July 1, 2013
The Chairman and Managing Director / Chief Executive Officers
All Scheduled Commercial Banks including RRBs /
Urban Co-operative Banks / State Co-operative Banks /
District Central Co-operative Banks
Madam /Dear Sir,
Master Circular – Mobile Banking Tansactions in India – Operative Guidelines for Banks
As you are aware, the Reserve Bank of India has, from time to time, issued a number of circulars containing guidelines on Mobile Banking. This Master Circular has been prepared to facilitate the banks and other stakeholders to have all the extant instructions on the subject at one place.
2. The Master Circular has been updated by incorporating all the instructions/guidelines issued on Mobile Banking up to June 30, 2013 and has been placed on the RBI web-site (http://www.rbi.org.in). A list of circulars finding reference in this master circular is enclosed as Appendix.
Chief General Manager
Master Circular – Mobile Banking
To provide a consolidated document containing all rules / regulations / procedures prescribed to be followed by banks for operationalising Mobile Banking in India.
Statutory Guidelines issued by Reserve Bank of India under section 18 of Payment & Settlement Systems Act, 2007, (ACT 51 of 2007).
3. Previous Guidelines consolidated
The Master Circular compiles the instructions contained in the circulars issued on Mobile Banking as listed in Appendix.
The guidelines are applicable to all commercial banks (including Regional Rural Banks), Urban Cooperative Banks, State Cooperative Banks and District Central Cooperative Banks.
5.1 Mobile phones, as a medium for extending banking services, have of-late attained greater significance because of their ubiquitous nature. The rapid growth of mobile users in India, through wider coverage of mobile phone networks, have made this medium an important platform for extending banking services to every segment of banking clientele in general and the unbanked segment in particular.
5.2 In order to ensure a level playing field and considering that the technology is relatively new, Reserve Bank brought out a set of operating guidelines for adoption by banks. The guidelines, finalised following a wide consultative process with the stakeholders, were first issued in October 2008 and since then have been updated keeping in view the developments taking place.
5.3 For the purpose of the instructions contained in this Master Circular, ‘Mobile Banking transaction’ means undertaking banking transactions using mobile phones by bank customers that involve accessing / credit / debit to their accounts.
5.4 Banks are permitted to offer mobile banking services after obtaining necessary permission from the Department of Payment & Settlement Systems, Reserve Bank of India. Mobile Banking services are available to bank customers irrespective of the mobile network. Customers need to first register for Mobile Banking with their bankers and download the Mobile Banking application on their mobile handsets.
6. Regulatory & Supervisory Issues
6.1 Banks which are licensed, supervised and having physical presence in India, are permitted to offer mobile banking services. Only banks who have implemented core banking solutions are permitted to provide mobile banking services.
6.2 The services shall be restricted only to customers of banks and/or holders of debit/credit cards issued as per the extant Reserve Bank of India guidelines.
6.3 Only Indian Rupee based domestic services shall be provided. Use of mobile banking services for cross border inward and outward transfers is strictly prohibited.
6.4 Banks may also use the services of Business Correspondent appointed in compliance with RBI guidelines, for extending this facility to their customers.
6.5 The guidelines issued by the Reserve Bank on ‘Risks and Controls in Computers and Telecommunications’ vide circular DBS.CO.ITC.BC. 10/ 31.09.001/ 97-98 dated 4th February 1998 will apply mutatis mutandis to Mobile Banking.
6.6 The guidelines issued by Reserve Bank on “Know Your Customer (KYC)”, “Anti Money Laundering (AML)” and “Combating the Financing of Terrorism (CFT)” from time to time would be applicable to mobile based banking services also.
6.7 Banks shall file Suspicious Transaction Report (STR) to Financial Intelligence Unit – India (FIU-IND) for mobile banking transactions as in the case of normal banking transactions.
7. Registration of customers for mobile service
7.1 Banks shall put in place a system of document based registration with mandatory physical presence of their customers, before commencing mobile banking service. Reserve Bank would consider relaxation in specific cases while approving the proposals of banks.
7.2 On registration of the customer, the full details of the Terms and Conditions of the service offered by the bank shall be communicated to the customer.
8. Technology and Security Standards
8.1 Information Security is most critical to the business of mobile banking services and its underlying operations. Therefore, technology used for mobile banking must be secure and should ensure confidentiality, integrity, authenticity and non-repudiability.
