Is Mobile Guidance on the Way?

Emerging Security Risks a Focus for Regulators

By , June 28, 2013.
Is Mobile Guidance on the Way?

U.S. banking institutions should be bracing now for new mobile banking and payments security guidelines from regulators or updates to existing guidance, a growing number of banking leaders and mobile experts are concluding.

See Also: Cloud Infrastructure: Same Security Needs, Dynamic New Environment

Recent discussions among regulators and banking leaders about mobile risks, as well as the issuance of papers related to mobile best practices, suggest some type of security update related to mobile is on the way.

Doug Johnson, vice president of risk management policy for the American Bankers Association, says the timing for more mobile guidance is right, and banking regulatory agencies are using different vehicles to push security recommendations. "While we don't have anything formal related to what the agency actions might be, it would not be surprising to me if the agencies [used] one of those vehicles to address mobile security risks," he says.

The Federal Financial Institutions Examination Council likely will issue guidance or mandates regarding the use of layered security for mobile within the next 12 months, predicts Dave Jevans, founder of online-security and authentication provider Marble Security, formerly IronKey.

But those new requirements or guideposts could come in the form of an update to the existing IT handbook, Authentication in an Internet Banking Environment, which covers online-banking transactions, he says.

"We'll probably see something, but I don't think it will be immediate," Jevans says. "We will see updates around mobile apps and the kinds of devices that are in use, particularly the Android. ... And I also think using mobile for a second factor of authentication will come up, as well as what the risks are there. That issue is becoming more clearly understood."

But Joe Rogalski, a security consultant and former fraud and compliance officer for First Niagara Bank, a $36 billion institution in New York state, says he doesn't expect to see any new guidance aimed at mobile.

"Personally, I think we should see some guidance, but don't think we will," he says. "We will eventually see problems with mobile, just as we did with ACH and wire. Now, will the losses get to the level that we now see with ACH and wire fraud? That's what we have to ask and consider."

Layers for Mobile?

In June 2011, when the FFIEC issued its first update regarding authentication in online banking since 2005, practitioners questioned why mobile was not specifically addressed.

Since that update, regulators, such as the Federal Deposit Insurance Corp., and industry groups, such as the ABA and BITS, have stressed that institutions should apply to mobile banking the same authentication and layered-security principles they have been asked to apply to online banking.

In fact, the FDIC has been addressing mobile banking and payments concerns in its Supervisory Insights Journal since late 2011, says William Henley, associate director for the Federal Deposit Insurance Corp.'s technology supervision branch. "The FDIC recognizes that mobile financial services are rapidly gaining popularity with consumers and businesses. And mobile financial services is a frequent topic of conversation with our regulatory counterparts."

Jim Pitts, who oversees mobile innovations for BITS, the technology policy division of the Financial Services Roundtable, says banking executives need to be thinking ahead, anticipating unforeseen mobile risks. That's why BITS just released a layered security model for mobile banking that aims to help senior banking executives better understand mobile risks and mitigation strategies.

"This is to help anyone in the financial institution understand the risks," Pitts says. "There are lots of different devices out there; it's not just phones. It's complicated, but I think this document has a whole lot of applicability."

Follow Tracy Kitten on Twitter: @FraudBlogger

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Windows 10: No More Monthly Patches

With the upcoming release of Windows 10, Microsoft plans to inaugurate 24/7, cloud-based patching,...

Latest Tweets and Mentions

ARTICLE Windows 10: No More Monthly Patches

With the upcoming release of Windows 10, Microsoft plans to inaugurate 24/7, cloud-based patching,...

The ISMG Network