Mobile security is an opportunity wrapped up in a problem. That’s because it isn’t just one more link in the transaction chain like a new branch or a unified fleet of ATMs. Rather, it’s a conglomeration of hundreds of different devices from different manufacturers, including both smartphone and tablets, all of which are further modified and customized by the end user.
Consumers love these tools in part because of that customization component, yet for a credit union that delivers services through these channels, this environment also has significant implications for compliance and cybersecurity.
“Mobile security is like an onion; it has layers,” says Kris Kovacs, senior vice president of operations at Coastal Federal Credit Union ($2.5B, Raleigh, NC). “When you’re dealing with PCs, they’re basically the same regardless of manufacturer. But each mobile device can be different, so we have to test different configurations between the device and any native apps we release.”
Balancing Security And Real Time
Mobile complications stemming from new features and functions grow daily, meaning security is a battle no credit union should fight without help, Kovacs says.
Greg Hughes, the information security officer for digital channels at Fiserv, agrees.
“Asking your mobile application vendor how they protect their own apps is always a reasonable thing to do,” he says.
On the upside, most mobile operating systems tend to build upon lessons learned from earlier platforms, like the desktop operating system. That’s why, in most cases, it makes sense to extend online banking security practices to the mobile channel, Hughes says. Still, new lessons do emerge from time to time.
That’s something Apple Pay issuers and processors realized after fraudsters quickly began provisioning purloined credit card account information — including authentication credentials — using the newly released service.
“Fraudsters exploited the weakest link in the chain,” says senior product manager Brian Day at The Members Group, an Iowa-based card processor. “But we do have the benefit of learning from that experience.”
Scott Schmidt, director of remote services at BCU ($2.2B, Vernon Hills, IL), says the credit union wrestles like everyone else with a “fragmented environment” in the mobile channel, especially when working with diverse Android apps versus the more controlled Apple universe.
In mobile, “everything has to be in real time, but we still have to mirror that with a balancing act when it comes to security,” Schmidt says.
3 Rules For Mobile Security
Greg Hughes, information security officer for digital channels at Fiserv Inc., suggests three ways to better secure mobile devices of all kinds.
Continually warn members not to respond to emails, calls, or texts requesting personal and account information; help them identify new, evolving threats.
Advise otherwise tech-savvy members not to modify their devices’ operating systems. This is known as “rooting” in the Android world and “jailbreaking” in iOS.
Conduct negative-case testing — an automated and ethical hacking attack on an app — or ask vendors to provide results of such testing they did themselves.
So Many Rules, So Little Guidance
The one thing that everyone can agree on right now is that mobile banking carries at least the same compliance requirements as walking into a branch.
According to Hoi Luk, senior manager for financial institution regulatory consulting at the California-based accounting firm Moss Adams, these include:
Check 21 regulations
Bank Secrecy Act anti-money laundering rules
The PATRIOT Act
Gramm-Leach-Bliley privacy strictures
Uniform Commercial Codes
Individual state rules and regulations
Yet little has happened so far to align today’s technologies with yesterday’s regulations, beyond authentication guidance from the FFIEC.
Andrea Stritzke, director of lending compliance at the Wisconsin-based CUNA Mutual Group, says regulators have considered mobile a separate channel only when it comes to remittance transfer disclosures.
“Otherwise, they have not taken into consideration how compliance and the disclosures consumers receive might need to evolve with the use of mobile channels,” she says.
E. Andrew Keeney, a credit union attorney with Virginia’s Kaufman & Canoles, sees potential problems in mobile for credit unions following the implementation of Truth In Lending Act/Real Estate Settlement Procedures Act (TILA/RESPA) regulations on Aug. 1 of this year.
An unintentional violation of this ruling could result in a fine of $5,000 per day, Keeney says.
“Mobile lending might also be impacted by TILA/RESPA because of the volume of pages of disclosures required,” he adds.
Another possible pitfall could occur when credit unions need to reissue electronic documents and solicit new signatures because of routine administrative efforts.
“Keeping track of the latest and correct versions will be a burden that members might not be able to handle,” Keeney says. “And that could potentially increase liability to the credit union.”
Still No Basis For Stasis
Jordan Modell, founding CEO of Internet Archive Federal Credit Union ($2.9M, Brunswick, NJ), has already seen increased NCUA interest in security audits that cover policies and particulars like penetration testing at his 3-year-old credit union.
“I think there’s a little fear about mobile right now,” Modell says. “We want to know in advance exactly what the regulators will want from us if we’re going to do this stuff. And that’s not there yet.”
Despite these numerous challenges, the credit union industry continues to push boundaries on the mobile front, and Modell is just one of many credit union managers calling on regulators for more clarification so regulation — or lack of it — does not get in the way greater member service.
For those wanting to minimize uncertainties, Luk at Moss Adams recommends using as guideposts the FFIEC guidance about RDC issued in 2009, the FFIEC IT Examination Handbook, and the BSA Examination Manual.
Luk’s other closing piece of advice? Make sure all investments the credit union does make in unchartered mobile waters have an institution-specific business case as well as a developed support system.
“Always understand the risk exposures, required controls to monitor and track transactions, and the regulatory disclosures involved,” he says.
In other words, don’t provide a product merely because the credit union down the street is. That’s good advice that extends beyond mobile matters.
You Are The Weakest Link
Member behavior remains one of the most unwieldy of all security variables in remote services, making investments in education a crucial part of any game plan.
“As much as we try to secure everything from our end, if a member picks a security question someone can get from Facebook or keeps passwords on sticky notes on their computer, our security measures aren’t going to work very well,” says Scott Schmidt, director of digital services at BCU.