International minimum security guidelines
for mobile device banking applications
Produced by the ATM Industry Association
GeoBridge Consulting
1. Mobile phone banking is in a high-growth phase with at least 90
companies emerging in recent years offering banking and payment
applications for mobile phones.
2. It is estimated that as much as half of the world’s population may
now own a mobile phone. This is roughly twice the number of
credit card holders. About 80% of the US population is thought to
own a mobile phone.
3. The World Bank estimates that more than two-thirds of the world's
population live within range of a mobile phone network.
4. It is expected that around 2.3 trillion SMSs will be sent in 2008.
5. The mobile phone product market is very complex with some 1,500
different kinds of handsets available around the world, with over
450 different configurations, from different screen sizes to a variety
of operating systems (Symbian, Windows Mobile, Linux, Palm) and
6. Mobile phones tend to be replaced every 18 months, compared to
PCs being replaced on average every 42 months.
7. The following are examples of mobile phone banking applications:
− Balance enquiry/update
− Paying bills
− Purchase transaction (Point of Sale)
− Assisting cash withdrawals at an ATM
− Making changes to PINs over the mobile phone
8. Today, there is a significant and real threat to all financial services
delivery channels, including mobile phones, from organized
criminal activity and insider fraud. There is also a marked increase
in identity fraud, fraud in financial transactions and theft of
9. The rate of loss of mobile phones averages one every minute in the
10. Security best practices recommend measures to protect the
business lifecycle of the mobile phone as a new self-service banking
device while striving to balance security and convenience. It is
imperative to protect the whole mobile channel.
11. The essence of security is maintaining the trust of customers
through continued safe usage to create a Trusted Environment for
12. The mobile phone has been very successfully used as an
authentication tool for online banking, through a confirming SMS
sent by the bank to the customer during online transactions. The
confirming SMS should state what is being confirmed (payee and
amount), so that the customer can recognise a transaction that was
altered before it reached the bank. SMS is a second channel rather
than a tamper-proof one: messages can be redirected (for example by
fraudulent SIM replacement) or read by malware on the handset, so
the confirmation should never be the only control on a high-value
transaction.
13. On-going risk assessments and hardening the chosen targets of
criminal action remain universal principles of security, as does
collaboration of the industry and law enforcement in crime
14. The terms of reference for drafting these best practices were to
cover the following topics:
− Enrollment, registration, and customer access to banking on
− Security and privacy of customer details/data
− Customer education on the mobile phone as an instrument of
− Dealing with lost or stolen mobile phones/devices
− Security of software and transmission to financial services
device (e.g. ATM)
− Defining security lifecycle for mobile phone banking
− Linking in to card fraud prevention for chipped SIM cards
− Defining strengths and vulnerabilities of each mobile phone
15. There are four channels on the mobile phone:
− Text Messaging (SMS)
− USSD Messaging
− IP Data Services
It is important from the outset to use the right channels for the
right kind of financial transaction. For example, standard SMS has
no end-to-end encryption: at best it is protected on the radio link,
and it is handled and stored in clear text by the operator. Text
should therefore only be used for payment purposes if the
application itself encrypts the message content.
16. The security lifecycle of the mobile phone as a banking device
includes the following phases: end-user security, the physical
security of the phone, the security of the account, the security of
the phone’s software and its SIM card, security of customer
authentication, transaction security and the security of wireless
connectivity to the banking network systems.
17. Customer education on mobile phone banking should focus on two
− Level of customer understanding
− Level of customer confidence, including perception of device
18. Customers can take three basic steps to increase mobile phone
− The owner of the SIM can prevent unauthorized usage of the
SIM, by using a PIN to manage access to it when the device is
− Key-pad lock – most devices can be setup to automatically lock
the keypad after a predefined time so that the user will need to
enter a PIN to unlock the keypad
− PIN management: (a) customers should be taught never to
store confidential information (i.e. PIN) on the device and never
to divulge their PIN to anyone and (b) customers should be
taught to change their PIN regularly
19. When customers register for mobile phone banking or open an
account for this purpose, everything needed for further registration
and authentication should be captured. In addition, the customer
should be educated there and then about the solution and its
20. It is essential to take privacy laws into account when using
location based services (LBS) on the mobile phone. Customers
must consent during registration processes to permit the bank or
card issuer to use the customer’s location information as a security
feature (for example, red-flagging a transaction initiated at a
location the customer could not plausibly have reached, in the time
elapsed, from the location of his/her recent previous transactions).
21. The transactional options and functionality provided to the mobile
phone banking customer should be matched with the appropriate
level of secure authentication in a “tiered” approach.
22. Unique information about the customer’s handset (IMEI) and SIM
card (IMSI) may be used as a second factor authentication
mechanism. This will create confidence that the customer is using
his/her device/SIM (something they have), and their PIN
(something they know). Both values are identifiers rather than
secrets: the IMEI is printed on the handset and readable by software,
and either value can be spoofed or cloned. Treat the pair as a weak
possession factor, bind it to the customer record on the server side
rather than trusting it from the client, and never let it stand alone
for a payment.
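Items 21 and 22 together, as an added example of what a tiered authorization check might look like (illustrative code, not from the guidelines or any vendor). The tier model is an assumption: tier 1 needs only the enrolled handset/SIM pair, tier 2 adds the PIN, and tier 3 (PIN changes and high-value transactions) also needs an out-of-band confirmation such as the SMS of item 12. The PIN is stored as a salted PBKDF2 hash, the IMEI/IMSI pair is stored only as a keyed digest under a server key, comparisons are constant-time, and repeated PIN failures lock the account to stop online guessing. The identifiers, the 500-unit high-value threshold and the server key are placeholders.

```python
"""Tiered authorization with a PIN and a server-side device binding (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption: in production this key lives in an HSM, never in source control.
SERVER_BINDING_KEY = b"\x00" * 32   # placeholder for the offline demo only
PBKDF2_ITERATIONS = 100_000
MAX_PIN_FAILURES = 3
HIGH_VALUE_THRESHOLD = 500.0        # assumption: amount from which tier 3 applies

# Assumed tier model: 1 = bound device, 2 = device + PIN,
# 3 = device + PIN + out-of-band confirmation.
BASE_TIER = {"balance_enquiry": 1, "bill_payment": 2, "pos_purchase": 2,
             "atm_withdrawal": 2, "pin_change": 3}


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen database does not yield PINs directly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


def device_tag(imei: str, imsi: str) -> bytes:
    """Keyed digest of the handset/SIM pair; the raw identifiers are not stored."""
    return hmac.new(SERVER_BINDING_KEY, f"{imei}|{imsi}".encode(), hashlib.sha256).digest()


@dataclass
class Enrollment:
    salt: bytes
    pin_hash: bytes
    device_tag: bytes
    pin_failures: int = 0
    locked: bool = False


def enroll(pin: str, imei: str, imsi: str) -> Enrollment:
    """Capture at registration everything later authentication will need."""
    salt = os.urandom(16)
    return Enrollment(salt, hash_pin(pin, salt), device_tag(imei, imsi))


def required_tier(txn_type: str, amount: float = 0.0) -> int:
    tier = BASE_TIER[txn_type]
    if amount >= HIGH_VALUE_THRESHOLD:
        tier = max(tier, 3)
    return tier


def authorize(enr, txn_type, amount, imei, imsi, pin=None, otp_verified=False):
    """Return (allowed, reason); factors are checked cheapest first."""
    if enr.locked:
        return False, "account_locked"
    tier = required_tier(txn_type, amount)
    # Every tier: the request must come from the enrolled handset/SIM pair.
    if not hmac.compare_digest(device_tag(imei, imsi), enr.device_tag):
        return False, "unknown_device"
    if tier >= 2:
        if pin is None:
            return False, "pin_required"
        if not hmac.compare_digest(hash_pin(pin, enr.salt), enr.pin_hash):
            enr.pin_failures += 1
            if enr.pin_failures >= MAX_PIN_FAILURES:
                enr.locked = True          # stops online PIN guessing
                return False, "account_locked"
            return False, "bad_pin"
        enr.pin_failures = 0
    if tier >= 3 and not otp_verified:
        return False, "confirmation_required"
    return True, f"tier{tier}"


if __name__ == "__main__":
    # Constructed identifiers; they do not belong to real devices.
    imei, imsi = "490154203237518", "310150123456789"
    e = enroll("4821", imei, imsi)
    print(authorize(e, "balance_enquiry", 0, imei, imsi))
    print(authorize(e, "bill_payment", 50, imei, imsi, pin="4821"))
    print(authorize(e, "pos_purchase", 900, imei, imsi, pin="4821"))
    print(authorize(e, "bill_payment", 50, imei, "000000000000000", pin="4821"))
```

The reason strings are for the application's own logic and logging; the customer-facing message should not distinguish "unknown_device" from "bad_pin", or an attacker learns which factor they have right.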
23. The ideal is for the banking application to be deployed on the
mobile phone as a browser-based, secure, HTTPS-enabled
application or as an application using an encrypted channel. PPTP
(Point to Point Tunneling Protocol) is named here as the baseline
("equivalent or higher"), but its MS-CHAPv2 authentication has since
been shown to be cryptographically broken, so PPTP should not be
relied on; TLS, as used by HTTPS, with current cipher suites is the
minimum.
24. Voice biometrics offers the potential for secure, non-threatening
authentication of mobile phone banking and payment transactions.
25. Most regulatory guidance requires financial institutions to manage
their service providers in accordance with these regulations. Both
financial institutions and the providers of mobile phone banking
services must comply with the regulations.
26. There are currently no defining international regulatory standards
for mobile banking, but a range of guideline documents have been
issued by various international associations or groups.
27. Compliance with these types of regulations as well as adopting best
practices for protecting non-public personal information should be
integrated into daily operations. In addition to policy and
procedures, an organization needs to develop compliance
monitoring and oversight processes including the ability to report
compliance for each of the requirements.
28. Banks offering mobile banking generally view delivery of banking
services over a mobile phone as an alternate delivery channel for
existing banking customers. This model is used within the existing
regulatory framework covering banking transactions. However, if a
bank offers mobile banking using an agent network and not just
utilizing the existing bank branch infrastructure, different
regulations will apply.
29. Know your customer (KYC) requirements form an essential part of
a properly regulated mobile banking environment. Governments
have placed increasing attention on anti-money laundering and
combating the financing of terrorism (AML/CFT) initiatives.
30. In the case of non-banks offering mobile banking, customers do not
deal with a bank or have a bank account; instead, customers deal
with either mobile network operators or prepaid card issuers.
Generally, regulations to govern non-banks have not yet been
created, especially in developing countries where no set regulations
for e-money and stored value instruments have been created.
31. Mobile Banking overlaps with several regulatory domains; these
include banking, telecommunications, payment systems and anti-
money laundering agencies. Banking regulations cover multiple
categories of risk that the regulators seek to mitigate; these
categories include credit risk, operational risk, legal risk, liquidity
risk and reputational risk.
32. The first step in adopting regulations and best practices is to
perform an organization risk assessment for each requirement
focused on the processes surrounding the mobile phone activity.
33. Once a risk assessment is completed, any gaps related to high risks
items need to be closed first. Then gaps for lesser risk items need
to be closed until each one is adequately addressed, based on the
business risk appetite. Specifically, companies need to focus their
efforts in a number of areas, including:
− Assessment—Measure the current risk. Procedures must be
implemented to assess and monitor the applicable regulation
− Strengthen Governance—Create policies. Information
Technology must confer with business management to
understand what regulations apply to particular mobile phone
banking processes and data.
− Strengthen Controls—Develop procedures. At a minimum,
procedures should include a breach incident response program,
protection of non-public personal information at all times, and
security of the information technology network.
− Enforcement—Assign ownership/accountability for
compliance programs. Having policies and procedures in place
are effective only if they are followed. Ownership and
accountability for the various compliance programs (policy and
procedures) should be clearly defined and in a position of
authority to implement/enforce the rules throughout the
− Continuous Monitoring—Continuously monitor and assess
risk. Ensure the proper management oversight structure is
established, with ongoing reporting of the program’s
effectiveness against the identified risks. In some cases, the
risk/reward identified may require re-evaluation of various
business activities, and an effective program allows such
activities to be modified while minimizing unnecessary disruption
of business.
34. Finally, it is recommended that these best practices be read in
conjunction with ANSI X9.49 which sets out security standards for
portable financial services devices.
Please note that this Executive Summary cannot replace reading the whole
manual. The summary is merely a guide as to the content and main
principles of mobile device banking best practices.