
Mobile Banking : Win-Win for All?
The formalization of guidelines for mobile banking by RBI will drive more action, but loopholes need to be plugged
Shipra Malhotra
Monday, November 10, 2008

If there is one big lesson from the recent financial crisis that hit the US economy, it would have to be regulation. It is no secret that the lack of it fuelled the sub-prime debacle. RBI's guidelines for mobile banking transactions, released in October 2008, have come at a time when the financial sector can do with some caution and control.

Guidelines should now formally allow banks to offer secure mobile banking services. Sanjay Swamy, CEO, mChek Payment Systems, expects the formalization of the guidelines to drive more action and activity. The guidelines will help instill greater confidence in customers regarding mobile banking transactions. Until recently, most banks focused on balance alerts and transaction alerts in the name of mobile banking. Abhishek Sinha, CEO, Eko, points out that banks can now look at the mobile as a low-cost and efficient alternate channel to access your account for money transfer, utilities, bill payments and premium payments.

Telcos Left in the Lurch
According to Sinha, the guidelines allow only bank-led models and therefore telecoms will not be able to play a lead role as they wanted to, limiting telecom operators to being just a channel of communication.

Telecom operators rework models like M-Pesa, G-cash. "Guidelines insist on interoperability, and the mobile payment companies can play a greater role in managing relationships between the banks and various telecom operators to ensure this," adds Sinha.

However, Probir Roy, CEO of PayMate, holds the opinion that the guidelines are a win-win for the various stakeholders in the value chain.

Checking the Guidelines
Operative Guidelines
  • Transaction limit as daily cap of Rs 5,000 per customer for funds transfer and Rs 10,000 per customer for transactions involving purchase of goods/services
  • Banks may put in place a monthly transaction limit depending on the bank's risk perception of the customer
  • Authentication Guidelines
  • One-time approval of the RBI; approval of the bank's Board of Directors
  • Document-based registration with mandatory physical presence of the customers
  • Allowing only Indian Rupee based domestic services with strict prohibition on cross-border inward and outward transfers
  • Only banks, that are licensed and supervised in India, and have a physical presence in the country will be permitted to offer mobile banking services
  • Banks that have implemented core banking solutions would be permitted to provide mobile banking services
  • Services shall also be restricted only to customers of banks and/or holders of debit/credit cards issued as per the RBI guidelines

Interoperability Guidelines

  • Banks must ensure services to customers irrespective of the network operator they have subscribed to. The leeway is limited to a maximum period of six months
  • To enable real time fund transfer guidelines stipulate that banks adopt message formats like ISO 8583, with suitable modification to address specific needs

Security Guidelines

  • All mobile banking shall be permitted only by validation through a two factor authentication
  • One of the factors of authentication shall be mPIN or any higher standard
  • End-to-end encryption of the mPIN is desirable where mPIN is used
  • Mobile banking facilities that do not contain the phone number as identity require a separate login ID and password to ensure proper authentication
  • It is necessary that the mobile banking servers at the bank's end or at the mobile banking service provider's end be certified by an accredited external agency
  • There must be appropriate level of encryption and security at all stages of the transaction processing with an endeavor to ensure end-to-end encryption of the mobile banking transaction
  • Banking regulations require implementation of application level encryption over network and transport layer encryption wherever possible
  • Establish proper firewalls, IDS, data file and system integrity checking, surveillance and incident response procedures and containment procedures; implementing physical security measures, conducting periodic risk management analysis, regular audits on the mobile banking systems, etc.

Loopholes Glaring
While the guidelines issued by RBI are comprehensive and considered a satisfactory beginning, experts have identified some loopholes that will require plugging. For one, the approvals (RBI and Board) required for such projects may slow down the process, even though these are just one-time approvals.

Physical Verification:
Secondly, mandatory physical presence of the customer for registration may affect the uptake amongst not only the banked but also the unbanked segment. One of the arguments against this is the fact that physical verification is done separately for opening a bank account and getting a mobile phone connection, both of which are part of the mobile banking system. Sinha opines that remote registration for the service should be accepted. Banks and telecoms should be allowed to share and use the KYC documents collected from the customer once.

However, both Swamy and Roy are in favor of the physical verification requirement. Roy agrees that while there are practicality and logistics issues, KYC is important. "While many believe that this could slow down the adoption process, we believe that this will help build stronger customer confidence and lower support costs as customers get trained on the start of this service. From a long-term view this will be very beneficial to the industry as it grows," says Swamy.

Transaction Limits:
The central bank has already upped the transaction limits from its earlier draft guidelines: RBI increased the daily transaction limit for cash transactions from Rs 2,500 to Rs 5,000, and the daily transaction limit for goods and services from Rs 5,000 to Rs 10,000. The maximum cap has been an area of contention, with some insisting that the existing limits are too low.

One school of thought asks why the rules should be any different from those for internet-based transactions. Intuitively it is a remote channel, no different from the internet, rather significantly more secure than the internet, as Swamy points out.

Over time, Swamy expects that the limits will stabilize around Rs 25,000, closer to a daily withdrawal limit on your debit card. Roy feels that the caps should be in line with cc/dc and/or ATM, preferably the former. Further, the bank should be able to decide limits for its customers.

Interoperability:
Interoperability is critical for mass adoption and for scaling the market exponentially. However, the time frame of six months can be a limiting factor. Dynamics between the banks and telecoms will become clear with time. There are certain apprehensions that banks may become dependent on telecom operators, which may slow down the process. Also, if the telecom operator sees a greater role than just being the bearer of information, then it may be easier to provide interoperability, adds Sinha.

Further, interoperability depends on the technology used. SMS-based services are operator agnostic, whereas there is much more dependence on the operator in SIM-based applications. Telecom regulations will also have an impact.

End-to-end Encryption:
The draft guidelines insisted on end-to-end encryption, but this clause has been relaxed in the final guidelines. According to Roy, there is also a lack of clarity on what end-to-end encryption means: whether it means device level to device level across all layers of security, i.e., data, network, transport, device/end point. Then there has to be availability of such technology which allows this to be done universally. "I don't think encryption is a mode of security relevant to India at this stage of its growth with dependency on entry level handsets and use of mobile for small value transactions," he adds.

Encryption as such has not eliminated security risk for the Internet or e-commerce. Technically speaking the CDMA network is theoretically best configured for authentication and encryption vide their E-CMEA sub system. This allows from keypad level (device) to voice, data, messaging to be secure over the signaling system.

All said and done, end-to-end encryption is not the only way to secure the mPIN and the transaction. Also, with the limits and other security processes in place, the risk of misuse or exploitation of the channel is considerably reduced. Further, most banks will insist on end-to-end encryption to be mandatory and not desirable.

Customer protection is the fundamental base of the guidelines, and confidence will come with use.

Shipra Malhotra
shipram@cybermedia.co.in
