
3. The application should have a VIEW ONLY facility for the account; in no scenario should any transaction facility be enabled.

General

1. Different types of account should be linked to the application, viz. SB, CC, CD, OD, Deposits, Loans etc., as per the Bank's requirement.

2. Registration, Re-Registration and Deregistration
   a. After downloading the app on his/her registered mobile number, the user should enter his/her customer ID or any operative account number, first name, last name etc.
   b. The mobile number should be authenticated, and upon successful authentication the user receives an OTP. The application should have the facility to auto-read the OTP (for example through the Android SMS Retriever API or iOS one-time-code autofill, rather than a blanket permission to read all SMS).
   c. Once the OTP is successfully read and verified by the server, the user is onboarded.
   d. However, if the mobile number is not authenticated, a prompt should be given to the user stating that the number is not registered. Note that this response confirms to whoever entered the number whether it is registered with the Bank, so the registration endpoint must be rate-limited per mobile number and per source address.
   *The bidder should be qualified to provide other means of authentication as well.
3. On successful registration, a customised welcome SMS may be sent by the Bank to the user's registered mobile number.
4. If the mobile number is not registered, a suitable message should be displayed suggesting ways to register the mobile number.
5. The solution should be capable of intimating the user upon registration and de-registration through channels like email, SMS etc. as suggested by the Bank.
6. On registration of the customer, the full Terms and Conditions of the service offered by the Bank should be communicated to the customer, as provided by the Bank.
7. The facility to set the PIN should be provided at the time of registration.
8. The application is to be PIN protected, preferably with a 4-digit PIN. (A 4-digit PIN has only 10,000 possible values, so the attempt limit of items 14 and 106 must be enforced on the server and not only inside the app, and the PIN must never be stored or transmitted in clear.)
9. The solution should provide for easy de-registration. However, if the user logs in again with the same account, all his/her tags/remarks etc. must be kept intact.
10. If a user forgets his/her PIN, they will have to select Forgot PIN/Pattern, upon which they should follow the re-registration process.
11. No previous data will be deleted if the customer selects Forgot PIN/Pattern or his/her account gets locked and the user re-registers with the same Customer ID (the user can set a new or the same PIN/pattern on re-registration); the notes and categories added will not be deleted.
12. If a user selects Forgot PIN or the user account gets locked and he/she tries to register with a new Customer ID, the app will show a prompt indicating that the previous data will be deleted. If the customer selects Yes, the new Customer ID registration process follows and all previous data is lost.

Features

13. Once registered, every time the application is accessed the user should be prompted to enter the mobile number used during registration as the user name and the 4-digit PIN set while registering as the password, and validation should be done. On entering the correct mobile number/PIN, the user should navigate into the application. On entering a wrong mobile number/PIN, an error message should be displayed prompting the user to enter the correct data again, and an option for Forgot PIN should be provided.
14. A specific number of attempts has to be configured for entering the PIN. If the defined number of attempts is exceeded, the application is to be locked. The bidders are suggested to use their innovation for unlocking the application.
15. The application is to be in both Hindi and English.
16. The option to change the language should be provided in the Settings module.
17. The option to change the PIN should also be provided in the Settings module, where the user will be prompted to enter the current PIN and then the new PIN, and reset.
18. Tagging/Narration feature: the facility to add personalised remarks to each transaction. This should be made available in offline mode as well.
19. An interactive statement is to be provided where the user can categorise transactions and see a break-up of his/her income/expense transactions.
20. The solution should provide for comprehensive account and transaction search, listing all the details of the account as provided by the Bank.

