Mobile Financial Services Appendix E of the Retail Payment Systems Booklet
Agenda
• Background
• Mobile Technologies
• Vendor Management
• Risk Management
• Appendix E
  • Risk Identification
  • Risk Measurement
  • Risk Mitigation
  • Monitoring and Reporting
• Work Program
Mobile Financial Services (MFS)
• Appendix E of the Retail Payment Systems Booklet: the FFIEC members updated the Information Technology Examination Handbook on April 29, 2016 to address financial institutions' use of new and emerging technologies, specifically the rapid spread of mobile devices and the advances in their capabilities with respect to financial services.
• This webinar provides an overview of the contents of Appendix E of the Retail Payment Systems booklet.
Mobile Financial Services Technologies
• Short Message Service (SMS)/text messaging
• Mobile-enabled web sites and browsers
• Mobile applications
• Wireless payment technologies (a/k/a person-to-person payments)
Vendor Management
• Due diligence
• Contracts
• Application development and distribution
• Application security
Customer Awareness
• Customer education
• Security awareness
Risk Management
Ensure that:
• Management incorporates its MFS implementation plan into its overall strategic planning process.
• MFS risk management is woven into the institution's enterprise-wide risk management processes and procedures.
• The board of directors carefully monitors MFS risks and the institution's risk mitigation strategies and performance throughout the MFS life cycle.
Risk Identification
Identify the associated risks:
• Strategic
• Operational
• Compliance
• Reputation
Risk Identification
• Strategic Risk
  • Identify the risks associated with the decision to offer MFS and determine which types of MFS best fit with:
    • The strategic vision;
    • Goals; and
    • Risk appetite of the institution.
Risk Identification
• Operational Risk: identify the risks involved with transaction initiation, authentication and authorization, and the MFS technology itself.
  • SMS Technology Risk
  • Mobile-Enabled Web Site Risk
  • Mobile Application Risk
  • Mobile Payments Risk
Risk Identification
• Operational Risk: SMS Technology Risk
  • Transmitted unencrypted over widely used telecommunications networks.
  • Vulnerable to spoofing.
  • Fraudulent SMS messages.
Risk Identification
• Operational Risk: Mobile-Enabled Web Site Risk
  • Subject to many of the same vulnerabilities that can compromise computer-based banking.
  • Limited hardware and operating systems.
  • Lack of anti-phishing and anti-XSS modules.
  • Attacks involving unvalidated "redirects and forwards."
  • Phishing messages or forged web sites.
  • Small screens may not effectively display the visual security cues that are more easily seen in full-scale browsers on large screens.
Risk Identification
• Operational Risk: Mobile Application Risk
  • Risk associated with the prevalence of downloadable applications for mobile devices.
  • Distribution of malware through applications.
  • Rooting and jailbreaking.
  • Vulnerabilities that may exist in all areas of the decentralized mobile ecosystem.
  • Compromised user privacy.
Risk Identification
• Operational Risk: Mobile Payments Risk
  • Portability of mobile devices can lead to devices being misplaced or stolen, which may allow unauthorized access to the mobile wallet or user credentials.
  • Because mobile payments at the POS may use NFC, communications between the device and the POS terminal can be intercepted while the device is in the user's possession.
  • Malicious actors using stolen identity information may establish fake accounts on Near-Field Communication (NFC) enabled mobile devices to make unauthorized transactions.
Risk Identification
• Compliance Risk
  • Financial institution management should identify the compliance risks as it determines which MFS to offer, and continue to monitor these risks as the technology for MFS evolves. Consumer laws, regulations, and supervisory guidance that apply to a given financial product or payment method generally apply regardless of the technology used to provide the products and services.
Risk Identification
• Reputation Risk
  • Reputation risk is particularly relevant in the context of privacy and data security, as public scrutiny of the treatment of customer information continues to grow.
Risk Measurement
• Once the risks arising from the institution's MFS products and services have been identified, measure the level of risk across all identified risk categories.
• The measurements should give management enough information to judge the likelihood and impact of the identified risks.
• The measurements should also be used to prioritize the risks in order of likelihood and impact, allowing management to implement appropriate levels of control for each risk category.
• Measure the risk on an ongoing basis.
• Update the risk measurement mechanisms whenever management implements changes to the institution's MFS products and services.
Risk Mitigation
• Strategic Risk Mitigation
  • Incorporate decisions on providing MFS into the institution's strategic planning process.
  • Various elements should be part of any mobile strategy, including:
    • The products and services to be offered;
    • Types of transactions allowed;
    • Limits over transaction amounts;
    • Mobile architecture design;
    • Supported mobile devices;
    • Customer needs; and
    • Use of third parties.
Risk Mitigation
• Operational Risk Mitigation: management should develop a layered approach to mitigate operational risks from MFS. This may include:
  • Installing security controls at both the server and database levels;
  • Using transaction monitoring and geolocation techniques to identify anomalous MFS transactions;
  • Employing fraud prevention, detection, and response programs to facilitate rapid notification of potentially fraudulent transactions;
  • Applying additional controls (e.g., stronger authentication, encryption) to prevent unauthorized access to sensitive customer information stored on the device; and
  • Educating customers and employees on how to detect attempted fraud through MFS.
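The "transaction monitoring and geolocation" bullet is the one control on this slide that reduces to concrete detection logic. The following is an added example, not code from the FFIEC appendix or from the presenter: it walks a customer's MFS transactions in time order and flags any pair whose implied travel speed is physically implausible, plus any transaction over a per-product amount limit. The transaction records, the 900 km/h speed ceiling and the $2,500 limit are all constructed assumptions for the illustration.

```python
"""Added example: flagging anomalous MFS transactions on time and geolocation.
Not part of the FFIEC appendix; sample data and thresholds are constructed."""
import math
from datetime import datetime, timezone

MAX_PLAUSIBLE_KMH = 900.0   # assumption: faster than this between two transactions is "impossible travel"
AMOUNT_LIMIT = 2500.00      # assumption: per-transaction limit for this MFS product


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def flag_anomalies(transactions):
    """Return [(txn_id, reason)] for transactions that look anomalous.

    Each transaction is a dict with keys id, customer, ts (ISO-8601 with UTC offset),
    lat, lon and amount. Records are processed per customer in timestamp order, so the
    input need not be sorted.
    """
    parsed = [(datetime.fromisoformat(t["ts"]).astimezone(timezone.utc), t) for t in transactions]
    parsed.sort(key=lambda pair: (pair[1]["customer"], pair[0]))

    flagged = []
    last_seen = {}  # customer -> (ts, lat, lon) of the previous transaction
    for ts, t in parsed:
        if t["amount"] > AMOUNT_LIMIT:
            flagged.append((t["id"], "amount exceeds limit"))

        prev = last_seen.get(t["customer"])
        if prev is not None:
            prev_ts, prev_lat, prev_lon = prev
            hours = (ts - prev_ts).total_seconds() / 3600.0
            km = haversine_km(prev_lat, prev_lon, t["lat"], t["lon"])
            # Two distinct locations with no elapsed time is flagged; the same
            # location is never flagged no matter how little time has passed.
            if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                flagged.append((t["id"], f"impossible travel: {km:.0f} km in {hours:.2f} h"))

        last_seen[t["customer"]] = (ts, t["lat"], t["lon"])
    return flagged


# Constructed sample: alice appears in New York and then London 90 minutes later;
# bob stays in Chicago but makes one transaction over the limit.
SAMPLE_TRANSACTIONS = [
    {"id": "t1", "customer": "alice", "ts": "2016-04-29T10:00:00+00:00", "lat": 40.71, "lon": -74.01, "amount": 60.00},
    {"id": "t2", "customer": "alice", "ts": "2016-04-29T11:30:00+00:00", "lat": 51.51, "lon": -0.13, "amount": 120.00},
    {"id": "t3", "customer": "bob", "ts": "2016-04-29T09:00:00+00:00", "lat": 41.88, "lon": -87.63, "amount": 25.00},
    {"id": "t4", "customer": "bob", "ts": "2016-04-29T09:30:00+00:00", "lat": 41.88, "lon": -87.63, "amount": 100.00},
    {"id": "t5", "customer": "bob", "ts": "2016-04-29T12:00:00+00:00", "lat": 41.88, "lon": -87.63, "amount": 5000.00},
]


def run_sample():
    """Run the detector over the constructed sample."""
    return flag_anomalies(SAMPLE_TRANSACTIONS)


if __name__ == "__main__":
    for txn_id, reason in run_sample():
        print(f"{txn_id}: {reason}")
```

In a real MFS back end the records would come from the transaction log and the device-reported location, and a hit would feed the fraud notification program named in the next bullet rather than a print statement; the thresholds belong in the risk appetite the strategic slide asks management to set.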
Risk Mitigation
• Operational Risk Mitigation, continued. The MFS system used by the institution should incorporate general operational controls, such as the following:
  • Verification of a customer's identity upon enrollment in MFS services and at the point of usage.
  • Authentication and authorization processes, such as biometric (voice, fingerprint, facial recognition) or out-of-band authentication.
  • Thorough design and architecture review using threat-modeling techniques that reduce the institution's exposure to intrusion.
  • Applications that use secure coding techniques, have been rigorously tested for vulnerabilities at least annually, and have built-in anti-malware capabilities.
  • Timely and secure distribution of applications and updates.
  • Applications that do not retain sensitive customer information on the device, such as user IDs and passwords.
Risk Mitigation
• Operational Risk Mitigation, continued. The MFS system used by the institution should incorporate general operational controls, such as the following:
  • Applications that securely wipe any sensitive customer information from memory when customers exit.
  • Log-on credentials used in addition to access controls.
  • Multi-factor authentication.
  • Re-authentication each time a user launches an MFS application and whenever a customer's device or mobile transactions are unused for a designated period of time.
  • Contracts with third parties developed by legal counsel and written specifically to cover the institution's mobile services.
Risk Mitigation
• Operational Risk Mitigation, continued. The MFS system used by the institution should incorporate general operational controls, such as the following:
  • Contracts with third parties that clearly identify each party's roles and responsibilities.
  • Agreements with the institution's customers and third parties that cover the types of data collected and the circumstances for data sharing.
  • Customer awareness programs that advise customers about the need to maintain the physical and logical security of mobile devices and the importance of regularly installing operating system and firmware updates.
  • Logging and monitoring capabilities on all MFS products and services to track customer activity and security changes and to identify anomalous behavior and transactions.
Risk Mitigation
• Operational Risk Mitigation, continued.
  • SMS Technology Risk Mitigation
    • The MFS system employs compensating controls to mitigate the inability to encrypt SMS messages (such as redacting or truncating customer account numbers when sent via SMS).
    • The system should limit the access or functionality available to customers through SMS banking.
    • For more significant MFS transactions, the system should incorporate other risk mitigation methods, such as pre-registration and the use of security tokens.
    • If PINs are used to authenticate MFS transactions, the system should require customers to strengthen the security of PIN usage, such as by requiring PINs to be changed regularly.
    • In its customer awareness efforts, the institution should convey information on avoiding phishing messages sent by SMS.
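Because SMS travels in the clear, the first two bullets above (redact account numbers; limit what SMS banking can do) are the controls that actually reduce what an intercepted message exposes. The block below is an added example, not code from the FFIEC appendix or the presenter, of a minimal SMS responder that only answers read-only commands and masks any account-like digit run in the outbound text. The command allowlist, the account data and the regular expression (digit runs of 8 to 17 digits, optionally space-separated) are constructed assumptions; the appendix itself gives no rule for what counts as an account number.

```python
"""Added example: outbound-SMS redaction and a command allowlist for SMS banking.
Not part of the FFIEC appendix; account data and policy values are constructed."""
import re

# Assumption: only read-only, low-sensitivity requests are served over SMS.
# Anything else is referred to the authenticated mobile application.
ALLOWED_COMMANDS = {"BAL", "LAST"}

# Constructed account records standing in for a core-banking lookup.
ACCOUNTS = {
    "1234567890123456": {
        "balance": 2250.00,
        "last": [("2016-04-29", -42.10, "Grocer"), ("2016-04-28", 1500.00, "Payroll")],
    },
}

# Assumption: an account or card number is a run of 8 to 17 digits, optionally
# grouped with single spaces (as printed cards are). Dashes are deliberately not
# treated as separators so that dates such as 2016-04-29 are left readable.
ACCOUNT_RE = re.compile(r"\b(?:\d ?){7,16}\d\b")


def mask_number(raw, keep_last=4):
    """Replace all but the last `keep_last` digits of a matched number with '*'."""
    digits = re.sub(r"\D", "", raw)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def redact_sms(text):
    """Mask every account-like digit run in an outbound message."""
    return ACCOUNT_RE.sub(lambda m: mask_number(m.group(0)), text)


def build_sms_reply(command, account_no):
    """Build the reply to an inbound SMS command for a pre-registered account.

    The reply always passes through redact_sms(), so even a message body that
    embeds the full account number never leaves the institution unmasked.
    """
    cmd = command.strip().upper()
    if cmd not in ALLOWED_COMMANDS:
        return "Unsupported request. Please use the mobile app for this service."
    acct = ACCOUNTS.get(account_no)
    if acct is None:
        return "No account is registered for this number."
    if cmd == "BAL":
        body = f"Account {account_no} balance: ${acct['balance']:,.2f}"
    else:
        items = [f"{date} {desc} {amt:+.2f}" for date, amt, desc in acct["last"]]
        body = f"Account {account_no} recent: " + "; ".join(items)
    return redact_sms(body)


if __name__ == "__main__":
    print(build_sms_reply("bal", "1234567890123456"))
    print(build_sms_reply("last", "1234567890123456"))
    print(build_sms_reply("transfer", "1234567890123456"))
```

The redaction runs on the assembled message rather than on individual fields, so a later template change that interpolates a full number somewhere new is still caught; the cost is that any unrelated 8-plus-digit number in the text is masked as well, which is the safer failure for an unencrypted channel.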
Risk Mitigation
• Operational Risk Mitigation
  • Mobile-Enabled Web Site Risk Mitigation
    • Require developers to build a secure web site for mobile devices and instruct them to follow the guidelines from the Open Web Application Security Project (OWASP) Top 10 for web applications and Top 10 for mobile applications.
    • Educate customers to use a baseline set of controls to protect their devices and information.
    • Determine whether mobile browsers incorporate available safeguards, such as anti-XSS modules, and deny access to devices with mobile browsers that do not meet minimum standards.
    • Determine whether mobile-enabled web sites are designed with mitigating controls to minimize the potential for exploitation of "redirect and forward" vulnerabilities.
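The "redirect and forward" vulnerability named in the risk slide and mitigated here is the pattern where a login page sends the user on to whatever URL a `next` parameter carries, which lets a phishing message steer a freshly authenticated customer to a forged site. The following added example (not code from the FFIEC appendix or the presenter) shows that vulnerable pattern next to a hardened version that resolves the target against the institution's own site and only honours it when it stays on an allowlisted host over HTTPS. The host names, the default landing page and the helper names are constructed assumptions.

```python
"""Added example: unvalidated redirect beside an allowlist-validated one.
Not part of the FFIEC appendix; host names and landing page are constructed."""
from urllib.parse import urljoin, urlsplit, urlunsplit

# Assumption: hosts the mobile site is allowed to redirect to after login.
ALLOWED_HOSTS = {"m.examplebank.test", "www.examplebank.test"}
SITE_BASE = "https://m.examplebank.test/"
DEFAULT_LANDING = "https://m.examplebank.test/accounts"


def unsafe_redirect_target(next_url):
    """The vulnerable pattern: whatever the request supplied is used as-is."""
    return next_url


def safe_redirect_target(next_url):
    """Return `next_url` only if it resolves to an allowlisted host over https.

    Anything else (external hosts, protocol-relative //host forms, userinfo
    tricks such as https://m.examplebank.test@evil.test, non-http schemes,
    backslashes and control characters) falls back to the default landing page.
    """
    if not next_url:
        return DEFAULT_LANDING
    # Backslashes and control characters are rejected outright: some browsers
    # treat "\" as "/", so "/\evil.test" could be parsed differently downstream.
    if any(ch in next_url for ch in "\\\r\n\t"):
        return DEFAULT_LANDING

    # Resolve relative paths against the site; urljoin also turns "//evil.test/x"
    # into "https://evil.test/x", so the host check below sees the real target.
    parts = urlsplit(urljoin(SITE_BASE, next_url))
    if parts.scheme != "https":
        return DEFAULT_LANDING
    # netloc must be exactly the hostname: no userinfo, no explicit port.
    if parts.hostname is None or parts.netloc.lower() != parts.hostname:
        return DEFAULT_LANDING
    if parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_LANDING

    # Rebuild from the validated pieces so nothing unexpected is carried through.
    return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    for candidate in ["/accounts/summary", "https://evil.test/phish", "//evil.test/phish",
                      "https://m.examplebank.test@evil.test/", "javascript:alert(1)", ""]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```

The allowlist is the check that matters: comparing the host against a fixed set is what stops the open redirect, while the scheme, userinfo and character checks close the common ways of smuggling a different host past a naive string comparison.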
Risk Mitigation
• Operational Risk Mitigation
  • Mobile Application Risk Mitigation
    • Management should employ a sufficient variety of security mechanisms for mobile applications, such as controls to mitigate the risks of unauthorized access, rooted or jailbroken devices, unpatched devices, or devices or applications that are no longer supported.
    • Management should establish processes for security testing at all post-design phases of an application's life cycle.
    • The institution's computer system should secure back-end servers containing the MFS application and customer data.
    • Management should favor MFS applications that were developed in a "sandbox" configuration to create a more secure area within the device for processing transactions.
    • Management should maintain an awareness of vulnerabilities in MFS applications by participating in online forums and monitoring vendor web sites.
    • Management should periodically test the functionality of MFS applications with other integrated mobile applications and services.
Risk Mitigation
• Operational Risk Mitigation
  • Mobile Payments Risk Mitigation
    • Management should engage in ongoing discussions with MFS providers to mitigate the risks arising from mobile payments.
    • Management should require mobile payments platform developers to use various security techniques to secure mobile payments, such as traffic filtering to ward off denial-of-service attacks, trusted platform modules, secure telecommunications protocols, encryption during payment transmission, anti-malware software, and encryption of personal information stored on mobile devices that access the institution's MFS products and services.
Risk Mitigation
• Compliance Risk Mitigation
  • Management
    • Consult with compliance staff to minimize compliance risks when developing and implementing MFS.
    • Reassess current mobile service offerings regularly and, in conjunction with appropriate compliance and legal staff, examine applicable laws and regulations, including those for consumer protection, to determine which may apply to the institution's specific mobile financial service offerings.
  • Compliance Officer
    • Determine whether applicable disclosure requirements are fully accessible on the mobile device.
    • Review the institution's existing compliance management system and its ability to make appropriate modifications to policies and procedures to address the products, services, and operating features of the MFS technology.
    • Monitor on an ongoing basis for any legal and regulatory changes that may be applicable to MFS.
    • Train institution staff regarding the compliance implications of MFS.
Risk Mitigation
• Reputation Risk Mitigation
  • Adopt appropriate and effective controls over customer information accessed, transmitted, or stored by the MFS to minimize or prevent disclosure of personal information and the potential for fraudulent transactions.
  • Implement such controls whether the institution is providing the MFS directly or through a third party.
Monitoring and Reporting
Adopt appropriate performance monitoring systems for assessing whether the product or service is meeting operational expectations. Such systems should do the following:
• Include limits on the level of acceptable risk exposure that management and the board are willing to assume.
• Identify specific objectives and performance criteria, including quantitative benchmarks for evaluating the success of the product or service.
• Periodically compare actual results with projections and qualitative benchmarks to detect and address adverse trends or concerns in a timely manner.
• Modify the business plan, when appropriate, based on the performance of the product or service. Such changes may include exiting the activity should actual results fail to achieve projections.
Monitoring and Reporting
• Is periodic internal reporting of MFS activities required, and do the reports meet the needs of the various levels of management?
• Do the reports address both point-in-time activity and usage trends?
• Do the reports indicate the volume of activity from the point of MFS start-up and also document changes in customer usage or volume over time?
• Do the reports document the nature of MFS users, including individuals and organizations, and monitor changes in the customer segments served?
• Does management refine or adjust the institution's MFS strategy in response to the periodic management reports?
• Does the institution's internal auditor issue an audit report on MFS products and services at least annually?
Work Program
The work program is provided for examiners to use in evaluating the risks and risk management practices at financial institutions offering mobile financial services. The work program contains seven objectives.
• Objective 1. Determine whether management effectively responds to issues raised or problems related to mobile financial services.
• Objective 2. Determine whether financial institution management incorporates or plans to incorporate its plan for implementing mobile financial services into its strategic planning process.
Work Program
• Objective 3. Determine whether financial institution management identifies the risks associated with offering mobile financial services.
• Objective 4. Determine whether financial institution management appropriately and effectively measures the risks associated with mobile financial services and determines the likelihood and impact of those risks.
• Objective 5. Determine whether financial institution management effectively identifies and implements controls to mitigate the identified and prioritized risks associated with the mobile financial services offering.
Work Program
• Objective 6. Determine whether financial institution management maintains effective oversight of mobile financial services activities and maintains appropriate reporting for the various levels of management to support that oversight.
• Objective 7. Discuss corrective action and communicate findings to the financial institution.
Appendix E: Mobile Financial Services The FFIEC handbook appendix on MFS risk management may be found at: https://ithandbook.ffiec.gov/it-booklets/retail-payment-systems/appendix-e-mobile-financial-services.aspx
Questions? Thank you for your participation! We hope you found value in the presentation. If you have any additional questions, contact Compliance Alliance at hotline@compliancealliance.com or 888-353-3933.