Written by Shari R. Pogach, Regulatory Paralegal
The Federal Financial Institutions Examination Council (FFIEC) has added a new Appendix E to the Retail Payment Systems Booklet within its Information Technology Examination Handbook (IT Handbook). As more consumers turn to the convenience of mobile banking, more financial institutions are providing financial services through mobile device channels such as: short message service (SMS)/text messaging; mobile-enabled websites and browsers; mobile applications; and wireless payment technologies.
The appendix provides a broad overview of the steps a financial institution should take as part of its risk identification process with the types of mobile services it offers. How complex and deep this process should be will depend on the type of functionality an institution allows through the mobile channel and the type of data in transit and at rest. In addition, this process should include risks at the institution and those associated with mobile devices where the consumer implements and manages the security settings. The FFIEC notes that management should identify what risks are involved with an institution’s implementation of mobile products and services, particularly in these areas: strategic, operational, compliance and reputation.
Mobile services technology continues to evolve with any innovations mostly driven by entities outside of the financial industry. However, current consumer laws, regulations and supervisory guidance that apply to a given financial product or payment method generally still apply, regardless of the technology used to provide the product or service.
In terms of compliance risk, the appendix states an institution’s management and system designers should work with compliance staff to minimize compliance risk. An institution’s mobile service services should be reassessed regularly with management, compliance and legal staff reviewing those laws and regulations (including consumer protection laws and regulations) that may apply to its offerings. According to the FFIEC, in order to minimize compliance risk, a compliance officer should:
- Determine whether applicable disclosure requirements are fully accessible on the mobile device.
- Review the institution's existing compliance management system and ability to make appropriate modifications to policies and procedures to address the products, services, and operating features of the mobile financial service technology.
- Monitor for any legal and regulatory changes that may be applicable to mobile financial service on an ongoing basis.
- Train institution staff regarding compliance implications of mobile financial service.
The appendix also includes a detailed outline of work program objectives to assist an examiner in determining "the inherent risk and adequacy of controls at an institution or third party" providing mobile financial services.