
Executive Summary - 'Best Practice for Mobile Financial Services – Enrolment Business Model Analysis'


Introduction

Mobey Forum here presents its research on best practice in support of Mobile Financial Services. Mobile Financial Services (MFS) include the ability to make daily payments and use other financial services with the help of a mobile handset anytime, anywhere and for any reason. Trust services are a key component of modern financial services. Digital Identity (ID), provided by the consumer’s bank, plays a fundamental role in today’s society when accessing various electronic services and confirming transactions. This study attempts to address the requirements and security needs of the various stakeholders (see Figure 1.1 below) to create a collaborative ecosystem for offering those services which mandate and require the sharing of secure hardware storage inside a mobile handset. The study tackles the challenge where multiple applications share the same hardware platform and are all of critical importance to their respective owners, but recognises the financial institution’s payment liability, which then leads to their need to have control over the security solutions throughout their lifecycle.

Figure 1.1: Stakeholder Impact Diagram

Special attention is given to creating understanding of the conceptual business models for the enabling enrolment processes to a shared Secure Element (SE) and the related business relationships, including maintenance and lifecycle management.

The framework for this research has been to achieve collaborative ecosystem models that are suitable for multi-application, multi-service provider mass-market services. Throughout this research and analysis, consumer needs are viewed as paramount.

1.1.1 Market Background

Today’s consumers expect all services, including MFS and payments, to be conveniently available through the internet and mobile channels. Naturally, they also expect service providers to maintain sufficient security levels and banks especially to continue to take good care of their financial assets. Consumers are not the only ones exerting pressure on banks; innovative business models, new entrants, technology-driven globalisation and regulatory compliance forces are focusing attention on payments, challenging the current business roles, marketing strategies and sourcing options. In summary, the growth areas are as follows:

  • Mobile banking, following the e-banking trend
  • Remittance services for the un-banked and migratory workforce community
  • Contactless payments, which are migrating to Near Field Communications (NFC)
  • Phishing and other cyber-crime and the need for out-of-band authentication and transaction confirmation

Traditional banking and telecommunications services have changed rapidly over the past two decades and supporting market information would suggest the time to invest effort and resource into providing MFS is now, across all regions. Given this background there appears to be an opportunity for banks and telecom operators to re-think their strategies and to work on collaborative business models to offer consumers cost-effective and compelling services. To this end, a great many MFS can be provided today, and banks are advised to start building their MFS offering from SMS alerts and mobile banking, continuing with trust services and remote payments, and to tackle the local payments (NFC) challenges as a final phase.

New service channels and concepts have created new requirements where cross-industry collaboration is the only way to create successful business concepts. Cross-industry cooperation is one of the key success factors for mobile financial services. The conditions and requirements for this kind of new cross-industry cooperation are the central elements of this white paper.

1.1.2 Mobey Forum Research Activities

It has been the consistent position of Mobey Forum throughout the years that multiple business models must be available to answer the diverse market needs in different geographical areas. As part of this, Mobey Forum maintains the position that multiple SE alternatives need to be equally available to allow different business models. The need for this analysis work arose from the requirement to share the SE space. Therefore it was the decision of the Mobey Forum board to start looking seriously into the specific challenges of a shared SE.

This paper presents fresh cross-industry cooperation models which allow for the building of interoperable cross-border, multi-application enabled mobile financial services.

1.2 Purpose of the document

The objective of this paper is to provide a planning guide for those setting up a collaborative MFS ecosystem and to propose solutions acceptable, from a business and security perspective, to banks and other stakeholders for consumer enrolment to client and server-based applications which provide MFS and require usage and sharing of secure hardware storage between key stakeholders.

The paper identifies ecosystem models which provide clear advantages for the various business stakeholders as well as providing benefits to the end-user consumer. It is assumed that the stakeholders cooperate within the MFS and NFC ecosystems to realise the full business potential and mass consumer adoption.
A key consideration in the analysis has been the enrolment of MFS applications to the hardware Secure Element (SE), as previously recommended by Mobey Forum. In this analysis the focus has been to propose solutions to the challenges raised by the scenario in which applications from multiple issuers are stored on the same SE. This scenario means that the SE would not necessarily be owned or controlled by some of the application issuers. It is important to note that Mobey Forum does not suggest in this report that banks should store their applications on a shared SE. The focus of this study is to consider under which conditions this could happen if a bank would like to do so.

