# RAAST vs UPI: The System India Doesn't Know Exists ## Research Brief — Cashless Consumer (Consumer Rights Lens) ### Angle: When "financial inclusion" becomes financial surveillance — what India can learn from Pakistan's RAAST, and what India is already doing worse. --- ## The Narrative Frame India celebrates UPI (Unified Payments Interface). 228 billion transactions, $3.4 trillion, 640 million a day. Bill Gates praises it at every Modi meeting. The IMF writes papers. India exports it to 12+ countries. But here's what nobody is connecting: **the same Bill & Melinda Gates Foundation that shaped India's digital payments revolution is now directly funding Pakistan's RAAST — in a country with one of the world's most intrusive surveillance states.**[^1][^2] This isn't about MDR (Merchant Discount Rate — the fee banks charge merchants per transaction) or merchant adoption. This is about **what happens when a state gets a real-time X-ray of every citizen's financial life** — and how the "financial inclusion" narrative papers over the surveillance implications. As a consumer rights group, CashlessConsumer's question isn't "which system processes more transactions?" It's: **who sees your data, what can they do with it, and what happens when they misuse it?** --- ## 1. The Invisible Architect: Gates Foundation and the "Inclusion" Playbook ### The Framing Device The Gates Foundation has a consistent playbook: fund the infrastructure, call it "financial inclusion," and let the state do what it will with the data. The same foundation that: - **In India**: Helped shape DBT (Direct Benefit Transfer — the system that sends welfare money directly to bank accounts), advised payment banks on tech innovation (2015), funded the Level One Project principles, and created Mojaloop — an open-source payment switch software whose design directly mirrors UPI's architecture[^3][^4][^5] - **In Pakistan**: **Directly funded RAAST** through Karandaaz Pakistan (a development finance organization), attended and spoke at the Prime Minister's launch event, selected CMA (a Swedish fintech company) as the technical vendor, and committed new grants in 2025-26 for RAAST governance and GCC (Gulf Cooperation Council) cross-border connectivity[^6][^7][^8] The foundation's own Mojaloop project lead acknowledged: "Digital systems generate data that governments or corporations could track, potentially leading to surveillance or financial control, **especially in countries with weak privacy protections**."[^9] This is the key admission. The foundation builds the infrastructure. It knows the surveillance risk. But the question is: **does it condition its funding on privacy safeguards?** Evidence suggests no. Pakistan's Personal Data Protection Bill has been pending since 2021. RAAST was built without it. India's DPDP Act (Digital Personal Data Protection Act) 2023 is weak on biometric data. UPI biometric authentication was rolled out in October 2025 without new privacy legislation[^10]. **The "financial inclusion" narrative is the permission slip.** --- ## 2. What RAAST Reveals About State-Controlled Payment Rails ### The Architecture of Visibility RAAST is operated by the SBP (State Bank of Pakistan — Pakistan's central bank). The central bank is the switch operator. There is no NPCI-equivalent neutral intermediary. The settlement runs through PRISM/PRISM+ (SBP's own Real-Time Gross Settlement system — the system where banks actually settle money between each other). The identity layer — called CAS (Centralized Addressing Scheme) — is a mobile-number-first "Raast ID" issued by the same ecosystem[^6]. This means **the State Bank of Pakistan has visibility into every transaction on the network** — who paid whom, when, how much, from where. ### Why This Matters in Pakistan Specifically Pakistan is not a normal democracy when it comes to surveillance: - **Amnesty International's September 2025 report "Shadows of Control"** documented that Pakistan operates one of the world's most intrusive digital surveillance regimes[^1]. The WMS (Web Monitoring System 2.0) and LIMS (Lawful Intercept Management System) allow the state to "constantly snoop on the lives of ordinary citizens." - The surveillance infrastructure is powered by technology from Chinese, German (Siemens), French (Thales), Emirati, and North American companies[^1]. - Pakistan's military-intelligence establishment has a documented history of monitoring journalists, political opponents, and civil society activists[^11]. - The Pakistan Telecommunication (Re-Organization) Act 1996 gives the state broad interception powers with minimal judicial oversight. **Now connect the dots**: the same state that runs a mass surveillance apparatus now operates