28 May 2019

Identity Governance – Private Banking


Données Client et Gouvemance des Identités - Banque Privée SERIAL

Company Description

The private bank operating as a wealth management firm. The company offers banking, financing, and investment management services to individuals and institutional investors worldwide.

Business Challenges

​Swiss private banks have to comply with FINMA 2008/21 regulation and specifically with the appendix 3 regarding Client Identifying Data (CID). ​ ​

The client had to implement an access control framework in order to monitor its data visibility and apply it to each of its IT systems : core banking system, CRM, shared drives and ECM. ​ ​The private bank operating internationally, a specific challenge was to apply different data visibilities whether client CID are Swiss or foreigner, and whether they are accessed from Switzerland or abroad.

​Our Solution

Following regulator directives, the mission implemented the « need to know » principle in order to restrict access to the client data only to the persons for which its required in their daily tasks.

  • Conduct workshops to improve RBAC framework based on mined roles.
  • Hybrid top-down & bottom-up approach for role-mining.
  • Segregation of duties (SOD) analysis to improve information risk management and data loss prevention.

To address the international challenge we used a multi-dimensional RBAC framework defining business roles through user attributes, application permissioning and specific context like the location.


The project was conducted over 122 man-days. The delivery time was extended to 6 months.


The project consisted of a project manager.


  • Avaloq
  • IBM Ondemand
  • Varonis DatAdvantage
  • Symantech Data Loss Prevention

Contract Type

We were involved in a Time & Material Project.

Articles in the same category

carre1 carre2 circle1 circle2 circle3 triangle1 triangle2 triangle3