On April 29, 2016, the Federal Financial Institutions Examination Council (FFIEC) released the first Information Technology Examination Handbook (IT Handbook) update providing guidance on mobile financial services. The guidance includes security recommendations for SMS/text message services, mobile-enabled websites, mobile apps, and the range of wireless payment options. The original handbook was released in 2003.
As a result of the newly released guidance, financial institutions will need to retroactively apply the guidance to existing environments and to any new mobile financial service projects.
How should financial institutions respond?
- Verify that risk assessments address all mobile financial services
- Communicate mobile security awareness to customers
- Work with vendors on biometrics and out-of-band authentication needs
- Report accepted risk levels and mobile security incidents to the board
The first key area of the guidance focuses on properly assessing risk, including strategic, operational, compliance, and reputation risks. Mobile-specific risks include spoofed SMS messages sent to customers/members, limited options for applying anti-phishing controls to a mobile-optimized website, and the security (or lack thereof) within mobile apps and on jailbroken customer devices.
Additional control requirements focus on people, process, and technology. Some of these entity-wide controls could have been inferred from the 2003 electronic banking guidance, such as ongoing board awareness, formalized policies, and strategic planning to guide mobile financial services. The new guidance also identifies mobile-specific counterparts to the transaction monitoring and fraud prevention controls that should already be in place for all financial transactions.
Vendor oversight concerns are also heavily stressed, as financial institutions typically rely on third parties for mobile service development and related security. This includes ensuring application servers are properly secured, websites are developed with Open Web Application Security Project (OWASP) guidance in mind, and authentication requirements include true multifactor offerings, with biometrics and out-of-band authentication becoming more commonplace.
In line with recent handbook updates and the cybersecurity assessment tool, customer/member security awareness is also critical, especially since customers and members are the parties responsible for implementing many of the physical and logical controls on their own mobile devices.
We recommend all financial institutions review the updated handbook to ensure their existing mobile financial services are properly secured. Any updates should be included in planning discussions for additional mobile offerings.