Identity management policies
Integration into Access Management (Article 20(1) RTS RMF)
- Identity management policies and procedures form part of the control of access management rights.
- Financial entities must develop, document, and implement these policies to ensure unique identification and authentication of natural persons and systems accessing the financial entity’s information.
- These policies support the assignment of user access rights in accordance with Article 21 RTS RMF.
Mandatory Content Elements (Article 20(2)(a)–(b) RTS RMF)
Unique Identity and User Account Assignment
The policies must ensure that:
- A unique identity, corresponding to a unique user account, is assigned to each:
– staff member of the financial entity, and
– staff member of ICT third-party service providers
who access the financial entity’s information assets and ICT assets.
- Financial entities must maintain records of all identity assignments.
These records must be retained:
– following any reorganisation of the financial entity, and
– after the end of the contractual relationship,
without prejudice to Union or national retention requirements.
Identity and Account Lifecycle Management
The policies must include a lifecycle management process covering:
- the creation of identities and accounts,
- changes and updates,
- reviews,
- temporary deactivation, and
- termination of all accounts.
- Where feasible and appropriate, financial entities must deploy automated solutions for identity lifecycle management.