With Growth Comes Risk for the Mobile Banking Industry

With Growth Comes Risk for the Mobile Banking Industry

Mobile banking is a growth industry in both domestic and international markets. Mobile banking is expected to grow in conjunction with the growth of the smartphone user demographic. In the United States, the number of smartphone users nationwide is forecast to reach 53 million by 2013, according to The Tower Group. Moreover, New York—based ABI Research has estimated that the number of mobile banking customers nationwide will nearly triple from 9.3 million in 2009 to 27.7 million through 2011, as smart phones and text banking take off.

Increased availability of mobile banking equals increased risk and requires vigilance against exposure by financial institutions, technology providers, and consumers. Although mobile banking shares many of the same risks that apply to Internet banking, mobile banking has additional exposures to specialized vulnerabilities.

Threats to the individual users include loss of the handset and user lapses involving insecure passwords or Personal Identification Numbers (PINs). In addition, unsuspecting users may fall prey to “phishing” attacks, which trick the customer into disclosing financial or security information.

Another emerging danger to the security of the handheld device involves the “cloning” of the user’s phone information onto another phone. Beyond issues related to the user and the device, the mobile channel itself has vulnerabilities. These vulnerabilities include intermittent encryption and resulting loss or interception of data.

A final category of threats involve security lapses by the technology provider or financial institution, resulting in the infiltration of malware, such as worms and viruses, on the financial institution’s servers, the mobile phone, or any of the technologies linking the phone to the bank.

Additional Vulnerabilities

Additional mobile banking vulnerabilities have been identified by the Bankable Frontier Associates, LLC in a March 2008 report commissioned by FinMark Trust. These vulnerabilities include issues arising from the limited keypad functionality of standard handsets, which can affect the choice and security of PINs. In addition, the nature of the small screen of the handset can limit the type and form of disclosures within the communications regarding the financial transactions. Moreover, vulnerabilities of the mobile channel arise because encryption is not necessarily end-to-end, creating openings at various points where data can be intercepted and read by third parties. Finally, challenges exist in developing environments, including channel dependence, high volumes, and the use of cash agents in a situation involving a shortage of other means of accessing cash.

The effects of these security breaches range from individual loss to large-scale institutional exposure. Because these risks are similar or identical to the risks resulting from Internet banking, the same risk management principles used in Internet PC-based banking should be applied to mobile banking.

According to the FinMark Trust report, the risk management principles set out by the Bank for International Settlements (BIS) Basel Committee on Bank Supervision, provide an appropriate framework for risk management in mobile banking. Due to the specialized nature of mobile technology, however, additional steps are advisable based on the nature of the mobile channel platform. These steps have been identified by the Mobile Marketing Association.

Banks should consider incorporating the following actions within the framework of their mobile banking compliance programs:

• Use reasonable, industry-accepted measures to reduce exposure to risk, taking into consideration the applicable mobile channel platform and the banking service being provided.

• Include the BIS Risk Management Principles, as applied to banking boards of directors and upper-level management, focusing on effective management oversight, security controls, and due diligence.

• Include the BIS Risk Management Principles, as applied to security controls, including accountability for banking transactions, proper authorization controls, data integrity, clear audit trails for mobile banking transactions, and confidentiality.

• Include the BIS Risk Management Principles, as applied to legal and reputational risk, including proper disclosures, customer information privacy, contingency planning, and incident response planning.

• Adopt the BIS sound business practices relating to e-banking, including sound control practices, sound practices for managing outsourced e-banking systems and services, sound authorization practices, sound audit trail practices, sound privacy practices, and sound business capacity, continuity and contingency planning practices.

While not intended to be an exhaustive list, these practices and principles can form a framework for banks to utilize when considering mobile banking.

LexisNexis will host a complimentary CLE Webinar worth 1½ CLE credits. Learn from a panel of experts about the most popular mobile payment services and platforms, as well as growth trends during this free Webinar. The experts will review the laws and regulations governing mobile payments, who is responsible for compliance, pending legislation, liability stemming from consumer risks, and privacy challenges. They also will share best practices and industry standards. The Webinar will be held on March 21, 2012, from 2:00 to 3:30 p.m. ET. Register now!