Risk Management of Mobile Financial Services

The Federal Financial Institutions Examination Council (FFIEC) has added a section to its IT Examination Handbook that addresses the risk management implications of mobile financial services. This new section—Appendix E of the Retail Payment Systems Booklet—emphasizes an enterprise-wide approach to the effective management and mitigation of risks associated with mobile financial services.

The FFIEC observes that although mobile financial services can provide more convenient transaction execution capabilities, offering them can pose elevated risks related to device security, authentication, data security, application security, data transmission security, compliance, and third-party management. Customers are often less likely to activate security controls, virus protection, or personal firewall functionality on their mobile devices. Moreover, mobile financial services often involve the use of third-party service providers.

Appendix E discusses the risks associated with each type of mobile technology:

  • SMS technology risk

SMS messages typically are transmitted unencrypted over widely used telecommunications networks. This may allow an unauthorized user to send an SMS message pretending to be from a different mobile number in order to obtain sensitive personal information or access codes to financial institution systems.

  • Mobile-enabled website risk

In addition to the vulnerabilities of computer-based banking, mobile devices may have a reduced level of security. Mobile-enabled browsers do not always have anti-phishing and anti-cross-site scripting capabilities to filter out malicious code from websites.

  • Mobile application risk

Applications can be downloaded to mobile devices from many application stores. These applications may contain vulnerabilities, particularly those obtained from application stores not authorized by the device manufacturer. Distribution of malware through applications is a material risk to the institution and its customers. Another risk occurs with the user's ability to access root user privileges in the operating system of the device, thereby removing the manufacturer's device controls or core operating system controls and allowing the user to download untrusted applications that may introduce malware onto the device.

  • Mobile payments risk

Mobile payments at the point of sale may use near field communication (NFC), and such communications can be intercepted. Even if these communications are encrypted, the potential remains for unauthorized access to transaction information.
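The mobile-enabled website risk above rests on one practical point: a mobile browser may offer no anti-cross-site scripting filtering, so an institution cannot rely on the client to neutralize malicious markup and must encode untrusted data on the server. The following Python snippet is an added example written for this summary; it is not code from the article, from RMA, or from the FFIEC appendix. It places a vulnerable page-rendering routine beside a hardened one and adds the server-side response headers that restrict script execution regardless of the browser. The sample display name, the function names, and the per-response nonce are constructed for illustration.

```python
import html
import secrets
from typing import Dict

# Constructed sample input: a customer-controlled profile field that the site
# later echoes into a page. An attacker could set it to injected markup.
SAMPLE_NAME = '<img src=x onerror="alert(document.cookie)">'


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable form: untrusted data is concatenated straight into HTML.

    A desktop browser with an XSS filter might neutralize the payload; a mobile
    browser without such a filter will simply execute the injected handler.
    """
    return f"<p>Welcome back, {name}</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened form: HTML-encode untrusted data at the point of output.

    The browser receives text rather than markup, so the outcome no longer
    depends on whatever filtering (if any) the client happens to provide.
    """
    return f"<p>Welcome back, {html.escape(name, quote=True)}</p>"


def new_script_nonce() -> str:
    """Hypothetical helper: a fresh random nonce generated per HTTP response."""
    return secrets.token_urlsafe(16)


def security_headers(nonce: str) -> Dict[str, str]:
    """Server-side headers that limit script execution independently of the client.

    Only scripts carrying the per-response nonce may run; inline event handlers
    such as the one in SAMPLE_NAME are blocked by a CSP-aware browser, and
    nosniff stops content-type confusion from turning data into script.
    """
    csp = (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}'; "
        "object-src 'none'; "
        "base-uri 'none'"
    )
    return {
        "Content-Security-Policy": csp,
        "X-Content-Type-Options": "nosniff",
    }


def contains_raw_markup(rendered: str) -> bool:
    """Crude check used only to contrast the two renderings in this example."""
    return "<img" in rendered or "<script" in rendered


if __name__ == "__main__":
    print("unsafe :", render_greeting_unsafe(SAMPLE_NAME))
    print("safe   :", render_greeting_safe(SAMPLE_NAME))
    for header, value in security_headers(new_script_nonce()).items():
        print(f"{header}: {value}")
```

Output encoding is the primary control here; the Content-Security-Policy header is defense in depth, and note that it only helps on browsers that enforce CSP, which is exactly the kind of client-side assumption the appendix warns against relying on alone.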

Appendix E advises institution management to identify compliance risks when determining which mobile financial services to offer, and to continue monitoring these risks as the technology evolves.

The above is based on an excerpt from The RMA Journal, September 2016 article “Regulators Focus on Risk Management of Mobile Financial Services” by Bernard Mason, RMA’s regulatory liaison. You can read the article in its entirety here.
