ABA Banking Journal
No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
SUBSCRIBE
ABA Banking Journal
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
No Result
View All Result
No Result
View All Result
Home Compliance and Risk

Mobile apps: Ensuring BSA and FFIEC compliance

January 19, 2023
Reading Time: 5 mins read
Mobile apps: Ensuring BSA and FFIEC compliance

Protections for mobile apps must have the capability to recognize and block the tools that criminals use and abuse to commit fraud.

By Karen Hsu

The global COVID-19 pandemic forced consumers to find contactless ways to take care of shopping, banking and other transactions, and many turned to mobile apps. A new way of doing things that seems to have stuck. Nearly 60 percent of mobile consumers said that they use and download a greater number of mobile apps and are using them to purchase more goods and services since early 2020, according to the Appdome 2021 Global Mobile Security Survey. Payment apps such as Venmo, Zelle, ApplePay and other fintech or mobile-based peer-to-peer consumer apps are seeing exponential growth.

Regulators have taken note. They have issued regulations and guidance to create standards that financial app makers need to meet to ensure that consumers are properly protected.

rightwards arrow
View more
risk and compliance articles

In the US, the Federal Financial Institutions Examination Council and the Federal Crimes Enforcement Network have laid out detailed regulations governing which and how mobile financial applications are to be protected. Banks that publish financial apps must be familiar with these regulations and create plans to make sure that they comply with the Bank Secrecy Act and can satisfy an FFIEC examination.

Compliance with BSA

The May 2019 FinCEN guidance further detailed the regulatory requirements for mobile wallets and other applications with similar functionality. Non-compliance can be extremely expensive and in some cases could result in prison time, so financial app publishers should definitely take these regulations seriously.

The BSA/AML regulations lays out the primary requirements that organizations must meet:

  • Maintain effective know your customer and AML programs.
  • For each transaction over $10,000, file a currency transaction report.
  • When the organization suspects or knows that transactions may involve money laundering or represents attempts to evade BSA requirements, file suspicious activity reports.

Mobile apps: Ensuring BSA compliance and passing FFIEC examinations

“FFIEC IT Examination Handbook” is published by the FFIEC to assist technology service providers, financial institutions and examiners with identifying and controlling the risks that retail payment systems and related banking activities may face.

A new appendix was added by the FFIEC in 2016 that is specifically for mobile applications, detailing the main risks that they carry. In broad terms, they include:

  • The ability for consumers and other end-users to download applications from app stores that not authorized by the manufacturer and may contain malicious code
  • Applications acting as a vector for the delivery of malware
  • The ability of end-users to run financial apps on rooted (Android) or jailbroken (iOS) devices in order to access root user privileges and remove the manufacturer’s device controls. Doing so could result in the user using untrusted sources to download apps which could install malware onto the device
  • Unencrypted storage of personal information on the device or in the app, such as email addresses, passwords and usernames
  • Unsecured secrets, tokens and URLs that can provide hackers with unauthorized access to back-end databases.

To comply with FFIEC and BSA regulation, mobile app publishers need to integrate fraud prevention and cybersecurity protections in their development, security and operations processes to ensure that they can regularly add new security protections into their new and updated Android and iOS apps. When combined with sufficient automation, DevSecOps enables organizations to avoid having to make terrible decisions about whether to delay the app, cut new features or release apps with unaddressed security vulnerabilities. It can do this because operations, security and development are synchronized and coordinated into a continuous workflow.

Security measures that enable compliance

Compliance requires a number of fundamental protections built into an app. For starters, a mobile app’s protections must be able to recognize and block the tools that criminals use and abuse to commit fraud. Most commonly, fraudsters abuse common developer tools that enable dynamic instrumentation, code injection, script injection, accessibility abuse and method hooking—all of which enable them to interfere with or modify the app. By blocking these functions, developers can deprive fraudsters of their tools of the trade, stopping fraud before it starts.

Additionally, the protections inside an app should prevent anyone from copying, altering, repackaging and resigning the app. This will help protect against many exploits, including weaponizing the app by creating a Trojan app that looks like the original and and generally mimics the original user experience. But they carry malicious code that can enable criminals to take over financial accounts and steal sensitive information.

A further tactic that hackers use is to elevate their permissions on the device by rooting (Android) or jailbreaking (iOS) it, which enables them to manipulate the financial apps that run on it. When an app is operating in a rooted / jailbroken environment, the app’s protections should be able to recognize the threat and shut down to protect itself.

Another fundamental protection for a financial app is strong encryption, which usually means encryption via the AES 256 standard. Often, protections in financial apps only encrypt data when it’s in the application sandbox, which is a protected area where applications run within the mobile device. However, this isn’t sufficient to protect data in the financial app. There are many other places where hackers can extract data if it’s left in the clear, most notably in an app’s code. The app needs to encrypt data in the strings, preferences, resources, in-app secrets and much more.

