The rise of mobile payments and the rapid growth of new nonbank competitors have provided consumers with an abundance of banking alternatives.
Internet companies such as PayPal have been gaining in popularity as convenient, secure channels for executing monetary transactions. At the same time, the telecom industry has ventured into the payments space, enabling users to make payments through text messages and other means. The East African region is leading the world on this front, taking the concept of mobile payments to a new level.
As expected, the explosion of mobile banking has ignited a race to develop mobile banking applications, in response to increasing customer demand for service anywhere and anytime. In our region, mobile banking is most often performed through Short Message Service (SMS) or the mobile web. Elsewhere around the world and progressively in our region, Apple’s iPhone and iPad, Google’s Android operating system and Research In Motion’s (RIM) BlackBerry have collectively transformed the ways in which consumers interact with their mobile devices. Mobile banking is now largely transacted using special client programs called applications, or “apps,” which are downloaded to mobile devices.
PwC surveys and other publications in several markets, however, indicate that in many banks the design and implementation of sound security measures have failed to keep pace. Yet banks are at a turning point where it is more likely than ever before that a security incident will cause customers to switch financial institutions. The proliferation of social media has taken word-of-mouth marketing to exponential levels. Customers are using this platform to actively spread the word in real time about their customer service experiences, and a minor security incident can become national news in a matter of minutes. This is no longer alien to us here in Rwanda. We have many social blogging sites where consumers are actively discussing their experiences.
As the impact from mobile application security breaches becomes ever more frightening for consumers, it can only be anticipated that regulators’ focus on data protection will intensify in the coming years. In other markets, regulators are already beginning to develop mobile application guidelines designed to require certain security thresholds to be implemented by banks. However, compliance with regulations alone may not provide sufficient protection against security breaches. Strong security measures are required.
When an institution’s application development lifecycle lacks sufficient security focus, both the institution and the customers who use its mobile banking applications are vulnerable. As with any information technology related development, this security focus should be driven by senior management, who should never allow the need for speed in rolling out a new mobile banking product to trump the need for data security.
The complex structure of financial institutions and the global, interconnected marketplace in which they operate make it difficult to effectively track and manage customer data as well as the criminals that infiltrate it. Compounding this difficulty, the use of third-party service providers makes traditional protection methods such as perimeter controls less effective, resulting in inadequate measures to protect sensitive data. Different providers may be regulated differently and use conflicting security controls and privacy policies to secure sensitive customer information.
There is therefore a need for senior non-IT management to appreciate the importance of security and to take the lead role in ensuring that it is integrated into the application development process for their mobile banking products. Appropriate security management requires a coordinated effort among corporate groups, with a focus on security, privacy, fraud prevention, and records management. The process also requires a high level of cooperation and understanding from the business units that own the data and the bank’s compliance department.
Samuel Kariuki is a Manager with PwC Rwanda