Authors’ preface: We have always been drawn to bold, ambitious ideas that aim to leverage technology to improve the world. Unsurprisingly, we were inexorably sucked in by the gravity of cryptocurrencies and blockchains in 2013, and the exciting potential of the creator economy in 2020. The only other idea to have a similarly profound effect on us was India Stack - the remarkable project that represents the beating heart of this essay. Due to serendipity, or perhaps persistence, we have been fortunate enough to get a front row seat to this incredible spectacle unfolding in India. Over the past eighteen months, both of us have spent time volunteering with iSPIRT, the non-profit think tank that has played a leading role in catalyzing the technological sea change described in the paragraphs below. For more about the authors, see the post-script at the bottom of the page. And with that, our story begins.
Picture this. The year is 2007 and the dark afterglow of sunset hangs in the sky above the Kibera slum in Nairobi, Kenya. Three local tour guides are enjoying some chilled Tusker beers on a warm Sunday evening, and they gesture to the barkeep that they would like to settle their dues. The shop only accepts cash payments, and unfortunately one member of the group isn’t carrying his wallet. No problem though - one of his companions offers to spot him the money. While the friend fishes out a few notes from his wallet to settle the tab, our cashless consumer whips out his mobile phone and presses a few keys. By the time his friend collects the change, the debt between the two men has already been cleared and settled.
Source: Alamy Stock Photo // Benedicte Desrus
At the same time, in New York City, two students from Columbia University grab a quick lunch in between classes. They haven't known each other long, but they've been working together on a project for a computer science class this past semester. For the sake of efficiency and kindness towards their meagre student budgets, they elect to visit one of the city’s many ‘Halal carts’ hawking Egyptian-style lamb over rice. These are literally carts set up on the road, cheap and quick street eateries that normally only accept cash payments.
Mirroring the situation in Kenya, one of the two diners isn’t carrying any cash on him. ‘No worries”, says his companion, “I’ll pay for you now, just give me some cash later”. When ‘later’ finally comes around in a couple of weeks, the ‘borrower’ visits an ATM, withdraws the money, and heads to class. As he looks around the classroom, he learns that his buddy, the ‘lender’ who covered his meal, has taken a leave of absence and won’t be back till the following semester. Driven by a desire to settle his accounts, our protagonist tracks down his classmate’s coordinates and asks for his bank account details. After an awkward exchange of bank account information, he is dismayed to discover that the cost of making the bank transfer exceeds the cost of the lamb-over-rice he consumed. Feeling dejected, the borrower laments the paucity of options available to him - he either has to mail the money through the post office, or wait a few months and hand it over in person!
Source: billypenn.com // Marcos Espinoza
Take a moment to examine the contrast between these two situations. How is it that consumers in the slums of Kenya, a country with comparatively undeveloped infrastructure and a GDP per capita of $800 (at the time) were able to enjoy a seamless online payments experience, while two computer science students in the financial capital of the world’s wealthiest country had to navigate painful bank account numbers, prohibitive fees, and literal physical movement of money all in order to settle a measly lunch tab? Why didn’t the USA already have this capability?
The reality is that in 2007, there were hardly any online retail payment systems in operation in America, let alone mobile money solutions. Banks had only just begun to offer internet banking portals, but these weren’t designed for easy, low value payments. Despite all the convenience it offered, PayPal was largely focused on merchants - their retail payments experience was filled with too much friction, and consumers never took to it. Venmo would only get incorporated in 2009, and Splitwise wouldn’t exist till 2011.
On the other hand, Kenya had a full fledged mobile payments network all the way back in 2007. Users could send money to their friends using a plain old feature phone. Transactions were cheap and instantaneous. Anybody wishing to convert the mobile money into physical money could do so easily via a network of agents who facilitated cash deposits and withdrawals. While Silicon Valley and the developed world pumped out all kinds of amazing hardware and software, it was Kenya that was first to bring payments into the future.
Customers queue up to transact with M-PESA tellers. Source: sokodirectory.com
This was made possible thanks to a product known as M-PESA, a mobile payments platform launched by the Kenyan telecom operator Safaricom. When it was launched in 2007, roughly 20% of Kenyan adults had access to banking services. In just 5 years, almost 80% of Kenyan adults were using M-PESA, and the aggregate value of annual transfers approached 50% of Kenya’s GDP. This was incredible for the government, as more and more economic activity shifted out of the shadows and into the formal economy. It also generated significant brand equity and profits for Safaricom - presently the largest listed company in Kenya, with 10x the market cap of the second biggest firm.
But most of all, it changed the lives of millions of Kenyans who were able to access payments, savings, and credit products in a much cheaper, easier, and more secure way than ever before. It provided an experience so convenient and magical that business schools still run case studies on it more than a decade later.
Ok so what’s the point?
The reason we highlight this story is because there is an instructive, relevant lesson buried in this tale. M-PESA wasn’t a success because it pioneered some groundbreaking intellectual property. Nor did it succeed because of astronomical investment. On the contrary, it was a basic software system built on top of Safaricom’s existing nondescript telecom infrastructure. The network of cash collection agents was organized using basic technology and the well-understood hub-and-spoke logistics framework. But despite this relatively simple operational and technological backbone, M-PESA had an outsized impact on the Kenyan economy. So what is the secret - how and why was M-PESA so successful?
The answer is that it solved an economic primitive. It satisfied the basic needs of individuals wishing to participate in the full spectrum of economic activity taking place around them. As we illustrate below, most economic activity comprises certain common, repetitive actions, regardless of the industry or use case in question. These are economic primitives.
Going back to M-PESA, the economic primitive it solved was payments, an integral activity at the heart of our entire socio-economic system. If a new mechanism for carrying out this activity came around which was cheaper, easier, and more convenient than its predecessor, why wouldn’t its usage skyrocket? It seems like a no brainer. The same story has played out in countries like Sweden and China, where the recent convenience and ubiquity of mobile wallets and cards are pushing cash out of circulation.
