Sign New York Banking Permission Slip Safe

Industry sign banking new york permission slip safe

so hello folks my name is Henin Kappa VG and I'm director of engineering at new bank today I'm going to talk about how new Bank is building a customer obsessed bank the code for this session is fSV 201 and this is a level 200 talk so this means I'm going to talk about middle level technical stuff and I'll be happy to take any questions after this presentation about more advanced detail because if you want to so for the agenda today I'll talk briefly about new bank who I created a bank from scratch in the cloud and how we're putting customer experience first and the pilers that have enabled our engineers to be customer obsessed I will wrap it up with the lessons learned during the process in this talk I'll bring examples and ideas that can be implemented in their own companies regardless regardless of size and age hopefully there will be direct action taken for you after seeing this presentation so in order to start I would like to know how many of you already know new bank please raise your hands so good a lot of people so the bank has started six years ago in a little house in Sao Paulo Brazil but since they won we were very very hungry we may be selling financial services but we see ourselves and compare ourselves to tech companies and to create something meaningful we knew we would have to have a strong culture so since the beginning RB hag or a big hairy audacious goal was become the most influential financial services company in the world and we were going to do it by fighting complexity and empowering people or customers and this board is from six years ago and our fate still is feels very true in your bank so look at the vivid description of success session and that board and there's a fast decline of the old world happening right now and how companies are changing their behavior we can see that happening and we aren't we want our customers to love us phonetically since that day one offering foundation and today I can tell you that we're living this vivid description of success in Brazil and being customer obsessed is key for this so today we're now the largest digital bank in the world outside of Asia with about 10 million customers we've seen exponential growth and this great hockey stick that everyone loves seeing we did it while keeping the highest NPS in the industry there is no trade-off between growth and quality here what I want to see is customer obsession driving growth customer experience being our focus and what we want to have is more satisfied customers growth and high NPS are byproducts of this we've just reached 10 million customers and we have about 206 people in our engineering team working in more than 270 micro services across more than 40 different teams and for the people that already know to bank you one thing that you might not know is that we're starting internationalization so why would we or any people create a bank from scratch in the cloud right it looks insane but we think that Brazil has one of the highest interest rates for revolving credit facilities worldwide and we also think there was a big opportunity in quality because the customer experience was actually very bad and instead of looking at this gap and doing nothing what we did is we as frustrated customers that we wore we know that this was also a big opportunity and we thought that it will lower the fees interest rates and improve the customer experience we would eventually lead to a sustainable business with more satisfied customers this opportunity came for a very general place because we were the customers we knew the pain and we also asked ourselves what are the other things we can do to better improve people's life in terms of financial services so we kind of saw that putting customer experience first was a good priority to have it would always lead us to a good direction and there are four pillars for new bank technology design data science and customer experience so I would like to tell you a quick story that illustrates how we've been doing and how we've been using the spyler's to make our customers life easier so we know and you know when you have to travel abroad and you kind of have to call your credit card issuer and something they're going to travel so they can put your name in a wide please to avoid blocking your card because of some in fraud mechanism right well in case you didn't know there's a suboptimal customer experience and from a business point of view this is also not great because you're ending up with a lot of tickets that should not have been created at first place so what we did is that we changed our mobile app and we added a toggle button I'm traveling just by that and that was pretty good right but we thought that we could do more instead of looking at only the design as a solution to the problem we also look at app machine learning and we use machine learning to detect whenever there was a card-present transactions abroad and it that was the case we would automatically enable that feature toggle for the customer because it was a credit present from card present transaction but if the car was not present that would probably mean that the card could be have been cloned and so instead of doing going that direction we would simply temporarily block the card and set a push notification email to the customer saying hey your card might have been cloned and if that's the case let us know so we can create a charge back for you and we your card automatically if that's not the case just go to the mobile app and unblock your card again so when you care about your customer it's all about the little things you want to create a wonderful experience for them and we had to start somewhere so when we started we started with a completely digital credit card was the first option in Brazil that was mobile first and in terms of strategy it makes a lot of sense to start off a credit card instead of a checking account and I'll tell you why you cannot simply tell people hey I'm a new bank digital we're purple but your earnings in our bank because we're great people won't fall for that you they're going to ask things like what this new FinTech fails what will happen with my money but instead of doing that we decided to take the burden for the customer because it's easier for people to take credit from newborn institutions than the other way around so by doing that we were kind of preparing our customers based on those four pilers four other new offerings or new products and with