Inspiration

The efficiencies demonstrated by digital currencies and stablecoins have jolted central banks into seeking more efficient domestic and cross-border payment rails and into being open to disturbing the status quo of current card payment networks or big tech/telco-based closed-loop mobile payments, which result in data monopolies.

Ubiquitous access to digital payments has been identified as fundamental to financial inclusion by various central banks, the Bank for International Settlements (BIS), the World Bank, the United Nations and the International Monetary Fund (IMF). Businesses of all sizes seek efficient and lower-cost means of transactions. Consumers seek secure, free payments and access to financial services and discounts from retailers and brands.

Four years ago we set out to develop a distributed-ledger-based system that would enable digital payments without any wide area connectivity (offline), serve users with or without mobile devices (universal access), enable an open-loop programmable payment network, and provide for interoperability with existing digital payments.

Our objective is to reduce transaction fees to negligible amounts. Digital currency systems have demonstrated highly secure systems that have reduced transaction costs to negligible amounts when compared to credit card merchant transaction rates or cross-border payments. However, making such systems scalable enough for retail domestic payments, and reaching users who would normally use cash because they don't have reliable connectivity or can't afford smartphones, remained key unaddressed issues.

Most important to the scalability of such systems is a new means of monetization to support the infrastructure. Here we saw a clear path for value migration from transaction fees to data revenues, but in a fully user-controlled, atomized data-sharing model where users can choose to share credit risk data with commercial banks and lenders on the one side and with brands and retail channels on the other. Such user-controlled atomized data sharing is now being considered by regulators in many jurisdictions.

Emerging market banks have lost the first salvo for digitization of payments to telcos and/or big tech, hindering their ability to get the credit risk data needed to offer financial services to billions of consumers and small business owners.

Fast-Moving Consumer Goods (FMCG) producers spend roughly half of their $250B annual marketing budgets on in-store promotions. In mature markets, the data needed for optimizing this spend is provided by big-box retailers from data they gather from loyalty systems and receipt data.

Allowing consumer-controlled sharing of such data with financial institutions or brands and retailers of their choice, with the ability to disable the use of such data at any time, is key to enabling new means of monetization for a transaction-fee-less payment system.

What it does

ExtoPay is a digital payment solution that utilizes our own modified version of the XRPL distributed ledger technology in combination with low-cost biometric smart card/wearable hardware wallets or mobile App software wallets. ExtoPay provides universal access to smartphone or non-smartphone users, secure offline transactions, recovery of lost funds, fraud prevention, and user-controlled, cryptographically secured digital ID. The system also enables agent-based onboarding/KYC, cash-in/out and access to banking services. ExtoCard and App wallets give users a full range of online and offline payments very securely. Users without full-featured ExtoCard or App wallets can also use agent ExtoCard/App wallets and access their account using the ExtoID verifiable credentials issued when they were onboarded.

ExtoPay has best-in-class security by using edge based cryptography of distributed ledgers, low cost hardware wallets with easy to use and private on-card multi factor authentication. ExtoPay is an open-loop system which aims to enable negligible transaction fees and migrate monetization to financial services or closed loop marketing for merchant and brand loyalty.

DLT Clusters: The permissioned version of the XRPL distributed ledger is designed to support private DLT clusters for data management by payment service providers. Each private system can interoperate within an opt-in open-loop network of payment service providers. Each participant can operate its own private DLT for its users and/or may opt in to join the ExtoNetwork and enable transactions with other ExtoNetwork participants and tap a common agent-merchant acceptance network.

ExtoPay can gateway via hub/switch to existing banking and digital payment systems or CBDC issuing platforms. In the case where the ExtoPay ledger is managing CBDC backed obligations, an interledger consensus protocol ensures that the CBDC obligations on the ExtoPay DLT are represented by equivalent obligations on the Central Bank DLT. Essentially, each instance of an ExtoPay DLT operates as a Wallet on the Central Bank DLT to determine its aggregate CBDC supply, which is allocated among individual customers by internal transactions.

ExtoPay also interoperates with existing banking and digital payment systems via payment hub and core banking APIs. To the extent existing banking and digital payment APIs allow for real time transactions, ExtoPay enables the retail CBDC holder to rapidly convert value from the retail CBDC to digital fiat and transact via the existing banking and digital payment rails. Such interoperability via APIs will be of practical importance when a retail CBDC solution is being launched and allows retail CBDC holders to still be liquid and transact with counter parties that may not accept and be on the CBDC rails yet.

The open-loop nature of the system avoids data monopolies and allows payment service providers to have access to customer KYC and transaction data for compliance purposes. However, privacy preservation methods limit the information third-party counterparties can collect and allow consumers and merchants to control the sharing of their data with counterparties for financial services or loyalty applications.

How we built it

The proposed ExtoPay solution aims to incorporate all the possible features of physical currency.

• ExtoPay is a disruptive digital payment system that provides universal access for consumers and merchants reducing merchant transaction fees to negligible levels. It supports a two tier CBDC distribution model and is a hybrid account and token-based system. The ExtoPay Backend is made to support permissioned DLT clusters.

• It can interface with a Tier 1 CBDC system and banking and payment systems via APIs. An Inter Ledger Layer enables an open-loop payment system allowing wallet holders of one bank to transact with wallets issued by another.

Security considerations

• ExtoPay uses edge-based distributed ledger wallets where private keys are generated in hardware and never leave the secure enclave. When combined with easy-to-use multifactor authentication via on-card private fingerprint recognition or PINs, the accounts are secured against take-over or man-in-the-middle attacks (90% of digital payment system fraud currently is due to account takeovers). This raises the question of how funds on lost wallets can be recovered, which we address below in the description of lost fund recovery.

• Fingerprint recognition simplifies the task for the user to securely approve transactions. This makes the security of the system accessible to the widest range of audiences. The distributed ledger guards against backend system compromise by requiring transaction confirmation by multiple validator nodes that can be set up on different cloud or hosted systems with dissimilar security vulnerabilities. The ExtoPay backend supply chain is secured using the ExtoCards themselves as secure sign on devices and to generate hierarchical multi-signature certificates.

• ExtoCard wallets enable a hardware secured edge cryptography infrastructure where private keys are generated and never leave the secure enclaves of the hardware wallet. This edge cryptography is further secured with multi factor authentication using on-device biometrics. After onboarding by agents the system incorporates a built-in digital ID system where the issuer signs Exto ID credentials (e.g. photo, name, age etc.) which can be loaded onto the user's ExtoWallet to be presented to counter parties for certain payment or financial transactions. After this point credentials are controlled by users and presented to counterparties who can cryptographically verify credentials e.g., photo of users, etc.

Two-tiered model

• ExtoPay supports a two tier CBDC distribution model and is a token-based system. The ExtoPay Backend is made to support permissioned DLT clusters. It can interface with a Tier 1 CBDC system and banking and payment systems via APIs. An Inter Ledger Layer enables an open-loop payment system allowing wallet holders of one bank to transact with wallets issued by another.

• ExtoPay’s first tier can be operated by the Central Bank to mint CBDCs, manage reserves and establish an interledger settlement layer.

• This first tier provides an interledger layer, which forms an open-loop settlement layer amongst regulated financial institutions acting as issuers and acquirers, similar to UPI and RuPay. This interledger layer could, for instance, be formed by validator nodes operated by NPCI as well as by each participating financial institution.

• The second tier consists of private DLT clusters operated by each regulated financial institution for retail account creation, KYC, AML/CFT, etc.

• ExtoPay can also interface in real time via APIs to other sources of funds via UPI or RuPay. The system utilizes wallets to exchange such digital fiat with CBDCs, updating separate trust accounts for the regulated financial institutions and allowing real-time liquidity for retail customers between their fiat and CBDC balances.

• We are currently integrating the ExtoPay system to bring in value from UPI and issue e-money tokens on the system while managing balances on trust accounts at the regulated financial institution. The issuance of e-money tokens and liability on ExtoPay is dictated and managed by such fiat balances swept in or out over UPI.

Token based vs. account-based system

ExtoPay has implemented a hybrid account-token based system. The hybrid account-token model can support a highly secure intermittent offline/online system with system-level double-spend protection via time-limited balances, and pseudo-anonymity with no KYC but with wallet ID tracking.

• ExtoPay utilizes a hybrid account-token model. Like a pure token model, value is represented by a bearer instrument that is spendable by whoever bears the private key. Unlike a pure token model, incoming payments are automatically consolidated into a single balance, which can then be sub-divided as needed for outgoing payments. This avoids the complication of assembling and signing multiple tokens to complete a payment and managing change when the aggregate overshoots. It improves security by simplifying transaction processing, transmission and storage, especially on smaller-scale embedded systems that enable higher security and universal access. However, it is different from the "account-based" model because possession of the private key is the sole means of access.

• A potential drawback of the account-based model is that multiple transactions carry the same account, allowing transactions to be linked by anyone who can observe the transaction data. For example, a merchant could identify purchases by the same customer. This potential drawback can be eliminated by allowing users to hold multiple accounts and/or generate sub-accounts. Sub-accounts merely represent alternative public keys that can authorize transactions on the same account to prevent counterparties from linking transactions. Their linkage to the same parent account is readily visible to the ledger operator but hidden from everyone else.

Because a digital instrument can be perfectly copied, bearing the visible instrument does not effectively indicate ownership. Instead, a trusted ledger records a public key whose private key controls the instrument. Ownership is transferred by recording a transaction on the ledger that is signed by the current owner to associate a new public key with the instrument.

Offline while preventing double spend

• With the ExtoPay system, offline transactions can be enabled in areas with no or limited internet connectivity while safeguarding against double-spending and counterfeiting. The BIS Project Polaris handbook now outlines system design approaches for enabling offline payments, and our solution supports all modes suggested in this handbook. [https://www.bis.org/publ/othp64.pdf]

• The ExtoCard hardware wallets rely on a tamper-resistant hardware enclave to secure offline transactions against double spending. Each device carries a unique private key, generated and signed during manufacture, that attests to its authenticity and operation according to specifications. Each Payment Provider maintains a list of root certificates to determine device authenticity prior to account activation. Once an account is activated, transaction counterparties rely on Payment Provider attestations regarding account authenticity and capability. The peer-to-peer transaction protocol is designed to make it highly unlikely that two parties can disagree on whether a payment completed successfully, as we take for granted when passing cash from hand to hand.

• In case a device is compromised, the proceeds of any such attack are bounded by measures that ensure it is unlikely to be worth the effort. Wallets must periodically synchronize with the DLT to acquire a Time Limited Spending Authorization for inspection by potential recipients. Each Wallet also carries a signed photo of the authorized user, which can be requested by counterparties for verification on their own device.
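The sketch below is an added example, not ExtoPay code: it shows what a recipient can check offline against a presented Time Limited Spending Authorization, and what a backend can additionally detect when the offline payments are later synchronized. The record fields, the per-wallet counter and the sample values are assumptions, and signature verification is taken as already done.

```python
from dataclasses import dataclass

# Hypothetical record layouts: the page does not publish ExtoPay's formats.
# Signature checks on both records are assumed to have passed already.


@dataclass(frozen=True)
class SpendAuth:
    auth_id: str
    wallet_id: str
    limit: int        # offline spending cap, in minor currency units
    not_after: int    # expiry, seconds since epoch


@dataclass(frozen=True)
class OfflinePayment:
    wallet_id: str
    auth_id: str
    counter: int      # per-wallet transaction counter set by the payer
    amount: int
    paid_at: int      # time recorded by the recipient
    recipient: str


def recipient_accepts(auth, amount, now):
    """Offline check: all a recipient can test with no ledger access."""
    return 0 < amount <= auth.limit and now <= auth.not_after


def reconcile(auths, payments):
    """Sync-time check. Returns {wallet_id: [reasons]} for wallets to block."""
    by_id = {a.auth_id: a for a in auths}
    spent, seen, flagged = {}, set(), {}
    for p in sorted(payments, key=lambda p: (p.wallet_id, p.counter)):
        reasons = flagged.setdefault(p.wallet_id, [])
        auth = by_id.get(p.auth_id)
        if auth is None or auth.wallet_id != p.wallet_id:
            reasons.append(f"counter {p.counter}: no matching authorization")
            continue
        if (p.wallet_id, p.counter) in seen:
            reasons.append(f"counter {p.counter}: counter reused")
        seen.add((p.wallet_id, p.counter))
        if p.paid_at > auth.not_after:
            reasons.append(f"counter {p.counter}: authorization expired")
        spent[p.auth_id] = spent.get(p.auth_id, 0) + p.amount
        if spent[p.auth_id] > auth.limit:
            reasons.append(f"counter {p.counter}: cumulative spend over limit")
    return {w: r for w, r in flagged.items() if r}


# Constructed sample data, not real transactions.
AUTHS = [
    SpendAuth("A1", "W-HONEST", limit=5000, not_after=1000),
    SpendAuth("A2", "W-CLONED", limit=5000, not_after=1000),
]
PAYMENTS = [
    OfflinePayment("W-HONEST", "A1", 1, 2000, 100, "shop-1"),
    OfflinePayment("W-HONEST", "A1", 2, 3000, 200, "shop-2"),
    # Same counter shown to two recipients who cannot compare notes offline.
    OfflinePayment("W-CLONED", "A2", 1, 4000, 300, "shop-1"),
    OfflinePayment("W-CLONED", "A2", 1, 4000, 310, "shop-2"),
]

if __name__ == "__main__":
    for wallet, reasons in reconcile(AUTHS, PAYMENTS).items():
        print(wallet, reasons)
```

Each payment from the second wallet passes the recipient-side check on its own; only the sync-time view across recipients shows the reuse and the overspend.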

Managed anonymity along with ensuring recoverability

• The ExtoPay system is designed to ensure adequate recovery of lost funds in the event of theft, damage or loss of a wallet, card or instrument without compromising user identity.

• Whenever a wallet creates an ExtoPay account, the wallet also creates an associated recovery account whose key is passed back securely to the Payment Provider for storage in a secure offline database. If a user reports a lost or stolen wallet, the wallet account is disabled, and any remaining balance is transferred to the recovery account, but only after a predetermined period of time. If a user attempts to use their wallet during the lock-up period and discovers it is disabled, they can dispute the “lost” status by presenting their wallet and KYC documents. This ensures that the recovery procedure cannot be used for account take-over, as long as the user maintains possession of their wallet and uses it periodically. If the wallet is truly lost, the user can gain control of the recovered funds after the lock-up period by presenting KYC documents.

• Personal data protection: For low-value transactions ExtoPay can be anonymous, but the system would still track wallet IDs with no KYC data to detect double spend by offline wallets when they sync with the backend, and block them. Lost wallets with funds can be recovered with a passphrase. To support higher-value offline transactions, ExtoPay gives up anonymity to the payment service provider to enable KYC-based lost fund recovery, fraud prevention, regulatory compliance and prevention of illicit activities on the network. However, the privacy of users can still be preserved to a great extent in their transactions with counterparties when regulations do not dictate such disclosures. Compliant wallets, such as ExtoCards, erase identifying data acquired during transactions. Conversely, the issuing regulated institutions, as the DLT operator, have access to a complete transaction history on the DLT, but one where users are identified only by randomly generated accounts. Mappings between DLT accounts and KYC data are maintained using BaasFlow, a commercial instance of MIFOS-FINERACT. Access to these different data repositories can be compartmentalized to maximize privacy while serving essential functions.
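The lost-wallet recovery procedure described above can be read as a small state machine. The following added example (not ExtoPay code) models it to show why a false "lost" report cannot move funds while the owner still holds and uses the wallet; the 14-day lock-up, the class and method names, and the balances are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

DAY = 24 * 3600
LOCKUP = 14 * DAY  # assumed value; the page only says "a predetermined period"


class State(Enum):
    ACTIVE = "active"
    REPORTED_LOST = "reported_lost"   # wallet disabled, lock-up running
    RECOVERED = "recovered"           # balance moved to the recovery account


class RecoveryError(Exception):
    pass


@dataclass
class Account:
    balance: int
    recovery_balance: int = 0
    state: State = State.ACTIVE
    reported_at: Optional[int] = None

    def report_lost(self, now):
        if self.state is not State.ACTIVE:
            raise RecoveryError("account is not active")
        self.state, self.reported_at = State.REPORTED_LOST, now

    def spend(self, amount):
        # A disabled wallet fails here; this is how an owner learns of a report.
        if self.state is not State.ACTIVE:
            raise RecoveryError("wallet disabled: reported lost")
        if amount > self.balance:
            raise RecoveryError("insufficient balance")
        self.balance -= amount

    def dispute(self, wallet_presented, kyc_ok):
        # Cancelling a report needs the physical wallet AND KYC documents.
        if self.state is not State.REPORTED_LOST:
            raise RecoveryError("nothing to dispute")
        if not (wallet_presented and kyc_ok):
            raise RecoveryError("dispute needs the wallet and KYC documents")
        self.state, self.reported_at = State.ACTIVE, None

    def sweep(self, now):
        # Funds move to the recovery account only after the full lock-up.
        if self.state is not State.REPORTED_LOST:
            raise RecoveryError("account not reported lost")
        if now < self.reported_at + LOCKUP:
            raise RecoveryError("lock-up still running")
        self.recovery_balance += self.balance
        self.balance = 0
        self.state = State.RECOVERED

    def claim(self, kyc_ok):
        if self.state is not State.RECOVERED or not kyc_ok:
            raise RecoveryError("claim refused")
        amount, self.recovery_balance = self.recovery_balance, 0
        return amount


def false_report_scenario():
    """Someone else reports the wallet lost; the owner still holds it."""
    acct, blocked = Account(balance=900), []
    acct.report_lost(now=0)
    for label, action in [("early sweep", lambda: acct.sweep(now=3 * DAY)),
                          ("owner payment", lambda: acct.spend(100))]:
        try:
            action()
        except RecoveryError:
            blocked.append(label)
    acct.dispute(wallet_presented=True, kyc_ok=True)  # owner shows up with wallet
    acct.spend(100)                                   # wallet works again
    return acct.state, acct.balance, blocked


def genuine_loss_scenario():
    """Wallet is really gone: funds are swept after lock-up, then claimed."""
    acct = Account(balance=900)
    acct.report_lost(now=0)
    acct.sweep(now=LOCKUP)
    return acct.state, acct.balance, acct.claim(kyc_ok=True)
```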

Resilient to single point of failure

• The ExtoPay system uses a permissioned private DLT version of XRPL, creating resilience to a single point of failure. Each DLT cluster can have multiple validator nodes which keep copies of the ExtoPay XRPL ledger. Each validator node can be operated on a different cloud with dissimilar security vulnerabilities. These validator nodes can be geolocated with consideration to disaster recovery, jurisdictional control and governance. Admin access and supply chain vulnerabilities can be managed by requiring separate admin access to each validator node with multi-sig features. The resilience by design inherent in this DLT-based system reduces operational security and resilience management overheads for operators.

• To secure against failures of such an infrastructure ExtoPay enables an open-loop payment network formed by each participant operating a node on this network. Regulators can mandate and license redundant marketplace provider participants both in and out of local jurisdictions to balance resilience to infrastructure failure versus keeping consumer and participant data safe.

• The offline modes supported by this open-loop system can create scalability, by allowing averaging of peak transactions, and resilience to momentary outages due to connectivity infrastructure failures caused by disasters. Last but not least, they enable transactions with no connectivity.

Interoperability with existing payment system

• Domestic Retail CBDC System Interoperability via mandating open-loop characteristics: When it comes to domestic CBDC payments, ExtoPay, as part of a two-tiered Retail CBDC system, enables interoperability via its open-loop network attributes, allowing participation of multiple financial service providers and agent-merchant acquirers. Absent standards, regulations within such a jurisdiction could be mandated to ensure open-loop aspects and reasonable and nondiscriminatory participation of regulated financial service providers. Exto’s retail CBDC solution allows financial institutions to distribute CBDCs to the end user in a manner that leverages existing national payment rails.

• Domestic Payment System Interoperability via non-CBDC public API aggregation: Some level of interoperability can be achieved by integrating with APIs of legacy banking and payment systems. ExtoPay accounts link to payment switches and hubs via open banking/payment APIs. This allows existing financial service providers to use ExtoPay as a payment system tied to their bank accounts. Existing bank account transfers or use of other payment rails can be facilitated this way.

• Integration with UPI and RuPay: To ensure interoperability with India’s payment system, we are integrating with UPI to enable easy pay-in and pay-out by customers. We are integrating ExtoPay with RuPay rails. To foster ease of use, RuPay transactions can be enabled using NFC for smaller-value transactions. We are integrating RuPay-compliant dual-interface chips in partnership with SELP. The Exto hardware wallets could therefore be made to support RuPay and NCMC transactions.

ExtoPay therefore allows transfer of value to and from other digital accounts such as bank accounts, mobile money accounts, and credit or debit accounts. These existing digital accounts can be used for reconciliation and settlements of ExtoPay merchants and agents, for cross-border transfers, online e-commerce payments, etc. However, ExtoPay provides for disruptive P2P and consumer-to-merchant payments at negligible transaction fees, making it a more favorable open payment system if adopted widely.

Programmable for issuance of vouchers

• The ExtoPay solution supports tokenization, allowing tokens to be programmed and restricted for acceptance, which enables a vouchering system. The solution enables the programming of tokens for the issuance of vouchers for different use cases such as fertilizer subsidies for farmers, etc. The ExtoPay backend is based on a permissioned version of the XRPL DLT which is modified for issuance and acceptance of tokens.

Novel Secure QR-Code BLE Transaction Interfaces

ExtoPay utilizes QR codes to select and encrypt BLE for secure transactions between cards and mobile phones. It can also support NFC to select and secure card-to-phone transactions. Card-to-card transactions will utilize our proprietary ultra-low-power near field capabilities to secure BLE transactions. This allows ultra-low-power P2P transactions with a tap of the cards to each other. NFC requires a high-power device such as a phone or POS terminal on one side, so it is not possible between two low-cost, low-power compact hardware wallets. NFC and EMV can, however, be used where such readers are available and can lead to faster transactions for transportation applications (e.g. NCMC). We are currently integrating RuPay dual-interface chips on our cards. Chips such as Infineon’s multi-token Secure Element will allow both RuPay and a tamper-resistant version of our wallets to run key generation, storage and transaction signing.

ExtoPay Backend

ExtoPay wallets and agent Apps communicate, transact and are provisioned using the ExtoPay backend. Our primary goals for the Exto XRPL based DLT layers were security, speed, scalability, resilience, the ability to support out-of-order transactions for deferred execution of offline transactions, and ability to support permissioned private validator clusters with open-loop inter-ledger transaction capabilities.

The back-end of the ExtoPay XRPL DLT system supports private permissioned clusters for each financial institution, with interledger layers to allow open-loop transactions.

ExtoPay interfaces with a Tier 1 CBDC system operated for a central bank via cross-chain wallet interfaces allowing transfer and settlement of value. It also interoperates with banking and e-money systems via core banking APIs such as UPI, IPSL, RPP etc.

The ExtoPay system is being integrated with BaasFlow, a commercial instance of the award-winning MIFOS+Fineract payment hub extension that can transact with legacy payment and bank accounts via Mojaloop payments. In addition, the combined system allows onboarding and KYC data retention and reporting. ExtoPay also provides digital agent services such as onboarding, KYC, and authentication of users. The system will allow use of heterogeneous sources of KYC data such as e-KYC, SMS, photo IDs, etc., aided by semi-automated systems such as Aadhaar, for approval, auditing and reporting by remote compliance personnel.

• Via the Payment Hub, connections to real-time payment systems such as UPI and core banking system APIs can be supported.

• Account orchestration features of this layer allow the ExtoPay system to keep track of and account for liabilities for value in/out from a Tier 1 CBDC system, bank accounts via APIs, or Agents who cash-in/out unbanked users. Detailed data logging and accounting is made available in real time for compliance and reporting.

• The DLT architecture is designed to simplify the need for intermediaries to operate the interledger layer and utilize our offline capabilities and geo-sharding to achieve unlimited scalability with much higher robustness and resilience for the DLT layers.

Agent-Merchant based Onboarding

The ExtoAgent Apps are Android and iOS apps which support Agent functions for onboarding users with ExtoWallet accounts. ExtoAgent Apps also allow Agents to provide cash-in/out and other digital financial services for ExtoCard Wallet holders.

In many emerging markets consumers may not have a formal photo ID. As such, the ExtoAgent Apps can support integration with national e-KYC databases such as Aadhaar, or SMS-ID data provided by Mobile Money operators/telcos in some markets. Alternatively, for users with no formal ID, some jurisdictions allow attestations by other trusted third parties such as clergy. The ExtoAgent App can support all of these modes of user onboarding, and different KYC levels based on use case and compliance requirements. For example:

• No KYC - For low-value transaction applications such as transportation payments, no KYC may be needed. Users could still recover lost funds using an 8-word passphrase.

• KYC Level 1 - For small daily payments: PAN/OTP service

• KYC Level 2 - For larger transactions: Aadhaar KYC

Exto is integrating Aadhaar-based onboarding via third-party APIs from vendors such as Signzy and IDFY.

ExtoPay currently utilizes elliptic curve cryptography for the Exto ID credential private-public key generation and signing. This system doesn’t create a central database of user IDs but rather allows credentialed digital agents to use the KYC data sources mentioned and attest to the identity of the user by signing their ExtoID credentials. Once onboarded, the attested ExtoID credentials are held by users in their wallets and presented to verifiers, who can verify their authenticity cryptographically. Users can therefore control the data that counterparties can capture, but the system allows the payment provider to perform KYC/AML and satisfy Travel-Rule requirements. The proposed system balances accountability with user privacy. While the regulated entities that are acting as payment system providers can provide KYC and transaction data retention for compliance, users can control what they share with counterparties.

Challenges we ran into

Designing compact hardware wallets which are low power and low cost has required significant optimization of all firmware. Manufacturing the cards required several iterations before we perfected the unique requirements for components which would not be soldered and required special bonding methods. The offline system requires unique protections against double spending and counterfeit wallet attacks. Our approaches to such protections are now included in the Bank for International Settlements handbook for offline CBDC payments. These include Intermittent and Staged offline designs where time-limited balances are used.

Accomplishments that we're proud of

- We have been recognized by several international competitions.

- ExtoPay was chosen as one of 15 finalists by the Monetary Authority of Singapore Global CBDC Challenge where 300 companies participated.

- ExtoPay was a finalist for the Bank Indonesia G20 TechSprint for Retail CBDCs solutions with offline capabilities.

- We won the Runner Up award for Reserve Bank of India (RBI)/National Payments Corporation of India (NPCI) Harbinger in 2022 for extending Universal Payment Interface (UPI) with non-mobile and offline capable payments. We are going through validating this system for compliance in India.

- We have been selected by Ministry of Electronics and Information Technology in India for rural payments pilot.

- We are currently a finalist for the RBI Harbinger 2023 for retail CBDCs with offline capabilities.

What we learned

Offline and non-mobile payments are not an edge case; most developing-country central banks require such a capability. The BIS handbook for offline payments, May 2023, clearly outlines our approach for offline payments.

What's next for ExtoPay- The last mile solution for digitizing cash
