April 02, 2008	Wednesday	Rabi-ul-Awwal 24, 1429

KARACHI, April 1: The State Bank of Pakistan issued on Tuesday branchless banking regulations applicable to all banks, including Islamic and microfinance banks, with immediate effect to encourage innovation and increase outreach of the banking system.

The SBP says the objectives of these regulations are to define branchless banking activities as a new delivery channel to offer banking services in a cost-effective manner, to broadly outline activities which constitute branchless banking and to provide a framework for offering these services and to serve as a set of minimum standards of data and network security, customer protection and risk management to be followed by the banks desirous to offer mobile banking services.

According to these regulations, only authorised financial institutions (FIs) can provide branchless banking services. Before applying for such an authorisation, FIs should thoroughly prepare themselves in the light of these regulations. The process should start from top-level strategic decision of entering into branchless banking activities. Once the decision is made, preparation of necessary policies and procedure manuals, strengthening of existing risk management and audit functions as required and identification of partners, service providers and agents should be done. The FI may then approach the central bank for a formal authorisation to conduct branchless banking.

The banks wishing to provide branchless banking services or to bring in substantial changes in underlying technological infrastructure shall submit to the State Bank, an application describing the services to be offered/infrastructure modifications and how these services fit in the bank’s overall strategy. This shall be accompanied by a certification signed by FIs presidents/CEOs to the effect that the FI has complied with the some minimum preconditions including an adequate risk management process is in place to assess, control, monitor and respond to potential risks arising from the proposed branchless banking activities; a manual on corporate security policy and procedures exists that shall address all security issues affecting its branchless/e-banking system in line with these regulations; a business continuity planning process and manual have been adopted which should include a section on electronic banking channels and systems.

These regulations have been issued as part of the broader strategy to create enabling regulatory environment to promote bank-led model of branchless banking. However, as financial institutions cannot take on branchless banking without the help of other market players, like telecom companies, technology service providers, agents, etc., knowledge of these regulations is also helpful for other parties to understand their roles and responsibilities.

Under these regulations, permissible branchless banking models and activities have been outlined. At present only bank-led model of branchless banking is allowed which may be implemented in different ways. Firstly, it can be implemented either by using agency arrangements or by creating a joint venture between bank and telecom firm/non-bank.

Further, the mobile phone banking which make up for large part of branchless banking can be implemented by using one-to-one, one-to-many and many-to-many models or alternative channels. It is the responsibility of the FI to carry out detailed analysis of pros and cons of each model before offering any of them.

In addition, these regulations also prescribed several branchless banking activities including opening and maintaining an account, account-to-account fund transfer, person-to-person fund transfers, cash-in and cash-out, bills payment, merchant payments, loan disbursement/repayment and remittances.

A risk-based approach to customer due diligence is outlined to optimise the gains of branchless banking and to extend financial services outreach to the unbaked strata of the society.

However, the ultimate responsibility for branchless banking lies with the FI. However, the financial institution may take steps necessary to safeguard itself against liabilities arising out of the actions of its agents, service providers or partners.Within the FI, board of directors is responsible for strategic decisions, senior management for effective oversight and compliance and audit functions for ensuring soundness of internal controls and adherence to rules, regulations and operational guidelines.

Under these regulations, the board and senior management of banks must ensure that the scope and coverage of their internal audit function has been expanded to commensurate with the increased complexity and risks inherent in branchless banking activities and the audit department has been staffed with personnel having sufficient technical expertise to perform the expanded role.

It is also incumbent upon the board and FIs’ senior management to take steps to ensure that their institutions have updated and modified where necessary, their existing risk management policies and processes to cover their current or planned branchless banking services.

The integration of branchless banking applications with legacy systems implies an integrated risk management approach for all banking activities.

These regulations also deal with consumer protection and consumer awareness. Appropriate customer protection against risks of fraud, loss of privacy and even loss of service is needed for establishing trust among consumers as trust and customer confidence is the single most necessary ingredient for growth of branchless banking. As banks will be dealing with a large number of first-time customers with low financial literacy level, they need to ensure that adequate measures for customer protection, awareness and dispute resolution are in place.

Likewise, customer awareness is a key defence against fraud and identity theft and security breach. Customer awareness programme should cover, at minimum, usage of branchless banking account, account activities and protection against fraud, SIM/account blocking procedures if mobile is lost or snatched. To be effective, banks should implement and continuously evaluate their customer awareness programme.

Methods to evaluate a programme’s effectiveness include tracking the number of customers who report fraudulent attempts to obtain their authentication credentials (ID/password), the number of clicks on information security links on websites, the number of inquiries, etc.