The FFIEC Gets it Right With New Mobile Financial Services Guidance

John Gunn, June 24, 2016

The debate over the relative importance of mobile banking was settled long ago. Mobile banking is already the number one channel for many customers of financial institutions; it is used by about half of those with a banking relationship; it has grown to become the number two preferred channel overall and will soon become number one; and there is nothing on the horizon that can reverse these trends.

Unlike many technology promises, mobile banking is becoming the panacea that was promised. It allows anytime and anywhere access to banking services of all types. It is remarkably profitable for banks as well; it reduces the costs associated with branch transactions, and mobile banking customers are simply better customers for financial institutions – they buy 2.3 products on average versus 1.3 for their in-branch peers and they stay with their financial institution longer.

So, what is the only threat that could derail this lovefest you ask? Well, it’s those pesky and persistent hackers. The same hackers that breached Sony, Anthem, Home Depot, OPM, Target, and thousands of other well-protected places. The same hackers that have doubled their attacks on mobile apps in just the past year. The same hackers that are growing in numbers and skills while you are reading this missive.

In a timely response to the increase in hacking, banking regulators have added emphasis to the need for financial institutions to ensure the security of the assets they protect. Appendix E: Mobile Financial Services, the FFIEC's new mobile guidance, expands on that mission and in a wonderfully detailed manner. The FFIEC highlights the complexity of the mobile technology infrastructure and identifies specific vulnerabilities that exist in the mobile ecosystem.

The guidance is comprehensive and addresses every key area, including SMS/text messaging, mobile-enabled websites, mobile applications, and wireless payments. It presents information about identifying risks and mitigating those risks across all of these areas. The preceding summary doesn’t do justice to the full document. It is available at this link.

The regulators really get it right in understanding that mobile apps present new and unique risks. To address this, they provide specific guidance for building apps that are secure, and they place the burden of following the best practices they have outlined squarely on financial institutions. This includes designing anti-reverse-engineering technology into the app, detecting whether the mobile device has been rooted or jailbroken, using multiple methods to verify the identity and security of the mobile device, and using geolocation and transaction monitoring. They even go so far as to describe the capabilities of Runtime Application Self-Protection, or RASP, without actually using the technical term. This may seem like a long list or overly burdensome, but these capabilities are conveniently already available in a single solution – DIGIPASS for Apps.

There will always be gripes and swipes at any new regulation, but this time the FFIEC has presented an intelligent and actionable roadmap for mobile financial services security. Love it or hate it, it identifies the biggest risks and shows how to mitigate them. What a wonderful world it would be if all regulations were so helpful.

John Gunn is OneSpan’s CMO and brings two decades of leadership experience in the IT security and software segments. Before joining OneSpan, John led the Security Solutions Group at Harland Clarke where he launched a popular SaaS consumer identity protection and anti-fraud solution.