
MANAGING THE RISK OF MOBILE BANKING TECHNOLOGIES

This report was commissioned by FinMark Trust

Bankable Frontier Associates LLC
www.bankablefrontier.com
24 March 2008



BFA-080324

EXECUTIVE SUMMARY

1. M-payments and m-banking are now spreading fast across the world, in developed and
developing countries. The use of mobile phones for mobile Financial Services (m-FS) is
relatively new and, as a consequence, the knowledge of the risks and the risk experience of
providers is still limited. However, the rapid take-up and potential scale of new offerings has
led to increased interest from mobile Financial Services Providers (mFSP), both banks and
non-banks, and from government regulators in understanding and managing any unique,
additional risks.
2. Two elements of the mobile channel are distinctive relative to other e-banking channels like
Internet banking or point of sale devices:
a. The mobile handset, which comes with a wide range of functionality from basic on
standard handsets to advanced on feature phones and smart phones;
b. The mobile network, which includes all the links carrying a data message from a handset
to the mFSP or vice versa and the methods used to communicate between the handset
and the mFSP.
Both these elements contribute to a different risk environment for m-banking. Boards and
management of mFSPs as well as regulators need to have a clear basic understanding of
how these elements work, including a comparison to other established e-banking channels.
Increasingly, as handset functionality increases, mobile financial services are converging
with Internet banking.
3. Regulators and others commonly list additional risk considerations arising from the use of
the mobile channel. These include: the higher possibility of loss of device, the restricted
screen and keypad of the device, the information security of the end-to-end network, the
availability and reliability of the communications network, and the use of outsourced service
providers. However, a priori, these factors do not in themselves make most use cases of
m-FS more or less risky than other forms of e-banking.
4. The main technical characteristics affecting the risks of m-FS:
a. The security functionality available on the handset: the lower the security requirement
from the handset, the broader the potential market, especially in developing countries;
b. The degree of dependence or independence from a particular Mobile Network Operator
(which controls access to the SIM card and the mobile network): channel options may or
may not require downloading of an application to the SIM or phone, which in turn may
require participation of the manufacturer or MNO.

These characteristics imply four main use cases as summarized in the diagram below:


Mobile Handset Capability: Standard (all) or Advanced
Independent of Mobile Network Operator?

Yes, Standard (all):
Use Case 1: Use what is there, existing generic mobile bearer services provided on all phones
accessible directly by user
Yes, Advanced:
Use Case 2: Use mobile browsing services that are provided on phones
Use Case 3: Use advanced application services provided on phones
No, Standard (all):
Use Case 4: Use a secure environment on the mobile provided by the MNO or MNOs
No, Advanced:
Use Case 4 prime: Dedicated secure application environment on a handset

In general, in developing countries, the mass market for the foreseeable future will have
only standard handsets, hence m-FS models which seek wide reach are likely to fall into
Use Cases 1 or 4. These situations are more likely to be “Transformational” because of
the potential to extend financial services to people who are without them.
For applications in the upper end of developing markets or in developed markets, Use
Cases 2 or 3 are likely to apply. Use Case 4 prime is not yet widely available.
5. m-FS are subject to many of the same vulnerabilities as e-banking. However, the risk
associated with each identified vulnerability must be evaluated in a three-step process.
a. First, the likelihood and severity of the vulnerability occurring are assessed in order to
calculate the risk rating. That is done within each one of the Use Cases.
b. Second, control measures are proposed based on the assessed risk. The final risk is the
risk adjusted for the control measure.
c. Third, environmental factors may scale the adjusted risk rating upwards or downwards.
These factors include whether the mFSP is a new entrant or not; and the extent to which
the mobile channel is the main or dominant channel offered by the mFSP itself and/or on
a country basis.
6. In general, Use Case 1, which is common in developing countries and can provide ubiquitous
access, presents higher inherent technology-related risks largely because of the lack of
end-to-end secure encryption of messages. This increased risk may be mitigated by effective
business process and/or product design controls. While Use Case 4 addresses the
encryption risk by providing encryption within the SIM, and provides the most security, its use
and market may be limited by the need for MNO cooperation and a SIM with SIM Toolkit
capability. In Use Cases 2 and 3, the risks (and services) increasingly converge with
standard Internet banking risks.
7. Emerging technology: several developments are likely to change the picture of risk:
a. An increasing proportion of smart phones will lead to more reliance on Use Cases 2 and 3
even in developing countries; this will heighten the need for knowledge of e-banking risks
in countries in which Internet banking may not yet be common;
b. The development of near field communication (NFC) enabled handsets which can
effectively act as a token for local purchases (already common in Japan and under trial in
several developed countries such as the UK and US) is likely to further increase take-up of
m-FS. The risks of the integration of NFC into mobile banking require further
investigation and are outside the scope of this report.

