
MOBILE BANKING :

Impact of Mobile Technologies on BANKING


WORK

RESEARCH METHODOLOGY:

RESEARCH DESIGN : DESCRIPTIVE

TYPE OF STUDY : SAMPLE UNIT

SAMPLING METHOD : TWO STAGE SAMPLING AND LATER ON APPLYING RANDOM SAMPLING.

SAMPLE SIZE : 100

TOOLS FOR DATA COLLECTION : QUESTIONNAIRE

METHOD FOR DATA COLLECTION : FIELD SURVEY METHOD BY PERSONAL INTERVIEW

FINDINGS :-

• Most investors are eager about m-banking.

• Investors mostly prefer investing on monthly basis.

• Most investors prefer security in mobile banking.

• In the current scenario, banking is fast and advanced.

TABLE OF CONTENTS

Sr. No. Particulars
1. INTRODUCTION
2. MOBILE SERVICES IN INDIA
3. RULES AND REGULATION
4. M-BANKING SYSTEM
5. GETTING STARTED
6. M-BANKING AND WORLD
7. M-BANKING RISK AND SECURITY
8. SCOPE OF M-BANKING
9. CONCLUSION

1. INTRODUCTION

• MOBILE BANKING
The cell phone does it all: You can take pictures, send
emails, play music and watch TV. Now, you can add
banking to that list.

What is m-banking?

Mobile banking (also referred to as m-banking, phone banking, SMS
banking, etc.) means conducting account transactions via a mobile phone.
For banks, mobile banking has become the most promising medium of
reaching out to their customers because of the ability to provide services
at any time or place in the world (of course, if there is cell phone
reception). That’s why news headlines weekly report about new financial
institutions launching mobile banking.

Using comprehensive mobile technology, financial institutions can offer
a wide array of different services to their customers. The basic options
include bill payments, balance inquiries and transfers among accounts
owned by the same person. However, many banks offer more
sophisticated solutions, such as getting bank statements, receiving
minimum balance alerts or even performing stock trading.

Mobile banking provides exceptional convenience for all cell phone
users. There are various m-banking methods to cover different
capabilities of mobile phones: text messaging, the mobile Internet, and
special programs called “clients” that are downloaded to mobile devices.
So even if your phone does not support Web browsing, you can still take
advantage of m-banking.

Text messaging is the most popular method of mobile banking. However,
its functionality is limited to two or three services. Web browser-based
solutions are more sophisticated than text messaging and provide the
same range of options as online banking. M-banking clients, generally
created for smartphones, are the most comprehensive systems. They
provide a fabulous combination of speed and functionality.

UK: The number of mobile phone subscribers that use their phones for
mobile banking transactions will exceed 150m globally by 2011, according
to a new study by Juniper Research. These figures refer to additive banking
which is focused on developed markets rather than transformational banking
(see Note for Editors below).

The Juniper Research report determined that the mobile banking market is
currently most advanced in the Far East, but that growing numbers of mobile
banking services are being offered in North America and Western Europe.
The developed nations of the Far East, North America and Western Europe
are forecast to account for over 70% of the user base by 2011.

Mobile Banking report author Howard Wilcox gave more details:

"Transactional or "push" mobile banking is being offered increasingly by
banks via downloadable applications or the mobile web, complementing
existing SMS messaging services for balance and simple information
enquiries. Mobile banking is a key element in banks' distribution channel
strategies as they compete to attract and retain customers."

The Juniper report highlighted the extra user convenience as a key benefit.
The mobile phone is the device that people - especially Generation Y - will
not leave home without. Mobile banking is an addition to the wide choice of
applications and services that they can access through their handsets to make
life easier, especially via smart phones such as the iPhone.

However the report identified several factors that will need addressing to
really foster market development including financial regulations which vary
from country to country, application slickness, and security. Whatever the
reality of the strength of the security, it is the perception and image in the
mind of the user that dictates whether they will trust the service.

The Juniper Research study provides an analysis of the trends and issues
affecting this market, exploring how the mobile banking market will
develop. The report provides forecasts of user take-up, user-level messaging
traffic, user-level transaction volumes and gross transaction values for
"Push" Mobile Banking Information Services, and "Pull" transactional
banking services. The report also presents the strategies of 15 key vendors
and 12 mobile banking services pioneering in this developing market.

Mobile Banking Whitepaper and further details of the study, 'Mobile
Banking: Strategies, Applications and Markets 2008-2013' can be freely
downloaded from the Juniper Research website.

People will be able to
withdraw cash and transfer funds using their mobile phones in rural areas
with the government approving the framework for introduction of such
facilities by the banks.

Banks have been advised to start mobile banking in rural areas by July 31, and
complete the rollout by the end of next year. "With the acceptance of the
report of inter-ministerial group by the committee of secretaries banks are
being advised to implement the IMG framework on priority basis to extend
basic financial services to the unbanked population," said a communications
ministry release today.
As you are no doubt aware, with the rapid growth in the number of mobile
phone subscribers in India, the banks have been exploring the feasibility
of using mobile phones as an alternative channel of delivery of banking
services. A few banks have also started offering, through the mobile
phone, information-based services like balance enquiry, stop-payment
instruction of cheques, record of last five transactions, etc. Considering
that the use of this technology for the banking services is relatively new
and calls for appropriate safeguards to ensure security of financial
transactions, the Reserve Bank has formulated the ‘Draft Operating
Guidelines for Mobile Payments in India', through a consultative process
and placed them on the RBI’s website in June 2008 for public
comments. It is expected that the guidelines when operationalised, would
help strengthen the operating environment for mobile banking in the
country.
Mobile banking, also known as m-banking, includes balance checks, account
transactions, payments, balance inquiry, mini statements, cheque book
requests, bill payment, mobile top-up, DTH, electricity bill payment and
insurance premium payment.

Mobile banking refers to the provision and availment of banking and financial
services with the help of a mobile phone. It can offer services such as the
following:

Account Information
• Mini-statements and checking of account history
• Alerts on account activity or passing of set thresholds
• Monitoring of term deposits
• Access to loan statements
• Access to card statements
• Mutual funds / equity statements
• Insurance policy management
• Pension plan management
• Status on cheque, stop payment on cheque
• Ordering check books
• Balance checking in the account
• Recent transactions
• Due date of payment (functionality for stop, change and deleting of
payments)
• PIN provision, Change of PIN and reminder over the Internet
• Blocking of (lost, stolen) cards

Payments, Deposits, Withdrawals, and Transfers
• Domestic and international fund transfers
• Micro-payment handling
• Mobile recharging
• Commercial payment processing
• Bill payment processing
• Peer to Peer payments
• Withdrawal at banking agent
• Deposit at banking agent

Thus, as we see above, mobile banking will definitely become a giant service,
and m-banking will definitely overshadow the traditional banking process. It
has already started: old banking players like

1. SBI

2. Baroda Bank

3. Indian Bank

and many others have also come out with mobile banking.

Digital wallets will subsume paper money in 30 years: Sam Pitroda (Interview)
Wednesday, September 08, 2010

With some five billion mobile phones in use today globally and over 10
billion credit and debit cards issued each year, tech evangelist Sam Pitroda
has predicted the virtual death of paper money in 30 years thanks to
innovative convergence.

"Paper money will disappear as transactions become digitised in another
three decades," said the inventor of Casio Digital Diary, which was a rage in
the 1980s, speaking about his latest innovation -- the "digital wallet" that
uses the concept of "mobile money".

"Today all your credit, debit cards are put in an envelope and sent to you. In
the future, your plastic cards will be digital and sent to your new address --
your mobile phone," Pitroda said at the well-attended launch function.

"If you can make your home and office paperless, why not banks, trade and
your wallet? All transactions will be online in the future," Pitroda told IANS
in an interview on his invention, now explained in the book: "The March of
Mobile Money: The Future of Lifestyle Management".

"Every mobile telephony service provider will embrace it. With declining
average revenue per user, digital wallet could lure more subscribers who
would pay more for the services offered," he said.

"It is completely foolproof."

Pitroda's book covers the evolution of the mobile phone in India, which is
fast becoming a lifestyle emblem in the country, its emerging links with
banking and the concept of money, to make eventual, but certain, room for
what he calls the "mobile wallet".

"The mobile revolution is like a big train coming. India will have a billion
connected people in 10 years and everything, including health, education
and social service, will have to be done through mobile telephony," he said.

India has over 650 million mobile phone connections just behind China's
795 million.

"The mobile service provider or networks will become the management
platforms. Nobody is thinking about it -- but you cannot conduct your life
the way you are doing it now. The cell phone has made India younger,
mobile and connected."

First, he says, the mobile telephony blitz will deal with uploading of content
in areas such as education and health, with handset storing health data,
doctor's address, phone numbers, drug schedules, lab test reports and even a
list of regular chemists.

The mobile phone will also be a boon for the education sector, and in a
decade's time, students will be able to solve math, trigonometry and answer
their examination on their cell phones. The concept is currently under trial
across four states in the US, he said.

Pitroda then presented a live demonstration of the services provided by his
personal digital wallet -- a sleek black BlackBerry with a rather large display
screen -- to explain the premise on which the technology of "digital wallet"
operated.

His mobile phone has four icons in the money menu -- for wallet, bank, my-
commerce and my-city, which lists information about Delhi, where he is
now. The wallet contains an electronic imprint of his plastic cards and
bonuses collected on it.

He said if he were to go out for lunch and decided to split the bill with the
host, all that was needed was to send two messages -- one from his phone to
the host and another to his bank to transfer the money to the host's account.

Similarly, if he wished to buy a pair of jeans, all that he needed to do was to
go to the payments icon on his phone, and the magnetic stripe of the card
will automatically be swiped and money transferred to the merchant.

"If, for example, I go to WalMart, the payments screen can even fish out my
WalMart discount card and offer me fresh discounts on my cell phone. You
could have up to 50,000 coupons stored in your mobile telephone."

But why the book?

"Several people, especially in India, have been inquiring about the security
of digital wallets, the mechanism and its feasibility. It was not possible to
explain to everyone. Hence, I thought let us write about the digital wallet
and mobile money," he said.

"It is an effort to educate the average consumer on how banks started
digitising their systems and connected to our mobile phones -- changing the
nature of money transaction in a layman's language," Pitroda said of the
book, co-authored by Mehul Desai.

According to him, there were three fundamental requirements to make
banking, e-commerce and eventually the complete lifestyle management of
an individual and his family over mobile phones a reality.

"Phones have to be smarter with bigger colour displays. They must be
equipped with the underlying network infrastructure to connect to the
Internet. And they must be able to download cards, tokens and applications
directly from issuers - anywhere any time."

He said phones also have to be simple with interfaces that mock the
traditional wallet, including branding and familiar images of cards, coupons
and bills, to provide consumers a single platform to conduct a host of
transactions in the virtual world.

The telecom and tech whiz, who is advisor to Prime Minister Manmohan
Singh on public information, infrastructure and innovation and chairs the
National Innovation Council.

1.2 BANKING IN INDIA


Banking in India is still in traditional mode: go to the bank, fill up the
challan and get a receipt. It is quite manual and simple, but changes are
coming very fast.

Banking in India originated in the last decades of the 18th century. The
first banks were The General Bank of India which started in 1786, and
the Bank of Hindustan, both of which are now defunct. The oldest bank
in existence in India is the State Bank of India, which originated in the
Bank of Calcutta in June 1806, which almost immediately became the
Bank of Bengal. This was one of the three presidency banks, the other
two being the Bank of Bombay and the Bank of Madras, all three of
which were established under charters from the British East India
Company. For many years the Presidency banks acted as quasi-central
banks, as did their successors. The three banks merged in 1921 to form
the Imperial Bank of India, which, upon India's independence, became
the State Bank of India.
Indian merchants in Calcutta established the Union Bank in 1839, but it
failed in 1848 as a consequence of the economic crisis of 1848-49. The
Allahabad Bank, established in 1865 and still functioning today, is the
oldest Joint Stock bank in India. It was not the first though. That honor
belongs to the Bank of Upper India, which was established in 1863, and
which survived until 1913, when it failed, with some of its assets and
liabilities being transferred to the Alliance Bank of Simla.
When the American Civil War stopped the supply of cotton to Lancashire
from the Confederate States, promoters opened banks to finance trading
in Indian cotton. With large exposure to speculative ventures, most of the
banks opened in India during that period failed. The depositors lost
money and lost interest in keeping deposits with banks. Subsequently,
banking in India remained the exclusive domain of Europeans for next
several decades until the beginning of the 20th century.

Foreign banks too started to arrive, particularly in Calcutta, in the 1860s.
The Comptoire
opened a branch in Calcutta in 1860, and another in Bombay in 1862;
branches in Madras and Pondichery, then a French colony, followed.
HSBC established itself in Bengal in 1869. Calcutta was the most active
trading port in India, mainly due to the trade of the British Empire, and so
became a banking center.

The partition of India in 1947 adversely impacted the economies of
Punjab and West Bengal, paralyzing banking activities for months.
India's independence marked the end of a regime of the Laissez-faire for
the Indian banking. The Government of India initiated measures to play
an active role in the economic life of the nation, and the Industrial Policy
Resolution adopted by the government in 1948 envisaged a mixed
economy. This resulted in greater involvement of the state in different
segments of the economy including banking and finance. The major steps
to regulate banking included:
• In 1948, the Reserve Bank of India, India's central banking authority,
was nationalized, and it became an institution owned by the
Government of India.
• In 1949, the Banking Regulation Act was enacted which empowered
the Reserve Bank of India (RBI) "to regulate, control, and inspect the
banks in India."
• The Banking Regulation Act also provided that no new bank or
branch of an existing bank could be opened without a license from the
RBI, and no two banks could have common directors.
However, despite these provisions, control and regulations, banks in India
except the State Bank of India, continued to be owned and operated by
private persons. This changed with the nationalisation of major banks in
India on 19 July 1969.
Nationalization
By the 1960s, the Indian banking industry had become an important tool to
facilitate the development of the Indian economy. At the same time, it
had emerged as a large employer, and a debate had ensued about the
possibility to nationalise the banking industry. Indira Gandhi, the-then
Prime Minister of India expressed the intention of the GOI in the annual
conference of the All India Congress Meeting in a paper entitled "Stray
thoughts on Bank Nationalisation." The paper was received with positive
enthusiasm. Thereafter, her move was swift and sudden, and the GOI
issued an ordinance and nationalised the 14 largest commercial banks
with effect from the midnight of July 19, 1969. Jayaprakash Narayan, a
national leader of India, described the step as a "masterstroke of political
sagacity." Within two weeks of the issue of the ordinance, the Parliament
passed the Banking Companies (Acquisition and Transfer of
Undertaking) Bill, and it received the presidential approval on 9 August
1969.
A second dose of nationalization of 6 more commercial banks followed
in 1980. The stated reason for the nationalization was to give the
government more control of credit delivery. With the second dose of
nationalization, the GOI controlled around 91% of the banking business
of India. Later on, in the year 1993, the government merged New Bank of
India with Punjab National Bank. It was the only merger between
nationalized banks and resulted in the reduction of the number of
nationalized banks from 20 to 19. After this, until the 1990s, the
nationalized banks grew at a pace of around 4%, closer to the average
growth rate of the Indian economy.
The nationalized banks were credited by some, including Home minister P.
Chidambaram, to have helped the Indian economy withstand the global
financial crisis of 2007-2009.

1.3 Evolution of Payment System in India
The history of the payment system can be said to be virtually co-
terminus with the evolution of money. The earliest form of payment
system could perhaps be traced back to the pre-historic days of barter
trade when the settlement of consideration took place through exchange
of conch shells, goods, cattle and later commodities. Such a system, in
the absence of money as a medium of exchange, was obviously very
cumbersome due to highly improbable ‘coincidence of wants’ of the two
parties to a barter transaction. Subsequently, more formalised payment
instruments, such as coins, developed. The earliest payment instruments
known to have been used in India were coins, which were either punch-
marked or cast in silver and copper; even leather is known to have been
used for making coins. Thus, with the advent of institutionalised forms of
money, initially in the form of coins and later as paper money, the barter
trade withered away and the usage of currency became the order of the
day.
Paper money, in the modern sense, has its origin in India in the late 18th
century with the note issues of private banks as well as semi-government
banks. Amongst the earliest issues were those by the Bank of
Hindoostan, which was the first joint stock bank established in 1770, the
General Bank in Bengal and Behar, and the Bengal Bank. Later, with the
establishment of three Presidency Banks since 1809, the work of issuing
notes was taken over by them and each Presidency Bank had the right to
issue notes within certain limits. The private banks and the Presidency
Banks introduced other payment instruments in the Indian money market
and cheques were introduced by the Bank of Hindoostan. Buying and
selling bills of exchange became one of the items of business to be
conducted by the Bank of Bengal from 1839. The Paper Currency Act of
1861 conferred upon the Government of India the monopoly of Note
Issue, thus, bringing to an end the note issues of private and Presidency
Banks. In 1881, the Negotiable Instruments Act (NI Act) was enacted,
formalising the usage and characteristics of instruments like the cheque,
the bill of exchange and promissory note. The NI Act provided a legal
framework for non-cash, paper payment instruments in India and
continues to be an operative legislation even today.
While the modern cheques came into being in India only in the 19th
century, it is noteworthy that India had pioneered the use of non-cash
based payment systems long ago, which established themselves as strong
mechanism for the conduct of trade and business. The most important
form of credit instrument that evolved in India was termed as ‘Hundis’
and their use was reportedly known since the twelfth century. Hundis
were used as instruments of remittance, credit and trade transactions, and
were of various types, each type with its own unique features. However,
with the steady rise in volumes of trade and commerce and the growing
confidence of the public in the usage of cheques, etc., there was also
rapid growth in the payment transactions using these instruments. With
the development of the banking system and higher volume of cheques
used, the need for an organised cheque clearing process emerged
amongst the banks. Clearing associations were formed by the banks in
the Presidency towns and the final settlement between member banks
was effected by means of cheques drawn upon the Presidency Banks.
With the setting up of the Imperial Bank in 1921, settlement was done
through cheques drawn on that bank. After the establishment of the RBI
in 1935, the Clearing Houses in the Presidency towns were taken over by
the RBI, and continued with it for more than five decades.

1.4 Objectives of the Payment System
As some of you might recollect, a monograph on Payment Systems
in India was prepared by the RBI in 1998 to increase the awareness, both
within the country and abroad, of the payment systems existing in India.
The monograph also detailed the objectives that needed to be achieved.
To that end, a Payment System Vision Document for 2001-04 was
prepared to draw up the roadmap for consolidation, development and
integration of payment systems in the country. Once these objectives
were achieved, a Vision Document for 2005–08 was published in May
2005, articulating the Reserve Bank’s vision for the coming four years
for the payment and settlement area. The mission enshrined in the Vision
Document is the establishment of safe, secure, sound and efficient
payment and settlement systems for the country, towards which all the
upgradation efforts are focused. Whereas safety in payment and
settlement systems relates to risk reduction measures, security pertains to
confidence in the integrity of the payment systems. All payment systems
are envisaged to be on sound footing with adequate legal backing for
operational procedures and transparency norms. Efficiency enhancements
are envisaged by leveraging the benefits of technology for cost-effective
solutions. Thus, as part of its public policy objectives, the Reserve Bank
has played a major role in the design, development and functioning of
payment and settlement systems, and the multi-dimensional efforts of the
RBI over the years have been geared to realize this

2. MOBILE SERVICES IN INDIA

The Indian telecommunication industry, with about 688 million
mobile phone connections as of August 2010, is the third largest
telecommunication network in the world and the second largest in terms
of number of wireless connections. The Indian telecom industry is one of
the fastest growing in the world, and it is projected that India will have
'billion plus' mobile users by 2015. Projections by several leading global
consultancies are that India’s telecom network will overtake China’s in the
next 10 years. For the past decade or so, telecommunication activities
have gained momentum in India. Efforts have been made from both
governmental and non-governmental platforms to enhance the
infrastructure. The idea is to help modern telecommunication
technologies to serve all segments of India’s culturally diverse society,
and to transform it into a country of technologically aware people.

India has become one of the fastest-growing mobile markets in the world.
The mobile services were commercially launched in August 1995 in
India. In the initial was 16 million, followed by 22 million in 2004, 32
million in 2005 and 65 million in 2006. As of January 2009, total mobile
phone subscribers numbered 362 million, having added 15 million that
month alone. India ranks second in mobile phone usage to China, with
506 million users as of November 2009.

Telephony Subscribers (Wireless and Landline): 688.38 million (August 2010)
Cell phones: 652.42 million (August 2010)
Fixed Lines: 35.96 million (August 2010)
Broad Band Subscription: 9.77 million (August 2010)
Monthly Cellphone Addition: 16.92 million (August 2010)
Teledensity: 58.17% (August 2010)
Projected teledensity: 1 billion, 84% of population by 2012.

3. RULES AND REGULATIONS

3.1 Business Rules Governing Mobile Banking Services:
The Mobile Banking Service will be available to all the customers having a
satisfactory running account (Current/ Savings). The customers will have to
register for the services.
The daily transaction limit for fund transfer/ bill/ merchant payment is Rs. 50,000/-
per customer, with an overall calendar month limit of Rs. 2,50,000.00.
The service will be carrier-agnostic i.e. all customers can avail the mobile
banking service with the Bank irrespective of the service provider for their
mobiles.
The service is free of charge. However, the cost of SMS / GPRS connectivity
will have to be borne by the customer.

The Reserve Bank of India (RBI)

RBI has taken progressive steps to accelerate the rollout and adoption of
mobile banking services. The mobile phone represents a ubiquitous, low-
cost and secure platform - and in a country where less than 20% of the
population has an active bank account, the RBI was one of the first to
recognize an opportunity to leverage the mobile platform. The m-banking
guidelines - covering m-banking, money transfer, m-payments and m-commerce
- were introduced in October 2008. Based on initial results in
the first 12 months, the RBI has been quick to amend the guidelines to
further the uptake.
The new guidelines have three major points:
1. Transaction limit: Banks are now permitted to offer this service to their
customers subject to a daily cap of Rs 50,000 per customer for both funds
transfer and transactions involving purchase of goods and services.
2. Technology and security standard: Transactions up to Rs 1,000 can be
facilitated by banks without end-to-end encryption. The risk aspects
involved in such transactions may be addressed by the banks through
adequate security measures.
3. Provide fund transfer services that facilitate transfer of funds from the
accounts of their customers for delivery in cash to the recipients. The
disbursal of funds to recipients of such services can be facilitated at
ATMs or through an agent appointed by the bank as business
correspondent.

4. M-BANKING SYSTEM

Mobile banking basically works two ways--either through the Web browser on
your phone or special software that you download.
browser-based service, which is a simplified version of the online site that fits
within a cell phone and PDA screen. Any customer who has Internet access
on their cell phone can log on to their accounts by typing the bank's URL --
bofa.mobi or wachovia.mobi -- into their mobile browser.

4.1 Two general models:
1. Direct credit from bank accounts to customer’s ‘M-Wallet’
– Occurs through a bank or overseas money transfer office
2. Originator uses mobile network to initiate transfer
– Originator must have funds in the account (transferred from
bank account or paid in cash to mobile network company agent)
– International and domestic

4.2 SBI’S M-BANKING MODEL

SBI Freedom – Your Mobile Your Bank


Away from home, bills can be paid or money sent to the loved ones or
balance enquiries done anytime 24x7!!! That is what SBI FreedoM offers
-convenience, simple, secure, anytime and anywhere banking.
The service is presently available on java enabled mobile phones over SMS/
GPRS/ WAP as also non java phones with GPRS connection. The service
can be availed over the free GPRS facilities offered by various mobile
service providers. The services for other non-Java mobile phones are
under development and will be offered using Unstructured
Supplementary Services Data (USSD).
The following functionalities will be provided in Phase I:
• Funds transfer (within and outside the bank – using NEFT)
• Enquiry services (Balance enquiry/ Mini statement)
• Request services (cheque book request)
• Bill Payment (Utility bills, credit cards)
• M Commerce (Mobile Top Up, Recharge of Tatasky/ Other DTHs, Merchant
payment, SBI life insurance premium)

5. GETTING STARTED

Getting started
To avail of these services, you need to download (specimen is provided
below) the mobile banking application from your bank’s website on to
your cell phone, and get registered for this facility. Generally, any Java
enabled cell phone model (cost starting at Rs 3,000) would be able to
support this application.
You would require a GPRS mobile Internet connection (which your cellular
operator will make available on request) to transact through this channel.
This facility is meant to be operator-agnostic, meaning, that it should be
available across cellular operators.
However, you would do well to check the list of telecom service providers
through whom your bank is offering this service currently. Some banks
also offer m-banking on the sms platform.
While the bank will not levy charges for offering this service, you may have
to pay some charges — for use of GPRS/SMS — as specified by your
cellular operator. However, some banks could levy nominal charges if
you are using your debit or credit card for the purpose.
Also, one needs to remember that if you do not use these services for six
months, they could be deactivated, necessitating fresh registration.
The best part is, you don't have to enter your account number when you
use Mobile Banking. Once your wireless phone is registered, you can
bank easily and securely from anywhere you use your mobile phone —
you send us a text message command to our universal short code 455555,
and we text you back with the information you want. Here's an example:

• Text "BAL" to Mobile Banking at 455555
• You'll get a text message back with the balance from three of your
checking, savings, or money market account(s)
Application form of m-banking (ICICI Bank)

Application for INTERNET banking and M-banking

(All fields with * are mandatory to be filled.)
Name of the applicant: Mr./Ms./Mrs.
Surname *: ___________________
First Name *: _______________________
Middle Name *: _______________
Mailing address *: _____________________________________________________________
_____________________________________________________________
City *: ____________________
Pin Code *:
Email Address *: ____________________ @_______________
Phone No.: _____________________
MOBILE No.: ________________________
Mother's Maiden Name *: ____________________
Date of birth * (dd/mm/yy): _______/ _______/ ______

Instructions
I) In case of joint accounts, the applicant is required to obtain the
attached mandate from the joint account holder(s).
II) ICICI Bank accountholders can access their bank accounts through
ICICI Bank Internet banking only where the mode of operation of ICICI Bank
account is Single/Either or Survivor/Anyone or Survivor.

CHALLENGES

The world’s second largest populated country, India, is the apple of the eye
for the world now. The world economies are seeing it as their potential
market. This has been going on for quite some time now, ever since the
1991 reforms of liberalization, globalization and privatization. Indian
markets in urban areas have grown appreciably and are on the verge of
saturation, so corporates have started tapping rural markets, since more
than 60 per cent of India’s population lives in rural areas.

During this global meltdown and fall of exports, if the Fast Moving
Consumer Goods (FMCG) sector has been able to show rising quarterly
growths, it is because of the Rural Markets and their rising spending
power, which have not been affected by this meltdown. If we look at the
strategies followed by Rural Marketers in the FMCG sector, it is to sell
many small sachets of Rs. 2 shampoo pouches, Rs. 5 Maggi packs and the
Rs. 5 chota Pepsi, because here, the strength lies in volume sale,
considering the large consumer base in these rural markets which won’t
spend altogether at once on buying large family packs of 500ml shampoo
or super saver packs of Maggi or a Pepsi pet bottle of 2 litres.

Therefore, consumption trends followed by the rural Indian are considered to
be the driver of future growth of companies. And this trend of tapping
rural markets is visible across all sectors now, be it FMCG, IT, Banking,
education etc. For example, today, India is in a better state than China
because our GDP is less dependent on exports as compared to them,
where maximum revenues come from exporting to the European and US
markets. Thus, tapping the rural markets is most important for us to be a
self sustaining economy.

India has been considerably shielded from the global recession. Firstly, we
are not very dependent on the exports for our GDP and have a good
consumer base in India. Secondly, we are a saving prone economy,
unlike western economies which are consumption prone. Thirdly, when
banks across the world are falling like a pyramid of playing cards; we are
safe, steady and strong, with our banks which have acted like a strong
backbone of our economy during the present turmoil. And just like the
FMCG sector, there is tremendous growth potential in the banking sector,
because firstly, the rural masses have the habit of saving and spending
only when needed. Secondly, they have small credit requirements for
agriculture, cottage industry and marriages etc.

According to research carried out by the Reserve Bank of India (RBI),
on an all India basis, 59 per cent of the adult population in the country
has bank accounts and 41 per cent don’t. In rural areas, the coverage of
banks is 39 per cent, against 60 per cent in urban areas. There is only one
bank for a population of 13000.

Tapping the rural market by banks becomes all the more important, not only
for the banking sector, but all other industrial sectors as well. If there is
growth in the banking sector, it benefits the other sectors as well. By this,
it is meant that in this sector, the trickledown theory of economic growth
or top down approach works, if we keep the banks at the apex in India
Inc. The reason is that, as banks promote savings in the economy, they speed
up the capital formation and then become the source of finance of trade
and credit for the industry. Then they provide credit to enable
entrepreneurs in their ventures, which promotes production and
employment. This production and employment generates income and
consumption and supply and demand, by increasing the spending power
of people. And the sum total of all these reduces poverty and leads to
better lifestyles.

But the problem is that banks have not been able to reach a vast majority of
the rural population; the rural poor have limited access to organized,
affordable and transparent financial services such as savings, loans,
remittances and insurance services etc. It is important for them to have
access to banking services, especially credit and insurance, to enlarge
livelihood opportunities and to empower themselves to take charge of
their lives.

The unorganized sector of lending is believed to be acting as a problem to
the growth impetus in these sectors. In several villages, farmers still go to
traditional money lenders like zamindars for meager sums of a few
hundred or thousand rupees and get into a debt trap for their whole lives.
The results are farmer suicides, bonded labor, naxalism, political and
social unrest and, on top of it, poor financial management, which, had it
been done smartly, would have helped the economic growth of the farmers
themselves and of the economy.

Project Financial Literacy of the RBI is one such initiative of dual purpose.
First, financial inclusion of the rural poor and second, to tap the growth
potential in rural markets by volume growth for banks through
edutainment (education + entertainment). Its objective is to disseminate
information about the central bank and general banking concepts to
various target groups like children, women, self help groups etc., using
development communication and increasing the habit of saving in the rural
poor. Because if in an economy, saving is more than 30% for 7
consecutive years, the GDP doubles and India can’t ignore the rural
sector to increase our savings.

Mobile banking (m-banking) in India, viewed by the government as a
potent tool for financial inclusion, is yet to clear many hurdles before
it can fulfil its objective of reaching the unbanked masses. Primarily
so, say analysts, since the mobile density in tier II and III cities is
11 per cent and 10 per cent respectively. An improved rural banking under
the umbrella of the RBI by the means of
mobile banking, self help groups and microfinance institutions is
important. The effective use of development communication, using
Information and Communication Technology (ICT) will help to create
awareness for financial inclusion through banks and make it a success.
Here, it is important to use technology as an enabler via mobile banking,
because large numbers of Indians are using mobile phones. Using mobile
phones for banking operations will cut costs by branchless banking, as
there is no need for physical infrastructure and human resources, which is
a problem in rural areas and a major constraint in carrying out banking
operations. It will also make it convenient, safe, reliable and transparent.

With above initiatives and reaching out to women, self help groups, and
microfinance institutions, the banks will not only be able to reach out to
half of the population of India, that is, women, but as these changes
expand access to financial services for the low income segment and rural
masses, the effects can be measured in many ways, not just in the volume
of GDP growth, but new jobs and income generations, greater personal
safety for women, better education for their children, timelier health care
for themselves and their empowerment.

Thus, future development of India and the growth of India Inc. lies in
financial inclusion, by tapping the rural markets through banks. This will
not only help corporates in fulfilling their social responsibilities, but is
important for fuelling growth in other industries and to keep the economy
growing and moving. Truly, there are fortunes at the bottom of the
pyramid.
In India, one of the largest microfinance companies (SKS Microfinance)
has only about 15 per cent of rural borrowers with mobile phones. If this
is any indication, it will take some time for m-banking to reach to the
unbanked. However, there are several initiatives being taken by
governments, service providers, and the like, to enhance the offering and
extend its reach. A case in point could be the initiative by the
Government of Andhra Pradesh to enhance the reach and enrol 3 million
rural citizens for m-banking services,” says Basant Shroff, associate
director, Advisory Services, Ernst & Young.
Telecom companies can play their part in mass adoption if they issue a
free SIM and set entry cost low, suggest analysts. But will banks
cannibalise their existing transactions set-ups in which they have spent
crores by using the mobile platform for extremely small ticket size
transactions? they ask. RBI m-banking norms have limited the value of
transaction at Rs 2,500 per transaction and Rs 5,000 per day.
Romal Shetty, executive director, Risk Advisory Services, KPMG,
explains that the low average cost of transaction (Rs 2) makes up for the
small-ticket size. “Besides, alternatives are expensive for the financially-
excluded classes such as money orders for transfer or traditional money
lenders for loans,” he notes.
Shroff adds: “Consider a customer asking for their account balance
through a toll free number and compare this with the transaction costs of
doing the same through m-banking, there is definitely savings in case of
the latter.”
In rural India, where banks' reach is limited, other non-transaction based
services such as information (account balance enquiry etc) or
authentication (one time password for transactions) would be performed
through the mobile platforms, thereby supporting other systems of banks,
rather than cannibalising. In the beginning, there will be large upfront
setup costs for banks. But as transactions increase, the unit cost of
transaction will start seeing a downward trend and this will make up for
the other associated costs.
On the other hand, 50-60 per cent phones are entry-level phones,
maximum in rural areas. GPRS or WAP supported transactions are out of
question there. Vijay Balakrishnan, CMO, Obopay, says: “In such areas,
SMS-based banking will be the most viable option. Only barrier for rural
adoption is language.” Technology service providers are working on
bringing vernacular languages into their application ambit.
Dewang Neralla, Director, atom Technologies, says: “While ensuring
availability across very low-cost handsets, the issue that needs to be
looked at is primarily security. Whether such handsets will be able to
provide a secure communication channel is a question that needs to be
addressed.”
Another deterrent is that RBI regulations require mandatory physical
document based registration. In rural areas where banks are very remote
and few, it could have an impact on costs and adoption. Concludes an
optimistic Shetty: “With an expected 200 million rural connections by
2012, up from about 90 million currently, the opportunity of 110 million
potential depositors is high. Around 25 per cent of Indian households are
working with informal banking mechanisms. M-banking has placed this
segment in the banking sector's radar as a means of growth.

Speaking at CII's 'Banking TECH Summit 2010', SBI
Chairman O P Bhatt said, "We are emphasizing on mobile banking along
with some major technology projects like data warehousing in 2010."

He further said, "Tenders will be issued for the payment system gateway
solutions to increase the use of technology."

SBI Chairman O P Bhatt:

• 65,000 villages in India, only 30,000 are covered by the commercial bank
branches.
• More banks, branches and services will be needed, which necessitates
greater penetration of IT.

Mobile banking would improve and encourage banking in rural areas,
said S R Rao, Additional Secretary – Information Technology, Ministry
of Communications & Information Technology.

There is a huge scope for banking in rural areas as they still remain
untapped and it can be possible through mobile banking.

In 2009, there were 136 million mobile subscribers in rural areas which
are estimated to increase to 280 million by 2012 and 320 million by
2015. By next year the mobile subscriptions will cover India's entire rural
population.

6. M-BANKING AND WORLD

M-banking is not very popular in India, but it is very popular around
the world. The reason can vary from country to country. For example, in
Europe people use m-banking because the level of mobile phone
penetration is very high (at least 80% of consumers use a mobile phone).

In Asian countries like India, Bangladesh, China, Indonesia, Korea and
Philippines, mobile infrastructure is better than the fixed-line infrastructure.
M-banking can be performed by people with moderate and low income
because it does not require a PC with an Internet connection (which is not a
big obstacle for people in the US and the European countries). In Latin
American countries like Paraguay, Brazil, Uruguay, Venezuela, Colombia,
Argentina, Guatemala and Mexico, m-banking is a great success due to the
same reason.

Mobile phones have become an integral part of the 21st century landscape
with an expected penetration of 4.5 billion by 2011. While North America and
Europe have the highest penetration rates, reaching 100% in many Western
countries, South America and Asia represent the fastest growing mobile
markets. The mobile phone is the one device that people carry with them at all
times. Services beyond voice and text messaging are booming all over
the globe and users want the same services on their mobile phone that they
can get through an internet-connected PC. Mobile phones represent a
cost-effective solution for bank and unbanked users,

However, similar to the US, these countries do not have separate laws
concerning m-banking. This industry is typically regulated by guidelines
describing the banking transactions and handling personal financial
information. For example, in India only the banks that have a physical
presence may offer mobile payment services. Only Indian rupee services
should be provided.

KENYA
Kenya has some mobile phone services that are years ahead of
what we have right now. Eagle was at ETech to present his new startup,
Txteagle, which aims to be a kind of mobile Mechanical Turk, using
countless mobile phone users in Kenya and beyond to solve easy tasks and
earn small amounts of money in return. There’s a good write up in Wired
News today.
It’s definitely an interesting idea. But to me, the real story is how mobile
phones have transformed a country like Kenya in recent years, making
not only services like Txteagle possible, but also shaking up the region’s
entire economic system.
Eagle spent the last few years going back and forth between Kenya and
the U.S., and he witnessed this transformation firsthand. According to
Eagle, local incumbent Safaricom had started a minute-sharing service
for its prepaid cell phone plans a few years back. The idea was to enable
users to send minutes to family members in rural areas, who weren’t
otherwise able to buy prepaid phone cards. However, Kenyans quickly
came up with other uses. “Lots and lots of people were using it as a
surrogate for currency. You could literally pay for taxi cab rides using cell
phone credit.”
Safaricom realized a huge opportunity and started a mobile payment
service called M-PESA. To call M-PESA a success would be an
understatement, according to Eagle. “Within about a year, (Safaricom)
became the biggest bank in East Africa.” Today you can use your phone
to pay for cab rides and electricity, to get money out of ATMs without
owning an ATM card or even having a traditional bank account.
Eagle shared another striking example of the transformative power of
mobile payments during his ETech talk. Rural communities used to have
to pay a lot of money upfront in order to get a modern well capable of
providing clean drinking water. Now, there are companies that install
these wells for free, complete with an integrated cell phone payment
system. Want some water? Just pay as you go with your M-PESA
account. It has transformed the country.

SRI LANKA
DFCC Vardhana Bank (DVB) launched Vardhana MBanker, a mobile
banking service to improve its customer base.

DFCC Chief Executive Officer Lakshman Silva said the new product will
make banking activities even easier at the doorstep of the customers. With
the use of mobile terminals, DVB banking executives will visit customers to
carry out basic banking activities to provide banking inclusion to consumers.

People especially in rural areas who had been deprived of modern banking
facilities will benefit through this system.

Silva said the Vardhana MBanker mobile banking service will encourage the
rural business community who are not familiar with banking system to do
business with the bank. There are 74 DFCC branches and service points for
customer convenience.

The bank has 30 extension offices and 40 more service points will be added
this year expanding the network.

Customers do not have to go to the bank. Instead bank officials will go to
their houses with mobile terminals and issue receipts immediately for the
transactions done.

They can deposit any amount of money without any problem and the bank
has facilitated its staff with mobile vans to complete cash transport.

We want to make a revolutionary change in the banking industry by
introducing innovative products and services.

A subsidiary of the DFCC Bank, Synapsys Ltd, has deployed conventional
technology to extend the bank's reach even further.

The Vardhana MBanker mobile banking solution involves the use of
handheld mobile computer units which can be used at any remote location
via the use of standard communications technology such as GPRS and 3G.

The DFCC Bank Dambulla Branch officials visited customers in the area
launching this product yesterday.

Courtesy: DailyNews SRILANKA

Mobile Banking Overtakes Telephone Banking in the UK and USA
Surpassing both branch and telephone banking in terms of popularity, a
survey has found that 25 percent of U.S. mobile phone users and 37
percent of U.K. mobile phone users have adopted mobile banking
services. When asked which banking method users preferred, respondents
found mobile banking more convenient and easier to use than telephone
banking (voice and touchtone) by a margin of 3 to 1 in the U.S. and by a
1 percent margin in the U.K.
Conversely, when asked about branch banking, fewer respondents
selected it as their favorite method of banking, with only 2 percent in the
U.S. and 3 percent in the U.K. choosing it as their preferred method.
According to statistics, nearly 70% of Americans use a mobile phone,
and the demographics of mobile phones users are much more diverse
than that of Internet users. That’s why m-banking, or mobile banking, is
so popular in the U.S. It opens up new opportunities for financial
institutions interested in providing their services and attracting new
customers.
The research, commissioned by mBlox, revealed that the greatest benefits
of mobile banking for consumers (52 percent in the U.S. and 46 percent
in the U.K.) are the ability to "access banking services anywhere, at any
time," as well as "convenience" and "time-saving."
"It's clear from the findings of this survey that consumer behavior is
shifting to adopt the capabilities afforded by mobile banking," said
Andrew Dark, CEO, mBlox. "We are seeing strong interest in the mobile
sector from a wide variety of industries including transportation, retail,
marketing and entertainment, which shows there is an opportunity for
financial services to benefit from this increasingly popular channel."
The research also identified the services consumers are most interested
in using on their mobile phones. In both countries, respondents rated as
their top four services: daily balance notifications; suspicious activity
notifications; fraud alert notifications; and low balance, overdraft, and
credit limit notifications. U.S. respondents also cited as a key service the
ability to transfer funds between accounts, while U.K. respondents
favored the ability to view statements and transaction history.
"Consumers today want real-time, round-the-clock access to their
finances and are demanding a higher level of convenience for managing
such information," said Soren Bested, Managing Director of Monitise
Americas, an mBlox partner providing mobile banking and payment
services to North American financial institutions. "It's no surprise that the
'anywhere, anytime' aspect of mobile banking was one of the greatest
benefits found in the mBlox research, and we see SMS as a key
ingredient in providing that convenience factor. Whether it be requesting
an account balance or receiving a text alert notifying consumers of
activity on their account, SMS provides a method of financial control.
We're delighted to partner with mBlox to deliver high-quality, reliable,
and secure mobile messaging to our customers."
The research highlighted two factors, however, that may be slowing
down the growth of mobile banking services. These top two reservations
were identified by respondents as "security" (33 percent in the U.S. and
49 percent in the U.K.) and "cost" (31 percent in both the U.S. and U.K.).
We understand that security will be a consumer concern with any
banking service. For this reason, mBlox continues to invest significant
sums in its data centers, processes and networks to ensure that it is on par
with the latest financial security standards. With regards to cost, SMS is
an inherently cost-effective solution for the transmission of information,
with minimal or no cost to the end user. Our ability to facilitate the safety
and integrity of consumer's financial information is paramount and is
what sets us apart from our competitors. The industry needs to work
together to educate users to the secure and cost-effective nature of mobile
banking services and we at mBlox intend to lead in this respect.

Some of the largest U.S. banks -- Bank of America, Citibank,
Wachovia, Washington Mutual, Wells Fargo, and ING Direct – are
launching mobile banking services that give you access to your accounts
wherever you are.

Like regular online banking, the mobile service allows consumers to
transfer funds, check balances, make bill payments, and look up branch
locations from their mobile devices. Though still in its infancy, banks are
hoping the mobile service will catch on with consumers. Dan Schatt, a
senior analyst at Celent, says banks see it as a way to keep customers and
“generate more payment revenue down the line” as people get more
comfortable with using mobile devices for their finances.
The more services the banks offer, the less likely you are to quit your bank
entirely.
Mobile banking is an obvious extension of online banking as cell phones get
more powerful and begin to mimic computers. This week's launch of
Apple's eagerly awaited iPhone is intensifying the push to have cell
phones and other mobile devices do everything that a home computer
does.

7. MOBILE BANKING RISK & SECURITY

Is mobile banking safe? Risk
The experts are very optimistic about the future perspectives of mobile
banking. They think that it will grow much faster than online banking.
Carrying a cell phone is much easier than carrying a laptop!

Mobile banking is generally considered safer than online banking. The
main threats to online security, such as viruses, Trojans or other
data-stealing software don't exist for cell phones. So the risk of being
infected on a mobile phone is minimal in comparison with a PC.

The main type of scam that mobile banking users should avoid is called
"Smishing." It is a variation of the e-mail phishing scam. Smishing
occurs when a person posing as a financial institution sends a text
message requesting personal information or a social security number.

You will be asked either to click a website URL or to call a phone
number that connects to an automated voice response system.

The smishing message usually contains information that will definitely
capture your attention. For example, you will receive a notice that you
have been subscribed to a paid site, and you need to click a link to cancel
this subscription. Or the thieves can write that your account has been
suspended and you need to reactivate it by making a call.

The link will redirect you to a legitimate looking website where you will
be asked to enter your SSN, credit card number, PIN, email address, etc.
If you need to make a call, you will be connected with a legitimate
sounding automated voice response system which will ask for the same
pieces of information.
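
The smishing traits described above (a link or call-back number, a suspension or subscription lure, a request for secrets) can be turned into a simple triage check. This is an added example, not part of the original report; the weights, keyword lists and sample messages are constructed for illustration, and the registered sender list is an assumption.

```python
import re

# Assumption: sender IDs the customer has registered as the bank's own.
# 455555 is the example short code quoted earlier in this report.
KNOWN_BANK_SENDERS = {"455555"}

LINK_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
CALLBACK_RE = re.compile(r"\bcall\b[^.\n]*?\+?\d[\d\s()-]{7,}\d", re.I)
SECRET_RE = re.compile(r"\b(?:pin|password|ssn|social security|card number|cvv)\b", re.I)
LURE_RE = re.compile(r"\b(?:suspended|reactivate|subscribed|cancel|locked)\b", re.I)
BANK_CLAIM_RE = re.compile(r"\b(?:bank|credit union|account)\b", re.I)


def triage(sender: str, text: str) -> dict:
    """Score one SMS against the smishing traits and explain the score."""
    checks = [
        (2, "contains a link to follow", LINK_RE.search(text)),
        (2, "asks for a call back to a number", CALLBACK_RE.search(text)),
        (3, "asks for a secret (PIN, SSN, card number)", SECRET_RE.search(text)),
        (2, "uses a suspension or subscription lure", LURE_RE.search(text)),
        # A sender ID can be forged, so a known sender only withholds this
        # one point; it never clears a message on its own.
        (1, "talks about a bank account but sender is not registered",
         BANK_CLAIM_RE.search(text) and sender not in KNOWN_BANK_SENDERS),
    ]
    reasons = [why for _, why, matched in checks if matched]
    score = sum(points for points, _, matched in checks if matched)
    if score >= 5:
        verdict = "likely smishing"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages (sender, text); none are real traffic.
SAMPLES = [
    ("455555", "BAL: Checking ...1234 Rs 10,250.00; Savings ...9876 Rs 4,100.50"),
    ("+15550100123", "YourBank alert: your account has been suspended. "
                     "Reactivate at http://yourbank-secure.example/login and confirm your PIN."),
    ("28849", "You have been subscribed to PremiumTones at $9.99/week. "
              "To cancel call 1-800-555-0100."),
    ("455555", "Your account is locked. Send your PIN and card number to unlock."),
]


def triage_samples() -> list:
    """Return the verdict for each constructed sample, in order."""
    return [triage(sender, text)["verdict"] for sender, text in SAMPLES]


if __name__ == "__main__":
    for (sender, text), verdict in zip(SAMPLES, triage_samples()):
        print(f"{verdict:16} {sender:14} {text[:50]}")
```

The last sample shows why the registered sender is not treated as proof of legitimacy: a message that asks for a PIN is flagged whatever sender ID it carries.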

Business Risks
• Most of the business risks that rate as High are found where the
transactions pass through a common component, like the SMSC or USSD
server, or where there is a vulnerability common for all end users.

Individual Risks
• Individual risks are the union of the business risks and the individual
risks. A business risk generally affects the business and therefore all
individuals; the individual risks are those that individuals are exposed
to due to their specific use of the channel. The risks introduced by the
individual stem from how the individual uses the service. As such, the
countermeasures usually involve user education.

The report so far has considered the risks associated with the choice of
mobile specific technology. However, these technology choices do not exist
in a vacuum: they are dynamic, not only in that they change over time as
technology changes (which will be discussed in Section 5.1) and as
knowledge of vulnerabilities and how to exploit them spreads, but also
because final risk evaluation is shaped by context: both at the level of
the environment within which the mFSP firm operates and by the inherent
risk of the firm’s business model. This section therefore sets out the
scaling factors which should be applied to the results of the preceding
process to determine the scaled final level of risk faced by the mFSP.
Environmental risks
• The environmental risks linked to the use of the mobile channel may be
heightened when: A significant proportion of the users are first time users
of electronic banking of any form, and hence have had less exposure and
practice with issues like PIN protection or with the need to check
statements for unauthorized transactions. Transformational models are
likely to have more first time users, since targeted customers of m-FS
may be previously unbanked at the time when they sign up for

With the rapid development of mobile banking, users have faced a very
serious problem: there are no specific laws concerning this industry. The
lawyers just can’t follow the pace at which mobile banking is
developing. Banks need to take into consideration regulatory and security
issues involved with implementing mobile solutions. First of all, it
concerns third-party vendors (such as software developers,
telecommunications companies, etc.). Some of them may not have any
experience handling personal financial information. There are just a few
states that require vendors providing services to a bank and its customers
to license as money services businesses. That’s why it is necessary for
financial institutions to evaluate the risks associated with outsourcing
mobile solutions to a vendor. Banks can implement a system that will
help them evaluate a vendor’s capability to provide such services.

So even though mobile banking data is encrypted, it is necessary to
impose privacy requirements on vendors, because some of them might
not fall within statutory requirements to keep all customer information
confidential.
Mobile phone banking is in a high-growth phase, with at least 90
companies emerging in recent years offering banking and payment
applications for mobile phones.
It is estimated that as much as half of the world’s population may now
own a mobile phone, with about 80% of the US population thought to
own one. The World Bank estimates that about two-thirds of the world's
population live within range of a mobile phone network. It is expected
that around 2.3 trillion SMSs will be sent in 2008.

Mobile phones tend to be replaced every 18 months, compared to PCs
being replaced on average every 42 months.

Fraudsters will target any channel which distributes value, customer data
or electronic money. The rate of loss of mobile phones averages one
every minute in the world. If the whole industry could adopt a holistic
approach and plug any gaps in the security lifecycle by applying these
best practices and conforming to standards, a Trusted Environment for
mobile banking will prevail.

The new best practice manual covers the following steps in the security
lifecycle: SIM card security, mobile software security, enrolment,
registration, and customer access to banking on mobile devices, security
and privacy of customer details/data, customer education on the mobile
phone as an instrument of value, dealing with lost or stolen mobile
phones/devices, security of software and transmission to financial
services device (e.g. ATM), defining strengths and vulnerabilities of
each mobile phone channel/protocol and outlining the regulatory
framework for mobile banking.

The mobile phone has been used very successfully as authentication tool
for online banking, through a confirming SMS sent by the bank to the
customer during online transactions. It has already proved its worth in the
field of banking security.
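
The confirming SMS described above is only as strong as the server-side check behind it. The following is an added example, not code from the original report or from any bank: a one-time code that is tied to the exact transaction it confirms, expires, can be used once, and is discarded after repeated wrong guesses. The class and field names, the three-minute lifetime and the three-attempt limit are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 180  # assumption: a code is valid for three minutes
MAX_ATTEMPTS = 3        # assumption: challenge is discarded after three wrong codes


@dataclass(frozen=True)
class Transaction:
    account: str
    payee: str
    amount_paise: int  # integer minor units, so no float rounding

    def digest(self) -> bytes:
        # Length-prefixed fields give one unambiguous encoding per transaction.
        parts = [self.account, self.payee, str(self.amount_paise)]
        blob = b"".join(len(p.encode()).to_bytes(2, "big") + p.encode() for p in parts)
        return hashlib.sha256(blob).digest()


class SmsConfirmation:
    """Issues and checks one-time codes that confirm one transaction only."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock
        self._pending = {}  # challenge id -> {"tag", "expires", "attempts"}

    def _tag(self, code: str, txn: Transaction) -> bytes:
        # Only a keyed hash of (code, transaction) is stored, never the code.
        return hmac.new(self._key, code.encode() + txn.digest(), hashlib.sha256).digest()

    def issue(self, txn: Transaction):
        code = f"{secrets.randbelow(10**6):06d}"
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = {
            "tag": self._tag(code, txn),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        rupees = f"{txn.amount_paise // 100}.{txn.amount_paise % 100:02d}"
        # The SMS repeats payee and amount so the customer sees what is approved.
        sms = (f"Confirm transfer of Rs {rupees} to {txn.payee}. "
               f"Code {code}. The bank will never ask you for this code.")
        # The code is returned only so this example can play the customer's
        # part; in production it leaves the server in the SMS and nowhere else.
        return challenge_id, sms, code

    def verify(self, challenge_id: str, txn: Transaction, code: str) -> bool:
        state = self._pending.get(challenge_id)
        if state is None:
            return False  # unknown, already used, expired or locked out
        if self._clock() > state["expires"]:
            del self._pending[challenge_id]
            return False
        state["attempts"] += 1
        # Constant-time comparison; a changed payee or amount changes the tag.
        if hmac.compare_digest(state["tag"], self._tag(code, txn)):
            del self._pending[challenge_id]  # single use
            return True
        if state["attempts"] >= MAX_ATTEMPTS:
            del self._pending[challenge_id]  # stop online guessing
        return False


def demo():
    """Approve a transfer, then show that replay and tampering both fail."""
    svc = SmsConfirmation(secrets.token_bytes(32))
    txn = Transaction("ACC-1", "PAYEE-9", 250000)  # constructed sample values
    cid, _sms, code = svc.issue(txn)
    approved = svc.verify(cid, txn, code)
    replayed = svc.verify(cid, txn, code)
    cid2, _sms2, code2 = svc.issue(txn)
    tampered = svc.verify(cid2, Transaction("ACC-1", "PAYEE-666", 250000), code2)
    return approved, replayed, tampered


if __name__ == "__main__":
    print(demo())
```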

Credit unions and banks across the country employ multiple forms of
identification authentication, log-in procedures and encrypted
communications to make sure cyber criminals can’t access confidential
banking information while consumers are using a mobile banking
application. However, the biggest threat to mobile security isn’t the
technology; it’s the fact that many consumers are ignorant of the many
fraudulent applications that exist online and on mobile platforms.
SOME STEPS TO SECURITY
-Password-protect your mobile device and lock your device when it’s not
in use. Keep your mobile device in a safe location.

46
-Frequently delete text messages from your financial institution on your
mobile device, especially if they contain sensitive information.
-Never disclose personal information about your accounts via text
message, i.e. account numbers, passwords, or any combination of
information that can be used to steal your identity.
-If you change your mobile number or lose your mobile phone,
immediately contact your financial institution to change the details of
your mobile banking profile.
-Do not hack or modify your device, as this will leave it susceptible to
infection from a virus or Trojan. When possible, install mobile security
software on your device (if it’s available). Some mobile security
solutions include: AhnLab Mobile Security, avast! PDA Edition,
Kaspersky Mobile Security, and Norton Smartphone Security.
-Be aware that malware exists and fraudulent applications will continue
to pop up. Don’t download applications onto your phone without
checking them out first. Verify the legitimacy of an application with your
financial institution before downloading it to your smartphone- verify
that the app publisher or seller is your financial institution, or if possible,
go through your financial institution’s website to download the
application.
-Report any banking application that appears to be malicious to your
financial institution right away.
-Monitor your financial records and accounts on a regular basis and
consider having electronic alerts on account activity sent to your email or
mobile device. Regularly review your statements with online banking.
This will enable you to spot any suspicious activity
-If you have been a victim of identity theft, contact your financial
institution immediately. You should also place a fraud alert on your
credit report and continue to review your credit reports, close the
accounts that you know (or believe) have been tampered with or opened
fraudulently, and file a complaint with the Federal Trade Commission.

Finally, Smilgys points out that using mobile banking can actually help
deter some fraud because it gives a person an easy way to check their
account on a regular basis and notify their credit union or bank more
quickly if they see suspicious act

If you are a user of a mobile banking service, you can experience the ease
of accessing your account balance, last statement, but when it comes to
transactions, bill payments, it gets challenging. On the market there are
different solutions for transaction authorisation, especially in
browser-based mobile banking:
- simple PIN (unsecure)
- one-time-password generated by another device (two-device misery)
- one-time-password received in SMS (application switching misery)
- one-time-password generated by another phone app (same as above)
- simple PIN and no possibility to transfer to new payees, but only to
partners registered in the online banking (what if I need a new one?)

So far there is no silver bullet, but I advise you to keep an eye on an
upcoming technology: voice verification of the transactions in a
biometric automated way.

The model is simple: after you have initiated a transaction on the mobile
(to new payee or over a limit), the "machine lady" calls you to read back
the transaction details and ask for your confirmation, so you need to say a
sentence to the phone. If it is you, the biometric voice check and your
transaction passes.

No need for an authentication device, biometric security, it sounds
promising doesn't it? Still, the market uptake is not yet there, we are
waiting on real success stories and 100% reliability.

Would you consider such a solution secure enough and user friendly?

Voice based authentication has been tried in the past - I am aware of at least
one provider in the US. At the time, several years ago, the technology
wasn't fully mature and there were instances of genuine account holders
with a sore throat finding their access blocked! If the technology has
matured since then, voice verification is surely an option that strikes a
good balance between security and convenience.

For all biometric technologies, error rates are highly dependent upon the
population and application environment. The technologies do not have
known error rates outside of a controlled test environment.

It's outrageous, when the primary concern allegedly addressed by
biometrics is crime, that biometric bench testing bears no resemblance to
real life efficacy against criminals.

Someone asked me recently whether I thought mobile banking was safe
or not. I admitted that I don't do it but that doesn't really say much. Then
I mumbled something incoherent and vowed to get a real answer.

After talking to a number of mobile and security experts, I've come to
the conclusion that far from being less secure, mobile banking may even
be more secure than logging on to your bank Web site over your PC. And
the consensus is that it's probably less risky than using checks, which can
be forged, and credit cards, which can be stolen or skimmed at ATM
machines for clones to be made. That's good news for the brave few who
have ventured into the market. Of all U.S. Internet users, 6 percent have
done mobile banking in the last week, and 12 percent have done it in the
last month, according to Javelin figures. An estimated 30 million
consumers in the U.S. do mobile banking, and half of all consumers think
it's not secure, the research firm said in a mobile banking security
standards report in December.

Despite the fact that online banking options abound in the U.S.--from
AT&T, Nokia, Sprint Nextel, Visa, and the major banks--consumers have
been reluctant. That could be for several reasons, my colleague
Marguerite Reardon has concluded: they don't like downloading apps to
their phones as is required by some banks, they are turned off by the
small screen, and they can do it on their PCs more easily.

"We're not hearing of security issues in the mobile world," because the
security benefits with mobile banking outweigh the disadvantages.

First, the con to mobile banking security:

• Mobile devices are easy to lose: It's more or less as safe as banking you
would do from your home computer, maybe slightly more risky, similar
to using a laptop at Starbucks. The biggest difference is you are carrying
the thing around with you and are more likely to lose physical custody of
it than a computer.

• Even so, the convenience outweighs the risk, he said. "It is no riskier than
calling someone using your debit card or buying on Amazon with a debit
card."

Now for the pros:

• Mobile banking can be done anywhere at any time: Because
people can do mobile banking at any time, they are more likely to
log on more frequently and thus the chances of them detecting
fraud are increased, said Van Dyke.

• Mobile has a diversity of platforms: In the mobile world in the
U.S., there is no one dominant mobile platform that can be
targeted by malicious hackers like there is with Windows in the
PC market. The lack of standardization also reduces the chances
that malware will be interoperable with a broad range of mobile
software and get widely distributed.

• No banking-related mobile viruses or malware yet: "In the mobile
era, we're not seeing any such Trojans, which has partnered with
Barclays in the U.K. to offer security software to mobile
customers.

• Mobile banking functions are limited at this time: In general, U.S.
consumers can check their account balances, transfer funds between their
accounts, and see recent transactions over their mobile devices.

In most instances, if someone found your phone and logged into your
mobile banking account, the worst they could do is pay your electricity
bill.

However, things will change as more transaction functions are enabled on
mobile devices, the experts said. For instance, point-to-point transactions
and cross-border money transfers are on the horizon, according to
Holland.

There will be more risk as payments move over to mobile devices
because criminals will put more focus there and you will get spoofing
attempts.

The ability to use your cell phone to buy things will undoubtedly put a
dent in the credit card business, but it will also give mobile carriers
additional revenue to make up for voice business they are losing to things
like Skype and text messaging.

There is no reason people have to pull out a plastic card with a magnetic
strip, technology developed 30 years ago, to buy a latte. Just hold the
phone next to a cashier, it goes beep and there you go.

Other countries are already offering mobile transactions. For example,
NTT Docomo in Japan, which uses McAfee security software to monitor
for malicious activity on its mobile phones, initially started allowing
consumers to use their phones to pay for public transport, and then added
payments for things like ice cream and eventually banking.

In the U.S., banks are more cautious. Payments and banking are the
biggest security concern for mobile device manufacturers, according to a
Mobile Security Report.

At the same time, the manufacturers aren't installing additional security
protection on the vast majority of the devices and won't allow consumers
to install security software like they can with computers, said Volzke.

To safeguard against security risks, mobile users should use their device
PIN codes, download mobile apps only from their financial institution,
switch Bluetooth off when not in use, and avoid lending their phone to
strangers to minimize the chance of someone downloading a malicious
app onto the device.

All in all, "mobile banking is secure and there's not really any cause for
concern,

Security
Mobile Banking Security Model

Introduction
An effective approach to security involves a delicate trade-off between
security and customer convenience. Often customers can perceive security
requirements as an inconvenience. Therefore, mFoundry has made many
of the components of its mobile security approach optional. This allows
banks and credit unions that select mFoundry's mobile solution to
determine the best blend of security and convenience for their customers.
The majority of security approaches today work along two lines: first, make
it more difficult for an attacker to obtain customer credentials; second,
make it more difficult for an attacker to use those credentials to execute a
fraudulent transaction. Customer education is an important step in the
first approach. A knowledgeable customer is less likely to be ensnared by
phishing attempts. Similarly, a bank or credit union may eschew
the use of a channel that may be used in phishing. For example, customers
have been trained not to click on links in e-mails that purport to come
from financial institutions. An attacker may use this method to direct the
consumer to a malware or phishing site. In the balance of this document
we discuss mFoundry's approach to these key security considerations:

• End-User Education
• Preventing Code Insertion
• Limiting Spoofing

End-User Education
mBanking works via a Java, BREW or BlackBerry application (soon to be
extended to Windows Mobile and iPhone). As such, the application needs to
be either downloaded to the phone, or pre-installed by the operator.

Signed Applications
The first step is to train consumers to only download signed applications -
the signing process allows the consumer to verify the identity of the
application creator. process creates a set of signed binaries for every
supported device, signed with correct signature for the operator/phone
combination in question. signing certificate from either the financial
institution or the operator. If signed by the FI, the user receives a prompt
on installation indicating that the application has been provided by the
financial institution. Please note that the FI would need to procure the
appropriate certificate from VeriSign (Sun Java Signing Digital ID) as
the domain owner is required to initiate code signing.

Downloading From A Known Source

A second, optional step is to educate consumers that the application can be
downloaded only from a known source. In other words, make the
application available for download from a bank or operator domain, and
only after the user has been able to verify the identity of the
domain. For example, allowing the download only from a site using bank-
controlled adaptive authentication meets the requirement:
• User enters the bank's domain on his mobile phone.
• User presents his user ID over a secure connection (128 bit SSL).
• Bank responds with a shared secret (for example, an image and/or
passphrase previously selected by the user) to confirm the identity of the
bank.
• User authenticates with password (potentially subject to a challenge
question).
• Once verified, user is allowed to download application.
The bank may choose to educate the user that the URL must always be
manually entered, even on a phone, to minimize response to phishing
scams. In this case, the bank would educate the user that any text
message purporting to be from the bank containing a download URL is
by definition fraudulent. Similarly, use of adaptive authentication inside
the application minimizes the risk of spoofing:
• User launches the bank's application on his mobile phone.
• User presents his user ID over a secure connection (128 bit SSL) to the
bank. There is no possibility of a man in the middle attack as the bank
can mandate an integral end-to-end secure connection, and the services
end-point requested by the phone application is set in advance by the
bank.
• If the device is known to the bank, and has been previously associated with
the user in question, the device is considered trusted and authentication
continues. Otherwise, the user is presented with a challenge question,
drawn from a set of questions and answers created by the user in another
channel. Proceed to next step only on successful response to the
challenge.
• Bank responds with a shared secret (for example, an image and/or
passphrase previously selected by the user) to confirm the identity of the
bank.
• User authenticates with password.
• Once authenticated, the user is allowed to download application.
Through the above process, the user can verify that he is indeed connecting
to the bank (by verifying that she is seeing the correct shared secret
presented by the bank). out of the box support for RSA Adaptive
Authentication as a means to allow the consumer to verify the identity of
the bank, reduce spoofing/phishing, and of course implementing two-
factor authentication.

Two-Factor Authentication
two-factor authentication through its concept of a Mobile User ID
(MUID). The principle consists of uniquely identifying devices, requiring
that they be authorized individually, and registering them in the user
profile maintained by the bank. Each instance of the downloadable
application instance is assigned a MUID from the bank's mFoundry
server on first use. It is important to note that the MUID does not replace
the user’s unique ID (which is typically the online banking user ID). The
mapping between MUID and user ID could be one-to-one or many-to-
many, or combinations thereof:
• One MUID -> One User ID: standard case, user can only access his
accounts from the single registered phone
• One MUID -> Multiple User IDs: user has multiple separate profiles with
the bank, e.g. personal and business, wants to be able to access all from
the same phone
• Multiple MUIDs -> One User ID: user has multiple phones, wants to be
able to access same account from either
The user then has to register the device in his mobile user profile - which
requires proving his identity to the bank. On all subsequent requests, the
MUID is automatically appended to the request from the application.
Therefore:
• Initiating a secure session requires two factors of authentication: the user's
secret knowledge (passcode), plus the correct end user device. The user
must have previously proven to the bank that the device in question is in
the user's possession and have it authorized for access.
• If the MUID presented by the application does not match one of the ones
on recor

Finally, end users are simply not prepared for mobile application
fraud. Criminals will exploit the naivety of mobile subscribers who have
no reason to be suspicious of apparently legitimate applications that have
gone through stringent checks. Further compounding this will be the high
degree of differentiation between devices; while banks could educate
customers about nuanced differences between an online banking session
with their actual institution and one with a phishing fraudster (typos, SSL

session indicators, etc.), mobile devices present so many permutations in
terms of operating systems, visual displays and icons that education of
end users for each and every device on the market would be an
unmanageable undertaking.
The key to prevention of this type of mobile fraud will be stringent checks
by app store providers to ensure authenticity of financial institution
applications. Application stores need to be trustworthy entities, but in a
competitive environment where quantity trumps quality, the stringency
required to mitigate this type of fraud may not be possible. It will also be up
to financial institutions to remain vigilant about the products bearing their
brand in application stores since the app store providers may have other
priorities. While mobile application fraud may not be widespread at this
time, the threat to mobile banking security is undoubtedly on the horizon.
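
The MUID scheme from the Two-Factor Authentication section above, sketched from the bank's side as an added example (not mFoundry's code or API). Class and method names, the reason strings and the PBKDF2 passcode storage are assumptions; because the page's sentence on a non-matching MUID is cut off, refusing the session in that case is an assumption too.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


class MuidRegistry:
    """Bank-side record of which devices (MUIDs) may open sessions for which user IDs."""

    def __init__(self):
        self._passcodes = {}       # user_id -> (salt, passcode hash)
        self._issued = set()       # MUIDs handed to app instances on first use
        self._authorized = set()   # (muid, user_id) pairs: many-to-many by construction

    @staticmethod
    def _hash(passcode, salt):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ROUNDS)

    def enroll_user(self, user_id, passcode):
        salt = secrets.token_bytes(16)
        self._passcodes[user_id] = (salt, self._hash(passcode, salt))

    def _passcode_ok(self, user_id, passcode):
        salt, expected = self._passcodes.get(user_id, (b"\x00" * 16, b""))
        # Hash even for unknown users so both cases cost the same time.
        return hmac.compare_digest(self._hash(passcode, salt), expected)

    def issue_muid(self):
        """First launch of an app instance: hand out a random, unguessable MUID."""
        muid = secrets.token_hex(16)
        self._issued.add(muid)
        return muid

    def authorize_device(self, muid, user_id, passcode, identity_proven):
        """Tie a MUID to a user profile. identity_proven stands for the bank's own
        identity check (e.g. the challenge question set up in another channel)."""
        if muid not in self._issued or not identity_proven:
            return False
        if not self._passcode_ok(user_id, passcode):
            return False
        self._authorized.add((muid, user_id))
        return True

    def revoke_device(self, muid):
        """Lost or replaced phone: drop every profile link for that MUID."""
        self._issued.discard(muid)
        self._authorized = {pair for pair in self._authorized if pair[0] != muid}

    def open_session(self, muid, user_id, passcode):
        """Both factors are required. The reason string is for the bank's audit
        log; the app should only ever be told granted or denied."""
        knows = self._passcode_ok(user_id, passcode)
        has = (muid, user_id) in self._authorized
        if not knows:
            return (False, "bad-passcode")
        if not has:
            # Assumption: an unregistered MUID is refused outright.
            return (False, "device-not-authorized")
        return (True, "ok")
```

Keeping the authorization as a set of (MUID, user ID) pairs covers all three mappings listed above without special cases, and revoking a lost phone leaves the user's other devices untouched.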
India has about 688 MM (AUG 2010 TRAI Data) mobile phone subscribers,
a number that is larger than the number of bank accounts or Internet users.
Given the mobile tele-density of about 20% and development of secure
mobile technology solutions, banks are well-positioned to bridge the digital
divide and introduce the unbanked sector to the financial mainstream.

You may be aware that Reserve Bank of India had set up the Mobile
Payments Forum Of India (MPFI), a ‘Working Group on Mobile Banking’
to examine different aspects of Mobile Banking (M-banking). The Group
had focused on three major areas of M-banking, i.e., (i) technology and
security issues, (ii) business issues and (iii) regulatory and supervisory

issues. A copy of the Group’s report is enclosed. RBI has accepted the
recommendations of the Group to be implemented in a phased manner.
Accordingly, the following guidelines are issued for implementation by
banks. Banks are also advised that they may be guided by the original report,
for a detailed guidance on different issues.
However, to start with, we must understand who the various stakeholders are
and what their expectations are.
Stakeholders are as follows:
• Consumers
• Merchants
• Mobile Network operators
• Mobile device manufacturers
• Financial institutions and banks
• Software and technology providers
• Government

Each stakeholder group has the following expectations:
a) To meet the following Consumer expectations:
• Personalized service
• Minimal learning curve
• Trust, privacy and security
• Ubiquitous – anywhere, anytime and any currency
• Low or zero cost of usage
• Interoperability between different network operators, banks and
devices
• Anonymity of payments like cash
• Person to person transfers
b) To meet the following Merchant expectations:

• Faster transaction time
• Low or zero cost in using the system
• Integration with existing payment systems
• High security
• Being able to customize the service
• Real time status of the mobile payment service
• Minimum settlement and Payment time
c) To meet the following Telecom Network Providers expectations:
• Generating new income by increase in traffic
• Increased Average Revenue Per User (ARPU) and reduced churn
(increased loyalty)
• Become an attractive partner to content providers
d) To meet the following Mobile Device Manufacturers expectations:
• Large market adoption with embedded mobile payment application
• Low time to market
• Increase in Average Revenue Per User (ARPU)
e) To meet the following Banks expectations:
• Network operator independent solutions
• Payment applications designed by the bank
• Exceptional branding opportunities for banks
• Better volumes in banking – more card payments and less cash
transactions
• Customer loyalty
f) To meet the following Software and Technology Providers
expectations:
• Large markets
g) To meet the following Government expectations
• Revenue through taxation of m-payments
• Standards

I. Technology and Security Standards
The technology used must be secure and at the same time convenient to
deploy and cost effective. The following technology basis provides a
summary of the available models. Banks must deploy only secure
channels that provide a non-repudiable platform to transact.
Telecom Standard | Data Bearer | User Interface | Method of Invoking / Initiating Transactions | Security | Hardware / Setup Requirements
GSM | Plain Text SMS | Structured Text | SMS / J2ME | Weak Encryption | Works on any phone. Workarounds like IVR call backs for sensitive information are possible
GSM | USSD / Application SMS | GUI (Graphic User Interface) / Structured Text | SMS / J2ME | Secure Channel | J2ME client requires Java enabled phone.
GSM | GPRS / WAP | GUI | J2ME / Browser | Secure Channel | Java enabled phone with GPRS. Without GPRS this can work within the Telecom provider’s walled garden.
CDMA | Application SMS / GPRS / WAP | GUI | Brew / Browser | Secure Channel | Operator centric usage

The overall security framework should ensure:
• Encrypted messaging / session between consumer’s phone and third
party service provider / telecom company. Minimum encryption
standards to be specified to make the transaction banking grade (E.g.
Min 128 bit SSL)
• All subsequent routing of messages to the bank’s servers must be with
the highest level of security with dedicated connectivity like leased
lines / VPNs.

• If any sensitive information is stored in third party systems, banks
must ensure that access to this information is restricted with
appropriate encryption and hardware security standards.
• All transactions that affect an account (those that result in an
account being debited or credited, including scheduling of such
activity) should be allowed only after authentication of the mobile
number and the mPIN associated with it. Transactions only for
information such as balance enquiry, mini statements, registered
payee details, etc may be allowed with either mobile number or PIN.
• Unless fool proof security is used in compiling and deploying the
mobile banking applications, the PIN number should not be allowed
to be stored in the mobile banking application on the phone. As the
application installed on the phone would generally be developed in
Java, it may be possible to decompile it and extract the mPIN.
Alternatively, the application should be so compiled that it should not
be feasible to extract the PIN on decompilation.
• All accounts, credit or debit cards allowed to be transacted through the
mobile phones should have the mobile phone number linked to the
account, credit or debit card. This mobile number should be used as
the second factor authentication for mobile transactions.
• During the transaction, the PIN should not travel in plain text.
Otherwise, there is a risk of the PIN being snooped out of the phone from
sent items and also of it being exposed at the SMSC level. It may also
be possible to snoop out the PIN during transmission, although this is
very difficult in cellular communications.
• Proper level of encryption should be implemented for communicating
from the mobile handset to the mobile payments service provider’s
server. It has been assumed that proper security checks would be
made by the banks to ascertain the security levels of the service
providers. This may include PCI DSS certification in addition to
bank’s own audits.
• Proper system of verification of the phone number should be
implemented, wherever possible. This is so as to guard against
spoofing of the phone numbers as mobile phones would be used as
the second factor authentication.
• It is also recommended that Internet Banking login ids and passwords
may not be allowed to be used through the mobile phones. As

fraudsters get more sophisticated, the chances of phishing attacks on
mobile phones would become more probable. Allowing Internet
banking login id and password usage on the mobile phone may
compromise their usage on the Internet banking channel. This
restriction may be communicated to the customers through an industry
wide effort so as to ensure that Internet banking passwords are not
compromised through mobile phones.
• The payment authorisation message from the user’s mobile phone
should be securely encrypted and checked for tampering by the
service provider or the bank. It should not be possible for any
interceptor to change the contents of the message.
• Provided the above security recommendations are reviewed, the
mobile payment service could use any of the preferred mode of
communication viz., SMS, IVRS, WAP/GPRS, USSD and NFC.
There are a couple of security issues in some of these modes of
communications, which are listed below:
• SMS is the simplest form of communication, but is vulnerable
to tampering. As long as there is a second level of check on the
details of the transaction so as to guard against data tampering
and the mPIN does not travel in plain text, this mode of
communication can be used.
• IVRS is also a simple mode of communication and therefore
does not have any inbuilt security measures. The system should
be capable of encrypting the DTMF tone entries, if required to
be stored or transmitted.
• USSD communication uses its inbuilt encryption technology to
talk between the cell phone and the operator’s server. However,
the decryption of the information happens at the cell phone
operator’s server. Vulnerability of data may exist at this point.
This information should be re-encrypted and transmitted to the
service provider.
• Any of the following modes of user interface may be used, provided
the above listed security measures are taken into consideration:
• SMS
• Menu driven application
• Menu driven USSD application

• WAP/GPRS website
• Formats need to be specified for exchange of information between
banks. On the debit/credit card front, the existing ISO 8583 message
format may be used for communication between bank switches.
However, for account number based mobile transfers, a message
format may need to be frozen.
• Banks should designate a network and database administrator with
clearly defined roles as indicated in the technology Group’s report.
• Banks should have a security policy duly approved by the Board of
Directors. There should be a segregation of duty of Security Officer /
Group dealing exclusively with information systems security and
Information Technology Division which actually implements the
computer systems. Further, Information Systems Auditor will audit
the information systems.
• Banks should introduce logical access controls to data, systems,
application software, utilities, telecommunication lines, libraries,
system software, etc. Logical access control techniques may include
user-ids, passwords, smart cards or other biometric technologies.
• At the minimum, banks should use the proxy server type of firewall so
that there is no direct connection between the Internet and the bank’s
system. It facilitates a high level of control and in-depth monitoring
using logging and auditing tools. For sensitive systems, a stateful
inspection firewall is recommended which thoroughly inspects all
packets of information, and past and present transactions are
compared. These generally include a real time security alert.
• All the systems supporting dial up services through modem on the
same LAN as the application server should be isolated to prevent
intrusions into the network as this may bypass the proxy server.
• The information security officer and the information system auditor
should undertake periodic penetration tests of the system, which
should include:
• Attempting to guess passwords using password-cracking tools.
• Search for back door traps in the programs.
• Attempt to overload the system using DDoS (Distributed
Denial of Service) & DoS (Denial of Service) attacks.

• Check if commonly known holes in the software, especially the
browser and the e-mail software exist.
• The penetration testing may also be carried out by engaging
outside experts (often called ‘Ethical Hackers’)
1. Physical access controls should be strictly enforced. Physical security
should cover all the information systems and sites where they are housed,
both against internal and external threats.
2. Banks should have proper infrastructure and schedules for backing up
data. The backed-up data should be periodically tested to ensure recovery
without loss of transactions in a time frame as given out in the bank’s
security policy. Business continuity should be ensured by setting up
disaster recovery sites. These facilities should also be tested periodically.
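
One way to meet two of the requirements in the list above, that the mPIN never travels in plain text and that the payment authorisation message is checked for tampering, shown as an added example that is not taken from the Group's report or from any bank's system. The per-device secret provisioned at registration, the field names, the 120-second window and the choice of PBKDF2 with HMAC-SHA256 are assumptions; confidentiality is left to the encrypted channel the guidelines already require.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_SKEW_SECONDS = 120  # assumed freshness window


def derive_key(mpin, device_secret):
    # The mPIN is typed by the user for each payment and never stored in the app.
    # A short mPIN has few possible values, so the random device secret is
    # what gives the derived key its strength.
    return hashlib.pbkdf2_hmac("sha256", mpin.encode(), device_secret, 100_000)


def _canonical(fields):
    # One unambiguous byte encoding, so both sides authenticate the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_authorisation(mpin, device_secret, mobile, payee, amount_paise, now=None):
    """Handset side: build the message. The mPIN itself is not a field."""
    fields = {
        "mobile": mobile,
        "payee": payee,
        "amount_paise": amount_paise,
        "nonce": secrets.token_hex(12),
        "ts": int(time.time() if now is None else now),
    }
    key = derive_key(mpin, device_secret)
    tag = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {"fields": fields, "tag": tag}


class AuthorisationVerifier:
    """Service provider / bank side."""

    def __init__(self):
        self._keys = {}     # mobile number -> derived key, stored at registration
        self._seen = set()  # (mobile, nonce) pairs already accepted

    def register(self, mobile, mpin, device_secret):
        self._keys[mobile] = derive_key(mpin, device_secret)

    def verify(self, message, now=None):
        now = int(time.time()) if now is None else now
        fields = message.get("fields", {})
        key = self._keys.get(fields.get("mobile"))
        if key is None:
            return "unknown-mobile"
        expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(message.get("tag", "")).encode()):
            return "bad-tag"   # altered in transit, or wrong mPIN / wrong device
        # Fields are trusted only from here on, after the tag has verified.
        if abs(now - fields.get("ts", 0)) > MAX_SKEW_SECONDS:
            return "stale"
        replay_id = (fields["mobile"], fields["nonce"])
        if replay_id in self._seen:
            return "replayed"
        self._seen.add(replay_id)
        return "accepted"
```

A changed amount or payee, a wrong mPIN and a message from a different handset all fail the same tag check, so the response to the sender does not reveal which of them occurred.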
Business & Legal Issues

The following kinds of business applications are envisaged under the
purview of this circular. Banks may permit the following transactions to their
existing customers. They will encompass three key areas:
• Mobile banking (basic saving account – balance enquiry, bill
payment, credit card payment, Draft issuance, Deposit booking, Stop
payment request, funds transfer to another bank account including 3rd
party transfers, change of personal PIN)
• M Commerce (using mobile as a payment instrument either linked to
a bank account or through stored value)
• Remittance: Allowing funds transfer between bank accounts, bank to
cash (where the beneficiary does not have a bank account) and cash to
cash
• Banks may additionally facilitate transactions for their customer’s
customers (E.g. Bill Payments for their corporate clients) and other
transactions that facilitate transactional convenience and also the
inclusion of the financially excluded into the banking mainstream.
Thus banks may also permit following transactions for
non-customers/non-account holders.

i. Small value person-to-person remittances (not exceeding Rs
15,000) including the use of bank branches, ATMs and other 3rd
party outlets approved by Banks or Telcos for facilitating cash
in / cash out. In such cases, banks may rely on KYC processes
performed by other intermediaries (such as Telcos) as detailed
in section III A of this circular.
ii. International remittances - i.e. Non resident Indians sending
money back home to their families (To be read in conjunction
with the MTSS guidelines)
• Considering the legal position prevalent, there is an obligation on the
part of banks not only to establish the identity but also to make
enquiries about integrity and reputation of the prospective customer.
Therefore, even though request for opening a savings / current
account can be accepted over Mobile Telecommunication, these
should be opened only after proper introduction and physical
verification of the identity of the customer.
• From a legal perspective, security procedure adopted by banks for
authenticating users needs to be recognized by law as a substitute for
signature. In India, the Information Technology Act, 2000, in Section
3(2) provides for a particular technology (viz., the asymmetric crypto
system and hash function) as a means of authenticating electronic
record. Any other method used by banks for authentication should be
recognized as a source of legal risk. Customers must be made aware
of the channel risk prior to sign up.
• Under the present regime there is an obligation on banks to maintain
secrecy and confidentiality of customers‘ accounts. In the Mobile-
banking scenario, the risk of banks not meeting the above obligation
is high on account of several factors. Despite all reasonable
precautions, banks may be exposed to enhanced risk of liability to
customers on account of breach of secrecy, denial of service etc.,
because of hacking/ other technological failures. The banks should,
therefore, institute adequate risk control measures to manage such
risks.
• In Mobile banking scenario there is very little scope for the banks to
act on stop-payment instructions from the customers. Hence, banks
should clearly notify to the customers the timeframe and the
circumstances in which any stop-payment instructions could be
accepted.

• The Consumer Protection Act, 1986 defines the rights of consumers in
India and is applicable to banking services as well. Currently, the
rights and liabilities of customers availing of Internet banking
services are being determined by bilateral agreements between the
banks and customers. Considering the banking practice and rights
enjoyed by customers in traditional banking, banks’ liability to the
customers on account of unauthorized transfer through hacking, denial
of service on account of technological failure etc. needs to be assessed
and banks providing Mobile banking should consider insuring
themselves against such risks, as is the case with Internet Banking.
• Banks may determine their own pricing for the use of these services.
• Banks should get the scheme for facilitating Mobile banking
approved by their respective boards / LOMC before offering it to their
customers. The LOMC approval must document the extent of
Operational and Fraud risk assumed by the bank and the bank’s
processes & policies designed to mitigate such risk.

KYC Process
Banks are permitted to rely on Financial Intermediaries as recommended by
the relaxed KYC guidelines issued vide RBI circular
DBOD.NO.AML.BC.28 /14.01.001/2005-06 dated August 23, 2005. A Bank
can sponsor the small value remittance service by entering into arrangements
with intermediaries in order to manage distribution, technology and scale.
In the same spirit, Banks may partner with Telecom companies, Technology
companies etc to facilitate such small value transfers. Banks may rely on
introductions from any person on whom KYC has been done and certificates
of identification issued by the intermediary. Thus the intermediary can be a
Telecom company, another bank or financial institution or a stand alone
Trust Company dedicated to the purpose of facilitating such transactions.
It is proposed that in cases where the remitter is the owner of the mobile
phone, the Bank relies on the telecom company’s KYC and obtains a copy
of the registration documents from the telecom company. In cases where the
remitter is not the owner of the mobile phone, a letter of introduction is
taken from the owner and the remitter registers with a limited KYC
comprising of photograph and address proof. Wherever address proof is not
available, the introducer can certify the genuineness of the remitter’s
address.

III. Regulatory & Supervisory Issues


As recommended by the Group, the existing regulatory framework over
banks will be extended to Mobile banking also. In this regard, it is
advised that:
• Only such banks which are licensed and supervised in
India and have a physical presence in India will be
permitted to offer Mobile banking products to residents
of India. Thus, both banks and virtual banks incorporated
outside the country and having no physical presence in
India will not, for the present, be permitted to offer
mobile banking services to Indian residents.
• The products should be restricted to account holders only
and should not be offered in other jurisdictions.
• The services should only include local currency products.
• The ‘in-out’ scenario where customers in cross border
jurisdictions are offered banking services by Indian
banks (or branches of foreign banks in India) and the
‘out-in’ scenario where Indian residents are offered
banking services by banks operating in cross-border
jurisdictions are generally not permitted and this
approach will apply to Internet banking also. The
existing exceptions for limited purposes under FEMA i.e.
where resident Indians have been permitted to continue
to maintain their accounts with overseas banks etc., will,
however, be permitted.
• Overseas branches of Indian banks will be permitted to
offer Internet banking services to their overseas
customers subject to their satisfying, in addition to the
host supervisor, the home supervisor.

Given the regulatory approach as above, banks are advised to follow the
following instructions:

• All banks, who propose to offer transactional services on the
Mobile services should obtain prior approval from RBI. Bank’s
application for such permission should indicate its business
plan, analysis of cost and benefit, operational arrangements like
technology adopted, business partners, third party service
providers and systems and control procedures the bank
proposes to adopt for managing risks. The bank should also
submit security policy covering recommendations made in this
circular and a certificate from an independent auditor that the
minimum requirements prescribed have been met. After the
initial approval the banks will be obliged to inform RBI of any
material changes in the services / products offered by them.
• The guidelines issued by RBI on ‘Risks and Controls in
Computers and Telecommunications’ vide circular
DBS.CO.ITC.BC. 10/ 31.09.001/ 97-98 dated 4th February
1998 will equally apply to Mobile banking. The RBI as
supervisor will cover the entire risks associated with electronic
banking as a part of its regular inspections of banks.
• Banks should develop outsourcing guidelines to manage risks
arising out of third party service providers, such as, disruption
in service, defective services and personnel of service providers
gaining intimate knowledge of banks’ systems and misutilizing
the same, etc., effectively.
• It will become important to set up ‘Inter-bank Payment
Gateways’ for settlement of such transactions. The protocol for
transactions between the customer, the bank and the portal and
the framework for setting up of payment gateways as
recommended by the Group should be adopted for Mobile
Banking.
• Only institutions who are members of the cheque clearing
system in the country will be permitted to participate in Inter-
bank payment gateways for Internet payment. Each gateway
must nominate a bank as the clearing bank to settle all
transactions. Payments effected using credit cards, payments
arising out of cross border e-commerce transactions and all
intra-bank payments (i.e., transactions involving only one bank)
should be excluded for settlement through an inter-bank
payment gateway.

• Inter-bank payment gateways must have capabilities for both
net and gross settlement. All settlement should be intra-day and
as far as possible, in real time.
• Bilateral contracts between the payee and payee’s bank, the
participating banks and service provider and the banks
themselves will form the legal basis for such transactions. The
rights and obligations of each party must be clearly defined and
should be valid in a court of law.
• Banks must make mandatory disclosures of risks,
responsibilities and liabilities of the customers in doing
business through Mobile, through a disclosure template. The
banks should also provide their latest published financial results
over the net.

Regulatory Roles and Responsibilities of Stakeholders

Role of Banks
• Any money exchange i.e. Payments, P2P, remittance, etc – should be
executed through Banking instruments & Infrastructure.
• This is to ensure compliance with all financial controls and regulation.
Payments can be made by the following
• Savings Bank Account/Debit Card
• Credit Card Account
• Pre-paid Cards
• Virtual Cards (Credit & Debit Cards)
• Bank’s role should be of providing normal transactional services to
customers using the full range of services including Cash, Saving’s
account, Credit Card, Debit Card and Prepaid Cards services.
• Transactions should be maintained within the banking network, and
all the stakeholders in transaction processing should be subject to
the same level of scrutiny and regulation as other bank accounts.
• Transaction settlement should ride on the existing infrastructure for
efficient settlement and payment systems.

• Intra Bank - Transactions involving Bank A/c to Bank A/c
funds Transfer should be real time or near real time transactions
• Inter Bank - Transactions involving Bank A/c to Bank A/c
funds Transfer should ride on the NFS or other existing
switches available for inter-Bank transactions.
• Intra Bank – Transactions involving Card A/c ( including Credit
& Debit Cards) to Merchant/ recipient account should ride on
the existing settlement & payment systems available with
Banks.
• Inter Bank – Transactions involving Card A/c (including Credit
& Debit Cards) to Merchant/ recipient account should ride on
either India Switch, VISA, MasterCard or any other
available switching infrastructure.
• The bank should take responsibility for audit, fraud management,
account security etc. under its normal banking license. Banks should
ensure that the service operates entirely within the RBI framework.
• Banks should be responsible for ensuring the identity of the sender
and the receiver of funds. Banks can design the process of verification
of sender and receiver as per the existing guidelines. In case where the
existing process of KYC compliance cannot be met, new methods of
verification such as mobile based PIN verification and transaction
limit fixation can be considered.
• In case of m-wallet propositions the pooled funds should be held with
a bank so that systemic risk of defaults is minimized.
• Banks may end up playing a limited role in P2P and cash to cash
payments other than settler of funds via the pooled account. This
should be permissible subject to transaction limits etc.
Role of Telcos
• Telcos should provide the KYC and customer history for Banks to
offer the services to the customer and full responsibility for fraud
management at their outlet as per TRAI guidelines.
• In order to ensure Mobile Payments reaches the critical customer
mass, KYC documents required to offer financial products should be
made similar to Telco’s KYC guidelines.

• Distribution network of Telcos should be used to provide the services
of Mobile Payments to maximum possible locations across the
country.
• External low-cost hosting at Telco should be explored – Banks will
not have to reinvent the technology platform & billing systems for
such an offering.
• Policies enabling audit and governance of such a model to be framed.
• Setting up of infrastructure for undertaking Domestic Money
Remittances along with Banks. Domestic Money Remittances using
both Telco’s dealer network and Bank’s financial infrastructure
should be piloted along with controls on transaction limit and frequency.
The pilot should test the feasibility of running such a model for domestic
money remittances.
Role of Third party payment processors
• External low-cost hosting at Third party payment processors should
be encouraged to have a truly cross-bank, cross-carrier payment
system.
• Policies enabling audit and governance of such a model to be framed
including a centralized settlement mechanism
• Third party processors should have the responsibility of Fraud
management and should have systems and process in place to check
and control frauds.

Regulatory Framework suggested for Mobile Payments


Payment Account to be used for Mobile Payments e.g. Credit card account,
Savings Bank Account, virtual account, Pre-paid account should be similar
to the existing Credit card, Debit Card / bank account issuance framework.
While we can use innovative mechanisms to enable payments through
mobile phones, the following should be taken into consideration:
• RBI’s Guidelines and policies on KYC
• RBI’s Guidelines and policies on AML
• Financial settlement between the various entities should be undertaken
as per the existing Guidelines and processes.

• The messaging system between Application and Bank needs to be
regulated and standardized to ensure standard transaction processes
and settlement systems.
• Guidelines need to be evolved to ensure complete interoperability
between all the stakeholders of mobile payments. This will lead to the
growth of the ecosystem and will benefit all the stakeholders.
• Guidelines need to be evolved for allowing domestic money
remittances by Cash In and Cash Out at Telco Outlets including usage
of Telco’s KYC and adherence of AML guidelines.
Telco’s role should include providing platform to initiate transactions and
carry the messages to the bank’s systems
Regulatory policies and standards
Service providers and Telcos should have the independence to develop and
launch customized applications targeted towards their customer base;
however, the messaging system between application and Banks needs to be
regulated. This will lead to standardization of the transaction processes and
settlement systems. These should include:
• Instruction formats for all mobile initiated payments, remittances and
banking
• Security standards for instructions, interfaces, data storage and
transactions
• Technology standards and guidelines for various modes of data
transfer like SMS, GPRS etc.
Anti Money Laundering control for Telcos especially for proposed services
like deposits being accepted and held by Telcos for Funds Transfer and
remittances. While Telcos provide an opportunity to reach out to the
unbanked and underbanked population of the country, proper regulatory
control should be established to ensure conformation to KYC and AML
guidelines. The Telcos offering these services should follow bank-approved
processes that fulfill the regulatory requirements while performing such
transactions. The Bank may appoint payout agents such as the Post Office,
other FIs, selective merchants etc
• Sign up for service: Existing or new customer: Bank controlled
through regulated KYC

• Transaction: PIN based transactions in terms of domestic transfers.
• Anti Money Laundering: monitoring carried out by the Bank
• Transactions monitoring controlled at the banking end
• Agent appointment responsibility with the bank

MANAGING THE RISK OF MOBILE BANKING TECHNOLOGIES

M-payments and m-banking are now spreading fast across the world, in
developed and developing countries. The use of mobile phones for
mobile Financial Services (m-FS) is relatively new and, as a
consequence, the knowledge of the risks and the risk experience of
providers is still limited. However, the rapid take-up and potential scale
of new offerings has led to increased interest from mobile Financial
Services Providers (mFSP), both banks and non-banks, and from
government regulators in understanding and managing any unique,
additional risks. Two elements of the mobile channel are distinctive
relative to other banking channels like Internet banking or point of sale
devices:
• The mobile handset, which comes with a wide range of functionality
from basic on standard handsets to advanced on feature phones and
smart phones;
• The mobile network, which includes all the links carrying a data
message from a handset to the mFSP or vice versa and the methods used
to communicate between the handset and the mFSP.
Both these elements contribute to a different risk environment for
m-banking. Boards and management of mFSPs as well as regulators need to
have a clear basic understanding of how these elements work, including a
comparison to other established e-banking channels.
Increasingly, as handset functionality increases, mobile financial
services are converging with Internet banking.
Regulators and others commonly list additional risk considerations arising
from the use of the mobile channel. These include: the higher possibility
of loss of device, the restricted screen and keypad of the device, the
information security of the end-to-end network, the availability and
reliability of the communications network, and the use of outsourced
service providers. However, a priori, these factors do not in themselves
make most use cases of m-FS more or less risky than other forms of
e-banking.
The main technical characteristics affecting the risks of m-FS:
• The security functionality available on the handset: the lower the
security requirement from the handset, the broader the potential market,
especially in developing countries;
• The degree of dependence or independence from a particular Mobile
Network Operator (which controls access to the SIM card and the mobile
network): channel options may or may not require downloading of an
application to the SIM or phone, which in turn may require participation
of the manufacturer or MNO.

encryption risk by providing encryption within the SIM, and provides the
most security; its use and market may be limited by the need for MNO
cooperation and a SIM with SIM Toolkit capability. In Use Cases 2 and
3, the risks (and services) increasingly converge with standard Internet
banking risks.

Emerging technology: several developments are likely to change the
picture of risk:
• An increasing proportion of smart phones will lead to more reliance
on even in developing countries; this will heighten the need for
knowledge of e-banking risks in countries in which Internet
banking may not yet be common;

• The development of near field communication (NFC) enabled
handsets which can effectively act as a token for local purchases
(already common in Japan and under trial in several developed
countries such as UK and US) is likely to further increase take-up of
m-FS. The risks of the integration of NFC into mobile banking
require further investigation and are outside the scope of this report.
• Moving to prudent and adjusted security models requires a
proportionate regulatory framework within which to ensure on-going
and active supervision of risk management.

Device Management
The association of MUID with a user profile is the key to device
management. Scenarios such as "lost device", "stolen device", or maybe
even "sold on eBay" are handled through the MUID registration. In the
default mBanking implementation, each valid MUID is given a state,
which can be either:
• Valid
• Temporarily disabled
• Permanently disabled
The application must present a MUID that is registered as 'valid' to be able
to continue with authentication. If the device is lost/stolen, the MUID
should be set to 'temporarily disabled'. This can be accomplished via a
self-service channel (authenticated online banking session)
or via a call center or teller channel. If the device was only temporarily lost,
and is then recovered by the user, the MUID can be reset to valid through
the same channels above. If the MUID is temporarily disabled, no set of
user credentials will permit access to the mBanking system.

However, a device attempting to authenticate using a 'temporarily disabled'
MUID would be given a limited number of attempts before the
mBanking server would convert the MUID to permanently disabled.
Alternatively, the user could request the MUID to be set to disabled
through one of the channels above in the case of a phone upgrade (for
example, buys a new phone and sells the old one on eBay). If an
application attempts to connect to the bank servers with a permanently
disabled MUID, it will receive a control message back from the
mBanking server that overwrites certain key sections of the
authentication logic on the phone, permanently disabling the application
on the phone. Again, in this state, no set of credentials will permit access
to the system. However, once the application on the phone has been
disabled, it can no longer be used to access the system, even if the MUID
state is reversed to 'valid' and the correct passcode is used.
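
The MUID lifecycle described above, as an added Python sketch (not the mBanking product's own code). The three states and the bank channels come from the text; the class names, reply strings, the limit of three attempts and the credential callback are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class MuidState(Enum):
    VALID = "valid"
    TEMP_DISABLED = "temporarily disabled"
    PERM_DISABLED = "permanently disabled"


MAX_BLOCKED_ATTEMPTS = 3  # assumed; the text says only "a limited number"
TRUSTED_CHANNELS = {"online_banking", "call_center", "teller"}  # channels named in the text


@dataclass
class DeviceRecord:
    state: MuidState = MuidState.VALID
    blocked_attempts: int = 0


class MuidRegistry:
    """Server side: the MUID state gates authentication before any credential check."""

    def __init__(self, check_credentials):
        self._devices = {}
        self._check_credentials = check_credentials  # hypothetical credential backend

    def register(self, muid):
        self._devices[muid] = DeviceRecord()

    def state_of(self, muid):
        return self._devices[muid].state

    def set_state(self, muid, new_state, channel):
        # State changes are accepted only through an authenticated bank channel.
        if channel not in TRUSTED_CHANNELS:
            raise PermissionError(f"untrusted channel: {channel}")
        record = self._devices[muid]
        record.state = new_state
        record.blocked_attempts = 0

    def authenticate(self, muid, user, passcode):
        record = self._devices.get(muid)
        if record is None:
            return "DENY"
        if record.state is MuidState.PERM_DISABLED:
            return "KILL_APP"  # control message; credentials are never examined
        if record.state is MuidState.TEMP_DISABLED:
            # Count attempts from a device reported lost; escalate at the limit.
            record.blocked_attempts += 1
            if record.blocked_attempts >= MAX_BLOCKED_ATTEMPTS:
                record.state = MuidState.PERM_DISABLED
            return "DENY"
        return "OK" if self._check_credentials(user, passcode) else "DENY"


class PhoneApp:
    """Client side: a kill message is one-way, whatever the server state says later."""

    def __init__(self, muid, registry):
        self.muid, self.registry, self.disabled = muid, registry, False

    def login(self, user, passcode):
        if self.disabled:
            return "APP_DISABLED"  # the disabled app never reaches the server again
        reply = self.registry.authenticate(self.muid, user, passcode)
        if reply == "KILL_APP":
            self.disabled = True
        return reply


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    registry = MuidRegistry(lambda user, passcode: passcode == "1234")
    registry.register("muid-A")
    app = PhoneApp("muid-A", registry)
    registry.set_state("muid-A", MuidState.TEMP_DISABLED, "call_center")
    print([app.login("alice", "1234") for _ in range(5)])
```

Because the state check runs before the credential check, a correct passcode on a disabled MUID is indistinguishable from a wrong one, and every blocked attempt is a countable event for fraud monitoring.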

8. SCOPE OF M-BANKING

Appropriate scope of Mobile banking
The above discussion shows that Mobile banking offers could become
indispensable for banks in a not-so-distant future. The question is no more of
“whether” but of “when”. Even more important seems the question of “what,
how and whom”, if one wishes to avoid making past mistakes. That is, what
services (scope) should be offered how (mediums) and to whom (target
groups). Apart from the fact that the scope of the offered services should be
selected carefully to suit one’s own customers, following two factors ought
to be kept in mind
Mobile banking (m-banking) in India, viewed by the government as a potent
tool for financial inclusion, is yet to clear many hurdles before it can fulfil its
objective of reaching the unbanked masses. Primarily so, say analysts, since
the mobile density in tier II and III cities, is 11 per cent and 10 per cent
respectively
customer survey establishes that there are sufficiently large groups of
customers interested in
utilizing M-banking. A superficial evaluation often fails to gauge the true
extent of the potential. If the results of the customer survey are any indicator,
then the time seems to be ripe for a proactive attitude on the part of banks in
advertising their MFS so as to induce customer demand.
The survey results have demonstrated unambiguously that Mobile banking
has staged a remarkable comeback. Whereas most banks and indeed many
experts believed Mobile banking to be dead after the dotcom burst, banks
are seeing themselves increasingly forced to induct Mobile banking services
in their product portfolios.

The reasons for this extraordinary resurrection are:
• The phenomenal growth of the telecommunication sector and the
resultant (unparalleled) penetration of the society by mobile phones
present unique business opportunities.
• A new generation of technology- and innovation friendly consumers
is taking centre stage in business- and social life of the society. This
generation is more open to the opportunities presented by mobile
telecommunication.
• The ongoing process of Globalisation and the integration of the world-
economy are forcing working professionals to be on the move within
national and international geographic boundaries. These professionals
need to carry out their bank business also while on the move.
• The “anytime, anywhere” feature of Mobile Banking is thus nothing
less than a professional necessity for many of them. The banks are
thus, on the one hand, forced to take cognizance of the needs and
wishes of some of their most attractive customer groups. On the other
hand, the advantages that Mobile services potentially bring to a bank
or any other provider of financial services are too palpable to deny. In
the following we list some relevant factors that ought to be taken into
account while making decisions on the launch, maintenance and scope
of Mobile Banking

9. CONCLUSIONS

Mobile Banking, as has been demonstrated, has gained non-negligible
relevance for banks today. Developments in the banking sector, e.g.
increased competition on account of technological developments coupled
with the process of globalisation have produced new challenges for
banks. Mobile Banking presents an opportunity for banks to retain their
existing, technology-savvy customer base by offering value-added,
innovative services. It might even help attracting new customers.
Further, Mobile Banking presents a chance to generate additional revenues.
Its main contribution, however, can be expected to take place in the strategic
field as it is all set to become an instrument of differentiation. Many
banks recognize this threat and are already taking preventive measures by
introducing mobile services. The foremost significance of Mobile
Banking would therefore be of a defensive nature. Instead of providing a
positive differentiation, Mobile Banking would be employed to thwart
negative differentiation vis-à-vis rivals. Mobile Banking seems to possess
the potential to become one of the most widespread and accepted
applications in the field of Mobile Commerce, particularly in the backdrop
of its high acceptance across commercially important sections of the
society. We may expect to see Mobile Banking follow in the footsteps of
Online Banking, i.e. to become a standard service offered by every bank
worth its name.
