50700562 mobile banking


Upload: adilsyed

Post on 26-Nov-2014


MOBILE BANKING :

Impact of Mobile Technologies on BANKING WORK

RESEARCH METHODOLOGY:

RESEARCH DESIGN : DESCRIPTIVE

TYPE OF STUDY : SAMPLE UNIT

SAMPLING METHOD : TWO STAGE SAMPLING AND LATER ON APPLYING RANDOM SAMPLING.

SAMPLE SIZE : 100

TOOLS FOR DATA COLLECTION : QUESTIONNAIRE

METHOD FOR DATA COLLECTION : FIELD SURVEY METHOD BY PERSONAL INTERVIEW


FINDINGS   :-

Most investors are eager about m-banking.

Investors mostly prefer investing on a monthly basis.

Most investors prefer security in mobile banking.

In the current scenario, banking is fast and advanced.


TABLE OF CONTENTS

1. INTRODUCTION

2. MOBILE SERVICES IN INDIA

3. RULES AND REGULATION

4. M-BANKING SYSTEM

5. GETTING STARTED

6. M-BANKING AND WORLD

7. M-BANKING RISK AND SECURITY

8. SCOPE OF M-BANKING

9. CONCLUSION


1. INTRODUCTION


MOBILE BANKING

The cell phone does it all: You can take pictures, send emails, play music and watch TV. Now, you can add banking to that list.

What is m-banking?

Mobile banking (also referred to as m-banking, phone banking, SMS banking, etc.) means conducting account transactions via a mobile phone. For banks, mobile banking has become the most promising medium of reaching out to their customers because of the ability to provide services at any time or place in the world (of course, if there is cell phone reception). That’s why news headlines weekly report about new financial institutions launching mobile banking. 

Using comprehensive mobile technology, financial institutions can offer a wide array of different services to their customers. The basic options include bill payments, balance inquiries and transfers among accounts owned by the same person. However, many banks offer more sophisticated solutions, such as getting bank statements, receiving minimum balance alerts or even performing stock trading. 

Mobile banking provides exceptional convenience for all cell phone users. There are various m-banking methods to cover different capabilities of mobile phones: text messaging, the mobile Internet, and special programs called “clients” that are downloaded to mobile devices. So even if your phone does not support Web browsing, you can still take advantage of m-banking. 


Text messaging is the most popular method of mobile banking. However, its functionality is limited to two or three services. Web browser-based solutions are more sophisticated than text messaging and provide the same range of options as online banking. M-banking clients, generally created for smartphones, are the most comprehensive systems. They provide a fabulous combination of speed and functionality.

UK: The number of mobile phone subscribers that use their phones for mobile banking transactions will exceed 150m globally by 2011, according to a new study by Juniper Research. These figures refer to additive banking which is focused on developed markets rather than transformational banking (see Note for Editors below).

The Juniper Research report determined that the mobile banking market is currently most advanced in the Far East, but that growing numbers of mobile banking services are being offered in North America and Western Europe. The developed nations of the Far East, North America and Western Europe are forecast to account for over 70% of the user base by 2011.


Mobile Banking report author Howard Wilcox gave more details: "Transactional or "push" mobile banking is being offered increasingly by banks via downloadable applications or the mobile web, complementing existing SMS messaging services for balance and simple information enquiries. Mobile banking is a key element in banks' distribution channel strategies as they compete to attract and retain customers."

The Juniper report highlighted the extra user convenience as a key benefit. The mobile phone is the device that people - especially Generation Y - will not leave home without. Mobile banking is an addition to the wide choice of applications and services that they can access through their handsets to make life easier, especially via smart phones such as the iPhone.

However the report identified several factors that will need addressing to really foster market development including financial regulations which vary from country to country, application slickness, and security. Whatever the reality of the strength of the security, it is the perception and image in the mind of the user that dictates whether they will trust the service.

The Juniper Research study provides an analysis of the trends and issues affecting this market, exploring how the mobile banking market will develop. The report provides forecasts of user take-up, user-level messaging traffic, user-level transaction volumes and gross transaction values for "Push" Mobile Banking Information Services, and "Pull" transactional banking services. The report also presents the strategies of 15 key vendors and 12 mobile banking services pioneering in this developing market.

Mobile Banking Whitepaper and further details of the study, 'Mobile Banking: Strategies, Applications and Markets 2008-2013' can be freely downloaded from the Juniper Research website.

People will be able to withdraw cash and transfer funds using their mobile phones in rural areas with the government approving the framework for introduction of such facilities by the banks.


Banks have been advised to start mobile banking in rural areas by July 31, and complete the rollout by the end of next year. "With the acceptance of the report of inter-ministerial group by the committee of secretaries banks are being advised to implement the IMG framework on priority basis to extend basic financial services to the unbanked population," said a communications ministry release today.

As you are no doubt aware, with the rapid growth in the number of mobile phone subscribers in India, the banks have been exploring the feasibility of using mobile phones as an alternative channel of delivery of banking services. A few banks have also started offering, through the mobile phone, information-based services like balance enquiry, stop-payment instruction of cheques, record of last five transactions, etc. Considering that the use of this technology for the banking services is relatively new and calls for appropriate safeguards to ensure security of financial transactions, the Reserve Bank has formulated the ‘Draft Operating Guidelines for Mobile Payments in India', through a consultative process and placed them on the RBI’s website in June 2008 for public comments. It is expected that the guidelines, when operationalised, would help strengthen the operating environment for mobile banking in the country.

Mobile banking, also known as m-banking, includes balance checks, account transactions, payments, balance inquiries, mini statements, cheque book requests, bill payment, mobile top-up, DTH and electricity bill payment, and insurance premium payment.

Mobile banking refers to the provision and availment of banking and financial services with the help of a mobile phone. It can offer services such as the following:

Account Information

· Mini-statements and checking of account history

· Alerts on account activity or passing of set thresholds

· Monitoring of term deposits

· Access to loan statements

· Access to card statements

· Mutual funds / equity statements

· Insurance policy management

· Pension plan management

· Status on cheque, stop payment on cheque

· Ordering check books

· Balance checking in the account

· Recent transactions

· Due date of payment (functionality for stop, change and deleting of payments)

· PIN provision, change of PIN and reminder over the Internet

· Blocking of (lost, stolen) cards

Payments, Deposits, Withdrawals, and Transfers

· Domestic and international fund transfers

· Micro-payment handling

· Mobile recharging

· Commercial payment processing

· Bill payment processing

· Peer to Peer payments

· Withdrawal at banking agent

· Deposit at banking agent

Thus, as we see above, mobile banking will definitely become a giant service and will definitely overshadow the traditional banking process. It has already started: old banking players like

1. SBI

2. Baroda Bank

3. Indian Bank

and many others have also come out with mobile banking.


Digital wallets will subsume paper money in 30 years: Sam Pitroda (Interview) Wednesday, September 08, 2010

 With some five billion mobile phones in use today globally and over 10 billion credit and debit cards issued each year, tech evangelist Sam Pitroda has predicted the virtual death of paper money in 30 years thanks to innovative convergence.

"Paper money will disappear as transactions become digitised in another three decades," said the inventor of Casio Digital Diary, which was a rage in the 1980s, speaking about his latest innovation -- the "digital wallet" that uses the concept of "mobile money".

"Today all your credit, debit cards are put in an envelope and sent to you. In the future, your plastic cards will be digital and sent to your new address -- your mobile phone," Pitroda said at the well-attended launch function.

"If you can make your home and office paperless, why not banks, trade and your wallet? All transactions will be online in the future," Pitroda told IANS in an interview on his invention, now explained in the book: "The March of Mobile Money: The Future of Lifestyle Management".

"Every mobile telephony service provider will embrace it. With declining average revenue per user, digital wallet could lure more subscribers who would pay more for the services offered," he said.

"It is completely foolproof."

Pitroda's book covers the evolution of the mobile phone in India, which is fast becoming a lifestyle emblem in the country, its emerging links with banking and the concept of money, to make eventual, but certain, room for what he calls the "mobile wallet".


"The mobile revolution is like a big train coming. India will have a billion connected people in 10 years and everything, including health, education and social service, will have to be done through mobile telephony," he said.

India has over 650 million mobile phone connections, just behind China's 795 million.

"The mobile service provider or networks will become the management platforms. Nobody is thinking about it -- but you cannot conduct your life the way you are doing it now. The cell phone has made India younger, mobile and connected."

First, he says, the mobile telephony blitz will deal with uploading of content in areas such as education and health, with handset storing health data, doctor's address, phone numbers, drug schedules, lab test reports and even a list of regular chemists.

The mobile phone will also be a boon for the education sector, and in a decade's time, students will be able to solve math, trigonometry and answer their examination on their cell phones. The concept is currently under trial across four states in the US, he said.

Pitroda then presented a live demonstration of the services provided by his personal digital wallet -- a sleek black blackberry with a rather large display screen -- to explain the premise on which the technology of "digital wallet" operated.

His mobile phone has four icons in the money menu -- for wallet, bank, my-commerce and my-city, which lists information about Delhi, where he is now. The wallet contains an electronic imprint of his plastic cards and bonuses collected on it.

He said if he were to go out for lunch and decided to split the bill with the host, all that was needed was to send two messages -- one from his phone to the host and another to his bank to transfer the money to the host's account.

Similarly, if he wished to buy a pair of jeans, all that he needed to do was to go to the payments icon on his phone, and the magnetic stripe of the card will automatically be swiped and money transferred to the merchant.


"If, for example, I go to WalMart, the payments screen can even fish out my WalMart discount card and offer me fresh discounts on my cell phone. You could have up to 50,000 coupons stored in your mobile telephone."

But why the book?

"Several people, especially in India, have been inquiring about the security of digital wallets, the mechanism and its feasibility. It was not possible to explain to everyone. Hence, I thought let us write about the digital wallet and mobile money," he said.

"It is an effort to educate the average consumer on how banks started digitising their systems and connected to our mobile phones -- changing the nature of money transaction in a layman's language," Pitroda said of the book, co-authored by Mehul Desai.

According to him, there were three fundamental requirements to make banking, e-commerce and eventually the complete lifestyle management of an individual and his family over mobile phones a reality.

"Phones have to be smarter with bigger colour displays. They must be equipped with the underlying network infrastructure to connect to the Internet. And they must be able to download cards, tokens and applications directly from issuers - anywhere any time."

He said phones also have to be simple with interfaces that mock the traditional wallet, including branding and familiar images of cards, coupons and bills, to provide consumers a single platform to conduct a host of transactions in the virtual world.

The telecom and tech whiz, who is advisor to Prime Minister Manmohan Singh on public information, infrastructure and innovation and chairs the National Innovation Council.

1.2 BANKING IN INDIA

Banking in India is still in a traditional mode: go to the bank, fill up the challan and get a receipt. It is quite manual and simple, but changes are coming very fast.

Banking in India originated in the last decades of the 18th century. The first banks were The General Bank of India which started in 1786, and the Bank of Hindustan, both of which are now defunct. The oldest bank in existence in India is the State Bank of India, which originated in the Bank of Calcutta in June 1806, which almost immediately became the Bank of Bengal. This was one of the three presidency banks, the other two being the Bank of Bombay and the Bank of Madras, all three of which were established under charters from the British East India Company. For many years the Presidency banks acted as quasi-central banks, as did their successors. The three banks merged in 1921 to form the Imperial Bank of India, which, upon India's independence, became the State Bank of India.

Indian merchants in Calcutta established the Union Bank in 1839, but it failed in 1848 as a consequence of the economic crisis of 1848-49. The Allahabad Bank, established in 1865 and still functioning today, is the oldest Joint Stock bank in India. It was not the first though. That honor belongs to the Bank of Upper India, which was established in 1863, and which survived until 1913, when it failed, with some of its assets and liabilities being transferred to the Alliance Bank of Simla.

When the American Civil War stopped the supply of cotton to Lancashire from the Confederate States, promoters opened banks to finance trading in Indian cotton. With large exposure to speculative ventures, most of the banks opened in India during that period failed. The depositors lost money and lost interest in keeping deposits with banks. Subsequently, banking in India remained the exclusive domain of Europeans for next several decades until the beginning of the 20th century.

Foreign banks too started to arrive, particularly in Calcutta, in the 1860s. The Comptoire opened a branch in Calcutta in 1860, and another in Bombay in 1862; branches in Madras and Pondichery, then a French colony, followed. HSBC established itself in Bengal in 1869. Calcutta was the most active trading port in India, mainly due to the trade of the British Empire, and so became a banking center.

The partition of India in 1947 adversely impacted the economies of Punjab and West Bengal, paralyzing banking activities for months. India's independence marked the end of a regime of the Laissez-faire for the Indian banking. The Government of India initiated measures to play an active role in the economic life of the nation, and the Industrial Policy Resolution adopted by the government in 1948 envisaged a mixed economy. This resulted into greater involvement of the state in different segments of the economy including banking and finance. The major steps to regulate banking included:

· In 1948, the Reserve Bank of India, India's central banking authority, was nationalized, and it became an institution owned by the Government of India.

· In 1949, the Banking Regulation Act was enacted which empowered the Reserve Bank of India (RBI) "to regulate, control, and inspect the banks in India."

· The Banking Regulation Act also provided that no new bank or branch of an existing bank could be opened without a license from the RBI, and no two banks could have common directors.

However, despite these provisions, control and regulations, banks in India except the State Bank of India, continued to be owned and operated by private persons. This changed with the nationalisation of major banks in India on 19 July 1969.

Nationalization

By the 1960s, the Indian banking industry had become an important tool to facilitate the development of the Indian economy. At the same time, it had emerged as a large employer, and a debate had ensued about the possibility to nationalise the banking industry. Indira Gandhi, the then Prime Minister of India, expressed the intention of the GOI in the annual conference of the All India Congress Meeting in a paper entitled "Stray thoughts on Bank Nationalisation." The paper was received with positive enthusiasm. Thereafter, her move was swift and sudden, and the GOI issued an ordinance and nationalised the 14 largest commercial banks with effect from the midnight of July 19, 1969. Jayaprakash Narayan, a national leader of India, described the step as a "masterstroke of political sagacity." Within two weeks of the issue of the ordinance, the Parliament passed the Banking Companies (Acquisition and Transfer of Undertaking) Bill, and it received the presidential approval on 9 August 1969.

A second dose of nationalization of 6 more commercial banks followed in 1980. The stated reason for the nationalization was to give the government more control of credit delivery. With the second dose of nationalization, the GOI controlled around 91% of the banking business of India. Later on, in the year 1993, the government merged New Bank of India with Punjab National Bank. It was the only merger between nationalized banks and resulted in the reduction of the number of nationalized banks from 20 to 19. After this, until the 1990s, the nationalized banks grew at a pace of around 4%, closer to the average growth rate of the Indian economy.

The nationalized banks were credited by some, including Home minister P. Chidambaram, to have helped the Indian economy withstand the global financial crisis of 2007-2009.

1.3 Evolution of Payment System in India

            The history of the payment system can be said to be virtually co-terminus with the evolution of money. The earliest form of payment system could perhaps be traced back to the pre-historic days of barter trade when the settlement of consideration took place through exchange of conch shells, goods, cattle and later commodities. Such a system, in the absence of money as a medium of exchange, was obviously very cumbersome due to highly improbable ‘coincidence of wants’ of the two parties to a barter transaction.  Subsequently, more formalised payment instruments, such as coins, developed. The earliest payment instruments known to have been used in India were coins, which were either punch-marked or cast in silver and copper; even leather is known to have been used for making coins. Thus, with the advent of institutionalised forms of money, initially in the form of coins and later as paper money, the barter trade withered away and the usage of currency became the order of the day.

Paper money, in the modern sense, has its origin in India in the late 18th century with the note issues of private banks as well as semi-government banks. Amongst the earliest issues were those by the Bank of Hindoostan, which was the first joint stock bank established in 1770, the General Bank in Bengal and Behar, and the Bengal Bank. Later, with the establishment of three Presidency Banks since 1809, the work of issuing notes was taken over by them and each Presidency Bank had the right to issue notes within certain limits. The private banks and the Presidency Banks introduced other payment instruments in the Indian money market and cheques were introduced by the Bank of Hindoostan. Buying and selling bills of exchange became one of the items of business to be conducted by the Bank of Bengal from 1839. The Paper Currency Act of 1861 conferred upon the Government of India the monopoly of Note Issue, thus, bringing to an end the note issues of private and Presidency Banks. In 1881, the Negotiable Instruments Act (NI Act) was enacted, formalising the usage and characteristics of instruments like the cheque, the bill of exchange and promissory note. The NI Act provided a legal framework for non-cash, paper payment instruments in India and continues to be an operative legislation even today.

            While the modern cheques came into being in India only in the 19th century, it is noteworthy that India had pioneered the use of non-cash based payment systems long ago, which established themselves as strong mechanism for the conduct of trade and business. The most important form of credit instrument that evolved in India was termed as ‘Hundis’ and their use was reportedly known since the twelfth century. Hundis were used as instruments of remittance, credit and trade transactions, and were of various types, each type with its own unique features. However, with the steady rise in volumes of trade and commerce and the growing confidence of the public in the usage of cheques, etc., there was also rapid growth in the payment transactions using these instruments. With the development of the banking system and higher volume of cheques used, the need for an organised cheque clearing process emerged amongst the banks. Clearing associations were formed by the banks in the Presidency towns and the final settlement between member banks was effected by means of cheques drawn upon the Presidency Banks. With the setting up of the Imperial Bank in 1921, settlement was done through cheques drawn on that bank. After the establishment of the RBI in 1935, the Clearing Houses in the Presidency towns were taken over by the RBI, and continued with it for more than five decades.


1.4 Objectives of the Payment System

            As some of you might recollect, a monograph on Payment Systems in India was prepared by the RBI in 1998 to increase the awareness, both within the country and abroad, of the payment systems existing in India. The monograph also detailed the objectives that needed to be achieved. To that end, a Payment System Vision Document for 2001-04 was prepared to draw up the roadmap for consolidation, development and integration of payment systems in the country. Once these objectives were achieved, a Vision Document for 2005–08 was published in May 2005, articulating the Reserve Bank’s vision for the coming four years for the payment and settlement area. The mission enshrined in the Vision Document is the establishment of safe, secure, sound and efficient payment and settlement systems for the country, towards which all the upgradation efforts are focused. Whereas safety in payment and settlement systems relates to risk reduction measures, security pertains to confidence in the integrity of the payment systems. All payment systems are envisaged to be on sound footing with adequate legal backing for operational procedures and transparency norms. Efficiency enhancements are envisaged by leveraging the benefits of technology for cost-effective solutions. Thus, as part of its public policy objectives, the Reserve Bank has played a major role in the design, development and functioning of payment and settlement systems, and the multi-dimensional efforts of the RBI over the years have been geared to realize this


2. MOBILE SERVICES IN INDIA

The Indian telecommunication industry, with about 688 million mobile phone connections as of August 2010, is the third largest telecommunication network in the world and the second largest in terms of number of wireless connections. The Indian telecom industry is one of the fastest growing in the world, and it is projected that India will have 'billion plus' mobile users by 2015. Projection by several leading global consultancies is that India’s telecom network will overtake China’s in the next 10 years. For the past decade or so, telecommunication activities have gained momentum in India. Efforts have been made from both governmental and non-governmental platforms to enhance the infrastructure. The idea is to help modern telecommunication technologies to serve all segments of India’s culturally diverse society, and to transform it into a country of technologically aware people.

India has become one of the fastest-growing mobile markets in the world. The mobile services were commercially launched in August 1995 in India. In the initial was 16 million, followed by 22 million in 2004, 32 million in 2005 and 65 million in 2006. As of January 2009, total mobile phone subscribers numbered 362 million, having added 15 million that month alone. India ranks second in mobile phone usage to China, with 506 million users as of November 2009.

Telephony Subscribers (Wireless and Landline): 688.38 million (August 2010)

Cell phones: 652.42 million (August 2010)

Fixed Lines: 35.96 million (August 2010)

Broad Band Subscription: 9.77 million (August 2010)

Monthly Cellphone Addition: 16.92 million (August 2010)

Teledensity: 58.17% (August 2010)

Projected teledensity: 1 billion, 84% of population by 2012.

3. RULES AND REGULATIONS


3.1 Business Rules Governing Mobile Banking Services:

· The Mobile Banking Service will be available to all the customers having a satisfactory running account (Current/ Savings). The customers will have to register for the services.

· Daily transaction limits for fund transfer/ bill/ merchant payment is Rs.50,000/- per customer with an overall calendar month limit of Rs.2,50,000.00

· The service will be carrier-agnostic i.e. all customers can avail the mobile banking service with the Bank irrespective of the service provider for their mobiles.

· The service is free of charge. However, the cost of SMS / GPRS connectivity will have to be borne by the customer.

The Reserve Bank of India (RBI)

RBI has taken progressive steps to accelerate the rollout and adoption of mobile banking services. The mobile phone represents a ubiquitous, low-cost and secure platform - and in a country where less than 20% of the population has an active bank account, the RBI was one of the first to recognize an opportunity to leverage the mobile platform. The m-banking guidelines - covering m-banking, money transfer, m-payments and m-commerce - were introduced in October 2008. Based on initial results in the first 12 months, the RBI has been quick to amend the guidelines to further the uptake.

The new guidelines have three major points:

1. Transaction limit: Banks are now permitted to offer this service to their customers subject to a daily cap of Rs 50,000 per customer for both funds transfer and transactions involving purchase of goods and services.

2. Technology and security standard: Transactions up to Rs 1,000 can be facilitated by banks without end-to-end encryption. The risk aspects involved in such transactions may be addressed by the banks through adequate security measures.

3. Provide fund transfer services that facilitate transfer of funds from the accounts of their customers for delivery in cash to the recipients. The disbursal of funds to recipients of such services can be facilitated at ATMs or through an agent appointed by the bank as business correspondent.


4. M-BANKING SYSTEM


Mobile banking basically works two ways--either through the Web browser on your phone or special software that you download.

The browser-based service is a simplified version of the online site that fits within a cell phone and PDA screen. Any customer who has Internet access on their cell phone can log on to their accounts by typing the bank's URL -- bofa.mobi or wachovia.mobi -- into their mobile browser.


4.1 Two general models:

1. Direct credit from bank accounts to customer’s M-Wallet

– Occurs through a bank or overseas money transfer office

2. Originator uses mobile network to initiate transfer

– Originator must have funds in the account (transferred from bank account or paid in cash to mobile network company agent)

International and domestic

4.2 SBI’S M-BANKING MODEL

SBI Freedom – Your Mobile Your Bank

Away from home, bills can be paid or money sent to the loved ones or balance enquiries done anytime 24x7!!! That is what SBI FreedoM offers - convenience, simple, secure, anytime and anywhere banking.

The service is presently available on Java-enabled mobile phones over SMS/GPRS/WAP, as also on non-Java phones with a GPRS connection. The service can be availed over the free GPRS facilities offered by various mobile service providers. The services for other non-Java mobile phones are under development and will be offered using Unstructured Supplementary Services Data (USSD).

The following functionalities will be provided in the Phase I:

· Funds transfer (within and outside the bank –using NEFT)

· Enquiry services (Balance enquiry/ Mini statement)

· Request services (cheque book request)

· Bill Payment (Utility bills, credit cards)

· M Commerce (Mobile Top Up, Recharge of Tatasky/ Other DTHs, Merchant payment, SBI life insurance premium)

5. GETTING STARTED


Getting started

To avail of these services, you need to download (specimen is provided below) the mobile banking application from your bank’s website on to your cell phone, and get registered for this facility. Generally, any Java enabled cell phone model (cost starting at Rs 3,000) would be able to support this application.

You would require a GPRS mobile Internet connection (which your cellular operator will make available on request) to transact through this channel. This facility is meant to be operator-agnostic, meaning, that it should be available across cellular operators.

However, you would do well to check the list of telecom service providers through whom your bank is offering this service currently. Some banks also offer m-banking on the sms platform.

While the bank will not levy charges for offering this service, you may have to pay some charges — for use of GPRS/SMS — as specified by your cellular operator. However, some banks could levy nominal charges if you are using your debit or credit card for the purpose.

Also, one needs to remember that if you do not use these services for six months, they could be deactivated, necessitating fresh registration.

The best part is, you don't have to enter your account number when you use Mobile Banking. Once your wireless phone is registered, you can bank easily and securely from anywhere you use your mobile phone: you send us a text message command to our universal short code 455555, and we text you back with the information you want. Here's an example:

Text "BAL" to Mobile Banking at 455555

You'll get a text message back with the balance from three of your checking, savings, or money market account(s).

Application form for m-banking (ICICI Bank)

Application for INTERNET banking and M-banking

(All fields with * are mandatory to be filled.)

Name of the applicant: Mr./Ms./Mrs. ___________________ (Surname *) _______________________ (First Name *) _______________ (Middle Name *)

Mailing address: Address *: ____________________

City *: ____________________ Pin Code *:

Email Address *: ____________________ @_______________ Phone No.: _____________________

MOBILE No.: ________________________ Mother's Maiden Name *: ____________________

Date of birth *: _______/ _______/ ______ (dd mm yy)

Instructions

I) In case of joint accounts, the applicant is required to obtain the attached mandate from the joint account holder(s).

II) ICICI Bank accountholders can access their bank accounts through ICICI Bank Internet banking only where the mode of operation of ICICI Bank account is Single/Either or Survivor/Anyone or Survivor.

CHALLENGES

The world’s second most populous country, India, is the apple of the world's eye now. The world economies see it as their potential market. This has been going on for quite some time now, ever since the 1991 reforms of liberalization, globalization and privatization. Indian markets in urban areas have grown appreciably and are on the verge of saturation, so corporates have started tapping rural markets, since more than 60 per cent of India’s population lives in rural areas.

During this global meltdown and fall of exports, if the Fast Moving Consumer Goods (FMCG) sector has been able to show rising quarterly growth, it is because of the rural markets and their rising spending power, which have not been affected by this meltdown. The strategy followed by rural marketers in the FMCG sector is to sell many small sachets, such as Rs. 2 shampoo pouches, Rs. 5 Maggi packs and the Rs. 5 chota Pepsi, because here the strength lies in volume sales, considering the large consumer base in these rural markets, which won’t spend all at once on large family packs of 500 ml shampoo, super saver packs of Maggi or a 2-litre Pepsi PET bottle.

 

Therefore, consumption trends followed by the rural Indian are considered to be the driver of future growth of companies. And this trend of tapping rural markets is visible across all sectors now, be it FMCG, IT, banking, education etc. For example, today, India is in a better state than China because our GDP is less dependent on exports as compared to them, where maximum revenues come from exporting to the European and US markets. Thus, tapping the rural markets is most important for us to be a self-sustaining economy.

India has been considerably shielded from the global recession. Firstly, we are not very dependent on exports for our GDP and have a good consumer base in India. Secondly, we are a saving-prone economy, unlike western economies, which are consumption-prone. Thirdly, when banks across the world are falling like a pyramid of playing cards, we are safe, steady and strong, with our banks having acted as a strong backbone of our economy during the present turmoil. And just like the FMCG sector, there is tremendous growth potential in the banking sector, because firstly, the rural masses have the habit of saving and spending only when needed. Secondly, they have small credit requirements for agriculture, cottage industry, marriages etc.

According to research carried out by the Reserve Bank of India (RBI), on an all-India basis, 59 per cent of the adult population in the country has bank accounts and 41 per cent don’t. In rural areas, the coverage of banks is 39 per cent, against 60 per cent in urban areas. There is only one bank for a population of 13000.

Tapping the rural market by banks becomes all the more important, not only for the banking sector, but for all other industrial sectors as well. If there is growth in the banking sector, it benefits the other sectors as well. By this, it is meant that in this sector, the trickle-down theory of economic growth or top-down approach works, if we keep the banks at the apex in India Inc. The reason is that, as banks promote savings in the economy, they speed up capital formation and then become the source of finance of trade and credit for the industry. Then they provide credit to enable entrepreneurs in their ventures, which promotes production and employment. This production and employment generates income and consumption and supply and demand, by increasing the spending power of people. The sum total of all these reduces poverty and leads to better lifestyles.

But the problem is that banks have not been able to reach a vast majority of the rural population; the rural poor have limited access to organized, affordable and transparent financial services such as savings, loans, remittances and insurance services etc. It is important for them to have access to banking services, especially credit and insurance, to enlarge livelihood opportunities and to empower themselves to take charge of their lives.

The unorganized sector of lending is believed to be acting as a problem to the growth impetus in these sectors. In several villages, farmers still go to traditional money lenders like zamindars for meager sums of a few hundred or thousand rupees and get into a debt trap for their whole lives. The results are farmer suicides, bonded labor, Naxalism, and political and social unrest, on top of poor financial management which, had it been done smartly, would have helped their own economic growth and that of the economy.

Project Financial Literacy of the RBI is one such initiative with a dual purpose: first, financial inclusion of the rural poor, and second, tapping the growth potential in rural markets by volume growth for banks through edutainment (education + entertainment). Its objective is to disseminate information about the central bank and general banking concepts to various target groups like children, women, self help groups etc., using development communication and increasing the habit of saving among the rural poor. Because if in an economy, saving is more than 30% for 7 consecutive years, the GDP doubles, and India can’t ignore the rural sector to increase our savings.

Mobile banking (m-banking) in India, viewed by the government as a potent tool for financial inclusion, is yet to clear many hurdles before it can fulfil its objective of reaching the unbanked masses. Primarily so, say analysts, since the mobile density in tier II and III cities is 11 per cent and 10 per cent respectively.

Improved rural banking under the umbrella of the RBI by means of mobile banking, self help groups and microfinance institutions is important. The effective use of development communication, using Information and Communication Technology (ICT), will help to create awareness for financial inclusion through banks and make it a success.

  Here, it is important to use technology as an enabler via mobile banking, because large numbers of Indians are using mobile phones. Using mobile phones for banking operations will cut costs by branchless banking, as there is no need for physical infrastructure and human resources, which is a problem in rural areas and a major constraint in carrying out banking operations. It will also make it convenient, safe, reliable and transparent.

With the above initiatives and reaching out to women, self help groups, and microfinance institutions, the banks will not only be able to reach out to half of the population of India, that is women, but as these changes expand access to financial services for the low income segment and rural masses, the effects can be measured in many ways, not just in the volume of GDP growth, but in new jobs and income generation, greater personal safety for women, better education for their children, timelier health care for themselves and their empowerment.

Thus, the future development of India and the growth of India Inc. lie in financial inclusion, by tapping the rural markets through banks. This will not only help corporates in fulfilling their social responsibilities, but is important for fuelling growth in other industries and to keep the economy growing and moving. Truly, there are fortunes at the bottom of the pyramid.

  In India, one of the largest microfinance companies (SKS Microfinance) has only about 15 per cent of rural borrowers with mobile phones. If this is any indication, it will take some time for m-banking to reach to the unbanked. However, there are several initiatives being taken by governments, service providers, and the like, to enhance the offering and extend its reach. A case in point could be the initiative by the Government of Andhra Pradesh to enhance the reach and enrol 3 million rural citizens for m-banking services,” says Basant Shroff, associate director, Advisory Services, Ernst & Young.

Telecom companies can play their part in mass adoption if they issue a free SIM and set entry cost low, suggest analysts. But will banks cannibalise their existing transactions set-ups in which they have spent crores by using the mobile platform for extremely small ticket size transactions? they ask. RBI m-banking norms have limited the value of transaction at Rs 2,500 per transaction and Rs 5,000 per day.

Romal Shetty, executive director, Risk Advisory Services, KPMG, explains that the low average cost of transaction (Rs 2) makes up for the small-ticket size. “Besides, alternatives are expensive for the financially-excluded classes such as money orders for transfer or traditional money lenders for loans,” he notes.

Shroff adds: “Consider a customer asking for their account balance through a toll free number and compare this with the transaction costs of doing the same through m-banking, there is definitely savings in case of the latter.”

In rural India, where banks' reach is limited, other non-transaction based services such as information (account balance enquiry etc.) or authentication (one-time password for transactions) would be performed through the mobile platforms, thereby supporting other systems of banks, rather than cannibalising them. In the beginning, there will be large upfront setup costs for banks. But as transactions increase, the unit cost of transaction will start seeing a downward trend and this will make up for the other associated costs.

On the other hand, 50-60 per cent phones are entry-level phones, maximum in rural areas. GPRS or WAP supported transactions are out of question there. Vijay Balakrishnan, CMO, Obopay, says: “In such areas, SMS-based banking will be the most viable option. Only barrier for rural adoption is language.” Technology service providers are working on bringing vernacular languages into their application ambit.

Dewang Neralla, Director, atom Technologies, says: “While ensuring availability across very low-cost handsets, the issue that needs to be looked at is primarily security. Whether such handsets will be able to provide a secure communication channel is a question that needs to be addressed.”

Another deterrent is that RBI regulations require mandatory physical document based registration. In rural areas where banks are very remote and few, it could have an impact on costs and adoption. Concludes an optimistic Shetty: “With an expected 200 million rural connections by 2012, up from about 90 million currently, the opportunity of 110 million potential depositors is high. Around 25 per cent of Indian households are working with informal banking mechanisms. M-banking has placed this segment in the banking sector’s radar as a means of growth.”

Speaking at CII's 'Banking TECH Summit 2010', SBI Chairman O P Bhatt said, "We are emphasizing on mobile banking along with some major technology projects like data warehousing in 2010."

He further said, "Tenders will be issued for the payment system gateway solutions to increase the use of technology."

SBI Chairman O P Bhatt:

65,000 villages in India, only 30,000 are covered by the commercial bank branches.

more banks, branches and services will be needed which necessitates greater penetration of IT

Mobile banking would improve and encourage banking in rural areas, said S R Rao, Additional Secretary – Information Technology, Ministry of Communications & Information Technology.

There is a huge scope for banking in rural areas as they still remain untapped and it can be possible through mobile banking.

In 2009, there were 136 million mobile subscribers in rural areas which are estimated to increase to 280 million by 2012 and 320 million by 2015. By next year the mobile subscriptions will cover India's entire rural population.

6. M-BANKING AND WORLD

M-banking is not very popular in India, but it is very popular around the world. The reason can vary from country to country. For example, in Europe people use m-banking because the level of mobile phone penetration is very high (at least 80% of consumers use a mobile phone).

In Asian countries like India, Bangladesh, China, Indonesia, Korea and the Philippines, mobile infrastructure is better than the fixed-line infrastructure. M-banking can be performed by people with moderate and low income because it does not require a PC with an Internet connection (which is not a big obstacle for people in the US and the European countries). In Latin American countries like Paraguay, Brazil, Uruguay, Venezuela, Colombia, Argentina, Guatemala and Mexico, m-banking has had great success for the same reason.

Mobile phones have become an integral part of the 21st century landscape with an expected penetration of 4.5 billion by 2011. While North America and Europe have the highest penetration rates, reaching 100% in many Western countries, South America and Asia represent the fastest growing mobile markets. The mobile phone is the one device that people carry with them at all times. Services beyond voice and text messaging are booming all over the globe and users want the same services on their mobile phone that they can get through an internet-connected PC. Mobile phones represent a cost-effective solution for bank and unbanked users,

However, similar to the US, these countries do not have separate laws concerning m-banking. This industry is typically regulated by guidelines describing the banking transactions and handling of personal financial information. For example, in India only the banks that have a physical presence may offer mobile payment services. Only Indian rupee services should be provided.

KENYA

Kenya has some mobile phone services that are years ahead of what we have right now. Eagle was at ETech to present his new startup, Txteagle, which aims to be a kind of mobile Mechanical Turk, using countless mobile phone users in Kenya and beyond to solve easy tasks and earn small amounts of money in return. There’s a good write-up in Wired News today. It’s definitely an interesting idea. But to me, the real story is how mobile phones have transformed a country like Kenya in recent years, making not only services like Txteagle possible, but also shaking up the region’s entire economic system.

Eagle spent the last few years going back and forth between Kenya and the U.S., and he witnessed this transformation firsthand. According to Eagle, local incumbent Safaricom had started a minute-sharing service for its prepaid cell phone plans a few years back. The idea was to enable users to send minutes to family members in rural areas, who weren’t otherwise able to buy prepaid phone cards. However, Kenyans quickly came up with other uses. “Lots and lots of people were using it as a surrogate for currency. You could literally pay for taxi cab rides using cell phone credit.”

Safaricom realized a huge opportunity and started a mobile payment service called M-PESA. To call M-PESA a success would be an understatement, according to Eagle. “Within about a year, (Safaricom) became the biggest bank in East Africa.” Today you can use your phone to pay for cab rides and electricity, to get money out of ATMs without owning an ATM card or even having a traditional bank account.

Eagle shared another striking example of the transformative power of mobile payments during his ETech talk. Rural communities used to have to pay a lot of money upfront in order to get a modern well capable of providing clean drinking water. Now, there are companies that install these wells for free, complete with an integrated cell phone payment system. Want some water? Just pay as you go with your M-PESA account. It has transformed the country.


SRI LANKA

DFCC Vardhana Bank (DVB) launched Vardhana MBanker, a mobile banking service to improve its customer base.

DFCC Chief Executive Officer Lakshman Silva said the new product will make banking activities even easier at the doorstep of the customers. With the use of mobile terminals, DVB banking executives will visit customers to carry out basic banking activities to provide banking inclusions to consumer.

People especially in rural areas who had been deprived of modern banking facilities will benefit through this system.

Silva said the Vardhana MBanker mobile banking service will encourage the rural business community who are not familiar with banking system to do business with the bank. There are 74 DFCC branches and service points for customer convenience.

The bank has 30 extension offices and 40 more service points will be added this year expanding the network.

Customers do not have to go to the bank. Instead bank officials will go to their houses with mobile terminals and issue receipts immediately for the transactions done.

They can deposit any amount of money without any problem and the bank has facilitated its staff with mobile vans to complete cash transport.

We want to make a revolutionary change in the banking industry by introducing innovative products and services

A subsidiary of the DFCC Bank, Synapsys Ltd, has deployed conventional technology to extend the bank's reach even further.

The Vardhana MBanker mobile banking solution involves the use of handheld mobile computer units which can be used at any remote location via standard communications technology such as GPRS and 3G.

The DFCC Bank Dambulla Branch officials visited customers in the area launching this product yesterday.

Courtesy: DailyNews SRILANKA

Mobile Banking Overtakes Telephone Banking in the UK and USA

Surpassing both branch and telephone banking in terms of popularity, a survey has found that 25 percent of U.S. mobile phone users and 37 percent of U.K. mobile phone users have adopted mobile banking services. When asked which banking method users preferred, respondents found mobile banking more convenient and easier to use than telephone banking (voice and touchtone) by a margin of 3 to 1 in the U.S. and by a 1 percent margin in the U.K.

Conversely, when asked about branch banking, fewer respondents selected it as their favorite method of banking, with only 2 percent in the U.S. and 3 percent in the U.K. choosing it as their preferred method.

According to statistics, nearly 70% of Americans use a mobile phone, and the demographics of mobile phone users are much more diverse than that of Internet users. That’s why m-banking, or mobile banking, is so popular in the U.S. It opens up new opportunities for financial institutions interested in providing their services and attracting new customers. The research, commissioned by mBlox, revealed that the greatest benefits of mobile banking for consumers (52 percent in the U.S. and 46 percent in the U.K.) are the ability to "access banking services anywhere, at any time," as well as "convenience" and "time-saving."

"It's clear from the findings of this survey that consumer behavior is shifting to adopt the capabilities afforded by mobile banking," said Andrew Dark, CEO, mBlox. "We are seeing strong interest in the mobile sector from a wide variety of industries including transportation, retail, marketing and entertainment, which shows there is an opportunity for financial services to benefit from this increasingly popular channel."

The research also identified the services consumers are most interested in using on their mobile phones. In both countries, respondents rated as their top four services: daily balance notifications; suspicious activity notifications; fraud alert notifications; and low balance, overdraft, and credit limit notifications. U.S. respondents also cited as a key service the ability to transfer funds between accounts, while U.K. respondents favored the ability to view statements and transaction history.

"Consumers today want real-time, round-the-clock access to their finances and are demanding a higher level of convenience for managing such information," said Soren Bested, Managing Director of Monitise Americas, an mBlox partner providing mobile banking and payment services to North American financial institutions. "It's no surprise that the 'anywhere, anytime' aspect of mobile banking was one of the greatest benefits found in the mBlox research, and we see SMS as a key ingredient in providing that convenience factor. Whether it be requesting an account balance or receiving a text alert notifying consumers of activity on their account, SMS provides a method of financial control. We're delighted to partner with mBlox to deliver high-quality, reliable, and secure mobile messaging to our customers."

The research highlighted two factors, however, that may be slowing down the growth of mobile banking services. These top two reservations were identified by respondents as "security" (33 percent in the U.S. and 49 percent in the U.K.) and "cost" (31 percent in both the U.S. and U.K.).

We understand that security will be a consumer concern with any banking service. For this reason, mBlox continues to invest significant sums in its data centers, processes and networks to ensure that it is on par with the latest financial security standards. With regards to cost, SMS is an inherently cost-effective solution for the transmission of information, with minimal or no cost to the end user. Our ability to facilitate the safety and integrity of consumer's financial information is paramount and is what sets us apart from our competitors. The industry needs to work together to educate users to the secure and cost-effective nature of mobile banking services and we at mBlox intend to lead in this respect.

Some of the largest U.S. banks (Bank of America, Citibank, Wachovia, Washington Mutual, Wells Fargo, and ING Direct) are launching mobile banking services that give you access to your accounts wherever you are.

Like regular online banking, the mobile service allows consumers to transfer funds, check balances, make bill payments, and look up branch locations from their mobile devices. Though still in its infancy, banks are hoping the mobile service will catch on with consumers. Dan Schatt, a senior analyst at Celent, says banks see it as a way to keep customers and “generate more payment revenue down the line” as people get more comfortable with using mobile devices for their finances. The more services the banks offer, the less likely you are to quit your bank entirely.

Mobile banking is an obvious extension of online banking as cell phones get more powerful and begin to mimic computers. This week's launch of Apple's eagerly awaited iPhone is intensifying the push to have cell phones and other mobile devices do everything that a home computer does.

7. Mobile Banking RISK & Security

Is mobile banking safe?

Risk

The experts are very optimistic about the future perspectives of mobile banking. They think that it will grow much faster than online banking. Carrying a cell phone is much easier than carrying a laptop! 

Mobile banking is generally considered safer than online banking. The main threats to online security, such as viruses, Trojans or other data-stealing software don't exist for cell phones. So the risk of being infected on a mobile phone is minimal in comparison with a PC.

The main type of scam that mobile banking users should avoid is called "Smishing." It is a variation of the e-mail phishing scam. Smishing occurs when a person posing as a financial institution sends a text message requesting personal information or a social security number. You will be asked either to click a website URL or to call a phone number that connects to an automated voice response system.

The smishing message usually contains information that will definitely capture your attention. For example, you will receive a notice that you have been subscribed to a paid site, and you need to click a link to cancel this subscription. Or the thieves can write that your account has been suspended and you need to reactivate it by making a call.  

The link will redirect you to a legitimate looking website where you will be asked to enter your SSN, credit card number, PIN, email address, etc. If you need to make a call, you will be connected with a legitimate sounding automated voice response system which will ask for the same pieces of information.
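The smishing indicators described above (an unfamiliar sender posing as the bank, a link or call-back number, an attention-grabbing pretext, and a request for personal information) can be checked mechanically. The following Python triage function is an added example, not part of the original report; the sender allowlist, the regular expressions, the verdict names and the sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Sender IDs the bank has published. 455555 is the short code quoted in this
# document; treating it as the only legitimate sender is an assumption.
KNOWN_BANK_SENDERS = {"455555"}

# A link, with or without a scheme.
URL_RE = re.compile(
    r"(?:https?://|www\.)\S+|\b[\w-]+\.(?:com|net|org|info|biz)\b\S*", re.I)
# A phone number the reader is told to call (group 1 is the number).
CALLBACK_RE = re.compile(
    r"\b(?:call|dial|ring)\b[^.!?]{0,40}?(\+?\d[\d\s().-]{7,}\d)", re.I)
# A request to hand over identity or account secrets.
REQUEST_RE = re.compile(
    r"\b(?:enter|confirm|verify|provide|send|reply with|update|submit)\b"
    r"[^.!?]{0,60}?\b(?:ssn|social security|pin|password|card number|cvv|"
    r"account number)\b", re.I)
# Attention-grabbing pretexts of the kind described above.
LURE_RE = re.compile(
    r"\b(?:suspended|reactivate|subscribed|subscription|cancel|locked|"
    r"deactivated)\b", re.I)


@dataclass
class Triage:
    verdict: str                                     # likely-smishing | review | low
    indicators: list = field(default_factory=list)   # which rules fired
    artifacts: list = field(default_factory=list)    # links/numbers to report


def triage_sms(sender: str, body: str) -> Triage:
    """Check one inbound SMS against the smishing indicators."""
    result = Triage(verdict="low")
    known_sender = sender.strip() in KNOWN_BANK_SENDERS
    if not known_sender:
        result.indicators.append("unknown-sender")

    url = URL_RE.search(body)
    if url:
        result.indicators.append("link")
        result.artifacts.append(url.group(0).rstrip(".,)"))
    callback = CALLBACK_RE.search(body)
    if callback:
        result.indicators.append("callback-number")
        result.artifacts.append(callback.group(1))
    if REQUEST_RE.search(body):
        result.indicators.append("asks-for-secret")
    if LURE_RE.search(body):
        result.indicators.append("urgent-pretext")

    has_channel = bool(url or callback)
    has_hook = bool({"asks-for-secret", "urgent-pretext"} & set(result.indicators))
    if not known_sender and has_channel and has_hook:
        result.verdict = "likely-smishing"
    elif "asks-for-secret" in result.indicators or has_channel or (
            has_hook and not known_sender):
        # Sender IDs can be spoofed, so a request for secrets or a
        # link/call-back is worth a second look even from a known sender.
        result.verdict = "review"
    return result


# Constructed sample messages (sender, body); none are real traffic.
SAMPLES = [
    ("+15550100", "Your bank account has been suspended. "
                  "Call 1-800-555-0199 to reactivate."),
    ("BANKALRT", "You have been subscribed to a paid site. To cancel visit "
                 "http://example.test/cancel and enter your PIN"),
    ("455555", "BAL: Checking 1,204.10 Savings 8,310.55 as of 01-02-2010"),
    ("455555", "Reply with your card number and PIN to verify your account"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        t = triage_sms(sender, body)
        print(f"{t.verdict:16} {t.indicators} {t.artifacts}")
```

The `artifacts` list holds the link or call-back number taken from the message, which is the detail a financial institution needs when the message is reported to it.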

Business Risks

Most of the business risks that rate as High are found where the transactions pass through a common component, like the SMSC or USSD server, or where there is a vulnerability common to all end users.

Individual Risks

Individual risks are the union of the business risks, which generally affect the business and therefore all individuals, and the risks that individuals are exposed to due to their specific use of the channel. The risks introduced by the individual stem from how the individual uses the service. As such, the countermeasures usually involve user education.

The report so far has considered the risks associated with the choice of mobile specific technology. However, these technology choices do not exist in a vacuum: they are dynamic not only in that they change over time, as technology changes (which will be discussed in Section 5.1) and as knowledge of vulnerabilities and how to exploit them spreads, but also because final risk evaluation is shaped by context: both at the level of the environment within which the mFSP firm operates and by the inherent risk of the firm's business model. This section therefore sets out the scaling factors which should be applied to the results of the preceding process to determine the scaled final level of risk faced by the mFSP.

Environmental risks

The environmental risks linked to the use of the mobile channel may be heightened when:

A significant proportion of the users are first time users of electronic banking of any form, and hence have had less exposure and practice with issues like PIN protection or with the need to check statements for unauthorized transactions. Transformational models are likely to have more first time users, since targeted customers of m-FS may be previously unbanked at the time when they sign up for

With the rapid development of mobile banking, users have faced a very serious problem: there are no specific laws concerning this industry. The lawyers just can’t follow the pace at which mobile banking is developing. Banks need to take into consideration regulatory and security issues involved with implementing mobile solutions. First of all, it concerns third-party vendors (such as software developers, telecommunications companies, etc.). Some of them may not have any experience handling personal financial information. There are just a few states that require vendors providing services to a bank and its customers to license as money services businesses. That’s why it is necessary for financial institutions to evaluate the risks associated with outsourcing mobile solutions to a vendor. Banks can implement a system that will help them evaluate vendor’s capability to provide such services.

So even though mobile banking data is encrypted, it is necessary to impose privacy requirements on vendors, because some of them might not fall within statutory requirements to keep all customer information confidential.

Mobile phone banking is in a high-growth phase with at least 90 companies emerging in recent years offering banking and payment applications for mobile phones. It is estimated that as much as half of the world’s population may now own a mobile phone, with about 80% of the US population thought to own one. The World Bank estimates that about two-thirds of the world's population live within range of a mobile phone network. It is expected that around 2.3 trillion SMSs will be sent in 2008.

Mobile phones tend to be replaced every 18 months, compared to PCs being replaced on average every 42 months.

Fraudsters will target any channel which distributes value, customer data or electronic money. The rate of loss of mobile phones averages one every minute in the world. If the whole industry could adopt a holistic approach and plug any gaps in the security lifecycle by applying these best practices and conforming to standards a Trusted Environment for mobile banking will prevail.

The new best practice manual covers the following steps in the security lifecycle: SIM card security, mobile software security, enrolment, registration, and customer access to banking on mobile devices, security and privacy of customer details/data, customer education on the mobile phone as an instrument of value, dealing with lost or stolen mobile phones/devices, security of software and transmission to financial services device (e.g. ATM), defining strengths and vulnerabilities of each mobile phone channel/protocol and outlining the regulatory framework for mobile banking.

The mobile phone has been used very successfully as authentication tool for online banking, through a confirming SMS sent by the bank to the customer during online transactions. It has already proved its worth in the field of banking security.

Credit unions and banks across the country employ multiple forms of identification authentication, log-in procedures and encrypted communications to make sure cyber criminals can’t access confidential banking information while consumers are using a mobile banking application. However, the biggest threat to mobile security isn’t the technology; it’s the fact that many consumers are ignorant of the many fraudulent applications that exist online and on mobile platforms.

SOME STEPS TO SECURITY

-Password-protect your mobile device and lock your device when it’s not in use. Keep your mobile device in a safe location.

-Frequently delete text messages from your financial institution on your mobile device, especially if they contain sensitive information.

-Never disclose personal information about your accounts via text message, i.e. account numbers, passwords, or any combination of information that can be used to steal your identity.

-If you change your mobile number or lose your mobile phone, immediately contact your financial institution to change the details of your mobile banking profile.

-Do not hack or modify your device, as this will leave it susceptible to infection from a virus or Trojan. When possible, install mobile security software on your device (if it’s available). Some mobile security solutions include: AhnLab Mobile Security, avast! PDA Edition, Kaspersky Mobile Security, and Norton Smartphone Security.

-Be aware that malware exists and fraudulent applications will continue to pop up. Don’t download applications onto your phone without checking them out first. Verify the legitimacy of an application with your financial institution before downloading it to your smartphone: verify that the app publisher or seller is your financial institution, or if possible, go through your financial institution’s website to download the application.

-Report any banking application that appears to be malicious to your financial institution right away.

-Monitor your financial records and accounts on a regular basis and consider having electronic alerts on account activity sent to your email or mobile device. Regularly review your statements with online banking. This will enable you to spot any suspicious activity.

-If you have been a victim of identity theft, contact your financial institution immediately. You should also place a fraud alert on your credit report and continue to review your credit reports, close the accounts that you know (or believe) have been tampered with or opened fraudulently, and file a complaint with the Federal Trade Commission.

Finally, Smilgys points out that using mobile banking can actually help deter some fraud because it gives a person an easy way to check their account on a regular basis and notify their credit union or bank more quickly if they see suspicious act


If you are a user of a mobile banking service, you can experience the ease of accessing your account balance, last statement, but when it comes to transactions, bill payments, it gets challenging. On the market there are different solutions for transaction authorisation, especially in browser-based mobile banking:

- simple PIN (unsecure)
- one-time-password generated by another device (two-device misery)
- one-time-password received in SMS (application switching misery)
- one-time-password generated by another phone app (same as above)
- simple PIN and no possibility to transfer to new payees, but only to partners registered in the online banking (what if I need a new one?)

So far there is no silver bullet, but I advise you to keep an eye on an upcoming technology: voice verification of the transactions in a biometric automated way.

The model is simple: after you have initiated a transaction on the mobile (to new payee or over a limit), the "machine lady" calls you to read back the transaction details and ask for your confirmation, so you need to say a sentence to the phone. If it is you, the biometric voice check and your transaction passes.

No need for an authentication device, biometric security, it sounds promising, doesn't it? Still, the market uptake is not yet there; we are waiting on real success stories and 100% reliability.

Would you consider such a solution secure enough and user friendly?

Voice based authentication has been tried in the past - I am aware of at least one provider in the US. At the time, several years ago, the technology wasn't fully mature and there were instances of genuine account holders with a sore throat finding their access blocked! If the technology has matured since then, voice verification is surely an option that strikes a good balance between security and convenience.


For all biometric technologies, error rates are highly dependent upon the population and application environment. The technologies do not have known error rates outside of a controlled test environment.

It's outrageous, when the primary concern allegedly addressed by biometrics is crime, that biometric bench testing bears no resemblance to real life efficacy against criminals.

Someone asked me recently whether I thought mobile banking was safe or not. I admitted that I don't do it but that doesn't really say much. Then I mumbled something incoherent and vowed to get a real answer.

After talking to a number of mobile and security experts, I've come to the conclusion that far from being less secure, mobile banking may even be more secure than logging on to your bank Web site over your PC. And the consensus is that it's probably less risky than using checks, which can be forged, and credit cards, which can be stolen or skimmed at ATM machines for clones to be made. That's good news for the brave few who have ventured into the market. Of all U.S. Internet users, 6 percent have done mobile banking in the last week, and 12 percent have done it in the last month, according to Javelin figures. An estimated 30 million consumers in the U.S. do mobile banking, and half of all consumers think it's not secure, the research firm said in a mobile banking security standards report in December.

Despite the fact that online banking options abound in the U.S.--from AT&T, Nokia, Sprint Nextel, Visa, and the major banks--consumers have been reluctant. That could be for several reasons, my colleague Marguerite Reardon has concluded: they don't like downloading apps to their phones as is required by some banks, they are turned off by the small screen, and they can do it on their PCs more easily.

"We're not hearing of security issues in the mobile world," because the security benefits with mobile banking outweigh the disadvantages.

First, the con to mobile banking security:


Mobile devices are easy to lose: It's more or less as safe as banking you would do from your home computer, maybe slightly more risky, similar to using a laptop at Starbucks. The biggest difference is you are carrying the thing around with you and are more likely to lose physical custody of it than a computer.

Even so, the convenience outweighs the risk, he said. "It is no riskier than calling someone using your debit card or buying on Amazon with a debit card."

Now for the pros:

Mobile banking can be done anywhere at any time: Because people can do mobile banking at any time, they are more likely to log on more frequently and thus the chances of them detecting fraud are increased, said Van Dyke.

Mobile has a diversity of platforms: In the mobile world in the U.S., there is no one dominant mobile platform that can be targeted by malicious hackers like there is with Windows in the PC market. The lack of standardization also reduces the chances that malware will be interoperable with a broad range of mobile software and get widely distributed.

No banking-related mobile viruses or malware yet: "In the mobile era, we're not seeing any such Trojans, which has partnered with Barclays in the U.K. to offer security software to mobile customers.

Mobile banking functions are limited at this time: In general, U.S. consumers can check their account balances, transfer funds between their accounts, and see recent transactions over their mobile devices.

In most instances, if someone found your phone and logged into your mobile banking account, the worst they could do is pay your electricity bill.

However, things will change as more transaction functions are enabled on mobile devices, the experts said. For instance, point-to-point transactions and cross-border money transfers are on the horizon, according to Holland.

There will be more risk as payments move over to mobile devices because criminals will put more focus there and you will get spoofing attempts.

The ability to use your cell phone to buy things will undoubtedly put a dent in the credit card business, but it will also give mobile carriers additional revenue to make up for voice business they are losing to things like Skype and text messaging.

There is no reason people have to pull out a plastic card with a magnetic strip, technology developed 30 years ago, to buy a latte. Just hold the phone next to a cashier, it goes beep and there you go.

Other countries are already offering mobile transactions. For example, NTT Docomo in Japan, which uses McAfee security software to monitor for malicious activity on its mobile phones, initially started allowing consumers to use their phones to pay for public transport, and then added payments for things like ice cream and eventually banking.

In the U.S., banks are more cautious. Payments and banking are the biggest security concern for mobile device manufacturers, according to a Mobile Security Report.

At the same time, the manufacturers aren't installing additional security protection on the vast majority of the devices and won't allow consumers to install security software like they can with computers, said Volzke.

To safeguard against security risks, mobile users should use their device PIN codes, download mobile apps only from their financial institution, switch Bluetooth off when not in use, and avoid lending their phone to strangers to minimize the chance of someone downloading a malicious app onto the device.

All in all, "mobile banking is secure and there's not really any cause for concern,

Security

Mobile Banking Security Model

Introduction

An effective approach to security involves a delicate trade-off between security and customer convenience. Often customers can perceive security requirements as an inconvenience. Therefore, mFoundry has made many of the components of its mobile security approach optional. This allows banks and credit unions that select mFoundry's mobile solution to determine the best blend of security and convenience for their customers.

The majority of security approaches today work along two lines: first, make it more difficult for an attacker to obtain customer credentials; second, make it more difficult for an attacker to use those credentials to execute a fraudulent transaction. Customer education is an important step in the first approach. A knowledgeable customer is less likely to be ensnared by phishing attempts. Similarly, a bank or credit union may eschew the use of a channel that may be used in phishing. For example, customers have been trained not to click on links in e-mails that purport to come from financial institutions. An attacker may use this method to direct the consumer to a malware or phishing site. In the balance of this document we discuss mFoundry's approach to these key security considerations:

• End-User Education
• Preventing Code Insertion
• Limiting Spoofing

End-User Education

mBanking works via a Java, BREW or BlackBerry application (soon to be extended to Windows Mobile and iPhone). As such, the application needs to be either downloaded to the phone, or pre-installed by the operator.

Signed Applications

The first step is to train consumers to only download signed applications - the signing process allows the consumer to verify the identity of the application creator. process creates a set of signed binaries for every supported device, signed with correct signature for the operator/phone combination in question. signing certificate from either the financial institution or the operator. If signed by the FI, the user receives a prompt on installation indicating that the application has been provided by the financial institution. Please note that the FI would need to procure the appropriate certificate from VeriSign (Sun Java Signing Digital ID) as the domain owner is required to initiate code signing.

Downloading From A Known Source


A second, optional step is to educate consumers that the application can be downloaded only from a known source. In other words, make the application available for download from a bank or operator domain, and only after the user has been able to verify the identity of the domain. For example, allowing the download only from a site using bank-controlled adaptive authentication meets the requirement:

• User enters the bank's domain on his mobile phone.
• User presents his user ID over a secure connection (128 bit SSL).
• Bank responds with a shared secret (for example, an image and/or passphrase previously selected by the user) to confirm the identity of the bank.
• User authenticates with password (potentially subject to a challenge question).
• Once verified, user is allowed to download application.

The bank may choose to educate the user that the URL must always be manually entered, even on a phone, to minimize response to phishing scams. In this case, the bank would educate the user that any text message purporting to be from the bank containing a download URL is by definition fraudulent. Similarly, use of adaptive authentication inside the application minimizes the risk of spoofing:

• User launches the bank's application on his mobile phone.
• User presents his user ID over a secure connection (128 bit SSL) to the bank. There is no possibility of a man in the middle attack as the bank can mandate an integral end-to-end secure connection, and the services end-point requested by the phone application is set in advance by the bank.
• If the device is known to the bank, and has been previously associated with the user in question, the device is considered trusted and authentication continues. Otherwise, the user is presented with a challenge question, drawn from a set of questions and answers created by the user in another channel. Proceed to next step only on successful response to the challenge.
• Bank responds with a shared secret (for example, an image and/or passphrase previously selected by the user) to confirm the identity of the bank.
• User authenticates with password.
• Once authenticated, the user is allowed to download application.

Through the above process, the user can verify that he is indeed connecting to the bank (by verifying that she is seeing the correct shared secret presented by the bank).

out of the box support for RSA Adaptive Authentication as a means to allow the consumer to verify the identity of the bank, reduce spoofing/phishing, and of course implementing two-factor authentication.

Two-Factor Authentication

two-factor authentication through its concept of a Mobile User ID (MUID). The principle consists of uniquely identifying devices, requiring that they be authorized individually, and registering them in the user profile maintained by the bank. Each instance of the downloadable application is assigned a MUID from the bank's mFoundry server on first use. It is important to note that the MUID does not replace the user’s unique ID (which is typically the online banking user ID). The mapping between MUID and user ID could be one-to-one or many-to-many, or combinations thereof:

• One MUID -> One User ID: standard case, user can only access his accounts from the single registered phone
• One MUID -> Multiple User IDs: user has multiple separate profiles with the bank, e.g. personal and business, wants to be able to access all from the same phone
• Multiple MUIDs -> One User ID: user has multiple phones, wants to be able to access same account from either

The user then has to register the device in his mobile user profile - which requires proving his identity to the bank. On all subsequent requests, the MUID is automatically appended to the request from the application. Therefore:

• Initiating a secure session requires two factors of authentication: the user's secret knowledge (passcode), plus the correct end user device. The user must have previously proven to the bank that the device in question is in the user's possession and have it authorized for access.
• If the MUID presented by the application does not match one of the ones on recor

Finally, end users are simply not prepared for mobile application fraud. Criminals will exploit the naivety of mobile subscribers who have no reason to be suspicious of apparently legitimate applications that have gone through stringent checks. Further compounding this will be the high degree of differentiation between devices; while banks could educate customers about nuanced differences between an online banking session with their actual institution and one with a phishing fraudster (typos, SSL session indicators, etc.), mobile devices present so many permutations in terms of operating systems, visual displays and icons that education of end users for each and every device on the market would be an unmanageable undertaking.
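The MUID device registration and the known-device step of the adaptive-authentication flow described above, as an added Python example (not mFoundry's code): a server-side registry that issues MUIDs, binds them to user IDs many-to-many, and opens a session only for a registered device plus the correct passcode. The class and method names, the use of passcode plus challenge answer as the identity proof for registration, and all sample IDs and secrets are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    SESSION_OPEN = "session_open"      # passcode correct AND device registered
    CHALLENGE_REQUIRED = "challenge"   # device not registered for this user ID
    DENIED = "denied"                  # unknown user ID or wrong passcode


def _kdf(secret: str, salt: bytes) -> bytes:
    # Keep only a salted, slow hash of passcodes and challenge answers.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 50_000)


@dataclass
class Profile:
    salt: bytes
    passcode_hash: bytes
    answer_hash: bytes
    muids: set = field(default_factory=set)  # devices authorised for this user ID


class MuidRegistry:
    """Hypothetical bank-side registry; all names here are illustrative."""

    def __init__(self):
        self._profiles = {}   # user ID -> Profile
        self._issued = set()  # every MUID the server has handed out

    def enrol_user(self, user_id, passcode, challenge_answer):
        # Secrets are set up in another channel, as the page describes.
        salt = secrets.token_bytes(16)
        answer = challenge_answer.strip().lower()
        self._profiles[user_id] = Profile(salt, _kdf(passcode, salt), _kdf(answer, salt))

    def issue_muid(self):
        # First use of an application instance: the server assigns the MUID.
        muid = secrets.token_hex(16)
        self._issued.add(muid)
        return muid

    @staticmethod
    def _matches(stored, candidate, salt):
        return hmac.compare_digest(stored, _kdf(candidate, salt))

    def register_device(self, user_id, muid, passcode, challenge_answer):
        """Bind a MUID to a user ID only after the user proves identity."""
        p = self._profiles.get(user_id)
        if p is None or muid not in self._issued:
            return False
        answer = challenge_answer.strip().lower()
        ok = (self._matches(p.passcode_hash, passcode, p.salt)
              and self._matches(p.answer_hash, answer, p.salt))
        if ok:
            p.muids.add(muid)
        return ok

    def revoke_device(self, user_id, muid):
        # Lost or stolen phone: drop the binding for this user ID.
        p = self._profiles.get(user_id)
        if p is not None:
            p.muids.discard(muid)

    def start_session(self, user_id, muid, passcode):
        p = self._profiles.get(user_id)
        if p is None:
            return Decision.DENIED
        if muid not in p.muids:
            # Decide on the device before touching the passcode, so an
            # unregistered device cannot be used to test passcode guesses.
            return Decision.CHALLENGE_REQUIRED
        if self._matches(p.passcode_hash, passcode, p.salt):
            return Decision.SESSION_OPEN
        return Decision.DENIED


def demo():
    """Constructed walk-through; every ID and secret is a made-up sample value."""
    reg = MuidRegistry()
    reg.enrol_user("alice-personal", "4821", "Rex")
    reg.enrol_user("alice-business", "9053", "Rex")
    phone, tablet = reg.issue_muid(), reg.issue_muid()
    r = {}
    r["before_registration"] = reg.start_session("alice-personal", phone, "4821")
    r["bad_registration"] = reg.register_device("alice-personal", phone, "4821", "wrong")
    r["registration"] = reg.register_device("alice-personal", phone, "4821", " rex ")
    reg.register_device("alice-business", phone, "9053", "Rex")   # one MUID, two user IDs
    reg.register_device("alice-personal", tablet, "4821", "Rex")  # two MUIDs, one user ID
    r["phone_personal"] = reg.start_session("alice-personal", phone, "4821")
    r["phone_business"] = reg.start_session("alice-business", phone, "9053")
    r["tablet_personal"] = reg.start_session("alice-personal", tablet, "4821")
    r["wrong_passcode"] = reg.start_session("alice-personal", phone, "0000")
    reg.revoke_device("alice-personal", phone)                    # phone reported lost
    r["after_revocation"] = reg.start_session("alice-personal", phone, "4821")
    return r
```

After revocation the correct passcode on the lost phone no longer opens a session for that user ID, while the tablet binding and the business profile are unaffected.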

The key to prevention of this type of mobile fraud will be stringent checks by app store providers to ensure authenticity of financial institution applications. Application stores need to be trustworthy entities, but in a competitive environment where quantity trumps quality, the stringency required to mitigate this type of fraud may not be possible. It will also be up to financial institutions to remain vigilant about the products bearing their brand in application stores since the app store providers may have other priorities. While mobile application fraud may not be widespread at this time, the threat to mobile banking security is undoubtedly on the horizon.

India has about 688 MM (AUG 2010 TRAI Data) mobile phone subscribers, a number that is larger than the number of bank accounts or Internet users. Given the mobile tele-density of about 20% and development of secure mobile technology solutions, banks are well-positioned to bridge the digital divide and introduce the unbanked sector to the financial mainstream.

You may be aware that Reserve Bank of India had set up the Mobile Payments Forum Of India (MPFI), a ‘Working Group on Mobile Banking’ to examine different aspects of Mobile Banking (M-banking). The Group had focused on three major areas of M-banking, i.e., (i) technology and security issues, (ii) business issues and (iii) regulatory and supervisory issues. A copy of the Group’s report is enclosed. RBI has accepted the recommendations of the Group to be implemented in a phased manner. Accordingly, the following guidelines are issued for implementation by banks. Banks are also advised that they may be guided by the original report, for a detailed guidance on different issues.

However, to start with, we must understand who the various stakeholders are and what their expectations are. Stakeholders are as follows:

• Consumers
• Merchants
• Mobile Network operators
• Mobile device manufacturers
• Financial institutions and banks
• Software and technology providers
• Government

Each stakeholder group has the following expectations:

a) To meet the following Consumer expectations:
• Personalized service
• Minimal learning curve
• Trust, privacy and security
• Ubiquitous – anywhere, anytime and any currency
• Low or zero cost of usage
• Interoperability between different network operators, banks and devices
• Anonymity of payments like cash
• Person to person transfers

b) To meet the following Merchant expectations:
• Faster transaction time
• Low or zero cost in using the system
• Integration with existing payment systems
• High security
• Being able to customize the service
• Real time status of the mobile payment service
• Minimum settlement and Payment time

c) To meet the following Telecom Network Providers expectations:
• Generating new income by increase in traffic
• Increased Average Revenue Per User (ARPU) and reduced churn (increased loyalty)
• Become an attractive partner to content providers

d) To meet the following Mobile Device Manufacturers expectations:
• Large market adoption with embedded mobile payment application
• Low time to market
• Increase in Average Revenue Per User (ARPU)

e) To meet the following Banks expectations:
• Network operator independent solutions
• Payment applications designed by the bank
• Exceptional branding opportunities for banks
• Better volumes in banking – more card payments and less cash transactions
• Customer loyalty

f) To meet the following Software and Technology Providers expectations:
• Large markets

g) To meet the following Government expectations:
• Revenue through taxation of m-payments
• Standards

I. Technology and Security Standards

The technology used must be secure and at the same time convenient to deploy and cost effective. The following technology basis provides a summary of the available models. Banks must deploy only secure channels that provide a non-repudiable platform to transact.

| Telecom Standard | Data Bearer | User Interface | Method of Invoking / Initiating Transactions | Security | Hardware / Setup Requirements |
|---|---|---|---|---|---|
| GSM | Plain Text SMS | Structured Text | SMS / J2ME | Weak Encryption | Works on any phone. Workarounds like IVR call backs for sensitive information are possible |
| GSM | USSD / Application SMS | GUI (Graphic User Interface) / Structured Text | SMS / J2ME | Secure Channel | J2ME client requires Java enabled phone. |
| GSM | GPRS / WAP | GUI | J2ME / Browser | Secure Channel | Java enabled phone with GPRS. Without GPRS this can work within the Telecom provider’s walled garden. |
| CDMA | Application SMS / GPRS / WAP | GUI | Brew / Browser | Secure Channel | Operator centric usage |

The overall security framework should ensure:

Encrypted messaging / session between consumer’s phone and third party service provider / telecom company. Minimum encryption standards to be specified to make the transaction banking grade (e.g. min 128 bit SSL).

All subsequent routing of messages to the bank’s servers must be with the highest level of security with dedicated connectivity like leased lines / VPNs.

If any sensitive information is stored in third party systems, banks must ensure that access to this information is restricted with appropriate encryption and hardware security standards.


All transactions that affect an account (those that result in an account being debited or credited, including scheduling of such activity) should be allowed only after authentication of the mobile number and the mPIN associated with it. Transactions only for information such as balance enquiry, mini statements, registered payee details, etc., may be allowed with either mobile number or PIN.

Unless foolproof security is used in compiling and deploying the mobile banking applications, the PIN should not be allowed to be stored in the mobile banking application on the phone. As the application installed on the phone would generally be developed in Java, it may be possible to decompile it and extract the mPIN. Alternatively, the application should be compiled in such a way that it is not feasible to extract the PIN on decompilation.

All accounts, credit or debit cards allowed to be transacted through the mobile phones should have the mobile phone number linked to the account, credit or debit card. This mobile number should be used as the second factor authentication for mobile transactions.

During the transaction, the PIN should not travel in plain text. If it does, there is a risk of the PIN being snooped out of the phone from sent items and also of it being exposed at the SMSC level. It may also be possible to snoop out the PIN during transmission, although this is very difficult in cellular communications.

Proper level of encryption should be implemented for communicating from the mobile handset to the mobile payments service provider’s server. It has been assumed that proper security checks would be made by the banks to ascertain the security levels of the service providers. This may include PCI DSS certification in addition to bank’s own audits.

Proper system of verification of the phone number should be implemented, wherever possible. This is so as to guard against spoofing of the phone numbers as mobile phones would be used as the second factor authentication.

It is also recommended that Internet Banking login ids and passwords may not be allowed to be used through the mobile phones. As fraudsters get more sophisticated, the chances of phishing attacks on mobile phones would become more probable. Allowing Internet banking login id and password usage on the mobile phone may compromise their usage on the Internet banking channel. This restriction may be communicated to the customers through an industry wide effort so as to ensure that Internet banking passwords are not compromised through mobile phones.

The payment authorisation message from the user’s mobile phone should be securely encrypted and checked for tampering by the service provider or the bank. It should not be possible for any interceptor to change the contents of the message.

Provided the above security recommendations are reviewed, the mobile payment service could use any of the preferred modes of communication, viz., SMS, IVRS, WAP/GPRS, USSD and NFC. There are a couple of security issues in some of these modes of communication, which are listed below:

SMS is the simplest form of communication, but is vulnerable to tampering. As long as there is a second level of check on the details of the transaction so as to guard against data tampering and the mPIN does not travel in plain text, this mode of communication can be used.

IVRS is also a simple mode of communication and therefore does not have any inbuilt security measures.  The system should be capable of encrypting the DTMF tone entries, if required to be stored or transmitted.

USSD communication uses its inbuilt encryption technology to talk between the cell phone and the operator’s server. However, the decryption of the information happens at the cell phone operator’s server. Vulnerability of data may exist at this point. This information should be re-encrypted and transmitted to the service provider.
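One way to meet the two requirements above, that the payment authorisation message be checked for tampering and that the mPIN never travel in plain text, is a keyed MAC over the transaction fields. This is an added Python example, not code from the RBI report or from any bank; the per-device key provisioned at registration, the field names, the message counter and the key-derivation label are assumptions, and all sample values are constructed.

```python
import hashlib
import hmac
import struct

# Fixed field order so phone and server serialise identically (names are illustrative).
FIELDS = ("muid", "counter", "payee", "amount_paise")


def derive_mac_key(device_key: bytes, mpin: str) -> bytes:
    """Mix the mPIN into the signing key so the PIN itself is never transmitted."""
    return hmac.new(device_key, b"mpin-auth-v1:" + mpin.encode("utf-8"),
                    hashlib.sha256).digest()


def canonical(msg: dict) -> bytes:
    """Length-prefix each field; plain joining would let 'AB'+'C' equal 'A'+'BC'."""
    out = b""
    for name in FIELDS:
        value = str(msg[name]).encode("utf-8")
        out += struct.pack(">H", len(value)) + value
    return out


def sign(msg: dict, mac_key: bytes) -> str:
    return hmac.new(mac_key, canonical(msg), hashlib.sha256).hexdigest()


class Verifier:
    """Service-provider or bank side: one derived key per registered device."""

    def __init__(self):
        self._keys = {}          # muid -> derived MAC key
        self._last_counter = {}  # muid -> highest counter accepted so far

    def provision(self, muid: str, mac_key: bytes) -> None:
        self._keys[muid] = mac_key
        self._last_counter[muid] = 0

    def verify(self, msg: dict, tag: str) -> str:
        if (set(msg) != set(FIELDS) or not isinstance(msg["muid"], str)
                or not isinstance(msg["counter"], int)):
            return "malformed"
        key = self._keys.get(msg["muid"])
        if key is None:
            return "unknown_device"
        expected = sign(msg, key)
        # Constant-time comparison; a forged tag never advances the counter.
        if not hmac.compare_digest(expected.encode(), str(tag).encode()):
            return "bad_tag"
        if msg["counter"] <= self._last_counter[msg["muid"]]:
            return "replayed"
        self._last_counter[msg["muid"]] = msg["counter"]
        return "accepted"


def demo():
    """Constructed messages: genuine, replayed, altered in transit, wrong mPIN."""
    device_key = bytes(range(32))                  # constructed sample key
    key = derive_mac_key(device_key, "4821")       # constructed sample mPIN
    bank = Verifier()
    bank.provision("muid-01", key)
    pay = {"muid": "muid-01", "counter": 1, "payee": "9876500001", "amount_paise": 50000}
    tag = sign(pay, key)
    r = {}
    r["genuine"] = bank.verify(pay, tag)
    r["replay"] = bank.verify(pay, tag)
    r["tampered_payee"] = bank.verify(dict(pay, counter=2, payee="9876500002"), tag)
    r["tampered_amount"] = bank.verify(dict(pay, counter=2, amount_paise=5000000), tag)
    nxt = dict(pay, counter=2)
    r["wrong_mpin"] = bank.verify(nxt, sign(nxt, derive_mac_key(device_key, "0000")))
    r["next_genuine"] = bank.verify(nxt, sign(nxt, key))
    return r
```

The MAC gives integrity and origin authentication only: the payee and amount remain readable, so the encryption requirement for the channel still applies. The derived key held by the verifier is as sensitive as the mPIN and belongs in the same protected storage.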

Any of the following modes of user interface may be used, provided the above listed security measures are taken into consideration:

SMS Menu driven application Menu driven USSD application WAP/GPRS website

Formats need to be specified for exchange of information between banks. On the debit/credit card front, the existing ISO 8583 message format may be used for communication between bank switches. However, for account number based mobile transfers, a message format may need to be frozen.

Banks should designate a network and database administrator with clearly defined roles as indicated in the technology Group’s report.

Banks should have a security policy duly approved by the Board of Directors. There should be a segregation of duty of Security Officer / Group dealing exclusively with information systems security and Information Technology Division which actually implements the computer systems. Further, Information Systems Auditor will audit the information systems.

Banks should introduce logical access controls to data, systems, application software, utilities, telecommunication lines, libraries, system software, etc. Logical access control techniques may include user-ids, passwords, smart cards or other biometric technologies.

At the minimum, banks should use the proxy server type of firewall so that there is no direct connection between the Internet and the bank’s system. It facilitates a high level of control and in-depth monitoring using logging and auditing tools. For sensitive systems, a stateful inspection firewall is recommended which thoroughly inspects all packets of information, and past and present transactions are compared. These generally include a real time security alert.

All the systems supporting dial up services through modem on the same LAN as the application server should be isolated to prevent intrusions into the network as this may bypass the proxy server.

The information security officer and the information system auditor should undertake periodic penetration tests of the system, which should include:

• Attempting to guess passwords using password-cracking tools.
• Search for back door traps in the programs.
• Attempt to overload the system using DDoS (Distributed Denial of Service) & DoS (Denial of Service) attacks.
• Check if commonly known holes in the software, especially the browser and the e-mail software exist.
• The penetration testing may also be carried out by engaging outside experts (often called ‘Ethical Hackers’).

1. Physical access controls should be strictly enforced. Physical security should cover all the information systems and sites where they are housed, both against internal and external threats.

2. Banks should have proper infrastructure and schedules for backing up data. The backed-up data should be periodically tested to ensure recovery without loss of transactions in a time frame as given out in the bank’s security policy. Business continuity should be ensured by setting up disaster recovery sites. These facilities should also be tested periodically.

Business & Legal Issues

The following kinds of business applications are envisaged under the purview of this circular. Banks may permit the following transactions to their existing customers. They will encompass three key areas:

Mobile banking (basic saving account – balance enquiry, bill payment, credit card payment, Draft issuance, Deposit booking, Stop payment request, funds transfer to another bank account including 3rd party transfers, change of personal PIN)

M Commerce (using mobile as a payment instrument either linked to a bank account or through stored value)

Remittance: Allowing funds transfer between bank accounts, bank to cash (where the beneficiary does not have a bank account) and cash to cash

Banks may additionally facilitate transactions for their customer’s customers (e.g. bill payments for their corporate clients) and other transactions that facilitate transactional convenience and also the inclusion of the financially excluded into the banking mainstream. Thus banks may also permit following transactions for non-customers/non-account holders.

i. Small value person-to-person remittances (not exceeding Rs 15,000) including the use of bank branches, ATMs and other 3rd party outlets approved by Banks or Telcos for facilitating cash in / cash out. In such cases, banks may rely on KYC processes performed by other intermediaries (such as Telcos) as detailed in section III A of this circular.

ii. International remittances - i.e. Non resident Indians sending money back home to their families (To be read in conjunction with the MTSS guidelines)

Considering the legal position prevalent, there is an obligation on the part of banks not only to establish the identity but also to make enquiries about integrity and reputation of the prospective customer. Therefore, even though request for opening a savings / current account can be accepted over Mobile Telecommunication, these should be opened only after proper introduction and physical verification of the identity of the customer. 

From a legal perspective, security procedure adopted by banks for authenticating users needs to be recognized by law as a substitute for signature. In India, the Information Technology Act, 2000, in Section 3(2) provides for a particular technology (viz., the asymmetric crypto system and hash function) as a means of authenticating electronic record. Any other method used by banks for authentication should be recognized as a source of legal risk. Customers must be made aware of the channel risk prior to sign up.

Under the present regime there is an obligation on banks to maintain secrecy and confidentiality of customers’ accounts. In the Mobile banking scenario, the risk of banks not meeting the above obligation is high on account of several factors. Despite all reasonable precautions, banks may be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service etc., because of hacking / other technological failures. The banks should, therefore, institute adequate risk control measures to manage such risks.

In the Mobile banking scenario there is very little scope for the banks to act on stop-payment instructions from the customers. Hence, banks should clearly notify the customers of the timeframe and the circumstances in which any stop-payment instructions could be accepted.

The Consumer Protection Act, 1986 defines the rights of consumers in India and is applicable to banking services as well. Currently, the rights and liabilities of customers availing of Internet banking services are being determined by bilateral agreements between the banks and customers. Considering the banking practice and rights enjoyed by customers in traditional banking, banks’ liability to the customers on account of unauthorized transfer through hacking, denial of service on account of technological failure etc. needs to be assessed and banks providing Mobile banking should consider insuring themselves against such risks, as is the case with Internet Banking.

Banks may determine their own pricing for the use of these services. Banks should get the scheme for facilitating Mobile banking approved by their respective boards / LOMC before offering it to their customers. The LOMC approval must document the extent of Operational and Fraud risk assumed by the bank and the bank’s processes & policies designed to mitigate such risk.

KYC Process

Banks are permitted to rely on Financial Intermediaries as recommended by the relaxed KYC guidelines issued vide RBI circular DBOD.NO.AML.BC.28 /14.01.001/2005-06 dated August 23, 2005. A Bank can sponsor the small value remittance service by entering into arrangements with intermediaries in order to manage distribution, technology and scale. In the same spirit, Banks may partner with Telecom companies, Technology companies etc. to facilitate such small value transfers. Banks may rely on introductions from any person on whom KYC has been done and certificates of identification issued by the intermediary. Thus the intermediary can be a Telecom company, another bank or financial institution or a stand alone Trust Company dedicated to the purpose of facilitating such transactions.

It is proposed that in cases where the remitter is the owner of the mobile phone, the Bank relies on the telecom company’s KYC and obtains a copy of the registration documents from the telecom company. In cases where the remitter is not the owner of the mobile phone, a letter of introduction is taken from the owner and the remitter registers with a limited KYC comprising a photograph and address proof. Wherever address proof is not available, the introducer can certify the genuineness of the remitter’s address.

III. Regulatory & Supervisory Issues

As recommended by the Group, the existing regulatory framework over banks will be extended to Mobile banking also. In this regard, it is advised that:

Only such banks which are licensed and supervised in India and have a physical presence in India will be permitted to offer Mobile banking products to residents of India. Thus, both banks and virtual banks incorporated outside the country and having no physical presence in India will not, for the present, be permitted to offer mobile banking services to Indian residents.

The products should be restricted to account holders only and should not be offered in other jurisdictions.

The services should only include local currency products.

The ‘in-out’ scenario where customers in cross border jurisdictions are offered banking services by Indian banks (or branches of foreign banks in India) and the ‘out-in’ scenario where Indian residents are offered banking services by banks operating in cross-border jurisdictions are generally not permitted and this approach will apply to Internet banking also. The existing exceptions for limited purposes under FEMA i.e. where resident Indians have been permitted to continue to maintain their accounts with overseas banks etc., will, however, be permitted.

Overseas branches of Indian banks will be permitted to offer Internet banking services to their overseas customers subject to their satisfying, in addition to the host supervisor, the home supervisor.

Given the regulatory approach as above, banks are advised to follow the following instructions:

All banks who propose to offer transactional services on the Mobile services should obtain prior approval from RBI. Bank’s application for such permission should indicate its business plan, analysis of cost and benefit, operational arrangements like technology adopted, business partners, third party service providers and systems and control procedures the bank proposes to adopt for managing risks. The bank should also submit security policy covering recommendations made in this circular and a certificate from an independent auditor that the minimum requirements prescribed have been met. After the initial approval the banks will be obliged to inform RBI of any material changes in the services / products offered by them.

The guidelines issued by RBI on ‘Risks and Controls in Computers and Telecommunications’ vide circular DBS.CO.ITC.BC. 10/ 31.09.001/ 97-98 dated 4th February 1998 will equally apply to Mobile banking. The RBI as supervisor will cover the entire risks associated with electronic banking as a part of its regular inspections of banks.

Banks should develop outsourcing guidelines to manage risks arising out of third party service providers, such as, disruption in service, defective services and personnel of service providers gaining intimate knowledge of banks’ systems and misutilizing the same, etc., effectively.

It will become important to set up ‘Inter-bank Payment Gateways’ for settlement of such transactions. The protocol for transactions between the customer, the bank and the portal and the framework for setting up of payment gateways as recommended by the Group should be adopted for Mobile Banking.

Only institutions who are members of the cheque clearing system in the country will be permitted to participate in Inter-bank payment gateways for Internet payment. Each gateway must nominate a bank as the clearing bank to settle all transactions. Payments effected using credit cards, payments arising out of cross border e-commerce transactions and all intra-bank payments (i.e., transactions involving only one bank) should be excluded for settlement through an inter-bank payment gateway.

Inter-bank payment gateways must have capabilities for both net and gross settlement. All settlement should be intra-day and as far as possible, in real time.

Bilateral contracts between the payee and payee’s bank, the participating banks and service provider and the banks themselves will form the legal basis for such transactions. The rights and obligations of each party must be clearly defined and should be valid in a court of law.

Banks must make mandatory disclosures of risks, responsibilities and liabilities of the customers in doing business through Mobile, through a disclosure template. The banks should also provide their latest published financial results over the net.

Regulatory Roles and Responsibilities of Stakeholders

Role of Banks

Any money exchange, i.e. payments, P2P, remittance, etc., should be executed through banking instruments and infrastructure. This is to ensure compliance with all financial controls and regulation.

Payments can be made by the following:

• Savings Bank Account/Debit Card
• Credit Card Account
• Pre-paid Cards
• Virtual Cards (Credit & Debit Cards)

Bank’s role should be of providing normal transactional services to customers using the full range of services including Cash, Savings account, Credit Card, Debit Card and Prepaid Cards services.

Transactions should be maintained within the banking network, and all the stakeholders in transaction processing should be subject to the same level of scrutiny and regulation as other bank accounts.

Transaction settlement should ride on the existing infrastructure for efficient settlement and payment systems.

Intra Bank - Transactions involving Bank A/c to Bank A/c funds Transfer should be real time or near real time transactions

Inter Bank - Transactions involving Bank A/c to Bank A/c funds Transfer should ride on the NFS or other existing switches available for inter-Bank transactions.

Intra Bank – Transactions involving Card A/c (including Credit & Debit Cards) to Merchant/recipient account should ride on the existing settlement & payment systems available with Banks.

Inter Bank – Transactions involving Card A/c (including Credit & Debit Cards) to Merchant/recipient account should ride on either India Switch, VISA, MasterCard or any other available switching infrastructure.

The bank should take responsibility for audit, fraud management, account security etc. under its normal banking license. Banks should ensure that the service operates entirely within the RBI framework.

Banks should be responsible for ensuring the identity of the sender and the receiver of funds. Banks can design the process of verification of sender and receiver as per the existing guidelines. In cases where the existing process of KYC compliance cannot be met, new methods of verification such as mobile based PIN verification and transaction limit fixation can be considered.

In case of m-wallet propositions the pooled funds should be held with a bank so that systemic risk of defaults is minimized.

Banks may end up playing a limited role in P2P and cash to cash payments other than settler of funds via the pooled account. This should be permissible subject to transaction limits etc.

Role of banks

Telcos should provide the KYC and customer history for Banks to offer the services to the customer and take full responsibility for fraud management at their outlet as per TRAI guidelines.

In order to ensure Mobile Payments reaches the critical customer mass, KYC documents required to offer financial products should be made similar to Telco’s KYC guidelines.

Distribution network of Telcos should be used to provide the services of Mobile Payments to maximum possible locations across the country.

External low-cost hosting at Telco should be explored – Banks will not have to reinvent the technology platform & billing systems for such an offering.

Policies enabling audit and governance of such a model to be framed.

Setting up of infrastructure for undertaking Domestic Money Remittances along with Banks. Domestic Money Remittances using both Telco’s dealer network and Bank’s financial infrastructure should be piloted along with controls on transaction limit and frequency. The pilot should test the feasibility of running such a model for domestic money remittances.

Role of Third party payment processors

External low-cost hosting at Third party payment processors should be encouraged to have a truly cross-bank, cross-carrier payment system.

Policies enabling audit and governance of such a model to be framed, including a centralized settlement mechanism.

Third party processors should have the responsibility of fraud management and should have systems and processes in place to check and control frauds.

Regulatory Framework suggested for Mobile Payments

Payment Account to be used for Mobile Payments, e.g. credit card account, Savings Bank Account, virtual account, pre-paid account, should be similar to the existing credit card, debit card / bank account issuance framework. While we can use innovative mechanisms to enable payments through mobile phones, the following should be taken into consideration:

RBI’s Guidelines and policies on KYC

RBI’s Guidelines and policies on AML

Financial settlement between the various entities should be undertaken as per the existing Guidelines and processes.

The messaging system between Application and Bank needs to be regulated and standardized to ensure standard transaction processes and settlement systems.

Guidelines need to be evolved to ensure complete interoperability between all the stakeholders of mobile payments. This will lead to the growth of the ecosystem and will benefit all the stakeholders.

Guidelines need to be evolved for allowing domestic money remittances by Cash In and Cash Out at Telco Outlets including usage of Telco’s KYC and adherence to AML guidelines.

Telco’s role should include providing a platform to initiate transactions and carry the messages to the bank’s systems.


Regulatory policies and standards

Service providers, Telcos should have the independence to develop and launch customized applications targeted towards their customer base; however, the messaging system between application and Banks needs to be regulated. This will lead to standardization of the transaction processes and settlement systems. These should include:

Instruction formats for all mobile initiated payments, remittances and banking

Security standards for instructions, interfaces, data storage and transactions

Technology standards and guidelines for various modes of data transfer like SMS, GPRS etc.

Anti Money Laundering control for Telcos especially for proposed services like deposits being accepted and held by Telcos for Funds Transfer and remittances. While Telcos provide an opportunity to reach out to the unbanked and underbanked population of the country, proper regulatory control should be established to ensure conformation to KYC and AML guidelines. The Telcos offering these services should follow bank-approved processes that fulfill the regulatory requirements while performing such transactions. The Bank may appoint payout agents such as the Post Office, other FIs, selective merchants etc.

Sign up for service: Existing or new customer: Bank controlled through regulated KYC

Transaction: PIN based transactions in terms of domestic transfers.

Anti Money Laundering: monitoring carried out by the Bank

Transactions monitoring controlled at the banking end

Agent appointment responsibility with the bank


MANAGING THE RISK OF MOBILE BANKING TECHNOLOGIES

M-payments and m-banking are now spreading fast across the world, in developed and developing countries. The use of mobile phones for mobile Financial Services (m-FS) is relatively new and, as a consequence, the knowledge of the risks and the risk experience of providers is still limited. However, the rapid take-up and potential scale of new offerings has led to increased interest from mobile Financial Services Providers (mFSP), both banks and non-banks, and from government regulators in understanding and managing any unique, additional risks. Two elements of the mobile channel are distinctive relative to other banking channels like Internet banking or point of sale devices:

• The mobile handset, which comes with a wide range of functionality, from basic on standard handsets to advanced on feature phones and smart phones;
• The mobile network, which includes all the links carrying a data message from a handset to the mFSP or vice versa and the methods used to communicate between the handset and the mFSP.

Both these elements contribute to a different risk environment for m-banking. Boards and management of mFSPs as well as regulators need to have a clear basic understanding of how these elements work, including a comparison to other established e-banking channels.

Increasingly, as handset functionality increases, mobile financial services are converging with Internet banking.

Regulators and others commonly list additional risk considerations arising from the use of the mobile channel. These include: the higher possibility of loss of device, the restricted screen and keypad of the device, the information security of the end-to-end network, the availability and reliability of the communications network, and the use of outsourced service providers. However, a priori, these factors do not in themselves make most use cases of m-FS more or less risky than other forms of e-banking.

The main technical characteristics affecting the risks of m-FS:

• The security functionality available on the handset: the lower the security requirement from the handset, the broader the potential market, especially in developing countries;
• The degree of dependence or independence from a particular Mobile Network Operator (which controls access to the SIM card and the mobile network): channel options may or may not require downloading of an application to the SIM or phone, which in turn may require participation of the manufacturer or MNO.

encryption risk by providing encryption within the SIM, and provides the most security; its use and market may be limited by the need for MNO cooperation and a SIM with SIM Toolkit capability. In Use Cases 2 and 3, the risks (and services) increasingly converge with standard Internet banking risks.

Emerging technology: several developments are likely to change the picture of risk:

• An increasing proportion of smart phones will lead to more reliance on even in developing countries; this will heighten the need for knowledge of e-banking risks in countries in which Internet banking may not yet be common;
• The development of near field communication (NFC) enabled handsets which can effectively act as a token for local purchases (already common in Japan and under trial in several developed countries such as UK and US) is likely to further increase take-up of m-FS. The risks of the integration of NFC into mobile banking require further investigation and are outside the scope of this report.

Moving to prudent and adjusted security models requires a proportionate regulatory framework within which to ensure on-going and active supervision of risk management.

Device Management

The association of MUID with a user profile is the key to device management. Scenarios such as "lost device", "stolen device", or maybe even "sold on eBay" are handled through the MUID registration. In the default mBanking implementation, each valid MUID is given a state, which can be either:

• Valid
• Temporarily disabled
• Permanently disabled

The application must present a MUID that is registered as 'valid' to be able to continue with authentication. If the device is lost/stolen, the MUID should be set to 'temporarily disabled'. This can be accomplished via a self-service channel (authenticated online banking session) or via a call center or teller channel. If the device was only temporarily lost, and is then recovered by the user, the MUID can be reset to valid through the same channels above. If the MUID is temporarily disabled, no set of user credentials will permit access to the mBanking system.

However, a device attempting to authenticate using a 'temporarily disabled' MUID would be given a limited number of attempts before the mBanking server would convert the MUID to permanently disabled. Alternatively, the user could request the MUID to be set to disabled through one of the channels above in the case of a phone upgrade (for example, buys a new phone and sells the old one on eBay). If an application attempts to connect to the bank servers with a permanently disabled MUID, it will receive a control message back from the mBanking server that overwrites certain key sections of the authentication logic on the phone, permanently disabling the application on the phone. Again, in this state, no set of credentials will permit access to the system. However, once the application on the phone has been disabled, it can no longer be used to access the system, even if the MUID state is reversed to 'valid' and the correct passcode is used.
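The MUID lifecycle described above can be modelled as a small state machine. This is an added sketch, not the mBanking product's own code: the class, method and result names are hypothetical, and the limit of 3 blocked attempts is an assumed value because the text only says "a limited number".

```python
import hashlib
import hmac
import os
from enum import Enum

MAX_BLOCKED_ATTEMPTS = 3  # assumed; the text only says "a limited number"


class State(Enum):
    VALID = "valid"
    TEMP_DISABLED = "temporarily disabled"
    PERM_DISABLED = "permanently disabled"


class Result(Enum):
    OK = "ok"
    BAD_CREDENTIALS = "bad credentials"
    DEVICE_BLOCKED = "device blocked"
    KILL = "kill"  # control message telling the app to disable itself


def _derive(passcode, salt):
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


class MuidRegistry:
    """Server side: one record per registered MUID (hypothetical layout)."""

    def __init__(self):
        self._devices = {}

    def register(self, muid, passcode):
        salt = os.urandom(16)
        self._devices[muid] = {"state": State.VALID, "salt": salt,
                               "key": _derive(passcode, salt), "blocked": 0}

    def set_state(self, muid, state):
        # Reached only via an authenticated channel (online banking, call center, teller).
        self._devices[muid].update(state=state, blocked=0)

    def state(self, muid):
        return self._devices[muid]["state"]

    def authenticate(self, muid, passcode):
        dev = self._devices.get(muid)
        if dev is None:
            return Result.DEVICE_BLOCKED  # unregistered device
        if dev["state"] is State.PERM_DISABLED:
            return Result.KILL
        if dev["state"] is State.TEMP_DISABLED:
            # Passcode is never evaluated here; repeated tries escalate to permanent.
            dev["blocked"] += 1
            if dev["blocked"] >= MAX_BLOCKED_ATTEMPTS:
                dev["state"] = State.PERM_DISABLED
            return Result.DEVICE_BLOCKED
        good = hmac.compare_digest(dev["key"], _derive(passcode, dev["salt"]))
        return Result.OK if good else Result.BAD_CREDENTIALS


class Handset:
    """Client side: a received kill is irreversible on this install."""

    def __init__(self, muid, server):
        self.muid, self.server, self.killed = muid, server, False

    def login(self, passcode):
        if self.killed:
            return Result.KILL  # local authentication logic was overwritten
        result = self.server.authenticate(self.muid, passcode)
        if result is Result.KILL:
            self.killed = True
        return result


def lost_phone_scenario():
    server = MuidRegistry()
    server.register("MUID-EXAMPLE-1", "4821")  # constructed sample values
    phone = Handset("MUID-EXAMPLE-1", server)
    trace = [phone.login("4821")]
    server.set_state("MUID-EXAMPLE-1", State.TEMP_DISABLED)  # reported lost
    trace += [phone.login("4821") for _ in range(MAX_BLOCKED_ATTEMPTS + 1)]
    server.set_state("MUID-EXAMPLE-1", State.VALID)  # state reversed too late
    trace.append(phone.login("4821"))
    return [r.value for r in trace]
```

In the scenario the correct passcode is used throughout, so every refusal comes from the device state alone, and the final login is refused by the handset itself even though the server record is valid again.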

8. SCOPE OF M-BANKING

Appropriate scope of Mobile banking

The above discussion shows that Mobile banking offers could become indispensable for banks in a not-so-distant future. The question is no more of “whether” but of “when”. Even more important seems the question of “what, how and whom”, if one wishes to avoid making past mistakes. That is, what services (scope) should be offered how (mediums) and to whom (target groups). Apart from the fact that the scope of the offered services should be selected carefully to suit one’s own customers, following two factors ought to be kept in mind.

Mobile banking (m-banking) in India, viewed by the government as a potent tool for financial inclusion, is yet to clear many hurdles before it can fulfil its objective of reaching the unbanked masses. Primarily so, say analysts, since the mobile density in tier II and III cities is 11 per cent and 10 per cent respectively.

Customer survey establishes that there are sufficiently large groups of customers interested in utilizing M-banking. A superficial evaluation often fails to gauge the true extent of the potential. If the results of the customer survey are any indicator, then the time seems to be ripe for a proactive attitude on the part of banks in advertising their MFS so as to induce customer demand.

The survey results have demonstrated unambiguously that Mobile banking has staged a remarkable comeback. Whereas most banks and indeed many experts believed Mobile banking to be dead after the dotcom burst, banks are seeing themselves increasingly forced to induct Mobile banking services in their product portfolios.

The reasons for this extraordinary resurrection are:


The phenomenal growth of the telecommunication sector and the resultant (unparalleled) penetration of the society by mobile phones present unique business opportunities.

A new generation of technology- and innovation friendly consumers is taking centre stage in business- and social life of the society. This generation is more open to the opportunities presented by mobile telecommunication.

The ongoing process of Globalisation and the integration of the world-economy are forcing working professionals to be on the move within national and international geographic boundaries. These professionals need to carry out their bank business also while on the move.

The “anytime, anywhere” feature of Mobile Banking is thus nothing less than a professional necessity for many of them. The banks are thus, on the one hand, forced to take cognizance of the needs and wishes of some of their most attractive customer groups. On the other hand, the advantages that Mobile services potentially bring to a bank or any other provider of financial services are too palpable to deny. In the following we list some relevant factors that ought to be taken into account while making decisions on the launch, maintenance and scope of Mobile Banking


9. CONCLUSIONS

Mobile Banking, as has been demonstrated, has gained non-negligible relevance for banks today. Developments in the banking sector, e.g. increased competition on account of technological developments coupled with the process of globalisation, have produced new challenges for banks. Mobile Banking presents an opportunity for banks to retain their existing, technology-savvy customer base by offering value-added, innovative services. It might even help attract new customers.

Further, Mobile Banking presents a chance to generate additional revenues. Its main contribution, however, can be expected to take place in the strategic field as it is all set to become an instrument of differentiation. Many banks recognize this threat and are already taking preventive measures by introducing mobile services. The foremost significance of Mobile Banking would therefore be of a defensive nature. Instead of providing a positive differentiation, Mobile Banking would be employed to thwart negative differentiation vis-à-vis rivals.

Mobile Banking seems to possess the potential to become one of the widely spread and accepted applications in the field of Mobile Commerce, particularly in the backdrop of its high acceptance across commercially important sections of the society. We may expect to see Mobile Banking follow in the footsteps of Online Banking, i.e. to become a standard service offered by every bank worth its name.
