Central Bank presents draft of mobile payments guidelines for public
Sri Lanka's Central Bank recently uploaded draft guidelines for mobile payments, accessible through a tab on its www.cbsl.gov.lk homepage. The draft, which is open for comments from the general public and interested parties up to October 18, encompasses two alternatives for mobile payments.
The first is a customer account based facility tied into a customer's account at a licensed commercial or specialised bank or finance company. It is described as being "based on the customer accounts maintained by such financial institutions from which the service can only be offered to account holders. Under this system, account holders are able to operate their own accounts via mobile phones to debit/credit their own accounts or credit accounts of third parties within the same financial institution or across the banking system depending on the regulations/guidelines applicable for such institutions".
Basic services include information on balance inquiry, credit/debit status and other information on banking services, which do not relate to fund transfers, with a standard level of service also available which includes payment services in the nature of fund transactions such as payments, transfers and stop payments etc.
Also noted is that financial institutions providing basic level services of mobile payments are exempted from obtaining a licence under regulations provided that such financial institutions adhere to the relevant provisions in the Banking Act No.30 of 1988 or the Finance Companies Act No.78 of 1988, as the case may be, and any other legal provisions in operation in this regard.
Meanwhile, the second is a custodian account based system operated by "non-bank service providers licensed under the Regulations to operate as mobile payment service providers. Under the custodian account based system, service providers may open e-money account for each customer and issue e-money by accepting physical money from the customer. Such non-bank service providers shall operate a custodian account/s with [a licenced commercial bank] and are required to deposit all the funds collected from customers in such account/s and shall maintain the cumulative sum collected from all mobile account holders in the custodian account/s at all times".
The draft guidelines also offer up potential regulations for a number of issues pertaining to mobile payments, including technology, authentication and repudiation, encryption, marketing of this service, remittances, interest income, regular audits, minimising financial losses from lost or stolen phones as well as other pertinent areas.
Comments about the regulator's draft guidelines for mobile payments can be directed to the body's Director - Payments & Settlement at email@example.com before October 18, 2010.
The Central Bank of Sri Lanka (CBSL) last week issued draft guidelines for mobile payments and anticipates public response. Sri Lanka is not the first South Asian country to regulate m-payments, but better to be late than never. As someone rightly noted, in the face of new technologies, if you do not become part of the steamroller fast you will end up being part of the road.
Everywhere in emerging Asia the mobile handset is rapidly becoming the poor man’s credit card. By 2009, the number of credit cards in local circulation was only 840,000. Mobile SIMs exceeded that by 16 times. Both these numbers do not represent actual usage, due to single-user-multiple-accounts phenomenon, but that does not rebuff the mobile phone use by a larger section of the public at all levels. Tele-use at the Bottom of the Pyramid survey by LIRNEasia, a regional think-tank on telecom policy and regulation, reveals significant mobile usage even among the low income users. 43% urban and 36% rural low income households in Sri Lanka were equipped with a mobile handset in 2008. These statistics demonstrate the vast potential, if not the demand.
Traditionally, central banks supervised the banking and financial sector, not telcos. By issuing m-payments guidelines CBSL appears to enter a novel area but actually it does not. Everywhere, m-payments guidelines have been issued with careful means to avoid the trespass. In the Philippines, the central bank, Bangko Sentral ng Pilipinas (BSP), regulates G-Exchange, a money transfer agency and a subsidiary of Globe Telecom, the second largest telecom operator, in monitoring G-Cash, one of the two prominent m-payments systems. It does not regulate Globe Telecom. Central banks usually try to bring the regulation to their comfort zone.
CBSL too treads the same path. The guidelines propose two models. The first one is exclusively for financial institutions, while the other has a financial institution in its backend. The ultimate responsibility is placed on the financial agency by specifying, ‘Licensed Commercial Banks (LCBs) maintaining Custodian Account Based System shall ensure that the funds lying in the custodian account shall be blocked in the case of bankruptcy/close of the business of the mobile service provider’. (Page 6, Draft Guidelines)
The primary reaction of any layman is relief. Isn’t prevention better than cure in the land of Sakwithi Ranasinghes’?
The problem is not all mobile transaction systems either have or should have a financial institute involved. A cash transaction to a tuk-tuk driver is not tracked by a bank, let alone the central bank. Should it bother the financial regulator when a mobile handset is used instead of currency notes?
m-movie tickets
It was pure coincidence that I received the following SMS after I started writing this piece. Produced verbatim (sans trade names), it is part of one of the popular local m-payment examples.
Buy ‘New Movie’ movie tickets on your mobile! Now showing @ NearBy cinema. Just dial 444. Charges apply.