So the real question is this - why did it take so long for us to build a better solution to an essential economic primitive like payments? And why is it that some parts of the world (even at completely different ends of the development spectrum) are still struggling to get payments right? To go even further, why haven’t we already solved for multiple economic primitives in every part of the world? After all, this is the Internet Age.
Source: Mohamed Hassan // Pixabay
We have the technology and know-how to weave beautiful, elegant networks connecting almost every single human being and business on the planet. Nonetheless, even as more and more economic activity takes place within the edifice of the Internet, it seems as though the scaffolding supporting the structure hasn’t been upgraded to reflect that importance. In particular, there are three economic primitives which have yet to be fully unfettered for the digital age: identity, payments, and data.
For starters, consider identity. Your digital identity is like your invite to the dance, the first step to unshackling important capabilities from the limits of the physical plane. What if we lived in a world in which every individual and business had their own verifiable digital identity? One which they could leverage to prove some information about themselves - as much or as little as they wished to. What if all government documents existed in a digital format, so we never had to worry about losing our driver’s licenses or making photocopies of our passports? In fact, what if all documents were digital, and paper signatures were an optional artefact of the past? In the cathedral of the digital economy, identity is the buttress which provides support to the entire structure. Shouldn’t the services at our disposal today match the grandeur of this purpose?
To extend the architectural analogy, if identity is the buttress, payments are the foundation. Without online payments, there are no online transactions - there is no digital economy to speak of. But somehow, most global payments infrastructure still runs on technology from the 1960s. Why should it be expensive for people to send or receive their own money? Why do we need to wait days to move funds from one account to another? Why is it so hard to send money around the world at a time when we have never been more connected across borders? Why can’t you pay a friend, stranger, or merchant using something as simple as a username? Why can’t different payment systems all talk to each other so that consumers can use the service which best suits their needs without worrying about being cut off from their friends? We often speak about ‘smart contracts’ in the context of cryptocurrencies, but why can’t we have programmable payments denominated in all world currencies? Wouldn’t these upgrades cultivate efficiency and innovation within the whole economy?
Revisiting the Christian imagery of the cathedral (for the last time - we promise), payments and identity are only two parts of the trinity of a digital economy. The third and final piece, the holy spirit which permeates all aspects of digital life, is data. Data can be used to unlock and improve virtually any kind of business model. As the count of networked sensors and online interactions grows, we find ourselves sitting on increasingly rich and useful piles of data. Unfortunately, much of this data lies underutilized, siloed, or misappropriated.
Shouldn’t every person and business get to decide the fate of their own data? Wouldn’t it be convenient if all this data was available to its rightful owner in a secure, structured, and machine-readable format? The use cases spanning health, finance, telecom, and pretty much any industry would be mind boggling. Along with the ability to better protect our data from prying eyes, we should also be able to leverage our data by sharing it with service providers on our own terms. This would result in cheaper, more personalized, and hitherto impossible service delivery. Just like M-PESA, it's a no brainer: if you built better solutions around these three primitives, economic activity would flourish.
If you think that what we've described sounds like a wistful and futuristic fairy tale, then think again. Every single use case that has just been laid out already exists, and it has been built in India.
- pauses for dramatic effect*
Under the banner of a program known as India Stack, the land of the tiger has been solving for the three economic primitives of identity, payments, and data for over ten years.
It is this set of digital building blocks that led Bill Gates to remark in 2016 that India was on the cusp of “leapfrogging the world”.
The three layers of India Stack. Source: iSPIRT
The fruits of this decade-long labour have begun to germinate, and as we shall soon see, the results have been astounding. Echoing the credo of M-PESA, India Stack was not built with a breakthrough of intellectual property, nor with a mountain of investment. Instead, all the components of India Stack have been built using a first-principles approach leveraging commodity technology, modest investment, and a commitment to solving for economic primitives. Just like the fictional trio from the Kibera slum, 1.3 billion Indians are currently enjoying access to fundamental digital services that are far ahead of their time.
But unlike the Kenyan payments platform, few people within or outside India know about India Stack. That is why it is so important for this tale to be heard - in order to kickstart the discourse and allow a cross-pollination of ideas stemming from India’s grand experiment with digitizing its economy for all its inhabitants.
This is the story of India Stack, or how India is writing the blue-print for nation-building in the digital age.
Part 1: The Foundation
The story begins in 2009, at a time when India was only 18 years removed from its self-imposed economic exile. While many Asian countries enjoyed rapid economic development in the latter half of the twentieth century, India’s socialist and protectionist policy environment meant that the largest country in the subcontinent long remained a globally excluded market devoid of high growth, natural competition, and trade-induced investment. Although the country did change course and liberalize its economy in 1991, the hangover stemming from forty four years of a smothered domestic market took a while to dissipate, leaving some industries worse off than others. One of the industries in which development was hobbled was financial services. In particular, India had a massive problem with financial inclusion.
In 2009, only 17% of Indian adults possessed a bank account. Hundreds of millions of people were cut off from the formal financial system, resulting in a huge loss of productivity, tax revenue, and socio-economic development.
One of the key reasons for this was the high cost of conducting KYC (or Know-Your-Customer) verification. The economics of complying with the regulator’s KYC norms simply didn’t work out for profit-seeking enterprises. Verifying a customer’s identity was a manual process which required physical document collection and processing. Undertaking this logistical challenge for customers all over India’s infrastructure-bereft farflung hinterlands just didn’t make sense, especially when you consider that the revenue from these rural customers would be paltry compared to their richer urban counterparts.
But this wasn’t the only reason for the low penetration of financial services - even more challenging was the fact that until 2009, a mind-boggling 400 million Indians were estimated to lack any sort of individual identity document or identifier.
It was against this backdrop that the Aadhaar project was introduced. Launched in January 2009, Aadhaar - which means ‘Foundation’ in Hindi - is the first of three layers of India Stack (although the term ‘India Stack’ would first appear only some five years later).