8. Findings:
The mobile technology options available today allow for a variety of choices when
implementing Mobile Financial Services. Options range from technologically secure
end-to-end implementations to less secure options that do not have full mobile to banking system
security.
It is possible to offset the increase in risk caused by using less secure mobile technologies
by introducing operational controls.
The ubiquity of less secure mobile technologies, namely Voice/DTMF/IVR, SMS and USSD,
on all mobile handsets, together with the feasibility of offsetting the risks introduced by their
use in mobile financial service provision, makes it possible to extend financial services to all
mobile subscribers.
Given the lower levels of mobile handset technology prevalent in many developing countries,
transformational mobile banking can be accomplished by a careful appraisal, introduction
and management of operational controls (including user education) necessary to offset the
higher technical risks inherent in choosing ubiquitous but less secure technologies.
The following diagram depicts the security models that can be used and the relative tradeoffs
between technical security and operational controls that are discussed in this report.
Moving to prudent and adjusted security models requires a proportionate regulatory
framework within which to ensure on-going and active supervision of risk management.
[Diagram: security models. Axes: level of technical security of the mobile channel; level of operational controls. Models shown: end-to-end security model, prudent mobile security model, adjusted mobile security model. Labels: Use Case 2, 3 and 4; Use Case 1; Custom Implementation. Direction of trade-off: less technology and more process control.]

Recommendations:
9.1 For mFSPs:
a. To provide transformational m-FS, the mFSP should consider choosing technologies, such
as those in Use Case 1, that provide quick and widespread access to its services. Where
less secure technology is chosen, technical and operational countermeasures can be
introduced to reduce the risk both to the business and to individual clients.
b. The boards and management of mFSPs should develop a comprehensive risk framework.
This is true for banks and non-banks alike. For starting a business, a probable Use Case
should be the basis for this framework.
c. mFSPs should either implement the BIS operational risk management principles or highlight
where they intend to deviate from them.
d. After the initial business launch, the risk framework (in the form of a risk matrix) should be
updated in light of risk experience as well as other vulnerabilities identified once operational.
e. Just as large international financial institutions are increasingly sharing their experiences of
operational risk on an ongoing, confidential basis through information exchanges such as
ORX, mFSPs operating in particular Use Cases may benefit from an arrangement in which a
current industry level assessment of vulnerabilities and risk is available as a benchmark for
operational risk assessment.
9.2 For financial regulators:
f. Regulators should be careful not to entrench technology specific standards in regulations
which may unnecessarily stifle m-banking development. They should create a flexible,
proportionate framework within which an on-going, active supervision of mFSPs can take
place. This assures attention to the mobile channel risks while providing adequate room for
risk appropriate innovations.
g. Regulators engaging with domestic mFSPs should share their learning with colleagues in
other jurisdictions in a structured manner so as to contribute to and benefit from an emerging
global perspective.
9.3 For mFSPs, financial regulators and organizations promoting the development of the sector:
h. Given the lower levels of mobile technology prevalent in many developing countries,
transformational mobile banking is best accomplished by a careful appraisal of the
operational controls (including user education) necessary to offset the higher technical risks
inherent in choosing ubiquitous but less secure technologies.
i. The basic level of knowledge required by board, senior management and financial regulators
to meet Basel Guidelines for awareness of operational risk management in this new area
should be defined. Training curricula should be developed to meet this need.
j. As the rapid pace of technological change continues, a trusted central organization should
maintain a list of all known vulnerabilities of the mobile channel, updated by experience, to
which regulators and mFSPs should have access as a baseline for their risk frameworks.

