The UK’s Financial Conduct Authority issued in September a thematic review into mobile banking and payments. The report had a broad remit and covered issues ranging from consumer rights to technology and security issues. One of the five high level findings focused on how firms retain oversight and control of third parties and outsourced functions. Mike Pierides, partner, and Rich Jones, associate, within Pillsbury Winthrop Shaw Pittman’s Global Sourcing group, explain the interaction between banks and third parties, and the related risks, in the context of mobile banking

In September, the UK’s Financial Conduct Authority (FCA) issued a thematic review titled "Mobile banking and payments" (the Review). The Review outlines in total five high level findings, relevant to whether firms are delivering good outcomes for their customers. One of the findings relates to how firms that provide mobile banking products and services retain oversight of third parties and outsourced functions involved in the delivery of their product offering to consumers. Another key finding relates to firms ensuring that data and transactions are being hosted and conducted on secure and robust technology platforms.

The Review follows on from the European Banking Authority’s (and other European supervisory bodies’) report in August which included a section on IT-related operational risk and cyber risk. Mobile banking services are perceived as amongst the most vulnerable to these risks.

These reports highlight one of the inherent structural risks of mobile banking services: that a series of third parties are involved in the end to end process of a mobile service or payment. Some of these third parties will have a direct relationship with the financial institution, and some will not.

Direct Relationship Third Parties

Mobile banking, just like existing online banking technology, is still dependent on back-end information technology infrastructure. Contractual arrangements with third parties that provide these hosting services are within the regulatory purview of the Systems and Controls (SYSC) 8 of the FCA Handbook (the Handbook), which has applied to Common Platform firms (including banks) since 2007.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Retail Banker International.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Much has been written about these rules; suffice to repeat here that they focus on ‘controls’ over a third party when a bank outsources critical or important operational functions. The Handbook requires compliance in a number of related areas such as reporting, audit and co-operation with the regulator, all of which must be documented as part of the outsourcing agreement.

In July, the FCA published a series of considerations for banks when using third party technology solutions. The considerations would be of application when a bank enters into an agreement with a payments platform provider. The considerations are a ‘ground up’ set of notes relating to issues that would need to be considered by a firm’s subject matter experts, rather than a more generic set of oversight controls.

Much of what can go wrong with mobile banking, including loss of data, fraud, or service interruption, and which is within the control of the banks will take place within the boundaries of the back-end information technology infrastructure and the related hosted systems.

Ensuring that these third party arrangements are compliant with the above regulation is key; if the bank itself or a third party with a direct relationship is the cause of a consumer-affecting issue, then reputational risk for the institution is likely to follow. However, and despite the common misconception to the contrary (see below), this is no different (for mobile banking) than it is for other forms of technology enabled banking.

Indirect Relationship Third Parties

The ‘Third party oversight’ section of the Review identifies some of the potential parties in a mobile payment transaction, including mobile manufacturers, mobile network providers and mobile software companies.

Figure 2 from the Review:

The Review goes on to say that in order to ensure the effective delivery of [mobile banking solutions] it is important that everyone involved in the delivery chain understands their responsibilities to each other and to the end consumer.

From a technology delivery standpoint, we can see how this is the case, and is critically important. For example, it is important for the most secure standards to be utilised for the near field chip technology, or for the appropriate use of biometric security, or for the utilisation by banking apps of the most secure platforms within the various mobile operating systems.

However, there is little control that can be exercised by a bank when interacting with many if not most of these parties. There are industry initiatives, mostly focused on technology, which do bring some of these players together, but there is no guiding framework or control that could be effected by the banks. For example, with financial institutions and retailers increasingly seeing the benefit of funnelling their traffic through apps rather than browsers, the large app stores still, largely, take no contractual responsibility to the end user for deficient functionality, loss or damage caused through the use of such apps.

Changing Perceptions

A report by Intercede published in August and which focused on mobile banking interestingly found that 53% of consumers would not use mobile banking services, because of concerns about device security i.e. use of their phone would lead to identity theft. However, the examples given of the events which have had this detrimental impact on consumer confidence such as Heartbleed and eBay’s data breach are ‘old fashioned’ hacks and bugs that take place at a lower level of infrastructure than the device level. These are not mobile-specific issues. Accordingly, the Review does not indicate that there is to be additional regulation specific to third party arrangements relating to mobile banking solutions.

Increasingly, new technology standards and robust infrastructure, including improvements in mobile device-centred technology, will increase consumer confidence in mobile banking. The report also suggests that this process will be aided by simple familiarity with the functionality available: the younger generation of users are more technology savvy than older users, and are more cognisant of the layers of technology and third parties that are involved in the provision of mobile banking. If a fault occurs with a mobile network operator, the user will typically know this is outside of a bank’s control.

What will be unforgiveable for a bank is if its own or a direct relationship third party’s infrastructure or technology is the root cause for a consumer-affecting fault.

Mike Pierides, partner, Global Sourcing Practice, and Rich Jones, associate, Pillsbury Winthrop Shaw Pittman LLP