Mirela Ciobanu
23 Apr 2026 / 8 Min Read
The Paypers sits down with MUFG’s Stephen “Hutch” Hutchinson to discuss why identity is now a critical infrastructure and its role in strengthening resilience in modern banking.
My career has largely focused on identity, security architecture, and operational resilience in complex organisations. Over time, I’ve worked across identity governance, security engineering, and enterprise architecture, helping institutions move beyond perimeter-centric security models toward architectures where identity plays a central role in trust decisions.
That perspective aligns closely with the mission of Mitsubishi UFJ Financial Group. Financial institutions operate some of the most critical digital infrastructure in the global economy, so security architecture must support both protection and continuity of service. My role focuses on designing identity-centric security models that help ensure the bank can operate securely even as threats and technology environments evolve.
Financial institutions have traditionally focused on protecting networks and infrastructure, but the reality of modern cyber risk is that identity has become the primary attack surface.
Security and resilience are now inseparable concepts for financial institutions. A modern bank cannot assume that incidents will never occur. Instead, the objective is to ensure that the organisation can continue operating safely even when systems are under pressure from cyber-attacks or operational disruptions.
That requires strong identity governance, consistent access controls, continuous monitoring, and well-rehearsed response processes. It also requires architectural visibility across hybrid environments where cloud services, legacy infrastructure, and third-party platforms interact.
Ultimately, resilience means designing systems so that disruptions can be detected quickly, contained effectively, and recovered from with minimal impact to customers or financial operations.
Many of today’s most impactful attacks target identity rather than infrastructure. Credentials, authentication flows, and privileged access have become the most efficient pathway for attackers to move through complex environments.
Common failure points include poorly governed privileged accounts, excessive access rights, fragmented identity systems, and limited visibility into how identities behave across different platforms. As organisations expand into cloud services and SaaS applications, inconsistencies in identity management can introduce additional risk.
The challenge is often one of scale. Large financial institutions manage millions of identity relationships across thousands of systems. Without strong governance and behavioural monitoring, detecting suspicious activity becomes extremely difficult.
A strong banking security architecture typically rests on several core principles.
First, identity must function as the control plane for access decisions. Authentication, authorisation, and identity lifecycle governance should consistently determine who can access systems and under what conditions.
Second, organisations need strong operational visibility. Security teams must be able to correlate identity activity, system behaviour, and security telemetry across the enterprise.
Third, resilience must be designed into the architecture itself. Critical systems should support redundancy, rapid recovery, and secure failover.
Finally, governance processes must connect technical controls with regulatory expectations and enterprise risk management. In financial services, security architecture ultimately supports institutional trust.
IAM and ITDR address two complementary aspects of identity security.
Identity and Access Management focuses on control. It governs how identities are created, how access is granted, and how authentication and authorisation policies are enforced across systems.
Identity Threat Detection and Response focuses on behaviour. It analyses authentication events, privilege use, and identity activity to detect anomalies that may indicate compromised credentials or misuse of access.
IAM defines how access should work, while ITDR helps organisations recognise when identity behaviour no longer matches that expected model.
For financial institutions, the real value comes when these capabilities are integrated. When detection systems identify abnormal identity behaviour, organisations can immediately trigger response actions such as access revocation, session termination, or step-up authentication.
One of the most important lessons is that resilience cannot be built in silos.
Fraud teams, security operations centres, identity governance teams, and compliance functions often analyse different signals that originate from the same underlying activity. When those signals remain disconnected, organisations lose valuable context.
Banks benefit from shared visibility across identity activity, transaction monitoring, and infrastructure telemetry. That allows risk indicators to be correlated more effectively and enables faster response when something unusual occurs.
Another important principle is recognising that identity infrastructure itself is critical infrastructure. Identity platforms determine how employees, systems, and partners interact with financial systems. Designing those systems with resilience, strong monitoring, and clear recovery processes is essential.
Every employee account, service identity, and privileged role represents a potential pathway through an organisation’s systems. For large banks operating across hybrid infrastructure and thousands of applications, managing that complexity requires more than traditional access controls.
Identity security is evolving rapidly, and EIC has always been an important forum for discussing how identity architecture is changing in response to both technical and regulatory developments.
One area I’m particularly interested in is the shift toward continuous authentication and authorisation. Traditional authentication models assume trust once a user has successfully logged in, but modern environments increasingly require ongoing evaluation of identity signals, device posture, and behavioural context to ensure access remains appropriate throughout a session.
Closely related to this is the work being done within the OpenID Foundation around shared identity signals. Initiatives such as the Continuous Access Evaluation Profile (CAEP) and other identity event frameworks enable organisations to share risk signals and security events in near real time. These capabilities have the potential to significantly improve how institutions detect identity compromise and respond to threats.
Finally, I expect continued discussion around operational resilience, particularly in the context of frameworks such as the EU’s Digital Operational Resilience Act. As identity becomes the foundation of modern security architecture, ensuring that identity systems themselves are resilient, observable, and capable of supporting secure recovery processes is becoming increasingly important.
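The IAM/ITDR interplay described earlier (a detection finding triggering session termination) and the CAEP shared-signal mechanism mentioned above, as an added example that is not from the interview, MUFG, or the OpenID Foundation: constructed authentication events are checked against an assumed IAM baseline, and a flagged session produces an unsigned CAEP session-revoked Security Event Token payload. The hostnames, event fields, and baseline are assumptions; signing and delivery of the SET are out of scope.

```python
import time
import uuid

# Real CAEP event-type URI for a revoked session (OpenID Shared Signals / CAEP).
CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"

# Constructed IAM baseline: the country each identity is expected to sign in from.
EXPECTED_COUNTRY = {"alice": "GB", "svc-payments": "JP"}

# Constructed authentication events, as an ITDR pipeline would consume them.
EVENTS = [
    {"sub": "alice", "country": "GB", "mfa": True, "privileged": False, "session_id": "s1"},
    {"sub": "alice", "country": "BR", "mfa": False, "privileged": True, "session_id": "s2"},
    {"sub": "svc-payments", "country": "JP", "mfa": True, "privileged": True, "session_id": "s3"},
]


def assess(event):
    """ITDR side: list the ways this event departs from the IAM-defined expectation."""
    reasons = []
    if event["country"] != EXPECTED_COUNTRY.get(event["sub"]):
        reasons.append("unexpected_location")
    if event["privileged"] and not event["mfa"]:
        reasons.append("privileged_without_mfa")
    return reasons


def session_revoked_set(event, reasons, issuer="https://idp.example.test"):
    """Build the unsigned CAEP session-revoked SET payload for a flagged session.

    Claim names follow SSF/CAEP (iss, jti, iat, aud, sub_id, events); a transmitter
    would sign this as a JWT before pushing it to receivers. Hostnames are assumed.
    """
    now = int(time.time())
    return {
        "iss": issuer,
        "jti": uuid.uuid4().hex,
        "iat": now,
        "aud": "https://sso.example.test",
        "sub_id": {"format": "opaque", "id": event["session_id"]},
        "events": {
            CAEP_SESSION_REVOKED: {
                "event_timestamp": now,
                "reason_admin": {"en": ", ".join(reasons)},
            }
        },
    }


def respond(events):
    """Run detection over all events; return one session-revoked SET per flagged session."""
    signals = []
    for event in events:
        reasons = assess(event)
        if reasons:
            signals.append(session_revoked_set(event, reasons))
    return signals
```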

Stephen “Hutch” Hutchinson is Director of Security Architecture at Mitsubishi UFJ Financial Group (MUFG). His work focuses on identity security, enterprise security architecture, and operational resilience within complex financial environments. He specialises in designing identity-centric security models that integrate governance, monitoring, and threat detection capabilities across hybrid infrastructure and cloud platforms, helping financial institutions strengthen their ability to detect and respond to identity-based threats.

Mitsubishi UFJ Financial Group (MUFG) is a global financial institution providing banking, investment, and financial services to corporate, institutional, and retail customers. Operating across international markets, the Bank supports large-scale financial infrastructure and digital banking platforms. Security, regulatory compliance, and operational resilience are central to its operations, ensuring customers and partners can rely on stable and secure financial services in an increasingly digital financial ecosystem.
The Paypers is a global hub for market insights, real-time news, expert interviews, and in-depth analyses and resources across payments, fintech, and the digital economy. We deliver reports, webinars, and commentary on key topics, including regulation, real-time payments, cross-border payments and ecommerce, digital identity, payment innovation and infrastructure, Open Banking, Embedded Finance, crypto, fraud and financial crime prevention, and more – all developed in collaboration with industry experts and leaders.