By Robert M. Tammero, Jr., Craig and Macauley Professional Corporation
2011 was a difficult year for community banks. Heightened regulatory scrutiny, a shortage of capital, increased compliance costs resulting from the Dodd-Frank Act, a low interest rate environment, and higher funding costs relative to the largest banks due to an implicit government subsidy made the crowded, competitive Massachusetts community banking market even more challenging. Indications are that most or all of these challenges will persist in 2012. Massachusetts community banks, therefore, are tasked with developing new ways to differentiate themselves from competitors. Mobile banking, heralded for several years now as the future of banking, is emerging as both a requisite product offering for community banks to remain competitive with larger banks and an area of opportunity to build brand value and deepen customer relationships.[i]
Just a few years ago, mobile banking usage was sparse. In August 2009, the Federal Reserve Bank of Boston and the New England ACH Association published a report on the state of the mobile banking market in New England based on survey responses from more than 300 New England banks and credit unions, the majority of which were from depository institutions with less than $500 million in assets.[ii] Only 12% of survey respondents indicated that they had already implemented mobile banking services, and nearly 50% indicated that they had no plans to offer mobile banking services within the next three years.[iii] The chief barriers to adoption cited by respondents were concerns about security, both actual and as a matter of customer perception, regulation, and lack of customer demand.[iv]
Today, less than three years after the report’s publication, mobile banking is ubiquitous and growing quickly. Approximately 32.5 million Americans accessed banking information through a mobile device in the second quarter of 2011, compared to 26.7 million in the fourth quarter of 2010,[v] and analysts expect mobile banking use to expand from 19 million U.S. households as of the end of 2011 to 38 million by 2015.[vi] Alongside product innovations, such as person-to-person payments, remote check deposit, and GPS-based services, growth is being driven by smartphone penetration – a trend which facilitated a near 75% increase in application-based mobile banking in 2011 compared to 2010.[vii] Accordingly, the American Banker reported in February 2012 that 42% of banks nationally currently offer mobile banking or mobile payments, and among those that do not, 40% have firm plans to do so within the next 12 months.[viii]
Still, for community bankers, security remains a prime concern. Consumers agree; during the past two years, the number of consumers rating online banking as unsafe rose from 26% to 40%.[ix] Although mobile providers are working to reduce security risks through stronger authentication protocols and, on the cutting edge, biometrics, significant risks such as malware and wireless theft remain. These risks are due in part to the lack of effective mobile security and antivirus technology available in the market, which may be attributable to the relatively low incidence of large-scale mobile security breaches to date.[x] These security risks, coupled with well-publicized critiques of mobile technology, for example the recent “white hack” of Google’s mobile wallet technology, have community bankers concerned about mobile security and the associated reputational and financial risks.[xi]
The FDIC’s December 2011 “Supervisory Insights” article entitled “Mobile Banking: Rewards and Risks” (the “Article”) is a reminder that, in addition to the reputational and financial risks that mobile banking poses, mobile banking presents significant regulatory risks.[xii] The Article describes the prevailing mobile banking delivery channels, identifies risks particular to each, identifies other, more general risks relating to mobile banking, and offers advice to banks for mitigating these risks. Although it expressly is not supervisory guidance, the Article may be considered an advance look at how the FDIC will treat mobile banking as a supervisory matter in the near future.
Community banks should take particular note of the Article’s discussion of application-based mobile banking (“apps”), the fastest-growing mobile banking delivery channel in the market. The Article advises that banks are expected to develop mobile banking apps with reliable, knowledgeable, and reputable mobile banking vendors using secure coding techniques, and warns that banks and their vendors should not forgo adequate testing and a robust security assessment of an app in a rush to get the app to market.[xiii] The Article further advises banks to distribute apps and updates securely, make reasonable efforts to educate customers that apps should be downloaded from reputable sources, such as the bank’s website, and promptly develop and deploy security patches when vulnerabilities are discovered.[xiv]
The Article cites to a body of discrete statutes, regulations, and guidance which address the steps that the FDIC expects banks to take to manage mobile banking risks. Among these are guidance particular to information technology, such as the FFIEC IT Examination Handbook on Outsourcing Technology Services, and other guidance of more general applicability, such as the FDIC’s Guidance for Managing Third-Party Risk.[xv] In addition, the Article affirms the FDIC’s position that the consumer laws and regulations that apply to traditional financial services delivery channels, for example the Electronic Funds Transfer Act and Regulation E promulgated thereunder, also apply to services provided to customers through mobile banking.[xvi]
Although the Article does not fundamentally alter the mobile banking regulatory landscape, it is noteworthy as an indication that mobile banking is rising on the FDIC’s supervisory agenda. Furthermore, it is reason for banks that are developing mobile products to reflect on their risk management processes. Community banks, which may lack sophisticated information technology expertise in house, should view the Article as fair warning that the FDIC expects all banks that offer mobile products to have a coherent plan for mobile banking risk assessment and management. Accordingly, the Article advises that each bank should “broadly consider the impact of its mobile banking strategy on operations and take steps to ensure [that its] compliance management system addresses the types and level of mobile banking technology used by the institution.” [xvii] Further, the Article urges banks to conduct a comprehensive risk assessment during the design, testing, and implementation of a mobile banking product, and to update the risk assessment in response to changes in technology, business strategy, security threats, product functionality, and legal requirements.[xviii]
As mobile technology becomes even more widespread, it is clear that the winners in community banking will be those, in Massachusetts and nationally, that are able to leverage mobile banking products to enhance their customers’ banking experience. Community banks should not, however, lose sight of the significant security risks associated with mobile banking and the potential for adverse regulatory consequences. Especially for community banks that are new to mobile banking, risk assessment and management that is both effective and satisfactory to the FDIC will require close, well-documented consultation with their technological and legal advisors.
[i] Mobile banking is commonly understood to mean the use of a mobile device, such as a smartphone or tablet computer, to interface with a depository institution in order to conduct banking activities, such as balance inquiry, account alerts, and bill payments. See Jeffrey M. Kopchik, Senior Policy Analyst, Federal Deposit Insurance Corporation, Mobile Banking: Rewards and Risks (2011), available at http://www.fdic.gov/regulations/examinations/supervisory/insights/siwin11/siwin11.pdf.
[vi] Kopchik, supra note 1, at 14, citing Online Banking Report, no. 188, Jan. 18, 2011, at 5.
[vii] ComScore, supra note 5, at 20.
[viii] Penny Crosman, Banks’ Top Aim for Mobile Apps? Customer Bonding, AM. Banker, Feb. 7, 2012, at 11.
[ix] See Kopchik, supra note 1, at 15, citing Javelin Strategy and Research, Smartphone Banking Security: Mobile Banking Stalls on Consumer Fears (2011).
[x] John Adams, Small Banks Still Skeptical of Mobile Banking Security, AM. Banker, Feb. 15, 2012, at 16.
[xi] A “white hack” is an intentional security breach that is meant to educate (in this case, by exposing vulnerabilities) rather than steal or destroy. See Jeremy Quitter, Security Shortcomings are Thinning Google’s Wallet, AM. Banker, Feb. 14, 2012, at 1.
[xii] See Kopchik, supra note 1.
[xiii] Kopchik, supra note 1, at 17.
[xvi] Kopchik, supra note 1, at 18.
[xvii] Kopchik, supra note 1, at 19.
[xviii] Kopchik, supra note 1, at 20.