FIs at a crossroads: Build or buy mobile payment apps?

by Rajesh Sharma, VP Mobile Banking & Payment Apps, Inside Secure

Commerce has evolved over the 10,000-plus-year history of society. The Internet age introduced online banking 20 years ago and now 80 percent of bank customers in the developed world are online.

In addition, in the span of the past four years or so, mobile banking has grown to 52 percent of smartphone owners. And now, mobile payment applications have taken the market by storm and are the hottest topic in commerce today.

Today, most banks and major card issuers are at a crossroads and asking themselves whether they should launch a standalone payment app or add mobile HCE payment capabilities to an existing bank-branded app. Although this integration might not mean instant success for mobile payments, it does offer some indication as to how mobile payments are evolving.

In the midst of all this mobile banking hoopla, some of the banks are contemplating whether they have to participate in third-party wallets such as Apple Pay, Android Pay, Samsung Pay and CurrentC.

Key factors for decision making

FIs must consider several key factors before deciding whether to participate in third-party wallets, build their own standalone HCE payment app, or even develop their own wallet app. These include security, trust, privacy, innovation and consumer relationship.

Mobile banking serves three major functions: informational, transactional and marketing. Informational functions include balance and transaction history and ATM and branch locations. Transactional functions include bill pay, peer-to-peer payments, amount transfers and remote deposits. Marketing functions include consumer retention and acquisition tools such as new product introductions, consumer service, help information and alerts.

Similarly, mobile payments serve two major functions: online or in-app payments and in-store payments. Online or in-app payments correspond to digital purchases on mobile devices, which in most cases are part of payment options embedded inside the retailer apps.

In-store payments cover payments made in physical stores using NFC built into the phone, HCE, or a similar technology used by Android Pay. This article will focus on the in-store and in-app features of mobile payment apps, where credentials are stored on the mobile device itself and need to be secured.

The very personal nature of mobile devices and the “always on” aspect of consumer use make mobile particularly appealing as a means to offer a new and broader range of services. Thus, expectations to enrich the experience of both mobile banking and mobile payments are higher than ever as more smartphones make their way into more hands.

Security issues

The recent Consumers and Mobile Financial Services 2015 survey published by the Federal Reserve reported that the majority of the nonusers of mobile banking or payments apps (62 percent and 59 percent, respectively) choose not to engage due to concerns about the security of the mobile technology.

And indeed, analysis of top mobile banking apps for iOS and Android devices worldwide has revealed that most apps are vulnerable to various attacks and subsequently expose sensitive information. Researchers found that all tested apps could be installed and run on compromised devices, which heightens the security risk in itself, as these hacks circumvent device-provided protections and enable malicious apps to access sensitive information within apps that are protected on noncompromised devices.

Based on the various market reports, we have every reason to believe that hackers increasingly are directing resources to attack mobile banking. We are about to see significant increases in the number and sophistication of attacks on mobile devices. Protecting mobile devices and transactions will be imperative for banks. Not only does this present a security issue, but it also touches on brand equity.

Thus, banks themselves need to ensure that their banking and payment app is secure enough — irrespective of mobile OS type or version — to protect sensitive consumer data as well as their own brand reputation. And this can be possible only when banks manage the security of their own app containing banking and payment credentials rather than relying on third-party wallet providers to protect consumer data.

In short, if a better and more secure option exists, then why trust the third-party wallet providers who might have issues protecting their own data?


Last year, a subcontractor working with the Merchant Customer Exchange on CurrentC was breached and email addresses of beta test subjects were compromised, though the company insists that many of these were “dummy” accounts.

While the CurrentC app itself wasn’t compromised nor was any sensitive bank account information lost, what if an actual data breach had occurred during the beta test in Columbus, Ohio? Consumers would panic and the incident might destroy the wallet’s brand, in addition to damaging the brand of any card provider associated with a compromised wallet.

When FIs decide to embed security technology to protect their mobile payment app, the same technology can be used to protect the mobile banking app as well, if integrated. This proposition makes an even stronger case for banks and card issuers to have their own secure, integrated mobile banking and payment app.

Privacy concerns

Privacy is another key concern, because some third-party wallet providers require transaction data for each consumer in order to calculate their cut. Banks are forced to share the transaction data of their customers, which can be used for other purposes by third-party wallet providers. This is one more reason why third-party wallet providers can act as “frenemies” of card issuers. Right now, most third-party wallet providers are new to the payments market and need banks to extend their reach.

This brings the discussion to another interesting area: the consumer relationship. If a bank owns the wallet, this expands its opportunity to offer services such as mobile coupons and incentives and to cross-sell other products. This isn’t possible with third-party wallets.

A direct consumer relationship also enables the FI to innovate around their own products to develop services that directly benefit their customers.


In today’s world, a digital wallet is a natural extension of the trusted relationship between customer and financial institution. Besides payments, the integrated wallet app can incorporate valuable features that help consumers to monitor their financial position through access to balance and transaction history, as well as to manage their spending by means of real-time notifications for all transactions and instant rewards redemption options. The integrated wallet app also offers a clear differentiating factor to leapfrog the competition.

As financial institutions reach this crossroad, it seems that the obvious, wise, and now realistic solution in terms of security is to build their own payment application.

Rajesh Sharma, based in San Jose, California, serves as VP Mobile Banking and Payment Apps at Inside Secure. Rajesh joined Inside in 2007 to manage the Technical & Professional Services group in the U.S. He also led product marketing activities of the Mobile Security Division, managing NFC, SE & HCE products. During this time, he has played an instrumental role in making Inside the leading provider of contactless payment chips (more than 250 million units) in the U.S. market.