Identity Theft: Trends and Challenges
If there is a crime most indicative of the modern information age, it is that of identity theft. In 2004, the UK Credit Industry Fraud Avoidance Scheme (UK CIFAS) identified and protected over 50,000 victims of identity theft, up from 43,000 victims in 2002. Breaches of identity and access management (IAM) lead to billion-pound losses each year, both reported and unreported. On the flip side, there’s the confusion, frustration and lost productivity which organisations must deal with as they struggle to manage legitimate access for their employees, partners and customers to the electronic systems they need.
The identity crisis is prevalent across all industries, yet no other industry has been as squarely in the hot seat as financial services. Public scrutiny of its policies and of its record in protecting customers and their sensitive information has known no limits. This is understandable, given that the financial arena is one in which people are at great risk of seeing sensitive data compromised. Consumers live in constant fear of unauthorised persons gaining access to their bank account data, credit card numbers and other financial information. For an industry that relies on customers’ trust and confidence, the mounting public concern has put the crime at the top of the agenda for the finance sector.
As part of one of the most highly regulated industries in the world, companies in financial services are increasingly driven by the growing need to comply with regulatory and legal requirements governing the integrity, security, and privacy of the data they manage. Trends such as the convergence of payments and a focus on wealth management require the right systems to organise and tap into the customer base. This means a continued drive towards outsourcing and offshoring, which in turn demands access to sensitive customer information in remote countries. The financial services industry is one that routinely handles extremely sensitive and private information for individuals and businesses.
At the same time, the sheer need to keep track of who’s who, who has access to which resources, and for how long, has meant that the industry itself has partly contributed to the identity fraud crisis, and today it faces the challenge of finding ways to reduce the operational risks associated with keeping such data secure. Meeting these challenges – regulatory compliance and risk reduction – can be a costly proposition if it’s not approached in the right way. That creates a third challenge. As long as companies have their hands full and their budgets tied up with these internal challenges, they will find it difficult to turn their focus toward opportunities to improve quality of service and successfully pursue new growth and revenue. It’s no wonder that financial services organisations are investing in IAM solutions to address these challenges.
The financial services industry is governed by some of the most rigorous regulatory mandates today. Companies in the sector are subject to laws such as the Sarbanes-Oxley Act, European Union Data Protection Directive, Know Your Customer (KYC) and Basel II, which addresses capital adequacy. With so many different regulations in play, the risk of compliance failure is significant. And the cost can be high, whether it’s a large fine for an audit failure or a tarnished reputation associated with a compliance failure becoming public.
Currently there are numerous safeguards against identity fraud, yet how do we ensure that the technology implemented does not create another back door into an organisation’s systems? Identity management solutions that deliver comprehensive capabilities for monitoring, tracking, reporting on, and auditing access to relevant information and resources can help limit the risk of non-compliance. Within this context, to be an effective tool for financial services companies, identity management technology should specifically address essential capabilities to provide secure and compliant identity infrastructure. These include:
Federated identity management allows different departments or organisations to share identity information, so that users are identified once to gain access to various systems or information. In the process, organisations can cut costs, increase security, improve user satisfaction and enhance service. Federated identity management links elements of a user’s identity among various accounts without centrally storing all of the user’s personal information. Trust is a key element. In a true federated model, there’s no centralised repository of identity information or centrally operated identity management solution. Open standards – along with the supporting technology and legal agreements to enforce the trust model – allow this approach to work.
Data storage outsourcing is one area where federated identity is used. Over the past decade many large financial institutions have outsourced the electronic storage of certain customer financial data to a third party. These service providers typically offer web applications for looking up and viewing customer information, and the institution’s employees need a different set of authentication procedures to reach the third-party application than the ones they use for their own internal network. Yet how many different passwords and logins can employees reasonably be expected to remember? How much time is wasted on multiple logins, password lookups and other processes? And what security holes are opened up by such an inefficient process? With federation technology, organisations have found the answer in a standards-driven, federation-based single sign-on (SSO) solution. By allowing the institution and the provider to securely share identity attributes (including the fact of authentication) across domains, the solution makes it possible for the third-party information-access application to function as if it were part of the institution’s existing internal application for access to stored data. The institution can also leverage federated identity management to provide its commercial customers with access to value-added services that originate from third-party service providers. As with many financial services companies that resell services from third parties – a trend also seen in other industries such as telecommunications – the number of such services keeps growing, and customers are likely to use more than one of them.
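The cross-domain exchange described in the two paragraphs above, reduced to its trust checks, as an added example that is not part of the original article: the institution’s identity provider signs a short-lived assertion carrying only the attributes the storage provider needs, and the provider accepts it only if it comes from a partner it has a trust agreement with, is addressed to it, is unexpired and is unmodified. Real federations use SAML or OpenID Connect tokens with public-key signatures; here an HMAC key, a constructed issuer URL and a constructed audience URL stand in for that trust agreement.

```python
import base64, hashlib, hmac, json, time

# Constructed trust configuration (relying-party side): one verification key per
# federation partner the storage provider has a legal/technical agreement with.
# There is no central identity store; trust is the list of accepted issuers.
TRUSTED_ISSUERS = {"https://idp.bank.example": b"constructed-shared-secret"}
AUDIENCE = "https://storage.provider.example"   # this relying party's own identifier

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_assertion(issuer, key, subject, attributes, ttl=300, now=None):
    """Identity-provider side: sign a short-lived assertion with only the
    attributes the partner needs, so no full profile leaves the institution."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "aud": AUDIENCE, "sub": subject,
              "iat": now, "exp": now + ttl, "attrs": attributes}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def validate_assertion(token, now=None):
    """Relying-party side: returns (attributes, None) only if every trust check
    passes, otherwise (None, reason). Signature is checked before any claim
    is trusted, and the comparison is constant-time."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        padded = body + "=" * (-len(body) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:                      # covers binascii and JSON errors
        return None, "malformed"
    if not isinstance(claims, dict):
        return None, "malformed"
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        return None, "untrusted issuer"
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if claims.get("aud") != AUDIENCE:
        return None, "wrong audience"
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None, "expired"
    return claims.get("attrs", {}), None
```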
Identity management can make it possible for financial services companies to meet complex challenges. By providing them with the tools to closely control and manage access to sensitive information and valuable resources online, reducing risk and increasing security to:
Even with the challenges faced today, the financial services industry faces unprecedented opportunity. The Internet opened the door for financial services companies to deliver more services to more customers than ever before. But they need to be ready. They must have the plans and processes in place for dealing with the fundamentals of compliance and risk reduction. And they must put in place the ecosystem that will enable them to pursue growth and cost efficiency. Identity management is the key component in this mix to cope with today’s unique challenges.
Access control: Mechanisms and policies that allow or restrict access to electronic resources such as applications and information.
Authentication: The process of identifying a user, usually based on a username and password.
Authorization: The process of granting or denying users access to electronic resources, based on their identity.
Directory: A repository of information about user identity.
Federated identity management: The sharing of identity information across departments or enterprises, so that users are identified once to gain access to various systems or information.
Identity management: The infrastructure and processes, including authentication, authorization, directories and provisioning, which enable an organization to keep track of users and their access to information resources.
Provisioning: The process, typically involving both the HR and the IT departments, of providing users with access to electronic resources.
Strong authentication: Authentication by using technologies, such as public key infrastructure (PKI) or biometrics, that are difficult to bypass by both computer programs and other people.