Thursday, March 20, 2008
Therefore, I was very disappointed when I saw the following headline in an on-line news report: "Americans not interested in m-banking" (Read more about this here). I read the article and found that it was based on research published by Harris Interactive. The poll summarised the responses of a sample of roughly 1,000 people (not a very big sample, and I am not sure how representative it is). I found some of the results very positive. According to my interpretation, at least a third of the respondents were interested in mobile banking in some format or other. Although much lower than in other markets, this is still huge. Any other product to be launched in the US with a potential take-up of a third of the population would be described as having massive potential.
Anyhow, the next day I saw the following headline on another website: "Cell phone users open to on-the-go banking". (Read about it here). This seemed a much more positive view of mobile banking, and I read on with interest. It turned out that these two headlines were articles reporting on exactly the same research, and the numbers referenced were exactly the same.
Which all goes to show that some people view the half-empty glass as half full. It is just a pity that the "half empty" journalists seem to be reporting on mobile banking more often than not.
Sunday, March 16, 2008
Initially, especially in
Lately, a number of institutions have started to generate traction, and the industry is being formed through their actions. These organisations are either non-profit bodies looking after the interests of their members or philanthropic in nature. It is important to take cognisance of their actions, as they have a major influence on the industry today.
I have listed some of these organisations below. This is not intended to be a comprehensive list, but rather an attempt to trigger more thoughts and contributions. (In other words: help me to make this list more comprehensive.)
- The Mobile Payment Forum is one of the earliest institutions with membership from all participants in the mobile payment eco-system. Founded during the heyday of mobile payments in 2001, the organisation is currently trying to define its role and contribution, having moved its attention more towards proximity payments and mobile marketing.
- The Mobey Forum is an organisation initially established by major European banks (including Deutsche Bank, ABN Amro and others). A lot of the initial work was spent on developing security standards to be deployed amongst the banks. Two to three years ago mobile operators and vendors were also invited to join, and the organisation became much more relevant.
- The GSM Association has been especially active during the past few years. The MMT (Mobile Money Transfer) programme was announced during the GSM World Congress in Barcelona (2007) with a number of objectives: to increase mobile operator revenue through financial services, to activate every phone to be able to send and receive money, and to actively accelerate this through well-funded programmes. In executing on these objectives, the GSMA is working closely with banks and other relevant organisations (e.g. Mastercard, Western Union etc.).
- PayCircle was founded during 2002 by technology companies (like Siemens and Sun) to advance the development of relevant technology solutions. According to its website, the mission was achieved and the organisation closed. There are other organisations that were also active in the past but have subsequently disappeared (like Radicchio).
- CGAP (and the World Bank) are very active in supporting mobile payment initiatives. A number of grants were recently announced, including grants for Consolidated Bank in Kenya, Tameer Bank in Pakistan, Wizzit in South Africa and XAC Bank in Mongolia. In addition to money, CGAP also provides consulting support, excellent research and other guidance.
- FinMark Trust is a South African-based organisation with an interest in Africa that supports the deployment of low-cost financial services, including through mobile banking.
Soon afterwards major mobile operators announced the Simpay alliance. Simpay endeavoured to provide a common payment platform between Vodafone, T-Mobile, Telefonica and
A company that is quite visible at the moment is Monitise. An initiative started by Morse with a Java-based service on top of the ATM network, it is now being deployed by First Direct, HSBC and Alliance & Leicester. The company is very visible (because of a large marketing budget?) and is making big headway from a brand-building perspective, but the technology offers little functionality to the subscriber. Recently Monitise listed on the LSE, raising a substantial amount to fund its current burn rate. Another company with a similar profile is the Finnish company Meridea. With backing from Nokia and Accenture, this company was the technology behind, amongst others, Standard Chartered's mobile banking initiative. Unfortunately it closed its doors a few months ago when it ran out of funds.
A noteworthy deployment is the mobile payment solution supported by Banksys in
The deployment of Paybox in
Thursday, March 13, 2008
It is because of this threat that the industry decided to publish a standard that a bank or payment processor should adhere to in order to provide acceptable protection to cardholders. This standard is the PCI Data Security Standard (PCI DSS), driven by the credit card associations through the PCI Security Standards Council; adherence to it is what is meant by PCI compliance. The objective of PCI compliance, to protect the consumer, is commendable and should be accelerated. Customers should be educated and should take their business away from banks and payment operators that do not comply.
An interesting question is how the providers of mobile payment solutions should (or should not) comply with PCI standards. In as much as a mobile payment solution touches card information, the application of the standard is clear: the card number must never be stored or transmitted in the clear, sensitive authentication data (full track data, card verification codes, PIN blocks) must not be retained after authorisation, and it must not be possible for an unauthorised person to get access to this information. But what if no credit card information is used? What if the routing of payments is made on the basis of a subscriber's telephone number (as is often the case)? What should the minimum conformance be?
This topic is much more complex than can be dealt with in a short blog post, but it is clear that the mobile payment industry should develop its own compliance requirements. Obviously these would be very similar to card PCI compliance (catering for instance for access control, unauthorised actions, reporting, physical protection etc.). But what about not displaying a telephone number, when anyone a subscriber calls can already see that number on their phone? What about the look-up tables that map telephone numbers to accounts, and what should the controls be around security elements?
It could be worthwhile to develop some of these rules pro-actively.
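As an added illustration of the look-up table question above (example code written for this page, not a scheme from the original post, any vendor or the PCI standards): if the telephone number is the routing identifier, the table that maps it to an account can be treated the way PCI treats a card number. The example below assumes a routing table keyed by MSISDN and shows three controls a reviewer would ask about: a canonical form so one subscriber does not end up with several keys, a masked display form, and a keyed token as the table key so that a leaked table does not reveal numbers. The `LOOKUP_KEY` value, the South African default country code and the account references are assumptions for the illustration; in production the key would live in an HSM or secure element.

```python
"""Handling of subscriber telephone numbers (MSISDNs) used as payment
identifiers.  Added example, not a scheme from the post or any vendor and not
a PCI requirement: it assumes a routing table keyed by MSISDN and shows three
controls a reviewer would ask about, namely a canonical form, masking for
display, and keyed tokens so that the table never holds numbers in the clear.
Stdlib only, so it runs offline."""
import hashlib
import hmac
import re

# Assumption: in production this key lives in an HSM or secure element.
# It is hard-coded here only so the example is self-contained.
LOOKUP_KEY = bytes.fromhex("0f" * 32)


def normalize_msisdn(raw: str, default_cc: str = "27") -> str:
    """Return the number as E.164 digits without the '+'.

    A trunk-prefixed local number (leading 0) is given default_cc; 27 (South
    Africa) is an assumed default for the example.  Without a canonical form
    the same subscriber ends up with several lookup keys."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        pass                      # already international
    elif digits.startswith("00"):
        digits = digits[2:]       # international access prefix
    elif digits.startswith("0"):
        digits = default_cc + digits[1:]
    if not 8 <= len(digits) <= 15:
        raise ValueError("MSISDN must be 8 to 15 digits in E.164 form")
    return digits


def mask_msisdn(msisdn: str, keep: int = 3) -> str:
    """Display form: only the last `keep` digits survive, e.g. ********567."""
    msisdn = normalize_msisdn(msisdn)
    return "*" * (len(msisdn) - keep) + msisdn[-keep:]


def lookup_token(msisdn: str, key: bytes = LOOKUP_KEY) -> str:
    """Deterministic keyed token used as the routing-table key.

    HMAC rather than a bare hash: a national numbering plan is on the order
    of 10^9 numbers, so an unkeyed SHA-256 table can be inverted by
    enumeration."""
    return hmac.new(key, normalize_msisdn(msisdn).encode(), hashlib.sha256).hexdigest()


def unkeyed_token(msisdn: str) -> str:
    """The weak alternative, kept only to demonstrate the attack below."""
    return hashlib.sha256(normalize_msisdn(msisdn).encode()).hexdigest()


class RoutingTable:
    """Maps token -> account reference; never stores the MSISDN itself."""

    def __init__(self, key: bytes = LOOKUP_KEY):
        self._key = key
        self._routes: dict[str, str] = {}

    def register(self, msisdn: str, account_ref: str) -> None:
        self._routes[lookup_token(msisdn, self._key)] = account_ref

    def resolve(self, msisdn: str):
        return self._routes.get(lookup_token(msisdn, self._key))

    def stored_keys(self) -> list[str]:
        return list(self._routes)


def invert_by_enumeration(tokens, prefix: str, width: int, token_fn):
    """Offline attack on a leaked table: enumerate every number with the given
    prefix and `width` trailing digits and return {token: msisdn} for hits.
    Succeeds against unkeyed_token; finds nothing against lookup_token
    because the attacker does not have LOOKUP_KEY."""
    wanted = set(tokens)
    found = {}
    for n in range(10 ** width):
        candidate = prefix + str(n).zfill(width)
        token = token_fn(candidate)
        if token in wanted:
            found[token] = candidate
    return found
```

The enumeration function is the reason for the key: with a plain hash, an attacker who obtains the table recovers every number by trying the numbering plan, which is a few billion hashes at most. With the HMAC the same attacker needs the key as well, which moves the problem to key management, where it belongs.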
Wednesday, March 12, 2008
I didn't know that the US Department of State pays good money for bureaux with complex names, like the Bureau of International Narcotics and Law Enforcement Affairs, to produce reports like the International Narcotics Control Strategy Report (the INCSR). I cannot comment on the rest of the report, but the section that talks about "mobile payments - a growing threat" triggered my interest and I read it with attention.
I must say that the sentiments expressed and the conclusions reached are far removed from the practices and the intentions of the mobile payment and remittance industry. Very few of the statements regarding risks and lack of controls have been verified or tested against the existing practices employed by mobile payment vendors. Compliments to the authors for publishing the report on the Internet. (Read it here.) Unfortunately, I could not find any feedback mechanism that would have enabled me to communicate with the authors in order to rectify many of the inaccuracies.
In practice, great care is taken to ensure that subscribers are enrolled with proper KYC compliance. The implications of the Patriot Act and FinCEN requirements are carefully researched and deployed to ensure compliance. Most of the vendors in the industry (and I know most) have a genuine intent to build an accessible electronic financial infrastructure for the poor, one that will also eliminate (and block) the actions of criminals and terrorists. These vendors work with the World Bank and associated agencies (like CGAP), reputable banks and other financial organisations to try to build well-governed solutions to the massive problem of the poor being effectively excluded from modern financial services.
The statements in the report not only harm the delivery of financial services worldwide, but also delay the deployment of electronic tools that would enable legitimate agencies to monitor transactions and to identify fraudulent and illegal activities. I would like to urge the authors of the above report to contact representatives from the mobile payment industry, so as to clarify misunderstandings but also to help the industry build financial instruments that are better for all.
Monday, March 10, 2008
It was interesting for me to realise how few of these companies can actually claim to be independent. Not that independence is that important, but it is still important to know where companies "fit in". This will help you to understand their actions and what drives them to be successful, but also in what way they could be made to act by other forces.
The best examples are solutions predominantly developed (or at least owned) by large operators. It would be unlikely that these solutions would be deployed by other operators. Examples of these are Vodafone's mPesa, Smart's Smartmoney and Globe's gCash.
Other examples are companies that have deployed a successful mobile payment solution in a specific market. Sometimes these deployments are quite spectacular. These companies then try to sell their solutions elsewhere, turning an operational solution into a packaged solution. This is particularly difficult, and the jury is still out on whether it can be done commercially. Examples of this are Trumpet Mobile now selling its technology as Affinity, Wizzit now offering a solution under the brand r-Qubed, and others.
Many solution providers are a small sub-company of a much larger company. Even though these solution providers project themselves as big suppliers of mobile payment solutions, the division providing this product line is often very small. Because these companies also have other interests, the provision of mobile payment solutions may suffer in the interest of other priorities. Examples of these are numerous and include Eversystems, GFG, mFormation and Telesoft.
Few companies can claim to be independent suppliers of mobile payment solutions. These are often focused companies with excellent solutions and track records. Examples of such companies are Fundamo, mShift and Paybox.
Once again, this is not a comprehensive list. It is my intention to trigger discussion on my (often controversial) positions, which is always welcome.
Based on what I have seen in the industry, I think that one can identify four categories of regulatory conformance in the provision of mobile banking based on a new bank account. The four are:
- Full banking, where the underlying account that is created for a new subscriber conforms to all banking law requirements. The customer is properly identified and conforms to KYC prescriptions. The bank account is properly reflected on the deposit-taking balance sheet of a bank, and all legal requirements have been met.
- Relaxed conformance, which is typically the same as a full bank account with some relaxation of the KYC requirements (both in content and in process), although the customer is still properly identified.
- Pre-paid debit, where the client is not identified. KYC requirements are postponed to a later stage at which the client would be identified, for instance when cash is to be withdrawn from the account or when the balance is to exceed a specific limit.
- No conformance
Recently, Citibank announced a joint venture with South Korea's telco SK Telecom. This will be a 50:50 JV called... Mobile Money Ventures, and will be based in San Francisco. The objective of the venture will be to "develop an advanced mobile banking platform..." See any similarities?
Also see a previous post on Mobile Money.
Tuesday, March 04, 2008
The "tapping" techniques to capture unsuspecting cardholders' PINs require little technical know-how, and fraudsters can easily attach to the PED a "tap" that records PIN and account details as they are transmitted between the card and the PIN pad. Criminals can then use this data to create counterfeit cards that can be used to withdraw cash at ATMs in countries where Chip and PIN hasn't yet been implemented. (Read more)
The biggest exposure to fraudulent transactions, in my view, is the lack of control that a subscriber has over what can be done with his/her PIN: how the PIN is dealt with, whether it can be intercepted, and whether it is stored anywhere along the line. Any third-party device or transmission line that the subscriber does not control is a possible point of attack. PIN entry devices that are not under the direct control of the subscriber are the weak point, since it is possible to use these devices to capture a PIN fraudulently without the knowledge of the subscriber.
Techniques are available that enable a subscriber to enter their PIN on a mobile phone in a secure way that can also be certified by banks and credit card associations. The difference with this approach is that the PIN is entered on a personal device that is (usually) under the control of the subscriber, so tampering with it in order to capture a PIN fraudulently is much more difficult.
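To make the property concrete, here is an added example (written for this page; it is not one of the certified schemes the post refers to, nor any vendor's product) of a challenge-response design in which the PIN typed on the handset never leaves it and is never stored by the payment server. It assumes the handset holds a random per-device secret (in practice a SIM or secure element would keep it), that enrolment ran over a trusted channel, and a lockout threshold of three failures; the handset, server and transaction strings are constructed for the illustration. What a tap on the line sees is a single-use proof bound to the specific transaction, so it can neither be replayed nor used to authorise a different amount.

```python
"""Challenge-response verification of a PIN entered on the subscriber's own
handset.  Added example, not a scheme from the post and not a description of
any certified product: it assumes the handset holds a random per-device secret
(a SIM or secure element would hold it in practice) and that enrolment ran over
a trusted channel.  The PIN itself never leaves the handset and is never stored
by the server, so a tap on the line sees only a single-use proof that is also
bound to the transaction it authorises.  Stdlib only."""
import hashlib
import hmac
import secrets

MAX_FAILURES = 3   # assumed lockout threshold


def derive_verifier(device_key: bytes, pin: str) -> bytes:
    """PIN-equivalent bound to the device secret.  Without device_key an
    eavesdropper cannot try all 10^4 PINs offline against a captured proof."""
    return hmac.new(device_key, pin.encode(), hashlib.sha256).digest()


class Handset:
    def __init__(self):
        self.device_key = secrets.token_bytes(32)

    def enrol(self, pin: str) -> bytes:
        # Sent once to the server over the trusted enrolment channel.
        return derive_verifier(self.device_key, pin)

    def authorise(self, pin_entered: str, nonce: bytes, tx: str) -> bytes:
        # Computed from the PIN as typed; the PIN is discarded afterwards.
        verifier = derive_verifier(self.device_key, pin_entered)
        return hmac.new(verifier, nonce + tx.encode(), hashlib.sha256).digest()


class PaymentServer:
    def __init__(self):
        self.verifiers: dict[str, bytes] = {}
        self.failures: dict[str, int] = {}
        self.pending: dict[bytes, tuple[str, str]] = {}

    def enrol(self, msisdn: str, verifier: bytes) -> None:
        self.verifiers[msisdn] = verifier
        self.failures[msisdn] = 0

    def challenge(self, msisdn: str, tx: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (msisdn, tx)
        return nonce

    def verify(self, msisdn: str, nonce: bytes, tx: str, proof: bytes) -> str:
        # The nonce is consumed even when verification fails: no replays.
        if self.pending.pop(nonce, None) != (msisdn, tx):
            return "rejected: unknown, replayed or altered challenge"
        if self.failures[msisdn] >= MAX_FAILURES:
            return "locked"
        expected = hmac.new(self.verifiers[msisdn], nonce + tx.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, proof):
            self.failures[msisdn] = 0
            return "approved"
        self.failures[msisdn] += 1
        return "rejected: wrong pin"


def run_demo() -> dict:
    """Walk through the cases a tester would want to see; returns outcomes."""
    phone, server, msisdn = Handset(), PaymentServer(), "27821234567"
    server.enrol(msisdn, phone.enrol("1234"))
    tx = "pay 2500 to 27829876543"           # constructed transaction text
    out = {}
    nonce = server.challenge(msisdn, tx)
    proof = phone.authorise("1234", nonce, tx)
    out["good"] = server.verify(msisdn, nonce, tx, proof)
    out["replay"] = server.verify(msisdn, nonce, tx, proof)          # same nonce again
    nonce = server.challenge(msisdn, tx)
    proof = phone.authorise("1234", nonce, tx)
    out["altered_amount"] = server.verify(msisdn, nonce, "pay 9999 to 27829876543", proof)
    for _ in range(MAX_FAILURES):                                    # wrong PIN, three times
        nonce = server.challenge(msisdn, tx)
        out["wrong_pin"] = server.verify(msisdn, nonce, tx, phone.authorise("0000", nonce, tx))
    nonce = server.challenge(msisdn, tx)
    out["after_lockout"] = server.verify(msisdn, nonce, tx, phone.authorise("1234", nonce, tx))
    return out
```

Two design choices carry the security argument. The verifier is an HMAC of the PIN under the device secret, so a captured proof cannot be brute-forced offline over the ten thousand possible PINs, and a server database leak does not yield the PIN either. The proof covers the nonce and the transaction text, so the server detects both a replay and a payload that was changed in transit; the lockout counter bounds online guessing.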
Most mobile payment solutions provide a mobile payment experience that integrates into an existing value store: for instance, mobile banking solutions that provide a mobile channel to existing bank accounts, or mobile payment solutions that mobile-enable an existing credit card. The challenge with these solutions is to ensure seamless integration with the existing systems. One of the challenges is to ensure that the registration process (when a mobile phone gets linked to a credit card, for instance) does not create an opportunity for fraud. Also, the boundaries and rules related to liabilities and disputes are not always easy to implement consistently.
Other solution providers (only a few) provide the ability to open a new type of value store that can be used to perform mobile payment transactions. This facility is particularly interesting in markets where more people have mobile phones than have bank accounts or credit cards. The advantage of this approach is that the value store can be designed in such a way that it is much more tightly integrated with the mobile payment solution. At the same time many challenges must be overcome, like conformance to regulations, compliance with international protocols, and the ability to perform audits and reconciliations that will be acceptable to a central bank.
The selection and deployment of the value store element of the solution is probably the most important decision that can be taken. The components that must ideally be present in a mobile-enabled value store are:
- Real-time clearing
- Push and pull payment support
- Support for a multitude of primitive transaction types
- Security paradigms compatible with mobile enablement
- Ease of use
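The list above reads differently once the components are put into code. The following is an added example written for this page, not the design of any product mentioned in the post: a minimal in-memory value store as a double-entry ledger with real-time clearing, push and pull payments, a small set of primitive transaction types and the reconciliation check a central bank auditor would ask for. The `FLOAT` account, the transaction-type names, the mandate rule for pull payments and the wallet numbers are all assumptions for the illustration; amounts are integers in minor units so that no rounding can creep into balances.

```python
"""An in-memory value store: a double-entry ledger with real-time clearing,
push and pull payments, a handful of primitive transaction types and a
reconciliation check.  Added example, not the design of any product named in
the post; the account and transaction-type names are assumed.  Amounts are
integers in minor units (cents), never floats."""
from dataclasses import dataclass
from itertools import count

FLOAT = "FLOAT"   # issuer's e-money float; mirrors the sum of all wallets


@dataclass(frozen=True)
class Entry:
    txid: int
    kind: str
    debit: str
    credit: str
    amount: int


class Ledger:
    def __init__(self):
        self.balances = {FLOAT: 0}
        self.journal: list[Entry] = []           # append-only audit trail
        self.mandates = {}                       # (payer, payee) -> per-pull limit
        self._ids = count(1)

    def open_wallet(self, msisdn: str) -> None:
        self.balances.setdefault(msisdn, 0)

    def _post(self, kind: str, debit: str, credit: str, amount: int) -> int:
        """Real-time clearing: funds are checked and both legs are applied
        before the call returns, so balances are always current."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        if debit not in self.balances or credit not in self.balances:
            raise KeyError("unknown account")
        # Only FLOAT may go negative: it is the issuer's liability side.
        if debit != FLOAT and self.balances[debit] < amount:
            raise ValueError("insufficient funds")
        self.balances[debit] -= amount
        self.balances[credit] += amount
        entry = Entry(next(self._ids), kind, debit, credit, amount)
        self.journal.append(entry)
        return entry.txid

    # Primitive transaction types
    def cash_in(self, msisdn, amount):
        return self._post("CASH_IN", FLOAT, msisdn, amount)

    def cash_out(self, msisdn, amount):
        return self._post("CASH_OUT", msisdn, FLOAT, amount)

    def push(self, payer, payee, amount):        # payer-initiated
        return self._post("P2P_PUSH", payer, payee, amount)

    def grant_mandate(self, payer, payee, limit):
        self.mandates[(payer, payee)] = limit

    def pull(self, payee, payer, amount):        # payee-initiated, needs a mandate
        limit = self.mandates.get((payer, payee))
        if limit is None or amount > limit:
            raise PermissionError("no mandate covers this pull")
        return self._post("P2P_PULL", payer, payee, amount)

    def reverse(self, txid):
        orig = next(e for e in self.journal if e.txid == txid)
        return self._post("REVERSAL", orig.credit, orig.debit, orig.amount)

    def reconcile(self) -> dict:
        """Two checks an auditor would ask for: wallets and float net to
        zero, and replaying the journal reproduces the live balances."""
        wallets = sum(v for k, v in self.balances.items() if k != FLOAT)
        replayed = dict.fromkeys(self.balances, 0)
        for e in self.journal:
            replayed[e.debit] -= e.amount
            replayed[e.credit] += e.amount
        return {"wallets": wallets, "float": self.balances[FLOAT],
                "balanced": wallets + self.balances[FLOAT] == 0,
                "journal_matches": replayed == self.balances}


def run_demo() -> dict:
    """Constructed walk-through: cash-in, push, pull with and without a
    mandate, cash-out, reconciliation, reversal, and a tampered balance."""
    ledger, a, b, out = Ledger(), "27821111111", "27822222222", {}
    ledger.open_wallet(a)
    ledger.open_wallet(b)
    ledger.cash_in(a, 10000)
    push_id = ledger.push(a, b, 2500)
    try:
        ledger.push(b, a, 5000)
    except ValueError as e:
        out["overdraw"] = str(e)
    try:
        ledger.pull(b, a, 1000)
    except PermissionError as e:
        out["pull_no_mandate"] = str(e)
    ledger.grant_mandate(a, b, 3000)
    ledger.pull(b, a, 2500)
    try:
        ledger.pull(b, a, 3500)
    except PermissionError as e:
        out["pull_over_limit"] = str(e)
    ledger.cash_out(b, 1000)
    out["balances"] = dict(ledger.balances)
    out["recon"] = ledger.reconcile()
    ledger.reverse(push_id)
    out["after_reversal"] = dict(ledger.balances)
    ledger.balances[a] += 1                  # simulate out-of-band tampering
    out["tampered_recon"] = ledger.reconcile()
    return out
```

The journal, not the balance table, is the system of record: `reconcile` rebuilds balances from it and flags any balance that was changed by a route other than a posted transaction, which is the property an auditor or a central bank wants demonstrated. The pull path shows why push and pull need different controls: a pull moves someone else's money, so it is only honoured against a mandate the payer granted in advance and within the limit of that mandate.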