ACKNOWLEDGEMENTS
Specific thanks to those who gave their time to participate in our interviews, whose names are
listed in Annex N; and to the following who gave comments on drafts of the document: Jenny
Hoffmann, John Ratichek, and the participants at the Transformational Branchless Banking
Seminar in Windsor, England in March 2008.

Johann Bezuidenhoudt, Johannesburg, South Africa
David Porteous, Somerville, MA USA


FOREWORD—the FinMark Trust Mandate
FinMark Trust has established a strong reputation for producing credible research which supports
the development of innovative approaches to extend access to financial services. FinMark Trust
then seeks to make this research widely available to market participants, unlike proprietary
research which is not easy or affordable for many to access.
In pursuit of its mission, FinMark has commissioned a series of reports on m-banking, most
recently “Mobile Banking Technology Options” by Troytyla (Gavin Kruegel) which overviews the
different mobile banking technology options available in the market.
In pursuit of its mission, and specifically building on the last report, FinMark Trust commissioned
this report on the risks of the different technology options and how best to manage them. As the
terms of reference stated, “The lack of information about the level of risk inherent in the different
technologies and the opportunities to mitigate the risk through business processes and strategies
may be leading to choices which do not necessarily match the needs of the market most in need of
innovative access to financial services.” This report should therefore not only provide relevant
information but support choices which match the needs of the market which FinMark Trust seeks
ultimately to serve.















Disclaimers
This report is intended to provide a general overview of risk patterns and trends attaching to the
use of the mobile channel for providing financial services. The report is for information and
guidance of readers and it is not intended to support a specific plan of action since this would
require additional information and insight into each particular situation.
The vulnerabilities, analyses and risks shown and analysed in this report are intended to be
indicative of the risks which an mFSP may or will face. The analysis is not intended as an
exhaustive or a fully objective list. Each mFSP should assess and validate their own risks in terms
of their own situation, the intended functionality to be offered and the process controls that will be
put in place and/or are already in place.
Additional advice should be sought where necessary from expert advisors before taking action.
Neither BFA nor FinMark Trust may be held liable for the consequences of implementing any or all
of the recommendations of this report.
TABLE OF CONTENTS
EXECUTIVE SUMMARY
ACKNOWLEDGEMENTS
FOREWORD—the FinMark Trust Mandate
Disclaimers
TABLE OF CONTENTS
SECTION 1. INTRODUCTION
1.1 Context of report
1.2 Scope of report
1.3 Methodology
1.4 Structure of report
SECTION 2: ELEMENTS OF THE MOBILE CHANNEL
2.1 Mobile device
2.2 Network
2.3 Technology-related Use Cases
2.4 M-banking compared to other e-channels
SECTION 3. VULNERABILITIES, RISKS & CONTROLS
3.1 Structured process of risk evaluation
3.2 Vulnerabilities of the mobile channel
3.3 Prudent Practice in Addressing Technological Vulnerabilities
3.4 Risk Identification and Assessment by Use Case
3.5 Summary of Risk Controls
SECTION 4. ENVIRONMENTAL FACTORS, BUSINESS MODEL CHOICE, AND GOVERNANCE PROCESSES
4.1 Risk in context: scaling for the environment and the business model
4.2 Regulatory oversight: Good practice principles
SECTION 5. EMERGING ISSUES AND CONCLUSIONS
5.1 Emerging risk scenarios
5.2 Conclusions: Risk Approach
5.3 Recommendations
REFERENCES
ANNEX A: Categories of Operational Risk
ANNEX B: Functional Survey of m-FS Technologies
ANNEX C: Use Cases – Definitions and Technology
ANNEX D: Particular vulnerabilities of the Mobile Channel
ANNEX E: Use Case Scenarios
ANNEX F: List of Transaction available by Use Case
ANNEX G: Vulnerabilities in specific Use Cases
ANNEX H: Summary Risk Evaluation by Use Case
ANNEX I: Business Model Choices - Elements of the service offering
ANNEX J: Examples of Fielded mFSP Implementations
ANNEX K: Regulatory Oversight Principles
ANNEX L: Emerging Issues and Case Study
ANNEX M: Comparison of GSM and CDMA Mobile Channel Technology
ANNEX N: List of Interviewed Organisations
ANNEX O: Glossary of Terms