Search, Sort and Filter

21. The application should be able to search, filter and sort the transactions, and the icons should be available at all times once the records are fetched. Sorting should be done on amount/flags etc. Filtering should be done on amount, remarks, category etc. (list not exhaustive).
22. The transaction entry should be in passbook pattern.
23. Easy navigation between different modules.
24. The application should have a synchronisation facility with Finacle.
25. The application must display real-time opening and closing balances.
26. The application should have offline mode usability. (Data cached on the device for offline use is subject to the encrypted-storage requirement of item 110 in the Security clause.)
27. The solution should have the facility to register requests, complaints and feedback with the Bank, and a customised acknowledgement message should be sent for such requests, complaints, feedback etc.
28. Facility to refer to friends.
29. Facility of notification to receive the latest updates when the application upgrades to a higher version.
30. Facility to display the various offerings/products of the Bank in the application, with suitable redirection to the website/other page as required by the Bank.
31. Provision to share account/transaction details through sharing mechanisms (SMS, email etc.).
32. The solution is to have a mandatory FAQ and a NearMe module (to locate branches and ATMs). The bidders are suggested to use their innovation for other modules.
33. The application is to have breadcrumb navigation to educate the user about the different functionalities on a page. The breadcrumb for the respective button should be automatically disabled once the user clicks that button.
34. The solution should support all major operating systems, viz. Android, iOS and Windows, with the versions below:
    Android 4.0 and above
    iOS 6.0 and above
    Windows 7.0 and above
    The application should be capable of running on all major handsets. Any device not supported by the bidder should be clearly mentioned.
35. The solution is to be made available to all domestic and international numbers.
36. The application is to have a dashboard/suitable graph/image giving a pictorial representation of the various active accounts with different colour legends. Below the dashboard, a list of all the available accounts is to be displayed with available balance, and on tapping an individual account its respective statement is to be displayed in passbook format.
37. An option to request a statement should be available, wherein a list of all the accounts owned by the customer is displayed; on selection of an account, the respective statement for the selected period should be sent to the registered email ID.
38. Transaction history is to be available in offline mode as well.
39. The application should allow customers to view their accounts' transactional data for the last 12 months from the day the user registers and uses mPassbook for the first time.
40. There should be no maximum limit on transactions or time period when the user requests a transaction statement. The period for which the user can get the statement should run from the user's account opening date till the present date.
41. The application is to automatically detect insufficient storage space on the device (if such is the case), prompt the user, and suggest that the user clear some space. This functionality should also be made available at the time of registration so that the user can be informed prior to onboarding.
42. The application should be made available on the Apple App Store, Google Play, BlackBerry World and the Windows Store.
43. Transaction data for a period of up to 12 months can be stored in the app. Transaction data older than 12 months will be automatically deleted from the app.
44. The application is to have the facility to set the storage period to 6/9/12 months as required by the customer.
45. A Contact Us facility is to be provided before logging in: wherever call-centre details are provided by the Bank, the call-centre contact information (with a click-to-call option) should be available even without logging in.
46. The amount of information present on one screen should be limited. The bidder is suggested to use their innovation.
47. Post-login screen navigation should start with simpler and more familiar fields. The bidders are requested to use their innovation in making the application user friendly.
48. Text information should be in mixed/sentence case instead of upper case.
49. There should be a bank logo, title page and frame on every screen.
50. White spacing between fields should be sufficient to view labels without overlapping.
51. Available balance is to be always shown.
52. Ability to manage personal profile.
53. The app should be tested for varying network bandwidth, device models (make and screen size), flip/bump, back button and other buttons on the device, stylus, trackball/pad, swipe operations, screen rotation, mobile keys etc.
54. Version updates should be done on a regular basis and ensured to keep past favourites intact. All mandatory features (including security fixes) should be delivered as forced updates; for other updates the user should be given a choice.
Error Handling

55. System messages should be classified as Information, Warning and Error, and a suitable colour should be used for each.
56. Error messages while filling a form should be displayed next to the fields and button.
57. The message should provide the reason for the error and suggest the next possible action.
58. The application should maintain user action persistence and recovery from abrupt exits (network connection lost, session timeout, battery down, memory shortage etc.).
59. Error messages should be in layman's language and easy to understand, and should avoid displaying any bank-specific (internal) error messages. Details such as stack traces, host names or back-end response codes belong in the server log, not on the screen (see Information leakage and Improper error handling under item 79).
60. The help icon should always be available and contextual to the screen.
Administrative Portal

