Tuesday, September 23, 2008

Indian Central Bank guidelines

While I have commented on the Indian Central Bank guidelines for mobile banking previously, it does require another look as it seems as if the bank have now confirmed these guidelines. It is not clear if the bank would move to a point where these guidelines will be enforced. If this is the intention my impression is that mobile payment is in a dire position in India as the guidelines do not serve to facilitate mobile payments, but rather to inhibit the growth of this important tool to empower so many people with financial services.

My position is based on the following points:
  • The fact that the guidelines prohibits the deployment of money remittance services by means of mobile payment. This has been one of the important drivers of mobile payments in other countries and it is not clear why the bank would limit mobile payments in India to be only for Rupee based transactions.
  • The limits on the value of transactions and daily limits imposed are so low that it would limit the deployment of services to (for instance) business users and agents. This has been the driver in many countries for the take-up of mobile payment services and it does not make sense to set these limits as this would almost close down these avenues for the growth in mobile banking.
  • The fact that all payment services must be available on all mobile networks is also strange as this would remove the incentive of mobile operators to offer mobile centric services to only their subscribers. Mobile operators were major drivers in most countries for the deployment of these services. By removing them from the equation, the RBI have effectively taken a major driver out of the eco-system.
  • The need for end-to-end (application level) encryption, basically eliminate the use of USSD, SMS and Browser-based payment solutions. It is only possible to conform to this requirement with SIM-resident applications or Java on the phone. Very few Indian solutions currently offers these options. Is it the intention of the bank that all service providers should change their channel strategy to conform to the guidelines?
  • The role of the MPFI and the requirement of them to develop the message formats for the industry is short-sighted as this has not been achieved anywhere. In countries where interoperable mobile payment schemes exist (from Austria to Zambia), these schemes developed out of economic drivers not via established industry bodies.
If the bank were to enforce the above guidelines, none of the existing deployments will conform, and mobile payment industry in India would be set back years.

Monday, September 15, 2008

Complexity of Transactional systems

I have always believed that software development is an engineering discipline. Although software cannot be touched like other engineering structures, it should nevertheless be designed, constructed and quality assured according to the same engineering disciplines that one would use for construction of anything else. This is the way that we at Fundamo approach the building of our software and this is why we are so confident about the software's ability to deal with complexity.

I was therefore intrigues when reading the results of research done by Finextra and Mysis recently (read here). According to this research based on interviews with 100 product managers and directors at banks, IT complexity is viewed as the biggest obstacle to corporate transaction banking. The survey shows that 45% of banks believe that their ability is average to worse and that they are moving more and more of the functionality on-line to solve the problem. "At the top of the list of technical problems that banks say their customers want them to solve is greater integration with corporate systems and delivery of cross-border, multi-currency cash pooling services."

Anybody that worked on transactional systems would concur with these observations. One could possibly add that it is likely that the needs (and complexity) would increase substantially as markets develop and clients see more and more of need to be on-line and to perform financial transactions in realtime. What is the key thing that banks should do? Well, lets look at the art of engineering. The more complex the structure the more time is spent in designing and testing the architecture of the design. Get the architecture wrong and the bridge will collapse, get it right and even the construction is a breeze.

Banks should think carefully (and consult with experts) to get the architecture of their transactional systems right... and this is not a trivial task.

Thursday, September 11, 2008

Pakistan Mobile Banking

Pakistan is the sixth most populous country in the world and has the second largest Muslim population in the world after Indonesia. The country is also listed among the "Next Eleven" economies. With a population of 175 million, a population growth of 2% and an average age of 21, this is a country with major economic growth potential (averaging almost 8% growth for the past five years). The country have almost a negligible Internet subscriber population (less than 200 000), yet 90 million mobile phone subscribers.

In addition to all of the above, a number of other factors make Pakistan an ideal market for the growth of mobile banking. These factors are the following:
  • A well-developed and balanced guideline to the development of branchless banking by the Pakistan Central bank exist. This guideline was published pro-actively and is state-of-the-art regulations that will support mobile banking development well.
  • A good mix of well-run local banks as well as international banks are present in Pakistan. Most banks have good management and are well funded. In an environment that is becoming more and more competitive, banks will be looking at ways to compete and develop unique selling points.
  • The five mobile operators are innovative and aggressive. All of them are backed by strong international shareholders with access to good international practices as well as resources.
  • A clear need exist with a large portion of the population dependent on international money remittances or running SMME businesses.
  • Excellent (and sometimes unique) inter-bank settlement and clearing systems with a growing ATM and POS network.
I expect that major growth will be seen in the take-up of mobile banking in this country in the next eighteen months.


It is unlikely that all mobile banking/payment subscribers in the world will be served by one deployment. This is not practical and will be highly unlikely (if not impossible) given the current state of success in the markets. It is just not conceivably possible that all Smartmoney subscribers in the Philippines will all be converted to MTN Mobile Money system hosted in South Africa. In all the countries where mobile money deployments are successful, many (or at least more than one) deployments can be found.

