The dark side of mobile banking in Kenya: How much do banks really know about their customers?

NAIROBI, KENYA: All it takes is a couple of clicks on a mobile phone keypad or screen and a handset is instantly upgraded into a banking platform, and its owner can make all sorts of transactions.

Opening a bank account no longer requires one to visit a teller at a bricks-and-mortar branch to fill in forms in triplicate, and submit a passport-sized photo, Kenya Revenue Authority PIN certificate and copies of your ID and salary slips.

With just your mobile phone, you can pay for goods, buy airtime, transfer or deposit cash from your phone to your account, and make withdrawals, all in seconds. The long journey to a bank to stand in line for hours is now nearly a thing of the past.

The uptake of mobile phones in Kenya has been unprecedented, with more than 31 million Kenyans subscribed to a mobile network by December last year. And in just the first three months of this year, the local mobile handset market has grown by 21.5 per cent, according to a recent report by the International Data Corporation.

MONEY TRAIL

As more and more people rely on mobile phones, banking services have naturally followed the money and come up with financial services that take advantage of the device’s ubiquity.

To further heighten the stakes in the industry, Equity Bank has gone beyond just partnering with mobile phone providers to acquiring its own licence.

As the line between financial institutions and telecommunications firms gets blurred, there has been more scrutiny of both the Central Bank of Kenya and Communications Authority of Kenya, on whose shoulders the overall oversight of the banking and telecoms industries, respectively, lies.

While details of what Equity plans to do with its telecoms licence are still scanty, senior officials at the bank have disclosed that their intention is to fully integrate telecoms and financial services.

“The future of financial services the world over is in the mobile phone. This is why we are keen to have this merger between telecoms and financial services using the licence,” said Mr John Staley, Equity Bank’s chief officer in charge of finance, innovation and technology, during a recent investor briefing.

“Handling of cash remains expensive, and this is why we are encouraging customers to use agent networks or their mobile phones. We are thinking of increasing over-the-counter charges to decongest our banking halls,” added Dr James Mwangi, Equity’s Chief Executive Officer.

There is no denying that the mobile phone has worked to the advantage of both corporates and individuals. The more obvious benefits have been the savings enjoyed on costs and time, and customers being able to better monitor cash movements in and out of their accounts.

But this is perhaps where the happy narrative on mobile banking — whose overriding promise to customers is services anywhere, anytime — ends, and concerns over security, and operational and regulatory weaknesses begin.

Despite Kenyans’ impressive awareness of mobile banking platforms and high usage numbers at most banks, engagement beyond routine transactions is hampered by usability and security issues.

And in the rush to secure deposits and customer numbers, some financial institutions have overlooked international regulations, such as know your customer (KYC) processes, that are intended to ensure a bank does not inadvertently facilitate activities such as money laundering or terrorism.

BACKGROUND CHECKS

Already, according to a source in the banking industry who spoke on condition of anonymity, some international banks have said they will not work with local banks that fail to perform due checks to ensure customers are using their real names and are not involved in terrorism or other illegal activities.

“Some international correspondent banks feel that their local partners are overlooking important KYB regulations, and they have issued notices that they will not carry out any international transactions on behalf of such banks,” the source told Business Beat.

Under the guise of getting more Kenyans to hold accounts as quickly and easily as possible, background and verification checks are becoming rare, increasing institutions’ exposure to holding high-risk accounts.

“Most of the processes in mobile banking are user initiated, and little or no verification is done by the banks. The appetite for profit has largely superseded the need for tighter cash management controls. It is easy to use a fake ID dropped on the street to register an account,” said Mr Dennis Omondi Otieno, a business analyst.

He added that, despite its upsides, opening an account without visiting a bank may be opening the doors and windows to fraud.

“Once the bank gets it wrong at the registration level, they can never get it right at the transaction level.”

With lost IDs being displayed in several public places, it is easy for both money launderers and fraudsters to seize the opportunity to open bank accounts that cannot be traced back to them.

“Registration for some mobile banking platforms does not require one’s physical presence, signing of documents or capturing of facial images,” said Mr Otieno.

VULNERABLE SYSTEMS

While many financial services companies have been relatively quick to jump on the mobile bandwagon, the industry still has a long way to go to capture the full potential of this rapidly evolving technology.