61. The administrative portal is to have user management.
62. Encrypted communication should be present between all entities of the system.
63. The administrative portal should have the capability* for:
    a) Blocking a user's mobile handset temporarily
    b) Blocking a user's mobile handset if lost or not in use
    c) Reset of the solution PIN etc.
    d) Resending the download link
    e) Sending various types of alerts for campaigns of product features
    f) Password management for administrative users
    g) Approving/registering and de-registering users
    h) Hot-listing of registered users' accounts
    *The list is not exhaustive.
64. Ability to provide various reports* like:
    1. Daily summary report
    2. Uptime report (daily/weekly/monthly)
    3. Total number of users registered, denied registration, de-registered, re-registered etc.
    4. PIN change report
    5. Number of Hindi/English users report
    6. Number of users who have requested a statement
    7. Number of registration attempts made from non-registered mobile numbers
    8. Audit trail report of all administrative functions
    All the details should be properly mapped to CUST_ID so that the Bank can identify the adoption rate state-wise, zone-wise etc. as and when required by the Bank.
    *List not exhaustive
65. Facility to generate ad hoc reports.
66. Dashboard for administration of software and users.
67. Dashboard for MIS.
68. Back-end applications should be platform independent, i.e. should work with all major web servers, application servers and databases.
69. The administrative portal should work over TLS (HTTPS); the obsolete SSL protocol versions (SSLv2/SSLv3) must be disabled on the server.
70. The back-end application should be capable of working in a clustered environment with high-availability load balancing.
71. All administrative activities should be properly logged with an appropriate audit trail.
72. The audit logs should be capable of being used as forensic evidence, i.e. they must be tamper-evident and time-synchronised across components.
73. Compliance of the web portal with OWASP (Open Web Application Security Project) standards/guidelines.
74. The portal should support working on the maker and checker concept for any addition, deletion or modification request made by the authorised users.
75. With respect to risk, the following reports are mandatory*:
    i) Suspicious onboarding and registration process
    ii) User activity based reports
    *Note: the list is not exhaustive and additional reports can be sought by the Bank.
76. The portal should have different levels of administration, each with varying degrees of access, and the capability to create administrators that can in turn delegate administration tasks to other users.
77. The administrative portal should have various tabs like User Accounts, Dashboard, Settings, Hosting Options, Latest Onboarded etc. for easy navigation.
78. The portal is to reflect the mapping of user, unsuccessful authentication, account reset, account blocked etc., to clearly show all the details related to a user.
79. The predefined pages of the administrative web portal should handle web application security threats like cross-site scripting, SQL injection flaws, malicious file execution, information leakage and improper error handling, broken authentication and session management, insecure cryptographic storage and failure to restrict URL access (these are OWASP Top 10 categories; the bidder should map its controls to the current edition of that list). In addition, the system should not be vulnerable to known security threats.
80. The portal should show the system status*, like:
    a) Number of total users onboarded/registered
    b) Number of successful onboardings/registrations
    c) Number of rejected onboardings/registrations
    d) Number of onboardings/registrations with unknown status
    e) Total running time in hours, minutes and seconds
    *This list is not exhaustive.
Clause-Logs

Sl No  Description

81. Detailed logging capabilities must be available within the solution for fraud investigation.
82. Logs should be kept as an audit trail.
83. The log content should give enough information about onboarding, which should include the originating front-end type, authentication details, IP address, device ID, user name, MAC ID etc., all of which are required at the time of investigating fraud. (Authentication details means the method and outcome of the attempt, never the PIN, OTP or password value itself.)
84. The administrative console should have the capability to enable/disable the on-screen log.
85. The administrative console should have the capability to enable/disable the file log.
86. The administrative console should have the capability to enable/disable the database log.
87. The administrative console should have the capability to reset the on-screen log.
88. File log: all activities have to be logged to a flat file with a proper delimiter and in encrypted format.
89. Database log: all activities have to be logged to the database with all required data.
90. The log settings should be changed through the front-end configuration manager. At least one log should always be enabled; no activity should be performed without a log. (Enabling, disabling or resetting a log is itself an administrative action and must appear in the audit trail of item 71.)
Interface/Integration

