Barton FinTech Series: Mobile Banking

Mar 10, 2020 | Blog
Partner

Mobile banking involves the execution of financial transactions with a bank using a mobile device (cell phone, tablet, etc.) This article focuses on the applications and technologies that enable users to execute these types of transactions. For the purposes of this article, we assume that a licensed bank is a counterparty to all transactions.

Broadly speaking, three categories of technologies are used in a majority of mobile banking applications:

  • SMS Messaging: texting
  • Mobile Web: login to a bank via a mobile web browser
  • Bank Software Applications: proprietary software provided by a bank and downloaded onto a device, connecting the user directly to the bank server

The third method provides the best encryption at the device level as well as encryption of data passing through the mobile web browser.  Most major banks now require users to download proprietary software applications on their devices in order to execute transactions.

Key Regulatory Considerations

Every mobile banking technology solution must comply with the following legal and regulatory regimes:

Banking

Lending transactions are subject to federal banking regulations. In some cases, state banking regulations will also apply, though this depends largely on where the bank is chartered and where the user or borrower is located. In cases where the mobile banking user is a consumer, the federal and/or state banking regulations will apply to the transactions.  Most of the relevant banking regulations address mandatory disclosures (collectively, “Consumer Finance Regulations”)[1]. The federal Consumer Finance Regulations substantially preempt consumer protection disclosure regulations at the state level. In certain states, however, additional consumer protection regulations supplement federal law; particularly those that pertain to (i) interest rate limitations and (ii) debt collection practices (which are regulated under the Unfair and Deceptive Practices Laws of many states). Other regulations apply if the lending bank holds FDIC-insured deposits[2].  Additionally, both consumers and business customers are governed by the Electronic Funds Transfer Act[3] and the Expedited Funds Availability Act.[4]

Data Privacy

More than ever before, protection of financial and personal information occupies a central role in the data privacy discussion as this information is among the most sensitive (perhaps second only to health-related data). Federal regulation[5] governs any and all handling of a consumer’s non-public information. The relevant federal regulation requires, collectively:

  • yearly written disclosure of the bank’s privacy policies and practices;
  • consumer opt-out rights to block disclosure of non-public information to any third parties;
  • prohibition of sharing account numbers with third parties;
  • implementation of “standards” to protect the security and confidentiality of consumer non-public information;
  • implementation of strict guidelines as to when and how the bank can contact a consumer; and
  • conducting ongoing training sessions for bank personnel to keep them updated on evolving practices.

State regulations are also evolving rapidly in this sector. Many states have developed their own data privacy regulations that banks and Fintech companies must comply with in order to offer mobile banking solutions in that state. In many cases, they will need to enhance their federally compliant policies with applicable state-specific provisions to ensure that they remain compliant.

Information Security

Along with the intense focus on data privacy, federal and state regulations require stringent policies to protect sensitive information. Federal regulations require all banks to create and implement written policies that outline the methods the bank uses to safeguard the confidentiality and security of customer information (the “Information Security Policy”).  Among other requirements, an acceptable Information Security Policy must contain policies and procedures regarding the bank’s risk assessment, controls, testing, service-provider oversight, periodic review and updating, and reporting to its board of directors.  The bank must implement a similar set of policies with respect to its third-party service providers.

Cybersecurity

In addition to protecting sensitive information, consumers and regulators expect banks to maintain robust cybersecurity systems measures to protect electronic data from being compromised. The Financial Services Sector Coordinating Council has published a profile for use by financial institutions to determine the scope of their cybersecurity risk.  The profile is based on guidelines published by the National Institute of Standards and Technology, the IOSCO guidance published on cyber resilience for financial market infrastructures, and guidance provided by the International Organization for Standardization with respect to digital security. The profile allocates a risk level to each financial institution based on the potential impact of a cybersecurity event occurring at that institution.[6] Once an institution is classified by risk level, the profile outlines best practices and guidance for the relevant entity.

What’s Next?

We expect the following trends to accelerate within the next 18 months:

  • Open Banking Applications – Expanded access to applications that utilize application programming interfaces (APIs) permitting third party access to an account holder’s information available on the bank’s server. This technology will facilitate the coordination of services between Fintechs and traditional banks and will expand the use of BaaS technology (where the bank system and software is utilized as a service that supports the Fintech technology.)
  • Enhanced Authentication – Increased transition to biometric scanning to access bank applications, such as thumbprint, facial recognition and voice prints.
  • Enhanced Fraud Detection – Use of more efficient big data engines to improve risk assessments.

The mobile banking sector is propelled by emerging technologies. The implementation of such technologies is beneficial to banks and users and provides expanding opportunities for Fintechs.   The banks benefit from cost reduction related to reduction in physical banking locations and streamlined regulatory reporting.  The users benefit from the expanding menu of banking services available on mobile devices and the implementation of robust cybersecurity protection. The Fintechs benefit from the emergence of more open banking applications and the need for enhanced technology in the area of regulatory oversight of capital and liquidity compliance.  A win for everyone!

 

REFERENCES

[1] Truth in Lending Act (Regulation Z); Consumer Lease Financing Act (Regulation M); Equal Credit Opportunity Act (Regulation B); Fair Debt Collection Practices Act and MOBILE ACT (Making Online Banking Initiation Legal and Easy).

[2] Advertisement of FDIC Membership (12 CFR § 328).

[3] Regulation E (12 CFR 205), which establishes the rights, liabilities, and responsibilities of parties in electronic funds transfers.

[4] Regulation CC (12 CFR 229), which updated the availability of funds to reflect the fact that substantially all remittances are electronic (and no longer paper-based).

[5] Right to Financial Privacy Act (“RFPA”), the Gramm Bliley Leach Act (“GBL”) , the Financial Services Regulatory Relief Ac (“FSRRA”), the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd Frank”), and the relevant portions of the Consumer Finance Regulations discussed above (collectively, the “Privacy Regulations”).

[6]  National/Supernational Impact, Subnational Impact, Sector Impact and Localized Impact.