In essence, the Aadhaar project sought to give every Indian a foundational digital identity so that they could unlock all of the wonders of the formal economy. The project achieved its objective in stunning fashion - in just 5 years, more than one billion Indians had received an Aadhaar card. This makes it one of the most successful rollouts of any tech product anywhere in the world. Today, 1.27 billion Aadhaar cards have been issued, covering more than 94% of the country’s entire population. This historic achievement set the trajectory of India’s journey towards becoming an Internet-friendly economy.
Although we use the term ‘Aadhaar card’ in the preceding paragraph, the physical card itself has no real value. Instead, the card bears a unique 12 digit number known as an Aadhaar number which is central to this programme. To obtain this number, individuals sign up at enrolment centres by providing only four data points: name, address, gender, and birth date. Mobile number and email address are optional additions. Individuals who already possess other forms of ID such as passports and driver’s licenses are able to verify their information using those documents, but the system also allows individuals who are without documentation to receive an ID. Along with the four mandatory demographic data points mentioned above, users are also required to submit their biometric data, namely their facial photographs, iris scans, and fingerprints. Once the system is able to use these biometrics to run a de-duplication check across the database, the user is successfully enrolled in the program and issued a unique Aadhaar number.
Source: ‘Identity, Payments and Data Empowerment’ - Nandan Nilekani (2019)
Using this number, individuals can access multiple different services to authenticate their identities. One of them is called e-authentication, or e-auth. To use e-auth, a service provider takes a user’s Aadhaar number and makes a request to the Aadhaar database, managed by the independent government body known as the Unique ID Authority of India (UIDAI). The request contains the Aadhaar number in question, along with some demographic data: this can be age, name, address, birth date, email, or mobile number. In response to the request, the UIDAI server simply returns a yes/no, indicating whether the database does indeed contain a record which matches the given number and demographic data or not.
In conjunction with two-factor authentication - in which a user enters a one-time password sent to the mobile number or email address on file - and biometric authentication, e-auth provides a useful and highly portable identity management solution for businesses. This has obvious benefits for things like KYC, but it also allows for more original applications.
For instance, one could use this system to build a bot-free, humans-only social media network or polling system without actually capturing any personally identifying information about users. Similarly, it would be trivial to use e-auth to build verifiable age, address, or gender requirements into an app or website, while keeping everything else anonymous.
Although the present usage of e-auth has largely remained confined to the more boring and regulated worlds of financial services, civil services, and so on, the design of Aadhaar’s digital identity system makes it easy to implement a range of operations. Till date, more than 48 billion e-auth operations have been carried out, largely by financial institutions, telecom companies, and utility companies.
Speaking of banks and telecom companies, the Aadhaar system was the lynchpin that enabled these players to massively expand their coverage within India. The mechanism they leveraged was known as Aadhaar e-KYC, which is very similar to e-auth except that it takes as input an Aadhaar number and biometric scan and returns as an output the demographic data and photograph of any matching record found in the database (eliminating the possibility of spelling mistakes causing matching errors during e-auth). This facility is also available ‘offline’, which means that Aadhaar users can generate a digitally signed copy of some subset of their KYC information from the UIDAI server without having to reveal their Aadhaar number or their intention behind proving their identity. This ability to selectively, clandestinely, and autonomously share identity credentials is a core tenet of the increasingly popular self-sovereign identity movement favoured by privacy activists and web 3.0 advocates.
Leaving aside the features of Aadhaar, the importance of the system really comes through when looking at its impact. The graph below, built using data from the Bank of International Settlements, plot GDP per capita against the percentage of adults with a bank account. As the data shows, India’s position on the graph in 2011 was roughly in keeping with the global trend line - less than 20% of adults had a bank account.
Source: World Bank / iSPIRT
But by 2018, the number of adults with bank accounts shot up drastically to almost 80%, and India’s position on the graph now hangs as an outlier high above the trend line. This dramatic increase in financial inclusion can be attributed partly to political efforts which loosened compliance requirements and incentivized banks to open accounts, but also in large part due to e-KYC.
Source: World Bank / iSPIRT
Source: Bank of International Settlements Analysis / iSPIRT
As the graph suggests, the level of progress that should have taken 46 years to achieve eventually unfolded in just 7 years!
The World Bank estimates that Aadhaar e-KYC brought down the customer onboarding cost for an Indian bank from $23 to just $0.15. At this new price, it was economical to open new accounts for poorer customers, and private bank branches began to mushroom all over the country.
Along with banks, telecom companies also benefited massively from e-KYC. Reliance Jio - the country’s telecom behemoth which singlehandedly covered the nation with $32bn worth of high-tech telco infra - used eKYC to onboard more than 100m customers in its first six months of operations, shattering many records in the process. Prior to e-KYC, new mobile phone users had to wait for days or sometimes even weeks for telecom companies to verify their profile and issue a SIM card. After the introduction of e-KYC, this became a 5 minute process.
Reliance Chairman Mukesh Ambani at the RIL AGM touting Jio’s record breaking user adoption numbers following their public launch in 2016
Along with e-auth and e-KYC, there are multiple other products based off of Aadhaar that are useful for consumers and businesses. One of them is e-Sign, a standard that allows any Aadhaar holder to generate a legally valid, verifiable digital signature. Another is Digilocker, a system of personal cloud lockers that uses Aadhaar to link, fetch, and store digitally signed copies of important documents like Income Tax cards, driver’s licenses, insurance policies, and educational diplomas. More than 4.2 billion documents have been issued on Digilocker, giving Indian consumers a way to drive, enter airports, and open accounts without needing to carry any physical papers or cards.
In summary, the digital identity solutions introduced by Aadhaar proved to be a turning point in the history of India. Unlike social security numbers and other national IDs issued by foreign countries, the Indian government built Aadhaar in a way that it could be easily leveraged and extended by developers.
