6 Top Mobile Banking Risks
BITS: Don't Procrastinate in Addressing Key Issues
Banks and credit unions that don't take steps now to anticipate mobile banking and payment risks will suffer consequences in the long run, according to new research from BITS, the technology policy division of the Financial Services Roundtable.
"Clearly, they need to be doing a good risk assessment," says Paul Smocer, BITS' president. "Banks need to understand where there might be different and unique threats."
A good place to start: Review what's been done to mitigate risks for other e-commerce channels, such as online. But mobile risk assessment and mitigation has to go a step further.
Reducing mobile risks requires investment in innovative technologies and consumer controls. Smocer says both are important to shaping the future of security in mobile financial services.
"You need to start to think of your phone in the same way you think of your wallet today," he says. "It's something you need to protect, and ensure that you're not sharing with folks who you might not want to see the kind of information that you have available through it."
Top Mobile Risks
BITS expects to hone its mobile recommendations over the next several months, Smocer says. Soon, it expects to offer more specific recommendations, perhaps even best practices, that offer stronger advice.
For now, BITS is just getting a handle on the industry's mobile worries. Its current list of issues was compiled from a poll of mobile experts at 50 U.S. financial institutions.
The top six areas of concern, according to the poll, are:
- Rapid growth. Mobile banking and payments will continually change, and the expectation among security and mobile experts is that the mobile channel will soon become consumers' primary financial-services platform. Because the channel is convenient and can be customized, users will migrate from PC banking and payments to mobile. And the more mobile users, the greater the security risk.
- Need for new security controls. Because the mobile threat landscape is growing - Symantec in its just-released Internet Security Report says targeted attacks on mobile phones are increasing - financial institutions must be diligent in their efforts to keep up with emerging mobile threats. That means they have to make investments in security controls specific to mobile.
- More players, more risks. The mobile system depends on a number of players, many of which fall outside the scope of core financial services. Device manufacturers, operating systems, network operators, application developers and others all are involved. And they all need to address security.
- Privacy issues. Emerging mobile privacy issues, such as those revolving around geo-location, will become more critical. As more mobile technologies emerge, institutions will have to balance customer and member convenience with security and fraud prevention.
- Role of consumers. Financial institutions must develop strategies to educate their customers and members about actively managing their own mobile-device security.
- Anticipating risk. As more mobile services hit the market, banks and credit unions must balance innovation with fraud protection. More threats will emerge as adoption grows. Anticipating new risks will be paramount.
Luckily, many consumers are as concerned about security as banks are, especially when payments come into play. In fact, security worries are the No. 1 reason consumers don't adopt mobile payments, according to The Federal Reserve's Consumers and Mobile Financial Services study.
"That's where we see the most churn and risk," Smocer says. "There's a bit of trepidation on the part of consumers to really want or accept that mobile-payments service, knowing how it might affect both their security and privacy."
Mobile payments will have a longer maturity cycle than mobile banking, Smocer says, because of the number of platforms and emerging players vying for market share. But banking institutions need to stay ahead of the payments curve because consumer mobile payments inevitably will grow, he adds.
FFIEC Impact on Mobile
Although the FFIEC's updated Authentication Guidance doesn't mention mobile banking and payments, it's clear that the guidance is relevant.
Banking institutions are attempting to determine how implementing authentication and identification controls in the mobile channel is different from applying the technologies in the online channel. "That's been the subject of a fair amount of discussion we've had with our members," Smocer says.