Improving Mobile Banking Security
Wells Fargo: Communication, Strategic Planning for Risk are Key
Mobile banking platforms and applications offer unique security risks and challenges, but many financial institutions fail to adequately address those risks upfront.
What steps can financial institutions take to control and enhance security of their mobile platforms and applications? Brian Pearce and Amy Johnson of Wells Fargo start with customer communication.
Wells Fargo has launched two separate mobile banking platforms: Wells Fargo Mobile for retail customers and CEO Mobile for commercial customers. Each offers unique customer awareness training.
"We've done a tremendous amount of work around helping our customers understand the risks and be safe about their behavior, so that they can protect themselves as they begin to use these mobile devices," says Pearce, head of retail mobile for Wells Fargo's Internet Services Group, in an interview with BankInfoSecurity's Tracy Kitten (transcript below).
For institutions launching mobile apps, it's important to monitor app stores to ensure customers are downloading the right apps.
"We also take a very proactive approach, in that we're constantly scanning the app stores and staying on top of people's use of those apps," Pearce says.
It's also important to take a layered security approach when developing mobile-app environments and platforms, ensuring they're secure from the ground up, Pearce says.
Johnson, who heads up strategy and execution for CEO Mobile, says other security measures included in Wells Fargo's offerings are encryption and active session management monitoring.
"We even partner with law enforcement as needed when there has been some attempted fraud," she says.
Mobile is constantly evolving, and that means institutions need to evolve with it. "We're very much actively engaged in scanning the fraud landscape so that we know what's really going on," Pearce says.
During this interview, Pearce and Johnson discuss:
- The role emerging mobile payments in the person-to-person, person-to-business and business-to-business spaces will play;
- Steps financial institutions can take to control and enhance security of mobile platforms and apps;
- Why listening to user needs and demands is the best way to drive growth and mitigate risk.
Pearce is senior vice president and head of the retail mobile channel for Wells Fargo's Internet Services Group, where he oversees strategy and manages wf.com, downloadable apps and text/SMS banking. Over his nearly 20-year career in financial services, Pearce has led a variety of business development, product and project management, business analysis and product operations functions. His career with Wells Fargo began in 2001 in the Investment Internet Services group and continued in Online Payments in 2005. Before Wells Fargo, Pearce worked for First Data Corp. and Andersen Consulting.
Johnson is a senior vice president with Wells Fargo's Wholesale Customer Experience Group, part of Wells Fargo's Wholesale Internet Solutions Group, where she oversees strategy and execution of all projects for the CEO Mobile service. As an alternate channel to Wells Fargo's Commercial Electronic Office [CEO] portal, the CEO Mobile service provides commercial, corporate and institutional customers with the ability to perform various financial functions via mobile devices. Johnson led the development of Mobile Fastpath, a patent-pending alert tool for customers who use the CEO Mobile service. Johnson has more than 20 years of experience in applications and tools development for financial services. Before joining Wells Fargo, Johnson worked as a manager for Accenture and as a managing director and head of financial services for Proxicom, an Internet services firm.
Wells Fargo's Mobile Offerings
KITTEN: Wells Fargo offers two separate mobile banking platforms - Wells Fargo Mobile, designed for retail customers, and CEO Mobile, designed for commercial customers. Before we jump in, I'd like for each of you to explain to our audience a bit about the mobile strategies you oversee.
BRIAN PEARCE: On the retail side, we offer three modes of access for our customers. We have a website at wf.com that's mobile-optimized and designed for mobile browsers. We have a selection of mobile apps for BlackBerry, Android, Apple and Palm users that they can download from the app stores. We also offer text banking as well, so for customers that prefer text or have feature phones that aren't capable of using apps or mobile web, they can get quick balances and see account activity on their phones by sending us text commands.
AMY JOHNSON: I oversee our mobile browser app and device strategies and execution for the Wells Fargo commercial and corporate customers, and I've been with the channel since inception back in 2006, and our subsequent launch back in 2007 as CEO Mobile. Our services on CEO Mobile include payment initiation and approval, credit management, funds transfer, information reporting, mobile deposit, reception alerts and decisioning, and some self-administration function.
KITTEN: When did Wells Fargo start offering mobile banking, and how have the mobile demands for consumers, as well as commercial customers, evolved since then?
PEARCE: We launched our mobile web application in July of 2007, so it's been nearly five years, and we've taken an approach that we refer to as "launch, listen, and learn" and we've gradually added more and more functionality in the channels. We started out with some of the basics - balances, account summary, transfers, and have added things like P2P payments and bill pay since then.
JOHNSON: For commercial customers on CEO Mobile, we were actually the first in the industry, right after our retail side in 2007, and we started with text message alerts and information reporting. Our customers quickly asked for the ability to do payment approval over their phones and to perform funds transfer, as well as the ability to monitor cash positions and account activity. Our early customers were largely from treasury departments, so monitoring and approving cash payments, or any kind of payments, and transactions, was key for them - and it still is. We have since added many other capabilities to offer corporate and commercial customers on the go.
KITTEN: Brian, did you receive similar bits of feedback from some of the retail customers that use mobile banking?
