Universal DPI Safeguards Framework – Mifos Alignment

You are here: / / / Universal DPI Safeguards Framework – Mifos Alignment

The Mifos Initiative is pleased to express its commitment to the DPI Safeguards initiative co-stewarded by the UN Office for Digital and Emerging Technologies and United Nations Development Programme.  As part of this  commitment, we will showcase how our Digital Public Goods (DPGs) align with the Universal DPI Safeguards Framework’s foundational and operational principles. We also pledge to ensure that as we engage with countries for the adoption of our DPGs for digital public infrastructure (DPI) use cases, we’ll ensure a Safeguards by Design approach at all stages from design to development to implementation to ongoing support. We will also ensure training and sensitization of ‘Safeguards Inside’ and ‘Safeguards always’ philosophy with our Communities of Practice.

The Mifos Initiative is a global 501(c)3 fintech non-profit that has been pioneering open source technology for financial inclusion for the past two decades. Mifos stewards two Digital Public Goods (DPGs)

  • Mifos X, an open source core banking platform and system of record
  • Payment Hub EE, an open source payment orchestration engine

which collectively provide the critical yet often overlooked capability needed to provide last-mile accounts for financial inclusion.

We also steward a number of other projects such as Mifos Gazelle, a DPI as a Solution deployment and demonstration tool to help countries evaluate and understand the possibilities of DPI, and a range of mobile applications.

Often when governments are implementing DPI for G2P and P2G payments, digital identity and an instant inclusive payment system are the first priorities. However to achieve financial health and ensure instant payments are inclusive, those last mile recipients must have access to a functional account or wallet. Mifos provides low-cost scalable infrastructure to enable the public and private sector to provide those accounts, connect seamlessly to payments, and deliver a range of financial services via those accounts. Mifos and solutions built on top of its open APIs are reaching more than 75 million individuals across 500+ institutions. 

Mifos as the Last-Mile Delivery Specialist 

What use is a railway without stations to get on or off, all the way to the  last-mile. The same principle applies to Payments DPI where Mifos can be compared to the stations, providing critical infrastructure for the last mile to enable people to access the rails provided by DPGs such as MOSIP and Mojaloop. Mifos also provides the innovation railcars to enable the creation of responsible user-driven financial services on top of these rails. By providing this critical infrastructure for tier 2 and 3 institutions (MFIs, SACCOs), Mifos emphasizes the “Do Not Exclude” principle by bringing the most marginalized into the DPI Ecosystem.

Safety-by-Design at the Edge

While MOSIP secures the identity and Mojaloop secures the transfer, Mifos secures the stored value. As part of our modern core banking infrastructure, the granular access controls, robust audit trails, and  “Data Privacy by Design” protect the long-term financial records of vulnerable individuals.

Social Performance & Evidence

MOSIP and Mojaloop focus on technical reliability for the underlying rails of digital identity and instant inclusive payments. Mifos lead on the “Evolve with Evidence” principle by enabling focused innovation on human-centered financial services, transparency around the costs of these services, and integrating social performance tools like the Poverty Probability Index (PPI). This demonstrates a commitment to measuring if DPI is actually improving financial health through meaningful usage, not just increasing transaction volume. 

Mifos & DPGs as Safeguards Practitioners

DPGs are uniquely suited to promote and guide adoption of the safeguards. As stewards of DPGs, we  interact with multiple stakeholders at all stages of DPI implementation – working with our own developer community and the developer communities of other DPGs during the conception & scoping, design and development phases; interacting with local system integrators and government practitioners during the deployment and operations/maintenance phases; and with regulators/funders during the strategy & design phases. 

In this critical role, we are eager to use both our technology as well as our community and ecosystem to drive adoption of the Safeguards. Edward Cable, our President/CEO, has been the 2025 Co-Chair for the Assessment working group building a holistic set of indicators and measurable outcomes to help put the principles into practice. 

The Mifos Initiative as a whole (Leadership, Developers, Volunteers and Partners in our eco-system) is now pleased to make a greater commitment to the Universal DPI Safeguards Principles as well; embedding them at the core of how we work and operate.

