Regulating Mobile Banking and Payments - balancing innovation and security
For anyone involved in mobile banking and payments, keeping an effective grasp on regulatory risk, while engaging with a rapidly changing market place, is often challenging. In its first dedicated review of these issues, the Financial Conduct Authority has set out the key regulatory areas for attention (Mobile Banking and Payments – Supporting an Innovative and Secure Market).
The review spans the whole range of banking and payments services accessible via mobile phones, tablets and other handheld devices, and builds on the issues flagged by the FCA in its 2013 Risk Outlook, as featured in our briefing Technology risk in financial services – the road ahead under the FCA.
In addressing the topic, the FCA emphasises the need for businesses to consider consumer requirements at each stage of product development. Understanding the risks to consumers and taking appropriate measures to address these effectively are also highlighted as an important overarching requirement, supported by tests on the robustness of technology infrastructure and stress testing of the products.
The FCA highlights that, while many of the risks it identified have not created significant problems to date, they have the potential to do so. Thus, the review can be seen as a cautionary note for the sector about addressing these risks - it provides a context for the regulator to take action in future if it identifies significant shortcomings.
Key points of regulatory focus
- Fraud – given that mobile banking and payments may present different challenges from those in other channels such as internet banking, the FCA is concerned to see that firms have a clear strategy for identifying and mitigating the risk of fraud and detecting and addressing any fraud which arises.
- Security – security underpins the trust on which mobile banking/payments rely, so it will always be a vital component. Among the key expectations here are appropriate methods for preventing and detecting malware and viruses and, equally importantly, providing clear security information to consumers.
- Outsourcing – since most, if not all, mobile banking and payments services rely to some degree on outsourced services, the FCA is concerned to see that firms can monitor the service delivery end-to-end and can readily identify who is responsible for problems or financial loss which arise.
- Consumer awareness – as many mobile banking and payment services are relatively new and potentially less fully understood by consumers, there is a greater responsibility on firms to provide effective guidance to consumers on how to engage with these services and to establish suitable processes to resolve mistakes if they do occur.
- Technology risk – a technology failure may not merely interrupt services, but also limit customers' access to their money and undermine the necessary trust and confidence in the service. The FCA particularly flags the risk that commercial pressures to get products to market rapidly may lead to services being released without sufficient testing and protection. It therefore expects firms to operate a suitably rigorous testing programme before widespread rollout of new products.
- Anti-money laundering controls – again, given the innovative nature of many mobile banking/payments services, the systems and controls required to identify, assess and mitigate the risk of financial crime need to be put in place in a form which is proportionate and sensitive to the risks in question. Here, the FCA flags the potential need for additional checks to verify the identity of the payee and recipient. The need for suitable measures to minimise the risk of money laundering becomes more significant in the case of more sophisticated services, particularly where cross-border payments are involved.
Overall, the FCA found that businesses had given some thought to the potential risks associated with mobile banking and payments, but, as a sub-text, implied that there was more work to be done in this area. The FCA will now be testing a sample of mobile banking/payments firms to assess how far they are meeting regulatory expectations. These assessments are likely to cover the full spectrum of regulatory risk issues from strategic decision-making and product governance, through product design, regulatory compliance and technology contingency arrangements to third party outsourcing. The objective is to report on the further investigations in the first half of 2014.
The FCA's review recognises the significance of the mobile banking and payments sector and the potential for huge benefits to the market and the consumer. It should also be seen as part of the regulatory push to emphasise the need for effective compliance in this fast-moving area. Thus, all players in this sector, whether established or new entrants, will need to take note and be ready to demonstrate how their operations are managed to meet the FCA's expectations.
A version of this article was first published in E-finance and Payments Law & Policy September 2013.