Mobile Banking Policy


Table of contents

1. Introduction
2. Mobile Banking Services
3. Key Roles & Responsibility
4. Third Party Technology Service Provider Due Diligence
5. Third Party Technology Service Provider Agreement
6. Risk-Based Customer Due Diligence
7. Mobile Banking Limitations and Transaction Limit
8. Data & Network Security
9. Customer Protection and Awareness
10. Customer Awareness
11. Complaint Management
12. Product and Service Availability
13. Disclosure and Message Limitations
14. Scope of consent for Mobile Banking
15. Account Eligibility and Enrollment
16. System Requirements
17. Fees and Other Terms
18. Hours of Accessibility
19. Security
20. Right to Withdraw Consent
21. Disclaimer of Warranty and Limitation of Liability

Tinau Mission Development Bank
Mobile Banking Policy 2076
1. Introduction
1.1. Background
Mobile banking represents a significantly cheaper alternative to conventional branch-based
banking that allows financial institutions and other commercial actors to offer financial services
outside traditional bank premises by using delivery channels like the mobile phone. M-Banking can
be used to substantially increase the financial services outreach to the un-banked communities.
Providing an enabling regulatory environment through careful risk-reward balancing is necessary to
use such a model. In line with its responsibility to promote financial inclusion without risking the
safety and soundness of the banking system, Nepal Rastra Bank issued a circular on the regulatory
framework for Branchless Banking, Mobile Banking, Internet Banking and eCard Services. Under
this circular, the Bank has striven to adhere to the Bank-led Model of mobile banking, internet banking
and eCard Services.

1.2. Objectives
• To define Mobile Banking (M-Banking) activities as a new delivery channel to offer
banking services in a cost effective manner.
• To broadly outline activities which constitute M-Banking.
• To serve as a set of minimum standards of data & network security, customer protection
and risk management to offer mobile banking services.

1.3. Scope
• These guidelines are applicable to all concerned at the Bank.
• To provide banking and financial services with the help of mobile telecommunication
devices. The scope of offered services may include facilities to conduct bank
transactions, to administer accounts and to access customized information.

2. Mobile Banking Services

With Mobile Banking, you can instantly access the following services:

• Fund Transfer Facility:


• Bank Account to Bank Account- This mode of Fund Transfer allows the customers to
make fund transfers from their bank accounts to any other bank accounts maintained
within BANK
• Bank Account to Predefined Bank Account- This mode of Fund Transfer allows the
customers to make fund transfers from their own account to any predefined account
within BANK. Predefined Bank Accounts are set by the customer at the time of account
registration/ opening.
• Bank Account to Bank Account by Mobile No.- This mode of Fund Transfer allows the
customer to make fund transfer to another customer with Mobile Banking using their
mobile number. The recipient (customer) receives the fund in his/her primary account.

• Payments:
• Utility Payments- The customers of BANK can pay their utility bills such as Nepal
Telecom landline/ phone bills, postpaid mobile bills for Nepal Telecom, ADSL Bills, etc.
• Merchant Payment- M-Banking shall make it easier for customers to pay their bills while
shopping.
• Credit Card Bill Payments- The customers can also pay their credit card bills.
• Air Time Top Up- The customers can buy top up cards for their prepaid mobile phones.

Queries:
The query service will help the customers to get information regarding their accounts.
Some of the query based services are:
• Account Balance
• Last Transaction
• Banking Hour
• Transaction Limit Status, etc.

Request:
Customers can request a full statement of their accounts, new cheque books, etc.
They can also request to stop a cheque from payment as well as request to
block/unblock their credit/ debit cards instantly without manual intervention from the
bank’s side.

Notifications and Alerts:


The customers can get alerts when a transaction is completed. In addition, they can be
notified of the due dates for payment of their loans, etc.

Web Panel for Customers:


Customers can log in to a web panel to check all their transactional details. The web
panel does not allow transactional facilities to the customers. It is built simply
for informational services, and customers log in to it with the login details of
their mobile application.

Mobile Banking functions (e.g., viewing balances, searching for transactions, viewing
transactions, specific types of funds transfers) may be added, reduced or modified by us from
time to time without prior notice. We may also modify, reduce or expand the geographic areas
in which we offer Mobile Banking or any of its functions or services. We reserve the right to
refuse to make any transaction you request through Mobile Banking.

