Mobile Banking: Guidance is Coming Ex-Regulator Says Institutions Must Prepare for Mobile Regs
BITS, a division of The Financial Services Roundtable, is taking a close look at mobile. In October, BITS is hosting a conference dedicated to security concerns surrounding mobile banking and mobile payments. William Henley, the senior vice president of regulation for BITS, who formerly served as the director of IT examinations for the Office of Thrift Supervision, says banking institutions can within the next 12 months expect new federal guidance regarding the use and application of mobile financial services.

"Early adopters always run the risk of having to adapt and modify technology, and here at BITS we are working to support the industry to help anticipate these changes, while improving processes, technology and security," Henley says.

The mobile banking channel is quickly emerging as a dominant channel in the financial space. There's little doubt that mobile banking, and soon mobile payments, will play a key role in the way financial institutions interact with their customers and members. As this channel grows and new technology emerges, regulators are fervently working to better understand the channel's security risks.

During this interview, Henley discusses:

  • The unique security and challenges surrounding mobile remote deposit capture;
  • The industry's view on mobile's bridge to chip & PIN or EMV payments in the United States;
  • Steps institutions already immersed in mobile offerings should take as regulators prepare new guidance.

William H. Henley Jr. joined BITS in 2010 as senior vice president of regulation. As the regulation program lead, he manages relationships with federal regulators, outlines policy positions on operations and technology issues, and provides subject matter expertise on regulator issues. Henley previously spent more than 20 years in federal government service as a financial institution regulator, most recently as the Director of IT Examinations for the Office of Thrift Supervision. In that role, he served as the principal advisor regarding the development, implementation and maintenance of policies, procedures and guidelines pertaining to the examination and supervision of saving associations in the area of information technology and technology risk management, including electronic banking activities; and was the OTS representative to the Federal Financial Institution Examinations Council's IT Subcommittee.

Henley also served as the chairman of the Federal Financial Institutions Examination Council's IT Subcommittee, which is responsible for interagency coordination of IT examination procedures and industry guidance. He served as the OTS's acting deputy chief financial officer in 2008, responsible for the oversight and policy formulation for the specialty areas of financial operations, strategic planning, performance budgeting, acquisition management, payroll, travel, and relocation. Prior to the OTS, Henley spent 17 years at the FDIC in various roles, including examination specialist in the Technology Supervision Branch and acting section chief of the Capital Markets Policy Branch.

BITS, The Financial Services Roundtable

TRACY KITTEN: The mobile banking channel is quickly emerging as a dominant channel in the financial space. As this channel grows and new technology emerges, regulators are fervently working to better understand the channel's security risks. I'm here today with William Henley, who recently joined BITS.

WILLIAM HENLEY: BITS is a division of The Financial Services Roundtable; it is the technology-policy division and it was created to foster the growth and development of electronic financial services and e-commerce for the benefit of financial institutions and their customers. BITS focuses on strategic issues, where industry cooperation serves the public good, such as critical infrastructure protection, fraud prevention and the safety of financial services, by leveraging intellectual capital to address emerging issues at the intersection of financial services, operations and technology. In my current role with BITS, I hope to prepare the BITS members and the members of the roundtable and assist them with their compliance with regulatory requirements, using my experience to explain to members what the regulatory expectations are for compliance, and manage the relationships with the regulatory agencies -- also addressing policy positions on operations and technology issues, and providing subject matter expertise on regulatory issues for the members.

National Breach Notification and Mobile Banking Tech

KITTEN: Now that you have joined BITS, you have noted a few key areas of focus: One is working to set a national standard for data breach notification, but what are some other key areas of focus and where does mobile fall into that fold?

HENLEY: National standards for Data Breach Notification is something that we are continuing to keep an eye on this issue. As you know, across the country, there are 46 different states that have legislation that address this issue; so we are keeping an eye on an eventual national standard there, and if there will be state preemption. BITS also is reviewing the mobile channel, working to better understand the types of transactions consumers are currently conducting and are expected to conduct in the near future. In October, BITS is hosting a conference to address mobile security. The agenda provides a portal into the issues that BITS is reviewing, such as remote deposit capture, to see if this convenience will now extend to the scan, send and truncation of checks via mobile phones, along with opportunities and issues. The EMV and mobile-payments session will address whether mobile payments will expedite the launch of chip and PIN security technology in the United States. In the "MCheck, eCheck or No Check" session, we will explore the impact of mobile on check electronification along with the risks of moving forward. One of the highlights on the agenda will be the regulators panel, which will provide some insight into what the agencies are doing, with respect to mobile payments.

