As the ongoing effects of the Covid-19 pandemic continue to accelerate digital transformation, and tougher data security regulations put greater pressure on organisations, businesses in the financial services industry are quickly realising that user authentication goes beyond a simple username and password. This hub, in partnership with Okta, will explore the range of issues affecting IT leaders at various stages of their IAM journeys. Focusing on the fintech and financial services industries, it will delve into both the opportunities and the barriers when it comes to IAM adoption, what IT pros are doing to ensure ease of use, and how all of this can help them win over users. It will also ask how organisations can look beyond regulatory compliance and see IAM as an opportunity for innovation.
Why Identity and Access Management should be front and centre for financial services
Identity and Access Management (IAM) is a complex area. Businesses often have multiple IAM solutions in place and integrating these in a way that is easy to use, without compromising on security, can be a challenge.
Identity & Access Management (IAM) is an important part of how many of today’s organisations verify the identity of both employees and customers and ensure they have the appropriate level of access to the resources they need from within cloud and on-premises applications.
Reducing complexity in Identity & Access Management
The pandemic has seen unprecedented numbers of customers turn to digital banking, insurance, and payment services, via apps, mobile, and online portals. However, this was no overnight transformation, but an acceleration of financial services trends that predate the crisis.
Beyond compliance: How financial services are innovating through IAM
First introduced in 2018, Open Banking regulations have shaken up the financial services industry. Through open APIs, Open Banking grants third parties access to customer financial data, with permission, and has created opportunities for financial services organisations to develop new products.
Beyond compliance: The opportunities, challenges and future of Open Banking and Open Finance
The majority of organisations surveyed have some form of IAM – simply relying on passwords and default logins isn’t feasible beyond the smallest organisations, and every organisation taking part in this research employs in excess of 500 people. 57 per cent of them already have advanced IAM and/or CIAM (which focuses solely on customer access) in place or are mid-implementation. The majority are running more than one IAM solution. 31 per cent have two, and 25 per cent have three solutions. 17 per cent have four or more.
[Figure: What stage is your organisation at in implementing advanced identity and access management (IAM or CIAM) platforms? Categories: No plan, but interested; Planning; Incubating/trialling; Rolling out; Fully implemented]
[Figure: On a scale of 1 (not at all important) to 10 (extremely important), how important are the following use cases for IAM at your organisation?]
This graph shows that, whilst employee IAM remains the most popular use case, partner and customer use cases rank only marginally behind those focused on employees. This finding highlights the erosion of traditional corporate and vertical industry borders and their replacement with increasingly complex ecosystems of related businesses over which data is shared and potentially accessed by customers via single digital interfaces. The API economy is booming, and the proportions highly ranking both partner and customer use cases reflect this.
[Figure series: Internal identity and access management; Partner identity and access management; Customer identity and access management]
Certainly, one of the critical functions of IAM is to mitigate the risks inherent in allowing employees to access enterprise resources purely via passwords, risks which have grown along with digitisation, SaaS and hybrid architecture. The sheer number of applications people log into daily – each requiring its own credentials – has led in many cases to a degree of password fatigue. The result is distinctly suboptimal security practices such as using the same password across multiple applications and/or saving password lists on phones or laptops.
Cyber Security – A Perfect Storm
By far the biggest motivation for IAM was cyber security in general, with compliance ranking a little further behind.
Please rank these drivers for IAM in your organisation in order of importance
Cyber Security: score 506
Regulatory Compliance: score 374
Ease burden on IT: score 342
Competitive Advantage: score 226
Employees being lax about security practice is not new, and cyber security education within organisations has always been challenging. However, right now organisations are facing a particularly insidious set of cyber security problems that are intensifying the impact of password fatigue. According to research by Computing, over the last 18 months not only has the volume of threats been increasing, threat types have also been changing. Endpoint defences are being put under increasing pressure not just by the proliferating volume of endpoints themselves, but also by malware and ransomware that is evading more traditional defences. Ransomware is designed to move laterally and silently through networks, exfiltrating data and encrypting backups in order to maximise leverage for criminals and increase the chances of victims quietly paying up.
(Ranking scale: 1 = most important, 4 = least important)
88% of contributors to this research agreed strongly or very strongly that increasing security threat frequency and sophistication meant IAM is even more important at their organisation. They are right – IAM has a key role to play in the cyber wars.
