The Steps to Managing MFS Risk

By Ruth Razook

It goes without saying that mobile financial services (MFS) are here to stay. The majority of consumers—including millennials—use some type of digital payment service for all of their monetary transactions. Some of them may not have ever experienced something like manually depositing a check at a bank. According to the Consumers and Mobile Financial Services 2016 study completed by the Board of Governors of the Federal Reserve System, 43% of all mobile phone users with a bank account had used mobile banking in the 12 months prior to the survey. This number is up from 39% in 2014 and 33% in 2013.

While some people claim that statistics like these point to the coming extinction of traditional bank branches, it can be argued that banks actually play a key role in MFS risk management. It is important for financial institutions to not only keep up with the times by offering MFS, but to also identify the unique risks associated with such services and establish a plan to mitigate those risks for their own safety, as well as the safety of their customers.

Until recently, identifying MFS risks was a huge problem. In 2015, more than 50 financial institutions were surveyed by Transaction Directory and 97% of them reported having no strategy on how to address internet purchasing. Luckily, new guidance for mobile banking was released this year when the Federal Financial Institutions Examination Council (FFIEC) updated its Retail Payment Services Handbook and added Appendix E – Mobile Financial Systems. These guidelines examined what risk assessments should look like, how financial institutions should monitor risk, what tools should be used, and more.

Step 1: The first step in the MFS risk management process is risk identification. This must include risks associated with mobile devices where the customer implements and manages security settings; unique risks associated with specific devices; and associated risks in the areas of strategy, operations, compliance, and reputation. For example:

  • Short message service (SMS) messages are easily fraudulent as they are unencrypted over widely-used networks.
  • Mobile apps may be unauthorized or contain malware.
  • Mobile payments may be compromised if portable devices are misplaced or stolen.

In addition, financial institutions must identify how providing MFS may create reputational risks, especially in the context of privacy and data security, as public scrutiny of the treatment of customer information continues to grow.

Step 2: After the potential risks have been identified, financial institutions need to begin the process of measuring those risks. They must develop consistent risk criteria and have it published for all decision makers to review, as well as periodically review that risk criteria for potential environmental changes and share their findings with the board.

Along those lines, financial institutions must implement the measurement of the level and types of risks involved in offering MFS, in addition to the measurement of potential risks across all applicable risk categories. It is important to note that this process is ongoing and requires updates whenever a change is implemented.

Step 3: Finally, financial institutions should determine whether their controls are effective and their goals are compatible with the company’s strategic plan in order to best mitigate the identified risks. Implementing effective controls includes communicating policies and procedures during enrollment, authenticating users of MFS, and using well-constructed contracts developed with legal counsel to provide necessary security for both the financial institutions and their customers.

This also requires developers to follow a secure development life cycle, determining whether mobile browsers have available safeguards implemented, employing tools like device fingerprinting, and performing security testing at all post-design phases of the system development life cycle.

Of course, all policies and procedures implemented must comply with laws and regulations. MFS must be included in retail payments systems audits. And security awareness materials must be provided to customers so that they understand their role in security. This includes things like the use of anti-malware and PIN protection. Additional security settings can be added to the digital login process—such as a list of previous account activity with the date, time, and type of device that initiated the login. This allows the consumer to audit all transactions that have taken place from their account.

MFS risk management is much more than installing “safe” digital payment software. It includes identifying potential risks, measuring them effectively, and establishing a plan to mitigate those risks. Not only does taking this seriously allow financial institutions to remain in compliance with the updated FFIEC guidelines, but it also protects their customers and the institutions themselves from multiple types of harmful fraud.

Ruth Razook is founder and chief executive officer of RLR Management Consulting, a consulting firm servicing community banks nationwide in four primary categories: technology, regulations/compliance, operations and M&A. RLR’s clientele includes community and regional banks of all sizes. RLR has offices in both Reno, Nev. and Palm Desert, Calif. LinkedIn. Twitter.