great customer experience and technology people were eager to get more out of new Bank the two biggest complaints that we had and that we currently have were I wasn't approved for the credit card or I want a higher limit and the translation of that is I want put more of my financial life to the bank I want to put that to you I trust you and by listening to other customers wanted we decided to create a loyalty program so amid 2017 we launched our rewards program and it was integrative the app 100% online you get a point instantly you would never use your card no waiting also the points they never expire that's cool right so no tricks no small letters we did a simple program with a very transparent mindset because we think that the other programs the other offerings were all about those small letters there was a lot of complexity in there and we since we wanted to have a district parents mindset we were telling our customers that if they were not spending $500 or more on a monthly basis the program was not worth for them and we told them since the product launching so this transparency and simplicity they build trust with our customers and customers have to trust their banks it's all about the long-term you don't want to create a relationship and screw it up because of some go for a quarterly resort or something like that so in Brazil we don't have a positive ride score record like here in the US we only have a credit risk information for people that ready to credit so for us this very fact create a situation where we were declining about 70% of people that were trying to get a credit card product that's very bad for a business and very bad for the customers because we can not we could not have liked that risk so what we did is that we decided to create a product that had no risk in order to democratize great customer experience for financial services in Brazil and we created our version of a checking account that was mixed of a savings account so it has data liquidity and bears you interest with zero fees and you in Brazil if you're transferring from a bank to order at another bank you usually pay five dollars per transfer so having no fees was a big deal for people and in my opinion there was a time where physical branches were assets now I think they used to protect your business but now there are liabilities because everyone's having a digital online life and in Brazil about sixty percent of the population is embanked this means that we're not only getting market share from other banks but we're also increasing the market size and talking about how we're increasing the market size we're also entering new markets I cannot tell you where but we're coming to Mexico and Argentina really soon so it's a exciting time to be in a bank I think I like to think that is like Amazon selling CDs back then did a lot but there are many things to be done but going a little bit more technical how do you enable developers to be customer obsessed mmm this digital world or everything is online and everyone's connected we like to think of banking as a software engineering problem and not an operational problem we want to look at the tech lenses so there are four characters because that we'll cover today here autonomy reliability scalability in velocity I'm sorry so take autonomy we want engineering team to feel empowered to execute independently with a cradle-to-grave mentality you build it you run it we don't want to have the wops engineers or the web teams we want a real devups culture we also want the best for users so reliability is a feature a matter of fact there's a certain scale that you reach were the three most important features of a product our number one the product works number two the product works and number three repeat of me the product works right so we want to ensure proper reliability and carefully managing the bless radios and time fix for inevitable bugs is paramount incidents will happen they will they will happen so I like to think of an incident as an investment that you are making is a investment that you don't know how much you're going to spend you don't know when we invest but the best thing you can do is to get the most out of it you have to maximize the ROI of that investment so if we're looking at things with a different mindset you start getting better and better and better instead of trying to blame blame people and choke necks so you have to learn and improve upon that you also want to build things for the long term in that scale out instead of scaling vertically and you want velocity a lot of velocity you want the maximum engineering throughput that can get within certain guardrails so risk mitigation is key to achieve that so let's go ahead and explore autonomy when we talk about autonomy one of the worst things that happen in the banking industry is that the dictatorship of the security teams right so intensities are not aligned the security teams are adversarial and they create friction and bureaucracy that prevents engineering throughput to be maximized don't get me wrong security ski is probably the most important thing you can do in the banking industry for your users but there are different approach to that so let's look at this kitchen analogy here so looking at a red restaurant industry you can think of using a SS I am ROS being very similar to making every engineer a chair for kitchen staff of a direct access to different parts of the kitchen we have different roles and responsibilities and that things mostly work right not really because there are different specializations in a bigger organization you don't want your restaurant customers to jump into the kitchen and prepare their own food you have a menu for that so when you have a different roles and responsibilities you have the chef's creating the menu for with the options options for the customers the customers are them from the menu the kitchen staff prepares the food the waiter gets the food from the kitchen brings to the table and the customers eat you get a point but out of some of your front-end engineers they might know a little bit about I am or perhaps a lot of about I am the what they actually want is to put that static a webapp aging cloud front and basically they just want to eat and if you put them in the security or inside the kitchen you get a lot of instant ramen so you might end up with things that you don't want for the long term you might not get nutrition you know so if the restaurant is big enough the key staff also has different responsibilities so in new bank let's see how