Mobile banking – shaping the future of regulation in EU and the UK
Financial services sector head John Salmon and the Pinsent Masons financial services sector team bring you insight and analysis on what really matters in the world of financial services.
This week the Financial Conduct Authority (FCA) published its initial look into mobile banking. Described as a thematic review, the regulator’s interim report lists a number of aspects of mobile banking that need further investigation.
These are not entirely surprising: fraud; security; the use of third parties; consumer awareness; ‘technology risk and interruptions to service’, and anti-money laundering systems and controls. Each issue, however, was given no more than two paragraphs, indicating just how early a stage the FCA is at in its review process.
The FCA said that it was conducting the review because it wants banks to have clear mobile banking strategies backed by sustainable business models; it wants data and IT system risks to be thoroughly thought through, and it wants consumer benefit to be at the core of banks’ decisions.
The report also revealed that the FCA will be “representing the UK at European negotiations on mobile banking security.”
The FCA’s next step is to ‘test’ a sample of firms which provide mobile banking services and determine whether those firms are meeting its expectations.
Banks and other mobile banking and payment service providers therefore now have an opportunity to influence both UK regulatory measures to be taken on mobile banking and overriding EU regulation, if they engage with the FCA in a meaningful way over the coming months.
Fraud, security and mobile banking
The FCA will need assistance in understanding how mobile banking compares with phone and internet banking in terms of security risks and fraud.
Banks and regulators have long accepted that the risks associated with phone banking can be mitigated by relying on customers answering security questions over the phone in order to identify themselves and authenticate that they are the holders of current accounts.
For internet banking, banks rely on SSL secure transmissions of encrypted data between browsers and bank servers; chip-and-pin card readers; secure logout protocols, and restrictions on ‘browsing away’ from secured pages.
While it is right for the FCA to ensure that an appropriate level of security is maintained in a mobile banking environment, it should not set a security standard that is out of proportion to, and inconsistent with, that required for phone and internet banking facilities.
Use of third parties
Financial institutions must ensure that they engage in proper, full supervision of outsourcing service providers. In addition to due diligence undertaken before engaging a supplier, resources must be allocated to ensure that proper governance is put in place during the life of an outsourcing relationship so that business continuity programs and supply chain interfaces are kept resilient and up-to-date.
As the FCA’s predecessor, the Financial Services Authority, had recommended, internal third party supplier issues must also be addressed, and financial institutions should even be aware of the methods suppliers use to “vet their staff” in order to avoid security breaches.
In a mobile context, financial institutions need to understand the added level of complexity as to who is doing what, what each party is responsible for and the level of effectiveness of supervision over, not just each party, but each link in the chain.
Supervision of outsourcing providers, however, is not a mobile-specific issue in itself, and while it is appropriate for the FCA to consider supply chain risks in the context of mobile services, it should also consider the mobile-specific risks that third parties present.
How individual financial service apps collect data, whether through screen scraping techniques, API feeds or other data transfer protocols, should be investigated before regulatory decisions are made as to the consequences of using one technique over another.
If the FCA is to make appropriate mobile banking rules and effectively negotiate standards at EU level that reflect consumer expectations and enable banks to maintain sustainable operating models, it must ensure that it now conducts a review that addresses issues in depth and not just at a high level.