The Federal Financial Institutions Examination Council (FFIEC) has issued new guidance to its examiners regarding mobile financial services (MFS), which includes mobile banking and mobile payments. The guidance also provides valuable insight for industry participants in the MFS space as to regulators’ expectations and tips for mitigating applicable risks.
On April 29, 2016, the FFIEC released Appendix E: Mobile Financial Services, a new appendix to its Retail Payment Systems booklet, which is in turn part of its Information Technology (IT) Examination Handbook. The new appendix is designed to help examiners evaluate how financial institutions and their third-party service providers manage the risks associated with MFS. It emphasizes the need for robust, enterprise-wide risk management protocols for MFS.
Among other risks, the FFIEC emphasizes the need to address risks related to data security and the use of third parties, cautioning that “MFS can pose elevated risks related to device security, authentication, data security, application security, data transmission security, compliance, and third-party management. Customers are often less likely to activate security controls, virus protection, or personal firewall functionality on their mobile devices, and MFS often involve the use of third-party service providers.” The appendix advises steps to take to address such risks.
To mitigate operational risks related to MFS, for instance, the appendix recommends that financial institutions develop a layered approach, including operational controls for 1) enrollment, 2) authentication and authorization, 3) application development and distribution, 4) application security, 5) contracts, 6) customer awareness, and 7) logging and monitoring of MFS. Appendix E also contains a separate set of work-program objectives for examiners to use to assess the state of risk and controls that an institution has in place for MFS.
As with other agency examination and supervision guides, while the primary audience for this issuance is examiner staff, financial institutions and others should also find it useful because it indicates what the agencies expect from supervised institutions and what the agencies expect their examiners to focus on in the exam process. Financial institutions involved with MFS should, for example, incorporate the principles articulated in the appendix into their risk management, compliance, and internal audit programs.
The MFS appendix is just one of a number of recent issuances from the FFIEC and individual agencies indicating an increasing focus on cybersecurity, including as it relates to financial technology.
In June 2015, the FFIEC released the Cybersecurity Assessment Tool (CAT), designed to help financial institutions measure their cybersecurity preparedness. The CAT incorporates cybersecurity-related principles from the FFIEC IT Examination Handbook and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The release of the CAT followed a 2014 pilot assessment of cybersecurity preparedness at more than 500 financial institutions. The FFIEC agencies have stated that they plan to update the CAT in the future as threats, vulnerabilities, and operational environments evolve.
The FFIEC provides several resources to further financial institutions’ awareness of cyberthreats and to help financial institutions improve their cybersecurity. These resources are available on the FFIEC website at http://www.ffiec.gov/cybersecurity.htm.