Sam Abadir

In the Race Toward Mobile Banking, Don't Forget Risk Management

The rise of mobile banking and payment services has sparked widespread adoption, making a focus on risk essential.

As banks race to accelerate their digital transformation efforts to accommodate emerging payment types and consumer preferences, and to compete or partner with rising financial technology (fintech) upstarts, they must also accelerate the maturity of their risk management.

In the last two years, mobile banking and payment apps have seen remarkable growth in popularity and usage worldwide. Banks are investing heavily in developing mobile and web-based services for personal and business accounts, including money transfers, investments and peer-to-peer transactions. The goal is to make the customer experience as seamless as possible, increase growth in the customer and deposit base, and to capture a larger portion of each account holder's financial activities.

The stunning rise of mobile banking and payment services has sparked widespread adoption and major changes such as the growth of cross-border global e-commerce. Financial institutions can't afford to delay efforts to ensure their operations, software systems, and apps are secure and in compliance. Fintech firms are under especially intense scrutiny as they await federal decisions about licensing and regulatory oversight.

App Annie's State of Mobile 2019 report highlights that finance app downloads in 2018 were up 75% over 2016 worldwide. Even the US, which has had online banking longer than many of the other countries assessed, saw 50% growth in downloads over the same period. The number of times users checked their account through an app, the most common use, is up 35% from 2016. With 4 billion mobile devices in use around the world, mobile payments and banking promise to open unprecedented access to the "unbanked" — those not served by a bank or similar financial institution. These are opportunities that even the biggest global players are only beginning to leverage.

Of course, digital transformation must align with the goals of the financial institution. These new customer-facing channels can negatively affect the business in ways the IT team never managed before. Mobile app risk management is more than just managing IT risk. Financial institutions must measure how the projects deliver on the expected reduction in teller and call center needs, manage monetized API integrations, ensure fintech compliance, and handle other risks not previously managed by the bank. Manual and siloed approaches can't keep pace with rapidly evolving businesses and digital transformation. They often can't provide the bigger risk picture, and they don't give business users the full view of risk they need to identify and manage it successfully. Financial firms and the third parties that develop their mobile apps must work diligently to clearly document the goals and benefits of the applications as well as identify, understand, measure, and integrate their enterprise-wide risk management and compliance practices.

Central to their risk management efforts, banks and fintech firms must focus on the security aspects of their mobile apps' development and improvement, whether those actions are done in-house or by a third party. The basics of this should include:

  • Creating stronger security requirements from the beginning
  • Conducting various types of vulnerability assessments including vulnerability scanning and configuration assessments
  • Continuously auditing the assets and networks that process data and overseeing thorough risk assessments of fintech partners and other third parties.

These proficiencies are central to meeting regulatory obligations from multiple standpoints. An immediate example is the New York Department of Financial Services' March 1 deadline for compliance with the final phase of 23 NYCRR 500. Phase 4 implementation focuses on assessments, policies, and procedures for controlling third-party risks. Obligations under GDPR, PSD2, PCI-DSS, IRS mandates, state-level legislation, and the usual OCC, FDIC, and Federal Reserve regulations must be addressed and documented as well.

More responsibilities are being brought to the forefront with fewer resources available to complete the project. This puts pressure on bankers to get new products to market, and therefore on application developers to publish their code faster, which can lead to misconfigurations and a poor-quality product.

Technologies exist today to collect the risk-related metrics necessary to measure and monitor different aspects of risk. Many of these technologies were developed by IT teams for IT teams but do not meet the reporting and communications needs for the growing number of teams that are now responsible for risk management. Measuring risk data, especially IT risk data, once a month cannot provide the oversight and decision-making capabilities required today. New technologies are emerging that continuously collect risk information, and other technologies are maturing to report on this risk information in real time to deliver the information in the context of business objectives. 

Financial institutions with more advanced risk management capabilities find that the massive influx of data (especially when they collect real-time data) itself becomes an issue if they are not using other technologies to manage the information to support their decision-makers with up-to-date insights and elements they need to make the right decisions. These institutions are leveraging and instantly linking data not just from IT sources but also from the business objectives they are supporting, internal controls, and compliance objectives in order to understand when any type of risk is affecting the goal of better servicing current customers and attracting new ones.

Banks and fintech firms have long led the way in cybersecurity and risk management. The recent surge in competition, payment innovations, and online services is pushing the most risk-mature of these organizations to manage risk across the organization in an integrated manner — it's more than just managing cybersecurity and IT risk.

Note: The author's company is among a number of companies offering a governance, risk, and compliance platform.


Sam Abadir has over 20 years of experience helping companies realize value through improving processes, identifying performance metrics, and understanding risk. Early in Sam's career, he worked directly with financial institutions and manufacturing companies to help them ...

User Rank: Moderator
4/14/2019 | 11:03:51 PM
Set their priority
Financial institutions should already know by now just how much security risk there is on the online platform. Instead of focusing simply on how to upgrade their mobile banking application to compete with their competitors, they should be making sure that security is always tightly enforced as their topmost priority.
Scott Totman
User Rank: Author
4/1/2019 | 2:19:10 PM
Mobile app usage
Great article.  It's always fascinating to see how providing new conveniences to customers, such as mobile apps, results in an increased attack surface and new risk profile for financial institutions.  Mobile apps have provided hackers and bad actors with a slew of new tools for compromising accounts and putting financial institutions at risk.  These mobile apps have become central to customers' lives and have dramatically increased their engagement/login frequency.  This is a very positive event for both the customers and institutions who want deeper customer relationships, but it has also resulted in a massive increase in data that needs to be collected and analyzed.  This data needs to be monitored in real time in order to limit risk exposure and take action when the risk becomes a security event.  In general, the demands of mobile offerings from a risk perspective are greater than those of traditional web.  The increased risk related to shipping code, in the form of an app, to customers comes with its own set of unique risks that companies must invest in to combat bad actors and minimize exposure.  Code obfuscation, certificate pinning, use of biometric authentication, and mandating MFA for customers are some examples of the increased investment required to keep mobile offerings convenient yet secure.