Although the primary scope of the paper is to focus on the enrolment phase of the MFS, the business models consider maintenance and management of these services; in other words, a set of initial as well as operational business models are developed and presented.

The requirements of all key ecosystem stakeholders are taken into account in the business model considerations but the key concern is to ensure that security and business control remains at such a level that banks can feel safe and retain the trust of the consumers and continue to take good care of their liabilities.
Some technical implementation discussions are included but the paper’s primary focus is on business model analysis. Practical implementation examples within the document are examples only, reflecting real-world applications and processes in selected geographical locations. However as such they need to be viewed as proposals or examples for further discussion and development in MFS.

Please also note that the documentation is not meant to be viewed as a detailed implementation guideline but rather represents a viable high level model that may lead to further development of a vast range of MFS – i.e., ID, banking and payment services. Another function of this document is to initiate and facilitate the process of mutual MFS development between various stakeholders and provide understanding of different roles, responsibilities and respective requirements.
It should also be noted that, with more than 100 pilots currently ongoing in the market, not all of the details and nuances experimented with in them are covered by the models presented in this analysis. The aim of this piece of work is to focus on new ideas and concepts, which should help the market actors to develop their preferred business models and to start offering mobile financial services successfully.

1.3 Project Findings and Recommendations

There is increasing interest in the market in offering mobile financial services. The market predictions are very positive and an increasing number of pilots in all regions are supporting the assumption of a promising new business area. Most importantly the consumer feedback from the pilots is very encouraging.

Although there are an increasing number of pilot cases globally, there still appears to be a long way to go to wide-scale commercial deployment of multi-issuer, multi-application mass-market services on a shared Secure Element. As stated previously, the challenges for commercial mass-market launches appear to lie in the following:

1. Definition of exact roles and responsibilities between the ecosystem stakeholders in a collaborative model; especially

    • Clarifying various liability issues and customer care responsibilities between the stakeholders.
    • Ensuring that life-cycle management and security processes are arranged according to the application with the highest security demand.
    • Business models – money flows and conditions have not been discussed in most of the pilot cases in creation of the roles.

2. Ensuring that long-term business sustainability is guaranteed for all stakeholders.

  • Ensuring consumer freedom to choose and change operators, banks and handsets independently of each other.
  • Identifying mass-market proof processes for enrolment of multiple issuers’ applications to a shared SE.
  • Justifying the business case for all Key Stakeholders simultaneously.

In this work, the Ecosystem players are divided into the Principal Stakeholder, the consumer, the Key Stakeholders, which are banks, mobile operators and merchants all active in the operational business, and Supporting Stakeholders, which are Trusted Service Managers, terminal vendors, system integrators, and other supporting players (Figure 1.1).

It was also recognised that the role of Trusted Service Manager (TSM; ex Platform Manager) is needed in the ecosystem. Any or some of the Key Stakeholders may jointly decide to delegate some of their tasks to the TSM. The TSM may also be one or several of the Key Stakeholders and the TSM role may be split. Any Key Stakeholder should have the right to determine if they wish to delegate some of their tasks to a TSM and, if so, which one they would like to use and under what conditions. Also the tasks for the TSM are clarified to some extent in this document, but further clarification of the TSM process and business model alternatives may still be required.

An interesting finding was that the mandatory requirements for the Key Stakeholders, banks, operators and merchants are largely the same. All of these players want to retain their business independence and control over their existing business as well as to ensure that the emerging business area delivers a business case, to name a few.

The business models must be based on existing models like the traditional financial industry 4-corner model. During the operational phase this will be the model used in the MFS business. If, say, the UICC is to be shared for storing both financial and telecom applications, mobile operators have been identified as one of the Key Stakeholders involved in the enrolment phase. During the enrolment phase, new stakeholders like the TSM may need to be involved.
As of today, there are no directly available SE options for banks to start independently issuing their ID credentials and (EMV) profile applications for mobile handsets. Neither the secure memory cards nor the Embedded Chip are yet fully standardised or widely available. In addition, it does not seem to be fully guaranteed that these options will be widely available in the long term. Thus the best option today available for banks to start issuing their applications seems to be to utilise the UICC – if the business model complexity regarding cooperation with operators can be solved. If the business model challenges between the industries cannot be solved, the only option left for banks wishing to enter the kind of MFS business that requires a hardware-based SE in the short term appears to be to start their own Mobile Virtual Network Operator (MVNO) business. However, it must be noted that banks can start offering a wide range of mobile financial services already without any SE hardware support.

