Magazine article The RMA Journal

Regulators Focus on Risk Management of Mobile Financial Services

Article excerpt

THE FEDERAL FINANCIAL Institutions Examination Council (FFIEC) has added a section to its IT Examination Handbook that addresses the risk management implications of mobile financial services. This new section--Appendix E of the Retail Payment Systems Booklet--emphasizes an enterprise-wide approach to the effective management and mitigation of risks associated with mobile financial services. The FFIEC observes that although mobile financial services can provide more convenient transaction execution capabilities, offering them can pose elevated risks related to device security, authentication, data security, application security, data transmission security, compliance, and third-party management. Customers are often less likely to activate security controls, virus protection, or personal firewall functionality on their mobile devices. Moreover, mobile financial services often involve the use of third-party service providers.

Appendix E lists the types of technologies employed to offer mobile financial services, such as short message service (SMS) messaging, mobile-enabled websites and browsers, mobile applications, and wireless payment technologies (including near field communication, image-based, carrier-based, and mobile P2P).

The FFIEC advises managements to identify the risks as part of the strategic plan and to incorporate the identification of risks associated with mobile devices, products, services, and technologies into the existing risk management process. Risks include those at the institution and those linked to the use of mobile devices where the customer implements and manages the security settings.

Mobile financial services introduce unique operational risks. The FFIEC warns that some of these risks are associated with the mobile device and with how the device communicates with the point-of-sale or other terminal. Also, the varying access points provide challenges with authentication and security. The prevalence of mobile devices, common operating systems, and downloadable applications makes these devices a target for malware and viruses. Inadequate access controls may fail to protect data stored on a mobile device.

Mobile Technology Risks

Appendix E discusses the risks associated with each type of mobile technology:

SMS technology risk

SMS messages typically are transmitted unencrypted over widely used telecommunications networks. This may allow an unauthorized user to send an SMS message pretending to be from a different mobile number in order to obtain sensitive personal information or access codes to financial institution systems.

Mobile-enabled website risk

In addition to the vulnerabilities of computer-based banking, mobile devices may have a reduced level of security. Mobile-enabled browsers do not always have anti-phishing and anti-cross-site scripting capabilities to filter out malicious code from websites.

Mobile application risk

Applications can be downloaded to mobile devices from many application stores. These applications may contain vulnerabilities, particularly those obtained from application stores not authorized by the device manufacturer. Distribution of malware through applications is a material risk to the institution and its customers.

Another risk occurs with the user's ability to access root user privileges in the operating system of the device, thereby removing the manufacturer's device controls or core operating system controls and allowing the user to download untrusted applications that may introduce malware onto the device.

Mobile payments risk

Because mobile payments at the point of sale may use near field communication, those communications can be intercepted. And even if these communications are encrypted, the potential remains for unauthorized access to transaction information.

Appendix E advises the managements of institutions to identify compliance risks when determining which mobile financial services to offer and to continue to monitor these risks as the technology evolves. …
