Mobile Banking: Guidance Coming?As Mobile Adoption Grows, So Could Regulatory Action
Regulators have hinted at it, and industry experts say it's coming. U.S. banking institutions can expect to see new guidance for mobile banking. The open questions are: When, and in what form?
Mobile could be addressed briefly if regulators issue an FAQ or addendum to the updated FFIEC Authentication Guidance, says banking/fraud expert George Tubin. Tubin says regulators are more likely to address mobile in its own guidance, but they probably won't release it until late 2012 or early 2013.
"I think that we're still in that discovery phase with mobile," Tubin says. "Regulators are still just getting a read on the market and what to expect over the next month to year."
In short, regulators need more time. They don't yet fully understand the market's mobile state. Acquiring that knowledge demands more in-depth interviews with financial institutions, banking associations and mobile vendors.
"There may be mention of mobile in an FAQ [related to existing authentication guidance], but it will be a very brief mention," Tubin says.
Matthew Speare, senior vice president of IT at M&T Bancorp., the 17th largest U.S. bank holding company, says he'd like to see separate mobile guidance sooner rather than later. Speare says authentication requirements laid out in the existing guidance just don't translate to mobile.
"Mobile devices present a unique channel architecture and risk, which requires further guidance," Speare says.
What the Regulators Say
Banking regulatory agencies have been discussing mobile with industry experts for at least two years. And in mid-2011, when the FFIEC Authentication Guidance was released, two agency representatives suggested mobile guidance could be forthcoming.
Last April, Gigi Hyland, board member of the National Credit Union Administration, said in an interview with BankInfoSecurity that banking regulators were reviewing emerging technologies such as mobile for future guidance. "[Mobile] is certainly on our radar screen," Hyland said.
And in July, after the authentication guidance was issued, Jeff Kopchik, senior policy analyst with the Federal Deposit Insurance Corp., said the regulatory agencies were giving mobile special consideration.
"We are thinking about mobile," he said during a BankInfoSecurity webinar, FFIEC Authentication Guidance: FDIC on Understanding and Conforming with the 2011 Update. "But we felt that this was not the time or the place to really talk about mobile specifically."
In the same session, Kopchik also said he believed mobile banking was one of the channels already covered within the FFIEC Authentication Guidance. "If you go back to the original guidance, it makes it clear that it applies basically to all forms of electronic banking," he said. "So, in that sense, the supplement is sort of channel agnostic. It doesn't care whether you're doing your banking from a cell phone sitting on a park bench or a PC at home hardwired into the Internet."
In late 2011, the FDIC did issue some thoughts about mobile and its connection to existing guidance.
In the article "Mobile Banking: Rewards and Risks," which appeared in the Winter edition of Supervisory Insights, the FDIC states: "Financial institutions should conduct a comprehensive risk assessment or update existing assessments during the design, testing, and implementation of a mobile banking product. Guidance for performing an effective risk assessment is available in the FFIEC IT Examination Handbook on Management. ... Should a risk assessment identify new risks or vulnerabilities, financial institutions should address them promptly to appropriately and effectively mitigate the risks for the institution and its customers."
The article also notes institutions should pay close attention to known risks specific to mobile, including:
- The need for secure authentication of mobile customers;
- Mobile malware and viruses;
- Data transmission security;
- Compliance risk.
Joe Rogalski, who serves as the information security officer of Buffalo, N.Y.-based First Niagara Bank [$38 billion in assets], says the existing guidance provides enough mobile direction for now.
"The guidance calls for updating your risk assessment when there are changes in the functionality offered through electronic banking," Rogalski says. "I believe that mobile banking is covered by the guidance, and I am treating it that way in my risk assessments."
The Call for Mobile Guidance
Still, many industry experts have criticized the authentication guidance for not paying special attention to mobile transactions. [See FFIEC Draft Guidance: Where's Mobile?.]
"Anything mobile is a higher risk transaction," says Phil Blank, managing director of the security, risk and fraud practice at Javelin Strategy & Research. "Device identification, apps, differing interfaces for smart phones and tablets all pose challenges and risk."
Not addressing those concerns upfront was a mistake, Blank says. The advent of mobile malware, most often waged via downloadable apps, should be concerning to regulators. [See Symantec: Malware Pushed onto Androids.]
"It is certainly possible that a user could grant permission to malware to perform a function without realizing that they have done so," Blank says.
Regardless of what regulators believe about general authentication strategies for e-commerce channels, mobile is unique, and it demands specific guidelines for authentication and security, he contends. A mere FAQ won't do the trick, he adds
"This is a serious issue," says Javelin's Blank. "The fact that the phone stores offer information that may be available to fraudsters is where the problem lies. Not only could this information be used to form a phishing attack against an end-user directly, but this information could also be used to attack an institution. Knowing transaction dates or balances or limits, along with other information, could easily convince a [financial institution] that the fraudster on the phone is really the accountholder. It raises the specter of a possible account takeover."
Areas to Address
Mobile's relatively recent introduction poses challenges. Federal agencies and regulators have not had time to fully vet risks associated with mobile banking and payments. For now, consumer adoption remains comparatively low; and though larger institutions have been beta-testing the mobile waters for a couple of years, most banks and credit unions are just now dipping in.
Industry experts suggest any number of potential mobile issues need to be addressed by prospective guidance. Among them:
- Malware risks posed by downloadable mobile apps;
- User data storage; and
In the absence of discrete guidance, industry organizations such as BITS, the Technology Division of the Financial Services Roundtable, are expected to carry the mobile torch. First Niagara's Rogalski says their role makes good sense. "Regulators aren't likely to revisit mobile in any formal capacity," he says. "They're more likely to let industry organizations and associations step in," groups that are in better positions to address mobile.
M&T's Speare agrees, but hopes regulators do step forward with formal guidance soon.
"My hope is the regulatory bodies will engage with both the financial-services industry risk-management organizations, such as BITS, FS-ISAAC and NACHA, as well as the major software vendors in the mobile banking arena," Speare says.