Securing Mobile Money to Deliver on the Promise
Nowadays, there is not a month without multiple announcements or rumors pertaining to new mobile payments or banking offerings. Excitement tends to run high when a major mobile platform player is said to be eyeing payments. Yet in many instances, the challenges associated with securing this new channel and complying with an array of laws and regulations are poorly understood. A well-received brand or mobile device, even with a cult-like following of users and developers, doesn’t a payment solution make. Risk management, compliance with global and local regulations and integration with existing financial infrastructure are also critical success factors for a mobile money solution. To explore these issues, I have asked veteran entrepreneur and mobile visionary Carol Realini to share her ideas on the opportunity and challenges associated with delivering mobile money.
- Patrick Gauthier, Technology Editor
Over the course of the last 10 years, first as I traveled Africa and Asia, then as part of Obopay, I have become convinced of the critical importance of mobile money to allow many to escape precarious personal economic conditions. According to the International Telecommunications Union, there are over 5 billion mobile phones in use around the world, providing unparalleled access to communications and mobile applications.
This is profoundly changing the lives of consumers, business infrastructure and the way organizations tackle challenges. Specifically, mobile ubiquity has brought extraordinary access to communication for everyone, including those who have never had it before.
Now, there are a growing number of mobile money applications that are expanding upon this, changing the way traditionally-banked customers choose to be served and opening up opportunities to reach an unprecedented number of new customers. With this new access comes great opportunity and challenges, including establishing regulations, implementing new technical and operational infrastructure and ensuring security and risk management for mobile financial offerings. In addition, new pricing and business models are critical to scale. What is needed is a new financial model that allows all participants in the value chain to scale their offerings.
Worldwide, the vast majority of people are unbanked or underserved. In the United States alone, over a quarter of households are underserved by traditional banking models. Additionally, it is not just consumers who are underserved. According to the Philadelphia Federal Reserve, 80 percent of sellers of goods and services accept payments only via cash and checks and do not accept electronic payments today. Some predict recent legislation, such as the Durbin Amendment to the Dodd-Frank Act, and economic conditions will mean that this number will increase in the coming years. At the same time, the number of mobile banking users around the world is expected to surge more than sixteen-fold to 894 million by 2015, according to Berg Insight, an industry research firm based in Stockholm. Clearly, this represents a fundamental shift in how people bank, send and receive money and pay for goods and services.
What Is Mobile Money?
What is mobile money (i.e., mobile financial services, mobile banking, mobile payments)? As a roundabout way of defining it, let’s first answer the following question: How does mobile money get started? For consumers, adoption of mobile money typically starts with one specific need – like mobile bill pay/recharge, family money transfer, getting paid for goods or service – then quickly moves to more complex uses as consumers gain experience and comfort. Specific use cases that stand out in driving adoption in the United States are all built around sending money, getting paid and transferring money – instantly, securely and easily with a simple command, text message or smartphone app based on user preference.
Now, let’s look at what form mobile money takes, or what is the structure of mobile money. Is mobile money a way to initiate a credit or debit transaction from an existing bank or credit card account? Is it a new account where money is loaded into the mobile account and then transactions happen from this new account? Is it a “wallet” where consumers have all their financial options available and then make choices depending on what they are buying? The real answer is that mobile money is all of the above. Consumers want a choice to move money directly from their own bank account, if they have one; set up a companion mobile account similar to how PayPal operates online; or use a debit or credit card. Providers need to provide and regulators need to allow for a spectrum of options if they want to sell mass market solutions. In all cases, since mobile users have an expectation of immediate results, solutions that allow instant movement and access are strongly favored in an increasingly mobile centric world.
Globally, mobile money has the power to change the economic picture, and it is due to more than just technology and a mobile communications infrastructure. The mobile phone companies have extensive distribution networks built out to sell handsets and prepaid minutes. In countries that lack good physical banking infrastructure, like Kenya and India, the mobile players are transforming their retail networks into banking access points that enable enrollment, cash loading and unloading (agent banking). This brings new access to large numbers of consumers and businesses, offering them their first banking products, while addressing the physical infrastructure limitations of the current bank branches and ATMs. It may start by providing them with simple mobile prepaid accounts for money transfer or mobile recharge, but that is just the tip of the iceberg. Once the enrollment is done and the users start transacting, they easily migrate to and demand a more complete banking relationship and value-added services. I see this in both Kenya and India, where both types of services – mobile prepaid and mobile bank accounts – are offered. My experience leads me to conclude that these same consumers will adopt other services when they are offered.
Risk and Security
Ensuring strong security and managing for increased risk is critically important to successfully extending financial service to the mobile phone, and this is a big part of what we must focus on. Risk and security issues provide new challenges from both a technology perspective and from the perspective of opening up access to banking and payment services to those that have not had them before. As a front-end channel to a financial transaction system, the mobile device is in many ways similar to a PC. There are risks associated with data security, financial fraud and money laundering that need to be managed. There are significant differences in the data and tools available in developed versus developing markets. Yet in order to manage risk and security at a basic level, mobile financial service providers have to know something about the identities of users, the origin and destination of funds and the authority to conduct transactions with those funds. Addressing these challenges in developing markets also creates an opportunity to migrate existing underserved users to a more secure transaction environment than those they currently use. For example, there is certainly opportunity to migrate government disbursements to underbanked recipients to a much more secure process. Similarly, there is an opportunity to develop greater transaction transparency by moving cash and check transactions to digital transactions initiated through a mobile device.
Managing risk in a mobile environment requires that providers collect and store data in a secure manner and make that data available only to those that must have access. The methods that providers use to accomplish these goals are outlined below:
Know Your Customer (KYC)
To conduct mobile payment transactions, the provider must be able to authenticate the identities of both the sender and receiver. This is required for the prevention of both money laundering and the financial risk to the provider. Normally, this involves the collection of personal identifying information (PII) from the customer. Typically, such information includes name, address, date of birth and identity credentials – like national IDs or driver’s licenses – collected from prospective users. In less developed regions, identity credentials can be an issue. Solutions are often tailored to meet regional realities. This PII is validated against third-party databases, such as credit bureaus or banks, and checked against the Office of Foreign Assets Control (OFAC) and other restricted entity lists. Lastly, users can be subjected to knowledge-based authentication, in which they are presented with questions to which only they should know the answers. These are typically questions about previous addresses or people they may know. Where ID failures occur, follow-up discussion with the prospective user and a request for hard copy identity documentation takes place.
In addition, transactions involving movement of funds from individuals to businesses present a financial and credit risk to the service provider. In these cases, it is incumbent upon the provider and the banks that stand behind the transactions to understand the nature of the business and the financial health of the business or retailer.
Funding Source Authentication
A mobile financial system must provide ways to get money into and out of the network. Providers must adhere to basic anti-money laundering requirements, including proper KYC procedures, understanding the source funds and being on the lookout for evidence of structuring or layering. Providers and their agents must also monitor and report on large cash transactions and patterns as required by the PATRIOT Act and other regulations.
Account funding can be as simple as taking and dispensing cash at physical locations, such as retail stores. It can also include enabling electronic funding and withdrawal from the network. This is usually accomplished by a debit to the user’s checking account, which is done in the United States via the Automated Clearing House (ACH) system or by charges to the user’s credit or debit card. When enabling electronic funds, the first challenge is to determine if the account is valid and if the user has authorization to transact on those accounts. Account ownership verification can be accomplished by having the user verify two small, random credits to the account. In the case of credit or debit cards, the provider will initiate an authorization against the card, usually requiring the full billing address and the card security code to authenticate ownership of the account. Increasingly, the transaction participants demand that such transactions occur on a real-time basis.
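The two-credit ownership check described above, sketched as an added example that is not part of the original article. The class and function names, the 1 to 99 cent range and the three-attempt lockout are assumptions made for illustration; the lockout matters because the space of possible amount pairs is small enough to guess without it.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3   # assumed policy: lock the challenge after three wrong answers


@dataclass
class MicroDepositChallenge:
    """Two small random credits the user must read back from a bank statement."""
    amounts_cents: tuple            # kept server-side, never sent to the device
    attempts_left: int = MAX_ATTEMPTS
    verified: bool = False


def issue_challenge(rng=secrets.SystemRandom()):
    # A CSPRNG keeps the amounts unpredictable from earlier challenges.
    return MicroDepositChallenge((rng.randint(1, 99), rng.randint(1, 99)))


def verify(challenge, claimed_cents):
    """Return 'verified', 'retry' or 'locked' for the amounts the user typed in."""
    if challenge.verified:
        return "verified"
    if challenge.attempts_left <= 0:
        return "locked"             # a later correct guess must not unlock it
    # Statement order of the two credits is not guaranteed, so compare sorted.
    expected = ",".join(map(str, sorted(challenge.amounts_cents)))
    claimed = ",".join(map(str, sorted(claimed_cents)))
    if len(claimed_cents) == 2 and hmac.compare_digest(
            expected.encode(), claimed.encode()):
        challenge.verified = True
        return "verified"
    challenge.attempts_left -= 1
    return "locked" if challenge.attempts_left == 0 else "retry"
```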
Once a user has authenticated their identity and their ownership of funding sources, access to the mobile financial account is controlled by a set of credentials (i.e. user name and password), as well as a series of system authentications of the user’s phone and PC.
In the case of a mobile phone, the account registration process can include an automated call to the phone requesting the user input a mobile PIN. This establishes that the phone is in the possession of the user at time of registration. From that point, that one phone is the only mobile device allowed to access the user’s account. Transactions on that device will require the input of the mobile PIN that was established at registration time.
In the case of PCs accessing an account, the provider uses methods to establish and ensure a trusted device is used for transactions. Providers will record the device ID of the PC. If subsequent attempts to access the account are made by a PC that the provider’s system has not previously recorded (i.e. an untrusted device), again, an automated call can be made to the user’s mobile phone requesting input of the mobile PIN. This prevents the takeover of an account by someone who may have gained access to the user’s credentials.
After the provider has authenticated a user’s identity, account access and devices, the user is ready to transact. Transactions can be governed by a set of hard limits and by a flexible set of parameters established by modeling the behavior of the user and the account over time. These limits are generally the number of transactions and the value of those transactions that a user may perform to put funds into or take funds out of the system in any given time period.
These parameters may also govern how much and how often a user can send or receive money.
Limits and parameters are used to reduce both financial and money laundering exposure. But they also establish benchmarks against which suspicious activity is monitored, allowing the provider to look for red flags for both money laundering and financial crime. While transaction monitoring is a common practice, it is important to acknowledge the unique attributes of mobile money and apply specific monitoring to transactions conducted through the mobile channel.
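A sketch of how hard limits and behaviour-based parameters can be evaluated together, added here as an example and not taken from the original article. The 24-hour window, the thresholds and all names are assumptions; a 'review' result is the kind of benchmark deviation that monitoring would pick up.

```python
from dataclasses import dataclass
from statistics import median

WINDOW_SECONDS = 24 * 3600        # assumption: limits apply per rolling 24 hours


@dataclass(frozen=True)
class Limits:
    max_count: int                # hard limit: transactions per window
    max_value_cents: int          # hard limit: total value per window
    soft_multiple: float = 5.0    # assumption: review amounts above 5x the median
    near_cap_ratio: float = 0.9   # assumption: review 3+ transfers nearing the cap


def evaluate(history, amount_cents, now, limits):
    """history: list of (unix_ts, amount_cents) for one user and one direction.

    Returns (decision, reason). 'deny' means a hard limit would be breached,
    'review' means the transfer fits the limits but deviates from the user's
    benchmarks, 'allow' means neither.
    """
    recent = [amt for ts, amt in history if 0 <= now - ts < WINDOW_SECONDS]
    count = len(recent) + 1
    total = sum(recent) + amount_cents
    if count > limits.max_count:
        return "deny", "count limit"
    if total > limits.max_value_cents:
        return "deny", "value limit"
    past = [amt for _, amt in history]
    if len(past) >= 3 and amount_cents > limits.soft_multiple * median(past):
        return "review", "amount far above typical"
    # Several transfers that together sit just under the cap can indicate
    # structuring, so they are surfaced even though no limit is breached.
    if count >= 3 and total > limits.near_cap_ratio * limits.max_value_cents:
        return "review", "repeated transfers approaching value limit"
    return "allow", "within limits"
```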
In addition to transaction monitoring, providers also look to see who accesses their system, how often they do it and who their customers might be associated with. For example, a fraud or money laundering ring may use a single PC to set up and transact on multiple accounts. A provider may notice suspicious access or transaction patterns on one of those accounts that can be used to identify other problem accounts.
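The shared-PC pattern above as detection logic over access records, added as an example that is not part of the original article. The record format, the function names and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Constructed sample access records: (account_id, device_id).
EVENTS = [
    ("acct-A", "pc-1"), ("acct-B", "pc-1"), ("acct-C", "pc-1"),
    ("acct-C", "pc-2"), ("acct-D", "pc-2"), ("acct-E", "pc-9"),
]


def build_index(events):
    """Index access records both ways: device -> accounts, account -> devices."""
    by_device, by_account = defaultdict(set), defaultdict(set)
    for account, device in events:
        by_device[device].add(account)
        by_account[account].add(device)
    return by_device, by_account


def shared_devices(by_device, min_accounts=3):
    """Devices used by at least min_accounts distinct accounts."""
    return {d: sorted(a) for d, a in by_device.items() if len(a) >= min_accounts}


def linked_accounts(seed, by_device, by_account, max_fanout=50):
    """Accounts reachable from a flagged seed account through shared devices.

    Devices seen with more than max_fanout accounts (for example a shared
    public machine) are skipped so they do not link unrelated customers.
    """
    seen, queue = {seed}, deque([seed])
    while queue:
        account = queue.popleft()
        for device in by_account[account]:
            peers = by_device[device]
            if len(peers) > max_fanout:
                continue
            for peer in peers - seen:
                seen.add(peer)
                queue.append(peer)
    return sorted(seen - {seed})
```

Linked accounts are candidates for analyst review, not confirmed fraud; households and small businesses legitimately share machines.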
Setting up and maintaining a financial transaction system requires the collection of and access to sensitive data. Providers should adhere to industry best practices regarding data collection, encryption, storage and access. At the very least, providers who store this type of data should be PCI DSS Level 1 certified. Further, in extending access to mobile channels, providers should be very attentive to data that is sent to or stored on the mobile device. Sensitive data should not be stored on the device. Similarly, data sent to the device via SMS or within a mobile application should not expose sensitive data.
The Need for Collaborative Models
The challenges listed above are complex but clearly surmountable. The only discouraging force for me is an undercurrent of fragmentation – too many players thinking they can do this as an independent provider instead of as part of a larger ecosystem. This will hamper growth and stunt value. It won’t be visible in the first wave, but the ceiling will exist because fragmentation lowers value and confuses the market. We saw this when computers were connected in groups but not in one global network; when bank ATMs only supported one bank and not all banks. Adoption happened, but plateaus were created that could only be addressed by an open, interoperable model. Closed, non-interoperable systems mean fewer participants, fewer uses and far less value.
Potential Impact of Mobile Money
I just returned from the Davos World Economic Forum, where one of the key themes was “Inclusive Growth.” What does that really mean, and why is it important? It means that when developing countries and emerging markets experience growth, low-income households in those countries should participate and benefit. For example, India has 200 million people who are participating in the strong growth that is underway. Their incomes are growing, their wealth is increasing and the environment they live in is improving. Yet the lives of the remaining 700 million people in India are basically unchanged. Inclusive growth means the 700 million will experience the benefits of growth versus being left out.
Most people reading this article will have trouble visualizing a life without banking. A low-income individual in India or Africa can live eight hours or more from a bank branch, so keeping money in a bank is both inconvenient and impractical. As a result, they pay for everything in cash and are always paid for work or services in cash. Just paying bills can involve travel and long queue times. If family members live or work in another place, sending or receiving money can be inconvenient and expensive. Thus, people who have the greatest need have the greatest costs.
With over 5 billion mobile phones in the world but only half of the adults using bank services, the potential game change is significant. It creates an unprecedented access to affordable financial services for people with a mobile phone who are currently underserved by traditional banking. Affordable financial services will empower their life and work. This will democratize banking and enable low-income individuals everywhere to participate in the economic growth in their countries. Mobile money will also empower people in developed markets with access to new services, like accepting electronic payments, and provide greater convenience for how they interact with banking and payment services.
This year at Davos, I was impressed with the new awareness of the potential power, business opportunity and social mandate to make banking available to all mobile users. The topic was a part of many sessions. Sessions that focused on mobile financial services were well attended, and the energy level was high. I’m sure that this interest level will translate into increased market momentum for solutions.
Those who know me know I am a very passionate, optimistic person. So, it’s no surprise that I am more optimistic today than ever. The awareness, investment and momentum of mobile money is building. The early part of most new implementations will still take longer than we want to scale, but growth after the tipping point will be much faster than expected. This makes the possibility of banking for all a real possibility for the world. Not so hard to believe, since we are so close to achieving universal communication with those 5 billion mobile phones.
ICT: “The world in 2010 – ICT Facts and Figures,” December 2010
FDIC: “National Survey of Unbanked and Underbanked Households,” December 2009
Berg Insight: “VAS Research Series – Mobile Banking and Payments,” April 2010
National Council for Applied Economic Research (NCAER), August 2010
McKinsey: “Half the world is unbanked,” August 2009