What Regulators Look for on Mobile That Most Financial Services Firms Miss
SEC, FINRA, and OCC examiners ask the same questions about mobile during every examination. Most firms are not prepared for them. Here is what they are looking for.
Financial services regulators have been asking the same questions about mobile for several years. Most firms are not prepared to answer them. Not because the questions are complex - they are not - but because the controls the questions require do not exist in most mobile environments.
The gap is not between firms that know the rules and firms that do not. Most compliance officers know the rules. The gap is between firms that have implemented the controls needed to demonstrate compliance during an examination and firms that have not.
Key findings
SEC, FINRA, and OCC mobile examination questions fall into four consistent categories: device inventory, communication archiving, data access controls, and incident response. Most firms can answer two of the four. Examiners are satisfied when firms can answer all four with evidence, not assertions.
The BYOD environment is the most common source of mobile compliance findings. Firms that have strong controls on corporate devices but no governance on personal devices used for work have a gap that is visible to any examiner who interviews employees.
The difference between a finding and a clean examination is almost always documentation. Examiners are not looking for perfection. They are looking for evidence that the firm knows what is happening on its mobile endpoints and has the controls to manage it.
What the examination covers
A mobile compliance examination at a regulated financial services firm touches four areas: device management (what devices are accessing corporate systems, under what controls, with what governance), communication retention (whether required business communications on mobile channels are being archived and retrievable), data access (whether sensitive data accessible on mobile devices is subject to appropriate access controls and can be remotely removed if a device is lost or compromised), and incident response (whether the firm has a written, tested procedure for a lost device, a compromised application, or an unauthorized data transfer from a mobile endpoint).
The examination is not a technical audit. Examiners are not reviewing code or infrastructure architecture. They are asking two questions: does the firm know what is happening on mobile, and can it demonstrate that what is happening meets the regulatory standard? The examination evaluates the answers to both.
Four things examiners always ask
"Can you provide a complete inventory of mobile devices that have accessed corporate systems in the last 12 months?"
This includes corporate-owned devices and personal devices used for work. The examiner wants a list - device type, user, enrollment status, security baseline at last check. If the firm does not have a mobile device management (MDM) or unified endpoint management (UEM) system that produces this list, the firm cannot answer the question with evidence. "We have a policy that requires enrollment" is not an answer.
"Where are business communications conducted on mobile, and how are they retained?"
The examiner is asking about text messages, messaging app communications, and email accessed on mobile devices. For registered firms under FINRA Rule 4511 and SEC Rule 17a-4, business communications must be retained regardless of channel. The examiner wants to see the archiving system, the channels it covers, and a demonstration that it is capturing mobile communications as they occur.
"What controls govern data on mobile devices, and what happens when a device is lost or an employee leaves?"
The answer requires a remote wipe capability for corporate data, a policy that defines what data can and cannot be accessed on mobile, and a record of the last time the capability was tested. Firms that have remote wipe for corporate-owned devices but not for work applications on personal devices have a partial answer.
"What is your incident response procedure for a mobile security event?"
A mobile security event includes a lost or stolen device, a compromised application, and an unauthorized data transfer from a mobile endpoint. The examiner wants a written procedure and evidence that it has been tested. "We would contact IT" is not a procedure.
What most firms cannot answer
The device inventory question is the most commonly failed. Most firms can provide a list of corporate-owned devices. Almost no firm can provide a complete list of personal devices that have accessed corporate systems, email, or communications in the last 12 months. Without a mobile application management (MAM) layer that requires enrollment for work application access, personal device inventory is a manual reconstruction from IT access logs - if those logs exist: every device identifier seen in the access logs for the period has to be joined against the enrollment records, and anything that does not match is an unenrolled device.
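The reconstruction from access logs described above, as an added example that is not from the original article. It joins constructed access log lines against a constructed UEM/MAM enrollment export on device identifier, keeps only the examiner's 12-month window, and flags devices that are not enrolled or whose last security check is older than an assumed 30-day tolerance. The column names, log format, field names and the 30-day threshold are assumptions; real exports and logs differ by product.

```python
import csv
from datetime import datetime, timedelta, timezone
from io import StringIO

# Constructed sample UEM/MAM enrollment export. Column names are assumptions;
# real exports differ by product.
ENROLLMENT_CSV = """\
device_id,user,ownership,enrollment_status,last_check
D-1001,alice,corporate,enrolled,2024-11-02T09:14:00Z
D-1002,bob,personal,enrolled,2024-09-01T17:45:00Z
D-1003,carol,corporate,retired,2024-03-15T08:00:00Z
"""

# Constructed access log lines (timestamp user device_id service). The
# format is an assumption; the point is the join on device_id.
ACCESS_LOG = """\
2024-11-05T08:01:12Z alice D-1001 mail
2024-11-05T08:03:44Z bob D-1002 chat
2024-11-06T12:30:00Z bob D-2044 mail
2024-11-06T12:31:10Z dave D-2045 mail
2023-09-01T10:00:00Z carol D-1003 mail
2024-11-06T12:32:00Z bob D-2044 chat
"""

NOW = datetime(2024, 11, 7, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
WINDOW = timedelta(days=365)                        # the examiner's 12-month lookback
STALE_CHECK = timedelta(days=30)                    # assumed tolerance for "last security check"


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_enrollment(csv_text):
    """Index the enrollment export by device_id, parsing the last check timestamp."""
    records = {}
    for row in csv.DictReader(StringIO(csv_text)):
        row["last_check"] = parse_ts(row["last_check"])
        records[row["device_id"]] = row
    return records


def build_inventory(access_log, enrollment, now=NOW, window=WINDOW, stale=STALE_CHECK):
    """Every device seen in the access log inside the window, joined to enrollment."""
    cutoff = now - window
    seen = {}
    for line in access_log.splitlines():
        if not line.strip():
            continue
        ts_text, user, device_id, service = line.split()
        ts = parse_ts(ts_text)
        if ts < cutoff:
            continue  # outside the 12-month window the examiner asked about
        entry = seen.setdefault(device_id, {"users": set(), "services": set(), "last_seen": ts})
        entry["users"].add(user)
        entry["services"].add(service)
        entry["last_seen"] = max(entry["last_seen"], ts)

    inventory = []
    for device_id in sorted(seen):
        entry = seen[device_id]
        record = enrollment.get(device_id)
        status = record["enrollment_status"] if record else "UNENROLLED"
        ownership = record["ownership"] if record else "unknown"
        last_check = record["last_check"] if record else None
        findings = []
        if status != "enrolled":
            findings.append("not enrolled")  # the BYOD gap an examiner finds by interview
        if last_check is not None and now - last_check > stale:
            findings.append("stale security check")
        inventory.append({
            "device_id": device_id,
            "users": sorted(entry["users"]),
            "services": sorted(entry["services"]),
            "last_seen": entry["last_seen"],
            "ownership": ownership,
            "enrollment_status": status,
            "last_check": last_check,
            "findings": findings,
        })
    return inventory


def devices_with_findings(inventory):
    """The subset of the inventory that would become an examination finding."""
    return [d for d in inventory if d["findings"]]


if __name__ == "__main__":
    inv = build_inventory(ACCESS_LOG, load_enrollment(ENROLLMENT_CSV))
    for d in inv:
        print(d["device_id"], d["ownership"], d["enrollment_status"],
              ",".join(d["users"]), "; ".join(d["findings"]) or "ok")
```

On the constructed data, D-2044 and D-2045 appear in the access logs with no enrollment record at all, which is exactly the personal-device gap the examiner surfaces through employee interviews, and D-1003's only access falls outside the window and is dropped. The join is the easy part; the hard part in a real firm is that the access logs must exist and carry a stable device identifier for the whole period.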
The communication archiving question is the second most commonly failed. Firms typically have email archiving in place. Firms typically do not have archiving that covers text messages, iMessage, WhatsApp, or other messaging applications used on mobile devices. When the examiner asks whether a specific client communication from eight months ago exists in the archive, and the communication happened via text message on a personal device, it does not.
The BYOD blind spot
Every regulated financial services firm has employees using personal devices for work. This is not a policy failure - it is a reality. The question is whether the firm has governance over the work activity on those devices.
Most firms do not. A firm that has an MDM policy covering corporate devices but no MAM layer covering personal devices has a gap that an examiner will find. The typical discovery path: examiner interviews employees, an employee mentions using their personal phone to communicate with clients, examiner asks for those communications, compliance officer discovers they are not in the archive.
The fix is not to prohibit BYOD - that policy is unenforceable in most environments. The fix is to implement a mobile application management layer that governs work applications on personal devices without touching personal data, and that extends communication archiving to cover work applications on personal devices.
A firm that has implemented this can tell the examiner: personal devices are enrolled in our MAM layer as a condition of accessing work applications. Work communications on those devices go through our approved archiving channel. Here is the technical documentation and a sample archive record.
That answer closes the BYOD question.
What good looks like
A firm that can answer all four examination questions with evidence - not assertions, evidence - looks like this during an examination.
The compliance officer pulls a device inventory report from the UEM platform. It shows every device, corporate and personal, that has accessed corporate systems in the last 12 months, along with enrollment status and last security check. The report takes 30 seconds to generate.
The compliance officer pulls a communication archive search for a specific client account and date range. It returns all archived communications from that period across email and approved messaging channels, including mobile. The search takes under a minute.
The compliance officer describes the remote wipe procedure: corporate data on any enrolled device can be wiped within four hours of a reported loss. Personal data on the same device is not affected. The procedure was last tested in Q4 of the prior year. Here is the test log.
The compliance officer describes the mobile incident response procedure: there is a written runbook, there is a named owner, there are defined escalation paths. The procedure covers lost devices, compromised applications, and unauthorized data transfers. Here is the document.
None of this is technically complex to implement. All of it requires intentional deployment of the right tools and a record of how they have been used. The difference between a finding and a clean examination is almost always the second part: the record.
About the author
Anurag Rathod
Technical Lead, Wednesday Solutions
Anurag is a Technical Lead at Wednesday Solutions who specialises in React Native and enterprise AI enablement. He has shipped mobile platforms across logistics, container movement, gambling, esports, and martech, and brings compliance-ready, offline-first architecture to every engagement.