3. Key Roles & Responsibility

The ultimate responsibility for mobile banking lies with the Bank. The Bank may, however, take
the steps it deems necessary to safeguard itself against liabilities arising out of the actions of service
providers. Within the Bank, the Board of Directors is responsible for strategic decisions, senior
management for effective oversight, and the compliance and audit functions for ensuring soundness
of internal controls and adherence to operational guidelines.

4. Third Party Technology Service Provider Due Diligence

Use of a Technology Service Provider exposes the Bank to significant operational and reputational
risks. Efficient and foolproof Due Diligence (ADD) procedures must exist to mitigate these risks.
Third-party service providers provide services related to technological infrastructure etc. They
have no direct contact with M-Banking customers and do not perform activities that are
attributed to the customers, nor do they hold any customer data in their server.
Minimum selection criteria for Technology Service provider shall be as follows:
• Should be registered in Nepal.
• Should have sound establishment of business in Nepal.
• Technology should be compatible with the rules and regulations of Central Bank. If
required, approved by the Central Bank.

5. Third Party Technology Service Provider Agreement

The Bank shall submit a Service Level Agreement (SLA) (duly signed by concerned parties),
and any amendments thereto, detailing the functions/activities to be performed, the respective
responsibilities of the bank and its Service provider and a confidentiality clause.
The written service level agreement with the service provider shall, at a minimum:
i. Define the rights, expectations and responsibilities of both parties;
ii. Set the scope of the work to be performed by the service provider, and the
fees/revenue sharing structure;
iii. State that the outsourced services are subject to regulatory review and that Nepal
Rastra Bank inspecting officers shall be granted full and timely access to internal
systems, documents, reports, records and staff of the service provider;
iv. State that the service provider will not perform management functions, make
management decisions, or act or appear to act in a capacity equivalent to that of a
member of management or an employee of the Bank;
v. Specify that the agents must ensure safe-keeping of all relevant records, data and
documents/files for at least five years; or alternately, that such records are shifted to the Bank
at regular pre-specified intervals, which will then ensure safe-keeping of these records for
at least 5 years.
vi. State that all information/data that the service provider collects in relation to mobile
banking services, whether from the customers or the Bank or from other sources, is the
property of the Bank, and the Bank will be provided with copies of related working
papers/files it deems necessary, and any information pertaining to the Bank must be
kept confidential; and
vii. Establish a protocol for changing the terms of the service contract and stipulations for
default and termination of the contract.

6. Risk-Based Customer Due Diligence

To optimize the gains of Mobile Banking and to extend financial services outreach to the
unbanked strata of society without compromising the requirements of AML (Anti Money
Laundering) / Combating the Financing of Terrorism (CFT) policies, a risk-based approach to
customer due diligence is outlined. Under this approach, M-Banking facilities shall only be given
to customers of BANK for whom proper KYC has been conducted and who have been graded with a
risk level as guided by NRB Directive no 19 on Anti Money Laundering and Combating the
Financing of Terrorism.

7. Mobile Banking Limitations & Transaction Limit


Transactions conducted via Mobile Banking are subject to all withdrawal and transfer
limitations and accesses defined by BANK on timely basis.

Initially, the limit set for Fund Transfer by M-Banking shall be NPR 15000.00 per day for an
M-Banking Facility Holder. Similarly, 15000.00 per day shall be the limit for Utility Payment/
Merchant Payment/ Credit Card Payment or Mobile Top Up. These limits can be amended by
the Management with the approval of the CEO on a need basis or to comply with regulatory body
directives.

8. Data & Network Security


Data and Network security are of paramount concern to ensure authenticity, confidentiality,
integrity and accountability for financial transactions performed by M-Banking users and also to
ensure availability of mobile banking services to M-Banking user.

8.1 Global System for Mobile Communication (GSM) Networks Risks


Most mobile communication takes place over GSM networks. The GSM network protocol has
built-in security mechanisms such as mobile station authentication and data encryption.
Although it is not easy for anyone with malicious intent to break into a GSM network without
sophisticated techniques and equipment, GSM network security might still be under
threat, and the Bank has to be careful to mitigate the risks involved.