[Figure: Which of these are the most challenging areas in the daily use of IAM solutions at your organisation? Categories: Integration; Privileged user management; Acceptance by staff; Identity management; Compliance/data protection; Costs; Internal skill sets; Operational technology; Monitoring; Self-service; Policies; Configuration; Architecture design; Deployment]
IAM Challenges
There is no single challenge that really stands out in the graph above in terms of how widely experienced it is, but there are two which polled noticeably more than others. The first of these is integration. The typical complexity of enterprise architectures means that integration is one of the most significant challenges that businesses face across the board. How do you integrate and secure access to on-premises applications, databases and workloads alongside enterprise cloud applications and SaaS applications? Standardisation remains an aspiration, and individual vendors often require their own systems for user authentication and management. When assessing IAM products and services, enterprises should look for one which is compatible with multiple integration technologies and can be managed from a single point. The goal should be to integrate new applications with SSO and user management capabilities without spending hours on configuration. This has the benefit of making employees more productive and cyber security and helpdesk teams happier as their call load reduces.
API tracking also constitutes part of the integration challenge. Centrally managed IAM should include the ability to control access to APIs if those APIs are not to become both a security and compliance risk.
Privileged user management was the second most frequently raised issue. Privileged Access Management (PAM) is a category of solutions in itself but in this context should be viewed as part of a wider IAM solution. Privileged accounts are often targeted by hackers precisely because it saves them the effort of having to penetrate enterprise defences, and of course the still wide scale of remote working has made it easier for criminals to socially engineer and credential phish their way into these accounts.
Interestingly, the third most widely raised challenge was acceptance by staff. Similar challenges apply to customers – we’ve already touched on the issue of password fatigue from both an employee and customer perspective and the many security vulnerabilities it creates. The banking sector is an excellent example of one that uses MFA for both employees and customers alike. However, demand for a frictionless user experience has been growing, as people in their capacity as employees and consumers rebel against all those bothersome passwords, hard tokens and cards. 85 per cent of the organisations we spoke with agreed to at least some extent that expectations for a frictionless user experience are higher than they were two years ago. What does frictionless access look like? It could be in the form of a SSO where employees have all of their applications stored on a desktop and they simply click and go. It could also be a one touch MFA solution such as fingerprint access to mobile phones or other wearables. It is a fairly widely accepted fact that passwords are inherently insecure as a means of access so jettisoning them from the authentication process entirely makes it no less secure – rather the opposite. The most comprehensive IAM solutions encompass passwordless authentication options such as email magic links. This goes more than a little way to resolving the employee buy in challenge.
Conclusions – Consolidate to Integrate
Our research paints a picture of widespread legacy IAM being in place alongside newer deployments designed to secure specific customer or partner access to applications.
The remote working and likely hybrid working future have exacerbated the challenges that security teams face. 74 per cent agreed to at least some extent that the pandemic had increased the need for capable IAM solutions at their organisation. Security teams are struggling under the weight of a shortage of staff and an excess of processes and tools to manage and some of these challenges relate directly to IAM. Security teams are struggling to integrate multiple IAM solutions into SaaS, cloud and legacy on-premises applications. PAM is a worry given the frequency with which these accounts are now being targeted and many organisations are struggling with user buy in for IAM.
[Figure categories: Suitable licensing models; Product roadmap and ongoing support; Technical support; Initial/ongoing costs; Absence of hidden costs; Focus on legal/fiscal compliance; Appropriate UK/EU focus; Sector-specific expertise; Investment in emerging technologies; Commercial flexibility/willingness to negotiate]
When assessing IAM vendors and solutions, enterprises should seek vendors offering open platforms and standards for other technology vendors – including public cloud vendors. This enables them to offer thousands of pre-built integrations from a single platform so that their customers can avoid reinventing the wheel every time they need to integrate new applications and systems. Not only does this bring IAM into line with flexible hybrid infrastructure, it also engenders the greater personalisation and reduced friction of user experience whilst reducing risk.
Okta is the leading independent identity provider. The Okta Identity Cloud enables organizations to securely connect the right people to the right technologies at the right time. With more than 6,500 pre-built integrations to applications and infrastructure providers, Okta provides simple and secure access to people and organizations everywhere, giving them the confidence to reach their full potential. More than 9,400 organizations, including JetBlue, Nordstrom, Siemens, Slack, T-Mobile, Takeda, Teach for America, and Twilio, trust Okta to help protect the identities of their workforces and customers.
About the sponsor
The illustration below shows us what the organisations involved in this research really value in an IAM solution. The most frequently mentioned factors such as suitability for hybrid environments, a seamless user experience and, above all, integration are all inextricably linked.
