Top Five Wireless Banking Risks
Where the “old” paradigm of connecting to bank accounts via our desktop at home, via our laptops in coffee shops, or via telephone banking exposed us to controllable risks that we overcame upon our e-banking rollouts, Wireless Banking offers a paradigm shift from a compliance, security, and fraud perspective. We do not take our laptops into the local grocery store with us. We might leave our laptops in an airport or a taxi, but we wouldn’t lose them in a bar or movie theatre.
Our regulators don’t even call it “mobile banking.” The act of allowing customers to bank with handheld devices connected via cellular, 3G, or 4G networks, or “Wireless Banking,” as defined in the FFIEC’s E-banking Handbook, Appendix E, is a subset of what the FFIEC calls “Branchless Banking.” Confusion related to nomenclature doesn’t reside only in the compliance, and thus documentation, realm. For example, our customers are sometimes confused about the meaning of the term “Smart Phone.” Bankers assume a “Smart Phone” has the ability to install free applications from a “mobile application market” such as Apple’s 58 billion dollar iPhone market (called the App Store), or the 300,000+ applications in Google’s Android Market. But our customers sometimes confuse the meaning of the word, and think that if they can surf the web with their cell phone, they have a Smart Phone.
Who is right? Us, or the customer?
What is important is understanding that all of Wireless Banking can be reduced to three different “channels.”
- Mobile Web: Your on-line banking provider has created a Mobile Web version of your on-line banking site, reformatted for the older, web-enabled “dumb phones” such as the Treo or the BlackBerry Pearl or the Samsung Messager. Your customers who think their Treo is a Smart Phone believe this because they’ve used it to surf your on-line banking site.
The Mobile Web channel includes risks inherent in portable devices, as well as risks associated with clunky browsing. More sophisticated Mobile Web deployments deliver an experience streamlined for the type of activities conducive to the cell phone experience. Examples? No one wants to add new payees to billpay processing via clunky cell phone input methods. However, we might want to review and authorize payments. Thus, the Mobile Web experience ignores data input transactions, and instead allows us to check balances, monitor transactions (such as cleared checks or deposits), and authorize payments to existing payees. Though this functionality rises from the cause of convenience, it also considers risk mitigation.
- SMS: Text banking has a lot of great features including balance alerts, transaction alerts, out-of-band passwords, and inquiries. SMS also comes with many risks including smishing and intercepted text messages, brought to us by the same innovative people who attack our on-line banking systems.
Text banking is meant not only for those with “dumb phones,” but there are many text applications that make sense concurrent to Smart Phones applications. Why log into an application to see if your payroll deposit is what you expected when you can have the time, date, and amount of that deposit texted to you when it actually hits your account?
- Smart Phone Applications: The new form of Wireless Banking that has generated all the hype centers around an actual application that resides on the Smart Phone. It provides traditional on-line banking functionality more conveniently than the Mobile Web channel, but also opens a world of opportunity for other more creative banking transactions including Consumer Capture (take a picture of a check to deposit it), Mobile Payments (pay for goods with your Smart Phone), Peer to Peer (P2P) payments (loan money to a friend’s Smart Phone), stock trading, complaint submission, and secure messaging. The application provides a totally customized experience (including the language of your choice, sounds, date/time formats), and even allows interaction with the SMS channel (such as changing monitoring parameters).
Beyond the “three channels” of Wireless Banking, we must also consider the “Prevalent Platforms” in the Smart Phone market, as well as “Wallet Feature Adoption.” When we consider Prevalent Platforms, we address the strategic risk of creating an application (and all the service peripherals) for a platform that eventually loses the market share war between Smart Phone providers. In America, there are currently two “Prevalent Platforms” in the Smart Phone Application Channel: the iPhone platform (iOS) and the Android platform (Google).
The BlackBerry 6 OS platform (BlackBerry Torch, Style, Bold, etc.) and the Windows Mobile platform (Samsung Focus, HTC Arrive, and many others), though promising, do not currently warrant inclusion in my list of Prevalent Platforms. BlackBerry enthusiasts will point to the enterprise nature of their platform; Windows Mobile enthusiasts will point to the simplified interface and unbridled licensing. These two platforms should be on our radar, but if you are just starting your Wireless Banking deployment, you will have enough to do to focus on the two Prevalent Platforms.
The most stable platform is the iPhone platform, even though it already has less market share than the Android platform. The reason: loyalty. Though Apple’s market share has plateaued at less than 20%, and has already been eclipsed by the Android platform in market share (currently 26%), I believe that iPhone users will trade their iPhone in for a new iPhone. Android users, on the other hand, might not be so loyal. Still, I include the Android in my declaration of Prevalent Platforms because it is the second most stable market at this time, and will remain stable through an early majority deployment strategy.
Beyond Apple and Google? We’re just going to have to wait and see. There has been a lot of hype and predictions that the Windows Mobile market will hit 50% market share by 2015. However, we don’t have to blindly buy this: let’s just wait and see.
But that’s only my opinion. Your bank should make your own declarations, and that will be based in part on your vendor due diligence, and in another part on your own research.
The key difference between Wireless Banking and Branchless Banking is what we call “Wallet Capabilities” of the Smart Phone applications. This capability not only allows us to provide Mobile Payment capabilities to our customers, but it also gets non-financial institutions into the banking business. Starbucks, Subway, Amazon, Best Buy and many other organizations distribute Smart Phone Applications with wallet capabilities. There are many competing methods to transfer money from the Smart Phone Application’s wallet to the retailer’s cash drawer. “Scan and Pay” and “Wave and Go” are examples of the buzzwords used to describe different mobile payment methodologies. We can monitor the consumer electronics news to watch Google and Apple battle against the likes of Twitter and PayPal. How do we know what retailers in general are going to adopt at the point of purchase? We don’t yet and, thus, we must wait and see.
Before I reveal the Top Five Risks, I am compelled to summarize all the hype surrounding Smart Phones. The adoption of Smart Phones is exploding faster than any other technology revolution since the Information Age started. Why? Anytime, anywhere. We can do anything we want anywhere we want with our Smart Phones, making them the ultimate in convergence, convenience, and customization.
Having identified the basics surrounding Wireless Banking, let’s consider the top five risks:
- The risk of being a late majority adopter. If you do not offer all three channels of “Wireless Banking” by 2013, I believe you will start to lose customers. Right now, without a Smart Phone Application, you are already losing “millennial customers” to Chase and Bank of America and other “big banks” because when Generation Y (born 1976 to 2000) customers try to find you in their Smart Phone Application market, you are not there. Their search for you was genuine. They gave you a chance. But you were “lame” and thus they randomly selected one of the “related search” items that were returned by their App Store (iPhone) or their App Market (Google) and they signed up for an account with Chase, Bank of America, Wells Fargo, or one of the many early adopters already out there.
You might be right when you shrug and say “well the Gen Y customers are risky, fickle, and have no money anyway.” But by 2013, we expect to move from Early Majority to Late Majority adoption, meaning that over half of us will be using Smart Phones. In other words, Smart Phones will be used by Generation Xers and Baby Boomers . . . and they will be just as impatient as their kids (or grandkids.) Why? Anytime, anywhere.
- The risk of “Tepid Adoption.” You will lose customers if you do not adopt all three channels: Mobile Web, SMS Banking, and Smart Phone Applications. I’ve seen bankers try to adopt one channel and not the other two, and they’re failing to meet their often undefined objectives. I’ve seen some bankers, in an effort to “save money,” abandon their Mobile Web channel because they have an iPhone app. Not a good choice. Why? If the market share, which is always changing and always in dispute, is 30%, then 70% of your customers are still using “dumb phones.” Those who dropped their Mobile Web channel have had customers call thinking their “mobile banking app” doesn’t work. After frantic investigation and confirmation that the iPhone and Android app does indeed still work, they concluded that the complaining customers were talking about the Mobile Web they have grown dependent upon using with their “dumb” phones. To them, it’s mobile banking.
Meanwhile, I’ve heard bankers swear that their iPhone app really didn’t take off until they rolled out the SMS channel. Why? Because Smart Phone Users know that SMS offers features Smart Phone Applications do NOT offer, and they want them.
Tepid adoption also includes skimping on training. Your call center personnel will need to be trained not only on your Smart Phone Application, but they will also need to understand and be able to properly convey your adoption strategy as well as offer the features of SMS banking. Your customers will be calling saying “I just purchased a new Mesmerize” and your help desk people will need to know they have the Android Operating system.
- Security Risk: Yes, lots of security risk exists and it’s going to continue to change shapes as the bad guys get more sophisticated. They, like us, are quickly learning about Wireless Banking. But security risk can no longer be the barrier to adoption, because market and reputational risk far outweighs security risk. To fully convey the myriad security risks inherent in Wireless Banking, I have developed a risk assessment that you can download for free at m.infotex.com/mobilerisk. This assessment focuses on more than 40 vulnerabilities due to the paradigm shift, so I will not drill down into all forty of them in this article.
However, two primary controls will help us manage security risk: Customer Awareness Training and Vendor Due Diligence. Some bankers believe customer awareness training is a waste of time because, after all, it is Generation Y customers we’re trying to make aware. That may be true to a certain extent. But I also think you should consider the training effort as legal risk mitigation. Meanwhile, developing a program before the Gen X and Baby Boomers adopt (2013) makes sense, because they WILL listen for the same reasons Gen Y customers won’t. They have accounts worth breaking into, they don’t learn as easily, and they WILL appreciate your efforts.
At m.infotex.com/mobilerisk, you will find some great mobile banking tools including a risk assessment, a vendor due diligence kit, and a customer awareness training kit.
- Compliance Risk: The regulations that are affected by Wireless Banking include GLBA, AML, CTF, CIP (KYC), OFAC, the E-sign Act, the EFT Act, the BSA, the Red Flags regulation, and the US Patriot Act. That’s ten different regulations!
The good news? The way to mitigate compliance risk is with strong vendor due diligence. At m.infotex.com/mobilerisk you can download a free vendor due diligence kit that will get you started in asking the right questions. The list of vendors in that kit can put you in a position where you don’t have to blindly use your existing on-line banking or core processor vendor. To clarify, staying with your existing on-line provider does provide some economies (for example, you don’t have to pay for a brand new infrastructure if you use your existing provider.) But you owe it to yourself and your bank and that vendor management program you were required to develop to look around. I have clients who have been waiting for their on-line provider to get the iPhone app approved and they still don’t have an Android app. Meanwhile, third-party providers have a lot to offer, and if you press them they will open up to price pressure. After all, they’ve already got the money in the app, and I can’t believe they’re going to be willing to lose their business over pricing.
Without going into the checklist, the heart of compliance processes is indeed the way the app is designed. Don’t let the vendors push that back on you. We’ve heard it before: “Ultimately compliance is the bank’s responsibility.” While of course we agree with that, we see some vendors who help bankers develop their compliance processes, and some vendors who push it all back on the bank. In the new paradigm, the bank can’t design the forms necessary to collect information. The bank doesn’t design the database to track GPS positions and feed that information into anomaly monitoring fraud prevention applications. To be clear, you can’t watch where the users are logging in from if the application doesn’t track this information. Likewise, the bank can’t design the app to restrict high-risk transactions, or to automatically check MICR codes during consumer capture to prevent duplicate deposits. Another great example: The provider will need to overcome disclosure and message limitations. If the application allows one to check rates, then the app must allow the bank to provide the disclosures in cell-size formatting or in some other, out-of-band yet verifiable method.
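As an added illustration of the duplicate-deposit control mentioned above (this is not code from the article or from any vendor), the sketch below fingerprints the MICR fields of each captured check and refuses an item that has already been accepted. It assumes the capture pipeline has already extracted routing number, account number and check number; the class and function names, the key and the sample values are all hypothetical.

```python
import hashlib
import hmac
import re


def routing_checksum_ok(routing: str) -> bool:
    """ABA routing numbers are 9 digits whose 3-7-1 weighted sum is a multiple of 10."""
    if not re.fullmatch(r"\d{9}", routing):
        return False
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def normalize(routing: str, account: str, serial: str) -> tuple:
    """Reduce captured MICR fields to a canonical form so OCR spacing, dashes
    and zero-padding of the check number cannot hide a repeat presentment."""
    def digits(s: str) -> str:
        return re.sub(r"\D", "", s)
    return digits(routing), digits(account), digits(serial).lstrip("0") or "0"


class DepositRegistry:
    """Remembers a keyed fingerprint of every accepted item, not the raw account number."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen = {}  # fingerprint -> id of the deposit that first presented the item

    def _fingerprint(self, fields: tuple) -> str:
        return hmac.new(self._key, "|".join(fields).encode(), hashlib.sha256).hexdigest()

    def submit(self, deposit_id: str, routing: str, account: str, serial: str) -> tuple:
        fields = normalize(routing, account, serial)
        # A failed checksum or empty account means the image was misread: do not guess.
        if not routing_checksum_ok(fields[0]) or not fields[1]:
            return ("rejected", "unreadable MICR line")
        fp = self._fingerprint(fields)
        if fp in self._seen:
            return ("duplicate", self._seen[fp])
        self._seen[fp] = deposit_id
        return ("accepted", None)


def demo() -> list:
    # Constructed sample data: 123456780 is a made-up routing number that passes the checksum.
    reg = DepositRegistry(key=b"constructed-demo-key")
    return [
        reg.submit("dep-1", "123456780", "00123456", "1042"),
        reg.submit("dep-2", "123456780", "0012-3456", "0001042"),  # same check, re-photographed
        reg.submit("dep-3", "123456780", "00123456", "1043"),      # next check in the book
        reg.submit("dep-4", "123456789", "00123456", "1044"),      # misread routing number
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The registry here lives in memory; a deployed control would keep the fingerprints in a persistent store with a uniqueness constraint so that two simultaneous submissions of the same item cannot both be accepted.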
As always, a healthy tension separates convenience and compliance. Many of the ten regulations simply go away if we do not allow new users to register via their Smart Phone. But then, what’s the point? Without new user registration, we lose the competitive advantage of being an early majority adopter of Wireless Banking.
So, if the app does allow users to register from their Smart Phone, not only do disclosures have to be provided using some methodology hopefully designed by your provider, but the database needs to have controls over which fields must be populated prior to allowing certain transactions. For example, the app might allow product purchases with the wallet features, but not billpay until after the Know Your Customer fields are confirmed at the branch. The bank can’t design the application to facilitate the Customer Identification Program. That’s the vendor’s job.
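The field-population control described above can be sketched as a server-side authorization check. This is an added example, not the article's or any vendor's code, and the transaction names, field names and policy table are hypothetical. It allows a wallet purchase for a phone-registered customer, blocks bill pay until the identification fields are confirmed at a branch, and withdraws a confirmation when the confirmed value later changes.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Requirement:
    required: tuple          # profile fields that must be populated
    branch_confirmed: bool   # True if those fields must also be verified in person


# Hypothetical policy table; transaction and field names are illustrative.
POLICY = {
    "wallet_purchase": Requirement(("name", "date_of_birth"), False),
    "bill_pay": Requirement(("name", "date_of_birth", "address", "id_number"), True),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    fields: tuple = ()       # the fields that caused a denial, if any


def _populated(value) -> bool:
    return bool(str(value or "").strip())


@dataclass
class Profile:
    values: dict
    confirmed: set = field(default_factory=set)  # fields verified at a branch

    def update(self, name: str, value: str) -> None:
        # A changed value is no longer the one the branch verified.
        if self.values.get(name) != value:
            self.confirmed.discard(name)
        self.values[name] = value

    def confirm_at_branch(self, *names: str) -> None:
        # Only populated fields can be confirmed.
        self.confirmed.update(n for n in names if _populated(self.values.get(n)))


def authorize(profile: Profile, txn_type: str) -> Decision:
    req = POLICY.get(txn_type)
    if req is None:
        return Decision(False, "unknown transaction type")  # default deny
    missing = tuple(f for f in req.required if not _populated(profile.values.get(f)))
    if missing:
        return Decision(False, "required fields not populated", missing)
    if req.branch_confirmed:
        unconfirmed = tuple(f for f in req.required if f not in profile.confirmed)
        if unconfirmed:
            return Decision(False, "fields not confirmed at branch", unconfirmed)
    return Decision(True, "ok")


def demo() -> tuple:
    # Constructed customer who self-registered from the phone.
    p = Profile({"name": "A. Sample", "date_of_birth": "1980-01-01",
                 "address": "1 Example St", "id_number": "X000"})
    before = authorize(p, "bill_pay")
    p.confirm_at_branch("name", "date_of_birth", "address", "id_number")
    after = authorize(p, "bill_pay")
    p.update("address", "2 Example St")   # edited from the phone after the branch visit
    changed = authorize(p, "bill_pay")
    return before, after, changed


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```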
Everything you do in normal bank transactions, or in on-line banking transactions, has to be designed into the Smart Phone Application from a compliance perspective. Making matters worse, our regulators don’t know what to look for yet. We can’t really blame them: most banks are not even in the decision-phase of adoption. So if you do adopt in the early majority, your risk assessment, vendor due diligence paperwork, and other paper trails should help you consult with your examiners when it’s that time.
But know that part of the regulators’ confusion over Wireless Banking compliance comes from the fact that there are some regulations that are still not stable. During vendor due diligence, your Compliance Officer must learn what is and what is not stabilized in the area of compliance. For example, if your Wireless Banking Provider starts talking about voice recognition features in the Smart Phone Application, you should know of the uncertain status of voice recognition under the E-SIGN Act. We simply don’t know what you need to do to comply with that regulation.
Let’s consider a regulation prioritized as low by many community banks: Counter Terrorism Financing. When banking was something that required us to come to the branch, many rural banks thankfully didn’t have to worry too much about terrorists. But with the paradigm shift, if all a terrorist needs to open an account is our mobile app in the Android Market, we’re increasing compliance risk. We better be sure our application developers have carefully matched which database fields must be populated before we can allow transactions that would violate the CTF regulations. Do we as community banks in the middle of America need to do this? Again, ultimately it is our responsibility, but it’s a question we should ask in vendor due diligence. The same goes for the US Patriot Act.
How about AML? With consumer capture, how are we going to monitor deposits that meet our normal BSA thresholds? Again, you can say it’s ultimately the bank’s responsibility, but if we haven’t already selected a vendor, it should be a question in our due diligence process.
Wireless banking may expose your bank to liability under the Electronic Fund Transfer Act (Regulation E) for unauthorized activities if a customer’s Smart Phone is lost or stolen. The risk exposure is a function of the products, services, and capabilities you are providing through your mobile banking application. For example, the loss of a Smart Phone used to conduct electronic fund transfers would be similar to losing an ATM or debit card with a personal identification number written on it. Who gets to pay the bill? (And, have we updated our insurance?) Your risk may increase depending on the types of wireless banking services offered (e.g., bill pay, person-to-person payments, mobile payments, etc.).
There is also tension between convenience and security, especially in the authentication process used to access wireless banking services. We must consider compliance with the multi-factor authentication guidance and recognize that if we want convenience, we’ll increase our risk exposure over two-factor, strong authentication.
Under the Electronic Signatures in Global and National Commerce Act (E-SIGN Act), to obtain effective consumer consent to receiving electronic disclosures, financial institutions must among other things inform consumers of the hardware and software requirements for retention of electronic records that will be provided as disclosures. Will your application handle this? What if you allow customers to register from their Smart Phone? How do you get these disclosures out to them? These requirements should be carefully considered by a team that includes your technology professionals, information security professionals and of course your compliance staff.
Compliance risk is always the last risk that seems to be considered. In an effort to put the horse ahead of the cart this time, we have made a “vendor due diligence kit” available at m.infotex.com/mobilerisk. Please know that these templates act merely as starting points. But I hope they can point you in the right direction. Careful consideration of all ten regulations by your compliance officer will need to be organically integrated into your strategic plan, not only prior to deployment, but during the confirmation phase as well.
- Strategic Risk: Speaking of your strategic plan, it is indeed the strategic risk that scares us the most. Beyond the fact that strategy as a control is interlaced in the remediation of the previous four risks I’ve delineated, the complexity of Wireless Banking (3 channels x 4 Prevalent Platforms + “dumb phones” x 10 regulations) is only compounded by uncertainty. Do we believe the iPhone and Android will be around five years from now? The instability in platforms, wallet features, and regulations makes it understandable that we’re all fearful of early majority adoption.
The ultimate question: “What makes us confident our current commitment isn’t a dead end?”
I hope you answer that question with this one: “Who must sit on our strategy committee?” I hope this question is answered with: Technology, Compliance, Security, Information Security, and Marketing. The key control for strategic risk is the creation of your Strategy Team.
Those on your technology team have made a parlor game of arguing about Apple versus Google and the future of Windows Mobile. The market share predictions for Windows Mobile are based partially on the fact that the operating system will be licensed on more hardware platforms and thus will win the market share battle like VHS did over BETA in the 1980’s. However, did anybody stop to think that Symbian already has a 37% market share and Android a 26% market share? VHS did not compete against two quickly adopting companies who do not want to lose more than half the market. Meanwhile, who is to say that Microsoft can even develop a good operating system? I’ve seen it, and the simplicity does offer the potential for quick Generation X and Baby Boomer adoption. But I’m not ready to bank on it, especially when I look at the existing BlackBerry penetration into the enterprise solution market.
We do not know what the future holds. Most of my clients who have thought this through and who are very smart about Wireless Banking are mitigating strategic risk by having a long-term strategy that is heavy on short-term tactics. Once in all three channels, they stagger platform deployment, only looking down the road at one platform. If they lucked out timing-wise, and took vendor due diligence seriously, they transferred some of the strategic risk to their vendors. If there is one question that is worth asking your vendor, it is this: “Do we get updates and new platforms at no additional cost?” If your vendor has decided BlackBerry is the next direction to take, and they are wrong, they should at least share in that risk.
Your strategy committee must pay close attention to the consumer electronics press when they look down the road. But this year? Continually update a regular schedule of what you’re rolling out next, taking it one step at a time. In the early phases of deployment, when a customer calls, your call center employees should know what you have now and what you will have next. But your strategy committee will hopefully have a “feel” for what comes after that.
- June (now): Mobile Web (m.ourbank.com or ourbank.mobi)
- July: SMS
- October: iPhone App
- January: Android App, Scan and Pay on both apps
- April: Consumer Capture??
- The rest of 2012: Possibly new platforms (such as BlackBerry RIM or Windows Mobile) or new features.
The tactical plan can change as the year goes on, but the phone center people must be well trained on the short-term tactical objectives.
The call goes like this:
“I just bought a Droid.”
“Good for you! We only have the iPhone app now but we’re rolling our Android app out in about two months. For your protection, you should use our Mobile Web interface by going to m.ourbank.com (or ourbank.mobi). Meanwhile, you should enroll in our SMS banking app, it really offers a lot of the cool features you’ll eventually see in our Android app and we’ll text you when our Android app is ready. Oh, and also, you’d be better off downloading that Android app from our on-line banking website, that way you know you don’t have a fraudulent app. I’d be wary of any bank apps you get from the Android Market.”
And then, after the customer is enrolled in text banking and instructed on how to complete the registration, usually by texting a message to your app number (e.g., Wells Fargo’s text number is 93557, which spells WELLS), you’d really look good if you sent them to the place they can download your “Protecting Your Smart Phone Experience” flyer. If you’d like a starting point for this (and fodder for your social media presence as well as ongoing text messages about safe wireless banking), simply go to m.infotex.com/mobilerisk and download the free tools we’ve made available there.
Yes, Wireless Banking reeks of risk. But I submit that a team of motivated technology, marketing, security, and compliance personnel can rise to the challenge of managing this risk. The risk of doing nothing now outweighs all other risk.
Dan Hadaway, CISA, CISM, CRISC