8.2 Mobile Banking Security Features:

Mobile Banking is a Short Message Service (SMS) based platform. It should be equipped
with the latest security features and should fully comply with the directive issued by
Nepal Rastra Bank. All transactions originating from a mobile phone/cell should be secured
in the following ways:

1. Device Level Security: Bank Accounts are associated with a particular mobile number
during the registration process. Only messages originated from such registered mobile
numbers can make banking operations to bank accounts associated with that particular
mobile. SMS origination from unregistered mobile numbers is ignored by the system.
2. Marketing Partner Identification Number (MPIN) Security: Each Mobile Banking
subscriber is provided with a four-digit MPIN during the registration of the service.
The subscriber must use the MPIN along with any command to make banking transactions
or even for enquiry-based services.
3. Network Level Security: All communications between the Telecom Service provider
and the Bank's Core Banking System are carried out over a secure Virtual Private Network
(VPN).
4. SMS Encryption: All SMS originated from the mobile banking application are encrypted
by the application before sending them over the network. These messages are received
by the Mobile Banking Server in the encrypted format which is decrypted by the system
before initiating the process. This ensures that SMS does not travel in plain text and
does not reveal the MPIN even while inside the Mobile Network Operator’s network.

8.3 Additional Techniques for Risk Mitigation


The Bank shall ensure that proper mechanisms are in place to address these concerns.

8.3.1. Client Accountability and Non-Repudiation

Client financial transactions should be logged as evidence for auditing and,
possibly, forensic investigations in case of criminal incidents. The other main purpose is to make
sure that a client cannot deny a transaction s/he has performed using the mobile banking
application service.

8.3.2. Error Messaging and Exception Handling

The mobile banking application server shall properly handle exceptions and error reporting. It may
be noted that if error reporting and exception handling are not properly managed, they can
reveal information that can be misused to perform illegitimate queries.

9. Customer Protection and Awareness

Appropriate customer protection against risks of fraud and loss of privacy is needed for
establishing trust among consumers as trust and customer confidence is the single most
necessary ingredient for growth of M-Banking. As we will be dealing with a large number of first
time customers with low financial literacy level, banks need to ensure that adequate measures
for customer protection, awareness and dispute resolution are in place.

10. Customer Awareness


Customer awareness is a key defense against fraud, identity theft and security breaches.
Appendix A provides the minimum Customer Awareness that the bank shall conduct.

11. Complaint Management

The Customer Services Department of the bank shall be the unit for handling complaints received
from M-Banking customers efficiently and quickly, as guided by the Complaint Management
Guidelines of the bank.

12. Product and Service Availability

Communication “dead zones”: Geographic locations where users may not access mobile
banking systems may expose institutions and service providers to reliability and availability
problems in some parts of the country. For some areas, the communications dead zones may
make mobile banking an unreliable delivery system. Consequently, some customers may view
the institution as responsible for unreliable mobile banking services provided.
Bank may find it beneficial to inform mobile banking customers that they may encounter
telecommunication difficulties that will not allow them to use the mobile banking products and
services.

13. Disclosure and Message Limitations

Slow communication speeds may limit a bank's ability to deliver meaningful disclosures to
customers. However, use of a mobile banking system does not absolve a financial institution
from disclosure requirements. On that basis, agreement with a mobile banking subscriber is
made as described in Appendix B.

Appendices

Appendix A

Safety Suggestions/ Tips:

