Mobile Payment Forum of India:Regulatory Sub-Committee

Sachin KhandelwalJune 07, 2008

Mobile Infrastructure and Banking system in India

• Mobile subscribers – 261 million as on 31st March 2008 and growing 8 million per month

• Population of 1.2 billion• Bank accounts – 360 million December 2007• 67 percent of adult population have bank accounts• Nearly 45,000 out of 72,000 bank branches are under the core

banking solution (CBS) of banks• Electronic payment predominantly happens through the CBS

branches• Internet banking penetration is very low though picking up fast in

last two years• Money transfer to/from remote places is still a big challenge• Electronic benefit transfer (EBT) is a big task ahead

Mobile banking infrastructure at present

• A good number of banks have started using mobile as a delivery channel

• SMS alert for transaction updation, reminder for payments, balance enquiry, last five transactions etc. being provided by many banks

• Utility bill payments, intra-bank funds transfer offered by a few banks

• Many pilot runs, many solutions and little interconnectivity – banks are not sure whether they are too early or too late

1. Introduction

• Mobile phone has become an alternate channel for delivery of banking & financial services

• Mobile banking is defined as information exchange between a bank and its customers for financial and/or non-financial transactions

• Three players – banks, mobile payment service providers & mobile operators

• Guidelines are restricted to banked customers using the mobile platform

• Extending the service to non-banked customers will be examined later

2. Regulatory & Supervisory Issues

• Products restricted to bank account holders

• Services to be in INR• Guidelines on Risks &

Controls in Computers & Telecommunication to be applicable

• Banks should develop & enforce outsourcing guidelines to manage 3rd party service providers

• Current KYC & AML guidelines will be applicable

• Whether NRIs can carry out Rupee denominated transactions

3. Registration of Customers

• Banks should offer service to own customers only

• Two levels of service – informational & transactional

• In case of customer having multiple accounts within/across banks, service provider should enable designation of primary account or card

• One-time registration through a signed document

4. Technology & Security Standards

• Ensure authentication & non-repudiation

• Online transactions– mPIN– End-to-end encryption– 2nd factor (optional)

• Offline transactions– Offline PIN– End-to-end encryption

• Payment service provider to comply with PCI DSS or bank’s security guidelines

• Use of mobile number as 2nd factor?

• Suggest –– For what all txns?– (Mobile # + PIN) 1st factor– (Password / DOB / Txn PIN)

2nd factor• Card number / OTP as 2nd

factor is impractical• On WAP & Web, getting

mobile numbers as a mandatory field from Telcos

• Mpin to be encrypted• If SMS is encrypted, then it

does not pose any additional risk as compared to other channels

5. Interoperability

• Service should be available across all telcos

• Use standard messaging formats (prescribed by MPFI and/or ISO 8583) to ensure interbank transactions

• How do we ensure that service is available across both GSM and CDMA operators, given that CDMA operators adopt a different approach

• Use of SFMS and NEFT for interbank non-card txns

6. Clearing & Settlements

• Option of bilateral / multilateral arrangements for Interbank settlements

• Banks to not participate in any e-money / stored-value prepaid product

• Discuss the stance on other prepaid systems recently allowed

• Understand the concept of Interbank Payment Gateways

7. Legal Issues• Customer to be made

aware of any additional channel risk prior to sign up

• Banks could be exposed to enhanced risk of liability on account of mobile technology – bank to take adequate risk control measures

• All precautions taken in the case of Internet Banking become directly applicable in the Mobile scenario

Questions / Suggestions?

Thank You