As the earlier graphs demonstrated, India was able to speed up its financial and telecom development multiple times over thanks to the convenience and cost advantages conferred by e-KYC. In just three years from the launch of this programme, 600 million bank accounts had been linked to Aadhaar, including 250 million by new-to-bank customers. Multiple trillions of rupees have been disbursed as benefits and subsidies to Indian citizens via Aadhaar-enabled payment bridges, thereby cutting out inefficiencies and middlemen from the process of dispensing aid. But India didn’t just use this system to catch up with the rest of the world, it also developed the potential to surpass the global standard.
Source: McKinsey ‘Digital India’
While each of these new digital tools, and Aadhaar as a whole, have sometimes encountered problems - including legitimate concerns around privacy and security - they have undoubtedly helped usher in the future. Indian banks today flaunt their ability to onboard a new user from the comfort of her own couch, something that was previously unthinkable for the historically risk-averse and bureaucratic Indian banking sector. Similarly, many other industries are able to offer better experiences to a wider set of customers thanks to this convenient digital ID system. In the context of India Stack, the success of this first layer set the stage for the second layer of economic primitives - payments.
Part 2: No Party Without Payments
Now that most people in the country had a bank account and mobile connection, what was the next step? This was the question that faced the policymakers who wished to continue the process of digitally transforming India’s economy. The answer, it turns out, was to build a mobile payments platform that made using these newfound accounts cheaper and more intuitive.
In a developing country like India, users are price sensitive: the fees and charges often levied on bank transfers can deter poorer customers from making non-cash payments. On a parallel track, the cumbersome and text-heavy interfaces found on banking apps and websites can be too arcane for users at the bottom of the pyramid.
Luckily, customers were increasingly familiar with mobile phones, with about 400m Indians discovering the Internet through a smartphone in the 2010’s (in large part due to Jio’s ability to roll out the world’s cheapest 4G LTE services at breakneck speed). Therefore, it made sense to place the smartphone at the center of economic activity going forward. And so the idea for UPI was formed - the Unified Payments Interface.
Since its launch in April 2016, UPI has been nothing short of a runaway success story, with few parallels in the history of global payments. In just 4 years, the second layer of India Stack grew from an ambitious idea to the world’s 5th largest payment network by volume, behind only Visa, Alipay, WeChat Pay, and MasterCard (and gaining fast).
At its core, UPI is a payments markup language that runs on a central switch operated by a bank-owned non-profit known as the National Payments Corporation of India (NPCI). In simple terms, there is one NPCI server which all the licensed banks are connected to. This server sends messages to and fro between all the banks, with NPCI as the middleman.
Source: ‘Identity, Payments and Data Empowerment’ - Nandan Nilekani (2019)
One can think of the system as a three-tiered cake. At the base of this cake are the public rails provided by NPCI, which handles the routing of payments messages. Atop this lies the second tier, consisting of regulated banks - they are responsible for holding user funds and updating account balances. Presently, 200 of India’s top banks are connected to the UPI system. The third and final tier is the fintech layer, through which payment apps and fintechs can gain access to the system underneath. This is where the magic happens. Because there are 200 banks plugged in to the UPI system, a would-be payments provider or fintech app only needs to use one set of APIs to get access to all of the consumer and business bank accounts in India. Gone are the days of building bilateral relationships with each bank in order to get access to those banks’ customers. This frees up payment apps to focus their efforts on customer acquisition, product innovation, and UI/UX as opposed to business development and bespoke technical integrations.
This brings us to the customer experience side of things, where UPI offers a superior UX to most global payment systems. For one thing, consumers like UPI because it allows real-time payments directly out of and into their bank accounts. Since the transactions are all being cleared in the banking tier itself, customers don’t need to fund any kind of intermediary wallet. All the money transfers reflect inside the customer’s bank account instantaneously, and with basically no cost. This explains why closed-loop payment wallets all but died after the introduction of UPI.
Secondly, UPI defines something known as a Virtual Payment Address (VPA) or “UPI ID”. This is a unique identifier that maps a user’s bank account linked on UPI to an easily memorable string such as “aaryaman@upi”. The best part of this is that users of one UPI app can pay users of any other UPI app using only their VPA - allowing people the flexibility to use different apps based on their own needs without needing to worry about being cut off from their friends who prefer a different app provider. It also saves them the stress of having to remember and share their bank account details every time they want to receive a payment!
Furthermore, users can also pay to a bank account number or QR code, so UPI apps in effect offer all the payment services a person may need, but wrapped inside a nice interface built by a consumer internet company. Taken together, it is easy to see why these features won over users; UPI has exploded in popularity, with monthly transaction volumes of 2.2 billion, growing at over 10% month-on-month. The value of these transactions exceeds $54bn on a monthly basis, adding up to an annual run rate of $648bn, or 25% of India’s GDP. It is by far the most popular mode of digital payments in the country, outstripping all forms of cards and netbanking put together.
Source: ‘Identity, Payments and Data Empowerment’ - Nandan Nilekani (2019)
Beyond providing cheaper, faster, and more interoperable payments, UPI also introduced a few futuristic use cases to the Indian payments landscape. The first of these innovations was a set of integrations allowing payment apps to help customers subscribe to IPOs and purchase stocks, mutual funds, and other financial assets. This development has helped drive up the penetration of financial services while also changing the way consumers interact with these industries.
Another utility introduced via UPI is the electronic mandate, or e-mandate. This instrument allows a user to issue a standing instruction to their bank similar to a direct debit arrangement. By invoking the mandate, a service provider can keep debiting a user’s account within user-defined limits such as time period, amount, or frequency. This helps with recurring transactions such as Uber rides or Netflix subscriptions.
Presently, there are plans to introduce a more specialized type of e-mandate known as an e-lien. While e-mandates allow a service provider to debit a user’s current bank balance, e-liens give service providers the ability to entrap a user’s future cash flows. For instance, a borrower might provide a lender with an e-lien that automatically diverts 50% of all incoming payments from the borrower’s account to the lender’s account. By combining the use of e-mandates and e-liens with external data signals and business logic, it is currently possible for Indian fintechs to implement programmable payments into their workflows. This vision of payments is frequently invoked by cryptocurrency enthusiasts touting the potential of smart contracts and programmable money. The fact that this is currently possible in India is something that should pique the curiosity of developers around the world.
