The central bank has been both lauded and criticised by different sections of the industry over its moves related to allowing mobile banking in the country. It had constituted a technical committee under the chairmanship of B Sambamurthy, director, Institute for Development and Research in Banking Technology, to provide suggestions for boosting financial inclusion by harnessing the reach of the mobile phone.
The committee has studied the present challenges faced in mobile banking, the adoption of particular technologies to meet the requirements of banks as well as vast numbers of mobile users and drew up a road-map for implementation of the solutions on mobile banking.
Its approach is to offer a "product in a box" that covers the entire process of SIM card registration, enrolment, authentication until the customer begins to use mobile banking.
Here are some recommendations.
Alternative channels for mobile number registration need to be made available, such as interoperable ATM network across banks as well as the banking correspondent/agent network using biometric authentication, so that the customer can register the mobile number conveniently.
It said the process of M-PIN generation may be simplified and standardised without necessitating a visit to the bank branch by the customer, so that the customer can be on-boarded in an easy manner and start transacting using mobile payments, and reduce barriers to entry. This can be done by allowing the customer to set and change his/her M-PIN from the handset itself using authentication parameters defined by the banks permissible by their security guidelines.
It added that the customer may have the facility to set or change the M-PIN from at least one additional channel (apart from mobile handset itself) such as phone banking, IVR, ATM, internet banking.
Banks may implement multiple channels (application, SMS, USSD etc.) for mobile banking so that options are available to all types of customers with any type of handsets with suitable level of security.
For better authentication of the transaction by the bank, mobile operators could facilitate the mobile banking transaction by providing the mobile number from where transaction is originated when customers transact using mobile banking application (currently the mobile number in the header is suppressed).
For facilitating fund transfer using mobile banking, the remitting customer may be facilitated to effect person-to-person funds transfer using just the mobile number and bank or just the Aadhaar number of the beneficiary.
Customer may be able to make merchant payment using just his/her mobile number and M-PIN/OTP on the merchant interface. The M-PIN can be only interfaced on acquiring bank's interface such as USSD, application, etc. for security reasons. The merchant based interfaces can accept OTP (One-Time Password) for authentication.
Every bank may offer OTP services on SMS request with the standard syntax of SMS such as "MOTP XXXXXX" to the short or long code. (XXXXXX â€“ last 6 digits of the account number). This will help to expand the use of OTP in mobile payments.
It said the limit of unsecured transaction (without end-to-end encryption) may be raised from the existing Rs 5,000 to Rs 10,000 subject to having certain velocity checks at the bank's side. The banks may take the decision of limit enhancement depending on their security policy and internal risk management control measures.
Common USSD gateway
To overcome the challenges faced by each bank in tying up with a large number of mobile operators, and to facilitate the reach and usage of mobile banking through USSD, there is a need for common USSD gateway for mobile banking.
White-label multi-bank STK application
Banks and mobile operators may initiate pilots using white-label multi-bank STK application which can be distributed using application on SIM that allows SMS encryption. Customers, merchants, agents of any bank can transact through this interface.
The committee said the mobile operators may support, application loading on new SIMs with single mobile banking application be made available in all new SIMs which uses encrypted SMS for transaction processing.
It added single mobile banking application may be made available across all existing SIMs in SMS encrypted environment through dynamic STK and the common mobile banking application can be pushed over the air.
The report says large corporates, third-party players and mobile operators, handset manufacturers/resellers may initiate pilot programmes to develop the single multi-bank mobile banking applications which can use published public keys of the banks/banks' agents for encryption.
Similarly, the common application may be pre-loaded in the handset and handset manufacturers can burn the application on all new handsets after the government makes it mandatory.
(Edited by Joby Puthuparampil Johnson)