The Federal Financial Institutions Examination Council recently issued a new appendix on “Mobile Financial Services” to the Retail Payment Systems booklet of the FFIEC Information Technology Handbook.
The appendix provides guidance and a work program to assist examiners in evaluating the risks posed by an institution's mobile financial services, or “MFS”, and assessing the controls that have been implemented to mitigate those risks. Identified MFS risks include device security, authentication, data security, application security, data transmission security, compliance, and third-party management. According to the FFIEC, these risks may be elevated for MFS because consumers are often less likely to activate security controls, virus protection, or personal firewall functionality on their mobile devices compared to traditional desktop computers, and banks are prone to involve third-party service providers in offering MFS who may be unfamiliar with applicable regulations.
According to the March 2016 Consumers and Mobile Financial Services survey and report prepared by the Board of Governors of the Federal Reserve, adoption of MFS continues to increase, with the number of internet-enabled smartphones and the use of mobile banking and payments experiencing steady year-over-year growth. As noted in that report, use of MFS varies across demographics and is more prevalent among young adults, minorities and those with low levels of income. Consumers continue to have reservations over mobile security and privacy, but indicated that they would be willing to go through additional security measures implemented by their banks.
The unique risk profile of MFS, together with their rapid adoption by financially vulnerable demographic groups, perhaps explains why among all the retail payments access channels identified by the FFIEC, MFS have been singled out for discussion. Since most MFS access established payment methods such as ACH and credit/debit networks, they would not materially increase the bank’s credit or liquidity risk related to settlements. The appendix therefore focuses on the strategic, operational, compliance and reputation risk posed by MFS, and controls to mitigate such risks. Significantly, the appendix also identifies specific security risks associated with SMS technology, mobile-enabled websites, mobile applications and mobile payments, and prescribes general and specific operational controls that an institution or its third-party service providers should consider when implementing MFS.
We encourage all supervised financial institutions and their MFS service providers to review the appendix and refresh their risk evaluation and risk management procedures accordingly.