Sam Abadir

In the Race Toward Mobile Banking, Don't Forget Risk Management

The rise of mobile banking and payment services has sparked widespread adoption, making a focus on risk essential.

As banks race to accelerate their digital transformation efforts to accommodate emerging payment types and consumer preferences, and to compete or partner with rising financial technology (fintech) upstarts, they must accelerate the maturing of their risk management just as quickly.

In the last two years, mobile banking and payment apps have seen remarkable growth in popularity and usage worldwide. Banks are investing heavily in developing mobile and web-based services for personal and business accounts, including money transfers, investments, and peer-to-peer transactions. The goal is to make the customer experience as seamless as possible, increase growth in the customer and deposit base, and capture a larger portion of each account holder's financial activities.

The stunning rise of mobile banking and payment services has sparked widespread adoption and major changes such as the growth of cross-border global e-commerce. Financial institutions can't afford to delay efforts to ensure their operations, software systems, and apps are secure and in compliance. Fintech firms are under especially intense scrutiny as they await federal decisions about licensing and regulatory oversight.

App Annie's State of Mobile 2019 report highlights that finance app downloads in 2018 were up 75% over 2016 worldwide. Even the US, which has had online banking longer than many of the other countries assessed, saw 50% growth in downloads over the same period. The number of times users checked their account through an app, the most common use, is up 35% from 2016. With 4 billion mobile devices in use around the world, mobile payments and banking promise to open unprecedented access to the "unbanked" — those not served by a bank or similar financial institution. These are opportunities that even the biggest global players are only beginning to leverage.

Of course, digital transformation must align with the goals of the financial institution. These new customer-facing channels can negatively affect the business in ways the IT team has never managed before. Mobile app risk management is more than just managing IT risk. Financial institutions must measure how the projects deliver on the expected reduction in teller and call center needs, manage monetized API integrations, ensure fintech compliance, and handle other risks the bank has not previously managed. Manual and siloed approaches can't keep pace with rapidly evolving businesses and digital transformation. They often can't provide the bigger risk picture, and they don't give business users the full view of risk they need to identify and manage it successfully. Financial firms and the third parties that develop their mobile apps must work diligently to clearly document the goals and benefits of the applications, and to identify, understand, measure, and integrate their enterprise-wide risk management and compliance practices.

Central to their risk management efforts, banks and fintech firms must focus on the security aspects of their mobile apps' development and improvement, whether those actions are done in-house or by a third party. The basics of this should include:

  • Creating stronger security requirements from the beginning
  • Conducting various types of vulnerability assessments, including vulnerability scanning and configuration assessments
  • Continuously auditing the assets and networks that process data, and overseeing thorough risk assessments of fintech partners and other third parties

These proficiencies are central to meeting regulatory obligations from multiple standpoints. An immediate example is the New York Department of Financial Services' March 1 deadline for compliance with the final phase of 23 NYCRR 500. Phase 4 implementation focuses on assessments, policies, and procedures for controlling third-party risks. Obligations under GDPR, PSD2, PCI-DSS, IRS mandates, state-level legislation, and the usual OCC, FDIC, and Federal Reserve regulations must be addressed and documented as well.

More responsibilities are being brought to the forefront with fewer resources available to complete the project. This puts pressure on bankers to get new products to market, and therefore on application developers to publish their code faster, which can lead to misconfigurations and a poor-quality product.

Technologies exist today to collect the risk-related metrics necessary to measure and monitor different aspects of risk. Many of these technologies were developed by IT teams for IT teams and do not meet the reporting and communication needs of the growing number of teams that are now responsible for risk management. Measuring risk data, especially IT risk data, once a month cannot provide the oversight and decision-making capabilities required today. New technologies are emerging that continuously collect risk information, and other technologies are maturing to report on this risk information in real time, delivering it in the context of business objectives.

Financial institutions with more advanced risk management capabilities find that the massive influx of data (especially when they collect real-time data) itself becomes an issue if they are not using other technologies to manage the information and give their decision-makers the up-to-date insights they need to make the right decisions. These institutions are leveraging and instantly linking data not just from IT sources but also from the business objectives they are supporting, internal controls, and compliance objectives, in order to understand when any type of risk is affecting the goal of better serving current customers and attracting new ones.

Banks and fintech firms have long led the way in cybersecurity and risk management. The recent surge in competition, payment innovations, and online services is pushing the most risk-mature of these organizations to manage risk across the organization in an integrated manner — it's more than just managing cybersecurity and IT risk.

Note: The author's company is among a number of companies offering a governance, risk, and compliance platform.


Sam Abadir has over 20 years of experience helping companies realize value through improving processes, identifying performance metrics, and understanding risk. Early in Sam's career, he worked directly with financial institutions and manufacturing companies to help them ...

Comments
User Rank: Moderator, 4/14/2019 | 11:03:51 PM
Set their priority
Financial institutions should already know by now just how much security risk there is on the online platform. Instead of focusing simply on how to upgrade their mobile banking application to compete with their competitors, they should be making sure that security is always tightly enforced as their topmost priority.
Scott Totman, User Rank: Author, 4/1/2019 | 2:19:10 PM
Mobile app usage
Great article. It's always fascinating to see how providing new conveniences to customers, such as mobile apps, results in an increased attack surface and new risk profile for financial institutions. Mobile apps have provided hackers and bad actors with a slew of new tools for compromising accounts and putting financial institutions at risk. These mobile apps have become central to customers' lives and have dramatically increased their engagement/login frequency. This is a very positive event for both the customers and institutions who want deeper customer relationships, but has also resulted in a massive increase in data that needs to be collected and analyzed. This data needs to be monitored in real time in order to limit risk exposure and take action when the risk becomes a security event. In general, the demands of mobile offerings from a risk perspective are greater than those with traditional web. The increased risk related to shipping code, in the form of an app, to customers comes with its own set of unique risks that companies must invest in to combat bad actors and minimize exposure. Code obfuscation, certificate pinning, use of biometric authentication, and mandating MFA for customers are some examples of the increased investment required to keep mobile offerings convenient yet secure.