Monday, August 24, 2009

Compliance in real-time banking is difficult

The biggest challenge of regulatory compliance for transformational banking is the real-time nature of the transactions. Transformational banking provides a platform for true real-time payment transactions. If properly implemented, the volume of transactions is also huge (even though the average value of a transaction may be low).

Compliance management in traditional systems is typically an off-line solution. These systems work through transaction history and attempt to identify non-compliant transactions (money laundering, funding of terrorism, or other illegal transactions). Banks have a regulatory obligation to find these transactions, correct them and report on them. The inability to be proactive in doing this has led to banks being fined in the past.

Banks are now confronted with a new category of systems where transactions occur in real-time from locations that are not necessarily known (and could even be outside the geographical boundaries where the bank has jurisdiction). It is often also easier to open these accounts and to discard them again. Sometimes regulation allows account holders not to provide proof of residence. These factors create the need for a new kind of compliance management.

We at Fundamo have been doing ground-breaking work in this area during the past months. We are doing this with our clients and industry experts in the space. I believe that as these systems start to evolve, the real-time management of compliance will become more important. As banks are starting to tackle this issue, they will find that it is significantly more difficult than it looked initially.

Mobile banking regulations should be tiered more

This is so obvious that I am hesitant to blog about it: regulatory guidelines for mobile banking should be tiered - they should allow for different layers of compliance. As far as I can gather (and I have read widely), it is only in South Africa where this is explicitly stated (with the E17 exclusion). As always, I would be happy to be corrected.

Different layers of compliance should be the basis (the foundation) of thinking about banking regulations applied to the marginally banked. It stands to reason that it does not make sense to apply the same rigour to an account for low-value, simple transactions as to a high-value, sophisticated bank account. This approach would give comfort to all the participants in the banking industry, as it is the ideal way to manage risk.

We at Fundamo have always postulated and worked towards a four-tier model for compliance. The lowest tier should require very little KYC (client identification), but should be very strict regarding limits and functionality. This lowest tier becomes the entry point into banking for subscribers without a strong banking relationship. It provides rudimentary services, but does not compromise the integrity of the system. With higher levels of compliance, more rigour is added to the registration and client management process, but at the same time, more functions and higher limits are associated with the account.

Tiers are the only way to think about compliance.
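As an added example (not code from this blog or from Fundamo), here is a minimal real-time authorisation check that combines the two posts above: a four-tier policy where the lowest tier needs almost no KYC but gets tight limits and few functions, and per-transaction enforcement against a rolling history instead of an off-line batch. The tier figures, KYC fields and function names are assumptions made for this illustration.

```python
from datetime import datetime, timedelta

# Constructed four-tier policy (figures, KYC fields and function names are
# assumptions for this example, not regulatory values): each higher tier
# demands more identification and unlocks more functions and higher limits.
TIERS = {
    1: {"kyc": {"msisdn"},
        "functions": {"cash_in", "p2p"}, "daily": 500, "monthly": 2000},
    2: {"kyc": {"msisdn", "id_number"},
        "functions": {"cash_in", "p2p", "bill_pay"}, "daily": 2000, "monthly": 10000},
    3: {"kyc": {"msisdn", "id_number", "address"},
        "functions": {"cash_in", "p2p", "bill_pay", "cash_out"}, "daily": 10000, "monthly": 50000},
    4: {"kyc": {"msisdn", "id_number", "address", "source_of_funds"},
        "functions": {"cash_in", "p2p", "bill_pay", "cash_out", "international"},
        "daily": 50000, "monthly": 250000},
}

def eligible_tier(kyc_on_file):
    """Highest tier whose KYC requirements are fully covered; 0 if none."""
    return max((t for t, p in TIERS.items() if p["kyc"] <= kyc_on_file), default=0)

def authorise(account, function, amount, now):
    """Decide one transaction in real time. account is a dict with keys
    'tier', 'kyc' (set) and 'history' (list of (datetime, amount)).
    Returns (allowed, reason) and records the amount when allowed."""
    policy = TIERS[account["tier"]]
    if not policy["kyc"] <= account["kyc"]:
        # an account upgraded without the matching identification is non-compliant
        return False, "tier exceeds KYC on file"
    if function not in policy["functions"]:
        return False, f"{function} not enabled at tier {account['tier']}"
    hist = account["history"]
    day = sum(a for ts, a in hist if now - ts < timedelta(days=1))
    month = sum(a for ts, a in hist if now - ts < timedelta(days=30))
    if day + amount > policy["daily"]:
        return False, "daily limit exceeded"
    if month + amount > policy["monthly"]:
        return False, "monthly limit exceeded"
    hist.append((now, amount))  # commit immediately so the next check sees it
    return True, "ok"

def demo():
    """Constructed scenario: a tier-1 account hits its daily limit, then a
    function it is not entitled to; a tier-3 account lacking the KYC for its
    tier is refused outright. All decided before any money moves."""
    now = datetime(2009, 8, 24, 9, 0)
    acct = {"tier": 1, "kyc": {"msisdn"}, "history": []}
    over = {"tier": 3, "kyc": {"msisdn"}, "history": []}
    return [authorise(acct, "p2p", 300, now)[0],
            authorise(acct, "p2p", 300, now + timedelta(hours=1))[0],
            authorise(acct, "cash_out", 50, now + timedelta(hours=2))[0],
            authorise(over, "p2p", 10, now)[0]]
```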

Friday, August 21, 2009

The SAM side of the SIM story

The SIM card in GSM mobile phones should probably qualify as the computing device that has been produced in greater numbers than any other. Far more SIM cards are produced than phones per year, and with the invention of pre-paid telephony this accelerated even more. But the SIM card is actually a rip-off: it was copied from something called a SAM. As a matter of fact, it is not much different from a SAM.

Anyone with an interest in the technology of banking would of course know what I am talking about. A SAM is the tamper-resistant device found in any ATM or POS terminal, and it looks exactly like a SIM card. These cards sit at the heart of bank security in the sense that a bank PIN can only properly be encrypted if a SAM is present. Bank systems expect bank PINs to be secured with keys stored on a SAM in such a way that they cannot be changed or manipulated. This is a well-understood mechanism widely deployed in banking systems.

Not only is it critical how the keys on the SAM are used, but also how the keys are installed on the SAM in the first place. Control over and access to the master keys (used to derive the keys on the SAMs) are critical in order to ensure the security of the whole system. Millions and millions of ATM and POS transactions have been secured in this way for decades and (according to my information) this mechanism has never been compromised. (ATM and POS fraud attacks usually focus on intercepting the PIN before the SAM encryption.)
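An added illustration (not the post's code, nor any bank's) of the key hierarchy described above: the host derives each SAM's key from a master key and the SAM serial, the SAM holds only that derived key and never exposes it, and the host verifies a PIN by re-deriving the same key. It is a simplified model built on HMAC, not a real PIN-block standard; the master key, serial, PAN and PIN values are constructed, and `expected_pin` stands in for whatever verification record the bank keeps.

```python
import hmac, hashlib, os

# Constructed master key; in a real deployment it would live only in an HSM.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")

def derive_sam_key(master_key, sam_serial):
    """Per-SAM key derived from the master key at personalisation time."""
    return hmac.new(master_key, b"SAM|" + sam_serial.encode(), hashlib.sha256).digest()

def _keystream(key, nonce, pan):
    # one-time keystream bound to the nonce and the card number (simplified model)
    return hmac.new(key, b"ENC|" + nonce + pan.encode(), hashlib.sha256).digest()[:16]

def _tag(key, nonce, pan, ct):
    # integrity tag so a tampered PIN block or wrong PAN binding is rejected
    return hmac.new(key, b"MAC|" + nonce + pan.encode() + ct, hashlib.sha256).digest()[:16]

class Sam:
    """Terminal-side tamper-resistant module: holds only its derived key,
    written once at personalisation and never readable by the terminal."""
    def __init__(self, serial, device_key):
        self.serial = serial
        self._key = device_key

    def encrypt_pin(self, pin, pan):
        """Return (nonce, ciphertext, tag); the clear PIN never leaves the SAM."""
        nonce = os.urandom(16)
        pin_block = pin.encode().ljust(16, b"\x0f")  # fixed-length block; padding is constructed
        ct = bytes(a ^ b for a, b in zip(pin_block, _keystream(self._key, nonce, pan)))
        return nonce, ct, _tag(self._key, nonce, pan, ct)

def host_verify_pin(master_key, sam_serial, pan, nonce, ct, tag, expected_pin):
    """Bank host re-derives the SAM key, so no per-terminal key database is needed."""
    key = derive_sam_key(master_key, sam_serial)
    if not hmac.compare_digest(tag, _tag(key, nonce, pan, ct)):
        return False  # wrong SAM serial, tampered ciphertext or wrong PAN
    pin_block = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, pan)))
    return hmac.compare_digest(pin_block.rstrip(b"\x0f"), expected_pin.encode())

def demo():
    """Constructed flow: personalise a SAM, encrypt a PIN, verify at the host."""
    serial, pan = "SAM-0001", "4111111111111111"
    sam = Sam(serial, derive_sam_key(MASTER_KEY, serial))
    nonce, ct, tag = sam.encrypt_pin("1234", pan)
    return (host_verify_pin(MASTER_KEY, serial, pan, nonce, ct, tag, "1234"),
            host_verify_pin(MASTER_KEY, serial, pan, nonce, ct, tag, "9999"),
            host_verify_pin(MASTER_KEY, "SAM-0002", pan, nonce, ct, tag, "1234"))
```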

With the invention of Internet banking (and because SAMs are not found on PCs), the discipline was somewhat forgotten (or maybe not applied). This is why the security deployed in Internet banking across the globe is not of the same level as the security found in ATMs, nor is it standardised and auditable, as is the case with PIN encryption à la SAM.

This is why it is a mystery to me why many proponents of mobile banking attempt to propagate Internet banking solutions on mobiles. The SIM card in a mobile phone looks like a SAM card, acts like a SAM card and shares almost all of the characteristics of a SAM card. It seems absolutely logical that one should take the proven, accepted mechanisms that banks are comfortable with for SAM cards and apply them to SIM cards.

Wednesday, August 12, 2009

The next step for the USAA iPhone check application

My previous post on the USAA iPhone application was extremely popular. I suddenly had many more visits to my blog page, which implies either that I have a lot of US readers (thank you), or that this check imaging system is really groundbreaking...

I have not used a check (nor seen one) for years (I do all of my payments electronically), so I had to do some thinking to get my head around what the application actually does. My recollection is that a check is a paper instruction to my bank to pay money into the bank account of the beneficiary. Typically, I would give the check to the beneficiary, who passes it on to his/her bank, and then this bank passes it on to my bank. Ultimately the check ends up at my bank, where the money is duly subtracted from my account and paid over to the other bank. It seems that in the US it is now possible to pass an image of the check from bank to bank, rather than the physical check itself. And this is possible because we now have technology that is powerful enough to replicate the physical process exactly.

Surely one should use technology to improve, rather than replicate, the manual process? The obvious (and simple) application would be for me (rather than getting the beneficiary and his/her bank to do it) to pass the image of my own check to my own bank, instructing them to pay the money over to the beneficiary. As an even bolder step, we could remove the image altogether and just ask my bank (electronically, using my iPhone) to subtract the money and pay it into the account of the beneficiary.

This would have been real innovation in my book.

Tuesday, August 11, 2009

London University to the rescue of mobile banking security!

City University London received a three-year grant from the Government's UK-India Education and Research Initiative (UKIERI) to "secure the future of mobile banking". Read more here. According to the report, the researchers are under the impression that most banking systems require a separate (second) SIM card in order to produce a secure session. This means that subscribers have to swap their SIMs in order to do banking. (I am quoting from the article on the University's website - I am serious!). The article describes how the researchers are busy pioneering "a new form of security software, which generates a personal code or "crypto key" to each user via their existing SIM card."

I suppose they could use the grant money to catch a flight to Africa (the majority of countries in Africa) to come and see how this kind of solution actually works in production, where millions of people do banking with one SIM.... and where every transaction is encrypted with a personal crypto key.

How can one get excited about an iPhone image of a check?

As part of my job, I am regularly exposed to great innovations in the mobile banking domain. Recently, when I read about the USAA iPhone application (read here, and in many, many more places), I first thought someone was pulling my leg. In short, USAA (a relatively small US bank catering for the military) will be launching a service where one can take a photo of a check and send it to the bank for processing. I soon realised that many people (predominantly from first-world countries) actually thought this was cool and great progress in mobile banking technology.

This reaction, for me, is a clear indication that mobile banking in the US is way behind most other countries. Many things about this application are strange.
  • The iPhone is a great phone, but most people will agree that its camera technology is probably the worst on the market. The business process for fuzzy checks will be interesting.
  • It is doubtful that people with checks would want to use a phone to bank them. Typically most of these people would have access to a PC, and the user experience on a PC would be much easier to manage than using a phone.
  • Risk and fraud management will be particularly difficult.
  • Future extension of this application (to ultimately turn it into a real mobile banking solution) will be difficult, architecturally.
I suppose these kinds of applications will be developed in a country where a large part of the payment economy is still based on checks. But it does say something about the state of the art of the technology.

Tuesday, August 04, 2009

Will smartcards out-smart mobile banking in India?

India recently announced an ambitious plan to deploy a national biometric smartcard to everybody in the country. (Read here). Seen as the biggest IT project ever attempted, this project aims to provide everyone in the country with a digital identity, while connecting many other services to this central system. The good guys at CGAP make the point that it would actually be easy to provide rudimentary banking services on this card. (Read here).

A national smart card with a cheap mechanism to store money electronically would have a major impact on the fledgling mobile banking industry in India. The impact on business plans, payment switches and distribution strategies would be huge. While the jury is still out on whether it would be possible at all to deploy this system effectively, it is important for mobile banking operators and vendors in India to consider this implication and to develop complementary strategies.