For some time now, the financial services industry has been anxiously awaiting updated regulations regarding mobile banking security. In a response to the rise of digital banking usage, the Federal Financial Institutions Examination Council (FFIEC) updated its Retail Payment Services Handbook and added Appendix E—Mobile Financial Systems (MFS).
Appendix E highlights the complexity of the mobile technology infrastructure and identifies specific vulnerabilities that currently exist in the mobile banking ecosystem. The new guidance is fairly comprehensive and addresses key areas, including SMS/text messaging, mobile browser sites, mobile apps, and wireless payments.
The FFIEC really gets it right in understanding that mobile apps present new and unique risks. To address the issue, this appendix provides specific guidance for building apps that are secure, and the FFIEC places the burden of following best practices squarely on financial institutions. This includes designing anti-reverse-engineering technology into the apps, detecting if the mobile device has been rooted or jailbroken, using multiple methods to verify the identity and security of the mobile device, using geolocation, performing transaction monitoring, and providing adequate reporting.
Each financial institution should identify the risks associated with the types of MFS being offered as part of the institution's strategic plan. Each should incorporate the identification of risks associated with mobile devices, products, services, and technologies into its existing risk management process. The risk identification process should also include recognizing risks associated with the use of mobile devices for which the customer implements and manages security settings; unique risks associated with specific devices; and risks in the areas of strategy, operations, compliance, and reputation.
The FFIEC also states that financial institutions should take precautions such as requiring developers to follow a secure development life cycle, verifying that the safeguards available in mobile browsers are actually implemented, employing tools such as device fingerprinting, and performing security testing in every phase of the system development life cycle, not only before release.
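The guidance above names the controls (geolocation, transaction monitoring, device fingerprinting, multiple methods of verifying the device) but does not prescribe an algorithm. The following is an added, self-contained example written for this page, not code from the FFIEC or from any institution, showing how two of those controls can be combined in a simple monitoring rule: an "impossible travel" check that uses the geolocation of consecutive transactions, and a check that the transaction came from a device fingerprint previously seen for that customer. The `Transaction` fields, the 900 km/h plausibility threshold, and the sample transactions are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt
from typing import Dict, List, Set

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: anything faster than a commercial flight between two
# consecutive transactions is physically implausible for one customer.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    customer_id: str
    ts: datetime        # timezone-aware UTC timestamp
    lat: float          # geolocation reported with the transaction
    lon: float
    device_id: str      # device fingerprint/identifier reported by the app (assumed field)


@dataclass(frozen=True)
class Alert:
    txn_id: str
    rule: str
    detail: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two latitude/longitude points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev: Transaction, cur: Transaction) -> float:
    """Speed the customer would have needed to travel from prev to cur."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:
        # Same-instant (or out-of-order) events: only implausible if genuinely apart.
        return float("inf") if dist > 1.0 else 0.0
    return dist / hours


def monitor(transactions: List[Transaction],
            max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> List[Alert]:
    """Run the two rules over a batch of transactions, per customer, in time order."""
    alerts: List[Alert] = []
    last_seen: Dict[str, Transaction] = {}
    known_devices: Dict[str, Set[str]] = {}
    for txn in sorted(transactions, key=lambda t: (t.customer_id, t.ts)):
        # Rule 1: device fingerprint not previously associated with this customer.
        seen = known_devices.setdefault(txn.customer_id, set())
        if seen and txn.device_id not in seen:
            alerts.append(Alert(txn.txn_id, "new_device",
                                f"device {txn.device_id} not previously seen for customer"))
        seen.add(txn.device_id)
        # Rule 2: geolocation implies travel faster than the plausibility threshold.
        prev = last_seen.get(txn.customer_id)
        if prev is not None:
            speed = implied_speed_kmh(prev, txn)
            if speed > max_speed_kmh:
                alerts.append(Alert(txn.txn_id, "impossible_travel",
                                    f"{speed:.0f} km/h since {prev.txn_id}"))
        last_seen[txn.customer_id] = txn
    return alerts


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data: cust-1 "moves" from New York to London in 90 minutes on a
# new device; cust-2 drives from New York to Philadelphia in an hour on its usual device.
SAMPLE_TRANSACTIONS = [
    Transaction("t1", "cust-1", _utc("2024-03-01T10:00:00"), 40.7128, -74.0060, "dev-A"),
    Transaction("t2", "cust-1", _utc("2024-03-01T11:30:00"), 51.5074, -0.1278, "dev-B"),
    Transaction("t3", "cust-2", _utc("2024-03-01T10:00:00"), 40.7128, -74.0060, "dev-C"),
    Transaction("t4", "cust-2", _utc("2024-03-01T11:00:00"), 39.9526, -75.1652, "dev-C"),
]


def run_sample() -> List[Alert]:
    return monitor(SAMPLE_TRANSACTIONS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only `t2` is flagged, and it is flagged by both rules, which is the point of correlating signals: a single new device or a single odd location is often benign, but the two together on one transaction are worth a step-up authentication or a hold. Bear in mind that the geolocation and device identifier both come from the handset; on a rooted or jailbroken device they can be spoofed, which is why the appendix pairs these checks with root/jailbreak detection and anti-reverse-engineering measures rather than relying on any one of them.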
This time around, the FFIEC has presented actionable guidance for financial institutions to follow by identifying the biggest mobile-related risks and describing how to mitigate them.
The full document is available here.