Fair Isaac : Customer Identity Management Is NOT the Same as Access Control

Customer identity management is a term that is subject to a number of definitions. I will define it here for financial services and regulated companies as the business strategy and processes by which an organization establishes who a customer is and ensures that activity on their accounts is carried out by them. The goal of CIM is to meet regulatory rules and legislation, prevent fraud and financial crime, and manage risk-all while making it simple for customers to transact.

Customer identity management operates today in an unpredictable environment. While some interactions are performed where the business has control, many are remote, relying on customers' devices, documents, and capabilities. It is also an area targeted by criminals for fraud and money laundering and comes under serious regulatory scrutiny.

Customer identity management is most frequently confused with identity and access management, sometimes known as identity management, which is defined as 'a framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources.' It's important to note the differences.

Access management is focused internally on access control and permissions rather than the official identity of the individual in question. This is primarily about ensuring correct use of resources and relies on policies, roles, and permissions to help implement technological mechanisms to allow or restrict access.

Confusingly, this term has been extended as customer identity and access management or CIAM to mean the subset of identity and access management that applies to customers -h ow they log in to websites, authenticate themselves, and are granted permissions for some customer-facing systems.

It's unsurprising then that discussions within businesses about how to implement identity management lead to misunderstandings, especially between IT, cybersecurity, and risk and compliance professionals. Their requirements must additionally consider the objectives of their colleagues concerned with customer experience - particularly for digital channels.

Customer identity management goes beyond identity and access management in these areas:

• Identity proofing
• Document verification
• Customer screening
• Criminal network analysis
• Fraud prevention

Customer identity management and identity and access management may overlap when determining who customers are when they want to transact. Access management may be seen as an IT security topic, whereas customer identity management may be led more by financial crime or compliance professionals and is likely an important focus for customer experience and digital banking leaders. It's therefore important that these groups collaborate, as solutions for access management within a business may not work at all for customers, where the need to provide acceptable if not excellent customer experiences is a driving force.

The conflation of customer identity management and access control can lead to financial institutions attempting to answer the wrong problem. As an example, in my executive brief on the subject I talk about how a bank faced with malware on their customers' devices, which had the potential to compromise the security of the banking app, needed to focus on authenticating the identity of the person accessing the account rather than enter into a technology competition with the criminals.

To understand more about the unique requirements of both customer identity management and access control read my Executive Brief. Follow my posts on fraud and identity management at @dougoclare.