Increasingly, millennials are utilizing digital channels for most of their banking needs. In fact, this trend is accelerating with adults of all ages on a worldwide basis. In 2015, 90 percent of adults in Norway were reported to be banking online. In the European Union, the number was 46 percent.1 In 2016, 58 percent of U.S. adults used a mobile device at least once a month to manage their bank accounts.2
Smartphones and tablets are the foundational tools for mobile banking. Banks must continuously improve their online and mobile applications in order to keep up with the rapid changes in technology and the demands of their customers. Banks must, therefore, invest in developing, maintaining, and improving their online and mobile presence in order to better serve their customers and maintain their market position. For example, Citi has made almost 85 percent of its services available via their mobile application and plans to increase its digital footprint to 100 percent by the end of 2017.3
Digital and online payment methods, including credit cards, Apple Pay and mobile applications such as Venmo (a free digital wallet that permits users to make and split payments with peers) are resulting in a diminished use of cash and check transactions. Experts have theorized that the bank branch and ATM will eventually become obsolete.4 With the rising cost per transaction at branches, combined with the improving quality of banking apps and other online tools, the customer is certainly not to blame for the decline of traditional banking methods. Banks are responding by creating mobile apps for their customers but may overlook certain risks.
One of the primary risks of online and mobile banking is cybersecurity. Mobile banking poses additional vulnerabilities because unsecured (or "open") Wi-Fi networks provide an opportunity for data theft. As a result, banks should encourage customers to manage their banking needs using secure or password-protected Wi-Fi networks. In addition, end users should always utilize their cellular provider's data connection when performing banking transactions from their mobile device when secure Wi-Fi is not available. Bank customers also should ensure that both their phone and mobile banking app are protected with strong passwords, or, if supported by their bank, fingerprint scanning (such as Apple Touch ID).
Recently, researchers have identified serious vulnerabilities in the means by which banks establish secure, encrypted connections between their servers and customers' mobile devices. Banks typically use complicated transport layer security (TLS) to secure online banking transactions. Although TLS has been successful with web browsers, developers of mobile applications for banking have been simplifying TLS, resulting in vulnerabilities which can invite cybersecurity breaches. In the beginning of 2017, a consulting firm found at least one security flaw in the banking applications used by 15 major North American financial institutions with TLS problems identified as a "recurring theme." Forty percent of the security issues were traced back to insecure communication, indicating that "security around the transfer of data across communication channels is a challenge for developers," who may be relying too much on secure end-user behavior and back-end server-side communications.5
As financial institutions increase their reliance on technology, they face a greater risk of cyberattacks, viruses and security breaches. Now is the time to implement cybersecurity measures — before a cyberattack occurs. Nick Graf, Consulting Director, CNA Information Security, provides additional techniques in his article Protecting Financial Institutions from a Cyberattack: What Steps Can You Take Today? to help reduce cybersecurity incident severity and frequency.
Title III of the Americans with Disabilities Act (ADA) requires public accommodations, such as banks, to make physical locations accessible to customers with disabilities. In response, bank branches provide ramps for customers in wheelchairs or with other mobility challenges, Braille signage for visitors who are visually impaired and in-person assistance for other needs. Similarly, should websites and mobile applications be accessible to persons with disabilities?
The answer depends upon whether a website or mobile application is considered a "public accommodation," and therefore, subject to the ADA accessibility requirements. To date, courts have not provided consistent guidance regarding whether a website or mobile application falls within the ADA's definition of a" public accommodation" — a concept traditionally associated with physical spaces, not virtual ones. Nevertheless, some courts have held that a website or mobile application that has a nexus to a physical location, such as a bank, is considered to be a "public accommodation."6
The U.S. Department of Justice (DOJ) has declared that websites and mobile applications are public accommodations and therefore must be accessible to individuals with disabilities. Notably, repeated delays by the DOJ in issuing website accessibility regulations under Title III of the ADA have only added to the confusion. However, the DOJ has stated that businesses should make their websites accessible, and has relied on a set of guidelines, known as the Web Content Accessibility Guidelines (WCAG) (available here), which were developed by the World Wide Web Consortium (W3C). Generally, The WCAG provide that all information and user interface components must permit anyone to access or use the content, regardless of any disability. W3C published a document entitled, "Mobile Accessibility: How WCAG 2.0 and other W3C/WAI Guidelines Apply to Mobile," which describes how the WCAG can be applied to mobile content and applications.7
Recent settlement agreements in accessibility cases provide some helpful guidance regarding the elements necessary to ensure website accessibility. Gil v. Winn Dixie Stores, Inc., Civil Action No. 16-23020-Civ-Scola, United States District Court, S.D. Florida, June 12, 2017,became the first trial regarding website accessibility and the ADA.8 The Florida federal district court ruled that the grocer violated Title III of the ADA because the plaintiff, who was blind, was unable to use the grocer's website to download coupons, order prescriptions and find store locations. The court referenced WCAG 2.0 AA as the standard for website accessibility. It also noted that the $250,000 to make the website accessible was not an "undue burden" in view of the cost to create the website and later make upgrades to the website, which cost approximately $7 million. In addition, the court held that the grocer also was responsible for the portions of the website that were operated by third party vendors, as the grocer must require their vendors that participate on their website to be accessible. In the Winn Dixie case, the federal district court also adopted the WCAG 2.0 as the accessibility standard — and required the grocer to implement an accessibility policy — to provide training to its employees and to conduct periodic accessibility tests.
