June 2016 SAFE Newsletter
By Shivani Malik
Mobile Financial Services: The Service vs Security Conundrum
In April 2016, the Federal Financial Institutions Examination Council (FFIEC) introduced updated guidance that addresses the risk posed by Mobile Financial Services (MFS) and how best to manage and mitigate those risks. MFS are products and services that a financial institution provides to its customers through any mobile device, including but not limited to mobile phones, portable computers, and smart watches. These mobile devices inherit the information security risks of traditional delivery channels; however, the strategy to manage and mitigate this risk varies based upon the MFS services implemented within the financial institution.
Utilizing MFS technologies presents strategic, operational, compliance, and reputational risk, and each technology requires a different strategy to manage and mitigate these risks. Most financial institutions implement MFS through the following technologies:
· Short message service (SMS)/ Text message
· Mobile-enabled Web sites and browsers
· Mobile applications
· Wireless payment technologies
Short message service (SMS)/ Text message
SMS/ Text message is utilized by both customers and the financial institution. Customers use SMS to send instructions to the financial institution in order to process financial transactions. Furthermore, the financial institution utilizes SMS to send information to customers, such as account alerts and one-time authentication codes. Although SMS messaging seems simple and convenient, it presents substantial risk of exposing customer information, because SMS messages cannot be encrypted and are highly susceptible to phishing attacks. Pre-registration, the use of security tokens, strong PINs, and readily available customer awareness materials may help to mitigate some of the risks presented by SMS; however, the financial institution should strongly consider whether this type of MFS is aligned with its strategy and, more importantly, whether it is commensurate with its risk tolerance and its legal obligation to vigilantly protect consumer financial information.
Mobile-enabled Web sites and browsers
Mobile-enabled Web sites and browsers are created by the financial institution to improve the customer experience by displaying the web page in the best format for a particular mobile device. Design and customer use present the greatest risks surrounding the use of mobile-enabled web sites and/or browsers. Implementing proper design standards, following a formal life cycle, and providing customer education and awareness are activities that can assist in mitigating the risk posed by mobile-enabled Web sites and browsers.
Mobile applications
Mobile financial applications are developed by or for the financial institution to allow customers to perform account queries, retrieve information, and initiate financial transactions. Mobile financial applications present the same security risks as desktop applications, so a variety of security mechanisms should be implemented to mitigate this risk. These mechanisms include policy enforcement, biometric security, security awareness training, patching, and the ability to remotely wipe the device if it is lost or stolen.
Wireless payment technologies
Wireless payment technologies initiate the exchange of payment credentials and authorizations between the mobile device and the financial institution. These technologies rely on different core technologies that present various types of risk. The financial institution should work with its mobile payments providers to identify and minimize potential risk factors.
While implementing MFS technologies improves the customer experience, it also has a significant impact on the risk profile of an organization. Mitigating controls can assist in decreasing this risk, but MFS must now be managed and monitored by the financial institution so it can ensure that confidential consumer information is not leaked and the banking experience remains secure.
Mobile Financial Services: The Service vs Security Conundrum
The release of the Federal Financial Institutions Examination Council (FFIEC) Mobile Financial Services guidance on the heels of the Cybersecurity Assessment Tool may present additional concerns to small and mid-sized financial institutions. These institutions face the very real issue that, in order to demonstrate adherence to the guidance's expectations, they will incur increased expenses. For a community financial institution, these expenses could have a significant impact on the bottom line.
In an effort to ease the burden on smaller institutions, the FFIEC attempted to provide clear guidance on how Mobile Financial Services will be evaluated during an exam. This guidance integrates MFS into information security activities already required of the financial institution. It ensures that MFS technology, if offered through the bank, is considered by mapping out seven (7) objectives:
Objective 1: Management effectively responds to issues raised or problems related to MFS.
Objective 2: Financial institution management incorporates (or plans to incorporate) its plan for implementing MFS into its strategic planning process.
Objective 3: Financial institution management identifies the risks associated with offering MFS.
Objective 4: Financial institution management appropriately and effectively measures risks associated with MFS and determines the likelihood and impact of those risks.
Objective 5: Financial institution management effectively identifies and implements controls to mitigate identified and prioritized risks associated with the MFS offerings.
Objective 6: Financial institution management maintains effective oversight of MFS activities. Management maintains appropriate reporting for various levels of management to support that oversight.
Objective 7: Discuss corrective action and communicate findings.
Initially, small to medium-sized financial institutions may find this guidance burdensome, but failing to evaluate and mitigate the risk that MFS introduces may lead to larger compliance violations, such as a lack of adherence to the Red Flag Rule, decreased protection of consumer financial information, and an increased likelihood of fraudulent activity.
Because of the fiduciary obligation owed to its customers, a financial institution must balance the benefit of offering new technology against the cost of decreased protection of customer data, and closely evaluate whether that risk is acceptable to the institution while still offering the required protection to its customers. In order to offer new technology and convenience to the customer while proactively providing protections, MFS security should become an integrated part of the information security program.
True or False:
Choose the best answer:
Mobile Financial Services
A. Inherit the same information security risks as traditional delivery channels and require the use of the same strategies to manage and mitigate those risks.
B. Present different information security risks than traditional delivery channels but require the use of the same strategies to manage and mitigate those risks.
C. Present different information security risks than traditional delivery channels and require the use of different strategies to manage and mitigate those risks.
D. Inherit the same information security risks as traditional delivery channels but require different strategies to manage and mitigate those risks.
Information Security Tip of the Month:
Implementing Mobile Financial Services requires a cost benefit analysis to ensure that the cost of providing MFS does not decrease the protection to consumer identifiable information.