the country's instant payment switch. Every RAAST peer-to-peer transfer — 7 million per day — flows through infrastructure controlled by the State Bank of Pakistan, which answers to a government with unchecked surveillance powers. ### The Financial Profiling Machine With RAAST, the Pakistani state now has the ability to: 1. **Map social networks** through payment flows (who sends money to whom, at what frequency, in what amounts) 2. **Track economic activity** in real-time (when you buy, where you buy, from whom) 3. **Monitor dissent** through transaction patterns (a journalist receiving small donations, a protest organizer buying supplies, a political worker making regular transfers) 4. **Build credit profiles without consent** (the person-to-merchant module tracks merchant-customer relationships) The State Bank of Pakistan has mandated that **all government payments** flow through RAAST by end of financial year 2026[^12]. This creates a complete financial picture of every government employee, pensioner, and welfare recipient. --- ## 3. India: Same Risk, Different Wrapper ### UPI's Privacy Problem India's UPI is technically more sophisticated than RAAST. But the privacy risks are arguably **greater** because India's digital infrastructure is more deeply integrated into daily life: **The Aadhaar-UPI-Biometric Nexus** In October 2025, NPCI (National Payments Corporation of India — the organization that runs UPI) introduced biometric authentication for UPI transactions, linked directly to Aadhaar — India's national biometric identity system covering 1.4 billion people through fingerprints and iris scans[^10]. A Washington International Law Journal paper called this "The Biometric Economy": - Aadhaar was upheld by the Supreme Court only for **welfare delivery**. The Court explicitly warned against "function-creep" — repurposing biometric data beyond its intended scope[^10]. - Biometric UPI does exactly this: transforms biometric data collected for public welfare into a tool for **commercial payments**. - This shift occurred "without any new legislation, privacy audits, or meaningful consent."[^10] - India's DPDP Act 2023 makes **no distinction** between biometric and other personal data — unlike Europe's GDPR (General Data Protection Regulation), which classifies biometrics as a "special category" requiring higher protection standards[^10]. - Private intermediaries like PhonePe, Google Pay, and Paytm become "custodians" of biometric data with "no statutory limits on storage, cross-use, or third-party transfer."[^10] **The function-creep is real and documented:** | Year | What Happened | Was This the Original Purpose? | |------|---------------|-------------------------------| | 2010 | Aadhaar launched as a welfare identity card | ✅ Yes | | 2016 | UPI launched as a mobile payment system | ✅ Separate system | | 2018 | Supreme Court limits Aadhaar to welfare only | ⚠️ Legal boundary set | | 2020 | AePS (Aadhaar-enabled Payment System) — biometric bank withdrawals | ❌ Commercial use begins | | 2023 | Private companies get Aadhaar sandbox access | ❌ Commercial use expands | | 2025 | Biometric UPI — Aadhaar-linked payment authentication | ❌ Direct function-creep | ### What Every Indian Consumer Should Know **Who sees your UPI data?** When you make a UPI payment, your data flows through: **your bank → NPCI switch → recipient's bank → PSP app** (Payment Service Provider apps like Google Pay, PhonePe, Paytm). Each of these entities can see transaction details. The PSP apps also see your device information, location, app usage patterns, and in some cases, even your contacts[^13]. **Can the government access it?** Yes. India's DPDP Act 2023 allows the government to exempt any state agency from compliance "in the interest of sovereignty and integrity of India, security of the State, friendly relations with foreign States, public order."[^14] This is virtually unlimited discretion. The Income Tax Bill 2025 gives tax officials power to access emails, WhatsApp chats, social media, stock trading, and banking data[^15]. **Is there an Aadhaar data breach risk?** Aadhaar has suffered documented data breaches. In 2018, a Tribune investigation showed access to 1 billion Aadhaar records was available for just ₹500. In 2026, TechCrunch reported that India is pushing Aadhaar deeper into private life through a new app, with "security and privacy concerns remain[ing]"[^16]. ### The "Voluntary" Illusion Both systems are marketed as voluntary. The reality: - **India**: You can't open a bank account, get a SIM card, file taxes, or receive government benefits without Aadhaar. The Supreme Court called digital access a fundamental right (2025), making non-participation effectively impossible[^10]. - **Pakistan**: RAAST is being mandated for government payments (FY26). The State Bank of Pakistan rerouted existing inter-bank fund transfer transactions through RAAST to inflate numbers[^17]. The average Pakistani consumer had no choice in the migration. --- ## 4. The Comparative Frame: Same Architecture, Different Dangers | Dimension | India (UPI) | Pakistan (RAAST) | |-----------|-------------|------------------| | **Who operates the switch?