As consumers use mobile apps more than ever since COVID-19 to manage payments and transactions, they continue to embrace Zelle, Venmo, Apple Pay and other fintech or mobile-based Peer-to-Peer (P2P) solutions. As the use of mobile financial applications has exploded, regulators around the world have issued guidance and regulation on how financial app makers need to increase consumer protections. In the US, FinCEN and the FFIEC have called out specific ways mobile financial applications need to be protected. We’ll discuss what these regulations are and how organizations can help ensure their financial apps are BSA compliant and pass FFIEC examinations.
Making Mobile Apps BSA Compliant
In its May 2019 guidance, FinCEN clarifies the regulatory treatment given to mobile wallets and applications. The financial services organizations creating P2P apps need to prove to FinCEN and other regulators that they comply with all Bank Secrecy Act and Anti-Money Laundering (BSA/AML) laws. The consequences of non-compliance can be costly, up to and including imprisonment.
Compliance with the BSA/AML requires organizations to complete four primary tasks:
- Maintain an adequate AML and Know Your Customer (KYC) program;
- File Currency Transaction Reports (“CTRs”) for transactions over $10,000;
- File Suspicious Activity Reports (“SARs”) when the organization “knows, suspects, or has reason to suspect that the transaction involves money laundering, is designed to evade the requirements of the BSA and”;
- Register with the Department of Treasury.
FFIEC Examinations and Mobile Apps
In the US, the FFIEC includes five banking regulators: the Federal Reserve Board of Governors (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). The FFIEC publishes the FFIEC IT Examination Handbook (IT Handbook) to provide guidance to examiners, financial institutions, and technology service providers on identifying and controlling the risks associated with retail payment systems and related banking activities.
In 2016, the FFIEC added a new appendix to its IT Examination Handbook specifically for mobile applications. In this appendix, mobile application risks are described as:
- Ability to download applications from application stores not authorized by the manufacturer, which may contain malicious code
- Distribution of malware through applications
- End user’s ability to gain root privileges (rooting) or remove the manufacturer’s device controls (jailbreaking), which may lead to the user downloading apps from untrusted sources and introducing malware onto the device in the process
- Personal information, including usernames, passwords and email addresses, stored in the clear
- Access to back-end databases using information gathered through mobile apps that have not been properly secured
Making Your Financial Apps BSA Compliant and Ready for FFIEC Examinations
With Appdome, financial organizations can build in security and fraud prevention as part of DevSecOps to comply with BSA and FFIEC regulations. As a result, organizations can release new Android and iOS apps with security built in on a regular basis. Through DevSecOps, organizations don’t have to make tradeoffs between releasing new features and implementing mobile app security. They can have both, because every group, whether development, operations or security, is coordinated in one continuous workflow. To help comply with BSA and prepare for FFIEC examinations:
- Appdome provides information on how fraudsters are committing fraud (e.g. the tools and methods they are using to commit fraud). This type of information is different from the indicators of transactional fraud typically reported in SARs. In addition to using Appdome to report on the tools fraudsters use to commit fraud, organizations can use Appdome to stop mobile fraud at the source. In this way, organizations can have a much greater impact on reducing fraud than by waiting until fraud has been committed and then addressing the financial and reputational damage already done.
- Appdome prevents anyone from copying an app, stealing IP, re-packaging, re-signing, and publishing alternative versions of Android & iOS apps, including on malicious app stores.
- Appdome prevents Android and iOS apps from becoming trojan apps or from being used to carry malicious code onto users’ mobile devices. Appdome prevents mobile apps from being weaponized to conduct attacks on other apps or users. Appdome prevents mobile malware from sneaking onto devices through clones, fakes, or mods (replicas of popular or useful apps with malware embedded inside). Appdome blocks malware methods such as dynamic instrumentation, method hooking, script injection, code injection and accessibility abuse from being used to modify or interfere with your mobile app.
- With Appdome, organizations can address the complexities of protecting against hackers who jailbreak or root devices in ways that other solutions don’t offer. Beyond simple jailbreak and root detection, Appdome provides different ways to respond, from having the app shut itself down to protect itself, to passing the event back to the app or to an external threat response system to enforce. Appdome gives developers the flexibility to enforce the corrective action that fits their specific use case or threat response model. Furthermore, with hackers ever evolving and attack surfaces ever expanding, addressing the threat from external forces can be daunting. Appdome has the expertise and focus on the latest and most advanced jailbreak and rooting methods, as well as jailbreak and root bypass and root hiding/cloaking methods, to protect apps now and in the future.
- Unlike SDK-based and manual encryption methods that only encrypt application sandbox data, Appdome encrypts both data stored in the sandbox AND data stored throughout the code. Without the data in the code, the app does not work. This data is stored in the app preferences, strings, resources and in-app secrets, strings.xml values, and Java class .dex files. It includes usernames, passwords, API keys, SSL certificates, server URLs and passwords, authentication tokens, client certificates, and more. Appdome dynamically encrypts all data generated and stored in the app at runtime using industry-standard AES-256 encryption.
- Appdome also prevents the abuse of services that may be used to obtain back-end information (SSL certificates, server addresses, API keys, usernames, passwords) that is then used to attack back-end servers. Appdome prevents abuse of AccessibilityServices, as well as abuse of app permissions that enable fraudsters to take control of devices or apps remotely, or to inject or alter touch events. Appdome prevents key injection by blocking several methods attackers use to inject keys or touch events (Appdome blocks keylogging and malicious keyboards, and also blocks the use of ADB to establish remote shell access to apps or devices).
With Appdome, organizations can automate the process of protecting apps from hackers. Instead of waiting until the end of app development, you can build mobile app security and fraud prevention into your apps at any time in your development process with a few simple clicks. No need to code. No SDK.