PEARCE: Our mobile banking customers are some of our most satisfied customers of our services. They're super engaged. On average, our text banking customers are trading up to 27 texts a month with us, so these are folks that are really actively managing their finances and really staying on top of balances and using our services almost every day.
Emerging Mobile Areas
KITTEN: Amy, in addition to some of the requests that you've noted from the CEO Mobile side, what other areas did you see customers demanding more or different types of services since the launch in 2007?
JOHNSON: Our feedback has also been largely positive, but when we got out there first, we were out there alone, so to speak, in the commercial space, so it has taken them a little while to get used to us. The feedback has been very positive. We responded with specific requests with enhancements every quarter since we launched. Our customers also participate in our design process. We have active, hands-on user research sessions throughout the year. And every one of those sessions gives us something that we can improve upon and so our robust set of services includes pretty much everything they've asked for to date.
Wells Fargo Mobile
KITTEN: Now Brian, I'd like to go back to you for a second. You oversee Wells Fargo Mobile, which of course is the retail mobile offer. What devices does Wells Fargo support for the retail side, and what types of services are currently available?
PEARCE: That's a key point for us. With more than seven million customers using our mobile channel, we actually end up supporting a wide range of devices. The key for us is we have our text banking solution that works for every customer with a phone. Everyone has text capabilities, and it's a great way to stay on top of your finances while on the go. We also offer our browser solution that works for any of the smart phones. So any phone with a browser that can get to the mobile web can go to wf.com, and we have support for a range of devices. We see a really wide variety of different users and different phone types accessing the wf.com site in any given month. And then on the app side, we've built apps for the Android, Apple, BlackBerry and Palm operating systems, and so that's a very popular channel as well. A lot of customers like downloading those apps and having them on their phone for the quick launch and get to Wells Fargo services.
KITTEN: Amy, I'd like to ask you about CEO Mobile, which is a mobile deposit service that you launched in November 2011, specifically for commercial and corporate banking customers. The service offers these commercial customers the ability to deposit checks and money orders, but is there any plan to expand the service?
JOHNSON: That's a great point. Thank you. When we launched in 2011, it was kind of a quiet launch. We didn't talk about it too much. We launched it out there and we've had millions of dollars of checks deposited, which was a very pleasant adoption that we're very happy to see. I can't comment as to specific plans, but as more customers use devices with good cameras, of course we're taking a look at that, but that's all I can say.
KITTEN: And Amy, for now, CEO Mobile is available only for iPhone, is that correct?
JOHNSON: Actually our CEO Mobile is available on hundreds of devices, via the mobile browser. We designed it that way from the beginning, so that any of our commercial customers could use banking on the go. A lot of our commercial customers, especially several years ago, were issued BlackBerries and issued corporate-owned devices, so we didn't want to tie ourselves in, right at the very beginning, to a specific platform. So everything that we've done is available on the mobile browser. We did develop the iPhone app which has been very popular with customers, especially the push alerts that let them know, for example, that they have a wire payment to approve. The iPhone app, which we launched a couple of years ago, also subsequently allowed us to launch that mobile deposit service, where you can take a picture of your check or money order, so that's been popular. As for other devices, we actively monitor what our customers are using to try to determine the best delivery mechanism. I can't speak to specific plans, but we watch what our customers are using and what's popular with them and what they ask for. So we definitely have some things on our radar screen.
KITTEN: So the ability to remotely deposit checks is not limited to just the iPhone?
JOHNSON: It is. Right now, you do need an app because you need to be able to interact with the camera on the phone itself. And so you do need to have something beyond just a web browser. And so the mobile deposit service is available in the iPhone app, and everything else is available on both the iPhone app and the mobile browser.
Addressing Mobile Security Risks
KITTEN: Security experts suggest that downloadable apps often pose the greatest risk where malware is concerned. How's Wells Fargo addressing those risks by ensuring that mobile apps that customers download are not malicious?
PEARCE: Where we really start is with customer communication. We've done a tremendous amount of work around helping our customers understand the risks and sort of be safe about their behavior, so that they can protect themselves as they begin to use these mobile devices. And we really encourage them and direct them to only download apps from the official app stores, and to make sure that they're downloading the right app. We also take a very proactive approach, in that we're constantly scanning the app stores and staying on top of people's use of those apps, so we know what's happening in the app stores and are sure that the apps that are out there that are Wells Fargo are, in fact, the correct apps.
JOHNSON: And for CEO Mobile, we also have an active education campaign with our customers to make sure that they're performing any banking transactions in a safe and secure manner, especially through mobile devices and apps. And for CEO Mobile, along with our retail partners, we have very tight controls with Apple, to ensure the app integrity, and we don't have other apps at this time.
Mobile Security Precautions
KITTEN: Brian, I'd like to go back and talk to you a little bit about some of the open store versus proprietary platforms. I know CEO Mobile is a little more closed. But what security precautions are you taking on the retail side? What are you doing to help vet some of these different types of applications and platforms?