Combine this menacing threat landscape with often under-staffed cyber security teams and a surfeit of manual processes and tools for remediation and you have the perfect security storm, as we can see in the diagram. Organisations can mitigate some of the risks arising from endpoints and their users by means of cloud IAM which provides single sign-on (SSO) across SaaS, cloud applications and on-premises infrastructure. IAM should also encompass not just devices but location and user behaviour. Hybrid working patterns that are likely to be the future in many businesses mean that enterprises need to know that users are who they claim to be – and this information needs to be validated often. IAM also has a significant role to play in neutralising threats arising from inside organisations – or rather people leaving them. Deprovisioning soon-to-be ex-employees from all applications is vital for both security and compliance mandates. IAM should leverage directory services to determine and govern access to systems, applications and services and bring an auditable peace of mind for enterprises.
[Figure: Has your organisation experienced cyber security attacks on its digital platforms in the past 12 months? Categories: Don’t know; No; Yes, at least once; Yes, at least monthly; Yes, weekly; Yes, daily]
Defining IAM
Before investigating what organisations prioritise when choosing IAM solutions and the challenges that they are experiencing in this area, it is helpful to define exactly the area being discussed because IAM is a wide area encompassing policies, processes and systems and can be complex.
The resources that individual employees, third parties or customers can access are defined and managed by IAM tools. When asked to define IAM, many individuals would focus on Multi-Factor Authentication (MFA), Single Sign-On (SSO) or privileged access/user management, but IAM covers a much broader architecture, including API access management, user lifecycle management and hybrid cloud gateway. As endpoints have proliferated (and a growing proportion of those endpoints do not necessarily have a human being behind them) and infrastructure has become more complex, so IAM has evolved as a discipline.
Partner and Customer IAM are only marginally less important use cases than employee IAM.
of survey respondents at least strongly agreed that increasing security threat frequency and sophistication meant IAM is ever more important for their organisations.
Most organisations have more than one IAM solution in place.
The most significant challenges experienced with IAM solutions are user engagement, Privileged Account Management (PAM) and above all, integration with different applications, workloads and systems across hybrid architectures.
Integration capability is the 1st consideration of enterprises when assessing solutions and vendors.
IAM is a valuable asset in any organisation’s security arsenal, but access rights can often be difficult to manage: increased digital complexity, changing employee roles and the growth of cloud and remote workforces make it a challenge to ensure that employees have access to the correct resources to carry out their jobs without compromising on security. Today’s employees have a wealth of different workplace applications at their disposal, which can greatly aid productivity. However, having multiple logins for different applications can make the process increasingly fragmented, with employees spending time logging into and switching between multiple apps and websites. What’s more, employees often reuse passwords for multiple applications, increasing the risk of an adversary gaining access to multiple corporate systems. Organisations are therefore looking for identity and access management systems that provide a central control point for IT teams, enabling effective role-based access for end users who only require one set of login credentials. This digital experience, powered by bespoke research, will explore what IT leaders want from IAM and how this can be delivered in a way that ensures ease of use while remaining secure. It will ask whether consolidation would save IT teams precious time, and the impact this could have on IAM compliance and uptake.
Our survey of IT leaders in 150 medium-sized enterprises in professional sectors of the economy – including financial services such as banking, payments, and insurance – found that 38 percent have experienced either daily (13 percent) or weekly (25 percent) cyber-attacks on their digital platforms.
A further 19 percent say attacks have been monthly occurrences since 2020, while 24 percent report at least one serious incident over the past year. In total, 81 percent of companies have experienced attacks since the pandemic began. For financial services respondents specifically, daily cyber security attacks were not reported, but 25 percent reported weekly attacks, and an additional 25 percent said they had experienced at least one attack in the past 12 months. The remaining respondents have either not experienced an attack in the past 12 months or were unsure whether they had.
Despite this, IAM adoption is running significantly behind the attack rate: less than 30 percent of respondents have fully implemented an advanced IAM / CIAM platform, while less than 28 percent are actively rolling one out. The good news is many others are either planning or trialling such a system, but nearly 14 percent have either no plan to do so or (in just one percent of cases) no interest at all.
