IT is hard to gauge BHIM’s identity as a consumer app without understanding the Unified Payment Interface (UPI) platform that powers it. The UPI concept itself was made possible by the National Payments Corporation of India (NPCI), an umbrella organisation set up in 2006 at the behest of the Reserve Bank of India for all retail payment systems of the land. It is singularly responsible for paving the way for tech startups to work with commercial banks on one hand and serve customers like you and me on the other. UPI needed all banks to become interoperable with the UPI technology (between February and June 2016), which is no mean task. NPCI took two extra months to ensure as many banks as possible were on board a compact system. UPI is how apps like PhonePe — built in less than a year — help make the inter-banking experience as simple as email for customers. It is a living and breathing platform that enables immediate payments. And it was a wake-up call for banks to get their technology act together. Bharat Interface for Money (or BHIM) is another of UPI’s progeny and applications. The buzz in the tech sphere is that it is the shape of things to come — read, technology and micro-lending. If BHIM has had something other apps don’t, it is Prime Minister Narendra Modi’s voluntary endorsement. This counts for a lot in a land where banking access is abysmally low and faith in technology stillborn for more than 500 million people. Unsurprisingly, Modi’s endorsement helped BHIM achieve the same number of downloads in 10 days that a slicker PhonePe app clocked in five months. But here’s the thing: PhonePe is a standalone business and business enabler for parent company Flipkart. Paytm is a red-blooded digital wallet business. What’s the Prime Minister doing evangelising an app, especially a basic app and “balancing wheel” for starters? He is helping spawn a technology ecosystem for the poor.
The idea
The Ratan P Watal Committee mooted strengthening the digital payments ecosystem in a December 2016 report. Its recommendations hold one of the cues that make BHIM relevant. “By enabling the creation of a robust credit history, digital payments can also enable the provision of micro-credit to low-income households and small businesses.” It would have taken a private player far longer to reach the mark now set by BHIM. And yet, the process toward a digital payments economy is just underway. AP Hota, managing director and chief executive officer of NPCI, explained it to ET. “In our country of a billion mobile phone connections (active connections could be around 800 million), nearly two-thirds of mobile phones are simple feature phones without data connectivity.” NPCI factored Unstructured Supplementary Service Data (USSD) technology, which is used to send text between a mobile phone and an application programme in the network, into BHIM. “We have built USSD-based mobile payment system with 51 participating banks. BHIM integrated USSD infrastructure with UPI,” said Hota. In effect, a customer with a feature phone can now have access to UPI just by dialling the USSD short code *99# if the customer’s bank is already UPI-enabled. “There are 35 UPI banks. Thus, the customers of 35 banks will have access to UPI irrespective of whether they have a smartphone or a feature phone. While smartphone based customers will use BHIM, other customers would dial *99#,” added Hota. More importantly, BHIM has demonstrated a consumer app reference point to the app developer and telco community — what it will take to make digital payments possible. “BHIM is one of 30 such apps available today,” said Sharad Sharma, cofounder of the Indian Software Product Industry Round Table (iSPIRT). “It is one of the most limited apps in terms of functionality. In terms of smoothness, it is well-designed. But it is meant to be a reference app.” Sharma’s reading is that even as millions throng the mobile app and feature phone function, competitors (including traditional banks) have to exceed this threshold or benchmark. Even if some banks don’t, they and their customers are not losing out because they are on the UPI platform.Sharma likens BHIM to Google Nexus, which was the smartphone model in 2010 that came to be emulated by handset manufacturers (Samsung, HTC, Motorola, et al) even as app developers knew all the Android functionalities they had to fulfil to feature in Google’s app store. “BHIM is the equivalent of the Nexus phone for Android—the goal was not to make money from Nexus but to show the possible features in a smartphone. In building a better phone, use every feature of Android that is possible. It is called ‘reference implementation’,” he explains. By April, Sharma expects almost 150 apps, including those by traditional banks.