In addition, the Financial Services Technology Consortium, or FSTC, along with BITS, forms the technology group under the Financial Services Roundtable. The Technology Consortium completed a project series earlier this year that brought together a significant cross-section of organizations, including financial institutions, technologists, innovators, academics, and consultants with notable financial and wireless industry organizations, to collaborate on efforts and provide guidance. Guidance was provided to a project team, which includes (representatives from) the American Bankers Association, the Federal Reserve system, NACHA, the Smart Card Alliance and Swift, to name a few. They looked at security applications, network operators, handset manufacturers, infrastructure, architecture, standards and regulations to develop a database for information around current mobile capabilities.

BITS: Mobile Security

KITTEN: What are some of the primary security and fraud concerns associated with mobile and what are some of the concerns you expect to address at this conference in October?

HENLEY: So some of the primary concerns would be the open architecture associated with emerging technologies, generation of safe software protocols and concerns, coupled with profit motives in unregulated markets. Consumers should be wary of shortcut alternatives, and consumer awareness needs to be raised, relative to working with trusted organizations to support financial and privacy-sensitive transactions.

So, three overall tips that I could provide regarding privacy, security ad fraud concerns are:

  • Know your service provider; know who you are dealing with. Some institutions protect customers with zero liability against fraud, so you should deal with reputable providers, both with the institutions that they choose to complete mobile transactions and also on the consumer side, if they are using any third-parties in development of their applications and software;
  • Security protocols, and that relates to customer-authentication protocols; making sure that there are strong authentication procedures, both on the consumer side and the financial institution side;
  • Password strength; financial institutions should require their customers to use strong passwords and should advise consumers not to try to shortcut that for their protection. They should use strong passwords in their access to their account through the mobile channel.

Mobile: Current Regulation

KITTEN: Given your history with the OTS and the FDIC, can you provide any insight into how the mobile channel is currently regulated? For instance, under what regulations are certain types of transactions being governed, if at all?

HENLEY: The regulations that would cover it, of course, would be the Federal Reserve Board's Regulation E, as it talks to electronic transactions. And the agencies continue to take a very principles-based approach, with respect to the mobile channel, rather than a prescriptive approach. The message from regulators, generally, has been that they will review the risk assessment and the method that an institution has chosen to mitigate those risks that they have identified, with the expectation being that the institution has reached a conclusion that is most appropriate for their institution and they understand their decision and are able to defend their decision.

KITTEN: Over the next 12 months, do you expect new guidance regarding mobile banking and regulatory reform to affect this emerging channel?

HENLEY: Yes, I do. This is something that the agencies for a while now have been reviewing, and even before the expansion of consumer use of mobile banking, this was something that the agencies were aware of and were reviewing and trying to determine the best way to address through guidance. So, I do expect that the regulatory agencies will issue something within the next 12 months.

Impact of Mobile Regulations

KITTEN: What impact might new guidance or new regulations have on institutions that have already deeply developed and deployed their mobile banking offers?

HENLEY: I think the agencies will take into account that there are institutions that are using this delivery channel, so they will focus on best practices. Once again, has management completed a thorough risk assessment prior to the deployment, or were they only motivated by keeping up with their competition or being the first to market? That being said, however, early adopters always run the risk of having to adapt and modify technology, and here at BITS we are working to support the industry to help anticipate these changes, while improving processes, technology and security.

Mobile and New Tech

KITTEN: What final thoughts or considerations, regarding mobile banking, can you offer bankers listening to this interview?

HENLEY: Well, the bottom line is new technology associated with mobile banking is providing opportunities for consumer convenience and business sufficiency in many ways. Our goal should be to take advantage of these new technologies, not only to improve service, but also to raise the bar in security and privacy issues associated with transacting business in the digital world in which we live.

Around the Network