• Any time you log into Mobile Banking, be sure to be aware of the people around you.
Don’t disclose personal information, including account numbers or Personal
Identification Number (PIN), if someone else can read your screen or hear your voice.
• Always secure your phone with a password to prevent unauthorized access. It may be a
bit of a hassle, but if your phone is ever lost or stolen, you’ll be glad you took this extra
precaution.
• Do not leave your mobile device unattended. It may be used wrongly by someone
having access to your personal information and/or PIN.
• Be sure to log out completely every time you finish a Mobile Banking session. This will
prevent someone from having easy access to your information if they gain access to
your phone.
• Regularly change your password or PIN and avoid using easy-to-guess passwords such as your
name, spouse name, birthdays, etc.
• Do not save any financial or personal information on your phone, including PINs. If you
lose your phone, not only have you lost that information, but it could fall into the hands
of someone with bad intentions.
• Regularly check transaction history details and statements to make sure that there are
no unauthorized transactions.
• Review and reconcile periodic bank statements for any errors or unauthorized
transactions promptly and thoroughly.
• Some web browsers have an “auto-fill” function that remembers your username and
password, and pre-fills these fields for you the next time you log in. If you are prompted,
tell your phone NOT to remember or auto-fill this information.
• Beware of third-party applications (“apps”) for your phone. There are some programs
that you can download that claim to organize your various online banking accounts or
other passwords. Many of these are basically phishing scams designed to steal your
information and send it to fraudsters.
• If you use BANK Mobile Banking, know that we will never send you an unsolicited
message or ask you for a password or personal information via text. If you get a
message requesting such information, do not respond.
• While BANK will never send personal or account identifying information via text, being
in the habit of periodically deleting your archived texts will help ensure there is never
information on your phone that might jeopardize your account’s security.

Appendix B

AGREEMENT ON MOBILE BANKING


This Mobile Banking Agreement states the terms and conditions under which you agree to use
the Mobile Banking product of the Bank.

Please read this entire Agreement prior to using the TMDBL Mobile Banking product. By signing
the agreement and using Mobile Banking, you acknowledge your receipt and understanding
of this disclosure and agree to all terms and conditions of this agreement.

DEFINITIONS
As used in this Agreement and Mobile Banking product, the following words have the meanings
given below:
“Account(s)” means eligible and authentic account of yours with BANK that can be
accessed through Mobile Banking.
"Device" means a supportable mobile device including a cellular phone or other mobile
device that is web-enabled and allows Secure Sockets Layer (SSL) traffic which is also
capable of receiving text messages.
"Mobile Banking" means the banking services accessible from the device you have
registered with BANK for Mobile Banking.
"You" and "Your(s)," mean each person with authorized access to your Account(s) who
applies for and uses the Mobile Banking product.
"We," "Us," and "Bank" means BANK

14. Scope of consent for Mobile Banking


By using the Mobile Banking product, you accept and agree to be bound by the general
terms and conditions governing the Mobile Banking product, including without limitation all the
terms and conditions in this Agreement. You agree to be bound by any and all laws, rules,
regulations and official issuances applicable to Mobile Banking now existing or which may
hereafter be enacted, issued or enforced, as well as such other terms and conditions governing
the use of other facilities, benefits or services that BANK may from time to time make available
to you in connection with the Mobile Banking product. Further, BANK has the discretion from
time to time, and upon giving notice to you, to modify, restrict, withdraw, cancel, suspend or
discontinue the Mobile Banking product without giving any reason and you understand that by
using the Mobile Banking product after any modification or change has been effected, you
would have agreed to such modification or change. Customers wishing to use this product must
read and agree to this Mobile Banking Agreement, which describes the requirements for the
product in more detail.

15. Account Eligibility and Enrollment


Mobile Banking is available to any person(s) who have subscribed to the BANK Mobile
Banking Product and have an account with BANK.

16. System Requirements


BANK endeavors to provide customers with superior Mobile Banking services. To access
Mobile Banking, your phone or other mobile communication device must be enabled and
connected to your mobile communication service provider. BANK does not guarantee that your
mobile phone/mobile phone service plan will be compatible with our Mobile Banking product.
You are responsible for understanding the operation and maintenance of your mobile phone.
BANK is not responsible for any errors or problems related to your mobile phone, mobile
provider, or mobile communication service provider. Nor are we responsible for any fees
assessed by your telephone company or any other outside party.
Customers are responsible for making sure that the mobile phone they are using to access
Mobile Banking is protected from and free of viruses, worms, Trojan horses, or other similar
harmful components (collectively, referred to as "viruses"), which could result in damage to
programs, files, and/or your phone or could result in information being intercepted by a third
party. BANK will not be responsible or liable for any indirect, incidental, special or
consequential damages that may result from such harmful components being present on the
mobile, nor will BANK be responsible or liable if sensitive information accessed via our Mobile
Banking product is intercepted by a third party due to any of the above named “viruses”
residing or being contracted by the customer’s mobile phone at any point or from any source.
We are not responsible for errors or delays or your inability to access the service caused by
your equipment. We are not responsible for the cost of upgrading your equipment to stay
current with the services nor are we responsible, under any circumstances, for any damage to
your equipment or the data resident thereon.

