
Upload: vumien

Post on 26-Aug-2018


General Security and Internal Control

Microenterprise Access to Banking Services Program

Accreditation and Implementation Training On

Mobile Phone Banking Services

Objectives

•  Provide security features for mobile phone banking pursuant to the Bangko Sentral ng Pilipinas (BSP) regulations on electronic banking, Circulars 240 and 269

•  Provide security and internal control requirements to secure mobile phone banking transactions

•  Provide an overview of the roles and responsibilities of bank personnel involved in the implementation and operation of mobile phone banking services

•  Define internal process control using audit trails and reports for all mobile phone banking transactions, which includes compliance with the Anti-Money Laundering Act (AMLA)

•  Regulate movement of electronic money to conform with existing Philippine laws and standard banking practices


General Security Features

•  A one-time over-the-air (OTA) registration is required by Globe Telecom to access the GCash services

•  A downloadable GCash Menu is required for mobile phone banking transactions

•  A Mobile Personal Identification Number (MPIN) is required for all mobile phone banking transactions

•  All clients availing of mobile phone banking services must enroll at their respective bank branch. Customers are required to sign a Mobile Phone Banking Agreement listing all terms and conditions

•  GCash uses a two-factor authentication process: customers must use their own registered mobile phone number (linked automatically to their SIM) and confirm their identity using a Mobile Personal Identification Number (MPIN). This increases security for all mobile phone banking transactions


General Security Features (cont.)

•  Know-your-customer (KYC) procedures are followed for all clients. All clients are required to submit proper identification (government-issued IDs with photo), photographs and references, with background checking when necessary

•  AMLA requirements are followed for all covered and suspicious transactions

•  Approved BSP mobile phone wallet and transaction limits are in place

•  Accredited banks are required to perform a User Acceptance Test (UAT) before offering mobile banking services to the general public


Multi-level Security

•  Level 1 – The GCash wallet is linked to the mobile phone SIM. All balances and transactions are maintained within Globe Telecom’s GCash system

•  Level 2 – The GCash wallet is protected with a four-digit Mobile Personal Identification Number (MPIN), which provides the same security offered by Automatic Teller Machines (ATMs). The MPIN is required for all mobile phone banking transactions. Note that the MPIN can be changed at any time using the mobile phone

•  Level 3 – A Confirmation Message is automatically sent following each transaction to both the bank and the client

Multi-level Security (cont.)

•  Level 4 – Suspension of Service allows customers to immediately deactivate or suspend their GCash services after calling the Globe customer service hot line (2882) using any landline or mobile phone

•  Level 5 – Menu Driven – all banking transactions require downloading and using a Menu Interface, which protects the MPIN: the MPIN is masked and not stored on the mobile phone

•  Level 6 – Customer Service Inquiries follow appropriate verification procedures to determine the identity of the GCash subscriber


Anti-Money Laundering Compliance

•  GCash is BSP and AMLA compliant and it is recognized as an electronic payment platform under Monetary Board Resolution 116

•  Customer Verification procedures are in place for all GCash accredited partner establishments for converting money to GCash or vice versa

•  All GCash accredited partner establishments are required to report covered and suspicious transactions to the Anti-Money Laundering (AML) council on a monthly basis

Anti-Money Laundering Compliance (cont.)

•  Globe/GXI also tracks and reports any covered or suspicious transactions to the AML council

•  The GCash wallet is automatically limited to 40,000 pesos, and daily and monthly transactions are automatically limited to 40,000 and 100,000 respectively. These limits are within the ranges set for ATM transactions

•  All GCash Cash-in/Cash-out transactions require a valid ID to be presented

Customer Verification Flow Diagram:

•  RECEIVE AND VERIFY: Bank in-charge/teller receives and verifies enrollment forms, GCash service forms, valid IDs and/or Cash

•  REQUIREMENTS: Client fills out enrollment and GCash service forms and presents valid identification (ID) documents

•  CHECKING AND APPROVAL: Bank officer counter-checks documents and approves the transaction

•  RECORDING & POSTING: Bank records enrollment and posts transactions in the system

•  RELEASE/SEND: Bank teller/in-charge sends copies of the forms, GCash and/or Cash to the Client


Internal Control Features

•  Client information is verified when using the banking services

•  An audit trail is kept for all mobile phone banking transactions

•  All messages related to transactions are logged daily

•  Transaction Reports are maintained

•  The mobile phone is kept in the vault at the end of the day

•  Officers of the bank are the custodians of the mobile phone and MPIN

•  Internal documentary and procedural requirements are followed to ensure appropriate Dual Control for all transactions in terms of Making and Approving authorities


Security and Internal Control Requirements (Bank Level)

1) The custodian of the mobile phone must be an officer of the bank (Cashier/Manager/Designated Officer of the Bank)

2) M-PIN (Mobile Personal ID No.) and security code of the mobile phone must be secured and should not be known to anyone other than the designated custodian of the mobile phone.

3)  The GCash Menu-Driven Interface must be used. To access the Menu-Driven Interface on your cellphone, go to Globe Services (Globe Svcs+), then click on myFavorites>GCash

4)  All mobile banking transactions (incoming/outgoing) must be checked and approved by officers of the bank


5)  Withdrawal (Text-A-Withdrawal) must be drawn against Cleared/Withdrawable Balance

6)  Phone-to-Phone (P2P) Fund Transfer transactions must be supported by receipts and recordings in the Logsheet and GCash Journals

7)  The bank’s mobile phone must be used only for GCash/RBAP Text a Payment related activities.

8)  The phonebook/SIM of a branch’s mobile phone must contain the Head Office’s mobile phone number; the phonebook/SIM of the Head Office’s mobile phone must contain the branches’ mobile phone numbers


9)  The Bank In-charge must explain to the client the terms and conditions of the mobile phone banking service during the client’s enrollment, including the security and risks involved

10)  Follow enrollment procedure and requirements if enrollment is required for a particular mobile phone banking service

11)  Any internal/security control violations should not be tolerated and must be reported immediately for proper action (Please see information security policy manual).


Security and Internal Control Requirements (Client Level)

1) The complete KYC (Know-your-customer) procedure must be followed for all clients availing of mobile phone banking services
   - A valid ID is required upon opening an account and/or enrolling in the service
   - Background/credit checking is performed when necessary
   - References must be asked for and checked when necessary

2) Clients must be oriented/briefed on each mobile phone banking service they are availing of, including the security and risks involved.

3) Ensure that the client understands the terms and conditions of the service; the client must agree to and sign the service enrollment form if enrollment is required.


End of Presentation