AND PAYMENTS
What are the Rules?
By Meg Sczyrba, CRCM, and Thomas Healy, CRCM
Technology is evolving at an increasing rate. Banks are rolling out mobile banking and payments products much faster than new regulations can be written, so to meet compliance expectations for those products they must apply “old” rules to new technology. This article examines how banks can prepare for compliance oversight as they consider offering new mobile products, by analyzing the regulatory risks involved both generally and as they apply to newer innovations such as mobile-based remote deposit capture. It also provides an overview of other regulatory implications.
Trends in Mobile Banking
Mobile banking and payments are rapidly expanding in today’s market. As consumers we can now send a split-check request to office mates after sharing lunch, and they can reply by bumping phones to make a payment or (less dramatically) by sending a Person-to-Person (P2P) payment. We can donate money by sending a text message (think Haiti relief), for which our cell provider bills us later. Text messages can also come from our bank, alerting us to possible fraud. We can deposit a check from anywhere using Remote Deposit Capture (RDC). We can make “in-app” purchases on our phones, for example through Amazon. Starbucks and other merchants have developed apps that let us prepay an account and then scan our phone at the register to check out. Our phones may contain a chip that lets us hold the phone near a reader to pay for products in a store using Near Field Communication (NFC), or we can attach a sticker to the phone that functions the same way. With applications such as Square, small merchants can accept our credit card payments anywhere their smartphone has service. And banks now have apps that let us access our accounts directly from our phones.
The good news for compliance officers is that most of these payments are processed just like any other payment made or received. We can therefore focus our efforts on the functions that require us to rethink how our old rules apply to this new technology: RDC, P2P, and bank apps.
Regulatory Considerations
Initiating Mobile Services (Authentication and Disclosures)
When you start out, you will want to consider how to authenticate your customers in the mobile banking environment. This is especially important because security is foremost in the minds of customers. The Federal Financial Institutions Examination Council (FFIEC) guidance, Authentication in an Internet Banking Environment, is a good source to consult. The guidance was originally issued in October 2005, with a supplement issued in June 2011. While neither specifically mentions mobile banking, the FDIC’s Winter 2011 Supervisory Insights refers readers to the guidance. The guidance requires banks to perform a risk assessment for every new technological excursion, and mobile banking is one. Be sure to complete a full risk assessment for mobile banking and renew it every year.
The guidance suggests that banks, at a minimum, take a layered approach to security and authentication. For example, in the first layer a bank can require customers to register their mobile device to an existing online account. In the second layer, it can require customers to enter a password each time they access their account from the mobile device. The FDIC reminds us that simply possessing a mobile device does not by itself satisfy the “something the customer possesses” factor, even though device registration can count as one layer. In the future we may be using technology such as biometrics. Until then, we should also treat customer education as another key to keeping mobile banking secure, just as we did for Internet banking.