Go Beyond PSD2 Compliance with Digital Identity
Nick Caley
VP, Financial Services and Regulatory
ForgeRock

Identity, Financial Services and the Digital Economy
(Diagram labels: Customers, Developers, The Bank as a single point of access)
Financial Services Capabilities: Protect, Borrow, Invest, Spend, Save
Commerce Capabilities: Energy, Restaurants, Acquisitions, Shopping
Lifestyle Capabilities: Culture, Travel, Entertainment, Loyalty
Business Capabilities: CFO Services, Procurement, Business Management, Payroll
Managing consumer identity and being able to associate multiple digital identities with a single customer is “super critical” to success…
Digital Financial Services: Customer-Centric
§ Be one of the drivers of change within the industry
§ Ease of use across your ecosystem
§ Build on your unique and stable core assets
§ Fundamentally anchor around the customer
§ Impact required now, not in 1-2 years
§ Increase revenue from digital channel
§ Cost effective operations
§ Geographical Expansion with Cross-Border Controls
§ Enhanced functionality
§ Improve profitability
Customer
Find Me: Want to be found not based on some broad demographic, but on very specific characteristics
Advise Me: Want their institution to provide advice based on transaction data, social data and on all the different pieces of information they have shared
Protect Me: Want to feel that the security and protection the bank offers are not painful or irritating
Know Me: Want to feel like their Financial Services provider has a 360-degree view of their relationship with the institution
Ask Me: Want to be asked about financial products and given suggestions about services
Alert Me: Expect their institution to know what is going on in the world, and if something changes in the market, to bring them information that will help
Delivering a Consistent, Seamless and Secure Customer Experience at Scale…
Personal, Convenient and Trusted
Contextual Customer Engagement
§ Onboarding new customers
§ Use existing information
§ Profile data aggregation
§ Workflows
§ Consent to store aggregated data and proof that it was consented
§ Regulations in each country for data storage and processing
§ Customize UI or Create your own UI (REST Interface)
(Diagram labels: Identity Relations, Identity Store, Know Your Customer (KYC))
Increasing Regulatory Demands
Identity
Composite Identity is fundamental to complying with regulatory requirements.
(Diagram labels: PSD2, BCB239, FRTB, GDPR, FATCA, AML, Basel III, CCAR, Open Banking)
KYC/AML: Costs continue to rise, complex processes are needed and 3rd party services are inflexible and expensive.
PSD2: Banking services must be opened up to third parties, users must be able to consent to data sharing and strong authentication must be enforced.
Open Banking: Open Banking Working Group proposals to open up consent-based access to third party services with open APIs and standards.
GDPR: New data protection law with massive penalties for non-compliance and challenging demands for compliance and security.
MAS/MAHK: Challenging 2-factor security requirements mandated by the Monetary Authority of Singapore & Hong Kong.
eIDAS: A joined-up banking experience for customers across Europe enabling the use of regional IDs to open bank accounts in new countries, re-using existing KYC.
Timeline for the Implementation of PSD2 with GDPR
1. DECEMBER 8, 2015: EBA releases discussion paper on authentication and secure communication
2. JANUARY 12, 2016: PSD2 published in the Official Journal of the European Union
3. AUGUST – OCTOBER 12, 2016: Consultation phase for draft RTS* – considering industry input
4. FEBRUARY 23, 2017: EBA publishes final draft of Regulatory Technical Standards (RTS) on strong customer authentication and common and secure communication
5. JUNE 1, 2017: EBA publishes the European Commission’s amended version of the RTS.
6. NOVEMBER 27, 2017: European Commission publishes final text of RTS
7. JANUARY 13, 2018: Deadline for member states to transpose PSD2 into law within all 28 EU member states.
8. MAY 25, 2018: GDPR becomes enforced. From this point, every global enterprise processing EU citizen data needs to be compliant.
9. SEPTEMBER 2019: Earliest date for EBA’s RTS to apply
(Between points 7 and 9: the timeframe when PSD2 has become national law, but RTS has not yet been fully implemented.)
PSD2 Scenarios: PISP use case
A PISP, the service provider initiating a payment on behalf of the user, will enable a software construct between the customer’s and the merchant’s accounts where the necessary information is exchanged to make the transaction.
(Diagram. Before: Customer, Merchant, Issuer Bank, Acquirer Bank/processor, Card Network. After: Customer, Merchant, Issuer Bank, PISP.)
PSD2 Scenarios: AISP use case
(Diagram. Before: Customer, Customer’s Bank A, Customer’s Bank B, Customer’s Bank C. After: Customer, AISP, Customer’s Bank A, Customer’s Bank B, Customer’s Bank C.)
AISPs are service providers that will be granted access by customers to their accounts’ information in their banks. An AISP can make use of transaction data to analyze a user’s spending behavior or aggregate a user’s account information from several banks in a single view.
PSD2 – RTS Security Scenarios
Strong customer authentication shall be implemented where the payer: accesses its payment account online; initiates an electronic payment transaction; or carries out any action through a remote channel potentially exposed to fraud or other abuses.
SCA should leverage at least two of three types of authentication: “knowledge”, “possession”, “inherence”.
NOTE: There are a number of exemption conditions where SCA is not mandated.
Strong Customer Authentication
SOMETHING YOU KNOW
• Password
• Passphrase
• PIN number
• Sequence
• Secret facts
SOMETHING YOU OWN
• Mobile phone
• Wearable device
• Smart card
• Token
• Badge
SOMETHING YOU ARE
• Fingerprint
• Facial features
• Voice patterns
• Iris format
• DNA signature
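One way to turn the two rules above into a policy check, added here as an example that is not from the deck or from ForgeRock: the trigger names, the `exempt` hook (the slide only says exemptions exist, so they are left to the caller) and the authenticator keys are constructed; the categories and their members follow the slide.

```python
"""Added example: minimal PSD2 SCA decision helper (constructed, not vendor code).

Rule 1: SCA is required when the payer accesses the payment account online,
        initiates an electronic payment, or acts through a remote channel
        exposed to fraud, unless an exemption applies.
Rule 2: SCA needs at least two *different* factor categories; two factors
        from the same category (e.g. password + passphrase) do not count.
"""
from enum import Enum
from typing import Callable, Iterable, Optional


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you own"
    INHERENCE = "something you are"


# Authenticator keys (constructed names) mapped to the slide's three categories.
FACTOR_OF = {
    "password": Factor.KNOWLEDGE, "passphrase": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE, "sequence": Factor.KNOWLEDGE,
    "secret_fact": Factor.KNOWLEDGE,
    "mobile_phone": Factor.POSSESSION, "wearable": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION, "token": Factor.POSSESSION,
    "badge": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE, "face": Factor.INHERENCE,
    "voice": Factor.INHERENCE, "iris": Factor.INHERENCE,
}

# Constructed identifiers for the three RTS trigger situations quoted above.
SCA_TRIGGERS = {"account_access", "payment_initiation", "remote_risky_action"}


def sca_required(action: str, exempt: Optional[Callable[[str], bool]] = None) -> bool:
    """True when the action is an SCA trigger and no exemption hook clears it."""
    if action not in SCA_TRIGGERS:
        return False
    return not (exempt is not None and exempt(action))


def sca_satisfied(verified: Iterable[str]) -> bool:
    """True when the verified authenticators span at least two distinct categories.
    Unknown authenticator names are ignored rather than counted as a factor."""
    categories = {FACTOR_OF[a] for a in verified if a in FACTOR_OF}
    return len(categories) >= 2


def authorize(action: str, verified: Iterable[str], exempt=None) -> bool:
    """Allow the action if SCA is not required, or is required and has been met."""
    return (not sca_required(action, exempt)) or sca_satisfied(list(verified))
```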
API Integration
(Diagram labels: API Gateway, Any App, API, DMZ, REST End Point, Mobile, M2M API, IoT, AS, AM, IG)
§ API security
§ Acting as Authorization server
§ Mobile integration
§ Integration with IoT gateways
§ Security for microservices architecture
§ Multi-protocol
§ Able to integrate with other gateways
ForgeRock Delivers: Responsive Identity
(Slide labels: Responsiveness; Context / Intelligence / AI; Biometrics / Marketplace; Killer Contextual Authentication/Authorization; Relationship Dashboards; Connect to Anything)
ForgeRock Delivers: Relationship Management
(Slide labels: Social Identity Aggregation; Smart Profiling; Privacy / Consent / GDPR; People / Services / Things; Unified API; Relationship Modeling; Data Orchestration)
THE POWER OF TRUSTED IDENTITIES
(Slide labels: UNKNOWN, KNOWN, TRUSTED; PSD2; Smart Payments; Access; Authentication; Privacy; Consent; Smart Home; Healthcare; Connected Car; Context; Identity Graph; Intelligent Orchestration; Biometrics; Open Banking; GDPR; Connected Building; Customer Data Asset; ID Aware APIs; Omnichannel Retail; API Ecosystem)
THANK YOU!