The preparation
NPCI prepared fertile ground almost 18 months before BHIM’s launch. On February 20, 2016, it opened up to the APIs of UPI, which would enable developers to build mobile applications across themes. The application programming interface (API) is the set of functions and procedures that allow creation of applications which access the features or data of an existing operating system. This hackathon was organised in Bengaluru with Hackerearth, which hosts hackathons for clients to evaluate and assess developers. “Even before UPI became a reality, we were in conversation with NPCI at a hackathon,” said Sachin Gupta, chief executive officer, Hackerearth. The first thing NPCI wanted to roll out was a ‘sandbox’ for security reasons. “They don’t want to put out the real data in a hackathon because it may be misused. So you put out a sandbox, where all the functionalities a software needs are available but without real data,” said Gupta. To judge an application and gauge the developer’s mettle, NPCI needed to see proof of concept. So, it gave the developers fields (that change every hackathon) and API elements along the lines of ‘consent of a user who banks’ and data (such as name, location and banking history) but all the data was pseudo. “API allows you to interact, which is what developers need to know, not the data of real users. So the organiser seeds the system with pseudo data (artificial bank records, transactions or intentionally added anomalies like credit card frauds),” said Gupta. “The sandbox gave developers a flavour of the APIs without access to real data. It was followed by a workshop, where NPCI officials explained UPI and its implications. The BHIM rollout is a culmination of the effort NPCI has put in in the last 1.5 years,” he added. Gupta’s big takeaway from UPI is that it is trying to democratise banking, forcing banks to be more consumer-focused. “UPI forces banks to be innovative because then anybody can own an account anywhere and it is about the service you provide.” With the NPCI direction, banks too began to look at crowd sourcing ideas. Second, they evangelised their APIs because they too could make money as developers leverage APIs to build features. Third, banks build a brand for themselves in the tech community to attract talent. The National Payments Corporation’s Hota said the daily average volume of UPI has increased to about 1,80,000 (including 80,000 transactions on BHIM app). “UPI transactions from feature phones have also started showing an upward trend,” he pointed out. Even as the NPCI paved the way, it did not micromanage. It has selected young digital payment companies like Juspay Technologies in Bengaluru to build BHIM, or be a vendor as Lucideus, a cybersecurity services company, is. In time, this will be seen among the first few engagements between India’s rich developer community and the underserved banking market. “It’s not fully taken off yet among developers. Directly, startups and the government aren’t ready to work with one another completely. They still need a trusted intermediary,” said Sahil Kini, investor at Aspada Investments, which funds startups in healthcare, education, agritech and fintech.
The future
For a BHIM-like app, the three main security components would be the application itself, communication between the application and the server and the server security. “If a mobile wallet has one-factor authentication (you need to login and transact and just key in the password) and a credit card has two-factor (swipe plus password), BHIM has three-factor authentication,” said Saket Modi, co-founder of Lucideus Tech, which was involved in security assessment for UPI and BHIM. The first factor is a combination of a user’s device ID and mobile number that the app captures. The second factor is the bank on BHIM which the user chooses. At the back end, it is possible to ascertain if there is a bank account which has the corresponding phone number. “What made WhatsApp so popular was that the user ID was the phone number,” Modi noted. “Similarly, the user ID is the basis to authenticate with the bank.” The third factor is the four-digit UPI PIN, which only the user knows. “Even if it is possible to replicate the SIM card or a phone gets lost, transactions cannot be done unless the PIN is known.” Sharma of iSPIRT said that while India has been a laggard in the credit card industry, it has been a boon behaviourally. In the US, one swipe of a credit card is enough, with no additional factor of authentication. In India, digital companies complain about two-factor authentication. But with every added layer of authentication, the system reduces security risks. This is India-first by accident because elsewhere “the incumbents are very strong: VISA and MasterCard in the US, or Alipay in China.” If users continue to err toward caution, the digital payment industry is currently well-placed to deal with security threats even as any mobile app becomes the first port of call for those who have no access to credit. “Once a customer gets used to paying digitally, a certain degree of stickiness would develop,” said Hota, adding that customers build a good record on the basis of transactions. “Customers with no credit history earlier would have credit history now and be eligible for loans. We also need to educate them on the advantage of digital payments; maybe a certain degree of incentivisation.” NPCI envisions all this in a payment system that is as simple as sending email. “With the threat vector changing dynamically, we took precautions at the design stage itself to ensure the application is fully secure,” said Hota. “The underlying IT infrastructure of NPCI has very advanced security arrangements. We have teams monitoring every transaction 24×7 for fraud and overall security.”
For now, the attention is on tackling the underserved. In the Simple Mail Transfer Protocol (SMTP) era, email needed the name of the server to be delivered. That changed with Hypertext Transfer Protocol (HTTP) and every website had to follow an HTTP standard. UPI is the SMTP of payments, Sharma said. And BHIM is only the shape of things to come.