“Being Co-chair for the Assessment working group of the UN DPI Safeguards Initiative has been an immense honor. Being able to use my experience from DPG stewardship and engagement in DPI alongside the other deep experts in the working group to ensure indicators and measurable outcomes are in place.  I am therefore truly delighted that the Mifos Initiative and its community is able to step up and make this commitment to the DPI Safeguards. Mifos is eager to to act as a Safeguards Practitioner, serving as the bridge between high-level principles and the measurable outcomes of financial inclusion”

Mifos is delighted to announce our commitment to the Universal DPI Safeguards Principles like Mojaloop and MOSIP already have. The rest of this blog post outlines our similar alignment at the principle level.  Throughout the coming months, we’re eager to put the Safeguards into practice. We’ve already collaborated extensively with these critical DPGs for Financial Inclusion and are looking forward to working alongside other DPGs like OpenG2P and OpenSPP to streamline G2P and P2G payment flows. 

This G2P use case and integrated solution architecture is a key focus of Mifos Gazelle that we continue to evolve as the tool that helps countries visualize how all three DPGs (Identity, Payments, Accounts) work together under a unified Safeguards framework.

With Safeguards Inside, Mifos as the Account Management & Financial Health layer can convert these foundational rails into tangible human outcomes.

Foundational Principles

F1. Do No Harm

Harms to individuals may not be immediately obvious. A human rights-based framework should be integrated throughout the DPI life cycle to anticipate, assess, and effectively mitigate any potential human rights harms and power differentials.

Governments and the broader financial services ecosystem struggle to achieve their financial inclusion mission due to the high cost and complexity of financial services infrastructure. By equipping governments with a mature and proven core banking and payment orchestration infrastructure powered by Mifos DPGs, they can focus their effort on designing responsible and human-centered financial services that minimize harm and ensure that payments can be delivered last mile and act as a means of enabling inclusion of these vulnerable individuals in the digital economy. We also stand committed to ensuring we undertake an assessment in all DPI engagements.

F2. Do Not Discriminate

All individuals, regardless of intersecting identities, should have unbiased access and equal opportunity. Risks due to the circumstances of all vulnerable communities, historically marginalized groups and those who opt-out should be mitigated.

By enabling those last-mile institutions like MFIs, SACCOs, savings groups to have access to modern banking technology and connect into instant inclusive payment systems, we can ensure that marginalized individuals have equal opportunity and access to real-time payments and other modern financial services. Likewise by democratizing access to these financial services and enabling technology, we build a local support ecosystem that goes beyond the boundaries of typical support providers, ensuring even at the operational level there is equality of access to opportunities to participate.  

F3. Do Not Exclude

All individuals should have a choice of channels (digital/non-digital) to access and benefit from services enabled by DPI based on their individual capacity and resources. Access should not be limiting, conditional or mandatory — explicitly or in practice.”

We once again want to emphasize last mile-delivery of accounts. While payments hinge upon digital ID and a real-time payment system integration, even if these are in place, these technologies alone doesn’t ensure that these payments are inclusive. Participation in a national switch does not necessarily mean that each individual in the country (especially those marginalised) has the means to participate. For individuals to be truly included and harness the full potential of digital payments, they need access to a functional transactional account. Most often those Tier 2 and Tier 3 institutions focused deeply on financial inclusion are the last to participate in a switch. We enable these last-mile institutions who might lack sophisticated IT staff or large IT budgets to still have modern core banking software that allows for a functional wallet account and that can connect into real-time payments. By being open source from the ground up and API-driven, we enable grass-roots innovation where those service providers who want to provide alternative channels can build upon our APIs to cost-effectively reach those under-served and excluded markets. 

F4. Reinforce Transparency and Accountability

DPI should be developed with democratic participation, have public oversight, promote fair market competition and avoid vendor lock-in. All partnerships should be transparent, accountable and publicly governed.

When a government chooses to build its banking infrastructure on open source Mifos DPGs, it enables the government to achieve digital sovereignty by owning their solution, adapting it and supporting it with their own staff or local vendors of their choice. They are not beholden to a third party vendor and have complete control of their IT destiny with the backstopping and support of a global community. While we don’t expect individuals or the broader public to be interacting with the source code of underlying DPGs, our software facilitates openness at all levels. From co-creation with civil society and private sector of new innovative services that are more inclusive, to flexible data tables to ensure household impact information is being captured, to being able to disclose how financial calculations are done and provide transparent APRs, to generating sufficient audit trails from the system, Mifos ensures transparency and accountability to the end recipient.  At Mifos being Open isn’t limited to Open Source we uphold openness and transparency in the decisions we make, how we operate, being democratic and allowing participation from all.

F5. Uphold the Rule of Law

DPI should be introduced with a clear legal basis, with required legal and regulatory aspects embedded into its design, supported with capacity for sector specific tailoring (such as health), implementation, oversight and regulation by law.