“We found in a recent study that an estimated 75 per cent of critical financial applications and portals are vulnerable to cyber attacks, while 85 per cent of Kenyan web applications are insecure and vulnerable to attacks,” said Mr Chris Senanu, chairman of industry lobby group Telecommunications Service Providers of Kenya (TESPOK).

“In February 2014, we conducted an independent review of critical web applications and online portals for insurance, banking and Government. The study revealed that Kenyan online portals have limited security mechanisms to protect customers’ login credentials to the platform.”

In Kenya, each bank has its own controls and safeguards to ensure no unauthorised access to the mobile banking platform happens.

“A number of layers have been put in place by each bank, which, if compromised, will not lead to loss of cash from the customer’s account.

“For instance, when one is moving cash from one account to others, there are several controls to ensure this transaction is authentic, including sending an alert to the customer to confirm. The bank can also use other channels like an email to ensure it is the account holder performing the transaction,” said Mr Habil Olaka, the Kenya Bankers Association (KBA) chief executive.

Mr Olaka added that most core banking systems are very secure, as would be expected generally. The interception of data is quite minimal in modern mobile banking platforms and the risk of data being compromised is quite low, he said.

“There are enough safeguards to stop unauthorised access, including lead times to allow the system to interrogate all transactions before they are executed.”

While KBA gives assurances about the safety of the mobile banking platform, especially when all registration is done by the book, there are still no uniform standards on how banks should operate on this platform. This means there could be banks that have weaker systems.

“The real concern is not in interception of data, but at the point of registration. It is worth noting, also, that the compromise of sensitive data can be made possible by rogue staff who work in cahoots with fraudsters. The one PIN/password format is not very secure either. Banks should move to token systems,” said Otieno.

DATA VERIFICATION

Mobile banking is a fairly new concept in Africa, and even if there were a global standard, it would most likely be difficult to implement locally. While there are CBK rules that are meant to ensure safe and accountable movement of money, these guidelines are generally weak. Curiously, regular banking supervision bulletins published by CBK rarely pay attention to mobile banking, amounts moved through this platform or even the prudential guidelines for the segment, despite its rapid growth.

“Banks operating a mobile banking platform must ensure daily reconciliations are up to the mark and any mismatch is always a red flag. Secondly, the one-password system should be replaced with token systems. Tokens are small portable electronic gadgets with capabilities of generating passwords that can be used to access the system only once,” said Otieno.

The token keeps generating different passwords every time one needs to log in. As such, users do not need to write their passwords somewhere or worry about someone looking over their shoulder and memorising them as they input them in their phones.

Thirdly, Otieno said, the registration by a customer should never be an end in itself. The data and information must be verified by a competent bank officer to complete KYC requirements before the customer is activated into the system.

“Banks must ensure that even as they compete to boost their profits and increase their sales, they do not jeopardise national security. There are banks that are doing pretty well in this and they do insist on fresh documentation, proof of residence and other records.

“In other words, controls, sales and customer service should and must be in balance,” said Otieno.

BANKING BEHAVIOUR

Even in developed markets like the US, a vast majority of mobile interactions have not progressed beyond the most routine banking behaviours.

According to a January 2014 online survey conducted by Andrews Research Associates on behalf of the Deloitte Centre for Financial Services, US subscribers said concerns over security, privacy and ease of use made them hesitant to use mobile services.

A little over one third of respondents were insecure about transacting financial services business on mobile devices because they do not trust the security of the wi-fi and mobile networks transmitting their data.

The field of m-Banking is evolving fast, perhaps too fast for regulators and security agencies to formulate rules to supervise and regulate the segment. It also rests at the overlap of several domains, including banking, telecommunications and security, a nightmare for regulators keen to monitor the sector.

FIRST-TIME CUSTOMERS

Since a large number of transformational m-Banking clients are first-time customers with low financial literacy, the risks of fraud become even higher. These, however, can be mitigated by entering into mobile banking activities with known and meticulously regulated players and agents.

Further, the field of biometrics provides hope for a more secure future, as financial services companies could leverage it to make customer interactions easier and more secure.

Some of the current devices in the market, such as the iPhone 5 and Samsung Galaxy S5, already have fingerprint scanners. In the next few years, more advanced biometric solutions in the form of palm, iris and facial-recognition features embedded in mobile devices are expected to emerge.
