Wednesday, April 29, 2009

The importance of Identity

A lot has been said and more written about "identity theft". We all also know it is not as if some-one "stole" your identity. It is more about someone collecting enough information about you to be able to represent you for a specific purpose. I found this article about identity written by Robert Siciliano particularly stimulating.

The differences between verification and authentication was also very interesting as this has a direct implication in the deployment of mobile banking and refers to the two most complex problems that must be solved in deploying an effective mobile banking solution:

Authentication is about the first step in setting up a mobile banking account. During the registration process it is preferable to authenticate the account holder. This is usually done by comparing a photo-ID with the person (or sometimes with a realtime image of the person). Mobile banking applications not doing a proper authentication of the subscriber runs a number of risks (from regulation to fraudulent transactions). The best way to do this is by means of some biometric data (picture of the face)

At the time of each transaction, a mobile banking solution should verify the subscriber. This is usually done by a combination of a certificate and secret information. This certificate and secret information should have been connected to the subscriber's identity during authentication.

The degree of rigour utilised in designing mobile banking solutions will help defend against identity theft.

Saturday, April 18, 2009

Mobile banking patents

The number of patents that have been lodged to claim ownership of the concept of using a mobile phone to make a payment is staggering. Because this is important to me, I have tried to stay on top of any Intellectual Property claim that is made in this space, and I am amazed. Maybe because it is sheer magic to see a payment transaction being performed by means of a hand-held device that makes people think they own the concept.

It is unlikely that any of the overall claims regarding mobile payments will ever stand the test of proper patentability. The concept is too generic and obvious (?). Also some of the existing prior art (that has been tested in court) did not stand up to scrutiny. (the Vazvan patent). I am much more interested in the claims that is being made of inventions that are closely related to mobile payments. As the industry and the technology starts to mature, it is likely that some of these patents will become much more relevant.

Thursday, April 16, 2009

A Framework for Compliance

We at Fundamo have worked hard over the past ten years to find a mechanism to ensure that our clients' deployments comply with local banking regulations. During this time, we developed significant collateral that we refined with each new deployment. We produced a substantial document with a clever model to assist our clients to ensure compliance. We have called it a Framework for Compliance.

During the recent WWU worksession organised by the GSMA, we made a number of aspects of this framework available to everybody. This was done because we believed that general access to this information by all, will improve the industry's ability to comply. It will also demonstrate that the industry has a genuine drive to find ways to comply. While others may be surprised that this intellectual property was made available, we believe that it will improve the general capability of the industry for everybody to benefit.

Aspects of the framework will appear on Fundamo's website soon and players in the industry will be welcome to download this compliance framework.

MPI as a new regulatory entity?

Since the growth of Micro Finance Institutes (MFI's) in many parts of the world, new regulatory bodies were established to regulate Micro Finance. It was (wisely) recognised that existing regulation and control for lending products cannot be made applicable (as-is) to the micro-lending industry. The much more smaller amounts and a risk profile very different to traditional mainstream lending products necesitated a new thinking. The format of regulatory bodies for MFI's are diffirent from one country to another, but many similarities exist.

As we are grapling with mobile payments, money transfer and providing banking services to the underbanked, one should consider a new category of Financial Services. At the same time it may be advisable to establish a new regulatory dispensation (with different rules and applications), to not only govern these financial services, but also facilitate the growth of the industry. The question is, will central banks and national regulators be bold enough to do this?

Wednesday, April 15, 2009

Card number or Cellphone number

Here is a question:
" When requesting some-one to send you money via a mobile payment schema, would you want them to send it to your card-number or your cell-phone number?" What is the most suitable routing number for a mobile payment?

If we were to pose this question to consumers, I am sure that the majority would pick a cell-phone number. Using a cellphone number as a target number for mobile payments will also be more secure as it would not compromise a card number (which, if it falls in the wrong hands, can be used for fraudulent transactions).

This means that, if we were to deploy a P2P solution based on credit (or debit) cards, a mapping between the cellphone number and a card number will have to be maintained. An interesting question for me is who should ideally be in charge of this mapping table: a bank, the mobile operator or the card association?

Feedback from MMU worksession

Gavin and his team is doing an amazing job at making sure that the mobile money initiative retain the momentum that it currently enjoys. The Worksessions organised by the GSMA is a critical instrument in making sure that the industry develops into a sustainable environment for all participants in the eco-system.

During the recent worksession held at the Mount Nelson in Cape Town, the following insights struck me:
  • The complexity associated with the establishment of a viable agent network. It is critical that the micro-economics of a typical agent be designed in such a way that it is sustainable for prospective agents.
  • The mZanzi initiative of South African banks to sign-up millions of account holders offers many answers. Dave Porteous' presentation on this topic was very informative
  • Regulatory dispensations are well understood by the experts and should not be the hurdle experienced by many. However, a lot of work must still be done to ensure that it is understood better by all.

mPesa Macarena

Lets face it, mPesa has been so successful that we can now give them idol status. Almost every person with an interest in mobile payments and banking (especially when looking at emerging economies), want to do mPesa. This reminded me of that song of madness: "Macarena". The dance that everyone wanted to do to show how clever they are to be able to remember all the steps.

mPesa is very specifically applicable on the Kenya situation. The size of Safaricom, the composition of the management team, the regulatory dispensation, the need of the subscribers... all of these contributed to this amazing success. I am sure it will be recognised at some stage, that not all of us have to dance the Macarena, especially if the tune is different.