Having access to an open source codebase allows financial service entities whether the government or the private sector to be flexible and adaptable to meet regulatory requirements. We observed this directly during COVID when numerous providers were able to respond to the requirements around pausing interest or providing moratoriums for borrowers in hardship. With access to the source code, our private sector adopters are able to adapt their systems to regulatory changes in the course of days and not months like with proprietary systems. Likewise, the open data model and extensibility around business intelligence ensures timely reporting for financial services back into central authorities. This understanding of the need for open-source code at the point of implementation in a DPI needing to account for local legal and regulatory aspects is one of the reasons Mifos exemplifies and advocates for local service providers as part of capacity building, being able to lead and ensure this legal and regulatory compliance.

F6. Promote Autonomy and Agency

Ensure that everyone (especially indigenous communities with sui generis rights), on their own or with assistance, can take control of their data, promote their agency, exercise choice, and contribute to their society’s well-being.

Mifos promotes this principle at two levels – across the ecosystem and down at the level of the individual as well. By providing an open API-driven platform, we leverage the market dynamics by unlocking local ownership of solutions, grass-roots innovation, and control over these open assets. At the level of the individual by providing everyone regardless of status with access to a functional wallet or transactional account, they have control over their financial well-being by not just being able to participate in the digital economy by transacting but gaining access to a full range of inclusive financial services like productive credit to create economic opportunity and access to savings to withstand economic shocks.

F7. Foster Community Engagement

All stages of the DPI life cycle should centre on the needs and interests of individuals and communities at risk. They should participate at critical junctures and provide feedback actively in an environment of transparency and trust.”

A fundamental guiding principle for Mifos is our virtuous cycle whereby we encourage all adopters of the Mifos DPGs to be on the latest upstream version and contribute back; as such the global collective community maintains and evolves the platform and knowledge, innovation and enhancements are shared globally. 

As Paul Ramsey noted, “You get what you pay for, everyone gets what you pay for, and you get what everyone pays for.”

We can only achieve our shared vision of 3 Billion Maries by unifying an entire global community of not just the developers and technology providers of the software but the software adopters and civil society such that we create a flywheel of innovation, ideas, and impact that translates into the design of more impactful financial services offered via digital accounts that promote inclusive financial health. 

F8. Ensure Effective Remedy and Redress

Complaint response and redress mechanisms, avenues for appeal without reprisal, supported by robust administrative and judicial review, should be accessible to all in a transparent and equitable manner during service delivery.

Mifos DPGs seamlessly integrate with other systems like CRM for effective remedy and redress. A key component of the Payment Building Block of Payment Hub EE is the ID Account Mapper which ensures the account of a recipient  of a payment within a program is confirmed before payment is sent and the beneficiary’s chosen payment modality is utilized. Our orchestration engine enables the retry of all payments and ensures that if they don’t go through, notifications are received and the status of the payment is tracked. Our reference customer-facing apps integrate with all relevant communication channels. 

F9. Focus on Future Sustainability

Inculcating foresight is key to anticipating and limiting long term and inter-generational harms. For example, mitigating the environmental impact with a net-zero strategy or minimizing resource needs with reuse of software.

Building and re-using DPGs is a crucial driver of success for governments adopting payments DPI. Rooted in our permissive open source licenses, governments can adapt and re-use our proven banking and payment solutions while being able to support it locally or with their own staff. The software is built on common modern web technology stacks so finding and training local IT talent to support is both sustainable and replicable. The technology itself is designed to be run in low resource environments and can be deployed via hybrid approaches via containers leveraging the benefits of public and private cloud and on-premise deployments. Our reference mobile applications are developed using Kotlin multip-platform for cross-platform development across multiple devices. 

Operational Principles

O1. Leverage Market Dynamics

DPI should foster an increasingly inclusive environment for public and private innovation such that market players can compete and introduce diverse equitable solutions that cater to emerging needs of all people across the society.

Our approach to developing and distributing our DPGs is an ecosystem-based approach that enables a level playing field where all providers, public or private sector, can use, contribute to, and build their own solutions using our DPGs. Our building blocks for banking enable the delivery of any financial service whether that’s a government offering a wallet account to its citizens, a fintech providing a mobile wallet, or a SACCO or MFI providing a small business loan. Payment Hub EE provides an orchestration engine enabling G2P and P2G flows via any type of digital payment rail. 