that's done so there is a security engineering team and we they have access to great tooling sharp knife sophisticated plate warming and they deliver value in small batches they are developing our authentication authorization system as they're working with mutual TLS there we architectural security components to be able to scale with the company there are another team they are the security operations center and this team is like getting great instruments to measure temperature drift or if the people in the kitchen are the authorized personnel and when it comes to technology they are creating alerts and dashboards to ensure that have a great visualization of what's happening they are going to configure and tonight that was sheer attaboy suave we also have a blue team and this blue team they will harden our infrastructure and applications that will create a threat model matrix for our CI CD tooling they also we create a plan to mitigate those risks they will follow up with the teams to ensure proper action is being being taken and then you have the red team is the most fun team to be in right we're basically trying to hack out people all the time and trying to discover possible vulnerabilities in it's an internal team for pentesting that we have and there try to get into the local network to the printers the try to scale it permissions they'll send a phishing emails to key employees to sea level people and they will create a backlog for other teams when they find those vulnerabilities and we have the security teams which is a little bit different from most companies but one thing that I find really interesting is about having the physical infrastructure team or the IT ops team inside an information security organization because one of the biggest attack of vectors in our industry is the local network so if we have the physical infrastructure embedded with the information security you gather right alignments for that and all of these teams they have to be open and willing to collaborate with the rest of the because since they are in different phases of the like psycho they're working closely father control functions they have to understand and they do understand that if they don't create the right incentives in the company we are going to have a stuff like shadow IT you will have a people that when the people don't get the right access to do their jobs they're going to share passwords and that's terrible for audit trail and for many other reasons right but to enable engineers to be customer obsessed we want them to have the exact minimal permissions to do their jobs these permissions have to be fine-grained just enough to accomplish work they should be under constant evolution and scrutiny T we could recreate those mechanisms in the bank based on a device limiters and there are ad official lambdas that are using for managing account providers and organizations and many other different things but we also have a curated list of I M rows and I M groups that give access to specific operations on a SS services and those are very fine-grained operations only the bass and together if lambdas they are also used for temporary privilege escalations so this limited functions they're actually being run and monitoring he state of the system and revoking and removing expired permissions so we have a self-healing mechanism controlling everything and for the mic microscopes we use about 300 different scopes they are basically JWT tokens of style with an endpoint level granularity and we do restrict some scopes and to be used only when people do some certain of trainings we also restrict some tax combinations and they are also automatically ripped after inactivity and another thing that we do between hands autonomy is micro-services so it's hard to have a clear ownership of a monolithic architecture and you know that a dog with two owners dies of hunger so everything all the set of micro services from cradle to grave and you build it you run it model you know the classic between dev and ops teens right so avoid that the thing that this dev should also do ops and if the service has a lot of tech depth or a lot of crashes or incidents the engineers that developed the services they will get paged in the middle of the night so they have the right incentives to avoid that right and on the other hand if the team is only looking at operations and everything is green low latency zero error rate does that mean that everything is good not really in a bank this just means that this thing is low it's not taking risks so having the right feedback loop for the teams Foster's autonomy better than anything else and talking about reliability in ops security teams can get proper reliability without adding too much fresh friction to other engineers if they're using the right model so remember a cool kitchen analogy so we uh needs to order from the menu so they can focus on the end customer and with this security s code term our code is the recipes and we instead of having a human doing that we want to have a robot Kitsch robot kitchen staff to prepare the food so the software developers they don't depend too much mother humans to do their jobs and do you think that's confusing I will show you how it Abbas is helping us to do that so in terms of security as code there's an issue when we give people permission to create rows so when you have I am row creation you could also have a privilege escalation so this is the before face and I'll show you the before and after how are lessons during the process so the engineers they were autonomous and they were creating infrastructure isn't this git repository name the deploying new Bank and this represented would create a dynamic confirmation JSON templates contain everything necessary to run micro service in architecture that would be like a load balancer or scaling groups large configuration the as instance profile and of course they mrow so we were given full autonomy to them but if we're given this autonomy that meant that they could create a mrow that have could have possibly any permission later bus so they could do that ssh into the instance and do whatever like delete i see two buckets or things that are very important for us in terms of reliability it could be in a malicious sense like they want to do that on purpose but if the developer even if they're not malicious there was a lot of copy and paste going on right because to create a right am roles and policies you know the drill who never thought like i'm going to create this permission with s3 star just quickly here