Data in an app’s code is especially sensitive because it includes login credentials, security certificates, back-end server URLs and keys that enable the app to connect to other services. With this data, hackers can successfully mount devastating attacks that target a financial institution’s core systems. They, too, must be protected using strong cryptographic protocols.

Protecting data within code, however, is particularly difficult to implement in a way that doesn’t negatively impact the app, and incorporating the other protections listed above requires a great deal of complicated, manual coding. Software development kits can reduce the amount of manual work that would be required starting from scratch, but they’re far from plug-and-play solutions. They can require a great deal of manual coding, which may be beyond the skills and resources of many development teams. Plus, these tools themselves may contain vulnerabilities, as they often depend on many layers of libraries and other code which could threaten compliance.

There are now, however, AI-powered, no-code platforms that can integrate security into the app, which saves time and increases precision and protection. When integrated into a development organization’s DevSecOps’ process, organizations can incorporate strong security without having to make trade-offs with their release schedule or app functionality.

Whatever choices are made regarding security implementation and anti-fraud protections, these are not areas where banks can afford to skimp. The risk of fraud and non-compliance is simply too large.

Karen Hsu is CMO of Appdome. She previously served as CEO of BlockchainIntel, which she co-founded. She also co-founded the non-profit Blockchain By Women.

Tags: Anti-money launderingBank Secrecy ActFraudMobile banking
ShareTweetPin

Related Posts

FCC grants ABA-requested extension of ‘revoke all’ rule’s effective date

ABA joins with consumer rights group to protect fraud alerts

Compliance and Risk
July 1, 2026

ABA joined with the National Consumer Law Center and ACA International in proposing to the FCC a rewrite of the “revoke all” rule. The rule is set to take effect on January 31, 2027, but the FCC is...

A close call with fraud

ABA Fraudcast: Defending customers from wire fraud

Compliance and Risk
July 1, 2026

'It's asking questions like: Have you been coached? Is someone telling you to do this? Is this going into an account that you opened or authorized to be opened?'

Republican lawmakers urge Trump officials to preserve CDFI Fund

House committee advances ABA-backed bills on fair credit liability, check fraud

Compliance and Risk
June 30, 2026

The House Financial Services Committee advanced legislation that would align Fair Credit Reporting Act liability with other financial consumer protection laws, reform the Securities and Exchange Commission and give banks more time to verify suspicious checks. The three...

FinCEN issues alert on oil smuggling schemes along southwest border

FinCEN issues alert on fuel smuggling schemes linked to Mexican cartels

Compliance and Risk
June 30, 2026

FinCEN issued a supplemental alert for financial institutions on suspicious activity connected to Cartel de Jalisco Nueva Generacion and other Mexico-based transnational criminal organizations smuggling fuel from the U.S. into Mexico in schemes involving Mexican tax evasion known...

ABA unveils key policy priorities for 2025

House advances ABA-backed bill to reauthorize Terrorism Risk Insurance Program

Compliance and Risk
June 29, 2026

The House passed legislation to reauthorize the Terrorism Risk Insurance Act program, which Congress created after the September 2001 terrorist attacks.

OFAC revises blocked fund reporting rule

OFAC launches online portal for sanctions reconsideration requests

Compliance and Risk
June 29, 2026

OFAC launched a new online “reconsideration portal” for the submission of requests to be removed from an OFAC sanctions list. It also released FAQs on delisting.

NEWSBYTES

Fed: Noncash payments continue to grow, credit cards more frequently used

July 3, 2026

ABA DataBank: 2026 Fourth of July cookout

July 3, 2026

ABA joins with consumer rights group to protect fraud alerts

July 1, 2026

SPONSORED CONTENT

Why Your Systems Keep Slowing Down — and What to Do About It

Examiners Are Now Looking at Your Non-Core Systems

June 11, 2026
Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

June 1, 2026
A Modern Blueprint for Serving High-Net-Worth Families

A Modern Blueprint for Serving High-Net-Worth Families

May 28, 2026
Why Your Systems Keep Slowing Down — and What to Do About It

AI Is in Your Bank. Is Your Cloud Contract Governing It?

May 20, 2026

PODCASTS

Podcast: Financing America’s independence

June 29, 2026

Podcast: Talent and innovation in community banking

June 18, 2026

Podcast: Understanding bank regulators’ guidance on illegal immigration

June 11, 2026

American Bankers Association
1333 New Hampshire Ave NW
Washington, DC 20036
1-800-BANKERS (800-226-5377)
www.aba.com
About ABA
Privacy Policy
Contact ABA

ABA Banking Journal
About ABA Banking Journal
Media Kit
Advertising
Subscribe

© 2026 American Bankers Association. All rights reserved.

No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive

© 2026 American Bankers Association. All rights reserved.