As banks race to accelerate their digital transformation efforts to accommodate emerging payment types and consumer preferences as well as to compete or partner with rising financial technology (fintech) upstarts, they must accelerate their efforts around risk management maturity.
In the last two years, mobile banking and payment apps have seen remarkable growth in popularity and usage worldwide. Banks are investing heavily in developing mobile and web-based services for personal and business accounts, including money transfers, investments and peer-to-peer transactions. The goal is to make the customer experience as seamless as possible, increase growth in the customer and deposit base, and to capture a larger portion of each account holder's financial activities.
The stunning rise of mobile banking and payment services has sparked widespread adoption and major changes such as the growth of cross-border global e-commerce. Financial institutions can't afford to delay efforts to ensure their operations, software systems, and apps are secure and in compliance. Fintech firms are under especially intense scrutiny as they await federal decisions about licensing and regulatory oversight.
App Annie's State of Mobile 2019 report highlights that finance apps downloads in 2018 were up 75% over 2016 worldwide. Even the US, which has had online banking longer than many of the other countries assessed, saw 50% growth in downloads over the same period. The number of times users checked their account through an app, the most common use, is up 35% from 2016. With 4 billion mobile devices in use around the world, mobile payments and banking promise to open unprecedented access to the "unbanked" — those not served by a bank or similar financial institution. These are opportunities that even the biggest global players are only beginning to leverage.
Of course, digital transformation must align with the goals of the financial institution. These new customer-facing channels can negatively affect the business in ways the IT team never managed before. Mobile app risk management is more than just managing IT risk. Financial institutions must measure how the projects deliver on expected reductions in teller and call center needs, manage monetized API integrations, ensure fintech compliance, and handle other risks not previously managed by the bank. Manual and siloed approaches can't keep pace with rapidly evolving businesses and digital transformation. They often can't provide the bigger risk picture and don't give business users the full view of risk they need to identify and manage it successfully. Financial firms and the third parties that develop their mobile apps must work diligently to clearly document the goals and benefits of the applications as well as identify, understand, measure, and integrate their enterprise-wide risk management and compliance practices.
Central to their risk management efforts, banks and fintech firms must focus on the security aspects of their mobile apps' development and improvement, whether those actions are done in-house or by a third party. The basics of this should include:
- Creating stronger security requirements from the beginning
- Conducting various types of vulnerability assessments, including vulnerability scanning and configuration assessments
- Continuously auditing the assets and networks that process data, and overseeing thorough risk assessments of fintech partners and other third parties
These proficiencies are central to meeting regulatory obligations from multiple standpoints. An immediate example is the New York Department of Financial Services' March 1 deadline for compliance with the final phase of 23 NYCRR 500. Phase 4 implementation focuses on assessments, policies, and procedures for controlling third-party risks. Obligations under GDPR, PSD2, PCI DSS, IRS mandates, state-level legislation, and the usual OCC, FDIC, and Federal Reserve regulations must be addressed and documented as well.
More responsibilities are being brought to the forefront with fewer resources available to complete the project. This puts pressure on bankers to get new products to market, and therefore on application developers to publish their code faster, which can lead to misconfigurations and a poor-quality product.
Technologies exist today to collect the risk-related metrics necessary to measure and monitor different aspects of risk. Many of these technologies were developed by IT teams for IT teams but do not meet the reporting and communications needs for the growing number of teams that are now responsible for risk management. Measuring risk data, especially IT risk data, once a month cannot provide the oversight and decision-making capabilities required today. New technologies are emerging that continuously collect risk information, and other technologies are maturing to report on this risk information in real time to deliver the information in the context of business objectives.
Financial institutions with more advanced risk management capabilities find that the massive influx of data (especially when they collect real-time data) itself becomes an issue if they are not using other technologies to manage the information to support their decision-makers with up-to-date insights and elements they need to make the right decisions. These institutions are leveraging and instantly linking data not just from IT sources but also from the business objectives they are supporting, internal controls, and compliance objectives in order to understand when any type of risk is affecting the goal of better servicing current customers and attracting new ones.
Banks and fintech firms have long led the way in cybersecurity and risk management. The recent surge in competition, payment innovations, and online services is pushing the most risk mature of these organizations to manage risk across the organization in an integrated manner — it's more than just managing cybersecurity and IT risk.
Note: The author's company is among a number of companies offering a governance, risk, and compliance platform.