Dialing 444 will connect you to an automated system. After selecting the language, you are ready to purchase a movie ticket. You will be guided by voice instructions. All you have to do is to press a few keys in response. You pay for the movie ticket(s), plus LKR 15 plus taxes as call charges and LKR 50 for the service. If you are on a post-paid package the aggregate is added to your monthly bill. In pre-paid mode, I guess, the user should have sufficient credit in her account. So the SIM behaves as a credit card in the first instance and a debit card in the second. Only one key difference: No interest is involved.
No financial agency is directly present anywhere in this process. It is silly to expect the transaction to pass through a bank every time you purchase a movie ticket. Surprisingly, that is exactly what CBSL advises in the guidelines. This mobile movie-ticket model is not permissible under the new guidelines, which are unambiguous about how the model No. 2 should operate.
Under the custodian account based system, defined in the guidelines, service providers may open e-money account for each customer and issue e-money by accepting physical money from the customer. Such non-bank service providers shall operate a custodian account/s with LCB/s and are required to deposit all the funds collected from customers in such account/s and shall maintain the cumulative sum collected from all mobile account holders in the custodian account/s at all times. (Page 3, Draft Guidelines)
If these instructions were to be followed to the letter, whenever a user purchases a reload card (say for LKR 400) that money should end in ‘the custodian account’. This is not practical as the usage patterns are indeterminate at the moment of purchase. A user may spend the full amount on calls and other services by the operator, or spend LKR 300 on a movie ticket and the rest on calls. Call it air-time or m-cash (both are not fully correct, but let us not worry about definitions here), this LKR 400 is fungible.
A way out of this hurdle, at least theoretically, is to issue two kinds of cards, for call services and m-payments. This will take away the simplicity. Introducing new m-payment cards (or alternatively reloads) is difficult. It involves extra retailer awareness creation and maybe higher retailer charges, due to low initial demand. (Now, the retailers do not even have to know about m-payments.) Such complicated ‘solutions’ do not typically live long in the mobile market.
App Store model
The possibilities of innovative m-payment models do not end there. The new ‘Application-Store’ (App Store) model makes it possible for third parties (neither banks nor telecom operators) to run m-payment solutions. As Dion Hinchcliffe explains in ZDNet, the key idea behind ‘App Store’ model is to let third party developers build applications for a software platform and then get the results to customers. This is certainly not new and goes back as long as there have been software platforms, since the beginning of computing. The big difference now is the focus in terms of encouraging third party developers, controlling access to the platform, and revenue sharing.
Now, where do these innovations fit in CBSL guidelines? Why prevent a movie theater selling tickets for its patrons using mobile platform? Why refute the benefit of a cheaper movie-ticket to a moviegoer? (In the App Store model she may be exempted from the LKR 15+VAT and LKR 50 applicable as earlier.)
Even within the two proposed models, CBSL guidelines are not always supportive to prevailing m-payment practices.
Now almost all commercial banks offer either Internet banking or m-banking services. A convenience offered by mine (which should remain nameless) allows me to transfer money to any mobile user from my handset. The receiver, seeing the SMS with a 12 digit number, has to walk to any ATM of the same bank, and input the number. No personal identification is required. The button ‘Mobile Cash’ appears in the home page. Simple and cost-effective. The system can be made more secure by restricting repayment only to counters (which requires a proof of identity) but that will kill the cost-effectiveness. Then it would be more logical for the bank to suspend the facility. Even if the customers comply, staff time is costly.
The guidelines are ambiguous on the need of personal identification at the receiver end, but there is enough room for a control freak to use the language to imply it. A mobile handset can be lost or stolen. This exposes the magic 12 digit number to Mr. Criminal, who just has to walk to the nearest ATM to collect his prize money. Isn’t that scary?
Not necessarily. Loss of a phone is not an everyday event. Losing with the magic SMS is highly unlikely. Even if both happen, nobody customarily transfers large amounts through a mobile. Careless people always lose money, whether they use mobiles or not. The difference is the significance attached to the rare possibility of losing the money in an electronic transfer. It gives the false impression that any criminal can use it to their benefit. That is not correct. This system is safer than any of the less sophisticated traditional means.
Ours is an anxious society that expects the protection of every electronic money transfer by the financial regulator. This is not possible and should not be attempted. Central banks cannot and should not play the role of police and courts. Attempting to do so, as illustrated above, is to curtail the developments in the payment systems. M-payment, like any other payment method, is not 10% risk-free and it will never be. There is no point trying to make it that way too. It is always a compromise between security and efficiency. Any attempt to overly improve one is to compromise on the other.
Mobile culture inherently loves more freedom and less regulation. Any regulations should fit somewhere within that framework. It might even mean shifting our age old paradigms. If not, the result will only be a highly secure system that nobody uses. I do not think it is what we look for.
(Chanuka Wattegama is an independent researcher in telecom policy issues. Recently as the Senior Research Manager at LIRNEasia, he managed the Mobile 2.0 research component that explored the use of non voice mobile applications, including mobile payments, in emerging Asia. He has also worked at CBSL and the Information and Communication Technology Agency. His email is firstname.lastname@example.org).