Mobile banking and payment apps have seen remarkable growth in popularity and usage worldwide over the last year.
There are 4 billion mobile devices in use around the world, which means that mobile payments and banking provide game-changing access to the “unbanked," or those not served by a bank or similar financial institution. These are opportunities that even the biggest global players are only beginning to leverage.
As banks continue to invest heavily in developing mobile and web-based services for personal and business accounts, investments, money transfers, micro loans and peer-to-peer payments to make the customer experience as seamless as possible, they cannot afford to let compliance efforts lag.
As complex financial services go mobile and global at astonishing speed, new risks are being introduced. Mobile app security requires a dedicated approach that starts early in the development process. That approach should start with an understanding of the goals for the mobile application, risk assessment of the mobile application and a discussion with the compliance organization. Too many times we hear of risk and compliance being thought of as a check-the-box activity to perform at the end of a mobile application project — only for risk or compliance experts to put the brakes on deployment.
Digital transformation must align with the goals of the financial institution. Often these new customer-facing channels have broader implications and create new risks for the business. Mobile app risk management is more than just managing IT risk. Financial institutions need to measure how the projects deliver on expected reduction in teller and call center needs, manage monetized API integrations and ensure fintech compliance and other risks not previously managed by the bank. Manual and siloed approaches are insufficient as they introduce further risk. Financial firms and the third parties that develop their mobile apps must work diligently to identify, understand, measure and integrate their enterprisewide risk management and compliance practices.
Risk must be identified early to all areas impacted by mobile applications so its effectively managed. This includes the traditional, often expansive IT footprint found in most banks, including the new risks we discussed earlier. Optimizing incident response effectiveness is crucial to limiting potential damage to the institution and its customers. This requires carefully designed and tested plans that involve all stakeholders and consider the specific risks associated with mobile apps.
As a core component of risk management efforts, banks and fintech firms need to focus on the cybersecurity aspects of developing and improving their mobile apps, whether those activities are done in-house or by a third party. Essential objectives should include: creating stronger security requirements from the start, conducting penetration tests, continuously auditing the assets and networks that process data and conducting thorough IT risk assessments of contracted developers. These capabilities are central to meeting regulatory obligations from multiple countries (GDPR, PSD2), federal agencies (OCC, Federal Reserve, IRS), industry standards (PCI DSS) and state legislation (the final phase deadline for New York’s Department of Financial Services 23 NYCRR 500 was March 1, 2019).
In an effort to mature their risk management programs, organizations should leverage a governance, risk management and compliance (GRC) platform to link business objectives of mobile applications to the risks of those objectives. This allows financial institutions to link measurable controls that manage risk and promote compliance. An effective GRC implementation will monitor and measure the IT, business, financial and other aspects in a single pane of glass, allowing the banker to have the full picture of risk to the bank.
Effective GRC implementations pull this data automatically or regularly request information which results in freeing up resources to focus on identified risk priorities. Likewise, a unified view of system scans, deduplicated results and automated alerts makes it easier to identify emerging vulnerabilities and rank risk priorities. In an industry where margins are thin, teams are small and every dollar counts, proactively managing risk to mobile applications or other digital transformation, projects that the bank can make the difference between operational tweaks with quick resolutions to costly and disastrous outcomes.
This summary of risks and compliance obligations associated with mobile banking and payments is evident. Even so, it is strikingly clear that banks and fintech firms need to extend visibility, integrate controls and cultivate extended risk management. Comprehensive technology platforms with integrated GRC functions empower financial services organizations to strengthen and scale their mission-critical efforts to protect and grow their business, partnerships and customer base.