In Farmer v. Sweetgreen, Inc., two blind individuals sued salad restaurant Sweetgreen, Inc., asserting that the company discriminated against them because the online portal and mobile app were not accessible to them, in violation of Title III of the ADA, the New York State Human Rights Law and the New York City Human Rights Law. The settlement required the company to improve accessibility to the portal and the app to conform, at a minimum, to the WCAG 2.0 Level A and AA Success Criteria and to maintain that conformity. The settlement also required the company to provide a link on its webpage for customers to provide feedback on accessibility, to attempt to remedy accessibility issues within 30 days of receipt, and, for a period of two years, provide web accessibility training to employees who write or develop code for, or publish content to, the website and mobile applications.
Many businesses, including banks, have received demand letters or have been served with lawsuits asserting that their websites and/or mobile applications violate the ADA because they are not accessible to individuals with disabilities. According to law firm Seyfarth Shaw, in 2016, more than 250 lawsuits were filed containing allegations that websites and mobile applications were not accessible to individuals with disabilities, in violation of the ADA.9 In addition to these lawsuits, hundreds of businesses have received demand letters asserting website inaccessibility claims.10
What should a bank do? The best and easiest way to ensure accessibility of a website or mobile application is to address accessibility issues during the creation of the website or mobile application. Considering accessibility at the outset is typically less expensive than trying to retrofit a website or mobile application after it has launched.
The various settlement agreements and injunctions in the website accessibility cases include some common provisions which offer some guidance for banks to take proactive steps to address this issue:
- Ensure that the website is accessible to disabled individuals by conforming to the WCAG 2.0 criteria, which provide guidance on website and mobile application accessibility and are considered the current de facto standard.
- Create a website accessibility policy and make it available to the public, preferably on the website or application, with an accessible means of submitting accessibility questions and comments.
- Provide accessibility training to employees who write or develop programs for, or code for or publish content to, the website or application.11
- Periodically test the website and applications to identify any accessibility problems.12
Failing to make a website or mobile application accessible to disabled individuals also becomes a lost business opportunity. Individuals with disabilities and the elderly represent a large and growing consumer group, with as many as 22 percent of Americans are classified as disabled.13 Thus, websites and mobile apps which are accessible to individuals with disabilities help to avoid litigation. Most importantly, accessibility is simply good business.
3 American Banker, Why Citi Puts a Premium on Mobile Users, (6/6/17), https://www.americanbanker.com/news/why-citi-puts-a-premium-on-mobile-users-satisfaction (last read on 6/8/17).
4 Business Insider. Feb. 7, 2017. BI Intelligence. Ahead of the Curve - The Digital Disruption of Retail Banking
5 American Banker, The Mobile App Security Hole that Should Keep Bankers Up at Night, (5/1/17) https://www.americanbanker.com/news/the-mobile-app-security-hole-that-should-keep-bankers-up-at-night (last viewed 6/6/17).
6 National Federation for the Blind v. Target, Inc., 452 F. Supp. 2d 946 (N.D. Cal. 2006).
9 Seyfarth Shaw, ADA Title III blog, 1/27/17, http://www.adatitleiii.com/2017/01/ada-title-iii-lawsuits-increase-by-37-percent-in-2016/, last viewed 6/5/2017.
10 Id. An Independent Community Bankers of America (ICBA) survey found that 19 percent of community banks had received a demand letter about ADA accessibility of the bank's website. http://www.lexology.com/library/detail.aspx?g=69ca3db2-684c-4a0b-bb92-f20bd4c8d307
11 There are many resources available to assist companies with accessibility, such as the ADA Guidance on Effective Communication, at http://www.ada.gov/effective-comm.htm, and Cornell University's Northeast ADA Center Website Accessibility Resources page, at http://www.northeastada.org/.
12 The WAVE Web Accessibility Evaluation Tool, is a free community service from WebAIM, available at http://wave.webaim.org/.
13 Thus, websites and mobile apps which are accessible to individuals with disabilities help to avoid litigation. Most importantly, accessibility is simply good business.