Belagavi District Central Co-Operative Bank LTD.
Telephone : 0831-2466896 Fax : +918312425803

INDEX

SL. No   Particulars

INTERNET BANKING
1.  Internet Banking Facility (View Only)
2.  Internet Banking With Transactional Facility
Annexure-1  Guidelines on Internet banking facility to Customers of Cooperative banks
Annexure-2  Internet Banking - Security Features

MOBILE BANKING
1.  Purpose
2.  Classification
3.  Previous Guidelines Consolidated
4.  Scope
5.  Introduction
6.  Regulatory & Supervisory Issues
7.  Registration of customers for mobile service
8.  Technology and Security Standards
9.  Inter-operability
10. Clearing and Settlement for inter-bank funds transfer transactions
11. Customer Complaints and Grievance Redressal Mechanism
12. Transaction Limit
13. Remittance of funds for disbursement in cash
14. Board Approval
15. Approval of Reserve Bank of India
16. Amendments to Mobile Banking & Internet Policy
Annexure-1  Suggestions/best practices for increasing the penetration (customer registration/on-boarding) of Mobile Banking
Annexure-2  Technology and Security Standards
Annexure-3  Customer Protection Issues
Annexure-4  List of Circulars consolidated for the Master Circular


INTERNET BANKING POLICY-2024-25

INTERNET BANKING FACILITY FOR CUSTOMERS OF CO-OPERATIVE BANKS(VIEW ONLY)

The RBI Department of Co-operative Bank Regulation, Central Office, Mumbai has permitted State Co-operative Banks/District Central Co-operative Banks to extend the facility of Internet Banking (view only) to their customers and issued uniform guidelines to all co-operative banks vide circular No. RBI/2015-16/229 DCBR.BPD.(PCB/RCB) Cir.No.6/19.51.026/2015-16 dated 05.11.2015. Accordingly, all licensed StCBs/DCCBs and UCBs which have implemented a Core Banking Solution (CBS), have migrated to Internet Protocol version 6 (IPv6) and comply with the guidelines prescribed in this policy may offer the Internet Banking (view only) facility to their customers without prior approval from RBI.
The revised guidelines applicable to all the co-operative Banks are as follows:

1. INTERNET BANKING (VIEW ONLY) FACILITY

1) All licensed StCBs, DCCBs and UCBs which have implemented Core Banking Solution (CBS), have migrated to Internet Protocol Version 6 (IPv6) and comply with the guidelines prescribed in Annexure-I to this policy may offer the Internet Banking (View only) facility to their customers without prior approval of RBI. In case any service offered under the 'view only' facility requires two-factor authentication or a One Time Password (OTP), banks may adopt the security features prescribed in Annexure-2 to this policy, as appropriate to such services.

2) The cooperative banks offering Internet Banking (View only) facility to their customers should ensure that the facility is strictly for non-transactional services such as balance enquiry, balance viewing, account statement download, request for supply of cheque books, etc. and no online fund-based transactions are allowed.

3) The co-operative banks have to report commencement of the service to the concerned Regional Office of RBI (and also NABARD in case of StCBs/DCCBs) within one month of operationalization of Internet Banking (View only) facility.

2. INTERNET BANKING WITH TRANSACTIONAL FACILITY:

All licensed StCBs, DCCBs and UCBs which have implemented CBS, have migrated to Internet Protocol Version 6 (IPv6) and fulfil the following criteria may offer Internet Banking with transactional facility to their customers with prior approval of RBI:

  1. CRAR of not less than 10 per cent.

  2. Net worth is Rs.50 crore or more as on March 31 of the immediate preceding financial year.

  3. Gross NPAs less than 7% and Net NPAs not more than 3%.

  4. The bank should have made a net profit in the immediate preceding financial year and, overall, should have made a net profit in at least three out of the preceding four financial years.

  5. It should not have defaulted in maintenance of CRR/SLR during the immediate preceding financial year.

  6. It has a sound internal control system with at least two professional directors on the Board.

  7. The bank has a track record of regulatory compliance and no monetary penalty has been imposed on the bank for violation of RBI directives/guidelines during the two financial years preceding the year in which the application is made.

4) StCBs, DCCBs and UCBs fulfilling the above-mentioned criteria will be allowed to extend Internet Banking with transactional facility provided they comply with the guidelines prescribed in Annexure-I and II to this policy. For this purpose, the intending StCB, DCCB and UCB shall submit an application to the concerned Regional Office of RBI (through NABARD in case of StCB/DCCB) with the following documents:

  1. A copy of the Board approved policy on internet banking along with a certificate from an independent auditor (CISA qualified) that the IT and IS policy requirements prescribed in RBI guidelines have been adhered to.
  2. An undertaking to inform RBI about any material change in the services/ products offered by them.
  3. The business plan, cost and benefit analysis, operational arrangements like technology adopted, business partners, third party service providers and systems and control procedures that the bank proposes to adopt for managing risks.

5) The bank will report to the concerned Regional Office of RBI (and also NABARD in case of StCBs /DCCBs) every breach or failure of security systems and procedures and the latter, at its discretion, may decide to commission a special audit/inspection of such bank.

6) StCBs/DCCBs which are already offering Internet Banking (View only) facility to their customers should immediately review their systems in the light of these guidelines and report to the concerned Regional Office of RBI (through NABARD), within one month from the date of issuance of this circular, the type of services offered and the extent of their compliance with these guidelines. Deviations from the guidelines should be reported with an action plan indicating a timeframe for compliance.

7) StCBs/DCCBs, which are already offering Internet Banking transactional services are advised to comply with the instructions contained in this circular and submit details of their business models, projections of cost/benefits, etc. and obtain post facto approval of the concerned Regional Office of RBI within one month from the date of issuance of this circular. Such applications should be routed through NABARD to the Regional Office of RBI.


Annexure-1

Guidelines on Internet banking facility to Customers of Cooperative banks
Licensed StCBs, DCCBs and UCBs intending to offer internet banking facility to their customers should comply with the following:
  1. The bank should formulate a policy for Internet Banking with the approval of the Board.
  2. The policy should fit into the bank's overall Information Technology and Information Security Policy and ensure confidentiality of records and security of systems.
  3. The policy should clearly lay down the procedure to be followed in respect of 'Know Your Customer' requirements.
  4. The policy should cover technology and security standards and also address the legal, regulatory and supervisory issues as enumerated in this Annexure.
  5. The banks should put in place sound internal control systems and take into account the operational risks involved in providing the service.
  6. Adequate disclosure should be made regarding the risk, responsibilities and liabilities to the customers before offering the facility.

Accordingly, the following guidelines are issued for implementation by the bank.

I. Technology and Security Standards:

  1. Cooperative banks should have appropriate Information Security policy duly approved by the Board of Directors. There should be clear segregation of duties between the Information Technology (IT) Division and the Information Security (IS) Division. The Information Technology Division will actually implement the computer systems. There should be a separate Information Security Officer dealing exclusively with Information Systems security. Further, an Information Systems Auditor will audit the Information Systems.
  2. The banks should designate a Network and Database Administrator with clearly defined roles as per the IS Audit policy duly approved by their Board.
  3. Logical access controls to data, Systems, Application software, utilities, telecommunication lines, libraries, System software, etc. should be in place.
  4. The banks should ensure that there is no direct connection between the Internet and the bank's system.
  5. The banks should have effective safeguards to prevent intrusions into the systems/network.
  6. All unnecessary services on the Application Server such as File Transfer Protocol (FTP), Telnet should be disabled. The Application Server should be isolated from the e-mail server.
  7. All computer accesses, including messages received, should be logged. Security violations (suspected or attempted) should be recorded and follow up action taken. Banks should acquire tools for monitoring Systems and networks against intrusions and attacks. These tools should be used regularly to avoid security breaches. The banks should review their security infrastructure and security policies regularly and optimize them in the light of their own experiences and changing technologies.
  8. The Information Security officer and the Information System auditor should conduct periodic penetration tests of the system, which should include:
    1. Attempting to guess passwords using password-cracking tools.
    2. Search for back door traps in the programs.
    3. Attempt to overload the System using Distributed Denial of Service (DDoS) & Denial of Service (DoS) attacks.
    4. Check if commonly known holes in the software, especially the browser and the e-mail software exist.
    5. The penetration testing may also be carried out by engaging outside experts (often called 'Ethical Hackers').
  9. Physical access controls should be strictly enforced. Physical security should cover all the Information Systems and sites where they are housed, both against internal and external threats.
  10. The banks should have proper infrastructure and schedules for backing up data. The backed-up data should be periodically tested to ensure recovery without loss of transactions in a time frame as spelt out in the bank's security policy. Business continuity should be ensured by setting up Disaster Recovery sites. These facilities should also be tested periodically.
  11. All applications should have proper record keeping facilities for legal purposes. It shall be necessary to keep all Received and Sent messages both in encrypted and decrypted form.
  12. The banks shall obtain application integrity statement from the vendor/service provider, before implementing the internet banking software.
  13. Security infrastructure should be properly tested before using the Systems and Applications for normal operations. Banks should periodically upgrade the Systems to newer versions which give better security and control.
  14. The guidelines issued by RBI on ‘Risks and Controls in Computers and Telecommunications’ vide circular DBS.CO.ITC.BC. 10/ 31.09.001/ 97-98 dated 4th February 1998/UBD.No.Admn.46b/17:36:00/97-98 dated March 30, 1998 and circular DBS.CO.ITC.BC.No.6/31.02.008/2010-11 dated April 29, 2011 regarding Recommendations of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (Chairman: Shri G. Gopalakrishna, Executive Director); advising banks to comply with the same, will equally apply to Internet banking.
  15. In the case of StCBs/DCCBs, guidelines on 'Introduction of IS Audit Policy' in NABARD circular NB.DoS.HO.POL.No.3634/J-1/2014-15 dated February 25, 2015 will also apply.
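Items 6 and 7 above require that disabled services stay disabled, that all accesses are logged, and that suspected or attempted security violations are recorded and followed up. The following is an added example, not part of the policy or of any bank's or vendor's software, of a small review routine over access logs. The log line format, the field names, the five-failures-in-five-minutes threshold and the sample log lines are all constructed for illustration; a bank would substitute its own log format and a threshold from its security policy.

```python
# Added example: review constructed access-log lines and record security violations
# of the kinds the policy names (repeated authentication failures, and connection
# attempts to services that should be disabled on the application server).
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format: ISO-8601 UTC time, source address, user, event name.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")
FAIL_THRESHOLD = 5                  # hypothetical: 5 failed logins ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within 5 minutes from one source
DISABLED_SERVICE_EVENTS = {"FTP_CONNECT", "TELNET_CONNECT"}  # services item 6 says to disable

# Constructed sample log (not from any real system).
SAMPLE_LOG = """\
2024-05-03T10:15:02Z src=10.0.0.5 user=cust001 event=LOGIN_FAIL
2024-05-03T10:15:20Z src=10.0.0.5 user=cust001 event=LOGIN_FAIL
2024-05-03T10:15:41Z src=10.0.0.9 user=cust042 event=LOGIN_FAIL
2024-05-03T10:15:55Z src=10.0.0.5 user=cust001 event=LOGIN_FAIL
2024-05-03T10:16:10Z src=10.0.0.5 user=cust001 event=LOGIN_FAIL
2024-05-03T10:16:30Z src=10.0.0.9 user=cust042 event=LOGIN_OK
2024-05-03T10:16:44Z src=10.0.0.5 user=cust001 event=LOGIN_FAIL
2024-05-03T10:17:03Z src=10.0.0.5 user=cust001 event=LOGIN_OK
2024-05-03T10:20:00Z src=10.0.0.7 user=- event=FTP_CONNECT
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "event": m["event"]}


def find_violations(lines):
    """Return a list of (kind, source, timestamp) records for follow-up, in time order."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    recent_fails = defaultdict(list)   # source -> timestamps of failures inside the window
    flagged_sources = set()            # sources that already produced a failure burst

    for e in events:
        stamp = e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ")
        if e["event"] == "LOGIN_FAIL":
            window = recent_fails[e["src"]]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > FAIL_WINDOW:
                window.pop(0)          # forget failures older than the window
            if len(window) == FAIL_THRESHOLD:   # alert once when the threshold is reached
                flagged_sources.add(e["src"])
                alerts.append(("repeated_login_failures", e["src"], stamp))
        elif e["event"] == "LOGIN_OK" and e["src"] in flagged_sources:
            # A success right after a burst of failures deserves a look (possible guessing).
            alerts.append(("login_after_failure_burst", e["src"], stamp))
        elif e["event"] in DISABLED_SERVICE_EVENTS:
            # The service should not be reachable at all; any attempt is a violation.
            alerts.append(("disabled_service_access", e["src"], stamp))
    return alerts


if __name__ == "__main__":
    for kind, src, when in find_violations(SAMPLE_LOG.splitlines()):
        print(f"{when} {kind} from {src}")
```

Each returned record is the kind of entry the policy expects to be kept and followed up; in practice the output would be written to a ticketing or SIEM system rather than printed.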

II. Legal Issues

  1. Banks may provide Internet Banking facility to a customer only at his/her option based on specific written or authenticated electronic requisition along with a positive acknowledgement.
  2. Considering the prevailing legal position, there is an obligation on the part of banks not only to establish the identity but also to make enquiries about the integrity and reputation of the customer opting for internet banking. Therefore, even though request for opening an account may be accepted over Internet, accounts should be opened only after verification of the identity of the customer and adherence to KYC guidelines.
  3. From a legal perspective, security procedure adopted by banks for authenticating a user needs to be recognized by law as a substitute for signature. The provisions of the Information Technology Act, 2000, and other legal requirements need to be scrupulously adhered to while offering internet banking.
  4. Under the present regime, there is an obligation on banks to maintain secrecy and confidentiality of customers' accounts/information. In the Internet banking scenario, the risk of banks not meeting the above obligation is high on account of several factors. Despite all reasonable precautions, banks may be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service etc., because of hacking/technological failures. The banks should, therefore, have in place adequate risk control measures to manage such risks.

III. Internal Control System
The banks should develop sound internal control systems before offering internet banking. This would include internal inspection/audit of systems and procedures related to internet banking as also ensuring that adequate safeguards are in place to protect integrity of data, customer confidentiality and security of data. Banks may also consider prescribing suitable monetary limits for customers on transactions put through internet banking. The internal control system should cover the following:

  1. Role and Responsibilities/Organisational structure: The Board of Directors and senior management are responsible for ensuring that the internal control system operates effectively. Audit Committee of the Board should have a designated member with requisite knowledge of Information Systems, related controls and audit issues.
  2. Audit Policy to include IS Audit: IS audit should be an integral part of the internal audit of banks. The banks should put in place a system to ensure that a robust audit trail is generated to facilitate conduct of audit, serving as forensic evidence when required and assist in dispute resolution.
  3. Reporting and Follow-up: This involves having a system of reporting by the functionaries to the higher authorities. Any breach or failure of security systems and procedures will be reported to the next higher authority and to the Audit Committee. IS Auditors will prepare an audit summary memorandum providing an overview of the entire audit process from planning to audit findings, discuss the findings with the auditee and obtain responses. The Cooperative banks should have a time-bound follow-up policy for compliance with audit findings. The Board of Directors needs to be kept informed of serious lapses in security and procedures.

  4. Banks may have a communication plan for escalating/reporting to the Board/ Senior Management/RBI/NABARD to proactively notify major cyber security incidents.

IV. Other Issues and Disclosures: The existing regulatory framework over banks will be extended to Internet Banking also. In this regard, it is advised that:

  1. The products under internet banking should be restricted to account holders only.
  2. The services should include only local currency products.
  3. Cooperative banks should make disclosure of risks, responsibilities and liabilities of customers in doing banking through internet.
  4. The banks need to adhere to the KYC guidelines/AML standards and the provisions and directions issued under the PMLA 2002 while offering internet banking.

Annexure-2

Internet Banking - Security Features:

  1. Cooperative banks need to ensure suitable security measures for their web Applications and take reasonable mitigating measures against various web security risks.
  2. Web Applications should not store sensitive information in HTML hidden fields, cookies, or any other client-side storage leading to compromise in the integrity of the data. Critical web Applications should enforce at least SSL v3 or Extended Validation-SSL / TLS 1.0 128 bit encryption level for all online activity.
  3. Re-establishment of any session after interruption should require normal user identification, authentication, and authorization. Moreover, strong server side validation should be enabled.
  4. Cooperative banks need to follow a defense-in-depth strategy by applying robust security measures across various technology layers.
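Items 2 and 3 above say that sensitive state must not live in hidden fields, cookies or other client-side storage, that a session interrupted and re-established must go through normal identification and authentication again, and that validation must be done on the server. The following is an added example, not part of the policy or of any bank's software, of a session store built along those lines. The fixed session lifetime, the per-transaction limit, the `SessionStore` class and the sample account numbers are constructed assumptions for illustration; the policy sets no such numbers.

```python
# Added example: server-side session state with an opaque token, forced re-authentication
# when a session cannot be resumed, and server-side validation of a transfer request.
import os
import time
from dataclasses import dataclass

SESSION_LIFETIME_SECONDS = 600            # hypothetical fixed lifetime (10 minutes)
PER_TRANSACTION_LIMIT_PAISE = 5_000_000   # hypothetical Rs.50,000 limit, kept in paise


@dataclass
class Session:
    user_id: str
    created_at: float
    accounts: tuple   # linked account numbers: held server-side only, never sent to the client


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock   # injectable clock so the example is testable offline

    def create(self, user_id, accounts):
        """Called only after the user has been identified and authenticated."""
        token = os.urandom(32).hex()  # opaque and unguessable; the only value the client keeps
        self._sessions[token] = Session(user_id, self._clock(), tuple(accounts))
        return token

    def resume(self, token):
        """Return the live session for a presented token, or None when the session must be
        re-established through normal identification and authentication."""
        sess = self._sessions.get(token)
        if sess is None:
            return None   # unknown token: nothing to resume, full login required
        if self._clock() - sess.created_at > SESSION_LIFETIME_SECONDS:
            del self._sessions[token]   # expired: discard and force re-authentication
            return None
        return sess

    def terminate(self, token):
        self._sessions.pop(token, None)


def validate_transfer(store, token, from_account, amount_paise):
    """Server-side validation of a transfer request. Returns (accepted, reason).
    Nothing the client sends is trusted: the account must belong to the session."""
    sess = store.resume(token)
    if sess is None:
        return False, "re-authentication required"
    if not isinstance(amount_paise, int) or amount_paise <= 0:
        return False, "invalid amount"
    if amount_paise > PER_TRANSACTION_LIMIT_PAISE:
        return False, "exceeds per-transaction limit"
    if from_account not in sess.accounts:
        return False, "account not linked to authenticated user"
    return True, "accepted"


if __name__ == "__main__":
    now = [1_700_000_000.0]   # constructed clock so the run is deterministic
    store = SessionStore(clock=lambda: now[0])
    tok = store.create("cust-001", ["1234567890"])   # constructed sample data
    print(validate_transfer(store, tok, "1234567890", 150_000))   # accepted
    print(validate_transfer(store, tok, "9999999999", 150_000))   # account not linked
    now[0] += SESSION_LIFETIME_SECONDS + 1
    print(validate_transfer(store, tok, "1234567890", 150_000))   # re-authentication required
```

The client only ever holds the random token; the linked accounts and limits are looked up on the server for every request, so a tampered hidden field or cookie cannot change which account is debited or how much.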

Authentication practices for internet banking:

1. Authentication methodologies involve three basic ‘factors’:
- Something the user knows (e.g., password, PIN);
- Something the user has (e.g., ATM card, smart card); and
- Something the user is (e.g., biometric characteristic, such as a fingerprint).
2. Properly designed and implemented multifactor authentication methods are more reliable and stronger fraud deterrents and are more difficult to compromise. The principal objectives of two-factor authentication are to protect the confidentiality of customer account data and transaction details as well as enhance confidence in internet banking by combating various cyber attack mechanisms like phishing, key logging, spyware/malware and other internet based frauds targeted at banks and their customers.

Implementation of two-factor authentication and other security measures for internet banking:

  1. In view of the proliferation of cyber attacks and their potential consequences, banks should implement two-factor authentication for fund transfers through internet banking.
  2. The implementation of appropriate authentication methodologies should be based on an assessment of the risk posed by the institution’s Internet banking systems. The risk should be evaluated in light of the type of customer (e.g., retail or corporate/commercial); the customer transactional capabilities (e.g., bill payment, fund transfer), the sensitivity of customer information and the volume of transactions involved.
  3. Beyond the technology factor, the success of a particular authentication method depends on appropriate policies, procedures, and controls. An effective authentication method should take into consideration customer acceptance, ease of use, reliable performance, scalability to accommodate growth, and interoperability with other systems.
  4. There is a legal risk in not using the asymmetric cryptosystem and hash function for authenticating electronic transactions. For carrying out critical transactions like fund transfers, the banks, at the least, need to implement robust and dynamic two-factor authentication through user id/password combination and second factor like (a) a digital signature (through a token containing digital certificate and associated private key, preferably for corporate customers) or (b) One Time Password (OTP)/dynamic access code through various modes (like SMS over mobile phones or hardware token).
  5. To enhance online processing security, confirmatory second channel procedures (like telephone, SMS, e-mail, etc.) should be applied in respect of transactions above pre-set values, creation of new account linkages, registration of third party payee details, changing account details or revision to funds transfer limits. In devising these security features, banks should take into account their efficacy and differing customer preferences for additional online protection.
  6. Based on mutual authentication protocols, customers could also authenticate the bank’s web site through security mechanisms such as personal assurance messages/images, exchange of challenge response security codes and/or the Secure Sockets Layer (SSL) server certificate verification. In recent times, Extended Validation Secure Sockets Layer (EV-SSL) Certificates are increasingly being used. These are special SSL Certificates that work with high security web browsers to clearly identify a website's organizational identity. It should, however, be noted that SSL is only designed to encrypt data in transit at the network transport layer. It does not provide end-to-end encryption security at the application layer.
  7. An authenticated session, together with its encryption protocol, should remain intact throughout the interaction with the customer. Else, in the event of interference, the session should be terminated and the affected transactions resolved or reversed out. The customer should be promptly notified of such an incident as the session is being concluded or subsequently by email, telephone or through other means.
  8. Changes in mobile phone number may be done through request from a branch only.
  9. Virtual keyboard should be implemented.
  10. A cooling period for beneficiary addition and SMS/e-mail alerts may be introduced when new beneficiaries are added.
  11. Customers should be advised to adopt various good security precautions and practices in protecting their personal computer and to avoid conducting financial transactions from public or internet café computers.
  12. Risk-based transaction monitoring or surveillance process needs to be considered as an adjunct.
  13. An online session would need to be automatically terminated after a fixed period of time unless the customer is re-authenticated for the existing session to be maintained. This prevents an attacker from keeping an internet banking session alive indefinitely.
  14. By definition, true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category at different points in the process may be part of a layered security or other compensating control approach, but it would not constitute a true multifactor authentication.
  15. As an integral part of the two-factor authentication architecture, banks should also implement appropriate measures to minimise exposure to a middleman attack, more commonly known as a man-in-the-middle (MITM) attack, man-in-the-browser (MITB) attack or man-in-the-application attack.
  16. The banks should also consider, and if deemed appropriate, implement the following control and security measures to minimize exposure to man-in-the middle attacks:
  • Specific OTPs for adding new payees: Each new payee should be authorized by the customer based on an OTP from a second channel which also shows payee details or the customer’s handwritten signature from a manual procedure which is verified by the bank.
  • Individual OTPs for value transactions (payments and fund transfers): Each value transaction or an approved list of value transactions above a certain monetary threshold determined by the customer should require a new OTP.
  • OTP time window: Challenge-based and time-based OTPs provide strong security because their period of validity is controlled entirely by the bank and does not depend on user behavior. It is recommended that banks should not allow the OTP time window to exceed 100 seconds on either side of the server time since the smaller the time window, the lower the risk of OTP misuse.
  • Payment and fund transfer security: Digital signatures and Key-based Message Authentication Codes (KMAC) for payment or fund transfer transactions could be considered for detection of unauthorized modification or injection of transaction data in a middleman attack. For this security solution to work effectively, a customer using a hardware token would need to be able to distinguish the process of generating a one-time password from the process of digitally signing a transaction. What he signs digitally must also be meaningful to him, which means the token should at least explicitly show the payee account number and the payment amount from which a hash value may be derived for the purpose of creating a digital signature. Different crypto keys should be used for generating OTPs and for signing transactions.
  • In internet banking scenario, there is very little scope for banks to act on stop-payment instructions from the customers. Hence, banks should clearly notify to the customers the timeframe and the circumstances in which any stop-payment instructions could be accepted.
  • The Consumer Protection Act, 1986 defines the rights of consumers in India and is applicable to banking services as well. The rights and liabilities of customers availing of internet banking services need to be clearly explained to customers opting for internet banking. Considering the banking practice and rights enjoyed by customers in traditional banking, the banks' liability to the customers on account of unauthorized transfer through hacking, denial of service on account of technological failure, etc. needs to be assessed and banks providing internet banking should insure themselves against such risks.
  • Hyperlinks from banks' websites often raise the issue of reputational risk. Such links should not mislead the customers into believing that banks sponsor any particular product or any business unrelated to banking. Hyperlinks from banks' websites should be confined to only those portals with which they have a payment arrangement. Hyperlinks to banks' websites from other portals are normally meant for passing on information relating to purchases made by banks' customers in the portal. Banks must follow recommended security precautions while dealing with requests received from other websites relating to customers' purchases.
  • Second channel notification/confirmation: The bank should notify the customer, through a second channel, of all payment or fund transfer transactions above a specified value determined by the customer.
  • SSL server certificate warning: Internet banking customers should be made aware of and shown how to react to SSL or EV-SSL certificate warning.
  • Banks should put in place risk-based transaction monitoring and surveillance process. Study of customer transaction behaviour pattern and stopping irregular transaction or obtaining prior confirmation from customers for outlier transactions may be incorporated in the software.
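Two of the controls above, the bank-controlled OTP time window of not more than 100 seconds on either side of server time, and a keyed message authentication code over the payee account number and amount of a transfer with a key separate from the OTP key, can be shown in code. The following is an added example, not part of the policy or of any bank's or token vendor's software. It uses the HMAC-based OTP construction of RFC 4226/RFC 6238 with 30-second steps as an assumed OTP scheme, HMAC-SHA256 as the keyed MAC, and constructed sample keys, account numbers and amounts.

```python
# Added example: OTP accepted only within +/-100 s of server time and never twice, plus a
# keyed MAC over exactly the payee and amount the customer approved, under a separate key.
import hashlib
import hmac
import struct

OTP_STEP_SECONDS = 30       # assumed token step (RFC 6238 default)
OTP_WINDOW_SECONDS = 100    # policy upper bound: not more than 100 s either side of server time
OTP_DIGITS = 6


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HMAC-SHA1 one-time password with dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


def totp(key: bytes, at_time: int) -> str:
    """Code a hardware token or SMS gateway would produce at a given Unix time."""
    return hotp(key, int(at_time) // OTP_STEP_SECONDS)


class OtpVerifier:
    """Server-side check: the validity window is fixed by the bank, not by user behaviour,
    and the counter of each accepted code is remembered so the code cannot be replayed."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_accepted = -1

    def window_counters(self, server_time: int):
        first = (int(server_time) - OTP_WINDOW_SECONDS) // OTP_STEP_SECONDS
        last = (int(server_time) + OTP_WINDOW_SECONDS) // OTP_STEP_SECONDS
        return range(first, last + 1)

    def verify(self, submitted: str, server_time: int) -> bool:
        for counter in self.window_counters(server_time):
            if counter <= self._last_accepted:
                continue   # already consumed, or older than a consumed code: refused
            if hmac.compare_digest(hotp(self._key, counter), submitted):
                self._last_accepted = counter
                return True
        return False


def canonical_transaction(payee_account: str, amount_paise: int) -> bytes:
    """Unambiguous encoding of exactly what the customer saw and approved."""
    return f"payee={payee_account}|amount_paise={amount_paise}".encode()


def sign_transaction(signing_key: bytes, payee_account: str, amount_paise: int) -> str:
    """Keyed MAC (HMAC-SHA256) over the transaction; signing_key must differ from the OTP key."""
    return hmac.new(signing_key, canonical_transaction(payee_account, amount_paise),
                    hashlib.sha256).hexdigest()


def verify_transaction(signing_key: bytes, payee_account: str, amount_paise: int, tag: str) -> bool:
    """False if the payee or amount was altered or injected between customer and bank."""
    return hmac.compare_digest(sign_transaction(signing_key, payee_account, amount_paise), tag)


if __name__ == "__main__":
    otp_key = b"constructed-otp-seed-0001"          # sample only
    signing_key = b"constructed-signing-key-0001"   # distinct key for transaction signing
    server_time = 1_700_000_000
    verifier = OtpVerifier(otp_key)
    code = totp(otp_key, server_time - 90)          # generated 90 s ago: inside the window
    print("fresh OTP accepted:", verifier.verify(code, server_time))
    print("same OTP replayed: ", verifier.verify(code, server_time))
    tag = sign_transaction(signing_key, "1234567890", 250_000)
    print("intact transfer:   ", verify_transaction(signing_key, "1234567890", 250_000, tag))
    print("amount altered:    ", verify_transaction(signing_key, "1234567890", 2_500_000, tag))
```

The window is computed from the server clock alone, so a customer cannot widen it, and the MAC covers the payee and amount rather than an opaque hash the customer cannot read, which is the property the "Payment and fund transfer security" point above asks for.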

MOBILE BANKING POLICY-2024-25

The Reserve Bank of India has, from time to time, issued a number of circulars containing guidelines on Mobile Banking. This Policy has been prepared to facilitate the banks and other stakeholders to have all the extant instructions on the subject at one place.
The Master Circular has been updated as on 12.11.2021 by incorporating all the instructions/guidelines issued on Mobile Banking and has been placed on the RBI web-site (http://www.rbi.org.in). A list of circulars finding reference in this master circular is enclosed as Appendix-4 to this policy.

1. PURPOSE:

To provide a consolidated document containing all rules/regulations/procedures prescribed to be followed by banks for operationalising Mobile Banking in India.

2. CLASSIFICATION:

Statutory Guidelines issued by Reserve Bank of India under section 18 of Payment & Settlement Systems Act, 2007, (ACT 51 of 2007).

3. PREVIOUS GUIDELINES CONSOLIDATED:

The Master Circular compiles the instructions contained in the circulars issued on Mobile Banking as listed in Appendix.

4. SCOPE:

The guidelines are applicable to all commercial banks (including Regional Rural Banks), Urban Cooperative Banks, State Cooperative Banks and District Central Cooperative Banks.

5. INTRODUCTION:

5.1 Mobile phones, as a medium for extending banking services, have attained greater significance because of their ubiquitous nature. The rapid growth of mobile users in India, through wider coverage of mobile phone networks, have made this medium an important platform for extending banking services to every segment of banking clientele in general and the unbanked segment in particular.

5.2 In order to ensure a level playing field, Reserve Bank brought out a set of operating guidelines for adoption by banks. The guidelines, finalized following a wide consultative process with the stakeholders, were first issued in October 2008 and since then have been updated keeping in view the developments taking place.

5.3 For the purpose of the instructions contained in this Master Circular, 'Mobile Banking transaction' means undertaking banking transactions using mobile phones by bank customers that involve accessing / credit / debit to their accounts.

5.4 Banks are permitted to offer mobile banking services (through SMS, USSD or mobile banking application) after obtaining necessary permission from the Department of Payment & Settlement Systems, Reserve Bank of India. Mobile Banking services are to be made available to bank customers irrespective of the mobile network.

6. REGULATORY & SUPERVISORY ISSUES:

6.1 Banks which are licensed, supervised and having physical presence in India, are permitted to offer mobile banking services. Only banks who have implemented core banking solutions are permitted to provide mobile banking services.

6.2 The services shall be restricted only to customers of banks and/or holders of debit/credit cards issued as per the extant Reserve Bank of India guidelines.

6.3 Banks may also use the services of Business Correspondent appointed in compliance with RBI guidelines, for extending this facility to their customers.

6.4 The guidelines issued by the Reserve Bank on ‘Risks and Controls in Computers and Telecommunications’ vide circular DBS.CO. ITC.BC.10/31.09.001/97-98 dated 4th February 1998 will apply mutatis mutandis to Mobile Banking.

6.5 The guidelines issued by Reserve Bank on “Know Your Customer (KYC)”, “Anti Money Laundering (AML)” and “Combating the Financing of Terrorism (CFT)” from time to time would be applicable to mobile based banking services also.

6.6 Banks shall file Suspicious Transaction Report (STR) to Financial Intelligence Unit – India (FIU-IND) for mobile banking transactions as in the case of normal banking transactions.

7. REGISTRATION OF CUSTOMERS FOR MOBILE SERVICE:

7.1 Banks shall put in place a system of registration of customers for mobile banking. Banks should strive to provide options for easy registration for mobile banking services to their customers, through multiple channels, thus minimizing the need for the customer to visit the branch for such services. The time taken between registration of customers for mobile banking services and activation of the service should also be minimal.

7.2 The system put in place by banks for registration of customers for mobile banking, for new as well as existing account holders (where the mobile number is either registered with the bank or is not available), varies across banks. Thus, there is a need for a greater degree of standardization in procedures relating to the above, particularly when customers are using inter-operable mobile banking platforms. A few best practices that can be adopted by banks for registering/on-boarding customers for mobile banking, under the scenarios indicated above, are given in Annexure-1.

7.3 With a view to simplify the procedure of registration for Mobile Banking, Reserve Bank of India has advised National Payment Corporation of India (NPCI) to develop the mobile banking registration service/option on National Financial Switch (NFS). Accordingly all banks shall carry out necessary changes in their respective ATM switches to enable customer registration for mobile banking at all their ATMs. (Circular DPSS.CO.PD.No./1265/02.23.001/2015-2016 dated December 17, 2015)

7.4 In order to address the challenges in extending the facility of MPIN generation to the customers registered for mobile banking, banks have to explore various options. In order to quicken the process of MPIN generation and also widen the accessibility to their mobile banking registered customers, banks can consider adopting various channels / methods such as

  1. Through the ATM channels (similar to option available for change of PIN on their own ATMs as well as in inter-operable ATM networks)
  2. Through an option provided in the USSD menu for mobile banking (both their own USSD platform, if any, as well as under the inter-operable USSD Platform for mobile banking)
  3. Banks’ own internet banking website, with necessary safeguards
  4. Use of MPIN mailers (like PIN mailers for cards)
  5. Common website can also be designed as an industry initiative

7.5 Banks may also undertake customer education and awareness programmes in multiple languages through different channels of communication to popularize their process of mobile banking registration/activation and its usage.

7.6 On registration of the customer, the full details of the Terms and Conditions of the service offered by the bank shall be communicated to the customer.

8. TECHNOLOGY AND SECURITY STANDARDS:
8.1 Information Security is most critical to the business of mobile banking services and its underlying operations. Therefore, the technology used for mobile banking must be secure and should ensure confidentiality, integrity, authenticity and non-repudiation.

8.2 Transactions up to Rs.5000/- can be facilitated by banks without end-to-end encryption. The risk aspects involved in such transactions may be addressed by the banks through adequate security measures. (Circular DPSS.CO.No.2502/ 02.23.02/ 2010-11 dated May 4, 2011)

8.3 An illustrative framework for technology and security is given at Annexure-2.

9. INTER-OPERABILITY:
9.1 Banks offering mobile banking service must ensure that customers having mobile phones of any network operator are in a position to avail of the service, i.e. the service should be network independent. Restrictions, if any, for the customers of particular mobile operator(s) are permissible only during the initial stages of offering the service, up to a maximum period of six months, subject to review.

9.2 The long term goal of the mobile banking framework in India would be to enable funds transfer from an account in one bank to any other account in the same or any other bank on a real time basis, irrespective of the mobile network a customer has subscribed to. This would require interoperability between mobile banking service providers and banks and the development of a host of message formats. To ensure inter-operability between banks, and between their mobile banking service providers, banks shall adopt message formats like ISO 8583, with suitable modification to address specific needs.

10. CLEARING AND SETTLEMENT FOR INTER-BANK FUNDS TRANSFER TRANSACTIONS:
10.1 To meet the objective of nation-wide mobile banking framework facilitating inter-bank settlement, a robust clearing and settlement infrastructure operating on a 24x7 basis is necessary. Bank and non-bank entities putting such systems in place, bilateral or multilateral, need authorisation from Reserve Bank of India, under the Payment and Settlement System Act, 2007.

11. CUSTOMER COMPLAINTS AND GRIEVANCE REDRESSAL MECHANISM:
11.1 The customer/consumer protection issues assume a special significance in view of the fact that the delivery of banking services through mobile phones is relatively new. Some of the key issues in this regard are given at Annexure-3.

12. TRANSACTION LIMIT:
12.1 Banks are permitted to offer mobile banking facility to their customers without any daily cap for transactions involving purchase of goods/services. (Circular DPSS.CO.PD.No.1098/ 02.23.001/ 2011-12 dated December 22, 2011).
12.2 However, banks may put in place per transaction limit depending on the bank’s own risk perception, with the approval of its Board.

13. REMITTANCE OF FUNDS FOR DISBURSEMENT IN CASH
13.1 In order to facilitate the use of mobile phones for remittance of cash, banks are permitted to provide fund transfer services which facilitate transfer of funds from the accounts of their customers for delivery in cash to the recipients. The disbursal of funds to recipients of such services can be facilitated at ATMs or through any agent(s) appointed by the bank as business correspondents. The recipient can be a non-account holder also. (Circular DPSS.CO.No.1357/02.23.02/2009-10 dated December 24, 2009)

13.2 Such fund transfer service shall be provided by banks subject to the following conditions:

    1. In case of cash out, the maximum value of such transfers shall be Rs 10,000/- per transaction. Banks may place a suitable cap on the velocity of such transactions, subject to a maximum value of Rs 25,000/- per month, per beneficiary (Circular DPSS.CO.PD.No. 622/02.27.019/2011-12 dated October 5, 2011).
    2. The disbursal of funds at the agent/ATM shall be permitted only after identification of the recipient. In this connection, attention of banks is drawn to the provisions of the Notification dated November 12, 2009, issued by Government of India, under the Prevention of Money Laundering Act, 2002, as amended from time to time.
    3. Banks may carry out proper due diligence of the persons before appointing them as authorized agents for such services.
    4. Banks shall be responsible as principals for all the acts of omission or commission of their agents.
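The limit and velocity conditions above are the kind of check a bank's switch or mobile banking server has to apply before a cash-out remittance is accepted. The following is an added example written for this page, not the bank's, NPCI's or any vendor's code. It uses the page's own caps (Rs 10,000 per transaction, Rs 25,000 per month per beneficiary) and, going beyond section 13.2, supports the daily and weekly windows that Annexure-2 asks banks to configure alongside monthly ones. The class and function names, the ISO timestamp format and the sample remittances are assumptions made for illustration.

```python
"""Added example (not the bank's or NPCI's code): enforcing the cash-out
remittance limits of section 13.2 and the windowed transaction/velocity
limits Annexure-2 asks banks to configure.

The caps are the page's own (Rs 10,000 per transaction, Rs 25,000 per
month per beneficiary). Daily and weekly windows, the class and function
names, and the sample remittances are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Dict, List, Optional

PER_TXN_CAP = Decimal("10000")                  # 13.2(1): per cash-out transaction
MONTHLY_PER_BENEFICIARY_CAP = Decimal("25000")  # 13.2(1): per month, per beneficiary
WINDOW_NAMES = {"day": "daily", "week": "weekly", "month": "monthly"}


@dataclass
class Remittance:
    sender_account: str
    beneficiary_id: str                  # e.g. the recipient's mobile number (constructed)
    amount: Decimal
    at: datetime
    recipient_identified: bool = False   # 13.2(2): set by the agent/ATM after the ID check


@dataclass
class LimitPolicy:
    per_txn: Decimal = PER_TXN_CAP
    # window name -> cap per beneficiary within that calendar window
    windows: Dict[str, Decimal] = field(
        default_factory=lambda: {"month": MONTHLY_PER_BENEFICIARY_CAP})


def window_start(ts: datetime, window: str) -> datetime:
    """Start of the calendar day/week/month containing ts."""
    day = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    if window == "day":
        return day
    if window == "week":
        return day - timedelta(days=day.weekday())
    if window == "month":
        return day.replace(day=1)
    raise ValueError(f"unknown window {window!r}")


class VelocityChecker:
    """Applies per-transaction and per-window caps before a remittance is accepted."""

    def __init__(self, policy: LimitPolicy):
        self.policy = policy
        self.history: List[Remittance] = []   # accepted remittances (a database in production)

    def check(self, r: Remittance) -> Optional[str]:
        """Return None if the remittance is within limits, else the rejection reason."""
        if r.amount <= 0:
            return "amount must be positive"
        if r.amount > self.policy.per_txn:
            return f"exceeds per-transaction cap of Rs {self.policy.per_txn}"
        for window, cap in self.policy.windows.items():
            start = window_start(r.at, window)
            # total already sent to this beneficiary in the current window
            used = sum((h.amount for h in self.history
                        if h.beneficiary_id == r.beneficiary_id
                        and start <= h.at <= r.at), Decimal(0))
            if used + r.amount > cap:
                return (f"exceeds {WINDOW_NAMES[window]} cap of Rs {cap} "
                        f"for beneficiary {r.beneficiary_id} (already Rs {used})")
        return None

    def accept(self, r: Remittance) -> Optional[str]:
        """Record the remittance if it passes; return the rejection reason otherwise."""
        reason = self.check(r)
        if reason is None:
            self.history.append(r)
        return reason


def make_remittance(sender: str, beneficiary: str, rupees: str, when: str,
                    identified: bool = False) -> Remittance:
    """Build a constructed sample remittance from plain strings (ISO 8601 timestamp)."""
    return Remittance(sender, beneficiary, Decimal(rupees),
                      datetime.fromisoformat(when), identified)


def can_disburse(r: Remittance) -> bool:
    """Agent/ATM side: cash is handed over only after the recipient is identified (13.2(2))."""
    return r.recipient_identified


if __name__ == "__main__":
    checker = VelocityChecker(LimitPolicy())
    for rupees in ("10000", "10000", "6000", "5000"):   # constructed sequence for one beneficiary
        r = make_remittance("ACC-001", "9999900001", rupees, "2024-04-10T10:00:00")
        print(rupees, "->", checker.accept(r) or "accepted")
```

A tighter per-bank policy is expressed by adding entries such as `"day"` or `"week"` to `windows`; the per-transaction cap is checked first so an oversized request is refused without touching the history. The recipient-identification flag is kept separate from the limit check because, under 13.2(2), it is the disbursing agent or ATM, not the sending bank's switch, that establishes it.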

 

14. BOARD APPROVAL:
14.1 Approval of the Board of Directors for the product, as also the perceived risks and mitigation measures proposed to be adopted must be obtained before launching the scheme.

15. APPROVAL OF RESERVE BANK OF INDIA:
15.1 Banks wishing to provide mobile banking services shall seek prior one time approval from Reserve Bank of India by furnishing full details of the proposal.

16. AMENDMENTS TO INTERNET & MOBILE BANKING POLICY:
The authority to make any amendments to the Internet Banking & Mobile Banking Policy, in the interest of the Bank, will rest with the Board. This Policy has been approved by Board of Directors of the bank in the board meeting held on ………………… vide No………………….. and came into force with immediate effect.

Chief Executive officer                                   Vice President                                    President

Annexure-1
Suggestions/best practices for increasing the penetration (customer registration/ on-boarding) of Mobile Banking

      1. New Customer: at account opening time
  1. Account opening form should clearly indicate the option for mobile banking-the option for mobile banking services should be clear and distinct from the contact details of the customer where mobile number is also accepted; it should also be clearly indicated that alerts (if sent through SMS) will be sent to this registered mobile number.
  2. Customer should be made aware of the mobile banking facilities while opening the account. Further, the form should also clearly indicate that opting for mobile banking services will provide an alternate delivery channel to the customer; related inputs/materials/booklet etc. should be provided to the interested customers outlining the features of mobile banking services offered by the bank, the process involved, roles and responsibilities etc.

      2. Existing Customer- Mobile numbers registered with the bank but not active for mobile banking:

As the mobile number registration has already taken place and is available with the bank (it is linked with the account), wider and more accessible platforms should also be made use of by the banks to increase awareness of mobile banking at every opportunity, to get more and more customers to register for mobile banking services. Some of the methods that can be adopted by banks for targeted customer awareness programs could include:

  1. sending SMS/e-mails to their customers on registered mobile numbers / e-mail ids about activating mobile banking, providing necessary URLs / customer care numbers from which the customer can obtain additional information on mobile banking activation process;
  2. ATMs and self-service Kiosks at branches can also alert the customers to activate the mobile banking options;
  3. social media can also be used by the banks to build awareness and encourage customers to register on mobile banking;
  4. through the internet banking website of the bank especially when the customer logs in for net banking operations (taking into account the security architecture and authentication mechanism already prevalent in the bank/s);
  5. banks can use their IVR and phone banking channels to encourage and facilitate registration and activation of customers for mobile banking;
  6. banks can also harness the potential of inter-operable channels such as the NFS (which is widely used by customers for transacting with their cards) to provide a widely accessible channel for mobile banking registration.

      3. Existing Customer- Mobile number not registered with the bank at all

Banks need to find ways of obtaining mobile numbers of the account holders first for registration in their database and subsequently for mobile banking registration. Some of the options that can be used for this purpose are:

  1. Through ATM channel-an alert/message can be given (at the ATM itself) by banks when the customer transacts at the ATM, that she/he has not registered any mobile number with the bank
  2. Branch visit- at teller level, when the customer comes to the teller for any cash deposit/withdrawal transaction, the customer profile should indicate that he/she has not registered the mobile number at the bank and should be asked to do so immediately
  3. Similarly, at passbook printing counters/kiosks too, the customer profile should be verified for existence of mobile number and customer should be advised to register the mobile number when he/she uses the passbook printing kiosk
  4. At BC level with biometric authentication.

Annexure-2
Technology and Security Standards-An Illustrative Framework

  1. The security controls/guidelines mentioned in this document are only indicative. However, it must be recognised that the technology deployed is fundamental to the safety and soundness of any payment system. Therefore, banks are required to follow the Security Standards appropriate to the complexity of services offered, subject to following the minimum standards set out in this document. The guidelines should be applied in a way that is appropriate to the risk associated with the services provided by the bank and the system which supports these services.
  2. Banks are required to put in place appropriate risk mitigation measures like transaction limits (per transaction, daily, weekly, monthly), transaction velocity limits, fraud checks, AML checks etc. depending on the bank’s own risk perception, unless otherwise mandated by the Reserve Bank.
  3. Authentication

Banks providing mobile banking services shall comply with the following security principles and practices for the authentication of mobile banking transactions:

    1. All mobile banking transactions involving debit to the account shall be permitted only by validation through two-factor authentication.
    2. One of the factors of authentication shall be the mPIN or any higher standard.
    3. Where the mPIN is used, end-to-end encryption of the mPIN is desirable.
    4. The mPIN shall be stored in a secure environment.

  4. A proper level of encryption and security shall be implemented at all stages of the transaction processing. The endeavour shall be to ensure end-to-end encryption of the mobile banking transaction. Adequate safeguards would also be put in place to guard against the use of mobile banking in money laundering, frauds etc. The following guidelines with respect to network and system security shall be adhered to:
      • Implement application level encryption over network and transport layer encryption wherever possible.
      • Establish proper firewalls, intrusion detection systems (IDS), data file and system integrity checking, surveillance and incident response procedures and containment procedures.
      • Conduct periodic risk management analysis and security vulnerability assessment of the application, network etc. at least once a year.
      • Maintain proper and full documentation of security practices, guidelines, methods and procedures used in mobile banking and payment systems and keep them up to date based on the periodic risk management analysis and vulnerability assessment carried out.
      • Implement appropriate physical security measures to protect the system gateways, network equipment, servers, host computers, and other hardware/software used from unauthorized access and tampering. The Data Centre of the Bank and Service Providers should have proper wired and wireless data network protection mechanisms.
  5. The dependence of banks on mobile banking service providers may place knowledge of bank systems and customers in the public domain. Mobile banking systems may also make the banks dependent on small firms (i.e. mobile banking service providers) with high employee turnover. It is therefore imperative that sensitive customer data, and the security and integrity of transactions, are protected. It is necessary that the mobile banking servers at the bank’s end or at the mobile banking service provider’s end, if any, should be certified by an accredited external agency. In addition, banks should conduct regular information security audits on the mobile banking systems to ensure complete security.
  6. For mobile banking facilities which do not use the phone number as identity, a separate login ID and password is desirable to ensure proper authentication.
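The authentication items above (two factors for every debit, the mPIN as one of them, and the mPIN kept in a secure environment) can be illustrated with a small server-side authorisation routine. The following is an added example written for this page, not the bank's or any vendor's implementation. What it demonstrates is the storage pattern a verifier should expect: the mPIN is never stored, only a per-customer salted PBKDF2 hash, compared in constant time, with a lockout after repeated failures. The second factor used here (a secret provisioned to the registered handset that signs the transaction details), the lockout threshold, the hashing parameters and the sample customer are assumptions; the page itself prescribes only that there be two factors.

```python
"""Added example (not the bank's or any vendor's implementation): two-factor
authorisation of a debit transaction where one factor is an mPIN that is
stored only as a salted, iterated hash.

Annexure-2 requires two factors for debits, the mPIN as one of them, and
secure storage of the mPIN. The second factor used here (a secret provisioned
to the registered handset), the lockout threshold and the hashing parameters
are assumptions made for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict

PBKDF2_ITERATIONS = 200_000   # assumption: slows offline guessing of a 4-6 digit mPIN
MAX_FAILED_ATTEMPTS = 3       # assumption: lock the mPIN after three wrong entries


def _derive(mpin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", mpin.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


@dataclass
class MpinRecord:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


class MpinStore:
    """Holds salted hashes of customers' mPINs; the mPIN itself is never stored."""

    def __init__(self) -> None:
        self._records: Dict[str, MpinRecord] = {}

    def enrol(self, customer_id: str, mpin: str) -> None:
        if not (mpin.isdigit() and 4 <= len(mpin) <= 6):
            raise ValueError("mPIN must be 4 to 6 digits")
        salt = os.urandom(16)                       # per-customer random salt
        self._records[customer_id] = MpinRecord(salt, _derive(mpin, salt))

    def verify(self, customer_id: str, mpin: str) -> bool:
        rec = self._records.get(customer_id)
        if rec is None or rec.locked:
            return False
        ok = hmac.compare_digest(rec.digest, _derive(mpin, rec.salt))  # constant-time compare
        if ok:
            rec.failed_attempts = 0
        else:
            rec.failed_attempts += 1
            if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
                rec.locked = True                   # needs re-issue through a bank channel
        return ok

    def is_locked(self, customer_id: str) -> bool:
        rec = self._records.get(customer_id)
        return rec is not None and rec.locked


class DeviceRegistry:
    """Second factor: a per-customer key held by the registered handset (assumption)."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def register(self, customer_id: str) -> bytes:
        key = os.urandom(32)
        self._keys[customer_id] = key
        return key                                  # provisioned to the handset once

    def verify(self, customer_id: str, txn: bytes, tag: bytes) -> bool:
        key = self._keys.get(customer_id)
        if key is None:
            return False
        return hmac.compare_digest(hmac.new(key, txn, "sha256").digest(), tag)


def sign_transaction(device_key: bytes, txn: bytes) -> bytes:
    """Handset side: bind the transaction details to the registered device."""
    return hmac.new(device_key, txn, "sha256").digest()


def authorize_debit(store: MpinStore, devices: DeviceRegistry, customer_id: str,
                    mpin: str, txn: bytes, device_tag: bytes) -> bool:
    """A debit goes through only when both factors verify (Annexure-2, Authentication 1 and 2).

    Both factors are evaluated independently so the response does not differ
    according to which of them failed.
    """
    mpin_ok = store.verify(customer_id, mpin)
    device_ok = devices.verify(customer_id, txn, device_tag)
    return mpin_ok and device_ok


if __name__ == "__main__":
    store, devices = MpinStore(), DeviceRegistry()
    store.enrol("CUST-001", "4321")                 # constructed sample customer
    key = devices.register("CUST-001")
    txn = b"debit;from=CUST-001;to=9999900001;amount=500"
    print(authorize_debit(store, devices, "CUST-001", "4321", txn, sign_transaction(key, txn)))
```

Because the device factor signs the transaction bytes, a tag captured for one debit does not authorise a different amount or payee; and because the server holds only a salted hash, a copy of the mPIN table is of limited use without the per-record salts and a long PBKDF2 run for each guess. Item 4 of the Annexure (secure storage) is about where this table lives, such as an HSM-backed or access-controlled store; the hashing shown here is what should be inside it.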

Annexure-3
Customer Protection Issues

  • Any security procedure adopted by banks for authenticating users needs to be recognized by law as a substitute for signature. In India, the Information Technology Act, 2000, provides for a particular technology as a means of authenticating electronic records. Any other method used by banks for authentication is a source of legal risk. Customers must be made aware of the said legal risk prior to sign up.
  • Banks are required to maintain secrecy and confidentiality of customers' accounts. In the mobile banking scenario, the risk of banks not meeting the above obligation is high. Banks may be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service etc., on account of hacking/other technological failures. The banks should, therefore, institute adequate risk control measures to manage such risks.
  • As in the Internet banking scenario, in the mobile banking scenario too there are very limited or no stop-payment privileges for mobile banking transactions, since it becomes impossible for the banks to stop payment in spite of receipt of a stop-payment instruction, as the transactions are completely instantaneous and are incapable of being reversed. Hence, banks offering mobile banking should notify customers of the timeframe and the circumstances in which any stop-payment instructions could be accepted.
  • The Consumer Protection Act, 1986 defines the rights of consumers in India and is applicable to banking services as well. Currently, the rights and liabilities of customers availing of mobile banking services are being determined by bilateral agreements between the banks and customers. Taking into account the risks arising out of unauthorized transfer through hacking, denial of service on account of technological failure etc., banks providing mobile banking would need to assess the liabilities arising out of such events and take appropriate counter measures like insuring themselves against such risks, as in the case of internet banking.
  • Bilateral contracts drawn up between the payee and the payee’s bank, the participating banks and the service provider should clearly define the rights and obligations of each party.
  • Banks are required to make mandatory disclosures of the risks, responsibilities and liabilities of the customers on their websites and/or through printed material.
  • The existing mechanism for handling customer complaints/grievances may be used for mobile banking transactions as well. However, in view of the fact that the technology is relatively new, banks should set up a help desk and disclose the details of the help desk and the escalation procedure for lodging complaints, at sign up.
  • In cases where the customer files a complaint with the bank disputing a transaction, it would be the responsibility of the service providing bank to expeditiously redress the complaint. Banks may put in place procedures for addressing such customer grievances. The grievance handling procedure, including the compensation policy, should be disclosed.
  • Customer complaints/grievances arising out of the mobile banking facility would be covered under the Reserve Bank - Integrated Ombudsman Scheme, 2021 (as amended from time to time).
  • The jurisdiction of legal settlement would be within India.

Annexure-4
List of Circulars consolidated for the Master Circular

Sr. No. | Circular No. | Date | Subject
1. | DPSS.CO.No.619/02.23.02/2008-09 | 08.10.2008 | Mobile Banking Transactions in India - Operative Guidelines for Banks
2. | DPSS.CO.No.1357/02.23.02/2009-10 | 24.12.2009 | Mobile Banking Transactions in India - Operative Guidelines for Banks
3. | DPSS.CO.No.2502/02.23.02/2010-11 | 04.05.2011 | Mobile Banking Transactions in India - Operative Guidelines for Banks
4. | DPSS.PD.CO.No.622/02.27.019/2011-2012 | 05.10.2011 | Domestic Money Transfer- Relaxations
5. | DPSS.CO.PD.No.1098/02.23.02/2011-12 | 22.12.2011 | Mobile Banking Transactions in India - Operative Guidelines for Banks
6. | DPSS.CO.PD.No.1017/02.23.02/2014-15 | 04.12.2014 | Mobile Banking Transactions in India - Operative Guidelines for Banks
7. | DPSS.CO.PD.No./1265/02.23.001/2015-2016 | 17.12.2015 | Mobile Banking Transactions in India - Operative Guidelines for Banks- Customer Registration for Mobile Banking
8. | RBI/2015-16/229 DCBR.BPD.(PCB/RCB) Cir. No. 6 /19.51.026/2015-16 | 05.11.2015 | Internet Banking Facility for Customers of Cooperative Banks
9. | RBI/2016-17/17 DPSS.CO.PD.MobileBanking.No./2/02.23.001/2016-2017 (Updated as on November 12, 2021) (Updated as on January 10, 2020) | 01.07.2016 | Master Circular-Mobile Banking transactions in India-Operative Guidelines for Banks
