Mobile banking is quickly gaining momentum as the most important form of interaction between customers and their banks, and, by some accounts, is expected to become neck and neck with online banking and ATM use this year. Each year since 2011, the Federal Reserve has conducted a “Consumers and Mobile Financial Services” survey of over 2,000 U.S. adults on their use of mobile banking. While mobile banking continues to rise, the percentage of smartphone banking users has leveled off. This leveling off is correlated with nearly 75 percent of users citing security as a top concern. At the same time, a recent Salesforce report on what millennials expect from their banks found that at least 75 percent of millennials are reliant on a mobile banking application. At least a quarter of this same population cites a lack of a mobile application as the main barrier to bank engagement, or as a reason to pick one bank over another. Customer demand for secure mobile banking applications and mobile financial services is not only here to stay, but is becoming a staple of modern banking practice.
Mobile banking is an important tool for traditional financial institutions, who are receiving increasing pressure from fintech digital or mobile-only banks now entering the market. To ensure the success of mobile banking, the security concerns of mobile banking customers must be addressed. In addition to consumers, these security concerns are increasingly on the radar of interagency bodies and government regulators. In fact, in June, following cyberattacks targeting interbank messaging and wholesale payment functions, the Federal Financial Institutions Examination Council issued a statement on safeguarding the cybersecurity of payment networks. The FFIEC also stressed that financial institutions should review risk management practices and controls related to information technology systems and wholesale payment systems. This article follows on the heels of the FFIEC’s guidance on risk management for mobile financial services released in May 2016.
The FFIEC’s guidance on mobile devices, or Appendix E of the Retail Systems Payment Booklet, provides industrywide instruction on identifying and controlling the risks posed by mobile financial services or smartphone technology. The FFIEC’s guidance addresses mobile device technologies, such as SMS/text messaging, mobile website browsing, mobile applications and wireless payment technologies, that are susceptible to security risks due to the nature of mobile devices. For example, many mobile users are less likely to activate security controls, virus protection or personal firewall functionality on their smartphones, which may expose nonpublic personal information to third parties. As a result, the FFIEC’s guidance encourages both management and board-level executives to educate themselves and participate in the institution’s strategic plan for risk identification relating to these products and services. This identification process should include those risks that exist at the institution, those associated with the use of the mobile device by the customer, and risks associated with using third-party applications or service providers. Financial institutions are encouraged to develop robust policies and procedures, as well as implement review, reporting and organized feedback loops between day-to-day operations and senior management as they relate to mobile device security-related risks. Financial institution management should also identify compliance risks and monitor these risks as the technology for mobile financial services evolves. Financial institutions must also consider that the consumer laws, regulations and supervisory guidance that apply to a particular financial product or payment method will generally apply regardless of the technology used to provide that product or service. 
This is often made more complicated as third-party service providers in the technology sector who design these applications may be unfamiliar with the regulation and supervision of the financial services sector. As a result, clear communication between these third-party providers and the legal department of the financial services entity is necessary in order to fully understand the compliance and organizational risks associated with mobile banking applications.
Financial institutions should also identify specific legal and regulatory risks associated with the use of mobile financial services. The increased use of mobile banking, coupled with a recent increase in regulatory scrutiny of data privacy and security, creates a prime environment for potential new legislation, as well as an opportunity for regulatory agencies to use existing legislation to monitor and regulate mobile devices. For example, in March 2016, the Consumer Financial Protection Bureau entered into a consent order with and fined Dwolla, an online payment platform, $100,000 for deceiving consumers about its data security practices and the safety of its online payment system. Dwolla utilized a payment application that allowed customers to transfer funds to third parties from funds stored in a linked bank account or from funds stored in a Dwolla account. As part of providing this service, the CFPB claimed, Dwolla collected a variety of information from its customers, including name, contact information and bank account numbers. The CFPB’s allegations and subsequent consent order were based on violations of the Consumer Financial Protection Act for unfair, deceptive or abusive acts or practices (UDAAP). The Dodd-Frank Act provides the CFPB with: (1) rulemaking authority and (2) enforcement authority with respect to entities within its jurisdiction to prevent unfair, deceptive or abusive acts or practices in connection with any transaction with a consumer for any consumer financial product or service. This now appears to include mobile and online applications utilized by regulated financial entities. The Dwolla order makes it clear that the CFPB intends to utilize its authority to address data privacy and information security concerns.
UDAAP remains a vague and relatively undefined regulatory device, particularly as it relates to abusive practices. The challenge of UDAAP compliance is that the standard is intentionally broad and inherently flexible. While UDAAP’s vague and relatively subjective prohibitions on unfair, deceptive, or abusive acts and practices can serve as powerful deterrents to innovation, financial institutions are unable to wait until there is clear precedent on which mobile device issues may fall under UDAAP. Financial services innovators by definition will be offering new products and services that won’t have the advantage of formal regulatory review. Recognizing this, the American Bankers Association sent a letter to the Office of the Comptroller of the Currency, titled "Supporting Responsible Innovation in the Federal Banking System: An OCC Perspective." The ABA requested formal clarification of the applicability of UDAAP to innovative products and services, including financial services technology, stating: “We believe that clarification of the application of UDAAP would do much to remove a major inhibition to innovation within the banking industry. It is hard for financial firms to focus on expanding access when doing so may also invite expanded (and hitherto undefined) legal vulnerability.”
As the Dwolla case demonstrates, mobile financial services and related mobile applications are subject to UDAAP scrutiny. The Dwolla consent order is particularly significant because it represents the CFPB’s first formal venture into the data security area. As the technology develops and regulatory and supervisory scrutiny increases, financial institutions face a number of operational challenges to ensure that mobile financial services remain compliant with applicable laws and regulations. In light of these challenges, financial institutions should incorporate the process of reviewing and updating existing policies, procedures, and systems for existing and new mobile financial products and services to ensure they have the necessary infrastructure to comply with applicable regulations. It is important that financial institutions not only develop a robust compliance program and legal oversight for specific regulations for products and services that are used by customers via mobile devices, but also create similar programs and oversight for the more elusive UDAAP issues. Financial institutions should pay particular attention to customer complaints relating to mobile services, regulatory and supervisory guidance, and legal precedents. Keeping abreast of the most recent technological innovations, industry standards and legal climate is the most practical way to meet consumer and regulatory expectations alike.

Republished with permission. This article first appeared in Law360 on August 30, 2016.