Mitigating Security Risks in the Mobile Banking Era

Over recent years, the adoption of mobile banking has led to significant and transformative changes within the global financial services industry. In the post pandemic era there has been a ~70% increase in customers using digital banking channels, propelling the global mobile banking market from $692.5 million in 2021 to an anticipated $1.3 billion by 2028.

The growing adoption from customers is attributed to the easy access to banking services and banking providers, combined with having more control over their money. Customers can now make financial decisions faster and therefore rely on digital channels for their daily financial needs.

For example, Revolut customers can set transaction limits and automatically round up transactions to save leftover change. For example, if a customer spends £3.60 on a coffee, the bank will round up the amount to £4.00 and place £0.40 in a chosen savings pot. Customers are, therefore, able to reach their saving goals faster. On the other hand, Barclays customers can use their banking app to block transactions from certain specified merchants, providing added control to customers with a gambling addiction.

Whilst the majority of press concerning app-based banking has been positive, it is important to recognise there are several cases where consumers have lost faith in their mobile banking providers or are reluctant to use their service.

As the use of these channels increases, so does the number of fraud related incidents. Since 2020, about one in every 20 fraud attacks is associated with a mobile banking app.

With technology providing us no limit to what we can achieve, hackers are becoming more sophisticated and cyberattacks smarter. A slight misstep in taking the right security measures can cause huge repercussions to a bank’s reputation. In 2021, personal details of Chase bank customers including statements, transaction list, names and account numbers were exposed to other Chase banking members due to a technical bug on the online banking app. Chase immediately wrote letters to the impacted customers, asking them to take certain safeguarding measures against potential fraud.

In fact, The UK Finance Annual Fraud Report 2022 uncovered approximately 12,000 cases of fraud specific to mobile banking apps. A total of £29.6 million of attempted fraud was stopped from robust banking security systems that were implemented.  

Now more than ever, Financial Institutions (Fis) need to strengthen their security measures and position themselves strongly against such risks by adopting best practices:

1. Understanding your mobile banking application and its limitations

Banks must possess a thorough understanding the technical and operational security of their app. Performing test controls and due diligence processes can uncover any potential risks and issues inherent within the app’s framework. Third party experts like Woodhurst can support technical assessments, third party assessments, a thorough review of industry best practice, regulatory compliance, training and awareness, or general strategic guidance.

Customer satisfaction surveys are also a great way to understand how comfortable the consumers of the app feel with the way that their data and finances are being handled. Surveys can provide an opportunity for customers to flag any unusual phishing behaviour they may have noticed recently.

Taking a step in this direction is necessary. Blindly following and implementing security measures that have been implemented by a competitor could not only cost an FI time and money but could also introduce further vulnerabilities within their banking app.  

For example, an outcome of an initial assessment could be that the application possesses weak authentication methods. A potential solution could be for the FI to partner with a third party fintech to implement multi factor or biometric authentication. If the FI is not able to do this, then at minimum they must create stronger password policies or implement other measures to combat current challenges such as Authorised Push Payment fraud or to conform with protective controls such as Confirmation of Payee.

Taking any step is better than not reacting at all. Keeping user privacy and data protection intact is of upmost importance and while competitor analysis can provide valuable insights, the bank’s security strategy should be tailored to its unique offerings, user base, and risk profile.

2. Forming partnerships with the right technology vendors

To mitigate the possibility of fraud related incidents, FIs are forging strategic partnerships with innovative fintechs to embed security measures within their mobile banking applications. These collaborations represent a proactive approach towards safeguarding user data and mitigating potential risks, leveraging the strengths of both entities.

Keyless offers a cost effective passwordless authentication solution from just one selfie, limiting any phishing or hacking possibilities as there is nothing to remember or steal. The fintech has enabled multiple banks to become PSD compliant. The enhanced security provides huge confidence within its customer base and an improved user experience overall. Complycube, on the other hand, provides robust biometric checks to ensure that customer activities, such as payments and verification documents, are genuine. This enables rapid onboarding of new customers and limits any chance of identity fraud.  

Fintechs bring agile technologies and specialised expertise that FIs can benefit from. Their innovative solutions, often built on advanced algorithms and advanced encryption techniques, offer FIs access to state-of-the-art security frameworks.

The benefits are huge but to ensure a successful collaboration, due diligence activities are important, for several reasons. They highlight any potential compatibility or regulatory concerns, scalability or reliability concerns, helps understand data ownership and also provides a clear overview of end-to-end user experience.

A successful partnership revolves around a shared goal of improving security while fostering innovation. The partnership must enable the FI to adapt swiftly to evolving threats, deploy security measures and instil trust amongst users.

3. Having security and fraud management teams in place  

Customers expect to receive a trustworthy and painless experience when interacting with their mobile banking app. Many FIs have set up dedicated security and fraud management teams to help mitigate security risks within this area.

The primary role for this team is to safeguard the financial and personal information of customers. Their role involves monitoring security controls to ensure that they continue to prevent any unauthorised access to customer data. These teams would also ensure that the measures in place are in line with the Data Privacy regulations such as GDPR.

In the event of a data breach, these teams would monitor and manage that particular ‘incident’ from end to end, and implement further measures based on learnings to ensure a similar incident does not occur in the future.

Customer education on the security measures available is a priority. If customers understand how to identify a threat, the fraud preventative measures they should take and who to reach out to for further support, the chances of falling victim to these reduce by a significant margin. It also enhances the trust between both the FI and the customer. Receiving feedback or notifications from the consumer on a potential threat they may have seen, can be a huge help in mitigating some of the biggest threats possible on banking applications. Many banking apps now allow users to report suspicious behaviour directly, and Monzo, as an example, has a 24/7 call centre to quickly resolve data concerns or fraudulent activity.

As customers continue to embrace mobile banking apps for a secure banking experience at their fingertips, the risks and issues arising from fraud and data breaches increases. If an FI falls victim to this, the consequences are not just limited to loss of customer financials or data breaches. The real loss is the damage to reputation, loss of customer faith and the potential regulatory issues they can find themselves caught in. Financial Services providers must prioritise implementing the right data security measures for them, understand any additional protective steps they can take and regularly educate their customers on fraud prevention measures.

Adopting these practices is crucial to remain competitive in the evolving landscape of mobile banking.