17. Fees and Other Terms


Yearly subscription fee for Mobile Banking shall be levied for the subscribers.

The Bank reserves the right to change the terms and conditions of this agreement at any time,
which includes:
• The addition and deletion of Mobile Banking product and services; and/or
• The right to institute or change fees for Mobile Banking by sending prior notice.

Customers are responsible for providing their own Mobile Device to access Mobile Banking.
They are responsible for all fees and charges they may incur to any mobile communication
service provider or other third parties while using Mobile Banking. TMDBL is not a party to, and
has no duty, liability or responsibility with respect to or in connection with (i) the customer’s mobile
communication service agreement, or (ii) any Mobile Device, hardware, software or any other
product or service they may purchase from others relating to their use of Mobile Banking.
Finally, the customer’s mobile carrier may charge them for Internet-related use and text (SMS)
messages, so please contact your mobile carrier for further details about these charges.

18. Hours of Accessibility


In general, Mobile Banking is accessible 24-hours per day, seven days a week; however,
some Bank system services may not be available at certain times due to maintenance and/or
computer, communication, electrical or network failure or any other causes beyond Bank’s
control.

19. Security
If customers lose their Mobile Device, user name (Login ID) or password, or notice
unauthorized transactions or any other discrepancies, they must contact TMDBL.

Mobile Banking server security is important for any organization that is connected to the
Internet. Server security comes down to the confidentiality, integrity and availability of appropriate
information, and authentication. Databases store confidential and sensitive information. Hence,
it is the most important task of an organization to safeguard crucial information from being
stolen and misused.

20. Right to Withdraw Consent


Bank reserves the right to terminate the Mobile Banking product, in whole or in part, at
any time with or without cause and without prior written notice. In that event, or in the event
that the customer gives the Bank a termination notice, the Bank may (but is not obligated to)
immediately discontinue making previously authorized transfers, including recurring transfers
and other transfers that were previously authorized but not yet made. The Bank also reserves the
right to temporarily suspend the Services in situations deemed appropriate by us, in our sole
and absolute discretion, including when the Bank believes a breach of system security has occurred
or is being attempted. The Bank may consider repeated incorrect attempts to enter your Mobile
Banking PIN as an indication of an attempted security breach. Termination of the Services does
not affect customer’s obligations under this Agreement with respect to occurrences before
termination.

21. Disclaimer of Warranty and Limitation of Liability


Tinau Mission Development Bank Ltd makes no warranty of any kind, express or implied,
including any implied warranty of merchantability or fitness for a particular purpose, in
connection with the Mobile Banking product to you under the Agreement. BANK does not and
cannot warrant that the Mobile Banking product will operate without error, or that the Mobile
Banking product will be available at all times. Except as specifically provided in this Agreement,
or otherwise required by Law, you agree that the bank’s officers, directors, employees, agents
or contractors are not liable for any indirect, incidental, special or consequential damages
under or by reason of any services or products provided under the Agreement or by reason of
your use of the Mobile Banking product, including, but not limited to, loss of profits, revenue,
data or use by you or any third party, whether in an action in contract or based on a warranty
or any other legal theory.
BANK makes no warranty that:
• The service will be uninterrupted, timely, or error-free
• The service will meet your requirements
• The quality of any products, services, information or other material purchased or
obtained by you through Mobile Banking will meet your expectations

BANK shall not be liable for any direct, indirect, incidental, special, consequential or exemplary
damages, including but not limited to, damages for loss of profits, goodwill, use, data or other
intangible losses resulting from:
• The use or the inability to use the product
• The cost of procurement of substitute goods and services resulting from any goods, data
information or services purchased from the product
• Unauthorized access to your transmission
• Unauthorized alteration of your data
• Statements or conduct of the third party service provider
• Any other matter relating to the service

Governing Law: This Agreement is governed by applicable laws of Nepal.

Complaint Resolution Procedures: When a complaint is received from a customer, the consumer
complaint representative or department will attempt to resolve the problem at the earliest.