91. The solution should integrate with different interfaces using standard message protocols like ISO 8583, web services, BizTalk, MQ servers, XML-based protocols, APIs etc.
92. Integration with CBS: the proposed solution is to integrate with the CBS (Finacle) based on the message specifications provided by the Bank. The proposed solution is to have an interface to FRMD and SIEM as required by the Bank.
93. The proposed solution should be seamlessly integrated with the Bank's alternate delivery channels like ATM, Internet Banking, Mobile Banking, SMS and the Bank's CBS, USSD, Cash Management system, Financial Inclusion gateway, Multi-Function Kiosks, Remittance Agencies, Bulk File Upload facility for payments etc. as and when required by the Bank.
94. The solution should support SMS integration.
95. The solution should support e-mail integration.
96. The solution should provide support for interface standards like web services/XML over HTTP/HTTPS, the ISO 8583 message format etc.
97. The solution should also support SFTP.
98. Message communication between the application and the server should be in XML format over HTTPS, and all messages should be digitally signed. SHA-2 (e.g. SHA-256) is the digest used inside the signature; the signature itself must be produced with an asymmetric algorithm such as RSA (2048-bit or longer) or ECDSA (P-256 or stronger) over that digest, with the signing key held only by the signing party. A bare hash is not a signature and gives no protection against a party that can modify the message in transit.

Clause-Security

Sl No  Description  Compliance (Yes/No)

99. All the Bank's customer-related data will be stored in-house by the Bank.
100. A single user should be registered on a single device at one time.
101. The solution should not process any request identified as fraudulent (for example, one flagged through the FRMD interface of item 92).
102. Sensitive data like PIN/password etc. should be transmitted with end-to-end encryption.
103. An online session should be automatically terminated after a fixed period of time, i.e. the session timeout feature should be parametrised.
104. An authenticated session, together with its encryption protocol, should remain intact throughout the interaction with the customer. Otherwise, in the event of interference, the session should be terminated.
105. The solution should not support concurrent sessions.
106. The solution is to have the ability to lock the application after 5 incorrect credential entries.
107. The solution should have the capability to send a security alert to the registered mobile number on account of unauthorised activity on the user account, for example in the scenario of multiple sessions or multiple attempts to log in with an incorrect PIN.
108. The solution should have an inbuilt security mechanism to prevent account data from being compromised during entry, processing and transmission.
109. The solution should have security to protect the user against phishing attacks, man-in-the-middle attacks, Trojan attacks, man-in-the-phone attacks etc.
110. The private data of the user should always be stored in encrypted format. The encryption key must itself be protected by the platform key store (Android Keystore / iOS Keychain) and must not be hard-coded in the application package.
111. Data (like PIN, password, biometrics, card number, expiry date, OTP) is to be transmitted with end-to-end encryption using standard algorithms: AES with 256-bit keys for symmetric encryption, and RSA (2048-bit or longer) or elliptic-curve (256-bit or longer) keys under a PKI scheme for key exchange and signatures. Note that 3DES cannot meet a 256-bit strength requirement (its effective strength is 112 bits) and is deprecated, so it should not be offered as an option.
112. Compliance of the web portal with OWASP (Open Web Application Security Project) standards/guidelines.
113. The solution should provide for account reset upon a factory reset or a change of device settings, as per standard practice.
114. The solution should support TLS (HTTPS) with certificates issued by an external certifying authority; the obsolete SSL protocol versions must be disabled.
115. Solution onboarding and registration are to be auditable and reliable.
116. The solution is to have the intelligence to handle interruptions like battery run out, data connection drops and back-end host system down during onboarding and registration, and to notify the user accordingly.
117. If the device is lost/stolen and the SIM is blocked by the user, the application should detect this and stop working. (Note: an application cannot observe an operator-side SIM block directly; what it can detect is that the SIM or subscriber identity it was registered with is absent or has changed. The reliable control is server-side: hot-listing the account through the administrative portal (item 63) so that the back end refuses the device regardless of what the app does.)

Disaster Recovery

Sl No  Description

118. The solution should facilitate online DC-DR replication and retrieval capability in a seamless manner.
119. The disaster recovery drill for the solution should be tested periodically as and when scheduled by the Bank. The test set-up is to include all the components required for business continuity of the service.
120. Reports pertaining to total uptime and system not responding should be submitted as and when required by the Bank at the time of DR drills.
121. The DR solution should also provide means to monitor the solution post drill, and at other times, for measuring the availability of the DR solution.

Others

Sl No  Description

122. The bidder should provide for best-in-class logo and banner design for the application.
