Cliff Stanford was quoted in Bank Safety & Soundness Advisor in an article discussing the risks of mobile banking.
Following the FFIEC’s recent guidance on authentication and online banking, the FDIC warns of a potential increase in fraud that could harm financial institutions and customers who use mobile banking, and of the unique set of security, due diligence and compliance challenges that banks need to follow closely.
“Even at the height of the recession, banking regulators worried quite a bit about electronic banking in all its forms and the potential for security breaches and that interest hasn’t abated,” Stanford said.
As the recent FFIEC guidance notes, regulators gave electronic banking “continued attention even during the financial crisis,” he said. “It has been about the bigger picture issues and the evolving threat environment. It was a big deal in the 2008-2009 time frame, when bank corporate customers had accounts taken over by malware and Trojan horses. The recent FFIEC guidance is pretty good. It draws attention to the issue and shows that, for regulators, it’s still a concern. Regulators are paying attention.”
Stanford suggested treating the FDIC comments “as good advice but something less than guidance. The commentary may not be guidance, but banks should pay attention to it.”
“The FFIEC’s recent authentication guidance, released last summer, deals broadly with electronic banking,” Stanford explained. “For those banks interested in better understanding how the FFIEC’s general electronic banking guidance applies specifically to mobile banking, they can find it in the FDIC’s commentary.”
“The FDIC may not want to put out specific guidance on mobile banking or else it may not want to put out official guidance in advance of FFIEC-endorsed guidance, but the FDIC seems to feel as though it was important to articulate how [the recent FFIEC authentication guidance] applies to mobile banking,” he said.
“Examiners won’t likely hold banks to the FDIC’s opinions,” Stanford said, “but that doesn’t mean that the article won’t turn up in exams.”
“The article draws attention to the issue [of mobile banking risk] and it’s a good thing for banks to pay attention to this,” he added. “I don’t think an FDIC examiner will look for specific compliance with this, but that doesn’t mean that the examiner won’t bring this to the attention of a bank moving into mobile banking or dealing with a new mobile banking vendor. This is the midpoint between guidance and nothing.”