
Compliance-proof your identity and access management program

Keep your financial data safe and your company compliant 

Safeguarding the confidentiality of corporate information and customers’ personal financial data is more than a best practice. Worldwide, it’s something financial institutions are required to do. It’s a prerequisite to compliance with increasingly stringent legal requirements and industry-driven mandates. 

That’s because any lapse in security that allows cybercriminals to commit fraud or theft can devastate consumers and businesses alike. 

Specifically because the banking and financial services industry (BFSI) is custodian of the crucial financial and personal data of hundreds of millions of people, it is one of the most prized targets for cybercriminals. According to figures compiled by IBM Managed Security Services, the financial services sector moved from the third most-attacked industry in 2015 (behind healthcare and manufacturing) to the first in 2016.

This white paper provides BFSI security managers with guidance in understanding and complying with access management standards unique to this business sector, and explains how access management can ease regulatory compliance burdens. The paper also explains how security measures can be business enablers both internally (for employees and business partners) and externally (for current or prospective customers or clients) by providing user-centric authentication options that connect users smoothly to the data and services they need.

“Nearly three-quarters of CISOs we surveyed said that intrusions resulted in significant operational disruptions over the past two years.”

Access management as a modern legal and business necessity

For financial institutions, issues of access are paramount, especially in organizations spanning dozens of systems, thousands of employees, hundreds of thousands of customers and millions of stored records. In fact, attacks such as phishing aimed directly at users rather than at technology, along with the actions of inadvertent actors, such as employees who unknowingly opened the door to an attack through an innocent mistake, made up the bulk of attacks on the financial services industry in 2016.

This underscores the importance of identity and access management (IAM) in the security environment for any organization that manages customers’ money, or stewards valuable financial information such as insurance valuations or stock holdings. 

Consider that financial institutions’ point-of-sale systems have become one of the main targets of organized crime and cyber terrorists. Besides their business interest in protecting their own assets and reputation more generally, the BFSI sector is also held to finance-specific governmental regulations that reflect the value financial assets represent to the public. These include European Union (EU) requirements such as those found in the Revised Payment Services Directive (PSD2), as well as US laws such as the Sarbanes-Oxley Act (SOX) and industry-formulated data privacy schemes such as the Payment Card Industry Data Security Standard (PCI DSS).

Centralizing the identification of authorized users, and successfully managing each legitimate user’s access to computing or data resources (including personal information), are strongly related challenges. An infrastructure that includes IAM capabilities can help financial institutions deal with both of these business needs and decrease the complexity of managing security across systems and user populations.

The size of the IAM market in the banking, financial services and insurance industries was estimated at nearly USD 3 billion in 2016, with a projected compound annual growth rate of 8.7 percent through 2021.

Revised Payment Services Directive: High-impact API requirements

Adopted in October 2015 by the European Parliament to extend the Payment Service Directive of 2009, the Revised Payment Services Directive (PSD2) requires enterprises that do business in Europe (even if based elsewhere) to focus on standardizing, integrating and improving payment efficiency. PSD2 requirements, which become effective in 2018, are meant to protect consumers’ online payments, promote the development and use of new online and mobile payment systems, and reduce the risks of cross-border payment services.  

PSD2 affects many kinds of payment-industry participants. It requires account service providers to make certain kinds of account information available to registered third-party providers by means of application programming interfaces (APIs), and to allow those parties to initiate payments from a specified account. By mandating access to customer accounts, PSD2 expands the ways that non-traditional financial providers can provide consumers with financial services. PSD2 introduces guidelines for risk assessment and strong customer authentication (SCA) to ensure that requiring this level of openness from banks does not jeopardize consumers’ security or trust in the financial system. While PSD2 does not require a standardized API specification for these interactions, concurrent mandates such as the Open Banking initiative in the UK have arisen to define and support the development of standard APIs. The API requirements of PSD2 and Open Banking present opportunities to deliver value-added services to customers, but for every institution they present technical challenges, including:

  • Provisions for account-owner consent, allowing third-party providers to request account information and payment initiation services from account owners
  • The need to provide SCA and risk detection across channels and via third-party providers without compromising end-user experience and adversely impacting payment activity
  • Conflicts and lack of clarity around API specification and interoperability
  • A security-first approach with wide-ranging capability requirements encompassing authentication, confidentiality, fraud detection and adherence to regulatory technical standards
  • Monitoring service levels and performance to help ensure that APIs meet existing service level agreements (SLAs)

PSD2 is designed to protect consumers and promote innovative payment systems.

