Tuesday, September 23, 2008

Indian Central Bank guidelines

While I have commented on the Indian Central Bank guidelines for mobile banking previously, it does require another look as it seems as if the bank have now confirmed these guidelines. It is not clear if the bank would move to a point where these guidelines will be enforced. If this is the intention my impression is that mobile payment is in a dire position in India as the guidelines do not serve to facilitate mobile payments, but rather to inhibit the growth of this important tool to empower so many people with financial services.

My position is based on the following points:
  • The fact that the guidelines prohibits the deployment of money remittance services by means of mobile payment. This has been one of the important drivers of mobile payments in other countries and it is not clear why the bank would limit mobile payments in India to be only for Rupee based transactions.
  • The limits on the value of transactions and daily limits imposed are so low that it would limit the deployment of services to (for instance) business users and agents. This has been the driver in many countries for the take-up of mobile payment services and it does not make sense to set these limits as this would almost close down these avenues for the growth in mobile banking.
  • The fact that all payment services must be available on all mobile networks is also strange as this would remove the incentive of mobile operators to offer mobile centric services to only their subscribers. Mobile operators were major drivers in most countries for the deployment of these services. By removing them from the equation, the RBI have effectively taken a major driver out of the eco-system.
  • The need for end-to-end (application level) encryption, basically eliminate the use of USSD, SMS and Browser-based payment solutions. It is only possible to conform to this requirement with SIM-resident applications or Java on the phone. Very few Indian solutions currently offers these options. Is it the intention of the bank that all service providers should change their channel strategy to conform to the guidelines?
  • The role of the MPFI and the requirement of them to develop the message formats for the industry is short-sighted as this has not been achieved anywhere. In countries where interoperable mobile payment schemes exist (from Austria to Zambia), these schemes developed out of economic drivers not via established industry bodies.
If the bank were to enforce the above guidelines, none of the existing deployments will conform, and mobile payment industry in India would be set back years.

6 comments:

chris said...

Hi there,

I tried contacting you a while ago but never received a response, can you please email me at chris.hamilton @ boomerang.com.au so we can discuss my proposal?

Thanks

Shumit said...

Dear sir,

I tried to disect the regulations based on my knowledge of rural India. Do let me know what you think.

Regulation 1: The RBI guidelines, by implication, say that only banks can offer mobile transaction services. The guidelines say this service can be offered only to customers of banks and/or holders of debit/credit cards. Document-based registration is called for, with the mandatory physical presence of the customer, before mobile services are offered. The banks are responsible for ensuring Know Your Customer norms, and must have core banking systems in place.

Several MFIs today act as a business correspondent (BC) (agents who work on behalf of banks) for commercial banks to reach areas where opening a bank branch is not viable. Usually at the business correspondent’s office, a bank representative is present who oversees the enrolment of clients and ensures that the KYC requirements are complied with. The bank through a BC can enroll clients, the clients can be served by the bank using mobile banking thus fulfilling the objective and the spirit of financial inclusion

Regulation 2: The RBI’s guidelines call for a two-factor authentication for validation of a customer. The industry has reacted to this by interpreting that two-factor authentication can be supported only by GPRS and not through SMS. Media has also criticized RBI by saying that the new mobile banking regulations such as the two factor authentication do not facilitate financial inclusion since basic mobile phones owned by majority of people in rural India do not support GPRS.

Secure transactions can happen even via SMS. SMS’es are of two types – Normal and Encrypted SMS. Normal SMS is what we use for day-to-day communication and is not secure. The SMS is not encrypted when it passes through the pipe it can be accessed. On the other hand, an encrypted SMS is converted into non-readable text using a RSA / AES (security) algorithm. The text that can be encrypted are numbers from 1-9, capital letters from A-Z and small letters from a-z. Special characters cannot be encrypted. When the bank client sends a sms from his phone to the server, a sms along with an encrypted key is sent to the server. If the encryption algorithm is strong enough, it is not possible to read the SMS. The server then decrypts (opens) the encrypted key using a RSA encryption algorithm. This technology is perfectly secure and GPRS is not mandatory. Not many phone users in India subscribe to GPRS and even fewer have phones that can support GPRS. Around 60 percent of the 306 million handsets or mobile connections in India are without GPRS and WAP. Due to lack of GPRS connectivity, Smart Trust applications, securea SMS based applications will be the prominent atleast in the initial years of mobile banking.

Regulation 3: The RBI has capped daily mobile transaction limits at Rs 5,000 for transfer of funds and Rs 10,000 for purchase of goods or services.

This regulation, at least in the early stages of mobile banking, does not affect customers who will be vary of performing high value transactions. It will surely not affect rural customers who rarely receive more than Rs.5000 per day through remittances. It is also unlikely that the rural customer will pay more than Rs.10,000 for paying his utility bills or other services.

regards,
Shumit Vatsal
0-900-8244-596

Hannes@Home said...

Hi Shumit
I enjoyed your comment. Allow me to comment on your comment:
1. I concur fully with your interpretation of Regulation one
2. Your suggested SMS-based dual authentication solution is totally accurate. However, it is extremely difficult to deploy such solutions on an ordinary handset. I am not aware of any Indian installation that have successfully deploy such a solution. You would also agree with me that USSD applications does not provide dual authentication solutions.
3. I agree with your assessment, except that this limit certain key participants in the mobile payment eco-system. For instance, should these limits also apply to agents (some-one with a mobile phone offering services to subscribers like cash-in and cash-out)?

Shumit said...

Hannes,

You hit the spot. I completely agree that agents need a seperate set of daily limits that needs to be significantly higher than the limits of the customer.

Thanks a lot and your blog is really interesting. I get most of my mobile knowledge from it.

regards,
Shumit

Shumit said...

Based on some research this morning, I found that the MI-token authentication system can be leveraged using USSD. From the limited knowledge I have on this topic, I hear that the MI-token authentication system is more secure than the two factor dual authentication system. An out of band authentication system is used to generate the one time password. The out of band authentication system, is generated using tightly bound transaction data. Transaction details such as the account number is used to generate the OTP. If any part of the transaction is changed before the transaction takes place, the token causes the transaction to fail thus thwarting man in the middle attacks.

Is this better for a country like India where piracy/hacking could be a huge issue? Could you throw some light on this security system in one of your posts? If in case the MI Factor authentication system is better than the two factor, would the RBI be better off passing a regulation favoring the MI Factor Authentication system?

sudhakar reddy said...

In case the MI Factor authentication system is better than the two factor, the committee on standardisation would be in a better position toadopt innovative solutions in a open manner passing a regulation favoring the MI Factor Authentication system.

please visit the site for the relevant details on MI Factor authentication system

http://www.ictsecurity.com.au/index.php?option=com_content&task=view&id=28&Itemid=69