New FFIEC Mobile Guidance Designed to Prevent “Crash and Burn”
May 11th, 2016
The long-anticipated Mobile Financial Services (MFS) guidance, an appendix to the FFIEC Retail Payment Systems booklet, apparently has been released without much fanfare. How great it is that we are all so well prepared for a surge in mobile – NOT! Seriously, in reading this year’s guidance, I noticed that, in comparison to past FFIEC guidance, which I found mainly prescriptive, the newest guidance aims to push institutions to build a stronger governance framework through its recommendations. Of course, it also includes detailed prescriptive direction for adopting mobile financial services within an institution.
A vivid picture came to mind when thinking about how the product owners of “mobile” categories at financial institutions might react to this guidance. I can see a Formula One car speeding around the track. This year, the driver probably needs a stronger safety helmet and better guard rails, and even with all this help, he still might skid out a bit before getting the speed of innovation under control. To protect our financial institution “drivers,” the guidance specifically calls for stronger objectives that address my favorite areas: fraud and risk.
Since the new guidance is a lengthy work, here are some of the higher-level objectives that specifically address the steps necessary to create a robust mobile risk program. First, and most important, mobile planning needs to be incorporated into a financial institution’s overall strategic planning process. With so many customers preferring mobile and with adoption clearly continuing to rise, I think that is a natural fit. Moving further down the objectives list, institutions are required to identify the risks associated with mobile offerings, which certainly includes fraud risk. Mobile fraud and authentication risk can no longer be an afterthought. The combination of mobile and the increasing speed of payments in general is rapidly changing the risk profile for mobile payments, so it is important to cover that in your “identified risks” list.
Business intelligence and measurement continue to be a theme in the guidance, not only in measuring the risks themselves but in understanding their impact. A “what if” analysis in mobile can be a bit of a discovery process, since not all mobile risks are necessarily understood right away.
It is important to note, as part of the objectives specific to reporting and oversight, that it will be critical to find expertise with the right mobile knowledge (both mobile technology and mobile risk) to inform the oversight function, which may be easier said than done.
For those of you who are incorporating the new mobile framework guidance into existing governance and strategy routines, this will obviously be a lot easier to accomplish than for those who may be building the framework from the ground up. Regardless, some important aspects need to be taken into consideration, no matter which stage you are in.
Mobile education will continue to be important across the organization as the MFS guidelines are implemented. Subject matter experts are leading the fraud, risk, and oversight functions as well as the strategy vision recommendations, so attracting and retaining this talent and applying it to your program development will be critical. Most importantly, in your awareness of mobile-related risk considerations, don’t forget about your customers’ education and safety within your program; customers using mobile will notice whether your safety recommendations keep up.
Lastly, ensure that your MFS governance framework is digestible, workable, agile, and friendly to business enablement, or else your speeding Formula One car will crash and burn. Clear communication and translation of risk will be key for your executive audience. Get started now on your plan; the sooner you do, the better prepared you will be at examination time.