A draft set of Guidelines were issued for comment in June, but are still in development. RBI signaled several times in the prior year that it planned to look in earnest at mobile financial services.

CGAP’s Notes on Regulation of Branchless Banking in India took stock of the situation earlier this year.

Know your customer (KYC) requirements on financial institutions have received increasing attention by governments in their anti-money laundering and combating the financing of terrorism (AML/CFT) initiatives. AML/CFT regulations introduce specific obligations on account opening, including, at the very least, checking the customer’s identity. This poses a particular challenge to branchless banking for two reasons. First, the absence of branches means that banks need to find alternative ways of conducting face-to-face interviews or identity checks, where those are required. Regulations may allow banks to “outsource” this function to a third party (perhaps the cash-in/cash-out agents) , but it remains the bank’s responsibility to ensure KYC procedures are performed adequately. In the Philippines, the growth of rural agent networks has been limited because all agents need to take a Central Bank-supervised training course in Manila before they are allowed to operate. Many agents find this required training to be too costly and disruptive. Second, to the extent that branchless banking targets poorer and more remote customers, it may be more difficult for these customers to show proof of identity at all.

On the other hand, AML/CFT risks associated with branchless banking initiatives can be mitigated by capping account sizes, account functionality, and transaction volumes. As governments’ interest in access to finance grows, they are becoming increasingly pragmatic about KYC requirements, allowing for simplified procedures where risk is limited. In South Africa, the Reserve Bank permits remote account opening for certain types of accounts; this has allowed WIZZIT to undertake KYC procedures through a network of roving “WIZZkids”—often previously unemployed youths.

For branchless banking to develop, governments need to continue to work with providers to find flexible solutions that meet policy and business requirements. It is unlikely that there will be a one-size-fits-all solution. Instead, governments will need to be responsive to proposals coming from providers and to evaluate these proposals based on the risks involved.

Mobile banking raises security concerns. In principle, security concerns over mobile banking are more manage able than that of Internet banking, because they happen on a more trusted—or at least a more tightly controlled—network. On the other hand, security concerns over mobile banking are bigger than for traditional ATM or POS devices, which are more directly specified and controlled by the provider.

We still do not know the tolerance threshold for errors and fraud for both users and providers in the mobile banking context. Because the mobile banking service is intangible, it is likely that customers will react negatively to (real or perceived) security risks of mobile banking more quickly than to the risk of loss or theft of physical cash. We suspect that customers will not be very tolerant of security lapses, and therefore the security track record must be impeccable.

Security can always be tightened, but that often results in higher demands on the user (more complicated password procedures) or a less favorable customer experience (reentry of PINs, SIM swap). We do not know the extent to which the benefits of mobile banking will be sufficiently appealing to cause customers to put up with increasingly frustrating security measures or, indeed, to develop a higher tolerance for errors or fraud. The industry will need to find ways to offer sufficient security to manage risk.

Of fraud or violation of privacy, without making what is already a precarious customer experience (because of very limited user interface capabilities of mobile phones) a hopelessly frustrating one.

Here is a report from the Business Standard on the move. Excerpt:

The wait for rolling out mobile banking seems to be over, with the Reserve Bank of India’s (RBI) issuing draft operative norms for such payment system. Now, RBI said, it will be easier and safer to use mobile phones for carrying out a gamut of banking transactions.

Banks can offer mobile-based services only to their own customers. Banks should have a system of registration before commencing mobile-based payment service to a customer, RBI said.

A new study from Bankable Frontiers digs deep into the issues. Some issues are very familiar: the use of outsourced IT providers, customers protecting their PIN numbers. Several are newish, but really permutations of issues with any electronic banking channel: the reliability and end-to-end security of communication networks carrying sensitive data.

These factors do not make most mobile banking channels more or less risky than other forms of e-banking. In fact, the range of m-banking technologies already available includes some with the highest degree of security possible. But automatically requiring the most technically secure platform carries substantial tradeoffs, not least of all that high-end technologies are substantially less likely to be suitable for low-income clients.

Low-literacy clients may be very comfortable with some of the more ubiquitous but somewhat less secure mobile technologies available – e.g. USSD which simulates much of the SMS experience. They may not try internet browsing, and indeed the cheaper handsets they tend to own are unlikely to support it.

Providers targeting the unbanked may also prefer basic technologies. Smaller banks and entrepreneurs which see the unbanked niche as attractive are – due to their size – likely to lack bargaining power with mobile operators. They face a tough time negotiating the right to put a mobile banking application directly onto the sim card in mobile phones (which enables a higher standard of end-to-end encryption). And even large banks may prefer technologies that work on any handset and any operator network. They want to ensure all bank clients can access the service, and it eliminates the need to negotiate any revenue sharing with operators: the bank keeps the whole pie. This explains why USSD – with a decidedly un-pretty user interface, and lower security – is still attractive to some banks.