8.2 Transactions up to Rs 5000/- can be facilitated by banks without end-to-end encryption. The risk aspects involved in such transactions may be addressed by the banks through adequate security measures. (Circular DPSS.CO.No.2502/02.23.02/ 2010-11 dated May 4, 2011)
8.3 An illustrative framework is given at Annex- I.
9.1 Banks offering mobile banking service must ensure that customers having mobile phones of any network operator are in a position to avail the service, i.e. should be network independent. Restriction, if any, for the customers of particular mobile operator(s) are permissible only during the initial stages of offering the service, up to a maximum period of six months subject to review.
9.2 The long term goal of mobile banking framework in India would be to enable funds transfer from account in one bank to any other account in the same or any other bank on a real time basis irrespective of the mobile network a customer has subscribed to. This would require interoperability between mobile banking service providers and banks and development of a host of message formats. To ensure inter-operability between banks, and between their mobile banking service providers, banks shall adopt the message formats like ISO 8583, with suitable modification to address specific needs.
10. Clearing and Settlement for inter-bank funds transfer transactions
10.1 To meet the objective of nation-wide mobile banking framework facilitating inter-bank settlement, a robust clearing and settlement infrastructure operating on a 24x7 basis is necessary. Bank and non-bank entities putting such systems in place, bilateral or multilateral, need authorisation from Reserve Bank of India, under the Payment and Settlement System Act, 2007.
11. Customer Complaints and Grievance Redressal Mechanism
11.1 The customer / consumer protection issues assume a special significance in view of the fact that the delivery of banking services through mobile phones is relatively new. Some of the key issues in this regard are given at Annex-II.
12. Transaction limit
12.1 Banks are permitted to offer mobile banking facility to their customers without any daily cap for transactions involving purchase of goods/services. (Circular DPSS.CO.PD.No. 1098/02.23.001/2011-12 dated December 22, 2011).
12.2 However, banks may put in place per transaction limit depending on the bank’s own risk perception, with the approval of its Board.
13. Remittance of funds for disbursement in cash
13.1 In order to facilitate the use of mobile phones for remittance of cash, banks are permitted to provide fund transfer services which facilitate transfer of funds from the accounts of their customers for delivery in cash to the recipients. The disbursal of funds to recipients of such services can be facilitated at ATMs or through any agent(s) appointed by the bank as business correspondents. The recipient can be a non-account holder also. (Circular DPSS.CO.No.1357/02.23.02/ 2009-10 dated December 24, 2009)
13.2 Such fund transfer service shall be provided by banks subject to the following conditions:-
In case of cash out, the maximum value of such transfers shall be Rs 10,000/- per transaction. Banks may place suitable cap on the velocity of such transactions, subject to a maximum value of Rs 25,000/- per month, per beneficiary (Circular DPSS.CO. PD. No. 622/02.27.019/2011-12 dated October 5, 2011).
The disbursal of funds at the agent/ATM shall be permitted only after identification of the recipient. In this connection, attention of banks is drawn to the provisions of the Notification dated November 12, 2009, issued by Government of India, under Prevention of Money Laundering Act, 2002, as amended from time to time.
Banks may carry out proper due diligence of the persons before appointing them as authorized agents for such services.
Banks shall be responsible as principals for all the acts of omission or commission of their agents.
14. Board approval
14.1 Approval of the Board of Directors (Local Board in case of foreign banks) for the product, as also the perceived risks and mitigation measures proposed to be adopted must be obtained before launching the scheme.
15. Approval of Reserve Bank of India
15.1 Banks wishing to provide mobile banking services shall seek prior one time approval from Reserve Bank of India by furnishing full details of the proposal.
Technology and Security Standards
1. The security controls/guidelines mentioned in this document are only indicative. However, it must be recognised, the technology deployed is fundamental to safety and soundness of any payment system. Therefore; banks are required to follow the Security Standards appropriate to the complexity of services offered, subject to following the minimum standards set out in this document. The guidelines should be applied in a way that is appropriate to the risk associated with services provided by the bank and the system which supports these services.
2. Banks are required to put in place appropriate risk mitigation measures like transaction limit (per transaction, daily, weekly, monthly), transaction velocity limit, fraud checks, AML checks etc. depending on the bank’s own risk perception, unless otherwise mandated by the Reserve Bank.