and then i'll look at it afterwards and remove it and then it goes on forever so this of course led to these star permissions that you don't want to have in your environment and it was clear for us that the engineer should be able to create am rows no engineer should be able to create i am rose to prevent these two issues so what we decided that we wanted to go to a device named approach so the engineer uses the same deploy repository to create a micro service but she doesn't have the permissions to create i am rose anymore but she has permissions to invoke a lambda function that will do the creation of that I am role so you get even better granularity because the lambda can be more fine-grained than I am so these permissions that could be a sat were also curated from a curated set of policies and this prevented permission escalations that have mentioned but if someone could manipulate or create or modify a lambda function then you would have another corner cases right so it doesn't actually solve anything so to avoid that nobody has permissions to modify and cradling the functions in your bank what we have is that we have a tool poly two repositories here one being I am policies and any engineer can create pull requests in their repository and change these permissions but you would need to get approval from the info section members and then after that's done that's going through CI CD and a lamp that will change the I am Rosen staging and production environments and for the lambda automation this is where all our lambdas are maintained and started I also get repository so the same thing happened and if anyone could possibly add or add or change a lambda but they would need to get approvals from the InfoSec seems to get that to stage into production environments so it's still talking about security what I want to to think in terms of proper reliabilities that the fencing death is essential so boundary defense doesn't address our tech vector because also the boundary is compromised it's necessary to defend the subsequent layers so for example here we have a customer and all the new bank customers should have a certificate issued by new bank pin it to their cell phones and with mojo TLS if the customer doesn't have the certificate they can not even establish a TCP connection with some offer for more important services so for storage we use am rose some specific item Rose segregation with security groups and also encryption at rest with our own keys of course and for asynchronous communication we rely on Kafka we sign out a message digitally and the sensitive topics are fully encrypted for our office network every employee also has a certificate pin it by and that was issued by us so there is no sharing of Wi-Fi passwords because without a certificate you simply cannot connect to the network so this certificates can put the employees in different groups based on their functions and those are putting different segregated subnets inside our systems so if someone also has to assess age into a server the AWS session manager makes out the session audible and talking about all the trails what we want to have is everything set up to do a forensic analysis in advance before that crime or the incident happened right so what we do is that we have different multiple logs covering same flows for redundancy and cloud tray of the seafloor logs DNS requests city requests etc all of the logging is being shipped to his plant and where we have alerting and dashboards with a 90-day retention period and we do ship all of these logins to s3 for archiving so we don't forget anything that happened and we also have a daily ETS ETL processing that enables us to do Senate checks for our database workloads because we can check systems consent consistency in a distributed ward so a device redshift is providing the capability for us and to protect our customers and satisfy regulators monitoring is essential so not only we want to detect problems as fast as possible but we want to fix them as fast as possible and we want to prevent them from happening so the most embarrassing thing that can happen is knowing that your site is down because a customer told you so but that happens and life goes on right and we want to ensure that we're learning from our mistakes so we want people to do post-mortem analysis get to the root cause and ensure that the actual actors are being implemented we want to get better you want to get better really really soon but we don't want to blame blame people want to focus on automation instead of bureaucracy we want our systems and to be so automated and reliable that even if someone inside our company tries to make us take us down on purpose they won't be able to do so so there are many many reasons why these things are important and talking about scalability you don't want to have higher latency or bad correctness for your systems because more people are using your service in a black fighter or another event and in new bank we run 13 kubernetes clusters in port with 70 m5 chocks 12 X large notes per cluster and each cluster runs about 900 pods if you include the cube system namespace we also have about 1 billion HTTP requests on a daily basis and 700 million Kafka messages and this is pretty big so how do we scale all of that so we use a sharding strategy or a cell based architecture and for each cell we have audits necessary to supposed support a customer in new bank our micro-services databases catechist services Kafka clusters kubernetes clusters load balancers all of it is sub sufficient from a customer point of view when they are living in a shard so take a 0 for instance we have the purple customers in s1 we have the orange customers in s2 we have the blue customers auto as 0 as 1 and s2 they share the same code basic functionality the data that they have is completely different so the data from the orange customers it's always going to be only in s1 is not going to be anywhere else never so in this makes us able to create more infrastructure if we want to have more capacity because when infrastructure is code we and we know how many customers each of these shards or cells can handle we can simply create a new shard to support another million customer let's say so this shards or cell based architecture are really good for scalability but another thing that I bring is a blast radius mitigation because if you have a casket cluster problem in our s0 shard customers from s1 and s2 they don't get affected so you have a thing where you can have incidents and have outages but people