Identity and access management — new challenges for the banking industry
Identity and access management (IAM) allows fine-grained control of user management processes. This is especially critical in the banking world, where access to IT that is not managed in a rational way can be a source of major operational risks, which translate directly into financial losses.
The new Basel capital accord introduced the notion of operational risk into the evaluation of the minimum capital solvency requirements for banks. Among the risk evaluation methods proposed by the accord, the advanced measurement approaches (AMA) authorize the financial institution itself to evaluate the operational risks linked to its activity.
To do this, the bank has to set up an operational risk management system and an entity responsible for installing and managing it. The operational risk internal management system relies in particular on the following data:
- Data on the losses actually experienced
- Data on the operational incidents liable to generate costs (loss data)
Correlation of these data produces regular reports, which contribute to evaluating minimum capital solvency requirements.
More than a regulatory requirement, the new accord must be seen as an opportunity to significantly improve identity and access management. Such an overhaul can generate considerable return on investment by improving the productivity of users and IT personnel. It can also allow you to easily deploy procedures that are critical in a banking environment, such as "de-provisioning" and role-based management.
Implementing an identity and access management solution
Setting up an identity and access management solution can offer significant advantages:
- Immediate reduction in operational risks, by reducing the possibility of data access loopholes
- Information accessible and auditable on (a) authorized or illicit accesses and (b) allocation of access rights. This information makes it easier for the entity concerned to measure the operational risks and can be directly used by the reporting tools already in place
- Possibility of immediate reaction when a source of operational risk is detected. These management tools have a centralized console for managing all access rights. After diagnosing a risk indicator, the detected loophole (typically an over-generous access rights policy or a rights allocation error) can thus be closed immediately
- Simplification of technical concepts. In an identity and access management solution, the technical IT aspects are masked to enable the users to concentrate on the allocation of access rights.
The table below gives a non-exhaustive summary of the roles that modules of an identity and access management solution can play in operational risk management. These modules can be deployed progressively.