FDIC Spies Mobile Risks
In a detailed paper on mobile payments published in the FDIC’s winter issue of “Supervisory Insights,” a group of agency executives explore in detail “the unique risks and supervisory issues raised by this technology.”
The FDIC’s point is that amid the loud enthusiasm for these fast-emerging technologies, there has not been a comparable focus on the security issues the new generation mobile payments tools raise. The paper, authored by four FDIC executives, aims to address these concerns. Although the mobile payments formats may seem new, in most cases, they fall under already well-established regulatory requirements.
For starters, the FDIC acknowledged that the mobile payments universe is immense and growing. “Consumers spent over $20 billion using a mobile browser or application during the year ,” the agency noted. It also observed that some one-third of mobile phone users in 2012 reported using a mobile device to make a purchase.
These numbers are “likely to grow as smartphone ownership increases and mobile payments platforms become more widespread,” wrote the FDIC team.
“It is unlikely that any one technology will become dominant” and so the FDIC envisions continued battles amongst near field communications, cloud-based payments schemes and image-based schemes (barcode readers).
The main mobile payments formats leverage off requirements that users provide bank account information or a prepaid card and thus, “The risks associated with mobile payments should be familiar to financial institutions,” wrote the FDIC executives.
A particular challenge with regard to mobile payments, noted the FDIC, is that most schemes involve nonbanks (technology companies or wireless carriers, for instance) and, importantly, most transactions also involve multiple players. The FDIC noted, “Unlike most banking products that allow institutions to control much of the interaction, mobile payments require the coordinated and secure exchange of payment information among several unrelated entities.” A further complication, said the FDIC, is that many of the key players are entrepreneurial companies with little familiarity with security expectations for financial institutions.
“Financial institutions should be particularly conscious of the potential and perceived risk of fraud in mobile payments,” warned the agency.
The FDIC observed that there are no federal laws or regulations that govern mobile payments. However, noted the FDIC, most payments piggyback on traditional formats (such as ACH or EFT) and “the laws and regulations that apply to that method also apply to the mobile payment.”