The Banking, Financial Services, and Insurance (BFSI) sector may be on the verge of an identity crisis. According to the Thales 2025 BFSI Insights Survey, third-party digital identities are set to skyrocket by 74% in the next 12 months, threatening to put current identity and access management (IAM) processes to the test. And while third parties accessing sensitive data is a "necessary evil," 89% of organizations still see it as a moderate to high risk.
The challenge for financial services will be maintaining projected growth – which in a hyperconnected digital era is synonymous with "third-party growth" – while not letting expansion outstrip security. And they'd better figure it out fast.
The Complex Web of BFSI Third Parties.
The Ponemon Institute states that no more than 16% of organizations have a mature IAM program in place. When hardly one in five can take care of their own access management needs securely, adding responsibility for third-party logins can be overwhelming. The average financial institution in a digitized economy relies on a variety of downstream vendors and lateral partners for a number of reasons:
- Companies are outsourcing HR, payroll processing, administration, and employee benefits.
- Technology providers include software vendors, IT service providers, app developers, cloud services, and cybersecurity services.
- Financial services frequently rely on other financial firms, payment card providers, payment card manufacturers, investment firms, and blockchain networks to provide a competitive service offering.
The number of third-party providers to banks has increased significantly in the past six years and now approximates one to five. The Thales report indicates that third-party identities will be growing at a rate of 37% over the next 12 months, and 86% state that the number of data sources and applications these third parties will need to access will increase as well.
These various access management needs must serve two purposes: security and ease of use.
Finding a customer identity and access management (CIAM) solution that ticks both boxes can be difficult – and a lot is at stake.
Third-Party Access Challenges
Third-party access is about more than usernames and passwords. It encompasses onboarding and offboarding, privileged access management, business continuity, and much more. These can all be threatened by third-party attacks.
Last year, nearly all the top banks in the U.S. were hit by third-party attacks, according to research from SecurityScorecard. Many were affected by fourth-party breaches as well. As Ryan Sherstobitoff, senior vice president of threat research and intelligence, stated, "For banks, these third-party vulnerabilities mean one compromised vendor could destabilize the entire financial system." In addition, third-party risks accounted for nearly a third (31%) of all client insurance claims and 23% of material losses in 2024 major financial hits. To top things off, 59% of all insurance-related companies reported data breaches with third-party involvement for the same period.
A central part of third-party risk management is ensuring that access channels leading to the primary company's data and resources are secured. Because the majority of organizations experienced an identity-related breach in the past year, the importance of strong CIAM cannot be overstated.
Futureproofing with Modernization and Agility
The solution to old, outdated IAM solutions that can't scale, can't integrate, and can't help but frustrate your third-party ecosystem is to lean on a CIAM solution that prioritizes modernization and agility.
According to the Thales report, nearly nine in ten (89%) currently have plans to modernize their third-party IAM approach, with 57% hoping to achieve better business agility and increased collaboration as a result.
This shows that companies see CIAM not only as a security tool, but also as a means to improve business. They hope that their increased investment in third-party-friendly identity and access management will translate directly into better teamwork and fewer siloes, an enhanced ability to move fast and make critical decisions, and a smoother, more profitable experience for them and all their partners involved.
In the BFSI sector, this translates to smoother interactions between banks and payment card processors, software supply chain vendors and mobile banking app developers, insurance providers and policyholders, and more.
Being able to seamlessly authenticate an ever-growing web of third parties will soon be a competitive differentiator for BFSI organizations. Far from a security initiative alone, CIAM will prove its value as a business enabler. Meanwhile, those with clunky, outdated processes will experience lag, user frustration, and stunted growth as poor third-party IAM management leads to dropped balls and data breaches.
With 89% of organizations calling for vendor rationalization and 98% complaining of manual IAM pain points, the conclusion is clear: to keep pace with an influx of third-party identities, financial institutions need to double down on CIAM simplicity, modernization and collaboration if they hope to survive this next phase of growth.
