U.S. banking institutions should be bracing now for new mobile banking and payments security guidelines from regulators or updates to existing guidance, a growing number of banking leaders and mobile experts are concluding.
Recent discussions among regulators and banking leaders about mobile risks, as well as the issuance of papers related to mobile best practices, suggest some type of security update related to mobile is on the way.
Doug Johnson, vice president of risk management policy for the American Bankers Association, says the timing for more mobile guidance is right, and banking regulatory agencies are using different vehicles to push security recommendations. "While we don't have anything formal related to what the agency actions might be, it would not be surprising to me if the agencies [used] one of those vehicles to address mobile security risks," he says.
The Federal Financial Institutions Examination Council likely will issue guidance or mandates regarding the use of layered security for mobile within the next 12 months, predicts Dave Jevans, founder of online-security and authentication provider Marble Security, formerly IronKey.
But those new requirements or guideposts could come in the form of an update to the existing IT handbook, Authentication in an Internet Banking Environment, which covers online-banking transactions, he says.
"We'll probably see something, but I don't think it will be immediate," Jevans says. "We will see updates around mobile apps and the kinds of devices that are in use, particularly the Android. ... And I also think using mobile for a second factor of authentication will come up, as well as what the risks are there. That issue is becoming more clearly understood."
But Joe Rogalski, a security consultant and former fraud and compliance officer for First Niagara Bank, a $36 billion institution in New York state, says he doesn't expect to see any new guidance aimed at mobile.
"Personally, I think we should see some guidance, but don't think we will," he says. "We will eventually see problems with mobile, just as we did with ACH and wire. Now, will the losses get to the level that we now see with ACH and wire fraud? That's what we have to ask and consider."
Layers for Mobile?
In June 2011, when the FFIEC issued its first update regarding authentication in online banking since 2005, practitioners questioned why mobile was not specifically addressed.
Since that update, regulators, such as the Federal Deposit Insurance Corp., and industry groups, such as the ABA and BITS, have stressed that institutions should apply to mobile banking the same authentication and layered-security principles they have been asked to apply to online banking.
In fact, the FDIC has been addressing mobile banking and payments concerns in its Supervisory Insights Journal since late 2011, says William Henley, associate director for the FDIC's technology supervision branch. "The FDIC recognizes that mobile financial services are rapidly gaining popularity with consumers and businesses. And mobile financial services is a frequent topic of conversation with our regulatory counterparts."
Jim Pitts, who oversees mobile innovations for BITS, the technology policy division of the Financial Services Roundtable, says banking executives need to be thinking ahead, anticipating unforeseen mobile risks. That's why BITS just released a layered security model for mobile banking that aims to help senior banking executives better understand mobile risks and mitigation strategies.
"This is to help anyone in the financial institution understand the risks," Pitts says. "There are lots of different devices out there; it's not just phones. It's complicated, but I think this document has a whole lot of applicability."
The 15-page document highlights authentication considerations, risks posed by mobile carriers, protocol and security standards requirements, and network and security assessments. It also touches on customer education, vendor management and device identification, as well as emerging malware trends.
Mitigating Mobile Risks
The FDIC has addressed mobile risks through articles it has published for banks and consumers, Henley says. "[These articles] describe strategies for mitigating the risks, describe the mobile payments marketplace and examine critical issues, including the adequacy of legal protections and disclosures received by consumers," he says.
Some of those recommendations touch on other existing standards, such as the Payment Card Industry Data Security Standard, to which banking institutions should turn, Pitts notes. He says new guidance isn't really needed if banking institutions adequately address these risks in their assessments and mobile strategies.
But Jevans says some unique risks, such as those related to encryption of data in near-field communications, or NFC, used for mobile payments, are going to require additional security guideposts. "NFC payments, for example, are going to have to get covered, certainly within PCI and maybe under the FFIEC. But PCI is not a magic bullet, and, frankly, PCI is really just a best-effort thing. It's not hack-proof, and the industry knows this."
Johnson of the ABA says the banking industry is aware of the limitations of existing security standards and guidance. "But I don't sense there is a march to put out mobile guidance swiftly," he adds.
Still, consumer demands for more mobile financial services are putting pressure on institutions and regulators to ensure they address security concerns, Johnson says.