Mobile Payments

Mobile financial services, including mobile payments, are the products and services that a financial institution provides to its customers through mobile devices. The risks associated with traditional delivery channels, such as those with RDC, apply to mobile services; however, risk management strategies may differ. As with other technology-related risks, management should identify, measure, mitigate, and monitor the risks involved and be familiar with technologies that enable mobile financial services.

Banking transactions conducted and retail payments initiated on a mobile device often emulate those initiated on traditional desktop computers. Mobile payment applications are often developed by or for the credit union to allow its members to perform account inquiries, retrieve information, and initiate financial transactions. These types of transactions may present additional risk to the credit union related to device security, authentication, data security, application security, data transmission security, compliance, and third-party management. Consumers are often less likely to activate security controls, virus protection, or personal firewall functionality on their mobile devices.

Risk Mitigation

When offering mobile services, management needs to ensure its goals are compatible with the credit union's risk appetite and strategic plan. Management should identify and mitigate risks associated with the mobile service. As is the case with any product offering, management should have developed and implemented policies and procedures to comply with applicable laws and regulations. It should require appropriate internal controls for security and confidentiality of the mobile transactions. It also should have developed an internal audit program relative to the mobile service offered.

Unlike other financial services that allow the credit union to control much of the operational activity, mobile services typically require the coordinated and secure exchange of information among several unrelated entities. Depending on the type of service offered, the credit union may find that the effective management of risks involves interaction with application developers, mobile network operators, device manufacturers, specialized security firms, and other non-financial third-party service providers. The credit union should provide security awareness material to its members, including material related to prudent security practices for the mobile device (for example, use of mobile anti-malware and PIN protection), so that members understand their roles in securing the device and the need for such security.

Last updated February 7, 2017