Banks providing mobile banking services shall comply with the following security principles and practices for the authentication of mobile banking transactions:
a) All mobile banking transactions shall be permitted only by validation through a two factor authentication.
b) One of the factors of authentication shall be mPIN or any higher standard.
c) Where mPIN is used, end to end encryption of the mPIN is desirable, i.e. mPIN shall not be in clear text anywhere in the network.
d) The mPIN shall be stored in a secure environment.
4. Proper level of encryption and security shall be implemented at all stages of the transaction processing. The endeavor shall be to ensure end-to-end encryption of the mobile banking transaction. Adequate safe guards would also be put in place to guard against the use of mobile banking in money laundering, frauds etc. The following guidelines with respect to network and system security shall be adhered to:
a) Implement application level encryption over network and transport layer encryption wherever possible.
b) Establish proper firewalls, intruder detection systems (IDS), data file and system integrity checking, surveillance and incident response procedures and containment procedures.
c) Conduct periodic risk management analysis, security vulnerability assessment of the
application and network etc at least once in a year.
d) Maintain proper and full documentation of security practices, guidelines, methods and
procedures used in mobile banking and payment systems and keep them up to date based on the periodic risk management, analysis and vulnerability assessment carried out.
e) Implement appropriate physical security measures to protect the system gateways, network equipments, servers, host computers, and other hardware/software used from unauthorized access and tampering. The Data Centre of the Bank and Service Providers should have proper wired and wireless data network protection mechanisms.
5. The dependence of banks on mobile banking service providers may place knowledge of bank systems and customers in a public domain. Mobile banking system may also make the banks dependent on small firms (i.e mobile banking service providers) with high employee turnover. It is therefore imperative that sensitive customer data, and security and integrity of transactions are protected. It is necessary that the mobile banking servers at the bank’s end or at the mobile banking service provider’s end, if any, should be certified by an accredited external agency. In addition, banks should conduct regular information security audits on the mobile banking systems to ensure complete security.
6. For mobile banking facilities which do not contain the phone number as identity, a separate login ID and password is desirable to ensure proper authentication.
Customer Protection Issues
1. Any security procedure adopted by banks for authenticating users needs to be recognized by law as a substitute for signature. In India, the Information Technology Act, 2000, provides for a particular technology as a means of authenticating electronic record. Any other method used by banks for authentication is a source of legal risk. Customers must be made aware of the said legal risk prior to signup.
2. Banks are required to maintain secrecy and confidentiality of customers' accounts. In the mobile banking scenario, the risk of banks not meeting the above obligation is high. Banks may be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service etc., on account of hacking/ other technological failures. The banks should, therefore, institute adequate risk control measures to manage such risks.
3. As in an Internet banking scenario, in the mobile banking scenario too, there is very limited or no stop payment privileges for mobile banking transactions since it becomes impossible for the banks to stop payment in spite of receipt of stop payment instruction as the transactions are completely instantaneous and are incapable of being reversed. Hence, banks offering mobile banking should notify the customers the timeframe and the circumstances in which any stop-payment instructions could be accepted.
4. The Consumer Protection Act, 1986 defines the rights of consumers in India and is applicable to banking services as well. Currently, the rights and liabilities of customers availing of mobile banking services are being determined by bilateral agreements between the banks and customers. Taking into account the risks arising out of unauthorized transfer through hacking, denial of service on account of technological failure etc. banks providing mobile banking would need to assess the liabilities arising out of such events and take appropriate counter measures like insuring themselves against such risks, as in the case with internet banking.
5. Bilateral contracts drawn up between the payee and payee’s bank, the participating banks and service provider should clearly define the rights and obligations of each party.
6. Banks are required to make mandatory disclosures of risks, responsibilities and liabilities of the customers on their websites and/or through printed material.
7. The existing mechanism for handling customer complaints / grievances may be used for mobile banking transactions as well. However, in view of the fact that the technology is relatively new, banks should set up a help desk and disclose the details of the help desk and escalation procedure for lodging the complaints, on their websites. Such details should also be made available to the customer at the time of sign up.
8. In cases where the customer files a complaint with the bank disputing a transaction, it would be the responsibility of the service providing bank, to expeditiously redress the complaint. Banks may put in place procedures for addressing such customer grievances. The grievance handling procedure including the compensation policy should be disclosed.
9. Customers complaints / grievances arising out of mobile banking facility would be covered under the Banking Ombudsman Scheme.
10. The jurisdiction of legal settlement would be within India.
List of Circulars consolidated for the Master Circular