New Guidance From FFIEC on Mobile Financial Services

Manatt, Phelps & Phillips, LLP

Examiners will be paying more attention to mobile financial services (MFS) using new guidance recently issued by the Federal Financial Institutions Examination Council (FFIEC).

What happened

In FIL-31-2016, the FFIEC announced the addition of a new appendix to the Retail Payment Systems booklet of the FFIEC Information Technology Handbook. Intended to assist examiners in evaluating the risks associated with MFS, Appendix E applies to all institutions supervised by the Federal Deposit Insurance Corporation (FDIC).

"The mobile channel provides an opportunity for financial institutions of all sizes to increase customer access to financial services and decrease costs," according to the guidance. But "MFS can pose elevated risks related to device security, authentication, data security, application security, data transmission security, compliance, and third-party management."

Emphasizing "an enterprise-wide risk management approach for effectively managing and mitigating the risks associated with mobile financial services," the guidance discusses four forms of MFS: short message service (SMS) and text messaging, mobile-enabled websites and browsers, mobile applications, and wireless payment technologies.

The first step in using MFS: identifying the risks associated with the type of services being offered and incorporating those risks into the financial institution's existing risk management process. "The complexity and depth of the MFS risk identification varies depending on the functionality provided through the mobile channel and the type of data in transit and at rest," the FFIEC said.

Strategic, operational, compliance, and reputation risks are all relevant, and management should consider risks not just at the institution but also those associated with the use of mobile devices where the customer implements and manages the security settings. Risks associated with the specific devices involved should also be assessed.

The guidance suggests that management should identify the risks associated with the decision to offer MFS and determine what types of services best fit with the vision, goals, and risk appetite of the institution. MFS pose unique operational risks, ranging from transaction initiation to authentication and authorization, as well as risks in the MFS technology itself. Malware and viruses are a real threat, for example, and basic device access controls such as PINs may be insufficient to protect data.

The Appendix highlighted service-specific risks, such as the fact that most SMS messages are unencrypted and vulnerable to spoofing, and that the portability of mobile devices makes them easy to lose or steal, which can result in unauthorized payments or fraudulent purchases.

While compliance risks presented by MFS include consumer laws, regulations, and supervisory guidance that may apply to a particular financial product or payment method, MFS are often developed and driven by entities outside the traditional financial services sector, the FFIEC pointed out. "These entities may be unfamiliar with regulatory requirements and supervisory expectations that apply to regulated financial institutions and their services providers," the guidance said. "Management should understand how the institution's risk profile changes when it uses any third party, but particularly a third-party service provider that is unfamiliar with the regulation and supervision of the financial services sector, to design applications."

Reputational risk is particularly relevant in the context of privacy and data security, the FFIEC said. Management should identify and consider how providing MFS may create reputation risk for the institution.

Once risks have been identified, financial institutions need to measure potential risks across all applicable risk categories, with the results prioritized to determine which controls may be appropriate for the services provided by the institution. Then the process of risk mitigation can begin.

"When offering MFS, management should mitigate identified risks by implementing effective controls across the institution," the FFIEC wrote. "Depending on the type of MFS offered, institutions may find that the effective management of risks involves interaction with application developers, mobile network operators, device manufacturers, specialized security firms, and other nonfinancial third-party service providers. Additionally, financial institution management should provide security awareness materials to the institution's customers, which may include prudent security practices for the device (e.g., use of mobile anti-malware, PIN protection) so that customers understand their roles in securing the device and the need for such security."

A "layered approach" to operational risk mitigation will best serve institutions, the guidance suggested, implementing security techniques at the server and database level along with transaction monitoring and geolocation techniques to identify anomalous MFS transactions, topped by customer education. Controls should be in place at enrollment, authentication and authorization, application development and distribution, application security, contracts, customer awareness, and logging and monitoring, the FFIEC said.

Technology risks require a close look from financial institutions, and several controls should be considered to mitigate them, depending on the type of services offered. These range from compensating controls for SMS technology (such as redacting customer account numbers from messages) to requirements that developers of mobile-enabled websites and mobile apps conduct security testing at all post-design phases.
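The SMS compensating control mentioned above, redacting customer account numbers, is simple enough to show in working code. The following is an added example written for this summary; it is not code from the FFIEC guidance or from Manatt. It assumes (as a labelled assumption) that account numbers are 8 to 17 digits, optionally separated by spaces or hyphens, and it pairs the redaction with a gateway-side check that refuses to send any message still carrying an unmasked account number.

```python
import re
from dataclasses import dataclass

# ASSUMPTION for this example: an account number is 8 to 17 digits, optionally
# separated by single spaces or hyphens. Real institutions have their own formats
# and should substitute a pattern that matches them.
ACCOUNT_RE = re.compile(r"\b\d(?:[ -]?\d){7,16}\b")


def mask_account_number(account_number: str, keep_last: int = 4) -> str:
    """Return the account number with every digit except the last `keep_last` replaced by '*'."""
    digits = re.sub(r"\D", "", account_number)
    if len(digits) <= keep_last:
        return "*" * len(digits)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def redact_message(text: str, keep_last: int = 4) -> str:
    """Mask every digit run in free text that looks like an account number.

    Deliberately conservative: any 8-to-17-digit run is masked, so a long
    reference number would be masked too. Over-masking is the safer failure mode
    for an unencrypted channel such as SMS.
    """
    return ACCOUNT_RE.sub(lambda m: mask_account_number(m.group(0), keep_last), text)


@dataclass
class SmsAlert:
    recipient: str
    text: str


def build_balance_alert(recipient: str, account_number: str, balance: str) -> SmsAlert:
    """Compose a balance alert that carries only the last four digits of the account."""
    last_four = re.sub(r"\D", "", account_number)[-4:]
    return SmsAlert(recipient, f"Alert: account ending {last_four} balance is {balance}.")


def safe_to_send(alert: SmsAlert, account_number: str) -> bool:
    """Gateway-side guard: False if the full account number, or any account-like
    digit run, is still present in the outbound text."""
    full_digits = re.sub(r"\D", "", account_number)
    text_digits = re.sub(r"\D", "", alert.text)
    if full_digits and full_digits in text_digits:
        return False
    return ACCOUNT_RE.search(alert.text) is None


if __name__ == "__main__":
    # Constructed sample data (made up for this example).
    account = "1234-5678-9012-3456"
    leaky = "Your account 1234 5678 9012 3456 was debited $1,250.00 on 06/01"
    print(redact_message(leaky))
    alert = build_balance_alert("+15555550100", account, "$42.10")
    print(alert.text, "->", "send" if safe_to_send(alert, account) else "blocked")
```

The two functions are meant to be layered: templates use `build_balance_alert` so that the full number never enters the message, and `safe_to_send` sits in front of the SMS gateway as a last line of defence against a template or log line that reintroduces it.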

As for compliance risk management, the compliance officer should take appropriate steps, including determining whether applicable disclosure requirements are fully accessible on the mobile device and ongoing monitoring for any legal and regulatory changes with regard to MFS.

Monitoring and reporting systems should be put in place by the institution's management, the FFIEC said, with limits on the level of acceptable risk exposure that the board and management are willing to assume and specific objectives and performance criteria—with qualitative benchmarks to evaluate the success of the product or service—identified.

The guidance also included a work program with a separate set of seven objectives intended to assist examiners in determining the state of risk and controls at an institution (or third party) providing MFS. Tracking the guidance in the Appendix, objectives include "Management effectively responds to issues raised or problems related to MFS," "Financial institution management appropriately and effectively measures risks associated with MFS and determines the likelihood and impact of those risks," and "Financial institution management maintains effective oversight of MFS activities. Management maintains appropriate reporting for various levels of management to support that oversight."


Why it matters

For financial institutions considering MFS—or already making use of mobile financial services—the Appendix is a "must read," offering insight into how examiners will evaluate an institution with regard to its mobile services. The FFIEC emphasized an enterprise-wide risk management approach, with the guidance offering many of the relevant risks to consider while noting that the list of risks and controls was not exhaustive.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Manatt, Phelps & Phillips, LLP | Attorney Advertising
