How tech-savvy babies expose banks to fraud

By Nancy Onyango

Kenya: As everywhere else in the world, the uptake and use of mobile and Internet banking in Kenya are rising. Players are scrambling to launch their services, seeking to differentiate themselves from their competitors.

But fast, modern, 21st Century mobile banking products create major risks for banks and users.

One of the most significant sources of risk to banks is users.

They expose banks to risks through device loss, poor password security, unprotected wi-fi network connections, weak utilisation of security features and even letting their tech-savvy children use their devices.

Banks need to work with their users to educate them and agree on ground rules while monitoring them without infringing on their privacy.

Traditional risk management and control frameworks like audit trails and paperwork are slow and outdated for the real world.

The “business unusual” risk environment we find ourselves in requires multiple layers of mobile banking security infrastructure. These layers include the mobile user interface, mobile network, the bank’s firewall and the mobile banking server that in turn talks to the core banking system’s server.

Each layer presents different vulnerabilities and risks, including server, vendor, transmission, mobile device and end user risks. Each layer could compromise all the others if it is not secure.

More and more banks depend on third parties for services related to their e-banking facilities, which increases their risk exposure while reducing their ability to fully control or mitigate those risks.

Boosting security

But however secure a system may be internally, it is important to work with external vendors and mobile service providers to ensure their security as well.

In managing enterprise-wide risks, banks are guided by management and other stakeholders on the risks from new product and service offerings.

However, the pace at which enterprise risk management frameworks are evolving or maturing is often slower than the pace of technological change. Many banks often find themselves exposed to risks without sufficient mitigation plans and controls in place.

Worryingly, banks may not have the skilled employees required to manage these risks, whereas fraudsters are often young, enthusiastic, extremely intelligent and agile in their approaches.

Fraudsters who once worked in isolation now tend to operate within established organised crime syndicates, with networks of “sleeper agents” embedded inside banks, sometimes for years. Organised crime targeted at banks is big business.

Many banks do not have much of a response to Internet and mobile risks and rely on their traditional IT, audit and business processes to respond (or not). Too many banks are still playing catch-up — and paying the price.

In themselves, mobile and Internet banking services do not expose banks to new risks, but they impact the profile of existing risks and accentuate those that any financial institution faces. The Board and senior management must be cognizant of these risks and deal with them appropriately.

Managing risks and implementing controls for mobile and Internet banking services should follow similar principles as other IT risk assurance processes, although the tools, skills and timing aspects of the processes may need to be revisited.

The greatest danger is to treat these risks as typical IT audit issues and perform checks periodically (such as annually) as part of a structured audit plan.

These risk areas should be audited continuously and proactively, with systems in place to generate alerts in the event of any anomalies and escalate them either during or soon after a transaction has been processed.

Another danger is to treat mobile and Internet banking risks as technical IT matters and leave them to IT management or security departments to manage. Generally, these are business management issues that require attention from senior management.

Impact on revenue

Although boards and management should have oversight of risks and controls frameworks, many of these individuals may lack risk expertise and will require outside counsel to explain or demonstrate exposure.

Boards and management need to appreciate their business case, risk exposure and impact on other revenue streams. Only then can they confirm if the accountability, policies and controls for which they have oversight are sufficiently robust to manage these risks.

The risks arising from mobile and Internet banking are not restricted to information security areas, but span across all areas of traditional banking as well.

All stakeholders have a role to play in helping to manage risks. By working together, they can help undermine the pervasiveness of globally organised fraudsters targeting banks and their customers.

Nancy Onyango is a partner with PwC Kenya.