Identity management


  1. As part of their control of access management rights, financial entitiesas defined in Article 2, points (a) to (t) shall develop, document, and implement identity management policies and procedures that ensure the unique identification and authentication of natural persons and systems accessing the financial entities’ information to enable assignment of user access rights in accordance with Article 21

  2. The identity management policies and procedures referred to in paragraph 1 shall contain all of the following:

    1. without prejudice to Article 21, first paragraph, point (c), a unique identity corresponding to a unique user account shall be assigned to each staff member of the financial entity or staff of the ICT third-party service providersan undertaking providing ICT services accessing the information assetsa collection of information, either tangible or intangible, that is worth protecting and ICT assetsa software or hardware asset in the network and information systems used by the financial entity of the financial entity;

    2. a lifecycle management process for identities and accounts managing the creation, change, review and update, temporary deactivation, and termination of all accounts.

    For the purposes of point (a), financial entitiesas defined in Article 2, points (a) to (t) shall maintain records of all identity assignments. Those records shall be kept following a reorganisation of the financial entity or after the end of the contractual relationship without prejudice to the retention requirements laid down in applicable Union and national law.

    For the purposes of point (b), financial entitiesas defined in Article 2, points (a) to (t) shall, where feasible and appropriate, deploy automated solutions for the lifecycle identity management process.