Recent Developments in Mobile
Financial Services Solutions
Introduction
Mobile Financial Services
Technology Issues
Mobile Financial Services
• Mobile Banking – allows bank customers to check balances, monitor transactions, obtain other account information, transfer funds, locate branches or ATMs, and, sometimes, pay bills.
• Mobile Payments – allows consumers to make payments, transfer money, make donations, or pay for goods and services.
• Mobile banking and mobile payments have the potential to expand access to financial services to the unbanked and underbanked by reducing transaction costs and increasing the use of financial products and services.
• A recent survey found that individuals under the age of 25 are increasingly underbanked and feel comfortable with alternative financial services.
Online Banking
• Usage is evenly split between men and women.
• 30% are between the ages of 30 and 44.
Mobile Financial Services and Shopping
• Compare prices when shopping
• Receive offers and promotions based on location
• Track finances and budget
• POS purchases
• May appeal more to underbanked and unbanked consumers
Underbanked Consumers
• Has a checking, savings or money market account, but also uses alternative financial services such as payday loans, check cashing services or a payroll card.
• 91% of underbanked individuals have a mobile phone and 57% have a smartphone, higher than for the general population.
Unbanked Consumers
• Do not currently have a checking, savings or money market account.
• Among individuals who are unbanked, 64% have a mobile phone and 18% have a smartphone.
Advantages
Advantages for Consumers
• Consumers do not need to carry cash or credit cards
• Ability to send money abroad via person-to-person mobile payment services
• Remote wipe capability is available on smartphones and tablet devices for added security (it only takes effect once the lost device is powered on and reachable over the network, so it complements rather than replaces device locking and protection of the stored credentials)
Advantages for Businesses
• Can reach more customers without an increased investment in technology
• Merchants don't have to keep as much cash on hand
Why not?
• Top reasons for not using mobile banking:
  - Banking needs are met without mobile banking
  - Security concerns
  - Lack of confidence in technology to perform accurately
  - Cost of data access on mobile phones
Non-U.S. Mobile Payment Services
• Safaricom and Vodafone (Africa) launched M-PESA—an SMS-based payment service targeting the unbanked, prepaid mobile subscribers in Kenya.
• Paybox by MobilkomAustria—an SMS-based system that also has an NFC system for mobile ticketing for mobile transport
• NTT DoCoMo, Inc. (Japan)—Osaifu-Keitai® mobile wallet service
• Western Union® —Mobile application provides P2P money transfers from the sender's bank account to the recipient's Western Union cash card
• e-Transfer by Interac, Inc. (Canada)—Provides the ability to send and receive money directly from one bank account to another using online or “mobile banking” through a participating financial institution without sharing any personal or financial information
Current Technologies
• NFC (Near Field Communication) – Google Wallet
• Carrier Billing
• Apps
History
Initially, payments from mobile phones were made through text messages. This mode of payment was sometimes slow and unreliable, and so could not be relied upon for larger payments. This led to the development of NFC applications for mobile phones.
NFC Technology
NFC enables the exchange of data between devices and is compatible with the existing contactless infrastructure already in use for payments.
NFC also works when one of the two devices has no power source of its own: the passive side draws its energy from the RF field of the active side (e.g., a phone that is turned off, a contactless smart credit card, a smart poster tag).
NFC Technology
A short-range (up to about 4 cm, or roughly 1.5 inches) high-frequency (13.56 MHz) wireless communication technology that extends the ISO/IEC 14443 proximity-card standard (contactless card, RFID) by combining the interface of a smartcard and a reader into a single device.
NFC Technology
NFC technology is currently aimed at being used
with mobile phones. There are three main use cases
for NFC:
* card emulation: the NFC device behaves like
existing contactless “smart” cards
* reader mode: the NFC device is active and can
read a passive RFID tag.
* P2P mode: two NFC devices are communicating
together and exchanging information.
NFC Technology
* Mobile ticketing — an extension of the existing
contactless infrastructure, airline tickets, concert/event
tickets, and others.
* Mobile payment — the device acts as a debit/credit
payment card, or as electronic money.
* Smart poster — the mobile phone is used to read
RFID tags on outdoor billboards in order to get info.
* Electronic keys — car keys, house/office keys, hotel
room keys, etc.
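Reader mode and smart posters mean the phone parses bytes from an untrusted tag and may act on a URI found in them. The following Python is an added example, not code from the original presentation: it parses an NDEF message (the NFC Forum record format carried on such tags), expands the abbreviated URI record, descends into a smart poster record, and applies an allowlist so that only http(s) links are opened. The tag byte strings and the allowlist policy are constructed for illustration.

```python
"""Parse an NDEF message read from an NFC tag (reader mode / smart poster)
and vet any URI it carries before the phone acts on it.

Added example, not from the original page. The tag contents at the bottom
are constructed byte strings, not captures from a real tag."""
import struct
from urllib.parse import urlsplit

# NDEF record header flag bits (NFC Forum NDEF 1.0 specification)
MB, ME, CF, SR, IL = 0x80, 0x40, 0x20, 0x10, 0x08
TNF_WELL_KNOWN = 0x01

# URI Record Type Definition: payload[0] is a one-byte scheme abbreviation.
# Subset of the spec table; any code not listed is treated as invalid.
URI_PREFIXES = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://",
    0x04: "https://", 0x05: "tel:", 0x06: "mailto:", 0x1D: "file://",
}

# Policy (constructed for this example): a tag may open a web page only.
# tel:, mailto:, file: etc. could dial a premium number or touch local data.
ALLOWED_SCHEMES = {"http", "https"}


def parse_ndef(msg: bytes) -> list:
    """Return [(tnf, type, id, payload), ...] for one NDEF message.

    Every length field is checked against the buffer, so a malformed or
    hostile tag raises ValueError instead of yielding sliced garbage."""
    if not msg or not msg[0] & MB:
        raise ValueError("first record must set MB")
    records, off = [], 0
    while off < len(msg):
        try:
            flags, type_len = msg[off], msg[off + 1]
            off += 2
            if flags & CF:
                raise ValueError("chunked records not supported")
            if flags & SR:                      # short record: 1-byte length
                payload_len, off = msg[off], off + 1
            else:                               # 4-byte big-endian length
                (payload_len,) = struct.unpack(">I", msg[off:off + 4])
                off += 4
            id_len = 0
            if flags & IL:
                id_len, off = msg[off], off + 1
        except (IndexError, struct.error):
            raise ValueError("truncated record header") from None
        end = off + type_len + id_len + payload_len
        if end > len(msg):
            raise ValueError("record length exceeds message")
        rtype = msg[off:off + type_len]
        rid = msg[off + type_len:off + type_len + id_len]
        payload = msg[off + type_len + id_len:end]
        records.append((flags & 0x07, rtype, rid, payload))
        off = end
        if flags & ME:                          # message end: ignore trailing bytes
            break
    return records


def decode_uri(payload: bytes) -> str:
    """Expand a 'U' record payload (prefix code + UTF-8 remainder) to a URI."""
    if not payload:
        raise ValueError("empty URI payload")
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:
        raise ValueError("unsupported URI prefix code %#x" % payload[0])
    return prefix + payload[1:].decode("utf-8")


def vet_uri(uri: str) -> bool:
    """True only for a plain http(s) URL with a host and no embedded credentials."""
    p = urlsplit(uri)
    return (p.scheme in ALLOWED_SCHEMES and bool(p.hostname)
            and p.username is None and p.password is None)


def inspect_tag(msg: bytes) -> list:
    """Return [(uri, allowed), ...] for every URI the tag asks the phone to open.
    A smart poster ('Sp') record wraps a nested NDEF message, so recurse."""
    results = []
    for tnf, rtype, _rid, payload in parse_ndef(msg):
        if tnf != TNF_WELL_KNOWN:
            continue
        if rtype == b"U":
            uri = decode_uri(payload)
            results.append((uri, vet_uri(uri)))
        elif rtype == b"Sp":
            results.extend(inspect_tag(payload))
    return results


# Constructed tag contents. One short record: flags MB|ME|SR|TNF=1 = 0xD1,
# TYPE_LENGTH, PAYLOAD_LENGTH, type 'U', payload = prefix code + text.
BENIGN_TAG = bytes([0xD1, 0x01, 0x12]) + b"U" + bytes([0x02]) + b"example.com/offer"
PREMIUM_CALL_TAG = bytes([0xD1, 0x01, 0x0D]) + b"U" + bytes([0x05]) + b"+19005550100"
TRUNCATED_TAG = bytes([0xD1, 0x01, 0x40]) + b"U" + bytes([0x04]) + b"example.com"
# Smart poster whose nested message is the benign URI record above.
SMART_POSTER_TAG = bytes([0xD1, 0x02, len(BENIGN_TAG)]) + b"Sp" + BENIGN_TAG

if __name__ == "__main__":
    for name, tag in [("benign", BENIGN_TAG), ("premium call", PREMIUM_CALL_TAG),
                      ("smart poster", SMART_POSTER_TAG), ("truncated", TRUNCATED_TAG)]:
        try:
            print(name, inspect_tag(tag))
        except ValueError as e:
            print(name, "rejected:", e)
```

The length checks matter more than they look: a tag is attacker-controlled input, and a parser that trusts PAYLOAD_LENGTH is the NFC equivalent of trusting a Content-Length header. Which schemes to allow is a policy choice; the point is that the reader, not the tag, decides what gets opened.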
NFC Technology
A patent licensing program for NFC is currently under development by Via Licensing Corporation http://www.vialicensing.com.
A public platform independent Near Field Communication (NFC) library is released under the free GNU General Public License by the name libnfc.
http://www.libnfc.org
In December 2008 the application eCL0WN was released, which allows reading and copying biometric passports with certain Nokia phones.
http://www.derkeiler.com/pdf/Mailing-Lists/Full-Disclosure/2008-12/msg00575.pdf
NFC Technology v. Bluetooth
NFC has shorter set-up time.
Instead of performing manual configurations to identify Bluetooth devices, the connection between two NFC devices is established at once (under a tenth of a second).
The maximum data transfer rate of NFC (424 kbit/s) is slower than Bluetooth (2.1 Mbit/s).
NFC has a shorter range, which provides a degree of security and makes NFC suitable for crowded areas where correlating a signal with its transmitting physical device (and by extension, its user) might be difficult.
NFC Technology - Hacks
Eavesdropping
The RF signal for the wireless data transfer can be picked up with antennas. The distance from which an attacker is able to eavesdrop on the RF signal depends on numerous parameters, but is typically a small number of meters. Eavesdropping is also strongly affected by the communication mode. A passive
NFC Technology - Hacks
Data modification
Data destruction is relatively easy to realize. One possibility to perturb the signal is the usage of an RFID jammer. There is no way to prevent such an attack, but if the NFC devices check the RF field while they are sending, it is possible to detect it.
Relay attack
Because NFC devices usually also implement ISO/IEC 14443 functionality, relay attacks are also feasible on NFC. For this attack the adversary has to forward the request of the reader to the victim and relay back its answer to the reader in real time, in order to carry out a task.
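The relay attack above succeeds even when the card's responses are cryptographically protected, because the attacker forwards genuine messages rather than forging them; what the relay cannot hide is the extra round-trip time. The Python below is an added example, not code from the original presentation: a simulated reader challenges a card, verifies a MAC (standing in for the card's cryptogram), and separately checks the round trip against the ISO/IEC 14443-4 Frame Waiting Time for FWI=4. The card, relay, key and latencies are constructed, and the clock is simulated so the result is deterministic.

```python
"""Why a relay attack defeats cryptographic authentication alone, and how a
reader-side timing bound exposes it.

Added example, not from the original page. The card, relay and clock are
simulated; the HMAC stands in for the card's cryptogram, and the key and
latencies are constructed values."""
import hashlib
import hmac
import os
from dataclasses import dataclass

FC_HZ = 13_560_000  # ISO/IEC 14443 carrier frequency (13.56 MHz)


def frame_waiting_time_us(fwi: int) -> float:
    """ISO/IEC 14443-4 Frame Waiting Time: FWT = (256 * 16 / fc) * 2**FWI,
    the longest a reader waits for a card's answer (FWI in 0..14)."""
    if not 0 <= fwi <= 14:
        raise ValueError("FWI must be 0..14")
    return 256 * 16 / FC_HZ * (1 << fwi) * 1e6


@dataclass
class SimClock:
    """Virtual clock (seconds) so the simulation is deterministic."""
    t: float = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, dt: float) -> None:
        self.t += dt


class Card:
    """Genuine contactless card: answers a challenge with a keyed MAC."""

    def __init__(self, key: bytes, clock: SimClock, compute_s: float = 300e-6):
        self.key, self.clock, self.compute_s = key, clock, compute_s

    def respond(self, nonce: bytes) -> bytes:
        self.clock.advance(self.compute_s)  # on-chip crypto time (constructed)
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


class Relay:
    """Attacker: a proxy card at the reader forwards each command over a
    network link to a mole device held against the victim's card and relays
    the answer back. It never learns the key; it only adds latency."""

    def __init__(self, victim: Card, clock: SimClock, hop_s: float):
        self.victim, self.clock, self.hop_s = victim, clock, hop_s

    def respond(self, nonce: bytes) -> bytes:
        self.clock.advance(self.hop_s)       # reader -> proxy -> mole -> card
        answer = self.victim.respond(nonce)
        self.clock.advance(self.hop_s)       # card -> mole -> proxy -> reader
        return answer


def reader_authenticate(card, key: bytes, clock: SimClock, budget_s: float,
                        nonce: bytes = None):
    """Challenge the card, verify the MAC, and separately check that the
    round trip fits the timing budget. Returns (mac_ok, timing_ok, rtt_s)."""
    nonce = nonce or os.urandom(8)
    t0 = clock.now()
    answer = card.respond(nonce)
    rtt = clock.now() - t0
    expected = hmac.new(key, nonce, hashlib.sha256).digest()
    mac_ok = hmac.compare_digest(answer, expected)
    return mac_ok, rtt <= budget_s, rtt


def demo():
    """Genuine card vs. the same card reached through a relay adding 20 ms
    per hop (constructed), judged against FWT for FWI=4 (about 4.8 ms)."""
    key = bytes(range(16))            # constructed demo key shared by card and reader
    clock = SimClock()
    budget = frame_waiting_time_us(4) / 1e6
    genuine = reader_authenticate(Card(key, clock), key, clock, budget)
    relayed = reader_authenticate(Relay(Card(key, clock), clock, 20e-3),
                                  key, clock, budget)
    # The relayed MAC verifies (it came from the real card); only timing fails.
    return {"genuine": genuine, "relayed": relayed}


if __name__ == "__main__":
    for who, (mac_ok, timing_ok, rtt) in demo().items():
        print(f"{who:8s} mac_ok={mac_ok} timing_ok={timing_ok} rtt={rtt * 1e3:.2f} ms")
```

Caveat: FWT is a protocol timeout, not a security bound. Cards commonly advertise FWIs that allow several milliseconds or more, a card may ask for further waiting-time extensions (S(WTX)), and published relay setups fit inside those windows. A reader that wants real assurance needs a dedicated distance-bounding exchange that times single bits at nanosecond resolution, or compensating controls such as transaction limits and user confirmation on the phone.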
Carrier Billing
• ISIS – T-Mobile and Verizon
• Sprint – NFC based
Apps
• Flint
• LevelUp
Consumer/Regulatory Issues
• Payment-related information is not always easy to access, read, understand and complete
• Billing statements are not always clear
• Information on loyalty and rewards programs is not always clear
Consumer/Regulatory Issues
• Difficulty determining whether a transaction was successful
• Personal information may raise privacy issues
• Correcting errors can be difficult, if not impossible
Consumer/Regulatory Issues
• Automatic repeat purchases or automatic subscriptions
• Termination of trial periods and "free" products
• Data pass marketing
• In multi-party payment schemes with numerous actors (e.g., mobile operators, credit providers, merchants, app developers), consumers may have difficulty understanding who to turn to in case of a problem with the transaction
REGULATORY STRUCTURES
Federal
State
DATA PROTECTION AND LIABILITY FOR
DATA THEFTS
As the market for mobile financial services has developed and grown, protecting consumers' financial information from unauthorized access and identity theft should be of paramount importance.
Authenticating consumers' identities and keeping the data transfer process safe from viruses, malware and other attacks are also vital.
Information held by banks and other service providers is a high-value target, with risks of leakage, tampering and unauthorized access to data. Adequate measures and safeguards for customer data protection are needed.
REGULATORY MEASURES
Under GLB, both the security and the privacy of a consumer's non-public personal information ("PI") are protected. PI is personally identifiable information that is:
• provided by a consumer to a financial institution, or
• the result of a transaction or service for the consumer.
Money Laundering
• Number of active mobile payment service accounts globally: 15 million
• Some mobile payment service providers offer open-loop prepaid cards that are connected to the accounts of their customers; through this, originally domestic providers may offer cross-border services, as the card grants customers, or third persons to whom the prepaid card was handed, access to the global ATM network.
• Some providers even allow ATM withdrawals without a card. Customers can initiate P2P transactions by passing a code to third parties, who enter the code into an ATM to receive the amount of money linked to that specific code.
• Some providers cooperate with traditional money remittance services (e.g., Western Union); the remittance service enables third parties who are not customers of the mobile payment service provider to send money to, or receive it from, a customer, also across borders.
REGULATORY MEASURES
PI generally includes account information, unpublished phone numbers,
other contact information, and of course more sensitive information as
well.
If there is any breach of data security with respect to PI by any entity to whom GLB applies, that entity would be liable for the breach. GLB provides a fairly broad interpretation of the phrase "financial institution" that covers not only banks, insurance companies and securities firms, but also brokers, lenders, tax preparers and real estate settlement companies, among others.
REGULATORY MEASURES
Section 404 of the Sarbanes-Oxley Act requires companies to implement and practice internal controls in an effort to increase the security of financial data and systems, and has led companies to keep strict internal controls for financial data safety. SOX mandates that organizations ensure the accuracy of financial information and the reliability of the systems that generate it. Section 404 requires that management perform an assessment of internal controls over financial reporting and obtain an attestation from external auditors on an annual basis.
Compliance with GLB safeguards and SOX controls should reduce the chances of data theft, data loss or unauthorized access to data, although it does not eliminate them. Non-compliance with these provisions would lead to hefty fines being
NYS Banking Department
• Money Transmitter: No person or entity may engage in the business of selling or issuing payment instruments, such as checks, or engage in the business of receiving money for transmission or transmit money without a license from the Superintendent…
• Licensing requirements: Article 13-B of the Banking Law, Sections 640 to 652-B and Superintendent's Regulation Parts 406, 416, 417 and 300.
NYS Banking Department
• Budget Planner: Only type B not-for-profit corporations as defined in section 201 of the not-for-profit corporation law of New York, or an entity incorporated in another state having a similar not-for-profit status, shall engage in the business of budget planning.
• Licensing requirements: Article 12-C of the Banking Law, sections 579 to 587, Superintendent's Regulations Parts 402, 404 and 300 and General Business Law
California State Banking Department
• Money transmitters include issuers of payment instruments (money orders), travelers checks and stored value
• California Financial Code, Division 1.2, commencing with section 2000
OECD Policy Guidance
• Service providers should give clear and accurate information regarding terms, conditions and costs
• Businesses are prohibited from engaging in fraudulent or deceptive practices
• Regulatory monitoring to enforce consumer protection
Disputes
• Verizon "blockage" of Google Wallet
LIABILITY OF BANKS/ VENDORS
An interesting question to consider is whether any bank or mobile service provider would be held liable for loss or tampering of data in spite of complying with the above-mentioned regulations. For instance, there might be loss of data due to a virus attack on the system. Which entity would then be liable for such security breaches?
Customers still might have recourse against these entities for traditional claims of negligence, breach of contract or breach of a fiduciary duty, but there is no clear-cut provision holding an entity liable for loss of data due to acts such as hacking.
There is, however, an increasing view that laws should be changed to assign greater responsibility to service providers and other organizations that possess large amounts of personal information.
Such organizations should be legally required to inform their customers as soon as a penetration occurs, and they should be held legally liable for the financial impact on their customers as a result of hacking and identity theft.