[Figure: To what extent has your organisation adopted an advanced identity and access management (IAM or CIAM) platform? Surviving category label: No plan, no interest]
(1= most important, 4= least important)
That said, our survey found that IT leaders recognise the elevated security risk: cybersecurity is top of the list of concerns that need to be tackled via IAM, above (in descending order) regulatory compliance, easing the burden on IT, and gaining a competitive advantage in the marketplace. Financial services respondents awarded the same ranking, rating cyber security as the most important driver of IAM adoption and competitive advantage as least important.
[Figure: drivers ranked on an axis from 1 to 4. Surviving labels: Cyber security; Regulatory compliance; Competitive advantage]
[Figure: How confident are you in the security of your current IAM solutions? (On a scale of 1 to 10, ‘1’ being ‘not at all confident’ and ‘10’ being ‘extremely confident’)]
But what about confidence in the security of the IAM platform itself? Answers to this question were generally positive but stopped short of comprehensive support. The average score was 7.4 out of 10, with most responses spread between 6 (quite confident) and 9 (very confident).
In the context of enterprise applications, every type of organisation is at similar risk of fraudsters, cyber-criminals, and hackers gaining a foothold in the system.
The security imperative
The global security context is a massive factor. Financial crime, fraud, ransomware, and phishing have all been on the rise since the pandemic began, with even tech savvy consumers having their account and log-in details stolen and compromised.
Choosing the right vendor or solutions is not a simple matter of listening to marketing spiel or reading up on the options and features. IT leaders must consider a wide range of factors, including technical support, licensing, ongoing costs, product roadmap, compliance, sector expertise, and a focus on the complex UK and EU context.
Choosing a vendor
For many IT leaders, however, one of the biggest or most complex challenges is choosing the right vendor and the right solution – and both of these areas were looked at in depth by our survey.
One challenge may be the number of IAM solutions deployed within the enterprise, which has both management and friction implications.
Managing the system
While our survey found that over one-quarter of enterprises (27 percent) operate just one IAM solution, nearly one-third have two solutions and nearly 25 percent operate three solutions. Twelve percent of respondents said they have four or five separate IAM systems. This has the potential to create complexities when it comes to managing IAM solutions.
[Figure: How many separate IAM solutions do you operate at your organisation? Categories: one; two; three; four; five; five +]
Meanwhile, when it comes to choosing the right solution, IT teams must consider integration, policy options, employee lifecycle management, a seamless user experience, multi-platform access, support for multiple security standards, certification, and levels of automation, among several other issues.
From the research, it is clear that those in the financial services sector and beyond are investing in IAM as a means of improving trust, reducing risk and enhancing customer experiences. With high-profile cyber security incidents hitting the headlines with alarming regularity, one thing is clear: if businesses of all sizes want to bolster their cyber defences, passwords are no longer enough. For the financial services sector, data security is a top concern, and keeping up with stringent data regulations and cyber threats, while also offering the round the clock access that consumers demand, requires a security strategy with identity at its core. While improving organisations’ security posture is a clear benefit of IAM, the research indicates that the technology brings with it other benefits. Improved efficiency and agility, thanks to automation and the cloud, mean that leveraging IAM can help streamline the process of securing your ecosystem, and for the financial services sector, a comprehensive digital identity strategy is key to creating an innovative and secure experience across all channels. The message is clear: in order to make collaborative working, remote access, low-friction services, and sector innovation really work for customers, partners, and employees, IAM is a critical factor.
Conclusions
While the deployment of IAM is partially in response to rigorous industry rules, such as the recently introduced Strong Customer Authentication regulations, this is not the only driver of adoption. IAM is also an opportunity for innovation.
But the critical issues and deciding factors in IAM purchases would appear to be what is happening in the world outside of the enterprise: digital disruption and market upheaval in many sectors, especially financial services; the rapid rise of remote and homeworking; and the explosion of theft, phishing, fraud, ransomware, identity theft, and other cybercrimes. Our survey found broad agreement from IT leaders about these environmental issues and practical challenges:
For any sector, application or data source, striking the right balance between security and ease-of-use is critical, especially as remote working and mobility become the norm for many. All IT leaders need to ensure that identity and authentication are paramount to maintain trust and integrity within the organisation.
This is particularly true in financial services, where the sensitive nature of the data, and stringent regulations, make robust security imperative, from both customer and employee perspectives. However, with digital banking and payment platforms, striking a balance between security and the types of positive, low-friction, omnichannel experiences that customers expect is key. Employees also do not want too many barriers in the way of their daily workflow.
