KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Identity & Access Management is a key requirement from banning regulations.
At Creditplus, a new IAM solution was implemented recently. Drivers for IAM as well as the overall design of the new solutions are presented in this talk.
Identity & Access Management is a key requirement from banning regulations.
At Creditplus, a new IAM solution was implemented recently. Drivers for IAM as well as the overall design of the new solutions are presented in this talk.
Hello, ladies and gentlemen, I'm really happy to discuss with you today. Our experience in access right management. I wouldn't say it's a hobby of myself, but it keeps me busy since seven years also in my former responsibility. Therefore I'm smiling a bit because listening to the presentation of mark it's, it's really a copy and paste. Okay. You can really take this, the experience in the projects, the problems that you're facing. Okay. You can copy it and you can use it for every bank more or less because it's the same struggle across all banks from my point of view.
So it was quite interesting to listen to mark. And I think it's really interesting that that everyone faces the same challenges in this area. But let me start. My name is car Mala. I'm in the board of credit, plus I'm responsible for it. Information, security, administration, business process optimization, and some other stuff. But today let's focus on it and information security. Before I start a few words about credit, plus, because I could imagine that not every one of you in her, I think quite well known, but what is credit plus? Who is credit? Plus we are a bank.
We are a specialized bank, specialized on consumer finance business. We have several channels where we distribute our products, especially at the point of sales, but we also have branches and we are within the group of, I don't know if you heard about that maybe.
Yes, because it's one of the 10 largest banks worldwide. Before I start with the next thing I could, as I said, I could repeat what mark said. Okay. But I looked at it at a bit different angle. Okay. So the questions that I want to discuss with you today is really my first question. Why is access right management so special in the finance industry? Okay. We are spending really millions of euros to implement AccessR management. We are complaining, we have problems. We are facing issues. And nevertheless, as mark said, there are audits and we still get findings. Okay.
And the, the projects take years. So also we are not at the final stage of our project. Okay. It's running now, but I will come to this point for two years, not finally implemented. Okay. It will go on. And I think we have spent, I don't know, I don't want to take, I give you the number, but it's, it's really significant, including my personal time on this topic. So this is the first question. Then core challenges in access management in the financial industry is the second topic that I would like to discuss with you. The third topic is what was our journey?
Not on the level, because I would not be able to discuss it on the level of mark. Okay. But let's say in general, what was our journey in credit plus till now to implement it, to implement access right management. And the last point, my view on what are the success criterias for a project like that in financial industry. Okay. So this is the journey that I would like to start with you within the next 15 minutes. I could talk about this topic for three hours. Okay. No problem to do that. So I try really, to focus on, let's say the main components, first question is access, right.
Management in the financial industry. So special compared to other industries. Okay. Due to the fact that I was always in financial industries, not so easy to judge the challenges that other industries are facing. Okay. There is one thing which is in common and which is a general driver. GDPR. I hope all of you sitting here. Okay. I guess you have some link to access right. Management, and therefore you should be aware what GDPR is. Okay.
GDPR, two things first is not at German law anymore. In former times, it was, let's say really focused on Germany, not GDPR, but the rule before it's a European law.
Second, it's not a law for financial industry purely. Okay. It's a law that every industry has to comply to. Okay. So what is so special in financial industry about access rate management? My answer to that is two things. First data protection, of course, as you can imagine, the data that we have from our customers. Okay. Including account statement, payment information, tax information sometimes is very special. When you talk about data, leakage, think, think yourself where it happened. Okay. And in let's say the real critical areas where it happened was financial industry. Okay.
I think Germany even paid money to get the tax data from, I dunno, Swiss Luxembourg. Okay. So data protection is really, really a, a critical topic because our clients give us their data, all the information. Okay. And we have to be really careful with this data. First thing, I think this is a difference to other industries. Second thing is fraud. Okay. Of course there's also a potential of fraud for other industries, but fraud in banking can lead to significant damage. Okay. So also there are some cases and also for this, of course, access, right. Management plays a major role.
The regulator knows this. When I talk about regulator it's B in ECB. Okay. So they're aware of this. They're aware of this risk that financial industry has. That's why they used a small trick, which is big for banks. Okay. Because you know that what is a bank bank is risk management. That's our business. Okay. We transform risk. Okay. And the same linked with that is operational risk. That's the core topic. So every time we have fraud and damage of fraud, every time we have every time, sorry, if we have a data loss, If we have a data loss, okay.
Then it will directly impact our operational risk. Okay. Maybe you are not so familiar with this topic, but what does, what does it mean just to make this clear? If we have a higher operational risk? Okay.
The, the regulatory demands that we put equity behind, the more we have to put equity behind operational risk, the less we can do additional business in other areas. So that's the small trick of the regulator. Okay. But it's a huge impact for us. That means also not only from a, let's say data protection perspective, but also from a regulator perspective, there's a huge driver behind this topic. Okay. And that's why in every audit or when the regulator comes. And also mark mentioned that, so it's really dejavu. Okay. All the topics, when a regulator comes, there's a focus on access right.
Management. And they will also always try to prove you that it's not accurate. Okay. This is the driver behind O other than that, we're the same as the others. Okay.
As I said, GDPR is the same next question. What are the core challenges from my personal point of view in, in financial industry to implement Access-A-Ride management.
For me, the biggest topic taking out of GDPR is the need to know For those of you who are aware and need to know is one of the core topics in, in GDPR or what the, what the regulator ask for is really why does a person have the need to know, to access exactly this data. Okay. To implement that and realize that really one of the core challenges. Okay.
Second, I, I, this, I have to say because it's a, it's a, it's a funny thing. Every time an auditor comes just to explain this, okay. Every time an auditor comes, first thing they do about accessoride management. Okay. They take from one person, all the access rights. Okay. And then they look at the access rights, they look at the role and function of the person, and then they say, mm, okay.
