OCC Bulletin 2016-14 | April 29, 2016
FFIEC Information Technology Examination Handbook: Mobile Financial Services, New Appendix to the Retail Payment Systems Booklet
Chief Executive Officers of All National Banks, Federal Branches and Agencies, and Federal Savings Associations; Technology Service Providers; Department and Division Heads; All Examining Personnel; and Other Interested Parties
The Federal Financial Institutions Examination Council (FFIEC) has released a new appendix, “Mobile Financial Services,” to the “Retail Payment Systems” booklet of the FFIEC Information Technology (IT) Examination Handbook. The new appendix E focuses on the risks associated with the activities and devices used for mobile financial services. The appendix emphasizes an enterprise-wide risk management approach for effectively managing and mitigating existing and evolving risks. Additionally, the appendix contains work program objectives to assist examiners in determining the state of risk and controls at an institution or third-party provider. “Retail Payment Systems” is one of the 11 booklets in the FFIEC IT Examination Handbook.
Note for Community Banks
This guidance applies to all national banks and federal savings associations (collectively, banks) that offer mobile financial services. Community banks should adopt risk management practices commensurate with the level of risk and complexity of the mobile financial services offered and the technologies supporting such services. Bank management should identify, measure, mitigate, and monitor the risks involved with mobile financial services.
Appendix E addresses the following:
- Mobile financial services technologies.
- Risk identification.
- Risk measurement.
- Risk mitigation.
- Monitoring and reporting.
Mobile financial services are the products and services that banks provide to their customers through mobile devices. Customers’ mobile transactions often emulate those initiated on traditional desktop computers; mobile financial services, however, can provide more convenient transaction execution capabilities, such as the initiation or acceptance of mobile payments. Mobile financial services can pose elevated risks related to device security, authentication, data security, mobile malware, data transmission security, compliance, and third-party management. Customers are often less likely to activate security controls, virus protection, or personal firewall functionality on their mobile devices, and mobile financial services often involve the use of third-party service providers.
For further information, please contact Kevin Greenfield, Director for Bank Information Technology, at (202) 649-6340.
Bethany A. Dugan
Deputy Comptroller for Operational Risk