Reining In Mobile Data

Bank IT execs don't have to be control freaks to worry about the rapidly multiplying risks that result from the use of mobile devices outside the firewall by both executives and consumers.

"The mobile channel certainly presents a challenge to GRC [governance, risk and compliance] because one of the core elements of GRC is continuous monitoring. These new mobile platforms have various levels of support for monitoring, and some of them have very little capability to monitor," says Chenxi Wang, vp and principal analyst for Forrester Research.

There are emerging middleware options born from enterprise content management systems (ECM) for CIOs concerned about how to marry mobile activities to the institution's overall crime prevention, compliance and performance measurement operations. The technology is being developed during a time in which a substantial and growing percentage of financial transactions are happening on mobile devices, while sales, service and executive staffs increasingly use BlackBerrys and other handsets for sales and business purposes, in some cases using the mobile devices for non-bank-related personal activities that expose the bank to extra risk.

"People are doing things with the devices that institutions wouldn't let them do if they were hooked up to the PC environment," says Phil Blank, senior research analyst for security, risk and fraud at Javelin Strategy & Research.

That creates problems for not only regulatory compliance and audit trails, but also security. Julie Conroy McNelley, senior analyst at Aite, says that as use of mobile devices expands, there's a whole new venue for fraud. "In terms of locking down any of these devices, it's a problem for IT staff," she says. "The types of data that can be compromised is pretty broad."

Nara Bank has licensed an ECM suite from Laserfiche to manage workflow security, accuracy and compliance and to integrate mobile activity with the bank's core systems. The $3 billion-asset Los Angeles-based bank, which specializes in business banking, does not offer corporate mobile banking, but does outfit its internal staff with BlackBerrys for sales, marketing and general business purposes.

The institution is using ECM to link the flow of information resulting from mobile communication or transactions to various internal systems inside the bank, such as HR, risk management, security and CRM. That enables the bank to see who's accessing the information and how it's being used, track the flow of data into and through the enterprise, and perform analysis to ensure any transactions or communications are in compliance with any regulations that may be involved.

"One benefit of ECM is [technology] asset management, we're able to determine access to mobile devices and whether a new device needs to be activated," says Mona Chui, senior vice president and IT manager for Nara, who says other uses include accumulating data originating from mobile devices and electronically archiving it.

Tim Welsh, a senior consultant to Laserfiche, says most of the interest in Laserfiche has come from community banks and smaller institutions, as large banks tend to have their own ECM systems. Another small financial firm, Asset Dedication, has implemented an integrated platform using Laserfiche, SharePoint and iPads. The wealth management firm uses the platform to provide remote linkage for its small group of Bay Area staff, who can access and move documents that are updated with new transaction and market information that is routed internally by the ECM system.

In addition to Laserfiche, a few other mobile monitoring firms offer enterprise mobile GRC technology, such as Mobile Active Defense, a smartphone security firm which helps companies lock down the flow of communications and data to and between mobile devices; and SecurityMetrics, which offers mobile data security audits among its services.

"The mobile GRC industry is still pretty new," Forrester's Wang says, warning that banks should still tread carefully about getting too mobile too soon. "We get a lot of inquiries from firms that want to give their board members access to their board books on iPads, to avoid printing and carrying around lots of documents and folders," she says. "But I would think about the infrastructure involved in providing security for that. These books have a lot of confidential information."

This story has been reprinted with permission from Bank Technology News.