The system needs to be robust and secure, but if users must jump through too many hoops to access their own data or cash, they may choose a different brand that handles the experience more intuitively and seamlessly. This white paper, powered by bespoke research, will explore what IT leaders in the fintech and financial services industries want from IAM. It will look at how they use IAM to address the challenges of managing identities in a context of rapid digital transformation, and at the ways in which they are creating frictionless, yet highly secure, experiences for users.
27 percent operate just one IAM solution, nearly one-third have two solutions and nearly 25 percent operate three solutions.
38 percent of survey respondents have experienced either daily (13 percent) or weekly (25 percent) cyber-attacks on their digital platforms.
When it comes to choosing the right solution, IT teams must consider integration, policy options, employee lifecycle management, a seamless user experience, multi-platform access, support for multiple security standards, certification, and level of automation.
Less than 30 percent of respondents have fully implemented an advanced IAM or Customer Identity Access Management (CIAM) platform, while less than 28 percent are actively rolling one out.
System integration, privileged user management, identity management overall, acceptance by staff, compliance, data protection, and cost are the biggest challenges for IT teams to overcome when it comes to managing IAM solutions.
Striking the right balance
Some analysts now put mobile banking penetration at 76 percent of banking customers in the UK. And with Open Banking bedding in, more and more consumers are attracted to the idea of being able to move their data to more competitive options in the marketplace. As a result, many customers – and businesses too – now see low-friction services and on-demand finance as being much better than the old model of slow, static, in-branch services. But making this work demands that security, trust, and identity are front and centre of the system: the big IAM is critical to that process. Identity Access Management (IAM) refers to the group of technologies that is used to manage user identities, making it a must-have for modern businesses in the new context of low-friction, anywhere, any device access. Simply put, it is a mechanism to determine what information users can access and what tasks they can perform. As an ever-growing number of services make their way online, it is more important than ever to ensure that users – be they customers, employees, or third parties – are exactly who they say they are (and can only access what they are permitted to). This is where IAM can help.
Beyond compliance: How financial services are innovating through IAM
[Figure (axis 0 to 40%). Categories: Integration; Privileged user management; Acceptance by staff; Identity management; Compliance/data protection; Costs; Internal skill sets; Operational technology; Monitoring; Architecture design; Self-service; Policies; Configuration; Deployment]
Our survey found that system integration, privileged user management, identity management overall, acceptance by staff, compliance, data protection, and cost are the biggest challenges for IT teams to overcome when it comes to managing IAM solutions within their enterprise. This reveals that IAM adoption has technical, management, and cultural dimensions, which all need to be understood by IT leaders.
Another notable finding is that more IT leaders regard internal identity and access management as being of critical importance than authenticating partners or customers, though all are seen as important by most respondents. The message is clear: for many organisations, authenticating remote staff and ensuring they can only access the appropriate data and applications is an overriding concern. However, respondents from the financial services sector place more emphasis on the importance of IAM both internally and externally, with 44 percent rating internal identity and access management as “extremely important”, and 38 percent rating customer identity and access management as “extremely important”. When financial data is concerned, the consequences of a security slip-up could be devastating, so it comes as no surprise that financial services respondents take customer identity so seriously, with the industry subject to stringent regulations in this area.
[Figure: How important are the following use cases for IAM at your organisation? (On a scale of 1 (not at all important) to 10 (extremely important))]
Which of the following factors are most important when choosing an IAM vendor?
For the financial services industry, access to technical support was most important when choosing an IAM vendor, selected by 56 percent of respondents, followed by product roadmap. Compared with respondents from other sectors, a focus on legal and fiscal compliance was also more highly rated. When it comes to choosing an IAM solution, survey respondents from the sector also valued the ability to integrate with a current or future environment the most, as well as seamless user experience. Compared with other industries, suitability for hybrid environments and employee lifecycle management were not ranked as highly.
[Figure categories: Suitable licensing models; Product roadmap and ongoing support; Technical support; Initial/ongoing costs; Absence of hidden costs; Investment in emerging technologies; Focus on legal/fiscal compliance; Appropriate UK/EU focus; Sector-specific expertise; Commercial flexibility/willingness to negotiate]
Which of the following factors are most important when choosing an IAM solution?