** | NPCI — a non-profit owned by banks, with some separation from the government | State Bank of Pakistan (the central bank) — **no separation from the state** | | **Identity layer** | Aadhaar — 1.4 billion biometric IDs, deeply integrated into everything | Raast ID — mobile-number-based, lighter touch for now | | **Biometric payments** | ✅ Live since Oct 2025 — linked to Aadhaar fingerprints and iris scans | ❌ Not yet — but India's Aadhaar model is being exported globally | | **State surveillance risk** | Government can access via DPDP exemptions + Income Tax Bill | Central bank directly operates switch + existing mass surveillance infrastructure | | **Privacy law** | DPDP Act 2023 — weak on biometrics, broad state exemptions | No data protection law enacted yet | | **Private data extraction** | Google Pay, PhonePe, Paytm collect behavioral data; Aadhaar opened to private AI companies (HyperVerge and others) in 2025 | Less mature fintech ecosystem, but data will accumulate | | **Function-creep risk** | Aadhaar expanded from welfare → banking → payments → biometric commerce (documented) | RAAST expanding from person-to-person → merchant payments → government mandates (predictable path) | | **Financial profiling** | NPCI + banks + payment apps + government = 4+ entities with partial or full visibility | State Bank of Pakistan = single entity with complete visibility | ### The Key Insight **India's risk is distributed surveillance** — many actors (banks, payment apps, government) each hold pieces of your financial life, creating a broader but less centralized attack surface. **Pakistan's risk is concentrated surveillance** — one entity (the central bank, embedded in a surveillance state) holds everything. Both are dangerous. But they're dangerous in **different ways** that Indians rarely understand because RAAST is invisible in Indian discourse. --- ## 5. The Gates Foundation Question This is the uncomfortable thread that connects both systems: - The Gates Foundation's Level One Project principles (2014-2016) prioritized **interoperability, instant settlement, and low cost** — but **not privacy-by-design**[^5] - Mojaloop, their open-source payment switch software, was designed for "financial inclusion" — the privacy risks were acknowledged as secondary[^9] - The foundation funded RAAST in Pakistan through Karandaaz without conditioning the grants on privacy legislation[^7] - In India, the foundation's advocacy for digital payments (through Direct Benefit Transfer support, payment bank guidance, and global promotion) never publicly flagged Aadhaar's surveillance risks[^3] **The pattern**: build the financial rails first, deal with privacy later (or never). "Financial inclusion" is the cover story. The actual outcome is financial visibility — for the state, for corporations, for whoever controls the data. This isn't malice. It's ideology. The Gates Foundation genuinely believes digital payments reduce poverty. But their approach creates **surveillance infrastructure as a side effect of inclusion infrastructure** — and they don't seem to reckon with this trade-off. --- ## 6. What This Means for Indian Consumers ### Five Things Every UPI User Should Know 1. **Your biometric data is now a payment instrument.** Aadhaar was built for welfare. The Supreme Court said keep it there. The government expanded it to commerce anyway. Your fingerprints and iris scans now authenticate daily purchases[^10]. 2. **"Voluntary" is a fiction.** You can't participate in India's formal economy without Aadhaar-linked UPI. Digital access is a fundamental right (Supreme Court, 2025), which means exclusion isn't an option — but neither is opting out of the data collection[^10]. 3. **Multiple entities have your financial DNA.** Your bank, NPCI, your payment app, and potentially the government (via DPDP exemptions) all hold transaction data. There is no single point of accountability if your data is misused[^13]. 4. **India is exporting this model.** Countries adopting India Stack-inspired systems (Philippines, Morocco, Ethiopia) are importing both the benefits and the surveillance risks[^16]. 5. **Pakistan's RAAST is the control experiment.