India today can boast of having a truly homegrown payments infrastructure that is handling scale at a scarcely believable level for a project that was only launched a few years ago. In a world that is highly dependent on a small number of leading retail payments companies it can only be good thing for a country to have a self-sufficient alternative when it comes to critical infrastructure like payments systems.
Part 3: Becoming Data Rich
Coming to the third layer of India Stack, the logical connection that exists between the first and second layers extends to the third layer as well. Where Aadhaar first helped seed India’s economy with hundreds of millions of new economic participants with bank accounts, UPI then gave those account holders an easy and cheap way to transact digitally. In similar fashion, the third layer of India Stack helps those same account holders to leverage the data trail they leave behind as they go about transacting and operating in the digital economy. This third layer is known as the Data Empowerment and Protection Architecture, or DEPA.
In a sentence, DEPA is a policy framework that defines how the economic primitive of data can be freed up so that individuals and businesses can choose how to best protect it and use it for their own gain. This innovation, which is presently being rolled out in the financial services industry, has its philosophical roots in a piece of impending legislation known as the Personal Data Protection Bill (PDP).
Source: Sahamati
According to this bill, Indians will (for the first time) get a litany of new rights pertaining to their data. Specifically, they will get the following rights:
- The right to data confirmation: The right to know what data is being stored about them, how it has been processed, and who else it might have been shared with
- The right to data correction or erasure: The right to update their data stored with a service provider, in order to make corrections, edits, and omissions of data that is no longer relevant
- The right to be forgotten: The right to have their data deleted from a service provider’s database should they withdraw their consent to its continued storage
- The right to data portability: The right to obtain and share their data in a structured and machine-readable format
Although the PDP Bill is set to undergo further civil and parliamentary scrutiny before being passed into law, the financial service regulators of India decided to presage the bill’s passing and implement its principles in their industries. To be precise, they elected to implement data portability in the financial system, not as a right, but rather as an optional feature.
To bring this to life they prescribed the creation of a new class of financial intermediary called Account Aggregators (AAs) to function as traffic cops for the flow of user data. These AAs represent a new type of fintech company tasked with playing the role of ‘consent managers’, facilitating the transfer of user data between different entities, only after explicitly obtaining user consent.
Source: Sahamati
To illustrate this, here is what a user journey looks like thanks to DEPA: it begins with a user downloading an Account Aggregator (AA) app, similar to how they would download a payment app.
These apps, provided by newly licensed financial institutions (Account Aggregators) allow individuals to use their mobile numbers to discover and link their bank accounts, credit cards, loan provider accounts, stock broking accounts, insurance policies, and 18 more financial assets which currently ‘house’ their data. Once these assets have been linked, users can begin to issue consent to share data pertaining to their finances with third parties that wish to provide them with services.
To make sense of all of this, imagine that a customer visits a digital lender’s website to request a loan. In the past, this customer would have been required to submit their financial data by uploading a PDF of their bank statement, taking a picture of their documents, or entering their internet banking password so that the loan company (or a third party provider) could ‘scrape’ the relevant financial data off the HTML code displayed on the user’s screen. Using the AA framework, none of this is necessary.
Instead, a lending company using the AA system merely has to ask the user for their Account Aggregator ID. Like the UPI ID, this can be a memorable string, such as “rahul@aa”. With the help of this ID, the lender sends the user a consent request via the AA app on their mobile phone. These electronic consent requests, which follow a standard electronic format, contain explicit information about the data requested such as the quantum of data, purpose of request, duration of access, frequency of access, and so on. After perusing the terms of the consent request, the user can accept or reject. If the consent request is accepted, the digitally signed consent artefact (re: data sharing agreement) is shared with the user’s linked bank or financial service provider, and the user’s work is done.
The entire process of sharing data takes less than a minute for a user. Behind the hood, the user’s bank encodes and encrypts the data before sending it out for the approved requester’s eyes only (in this case - the lending website). What’s key to remember here is that Account Aggregators are ‘data blind’ - they can’t actually view the data themselves, they can only help transport it from the entities that have it to the entities that the user wants to share it with.
The encouraging thing about this system is that it solves many problems for both consumers and service providers. For consumers, the AA interface provides one location to view, manage, and revoke all consents. Most conveniently, data requests are clearly defined and can be approved or rejected with one click, eliminating the need for PDF uploads, photocopies, and other unwieldy solutions. Additionally, the AA system gives users a more secure way to transfer data - unlike the HTML-scraping or mobile reverse-engineering techniques favoured by many global data aggregator companies today, the AA method of data sharing doesn’t require literally handing over your banking username and password to a stranger on the Internet.
RIP to the outdated and painful technique of scraping through HTML code
The next benefit to the user is that granular consent controls allow for granular data sharing. For instance, a user will no longer have to share her entire bank account statement with a consular office just to prove her income for a visa application. She could selectively choose to share only her average balance, or all transactions at hotels costing above 10,000 rupees. The point is that control over one’s data is taken out of the hands of corporations and put into the hands of individual consumers. It basically amounts to giving people and businesses the agency to prove any data about themselves in a permissionless and verifiable manner - this has profound implications and use cases that we will likely elaborate on in a separate post.
On the other side of the table, service providers like lending websites or fintechs get the benefits of authenticity, interoperability, and lower costs. For a start, the data provided comes directly from the bank, stock broker, or insurer in a digitally signed format. There is no risk of doctored data. Secondly, the entire AA system is interoperable by design, so a service provider that integrates with one AA app can make data requests to users of any other app too. This takes away the need for custom integrations with different banks, and it also gives users the freedom to use whichever AA they want to. Lastly, the data coming from banks is accurate and machine-readable from the onset. There is no need to use complicated and expensive algorithms to structure the data, possibly generating inaccuracies in the process.