We follow the hourglass architectural approach endorsed by Pramod Varma that ensures a minimal yet functional core as the center of the hourglass that enables the ecosystem to build and support the core through primitives and enables innovation and use case development via APIs and open standards. Through this common platform for innovation we unite government, civil society, private sector technology providers as well as university interns and academia to design and co-create meaningful financial services that benefit the whole of society. 

A powerful yet under-utilized force for DPI adoption are universities and interns. Mifos has a long track record of participation in programs like Google Summer of Code and Code for GoodTech which help to build the next generation of open source contributors. We have participated in GSOC for 13 years now and the first two years of Code for GoodTech. In 2025, Mifos graduated 22 interns who contributed substantially to our DPGs. 

O2. Evolve with Evidence

Independent, transparent, and continuous assessments, due diligence, or audits should engage with people, understand concerns, review evidence and rapidly cease or initiate activities that contain heightened risks or harms.

Both our Mifos X core banking and Payment Hub EE orchestration engine ensures the creation of the necessary reporting and compliance measurements for operational, regulatory, and social performance. We have robust audit trail capabilities, flexible business intelligence and dashboards, robust dynamic data tables to capture additional metrics, and integration with social performance indicators and measurement tools like PPI to measure progress out of poverty. 

At the level of the software itself, each feature and module undergoes rigorous behavior-driven acceptance testing using the Cucumber framework.

O3. Ensure Data Privacy by Design

Digital Public Infrastructure (DPI) must protect people’s privacy by collecting only what is necessary for service delivery and by giving nations full control over data storage and management.

Mifos X, an open-source core banking system, aligns with this principle by giving implementers control over:

  • Data governance: Defining what customer data is collected and retained, ensuring that institutions only store information relevant to service delivery and avoid unnecessary exposure.
  • Deployment control: Deploying within national data centers or sovereign clouds to ensure local data residency and compliance with national data sovereignty laws.
  • Modular architecture: Enabling data minimization by storing only essential financial information, which reduces privacy risks and improves system efficiency.
  • Flexibility for privacy-preserving technologies: Supporting integration with advanced privacy-enhancing tools such as homomorphic encryption, differential privacy, zero-knowledge proofs, and secure multiparty computation. This flexibility allows institutions to adopt stronger protection measures over time without redesigning their systems, future-proofing data protection strategies.

To strengthen privacy-by-design, implementors can further enhance data masking, auto-deletion policies, and customer consent management features, all of which are crucial for building user trust and regulatory compliance.

Within Payment Hub EE, the introduction of the ID account mapper ensures data privacy by ensuring that the final account details for the beneficiary are controlled and not distributed to all beneficiary management systems.

O4. Assure Data Security by Design

Digital systems must embed strong and regularly updated security mechanisms to protect data from misuse or breaches.

Mifos X incorporates:

  • Secure authentication: Using strong and multi-factor authentication helps prevent unauthorized system access and protects user credentials.
  • Encryption: Applying encryption for data at rest and in transit safeguards sensitive financial information from interception or theft.
  • Granular access controls: Restricting permissions ensures that only authorized staff can access specific data, minimizing insider and external threats.
  • Comprehensive audit trails: Tracking all user and system activities supports accountability and quick incident response in case of security breaches.
  • Open-source security reviews: Engaging a global developer community ensures continuous updates, peer validation, and rapid patching of vulnerabilities.

Likewise for Payment Hub EE it incorporates:

  • Secure authentication: Using strong and multi-factor authentication helps prevent unauthorized system access and protects user credentials. It can link to existing implementations such as Keycloak minimising the risks of multiple points of account controls.
  • Encryption: Applying encryption for data at rest and in transit safeguards sensitive financial information from interception or theft.
  • Granular access controls: Restricting permissions ensures that only authorized staff can access specific data, minimizing insider and external threats.
  • Secured API’s requiring digital signatures to stop unauthorised system integration.
  • Comprehensive audit trails: Tracking all user and system activities supports accountability and quick incident response in case of security breaches.
  • Open-source security reviews: Engaging a global developer community ensures continuous updates, peer validation, and rapid patching of vulnerabilities.

Implementation-specific enhancements can include standardized deployment guides, automated updates, and stronger key and intrusion management tools, all of which are vital to maintaining long-term system resilience. This could also include designing and building a crypto agility layer to defend against future quantum computing threats. The architecture is adaptable and expandable to allow these types of future enhancements.

O5. Ensure Data Protection During Use

Personal data should be processed for legitimate purposes, accessed only by authorized personnel, and protected in accordance with defined legal and operational standards.