** Same Gates Foundation playbook, weaker privacy safeguards, documented surveillance state. It shows where India's trajectory leads if privacy isn't prioritized — the state gets a real-time financial X-ray of every citizen. ### Consumer Demands As CashlessConsumer, these are the policy positions this research supports: - **Classify biometric data as high-sensitivity under DPDP** — matching Europe's GDPR Article 9 standards. No lower standard for government use[^10]. - **Mandate DPIAs (Data Protection Impact Assessments) for all payment operators** — mandatory privacy audits before any entity (government or private) can process payment data at scale[^10]. - **Statutory data retention limits** — transaction logs must be deleted after a defined period. No indefinite storage[^10]. - **Ban biometric authentication as the default** — it must remain an opt-in alternative to PIN, not the other way around. Aadhaar authentication failures disproportionately exclude rural and manual-labor users[^10]. - **Split operator from regulator** — India's NPCI model is better than Pakistan's central bank model, but the separation needs formal legal protection, not just convention. - **Reject function-creep** — any expansion of Aadhaar/UPI into new use cases (health, education, identity verification) should require fresh legislation and parliamentary debate, not administrative orders. --- ## 7. Sources ### Primary Research [^1]: Amnesty International, "Shadows of Control" (Sep 2025) — https://www.amnesty.org/en/latest/news/2025/09/pakistan-mass-surveillance-and-censorship-machine-is-fueled-by-chinese-european-emirati-and-north-american-companies [^2]: Slate, "Pakistan Is Using a Terrorism Surveillance System to Monitor Citizens" (Jul 2020) — https://slate.com/technology/2020/07/pakistan-isi-terrorism-surveillance-coronavirus.html [^3]: NextBillion, "Gates Foundation to Help India's Payments Banks" (Sep 2015) — https://nextbillion.net/news/gates-foundation-to-help-indias-payments-banks-with-tech-innovation [^4]: Gates Foundation, "Inclusive Financial Systems - India" — https://www.gatesfoundation.org/our-work/places/india/inclusive-financial-systems [^5]: Mojaloop Foundation, "Genesis of Mojaloop" (May 2026) — https://mojaloop.io/genesis-of-mojaloop [^6]: SBP, "Raast - Instant Payment System" — https://www.sbp.org.pk/dfs/Raast.html [^7]: World Bank, "Pakistan RAAST Case Study" (May 2022) — https://fastpayments.worldbank.org/ [^8]: Mettis Global, "Pakistan's digital payments hit 3bn transactions in Q2 FY26" — https://mettisglobal.news/Pakistans-digital-payments-hit-3bn-transactions-in-Q2-FY26-59156 [^9]: Bill Gates LinkedIn, "The Mojaloop moment" — https://www.linkedin.com/posts/williamhgates_the-mojaloop-moment-expanding-financial-activity-7247714493072322560-PnNI [^10]: WILJ, "The Biometric Economy: How India's Biometric Payment System Challenges the Right to Privacy" (Dec 2025) — https://wilj.org/2025/12/05/the-biometric-economy-how-indias-biometric-payment-system-challenges-the-right-to-privacy [^11]: Privacy International, "Tipping the scales: Security & surveillance in Pakistan" (2015) — https://www.privacyinternational.org/sites/default/files/2018-08/PAKISTON%20REPORT%20HIGH%20RES%2020150721_0.pdf [^12]: Data Darbar, "Notes on Raast P2M adoption" — https://insights.datadarbar.io/notes-on-raast-p2m-adoption-subsidies-and-challenges/ [^13]: "The Privacy Angle of UPI", Drishti Ranjan — https://alawttohandle.substack.com/p/the-privacy-angle-of-upi [^14]: Digital Personal Data Protection Act, 2023 (India) — Section 17 exemptions [^15]: Income Tax Bill 2025 — cited in multiple news reports on government data access powers [^16]: TechPolicy.Press, "Public Infrastructure and Private Surveillance in India's Aadhaar System" (Aug 2025) — https://techpolicy.press/public-infrastructure-and-private-surveillance-in-indias-aadhaar-system [^17]: Data Darbar, "Raast force routing transactions won't be enough" — https://insights.datadarbar.io/raast-force-routing-transactions-wont-be-enough/ ### Academic/Legal Sources - K.S. Puttaswamy v. Union of India (2021) — Aadhaar Supreme Court judgment - IEEE, "Towards Formal Modeling and Analysis of UPI Protocols" — https://ieeexplore.ieee.org/document/9388452/ - SAGE Journals, "Digital financialization and surveillance capitalism in the Global South" — https://journals.sagepub.com/doi/10.1177/13505084231183033 ### Data Sources - NPCI UPI statistics — https://www.npci.org.in/ - SBP Financial Stability Review 2025 - Pakistan digital payments data Q2 FY26 (Mettis Global) - USENIX Security 2025, "Security and Privacy Advice for UPI Users in India" — https://www.usenix.org/conference/usenixsecurity25/presentation/mungara --- *Research compiled by CashlessConsumer — the consumer's voice in fintech.* *Last updated: 2026-05-23*