Compliance: CUs need plan for mobile payment security

June 20, 2016

Examiner guidance issued in May by the Federal Financial Institutions Examination Council (FFIEC) essentially tasks credit unions with having a documented plan for mobile payments security and business risk. The guidance could play a key role in upcoming credit union examinations, according to CUNA’s CompBlog.

An 18-page appendix to the FFIEC’s information technology handbook offers significant detail without being too prescriptive.

The appendix does not specify the required methods of assessment, nor does it weigh in on what level of risk is acceptable for an individual financial institution; each institution is expected to determine that for itself.

John Best of CUNA partner Best Innovation Group recommends credit unions ensure they are taking the following steps:

  • Prepare a mobile risk assessment that specifically addresses payments-related software;
  • Implement biometric authentication routines. Text messages and similar mobile authentication methods are likely to receive added scrutiny, since anyone who gains possession of the phone can read the one-time codes and emails delivered to it;
  • Make sure their mobile software provider is not storing unencrypted data on the phone;
  • Make sure their mobile software provider obfuscates the mobile application's code so that it is substantially harder to reverse engineer (obfuscation raises the cost of reverse engineering; it does not make it impossible); and
  • Review their mobile enrollment procedures; the FFIEC guidance appears to recommend extra controls for enrollment in mobile payments applications.

In addition to CompBlog, CUNA’s Compliance Community contains discussion boards and a number of other resources for credit union compliance professionals around the country.