It is possible to offset the lower security qualities of less secure mobile technologies by introducing operational controls. Balance and transaction limits can put a cap on risk, for clients and providers. The Bankable Frontiers report ends with advice for regulators: be careful not to entrench technology-specific standards in regulations which stifle m-banking development. Instead, they should create a flexible, proportionate framework which requires an active supervision of mobile financial services.

But only for banks… This shouldn’t be a surprise. SBP’s policy paper on branchless banking (last year) was clear on this point: a nonbank model “may be allowed at a later stage after we have sufficient experience in mitigating agent related risks using bank led model and need to think about mitigating only e-money related risks.” So for now, mobile phone companies are still waiting for the door to be opened to them as well, test the waters without clear permission and detailed guidance, or find a JV with a bank. For those with deep pockets, buying a bank outright might be an option, too.

Kenya’s banking law and regulations look all too familiar: if an institution accepts deposits and uses this money for lending or investment, it needs to have a bank licence. And banks can only transact through their head office or branches. Full stop. But the Central Bank of Kenya has realized that operating through full-fledged branches, which are subject to detailed regulatory requirements, is a very expensive proposition. If the huge gap of banking services in remote and rural areas is ever to be closed, alternative delivery models will be required. Branchless banking models such as mobile phone banking (pioneered in Kenya by M-Pesa, which is run by a mobile network operator and not a bank) and the use of retail agents will be low-cost alternatives allowing for increased rural penetration. The Central Bank Governor, Prof Njuguna Ndung’u, has now pledged to institute necessary regulatory changes allowing banks to offer financial services outside bank branches.

Early registration closes April 1. CGAP encourages you to register with a discount code: CGAPMMSVIP to receive a $100 discount. For questions, contact Jim Rosenberg, CGAP Communications Officer.

Mobile Money Summit 2008 is two-day conference designed for senior executives from financial services institutions, mobile network operators, development organizations, solutions vendors and regulatory and policy makers. The inaugural event will provide for the first time a comprehensive demonstration of the addressable markets, showcase new solutions, and share key success factors and learnings from around the world. The goal of the Summit is to stimulate greater understanding and collaboration between all stakeholders — globally, regionally and locally. Most importantly, Mobile Money Summit 2008 will better equip participants to develop and deploy their own Mobile Money portfolio effectively, efficiently and at scale.

At this highly interactive event, you will learn:

• How Mobile Money can drive top-line growth and customer value in both financial services and telecommunications
• How Mobile Money solutions can drive economic growth and financial inclusion for individuals, communities and countries
• Best practices in the market today, and key innovations coming to market
• Strategic, operational, regulatory and market challenges to effective deployment and scale
• Key propositions for various customer segments in different markets.
• Rationales for partnership between financial services institutions and telecom companies to deliver converged mass market Mobile Money.
• Where and how to kick-start activity most effectively.

If they want to convince central bankers that hold the keys to the payments space, mobile operators will make persuasive arguments about how mobile financial services meet traditional thinking about deposits, the new domain of payment system regulation, and the hot button issue of anti-money laundering, especially when sending money across borders.

No operator better illustrates this than Vodafone and its M-PESA money transfer service.

M-PESA’s commercial launch in Kenya required months of discussions with the Central Bank of Kenya about why M-PESA is more a payment service than a bank deposit. Once launched, the market responded with an excitement banks must marvel at: 1.8 million registered users in the first year (in a country with only 4 million bank accounts total). Central banks in other countries may be attracted by efficiency gains in the national payments system, but they won’t always be ready to allow mobile wallets if they are treated like deposits.

One solution may be payment system legislation that creates a licensing window for payment service providers that take funds from the public, but solely for the purpose of facilitating a payment or transfer. The EU’s Payment Service Directive will do just that, but much still has to be worked out by individual national governments before the November 2009 deadline. That means EU experience could become an important signpost to emerging market countries down the road. But it’s likely to be several years before a European track record emerges on carving out dedicated rules for firms in the payments business.

In the meantime, mobile operators may be better off pointing to countries that have crafted more ad hoc but, so far, very workable arrangements to oversee mobile financial services. In the Philippines, the central bank constructed accommodations allowing one mobile operator to offer a mobile wallet directly (Globe), and another model in which banks outsource the vast majority of functions to the operator (Smart). Both required some flexibility on the part of the regulator, as banking laws could easily have stood in the way. Together, Globe and Smart have over 7 million registered users for mobile financial services.

But the hurdles don’t stop here, as Vodafone seems to be finding out in switching on its UK-Kenya remittance service via M-PESA, according to this report. Moving money across borders immediately attracts concern about money laundering and terrorist financing. Vodafone is partnered with Citi, but it seems regulators still have questions about KYC. At the Kenya end, M-PESA customers open accounts via agents, who are neither employees of Citi or Safaricom, Vodafone’s Kenyan affiliate.

And that may be the one quick lesson for mobile operators: partnering with a bank may not automatically solve all your regulatory problems.