Mobile Banking

One of the fun things of writing this blog is the right to change my mind. I have been quite critical of the Qualcomm acquisition of Firethorn in the past (read here), but a recent tit bit of information made me sit up and think. It seems that the Firethorn solution has morphed into a fully functional banking portal according to the site appletrendz (read here).

According to this website, an application for the iPhone (running on AT&T) exists (developed by Firethorn). This application allows access to thousands (yes thousands) of different financial institutions from the iPhone through the same interface. As a matter of fact, it seems as if it is possible to access more than one institutions' information on the same application at the same time. The list of features and functions available also seems to be quite extensive. The information available on this site raises a number of questions:

• What is the business model for this service? Can it be provided in a commercially sound way and is it therefore sustainable?
• How are the usernames and passwords secured (to allow login to all these thousands of financial institutions). My understanding is that access can be made with the AT&T six digit PIN only. Does this mean that bank login information is stored somewhere? Who is liable when this storage is compromised?
• What is the competitive advantage of this service over the dedicated service available from each individual bank? How does the banks feel about this service? Do they see it as a threat?

Interesting implications, but well done to Firethorn.

While it is quite common to talk about mobile banking, it seems that "SMS banking" i9s a term that is used by quite a number of professionals. SMS banking seems to be the categorisation of any interaction with banking services via mobile phone making use of SMS's. SMS banking does not use any menu's, downloadable applications or other types of bearer channels (like USSD).

If this is the definition of SMS banking, I would like to suggest that a number of sub-categories exist within the main category of SMS banking:

• Mobile terminating SMS banking would be a class of services that sends SMS messages to the subscriber. Alerting services are typical examples of such services.
• Mobile originating SMS banking would be all of the services that can be implemented by allowing a subscriber to send a SMS to a short-number. The SMS would have a special code and the banking server would respond according to the code in the message. It is possible to distinguish between different types of banking services under this heading:

1. Simple enquiry services (e.g. sending "BAL" to a number and getting the balance delivered to the phone.
2. More complex transaction services. More than one SMS and completing a more complex transaction through a number of "chained" SMS's. The system maintains a state to ensure that different SMS's can be concatenated. (e.g. to pay an account by requesting the outstanding amount and then confirming payment)
3. Combination of SMS transactions with other channels. (e.g. a SMS-based payment request, secured by means of a IVR prompt)

It is clear that SMS banking is not as simple as it sounds and would require very capable professionals to deploy properly.

The Egyptian Financial Supervisory Authority (EFSA) was established last year and brings several regulatory bodies under one umbrella. In an article in the Daily News of Egypt (Read here), the establishment of this body was described as looking after "non-bank" financial products.

Launching mobile financial products as "non-banking" products have been tried before. An approach that I have seen is to offer a mobile wallet as a mechanism to manage investments (rather than savings). This would enable a mobile wallet to be seen as a "non-banking" product and thus could be regulated by an organisation similar to EFSA. A customer would be able to place cash into an investment product and to withdraw from such an investment again utilising a mobile phone. The usual challenges with such an approach is access to other clearing switches (most notably payment systems and ATM switches).

Fortunately the article ends with an afterthought: that the Egyptian Central Bank is finishing final work on a regulatory framework for money remittances and that this will be available soon. The relevance of this paragraph in the article is interesting.

"Imagine your life if you had no access to banks, ATMs, credit cards, or savings and checking accounts -- just cash that you needed to hide or carry around. It would be hard to save, plan, get ahead, take chances, or feel secure". This is a quote from a CNN article. In the article information related to the Telenor product EasyPaisa (recently launched in Pakistan) is given.

Pakistan is a very big country. This is the second most populous Islam country (after Indonesia). The people of Pakistan are very hard working with an ingrained entrepreneurial spirit. One sees small merchants everywhere and trading is commonplace. The launch of EasyPaisa should be seen in this context and some of the comparisons with mPesa are very insightful:

• Pakistan is significantly larger than Kenya (180 to about 40 million people). Safaricom is the dominant mobile operator with a market share in access of 70%, whereas Pakistan is highly competitive with five incumbent operators.
  
• EasyPaisa is a product launched by a bank (owned by the mobile operator - the operator bought a bank in order to launch the product), whereas mPesa is a product launched by a mobile operator. mPesa is not positioned as a banking product, wheras EasyPaisa's objective is to open a bank account (with savings capability) for every subscriber.
  
• EasyPaisa started with a few simple products that could only be serviced by agents. This enabled them to grow, motivate and train the agent network, prior to the launch of the banking product aimed at individuals. According to the article, Telenor has 150 000 merchants to convert to a target of 20 000 agents within a year. mPesa currently supports more than 10 000 agents.

It would be interesting to see the Pakistan service expand and grow and to learn new lessons in a country with distinct differences.

Financial payment applications are a unique breed of applications. These are the applications installed in the ATM's on the chip in your EMV cards and running on chips in Point of Sale machines. These applications manages and sits at the heart of the fibre of electronic payments. Without them, retail operations, cash dispensing, electronic bill payment and many more essential functions would not be possible.

In order to ensure a safe, secure and predictable environment, these applications should be tamper-proof, well identified (signed), well tested and understood. These applications are always certified by an independent body and many external controls are built into the system to ensure integrity and balance.

It is most likely that mobile phones will be used to perform many of these payment functions (retail payments, cash disbursement etc.). As a matter of fact, mobile phones would be doing the bulk of these transactions as well as payment transactions that were never possible before. Utilising applications on mobile phones that break down the principles needed for security, predictability and transparency is dangerous and irresponsible to say the least.