Integration with current or future environment
Seamless user experience
An auditable solution
Suited for hybrid environments
Password management/policies
Employee lifecycle management/ease of adding or removing users
Support for multiple security standards
Profile and personal ID management
Flexible access policies/role-based access
Web/mobile access
Varied authentication methods
Full IAM technology stack
Automated policies
Delegation authority capability/shared access
Certification management
Supporting underlying repositories
Social media ID integration
To what extent do you agree with the following statements? (Scale: strongly agree, somewhat agree, neither agree nor disagree, somewhat disagree, strongly disagree)
“Expectations for frictionless user experience are higher than they were 2 years ago”
“The Covid-19 pandemic has increased the need for capable IAM solutions at my organisation”
“Increasing security threat frequency and sophistication mean IAM is ever more important at my organisation”
“With digital banking and payment platforms, striking a balance between security and the types of positive, low-friction, omnichannel experiences that customers expect is key”
From the research, it is clear that those in the financial services sector and beyond are investing in IAM as a means of improving trust, reducing risk and enhancing customer experiences. With high-profile cyber security incidents hitting the headlines with alarming regularity, one thing is clear: if businesses of all sizes want to bolster their cyber defences, passwords are no longer enough. For the financial services sector, data security is a top concern, and keeping up with stringent data regulations and cyber threats, while also offering the round-the-clock access that consumers demand, requires a security strategy with identity at its core. While improving organisations’ security posture is a clear benefit of IAM, the research indicates that the technology brings with it other benefits. Improved efficiency and agility, thanks to automation and the cloud, mean that leveraging IAM can help streamline the process of securing your ecosystem, and for the financial services sector, a comprehensive digital identity strategy is key to creating an innovative and secure experience across all channels. The message is clear: in order to make collaborative working, remote access, low-friction services, and sector innovation really work for customers, partners, and employees, IAM is a critical factor.
Some analysts now put mobile banking penetration at 76 percent of banking customers in the UK. And with Open Banking bedding in, more and more consumers are attracted to the idea of being able to move their data to more competitive options in the marketplace. As a result, many customers – and businesses too – now see low-friction services and on-demand finance as being much better than the old model of slow, static, in-branch services. But making this work demands that security, trust, and identity are front and centre of the system: the big IAM is critical to that process. Identity Access Management (IAM) refers to the group of technologies that is used to manage user identities, making it a must-have for modern businesses in the new context of low-friction, anywhere, any device access. Simply put, it is a mechanism to determine what information users can access and what tasks they can perform. As an ever-growing number of services make their way online, it is more important than ever to ensure that users – be they customers, employees, or third parties – are exactly who they say they are (and can only access what they are permitted to). This is where IAM can help.
The opportunities, challenges and future of Open Banking and Open Finance
Open Banking has allowed for greater innovation in how consumers manage their finances, prompting less tech-savvy organisations to adapt to new ways of working or risk being left behind. However, Open Banking has received mixed responses from those in the financial services industry. While some organisations have embraced Open Banking and the opportunities it can create, others have taken a more cautious approach, focusing purely on compliance rather than transformation projects. As a result, progress has at times been slow. But almost four years after regulations were brought in, what impact has Open Banking had, and how will it develop in the years to come? This report brings together insights from two industry experts in order to explore the state of play of Open Banking: how have financial services organisations reacted to the regulations, what vendors are they using, and what challenges have they faced in both complying with regulations and harnessing the opportunities they can create? It will examine both the attitudes of consumers towards Open Banking and Open Finance and also what financial institutions, both incumbent and challenger, have gained from the technology, and what they hope to gain moving forward.
What is Open Banking?
The second Payment Services Directive (PSD2)
European Union, 2018
Requires banks to give third parties access to customer account data via open APIs.
The regulation also includes Strong Customer Authentication (SCA), which improves customer security for payment providers.
Firstly, it is important to establish what exactly is meant by Open Banking, arguably the most significant regulatory change in the financial services industry in recent history.
In 2018, the European Union introduced the second Payment Services Directive (PSD2), which requires banks to give third parties access to customer account data via open APIs, and for payment providers to introduce Strong Customer Authentication (SCA) in order to improve customer security. The UK Competition and Markets Authority then introduced UK-specific Open Banking legislation. There is little to differentiate the two regulations, aside from Open Banking requiring banks to make customer data available in a standardised format. Furthermore, Open Banking only applies to the nine largest UK banks whereas PSD2 applies to all payment account providers. While PSD2 and Open Banking are EU and UK-specific, similar regulations are now cropping up around the globe. The purpose of the regulations was to introduce more competition and innovation to the industry for the benefit of customers. By opting in to their transaction and other financial data being shared, customers can access new financial products and insights into their money. For example, Open Banking enables consumers to link their transaction data with a third-party app that analyses their spending habits and recommends new products such as credit cards.
