Compliance Blog

Nov 30, 2020
Categories: Operations

The FFIEC’s Take on Mobile Financial Services

I hope everyone had a wonderful Thanksgiving holiday! For me, the passing of Thanksgiving means it's finally late enough in the year to start planning out the next year. Over the next few weeks, countless hours will be spent reading reviews for the best 2021 planners and diligently mapping out all the events, personal and professional goals, and due dates already on my calendar for next year, as well as completing my annual budgeting project. For all those out there who are not overly zealous planners, that's okay, I accept you as you are. But, for those like me, you may also be gearing up for next year already.

As we have all experienced the changes this year has brought, thinking about how to expand mobile and digital offerings at your credit union may be on the 2021 to-do list. So, today’s post covers the FFIEC’s guidance on mobile financial services. While there is nothing new to report, it can be a helpful refresher as you think about these services and how your credit union is implementing them.

The FFIEC's discussion on mobile financial services can be found in Appendix E of the Retail Payment Systems booklet. Mobile financial services (MFS) include any services offered through a mobile device and fall into four main types: text messages, mobile-enabled web sites, apps, and wireless payment technologies (such as tap-to-pay or person-to-person transfers). When considering MFS offerings, the guidance identifies four key risks along with ways credit unions may be able to mitigate them.

Strategic Risk. This risk type is “associated with the [credit union’s] mission and future business plans” and can include “plans for entering new business lines, expanding existing services through mergers and acquisitions, and enhancing infrastructure.” When it comes to MFS, the guidance suggests credit unions identify how these services fit within the institution’s strategic plan and the particular types of MFS it wants to offer in accordance with that plan. Strategic risk can be mitigated by ensuring MFS offerings are aligned with the credit union’s strategic plan and implemented with strong vendor management controls.

Operational Risk. This risk type "is the risk of loss resulting from inadequate or failed internal processes, people and systems, or external events." This can include technology failures, human error and fraud. For MFS in particular, operational risk can arise through inadequate authentication procedures, malware or viruses infiltrating the member's app or mobile browser, or loss of the mobile device. When it comes to mitigating operational risk, the guidance suggests a layered approach that addresses the security of the technology, transaction monitoring, fraud detection and user education. The guidance also urges credit unions to consider implementing an identity verification process during enrollment and authenticating users via multiple factors each time they access the service. The guidance contains more detailed information on operational risks and mitigation strategies for each of the four types of MFS offerings, which can be reviewed based on a credit union's particular offerings.

Compliance Risk. This risk type, also known as legal risk, “arises from failure to comply with statutory or regulatory obligations.” While MFS can be a new way to offer services, the underlying product is still subject to all applicable laws and regulations. For example, a person-to-person transfer done via a mobile app using a debit card is still subject to Regulation E and the card network rules. To mitigate the compliance risk associated with MFS, the guidance advises credit unions to consult compliance staff, monitor for applicable regulatory changes and carefully oversee all third parties involved.

Reputation Risk. This risk type “occurs when negative publicity regarding [a credit union’s] business practices leads to a loss of revenue or litigation.” For MFS, this predominantly comes in the form of privacy and data security. As credit unions are ultimately responsible for breaches of their data, whether directly or via a third party, the guidance notes controls to prevent unauthorized disclosure of information are key to mitigating reputation risk. Contracts with third parties should also address liability for data breaches.

While each type of MFS offering brings with it specific risks and challenges, this framework should assist credit unions in assessing the risks and determining the appropriate controls to mitigate them. The guidance recognizes the heavy reliance on third-party technology partners that MFS requires and places particular emphasis on working with these partners. As a result, strong vendor management controls are vital to a successful MFS offering.

As always, the NAFCU Compliance team is here to help you navigate the regulatory framework for all your mobile and digital offerings. And if you have a good recommendation for a planner, send it my way!