Mifos X and Payment Hub EE support:

  • Role-based permissions and secure API access: These controls ensure that only verified users and systems can interact with sensitive data, reducing unauthorized data exposure.
  • Comprehensive audit trails: Maintaining detailed logs of all user actions promotes transparency and enables effective compliance monitoring.
  • Flexible integration methods help align with legal requirements around KYC/AML, ensuring that data use remains lawful and traceable across financial operations.
  • Configurable data retention policies: Allowing institutions to define how long data is kept balances operational needs with privacy obligations.
  • Integration options with RBAC systems such as Keycloak, allowing a single point of RBAC control for an implementing organisation.

Implementation-specific improvements can focus on enhancing user consent tools, facilitating data access requests, and strengthening compliance monitoring, ensuring that data protection is upheld throughout the system lifecycle.

O6. Respond to Gender, Ability or Age

Not all individuals experience DPI in the same way, and some continue to face barriers and challenges related to access or use. DPI implementation should not exacerbate existing challenges or introduce new barriers and inequalities.

By providing core banking built on open source primitives and building blocks and payment orchestration to connect into any payment system with extensible connectors and configurable workflows, we allow the government and/or ecosystem to focus on building responsibly designed human-centered applications and products and services that address inequalities and provide access to those typically excluded.  

We provide the back-end as a primitive or building block allowing the government or ecosystem to focus on building responsibly designed human-centered applications     that can cater for different individuals needs. We also offer a set of different interfaces such as web applications, mobile applications, voucher payments etc to ensure all individuals can access DPI without barriers. 

O7. Practice Inclusive Governance

Long-term effectiveness of DPI is contingent upon the establishment of a robust legal, regulatory and institutional framework that should promote transparent and participatory multi-stakeholder governance focused on safety and inclusion.

Within the Mifos ecosystem itself, we foster a welcoming and inclusive culture that enables the effective collaboration and participation of all participants through collaborative working groups, voting on releases and an open roadmap driven by user inputs and priorities. 

By enabling the government to adopt and adapt a re-use the upstream open source DPG to its needs, it can guide its own inclusive governance around how it maintains and supports its solution without any dependence on a third party vendor. 

O8. Sustain Financial Viability

As DPI are a public infrastructure, diversified, phased and sustainable financing models should be established. Governments can lead during the build phase and local digital partners or the private sector can lead on operations and maintenance.

First and foremost, we sustain financial viability by enabling last-mile accounts for financial inclusion by both reducing the barrier of providing a modern 24×7 functional account and reducing the cost and complexity of connecting into instant payment systems enabling their inclusivity. Rather than have to buy or build costly core banking or payment orchestration systems, they can now own their own infrastructure with no license costs and only bear the costs of extending the system and supporting and maintaining it via upgrades and regular collaboration back with upstream DPG community. 

Via this ecosystem approach, there isn’t concentration of payment volume or dependency upon a single provider or just the largest fintechs or banks or telcos but rather a diverse ecosystem of wallet providers that have the capability to reach the last mile. 

 

Furthermore the Ecosystem approach that Mifos takes, exemplifies and advocates for local service providers as part of capacity building efforts aligned to DPI. Meaning that long-term sustainable models can be built to support DPI using local service providers.

O9. Build and Share Open Assets

DPI should share and reuse open protocols, specifications, digital public goods (DPGs), and the associated knowledge. This enhances flexibility and assures that proprietary systems do not limit the ability to improve safety and inclusion

Mifos had direct involvement with 4 of the 7 DPGs as part of the Financial Inclusion Community of Practice that were evaluated and selected by the Digital Public Goods Alliance for their ability to catalyze financial inclusion at scale. Mifos is the steward of two DPGs – Mifos X and Payment Hub EE and helped to launch both Apache Fineract and OpenG2P. We use the permissive Mozilla Public License 2.0 which enables widespread adoption but also encourages contribution back to the core to enable that virtuous cycle of upstream contribution. We have an active ecosystem of Mifos partners serving as system integration and solution partners both supporting implementation as well as building new solutions. 

This DPG-led approach of building and sharing open assets allows a range of financial services to be built – providing both the connective tissue amongst the digital ecosystem as well as the DNA of financial services to allow governments and private sector to build any type of inclusive financial service.

The power of re-use of open assets was on full display when Financiera para El Bienestar (Finabien) was chosen as the 2025 recipient of the Future of Government Award for Open Source Re-Use for its usage of Mifos X as part of their DPI solution in Mexico.

Star Contributor of the Month – Yu Wati NyiStar Contributor of the Month – Krishna Mewara