However, as of January 2020, there were 202 FCA-regulated providers who are enrolled in Open Banking, with the number of certified third-party providers in the EU and UK nearly doubling between January 2020 and September of 2021. Jacquelyn Painter, Senior Manager, Solutions Product Marketing for Financial Services at Okta explained that while adoption is picking up, it has been slow: “What we’re seeing is there is adoption, there is implementation, but it’s still slower than expected. There’s a lot of things that banks have to work around and this regulation really changed their whole strategy. They’re having to deal with legacy systems and how to maintain privacy for customer data across all these different systems and open APIs. It can become very complex so while there is adoption and implementation because it’s mandatory, I think not everyone is where they want to be.”
The discussion has also frequently pitted more traditional financial organisations against more agile challenger banks or tech startups, with banks often presented as lagging behind their more tech-savvy counterparts. New competitors in the market are offering innovative digital products and user experiences, aided by a way of working that often allows them to move faster, putting pressure on banks to develop their own products or risk getting left behind. However, Painter believes that in reality, the development of Open Banking solutions is often more collaborative than it may appear: “The conversation at first was ‘fintechs: are they friend or foe?’ but some of these legacy banks are now choosing to partner with fintechs so they can have a joint solution and offer those products and services to their customers while complying with Open Banking and PSD2…you have smaller, mid-size banks and credit unions and they need to be able to partner with a fintech provider as they just don’t have the resources or bandwidth to implement such a big undertaking.”
It’s important that banks and other financial services organisations move beyond simply complying with regulations and now look at how they can leverage the benefits of Open Banking and rethink their business model to suit digitally-minded consumers. Once APIs are in place, they can build new products and services and in turn generate new revenue streams. “Open Banking started as something to give customers control of their data and create these new experiences and there are endless opportunities for what that’s going to look like in the future”, said Painter. “I also think that if a bank is strategic enough and can really see the vision and the innovation in how to get there, they’ll be set up for success especially as we continue to go digital and these experiences are no longer a nice to have, but as a consumer they’re a must-have.”
of certified third-party providers in the EU and UK between January 2020 and September of 2021.
~200
202 FCA-regulated providers enrolled in Open Banking as of January 2020
But is this actually the case and if so, what should banks be doing to ensure they embrace the opportunities created by Open Banking? Some banks have faced criticism for being slow to make their APIs available to third parties, thus impeding their ability to access data and develop new products. While the initial regulations were brought in in 2018, deadlines for complying with various elements of PSD2 and Open Banking have been extended several times to accommodate this.
While the regulations were brought about to help consumers get more out of their financial data, as well as encouraging greater financial inclusion, conversations around Open Banking have not always been positive. Some financial institutions have been accused of being slow to comply with regulations or doing the bare minimum to comply.
Going beyond compliance
Security
While consumers are increasingly becoming aware of Open Banking, the concept of banks sharing what is inevitably highly sensitive data with third parties may initially set alarm bells ringing for some. Therefore, security is paramount at every stage.
Security surrounding API management is robust and rigorously tested, and by law, Strong Customer Authentication must be used before data can be transferred. Furthermore, only regulated third parties can be a part of the Open Banking Directory. Hans Tesselaar, Executive Director at Banking Industry Architecture Network, a not-for-profit association that works to establish and promote a common architectural framework for enabling banking interoperability, said that for financial services organisations, security is a top priority: “I think it's fair to say that the security for banks is more than okay. The whole mechanism for Open Banking is you as a consumer need to give approval to your bank that they are allowed to share your data with a third party, otherwise it's not allowed. And in the EU and in the UK, both the bank and the third party need to be certified by the regulator.”
With Open Banking, consent is also key, with consumers having to opt in and choose the data third parties are allowed to access and for how long. Organisations must therefore have a system in place to manage what data customers have given permission to share, and what they haven’t. “One aspect of [security] is when you’re opening up these Open Banking APIs, you need to be able to give a level of detail, fine grained authorisation, on what information they’re willing to share”, said Painter. “So if I am using an application or a vendor that takes all of my bank accounts and puts them into their platform so that I have one view of my finances, I should be able to pick very granularly what I want to be able to share within each of these bank accounts.” “Identity is a crucial part of this puzzle as the consumer’s identity needs to be secure. There’s also customer data privacy that needs to be enforced and there needs to be very strict controls in terms of how that data is shared and the approval the consumer is giving to share that specific type of data.” “But when you’re creating these extra security measures they need to be frictionless because consumers don’t want to be always asked to type in a password or an answer to a question.”
