Banking sector leading CIAM innovation, say Big Four

Maturity in consumer identity and access management (CIAM) differs from sector to sector, with the banking sector taking the lead in terms of innovation, according to the Big Four accounting firms.

Europe’s second Payment Services Directive (PSD2) is helping to drive innovation in the banking sector around authentication, according to Gerald Horst, digital identity partner for Europe at PwC.

“Currently, PwC is working on projects for two challenger banks wanting to become European banks by providing ease of use,” he said in a panel discussion at Consumer Identity World Europe in Amsterdam.

The EU’s General Data Protection Regulation (GDPR) is also driving the need for banks to use innovative technologies to manage and protect customer data and identities,” he said.

There are different approaches across sectors due to the fact that they are investing in consumer identity and access management (CIAM) for different reasons due to totally different business cases for its use, said Mikko Nurmi, practice manager for CIAM at KPMG in Finland.

“While GDPR is a driver for most industries, the motive for investing in CIAM for retail is totally different to the finance industry, for example. While finance companies are using CIAM to increase trust, reduce risk and improve customer experiences, companies in the retail sector are mainly focused on collecting data about customers and consent so that they can use the data,” he said.

In Belgium, the public sector took a leap ahead of the private sector in its use of CIAM due to the launch of the country’s national microchipped identity card over a decade ago, said Jan Vanhaecht, Deloitte partner responsible for identity services in Belgium.

“This prompted private sector investment in an attempt to catch up to the same level of digitisation and online digital services, which took quite a while. But now the private sector has surpassed the public sector, and we see the government trying to leap ahead again.

“Innovation is currently around looking for ways to improve services, such as providing a single user experience across all the different communication channels and finding ways of reaching citizens with a high resistance to using digital services, such as those who are non-digital natives,” he said.

In the Middle East, Vanhaecht said Deloitte worked on a project to start a digital bank, but still with offices because customers wanted somewhere to go to interact with their bank. “But first, customers step through a number of stages, starting with digital authentication.

“Only then are customers able to step through the gate towards interacting with human representatives of the bank, which I think is the way forward and where we will see things going in future,” he said.

A business case for CIAM

CIAM, said Horst, is essentially about business. “It’s about digital transformation, it’s about doing business online, it’s about ease of use and balancing that with security and privacy, so in all our GDPR-related projects, we start with engaging with the business to understand what the priorities should be and what the business case and relevance of CIAM is.

“At the same time, it is about thinking in terms of a strategic play, so not going for a point solution for addressing a specific requirement or issue, but looking at it from a more long-term perspective and thinking more in terms of a platform for CIAM rather than a solution.

“Four or five years ago, we were typically talking only to the CIO and IT teams, and it was all about competitive advantage based on features and ease of use. Nowadays, it is more about thinking in terms of what are the long-term goals and what is the role of identity,” he said.

It is absolutely necessary to have the business on board and discussions on the strategy and the expected business model of the future, said Ulrike Van Venrooy, director of advisory services, cyber security at EY in Germany.

“CIAM specialists tend to talk a lot about customer experience,” said Nurmi. “This is partly what CIAM is about, but it is not a point solution. It is about your customer experience strategy. How the customer organisation is implementing it.

“It is also about the data strategy and how you provide the single source of truth about consumers. It has to be integrated with other strategic initiatives,” he said.

Industry focus plays a big part

However, Vanhaecht said it could be challenging to involve the business. “You are talking to the finance department, marketing and many other parts of the organisation as well as the pure business channels, and that is where an industry focus comes into play.

“The true industry knowledge of people in my team has become increasingly important to know what is best to deploy and how it should be deployed,” he said, adding that deep sectoral knowledge was valuable in identifying the real problem that needs to be solved.

“I like to take it to the next level by looking at the next problem that needs to be solved, in terms of new products the business is planning to get launched and the back-office changes that need to be made to meet changing requirements. This is where I seem my team becoming embedded in a broader business transformation effort,” said Vanhaecht.

This cross-business dimension is where the Big Four can add value, said Horst. “Yes, we do digital transformation, but it starts with strategy consulting and involves architecting and designing, implementing and then running solutions.