will generally not notice unless they are in the specific shard that's awesome and by offering a lot of micro services we can scale horizontally individually the services that are more demanding for that period of the day and we offer many services so instead of having a monolid architecture where you have to scale out your application because of one of the services you can just scale the features that are most use it and that's you gain a lot of efficiency and in terms of scaling organization each team works with a subset of micro services and behaves like a mini start-up inside a company they have the context and they have the ownership and can focus on what is really important for that part of the business so with micro services the engineers they are less afraid of change in the impact of change we reduced the conflicts and the dependencies between the teams and we get more done that's what we want to get more done we want to add more value to our customers while mitigating the risk and the blast radius and being able to scale and talking about getting more giant or customers velocity and innovation they work close to each other in some sort of self reinforcing feedback loop so we can start by looking at our applications and in new bank we deploy more than 400 times a week without having a change advisory boards no change management no downtime we know isn't that crazy for a bank so how do we do it if it hurts do it more often we're doing criminal changes in the code base and have someone reviewing the pull request then we run different types of testing unit testing integration tests consumer driven contracts tests and then we deploy Tory staging environment after we're done with that we deploy to a production environment and then we do monitor write and every if everything goes out we just keep going with a new incremental change so here in the upper part of the slide we can see the happening for a single micro service in named borough and for that micro service you can see there - I don't know if you can see actually can you see can you read it no so I think the fourth pipeline is borough - stage in the fifth is brought to prod and you can I don't know if you can see actually but I would describe it so there are some parts of the pipeline parts of the steps that are injected they're white and those steps of the pipeline they are the row back steps so for each of the pipeline we have a row back step that will have us in case of a failure we can just click on a button and will trigger a row back because as you know most incidents are caused by deployments and that's why people are afraid of deployments so there are some ways that you can prevent deployments to be so dangerous so having greater test coverage test for production schemas around cannery deployments featural outs so those are very important techniques that you can use to mitigate those risks so we use circle CI and go C D for a tooling and with the Payan kubernetes which enables us to do faster deployments and faster robots because it's way easier to create a process than to create a new VM faster so we depend on parameters and graph enough for the monitoring of our production workloads but if a device enables you to do infrastructure as code then you should have deployments of your infrastructure in the same way you would do if your application so we have this - git repositories one is definition where we have idiom files which is basically a closure equivalent for JSON and they contain definitions of other deployable units in a declarative DSL format that we have a proprietary one then we have the deploy project that I mentioned previously acting as a wrapper for the kubernetes and a de Bresse api's so it will read from these definitions those declarative things and then we turn it to a transform or proprietary version of the word in - confirmation JSON or kubernetes e mmoes and be able to talk to those api's so how many of you know Bluegreen deployments probably many of you right ok so imagine that you want to change your services discovery provider or ability or server Linux versions are me great Saku Burnett's or anything those big changes in the infrastructure but your infrastructure is code so you can extend your code you can create testing scenarios for the code and think of good abstractions so after your done with the code part you have to deploy so let's say you have your version of the word of your infrastructure green one V one dot o up and running and then with the new code you deploy the new version of the ward the version of the infrastructure and that's done without changing what's actually serving your customers currently so after creating those things with a SS API you check if everything is healthy and if that's the case you are ready to point the dns to your new version of the infrastructure the blue one the v2 right so the cool thing about is that if something doesn't go as expected Roback is as easy as changing a dns to the old version of the infrastructure again so you you don't have updates in place you have been motor baut infrastructure now you have a blueprint for your infrastructure but one thing that's cool is that you can have cannery deployments by using weighted record within alias records on route 53 so you can just put 5% of the traffic to the new version of the infrastructure and you have cannery deployments for your infrastructure too so yeah you can rebuild your whole infrastructure without any big risk with this approach and once you're done with it you can simply delete the confirmation templates are stacks that we're providing the old infrastructure and you're good to go but if you're not confident enough you could have both versions of your infrastructure running for weeks in parallel or so anterior it's safe imagine doing that in your data center impossible or costly so I want to wrap up here with some of the lessons we've been learning customer obsession is a drive for better products growth and better customer experience sorry to say but if we're doing digital transformation because you're afraid of getting disrupted you are doing it for the wrong reason and you'll probably fail and technology is not a cost center anymore technology technology is now focusing adding more value to the customers and you can do it with different techniques nowadays I won't lie to you microservices if you the benef ts of the micro-service you need a ton of automation but it will help of scalability reliability velocity and autonomy in a beautiful foil so regulators they expect out Astraeus