
7 essential strategies to secure mobile-first consumer-driven banking


North America is catching up fast to the open banking initiatives that are already thriving across Europe, South America and Asia Pacific. As financial sectors across the world retool to support and protect open banking, US and Canadian banks are uniquely placed to capitalise on those learnings. While the major US and Canadian banks are not compelled by their regulators to facilitate information sharing, all institutions recognize the need to support consumer-driven banking in order to offer choice and remain competitive. In this blog, we highlight the 7 essential strategies that North American and Canadian banks need to know to support open banking and protect their customers' sensitive data.

Background

This past year, Canada's Finance Minister announced a commitment to open banking, and the US Consumer Financial Protection Bureau (CFPB) is opening the door to consent models under which customers authorise third parties to access their bank accounts. This has been labeled "consumer-driven banking" rather than "open banking," but the preferred banking platform is clear: mobile-first.

Whether called consumer-driven or open banking, this revolution offers numerous exciting opportunities, and all of them are mobile-first. According to the Canadian Bankers Association, over 33% of consumer financial transactions are done on a mobile device. In a survey conducted by the ABA of consumers aged 60 or below, over 52% primarily use mobile banking to initiate any transaction or payment.

THE OPPORTUNITY

By focusing on mobile-first solutions, banks can offer unparalleled convenience for their customers, serving them from anywhere while concentrating on their core operations. Mobile-first also gives banks a holistic customer overview: by integrating insights from the banking and fintech sectors with mobile device telemetry, they gain a deeper understanding of customer needs and behaviors, can anticipate those needs, and can suggest products and capture consent with a clearly stated purpose. When a product does not fulfill its intended objective, the customer can easily exercise their privacy rights and withdraw consent.

THE CHALLENGE

This would all be love and roses if the banking industry did not have to operate on a hostile internet rife with money laundering and fraud, under stringent regulatory controls on compliance, uptime (backed by fines), and customer service standards.

Mobile-first comes with an increased risk of data breaches and unauthorized access. Many banks still rely on legacy technology that may not be equipped to meet the demands of consumer-driven, mobile-first banking. These banks will be left behind, unable to implement the security measures described in more detail below.

THE ESSENTIAL STRATEGIES

One - Implement Know Your Customer (KYC) Standards:

Continuously verify the identity of payment initiators or transferors using real-time telemetry, biometric, or behavioral data before transactions are permitted. Although KYC processes can be costly and introduce friction, they are essential for preventing fraud and ensuring compliance.

Two - Robust Customer Consent Management:

Efficiently manage the collection, storage, and accessibility of customer consent for access to confidential information. This means enabling users to review and withdraw consent as needed, practising data minimization, and avoiding misconfigurations that could lead to data disclosure and liability.

Three - Adaptive Authorization and Authentication:

Employ adaptive authentication that adjusts access based on user behavior, device, and contextual factors. This minimizes unnecessary security checks and keeps the user experience seamless by requiring additional verification only when the risk warrants it.

Four - Adhere to Established Security Standards:

Follow comprehensive guidelines such as those published by OWASP and ENISA for securing web and mobile applications. These standards emphasize secure development practices and robust threat mitigation, and help banks comply with privacy and data sovereignty laws.

Five - Device Binding:

Bind the mobile application to a specific device so that a copied or tampered instance cannot function on any other device. This adds a further layer of defence against malicious actors attempting to exploit the application.
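As an added example that is not part of the original post or Cryptomathic's products, the policy below shows how strategies three and five fit together: the device-binding and integrity checks are hard preconditions, and only then does a risk score over behaviour, device and context signals decide whether to allow, step up, or deny. Every signal name, weight and threshold is an illustrative assumption.

```python
# Added example (not Cryptomathic's code): a minimal adaptive-authentication
# policy for a mobile banking transaction. Signal names, weights and
# thresholds are illustrative assumptions, not values from any standard.
from dataclasses import dataclass

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass
class TxContext:
    device_bound: bool         # app proved possession of its device-bound key
    device_integrity_ok: bool  # no jailbreak/root or tamper indicators reported
    known_device: bool         # device previously enrolled for this customer
    country: str               # country of the current session
    home_country: str          # customer's usual country
    amount: float              # transaction amount
    typical_amount: float      # customer's typical transaction size
    new_payee: bool            # payee never seen before for this customer
    behaviour_score: float     # 0.0 (very unlike the user) .. 1.0 (matches user)


def risk_score(ctx: TxContext) -> int:
    """Sum weighted risk signals; a higher score means a riskier transaction."""
    score = 0
    if not ctx.known_device:
        score += 30
    if ctx.country != ctx.home_country:
        score += 20
    if ctx.amount > 3 * ctx.typical_amount:
        score += 25
    if ctx.new_payee:
        score += 15
    if ctx.behaviour_score < 0.5:
        score += 25
    return score


def decide(ctx: TxContext) -> str:
    """Return ALLOW, STEP_UP or DENY for the transaction."""
    # Hard stops first: an unbound or tampered app never gets a risk-based pass.
    if not ctx.device_bound or not ctx.device_integrity_ok:
        return DENY
    score = risk_score(ctx)
    if score >= 70:
        return DENY
    if score >= 30:
        return STEP_UP  # e.g. biometric re-verification before the transfer
    return ALLOW
```

A routine payment from an enrolled, intact device passes silently; a first payment to a new payee from abroad triggers step-up; a copied app that cannot prove its device binding is refused regardless of score.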

Six - Secure Storage of Sensitive Data:

Ensure that personal or payment-sensitive data remains inaccessible to other software and does not leave the device. Protecting card identity, PIN, and CVV data from being read by the phone OS or by malicious apps prevents data breaches, especially if the device is lost, compromised, or jailbroken.

Seven - Ensure Compliance with PCI DSS and FINRA Regulations from Day One:

Adhere to the stringent security requirements for handling cardholder data set by PCI DSS and the rigorous standards for data security and customer privacy mandated by FINRA. These regulations reinforce the need for advanced security measures such as adaptive authentication and secure API management.

CONCLUSION

While the transition to consumer-driven, mobile-first banking is fraught with challenges, it also offers immense opportunities for innovation and growth. Leveraging adaptive authentication and data governance, and protecting app data in secure storage on the device, is crucial. So is adhering to established security standards such as those from OWASP, ENISA, PCI DSS, and FINRA.

Banks should mitigate the security and privacy risks of open banking by adopting a zero-trust posture backed by a clear security strategy. This approach not only protects sensitive data but also fosters a collaborative ecosystem in which banks and fintech companies can innovate securely. By embracing these strategies, banks can strengthen their security posture, build trust with their customers, and ultimately drive the success of open banking initiatives.

Cryptomathic's experience working with leading European banks puts us in prime position to help North American and Canadian banks capitalise on the opportunities presented by open banking, without having to worry about security and regulatory compliance.
