In my compliance world, I like to write about topics that are black and white. But this month I’m going to discuss mobile banking compliance, which currently features a few more shades of gray. Mobile banking compliance receives minimal guidance from the regulators, and regulations haven’t been updated to keep up with this technology.
So, consider the following four areas as more credit unions offer mobile banking for members:
As with any new product, you must account for mobile banking in your existing risk assessments, such as those covering the Bank Secrecy Act, identity theft red flags, vendor management, and online banking.
NCUA has specifically indicated that a credit union’s online banking risk assessment should cover mobile banking. A credit union should perform, review, update, and document a risk assessment as new information becomes available, before implementing new electronic financial services, or at least every 12 months, according to the January 2012 NCUA Report. “The risk assessment should cover all forms of electronic banking, not just Internet-based transactions. Mobile banking is a good example.”
Existing regulations such as the Electronic Fund Transfer (EFT) Act/Regulation E do apply to mobile banking, so you must provide proper disclosures. You may include the mobile banking Reg E disclosure as part of your account agreement, or you can provide it separately. Under Reg E, your initial disclosure contained in your account agreement may cover all EFT services (ATMs, debit cards, mobile banking, online banking, etc.) even if members haven’t arranged to receive all services at the time you provide the account agreement. Thus, if you include mobile banking in the account agreement, you don’t need to provide members a new Reg E disclosure when they actually sign up for and/or begin using mobile banking.
If you have existing members who want to sign up for mobile banking and it wasn’t part of their initial Reg E disclosures, you’ll need to determine how to provide the disclosures. If your member already has Reg E services (such as a debit card) and received the initial Reg E disclosures for that service, then you only need to disclose the terms and conditions that differ.
Terms and conditions
You should have an agreement with your member for the use of mobile banking. Some credit unions think the required regulatory disclosures are enough, but that isn’t the case.
You might include the regulatory disclosures in the agreement. But there are other contractual terms you might want to impose, such as security, access, notifications, illegal use, termination, liability, or indemnification.
If you’re advertising loans through mobile banking, you still must provide the proper disclosures. If you state the annual percentage rate (APR) for your credit card through a text message advertisement, you must provide the required additional disclosures including:
If you’re advertising a deposit product and you include the annual percentage yield, not only do you need additional Truth in Savings disclosures, but you also need the official advertising statement. Will all of it fit into a text message?
Although there may be little explicit guidance on mobile banking compliance issues, look at existing regulations to see how they apply to mobile banking. The compliance issues still exist, even if they’re not all in black and white.
The services provided by PolicyWorks shouldn’t be construed as legal services, legal advice, or in any way establishing an attorney-client relationship.