Sarbanes-Oxley Act: Financial record keeping and reporting

The Sarbanes-Oxley Act of 2002 (SOX) is a US federal law enacted in response to major corporate and accounting scandals in which corporate financial information was manipulated, withheld or misused. SOX mandates that covered corporations (including all US company boards, management and public accounting firms) ensure that their financial data is preserved uncorrupted for government auditors. Its provisions dictate that adequate controls be implemented, tested and documented for financial reporting and governance.

IAM can help organizations ensure compliance by limiting access to sensitive records; a solution with built-in reporting capabilities can make it easier to document user interactions with data.

A strong access management platform can help IT and security managers comply with the SOX mandate by:

  • Assigning and controlling user access rights
  • Enforcing segregation-of-duties policies
  • Adjusting access rights when job function changes, providing efficient, timely and secure role-based adjustments, and revoking user access upon termination, helping reduce the risk that formerly legitimate access will be turned into unauthorized use
  • Cost-efficiently managing details of user accounts (including identity, access and authorization) using centralized controls
  • Producing automated reports to meet SOX requirements for timely, complete and accurate compliance reports

SOX noncompliance can trigger criminal penalties, as well as civil penalties ranging as high as USD 15 million.

PCI DSS: Industry standards and best practices for card data

The Payment Card Industry Data Security Standard (PCI DSS) was first released in 2004 by a coalition of major credit card providers, with the goal of enhancing cardholders’ security and facilitating the adoption of consistent data security measures among these card issuers. The compliance details have evolved with a series of updates reflecting changing security risks and leaps in credit card technology, but the core principle has remained consistent: credit card issuers and merchants must minimize the risks to cardholder data by employing the best practices specified in the regularly updated standard, several of which have implications for access management. The practices outlined by the PCI DSS are backed by an incentive to comply: an entity that is compromised while it was not compliant is subject to fines.

The PCI DSS specifies 12 requirements for organizations that handle credit cards, such as assigning a unique ID to each person who has access to the credit processing system.


The costs of a data breach include customer turnover, customer acquisition activities, reputation losses and diminished goodwill.

Enable digital business with IAM solutions from IBM

An integrated approach to IAM and systems access isn’t just about regulatory compliance. An effective IAM approach can help organizations use security as a driver for business, giving users simple, flexible access to services, and helping assure that their information is secure. Innovations such as multi-factor authentication (MFA), federation and fraud protection can help financial institutions meet their access management challenges, while still delivering superlative user experiences. These three capabilities can be united with a well-implemented IAM solution such as IBM Security Access Manager. With a robust IAM system in place, your security team can implement:

  • MFA: To achieve greater security than is possible with a single password, MFA requires that authentication be based on more than one kind of security credential, such as physical tokens or biometric identifiers. With MFA, an intruder, even an insider, is unlikely to be able to replicate or possess the necessary identifiers. IBM Security Access Manager can be flexibly configured to use MFA. With the optional integration of IBM Verify mobile security software, IBM Security Access Manager can be a launching point for secure push notifications sent to users’ mobile devices.
  • Federation: Federation allows the task of authenticating users—with conventional login/password pairs or MFA—to unite divisions of your business (such as banking and insurance products), so logins can be securely shared between services, transparently to users.
  • Fraud protection: IBM Security Access Manager can integrate with the fraud detection features of IBM Trusteer® Fraud Protection Suite to spot both insider threats and outside attackers. With a tuned alert and response system, suspicious activity can trigger associated actions in IBM Security Access Manager, and these actions can be tiered for quick, unobtrusive response.

Users at risk: Keeper Security recently analyzed a set of 10 million compromised accounts and found that nearly 17% of accounts were guarded with the password “123456.”

For more information

To learn more about IBM Security solutions, including IBM Security Access Manager, please contact your IBM representative or IBM Business Partner, or visit: ibm.com/security

About IBM Security solutions

IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned X-Force research and development, provides security intelligence to help organizations holistically protect their people, infrastructures, data and applications, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. These solutions enable organizations to effectively manage risk and implement integrated security for mobile, cloud, social media and other enterprise business architectures. IBM operates one of the world’s broadest security research, development and delivery organizations, monitors 15 billion security events per day in more than 130 countries, and holds more than 3,000 security patents.

Additionally, IBM Global Financing provides numerous payment options to help you acquire the technology you need to grow your business. We provide full lifecycle management of IT products and services, from acquisition to disposition. For more information, visit: ibm.com/financing