The Android operating system is probably the most open operating system for mobile phones today with extremely rich features. With Android it is now possible for anyone to build applications and trick others to load it on their phone. These applications (quite unique to Android) can easily be loaded on the phone in a (relatively) uncontrolled way, can run in the background (unique to Android), can interact with applications residing on other devices (remote from the actual phone) and can launch other applications (unique to Android) with no information to the consumer.

I am not the best hacker that I know, but I can tell you this: Android is the perfect platform to build the perfect application with ill intent, and those applications will be built.

The big pity is that a few unfortunate incidents created in this way, will lead to immeasurable damage to the trust in mobile money solutions in the eye of the man in the street.

One of the biggest stumbling blocks for mobile money deployments is the regulatory controls designed to ensure that mobile money are not to be used for criminal activities. (By criminal activities it is meant funding of terrorism, money laundering and application of money collected in illegal ways). This is way the need exists to know with a high degree of certainty who did what transaction.

The result of this "need to know who did what transaction" got translated into a dreaded three-letter word: KYC (Know your customer). Anyone that have done a serious (and legal) mobile money deployment will tell you that KYC requirements and compliance are probably the biggest challenge. Without the need for KYC, many deployments would be much easier, less expensive and will be more effective in bringing financial services to the people that need it.

Many people are of the opinion that the level of rigour prescribed are not in line with the risk that is being mitigated. The fact that a poor person in Africa cannot have a mobile money wallet, because he/she does not have a proper ID-document (or proof of residence) is a shame and does very little to help the world fight organised crime and terrorism.

I have became a fan of Dave Birch's thoughts recently and one should read a recent blogpost on this topic. His recommendation makes a lot of sense:

I really respect individuals that are prepared to say things the way they see it and not the way that they think people want to hear it. In a recent article Sandy Shen, a research director for Gartner made very valid points (that I think should be made - even thought these may be unpopular).

It seems that consumers really like NFC payments and that they would want to have this deployed quickly. The ease of use and the intuitive application seems to be exactly what consumers want, but huge barriers still exist before this will be a viable solution.

• It is unclear how the business case would work for the deployment of NFC payments, or as Sandy described it: "...that there is no convincing business case for either banks or mobile phone operators,"
• Availability of handsets remains a significant problem. Estimates of the number of handsets that will be NFC enabled keeps declining year by year. Sandy says: “The handset vendors are sitting on the sidelines to see how the market will pick up.”
• Lastly the perceived security remains a big stumbling block.
  

It is important that these constraints be highlighted in order to deploy solutions that are viable and that are based on a workable business case.

Many people representing many different organisations are working extremely hard at building a new world off mobile financial services. The operators of mobile payment services, mobile network operators, banks and regulators all have dedicated staff that are very committed to mobile money initiatives. Engineers and architects working for vendors (like our dedicated people at Fundamo) also contribute to the shared vision.

Yet, people that perform an essential role in growing this industry are often overlooked. These are the analysts and researchers that observe, measure and give feedback to the practitioners. Without their efforts, it would be impossible to motivate sales, investment and regulatory changes. If we are not able to point to improvements, growth and successes, this industry would die. Similarly, we also have to be accurate at what has been done wrong. It is analysts that help us do this.

Many organisation do stirling work in this regard. I am thinking of institutions like the Finmark Trust, MicroSave and Bankable Frontiers. This article has been triggered by the excellent work being done by the guys at CGAP. Mark, Ignacio (who is now at the Gates Foundation), Jim and all the rest; keep up the good work.

When Android was announced as an operating system (eighteen months ago), I predicted that that it could lead to serious security attacks (Read the last paragraph in my blog). In a recent (much publicised) incident, this is exactly what happened. A rouge application that utilise phishing techniques to steal banking details appeared for Android-based mobile phones. While this is the first known incident, expect many more to follow. Android as an operating system is just ideal for developing applications with ill intent.

I believe that there are two sides to this story:

a. This is the end of the promise of secure mobile banking (at least on Android-driven) phones. All the potential of not repeating the challenges of browser-based banking has now disappeared. Developers of mobile banking solutions (and operational executives) will have to consider this reality whenever they launch products or design business processes.

b. Android is here to stay. It is a reality that we as mobile banking professionals will have to live with. It is important that solutions are designed in such a way so as to take cognisance of the holes in Android, but more importantly: that consumers are educated on how to work with necessary new security mechanisms (like memorable items)

A recent discussion on one of the LinkedIn discussion groups initiated by Meneke made some fascinating points on the possibility of cash ever getting replaced by mobile money (Read here). I was a bit late in contributing to the discussion and when I wanted to, all has been said. yet, the discussion made me think about the topic. This discussion was followed up with a panel discussion where more thoughts were shared. The proceedings of this discussion is documented here. One should also read what Dave Birch has to say on the topic (Read here). The points that he makes and the way that he does it is always entertaining. One should also read the many other articles and opinions published on the Internet on this topic (For instance here).

The most important consideration for this discussion is to realise that less than 5% of actual money supply is actually represented by physical cash. A very small percentage of money is utilised for retail payment transactions. Whereas the demise of cash will mean a significant change in the total value of money, it would have a small impact on electronic money. The majority of the world's money is electronic anyhow (already). Electronic money is used for big item transactions (investment, funding transactions, foreign currency etc.) as well as retail transactions (cards and mobile payments). A move to totally replace physical cash will be a very small move (say an increase in 2 to 3%). I believe that this is quite possible and can happen swiftly.

Much of the discussions on the LinkedIn group was on ways to make this happen (user confidence, ease of use, acceptance, fraud etc.). If we figure out how to offer consumers an electronic way to pay while considering these imperatives, electronic payments would start to dominate cash easily. Mobile payments (if implemented correctly), is the only way to address the valid constraints. Mobile payments will ultimately lead to the elimination of cash.