In the process of teaching them how to monitor their balances online, we ran into the oddest problem: we could install our bank's mobile app on each of their devices, and the eldest were able to log in without any issues. However, the younger ones got an error along the lines of "the service is not available" when trying to log in. After a few back-and-forth conversations with customer service, we ultimately discovered that the bank blocks access from the mobile app to the user account for any child under 13 years old. The reason is a federal regulation that took effect last summer.
So let me get this straight: a 12-year-old child may have a checking and savings account, checks, an ATM card, and may log in and manage their accounts through the browser-based web site, but not through the mobile app. They can use a browser that could be compromised, instead of a dedicated-purpose mobile app provided by the bank. They can use a browser that uses traditional username/password access instead of the mobile app that uses an added layer of "trusted security."
The specific regulation quoted by customer service was the Children's Internet Protection Act - an FCC regulation first enacted in December 2000 and updated in 2011. This act applies to schools and libraries and requires that they provide protection measures that block Internet access to inappropriate pictures. I suspect however that the service representative was mistaken and meant to say COPPA, the Children's Online Privacy Protection Act.
COPPA is intended to give parents control over the types of information that a website can collect from children. It was updated with new rules that took effect July 1, 2013. The absurdity of this situation though is that a child cannot open a bank account, nor setup online access, without the parent's explicit assistance, and the bank in question provides very strong parental control over dependent children's banking accounts as well as login accounts. The bank already met the requirements of COPPA through its own account management design.
So what is likely to happen? Since the mobile app is tied to a specific device, its use is a form of two-factor authentication, meaning even with a simpler password or PIN on the device, you still get relatively strong overall protection. Through this bank's interpretation of COPPA, some children are likely to use a relatively weak password in the browser, WITHOUT the second authentication factor. Yes, the browser login can be set up to require a code to be sent by text message, but that's less convenient. One of the truisms of security is, if you make security convenient, your audience will in general comply; if you make security inconvenient, the audience will find ways around it.
How long until a child's bank account is compromised because this bank prevents use of a secure and convenient means of managing bank accounts, in the name of protecting children? Oh the irony...