But do banks have the technical know-how to fully embrace Open Banking?
While tech divisions and many financial services institutions have the capabilities to develop their own solutions in-house, for organisations bound by legacy systems or smaller financial services firms lacking the resources to develop their own products, partnering with a suitable vendor is key. This is particularly important when it comes to security, as organisations from outside of the financial services industry may have products that are well-suited to Open Banking solutions that are being developed. “As banks, especially these bigger banks, look to go beyond Open Banking and look at Open Finance and embedded finance and this Open Economy concept, they do need guidance,” said Painter. “We’ve had customers say to us before ‘we started building this on our own but now we need help as we’re not in the identity business, we’re not in the security business, we’re in the banking business’ and so it’s very hard for them to keep up with the evolving mandates and regulations and security enhancements that are needed.”
When choosing a vendor it is important that solutions can be easily integrated with other solutions, both existing and future, especially in the fast-moving world of digital transformation. “It’s really important to use a vendor-neutral partner” said Painter. “You want someone that you don’t have to rely on fully for everything, especially if your strategy changes…being able to make sure you have this best-of-breed environment where you’re picking and choosing and having a solution that can integrate into all these different applications [is important.]”
Tesselaar explained that developing a solution does not necessarily mean everything must be done in-house: “When you look at the car manufacturer, they also don't develop everything themselves. So if there are good things already in place, then you should put all those different bits and pieces in place and connect them.” “There are more resources outside the bank than inside the bank so if you can pick and choose, cherry pick what you want and connect them to a best-of-breed solution, then you’re onto a winner at a lower cost than developing it yourself.”
“The next level of Open Banking would be Open Finance. So we move a little bit away from current account and payments and we also go into loans and mortgages and maybe insurance. There is a wider range of products that you are not offering today to the clients but you can offer when you embrace Open Finance.” However, he warned that this is dependent on consumer demand, with the extent to which consumers will embrace Open Banking and its future iterations still unfolding. “If there is no need from your customers, then why? Banks are always a little traditional and if they're all still making enough profits they will ask is there a business need? Are customers moving away? And if so why? And would they stay if we could offer them [these services]? So those are the discussions that ensue in the banks because you need to do the investment and what is then the return on the investment?” However, Painter emphasised the importance of financial services organisations keeping pace with these new innovations: “There’s a quote out there that says ‘at some point every company will be a fintech company’ and this is absolutely the case. This is why financial institutions need to be able to strategise their long-term plans for how they fit into that picture. If you look at Uber, Amazon, all kinds of organisations out there, they are acting as a bank by paying their employees through their applications. They’re providing loans or payment plans.”
The future of Open Banking
With organisations still getting to grips with Open Banking, it is still too early to say what the full impacts of the regulations will be, and whether they will achieve their aims. Considering the rapid pace at which innovators within the industry move, it is likely that new and exciting products will emerge as a result of Open Banking and the demands of tech-savvy consumers.
However, the conversation has already moved beyond Open Banking alone, with the industry now watching how concepts such as Open Finance and Open Economy will develop, and the impact they will have. Open Finance adds additional elements of an individual’s financial footprint, such as mortgages, savings, pensions, insurance and utilities to the Open Banking model, allowing third parties to access additional data from which to develop products. Tesselaar explained that Open Finance has the potential to introduce a wide range of new products to the industry.
Thanks to the widespread adoption of digital banking, and the rapid emergence of fintech startups over the past few years, the financial services industry is ripe for innovation. Open Banking is at the centre of this, with the regulations having the potential to enable products that will transform the ways in which consumers manage their finances.
However, progress in this area has often been slow, leading to fears that Open Banking could fail to deliver on these promises, or that digitally native consumers will abandon more traditional banks in favour of challengers.
It is therefore vital that financial institutions view Open Banking regulations not as a hurdle but as an opportunity for customer-centric innovation, either through developing their own solutions in-house or through collaboration with third parties. Rather than framing Open Banking as incumbent versus challenger, organisations should instead view this as an opportunity for collaboration, and partnering with the right vendor is crucial to rolling out secure, innovative and intuitive products. Tesselaar summarises this in saying that banks should look beyond the financial services industry: “The impact of Open Banking is that it has forced the financial industry to look outside the four walls of their organisation. We can learn from other industries in how they interconnect… I think that is the most important win, that it opens up the windows and people are looking outside and learning from the things that are going on.”