Mobile Transactions
(Investigations, Transaction Monitoring)
Once a customer initiates mobile banking services, you have
a host of new and old compliance considerations. The bank is
responsible for Regulation E errors regardless of whether they
occur when the customer uses their bank-issued debit card in a
mobile application or through your mobile banking app. First
and foremost, all of the traditional rules for error resolution still
apply: the definition of “error,” limitations on customer liability,
investigations timing, and provisional credit.
How you investigate reported errors, though, becomes more
complex because people tend to share phones in a way that they
do not share their wallets. For example, what happens when your
customer asks a mobile app to “remember” him or her and then
lends their phone to a friend? Is this a case of negligence for which
the customer is not liable, such as writing their PIN on the back
of a debit card? Or is the situation more akin to the customer
handing a debit card to a friend for a one-time usage and then
not alerting their bank that permission has been revoked? And
how will you handle so-called ‘friendly fraud’ where a customer’s
family member has used their device to make a purchase? You will
want to develop a policy and procedures to ensure such matters
are handled consistently. You should also document your reasoning in case questions later arise.
There are additional complications for investigations of mobile
transaction errors. You will want to advise your investigators about
how to handle instances when not all of the traditional information is available to the bank. For example, phones travel in a way
that stores and computers do not, so it is more difficult to prove
that a customer was not in the same location as a purchase. Also,
because digital content stays on the phone, there is no delivery
address to review that might show the customer received a benefit
from a purchase they are disclaiming.
While we don’t traditionally associate mobile banking and
lending transactions, don’t forget Regulation Z. Similar to
Regulation E, this rule also applies when your bank-issued
credit card is used in a mobile wallet. Just because the card
is linked to a mobile phone does not negate the fact that
the bank issued the card. It is business as usual for
disclosures and error resolution.
Investigations will be easier if transactions are
coded to indicate that they were made through
your mobile application—to the extent you or your
processor have knowledge of the origin of the payment.
But just because they are coded differently
doesn’t mean mobile transactions don’t “count.”
Regulation D limitations still apply.
Separately coded transactions can also
help with monitoring suspicious activity to
satisfy the Bank Secrecy Act. Either with or
without separate codes, you will want to
develop new protocols for determining
what is reportable “suspicious” behavior
for mobile activity. On the plus side, you
may be able to use a customer’s location
and phone to triangulate identity,
which could lower your risks. On the
The flip side of customer security concerns is data security.
Don’t forget Title V of the Gramm-Leach-Bliley Act, which requires
banks to keep consumer information safe. On at least an
annual basis, you will need to perform a risk assessment on mobile
banking information security threats to remain in compliance.
However, if you ultimately decide to provide the disclosures,
you will want to start with Regulation E, which covers most
mobile transactions including:
■ bank app transactions, such as bill pay and P2P;
■ debit card issued by your bank being used in a mobile
wallet; and
■ stored value cards (the commentary
specifically mentions mobile vis-à-vis dormancy fees).
Before you begin to offer mobile
banking, review your existing disclosures to see if they are covered
generally. If not, don’t forget to
send out updated disclosures. The
updates should include any limits and
restrictions for mobile banking. They should
also remind customers that data storage
and mobile phone usage charges will apply.
If your bank allows P2P, then don’t forget
about the new remittance rule. Regulation E’s
recent amendment specifically acknowledges
mobile apps and allows mobile disclosures when
the transactions are conducted via a mobile device.
Other disclosures you won’t want to forget
are the Equal Housing Lender and FDIC Insured
logos, which should go on the front page of any
mobile banking application. While most banks
are not advertising on their mobile applications, be
cautious of trigger terms if yours decides to start. All of
the standard rules apply.