Thursday, March 20, 2008

Two Versions of the Same Story?

It is so important to read the media to follow what is happening with mobile banking. Many of the findings and research results related to mobile banking are published and discussed in the media. I regularly scan what gets published.

Therefore, I was very disappointed when I saw the following headline in an on-line news report: "Americans not interested in m-banking" (Read more about this here). I read the article and found that it was based on research published by Harris Interactive. The poll summarised the responses of a sample of roughly 1,000 (not a very big sample, and I am not sure how representative it is). I found some of the results very positive. According to my interpretation, at least a third of the respondents were interested in mobile banking in some format or other. Although much lower than in other markets, this is still huge. Any other product to be launched in the US with a potential take-up of a third of the population would be described as having massive potential.

Anyhow, the next day I saw the following headline on another website: "Cell phone users open to on-the-go banking". (Read about it here). This seemed to be a much more positive view of mobile banking and I read on with interest. It turns out that these two headlines were articles reporting on exactly the same research and the numbers referenced were exactly the same.

Which all goes to show that some people view the half-empty glass as half full. It is just a pity that the "half empty" journalists seem to be reporting on mobile banking more often than not.

Sunday, March 16, 2008

Institutions influencing mobile banking and payments

Initially, especially in Europe, the industry has seen the establishment of many standards bodies all trying to influence the industry. These bodies ultimately tried to advance the case of their sponsors or owners rather than the industry as a whole.

Lately, a number of institutions have started to generate traction and the industry is being shaped by their actions. These organisations are either non-profit bodies looking after the interests of their members or are philanthropic in nature. It is important to take cognizance of their actions as they have a major influence on the industry today.

I have listed some of these organisations below. This is not intended to be a comprehensive list, but rather an attempt to trigger more thoughts and contributions. (In other words: help me to make this list more comprehensive.)

  • The Mobile Payment Forum is one of the earliest institutions with membership from all participants in the mobile payment eco-system. Founded during the heydays of mobile payments in 2001, the organisation is currently trying to define its role and contribution, having moved its attention more towards proximity payments and mobile marketing.
  • The Mobey Forum is an organisation initially established by major European banks (including Deutsche Bank, ABN Amro and others). A lot of the initial work was spent on developing security standards to be deployed amongst the banks. Since about two to three years ago, mobile operators and vendors have also been invited to join, and the organisation became much more relevant.
  • The GSM Association has been especially active during the past few years. The MMT programme was announced during the GSM World Congress in Barcelona (2007) with a number of objectives: to increase mobile operator revenue through financial services, to activate every phone to be able to send and receive money, and to actively accelerate this through well-funded programmes. In executing on these objectives, the GSMA is working closely with banks and other relevant organisations (e.g. Mastercard, Western Union, etc.).
  • Pay Circle was founded during 2002 by technology companies (like Siemens and Sun) to advance the development of relevant technology solutions. According to the website, the mission was achieved and the organisation closed. There are other organisations that were also active in the past but have subsequently disappeared (like Radicchio).
  • CGAP (and the World Bank) are very active in supporting mobile payment initiatives. A number of grants were recently announced, including grants for Consolidated Bank in Kenya, Tameer Bank in Pakistan, Wizzit in South Africa and XAC Bank in Mongolia. In addition to money, CGAP also provides consulting support, excellent research and other guidance.
  • Finmark Trust is a South African based organisation with an interest in Africa that supports the deployment of low-cost financial services, including through mobile banking.
So this is a start. Let's see if we can add to the list.

A perspective on Mobile Payments in Europe

Europe's venture into mobile banking is characterised by many small initiatives that all failed. A case in point is the small Dutch company Global Payways, with a product called Moxmo launched during 2003 with a mild take-up in the Netherlands. During the collapse of Paybox, Global Payways acquired the subscriber base of Paybox in Germany. This small company was soon in financial difficulties and had to disband services within six months of having taken over the larger subscription base. (There are many references, but read the following blog.)

Soon afterwards major mobile operators announced the Simpay alliance. Simpay endeavoured to provide a common payment platform between Vodafone, T-Systems, Telefonica and Orange. While the European industry waited, Simpay had centre stage for three years and produced… nothing. This fiasco had a lasting impact on the European mobile payment industry.

A company that is quite visible at the moment is Monitise. An initiative started by Morse with a Java-based service on top of the ATM network is now being deployed by First Direct, HSBC and Alliance & Leicester. The company is very visible (because of a large marketing budget?) and is making big headway from a brand-building perspective, but the technology offers little functionality to the subscriber. Recently Monitise listed on the LSE, raising a substantial amount to fund the current burn rate. Another company with a similar profile is the Finnish company Meridea. With backing from Nokia and Accenture, this company was the technology behind, amongst others, Standard Chartered's mobile banking initiative. Unfortunately it closed its doors a few months ago when it ran out of funds.

A noteworthy deployment is the mobile payment solution supported by Banksys in Belgium. Banksys is the central ATM and POS switching company owned by the major banks. Banksys recently announced a SIM card based solution supported by all the major mobile operators that allows subscribers to make payments from their existing bank cards utilising the mobile phone.

The deployment of Paybox in Austria is still operational today and very successful. The service is available on more than one network, provides excellent functionality and utility, and is used by close to half a million people on a regular basis. (This is quite a big coverage considering the size of Vienna, where most of the subscriber services are available.) The service is claimed to be profitable and is one of the best examples of a mobile payment solution that ultimately became successful because of the dedication of its management.

Thursday, March 13, 2008

PCI compliance for mobile payments

Many research reports and experts warn about the risks of allowing fraudsters and criminals access to sensitive credit card details. It is especially operators of financial and payment services that tend to be the biggest targets. Quoting Jon Kerr from Verisign: "It's no surprise that online banks and retailers are some of the most popular targets for identity theft since so many personal details are required by users,... With the average UK consumer worth over £10,000 to criminals, it's clear that each of us is a target."

It is because of this threat that the industry decided to publish a standard that a bank or payment processor should adhere to in order to provide acceptable protection to cardholders. This certification is known as the PCI compliance and is being driven by the Credit Card Associations. The objective of PCI compliance - to protect the consumer - is commendable and should be accelerated. Customers should be educated and should take their business away from banks and payment operators that do not comply.

An interesting question is how the providers of mobile payment solutions should (or should not) comply with PCI standards. In as much as mobile payment solutions touch card information, the application of the standard is clear: none of the card information may be in the clear, and it must not be possible for an unauthorised person to get access to this information. But what if no credit card information is used? What if the routing of payments is made on the basis of a subscriber's telephone number (as is often the case)? What should the minimum conformance be?

This topic is too complex to deal with fully in the space of a short blog post, but it is clear that the mobile payment industry should develop its own compliance requirements. Obviously these would be very similar to card PCI compliance (catering for instance for access control, unauthorised actions, reporting, physical protection, etc.). But what about a rule against displaying a telephone number, when you can potentially see someone's phone number simply by having them call you? What about look-up tables, and what should the controls be around security elements?

It could be worthwhile to develop some of these rules pro-actively.
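As an added illustration of what transposing the card rule to telephone numbers could look like (example code, not from the original post): the look-up table stores only a keyed HMAC pseudonym of each MSISDN rather than the raw number, so a copy of the table alone does not reveal subscribers, and both card numbers and phone numbers are masked before display. The secret key, the last-three-digits phone mask and the digit-length checks are assumptions; the first-six/last-four card mask is the PCI DSS display rule.

```python
"""Added example: PCI-style handling of a telephone number used for payment routing.

Constructed for illustration; not the code of any product mentioned on the page.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Optional

# Constructed secret for the example. In a real deployment this key lives in
# an HSM or key-management service, never in source code or the database.
LOOKUP_KEY = b"example-lookup-key-do-not-use"


def normalise_msisdn(number: str) -> str:
    """Canonical form: digits only, leading '+' and separators dropped.
    Two spellings of the same number must yield the same pseudonym."""
    digits = re.sub(r"\D", "", number)
    if not 8 <= len(digits) <= 15:  # assumed plausible MSISDN length range
        raise ValueError("MSISDN must have 8 to 15 digits")
    return digits


def msisdn_token(number: str, key: bytes = LOOKUP_KEY) -> str:
    """Keyed pseudonym used as the routing key instead of the raw number.
    Without the key, the table cannot be reversed or brute-forced by number."""
    return hmac.new(key, normalise_msisdn(number).encode(), hashlib.sha256).hexdigest()


def mask_msisdn(number: str) -> str:
    """Display form for confirmation screens: only the last three digits."""
    digits = normalise_msisdn(number)
    return "*" * (len(digits) - 3) + digits[-3:]


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must have 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class RoutingTable:
    """Maps pseudonymised phone numbers to internal account identifiers."""

    def __init__(self, key: bytes = LOOKUP_KEY) -> None:
        self._key = key
        self._entries: Dict[str, str] = {}

    def register(self, number: str, account_id: str) -> None:
        self._entries[msisdn_token(number, self._key)] = account_id

    def resolve(self, number: str) -> Optional[str]:
        """Route a payment by phone number without ever storing the number."""
        return self._entries.get(msisdn_token(number, self._key))

    def stored_keys(self) -> List[str]:
        """What a leaked copy of the table would expose: tokens, not numbers."""
        return list(self._entries)
```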

Wednesday, March 12, 2008

INCSR getting involved

I didn't know that the US Department of State pays good money for bodies with complex names like the Bureau of International Narcotics and Law Enforcement Affairs to produce reports like the International Narcotics Control Strategy Report (the INCSR). I cannot comment on the rest of the report, but the section that talks about "mobile payments - a growing threat" triggered my interest and I read it with attention.

I must say that the sentiments expressed and the conclusions reached are far removed from the practices or the intentions of the mobile payment and remittance industry. Very few of the statements regarding risks and lack of controls have been verified or tested against the existing practices employed by mobile payment vendors. Compliments to the authors for publishing the report on the Internet. (Read it here). Unfortunately, I could not find any feedback mechanism that would have enabled me to communicate with the authors in order to rectify many of the inaccuracies.

In practice, great care is taken to ensure that subscribers are enrolled with proper KYC compliance. The implications of the Patriot Act and FinCEN are carefully researched and deployed to ensure compliance. Most of the vendors in the industry (and I know most) have a genuine intent to build an accessible electronic financial infrastructure for the poor that will also eliminate (and block) the actions of criminals and terrorists. These vendors work with the World Bank and associated agencies (like CGAP), reputable banks and other financial organisations to try and build well-governed solutions to the massive problem of the poor being effectively excluded from modern financial services.

The statements in the report not only harm the delivery of financial services worldwide, but also delay the deployment of electronic tools that would enable legitimate agencies to monitor transactions and to identify fraudulent and illegal activities. I would like to urge the authors of the above report to contact representatives from the mobile payment industry, so as to clarify misunderstandings but also to assist the industry to build financial instruments that are better for all.

Monday, March 10, 2008

It is not what you have, but where you fit in

Such a lot of companies are doing good things in the mobile banking and payment space. It is great to live and work in such a vibrant industry. I recently made a list of companies that play a role in the development of the industry. These are companies that are making an impact and can be looked at for solutions (or at the least as a benchmark).

It was interesting for me when I realised how few of these companies can actually claim to be independent. Not that independence is that important, but it is still important to know where companies "fit in". This will help you to understand their actions and what drives them to be successful, but also in what way they could be made to act by other forces.

The best examples are solutions predominantly developed (or at least owned) by large operators. It would be unlikely that these solutions would be deployed by other operators. Examples of these are Vodafone's M-Pesa, Smart's Smart Money and Globe's GCash.

Other examples are companies that have deployed a successful mobile payment solution in a specific market. Sometimes these deployments are quite spectacular. These companies then try to sell their solutions elsewhere, turning an operational solution into a packaged solution. This is particularly difficult, and the jury is still out on whether it can be done commercially. Examples of this are Trumpet Mobile, now selling technology as Affinity, Wizzit, now offering a solution under the brand r-Qubed, and others.

Many solution providers are a small sub-company of a much larger company. Even though these solution providers project themselves as big suppliers of mobile payment solutions, the division providing this product line is often very small. Because these companies also have other interests, the provision of mobile payment solutions may suffer in favour of other priorities. Examples of these are numerous and include Eversystems, GFG, mFormation and Telesoft.

Few companies can claim to be independent suppliers of mobile payment solutions. These companies are often focused companies with excellent solutions and track records. Examples of such companies are Fundamo, mShift and Paybox.

Once again, this is not a comprehensive list. My intention is to trigger discussion on my (often controversial) positions, which is always welcome.

Regulatory discussion

One of the discussion topics that dominates progress with mobile banking is the question of regulatory constraints and dispensations. This is especially relevant when the delivery of mobile banking is based on the creation of a "new account" for every subscriber. The banking law that would govern the opening of such an account is always a topic for discussion.

Based on what I have seen in the industry, I think that one can identify four categories of regulatory conformance in the provision of mobile banking based on a new bank account. The four are:
  • Full banking, where the underlying account that is created for a new subscriber conforms to all the banking law requirements. The customer is properly identified and conforms to KYC prescriptions. The bank account is properly reflected on the deposit-taking balance sheet of a bank and all legal requirements have been met.
  • Relaxed conformance, which is typically the same as a full bank account with some relaxation of the KYC requirements (both in content and in process), although the customer is still properly identified.
  • Pre-paid debit, where the client is not identified. KYC requirements are postponed to a later stage where the client would be identified, for instance when cash is to be withdrawn from the account or when the balance is to exceed a specific limit.
  • No conformance.
In selecting a specific approach, the provider of mobile banking should consider all implications and the potential impact on the business case. A valid strategy could also be to deploy a platform where more than one of the categories above is supported.

Mobile Money Partnerships

During 2004 the largest African bank (Standard Bank) and the largest African telco (MTN) formed a joint venture called Mobile Money Holdings. This is a 50:50 venture with the objective of developing products that will enable subscribers to have access to new and advanced mobile banking products. The company launched an exciting solution in South Africa the next year (2005) and is in the process of launching more solutions throughout Africa and the Middle East.

Recently, Citibank announced a joint venture with South Korea's telco SK Telecom. This will be a 50:50 JV called... Mobile Money Ventures, and will be based in San Francisco. The objective of the venture will be to "develop an advanced mobile banking platform..." See any similarities?

Also see a previous post on Mobile Money.

Tuesday, March 04, 2008

Who can see your PIN

Researchers claim to have found flaws in some well-known brands of PIN entry devices certified by APACS and Visa. These devices have loopholes that can enable fraudsters to access unencrypted PINs and account numbers.

The "tapping" techniques to capture unsuspecting cardholders' PINs require little technical know-how: fraudsters can attach to the PED a "tap" that records PIN and account details as they are transmitted between the card and the PIN pad. Criminals can then use this data to create counterfeit cards that can be used to withdraw cash at ATMs in countries where Chip and PIN hasn't yet been implemented. (Read more)

In another report, a British criminologist has warned that the new security card technology could actually increase, rather than solve, the problem of identity theft and fraud. The researcher said that identity cards and chip and PIN technology for credit cards were unlikely to alleviate the problem, as fraudsters react with more creative responses, while individual vigilance and know-how, which remain the best protection against fraud and identity theft, will decrease. (Read more).

The biggest exposure to fraudulent transactions, in my view, is the lack of control that a subscriber has over what can be done with his or her PIN: how the PIN is dealt with, whether it can be intercepted, and whether it is stored anywhere along the line. Any third-party device or transmission line that the subscriber does not control is a possible point of attack. PIN entry devices that are not under the direct control of the subscriber are the weak point, since such devices can be used to capture a PIN fraudulently without the knowledge of the subscriber.

Techniques are available that enable a subscriber to enter their PIN on a mobile phone in a secure way that can also be certified by banks and credit card associations. The difference with this approach is that the PIN is entered on a personal device that is (usually) under the control of the subscriber, so tampering with it in order to capture a PIN fraudulently is much more difficult.

Value Store System

It is impossible to provide a payment system (any payment system) without connecting (or being able to access) some kind of value store. A credit card based payment system must debit a credit card account and an EFT payment system must debit a bank account somewhere along the line. This is the case for mobile payments too. Without being able to debit (or credit) some kind of value store, it would be impossible to deploy a payment system.

Most mobile payment solutions provide a mobile payment experience that integrates with an existing value store: for instance, mobile banking solutions that provide a mobile channel to existing bank accounts, or mobile payment solutions that mobile-enable an existing credit card. The challenge with these solutions is to ensure seamless integration with the existing systems. One of the challenges is to ensure that the registration process (when a mobile phone gets linked to a credit card, for instance) does not create an opportunity for fraud. Also, the boundaries and rules related to liabilities and disputes are not always easy to implement consistently.

Other solution providers (only a few) provide the ability to open a new type of value store that can be used to perform mobile payment transactions. This facility is particularly interesting in markets where more people have mobile phones than have bank accounts or credit cards. The advantage of this approach is that the value store can be designed in such a way that it is much more tightly integrated with the mobile payment solution. At the same time many challenges must be overcome, like conformance to regulations, compliance with international protocols, and the ability to perform audits and reconciliations that will be acceptable to a central bank.

The selection and deployment of the value store element of the solution is probably the most important decision that can be taken. The components that should ideally be present in a mobile-enabled value store are:
  • Real-time clearing
  • Push and pull payment support
  • Support for a multitude of primitive transaction types
  • Security paradigms compatible with mobile enablement
  • Ease of use
  • Transparency
The key to deciding on a value store strategy should not be dictated by available technology, but rather be based on market realities and business objectives.