This one, why do they have, why does he has the access to this application? Okay. Then they go to the person and they ask the person, can you explain why you have, why you need to have access to this application? And then if the person has not a real good answer, okay. Something like I have to have access because okay. If the person for example says, I don't need to have access, suck finding why, because you didn't respect need to know. Okay.
It's, it's really on. I want to make this clear. It's really on this level. That's why I said it has to be really accurate. And that's a challenge that means, in fact, you have to, to, to find the right balance between real individual rights. I give you exactly this, this, this, this, this access. Right. Okay. Which is not practicable, practicable and roles with a huge access right. Ability. Okay. Which is also not acceptable because of need to know. So you really have to find the right balance. It's for me, one of the core challenges, then the next thing, and mark said it toxic right.
Combinations. What, what is behind toxic right combinations also a funny thing. And the auditors every time look at exactly this. Okay. When you take a look at the application itself, usually something like four, I principle, I guess, you know what it means. Okay. Someone does something and the next one confirms, okay, so this is a four principle. Usually it's implemented within one application. Okay. That's in the banking industry standard. And I would say it's quite secured. Okay. But it's not enough. You have to also take a look at the whole functional process. Okay.
And you have to identify risks, areas of risks, where you have so-called toxic, right. Combinations. What does it mean?
It means, and I give you an example, someone who is able to change account data, master data. Okay. Should not be also able to execute payments why I could, if I, if I change master data, I enter my eyeball. Okay. No problem. My personal, I change it to my IBO. And then on the payment side, okay. I execute small payments or bigger ones, or, you know, that's the problem behind, so it's not enough to look at the application. And if there, if the application guarantees for as principle, you really have to take a look at the whole process and identify the so-called toxic. Right.
Combinations, second challenge, High privileged user, next topic, an example, database admins. Okay. Also quite interesting discussion. If you have implemented access rights properly. Okay. On the application, you have identified toxic rights and all of that. Perfect. Okay. But then there are still the users who need to have access to the, let's say circumventing the access rights. Okay. Maybe direct access to databases, Another topic. Okay. Another topic we're also the regulators look at, because again, an example, my balance is minus 100,000. Okay. Not a good situation. In fact.
So I go to the database, I change the minus plus, and I can go on spending money. Okay. So this is not a bad thing in terms of spending money, but of course, in terms of regulation, it's really a bad thing. And also a risk. Remember it's always linked to op risk. Okay. Remember it limits our ability to do further business. Okay. That's why it's so important. So that's another challenge, which from my point of view, I, I hope mark. I see you're still there. I I've touched the main challenges.
Let's say like that, but this is the challenge that we face in financial industry, our journey, we were, we were coming from a situation where we had a self implemented tool And we were granting access rights on an individual level. Okay.
Again, I give one person access, access, access to this system. Maybe I don't even know what, what is behind the access rights. Okay. And then if the next person come comes and as a manager, you say, okay, what kind of access rights? I just copy what I have given the other guy. Okay. Not reviewing if this is really what he needs for his role in this function. Okay. So this was a bit, the situation on tool, individual access rights, and it was completely not compliant. Okay. Let's face it.
Oh, five minutes. Okay. I have to hurry up a bit. So what we did is first we set up a project with the, with the aim to really be compliant and make our access secure.
Step one, very, very brief selection of the right partner. I learned that also others are choosing beta systems. Okay. So we have choosing beta systems. Why? Because we were looking for a partner which has experience in access, right management, but also financial industry. This was quite important for us.
Secondly, we were looking for a partner or a tool, okay. Which guarantees a certain flexibility and adaptation to other tools in house to our bank tools. And what we also need is we need a partner which knows the requirements for secured operations of this solution. So that's why that, where the reason why we, we have choosing better systems.
Step two, mark has already mentioned, I, I, I don't repeat it, but define the right onboarding change in off onboarding processes of employees. Okay. It's really important.
And it's, it's really important because this is crucial. Otherwise you stop the operations of the bank. Okay. So this is a process that has to be implemented.
So for me, it's not in fact, and this is important. It's not an it project. Okay.
For me, this Access-A-Ride management is an organizational project, which affects the whole organization. Okay. This is something you have to have in mind. And then migration, if you, once you have implemented, you migrate on the new tool and afterwards you assure the run, which means you have to do in regular, in regular sequence, you have to do reconciliation and re-certification of the data, Success, success criteria.
As I said, organization needs to understand that this is not an it project. It is a project where everyone has to contribute and they have to see why we do this. We do this to mitigate risks. Okay. And everyone has to be involved. You need to have a good tool and an experienced partner in order to make this happen. Okay. It's for me, the second success criteria, you need to implement smooth processes for onboarding and offboarding. That's also crucial if this is not there, okay. No one will accept it in the company and you harm the company in terms of operation.
So in a nutshell, if I summarize my experience over the last, over the last seven years, also in my former role as CIA of CASIS bank, another entity in, I would summarize like that a is one of the cornerstones for banks to mitigate the operational risks. It's not an it project. I set it twice, but I cannot not. Let's say stop to repeat it. It's not an it project. It's an organizational project. Second. There's a huge focus on the, from the re term regulator on accessoride management. Okay.
So they're really focusing on this topic, which also drives banks to really implement a proper situation. And the last one, and I repeat it again, it's not an it project, it's an organizational approach. So in a nutshell, that's all I have to say about AccessR management and my experience on summary of the over the last seven years. But I'm happy to answer question. Maybe I cannot answer it on the level as mark, but generally about AccessR ride management and financial industry, really, really to help a happy to answer question and discuss.