The UICC supporting the GlobalPlatform framework is seen as a valid SE option because of new technical capabilities and large market pull due to other reasons (SIM application) - given that the business model complexities can be solved between the Key Ecosystem Stakeholders. However, the other SE options should not be forgotten but they should be made widely available and standardised by the industry in order to offer an equal alternative to the UICC and to enable alternative business models for varying market conditions.

Key challenges with the “default process” of Over-the-Air (OTA) enrolment of Financial Institution (FI) credentials to an existing UICC on the market:

  • Consumer inconvenience; the consumer is first requested to go through an OTA process of changing the SIM to UICC and then enrolment of the financial application in a non-guided environment. If no pre-installation is in place, the downloading of the financial application is expected to take minutes.
  • There is no standards-based way for the FI to influence either the security requirements or the technical platform selection of the UICC up front, nor to check the capabilities of the UICC before issuing the credentials there.
  • Current OTA solutions in use are often limited by capacity and full EMV applications usually require at least partial pre-installation of the application. Currently several OTA processes are in use but no fully standardised mass-market proof process is available yet.
  • Since the OTA issuing of payment cards has challenges, other remote enrolment options and more pragmatic approaches, like the joint issuing or utilising of the TTP as suggested by GlobalPlatform, must be considered.
  • UICC standardisation has yet to mature and EMV acceptance is still missing. The Payment Associations need to test and certify the card platforms used.
  • TSM network should be well established and in place. Currently large numbers of players are entering the TSM market with little cooperation.
  • Single enrolment process for multiple SE-handset-operator combinations. Banks need to be able to provide their applications to all of their customers independently of the operator relationship of the customer.
  • The installed base of SIMs needs to be changed to UICCs and the question is who bears the costs and makes the choices. Operators should not make choices on behalf of the FI without consulting them first.
  • The replacement cycle and security framework needs to be arranged according to the application requiring the highest security level (e.g., Financial application).
  • A rather big change requested for the FI compared to the current card issuing process. FI cards are currently pre-personalised with a highly sophisticated existing process.

Since payment cards are pre-personalised and the risk with the financial application is much higher (FI products require more security throughout the process) it is suggested to take the payment card issuing process as the basis for the enrolment process of a shared SE.

Figure 1.2: UICC (SIM) Integration into Payment Card

To manage the Secure Element, UICC, when multiple Key Stakeholders are involved, three operational business process framework models are proposed based on a property analogy.

  1. The Hotel Concept
  2. The Rental Concept
  3. The Ownership Concept

The models proposed should be scalable to enable different business strategy options in varying market conditions in the global marketplace. It should be possible for a bank, depending on its strategic interests, to choose to “rent a hotel room”, or to “rent an apartment” or to “buy a flat” in the market, or to buy the whole apartment house and start renting out space to others. All these models refer to different levels of control over the solution and naturally different cost levels and engagement on business and technical level for the issuing bank respectively. The ownership model is seen as best fulfilling the bank requirements set up front in this analysis.

The revenue streams in the MFS ecosystem for capital and operational revenues and expenses are identified and some analysis is presented on the revenue streams per conceptual model.

For determining the business case content, the key question is whether the consumer is expected to pay extra for mobile financial services compared to existing payment mechanisms. This may vary from market to market. If not, the benefits for banks are restricted to cost savings because of cash displacement, and the creation of new electronic transactions. However, if transactional revenue sharing is widely requested by the MNO community, the cannibalisation effect on other electronic payment revenues must be taken into account while calculating the business case for mobile payments.

The business case will also depend on the conceptual model chosen; with the hotel concept, operational costs are expected to be the highest for the bank while with the ownership model they are expected to be lowest. With the ownership model banks are expected to make upfront investments, and to get more flexibility, business independence and determination power in return.

The ownership model seems to best fulfil the requirements of all Key Stakeholders stated in this analysis but the final choice of conceptual model will be taken by the market actors depending on local market conditions and other factors. However, it is assumed that the business case might be easier to build with the ownership model due to higher business independence, cost savings while sharing the investment costs upfront, and consistent marketing messages creating a better response from consumers. However, the consumer freedom to change service providers needs to be guaranteed by the market implementation of this model.