“We can do all of that, from consulting all the way through to execution, which is what sets us apart as the Big Four from firms that are focused on consulting only or integration only. There is a lot of dynamics in the market today, so organisations need to ensure the products they choose are wisely chosen.

“Ensure you do proof-of-concept trials and understand what particular products really bring to your business and if they really fit your strategic agenda rather than being just the point solution you are looking for in the short term. We have learned that organisations need to look at solutions from a much more strategic point of view,” he said.

Things to look for when choosing CIAM products

One commonality across the various industry sectors when it comes to CIAM, said Horst, is the requirement for single sign-on [SSO] capabilities, as well as ease of use, easy authentication, controlling personal data and many other things that are becoming a necessity across all industry sectors.

The level of friction, said Vanhaecht, is another important aspect. “How do you lower the bar for your customers to engage with you? Faster time to market is also still an important play,” he said.

“SSO is typically a quick winner because it means you don’t have to confront your customers with the complexity of your own organisation. Customers are able to interact with an organisation, be it in the public or private sector, as though it were a single entity, without being aware of the diversity of separate business areas under the surface,” he said.

Another common requirement is scalability, said Horst. “Getting a CIAM solution that performs really well for 50 million users is totally different to getting a solution up and running for only 100,000 employees in the context of traditional enterprise identity and access management [IAM].

“Other common requirements include interoperability and standard protocols. All these things are relevant if you are implementing a CIAM solution,” he said.

Build trust with security and privacy

In terms of privacy and control over personal data, not much has changed since the GDPR came into full force, said Nurmi. “However, I see that changing in the next six months, as consumer expectation grows around having control over their personal data and the consents they have given.”

PwC’s mission statement, said Horst, is bringing trust to society and solving important problems. “So the trust aspect is really important for us, which means we have a role to consult our clients on the security and privacy part of CIAM, but I guess that is true for all of us.

“However, that can be difficult because the business case for the largest CIAM implementations mostly comes from the marketing and business development side of the organisation, and then you start implementing the solution because the business wants to set itself apart from the competition by introducing ease of use and so on.

“But we have a role to ensure privacy by design, starting with the fact that client organisations often get it for free if they implement a Siem [security information and event management] system, the consent automation part is already there. So when implementing Siem systems, we consult them on the fact that they need to be addressing the GDPR and PSD2 security requirements,” he said.

However, as time has gone by since the GDPR became mandatory, Vanhaecht said organisations are beginning to understand that GDPR is not simply a single tick in a check box.

“The way the GDPR is written and conceived means it is not a one-time thing. It is something that organisations need to live day by day and show in anything they do, and that you may not necessarily know what evidence you are going to have to provide when a breach is discovered.

“Now the trend is towards more sustainable compliance, and this is where I see solutions like consent management and integrating that into the customer journey being introduced.

“The next step – and some early adopters are already there – is where the whole privacy issue becomes non-negotiable for customers; they will not engage with businesses unless they can demonstrate an acceptable level of trust and assurance that they are doing the right thing and are in control.”

However, Vanhaecht said there had not been much progress in this regard in terms of technology. “But we are seeing some telcos attempting to leap ahead of the market to demonstrate that they are the most privacy aware in Europe,” he said, adding that he expected to see industries attempting to do the same.

Reiterating that much of the innovation around CIAM is taking place in the banking sector, Horst cited as an example the way financial institutions are incorporating risk management systems aimed at combatting fraud into the user journey, especially in new challenger banks.

“They are using those risk management systems to understand whether there is anything out of the ordinary, then introduce a second and even third factor to authenticate the consumer concerned,” he said.

Top recommendations from the panel to organisations implementing CIAM projects included ensuring that offline channels are not forgotten and preparing for the fact that a human-to-human interaction will be required at some point in the lifecycle of a customer; ensuring that the CIAM system is aligned with the organisation’s data strategy for cross-silo activities such as consent checking; ensuring that the information security strategy is aligned with the CIAM strategy so there is a single goal to work towards; and ensuring that the organisation is prepared for a data breach and to report it within 72 hours.

Source computerweekly

Industry: Cyber Security News