
The FFIEC recently updated the IT Examination Handbook – Retail Payment Systems. The new material is in Appendix E, "Mobile Financial Services". Mobile financial services are growing in popularity and are radically changing how consumers pay for goods and services. Convenience is key; however, that same convenience introduces new threats and risks for the consumer.
Mobile devices present new risks precisely because they are mobile: they leave the confines of an assumed-safe corporate or home network. Users tend to exercise less caution with mobile devices, and many never consider protecting them against malware. With the wide availability and low (or no) cost of apps, users install software on mobile devices at a far greater rate than they ever did on a home or work computer.
The appendix identifies the major risks of mobile financial services (MFS) and the mitigating controls that should be implemented. The FFIEC specifically identifies four MFS technologies: SMS technology, mobile-enabled websites, mobile applications and mobile payment technologies. These technologies are vulnerable not only to the same threats as traditional online banking but also to the new risks that come from residing on, and being designed for, a mobile device.
This guidance is a critical read for electronic banking department personnel or individuals responsible for risk management. In it, specific risks that you should be aware of are identified along with controls that should be considered when utilizing MFS. As a reminder, this is not an all-inclusive list; however, it should aid in assessing risk and implementing appropriate controls.
The appendix discusses general operational controls that should be considered for any MFS technology and specific controls for the four different MFS technologies. The general operational controls are as follows.
- Enrollment
- Authentication and authorization
- Application development and distribution
- Application security
- Contracts
- Customer awareness
- Logging and monitoring
The specific risks and controls for each MFS technology are identified below.
SMS Technology
Text messages are used by customers to communicate with their financial institutions and to initiate transactions. Financial institutions use text messages to provide information to customers or as an out-of-band (multi-factor) means of customer verification.
Risks | Controls
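The out-of-band SMS verification the appendix describes is only as strong as the checks around the code: it has to expire, be usable once, survive a limited number of guesses, and approve only the transaction it was issued for, so a code phished or intercepted for one payment cannot authorize another. The following Python sketch is an added example, not code from the FFIEC appendix or from this page, showing those checks in one place. The key, the five-minute lifetime, the three-attempt limit, the in-memory challenge store and the `OobSmsVerifier` class name are all assumptions made for the example; a real deployment would keep the pending challenges in a server-side store and hand `sms_text` to an SMS gateway.

```python
"""Out-of-band SMS verification bound to a transaction (added example)."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: five-minute validity window
MAX_ATTEMPTS = 3         # assumption: discard the challenge after three bad guesses


class OobSmsVerifier:
    """Issues one-time SMS codes bound to a specific transaction and checks them.

    The challenge store is an in-memory dict for the example. `clock` is
    injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock
        self._pending = {}  # challenge_id -> record of an outstanding challenge

    def _tx_digest(self, customer_id: str, amount_cents: int, payee: str) -> bytes:
        # Canonical encoding of the one transaction this code may approve.
        msg = f"{customer_id}|{amount_cents}|{payee}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def _code_mac(self, challenge_id: str, code: str, tx_digest: bytes) -> bytes:
        # Store a MAC of the code, not the code, so a dump of the pending
        # store does not hand out live codes.
        msg = challenge_id.encode() + b"|" + code.encode() + b"|" + tx_digest
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, customer_id: str, amount_cents: int, payee: str):
        """Create a challenge and return (challenge_id, sms_text).

        The SMS text names the amount and payee so a customer who is being
        social-engineered for the code can see what it actually authorizes.
        """
        code = f"{secrets.randbelow(10**6):06d}"
        challenge_id = secrets.token_urlsafe(16)
        tx_digest = self._tx_digest(customer_id, amount_cents, payee)
        self._pending[challenge_id] = {
            "customer": customer_id,
            "mac": self._code_mac(challenge_id, code, tx_digest),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        sms_text = (f"Code {code} approves a payment of ${amount_cents / 100:.2f} "
                    f"to {payee}. It is valid for {CODE_TTL_SECONDS // 60} minutes "
                    "and for no other payment.")
        return challenge_id, sms_text

    def verify(self, challenge_id: str, code: str, customer_id: str,
               amount_cents: int, payee: str) -> bool:
        """Return True only for the right code, customer, amount and payee."""
        rec = self._pending.get(challenge_id)
        if rec is None or rec["customer"] != customer_id:
            return False
        if self._clock() > rec["expires"]:
            del self._pending[challenge_id]          # expired: never usable again
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[challenge_id]          # too many guesses: discard
            return False
        # Recompute from the transaction being submitted now; if the amount or
        # payee differ from what the code was issued for, the MAC will not match.
        tx_digest = self._tx_digest(customer_id, amount_cents, payee)
        expected = self._code_mac(challenge_id, code, tx_digest)
        ok = hmac.compare_digest(expected, rec["mac"])  # constant-time compare
        if ok:
            del self._pending[challenge_id]          # single use
        return ok


if __name__ == "__main__":
    verifier = OobSmsVerifier(secrets.token_bytes(32))
    cid, text = verifier.issue("cust-1", 25000, "ACME Utilities")
    print(text)                                      # what the customer would receive
    code = text.split()[1]
    print("wrong payee accepted?", verifier.verify(cid, code, "cust-1", 25000, "Mallory"))
    print("right transaction accepted?", verifier.verify(cid, code, "cust-1", 25000, "ACME Utilities"))
    print("replay accepted?", verifier.verify(cid, code, "cust-1", 25000, "ACME Utilities"))
```

Binding the code to the transaction is the part most often missing from SMS verification schemes: a code that merely proves "someone has the phone" can be relayed by an attacker to approve a payment the customer never saw, whereas a code whose MAC covers amount and payee fails the moment either is changed.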
Mobile-Enabled Website
Websites are programmed to detect a mobile device and deliver content that renders appropriately on the smaller screen of the detected device. The functionality and security controls may also differ in the mobile-enabled version, so the mobile variant must be assessed on its own rather than assumed to inherit the controls of the full site.
Risks | Controls
Mobile Application
Software written specifically for mobile devices. In the financial institution industry, most apps are written to mimic the functionality of the Internet banking site. Mobile apps can also offer additional functionality based on the native features of the device, such as the camera, location services and biometric capture.
Risks | Controls
Mobile Payment Technologies
Mobile payments include wireless payments at point-of-sale (POS) terminals, person-to-person (P2P) transfers, and any other contactless payment system involving the mobile device. Wireless payments can use various technologies including, but not limited to, near field communication (NFC), image-based methods (e.g., QR codes), carrier billing and mobile P2P.
Risks | Controls
RESOURCES
- FFIEC IT Examination Handbook, Retail Payment Systems, Appendix E: Mobile Financial Services.
- FIL-31-2016: Mobile Financial Services Update to FFIEC IT Examination Handbook Series.