The main recommendations based on this piece of work are as follows:

  • In order to achieve a successful business ecosystem, the Key Stakeholders (Banks, Mobile Operators and Merchants) must work together to agree on a sustainable business model that they all can accept.
  • The conceptual model of ownership seems best to fulfil the business requirements of all parties, based on evaluation of the requirements as stated in this white paper.
  • The current card issuing processes of banks and telecoms operators in different geographical regions should be carefully examined in greater detail.
  • Because of current processes (pre-personalisation by the banks) and higher security requirements on the financial institutions’ side, it is suggested that the payment card issuing process may need to be taken as a starting point for defining the joint issuing process for the variety of applications provisioned to the shared SE.
  • Simultaneously, it has to be ensured that multiple applications and issuers can be catered for in real market situations.
  • Various liability issues, customer care and division of other related roles and responsibilities between the Key Stakeholders should be carefully examined in detail and main principles agreed between the players.
  • OTA processes are currently rather fragmented. Standardisation of these processes should take place. Optimally there should be one standard process for banks to enrol their applications to all handsets, Secure Elements and MNOs.
  • Common security criteria for SEs should be agreed and the SE should be certified accordingly.

It is the opinion of the task force that, although the standardisation and certification activities are needed, they might not be fast enough to enable time-to-market enrolment of mobile financial services. Therefore the task force has considered more pragmatic enrolment options as alternative ways to kick off the market faster.

1.3.1 The Industry Views

The following are views solicited from various industry ecosystem players:

  • GSMA prefers to see UICC used as the SE, although it acknowledges other SE options. GSMA also sees multiple TSM models.
  • GlobalPlatform supports the Mobey business models and has created specifications with which they can be implemented by the market actors.
  • EMVCo has an important role to play in the standardisation of mobile payments and creation of acceptance of the payments industry.
  • NFC Forum is currently working on the NCI specifications, which will ensure that the other SE alternatives are made equal to the UICC alternative, which is good for market creation and the enabling of business model alternatives.

1.4 Proposals for Further Work

This paper aims to shed some new light on the challenges in terms of describing conceptual models for collaboratively using a shared SE and enrolling services for that. However, it is recognised that the main principles still need to be defined in greater detail and in particular detailed roles and responsibilities need to be agreed between the parties before any mass-market commercial deployments can be planned or implementation guidelines written.

Related to the above, a challenge specific to this area is that the UICC is seen as a valid option for MFS enrolment, but in practice this will require the existing base of SIM cards (94%) being replaced by UICC cards. If Single Wire Protocol (SWP)-compliant UICCs are to be used, 100% of the installed base will need to be replaced, as there are no commercial SWP UICCs on the market as of today (June 2008). Additionally, if NFC is to be used for local services and payments, the current installed base of phones will need to be upgraded to NFC-enabled handsets.

Again related to the additional work required, the area of more advanced definition of roles and responsibilities is a challenge faced in the pilots with OTA enrolment. Customers seem to be requiring a considerable amount of support and education in order to carry the process through. On the other hand, the requirement is that enrolment should be as easy as receiving a credit card in the mail, signing it and starting to use it.

A more technical challenge is that remote enrolment processes are currently not standardised but are rather fragmented. Processes should optimally be standardised to a level at which the bank could use one process through a standardised TSM interface to enrol to all handset-SE-MNO combinations. However, the timeline for achieving this kind of standardisation might not be sufficient for the market requirements.

Technical enrolment examples described in this document should be elaborated in further detail, use cases written, and perhaps implementation guidelines should be written, at least on the chosen options depending on market acceptance.

In general, the views of the different industries and key players referred to in the documentation, i.e. GlobalPlatform, GSMA, NFC Forum and Mobey Forum, reflect each other very well. There are some differences in terminology and in details but the overall setups resemble each other. However, Mobey Forum would point out that further harmonisation in terms of terminology, technical standardisation and architecture is still needed for the industry by major forums and industry stakeholders to drive the development of MFS towards common goals so that all the requirements are met in the future.

In conclusion, feedback will be monitored, pilots encouraged and new task force activities created when needed to address follow-up work.

