Financial organisations (FIs) throughout Europe face a complex regulatory landscape. And rightly so – it is vital for such organisations to take robust steps to protect their clients’ money and data, to engender a sense of trust and reliability, and to be able to accurately and comprehensively trace and analyse an incident should a data breach or fault occur.
However, achieving and maintaining regulatory compliance can be difficult. There are numerous different requirements to juggle, and compliance is not just about implementing the required tools and processes – it also about being able to clearly demonstrate the steps that you have taken to protect and manage data accordingly.
Financial organisations must combine these compliance demands with the requirement to deliver truly state-of-the-art digital services. These are not only expected by customers – they are also increasingly stipulated by regulators, as part of a drive to offer greater clarity and convenience to end users.
How, then, can financial organisations balance these contrasting challenges? How can they meet the strict requirements of multiple regulatory compliance frameworks with the necessity of delivering an enhanced user experience through next-generation digital services?
What do your compliance demands look like?
First, let’s take a closer look at the compliance demands facing most financial organisations. As a bare minimum, there’s the EU General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS 3.2.1) and the updated Payment Services Directive (PSD2) to consider.
The GDPR – as has been reported heavily over the past year – governs data consent and the protection of personal data, requiring financial organisations to, amongst other actions, properly protect personal data by design, and provide information on the data held by individuals should they make a data subject access request (DSAR). PCI DSS 3.2.1 safeguards payment data and PSD2 encourages banks to collaborate and share data with technology providers. All of these frameworks also require banks to ensure secure access to protected customer data.
Ultimately, then, the compliance demands facing financial institutions all circle back to data. How is it stored, and protected? How is it processed? How is it provided to customers if and when they request it?
The importance of access management
From there, we can start to see that a key component of juggling complex compliance requirements for financial institutions is managing access to data – both for staff, and for end users. A regulated approach to data access provides data security and protection, by restricting access to verified, authorised individuals, and it generates an audit trail regarding who has been accessing what information, therefore enabling financial organisations to demonstrate compliance to regulators as and when they need to.
Indeed, as financial institutions become increasingly complex in terms of their IT infrastructures, with services comprising multiple different applications, workloads migrated to the cloud, and data shared between the organisation and its vendors, intelligent and strategic data access management has become even more important.
Financial organisations have used two-factor or multi-factor authentication (MFA) to add an extra layer of security to customer’s accounts. They may, for example, require customers to enter elements of a second password or PIN code after their initial login credentials, or use a physical card reader to generate a one-time passcode each time the user attempts to login.
Whilst such authentication processes can be effective in verifying genuine users and managing access to sensitive data, they are only part of the picture when it comes to security. Each method, whether a fingerprint, device or code sent via SMS is required alongside login credentials, varies in the level of security provided. SMS codes, for example, can be intercepted and used to gain access to customer accounts.
Foregrounding customer experience
Still, multi-factor authentication is good practice, and it is a valuable place to start. In recent guidance on PSD2 compliance, multi-factor authentication is recommended as an answer to its requirement for strong customer authentication for electronic payments. Still, each additional factor can add friction to the user experience – and this is particularly unwelcome at a time when customers are fed up with the small print, industry-specific jargon and opaqueness associated with the finance industry.
This is why next-generation, integrated Identity and Access Management (IAM) services are so relevant for the financial services industry. They can enable additional factors to be verified without input from the customer, striking a careful balance between compliance and user experience.
IAM solutions can provide a leap forward in security compared with MFA alone. IAM solutions can add extra layers of verification beyond an initial username, but they able to take a wider scope to verifying users’ identity. Modern IAM solutions can consider dynamic factors such as where the user is located, the time of the request and whether the device they are using is recognised. This means that they can automatically verify access requests that are recognised as genuine based on previous activity, whilst demanding extra action from the user only when it is truly needed. Furthermore, IAM solutions feed this information into their algorithms every time, ensuring a genuinely proactive, intelligent and self-learning approach to access management.
In turn, this enables IAM solutions to offer a far smoother customer experience – seamlessly across multiple different devices – whilst keeping intruders out. Organisations deploying next-generation IAM can offer truly intelligent security to their customers, therefore demonstrating a responsible approach to data protection, whilst automating as much of that security as possible and therefore disrupting the customer journey as little as possible.
When it comes to compliance, then, next-generation IAM has a number of benefits. It demonstrates the privacy by design and proactive, constantly improving approach to data protection that is so important to many regulators. It prevents unauthorised access to sensitive data without negatively impacting on the customer journey and experience. It also helps to future-proof financial organisations in an era of rapid technological and regulatory change.
The compliance landscape is highly complex for financial organisations – and with good reason. Organisations which can cut through that complexity for their customers, offering a smooth and streamlined experience whilst also delivering robust data protection, are one step ahead. Next-generation IAM solutions are a key part of this picture.
About Marc Vanmaele
Marc Vanmaele is the CEO of TrustBuilder Corporation, a powerful Identity Hub. Prior to TrustBuilder, Vanmaele founded SecurIT, a market leading systems integrator in the identity and access management field. He has also worked with companies such as Management Software Benelux, Soft-Switch, Philips Telesoft International and Philips Data Systems.
About TrustBuilder
TrustBuilder is a European solution provider of a state-of-the-art Identity and Access Management (IAM) solution. Established in 2017 in Belgium, the company’s customers currently supervise more than 40.000.000 digital user identities.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now