RBI Guidelines on Mobile Banking (last updated 30 June 2014)
The guidelines issued by Reserve Bank of India on ‘Risks and Controls in Computers and Telecommunications’ vide circular DBS.CO.ITC.BC. 10/ 31.09.001/ 97-98 dated 4 February 1998 will apply mutatis mutandis (‘the necessary changes having been made’) to mobile banking. The guidelines issued by RBI on ‘know your customer’ (KYC), ‘anti-money laundering’ (AML) and ‘combating the financing of terrorism’ (CFT) from time to time will be also applicable to mobile-based banking services. Banks should offer mobile-based banking service only to their own customers, be it bank account or credit card account holders. However, for the purposes of remittance of funds for disbursement in cash, the receipts could be non-account holder also. Banks should have a system of document-based registration with mandatory physical presence of their customers before commencing mobile-banking service. There can be two levels of mobile-based banking service. The first level is in the nature of information like balance enquiry, SMS alert for credit or debit, status of last five transactions, and many other information-providing services. The account-opening form, at the time of opening new bank account, should clearly indicate the option for ‘mobile banking’. The second or standard level of mobile-banking services could involve financial transactions such as payments, transfers and stop payments. Banking transactions up to Rs 5,000 can be facilitated by banks without end-to-end encryption. Banks are permitted to offer mobile-banking facility to their customers without any daily cap for transactions involving purchase of goods/services. In case of cash-out, the maximum value of such transfers shall be Rs 10,000 per transaction. Banks may place a suitable cap on the velocity of such transactions, subject to a maximum of Rs 25,000 per month per beneficiary. Banks are required to maintain security and confidentiality of customers’ accounts since in the mobilebanking scenario the risk of banks not meeting the above obligation is high. Banks are required to make mandatory disclosures of risks, responsibilities and liabilities of the customers on their websites and/or through printed material. Banks may carry out due diligence of the persons before appointing them as authorized agents for such services. Banks shall, however, be responsible as principals for all the acts of omission or commission of their agents. The existing mechanism of handling customer complaints/grievances may be used for mobile-banking transactions as well. However, in view of the fact that the technology is relatively new, banks should set up a help desk and disclose on their websites the details of the help desk and escalation procedure for lodging complaints. Such details should also be made available to the customers at the time of sign-up. In cases where the customer files a complaint with the bank disputing a transaction, it will be the responsibility of the service-providing bank to address the customer grievance. Banks should formulate charge-back procedures for addressing such customer grievances. The grievance-handling procedure including the compensation policy should be disclosed. Customers’ complaints/grievances arising out of mobile-banking facility will be covered under the Banking Ombudsman Scheme.