Mobile-Specific Guidance and Regulations Surely Lie Ahead
- Regulations and guidance specific to the mobile channel are seen on the horizon.
- Some say that will be hastened by a security breach or other negative event.
- Strength of the regulations and guidance may be influenced by industry reaction to security events.
- Regulatory veteran sees 'principles-based' rather than 'prescriptive' guidance.
- Specific responsibilities among stakeholders in the delivery channel remain to be worked out.
Rules and regulations specific to the fast-growing mobile banking channel will be a fact of life. It's just a matter of time.
That's according to people who make their living helping credit unions and other financial institutions accommodate new technologies and the compliance challenges that come along with them, as well as shape the rules themselves.
"I would not be surprised if the regulatory agencies issue some form of mobile banking guidance. Because of the growing volume of mobile banking transactions, I believe the agencies have this issue on their radar and will address it," said William Henley, senior vice president for BITS, the technology policy division of the Financial Services Roundtable in Washington, D.C.
"This issue is one that is important to regulators, but speculation on a delivery date is of no value," said Henley, who spent more than 20 years in federal government roles, including most recently as director of IT examinations for the Office of Thrift Supervision.
"I am certain the agencies will deliver the guidance when they deem it appropriate," Henley said. "I would expect that any guidance would be principles-based, rather than prescriptive, and would encourage financial institutions to complete a thorough risk assessment and develop a comprehensive mitigation strategy."
Still, that will likely happen after something bad happens, said some credit union industry consultants and compliance specialists.
"Regulators in most cases are reactive instead of proactive," said Paul Schaus, managing partner with Catalyst Consulting Group in Phoenix. "There's already security guidance out there now for online banking, but as P2P grows and smart phones keep getting more intelligent, you know there's going to be more. It's just a matter of when and how bad it'll be."
Jim Kisch, chief strategic officer at compliance software specialist Continuity Control in New Haven, Conn., also sees new rules and regs for mobile banking being shaped by reaction to events yet to occur.
"Ultimately, we're going to run across a situation where some information is going to be compromised, and it's a matter of having procedures in place," he said. "You're going to have to be able to manage the risk. And you're going to see things built into mobile apps, such as separate logins for mobile and online banking, as the regulations come in."
The inherent complexity of mobile banking, which involves multiple stakeholders along the delivery channel, also will necessitate some shaking out as those new rules and regulations take shape, beginning with who's in charge.
"There has been a long-standing dispute between financial institutions and service providers over who owns the customers. It's a complex environment that requires extensive knowledge of the telco market, handset manufacturers, mobile banking application providers and financial institutions," said Adam Dolby, channel sales and development manager for the Americas, at the big Dutch digital security global provider Gemalto.
That shakeout will come, however, and regulations and guidance will result, Dolby said, just as they did during the evolution of the first two channels of remote banking delivery: the telephone and the Internet.
"The attacks will follow the money," he said. "Mobile banking will undoubtedly be highly regulated, following a trajectory similar to Internet banking. Remember, Internet banking had very few regulations around it when it was rolled out, and stricter regulations were enforced only as threats were determined," Dolby said, pointing to the authentication rules that came out in 2005 from the Federal Financial Institutions Examination Council.
He added that, based on that experience, the weight of the new rules may depend on financial institutions' reaction to problems.
"In many ways, evolving threats and related losses were viewed as a cost of doing business, something the FFIEC didn't want to have happen as they were not only showing monetary losses, but confidence in the channel was being eroded," Dolby said.
"The same will hold true of mobile: if threats emerge and are largely ignored, FFIEC will be forced to be stronger in guidance," he said.
Right now, compared to the rules governing online banking, mobile banking "is the Wild West out there," said Adrian Mendoza, co-founder of Marlin Mobile in Brookline, Mass., and a specialist in factoring regulations and guidance into mobile design and user experience for financial institutions.
He noted that mobile banking, for instance, currently does not include the fastidious requirements faced by Internet financial sites, where "there are rules for everything, down to the type size and button copy."
Design and usability considerations aside, functionality unique to the mobile channel, such as the remote-deposit capture of checks by smart phone cameras, will "raise the red flags and help push the envelope to the financial regulators of the world," Mendoza said.
Mendoza also agreed that working out "where the transaction lives" will be a challenge for regulators, especially when it comes to, for instance, credit card transactions by mobile phone.
"Right now, where credit card information is even stored is viewed as outside of Web services," he said. "You've been doing all your work on the PCI compliance side, but now you're finding mobile is completely different, with separate devices accessing secure information."
Dolby at Gemalto expects the FFIEC to take the lead again by forming a committee that produces guidelines for the industry based on applications being used. The telecoms will get involved, too.
"Moving forward, there will be a need for collaborative effort between banks, technology providers and network providers," he said. "There's still that gray area around the breach of security in regards to mobile banking, as financial institutions and network carriers have separate obligations for liability."
Banking institutions themselves will weigh in, as they demand safe delivery systems as functional capabilities grow, Dolby predicts. "As stronger platforms roll out later this year and in 2011, financial institutions and carriers will start to enact stronger regulations."
He expects the main areas to be addressed will be "what functionality can be pushed out, how to protect the consumer, for example with credentials at log-in, and how to safeguard money movement, similar to Internet banking."
An NCUA spokeswoman said her agency has no mobile-specific rules coming. Credit unions can get ready now, however, and might find it a bit easier than their larger competitors.
"The great thing about credit unions is that they work with smaller groups of users, and you can communicate with them, actually talk to them," said Mendoza at Marlin Mobile. "Imagine if Bank of America wanted to do that, when you're talking about a user base in the millions."
"A credit union can talk to their members, find out what their needs and pain points are and translate those things to mobile-specific applications. It's also time for people at the managerial and business level to begin the conversations about what kind of security they're going to need to protect this at the back end," he said.
Meanwhile, veteran regulator Henley at BITS said, "The preparation for credit unions would be the same as for any other financial institution charter type. Credit unions that are considering products and services to be offered via a mobile channel should complete a thorough risk assessment and develop a comprehensive risk mitigation strategy before deployment."