Mobile banking and payments: What are the US rules?
Thought Paper
www.infosys.com/finacle Universal Banking Solution | Systems Integration | Consulting | Business Process Outsourcing
Technology is evolving at an increasing rate and banks are ready to jump on board to meet tomorrow's challenges today. As part of this revolution, banks are increasingly implementing mobile banking and payments solutions to address the evolving needs of the marketplace. But questions remain around the compliance challenges that coincide with these developments. Let's take a look at what will be expected.
Authentication and data security
Before jumping into mobile banking, banks need to prepare a formal risk assessment with regard to both authenticating customers as well as how they can keep the data they provide secure. This is especially important since security is top of mind for customers and a primary reason some customers are still reluctant to use this new technology.
When developing their approach to authenticating customers, banks need a layered security approach. Layered security combines multiple controls where the failure of one defense mechanism is compensated by another mitigating control. For example, mobile banking enrollment should require the customer to register their phone through their internet banking access (Layer 1), followed by authenticating the enrollment by entry of a one-time password sent to the mobile phone (Layer 2). Another control may include sending an alert to the customer email on record after the mobile device has been registered.
As a best practice, banks should also consider customer education another key to keeping mobile banking secure. This could include suggesting mobile security practices like maintaining current anti-virus software, password protecting their phone and using a unique bank login password.
Disclosures
Once customers are authenticated and their data kept secure, banks will need to consider appropriate disclosures. In today's environment, banks are not utilizing their mobile apps for account initiation. Rather, customers must establish an account either at a branch or via the internet, receive their account disclosures through those means and use the mobile app to access their account. (Although, nothing prevents customers from accessing a bank's internet site via a mobile phone browser.) This is, in part, due to high hurdles that need to be met in providing disclosures via a mobile device. Limited storage on cell phones may prevent consumers from storing electronic disclosures and the limited screen size may make displaying disclosures prohibitive.
In whatever way a bank ultimately decides to provide its mobile banking disclosures, the legal and compliance departments should review existing disclosures to see if the new processes are covered. If not, the bank must send out updated disclosures at least 21 days prior to product launch. The updates should include any limits and restrictions for mobile banking and include reminders that data storage and mobile phone usage charges will apply. If the bank offers Person-to-Person (P2P) payments, then the bank can also consider mobile delivery of disclosures for transactions conducted via a mobile device.
Also, when designing the mobile application site, the bank should remember to include the Equal Housing Lender and FDIC Insured logos on the initial sign-in page of the app. (Note that if any advertising occurs on the site, all of the standard rules continue to apply, so be cautious of using trigger terms.)
Transaction specific
Once the bank has mobile banking customers, there are additional compliance considerations. For example, the bank remains responsible for Reg E and Reg Z error resolution regardless of whether the problem occurs when the customer uses their bank-issued debit and credit cards in a mobile application, or through its mobile banking app. First and foremost, all of the traditional rules for error resolution still apply. How a bank investigates reported errors, though, becomes more complex because people tend to share phones in a way that they do not share their wallets. For example, what happens when a customer uses the “Remember Me” functionality within a site or mobile app and then lends their phone to a friend? And how will so-called 'friendly fraud' be handled where a customer's family member has used their device to make a purchase? Banks will need to quickly develop a policy and procedures to ensure such matters are handled consistently. They should also document their reasoning in case questions later arise.
Investigations will be made easier if transactions can be coded to indicate they came through a mobile channel. Separately coded transactions can also help with suspicious activity monitoring to satisfy the Bank Secrecy Act. Either with or without new transaction coding, banks need to develop new protocols for determining what is reportable as “suspicious” behavior for mobile activity. On the plus side, you may be able to use a customer's location and phone to triangulate identity, which could lower fraud risk. On the down side, OFAC (Office of Foreign Asset Control Act) transaction blocking may become more difficult as the IP address may not be there to block. Another complication for OFAC is that if you allow customers to make P2P payments in an open loop environment, you will not be able to screen the recipient.
Along similar lines, banks will also need to consider and formally document what red flags may point to identity theft in the mobile banking environment. Banks should develop a policy for handling lost and stolen phones.
Privacy concerns
Mobile privacy should also be a key consideration for banks. Using today's technology, businesses can use a customer's geo-location to make location-based offers. For banks, this typically assists in showing customers the nearest ATM or branch locations, but this technology has the ability to expand into many other areas as well. As a result of these new innovations, consumer protection groups, media, and Washington types are emphasizing geo-location concerns which translate into mobile privacy and do-not-track considerations. Both the FTC and White House issued reports in late winter this year noting these as chief concerns. Several proposed bills address mobile privacy. There will surely be more to come soon on this sensitive issue so banks should remain alert to new rules governing tracking. Until further guidance is provided, be wary of implementing any innovation that requires your bank to know or track a customer's precise location. Or, if your bank utilizes this service, be prepared to clearly explain to customers how you are using it to avoid any privacy issues or claims that you were unfair and deceptive in your usage.
Community development – the mobile advantage
The Federal Reserve Board recently completed a study on mobile usage in the US and the results will be of interest to banks' community development teams. Most “underbanked” consumers (thought to be 11% of the US population) have a cell or smart phone. Of those, 29% have used mobile banking and 17% made a mobile payment in the last year. This is a significantly higher rate than the overall population where 20% used mobile banking and 12% mobile payments. “Unbanked” consumers (thought to be 8-11% of US population) also exhibit strong mobile usage: 10% used mobile banking while 12% used mobile payments in the last year.
The Fed believes the appeal of mobile banking to underbanked and unbanked consumers is reduced transaction costs and increased accessibility. Banks may find it to their advantage to reach out to the underbanked or unbanked customers who may have access to a smart phone but not a branch – this is especially true for remittances. You may even get CRA credit for your efforts.
The mobile world continues to expand rapidly with new innovations and technologies, sweeping banks along for the ride. It is exciting to be on the cutting edge of these new developments – and necessary to keep up with customer demand. With consideration given to the compliance requirements discussed above, banks should be well-positioned for the challenges ahead.
Meg Sczyrba Industry Principal, Infosys
About Finacle
Finacle from Infosys partners with banks to transform process, product and customer experience, arming them with 'accelerated innovation' that is key to building tomorrow's bank.
For more information, contact Finacleweb@infosys.com
www.infosys.com/finacle
© 2012 Infosys Limited, Bangalore, India, Infosys believes the information in this publication is accurate as of its publication date; such information is subject to change without notice. Infosys acknowledges the proprietary rights of the trademarks and product names of other companies mentioned in this document.