A New Mode & Modalities
Banks have been exploring the feasibility of using mobile phones as an alternative channel for delivery of banking services. A mobile banking service enables an account holder to access his bank account through his mobile phone to make transaction inquiries, make fund transfers, pay utility bills, recharge the prepaid amount on his mobile, request a cheque book and book tickets.
A mobile banking conceptual model
In one academic model, mobile banking is defined as:
"Mobile Banking refers to provision and availing of banking- and financial services with the help of mobile telecommunication devices. The scope of offered services may include facilities to conduct bank and stock market transactions, to administer accounts and to access customized information."
According to this model Mobile Banking can be said to consist of three inter-related concepts:
• Mobile Accounting
• Mobile Brokerage
• Mobile Financial Information Services
Most services in the categories designated Accounting and Brokerage are transaction-based. The non-transaction-based services of an informational nature are, however, essential for conducting transactions. For instance, a balance inquiry might be needed before committing a money remittance. The accounting and brokerage services are therefore invariably offered in combination with information services. Information services, on the other hand, may be offered as an independent module.
However the most important reasons for which institutions offer mobile banking services to their customers are:
• Lower operating costs
• Greater geographic diversification
• Improved or sustained competitive position
• Increased customer demand for services, and
• New revenue opportunities
In order to regulate mobile banking, the RBI has issued a set of guidelines under Sec. 18 of the Payment and Settlement Act 2007. As per the guidelines, banks have been permitted to offer this facility subject to a transaction cap of Rs 5000/- per day for fund transfer and Rs 10000/- per customer per day for transactions involving purchase of goods/services. But banks can, of their own, fix a limit within this overall limit.
Mobile banking services can be offered only to the customers and/or credit card holders of the bank. Only domestic transactions are permitted through mobile banking, not cross-border transactions.
Growing Trends in Mobile Banking
The advent of the Internet has enabled new ways to conduct banking business, resulting in the creation of new institutions, such as online banks, online brokers and wealth managers. Such institutions still account for a tiny percentage of the industry. Over the last few years, the mobile and wireless market has been one of the fastest growing markets in the world and it is still growing at a rapid pace. According to the GSM Association and Ovum, the number of mobile subscribers exceeded 2 billion in September 2005, and now exceeds 2.5 billion (of which more than 2 billion are GSM). With mobile technology, banks can offer services to their customers such as doing funds transfer while travelling, receiving online updates of stock price or even performing stock trading while being stuck in traffic. Smartphones and 3G connectivity provide some capabilities that older text message-only phones do not.
According to a study by financial consultancy Celent, 35% of online banking households will be using mobile banking by 2010, up from less than 1% today. Upwards of 70% of bank center call volume is projected to come from mobile phones. Mobile banking will eventually allow users to make payments at the physical point of sale. "Mobile contactless payments" will make up 10% of the contactless market by 2010. Many believe that mobile users have just started to fully utilize the data capabilities in their mobile phones. In Asian countries like India, China, Bangladesh, Indonesia and Philippines, where mobile infrastructure is comparatively better than the fixed-line infrastructure, and in European countries, where mobile phone penetration is very high (at least 80% of consumers use a mobile phone), mobile banking is likely to appeal even more.
Mobile Banking Business Models
The bank-focused model emerges when a traditional bank uses non-traditional low cost delivery channels to provide banking services to its existing customers. Examples range from use of automatic teller machines (ATMs) to internet banking or mobile phone banking to provide certain limited banking services to banks’ customers. This model is additive in nature and may be seen as a modest extension of conventional branch-based banking.
The bank-led model offers a distinct alternative to conventional branch-based banking in that customers conduct financial transactions at a whole range of retail agents (or through mobile phones) instead of at bank branches or through bank employees. This model promises the potential to substantially increase the financial services outreach by using a different delivery channel (retailers/mobile phones) and a different trade partner (Telco/chain store) having experience and a target market distinct from traditional banks, and may be significantly cheaper than the bank-based alternatives. The bank-led model may be implemented either by using correspondent arrangements or by creating a JV between Bank and Telco/non bank. In this model the customer account relationship rests with the bank.
The non-bank-led model is where a bank does not come into the picture (except possibly as a safe-keeper of surplus funds) and the non-bank (e.g. Telco) performs all the functions.
The following type of services could be made available through Mobile Banking Solutions –
Push Alerts – This is a purely one-way interaction and helps the bank to inform customers about various transactions related to their accounts. The alerts that can be sent include credit/debit information, salary credit information, bounced cheque alerts, balance below required minimum, etc.
Push-pull Alerts – This requires two-way interaction. Bank-customers, usually from the retail segment, can send requests for the services listed in succeeding paragraphs. This is based on a pre-decided menu and they would receive information on demand like balance enquiry, last three transactions, cheque clearance status enquiry etc.
List of possible services (subject to bank’s preference).
• Daily Balance
• All Debit Balances
• Debit Balance Over Amount
• Debit Balance Below Amount
• Credit Balance Only
• Credit Balance Over Amount
• Credit Balance Below Amount
• All Transactions
• All Debit Transactions
• Debit Transactions Over Amount
• Debit Transactions Below Amount
- Funds Transfer
- Between own accounts
- From own account to third party account (intra bank)
- From own account to third party account (inter bank)
- From / To Credit Card
- Utility Bills
- Loan Repayment
- Insurance Premiums
- Payment Options
- Pay through credit card
- Pay through debit card
- Wire from account
- In house products & services
- Third party products & services
1. Portfolio management services
2. Real-time stock quotes
3. Personalized alerts and notifications on security prices
1. Status of requests for credit, including mortgage approval, and insurance.
2. Cheque book and card requests
3. ATM Location
1. General information such as weather updates, news
2. Loyalty-related offers
3. Location-based services
Banks can give this service directly or through their business correspondents. Only banks having core banking solution will be eligible for providing this service. However security management is a must for all the financial institutions. Financial institutions must comply with regulatory requirements and industry best practices in order to –
- Ensure the security and confidentiality of customer information;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
The elements of security that add up to ensure protection for the Mobile solutions from the origin, i.e. customer’s handset to the transacting bank include –
1. Confidentiality of transaction message.
2. Integrity of transaction message.
3. Issues related to device & Security Risks involved.
A] Authentication of both user and device.
B] Password Security.
4. Initial and Existing Users Authentication.
5. Secure Inter Bank Settlement.
Encryption of wireless banking activities is essential because wireless communications can be recorded and replayed to obtain information. Encryption of wireless communications can occur in the banking application, as part of the data transmission process, or both. Confidentiality is achieved by the sender encrypting the text message into a coded message. The receiver has to use his private key to open the message. Since nobody else knows his private key, the receiver is assured of confidentiality.
Integrity of all financial transaction messages is essential because electronic messages can be intercepted and tampered with to modify or alter the information contained in the message packet. Integrity is ensured by “Hashing” the message. Hashing means converting the message into a string of numbers to obtain a single code number for the message. The “Hash Value” is sent along with the message. The receiver passes the message through the same hashing algorithm and compares the hash values. If the hash values of the sender and the receiver are one and the same, it serves to prove that the message has not been tampered with. Changing even one letter in the message changes the hash value, and hence integrity is assured.
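The receiver-side check described above, as an added example that is not part of the original article; SHA-256 is an assumed algorithm, and the message, account numbers and key are constructed. It goes one step beyond the text: a bare hash sent with the message does not detect a change when the hash value is replaced along with the message, whereas a keyed hash (HMAC) with a key shared by bank and handset does.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed sample data: message, altered copy and shared key are made up.
MESSAGE = b"TRANSFER 5000 FROM 1001 TO 2002"
TAMPERED = b"TRANSFER 5000 FROM 1001 TO 2003"  # one character changed
SHARED_KEY = b"constructed-demo-key"  # assumption: known only to bank and handset


def hash_value(message: bytes) -> str:
    """The 'hash value' of the article; SHA-256 is an assumed algorithm."""
    return hashlib.sha256(message).hexdigest()


def send_plain(message: bytes) -> Tuple[bytes, str]:
    """Sender side: the hash value travels along with the message."""
    return message, hash_value(message)


def verify_plain(message: bytes, received_hash: str) -> bool:
    """Receiver side: recompute the hash and compare."""
    return hmac.compare_digest(hash_value(message), received_hash)


def keyed_tag(key: bytes, message: bytes) -> str:
    """Keyed hash (HMAC-SHA256): cannot be recomputed without the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_keyed(key: bytes, message: bytes, received_tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), received_tag)


def demo() -> dict:
    msg, h = send_plain(MESSAGE)
    tag = keyed_tag(SHARED_KEY, MESSAGE)
    return {
        "intact_message_accepted": verify_plain(msg, h),
        "one_letter_change_detected": not verify_plain(TAMPERED, h),
        # Message altered in transit AND hash replaced: the bare check passes.
        "replaced_hash_accepted": verify_plain(TAMPERED, hash_value(TAMPERED)),
        # Same alteration against the keyed tag: rejected without the key.
        "keyed_rejects_replaced_hash": not verify_keyed(SHARED_KEY, TAMPERED, hash_value(TAMPERED)),
        "keyed_rejects_old_tag": not verify_keyed(SHARED_KEY, TAMPERED, tag),
        "keyed_accepts_intact": verify_keyed(SHARED_KEY, msg, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```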
Issues Related to Device & Security Risks Involved
Authentication of User & Device
Authenticity is ensured as the subscriber puts his digital signature by using his private key, which is confidential. The receiver has to first use the sender's public key to decrypt the original message, and this also ensures authentication.
The Mobile Banking application is bound to each deployment of the XMS Enterprise server application, in turn making it bound to the bank’s server. Whenever a Mobile Banking application is issued to the user, the bank’s public key is embedded inside the application. This application is set up in a closed user group setting to accept signature messages only from the bank’s server. On installation on the mobile handset of the authorized user, the application would automatically generate a key pair comprising a public key and a private key. These keys would be bound to the mobile number of the device and the user-defined password (known only to the user). The user would send the device public key using the application interface through an encrypted SMS to the bank’s central key repository. To add another layer of security, the keys are stored on the bank’s server in encrypted form.
Security Of Password
Wireless banking increases the potential for unauthorized use due to the limited availability of authentication controls on wireless devices and higher likelihood that the device may be lost or stolen. Authentication solutions for wireless devices are currently limited to username and password combinations that may be entered and stored in clear text view (i.e., not viewed as asterisks “****”). This creates the risk that authentication credentials can be easily observed or recalled from a device’s stored memory for unauthorized use.
Initial Users & Existing Customers Authentication
Verifying a customer’s identity, especially that of a new customer, is an integral part of all financial services. In addition to the initial verification of customer identities, the financial institution must also authenticate its customers’ identities each time they attempt to access their confidential information. Financial institutions need to weigh the cost of the authentication method, including technology and procedures, against the level of protection it affords and the value or sensitivity of the transaction or data to both the institution and the customer.
Use of digital signature
The use of digital signature provides security to electronic transactions. It provides four functions, namely, authenticity, confidentiality, integrity and legal non-repudiation to secure electronic transactions.
Authenticity is ensured as the subscriber puts his digital signature by using his private key, which is not known to anybody. Legal non-repudiation means the sender/subscriber cannot later deny that it was his digital signature. Since the digital certificate is issued by a licensed certifying authority, it provides legal non-repudiation.
Secure Inter Bank Settlement
Once the user’s inputs are received securely at the bank’s server through XMS Mobile Banking Solutions, the bank’s server would interface with its core banking infrastructure as well as other participating banks for the background settlement. It is assumed that appropriate security controls existing within the bank’s infrastructure would provide for intra- as well as interbank transfer and settlements / information notifications.
Key Challenges for a Mobile Banking Solution
Key challenges in developing a sophisticated mobile banking application are:
There are a large number of different mobile phone devices, and it is a big challenge for banks to offer a mobile banking solution on any type of device. Some of these devices support J2ME and others support SIM Application Toolkit, a WAP browser, or only SMS. Initial interoperability issues, however, have been localized, with countries like India using portals like R-World to overcome the limitations of low-end Java-based phones, while areas such as South Africa have defaulted to USSD as a basis of communication achievable with any phone. The desire for interoperability is largely dependent on the banks themselves: installed applications (Java-based or native) provide better security, are easier to use and allow development of more complex capabilities similar to those of internet banking, while SMS can provide the basics but becomes difficult to operate with more complex transactions. There is a myth that there is a challenge of interoperability between mobile banking applications due to a perceived lack of common technology standards for mobile banking. In practice it is too early in the service lifecycle for interoperability to be addressed within an individual country, as very few countries have more than one mobile banking service provider. In practice, banking interfaces are well defined and money movements between banks follow the ISO-8583 standard. As mobile banking matures, money movements between service providers will naturally adopt the same standards as in the banking world.
Scalability & Reliability:
Another challenge for the banks is to scale up the mobile banking infrastructure to handle exponential growth of the customer base. With mobile banking, the customer may be sitting in any part of the world (true anytime, anywhere banking) and hence banks need to ensure that the systems are up and running in a true 24 x 7 fashion. As customers find mobile banking more and more useful, their expectations from the solution will increase. Banks unable to meet the performance and reliability expectations may lose customer confidence. There are systems such as Mobile Transaction Platform which allow quick and secure mobile enabling of various banking services. Recently in India there has been a phenomenal growth in the use of Mobile Banking applications, with leading banks adopting Mobile Transaction Platform and the Central Bank publishing guidelines for mobile banking operations.
Due to the nature of the connectivity between a bank and its customers, it would be impractical to expect customers to regularly visit banks or connect to a web site for regular upgrades of their mobile banking application. It will be expected that the mobile application itself checks for upgrades and updates and downloads the necessary patches (so-called "Over The Air" updates). However, there could be many issues in implementing this approach, such as upgrade / synchronization of other dependent components.
The mobile application would be expected to support personalization such as:
1. Preferred Language
2. Date / Time format
3. Amount format
4. Default transactions
5. Standard Beneficiary list
Mobile banking will be attractive mainly to the younger, more "tech-savvy" customer segment. A third of mobile phone users say that they may consider performing some kind of financial transaction through their mobile phone. But most of the users are interested in performing basic transactions such as querying for account balance and making bill payment.
Mobile banking has come in handy in many parts of the world with little or no infrastructure development, especially in remote and rural areas. This part of mobile commerce is also very popular in countries where most of the population is unbanked. In most of these places banks can only be found in big cities, and customers have to travel hundreds of miles to the nearest bank. Thus mobile banking has brought a new revolution in the banking and financial system.
Upali Aparajita is Dy. Manager (Operations), Axis Bank Ltd, Cuttack, Orissa