The federal body tasked with creating standards for the uniform regulation of financial institutions has released new information to assist examiners in evaluating mobile services offered by financial institutions and their third-party service providers.

"Appendix E: Mobile Financial Services" of the "Retail Payment Systems Booklet" of the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook focuses on identifying the risks associated with mobile financial services. It emphasizes the importance of an enterprise-wide risk management approach for effectively managing and mitigating risks as they evolve.

The Handbook, including Appendix E, applies to any financial institution supervised by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, or the Consumer Financial Protection Bureau.

Mobile financial services may be offered through a number of technologies, including:

  • Short message service (SMS)/text messaging
  • Mobile-enabled websites and browsers
  • Mobile applications
  • Wireless payment technologies

Consequently, offering mobile financial services can elevate risks related to device security, authentication, application security, data transmission, compliance, and third-party management. The FFIEC notes that there are numerous types of mobile devices that present different risks, and financial institutions must identify the unique risks associated with specific devices and operating systems.

Two other risk areas that the FFIEC highlights in the appendix are risks introduced by customers, as well as risks arising from third parties involved in offering mobile financial services. Customers tend to neglect activating security controls, virus protection, or personal firewall functionality on the devices through which they use mobile financial services. Furthermore, customers are often left with the responsibility to implement the security settings related to individual mobile financial services. This ultimately results in increased dependence on the customer to manage the controls over sensitive financial data. Managing this risk may require financial institutions to provide security awareness materials to customers, such as prudent security practices for the device (for example, use of mobile anti-malware or PIN protection), so that customers understand their roles in securing their devices and the need for such security.

It is also critical to understand, the FFIEC notes, that mobile financial services are conducted in a broader mobile ecosystem. This ecosystem includes carriers, networks, platforms, operating systems, developers, and application stores that enable mobile devices to function and interact with other applications and devices. Effective management of risks involves working with the other parties in the mobile ecosystem. Depending on the type of mobile financial services offered, financial institutions may need to interact with, and manage the risks associated with, application developers, mobile network operators, device manufacturers, specialized security firms, and other nonfinancial third-party service providers.

The Handbook continues to offer essential guidance to financial institutions in identifying and managing risk. As the popularity of mobile financial services continues to grow, financial institutions should keep themselves apprised of such key resources.

Attorneys in Ballard Spahr's Consumer Financial Services and Privacy and Data Security Groups regularly advise companies on developing products in the mobile channel to ensure compliance with the full range of state and federal consumer financial services, privacy, and data protection laws, as well as on structuring and documenting new consumer financial services products.
Copyright © 2016 by Ballard Spahr LLP.
www.ballardspahr.com
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.