Mobile Banking: The Regulatory Challenge

Consumer Privacy is Top Concern of Agencies, Institutions
Editor's Note: This is the third in a series of stories on mobile banking, looking at consumer adoption, types of services, emerging technologies and how institutions are overcoming security concerns.

In October, BITS, a division of The Financial Services Roundtable, will host a forum dedicated to the emerging mobile channel. Regulators, bankers and consumer advocacy groups will spend two days sharing their security concerns and insights about mobile banking and payments. Government oversight of mobile financial transactions is going to increase, and consumer privacy will dictate a great deal.

To date, mobile financial transactions have fallen under the purview of e-commerce, meaning they are regulated in the same way as Internet or online banking transactions. But technological nuances make the mobile channel a little different, and the financial industry is only beginning to wrap its brain around some of the fraud and security-risk potentials.

Consumer Privacy

At the moment, consumer privacy is the primary concern. One of the most puzzling issues relates to mobile location tracking. Global positioning that allows mobile applications to provide consumers with addresses for the nearest branches and ATMs is stirring debate.

Brian Tretick, managing director of privacy and security consultancy Athena Privacy LLC, expects consumer privacy mandates to play a big role in new regulatory guidance. "Will my mobile app give my location, and how is that location information collected and stored?" Tretick asks. "How is the information sent over the network, and how is the bank making sure that information is secure?"

For now, Tretick says, regulatory guidance for the online channel has set the security standard for mobile. The mobile channel and the Internet are very similar, he says. Up until recently, most mobile banking also was browser-based, so it made sense for mobile controls to mirror those already in place for the online channel. But as mobile banking features have been enhanced, mirroring the online guidance is no longer sufficient, Tretick says.

"Security of the mobile platform, security of the applications and privacy," are the top three concerns surrounding mobile, he says. Second to privacy is malware -- malware that is specifically designed to target mobile banking apps and platforms. "I'm not aware of anything insidious at this time, but the platform providers and the cell phone providers should be defending against potential malware attacks."

Regulators' Challenge

Donald Saxinger, senior examination specialist with the Federal Deposit Insurance Corp. and an FDIC representative on the Federal Financial Institutions Examination Council, says mobile is unique -- particularly because a number of non-financial players touch the mobile channel. Wireless carriers and mobile-phone platform providers, such as BlackBerry, are not required to comply with e-commerce regulations like Regulation E, and financial institutions have little control over how those entities manage and secure the information they send, receive and store.

The FFIEC's Information Technology Examination Handbook, which includes individual books about several electronic-banking and information security standards, is the best guide currently available for mobile, Saxinger says. "Our recent Retail Payment Systems book even addressed mobile, slightly," he says.

Another challenge: Mobile network operators themselves could soon compete with banks for a piece of the mobile banking share, by offering their own methods and modes for mobile payments, Saxinger says. "Who's going to enforce consumer protection rules, when it's the mobile network operator that's doing mobile payments?" he asks. "If it doesn't go through the bank, it might not be the banking regulators who have the first say."

The Federal Trade Commission, which also is working with BITS, is advising regulators to ensure discussions revolving around mobile take consumer privacy into consideration. "I don't think that the mobile channel is that different from the online channel," an FTC spokeswoman says. "If someone is compromising data, the technology might be different, but the concerns are the same."

The FCC declined to comment, saying mobile financial transactions fall outside the bounds of what wireless network carriers oversee. Tretick compares the wireless carrier's role with the role of the Internet service provider. "Today, the ISP has very little responsibility," he says. "The level of encryption is up to the user. I doubt you will see the telco industry take responsibility or have any obligation to ensure security or privacy. That's going to be up to the banks."

Institutions Set Own Standards

Financial institutions, in the absence of any specific mobile guidance, are setting their own standards for security. Bank of America, which launched its mobile banking platform in May 2007, in many ways views mobile security in the same way it sees online security. Similar to online banking, BofA requires its mobile users to rely on two-factor password authentication to access mobile banking accounts. But like the regulators, Michael Upton, an e-channels and customer solutions executive for BofA, says some mobile unknowns do exist from a security perspective, as well as from a regulatory-compliance standpoint. That's why BofA expects to play an active role in working with regulators, as well as testing and piloting mobile apps for security and consumer preference.

"Regulation is just a natural part of the financial-services industry," Upton says. "(BofA just wants) to ensure there is a level playing field, as it pertains to payment."

Financial institutions, Upton says, are concerned about competition from third parties, especially where mobile payments are concerned. "There are some folks that are looking to get into the space that might not be quite so familiar," he says. "We want to help ensure that the regulations that come in the future, as they relate to mobile and the payments space," make sense and apply to all applicable entities.


About the Author

Tracy Kitten


Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



