Mobile Banking: The Regulatory Challenge
Consumer Privacy is Top Concern of Agencies, Institutions
In October, BITS, a division of The Financial Services Roundtable, will host a forum dedicated to the emerging mobile channel. Regulators, bankers and consumer advocacy groups will spend two days sharing their security concerns and insights about mobile banking and payments. Government oversight of mobile financial transactions is going to increase, and consumer privacy will dictate a great deal.
To date, mobile financial transactions have fallen under the purview of e-commerce, meaning they are regulated in the same way as Internet or online banking transactions. But technological nuances make the mobile channel a little different, and the financial industry is only beginning to wrap its brain around some of the fraud and security-risk potentials.
Consumer Privacy
At the moment, consumer privacy is the primary concern. One of the most puzzling issues relates to mobile location tracking. Global positioning that allows mobile applications to provide consumers with addresses for the nearest branches and ATMs is stirring debate.
Brian Tretick, managing director of privacy and security consultancy Athena Privacy LLC, expects consumer privacy mandates to play a big role in new regulatory guidance. "Will my mobile app give my location, and how is that location information collected and stored?" Tretick asks. "How is the information sent over the network, and how is the bank making sure that information is secure?"
For now, Tretick says, regulatory guidance for the online channel has set the security standard for mobile. The mobile channel and the Internet are very similar, he says. Up until recently, most mobile banking also was browser-based, so it made sense for mobile controls to mirror those already in place for the online channel. But as mobile banking features have expanded, that mirroring in guidance is no longer sufficient, Tretick says.
"Security of the mobile platform, security of the applications and privacy," are the top three concerns surrounding mobile, he says. Second to privacy is malware -- malware that is specifically designed to target mobile banking apps and platforms. "I'm not aware of anything insidious at this time, but the platform providers and the cell phone providers should be defending against potential malware attacks."
Regulators' Challenge
Donald Saxinger, senior examination specialist with the Federal Deposit Insurance Corp. and an FDIC representative on the Federal Financial Institutions Examination Council, says mobile is unique -- particularly because a number of non-financial players touch the mobile channel. Wireless carriers and mobile-phone platform providers, such as BlackBerry, are not required to comply with e-commerce regulations like Regulation E, and financial institutions have little control over how those entities manage and secure the information they send, receive and store.
The FFIEC's Information Technology Examination Handbook, which includes individual books about several electronic-banking and information security standards, is the best guide currently available for mobile, Saxinger says. "Our recent Retail Payment Systems book even addressed mobile, slightly," he says.
Another challenge: Mobile network operators themselves could soon compete with banks for a piece of the mobile banking share, by offering their own methods and modes for mobile payments, Saxinger says. "Who's going to enforce consumer protection rules, when it's the mobile network operator that's doing mobile payments?" he asks. "If it doesn't go through the bank, it might not be the banking regulators who have the first say."
The Federal Trade Commission, which also is working with BITS, is advising regulators to ensure discussions revolving around mobile take consumer privacy into consideration. "I don't think that the mobile channel is that different from the online channel," an FTC spokeswoman says. "If someone is compromising data, the technology might be different, but the concerns are the same."
The FCC declined to comment, saying mobile financial transactions fall outside the bounds of what wireless network carriers oversee. Tretick compares the wireless carrier's role with the role of the Internet service provider. "Today, the ISP has very little responsibility," he says. "The level of encryption is up to the user. I doubt you will see the telco industry take responsibility or have any obligation to ensure security or privacy. That's going to be up to the banks."
Institutions Set Own Standards
Financial institutions, in the absence of any specific mobile guidance, are setting their own standards for security. Bank of America, which launched its mobile banking platform in May 2007, in many ways views mobile security in the same way it sees online security. Similar to online banking, BofA requires its mobile users to rely on two-factor password authentication to access mobile banking accounts. But like the regulators, Michael Upton, an e-channels and customer solutions executive for BofA, says some mobile unknowns do exist from a security perspective, as well as from a regulatory-compliance standpoint. That's why BofA expects to play an active role in working with regulators, as well as testing and piloting mobile apps for security and consumer preference.
"Regulation is just a natural part of the financial-services industry," Upton says. "(BofA just wants) to ensure there is a level playing field, as it pertains to payment."
Financial institutions, Upton says, are concerned about competition from third-parties, especially where mobile payments are concerned. "There are some folks that are looking to get into the space that might not be quite so familiar," he says. "We want to help ensure that the regulations that come in the future, as they relate to mobile and the payments space," make sense and apply to all applicable entities.