Identity & access for financial institutions.
Workforce, customer, and counterparty identity on a zero-trust foundation. Built for SMCR accountability, DORA resilience, and examination evidence.
Overview
Identity & access infrastructure for financial institutions, built to the standard institutions in this sector are required to operate.
XVICA designs, builds, and operates this layer for financial-institution clients in the UK, US, Canada, and Australia. The work is specified against the regulatory regime, the operational profile, and the examination expectations of this sector before any code is written.
What financial institutions cannot get wrong here.
- SMCR makes access a named-individual accountability, not an administrator ticket.
- Entitlement drift between joiners-movers-leavers is the most common control finding.
- Customer authentication fraud is a reported incident, not a technical footnote.
- Third-party access is a DORA ICT concentration risk by default.
Named regimes, mapped controls
Regulatory requirements are translated into explicit control requirements, then mapped to tests and evidence collection. Nothing is implied.
UK & EU
FCA SMCR attestation, PRA SS2/21 accountability, DORA third-party ICT register, PSD2 Strong Customer Authentication, and NIS2 for critical entities.
United States
NYDFS Part 500 privileged access, SR 11-7 attestation, FFIEC authentication guidance, and OCC third-party risk expectations.
Commonwealth
APRA CPS 234 information security, OSFI B-13 technology and cyber risk, and AUSTRAC customer due diligence.
Design decisions distinctive to this intersection
Components and design choices that recur across our work for this sector. Each deployment is specified individually.
Zero-trust by default
Every request is verified regardless of network position. No implicit trust from VPN or AD membership.
FIDO2/WebAuthn for phishing resistance
Hardware-backed authentication for privileged access. OTP is retired, not layered.
Just-in-time entitlement
Standing privilege minimised. Elevation is requested, approved, time-boxed, and logged.
Access certification at SMCR cadence
Attestation cycles match the accountability regime rather than an arbitrary calendar.
Integrated to the ledger
Who approved this transaction is a property of the transaction, not a separate log that needs cross-referencing.
How we work in financial institutions.
In a regulated financial institution, identity and access is where accountability becomes provable. SMCR names the individual; the question is whether the system can show which decisions that individual actually made. Our approach treats access not as a perimeter but as a decision ledger: every entitlement grant, every privileged elevation, every production change is a signed record attributable to a natural person. That record is the same object the internal audit function samples, the external auditor tests, and the SMCR attestation draws from. Institutions that start here tend to find that their access problem is the same as their examination problem, and that solving one closes findings against the other.
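As an added illustration of the just-in-time entitlement and decision-ledger ideas above (example code written for this page, not XVICA's platform), the following sketch records each elevation as a record signed by a named approver, time-boxes it, refuses self-approval, and re-verifies the record on every access check. The person names, the HMAC keys and the separation-of-duties rule are assumptions for the demonstration; a real deployment would use hardware-backed credentials rather than shared secrets.

```python
import hashlib
import hmac
import json
import time

# Constructed per-approver signing secrets (assumption: a real deployment
# would use hardware-backed credentials, not shared secrets).
APPROVER_KEYS = {"alice.smf16": b"constructed-key-alice"}
LEDGER = []  # append-only list of signed elevation records

def _sign(record, key):
    # Canonical JSON so the signature is stable regardless of dict ordering
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def grant_elevation(requester, approver, role, minutes, now=None):
    """Record a time-boxed elevation approved by a named individual."""
    now = int(time.time()) if now is None else now
    if requester == approver:
        raise ValueError("self-approval is not permitted")
    key = APPROVER_KEYS.get(approver)
    if key is None:
        raise ValueError("approver holds no signing key")
    record = {"requester": requester, "approver": approver, "role": role,
              "not_before": now, "not_after": now + minutes * 60}
    grant = {"record": record, "signature": _sign(record, key)}
    LEDGER.append(grant)  # who approved it is a property of the record itself
    return grant

def is_elevated(grant, person, role, now=None):
    """Checked on every request: signature, approver, subject, role, window."""
    now = int(time.time()) if now is None else now
    rec = grant["record"]
    key = APPROVER_KEYS.get(rec["approver"])
    if key is None or not hmac.compare_digest(_sign(rec, key), grant["signature"]):
        return False  # tampered record or unknown approver
    return (rec["requester"] == person and rec["role"] == role
            and rec["not_before"] <= now < rec["not_after"])

def approvals_by(approver):
    """Audit query: which elevations did this named individual approve?"""
    return [g["record"] for g in LEDGER if g["record"]["approver"] == approver]
```

Because the approver and the window live inside the signed record, the same object serves the access decision, the audit sample and the attestation evidence without a separate log to cross-reference.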
How engagements run
Three canonical commercial models. The right one depends on your in-house capability roadmap and risk appetite.
License and operate a ready platform
Deploy an XVICA-developed platform configured for your environment. Optional managed operations under SLA.
Co-Build + Operate: long-term joint build
XVICA leads engineering; your team provides domain ownership and governance. Outcome-based commercial structure.
Build-Operate-Transfer: build it, run it, hand it over
Designed, built, and operated to a specified maturity threshold, then transferred with documentation and runbooks.
Identity & access elsewhere
The same engineering discipline applied to neighbouring industries. Regulatory regime and operating profile differ; the standard does not.
Identity for enterprise
Workforce and customer identity across hybrid estates. Consolidates legacy directories, retires standing privilege, and makes access reviewable.
Identity for public sector
Government identity built to GDS and security assurance standards. Workforce, citizen, and cross-department access on one accredited platform.
Identity for healthcare
Clinician, patient, and system identity with clinical-safety awareness. Zero-trust foundations, break-glass done properly, auditable by IG committees.
Identity & access infrastructure for financial institutions.
Request a confidential briefing. We assess alignment and outline how XVICA can support your objectives in this sector.
Request a private briefing