The cost reductions and quicker turnaround times resulting from this structured data will expand the spectrum of products in the market. Just like e-KYC made it economical for banks to service even the poorest customers, the cleaner data provided by AAs can make it feasible to offer smaller ticket loans with instant credit approval processes. As things stand, the AA system is in closed beta testing with 4 of India’s leading private banks and digital lenders. Similarly to UPI, the initial cohort of bank adopters seems small at first but looks set to grow exponentially once the product goes live.
The first generation of AA-powered use cases will likely range from fintech staples like lending and personal finance management to new ideas spanning the worlds of rewards, cashbacks, and even income verification services for matchmaking and background checks. Our readers in the EU and UK might recognise the AA system as India’s own spin on Open Banking. What’s unique about the Indian approach is that consumers get their own singular interface of choice to manage all their consent requests across different accounts. The scope of the Indian implementation also covers 23 kinds of financial assets and counting, in contrast with something like the current European PSD2 framework which only covers payment accounts.
The other hallmark of India’s methodology is the appointment of regulated intermediaries to perform the task of data extraction and provenance, as opposed to the free market and regulation-led approaches in the US and EU respectively. The tradeoff in the Indian approach is that while it might take longer for market players to get licensed and off the ground, it is better for consumers and regulators. For the authorities, it is easier to certify and oversee a smaller set of licensees than to cast a net over the entire ocean of independent implementations. For consumers, there is uniformity, clarity, and interoperability in the system, with better data safety guarantees to boot.
While the AA framework is the finance industry’s early harbinger for the expanded data rights granted by the PDP, it is not the only manifestation of DEPA that is taking shape in the market. Similar systems are being rolled out in the healthcare and telecom industries as well. These two projects have monumental potential in their own right, but to delve deeper into those topics would be to double the length of this article. Curious readers can learn more via the links at the bottom or could just imagine the kind of use cases arising from seamless and consented transmission of location signals, biomarkers and other forms of health or communications data. The overall goal of these various efforts is to unlock the raw power of the data lying idle across the various silos in the economy. Once this economic primitive is unleashed, the possibilities are endless. In fact, the unshackling of the economic primitive of data is already helping to nurture another economic primitive - credit.
A recently announced project called OCEN (Open Credit Enablement Network) aims to leverage the AA system to embed lending into online marketplaces and tech platforms.
This diagram shows how lenders can implement a common set of open APIs to offer credit across multiple distribution points or ‘loan service providers’. Conversely, marketplaces, tech platforms, and other kinds of loan service providers can integrate multiple lenders into their system just by supporting the common OCEN standard. (Source: iSPIRT)
The rationale here is that marketplaces or aggregators like Etsy or Doordash can utilize the same consent flow used by AAs to enable their sellers or riders to share their performance data with lenders. So right from within the Doordash interface, a rider can grant consent to share their financial data but also their Doordash-specific data with a network of lenders. In tandem with things like e-sign, e-liens, and UPI, OCEN can completely digitize and instantize the end-to-end process of originating a loan customer, underwriting them, completing the documentation, disbursing the funds, and even collecting repayments. In fact, here is a demo of exactly this kind of solution which is slated to go live later this year - the product is built on top of the nation’s GST tax platform so that small businesses can easily get their invoices financed, but it is designed using open OCEN standards so as to be simple for lenders and borrowers to spin up a similar system on top of any marketplace.
This model of data-driven underwriting has exciting potential not just for India, but for the whole world. Even in developed economies like Hong Kong, the credit penetration amongst small and medium enterprises is very low relative to the employment and GDP output generated by those same firms. This is partly due to operational friction and cost barriers in the credit application process, but also due to an outdated method of underwriting which requires borrowers to put up significant collateral in order to take a loan. For most SMEs (or even individuals), this kind of collateral is out of reach. What these borrowers often do have though, is a track record of cash flows which can be give comfort and security to lenders. An increasing number of startups, like Pipe in the US, are embracing this new paradigm of cash-flow or revenue-based financing. Similarly, developers working within the decentralized finance ecosystem are finding ways to simplify and automate the process of collateralizing and issuing loans using blockchains. Systems like the AA framework, e-liens, and OCEN aim to fast forward these global trends into the Indian mainstream, hopefully transforming the country’s financial and economic landscape in the process.
Phew, so what have we really learnt here?
The purpose of telling this story is to turn the heads of those in the global tech community towards this remarkable project that is being built in India so that we can collectively build upon the lessons learnt from India Stack, similar to how the virtues of M-PESA are still extolled in business schools and case studies around the world today.
Although the implementation of India Stack has undeniably helped to transform the fortunes of the world’s fifth largest economy and its second most populous country, this work has largely gone unnoticed. This needs to change.
Source: iSPIRT
It is important for people to be cognizant of this grand exercise, and not just so that they can set up business in India or invest in the country. To be sure, there has never been a better time to do so, with the Indian tech ecosystem enjoying a belle epoque moment. The entrepreneurial zeal in the nation is palpable, with an increasingly sophisticated and mature coterie of operators and builders outgrowing a historical reputation as Western mimics to become innovators and trendsetters in their own right. There are over 33 tech unicorns in India, and it seems more and more certain that the country will become a leading global exporter of software and technology.
Source: India Fintech Geo Deep Dive
But thats besides the point. The point is that the philosophy behind India Stack can be instructive for the world at large, here and now. This decade-long socio-economic experiment has proved that you can balance innovation and inclusion without compromising on your economic principles. The results have demonstrated that aside from the Invisible Hand in the US, or the regulation-led strategy in the EU, or even the Great Firewall of China, there is a ‘fourth approach’ to development in the digital era and it is being pioneered in India.
Source: 'Building India's Digital Highways: the potential of Open Digital Ecosystems (ODEs)' - Omidyar Network India
This means that countries with a wide range of challenges and capabilities can extract nuggets of insight from the India Stack story that are relevant to their own economic trajectories. It isn’t necessary to start with an identity programme like Aadhaar if you already have a working social security system (like the US). You don’t need to rebuild your payments infrastructure if you’ve built a pragmatic, scalable solution for your population (like Kenya). You don’t need to rewrite the rulebook around data governance if you’ve been making strides in this direction for the last decade (like the UK and EU).
