Risk

4/1/2019
10:30 AM
Sam Abadir
Commentary

In the Race Toward Mobile Banking, Don't Forget Risk Management

The rise of mobile banking and payment services has sparked widespread adoption, making a focus on risk essential.

As banks race to accelerate their digital transformation efforts to accommodate emerging payment types and consumer preferences as well as to compete or partner with rising financial technology (fintech) upstarts, they must accelerate their efforts around risk management maturity.

In the last two years, mobile banking and payment apps have seen remarkable growth in popularity and usage worldwide. Banks are investing heavily in developing mobile and web-based services for personal and business accounts, including money transfers, investments and peer-to-peer transactions. The goal is to make the customer experience as seamless as possible, increase growth in the customer and deposit base, and to capture a larger portion of each account holder's financial activities.

The stunning rise of mobile banking and payment services has sparked widespread adoption and major changes such as the growth of cross-border global e-commerce. Financial institutions can't afford to delay efforts to ensure their operations, software systems, and apps are secure and in compliance. Fintech firms are under especially intense scrutiny as they await federal decisions about licensing and regulatory oversight.

App Annie's State of Mobile 2019 report highlights that finance apps downloads in 2018 were up 75% over 2016 worldwide. Even the US, which has had online banking longer than many of the other countries assessed, saw 50% growth in downloads over the same period. The number of times users checked their account through an app, the most common use, is up 35% from 2016. With 4 billion mobile devices in use around the world, mobile payments and banking promise to open unprecedented access to the "unbanked" — those not served by a bank or similar financial institution. These are opportunities that even the biggest global players are only beginning to leverage.

Of course, digital transformation must align with the goals of the financial institution. These new customer-facing channels can negatively affect the business in ways the IT team has never managed before. Mobile app risk management is more than just managing IT risk. Financial institutions must measure how the projects deliver on expected reductions in teller and call center needs, manage monetized API integrations, ensure fintech compliance, and handle other risks not previously managed by the bank. Manual and siloed approaches can't keep pace with rapidly evolving businesses and digital transformation. They often can't provide the bigger risk picture, and they don't give business users the full view of risk they need to identify and manage it successfully. Financial firms and the third parties that develop their mobile apps must work diligently to clearly document the goals and benefits of the applications as well as identify, understand, measure, and integrate their enterprise-wide risk management and compliance practices.

Central to their risk management efforts, banks and fintech firms must focus on the security aspects of their mobile apps' development and improvement, whether those actions are done in-house or by a third party. The basics of this should include:

  • Creating stronger security requirements from the beginning
  • Conducting various types of vulnerability assessments including vulnerability scanning and configuration assessments
  • Continuously auditing the assets and networks that process data and overseeing thorough risk assessments of fintech partners and other third parties.

These proficiencies are central to meeting regulatory obligations from multiple standpoints. An immediate example is the New York Department of Financial Services' March 1 deadline for compliance with the final phase of 23 NYCRR 500. Phase 4 implementation focuses on assessments, policies, and procedures for controlling third-party risks. Other examples include obligations under GDPR, PSD2, PCI-DSS, IRS mandates, state-level legislation, and the usual OCC, FDIC, and Federal Reserve regulations, all of which must be addressed and documented as well.

More responsibilities are being brought to the forefront with fewer resources available to complete the project. This puts pressure on bankers to get new products to market, and therefore on application developers to publish their code faster, which can lead to misconfigurations and a poor-quality product.

Technologies exist today to collect the risk-related metrics necessary to measure and monitor different aspects of risk. Many of these technologies were developed by IT teams for IT teams but do not meet the reporting and communications needs for the growing number of teams that are now responsible for risk management. Measuring risk data, especially IT risk data, once a month cannot provide the oversight and decision-making capabilities required today. New technologies are emerging that continuously collect risk information, and other technologies are maturing to report on this risk information in real time to deliver the information in the context of business objectives. 

Financial institutions with more advanced risk management capabilities find that the massive influx of data (especially when they collect real-time data) itself becomes an issue if they are not using other technologies to manage the information to support their decision-makers with up-to-date insights and elements they need to make the right decisions. These institutions are leveraging and instantly linking data not just from IT sources but also from the business objectives they are supporting, internal controls, and compliance objectives in order to understand when any type of risk is affecting the goal of better servicing current customers and attracting new ones.

Banks and fintech firms have long led the way in cybersecurity and risk management. The recent surge in competition, payment innovations, and online services is pushing the most risk-mature of these organizations to manage risk across the organization in an integrated manner — it's more than just managing cybersecurity and IT risk.

Note: The author's company is among a number of companies offering a governance, risk, and compliance platform.


Sam Abadir has over 20 years of experience helping companies realize value through improving processes, identifying performance metrics, and understanding risk. Early in Sam's career, he worked directly with financial institutions and manufacturing companies to help them ...
Comments
EdwardThirlwall,
User Rank: Apprentice
4/14/2019 | 11:03:51 PM
Set their priority
Financial institutions should already know this by now just how much security risk there is on the online platform. Instead of focusing simply on how to upgrade their mobile banking application to compete with their competitors, they should be making sure that security is always tightly enforced as their topmost priority.
Scott Totman,
User Rank: Author
4/1/2019 | 2:19:10 PM
Mobile app usage
Great article. It's always fascinating to see how providing new conveniences to customers, such as mobile apps, results in an increased attack surface and new risk profile for financial institutions. Mobile apps have provided hackers and bad actors with a slew of new tools for compromising accounts and putting financial institutions at risk. These mobile apps have become central to customers' lives and have dramatically increased their engagement/login frequency. This is a very positive event for both the customers and institutions who want deeper customer relationships, but has also resulted in a massive increase in data that needs to be collected and analyzed. This data needs to be monitored in real time in order to limit risk exposure and take action when the risk becomes a security event. In general, the demands of mobile offerings from a risk perspective are greater than those with traditional web. The increased risk related to shipping code, in the form of an app, to customers comes with its own set of unique risks that companies must invest in to combat bad actors and minimize exposure. Code obfuscation, certificate pinning, use of biometric authentication, and mandating MFA for customers are some examples of the increased investment required to keep mobile offerings convenient yet secure.