The Federal Deposit Insurance Corp.’s (FDIC) most recent Supervisory Insight quarterly report posted in December acknowledges myriad security risks related to banks’ mobile banking products and offerings. As FDIC policy analyst Jeffrey Kopchik writes, “Financial institutions are challenged to ensure their mobile banking service is designed and offered in a secure manner …”
This cautionary statement by the FDIC reflects concern across the industry about the risks associated with mobile banking. However, it only makes sense for banks to be cautious. As a software vendor of many years to banks’ payments processing operations, we believe that banks are taking the same approach with mobile banking adoption as they have with remote deposit capture (RDC): rolling it out in a paced and deliberate manner so as to effectively identify, manage and contain potential risk.
Risk Management Mindset
It is understandable that banks have not aggressively extended RDC benefits to their commercial or merchant customers, much less to individual account holders; they are simply acting in accordance with their risk management reality and mindset. Based on what we hear from first-party sources among top tier institutions and their service providers, banks are poised to regain the technology and customer service high ground by rolling out tried-and-true RDC and mobile banking services with a multi-media marketing blitz in 2012.
Banks have been weighing the potential benefits/risks of extending the branch capture model to commercial customers or individual account holders in the form of RDC for some time now. More recently, mobile deposit, an evolution of RDC to a mobile banking technology, has come under similar scrutiny.
The current FDIC report casts considerable light on the risk factors of mobile banking services in general. It points out the need for secure authentication protocols to guard against the vulnerabilities of customers’ mobile devices (lost, stolen, or misappropriated); for device malware and virus protection; for awareness of data transmission security related to gaps in mobile telecommunications; and for ensuring that institutions’ compliance responsibilities related to data storage and encryption effectively extend throughout their mobile offerings.
The last requirement falls directly on banks’ shoulders. Mobile device development and transmission-related data delivery are not banks’ core mission and will be hashed out by experts to meet industry demand and standards, as providers of RDC image scanning and transmission technology have done.
One of the compelling observations from our perspective will be how successful the banks are at “connecting the dots” that will be created by the increased electronic payment transaction volume and the overarching implications for risk management. The widespread adoption of mobile banking will create a new, more diversified mix of payment types. Detecting and interpreting patterns and anomalies in this mix will be critical to managing risk in this environment, if banks are to remain competitive in the payments arena.
Now that banks have had the opportunity to “test drive” RDC, they have identified new payment anomalies, and have taken steps to manage the risk introduced by this new source of payments. As Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Federal Reserve Bank of Atlanta, blogged in late November: “To date, banks and other financial institutions have successfully managed risks for commercial RDC services. Whether by restricting the use of the service to only its most vetted commercial clients or limiting the value of allowable remote deposits, banks have implemented risk controls to effectively minimize their risk and fraud exposure associated with RDC.”
Banks that have taken the time to perfect their internal RDC deployments are in a perfect position to offer a practical, and attractive, payment alternative to their trusted customer base. This same prudent approach will hold true for mobile banking as well. Prudence, in the context of banking especially, means time-testing new capabilities and new channels. Frequently, it means banks take a more circumspect approach than that which drives the marketplace in general.
Like RDC, mobile banking is transformational, which is why its adoption will be incremental based upon the development of secure, reliable devices and transmission infrastructure. From banks’ perspective, the fundamentals must apply, including: “know-your-customer” due diligence, comprehensive training and instructional resources and the execution of shared agreements that protect banks and ensure their recourse against fraud.
Simultaneously, in anticipation of the inevitable advent of mobile banking, banks need to be modeling and preparing for the imminent, although likely not immediate, spike in electronic transactions. What will at first be unfamiliar territory teeming with unforeseeable risks will, we expect, create a more highly evolved banking environment that better serves bank customers.