Risk Revisions


An FFIEC guidance update addresses risks for mobile financial services

By Cheryl Winokur Munk

New federal regulatory guidance provides a more-defined risk management road map to banks navigating the fast-changing territory of mobile financial services.

A recently published Appendix E to the Federal Financial Institutions Examination Council’s Information Technology Examination Handbook provides specific information about several types of mobile technologies, including text messaging, mobile-enabled websites and browsers, and wireless payment technologies. The appendix updates the guidance with details on the risks associated with each mobile channel and discusses the risks banks should assess when offering them.

“We want the financial institutions to understand what the expectations are and what the examiners will be assessing,” explains Kevin Greenfield, director for bank information technology at the Office of the Comptroller of the Currency.

The new mobile services addition to the FFIEC handbook doesn’t prescribe specific controls banks must implement. Instead, federal regulators leave it to banks to determine the best way to implement its requirements, explains Tom Wills, a data security expert with Ontrack Advisory Pte. Ltd., a management consulting firm based in Singapore with a San Francisco office serving the United States.

That flexible approach in the guidance is a wise move, offers Wills, because “specific methodologies will change frequently as technology evolves and as threats and vulnerabilities evolve.”

The expanded joint-agency guidance does offer suggestions on how banks can best mitigate risk. It urges banks to implement effective, institutionwide controls and coordinate efforts with customers and third-party service providers, for instance.

“As banks start to expand their footprint in wireless, there are going to be added cybersecurity risks,” says Andy Obuchowski, director of the national security and privacy group with Chicago-based consulting firm RSM US LLP. “Regulators want banks to identify those potential risks and manage them by putting in stronger safeguards to make sure their systems and data are secure.”

To mitigate operational risk, the guidance states that banks should consider implementing controls such as tools to verify a customer’s identity during enrollment for a mobile service. They also should have a secure process for authenticating customers to protect against fraud. Banks should not rely on single-factor authentication for mobile applications, as they shouldn’t rely on single-factor authentication in general for any online channel carrying sensitive personal information.

The guidance also stresses the need to educate customers about security risks and states that banks should implement well-constructed, legally sound contracts with third parties to mitigate risk and address potential unforeseen problems in the future. “For various reasons, including cost, some banks may choose not to fully adhere to the highest level of guidance from the FFIEC,” says Marc DeCastro, a research director at the technology research and consulting firm IDC Financial Insights in Framingham, Mass. However, those banks that uncover prominent variances from the guidance should address them as quickly as possible, and certainly in advance of an examination, he notes.

When working with third-party providers, banks still need to apply appropriate due diligence, control oversight and monitoring, says the OCC’s Greenfield. “Banks need to understand that they are not outsourcing risk, they are outsourcing the operational processing,” he says.

Main Point:

FFIEC guidance appraises the latest risks for various mobile service channels.

Cheryl Winokur Munk is a financial writer in New Jersey.