The credo is simple - if you solve for the economic primitives required by your people, prosperity and innovation will follow. If you make it easier to do the little tasks that need to be done in almost every business dealing, your economy will reap the rewards.
This mantra has held true in India, where the capabilities afforded by Aadhaar, UPI, and the AA framework have resulted in a leapfrogging of global standards. As an illustration, consider the transfer payments made by world governments in response to the coronavirus pandemic. In the US, the government physically mailed cheques to swathes of the population. This was a hugely complicated undertaking, with many recipients having to wait for more than two weeks to receive their payment. In contrast, the Indian government was able to identify payees and disburse funds to hundreds of millions of individuals rapidly using an Aadhaar-based direct benefit transfer mechanism. If something is working on such a large scale, shouldn’t we discuss and dissect it together so we can all benefit?
Fortunately, some of this cross-pollination of ideas has already begun, although the hope is that this article can accelerate the rate of collaboration and creativity. On the identity front, an open-source organization called MOSIP helps governments implement national ID schemes using the learnings from Aadhaar. Morocco and Philippines are two countries in the most advanced stages of implementing these systems, but several other states like Sri Lanka, Ethiopia, and Guinea are in the pilot phase.
On the payments side of things, UPI is finding admirers all over the world. Most notably, Google has been a vocal champion of the architecture powering UPI, repeatedly encouraging the US Federal Reserve to model the upcoming FedNow payments system on the second layer on India Stack. Similarly, Singapore has been running pilots in anticipation of deploying a UPI-like system in its home market. The first usage of this system involved testing whether Singaporean merchants could accept payments in real time from Indian UPI users. This is not only a first step towards enabling a UPI-like system within the island nation, it is also the first step towards enabling real-time low-cost cross-border payments outside of the ancient SWIFT system.
While it is still early days for DEPA, there have been encouraging exchanges of ideas between the architects of India’s open finance system and their counterparts from Australia and the EU. The hope is that in 2021, these ideas can reach even further into the collective consciousness - all it takes is for one developer, entrepreneur, investor, or policymaker somewhere in the world to get excited, and then the butterfly effect can take over.
Are there any drawbacks to this tech utopia?
There are no free lunches. With any large scale economic programme there will always be trade offs, especially so in a country like India that is in a state of constant oscillation between capitalism and socialism, protection and promotion, and ultimately progress v/s patience.
Before concluding this post, it is pertinent to discuss some of the criticisms levelled at these projects. Aadhaar, in particular, comes with a lot of baggage. There are three main lines of contention against the ID system: rogue state, exclusionary consequences, and privacy risks. The first argument gets easily politicized and loses its objectivity. Yes, the government can theoretically turn malicious and break the law to abuse the data stored inside the Aadhaar system. But if this happens, isn’t Aadhaar the least of our problems? The only fields inside the UIDAI database are name, address, age, gender, email, phone number, biometrics (which are designed to never leave the database), and some metadata about which service providers the user performed e-Auth or eSign or online e-KYC with.
An omnipotent rogue state can extract much more damning information than this from the banking system, telecom system, or countless other public and private sector databases. To argue that Aadhaar gives hypothetical tyrants too much power is like saying that engineers shouldn’t invent cars because some hypothetical terrorists could use them to run over innocents - it is an iconoclastic worldview that eschews progress in favour of scaremongering.
In contrast, the other two criticisms of Aadhaar are valid and grounded in research and data. There are many individuals who have been excluded by Aadhaar; some of them due to inaccuracies in the enrolment process, and others who missed out on subsidy payments because they weren’t able to properly link their bank accounts with their Aadhaar numbers. These individuals have suffered, and although they only account for 15% of all the bank account holders in India, that still adds up to 160 million people. The state should do more to ensure that the poorest and most vulnerable citizens are able to enrol in Aadhaar and make full usage of the facilities available at their disposal. This increase in coverage should take place alongside an education campaign informing users of their rights, privileges, and grievance redressal mechanisms, rather than by making usage of Aadhaar implicitly or explicitly mandatory for any public or private service.
Source: www.stateofaadhaar.in
In a similar vein, critics of Aadhaar’s privacy protection measures also have valid points: there were some sloppily implemented encryption workflows during the early days of Aadhaar. Additionally, the ecosystem of hardware and software partners around the Aadhaar system should have been controlled better so that their own faulty security practices did not result in data leaks about Aadhaar users. This is one of the main issues with Aadhaar - the core technology is very robust, but education and awareness around its proper implementation and usage is lacking. Lastly, although the introduction of tokenized Aadhaar numbers and offline e-KYC gave privacy-conscious users a much better way to use the system, perhaps these features should have been baked in from the start.
As regards UPI, two common criticisms are that the system experiences occasional transaction failures and that the market structure rewards the firms with the deepest pockets. The transaction failures are an understandable occurrence - the sheer volume of payments taking place on UPI is rattling the data centers of banks which were never designed to handle this load. But this inadequate infrastructure provisioning is a technological anachronism of our times - many global banks still rely on old-school core banking systems and on-premise data centers. These setups simply can’t adapt fast enough to the requirements of the Internet Age. In short order, we will see a cloud and FOSS-powered overhaul of core banking architecture to better accommodate the demands of the current era.
Coming to the market structure, UPI effectively ignited a land grab amongst global consumer Internet giants. Large companies like Google threw money at the system to acquire users with cashbacks, rewards, and other incentives. As a result, the UPI market is dominated by Google Pay and PhonePe (a subsidiary of Walmart-owned ecommerce giant Flipkart). After recently receiving regulatory approval, WhatsApp Pay is the latest foreign-owned giant to enter this market. Although local companies like BharatPe and PayTM do enjoy sizable market share, they are dwarfed by American-owned tech colossi. Maybe this is just an unavoidable consequence of free market capitalism, but there might have been a longer and more diverse list of successful UPI apps had the regulators specified more intricate product norms around interoperability. Despite the fact that the UPI payment system is seamlessly interoperable between different apps, the larger players attempt to build network effects by deliberately obscuring and minimizing this capability so that many consumers believe that payments are only possible between users of the same app.
