The UK’s Financial Conduct Authority issued in September a thematic review into mobile banking and payments. The report had a broad remit and covered issues ranging from consumer rights to technology and security issues. One of the five high level findings focused on how firms retain oversight and control of third parties and outsourced functions. Mike Pierides, partner, and Rich Jones, associate, within Pillsbury Winthrop Shaw Pittman’s Global Sourcing group, explain the interaction between banks and third parties, and the related risks, in the context of mobile banking.
In September, the UK’s Financial Conduct Authority (FCA) issued a thematic review titled "Mobile banking and payments" (the Review). The Review outlines in total five high level findings, relevant to whether firms are delivering good outcomes for their customers. One of the findings relates to how firms that provide mobile banking products and services retain oversight of third parties and outsourced functions involved in the delivery of their product offering to consumers. Another key finding relates to firms ensuring that data and transactions are being hosted and conducted on secure and robust technology platforms.
The Review follows on from the European Banking Authority’s (and other European supervisory bodies’) report in August which included a section on IT-related operational risk and cyber risk. Mobile banking services are perceived as amongst the most vulnerable to these risks.
These reports highlight one of the inherent structural risks of mobile banking services: that a series of third parties are involved in the end to end process of a mobile service or payment. Some of these third parties will have a direct relationship with the financial institution, and some will not.
Direct Relationship Third Parties
Mobile banking, just like existing online banking technology, is still dependent on back-end information technology infrastructure. Contractual arrangements with third parties that provide these hosting services are within the regulatory purview of the Systems and Controls (SYSC) 8 of the FCA Handbook (the Handbook), which has applied to Common Platform firms (including banks) since 2007.
Much has been written about these rules; suffice to repeat here that they focus on ‘controls’ over a third party when a bank outsources critical or important operational functions. The Handbook requires compliance in a number of related areas such as reporting, audit and co-operation with the regulator, all of which must be documented as part of the outsourcing agreement.
In July, the FCA published a series of considerations for banks when using third party technology solutions. The considerations would apply when a bank enters into an agreement with a payments platform provider. They are a ‘ground up’ set of notes relating to issues that would need to be considered by a firm’s subject matter experts, rather than a more generic set of oversight controls.
Much of what can go wrong with mobile banking, including loss of data, fraud, or service interruption, and which is within the control of the banks will take place within the boundaries of the back-end information technology infrastructure and the related hosted systems.
Ensuring that these third party arrangements are compliant with the above regulation is key; if the bank itself or a third party with a direct relationship is the cause of a consumer-affecting issue, then reputational risk for the institution is likely to follow. However, and despite the common misconception to the contrary (see below), this is no different (for mobile banking) than it is for other forms of technology enabled banking.
Indirect Relationship Third Parties
The ‘Third party oversight’ section of the Review identifies some of the potential parties in a mobile payment transaction, including mobile manufacturers, mobile network providers and mobile software companies.
Figure 2 from the Review:
The Review goes on to say that "in order to ensure the effective delivery of [mobile banking solutions] it is important that everyone involved in the delivery chain understands their responsibilities to each other and to the end consumer."
From a technology delivery standpoint, we can see how this is the case and why it is critically important. For example, it is important for the most secure standards to be utilised for the near field chip technology, for biometric security to be used appropriately, and for banking apps to utilise the most secure platforms within the various mobile operating systems.
However, there is little control that can be exercised by a bank when interacting with many if not most of these parties. There are industry initiatives, mostly focused on technology, which do bring some of these players together, but there is no guiding framework or control that could be effected by the banks. For example, with financial institutions and retailers increasingly seeing the benefit of funnelling their traffic through apps rather than browsers, the large app stores still, largely, take no contractual responsibility to the end user for deficient functionality, loss or damage caused through the use of such apps.
A report by Intercede published in August, which focused on mobile banking, interestingly found that 53% of consumers would not use mobile banking services because of concerns about device security, i.e. that use of their phone would lead to identity theft. However, the examples given of the events which have had this detrimental impact on consumer confidence, such as Heartbleed and eBay’s data breach, are ‘old fashioned’ hacks and bugs that take place at a lower level of infrastructure than the device level. These are not mobile-specific issues. Accordingly, the Review does not indicate that there is to be additional regulation specific to third party arrangements relating to mobile banking solutions.
Increasingly, new technology standards and robust infrastructure, including improvements in mobile device-centred technology, will increase consumer confidence in mobile banking. The report also suggests that this process will be aided by simple familiarity with the functionality available: the younger generation of users are more technology savvy than older users, and are more cognisant of the layers of technology and third parties that are involved in the provision of mobile banking. If a fault occurs with a mobile network operator, the user will typically know this is outside of a bank’s control.
What will be unforgivable for a bank is if its own or a direct relationship third party’s infrastructure or technology is the root cause of a consumer-affecting fault.
Mike Pierides, partner, Global Sourcing Practice, and Rich Jones, associate, Pillsbury Winthrop Shaw Pittman LLP