Mobile banking is quickly gaining momentum as the most important form of interaction between customers and their banks, and, by some accounts, is expected to become neck and neck with online banking and ATM use this year. Each year since 2011 the Federal Reserve has conducted a “Consumers and Mobile Financial Services” survey of over 2,000 U.S. adults on their use of mobile banking. While mobile banking continues to rise, the percentage of smartphone banking users has leveled off. This leveling off is correlated with nearly 75 percent of users citing security as a top concern. Mobile banking is an important tool for traditional financial institutions, which are under increasing pressure from Fintech digital or mobile-only banks now entering the market. To ensure the success of mobile banking, the security concerns of mobile banking customers must be addressed. In addition to consumers, these security concerns are increasingly on the radar of interagency bodies and government regulators. In fact, just last month, following recent cyberattacks targeting interbank messaging and wholesale payment functions, the Federal Financial Institutions Examination Council (FFIEC) issued a statement on safeguarding the cybersecurity of payment networks. The FFIEC also stressed that financial institutions should review risk-management practices and controls related to information technology systems and wholesale payment systems. This ‘alert’ follows on the heels of the FFIEC’s guidance on risk management for mobile financial services, released in May 2016.
The FFIEC’s Appendix E of the Retail Payment Systems Booklet provides industry-wide guidance on identifying and controlling the risks posed by Mobile Financial Services (MFS) and mobile devices. The FFIEC’s guidance addresses mobile device technologies, such as SMS/text messaging, mobile website browsing, mobile applications, and wireless payment technologies, that are susceptible to security risks due to the nature of mobile devices. For example, many mobile users are less likely to activate security controls, virus protection, or personal firewall functionality on their smartphones. As a result, the FFIEC’s guidance encourages both management and board-level executives to educate themselves and participate in the institution’s strategic plan for risk identification. This identification process should include the risks that exist at the institution, those associated with the customer’s use of the mobile device, and those associated with using third-party applications or service providers. Financial institutions are encouraged to develop robust policies and procedures, and to implement review, reporting, and organized feedback loops between day-to-day operations and senior management for mobile device security risks. Financial institution management should also identify compliance risks and monitor them as the technology for MFS evolves. Financial institutions must also consider that the consumer laws, regulations, and supervisory guidance that apply to a particular financial product or payment method will generally apply regardless of the technology used to provide that product or service. This is often made more complicated because the third-party service providers in the technology sector who design these applications may be unfamiliar with the regulation and supervision of the financial services sector. As a result, clear communication between these third-party providers and the legal department of the financial services entity is necessary in order to fully understand the compliance and organizational risks associated with mobile banking applications.