1.5 Enrolment Taskforce Summary Process & Insights

The Mobey Forum Enrolment Taskforce has progressed towards its goals following the process, which also includes the principal insights from the work of the Taskforce, as outlined below:

1. Defining the scope

  • MFS business models specifically for enrolment of services enabling mass-market usage with a shared SE
  • Assessment of previous work from the area
  • Main recognition: the operational and enrolment phases cannot be separated; if the business case is to be successful they need to be combined
  • Definition of key tools and terminology

2. Drivers and application areas defined

  • Creation of better services for the consumer was recognised as the key driver
  • Important industry drivers are cash displacement for banks, the opportunity for generation of new revenues for both banks and operators, and faster throughput, better results and customer services for merchants
  • Mobile Financial Services desired to be enabled include a broad range of application areas ranging from mobile banking, support for e-banking and trust services to remote and proximity payment services
  • Key challenges defined: sharing of the SE space between the key stakeholders (banks and operators) to enable those MFS applications which mandate secure hardware storage inside the handset.

3. Status check on the current market situation and the definition of common requirements

  • Increasing market understanding by collecting case studies globally and drawing conclusions on the necessary further action
  • Geographical markets are different, but the main challenges are the same globally
  • Requirements for consumer and each Key Stakeholder defined in isolation
  • Since the lists were similar, a common set of requirements was created

4. Review of the implementation timelines

  • Looking at different markets; recognising differences in market needs and readiness
  • Drawing conclusions on the required further action
  • Recognition that a lot can be done and services started with today’s technology

5. (Re)Defining ecosystem models and analysing Key Stakeholder role alternatives:

  • Hierarchy of stakeholders created
  • Creating the “extended 4-corner model” for enrolment and maintenance
  • Trusted Service Manager (TSM) role is needed (equals Platform Manager in earlier Mobey Forum documentation)
  • Analysing TSM options

6. Analysing current shared SE options and issuing processes

  • UICC seems to be the most suitable shared SE option at least until embedded chip and secure memory/SD cards are standardised on the same level
  • SIM cards need to be changed to UICC for 3G
  • Analysing the OTA issuing process to a pre-issued UICC
  • The application owner with the highest security requirements should be able to determine the security standard
  • A main challenge and potential request for changing processes is that payment cards are currently pre-personalised and SIM cards are post-personalised

7. Creating conceptual models for the sharing of the SE

  • Hotel, rental and ownership models were created
  • Analysing the conceptual models
  • The amount of involvement and investment up front from the bank’s side has an impact on the level of control over security and business ownership, and also on the operational costs.
  • If the bank wants to influence the rules under which the shared SE is governed, the ownership model seems to be the best choice
  • Although it requires up-front investments from the bank, the ownership model seems to best fulfil the requirements set up front
  • All of the models can co-exist in a market and even on the same SE

8. Analysing technical enrolment options

  • Creating examples of how the current issuing processes could be combined
  • Depending on the current issuing processes in use in the market, FI card issuing process may need to be taken as the starting point because of pre-personalisation of payment card applications and higher security- and business control requirements at the bank’s end
  • Recognising a main challenge: if an operator issues the UICC without pre-negotiation with the security-critical application issuers, it is likely that the security and other requirements will not be met and that the UICC will not be used for financial services
  • Presenting alternative options for enrolment practices: the bank’s ATM network or branches could be utilised here

9. Revenue streams

  • Analysing the revenue streams in the extended MFS ecosystem in general; Capital and operational revenues and expenses identified
  • Analysing revenue streams per conceptual model

10. Key findings

    • Consumer convenience should always be viewed as paramount when designing enrolment of new services
    • The ownership model seems best to fulfil the requirements of all Key Stakeholders as defined in this analysis
    • Co-issuing seems to represent a pragmatic enrolment option enabling cost savings and business independence
    • It is considered healthy to have different conceptual models for different market conditions and needs; the key is to understand the impacts and inter-dependencies specific to each model
    • Standardised and certified SE and TSM processes are also required for the future; adding new applications will in any case be based on remote enrolment

11. Recommendations for further work and next steps

  • The Key Stakeholders should continue to work together to agree on a sustainable business model and to work out the details - to clarify the detailed roles, liability and customer service issues
  • Pilots are recommended to test the models in practice
  • Business case examples, including money flows and costs/savings for issuing and acquiring, should be developed
  • Enrolment process, implementation alternatives to be described in greater detail
  • Use cases for issuing, acquiring and lifecycle management processes should be created
  • Example agreements/articles should be drafted at least for the ownership model
  • Detailed proposals for required standardisation are to be developed

 