SECTION 1. INTRODUCTION
1.1 Context of report
Mobile banking brings new opportunities and risks to financial providers, carriers and the financial
system.
On the one hand, it holds out the prospect of adding new convenience for accessing banking and
payment services to existing banked customers (‘additive m-banking’). Especially in developing
countries, it may go even further to offer banking and payment services to those who have never
participated in the formal electronic banking system before. This is called transformational
m-banking to distinguish it from additive m-banking (BFA 2006). In the process, banks, mobile
network operators (MNO) and third party suppliers stand to gain. These opportunities have caused
new players to enter this market.
On the other hand, the addition of a new channel brings new operational risks to providers, just
as the introduction of Internet banking more than a decade ago opened new categories for risk.
For this reason, mobile Financial Service Providers (mFSP) seeking to enter the market, or those
already in the market, have to assess their risks and develop strategies to mitigate them on an
ongoing basis. As adoption of mobile financial services (m-FS) increases, financial regulators in
various countries are also paying increasing attention to the specific risks brought by the use of the
mobile channel.
Although some providers in m-banking are not banks and are not subject directly to banking
regulation, we use as a benchmark the principles of operational risk management developed for
national regulators by the Bank for International Settlements (BIS).
Operational risk is defined as the risk of loss arising from the failure of operational procedures. A
number of categories of operational risk have been defined by the BIS. The operational risks
related to the choice of technology include: internal fraud (including theft and unauthorized
activity), external fraud (including theft and systems security), business disruption and system
failures, failures in the execution and maintenance of transactions, and failures on the part of
vendors and suppliers. For a full listing with descriptions of the Categories of Operational Risks,
see Annex A.
The portion of technology risk related to the mobile channel specifically is a further subset. This
report focuses on identifying the specific vulnerabilities of different payment models in different
contexts related to m-banking and m-payments.
Previous reports such as that of the Mobile Payment Forum (2003) have considered the
technological vulnerabilities and have assessed the risks related to certain specific use case
scenarios for mobile payments. In addition, the recent report for FinMark Trust by Troytyla (2007)
considers the channel choice and risks around the bearer channel and MNO integration.
However, vulnerability and risk assessment are never independent of the choice of business model
or the context in which the model is to be operated. This report differs from previous reports in that
the risk framework developed here is a dynamic one, which varies by model and context. This
enables it to be more widely applied than a static framework. Because the permutations around
model are many, the focus of this report is on models which target unbanked customers and
developing market contexts, although the framework is valid for all markets.
Managing the Risk of Mobile Banking Technologies
9

24 March 2008

1.2 Scope of report

This report focuses on the specific technology risks of the mobile channel and does not consider
the integration of mFS platforms with other typical IT system components, such as financial
switches, data depositories or applications as shown in Figure 1 below. The risks arising from the
integration between these components are not specific to the use of mobile, and have received
attention in other reports.


Figure 1: Technology components of m-banking models

[Diagram: components shown are Bank Generic Application Development, Data Repository, Financial Switch and Mobile Channel; the Mobile Channel is marked as the scope of this report.]

Source: Troytyla (2007)


The report should be of interest to:
• mobile Financial Service Providers, whether banks, MNOs or non-banks, who are
considering introducing m-FS, and
• financial regulators who are increasingly interested in the risks of m-banking and the extent
to which providers are understanding and managing these risks.

This report contains the information which a senior executive or financial regulator
should know about the vulnerabilities and risks of the mobile channel for financial transactions.
Indeed, part of the purpose of this report is to benchmark the levels of knowledge which a
non-specialist manager or board member should have about this new and dynamic area, in line with
BIS Operational Risk principle No.1: “the board of directors should be aware of the major aspects
of operational risks, and should approve and periodically review the bank’s operational risk
framework.” Prior detailed knowledge of m-banking is therefore not assumed, although
comparisons are made to banking via other electronic channels such as the Internet with which
readers may be familiar.

More detailed information on the technology can be found in Annex C (Use Cases –
Definitions and Technology) of the report.
