- Identity and Access Governance
- RBAC
- Role Management
- Data Loss Prevention
- DLP
- FINMA
- Compliance
Key Challenges
Swiss private banks must comply with FINMA Circular 2008/21, specifically Appendix 3, which focuses on Client Identifying Data (CID).
To meet this regulation, the client needed to implement an access control framework. This framework had to monitor data visibility and apply consistent controls across all IT systems, including the core banking system, CRM, shared drives, and ECM.
Because the bank operates internationally, another challenge was managing data visibility depending on client residency. Different rules applied depending on whether the CID was Swiss or foreign, and whether it was accessed from Switzerland or abroad.
Role Management in Banking: CBTW’s Approach
Following regulatory directives, the mission applied the “need to know” principle. This restricted access to client data strictly to those who required it for their daily tasks.
To strengthen role management in banking, CBTW supported the client through several key initiatives:
- Conducted workshops to improve the RBAC framework based on mined roles
- Applied a hybrid top-down and bottom-up role-mining approach
- Performed a Segregation of Duties (SoD) analysis to enhance information risk management and support data loss prevention in banking
Banking Data Governance and Regulatory Benefits
Today, the client applies a rule-based RBAC framework to improve operational security. This enabled the migration of certain applications into the new access control model. As a result, access to Client Identifying Data is now restricted to Switzerland.
This mission also helped validate compliance with FINMA Circular 2008/21 Appendix 3. In doing so, it reinforced the bank’s data governance and fulfilled a key regulatory requirement.
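The following is an added illustration, not code from CBTW or the bank, of how the controls described above (need-to-know entitlements per system, Segregation of Duties checks, and a CID visibility rule based on client residency and access location) combine into a single access decision. Role names, system names, the SoD conflict pair and the visibility matrix are constructed; the only rule taken from the page is that CID may not be read from outside Switzerland.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset        # roles assigned through the RBAC framework
    location: str           # ISO country code of the session's origin


@dataclass(frozen=True)
class Resource:
    system: str             # constructed system ids, e.g. "core-banking", "crm"
    contains_cid: bool      # whether the record holds Client Identifying Data
    client_residency: str   # ISO country code of the client the data identifies


# Constructed need-to-know entitlements: which role may read which system.
ROLE_ENTITLEMENTS = {
    "relationship_manager": {"core-banking", "crm"},
    "payments_clerk": {"core-banking"},
    "payments_approver": {"core-banking"},
    "compliance_officer": {"core-banking", "crm", "shared-drive", "ecm"},
    "it_support": {"shared-drive", "ecm"},
}

# Constructed SoD constraint: entering and approving payments must not be one person.
SOD_CONFLICTS = {frozenset({"payments_clerk", "payments_approver"})}

# CID visibility keyed by (cid_is_swiss, accessed_from_ch). Only the "no CID
# from outside Switzerland" rule comes from the page; the matrix form is an
# assumption that leaves room for residency-specific rules.
CID_VISIBILITY = {(True, True): True, (False, True): True,
                  (True, False): False, (False, False): False}


def sod_violations(roles):
    """Return the conflicting role pairs held simultaneously (empty if none)."""
    return [tuple(sorted(c)) for c in SOD_CONFLICTS if c <= roles]


def decide(subject, resource):
    """Evaluate SoD, need-to-know and CID location rules; return (decision, reason)."""
    if sod_violations(subject.roles):
        return Decision.DENY, "sod_conflict"          # remediate roles first
    if not any(resource.system in ROLE_ENTITLEMENTS.get(r, ()) for r in subject.roles):
        return Decision.DENY, "no_entitlement"        # need to know not met
    if resource.contains_cid and not CID_VISIBILITY[
            (resource.client_residency == "CH", subject.location == "CH")]:
        return Decision.DENY, "cid_outside_ch"        # CID stays in Switzerland
    return Decision.ALLOW, "ok"
```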
Technologies & Partners