It is therefore important to consider how subscribers to different mobile payment networks would be able to make payments to subscribers on other networks. Cellphone users are accustomed to phone subscribers on other networks. It stands to reason that they would expect to be able to pay subscribers on other networks. Unfortunately this is an extremely tough problem. Anyone suggesting a "easy" solution to this interoperability problem should not be taken seriously. The problem is multi-dimensional. A workable solution will have to consider many of the following aspects: technological problems, clearing and settlement challenges, legal and regulatory, consumer protection (including mechanisms to cater for disputes, warrenties and claims). The problem is almost unsurmountable.

So what is the way forwards? For a start one will be seeing many point-to-point solutions. (Two installations allowing bi-lateral agreements between each other). It is essential that interoperability is tested and experienced in these one-on-one situations first. We at Fundamo have now deployed sufficient installations running our technology (more than thirty) that make these one-on-one interoperable situations possible. After we see success with these, expect more complex network interoperable deployments to start appearing.

Also expect the industry to start working on solutions that will drive interoperability. A recent announcement in this regard is relevant.

ATM PIN fraud and implications

The recent action of banks (Citi, Lloyds TSB, HSBC, Dubai Bank, National Bank of Abu Dhabi (NBAD) amongst others) in the AUE to contact their customers about a PIN compromise was widely reported (see here). The thing is that this is not new. It seems that the cloning of cards have turned into an epidemic (see for instance here, here, and here). It is actually relatively easy to clone a card (especially magstripe cards). One of the more common ways of doing this is by attaching a device to the cardslot on an ATM. (See the picture). It is also doubtful how diligently banks are reporting on these activities and how exposed we really are to this kind of crime (see one of my recent blogs).

The banks are responding to this threat by turning to chip based security. This is (rightly so) why a lot of effort is being placed on making all payment solutions EMV compliant. But indications exist that even these measures don't seem to be ample protection for the consumer (see here and here). I am of the strong believe that the only mechanism to defend against this kind of identity theft is to provide bank customers with a personal device that is connected all the time to the bank system with a secure chip in the device. In this way, the security is stored in a device that is carried by the customer and can only be unlocked with a private key, yet the bank can access the device anytime and anywhere in the world. The only device that this is possible today is the mobile phone. (Providing proper use is made of the security chip in the phone for banking too).

Wednesday, September 10, 2008

Security for break-ins

TraceSecurity is a company that gets contracted by banks to break into their security. The company employs specialists that can think like criminals and can crack all security. The advantage of getting this company in to break your security is that you can fix the holes before the real crooks try and break into your bank.

TraceSecurity recently announced that they could compromise more than a 1000 banks' security in less than 30 minutes. (read more here). What does this mean? Well for a start, holes exist in all banking systems. It is possible to break into banking systems, no matter how hard it is made. If banking systems are un-penetrable, they would also be un-usable. The question is not if it is impossible to break into systems, but rather if all transactions can be traced, that disputes can be handled effectively and that a legal basis exist to resolve security issues and to be able to prosecute succesfully in the case that breaches occur.

Even though it is possible to build mobile banking systems that are more secure and more difficult to break into than any other banking system. (see one of my previous blogs). It is also important to build traceability into mobile banking systems. It is important to have mechanisms available so that a solid legal framework can be built to protect both the bank and the subscriber. Because mobile banking security systems are often built by techies, solutions are unfortunately not all designed to cater for situations when security is breached - as it is always possible.


This was one of the most intriguing news articles that I have read in a while... I have always thought of BarclayCard as an icon in the business of credit cards. As far as I am concerned, BarclayCard invented the card payment systems - or at least made it mainstream in the 60's. They believed so much in Cards, that they incorporated "card" in their name: Barclaycard.

It was thus interesting when the CEO of Barclaycard (Antony Jenkins) said in a recent article that the future of plastic-cards was dead. (Read more here). He indicated that the chip currently embedded in an EMV-card can as easily be built into a mobile phone (or other devices). Of course he is right. I just wonder if they would consider changing their name to Barclaymobile or Barclaymo. I have checked both domains are still available...

Americans are getting more mBanked

In a recent survey conducted in the US (sponsored by Fiserv), it was found that 75% of US consumers would now consider using mobile banking if it was offered. This is up from 49% in 2006. (Read more here). As can be expected, security and cost were the two factors that concerned US consumers most. The most telling result of the survey in my opinion is that 23% of the sample surveyed have already used mobile banking in some form or another. I suppose that it was important for Fiserv to sponsor this research because they annouced the launch of their new mobile banking offering powered by MCom (from Australia) soon afterwards (here). This was a re-launch of the same solution announced in February 2008 (here). At least the solution will be available mid-2009 as a hosted solution as per the announcement. The press release also refer to this solution as "the industry's most complete mobile banking and payments solution"... It would be a good idea for Fiserv to do a little bit more research before making such an "un-informed" statement.