PEARCE: The great news is, when we started the mobile channel, we started from all of the learning that we had in the online channel, so we take a very layered security approach, where we approach each of these application environments and platforms in a way that ensures that we're really secure from the ground up. We don't store any customer information on the devices. We're actively scanning and reacting to threats that may be out there, and then the great news for customers is that, at the end of the day, we stand behind everything that we do with our online security guarantee, so that we'll help them if anything happens.
KITTEN: Do you see Wells Fargo branching out in 2012 into the mobile payments arena? What does the mobile roadmap for 2012 look like for Wells Fargo?
PEARCE: We just completed a near-field communication pilot for iPhone users. We had 200 employees here in San Francisco that had a sleeve they could put on their iPhone and actually make payments at certain merchant terminals. We've definitely been looking at the payment space, and thinking about how we might help our customers and what types of things we might be doing in the payment arena. And as we begin to think about 2012, one of the things we're really trying to focus on is trying to be mobile unique. You begin to think of the power of a mobile device, the amazing things that people are starting to do with mobile devices, and the capabilities of those mobile devices. We're really thinking hard about how we can help our customers manage their finances better using all of those capabilities. We're really focused on mobile-unique innovation for 2012.
KITTEN: I want to ask this question to both of you, and this relates to security risks and where payments come in. What risks do payments pose? For instance, are person-to-person payments more concerning than person-to-business or business-to-business payments?
PEARCE: I wouldn't say that one is riskier than the other. I think each has their own unique risk characteristics. The good news is we're really experienced in this area, and we have a very proactive way of managing those risks through active monitoring or layered security approaches, and making sure that we're here 24/7 to be on top of the activities that are occurring.
JOHNSON: And for our commercial and corporate customers, I actually think that the security measures we take are very similar on the retail side. We may emphasize certain areas a little differently. For business-to-business payments, we employ a multi-layer approach, similar to our retail folks. We don't rely on any single process or technology, but we use them together. We employ data encryption, we have active session management monitoring, we even partner with law enforcement as needed when there has been some attempted fraud. We also believe that there's an active partnership with our customers, as well as on the commercial side, for business-to-business payments. We actively engage in customer education. We also highly encourage our customers to perform payments under something called dual-custody. And that simply means that a payment or other secure transaction needs to be performed by at least two separate people. One is an initiator, and another is an approver. So some security measures are not so technical at all. They're very much baked in a process we try to enforce.
KITTEN: Then what about other security concerns relating to the mobile channel? What's Wells Fargo anticipating, and when it comes to differing types of threats that consumers and commercial accountholders face, where are you addressing those areas of risk?
PEARCE: For us, I think the key is that security is not a new thing. It's just something we've taken very seriously from the beginning of the channel, and have built it from the ground up to be very secure. And we're very much engaged both with our customers in terms of education and being on the lookout for new types of threats, as well as industry and law enforcement, understanding the broader landscape and the types of things that are happening. So I feel like it's constantly evolving. Mobile is exploding. Everybody is excited about it. We're seeing a lot of traction, but it's also important for us to be alert and be out there helping our customers and protecting them. So we're very much actively engaged in scanning the fraud landscape so that we know what's really going on.
JOHNSON: And we do as well on the commercial side. We continually monitor threats, and assess any at-risk areas that we have, especially in the mobile arena and mobile devices, and sense any new technology that we might be able to apply to help us in monitoring some of our transactions. Some of that's behind the scenes and some of that is we try something out and see how it works for us. The key thing is it's not a one-time thing. We don't just do a risk analysis and walk away from it. It's a continuous enhancement and a process for us here, so I wouldn't say that there's any specific concern for the mobile channel, as long as we remain diligent and stay on top of both the industry trends, as well as technology trends.
KITTEN: Before we close, I'd like for each of you to offer some advice to other banking institutions as they enhance or initiate new mobile initiatives.
PEARCE: The key for us has always been, "start with the customer." And we spend a lot of time and energy listening to our customers and engaging with them and really understanding their needs, and really delivering services that are there to address their needs. We're not looking to drive our customers to use mobile; we want to be on mobile because that's where our customers are. We're not trying to lead; we're trying to really partner with our customers. And when you look at it from a security standpoint, we really think that education and partnering with customers is really the starting point, the cornerstone. We want to help our customers understand how to be secure when they do anything on their mobile device, and we think that we've done a great job in terms of getting education out there. Then we brought our own sort of layered security approach so we don't rely on single points to make sure that the channel and transactions are secure. We make sure that there are multiple checkpoints to ensure that we've delivered the best experience that we can in terms of both security and customer experience.
And then, the other thing is that when we begin to make new offerings and begin to advance things, we take a very methodical approach. We make sure that before we launch new features or before we make changes, we've done a really thorough job in terms of looking at anything we're doing from multiple points-of-view, thinking about our customers and how they're going to use it, but also thinking about it from a security point-of-view, to make sure that what we're doing absolutely delivers on our promise of a safe and secure experience for our customers.
JOHNSON: I would echo everything Brian just said, because we definitely want to take the multi-layered approach and remain vigilant. For other banking institutions, we obviously can't speak for them, but we all want to continue to invest the time and resources to stay ahead of the fraudsters. We all have a vested interest in online and mobile banking security, and protecting our customers' information and financial assets. I think all financial institutions want to succeed in this area.