Start with Identity

Identity for Financial Services

Primary requirements
  • Strong customer authentication (PSD2 SCA)
  • Fraud signals integrated at authentication time
  • Privileged access control with full audit
  • Detailed, regulator-ready audit trail
Regulatory floor
  • PSD2
  • GLBA
  • PCI DSS
  • SOC 2
  • DORA

The job identity does in financial services

In financial services, identity is a regulated control, not a convenience feature. The system has to prove the customer is who they claim, that a transaction is legitimate, and that the institution holds a defensible audit trail when a regulator asks. It spans three populations at once: consumers and businesses logging into banking and payments, employees and contractors with access to money-moving systems, and the growing fleet of non-human identities behind trading, settlement, and APIs.

Two pressures pull in opposite directions. Fraud and regulation demand friction; customer experience and competition demand none. The institutions that win make authentication strong but mostly invisible, escalating only when risk rises.

The regulatory and compliance floor

Financial services carries one of the heaviest compliance loads in identity. PSD2 in Europe mandates strong customer authentication (SCA) and the dynamic linking of authentication to a specific payment. PCI DSS governs anything touching card data, and version 4.0 expanded MFA into the cardholder data environment (see identity controls for PCI DSS). GLBA covers safeguarding customer financial data in the US, and EU entities now fall under DORA for operational resilience, which makes privileged access, monitoring, and third-party access governance explicit obligations. SOC 2 is table stakes for partners.

The threat landscape here

Banks are a top target for account takeover, credential stuffing, and increasingly session and token theft that bypasses MFA. The Snowflake customer breaches showed how stolen credentials against accounts without MFA lead straight to mass data theft. Synthetic identity fraud and deepfake-driven onboarding fraud are rising fast, which is why identity verification and fraud signals belong at the authentication layer, not bolted on afterward.

What good looks like

  • Risk-based, phishing-resistant authentication that satisfies SCA while staying low-friction for trusted sessions.
  • Fraud and device intelligence evaluated inline at login and at high-risk actions, not in a separate silo.
  • Privileged access with vaulting, session recording, and just-in-time elevation for money-moving systems.
  • Identity governance with evidenced access reviews and segregation of duties for the audit trail.
  • Strong machine-identity and secrets hygiene for trading and settlement workloads.
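The two mechanisms above that are easiest to get wrong in code are evaluating fraud and device signals inline at decision time and dynamically linking an SCA challenge to one specific payment (the PSD2 requirement from the regulatory floor section). The following is an added illustration written for this page, not code from Start with Identity or from any vendor it names. The signal names, the score thresholds, the EUR 30 low-value exemption ceiling used as a cut-off, and the HMAC key are all assumptions constructed for the example; a real deployment tunes thresholds against its observed fraud rate and keeps the linking key in an HSM or vault.

```python
"""
Risk-based step-up decision with PSD2-style dynamic linking (illustrative).

Every decision returns an audit record with its reasons, so the same call
that gates the action also produces the regulator-facing trail.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Constructed thresholds; tune against observed fraud rates in practice.
STEP_UP_AT = 30          # score at which an unverified session gets a challenge
BLOCK_AT = 80            # score at which the request is refused outright
LOW_VALUE_CENTS = 3000   # assumed low-value exemption ceiling (EUR 30)


@dataclass
class LoginContext:
    """Signals a fraud/device-intelligence layer hands to the auth decision."""
    user_id: str
    device_known: bool
    ip_country: str
    home_country: str
    failed_logins_last_hour: int
    credential_stuffing_hit: bool   # constructed flag: password seen in a breach feed
    session_mfa_passed: bool        # session already cleared phishing-resistant MFA


def risk_score(ctx: LoginContext) -> int:
    """Combine fraud and device signals into one score at decision time."""
    score = 0
    if not ctx.device_known:
        score += 30
    if ctx.ip_country != ctx.home_country:
        score += 25
    score += min(ctx.failed_logins_last_hour, 5) * 10
    if ctx.credential_stuffing_hit:
        score += 40
    return score


def decide(ctx: LoginContext, action: str, amount_cents: int = 0) -> dict:
    """Return 'allow', 'step_up' or 'block' inside an audit record with reasons."""
    score = risk_score(ctx)
    reasons = []
    if score >= BLOCK_AT:
        decision = "block"
        reasons.append(f"risk score {score} >= {BLOCK_AT}")
    elif action == "payment":
        # Payments always get per-transaction SCA unless a low-value,
        # low-risk exemption applies; a prior session MFA does not carry over.
        if amount_cents < LOW_VALUE_CENTS and score < STEP_UP_AT:
            decision = "allow"
            reasons.append("low-value exemption with low risk")
        else:
            decision = "step_up"
            reasons.append("payment requires SCA with dynamic linking")
    elif score >= STEP_UP_AT and not ctx.session_mfa_passed:
        decision = "step_up"
        reasons.append(f"risk score {score} >= {STEP_UP_AT} on unverified session")
    else:
        decision = "allow"
        reasons.append("trusted session, low risk")
    return {
        "user": ctx.user_id, "action": action, "amount_cents": amount_cents,
        "score": score, "decision": decision, "reasons": reasons,
    }


def _link_code(key: bytes, user_id: str, payee: str, amount_cents: int, nonce: str) -> str:
    """Authentication code bound to exactly this payee and amount."""
    msg = json.dumps({"u": user_id, "p": payee, "a": amount_cents, "n": nonce},
                     sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def issue_dynamic_link(key: bytes, user_id: str, payee: str, amount_cents: int):
    """Issue a fresh nonce and the code the customer confirms for this payment."""
    nonce = secrets.token_hex(8)
    return nonce, _link_code(key, user_id, payee, amount_cents, nonce)


def verify_dynamic_link(key: bytes, user_id: str, payee: str, amount_cents: int,
                        nonce: str, code: str) -> bool:
    """Verification recomputes over the submitted details, so any change to the
    payee or amount after the customer confirmed invalidates the code."""
    return hmac.compare_digest(_link_code(key, user_id, payee, amount_cents, nonce), code)


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed; keep the real key in an HSM or vault
    ctx = LoginContext("cust-1", True, "DE", "DE", 0, False, True)
    print(decide(ctx, "payment", 50000))
    nonce, code = issue_dynamic_link(key, "cust-1", "DE89370400440532013000", 50000)
    print(verify_dynamic_link(key, "cust-1", "DE89370400440532013000", 50000, nonce, code))
    print(verify_dynamic_link(key, "cust-1", "DE89370400440532013000", 55000, nonce, code))
```

The design point is that `decide()` has the fraud signals in hand at the moment it chooses, and that the payment challenge cannot be replayed against a different payee or amount because those values are inside the MAC. Logging the returned record as-is gives the evidenced trail the audit requirements call for.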

Vendors and fit

Enterprise authentication and federation fit Ping Identity; combined CIAM, passwordless, and fraud fit Transmit Security; identity verification and fraud fit Persona and Socure; privileged access fits CyberArk; governance fits SailPoint. Narrow a shortlist with the vendor selector.

Common pitfalls

  • Treating fraud and identity as separate systems, so risk signals are unavailable at decision time.
  • Relying on SMS OTP, which fails SCA intent and is phishable and SIM-swappable.
  • Privileged access to money-moving systems left standing rather than just-in-time.
  • Access reviews performed but not evidenced for regulators.

Where it is heading

Expect continuous, risk-based authentication to replace one-time gates, deepfake-resistant verification to become standard at onboarding, and DORA to push privileged access and third-party governance from good practice to enforced baseline.

Independent, community-driven analysis. Vendor mentions are for identification and commentary only. See the disclaimer.