Tuesday, April 14, 2009

Another word on Fraud

During the past few weeks, many reports highlighted the alarming growth in fraudulent transactions. Without having an authoritative body providing a holistic overview, it is unclear how big this problem is, but judging from these reports, it is probably huge:
  1. UK payment association reports that online banking fraud grew 132% form 2007 to 2008. Most of this seems to be driven by phishing and Malware attacks.
  2. The Association of Financial Professionals (AFP) of the US estimate that more than 70% of firms in the US were victims of attempted or actual payment fraud. While the majority of the fraud were check related, a large percentage were electronic payment fraud
  3. Symantec announced that they detected a growth of 66% in phishing sites and 47% in active bots creating risks for electronic fraud
  4. Gartner reports that more than five million Americans lost money because of electronic fraud during the 12 months ending September 2008
  5. The Australian Bureau of Statistics (ABS) estimated that more than 5% of Australians fell victim to electronic fraud in 2007
  6. Verizon reported that hackers stole 285 million electronic records in 2008. Of these, by far the biggest percentage were sensitive financial information destined for sale on the black market.
The lessons for mobile banking and payments are that one cannot ignore the immense threat of criminals and innovative mechanisms to defraud individuals. It is of critical importance to this young industry to design bank grade security into the solutions being deployed at the moment. As mobile payments start growing in scale, it will attract the attention of experienced cyber criminals.

Thursday, April 02, 2009

EU Electronic Money Directives

A lot is being made about the new (about to be accepted) EU electronic money directives. The fact that other organisations (read "mobile operators") can now potentially start issuing electronic money with lighter compliance and less reserves (Euro 350 thousand). (Read more here) is of interest.

The question is, is this really removing the regulatory barrier? Have the COREPER solved the problem that mobile operators have with the deployment of mobile payment solutions ? While this is definitely an interesting proposition, it does not solve the biggest hurdle: open access to clearing and settlement.

Mobile payment solutions that are not provided with acceptable access to clearing and settlement streams are like very small islands in a massive sea of payments. Without an elegant way of routing payment transactions to and from the rest of the payment world, very little progress will be made. E-money schemes are interesting propositions in some way, but in the end (and if properly analised) they are effective ring-fencing mechanisms that will keep these transactions away from the rest of the payment world.

Pricing of Mobile Banking Solutions

Me and my wife have built quite a few houses - some that we lived in and others to speculate with. We have always been careful to use reputable contractors. and most often not the cheapest. We saw some of the disasters of half-finished houses or lousy quality with houses having been built by contractors with little experience or with low prices.

In looking at the mobile banking industry, I am surprised by the price-points quoted by inexperienced solution providers. These are sometimes so low, that it would be impossible to deliver solutions of acceptable quality. I assume that Enterprise customers often do not realise the complexity (see some of my blogs on complexity here and here) of the deployments of mobile banking solutions. By selecting solution providers on the basis of price, customers run the following risks:
  • The solution provider have underestimated the effort and now have to fund the effort themselves - this often translates into cutting corners and unacceptable quality.
  • The solution provider, having lost money on the deployment, tries to recover the cost in subsequent phases or getting a slice of the recurring revenue
  • The solution provider cannot effectively support the solution because of limited available resources.
  • Because the solution provider is not running the business on sound commercial principles, he goes out of business and the customer must move to another solution at great cost.
It is one of the biggest risks to this young industry that some solution providers are competing on price-points. The industry is far from mature and it is not possible to evaluate the differences between suppliers solely on the basis of price.

In the ten years that I have worked in this industry, I have seen all of the above risks materialise in practice with companies selecting solution providers on the basis of price only.

Failures and lessons learned

The mobile banking industry is (for some or other reason) extremely competitive. Many solution companies compete with each other to win the business on offer. During the ten years that we have been active in the industry many companies have come and gone. Quite a few projects that were attempted failed and a number of enterprises were disappointed with service delivery.

It is not common to talk about these failures and to name the companies by name. (I think it is because it is such a close-knit community and none of us like to see projects fail). It is not my intention to name companies in this blog, but I have learned of at least three projects that failed (did not deliver on the expectations of the client) and felt that it is important to try and learn from what has gone wrong. This is my summary:
  1. These projects set out to do things for the first time. The contract (in all these cases) were won on the basis of specifications and not actual delivery and proven technology. It is important for enterprises to select companies with a proven track record as mobile banking projects are often much more complex than what is the initial thought.
  2. What works in one country cannot be transported to another country. Technology that worked (for instance in India) cannot be transported into (lets say) Africa. Or even from one country in Africa to another. Differences in culture, the competitive landscape and regulations often have significant impact in the ultimate success of the deployment (or not).
  3. Enterprises that negotiate suppliers into "no-win" situations. This is often the case where one of the suppliers see the project as a "must-win" at all cost scenario and then agree to contractual terms that are not possible. These include pricing, timelines, scope of delivery, conformance to standards etc. The impossibility of the project often degenerate into missed timelines, bad quality and general disappointment.
Part of working towards the maturity of the industry would be to look at the failures and to start taking the decisions that produces win-win opportunities for client and supplier.