Several founders, co-founders, CXO bankers, CXO fintech professionals and others participated in the e-Panel discussions:
- Mr. Sudhish Sudhakaran, Head of Enterprise Architecture and Applications, Commercial Bank of Dubai
- Mr. Amit Jadhav, former Senior Vice President, DBS Bank
- Mr. Rahul Dayal, Head- Information Technology, Aditya Birla Sun Life Mutual Fund
- Mr. Neeraj Chandra, Head of Operations and Technology, India, Abu Dhabi Commercial Bank
- Mr. Abhishek Arun, Chief Operating Officer, Paytm Payments Bank
- Mr. Probir Roy, Co-founder, Paymate
- Mr. Mohan Bharatia, Consulting Partner, Ripple Analytics Consulting
- Mr. Shashank Chowdhury, Former Executive VP- Inclusion Initiatives, Vakrangee Software Ltd
- Mr. Ajay B Panicker, CEO & Founder, NetPay Limited
- Mr. Anupam Mishra, SVP- Product Management, Transaction Banking at IndusInd Bank
- Mr. Rakesh Watal, Head Liability Operations Western Region, HDFC Bank
- Mr. Hemal Shah, former Technical Product Manager, Mastercard
- Mr. Arun Tanksali, Co-founder & CTO, Nearex
- Mr. Kaunain Esmile, Vice President- Country Lead Customer experience, DBS Bank
- Mr. Alok Bhargava, former Senior banker, Bank of Maharashtra
- Vikas R Panditrao, Co-Founder, Forum of Industry and Academic Knowledge Sharing (FIAKS)
- Many other CEO/CXO Bankers & Fintech professionals on FIAKS Forum requested to remain anonymous
Here’s a simple problem statement shared by a member: “Banks should not make me enter a password for accessing my statement sent to my registered email with the bank. If someone wants to choose one, give him an option, but why make me enter a password?” The reasons for this additional check are typical:
- Inadvertent forwarding of email, service providers' access to email, storage in temp folders/temp downloads.
- It was said that it’s an additional factor of authentication/safety. Just in case mail is received by an unintended recipient.
- A member questioned why it would be received by someone else if you send it to the correct email. If the email is taken over by someone else, the matter is completely different. Also, logging into a mobile app with a password is better than entering into my email box after putting in a password. In short, isn’t it a bad design for a genuine user and a pain?
- There are many cases of an incorrect email ID being captured at the time of account opening, both from customers mentioning wrong mail IDs and from mistakes by sales guys. It’s a risk mitigation factor.
- Essentially, the customer account opening form is not filled in by the customer but by a salesperson, and the customer just signs the form, so there could be errors in the data. When the account is opened and KYC is completed, email details aren’t validated.
- How will you ever validate your email ID? Agreed, but when the customer signs the form, it is expected that everything is verified. So why the risk mitigant? Well, that’s why mail passwords!
- In the physical form world, the digital world is still minuscule. In the digital onboarding journey, the mail is verified. Very common these days. There is an inherent risk in a paper-based journey. Aadhaar-based account opening takes care of it.
- So now how do you validate mobile numbers? Welcome calling on a mobile number is done. Any returned deliverable for a new account is tracked separately/flagged for risk.
- There are reported frauds wherein the sales executive mentioned his mobile number for a newly opened account. All these are risks for newly opened accounts. Later, every change needs to be authenticated as per the process.
Well, you can download a statement on your own through Netbanking/mobile banking, and you will not get a password-protected statement:
- Citi requires a password even for that. HSBC needs a password to see the mail body of the content and/or any attachment. It’s sent encrypted by bank servers: PGP email encryption, but not sure if it is something proprietary.
- HDFC Bank, meanwhile, doesn’t have password protection when you download after logging in with your customer ID and password. Through mobile banking, you can even send the PDF file to your WhatsApp too.
Now there can be two types of bank account statements: 1) downloaded/opened directly from internet banking (IB)/mobile banking (MB), via the View eStatement section; 2) sent by email to the customer's account.
- If at any point in time you are able to access your internet banking (IB)/mobile banking (MB) view-statement section, then why is the bank sending it as a password-protected PDF? It’s easy for customers to log in and download on a when-you-need basis. Depending on regulatory requirements, banks can store these PDFs or generate PDFs on the fly for up to 7 to 10 years of data. This will reduce the so-called ‘complicated’ password maintenance logic of DOB/personal questions/customer information file/name letters plus date of birth.
- Many info security teams from banks accept a password-less in-app PDF and are okay to send an email about eStatement readiness, rather than a password-protected PDF. If the customer can see that all his statements are available in-app, he never opens a password-protected PDF. Practically, performance cannot be seen as an issue here.
- The risk is – if the bank is sending my statement to you and the password is to save that scenario, then banks need a solid e-statement management system.
- Member states, “Why even send a statement? Login & download when you need. Any unnecessary communication from the bank is a potential phishing/fraud risk, these days! What if a hacker sent you an email looking like a statement from the bank? You would happily open the attachment & it could be a trojan or virus. In this age of phishing & fraud by cloning, cloning an email is the easiest to do!”
- Well, a neatly architected e-statement service is able to generate your savings/current account statement by the second day of a new month (allow one day to process data) for you to access via IB/MB. Notification should be on your phone every month on the second evening. If not, then the bank's ‘digital’ system needs improvements. For credit card and invoice statements, it can follow regular cycles. Plus provide ad-hoc statement generation features. That’s basic nowadays.
Here’s more food for thought: when the customer is doing an app transaction (bank mobile app), why is a text message mandatory? Why can’t in-app notification work? The regulator's logic for the text message: if the customer is not on Wi-Fi or is a feature phone user, then they will not get to know in case of a fraudulent transaction.
- But given that telcos have increased cost and SMS scraping is such a big thing and there are enough companies reading my financial data, in-app notification is safer than text, isn’t it?
- A member opines, “I think mobile app bank transactions will supersede net banking and ATM very fast if not already done. And there are people like Paytm Payments Bank which does not have net banking and may never offer it. Somehow banks don’t fight to save their own power/knowledge of their customer and also educate the regulator.”
Now, a pretty good number of members are in favor of having a password. Let’s check out why they think so.