Identity and Access Management (IAM) is a topic that is becoming increasingly relevant – we have already written numerous articles on the subject. For banks in particular, it is a highly promising topic. There are many reasons for this, which I will discuss in detail in this article – but I can already say that banks store highly sensitive data, which is why a suitable Identity and Access Management system is essential. Segregation of Duties (SoD) is also incredibly important – and this is where an IAM solution comes into play. Yet it is quite difficult to implement, especially for small banks. But first, let me discuss the importance of IAM for banks in general.
Improved Security through Segregation of Duties
Imagine the following scenario: several high-ranking employees of various financial institutions plan to use illegal means to influence an important interest rate in their favor. They hold secret meetings and agree to deliberately report false interest rates for their interbank transactions. As long as no one is checking on them, this should work, right?
Well, Segregation of Duties could have prevented this. Now imagine if both Mandatory Vacations and Job Rotations were enforced. This means that employees, especially highly active managers, must take the vacation they are entitled to several times a year. While they are doing this, Job Rotation takes effect: during this time, a manager from another functional area is given access to their colleague’s area through an IAM system to cover for them. Collusions like the one above would be easily uncovered in such a way. And in case you are wondering where this interesting example stems from – the manipulation of such an interest rate became known as the Libor Scandal in 2011.
As we have seen in this example, one task that an Identity and Access Management system can perform is the functional Segregation of Duties in IT systems. This way, abuses like the one above could be avoided, along with the resulting damage.
Company-wide guidelines and processes are extremely helpful in avoiding such abuses: a well-implemented IAM system provides employees only with the authorizations they really need to perform their jobs. This process is strongly related to the Need-to-Know principle, which states that only those authorizations should be assigned that are absolutely necessary to perform one’s own task.
For this purpose, banks can pose the following questions: Who is allowed to approve loans, who has access to which systems, and who can access which accounts? Issues such as sick leave substitutions, rights assignment, risk management and special approvals for certain accounts are also relevant here. User experience and compliance guidelines must not be forgotten either.
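As an added illustration of the SoD, need-to-know and job-rotation controls described above (example code written for this article, not from the original post or from any IAM product), the following Python model refuses any grant that would complete a toxic combination of duties and lets vacation cover expire on its own. The entitlement names, toxic pairs, users and dates are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed SoD policy: duties one person must never hold at the same time.
# Entitlement names are hypothetical; a bank derives them from its own role model.
TOXIC_PAIRS = {
    frozenset({"loan:approve", "loan:disburse"}),  # approve a credit and pay it out
    frozenset({"rate:submit", "rate:validate"}),   # report an interbank rate and check it
}

@dataclass
class Identity:
    user: str
    entitlements: set = field(default_factory=set)
    # Time-bounded cover during a colleague's vacation or sick leave: entitlement -> (covered colleague, last valid day)
    substitutions: dict = field(default_factory=dict)

    def effective(self, today: date) -> set:
        # Own entitlements plus substitutions that have not expired yet
        live = {e for e, (_, until) in self.substitutions.items() if today <= until}
        return self.entitlements | live

def sod_conflicts(entitlements: set) -> set:
    # Every toxic pair fully contained in the entitlement set
    return {pair for pair in TOXIC_PAIRS if pair <= entitlements}

def grant(identity, entitlement, today, covering_for=None, until=None):
    # Refuse any grant, permanent or temporary cover, that would complete a toxic pair
    if sod_conflicts(identity.effective(today) | {entitlement}):
        return False
    if covering_for is None:
        identity.entitlements.add(entitlement)
    else:  # job-rotation cover expires by itself, no manual revocation needed
        identity.substitutions[entitlement] = (covering_for, until)
    return True

def demo() -> dict:
    today = date(2024, 6, 3)  # constructed date
    alice = Identity("alice", {"loan:approve"})
    bob = Identity("bob", {"rate:submit"})
    # Bob covers Alice's loan approvals during her two weeks of mandatory vacation
    covered = grant(bob, "loan:approve", today, covering_for="alice", until=today + timedelta(days=14))
    # Refused: Bob would be able to validate his own rate reports
    refused = not grant(bob, "rate:validate", today)
    return {
        "cover_granted": covered,
        "bob_during_cover": sorted(bob.effective(today)),
        "bob_after_cover": sorted(bob.effective(today + timedelta(days=15))),
        "self_validation_refused": refused,
    }
```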
Improved User Experience
In this article, we’ve already covered how an IAM system can significantly improve the end-user experience. For example, IT administrators can set up a unique digital identity for internal employees, eliminating the need to manually manage all those accounts. This allows employees to be integrated into the daily workflow more quickly. An IAM system can also be helpful for bank customers when combined with a single sign-on implementation: This makes it easier for customers to log in, possibly also with so-called social logins, like verimi or yes.
Improved Adherence to Compliance Guidelines
Just like other companies, banks are subject to certain regulatory guidelines which they must follow. The basic components of compliance are regulated by the MaComp (Minimum Requirements for the Compliance Function). How exactly these guidelines are implemented is up to the respective credit institution, based on a risk profile derived from an analysis of its customers, products and business areas.
Certainly, an IAM solution can also cover part of this, for example by managing certain roles and access rights. This not only ensures that users only have access to the content and processes that are relevant to them, but also that the Segregation of Duties described above can be enforced. In addition, stronger authentication of users can be applied through such a system.
But What About the Small Banks?
Small banks are plagued by the same problems as large banks, including fraud prevention and risk assessment, but they usually lack the resources of their bigger counterparts. Banks with more than 1000 employees need a dedicated IAM system – financial institutions with only 200 employees also need this, even though they don’t earn any money with it. The same regulations must nevertheless be adhered to by smaller banks – to be able to implement this adequately, ready-made solutions are necessary. Industry standards must be created for this purpose so that the regulations, which also include compliance guidelines, can be adhered to while saving a reasonable amount of money and time.
Which Services Can I Use Here?
There are a few IAM vendors which offer features specifically tailored to the requirements of banks. In the European market, the Omada software is widely popular in the banking sphere, as it is perfectly tailored to the Identity Governance Processes of banks. It also provides a standardized process so that these requirements can be implemented more easily. And best of all, we work very closely with Omada and can therefore provide you with the best advice.
If you have further interest in this topic and require a consultant, we would be happy to work with you – we look forward to meeting you!