Community

So, there, there are many nonbanking services who reuse banking credentials. Therefore, I'm not sure if the basic premise of this blog post is valid any longer. Now that there's at least one bank that finds a compelling reason to lend its credentials infrastructure to third party services, others should find a strong enough business case to follow suit. Time will tell how many customers will feel comfortable about (i) sharing their banking credentials with nonbanks (ii) being forcibly logged out of third party services after a few minutes of inactivity just because banking regulators often impose short expiry period of banking credentials on banking websites.

@ChandrashekarG:

Knowing how slowly banks introduce new features, I'm sure this bank has thought about the audit angle before introducing this feature but, even it hasn't, (a) As a customer, I'm only interested in the feature I get (b) When I trust my bank with my money, I'll easily trust that, if the said feature failed audit, my bank would withdraw it. 

Interesting that you mention FFIEC. This body mandated 2FA for Internet Banking transactions for US banks in 2005, issued a revised guideline last year, but there are still so many banks in USA that have not yet implemented 2FA as is evident from Mint, BillGuard and other startups being able to access over 10M people's bank accounts using only a username and password. Eight years later, I'm not aware of a single bank being taken to court over this (The 3:2 tally of courtroom verdicts I'd referred to in my previous comment was for lawsuits arising from fraudulent fund transfers, not non-conformance with FFIEC). So, let's forget about regulation and courtrooms - all this regulatory bogey is coming from third-party security pundits. In any case, I'm sure that banks know how to deal with regulation.

Convenience versus friction is a matter of personal choice. I'd rather not go thru' the hassle of entering a password while on a smartphone if I simply wanted to access my account balance - or forex rates or last few transactions or credit card outstanding amount. Since the smartphone is in my possession, the analogy of open door is flawed. If my smartphone falls into the wrong hands, someone getting to see my bank balance will be the least of my worries and, I can imagine, lowest on that someone's to-do list either. I don't need to read any article or book to know this. As a bank customer, I'll always opt for convenience and only deal with entities who I trust know enough about how to provide it without compromising security.

When I last checked, doing what has proven to be effective - whether it's old or new - was a good business strategy. I personally doubt if saving taxpayer money provides any direct benefit for any bank but I could be wrong. As long as banks see a strong business case in doing so, most banks I know would jump at it.

Agreed but, in the perpetual conflict between the quest for efficiency versus effectiveness, I tend to side with the latter even if the ways to achieve it might appear stupid and wasteful at times. Certain countries have enjoyed a basic level of public-private partnership for a long enough time for loftier goals like greater alignment of the partnership make sense. However, in other countries where the expression is almost an oxymoron, public services are better run by the government - in any case, there's no commercial incentive for banks to do so. While citizen ID projects undertaken by the government might have failed in other countries, its success in India proves that there's nothing fundamentally wrong with the model, just that its implementation must be gotten right.

Maybe saving taxpayer's money is a good item on a private sector bank's CSR agenda but, personally, I believe that such social causes are best driven by - warts and all - the government. UIDAI / Aadhar stands testament to this. This government agency is in the midst of issuing a biometric ID for all citizens of India. It has a long way to go before it can hang its boots but, even after successfully rolling it out to 200M citizens - 20% of its mandate - it has earned the distinction of becoming the world's largest national ID program. At this point, an Aadhar # is sufficient for opening a bank a/c in any bank in India and for enabling direct cash transfers from the government to beneficiaries. Going forward, it could qualify as the common credential system for all public services. It could be questioned why, when there are so many banks that have already built credential system, a separate program is required for this. However, with so many banks involved and the difficulties involved in demarcating roles and responsibilities between banks and the public agencies, it has proven impractical for this task to be carried out by any one bank, even in India where many banks are state owned.

It is not obvious that a bank would be willing to permit use of its credential system by others. I remember reading a report recently which clearly stated that banks are not comfortable authenticating users for services over which they have no control. 

As a member of the male species, I find it extremely difficult to believe that women in rural areas are too scared to visit public sector banks staffed with men but are bold enough to visit moneylenders who are inevitably men. According to anecdotal evidence and personal observation, such women don't visit banks because they know that they'd never qualify for a bank loan and visit moneylenders because they know that they'd be able to walk out with money in hand in five minutes. As long as this reality continues - and I don't see why it shouldn't, since banks are for-profit businesses - I don't see a, b and c making the slightest difference to bringing more women into the banking system.

@FinextraM: Interesting point. Maybe it's because (a) it affects fewer than 5% of cardholders in UK, (b) it's already under the purview of SEPA and, most importantly, (c) the 3% charged by issuer banks is much lower than the commission levied for GBP:EUR currency changes by exchange houses in airports, railway stations and hotels all over Europe. 

Can you please throw some light on what exactly would happen if a bank does not comply with Basel-III? Will it lose its banking license or will its CEO simply have to appear on the proverbial 6 o'clock news?   

At the risk of a double alliteration, reuse is one of those perpetually promising concepts that have forever failed to deliver. Several reasons have been proferred to explain this, the Rule of Three being my favorite: "It takes three times as much effort to make something reusable as to make it usable". While reusable systems might save money in the long term, their higher frontend costs make them impractical in many situations. In my personal experience, reuse is no more common in the private sector than the government, if that's any consolation. That said, those who do bite the cost bullet to build reusable systems upfront do reap a rich harvest at the end.