ABA: The American Bankers Association

Identity Management for Banks

Identity management (ID management) is a broad administrative area that deals with identifying individuals in a system (such as a country, a network, or an enterprise) and controlling their access to resources within that system by associating user rights and restrictions with the established identity. The driver's licensing system is a simple example of identity management: drivers are identified by their license numbers, and user specifications (such as "cannot drive after dark") are linked to the identifying number.

In an IT network, identity management software is used to automate administrative tasks, such as resetting user passwords. Enabling users to reset their own passwords can save significant money and resources, since a large percentage of help desk calls are password-related. Password synchronization enables a user to access resources across systems with a single password; a more advanced version called single sign-on enables synchronization across applications as well as systems.

In an enterprise setting, identity management is used to increase security and productivity, while decreasing cost and redundant effort.

In a wider context, industry groups such as the World Wide Web Consortium (W3C) are developing standards that would enable global identity management, in which each individual would be uniquely identified, and all applicable data would be linked to that identity. A position paper on the W3C Web site, Requirements for a Global Identity Management Service, maintains that establishing global identity management is crucial for the development of the Web and Web services. The W3C position paper stipulates, among other things, that such a system must be universally portable and interoperable; that it must support unlimited identity-related attributes; that it must provide adequate mechanisms for privacy and accountability; and that it must be overseen by an independent governing authority.

Identity Management in Online Banking

For financial institutions, properly identifying the customer to the bank and the bank to the customer are critical aspects in providing financial services to customers. Individual consumers as well as business customers are increasingly using the online delivery channel to access banking solutions. Banks encourage this access because the channel is a low cost, highly efficient method of delivering financial services.

Traditional access to private information online, including online banking applications, has been secured by use of a personal identification number (PIN) and password login. As criminals have discovered, PIN and password identity management has long been inadequate.

In August of 2001, the Federal Financial Institutions Examination Council (FFIEC) issued guidance entitled Authentication in an Electronic Banking Environment. The 2001 Guidance focused on risk management controls necessary to authenticate the identity of retail and commercial customers accessing Internet-based financial services. In October of 2005, the FFIEC agencies issued guidance: Authentication in an Internet Banking Environment.

FFIEC Guidance