they expect monitoring they expect risk mitigation and accountability but this has nothing to do with change advisory boards and CI culture so what we want to do is minimize the risk of deployments by using unity and integration testing feature allows generate deployments and the point frequent is now changes instead of big batches of changes you want to empower your engineers and automate things so hard that even if someone intentionally wants to break things it won't be possible we are hiring in different locations we're hiring Sao Paulo we're hiring Berlin in Mexico City and in Buenos Aires if we have the time mode we have to take care of some of your questions thank you [Applause] okay question there what do you think was the toughest challenge you faced I guess what do you think was the toughest challenge you faced with regard to guess blending everything in AWS and getting everything regarding typically either either specifically in with regard to the banking industry in financial services or with regard to in general the whole migration well that's a very tough question because there were so many right I think there are different types of challenge one is bootstrapping and not having all the licenses and depending a lot of partners that are using a bunch of xml's and things that are protocols that are proprietary that don't actually exist and having your partners or vendors that we're doing part of your banking system failing or having inconsistencies and having to the bug off of it and then migrate to your own infrastructure into your own services while you're your one two or more of your own destiny this was a big problem for us in the beginning but another one that I can say was really scaling right because there are growth growth pains when we are growing that fast if you're on this exponential growth live in an organization suddenly you have to hire more people and how to ensure that you have the right culture for everyone so I think there there are technical challenges and their cultural organizational challenges but it's really hard to point one that was the hardest one I think each person in the bank would say a different one question there since you're running everything in the cloud how do you manage your dr strategy like how do you switch between and AWS regions we're using this impala SS region for a production environment in brazil and for a staging environment and for data analytics we are using us virginia question thank you for your references to the blue grain deployments but I was wondering if you considered using app mesh to do the boot various blue-green and canary deployments Umesh yeah like going to a more service mesh architecture okay yeah that's probably all the world map but it's something new and now we avoid most of the problems that have mesh and service mesh so by using a flagel well so we have a very homogeneous stack in our environment we close your shop and we rely a lot of common libraries that we we developer ourselves and have wrappers for other different libraries so finais goes the library that twitter created before service mesh could possibly exist and some things for exponential back-off retries that line budgets all of it so that's living too in our services inside the JVM insider service so you can also tune a little bit better the exceptional handling and instead of being sidecars so a different context for us how much did the Brazil regulations affect how you design things and in the markets that you're going into and I don't know how much you know about us regulations but if you could compare that that would be good too I don't know that much about the US regulations but I can tell you a little bit about how it was for us in in Brazil so at first in Brazil there was no real clarity if we should run our infrastructure in Sao Paulo South America region or if we could run them for certiorari broad because there were no regulations regarding that and that's like the worst case scenario because it's not clear what you can do and what you cannot do and eventually they got a regulations that say that we could be out of that region and we probably could have a lot of cost savings by moving to a different region but we're not doing that because there are so many things to do right but in comparing to the US I think Brazil has a higher inflation but also it has things to cope with this higher inflation from the 80s and 90s where we have a central hub provided by this central bank where you can get instant transfers from different banks anywhere there so how the protocol for the central bank so you can get transfers and this comes from the hyperinflation with a phase in Brazil where if you depended on having to send a cheque from the west coast or to the East Coast you would lose like seven days of interest or something like that so your money would basically be less valuable so things in Brazil are different in many aspects people used to pay the credit card they used to pay with a lot of installments even if they don't have to they use credit cards as a means of payments instead of being for credit so it's just because they want to pay things and it's easier to do that then carry money so when when it comes to financial lives every country has its aspects being able to depend on Visa or MasterCard for credit card changed a little bit because you have this sort of one protocol for all the world but it also has its localizations you mentioned that you started with a credit card product and you later switched to checking and savings accounts and you were talking about how 60% of Brazil is unbanked and you were penetrating that market creating a new customer base but how do how do you measure the credit risk of the customer based period whether it's you know issuing a credit card or offering a checking savings account so for the checking account you don't actually have a lot of credit risk because the money that people will use is the money that they have deposits but for the credit card since there was in Brazil this red negative record where you can only have the record if you already took some credit we had to kind of there are credit bureaus that we get the data from and sometimes we don't fight the data so what we're doing is like getting more people into our checking account and look at how their financial life that actually is how much money they get deposit how much they are transferring and we're using this data that's proprietary data to the discredited analysis I think we're good or any more questions okay thank you so much you