is a salt; if I know it, obviously, me included, a product guy will forward it to an engineer, then someone would integrate. Now the salt has been thrown out to so many people that all of those can actually go ahead and do free transactions, and there is no way to trace it back. What is missing right now is we have to come up with smart ways on how the salt sharing should happen between the payment gateway and the merchants, which is not there in a very good fashion, ok. The other problem is when a salt gets compromised, then a lot of companies again do not support two-plus salts, ok. They say ok, you could go ahead and change it from salt one to salt two, but the problem is there are valid use cases where we have to support two salts, and that is not there. The problem with that is either the merchant loses customers, or there is a monetary compromise that happens.
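The two salt problems raised above (a shared salt that cannot be traced once it leaks, and gateways that only let a merchant flip from salt one to salt two), as an added example that is not part of the speaker's talk or any gateway's code. It assumes the gateway's request hash is an HMAC-SHA256 over a canonical string of the transaction fields (the talk only says "hash" and "salt"), that every request carries a `key_id` naming the salt it was signed with, and the field names, merchant ids and salt values are constructed. Because the key id travels with the request, a leaked salt is traceable to the integration it was issued to, and two or more salts can be live at once so rotation does not break in-flight merchants:

```python
"""Gateway<->merchant request signing with per-integration key ids and rotatable salts.

Added example, not code from the talk or from any payment gateway. Assumptions:
the gateway's hash is HMAC-SHA256 over a canonical string of the transaction
fields, and every request carries the id of the salt it was signed with.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FIELDS = ("merchant_id", "txn_id", "amount", "currency")  # assumed field set


@dataclass(frozen=True)
class Salt:
    value: bytes
    retire_at: Optional[float]  # end of grace window after rotation; None = live indefinitely


def canonical(fields: dict) -> bytes:
    """Fixed field order and a separator that cannot appear in the values."""
    return "|".join(str(fields[k]) for k in FIELDS).encode()


def sign(fields: dict, key_id: str, salt: bytes) -> dict:
    """Merchant side: attach the key id and the HMAC. The key id is per integration,
    so a leaked salt is traceable to the merchant (or team) it was issued to."""
    mac = hmac.new(salt, canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "key_id": key_id, "hash": mac}


def verify(request: dict, salts: Dict[str, Salt], now: float) -> Tuple[bool, str]:
    """Gateway side. Fails closed on unknown or retired key ids and on any tampered field."""
    salt = salts.get(request.get("key_id"))
    if salt is None:
        return False, "unknown key_id"
    if salt.retire_at is not None and now > salt.retire_at:
        return False, "retired key_id"
    try:
        fields = {k: request[k] for k in FIELDS}
    except KeyError as missing:
        return False, f"missing field {missing}"
    expected = hmac.new(salt.value, canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(request.get("hash", ""))):
        return False, "bad hash"
    return True, "ok"


def rotate(salts: Dict[str, Salt], old_id: str, new_id: str, new_value: bytes,
           now: float, grace: float) -> Dict[str, Salt]:
    """Rotation without a flag day: the new salt goes live immediately and the old one
    keeps verifying for `grace` seconds, so merchants mid-migration keep transacting."""
    out = dict(salts)
    out[old_id] = Salt(out[old_id].value, now + grace)
    out[new_id] = Salt(new_value, None)
    return out


if __name__ == "__main__":
    # Constructed sample values.
    live = {"m1-k1": Salt(b"salt-one", None)}
    req = sign({"merchant_id": "M1", "txn_id": "T1", "amount": "100.00", "currency": "INR"},
               "m1-k1", b"salt-one")
    print(verify(req, live, now=1000.0))                        # (True, 'ok')
    print(verify({**req, "amount": "1.00"}, live, now=1000.0))  # (False, 'bad hash')
    live = rotate(live, "m1-k1", "m1-k2", b"salt-two", now=1000.0, grace=3600.0)
    print(verify(req, live, now=1010.0))                        # (True, 'ok'), inside grace
    print(verify(req, live, now=5000.0))                        # (False, 'retired key_id')
```

The gateway keeps one `Salt` per key id; when a merchant reports a leak, only that key id is retired (with a zero grace period), and the audit trail of which key id signed which transaction is what makes the abuse traceable.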
Talking about transaction logic: wallet security. Any product folks here? Awesome. Wallet security: so you guys obviously want that, hey, ideally the payment should be without any friction, right? Like, the guy should come to the product and the moment he thinks, there should be payment done, ok. That is where the wallet came in, because India has to pay in place. Now the problem with wallet security is, and almost all the wallet companies have P2P in place, the moment I log in I can do a transaction, ok. Think about this: my account is compromised, someone logs in, transfers my P2P to some place else. Now the problem is, what kind of security do we have in place? Just that, ok, you are responsible for the account security of your account. Apart from that, do we have any kind of fingerprint in place? I am not talking about that naive fingerprint, ok, five items that we figured out. Can you actually determine a legitimate guy versus a non-legitimate guy? Because, see, usability and security go hand in hand: the more user experience, the less is security; the more security, the better an experience, correct? So this is something that I will say you guys have to figure out, in terms of what is the kind of security we have in our wallet system that will make sure that legitimate users don't get compromised and we can track the illegitimate ones.

Gift card security: here, almost, like, I am talking about two years back, all websites, all the companies were broken in a certain fashion or the other, ok. The way they were generating the PIN, they had, like, the same goes for coupon abuse as well, the way they were generating the PIN could have been good for misuse and you wouldn't know about it. I am saying the aim here is to see, have you thought it through? And I am telling you about a company a few days back which had very bad logic of generating them, ok. It's not something of the real past I am talking about; it's something that happens. See, it could be like, ok, you are the lead, you know how to
do it, but the moment you delegate it to someone else to do, does he have the right capability to do it or not? He could be a fresher, or you could bank on him, or he could think, who knows, figure this out, that I am just changing the last digit, right.

Then UPI. So I will just talk about one example of UPI, which is when someone initiates and says, hey, I know, a push notification comes to the app. The point is, then there is no hash in place, ok, from UPI itself, ok. Now the point is people can change from hundred rupees to one, though they are paying for one, but there is no validation of what's happening, ok. Those are a couple of things that I wanted to talk about on application security.

Integration: so maybe you have awesome security in place, but integration is not equal to your security. Integration, I can't tell you how many times I have seen it broken, just because two parties are involved; it's just not you, you are security savvy enough, but the other party is not, they are not validating, then you have different APIs, you have tons of other things in place. So you have to make sure, at the end, how the integration is happening, ok.

Network, infra, cloud. This is another big one, where we assume, we all have moved, not all of us but mostly all of us have moved from a typical DC to cloud, and we assume now cloud would take care of everything. Just giving the example of AWS: it's clearly mentioned on the website, security is 50-50 percent shared responsibility between the person using it and AWS itself, ok. Now the problem there is how do you go about saying, ok, I have security in cloud, what all things do I have to take care of and what all things do I not? As simple as all the other systems that are there, let's say maybe your systems are good enough, but just talking about Dirty COW, which was a Linux privilege escalation vulnerability, the point is, at the end it's one place where all the things are there. Now how you have configured it is something that I
could exploit; someone else can get into your system. A classic example would be four years back an Indian company got hacked where someone exploited the Shellshock vulnerability, got into the servers, which were running for more than four years, ok, and sent a mass email to all the customers that we are shutting down, ok. Now whose responsibility is this? Like, Shellshock was patched, but this is there: they had a box which was running for more than four years and it was just a part of the prod VPC. That was the only problem.

Security issues due to misconfiguration: RMQ is just one, RabbitMQ is just one example here. I can't tell you how many screw-ups; I guess Akash would be talking about all those things in place. Like, the reason I put RMQ here is I have seen businesses that actually completely work on that messaging queue, which has their business logic, such critical data, and they have no authentication in place, and the administrator login account for RMQ is guest/guest, which is publicly available, and anyone can access it. So the point is, when you see the data, you see, ok, the whole business depends on this; I consume it, they wouldn't know about it, and it's all gone, ok. So this is just one example; there are tons of things you have to take care of on how you fix it. I have seen databases which are publicly available and have no authentication in place, prod databases, ok.

So the reason I have the third point here is, I was talking to a couple of senior, not security, DevOps guys, and they said, hey, I'll just give the example of Amazon, because after Amazon started patching Spectre and Meltdown in December, on almost all the systems the CPU latency went high. Now people are saying for every CPU latency that's going high, they're saying it's because Amazon is doing it, and one was actually getting attacked. Now again it's an assumption, that because I've seen, like, three systems where Amazon is patching, latency goes up, my resource utilization goes up; one guy
didn't realize that someone was actually exploiting his system, ok. So cloud security is all about, think about this: these two bugs in themselves, no one knew for two decades, everyone was good, ok. The problem with cloud security is not this; the problem with security is the ROI, or you don't know, you cannot quantify how good it is. If Intel would have patched, like, two decades back, like how big is this? 20 years later we know the impact, we can quantify it now, not like 20 years back, right.

Patch updates: like, again, a couple of months back when Node.js said all their versions are vulnerable to DoS and they are issuing a patch, there was, like, a time of 15-20 days where there was no patch. How do you go about it? How many of you actually knew about it? How many of you actually did something about it? Ok, not just patching the systems that are running, but let's say your whole application is hosted on Node.js and every version is vulnerable to DoS, how do you go about it is something we need to think very hard about.

IAM for all devices. The reason I am talking about IAM for all devices, IAM means identity and access management, is: do we have an inventory in place? Like the other example that I was giving, where a company was hacked just because they had a machine running, an EC2 machine running, for four years, is because when you are small, you have five people, you know everything, and there is a time, the moment you become 100 or 200, the point is now all the things that I was doing have been delegated to this guy, ok. Or I will give you a real example where we figured out, at a small company, one of the DevOps guys was running a gaming server on the prod server, a Counter-Strike gaming server on the prod box, and no one had any idea about it. This could be happening to any of us. How do you keep track of it? Or now anyone can be using it for mining as well, because they are the folks that are doing that, ok.

DDoS protection: again, a more than three-decades-old thing, still exists. Just moving to cloud doesn't help
you. A small scale of DDoS they say they can handle, but for others you have to handle, ok. Now the DDoS is not just the attack itself now; you have APIs all around. I've seen companies just go down because someone is abusing one of their APIs, ok. How you architect your system is again important, ok. Just think about this: one API bringing your whole system down, ok. I just can't name companies, for the naming and shaming, but because I interact with a lot of CTOs, I am telling you, things actually go, like, weird when these kinds of things happen, and you scratch your head, because while starting you didn't care about it; it's a small company, who cares? But you care, but not that much, and then when you hit it, security is not the most important thing.

Log analysis and correlation: here it's actually important. Again, this is not just a simple Splunk that I am talking about; it's actually far more than that. So you need to have a small engineering team to correlate all the logs that you have. So I will give you one example of Ola, this is just one instance of Ola I am talking about. Think about this: drivers are getting really smart, ok. Fraud could be at any level, ok. Now let's say our partner, what I will say, customer care calls are increasing for certain cases, ok, and we see a jump in one API. Now we know drivers are abusing a certain thing in a certain manner, just if you can correlate these two things. This is one very naive example that I am giving; you guys have far more valuable use cases. Now if you can keep track of what's happening, like if you could connect these systems, I am telling you, all the frauds you can actually detect in real time. It's just that we need to put in the effort to figure that out, which is actually missing from all of us.

This is just one example: like I was talking to one of the guys, like a CTO, and they said, hey, we have set up, so they set up their hosted GitLab. It was publicly available, protected by username and password, which was integrated with their LDAP,
so obviously no one can access it, though it was publicly available. A small misconfiguration issue was this: now the point is, by default when you set up a local GitLab, you can sign in with Google, with their Gmail, as well. With this I actually logged into his, not his personal, like, the company's official git repo, and I could see all the code, and there wasn't a log of it. Think about this: you think, hey, everything is protected, just one small problem, your whole code is gone and you can't figure that out. I logged in, I copy-pasted the whole code, you can't figure that out. And it's like the image experience itself: you think it is just one small thing, what are the odds of someone getting through it in one shot? And I'm saying the odds are way higher than you think. Just because you're on this side of the table doesn't mean someone on that side of the table is not smart enough. So cloud security is all about reducing the attack surface area: where this much is the attack surface area, you reduce it to this much, so that only very smart guys could get through; earlier a thousand guys could get through, now only one, but there is always a possibility that someone would get through, and probably in one shot.

A couple of goof-ups that happen: this and the next one are big ones, where I have tons of data on the slides, but I didn't want to miss out any of those. GitHub: I'll explain this just by another major unicorn company that got hacked two months back, where one guy, because this was a way too big organization, one guy committed some credentials in public GitHub, and I as an attacker went and exploited the system. It sounds funny, but think about this: when you have 2000-plus guys with you, you cannot keep track of it. What happened to them can happen to anybody, and it's not a breach in some fashion, but it's a breach in some fashion. Now how do you make sure that your guys, so again I'll give you one more example of, I'll skip that, but how about this, where, like, I wrote some awesome automation, I committed that
code to GitHub, obviously you need to show your awesome coding skills on GitHub. Now the only part that, because it had tons of code in it, the only part that was missing was it had, let's say, my corporate account password and username, and the whole thing works on SSO. How about that? Now my account gets compromised for every place, ok. So the aim here is you need to have a system in place, being in payments, that if one of you guys by mistake commits code to GitHub, you should be notified in real time. GitHub is just one example; it could be any place, like Pastebin, any place, ok, because people copy-paste the code outside asking a couple of questions, what happens, and that's your logic of doing something really important. Now you don't know, everyone knows that this is how you generate coupons; I'm just giving you an example, ok.

Third-party dependencies: again, how many of you can say right now you can name all the third-party dependencies in your company, from Kafka, Sentry, to logging, to everything? How many projects are being used, what else is there that has been used? Can any one of you say the whole inventory of third-party projects? No, ok. I'm saying that's what happened with Equifax. Like, can you say, like, you're using Apache Struts in a couple of projects, but can you name right now how many projects are using Apache Struts? No, and when someone exploits it, then you come to know. What I'm saying is you guys need to have a list of all third-party dependencies, which of them are vulnerable and which of them not, is something that you need to have, ok. At Ola we do maintain all of these things, ok, to figure out, ok, which are vulnerable, how exactly we are using it, how exactly we are not, what could go wrong, are the components that we're using vulnerable or not, ok. Something that I'll say for payments, it's actually a must.

OTPs, man, this one is a big one. I can't tell you, like, how many different kinds of OTP bypass I have found in my life. One second. I have seen code which says
1000 plus random 3, ok. I have seen so much code which is, I just call them "blacksmith code", in terms of, like, hey, my parent company has military security, and like it's a blacksmith code that's happening behind, like, 1000 plus this, or just changing one character. Now that's not how you validate OTP or generate OTP, ok. Even though you could say, hey, sign-up on my website happens via OTP validation, like, that's fair, but have you been sure that there is no bypass to that? Ok, I have seen issues where, just going a bit technical, people put the OTPs in Redis, and that cache gets cleared, and then there's no validation happening. I'm saying, understand, at the end of the day it's a guy who's writing code with a certain mindset and certain assumptions on how it's going to be used, ok, whether that code is running in an airplane or in a payment system, ok, and because I have written that code with certain assumptions, there's always a possibility for it to be bypassed, ok. That's all I'll say: how you generate OTP is really important and how you validate is very important. Like I'm saying, the Redis cache, I'm telling you, it gets cleared, or you spawn a new cluster, there are no things, and you're validating it at the end, just a code bug, ok.

Vendors: here what I mean is, obviously we have to use tons of vendors to send OTPs, transactional OTPs, login OTPs and tons of other things, to the customers. How exactly is your contract with them? What happens if they get breached? Because you say, for this one number the OTP is this, ok. I'll talk about just the biggest goof-up. It was one of the biggest banks in India right now; I'm telling you, like, a three-years-old story, where when you go to that 2FA page of the bank, you say I want to pay by credit card, ok, you go to that 2FA page.

Second is VPA resolution, third is the debit-credit leg, fourth is the acknowledgement leg. So I initiated a transaction from my BHIM app. I have, though, this goes to the UPI switch. Now the UPI switch is like the central
router, which is responsible for orchestrating this whole transaction, talking to different systems and helping the transaction go through. We have sent Vimal's UPI address, amount, encrypted PIN to the UPI switch; that's the first API, which is called ReqPay. From there the UPI switch, looking at vimal@ybl, the domain part of the VPA, knows, ok, I have to ask PhonePe for the actual bank account which is mapped to his payment address. So the UPI switch initiates a ReqPay request to the PhonePe PSP, where PhonePe, all PSPs, maintain this VPA to actual bank account number mapping. So PhonePe will have a table which looks like: vimal@ybl is a Kotak bank account, this is his account number, this is his IFSC; kiran@ybl, this is the bank account, this is his IFSC. So PhonePe replies back saying, ok, Vimal has a Kotak bank account, this is his account number, this is his IFSC. That's it, we are now ready to make a real UPI transaction. We have account numbers of both me and Vimal, we have the encrypted MPIN, we have the order details like amount. Now starts the debit-credit leg. So since I had an Axis Bank account, the first debit, the UPI switch is now responsible to go to Axis Bank and say, hey Axis Bank, can you debit Dilip's account, my account number, this IFSC code, with amount 5000? The debit request goes; the encrypted MPIN is now unfolded by Axis Bank, at that point it is verified, Axis Bank will have all their other checks, rate limits and other things; once it passes all those checks, Axis Bank replies back, ok, you can proceed, the debit is successful. Once the debit is done, now the credit part, where, since Vimal had a Kotak bank account, the UPI switch is now going to go to Kotak Bank and say, can you credit rupees 5000 in Vimal's this account, this is the IFSC code. This completes the credit-debit leg. If both of them are successful, the transaction is done. Now the notification part is left, which is notifying, since I am still waiting on my BHIM, waiting to see the
transaction status. The last part is the notification leg, where the UPI switch tells the initiating PSP, the payer PSP, saying, ok, the transaction status: success or failure. Irrespective of that, it notifies the payer PSP, and similarly notifies PhonePe, saying, hey, Vimal got rupees 5000 from dilip@upi. This is UPI in a nutshell; this is what happens under the hood each time you make a transaction in PhonePe, and all this in very good latencies; they have very good latency SLAs and these things, ok.

So some of you might be wondering, ok, we talked about the encrypted MPIN, but where are the two factors? RBI says all transactions should have two factors; where is the two-factor in UPI? So one factor is the MPIN; the other factor, the acquiring PSP is responsible for maintaining that other factor, which, most of the PSPs are using device fingerprinting and techniques like that. So in my case, since I had a BHIM account, BHIM was responsible for one of the factors, and the actual MPIN is verified by my core banking system, which is Axis Bank. In Vimal's case, since he was a PhonePe customer, PhonePe was responsible for his one factor and the MPIN was to be verified by Kotak. So we said this "encrypted MPIN" again and again, right? How is this happening? NPCI has provided an encryption common library, for both Android and iOS, which is responsible for capturing this 4-digit or 6-digit UPI PIN. It encrypts right then, at the source, so that even the PSP, even BHIM and PhonePe, can't see the UPI PIN. The encryption happens at the source and that again is unfolded at the core banking system. So this is the second-factor authentication. I think now we understand why they say, right, UPI is interoperable. Why is UPI interoperable? Because I didn't even have, I didn't register on the Axis Bank PSP, I registered on some BHIM PSP, I wanted to transfer to some PhonePe PSP address, he had a Kotak bank account and I had an Axis Bank account. This is, by the way, called
the 4-party model of UPI. This makes it interoperable: whoever is innovating on the PSP front gets the customers, whoever is providing good SLAs and all, maybe they retain their core banking customers, but anybody is free to choose their own PSP, and I think they have mandated for all of these PSPs to allow moving to some other PSP also.

So let's look at some of the possibilities. Since I have a short talk and I'll be rushing through the talk, let's look at some of the interesting possibilities. My favourite one is this: auto-debit, not yet launched, under development, UPI 2.0. Some guys in our office are already coding this feature up. So what is this? If some of you guys have already used SI on cards, credit cards and all, right, all these recurring payments become really simplified. Making a postpaid bill payment every single time on the first of every month, you have to key in your credentials, make that payment; all that will be gone. All a merchant has to do is say, hey Dilip, I want a recurring, the merchant initiates a request saying, hey Dilip, I want to debit 1000 rupees monthly, weekly, all these are configurable, and you have to authorize once using your MPIN; all subsequent requests will be happening in the background. The customer doesn't even have to key in any of his credentials again. This brings us very close to the zero-click payments which we might have seen in the US and these things, where now you don't have to worry: you are a frequent Uber user, just give a mandate to Uber and that's it, all your payments will happen. The Paytm-like experience is possible from your real bank account. This is the power of UPI. This is yet to be launched, and the customer is the king here: the customer can revoke the mandate at any point of time. It is mandatory for all PSPs to give an option for the customer to revoke all these mandates which he gives to the merchants.
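The four-party flow described above (ReqPay from the payer PSP, VPA resolution at the payee PSP, the debit leg at the remitter bank where the MPIN is opened, the credit leg at the beneficiary bank, and the notification leg to both PSPs), simulated as an added example. This is not NPCI, PSP or bank code: entity names, message shapes, the device factor held by the PSP and the toy PIN encryption are all assumptions, the sample accounts, VPAs and device ids are constructed, and the reversal of a failed credit leg is an assumption the talk does not cover. The switch also keeps a per-transaction status that a transaction-status API could read when a callback goes missing:

```python
"""UPI four-party flow (payer PSP, UPI switch, payee PSP, two banks), simulated.
Added example, not NPCI, PSP or bank code: message shapes, entity names and the
toy PIN encryption are assumptions; sample accounts and VPAs are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Stand-in for the NPCI common library keystore: only the library and the bank hold a
# bank's key, so PSP and switch code see the PIN only as an opaque blob. (Toy XOR scheme.)
_BANK_KEYS = {"Axis": os.urandom(32), "Kotak": os.urandom(32)}

def common_library_encrypt_pin(pin: str, bank: str) -> bytes:
    nonce = os.urandom(16)
    stream = hmac.new(_BANK_KEYS[bank], nonce, hashlib.sha256).digest()
    return nonce + bytes(a ^ b for a, b in zip(pin.encode(), stream))

def bank_decrypt_pin(blob: bytes, bank: str) -> str:
    nonce, ct = blob[:16], blob[16:]
    stream = hmac.new(_BANK_KEYS[bank], nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()

@dataclass(frozen=True)
class Account:
    bank: str
    number: str

class Bank:
    """Core banking: the only party that opens the MPIN; it stores only a PIN hash."""
    def __init__(self, name, balances, pins):
        self.name, self.balances = name, dict(balances)
        self.pin_hash = {a: hashlib.sha256(p.encode()).hexdigest() for a, p in pins.items()}
    def debit(self, account, amount, enc_pin):
        if account not in self.balances:
            return "NO_ACCOUNT"
        given = hashlib.sha256(bank_decrypt_pin(enc_pin, self.name).encode()).hexdigest()
        if not hmac.compare_digest(given, self.pin_hash[account]):
            return "BAD_PIN"  # a real bank also applies rate limits and other checks here
        if self.balances[account] < amount:
            return "INSUFFICIENT_FUNDS"
        self.balances[account] -= amount
        return "SUCCESS"
    def credit(self, account, amount):
        if account not in self.balances:
            return "NO_ACCOUNT"
        self.balances[account] += amount
        return "SUCCESS"

class PSP:
    """Payment service provider: owns the VPA -> account table and the device factor."""
    def __init__(self, handle, registry, devices):
        self.handle = handle            # the part after '@' in the VPA
        self.registry = dict(registry)  # vpa -> Account
        self.devices = dict(devices)    # vpa -> bound device id (the PSP's factor)
        self.notifications = []         # what the switch told us; feeds merchant callbacks
    def initiate(self, switch, txn_id, payer_vpa, payee_vpa, amount, pin, device_id):
        if self.devices.get(payer_vpa) != device_id:  # factor 1: device binding
            return "FAILURE:DEVICE_NOT_BOUND"
        enc_pin = common_library_encrypt_pin(pin, self.registry[payer_vpa].bank)  # factor 2
        return switch.req_pay(txn_id, payer_vpa, payee_vpa, amount, enc_pin)

class Switch:
    """UPI switch: resolves both VPAs, runs debit then credit, notifies both PSPs."""
    def __init__(self, psps, banks):
        self.psps = {p.handle: p for p in psps}
        self.banks = {b.name: b for b in banks}
        self.ledger = {}  # txn_id -> final status; what a transaction-status API reads
    def req_pay(self, txn_id, payer_vpa, payee_vpa, amount, enc_pin):
        payer_psp = self.psps.get(payer_vpa.split("@", 1)[-1])
        payee_psp = self.psps.get(payee_vpa.split("@", 1)[-1])
        payer = payer_psp.registry.get(payer_vpa) if payer_psp else None
        payee = payee_psp.registry.get(payee_vpa) if payee_psp else None
        if payer is None or payee is None:
            return self._finish(txn_id, "FAILURE:UNRESOLVED_VPA", payer_psp, payee_psp)
        debit = self.banks[payer.bank].debit(payer.number, amount, enc_pin)
        if debit != "SUCCESS":
            return self._finish(txn_id, "FAILURE:" + debit, payer_psp, payee_psp)
        credit = self.banks[payee.bank].credit(payee.number, amount)
        if credit != "SUCCESS":
            self.banks[payer.bank].credit(payer.number, amount)  # assumption: reverse the debit
            return self._finish(txn_id, "FAILURE:" + credit, payer_psp, payee_psp)
        return self._finish(txn_id, "SUCCESS", payer_psp, payee_psp)
    def _finish(self, txn_id, status, *psps):
        self.ledger[txn_id] = status
        for psp in psps:  # notification leg, sent on success and failure alike
            if psp is not None:
                psp.notifications.append((txn_id, status))
        return status
    def status(self, txn_id):
        return self.ledger.get(txn_id, "UNKNOWN")

def build_world():
    """Constructed sample: Dilip (BHIM, Axis account) pays Vimal (PhonePe, Kotak account)."""
    axis = Bank("Axis", {"AX001": 20000}, {"AX001": "4321"})
    kotak = Bank("Kotak", {"KT001": 1000}, {"KT001": "9876"})
    bhim = PSP("upi", {"dilip@upi": Account("Axis", "AX001")}, {"dilip@upi": "dev-dilip"})
    phonepe = PSP("ybl", {"vimal@ybl": Account("Kotak", "KT001")}, {"vimal@ybl": "dev-vimal"})
    return bhim, phonepe, Switch([bhim, phonepe], [axis, kotak])
```

Running `bhim.initiate(switch, "T1", "dilip@upi", "vimal@ybl", 5000, "4321", "dev-dilip")` on `build_world()` moves 5000 from the Axis account to the Kotak account and leaves a `("T1", "SUCCESS")` entry in both PSPs' notification lists; a wrong PIN or an unbound device never reaches the credit leg, and the PIN is only ever decrypted inside `Bank.debit`.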
Second interesting thing: this is something, there's a sort of a hack which merchants can do. Merchants can request a flexible VPA from their PSPs, saying, ok, whenever there's a payment to the payment address which is of the format LIC-hyphen, let's say a 6-digit number, please forward it to me, where LIC will see, ok, this is my policy number. Let's say 0112358 is my policy number; each time I make a payment to that VPA, automatically my premiums will be paid. Similarly a recharge will be as simple as R-hyphen-your-mobile-number-hyphen-your-network@paytm, and boom, your recharge is done. Merchants can request this from their PSPs; all this is possible.

Third one, UPI on delivery. This is also interesting, like, things like we were doing a pilot in Bangalore with LPG and the petrol pump guys, so providing a UPI solution. What we did was, on the day of delivery we send a collect request, a pull payment request, saying, hey, your gas is going to be delivered today; if you want, pay via UPI, 500 rupees. And we saw, just by doing that, we could convert at least 10% of the overall transactions. We didn't give any offers, just by giving that flexibility. A lot of interesting use cases can be built. In one of the regions in our pilot, what we saw was when the LPG delivery guys wore the static QR codes and went to the houses, they could convert 40% of the overall cash transactions into online. None of this was run by offers or something.

If some of you have not yet integrated UPI in your app, there are two ways to do this: one is the in-app payment, second is the collect request. The building blocks remain the same: you have to go and create an account with a PSP, like Axis, HDFC, PhonePe, you have to create an account with them, they will probably share some API keys with you, which the merchant server, using these API keys, has the right to access to talk to the PSP servers, and optionally you might integrate a UPI SDK in your merchant app. This is roughly the
architecture for both the approaches. So in-app payments: here your PSP will give you a UPI SDK, which is roughly about 500 KB in size. The good thing is you don't have to worry even if your customer is not already on UPI; you can do in-app registration and make the payment. The bad part about this is you have a 500 KB bloat which will come into your app, and if you are really concerned about the size, maybe this is not the right choice. The flow looks very simple: invoke the UPI SDK with the order details, saying I want to collect rupees 500; the UPI SDK does all the heavy lifting of talking to the PSP server, talking to the common library, and finally responds back with the status to you, which you can, again, you are advised to go and check with your server what the current status was. Second is the collect request, where Uber started this way, where, let's say you are still experimenting, you are not sure whether to go all in on this network, you can do just a two-API integration: one is the collect request API and second is the transaction status API. With this you will be able to collect. So you have to ask the customer to enter his payment address; at this point a collect request will be sent to him, he has to open his PSP app and make the payment, and meanwhile you have to constantly poll for the transaction status. The problem with this is there is this app-switching cost; you might lose out on your customers, but if no increase in size is your criterion, this is the way to go.

So after having integrated with the UPI stacks of nearly 10 to 15 banks, we have some learnings to share. One of the key problems which we saw is this missing acknowledgement problem: the part where the PSP server is supposed to tell the merchant server, saying this transaction was successful, this was a failure, right. What we saw is, surprisingly, for at least 10 percent of the transactions we didn't get callbacks from the PSPs, and this results in a very bad customer experience, as the payment has already happened,
but since you don't have a status, you show that the order is still in pending state. A way to fix this, which is sort of a hack, is ask for a transaction search API or a transaction list API from your PSP, so that you can ask your customers, ok, key in your RRN and I'll look up the system. It's like push versus pull. And settlements: still, a lot of banks are having manual settlements; though it's UPI, instant, they don't typically provide instant settlement, but you can always request. The problem with that is you will have your bank statement with a lot of these small entries if you have small transactions going on, but you can always request an instant settlement, where you will get the money instantly in your bank account; otherwise these bank systems are still evolving, they take, typically settlements are delayed, which is not acceptable for small merchants, at least from our experience.

Either drink chai or drink coffee: if you'd rather drink coffee, please stand. Alright, wow, it's about a third, maybe a third, maybe a quarter. Alright, so the next question: would you rather skip dinner or skip lunch? Beach, or visit the mountains? Mountain people stand, beach people can stretch out. And one last one: would you rather speak a new language or would you rather program in a new language? Programmers stand up, speakers stay seated. Yeah, I kind of figured this would be the big one. Alright, it looks like we are just about ready to start. So as I was saying, this is an overview talk on the state of UPI. Srikanth has been tracking UPI and various related developments closely since UPI launched; he's going to give us an overview of the ecosystem with an emphasis on what happened in 2017 and what's coming up.

Hi, quick introduction: my name is Srikanth. I am from a volunteer initiative called Cashless Consumer, which aims to make consumers stakeholders in the payment system. So we track closely every paytech development and put together the consumer perspective into that, so that it makes the products consumer friendly
not just in terms of user interfaces but the overall experience. A couple of disclaimers. One is a technical disclaimer: I am not from the payment industry, I am an outsider, I am a consumer, so whatever access to knowledge I have is from second-hand information and publicly documented specifications, documents, whatever is there on the web, and I don't have, say, industry inside access. So I could be factually wrong, so if I am wrong please feel free to correct me. And then the political disclaimer: there are a couple of things. I am talking about UPI, so the majority, not maybe in this room but outside, think that UPI is the government's product, but it's not; it's a product of a private company which is in the job of settlements and which is formed by a bunch of banks. And so here we are talking not about, say, the country's platform; it's a payment platform by a private company, let's get that clear. And the other political disclaimer is, in the technology world, just around the other body, they talk a whole lot about decentralized systems, that's the Bitcoin, ICOs and all that stuff, whereas, like, we see that UPI is a fully centralized system, so to speak. So there may be differences of opinion on that, so I am not going to go into that. So if you are into that debate, like, we will probably not talk too much about it; we will probably get started with the understanding that this is a centralized system, but, like, I may have my own political opinions on that. So on, say, the centralized versus decentralized debate and the privacy-security debate and those things, I will try to be an observer from a distance, but please, apologies if I hurt your sentiments.

Ok, with that, we will see a quick overview of what we are planning today. We will make some platform observations, like how the overall UPI as a platform or an ecosystem is progressing, and what I learned from some of these NPCI circulars which are there in public on the NPCI website, and, like, how to read between the lines and know
what's happening in the UPI ecosystem, right. And I will also make some technology observations. Technology observations would be like reading through the specs, or how a product is being implemented, and, like, so that could be like the design choices that are either technical and how it impacts the user. And also we already talked about, like, a bunch of UPI integrations, so we will see how UPI integrations have gone and what sorts of design choices they have and how they impact usability. And then we will talk about consumer observations, so this is like the typical consumer experience. So he just said, like, 10% of merchants don't get a callback, and that results in a poor end experience for the consumers, right. So in that environment, what's the grievance framework, what's the regulatory framework for disputes, and how long does it take, and things like that. But even when that is the side, there are still a lot of people loving it, simply because it makes their payment seamless. We will see, like, why people are loving it, and then we will see into the data debate. So there is a whole lot of discussion around, say, privacy, security of data; besides that there is the concept of, say, centralization and what impact it could have on your privacy, right. So we will see what the consumer observations on that are, and we will have a sneak peek into what's coming in UPI v2, right.

So firstly, like, we will see what UPI by numbers is. There are 67 bank issuers. So this means that if you are a customer of one of those 67 banks you can install any of these UPI apps and get started transacting in UPI, and this is probably a larger number in India, because typically in the mobile banking world, say the top 10 banks had rich apps, and then, say, the next 20 or 30 banks would have some sort of an app where you can transact, and that too maybe in a limited manner, but say not to merchants and things like that. But this number of 67 banks is the largest in some sense, although IMPS to an
extent has more apps as well. Then there are 44 VPA issuers. To understand this we need to understand the notion of who is a payment service provider and who is a bank. A bank is where you store your money, but a payment service provider is a service provider with which you interact, and through them you can transact the money that's stored in the bank. They may be the same, so the bank can be a payment service provider, but, say, non-banks can as well be a payment service provider. So there are these 44 payment service providers who have direct access to the payment infrastructure; they are called the VPA issuers. In UPI you have a VPA where you say vimal@upi or something, so that's the app portion; there are 44 different entities that are issuing IDs like that, they issue 56 IDs, and there are close to 75 apps. We will quickly see what these apps are.

A small distinction: there are three non-bank PSP partners in UPI. That distinction will probably be covered in tomorrow's talk on regulation, as to how banks own and control payment systems and how there are other entities, let's say Google Tez and PhonePe and BHIM. These are the three entities which technically do not own a banking license but still have direct access to the payment and settlement infrastructure through partnership agreements, and numbers like this are the larger numbers of the entire UPI volume and value transacted over the year.

So there are 75 apps. What are these 75 apps? Why do we need 75 apps to begin with? When we look closer, 49 of these apps are by the banks themselves. Remember there are 67 banks that are UPI-enabled, but not all banks need to make apps, since any app in the UPI ecosystem is supposed to be interoperable with any other UPI-participating bank. So 49 of these banks have launched their own apps, and 8 of these apps are
specifically focused on the merchant acquiring experience. These are not the consumer apps which we use; this will be for the merchant or point-of-sale counter, so instead of a POS machine they could just install an app which can then accept UPI payments. So 8 of these apps are focused on merchants, and there are 19 deep-integration apps. This could be Ola, Uber, Samsung Pay or Truecaller, all these apps which have their own functions but also add UPI into their app as an integration, either for their own payment needs or, say, for expanding the UPI footprint. And while we say this, over the last year there are 3 apps that have also shut. This is because this is a very crowded market; there are a lot of these apps, and probably some companies which did not see value, or how to make business sense out of this, went shut, because beyond a point paying and receiving and making value out of it is very difficult in such a crowded market. The average app update frequency is somewhere around a month, so if you are using an app which has not been updated for a long period of time, it's probably time to change the app, because there are 75 apps and there are apps which are well maintained.

Some platform observations. One is that this is a digitally inclusive platform. I made the point that 67 banks have onboarded; some 10 to 20 banks are cooperative banks and, say, rural banks which don't necessarily have any digital infrastructure well in place which can interact with the entire one infrastructure. So all the customers of these banks were previously probably having only a RuPay debit card, which was not possible to transact online in all places, with which they could probably transact at a limited number of merchants. Now they have the ability to transact through the Flipkarts and Amazons and wherever UPI is. So that's the inclusion part. And multilingual
payment apps. Around the time of demonetization there were hardly 2 or 3 apps which were really multilingual, so beyond English the entire payment experience was restricted pretty much to a person whose knowledge is only in English. But now there are probably a dozen apps which have multilingual interfaces, and this is becoming a new norm, so that any new payment company that comes in is probably also automatically getting into multilingual payments. And although in the entire one population P2P transfers were still at a nascent pace, only the techies had been using a lot of these apps, including say even Paytm, before demonetization. So it was probably not very common for your parents to use something like this prior to demonetization, but UPI brought a lot of these people into installing these apps and trying them out, and the biggest advantage for them is they didn't lose the comfort of storing part of their money in a wallet they didn't trust much; it's still in their own bank which they trust better. So, as I said, UPI decouples the UX to the payment service providers, who could probably build better apps, but still inside a banking model. In terms of commercial agreements or anything, you still need to have a partnership agreement with the bank, and only through that license could you get access to UPI.

What it also did was this: a lot of these prepaid instruments or wallets were having a lot of these transactions being made digitally, and banks were actually losing on that front; UPI made a shift of moving the volumes of PPIs into UPI. And it's actually a myth to say that interoperability didn't exist in wallets before, because interoperability means, say, moving money from your Airtel Money wallet into your ICICI Pockets account. Now many people might think that this was not possible before and only UPI could make this shift, but it's actually not true, because at least both these
wallets have cards supported in them, and you could transact money from one of these wallets into the other. So interoperability did exist in a limited way, but UPI used it among the banks so that you could transact through any app. And the next roadmap on UPI now has wallets on UPI, so wallets will soon be integrated into UPI; they'll probably become payment service providers, or they may even at some level be treated at par with banks over the course of time. That's to be seen, what sort of integration wallets will have and how they will get into UPI. The initial phase one would be only wallet-to-wallet interoperability; in phase two, when the full KYC is done, probably wallet-to-bank integration would be done.

Then the next observation is that UPI is also touted to be the most developer-friendly or developer-first product, having a lot of these APIs which developers can consume easily and build apps faster. But what we've seen is, while there have been integrations happening between these apps, they've not been at the scale where UPI has been. UPI itself, the consumer base, has exploded like anything, you have these millions of users installing apps and transacting, but when you come to the business side of things, the app integrations, there haven't been enough deeper integrations, and the payment experiences still remain largely the same, and probably in some cases worse. I'll take an example on IRCTC of how it's actually much harder in UPI. But on one observation, there is this new digital chit fund app which is based on UPI; this was probably not possible before UPI to build as quickly as they've done. These are the sort of integrations or applications that could potentially come out of UPI, although it's not rolling out as fast as expected.

Then the other thing is about: is it UPI or BHIM UPI? Because recently, UPI was
the centralized payment platform that was launched, and BHIM was actually one of the applications in UPI, but recently they just changed the convention; they just called everything BHIM UPI. Let that be. But the point here is, now UPI as a platform is a much larger platform covering all these 46 payment service providers, and BHIM is one of the payment service providers, and if you look at the market shares of the transaction volumes and values, BHIM has actually emerged as a service road kind of thing. You have this 6-lane toll highway which is super fast, and then you have a service road parallel to that, so BHIM is emerging as that service road. You have the global big tech players, Google has come in, WhatsApp is going to come, then there is the Indian pay-tech, you have the Paytms and PhonePe and also a lot of these startups, and then there are banks again, big and small; you have the ICICIs, HDFCs, and then a bunch of small banks. All of them are in this ecosystem, and it is tough to predict what is actually moving this ecosystem at what pace. There have been a bunch of issues in the initial days, one of which is ICICI blocking PhonePe; there has been friction between the banks and payment service providers, and between banks themselves, and all these were solved through some sort of rules and regulations around interoperability. Of late there has been a recent tussle around capital dumping: are all the volumes and values bigger because there are more cashbacks? There are few companies which have the bandwidth to dump capital into cashbacks, but we will see how that goes.

Then I will quickly walk through these circulars. The interoperability guidelines meant that the apps were seamless: any app to any app, any PSP app to any PSP app works. And one interesting observation is that UPI never had a chargeback policy. Unlike cards,
which had a chargeback policy where you could dispute a transaction and then it gets reversed, UPI never had it until recently. They recently announced that a chargeback process is in place, and it may take at most 60 days for you to get your money back for, say, a transaction which you dispute. Also, Dilip explained how multi-tiered this entire process flow is when a transaction happens, and that causes a lot of technical failures, so banks have been asked to improve their infrastructure to make sure that technical declines and failures are reduced to 1%. There is also one more circular which says that you have to do your due diligence before balance check is enabled in third-party apps. Now why should my taxi company app which has integrated UPI even have the feature to check my balance? Is that even a valid use case? This is probably happening because now banks have become more cautious around data and data protection; they don't want every application to have the same sort of access, and they are asking banks to do the due diligence.

Technology observations: we will quickly see platform tech observations, the application observations, the QR story, POS and the integrations. At a platform level, UPI technically has something called an equivalent of one-time virtual net-safe cards, which is like a use-and-throw VPA, but sadly very few, 2 or 3, apps support that, and even they are not very usable, so for an end user there is not much of a privacy option that exists in reality. UPI also has support for cards and wallets, and it can also technically work with any other settlement system. Right now it works with the IMPS settlement system, which has its own merits and demerits, but it can technically work with other settlement systems as well.

So what are the observations on apps? Every app will have these common features: pay, collect, create a VPA, show a QR code, scan a QR code. All these are pretty standard features
across all these apps. There is this bill-splitting feature which was probably there in all the UPI apps but never took off; socially we are not convinced about the concept of splitting bills, we probably don't split our restaurant bills as often as people do in the West. Then all these apps have reminders to pay bills, and these apps also have bill payments integrated through BBPS, so you can pay all your mobile postpaid bills, electricity bills, utility bills. They also have card payments. They have pay to Aadhaar; a small observation here: pay to Aadhaar is very unsafe, in the sense that you key in an Aadhaar number and the response to that by the bank, to confirm that this payment actually happened, sends back the Aadhaar number in plain text. And accessibility features, so this again is one of the factors that has improved because a lot of these apps want to differentiate themselves; BHIM for example has a TalkBack feature which lets a user use TalkBack instead of seeing the screen.

QR codes. The bigger promise on QR codes is that everybody will keep scanning and paying, like the Chinese revolution that happened a couple of years back; people expected that to replicate in India, but sadly QR codes are largely used to identify VPAs at most. When they are used, there is a lack of certification among these apps, so this actually breaks the function: if I create a QR code based on the specification, any other UPI app is also supposed to support it, but in reality it doesn't work, and that causes friction. There are fewer merchant establishments actually showing the stickers, because there is an unclear strategy even within the banks themselves as to whether to use UPI or Bharat QR, and what the merchant incentives are, the merchant discount rates and stuff like that. So UPI thus has the Bharat QR integration; a detailed
post is out there in the handbook of what this integration is about, but Bharat QR is still a non-starter, because again the MDR and the discussions around incentivizing payments for the banks are still a discussion between the government and the banks. Then there is also audio QR, so Google Tez lets you transmit the same QR information through audio, so you can technically make an audio payment, and potentially very soon you'll probably also have voice-driven payments.

Next is the UPI POS thing. This is an interesting feature from the ground up, because merchants always want a paper receipt, and they were far more comfortable with the POS machine because all the employees are trained on POS machines. So they actually innovated the existing POS machine to make it smarter, to add a UPI option which lets the POS machine show a QR code which a person can scan with the UPI app, and that actually prints the confirmation. It's a success for the merchant, and that's one hack, but this has not seen much adoption in the market, maybe because there is not much awareness among people and merchants. The other thing that PhonePe is trying is this calculator POS; we need to see how that goes. And the MDR debates are still continuing; that's the crux of the debate: who will pay the MDR, whether the merchant has to accept the charges or the government. Is that really helping? Currently it's not; probably a clearer policy might help.

We'll quickly see what kind of integrations are there in UPI. We have the payment processors; a lot of these payment processors have UPI options, so they ask you to feed in your VPA and they'll send you a collect request, and all you need to do is take your phone, say approve, enter your PIN, and the payment completes. This is probably easier, but we'll come to the hard case of, say, IRCTC. Everybody here would know that IRCTC is like a war zone; you need to make everything quick there, right? But
UPI actually makes it painfully slower, because it first redirects to a page where you need to enter the VPA, then you need to take out your phone and wait for the collect request notification to come, and once that comes you open the app, enter the app PIN first to open the app, then enter the UPI PIN to authorize the transaction, then wait for that browser screen to actually detect whether this payment is a success or failure, and then move to the payment confirmation page, and after that is where the IRCTC ball comes. Now this is actually a very convoluted process; for making this payment simpler there are some efforts being made to make this slightly better, but that still won't solve it, at least for IRCTC.

We'll then see the app integrations. Some of these apps, say Uber and Ola, have tighter app integrations, but even some of them actually send out collect requests. The problem with that is the collect request is sent out with an expiry time, so the collect request more or less expires; typically in the case of Uber you take a ride, you don't open the Uber app again, and you open the Uber app only the next time you want an Uber. This problem exists with cards as well, with two-factor, and this is not solved with UPI; probably it may get better with the e-mandates or pre-authorized payments. There is also this VPA creation help: every app that has got tighter integration wants you to create a UPI VPA. That's not always necessary; you can actually take an existing VPA and use it, but that's a problem in the integration strategy of that particular app.

We'll quickly see some of the user risks and attacks: auto-creation of VPA is one risk, then spam control and fraud. On auto-creation of VPA: BHIM auto-created VPAs with the phone number, and since the UPI spec also has that if you provide a VPA it will give you back the original verified name of that person, that
became a privacy issue, and then they plugged it with an option to disable such auto-created VPAs. But even today a large number of PSPs do auto-create VPAs based on your mobile number, and the reason they give for that is that it's too complex for these people to even understand the concept of a VPA, so we help them get started automatically by auto-creating their VPA, and that has its privacy implications as well. Google also auto-created VPAs with the Gmail ID, so if you have ever used your own Gmail ID on this, it would have been created with your email ID. What this actually means is, for an attacker, if he knows your Gmail, if he knows your phone number, he can predict your VPA and he can raise a collect request. And we'll see in the next slide that even when that is not the case, there are attacks of a different kind. In a VPA you actually have the ability to raise a collect request, that's the pull mode, right? So anybody can raise a collect request to anyone else; if I know your VPA I can raise a collect request. Now what happens is, if I'm a stranger I'm spamming you, so you can do spam control and say block all the requests from this particular handle. Now that works if I'm a person, but what if I actually use an e-commerce site? A case in point here: somebody has actually harvested my VPA, so there is a list, a database of VPAs, out there already in the grey market which has my VPA, which I've never actually transacted with. The only place I put this is on my blog, where I used it as an example, but this VPA got harvested; somebody is actually using it through Flipkart and they've actually raised a bulk payment of 76,000. This is probably some LED TV or something, and the best part is even Flipkart does not know this, because they can't technically know from where it was raised, although if, say, deep log monitoring is actually in place we
could trace it out, and in one case I did actually trace it out and it happened to be some guy in UP. So these attacks are real, and we need solutions for this. There are partial solutions but they're not enough, for the fraudsters are always smarter, right?

Then we'll look at the large-scale frauds that have taken place in UPI. One is the UPI hack in one of the banks, which was possible through a factor that they didn't have a reconciliation process. What was happening was a bulk of payments were processing and the other party was getting paid, whereas no money was getting debited from the account from which the transaction was made. This was later discovered, and they found some 25 crore worth of transactions were happening through this. Then there is also this new SIM attack: in UPI, a bunch of guys who were with the bank colluded with some criminals, and they got a new SIM card, and they also had the debit card details, so they could set the UPI PIN and they transacted. So UPI probably needs to take a lot more measures against this. They did try something called the BHIM cyber security hackathon; some 1500 people registered, but nobody ever heard back after that, so we don't know what happened, and in fact that probably also has some amount of these hacks listed there. I don't know how that is getting fixed, but essentially a lot of security education is required among developers and users, and also certification to help get the apps certified.

You'll see the consumer observations on regulations, like the grievance literacy mechanism is in scaling. The problem right now is every other transaction is failing and people are going to tweet it. I have this joke: people now every now and then tweet to the Prime Minister saying that this transaction failed in BHIM. The reason for that is, again, as Dilip said, these are multi-party systems and you need to have a high degree of reliability,
reliable systems, and when one of the systems in the chain breaks, the transaction fails. So that is one on technology scaling. The other thing is, even if the failure happens, the operations of the banks need to actually scale the support to at least respond to the support request. Actually every UPI app has a dispute management section, but you'll find that hardly a few banks or a few PSPs respond to that, and even when they respond they'll say we are still looking at it, we are still looking at it. So a lot of these consumers are actually frustrated and they are probably dropping off the payments. What we also need is more open data on QoS parameters of banks: are their servers up and running at 99.99, or what percentage is it; and service delivery, is the transaction processing going through fine, what's the percentage of failures, and what's the grievance handling mechanism, the SLAs. All these things need to be open data, and not just that, the open data around the operations of the network provider itself; NPCI itself needs to provide open data about the QoS parameters of the UPI switch.

But why are people still loving it? A large number of people actually use it; this can be seen in the volumes, although one might say that a lot of these volumes are because of these incentives. The truth is somewhere in the middle, where a lot of people are actually finding value in using these instant payment systems, and it's also because this is the only payment infrastructure which is instant and widely available, and it's a monopoly, so obviously people are going to use it when there are no other choices, because any of the others still takes a few hours at best. UPI will continue to grow and people will move to UPI because it's instant, until they reach a point maybe where they see the support is not up to the mark.

We'll talk about concerns. There are concerns about data centralization. If you see the UPI
architecture, every transaction that you make gets logged in a central system, so that could form a very detailed profile of your transactions, the data of which can be used in multiple ways. That's one big concern. The next thing is terms-of-service loading. If you attended or caught up on last year's talk, we saw that a lot of these terms of service are very complicated and they load phrases, and we did highlight that we need simpler terms of service which are actually clearer to the consumers and which companies can't obfuscate. And after a couple of months of that, the BHIM app did a terms-of-service overloading where they said: you authorize permission for us to monitor calls between you and other users of UPI, which is essentially a phone-tapping agreement, right? You authorize them. And then they corrected that, saying that when you call our call center then we can monitor your calls, at which point NPCI did not even have a call center to begin with. But this is still a concern; we can't keep watching all these terms of service day in and day out, we need to find a better way of how we can do that.

Then there's this whole notion that a VPA gives you privacy, but at two levels: a VPA gives privacy only to the transacting party and not to the network, so the network still has centralized data about your transaction trails. The reason for that is UPI was probably designed a few years back, before the Supreme Court judgment, and UPI needs a privacy-friendly architecture. There will probably be questions that UPI is highly efficient because it's centralized, and decentralized systems like Bitcoin are burning all the energy and are inefficient, and centralization in settlements has always been there in banking, but we need to figure out whether privacy can still exist in some sort of centralized settlement architecture. Now if you've seen IMPS, it also has a similar architecture, but it's
slightly more privacy-friendly. There are protocols like intelligent multiple settlement entities, settlement modes; these are some of the solutions. This is something about what I did; any coincidences with what somebody else is doing at a much bigger scale are merely coincidences. We call this metadata surveillance, but people then say, no, it's not metadata surveillance, it's fraud and risk management. Now as Cashless Consumer I did it to myself: I am actually collecting data without any actual intelligence or actioning on that data. I'm tracking all these UPI apps day in and day out; there's this tracker sheet which lists all these apps, their features and stuff like that. I'm also logging, there will be a tweet from this handle every day as to which app got updated, and I'm logging all the metadata: what's the app rating of each app, what's the new update, what's the recent update on the app, and what's the recent message that they have put on the app update, and all these are getting logged. So again this is data amassment without any actual intelligence or action; I'm just dumping all the data. I'm not saying who else is doing this.

We'll quickly peek into UPI v2. What are the features? One is Aadhaar authentication for transaction authorization, so instead of the UPI PIN you'll use Aadhaar. The e-mandate I believe will be covered in detail in the next talk, and signed intents is the other feature, which could probably let you open the app directly if it's an authorized merchant. Aadhaar authentication is going to be too complicated; you need to have an on-the-go pen drive with an Aadhaar device, and that needs to have another app which encrypts your biometrics, and all these things need to be there, and the usability of this is simply just not there. You don't want to plug in an on-the-go device with a biometric reader and then use the biometrics, even if you believe in that, and then the context switching between the apps just to do the authorization is
just too hard. This can probably never work in a secure way, in a privacy-friendly way and in a convenient way. Maybe if we are 5 years down the line there may be a situation where secure voice biometrics is actually there, where authorization is also through your voice biometrics, but we are still not there today. E-mandates will change the way EMIs are done. There's also the option of push and pull mandates, something similar to push and pull payments, so it's not that you always need to sign up the EMI form; your provider can sign up and you just approve. This also has a QR, so you can probably scan QR codes on a website which does, say, subscriptions, and you can do one-click or two-click subscriptions. Use cases: taxi rides, so pre-auth payments for taxi rides; UPI, Paytm already existed, and they are right now bringing that back into UPI itself, so your taxi rides can be automatically paid; and say food delivery subscriptions. The biggest bet for them is consumer durable EMIs. Right now you have to fill up forms to get these EMIs, or some cards offer you at the checkout to convert them into EMIs, or now you need to call up customer care; all that's going to be history with UPI mandates which can do EMIs. But this also has some concerns: are mandates valid without signature? You are actually liable for your mandates, and a mandate bounce is treated at par with a cheque bounce, so that could affect your credit score, and technically a merchant can do criminal proceedings against you as well. There are a lot more grey areas around eSign as well which need to be discussed deeply. Signed intents: again, we are moving into a world of audio QR, NFC, Bluetooth, where you don't actually see what's coming in over there; there's a possibility of man-in-the-middle attacks, so they are going to hash the entire intent, and that hashing goes through a signature which is given for the
pre-approved merchants. So that's the signed intents part of it, and that's it. I think we are having the Q&A together later, so I'm off. Thank you.

Thank you Shikant. You have office hours today from 2 to 4, so if people want a face-to-face session you can catch him upstairs in room 1. Our next speaker is getting ready to come to the stage. While he does that, I want to remind you that if you were one of the first 100 people through the doors today you would have received a coupon to redeem for a t-shirt that is available during the lunch hour. Also, if you registered late and we did not have your badge for you this morning, badges will also be available during the lunch hour and you should please go pick yours up. Atma is really quick at setting up, this is great. I'm going to introduce him then. Atma Krishna is from LotusPay and he's going to be doing another technical deep dive, so it's a good tech talk, a long one this time. He does have a Q&A at the end, so if you have questions; he also is running office hours this afternoon from 2 to 4. Alright Atma, are you ready?

Thanks. My name is Atma and I'm the founder and CEO of LotusPay. We are an aggregator for NACH debit, and I will explain what NACH debit is. We're going to talk about recurring payment collection methods. This talk is focused on how businesses can collect recurring payments digitally in India. We'll cover what NACH debit is, why you should use it, how it works, how to design the subscription logic that underlies the actual recurring payment collection, how you can actually get started, what the customer's experience looks like, and at the end we'll touch on how it compares to the other upcoming recurring payment collection method, which is UPI 2.0.

Traditionally, collecting recurring payments in India has been quite challenging through these existing methods. Paper-based NACH debit: this is a physical mandate, it looks like a cheque, it's 8 inches by 3 inches, it contains the customer's details
and you need to take their signature. Once you've taken their signature you send it to your bank, your bank sends it to the customer's bank, the customer's bank will verify the signature and activate the mandate. So the logistics of this are quite expensive and cumbersome, and there's up to a 27% signature mismatch rate, so paper-based NACH debit isn't great for most businesses; it's traditionally been used by the lending industry. Cards: cards are doing much better now; payment aggregators have started to implement recurring payment methods on standing instructions on cards, but they're still expensive, and also they have the challenge that cards do expire, they get lost, they get stolen. And when you're actually asking the customer, if it's not a standing instruction, if you keep asking the customer to pay, then you're also reminding them to cancel, so a true recurring payment method is one that never asks the customer to pay on a regular basis. There is an exception, as I mentioned: some large utilities like Airtel or electricity companies do deep integration with banks and they take standing instructions on cards. Then there are payment gateways who are able to start doing standing instructions on credit cards, and UPI is coming up. For other push payment methods like wallets, UPI, net banking: push payment methods require the customer to initiate the transaction, whereas NACH debit and UPI 2.0 truly are pull-based payment methods; the business is pulling the money out of the customer's account. So what is NACH debit?
it's a way to keep getting paid and it's easy, quick and secure it's an NPCI payment system so most of you must be familiar with the National Payments Corporation of India it's a private organization owned by the banks it owns about half of the payment systems in India and all the payment systems are regulated of course NACH debit replaces ECS so ECS has been around forever NACH debit replaces it in the last couple of years with the national clearing system it basically means direct debit of a customer's bank account it's been traditionally done on paper as I mentioned but now it's transitioning into an electronic mode and there are about 30 or 33 banks today in fact who are live as e-mandates as destination banks for e-mandates destination banks so the key features are that it's paperless, it is now paperless there is still the paper method available but now there's the e-mandate method available it's the cheapest by far recurring payment collection method in fact I'd argue it's actually the cheapest payment method by far of recurring or non-recurring it's very very secure because it's a bank's payment system it doesn't require any aggregator as such but there are aggregators like us who do it it's also great for customers because they just do a single initial authorization and that's it, that's their touch point then they forget about their recurring payment recurring bills and you don't have to bother them it's great for businesses because you can collect a variable amount or a fixed amount you can do it regularly or irregularly and right now what's available is e-sign mandates which is an andar e-sign created on the fly, I'll explain but what's coming soon is another type of NACH debit e-mandate and it's called the API e-mandate which is initiated on the customer side by either validating through a debit card and PIN or through their net banking login so this is coming soon, this is not ready yet but it's called the API based e-payment method so what's 
available now is the eSign based e-mandates. It's good for businesses because you don't need to do a lot of security work, especially if you're going through an aggregator. So it's not great in all scenarios; let's cover when it's good and when it's not so good.

It's great for high volume, small ticket payment collection; that's why it's been used by the lending industry traditionally. It can be used for any size, but small ticket is particularly useful because of the ultra low cost. It's very, very secure because it's a banking payment system. It pulls, so it doesn't require the customer to push a payment. It has legal standing. What this means is that it's an electronic payment system, so it's covered under the Payment and Settlement Systems Act, and it's also covered under the Negotiable Instruments Act because it's a customer authorizing a debit of their bank account. And what that means is that under Section 138 the creditor, the business in this case, is afforded the legal protection which is afforded to cheques, for example. So if a customer defaults you have the right to initiate legal proceedings; so it has a legal protection in that sense. It's mass market: you can use it with anyone because they just need a bank account; there's no smartphone required. It just requires a signature from the customer, either a physical signature or an electronic signature. Right now it works with Aadhaar, so you can do it with consumers; soon, with the new API mandates, it will also work with corporates too, so one business can collect payments from another business.

It's not great if you need instant confirmation: the Aadhaar eSign based mandates require some time for the destination bank to authorize the mandate and come back to you. It's not great for e-commerce, because in e-commerce generally you require instant authorization, and it's not great for point of sale; so if a customer is in a shop and they want to do a recurring payment it's not really suitable for that. It's not great for push payments, so it's not easy to initiate it from the customer's end; it's traditionally initiated from the business end. And it's not suitable for offering the customer a variety of payment methods, because there is only one payment method here, it's NACH debit, so there's no underlying payment method. For example, the Bharat Bill Payment System, that's a payment framework, it's not a payment system as such; it has underlying payment systems like UPI, cards etc. So it's the only way of actually taking a payment through the bank account. And it's not great if you need to extend credit: like in a credit card the customer can pay their bill every month, they don't actually need cash to make the payment; here you need clear funds in the customer's bank account.

So direct debit has been a very popular payment method in Europe; in fact in Europe it's by far the most popular way for consumers to pay their bills. In the US credit cards have been more popular, that's the culture there. And in India we're seeing that now UPI is kicking off, so credit cards as a method for recurring payments haven't been so popular, mainly because of the second factor authentication on payment. RBI has recently been relaxing that policy, but still it's challenging because card penetration is quite low at the moment: credit card penetration is at 4%; debit card penetration is quite high, but most consumers don't use debit cards for recurring payment.

So NACH debit is based on three pillars. The customer needs to have a bank account; obviously most customers have that. The customer needs to have a credit card; now most people in India have that too. And they also need to have, if they're doing API based e-mandates, then they need to have a net banking login or a debit card with the PIN. So here it's important to remember that the API based e-mandate is being authorized by the debit card and PIN; it's not using the actual debit card payment network like Visa, Mastercard or RuPay to actually take the payment, it's just an authorization method for the NACH debit e-mandate. And they need a mobile phone to receive the OTP, especially if they're going through Aadhaar eSign. Now the great thing is that most customers have all of these; like, nearly everyone in India has these, and by the end of March everyone has to link these three things together.

So the method that's available right now for NACH debit e-mandates is called Aadhaar eSign. Aadhaar eSign is simply a combination of Aadhaar, which is a unique identity that an individual has, together with eSign, which is operated by the CCA, and it's a method for providing digital signatures which come through a chain of hierarchy authorized ultimately by the government, who issues the license to the CCA; the CCA issues licenses to eSign service providers; eSign service providers issue licenses to corporates. So what is Aadhaar eSign? It's a temporary digital signature created on the fly. So it differs in that it doesn't require a customer to, for example, buy a digital signature certificate and store it on a USB; that's the kind of thing you can buy from, say, eMudhra or Tata, but here it's not really required, it's generated on the fly. The customer needs to have... so here the customer needs to be an individual, as I mentioned, because it requires an Aadhaar; soon businesses can do it through the API based e-mandates. The customer needs to have an Aadhaar, or a mobile phone which is linked to the Aadhaar, because they need to receive an OTP on it. They need to have a bank account, and the bank account should be with a live destination bank. There's some 30 banks; all the biggest banks are there except for State Bank; State Bank is going to be live next month, so soon most of the customers in India will be covered under NACH debit mandates because they're banking with the banks that are already live. And the maximum size of a single debit can be 1 lakh on e-mandates; on paper based mandates it is 1 crore, but this 1 lakh should increase pretty soon. And the customer needs to have cleared funds in the bank account. What this means is that if
the funds aren't in the account at the time of the debit, the debit will fail and you'll be informed, and then you'll have to re-attempt the debit or find out some other way of collecting the payment amount.

So if you want to do NACH debit collection, this is what you need to do. You need to integrate with the bank on one side, and you need to integrate with an eSign service provider on the other side, and then you need to collect information from your customer, and you need to go through a data security audit, a CERT-In audit. CERT-In is a government body which empanels various auditors, and those auditors will audit you to check that your data security is up to the mark. So it's quite hard work: you need to do a lot of integrations, you need to build some subscription logic, you need to figure out how to create the mandates, how to authorize the mandates, then how to take the payments against that mandate, and then you need to reconcile the amount that's coming against that mandate too.

If you go through an aggregator it's far simpler: there's just one integration required. If you're the business, you integrate with your aggregator; the aggregator will receive the funds into their nodal account. A nodal account is an account where clients' funds, your funds, are segregated from the aggregator's own operating activities, and so the money coming in there is in the legal control of the bank. So this nodal account is owned by the bank, it's not owned by the aggregator. So the way this works is that you take your customer's details, you pass that mandate to your sponsor bank (the sponsor bank is your bank), and then the sponsor bank will pass it through the electronic system, it's called the mandate management system, MMS, to the destination bank, which is the customer's bank. The customer's bank validates the mandate and comes back as validated, and the payment flows in this direction too. So the advantage of doing it through an aggregator is that you don't need to worry about all of this, and here you can just focus on your single integration, and the aggregator's already done deep integration with the bank. They can intelligently route the mandates, they can negotiate better pricing with eSign providers and with banks, and they have dedicated resources working on this, and the funds are in safe custody because of the nodal account.

So what does the destination bank do? So when a customer signs a mandate, they are saying that the contents of the mandate are correct, but that doesn't actually mean that they are the person who owns the bank account mentioned in the mandate. That has to be verified by the destination bank. So when the mandate reaches the destination bank, they have a validation engine provided by one of the eSign service providers; they check that the person who digitally signed the mandate is the same person who owns the bank account contained in the mandate. That's the validation process, that's how a mandate gets activated, and therefore you can start taking funds against that mandate.

To get all this started, though, you need to have some underlying subscription logic. You need to have a billing system in place. You need to understand: okay, I have a plan; against that plan I need to invite a customer to be on that plan, and then that link is called a subscription. So this subscription then has a mandate. That mandate can be through UPI, or it can be UPI 2.0, or it can be through NACH debit, it can be through, say, a standing instruction on cards. Then you need to have the underlying bank account from which you're pulling funds. So then once you have this mandate set up you need to pull the funds, so that's the debit coming out of the customer's account; then you need to map that to your bank account, the credit, and so you need the final object, which is your bank account. So all of these objects need to be coded in your billing software. It's quite complex to get this right, and there are existing billing management systems which will do this for you, and there's also aggregators that are getting into the space of subscription logic too, so payment aggregators are doing subscription logic.

If you want to do this yourself you need 4 things. You need a current account to be paid out to. You need the NACH debit product from your bank; it's a cash management service offered by the banks. Then you need to do the SFTP: you need to have a file transfer method in order to pass the e-mandates to your bank and to get the response files from your bank. And then you need to be banking with a sponsor bank, a live sponsor bank for e-mandates; not all banks are actually live as both destination banks and sponsor banks, but many of them are, so the large banks are available as e-mandate sponsor banks. If you want to do it via an aggregator you just simply need a current account to be paid out to; you don't need all these other things.

If you're going to do this yourself you need a doc signer certificate, a digital signature certificate, but at the corporate level: it resides on the server, it doesn't reside on a USB token, and at the corporate level it allows you to sign various documents like a PDF or an XML; in this case it's an XML. The ASP setup is also important, because you need to get authorized by an eSign service provider as an eKYC user agency or as an application service provider; you need to have one of these two setups with your eSign service provider. If you are an application service provider there's a redirect to the eSign service provider, which we'll come onto. If you're an eKYC user agency, this is called a KUA; this means you have a license from the UIDAI in order to carry out Aadhaar authentication on your own server, then there's no redirect required. So you need to integrate with one of these eSign providers; there's only five in the country. So these are the options available to you. As of a couple of weeks ago eMudhra was suspended; hopefully they'll come back online soon. But you need to get on board with one of these eSign providers, either as a KUA, an
eKYC user agency, or as an ASP, an application service provider.

Here's the steps to actually getting started with an ASP. You need to prepare the mandate, so you need to source the customer's data, and we'll mention what data you need from the customer. You need to create an authorization URL; so this is an HTML page where the customer can go and see their details and confirm that yes, these are my details, this is my bank account, this is my Aadhaar number, this is my name and so on. The customer checks these details, so they check the details and they go through the eSign process, which we'll come onto. And you have to prepare the raw e-mandate XML; that is a set of tags which contain all of the customer's data. You base64 encode this XML, this string, and you hash it using a hashing algorithm. That hash then goes into the request XML, which is separate to the mandate XML. That request XML you send to the eSign gateway, and that's the integration that you should have done by now. It's important to remember here that you can actually ask the customer to enter their own details on this kind of confirmation page, so that it could be like a form and then a confirmation page. This is a bit risky, because customers can make mistakes. You need to get things pretty right: you need to get their Aadhaar number right, you need to get the bank account details correct; otherwise this whole part will be successful, they'll go through the eSign process, but you will only find out after the destination bank has responded that there's some mistake. So it's best if you, as a process, you're collecting this data from your customer and you're just simply showing them a confirmation page where they carry out the eSign.

You have to take this raw mandate contents; it includes these details. So you need to have your sponsor bank's details, you need to have your name, you need to have a NACH utility code which allows you to participate in the NACH payment system. If you don't have this utility code you can use the aggregator's utility code, but then it's the aggregator's name that will appear on the customer's bank statement. If you don't want that to happen then you need to get your own utility code; a good aggregator can do this for you in a day or two. And this code basically entitles you to participate; therefore it's your bank account, it's your name appearing on the customer's bank account statement, and it's you that's afforded the legal protection, the Section 138 protection that I mentioned earlier. Now you also need the customer's bank account details: you need the IFSC code, account number, the account type, savings or current account, and you need the start date and end date of the mandate. You need the frequency, whether it's monthly, weekly, whether it's ad hoc or quarterly, and the amount; the amount can be a fixed amount or it can be a maximum amount, the limit within which you can debit. You need the customer's Aadhaar number, and there are two reference fields where you can enter your custom data, like your customer ID number and reference number.

The request XML contains the hash that I mentioned; it contains the algorithm type that was used to create that, and it contains the authorization type. So in Aadhaar eSign there's two ways of doing Aadhaar eSign, biometric or OTP; NACH debit only uses the OTP method, and right now it's only a pre-verified node. And you need a response URL: so once the customer goes to the eSign gateway and signs, where is that customer going to come back to? So a URL for your website. You need to have your digital signature, the doc signer that you use to sign that mandate, along with the certificate, and you need to have the customer's Aadhaar number. So the customer visits this page, they check their details, they click on proceed, and then they're redirected to the eSign service provider. This only happens if you are an ASP; if you're a KYC user agency then you don't need to do the redirect, you can do this process on your own server. To get this license is a bit challenging right now: you need to go through a process with UIDAI and you have to pay quite a big fee, about 20 lakhs bank guarantee, another 25 lakhs in annual cost. So most companies, most SMEs, won't be able to do this; many of the large companies have already done this for other reasons and therefore they can take advantage of this.

The customer reads the resident consent; they are authorizing the creation of that temporary digital signature. They request an OTP; it comes on their mobile phone as an SMS, and they punch that in and they hit submit, and that confirms, they get a confirmation that the eSign was successful, and then they go back to your redirect URL. So that's at the front, but in the back this is what's happening: you're getting a response from your eSign gateway and you need to use that response to code up your final e-mandate, the one that you're actually submitting to the bank. The final e-mandate contains the raw mandate data, it contains the signed content, it contains the gateway's certificate and the gateway's signature; the signature contains the hash which verifies the contents of the mandate. Once you've submitted this to your bank, so you do this via SFTP, your bank will check it; they will validate that it conforms to the overall requirements of NACH. Then with e-mandates they will upload it to the mandate management system; all the sponsor banks have integrated with the mandate management system of NACH. This is when your unique mandate reference number gets generated. At this point all that they're saying is that the mandate has been submitted; it's not that the mandate is live yet. Then it reaches the destination bank; the destination bank then has two days to respond, either to say yes it's a valid mandate or no it's not, and then they can give the active or reject status, and the sponsor bank gets that status back and then they inform you about what the status is. So once the mandate is
active, then you need to start pulling funds against that mandate. Okay, if you are going through an aggregator, that pulling of funds can be automated. So for example you're a gym, but you know that okay, on the fifth of each month we need to collect 5000 rupees from this customer; then you don't want to worry about okay, on the fourth of the month I have to remember to send a debit file to pull the funds. So if you're using an aggregator they will hopefully build the subscription logic which allows you to forget about that. If it's a fixed amount monthly you don't need to worry about the automation part of it. If it's a variable amount, for example say a mobile phone bill which varies, a postpaid bill which varies from month to month, then you as the business need to inform the bank or aggregator how much you want to debit each month. Once you've submitted this bulk transaction file, the sponsor bank validates it, submits it, the destination bank will respond by the end of the day, and you will receive one single bulk payment. So suppose you submitted 100 debit requests in one batch file and each one is for, say, 1000 rupees, and if they're all successful, at the end of the day you'll get a single payment of 1 lakh rupees into your bank account. Then you need to figure out how to reconcile that 1 lakh rupees settlement payout amount with the 100 debit requests that you sent. So this reconciliation process can be a bit complicated if you're doing it on your own; if you're doing it with an aggregator then they will have built this into the subscription logic.

So here are some of the advantages that we see when you're going through an aggregator. They will automate this billing process for you; they will have done the whole subscription logic. It will help you to improve your cash flow if you're using any kind of recurring payment method that does not require a customer to authorize every subsequent payment. Remember what I said: if you're asking the customer to authorize a subsequent payment, a recurring payment, you're also reminding them to cancel. So it improves the cash flow, it reduces the churn. It also means that you don't have to keep chasing your customers for payment; many businesses in India right now are literally having, like, sales people or support people call their customers every month for payment, and there's a real cost to that. You can integrate this with your existing workflow in your system, and it improves the customer's experience because they just need to do a single initial authorization, after which they can just forget about it. For you it's great pricing; it's much better pricing than any other payment system.

So what are the use cases? If you are in the financial services industry then you might want to collect recurring payments for SIPs, on the liability side; on the asset side, if you are a lender for example, then you need to collect EMIs. So this is the best use case by far; in fact 90% of NACH debit mandates are for the financial services industry. Slowly though it's being expanded into other industries. It's great for the technology industry to collect cash payments, for example subscription payments, and all these other industries and their respective recurring payment collection requirements.

How does this compare to the other payment systems like payment gateways? So if you go through a payment gateway, regardless of whether it's a push based payment or a pull based recurring payment, you need to pay some fees which are generally going to be percentage based fees. In fact all the underlying payment systems offered by payment gateways have a percentage based fee: say if it's a debit card it might be around 1%, credit cards will be 2% to 3%, UPI will be just under 1%, net banking payments will be just under 1%. So you're paying a percentage fee; it's a sliding scale. So if for example you're taking 1000 rupees that 1% is 10 rupees, but if you're taking 1 lakh rupees then it goes up accordingly. So the point here is that NACH debit, it doesn't matter how big the payment is, you pay a fixed fee. It's literally X rupees to create a mandate and Y rupees to take the debit; it doesn't matter how big the debit is. And so there may be some other maintenance fees as well; so banks will charge you a setup fee to get started with NACH debit, and aggregators should not. NACH debit is by far the cheapest payment collection method for recurring payments.

This is a simple kind of illustration; it's quite over simplified, it uses kind of a little bit of internal analysis. But if you're trying to collect, say, 5000 rupees from a customer on a recurring basis and you're doing it by cash, the true cost of that cash collection is actually quite high, because you need to move the cash around, you need to keep reminding the customer to pay, you need to get your sales and support people to go and physically collect that cash. So the true cost of it is quite high; so this incorporates the labour cost, the logistics cost, the transportation cost and the lost interest and so on, so for activity loss. So if you're trying to understand the total cost to your business for doing recurring payment collection by various payment methods, this gives you an idea. Now UPI fits in around the 150 mark, just before NACH. UPI on version 2.0 with recurring payment mandates will still have this MDR concept, so it's still going to cost you a little bit more than NACH debit, a percentage fee. The cheapest method by far will be NACH debit, and if you're doing it on paper there's still the logistics cost, but if you're doing it in electronic mode through eSign or API based e-mandates, that is literally by far the cheapest recurring payment method available. And remember these other payment methods are push based payment methods, the customer has to push the money; NACH debit and UPI 2.0 are pull based payment methods.

This is a bit old, I didn't have time to update this, this is from June, but it gives you an idea of kind of the volumes in play in
different payment systems. NACH debit is kind of in the middle of the back of the pack. UPI, I think it's grown significantly since June; it's probably around the 100 million, 100 million rupees, 100 billion rupees mark. So it's still kind of, it's probably just surpassed wallets. But you can see that there's a significant volume of recurring payments, this is not just for recurring payments, but there's a significant volume of recurring payments going through other payment systems which could be consumed within true recurring payment systems: UPI 2.0 and NACH debit and card standing instructions.

So how do the two compare? NACH debit is a pull based payment method. There is actually a way of doing it by push, if it's the customer initiating the mandate; it's not such a popular way of doing it, because the customer has to go and get that paper or that form and they have to push it. On eSign mandates, other e-mandates, it's always pull: you have to create the mandate. Whereas with UPI the customer can initiate, UPI 2.0, the customer can initiate the mandate; you can say okay, I voluntarily want to pay this business or this other UPI user X thousand rupees per month. The cost structure on NACH debit is a fixed fee, so it's an absolute fee, a rupee fee per mandate and a rupee fee per debit, whereas with UPI it's a percentage fee, so it's going to be more expensive. NACH debit isn't great if you need instant confirmation, so it's going to require two days, up to two days, to actually authorize the mandate. That time period is actually coming down; a good aggregator can get it done for you in a day, and one business day to get the actual debit: you get the debit request in the morning and by the evening you should get the funds. The funds come into the bank; that bank may take its own sweet time to pay you out, but a good aggregator will pay you out the same day. On the other hand, if you're using UPI and you're doing bulk collection, so bulk collection via UPI is actually a product offered by banks, you don't need to go through an aggregator, but an aggregator will have solved a lot of the tech problems for you. But if you're doing bulk collection via UPI, one is that you're actually sending out individual UPI pull requests; the customer pays you and you're getting literally thousands of debits coming to your account, and you have to figure out how to reconcile those against your subscription logic. A better way would be to do it by bulk payment, where you get one payment at the end of the day and then you can just reconcile that against the individual debit requests. If you're trying to set this up you can do it through a bank or aggregator in both cases, but if you're doing it with NACH debit you need to have the eSign service if you're not going via an aggregator.

So revocability is an important concept here. It's not the same as cancelling: even a customer can cancel a NACH debit mandate or a UPI 2.0 mandate, both can be cancelled by the customer. The difference is about revocability, whether they're allowed to cancel the mandate, whether legally they were meant to cancel the mandate. So technically a NACH debit mandate should not be cancelled by the customer unless they've taken the business's permission to cancel it. So if for example the business is a lender and they're taking an EMI payment against an outstanding debt, then the customer has no right to cancel that mandate; they can, but they have no right to do so. If they do that then that's a Section 138 default. Whereas with UPI it can be cancelled by the mandate and it is revocable by the customer, and it is revocable by them. So it's not great for lending products; UPI 2.0 will not afford great legal protection for lending businesses. The customer requires a bank account in both cases. They need a mobile phone in the case of NACH debit; in the case of UPI 2.0 they need a smartphone, they need to install a UPI app on it, so that penetration is much less than just simple mobile penetration. So with NACH debit you can reach the masses, the bottom of the pyramid; you can literally take money from anyone's bank account. Whereas with NACH debit it only works if that customer owns a smartphone and has a UPI app and they created a VPA; that's the one thing you need from a customer in the case of UPI 2.0 e-mandates. From the NACH debit point of view you need to get their bank account details, and there are other numbers. If you go through an aggregator for NACH debit they will be able to provide you with dashboards and APIs that solve a lot of the subscription logic problem, right? If you don't want them to do the subscription logic part of it then you just need the e-mandate creation, the pull money, the pull debit request, the debit transaction request; you need to understand how to reconcile the payouts against the actual debit requests, so you need an API or a dashboard to reconcile this, and the aggregators should provide all three of these things.

So if you want to get started with NACH debit: if you want to do it yourself then you have to go via a bank. So you have a current account with your bank, you have to go to your RM and ask them for the cash management product known as NACH debit, and then you need to do SFTP integration; this alone will take you, hopefully it will take weeks, but it will take months. You need a doc signer certificate from an eSign service, from an eSign authorized licensee. You also need to do an eSign integration, and you need to undergo an audit from a CERT-In empanelled auditor, a data security auditor. You need to create the mandate and figure out how to do that, so you need to actually code that up; then you need to build in your subscription logic to link that mandate creation with your billing system and subscription system; and then you need to undergo NACH certification to be actually allowed to participate in the NACH system. If you do it by an aggregator you just need an API.

So in summary, NACH debit is great for recurring payments collection; it's cheaper, more secure and it has better reach than other
payment systems it has a different use cases compared to standing instructions on cars and UPI version 2.0 and you might want to consider using the aggregator that's all I have for you if you have any questions I'll be happy to answer them thank you very much are there any questions? mic runners will bring a mic to over here Nemo you can ask the first question maybe okay don't listen to what I just said somebody else gets to ask the first question it's fine Nemo can go second make sure you hold the mic right up to your face what are the reject rates you are seeing I'm here what are the reject rates in eNATCH you mean the destination bank the reject rate what a corporate would see it could be because of various reasons it could be because Aadhaar is not linked to the bank account one of the destination banks has not affirming as per the NTC the reject rate is a function of multiple reasons why it could be rejected one reason could be for example that you didn't create the XML request properly or you didn't submit it to the bank in the proper naming convention assuming that you got all the technology part of it right the only reason that the eManda will be rejected is because the Aadhaar number is not mapped to that customer's bank account all other reasons are to do with either with technology or lack of data on your part like for example if you entered the wrong customer a name or the wrong customer account number or if the customer gave you the wrong account number if you solved all the tech problems the only reason why an eManda will be rejected is if the customer has not mapped their Aadhaar number they haven't gone into the bank and put their Aadhaar number on the bank account now as I mentioned to you most customers have done that and by the end of March everyone has to do that so the reject rates if you take out the tech and data quality problem is really low I mean it's somewhere in the region of about 10% but once even if you get rejected you can just say 
to your customer, please call your bank, update your Aadhaar, most banks allow them to do it online now or through their mobile app, and then you can resubmit the mandate. So the true reject rate is quite low.

Two more questions. What are the timelines for APS? I'm sorry, it's one question per person if we want to let a lot of people ask their questions. Nemo's next and then there's one over there.

What all does the CERT-In audit cover?

The CERT-In audit, so this auditor is like, you know, a KPMG can do it for you, or it can be a small local data security company; there's about 110 of them empanelled. They will charge a fee between about, you know, a small local one will charge you say 20-25 thousand rupees, a big one will charge you 5 lakh, and they'll ask you to submit your whole kind of process, your system architecture, they'll ask you to show that you actually have an eSign license integration, they'll ask for your schema, all the parameters, your hosting environment, etc. Then the good ones will kind of do some kind of attack to see if they can compromise your system; the less good ones will just take your word for it and give you a certificate. Yeah, I mean it covers kind of, you know, data security. Okay, over there.

So I wanted to ask, can you check the person's balance through this particular mandate first and charge the person later through a subscription-based model?

To check a customer's balance, no, you can't do that right now. There are APIs coming out from NPCI which allow you to check whether the customer has updated their Aadhaar number in the bank customer ID profile; there are other APIs coming out, hopefully there will be an API to check balance. But you see, the point here is that there is a clear segregation between creating the mandate and taking the money, right? So when you're creating the mandate you don't know what the balance of that account is, and at that time you also have no authorization to actually check the balance, because the destination bank hasn't validated that this is a valid mandate; there's no way you can check the balance. Once the mandate is live, then the onus is on the customer to ensure that the balance is there. Like, if they know, okay, on the fifth of each month my Gold's Gym membership of 5,000 rupees is going to come out of my bank account, I'd better make sure that there's 5,000 rupees in my bank account. If it fails then it's a default: the bank will charge them, you as a business could also charge them a penalty, the aggregator might charge you a penalty, the bank will charge you a small penalty as well. So as a business, if there are no cleared funds then it's a problem. What we're seeing is that India, as a kind of direct debit payment market, will progress more towards the European style, which is where customers have learned the discipline over decades to make sure there are cleared funds in their bank account on the debit date. In the US customers don't give a damn about this; they just put everything on card and they worry about how to pay the card bill at the end of the month. But here we're seeing that customers are actually slowly understanding, okay, I need to make sure the funds are in my account on this day. It's much easier for them because they're only concerned about maintaining funds; they don't need to worry about actually making the payment.

We have one more question. How soon can we see the e-mandate based on your UPI IDs going live? Based on the UPI IDs, the version 2.0, how soon can we see that going live?

So, you know, NPCI has been talking about this for a year and a half, UPI 2.0 e-mandates, and the banks need to actually do a lot of integration at their side. Then there are the UPI vendors like Tez and PhonePe, they need to do some work, so the apps like PhonePe and Tez, they're the fastest movers, so they've probably done all their work. It's just a question of banks going live as sponsor banks and destination banks, probably simultaneously, they need to do both. I
would say they were talking about this as if it will go live in December, but it's still not live yet, so I reckon UPI 2.0 mandates in the kind of one to three month time frame, you should start seeing the first banks go live.

Thank you very much. We are out of time for questions, but don't worry if you didn't get your question in: AMA has office hours from 2 o'clock to 4 o'clock upstairs in room 1. We are taking our break for lunch. Many of you have workshop access tickets; if you do, check your badge for the stamp that's either on or inside of it, that will be your access to get into the workshop. It's in Audi 3 at 2:35, right after lunch, and it's on blockchain, so it's a hands-on workshop on blockchain and smart contracts. If you didn't buy the workshop access I think you still can; go see the food token counter, the help desk, and they'll help you out. Lunch is upstairs; I have heard that a few of you have been walking around looking hungry and confused. All the food is upstairs, so please do make sure you eat. We'll be back here at 2:35 with a talk on BHIM. Thank you very much. Oh, and do stop by the sponsor booths, they're feeling a little sad and lonely out there.

People are still filtering in. I can see you are all the ones who are not going to the workshop this afternoon, so this afternoon's sessions are one on BHIM, a joint Q&A (we didn't have a lot of Q&A this morning, so we've got a 15 minute Q&A free-for-all with four of our speakers), followed by a birds of a feather, not a panel, a birds of a feather discussion, which is sort of an open format Q&A but on a specific topic, and we have somebody who will help to moderate that. If you didn't get your t-shirt, don't forget to pick it up at the token counter at the front. I hope you all enjoyed your lunch. Please remember there is no food and drink in the auditorium, and I guess we're ready to start. Vimal, are you ready to go? So our first talk for this afternoon session is called "What we learnt building a product in
just three weeks". Now, anybody who's worked on a three week project knows that it's pretty intense, no matter what it is. Vimal Kumar, who received 5,000 rupees in that example in Dilip's talk earlier this morning, is going to tell us the story of how functional programming techniques and a fully JavaScript-based app development platform helped JusPay build their product in just three weeks. There were learnings, good and bad, and you'll hear them all. Vimal?

You guys can hear me? So how many of you guys know about BHIM, have used BHIM? Awesome. How many of you have coded in functional programming, using functional programming techniques? Haskell? Put Haskell into production? Yeah. See, I was actually wondering, like, it's a one year old story, how we built BHIM. I wanted to actually share the story and what it transformed us, as a payments company, into: a company who actually is inspired to build creation tools right now. A quick background about me: I have a lot of experience actually, like, people think I don't look like that, but I've been working for 15 years, and I'm pretty much an enterprisey guy from the old times. Started in Amazon, where I built large scale systems which can actually support MySQL 4.0, so most of you wouldn't have touched something like that, like old systems where consistent hashing was actually in papers and we implemented it, and I have been in payments from that time, looking at how to build a system of really, really large scale for 100,000 transactions. Been a Java programmer, then went into Azure at some point during my career at BankBazaar, and after that I started JusPay. JusPay is a company running for the last 5 years, and we started the company saying let's actually solve payments for India and create a one click experience without hardware, a hardware-less one click experience. That's how we started. So along the way, when we were maybe 3 and a half years old, BHIM came in, and in this talk I'm going to talk about how it kind of transformed our
thinking and completely pushed us 10x better in how we do engineering. So the story behind BHIM is, we have been into UPI even before BHIM. As I said, we have been super excited about one click, hardware-less payments for several years, and when we first looked at the UPI spec we were amazed that what we wanted was there in it. In fact we were trying to work with the banks a couple of years ago, trying to build something like UPI, but, you know, it's not at all easy; you need to have a lot of people together to build something like that, you can't be a company and kind of create a network. So when UPI came in we said we wanted to make this work, and this is like 6 months to a year before BHIM itself we were into UPI, because if you really look at UPI it doesn't have OTP. We were always trying to eliminate OTP, though OTP powers our business, the other side of our business; you might have seen JusPay auto-reading OTP in most of the apps that you use, if you use Android, right? But we wanted in fact to eliminate OTP and just create a one click experience, and UPI provided a way towards it. Second is, when I entered into the banks I saw there are too many layers. Again, when I started the payments company I thought 10 people are enough to solve payments in India; payments is just moving money from one account to another and doing authentication, what's the big deal about it, right? But when you enter in there are so many people out there, and nobody is trying to move outside, trying to build on their old mainframes etc. Some of you who have been into enterprises would wonder, like, there are all these oligopoly networks, and the real problem is simple, it's just there out there, but there is a red wall, steel wall, all kinds of walls, they just do not let you go to the other side. But somehow UPI found a crack in the wall and just entered in and said, like, core banking to core banking, just move the money, right? So we saw that if UPI is done well it is really going
to make payments simple. So for me, I also think payments has to be free, though I run a payments company, so all this felt like, yeah, this is the right direction, we have to support it. So when BHIM came in, we said we have to jump into it, we have to jump into it and make this work. Maybe one more thing: even before BHIM, we had been thinking, while we entered into banking, looking at how much we have to talk etc. and how enterprisey banking is on the other side, that unless we are super good in technology I don't think we will have fun working with the banks, because there are so many other things that we have to do to close a deal etc., right? So we have been thinking about something called specification to application. How many of you know Clojure? So I have been thinking about, when we make these apps, we have to make them declaratively, and is there a way in which you can make an app in a single page? So this is an email that I was typing in my Emacs, just writing, like, I wanted a DSL like this, and I am sending it to my team in 2016, a little bit before the time when we got BHIM as a requirement, where I am saying: just like how you write a C program, in which you just start saying, like, main, gets, write something to the file, read something from Redis, you can just declare it, you can actually write line by line without callbacks etc. But on the other side, when we were using Node.js, it's a mess, right? So I wanted something like that for app development, something like saying, just show the login screen, and the return value of the login screen is the login, let's say the user name and password, which I can then call an API with. You get what I am saying, like the user's journey as a thread of execution. So this is also something that has been kind of going on in our company, right? So then BHIM happens. When BHIM came in, in fact it didn't come as BHIM to us, it came to us as, okay, there
are lots of banks who are not able to build apps, lots of small banks, and NPCI came to us and said, like, okay, you guys have been doing apps for the banks, you are in the process of working, can you create a template app which is like a reference implementation for the small banks? Well, small banks was not the thing that we can solve, but we thought we are going to do engineering in a better way, let's show it as an example; even with small banks it's okay, it might work out, might not work out, let's do our best. And within a week (this is a little bit before the three weeks), within a week we are just prototyping and going and showing, saying, like, this is the thing that we can do. Even for the small banks I wanted to do something which is not there in the world. We have our own type of design, we used to call it, not material design; I've always wanted design also to be unique, so in our company we used to call it solid design, we used to be inspired by cars and bikes etc., like how the controls of physical vehicles are, we wanted to give that kind of thing, we used to call it solid design. And we have all this and we made it, and people were impressed, and somehow after a few days it comes to us, saying demonetization is happening, maybe there are requests where there is a possibility that this can be launched at country-wide scale as an app launched by NPCI. Okay, we are wondering, is it even possible? UPI doesn't have that kind of... the philosophy of UPI is PSPs are run by banks etc. But when we thought through it, yes, why not, right? And there are lots of unknowns etc., but we also didn't know that we had to do the *99# and it's three weeks. I just committed, yes, I said yes, yeah we can do it. I thought like maybe we should mash it together. I'm a little bit of an optimist sometimes; I thought like maybe in one week itself, let's all come together, work in three shifts, move the entire company into this, and
like, get something done, right? Because we had a lot of things already in our minds where we wanted to go. We had our own 35kb React Native; I wanted that to be put to use, because we can do rapid prototyping which is actually close to implementation on the UI side using that. I thought, yeah, this is an opportunity, let's just say yes, and I want to get all the team together and do it in one week. Then more and more requirements start coming, and I'm getting, like, okay, we also have to do *99#. Then we wonder, what is *99#, how does it work, how does USSD work, right? And you have to integrate with all the telecom operators, how? And there is something called the SMPP protocol, what is that protocol? So we committed, and then it's a big challenge and we are, in a way, in a difficult situation, right? And it has to support all languages, it has to support accessibility, because this is going to be a government app and people are going to complain, and from day one it has to have high reliability and scale, and then there are teams in Chennai, in Mumbai, infrastructure has to be physical infrastructure in some place; we are used to the cloud and we have to go back again to bare metal infrastructure and procurement of hardware. So many other things just came to us, and we have said yes, and now we have to somehow execute. So it was not possible to do this without doing something radical, so we were forced to just put all our ideal ideas in, like saying, okay, let's put our functional programming monads, which we were experimenting with, into it; let's somehow have our non-programmers code, like we just said our lawyer also has to learn JavaScript programming in two days and they have to take care of multilingual, so PMs and our lawyers even have to code; and we have to get all our customers, and we have to design with the customers in place. All this communication over it and all is going to kill us, so we have to
collaboratively create, right? So I think the two weapons that we had at that time were functional programming and this collaborative creation. We tested it a little bit; we even internally in our company use these collaborative... one is, till when we were a one floor company, every time we are calling everybody, and everybody, we call it like we are running the company like playing jazz music, like we are in the flow and we are actually creating, and unbelievable outcomes happen. But how do I bring that to enough teams that I don't know about and who are fragmented? Well, that is something that is collaborative creation; we wanted to do something creative about it. And definitely functional programming. Functional programming, I think a lot of you guys would know, purity is a big, big thing in functional programming, so you can actually parallelize, you can create composable combinators and you can combine them, if you use the right functional programming technique. So we put all our other libraries that we were building, which are functional programming, immediately into practice in a very serious app. Well, I think there's a lot of detail here. So one of the core things is, we just jumped in and we started building. We planned it out and we said it's not like prototype versus implementation, we have to do prototypes which are like implementation. So we started, given a lot of unknowns which are out there, things which we know we have to be 10x better at. So we went, and there are two things that were there. I'm not going to actually get into the collaboration, what we did, because that's another thing altogether; I'm going to focus on the engineering part in this discussion. If you guys are interested you can talk to me after the talk about some of our thoughts about how collaborative creation can happen. So if we have to somehow attack this problem and solve it, the known things we had to, wherever we think there is a 10x possibility,
we were actually... our vision was that we were kind of thinking engineering should go like this, and now we are saying engineering should be like this from day tomorrow, or now. So we just put all our bets into practice immediately, right? Which is, we had written a monad. How many of you know monads, have heard about monads? See, monads are nothing but computation builders. If you look at Node.js right now you have async/await etc., but I think when we went to Node.js, writing back end was a big, big problem, like even compared to Java it's pretty bad, though you have functions as first class citizens etc. So to build something reliable in the back end we created our own JavaScript monad. If you know Haskell there is something called do notation; we don't have it, that's a problem there, but we had a library internally in our company which we have been using for a few products, so we wanted to fully use a monadic way of writing the back end for BHIM. The second thing is we had a way of writing the front end which is like the Elm architecture, which we have been experimenting with. How many of you have heard about Elm? Yeah. So we had a JavaScript way, our own way: our React Native library plus Elm architecture, and we have been experimenting with it, and in that hot reloading, everything works with our own library and we can do rapid prototyping. The good thing there is, in our library a fresher Android developer will be able to immediately be productive in React Native. They can't be otherwise, because React Native has its own markup language which you have to learn; here we just took the Android XML syntax and you can write that in JavaScript. So we had a bunch of interns in our company, we put everybody into code, and immediately we start making the screens into code, and in 2-3 days we are having an app working on the front end with dummy data, right? So that, and you know, all these screens can be parallelized, and then all APIs, when you write it in functional mode,
we are having lots of people who are writing all this in parallel, and some people are coordinating, assembling them together, everything is falling in place, and wherever unknowns are there we are mocking out the data, and within a week we have a system in place. Because even in this 3 weeks there is always this unknown, like can it really be done, should we tell the Prime... see, I also don't know whether the Prime Minister is going to launch it, I didn't know till the last moment, right, like will this happen or not. But we thought, well, whatever it is, compared to where we are it is a great thing, whether it works or not, whether it launches or not, not a problem, let's do it, let's give our best. So whatever the way we did it, after a week some IAS officers, big, big people, are starting to talk to us: why don't you do this feature, why don't you do that feature, like that, right? And because of this rapid prototyping of the UI that we did within a week, what happened is lots of people, collaborative creation started evolving: people from various places who are actually big stakeholders in this started coming, and they will call our team and they will ask directly, like a big person will just call at 11 o'clock a person in my team and say, can you add this to the UI and just do it and show me? They will just do it, and done, that feature is done. And in fact we also did it for the USSD. How many of you know USSD, what is USSD? Yeah. So within a day of coming up with this requirement we created a small prototyping tool. First we didn't go into USSD; we just said okay, let's show like a Nokia phone, and we again created a monadic DSL, a conversational DSL, very quickly. We did something where, because USSD is about questions and answers, like you throw a question to the user, the user answers, question, answer, question, answer, and in fact we made the code so simple, and we started sharing, okay, this is how
you write that code and this is how the UI looks. So a lot of people then get enabled, oh yeah, the person who gives the requirements knows how to give that requirement to us; they are not going to give it in some format which is not understandable, we just made it as close as possible to implementation, right? So we created our prototyping tool, that is our Presto UI; this is our own USSD prototyping tool; this we extensively used for architecture collaboration etc., all these collaborative canvas tools where multiple people, all the mouses are moving and people are commenting and we are discussing architecture, how to solve our back end problems etc. And yeah, so this is how the back end looks with our monad. It doesn't have the do notation, so it has its own limitations, which if you had written in Haskell or PureScript it would be much better, but we were able to live with the limitation. We had to use a state because of that, just to move things between the pure functions. These are all chaining pure functions together, right? For example, an API initially has to limit the rate, maybe it is fetching something from Redis, if Redis doesn't have it, it has to fetch from the DB, and it is cleaning up the response, and if any error happens anywhere we will be able to catch it. That is a big thing; in Node.js it's not possible, somewhere some error happens, some callback will just ignore it, and it could end up being a big serious bug, and we wanted reliability to be in control, because if anything happens we have to be able to catch it, right? Monads give you that. And the entire thing is JavaScript. This is also something that we had to take that approach on: this used to be like, should we put a React Native library to big production use or should we start small? We had to put it to big production use. So that is all JavaScript, back end is again JavaScript. There were discussions like, oh, this is high enterprise, should we write it in
Java? No way you can do it in Java within this time. So all the good stuff that we had to do, because of this time crunch, just got approved, right, which was great. Functional programming, will people be able to maintain it? This is how we can do it, so we will teach functional programming to your people. So everything, now we are teaching Haskell to people in enterprises, you know, because this is how, because of these constraints, time constraints, we just went in, like things which go in a bullock cart went in a flight, and when you go in a flight you just can't ask questions and all, it's just done. Like all the good things we just go ahead and put out there, and now people are okay, oh it's all working, what is this whole functional programming about? Now in banking circles and all, people talk about it, you know. In fact when I go to the bank and say we are already using functions, what is this? We have to again maybe get a new term for it. But I'm quite excited these days that we are bringing functional programming, the right paradigm we feel, into the hardest place and we have made it work through this. So yeah, as I said before, our PMs were coding, and our lawyer is the one who made sure, she is diligent about every detail, and we just taught her JavaScript, and she manages certain files, took care of all languages, coordinated, and we let her know how to build it, and like, yeah, change it and build it, change it and build it. And non-coders are able to code now; in fact in my office even the admin, the QA team is already learning Haskell, and now my office admin, why not? So that is the kind of confidence we got out of all this. So that's how BHIM happened. See, there are lots of other stories, how we did all our shifts, three shifts and all that; it could have burnt us out, it's three weeks and so many unknowns, and it was, even with all this, see here
it's all JavaScript, right? It's not like... there are lots of issues also that we faced. So from the BHIM experience, the good thing about that is we were able to see the entire picture. I was able to see, like, in three weeks, if it can be made, why not in one week? Because in three weeks we were able to make it with so many inefficiencies of JavaScript and certain types of things which are not unified etc., right? So we took that specification to application as something that we should go ahead and do for the world, as we have had this experience. Meanwhile other threads are going on in our company, like I met this guy called Rahul from... how many of you know there is a language called Eta? There is a guy from Bangalore who is writing a Haskell compiler for the JVM, and after we got this success we went to the Haskell community and we saw him and we were impressed. Till then Haskell was supposed to be like an R&D language, right, and this guy is just out of college, a dropout from college, and he is writing a Haskell compiler. And I am a systems guy; we are actually talking about how do you manage, like Haskell has laziness, and how is he able to find a hack inside the JVM, amazing stuff he was doing. And we were thinking, man, we have like 100 people in our company, this one guy is writing a compiler. Me and Dilip, in fact Dilip is also here, my team members, we got really impressed and we said we should get into Haskell; like, if it is not impractical, this guy is writing a compiler and he is believing, he is saying like I am going to invest the next 3 to 5 years in it, like a realized guy he is saying. And that is when we thought, well, let us just jump in. The next thing is, why should we take baby steps? The entire company, we should try moving into the ideal stuff. So then at that time there is a debate happening, what should be the real... should it be Haskell, should it be GHCJS, should it be... we wanted to
unify the back end and front end, so we did not want different runtimes. When we were getting into Haskell we saw that ideally if it is a JavaScript based runtime it is going to be better, so we went into choosing PureScript. And definitely I used to be a Clojure coder, I still really like Clojure and Lisp, but what I found is, the kind of constraint that we had, Clojure is suitable for a very small, highly experienced team who is very much in sync; otherwise what happens is, you know, in Clojure everybody will create their own language, you can create DSLs in Clojure and things will go out of control, you won't know what the code will do, the same code, people can create their own meta languages and it will all go out of control. So it is like the artist's way, versus Haskell is the scientist's way. The scientist's way is more collaborative, more people come together and one paper is referred by another etc. And we also have, like, when we have 100 people, when we have maybe 1000 people in our company, because India is about scale of people, right, we have to utilize it. So then I thought, yes, maybe we should get into Haskell, so we took that trade-off and went into Haskell. And actually my concern about Haskell was, will it decrease my creativity, because there are types now? Now it's all gone, but I would say at that time some of the people who like art might think like it's constraining: I want to just express myself, this is all coming and bothering me, define the type, look at the big picture, I don't want to think about the big picture, I just want to do what I want to do right now. So a very fluid environment like Lisp will give you that, but Haskell will just, like, if you want to print something somewhere you have to change the type signatures of everything. If you see, I am talking about lots and lots of things, assuming you guys know stuff, but I believe I am going to convince you to go and learn all this, so you will, what I am saying, you are also going to feel. So in that regard I
think it's okay for me to just talk at a high level. But we had the concern that Haskell is like math, it's not like art, but maybe we want to do business like art; but we saw that if you get a little bit deep you can actually do it like art, that is what we realized when we started experimenting. So with all these right trade-offs we entered into Haskell and we are big time into it right now. So the problem that we were kind of trying to solve, which is, getting again practical, into mobile app development: we see the event-driven programming model is not scalable. For transactional apps, 80% or 90% of the apps that we make are transactional, or even in a very game-like app lots of things are like flows of transactions. As I said, in the Clojure code I showed initially, right, you want the user's journey to be like a thread of execution, are you getting me? What is the user's journey? Even if it is multi-machine, I imagine it like that: even if you have IoT, even if you have user one, user two, and there is client, server, there is always a thread of execution. User one, I do something, then maybe it goes into the IoT device, the IoT device waits for a day and comes back, then it continues, then it goes to the server and continues doing something, then it goes to user two. If you really look at it, it's like a workflow which goes, right? But I don't think we have unified programming models to look at the entire picture as a workflow. The only thing that I saw was Haskell libraries, which kind of again gave me confidence. There is a library in Haskell called Transient; that guy was actually talking about writing mathematical equations in which you can write the entire application, with symbols etc., where front end and back end all doesn't matter, you just write it like an equation, right? So that really gave us a kick that we have to go and do it. So to achieve that, the user's journey as a thread of execution, and to write it as
equations is something that we think will really really make that one week happen and see we are also not happy again considering I from come from a little bit the early 2000s days it was not tech was not so much of a pop culture tech was like we had to get into systems we have to understand things deeply there are few things that you really understand and it will remain for 10-20 years nowadays you learn something today tomorrow it's gone and every day you are on hacker news like what is new today what is new today so it's like I don't I was I was also into it for some time so I know that maybe 20% of you can do that 80% should get into fundamentals and since this it's the other way around in the industry 20% is fundamentals 80% we thought we have to change this so we see that again another story about functional programming functional programming comes from deep math what is math all the mathematicians want to find the truth in nature at least a part of the truth in nature they want to find commonness what is truth truth is about patterns that repeat things which are common between so many things around you right so the mathematicians are the pinnacle like and also artists in fact but mathematicians have a systematic way of going after finding what is common between things right and people have been doing this for maybe thousands of years and last few hundreds of years mathematics really got again big and complicated mathematics itself became too diverse that a single mathematician can't understand the entire mathematics so this has been a problem that people have been worrying in mathematics for the last 50 years like there is mathematics of numbers, mathematics of spaces mathematics of changes like calculus, mathematics practice etc then there is this higher dimensional again that is in spaces spaces itself gets into a big deal multi-dimensional and all that like things like topology and all that is also there and in all of these there is algebra but overall 
what mathematicians themselves were uncomfortable about is: mathematics is not good right now, we have to fix it. So this is something that they have been working on from the 1950s till the 1970s, and they invented something called category theory. So category theory is a layer below mathematics; it's a foundation of mathematics. So what they found, again by accident: a couple of guys were trying to unify a couple of higher-order mathematics and they found something called category theory, and surprisingly the building block of category theory is a function. How cool is that? And we are all engineers, we deal with functions every day. The whole mathematics of the last few hundred or thousand years, all that is invented, the foundation of that is function. So this is what in the 1970s they found out, but it is very abstract, how is it and all, it is very hard to understand. But it took the last few decades to bring that insight in from mathematics to Haskell. The people in Haskell, for example... see, Haskell also has all these different layers of people: people who are implementing the Haskell compiler, people who are getting the concepts from mathematics, and people who don't even care about Haskell but are into the programming-related mathematics and all. And slowly things like monads and all are coming from that. It is not like a made-up concept. The people who actually talk about these, they say these are discovered, this is there in nature everywhere, that's why we put it into the language. If it is a little bit non-intuitive, yes, work a little bit hard. But like for you to understand what is meant by force you have to slightly think a bit more; you say, oh yeah, I don't think force is there. See, maybe you also have that attitude to kind of be creative and come up with your own new abstraction, but you can't discard some of these real, true insights, right? So with that spirit, in our company we went and learnt to some extent a bit of category theory and tried to build intuition
around it, and I think we are understanding it more and more, and we want to make it more human. We also want to bring that, simplify it, and make it... because there is a lot of truth in it, we want to make it human. So the whole point of the problem in Haskell is that the humanness is missing; it's all... people get into some other... just like Einstein going and thinking light will go at a constant speed, it doesn't feel right to us, right? And I don't think we all know that, but how many people really feel all this is correct? Like, okay, length gets contracted, time gets delayed, really? So here also it's like that; these are a bit higher-order thinking, but I think we have to simplify, we have to make it more accessible. So we are in a quest towards that. But the people who are in technology with experience have to take these challenges and go into it, and we think this has to be solved. And you know, JavaScript has so many libraries, even a two-line thing sometimes becomes an npm library, so too much fragmentation, and people call names, they don't know what it is, right? So rather, I think we can create much more solid libraries by combining the concepts and reduce the fragmentation.

So we thought we have to create a UX DSL out of all these techniques etc. to make it more human. Human is user experience, right? Like the user experience of programming itself. And what are we programming? We are programming, in fact, the user experience of an app interacting with a consumer, right? So we thought it has to be like a conversational DSL. An app is nothing but something that talks to the user and talks to the system, and it is just a conversation going on, right? So we created a conversational DSL, and a DSL can be chained like a narrative using a monad. But also, since it's functional programming, we have the ability to make it very composable; we can actually create small snippets of code which can be reused across apps, which can be put outside, and everybody in the
world can just use one mobile OTP verifier or one login flow, and it can be perfected. So currently everybody writes these things themselves, but a lot of them are actually the same thing; a lot of people, what they do... So why are people doing it differently? Because a lot of impurities are in when you write your code. How many of you know about impure functions and pure functions? So maybe I will quickly put it this way: a pure function is like a mathematical equation, for the same input it gives you the same output, and it also can't change the external world. Really speaking, 95% of your program is pure conceptually; only 5% actually has to do with the other things. But this 5% is mixed up with your program like a khichdi, so your entire 100% becomes impure, and whenever something is impure it's unpredictable, so your entire program is unpredictable. It's also not composable; just take my word for it, you can go and learn why it is not composable. If you can somehow separate out this 5% from the 95%, that 95% becomes super stable, composable, reusable etc. etc. So that is the philosophy that we took and we created this DSL, and the entire app building, this is PureScript code, can become like a chain of computation which is all pure functions, and business people should be able to write it. And we chose PureScript. And to reduce the fragmentation there are only 3 building blocks: one is the UI structure; then the flow structure, all the business logic, whether it's front end or back end there is no differentiation, it's all just functions; and then types: your database, business model, communication between functions, everything is all as types. So you just look at things as these 3 things and then everything simplifies. And I already covered why we chose PureScript: GHCJS was very large, and since we had to be like an SDK inside an app. So that also I will share in my slides. Lots of benefits; I think I have already touched upon a lot of benefits. See, one other big
benefit with types is, once we get across dealing with types: types will actually give you a lot of errors initially, some simple stuff it won't allow you a lot of times when you are going to try Haskell, so when you try it you will find that, but refactoring really, really gets simple, and it's a big insight to me. I don't need to be right; I have these big ideas of spec-to-app, and we are doing something every week, sometimes refactoring every month etc., and such things are impossible for me in JavaScript, I will be afraid to touch an existing code. Here we just go and refactor and get things changed in a day or two. And we are also working on helping people learn functional programming in colleges, starting something called School of Functional Programming, working on one-day apps, one-week apps etc. etc. All these are vision: trying to do visual programming, how to make the humanness; we are still working on these ideas. If you are interested in collaborating, let us know. And even we are looking at how to create a reactive system, front end and back end and everything being reactive. A lot of people would have heard about FRP, but FRP on steroids: your entire app should be written in one page like an equation and it is all reactive, right? So yeah, that's about what I wanted to give, and I urge you guys to go learn Haskell, and if I can share I will put in my slides some links which you can go and learn from. Any questions?

We have 5 minutes of questions and then we are having a 15-minute Q&A. So you guys over there... I need a mic runner. I will be the mic runner; I will literally run.

Hello. In your slides I have seen a small part where you had to handle the reliability for 200 million users, BHIM in 3 weeks, sure, and you talked a lot about sharding and all. So can you add some more details, like what the problems are, like what did you face?

Sure, definitely. Talking about 200 million users: the architecture has to be scalable to 200 million users,
right? So if most of your application is stateless, it's horizontally scalable. So with the approach, when I talk about functional programming and all, our services are stateless. State is there only in a few places, like the database is the problem; Redis is also shardable. So we use Redis and we use Postgres. So the only thing that we had to worry about was how to shard the database, and even there, actually speaking, for the first 3 weeks we didn't; we kept the door open for immediate sharding. So we created all the ID schemes etc. So sharding is based on the IDs, right? So designing the schema such that... in which place you need to, for example if you have to shard transactions, that is the first thing you have to think about, right? Transaction is the one which will grow. Second is sharding customers, and there will be lookups based on mobile, there will be lookups on some registration token or something like that. So you can imagine, you can actually go and be very, very standard; we didn't have any very special use cases, because this is not something like a different level of scale, this is like a reasonable, manageable scale. And initially we went with scale-up: we took really, really large database machines because that's available, why not, you don't need to over-engineer, right? So in 3 weeks we first said, let's get the best DB machines that we can get with the best memory, tune Postgres to the best, get enough buffer and keep the door open for sharding. Only after 3 weeks did we start working really on the sharding. When we launched we didn't really shard.

Hey, yeah, good presentation, I feel the energy already. So just an extension of the question that was just asked: during those 3 weeks and post that, how did your team take care of ensuring quality, like general software engineering practices? Did you write a lot of tests? I mean, I understand that functional programming itself will help you keep state in control, but that doesn't ensure bug-free
programs. So what does your team... so specifically a 2-part question: what did you do in those 3 weeks and what do you do now?

Awesome. So see, this is a great question and I have my own opinions or own way of looking at it. I am not a guy who is for writing a lot of tests; it's a kind of boring thing actually. My experience has been, in the world you can't get 100% of the things perfect, so a lot of times 20%, or a small percentage, in fact 1 or 2 things only, will matter. So I am always looking for silver bullets to get me so much buffer to actually make mistakes, and there are standard techniques and there are also creative, very situational techniques. So for example, I will talk about BHIM: maybe getting first the requirements correct and all. For example, we can make a mistake in the broad thing itself, right? It's not even in technology. So I think with all our wisdom we put together, we were constantly thinking about where there can be problems, and to feel in control. There might be some small bugs somewhere, maybe in some multilingual language, it's okay, but if security has a problem... in fact around security, like security and reliability and all, when I think about it I go a little bit philosophical and try to really understand what is the fundamental thing. Otherwise we can say there are 100 things that we can worry about and we will keep worrying about it. What is the core thing that we have to do to actually ensure quality? So I will typically tell my team: if you have to build a building which is earthquake-tolerant, for example, there are techniques, you can actually make better, better, better materials and make it rigid, but later you will figure out that oh, it has to be elastic; later you will figure out that maybe you have to put a pendulum below the building. So it's not like writing a lot of test cases, right? You have to be very creative about finding ways to ensure quality. So maybe it's a roundabout way of explaining. So in a way functional programming also has a lot of
practices, like state, which are not immediately intuitive. See, other things that we did... so other philosophies that I have: I always want to look at production like a playground. Like I talked about jazz music, right? I tell people you have to play with the production itself; if you make a mistake it should not be a problem. And write test cases on data: I asked my QA to, because in my previous product a lot of things are not in our control; your application is your application. There are two things that we followed. I'll say, in BHIM there are many things; certain things I don't know how much I can disclose also, it's an NPCI product. But I will cover your question with my other product called JusPay Safe. JusPay Safe is a layer on top of the unreliable layer of banks; anything can change, bank pages can change and all that. I used to have a thing that if something goes wrong, go to fallback mode; always we will have something called a safe mode, so that immediately gives us an extreme amount of buffer: if something happens, safe mode. And we did something called an automatic anomaly detector, which is very simple, regression-based; it will find certain metrics, and if some metrics are deviant to twice the standard deviation it will alert us. And we have dynamic code push: if some issue happens we get alerted, and by that time it has already gone to safe mode; when it gets alerted we can immediately change the code and push it. Sounds very simple, but it gives... when you have that control of pushing code immediately and seeing the results in analytics, and having this automatic anomaly detector and safe mode... In my previous product it was not about types, that's why I was actually not that interested in types; in our previous product with JavaScript all my strategy was around elasticity. Elasticity, and looking at production: you internalize production with yourself, you don't see it as some alien, you just play with the production. So that was my philosophy.
Here also, this is a government product, you can't push things like that, so we had to change a bit, but it starts like that; that is how we used to ensure quality.

If it's all right, I'd like to slide right into our joint Q&A by inviting Atma, Shikant and Dilip up to the stage for a shared 15-minute Q&A on UPI. I think they're in the room, some of them. We have microphones over here for you, although you'll have to share. So does anybody have questions for any of the people who are on stage now? If you had questions during their talks and you still remember them, this is the perfect time to ask them or talk to them about the topic that they are expert in. Does anyone have a question? There's one way in the back, way in the back there.

Hi, I have a question around the e-mandate on UPI 2.0. Like, we have been hearing a lot of buzz since last October-November. When is it that it's actually going to take shape and we can see it live?

The specification has been shared with all the PSPs; it's under development. The exact date I can't give, but the development for that has started. I think you'll see it in the next 1-3 months. NPCI said it should have been done even last quarter, but they're always behind track: 1-3 months.

What is the strategy regarding revocation of rights for e-mandate?

You're talking about UPI or NACH? UPI.

A UPI mandate can be cancelled; a NACH mandate can also be cancelled. In my talk I gave a distinction between cancellation of a mandate and revocation of a mandate. So the concept of revoking is where the user, the end customer, decides to withdraw his consent to allow an institution to debit his account. Now the concept of cancelling is a little bit different. Think of it like a cheque: if you actually cancel a cheque before the institution has cashed it, then that is an offence under the Negotiable Instruments Act, and if it's an electronic payment that you are not honouring then the same offence applies under the Payment and Settlement Systems Act, and the same legal protection is
afforded to the institution. So under both payment systems the mandates can be cancelled by the consumer. Under NACH the mandate can be revoked by the institution; the customer can ask the institution to revoke it, but the customers themselves are not meant to revoke it. They can cancel it, but they will be in default at that point. Under UPI there are two types of mandates: there's the pull mandate and the push mandate. In a pull mandate the consumer is authorizing; in a push mandate the consumer is initiating. So although it's not been launched yet, in both cases they will be able to cancel, and this will be within the PSP application itself, within the actual end consumer application.

The first question, it's here. The first question is regarding the eSign setup. So I just wanted a sense: you told the only way a bank would really reject your eSign mandate is if your bank account isn't linked to the Aadhaar, provided you give them the data in the right format. Do you have a sense, let's say a hundred people come and attempt to set up their eSign, which starts from actually your Aadhaar being linked to your mobile and, you know, the OTP going through; do you have a sense of, end to end, what percentage is successful, what percentage of mandates which are attempted are actually successful?

Sure. So I also mentioned the various failure points that can happen. Now we're talking about NACH there, but eSign mandates are one type of e-mandate, the other type being API mandates, which are not yet live. In eSign mandates there are points of failure along the way. So the first point of failure is if you did not create the actual mandate in the correct format, right? So then the fault is on you, right? The second point of failure is if the quality of the data in the mandate is not up to the mark, for example if there's an error in the bank account number, right, or if there's an error in the spelling, if, you know, the Aadhaar
number is wrong, for example. So that's another point of failure. And the actual final point of failure is if the destination bank rejects the mandate because they feel that the Aadhaar number of the user who signed the mandate is not matching with the Aadhaar number on account for the bank account contained in the mandate, right? So these are the three kinds of failure points that you can think about. The only true, real failure point here is if there's an Aadhaar rejection from the destination bank; the others are just kind of like, you know, tech or data quality failures. If you want to know what's the combination of these three, then it's kind of like a multiplicative, you know, number that you end up with, which will probably be in the range of like 60 to 70 percent. But that again is a function of the quality of the tech and the quality of the data, right? If you take out those two failure points, you're using, say, you know, you've got your tech in order, you're getting good quality data from your customer, then the only failure point, the true failure point, is the Aadhaar number is not mapped in that customer's profile ID in the destination bank. And so this concept of linking, right, we have to be clear on what linking means. So there's a two-way, like, linking goes in both directions, right? So the link that we're talking about is that the customer should necessarily have updated their Aadhaar number in their customer ID with their bank, right? So the other aspect of linking is in the reverse, which is seeding, right? Seeding is not required for this, right? Seeding is for Aadhaar-based credit, something completely different, right? It's for, like, direct benefit transfer, right? So seeding is not required, just linking: the customer should have gone into their bank, or on their app, or on the phone, or in their net banking, and they should have updated their Aadhaar number on their customer ID, right? So that's the one linking. The other linking is with the mobile phone, right? So the Aadhaar number can
be linked with the mobile, and think again what this actually means. There are two directions to it. One is that you've gone to your mobile network and you've updated your Aadhaar there; that's to be done by the 31st March, right? The other thing is, have you put a mobile number on your Aadhaar? That's the reverse of it, right? So that most Aadhaar holders have done, because when they submitted their Aadhaar applications they put a mobile number on there. If they haven't, they've probably put an email address, and if you don't have a mobile number on your Aadhaar card you'll still be able to receive the OTP by email. So it's one or the other, but most people receive it by mobile. So just clarifying the link, the kind of two-way link there is.

I think it is missing one element, because NPCI has a mapper consent separately, because seeding or linking does not actually mean you are giving a mapper consent for NPCI. So I think it's actually four parameters, but most of the banks are forcibly collecting this mapper linking.

So the mapper linking is for NACH and it's used mainly for credit; this is the seeding thing. This is actually absolutely not required for NACH debit. All that's happening here is the destination bank is checking that the person who signed the mandate is the same person who owns the bank account contained in the mandate. So it has nothing to do with this mapper or this seeding or this direct benefit transfer. That's a clarification that's come from NPCI.

Derek, just to add on to that: NPCI has put out numbers on the mandates. So roughly around 30 lakh mandates get presented to NPCI, of which 10 lakh, or 7-8 lakh, fail, so you can say... So NPCI did not actually distinguish that, but they started putting numbers only from '17, which I would obviously take to mean that that's only the e-NACH thing, because they are probably tracking e-NACH separately. I don't know, like, what part... there's no split, there's no detail as to what caused the failure, because the percentage
failure is so high. And sorry, the total number of mandates outstanding is about three crores, so you can see that like 90-95% are actually physical mandates. So the failure rate on physical mandates is about 27%; it's been coming down recently, but that's usually due to a signature mismatch, like the same signature-mismatch failure you might find on a cheque. But on physical mandates that's the failure rate. On electronic mandates the failure rates have been higher because of these three failure points that I told you about, but that's rapidly improving as more destination banks are becoming live, more sponsor banks are understanding what they're doing, more corporates are understanding how to do eSign properly, and the eSign providers themselves are starting to talk to each other. Initially, when we started out with this whole thing, the eSign service providers were talking in different languages. You're supposed to be able to sign a mandate with any one of these five eSign gateways, and then the validation engine used by the bank would be able to give the same answer regardless of who signed it. The problem was that eMudhra was providing most of the banks with the validation engines and they were rejecting e-mandates signed by NSDL, which is ridiculous, right? So things like that were happening in earlier months, but they've been resolved now.

Hi, I have a question for Vimal. Vimal, the Presto UI which has been released, I mean it's already available for use; do you have any number in terms of how many apps have been built using Presto UI? And I still have to build the backend after I use Presto UI; is there any demo app that can be built? Yes, the instructions in the Presto UI are not very elaborate for me to work on it.

One of the things, the problem in the Haskell ecosystem is it doesn't get popular that much, so we know that we are the biggest users, and unless we build a lot of other tools around it I think people won't use it, in my opinion. We can go and market it or talk
about it and all, but that's why I'm talking more about functional programming as such, right? So the thing with Presto UI: people will ask me, like, Presto UI versus React? It's not big enough, why should I take a bet on it, etc. etc. It's small in size; maybe we can give better instructions etc. Maybe I'll talk about the quick roadmap of it, right? Presto UI itself, we are moving to using PureScript; otherwise it uses JavaScript, JSX, and because of that there are lots of... I think the productivity really increases. Internally, there is a library called Halogen, you can check it out in PureScript; so we are taking parts of Halogen and integrating it with Presto UI, I think that will give... So yes, you can actually design and sketch, right? If you are talking about the generator also, you can just design and you can just click on generate. So this is, by the way, apart from functional programming, we also launched a UI generator: you can just design and you can just say generate and you get code for iOS, Android and progressive web in one shot. And well, we are improving on the documentation etc., but rather than promoting it and making the documentation better, we are currently actually working on some of the features. And as you rightly asked, what about the back end: we are trying to bring a unified way of just writing. The UI structure is one, which is like a spatial tree. Second is the controllers, or there is something called FRP behaviors; you should go and look at a talk by this guy called Conal Elliott, he is the founder of FRP. So there is a library in PureScript called behaviors, which actually is the right way to do FRP in our opinion, so we are actually adding an FRP layer for really reactive UIs on top of the DOM. The third thing is what I talked about in the talk, which is the functionality, which is the flows. The flows also: I mostly showed you the UI part of the functionality; we are trying to bring the back end also
and unified, and all the RPC in between and all will go seamless, right? And then we are also creating some visual programming tools to put all this together. I think when we put all this and give it to the industry, that's when we feel it will pick up. Mostly we are focusing on building these, and I think maybe in the next few months we might go and get back to writing documentation, promoting it etc.

Thank you all very much for coming back to the stage for this question and answer period. It was very interesting, and thank you all for your questions. It's a little hard to remember things sometimes when you had a talk a couple of hours ago and then you had lunch. Our next session is a little bit different from all the other ones we had today, so while I explain it I'm going to have a little bit of an exercise: I'd like you all to stand up and take your bags in your hands, and none of you can get out of this because I'll be able to see. Okay, people. Hi, and welcome to flash talks. We have three flash talks this evening; each flash talk is up to five minutes. I have a timer; when the timer goes off, the flash talk is over whether or not the talk is over, so be prepared to be pulled off the stage. Our first flash talk is Nemo, who works for Razorpay, who is also a friend of mine, which is how I know his name; he's the only person at the conference whose name I know who doesn't work at HasGeek. So I'm sorry that I don't know all your names yet; I'll get to know them. Nemo, you ready? Okay, here it goes: three, two, one.

Everyone, how many of you know what an IFSC code is? How many of you have had to type it? Ever made mistakes? Cool. So it's a fun talk about IFSC codes; I've done this a couple of times as a flash talk. So I work at Razorpay, we do payment things, and as part of payment things I came to know a lot, lot more about these IFSC codes. So what's an IFSC code? It's one of the most Indian examples of the RAS syndrome. If you don't know what the RAS syndrome is, it is the
Redundant Acronym Syndrome syndrome. You have ATM machines, you have PIN numbers, you have LCD displays, and then you have IFSC codes, where the C stands for Code. So it's the Indian Financial System Code. They are used to identify each and every individual bank branch within India. So if you're a bank you get to allocate different codes to each of your branches. So an account number is an account number; when you want to uniquely identify any specific account you say my account number is 1234 tied to this particular branch. The first four digits are the bank code, followed by a zero; the zero is mandated. The next six digits are the branch code. So I could have HDFC0123456 or HDFC0123458; that identifies which branch I am talking about.

So this was why I started working on IFSC codes: we had the problem to validate a particular given IFSC code as fast as possible and get more details if needed for that particular IFSC code. So I realized I should get all the data. I went to the RBI website; this is the first thing you should do for any open fintech data in India. Got to the RBI website, downloaded the entire thing. They give out Excel sheets, of course. Tried parsing all the Excel sheets; of course there were errors. There are things like NA, lots of hashes, blanks and lots of weird characters. Fixed all those errors, exported those to nice clean CSVs, JSON formats, and then I did a cute release. This is the first release we did, in February 2017. This is an open source project we run as part of Razorpay; I'll show you the current website as well. How much time do I have?
2:19. That opens... So the dataset releases we do are monthly. RBI updates the datasets every month; we take the same releases and push them to our servers. There are around 330,000 IFSC codes; they've kept increasing, so I think the current number is around 150,000. We wanted to do a true/false response: you give us an IFSC code, we say is it a correct, valid IFSC code or not, as fast as possible. So I did a Bloom filter. Bloom filters, for those of you who don't know, are probabilistic data structures, which means they have a 99% chance they'll give you an accurate response and say hey, I've seen this IFSC code before, it looks valid, but there's a 1% chance of a false positive, where the IFSC code may be invalid but they say oh, it's valid. So I did that. Bloom filters don't look nice, they look ugly, you can't open the file; I can't give that file to my finance department and say hey, use this nice Excel file. So it was somewhat ugly and I decided to do some custom compression thing. IFSC codes in general are very sequential in nature: you have one code starting from 123456, so the HDFC part will remain constant and there will be 000100, 1234, and then there will be some gaps because branches have gone missing, they drowned, I don't know. So I made use of this; it's a fake compression thing where I say from SIBL, on the third line, 000012, 000204 are all valid IFSC codes. It works well for us; we have been running this code in production for more than a year now. Automation is good, so now all of our releases are automated: whenever RBI does a new release I get notified over email, I create a new branch, and it automatically, almost, gets converted to a new release with cute animals. There are lots of quirks. Guess which bank this is? Not Yes Bank is the correct answer. This is the response that we returned: this is the Navada Central Cooperative Bank Limited, and you are wondering why does it start with YESB? It starts with YESB because Navada Central Cooperative
Bank doesn't have enough money, and they went to Yes Bank and said hey, please give me an IFSC code, so Yes Bank sublet it out to them. There's a list that NPCI publishes on their website; it tells you which banks have sublet branches from other banks. There are a lot of these similar banks. Costner's Bank has its own quirks. Yeah, and I think that's where I'll stop it. We have the thing at IFSC.com. Thank you.

That was very fast and full of numbers, and wow, it's confusing. Yes Bank? If you are interested in more things about IFSC codes, hit me up, I'll be around. Thanks, Nemo. So the next speaker is me; my colleague Akshay... So you might not have realized this, but I'm a foreigner, and I've started my own timer. Okay, you can start the timer too, or you can just hold mine here. Catch, do not drop it. That was difficult to guess. I am a complicated foreigner even, because I was born in America and I have a US passport, but I don't live there, I live in Japan. And I really struggle with payments in India. I was hungry the other day and so I installed Swiggy, like, yeah, I'll do like all my friends do and I'll order food in. I logged in, created an account, put in my Japanese credit card, chose some food, and "could not process your payment", because Indian payment systems require 2FA and most of the countries outside India that issue cards don't have a mechanism for 2FA; we definitely don't in Japan, Japan is all trust-based. So okay, great, well maybe I can use Paytm. I've never used Paytm, so I download the app; I'm getting hungrier and hungrier here and a little more and more cranky. I download Paytm, I'm like okay, how can I put money in? I can put money in with my credit card. No, sorry, same thing again, same thing. Only, I can't, because I don't have correct change. So I didn't eat that night and that really sucked. I have another problem: I can't open a bank account without an Aadhaar. Yeah, so the regulation says you can open a new bank account and submit Aadhaar within the next 6 months or 31st March, whichever is later, but do our
representatives really read these circulars or are they just like to get your adhar and they behave really strangely when foreigners go to get adhar cards now we are supposed to be able to get them and I do have foreign friends who are married to Indian people who get them but it takes them a lot longer than it should because nobody really understands what's going on so even if I wanted adhar which I kind of don't I have no guarantee that I'll be able to get it or win so adhar law says you can get an adhar continuously for 180 days in India and you have to prove it somehow it's not possible to get an adhar even if you got out for one day according to the rule now it's up to you how do you prove it to the assessing officer that you are here for exactly 180 days maybe I can show them my passport I don't know anyway getting a bank account and eating are two very difficult things to do as a foreigner so I really hope that all the systems that use 2FA will stop using them or maybe all the systems not using 2FA will look towards more security and start using them that's crazy but I'll talk to Japan about that that's it thank you thank you very much so we have one final one final flash talk see I'm really fast I still have a minute and 52 seconds we have one final flash talk which is written down on my whoa he just got 50 minutes that's too many minutes this one is called Distributed Ledgers by Santosh Vijay and it is a sort of a blockchainy talk alright your timer is running good evening so this is the most known topic what is bitcoin what is blockchain so I thought of sharing a quick small intro on my own style of explaining so whatever we are talking today blockchain is all coming under a concept called Distributed Ledgers so what is a ledger so if you look at a ledger it's a tool or a file which records and total economic transactions people have been using since the ages of clay tablets you can see we've been using clay tablets, tally stick we've been using double 
entry bookkeeping and with the technology with the computers we've been using the excel sheets to tally all those so this was a digital ledger the first digital ledger would be something like an excel sheet so a ledger is a book or a file recording and totaling economic transactions so just look at the date in which all this evolution started and let's look at the types of digital ledgers so this is a centralized ledger so everything is controlled by a central node think of a Facebook or an internet your own website it's hosted in a single server and everybody connects to it so the first website this is the next computer used for the world wide web right this is the first computer used for world wide web and you can see this is the first website and this was running in one single box and everybody was connecting to it and this was the first centralized type of ledger looking at the decentralized you can see the points of central authority so decentralized ledger is controlled by a limited number of parties and look at all are in blue color which means the nodes are not anonymous they all like come together participate with their identities they are not anonymous basically we could also say they are permissioned and distributed is where there is no central authority now if you see 1, 2, 3, 4, 5 central authorities are here there is one central authority here you cannot name the number of central authorities because the entire code or the entire logic or the entire data is being distributed and these are these three things are trusted environments and that the pink color is the trustless environment where Ethereum and blockchains are example and this one would be a hyper ledger right where you get into a permission and come and participate so this trustless environment where anybody can Tom Dick and Harry can come jump into that do a consensus and add the blocks is a trustless distributed network so just look at this is all what we have in the plate right and not 
sure if I am running out of time so if you look at it the whole internet right it was developed as a distributed system and slowly what happened was it became lot of central authorities came up and actually if you look at today's internet has to be a distributed and that is where blockchain is very exciting because it allows the power of distribution and that applications right and yeah as you know it started in 2008 by Satoshi Nakamoto the concept of blockchain was introduced and as you all know they used like 10,000 bitcoins for buying two Papa Jones PISA in May 2010 and in 2013 Ethereum project was launched and to create a decentralized application and followed by that there was a release of KORGA by R3 consortium and this is one of the blockchain which is very popular in the enterprise and open chain was introduced in 2015 by coin prism and I think multi-chain is one more blockchain and Hyperledger project was started in 2015 by the Linux foundation so the very exciting project and enterprises use Hyperledger fabric as the blockchain and hashgraph how many of you have seen hashgraph so it's one of the most exciting blockchain implementation but unfortunately it's a proprietary not an open source so that's the problem but yeah the space is evolving and when I present when I created this slide it was 2017 and the cryptocurrency market was like around like 730 billion dollars but now yeah there is a slight dip now you can see how this blockchain as a whole started from 2008 to 2016 in 8 years took different stages and how do you decide what kind of ledger should I use permission ledger permission less should I use Hyperledger should I use blockchain should I use Ethereum how do you decide this is how you decide how many copies of ledger you want if you want one copy of the ledger then happy you can go for the traditional ledger a personal bank account or your own systems existing systems when you want multiple copies of your ledger distributed right that's where 
the concept of distribution comes in and when you want only the owner group to maintain this then you use a private ledger if you want anybody to maintain the integrity of trusted ledger could be used by validation and any user by consensus so here is where the blockchain comes into picture sorry the bitcoin and the Ethereum comes into picture this is where Hyperledger comes into picture so this diagram is like from Dave Bridge so you can just refer this diagram on how you can decide on which technology to choose inside blockchain that was really interesting I kind of stopped paying attention after Ethereum so I didn't even know about those other ones so this is a slide on what is the difference between distributed ledgers distributed database something to look at as you put away your stuff your time is over so we have one more a bonus talk flash talk five minutes and I've been told it's called just talk she kind of is actually one of the editors of this conference so he is full of content you ready so I'll just talk about what can we as consumers and civil society can do there is a rough reference like are you a startup or activist I am actually proud to say that I am an activist okay now the goal of this now as consumers we are losing rights but there is an opportunity for a lot of us to actually engage and change the discourse positively for us the reason example I can quote Kiran on this public policy is well served for public only when public participates and he said this in the context of the save the internet thing where public participated which eventually led to the policy change now for that to happen a lot of you in this room I think that it just happened because some site was put up and people sent emails and because of that the policy changed now a lot of background to that is a bunch of people have been following telecom have actually have deep knowledge in that domain to put a response that was drafted on the email how many of you actually read that 
email now to actually put out that response you need to have a lot of background on how the internet works how networks work now if we put out some if something where to come for payments now the talk is that payments regulator would come now a regulator will not automatically solve your problems a regulator will solve problems only when there is power lobbying obviously the industry is there to power lobby for their interest now if you want your interest to be served then you need to talk talk to the regulator talk to the regulator in a meaningful way and for that you need to understand the industry so that's where like I started this volunteer movement which is nothing but a twitter handle called cashless consumer and I tried to produce content around the payment space a bunch of the articles on this handbook that you've got and all these have one common motto that is to actually understand the landscape because only if you understand the landscape you can talk to people in the language that the regulators or the governments or the banks actually see and also when you see things from their perspectives your approach to policy making will be entirely different because as of now you'll be a disgruntled customer saying that I don't have a choice or maybe a disgruntled start-up saying that this is not level playing field but if you need to say that you're probably saying that from your limited experiences the idea is to actually learn more and see the entire field as such and then develop opinions and try to form opinions based on that and push it with people so this is what cashless consumer is about and the way one can do is it's very simple like you read newspapers you read articles RBI puts ton of materials on these payment regulations so this is for policy folks who are focused on regulations so there are these lot of these materials which give you access to what these systems are how they are supposed to be right and then for developers we have an additional 
option right we know some of the tech so you can actually see what tech is this about and how it's supposed to work how it's working and since you know to decipher some level of tech you can do that and that's what we've been trying to decipher some of the UPI apps and see make sense to people and one of the consumer agenda is in a market a consumer will win only if there is a competition now UPI is supposed to be a perfect competition place right so there are supposed to be this 75 apps and a lot of people will build apps there are more players in the market it will benefit the consumer now it will benefit the consumer only if there is a competition that is evolved among the players until Geo came the competition was literally non-existent in telecom right now how do you kindle the moment in payments so for that you need to understand and differentiate different players and try to build the competition fuel the competition from the consumer needs to make one company build something by asking them right so or compare what are the different offerings so that's that's what we did with the UPI matrix where we put out all the features of different UPI apps and say these are the apps that are different from these right and when you do that you will probably see that at some level there is no competition now at which point you need to go deeper and say what is differentiating factor between each of them and see a one last thing that you also need can do as an average citizen is to put out more digital financial literacy that is deeply lacking with lot of us even the most technical educated tech savvy people will not understand digital payments or have financial literacy to deal with the sort of apps that are coming out so teach about it to the next person once you know which officially starts at six upstairs there's a talk on failure stories actually I think a very specific failure story and tea and coffee and snacks and things if you purchased a corporate ticket and all 
access ticket which got renamed to something else or a high T ticket which there are a few still available you are welcome to come up in the last talk otherwise we'll see you tomorrow we have a lot of talks on regulation we start the morning in this auditorium with some user interface and a really interesting accessibility talk and let's see a couple of tech talks anyway you can check out the schedule and speaking of the schedule it's also the feedback forms please fill in the feedback form you can hand it to anyone with a yellow tag they will hand it to me or you can hand it to me directly you're welcome to send them in anonymously you don't have to put your name on so if you know about your comments then please do put your name on them so we can track you down you'll also be getting a digital version of this as a Google form in your email probably tonight or possibly in the next 10 minutes that is all for today Opsecho is still doing their security clinic tomorrow from 10-3 if you want to sign up for it we tweeted out the application form they have some requirements that you have to you know like allow them to update it and stuff so you can't just rock up you need to reply I think that's it thank you all so much see you tomorrow
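The IFSC flash talk earlier in this transcript describes two techniques for a fast validity lookup: a Bloom filter that answers "valid / not valid" with a bounded false-positive rate, and a custom compression that exploits the sequential branch numbers under a fixed bank prefix. The following is an added worked example illustrating both; it is not the speaker's code, nor the IFSC.com project's actual file format. The bank prefixes and codes are constructed sample values, the text layout of the compressed file (one line per bank prefix, numeric branches collapsed into ranges) is an assumption, and the false-positive rate is a sizing parameter you choose rather than a fixed figure.

```python
"""Added example: Bloom-filter lookup plus prefix/range compression of
sequential IFSC-style codes. All codes below are constructed samples."""
import hashlib
import math


class BloomFilter:
    """Probabilistic set: no false negatives, tunable false-positive rate."""

    def __init__(self, expected_items: int, false_positive_rate: float):
        # Standard optimal sizing: m = -n ln p / (ln 2)^2 bits, k = (m/n) ln 2 hashes.
        self.m = max(8, int(-expected_items * math.log(false_positive_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Kirsch-Mitzenmacher double hashing: derive k positions from one SHA-256 digest.
        digest = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step so all positions are reachable
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


# Constructed sample data: 4-letter bank code, a '0', then a 6-character branch code.
SAMPLE_CODES = [
    "HDFC0000001", "HDFC0000002", "HDFC0000003", "HDFC0000004", "HDFC0000007",
    "SIBL0000001", "SIBL0000002", "SIBL0000204",
    "YESB0ABC001",  # alphanumeric branch code, cannot be range-compressed
]


def compress(codes) -> str:
    """Group by bank prefix; collapse consecutive numeric branch codes into 'lo-hi' ranges.
    Output layout is an assumption for this example, e.g. 'HDFC:1-4,7'."""
    by_bank: dict[str, list[str]] = {}
    for code in sorted(set(codes)):
        if len(code) != 11 or code[4] != "0":
            raise ValueError(f"malformed IFSC-style code: {code}")
        by_bank.setdefault(code[:4], []).append(code[5:])
    lines = []
    for bank, branches in sorted(by_bank.items()):
        nums = sorted(int(b) for b in branches if b.isdigit())
        others = sorted(b for b in branches if not b.isdigit())
        parts, i = [], 0
        while i < len(nums):
            j = i
            while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
                j += 1
            parts.append(str(nums[i]) if i == j else f"{nums[i]}-{nums[j]}")
            i = j + 1
        parts.extend(others)
        lines.append(f"{bank}:{','.join(parts)}")
    return "\n".join(lines)


def decompress(text: str) -> set:
    """Inverse of compress(): expand ranges back into full 11-character codes."""
    codes = set()
    for line in text.splitlines():
        bank, _, body = line.partition(":")
        for part in filter(None, body.split(",")):
            if part.isdigit():
                codes.add(f"{bank}0{int(part):06d}")
            elif "-" in part and part.replace("-", "").isdigit():
                lo, hi = (int(x) for x in part.split("-"))
                codes.update(f"{bank}0{n:06d}" for n in range(lo, hi + 1))
            else:
                codes.add(f"{bank}0{part}")
    return codes


def build_filter(codes, false_positive_rate: float = 1e-4) -> BloomFilter:
    bf = BloomFilter(len(set(codes)), false_positive_rate)
    for code in codes:
        bf.add(code)
    return bf


def false_positive_trial(bf: BloomFilter, queries: int = 1000) -> int:
    """Count how many constructed, definitely-invalid codes the filter wrongly accepts."""
    return sum(f"ZZZZ0{i:06d}" in bf for i in range(queries))


if __name__ == "__main__":
    bf = build_filter(SAMPLE_CODES)
    print(compress(SAMPLE_CODES))
    print("HDFC0000003 valid?", "HDFC0000003" in bf)
    print("false positives in 1000 bad codes:", false_positive_trial(bf))
```

Two properties matter when such a lookup sits in front of a payment flow: the filter never produces a false negative, so a "not valid" answer can be trusted outright, while a "valid" answer is only probabilistic and, where money moves on it, should be confirmed against the authoritative (here, the decompressed) list; and the compressed text form is both human-readable and deterministic, so a published release can be regenerated and diffed against the previous one rather than trusted blindly.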