Source: Medianama / NPCI
Source: Medianama / NPCI
Overall, while Aadhaar and UPI have not been perfect by any means, they have delivered incredible value to the Indian economy - the proof is in the data. A billion users around the country make incessant use of these services to make their lives easier, and businesses use this infrastructure to cut out costs, clear operational hurdles, and build brand new kinds of products.
The shortcomings of DEPA are yet to be seen, but some will surely arise as this ambitious framework is rolled out over the coming weeks and months. There are open and important questions around viability of business models for account aggregators, or whether the use of regulated intermediaries is the right way to ‘open’ up our financial infrastructure, but these remain hypotheticals until we actually see the system in action.
Closing thoughts
"There is no technical stack in the world with a country's name as a prefix. What the Indian government and regulators have done together with the common national identity through a digital system and a common national API for payments, is nothing but brilliant. India is one of the first countries that has a platform first approach, with the platform being secure, robust and reliable. It is a role model for many other countries to follow" - Sri Shivananda (Paypal SVP and CTO)
In conclusion, one must ask whether the story of India Stack really does contain solutions for the modern world’s needs. With its philosophy of building public digital infrastructure, India Stack seems to give the state an important role to play in fostering innovation. Some may argue that this is at odds with the American model of development, which has been to let the private sector figure things out in an almost laissez-faire vacuum. Although this model has undeniably produced incredible progress and wealth for America and the world, it is actually not as straightforward as it would appear. After all, the very Internet was born out of government-funded research. Similarly, we can thank the US Department of Defence for GPS and its wonderful constellation of apps and use cases. So evidently, there does not need to be a conflict between private sector innovation and public sector infrastructure.
Rather, the state should help the private sector reach its full potential in a way that benefits all members of society. We would even go as far as to say that in the Internet Age, the state is obliged to ensure some baseline level of digital infrastructure, not just for all its citizens, but for its businesses too. This kind of efficient, inclusive infrastructure might eat away at some private sector profit pools in the short run, but those profit pools will reappear and grow larger as the engine of progress chugs along.
It doesn’t even have to be the case that the state builds everything itself. M-PESA and OCEN don’t rely on any government infrastructure, but the point is that they are encouraged and supported by the sovereign. Similarly, systems like UPI and DEPA could easily be built by the private sector, with no need for any kind of government interference or any system like Aadhaar (which isn’t used in UPI or DEPA anyway). At the end of the day, all of this comes back to economic primitives. Whenever a new solution makes it easier, cheaper, or more convenient to do certain repetitive, abstractable tasks, not only does the new mechanism replace the incumbent, but all of society benefits as a result. Productivity increases. New ideas emerge. Lives improve.
While this might sound alluring to many architects of the world’s economies, they would be forgiven for thinking that it sounds daunting in equal measure. But there is good news - a blueprint exists. India’s attempt to solve for the economic primitives of identity, payments, data, and credit - through its digital infrastructure project known as India Stack - provide a progressive and accessible template for all countries wishing to upgrade their economies for the Internet Age.
ACKNOWLEDGEMENTS
This piece would not have been possible without the support and encouragement of several individuals who have been exceptionally generous with their time and insight including Nandan Nilekani, Sid Shetty, Sharad Sharma, Arun Sukumar, Lars Markull, Dirk Van Quaquebeke, Dan Kahn, Sanjay Jain, Pramod Varma, Nikhil Kumar, Simon Taylor, Sanket Nayak, Amit Ranjan, Dhruv Patel, Cem Garih, Amit Jain, and many other wellwishers.
ABOUT THE AUTHORS
Aaryaman was co-founder of a blockchain dev tools startup. More recently, he has been running an investment syndicate known as Prophetic Ventures which he is currently upgrading to a full fledged VC fund in order to better manifest his conviction in the quality and potential of the Indian software industry.
Rahul began his career as a consultant with KPMG in London, spending a majority of his time helping KPMG to set up their global enterprise blockchain and crypto asset advisory practice. He moved back to India to serve as the Head of Business and Strategy at Koinex (then India’s largest cryptocurrency exchange) before serving the same role at B2B SaaS-startup FloBiz. He now serves as the Fintech Lead for Visa in India and South Asia.
REFERENCES AND FURTHER READING
- iSPIRT Foundation : This website contains dozens of articles and videos about India Stack, ranging from technical talks and design sessions on OCEN to industry consultations and policy brainstorms around DEPA, UPI, the Health Stack (another topic for a future post), and many other interesting subjects.
- DigiSahamati (Sahamati) Foundation: This website, belonging to the organization overseeing the implementation of the AA framework, has lots of useful material, including video demonstrations by participants of last year’s seminal AA hackathon, and technical specifications of the AA system.
- UPI technical explainer: One of the best written blogs about the design and architecture powering UPI.
- Bank of International Settlements paper: A beautifully written report analyzing the impact of India’s initiatives in digital finance.
- India’s Digital Leap: The Multi-Trillion Dollar Opportunity: A comprehensive blue-paper by Morgan Stanley outlining their bullishness towards India’s prospects in the 2020s.
- Nandan Nilekani for Carnegie India: A tour-de-force video recounting the journey of India Stack.
Let us know what you think of this post - you can find us on Twitter at @AaryamanVir and @RahulSanghi1
Our goal with this essay is to kick-start the global conversation around India’s ‘digital blueprint’ for the economies of the future. We think that this story needs to be heard, and there is considerable progress to be made by building on these ideas together as a global tech community. If you made it all the way to the end of this essay and thought this was a good use of your time, why not take a couple of seconds and share this post?