Hi, my name's Ian Sorbello, I'm Head of Product Tech for Online Security for HSBC Global. I work with HSBC Digital Services, and that basically means that whatever we build is a global piece of tech that we need to roll out across the globe. The globe's a big place, and certainly with HSBC our footprint is huge. And I think that goes to the centre of why building technology in the bank isn't easy, because you need to make it work for the market into which it's going to drop.
My talk is about democracy and commoditisation of security, and I think that's possibly confusing when you think about customer access. I mean, there's no democracy in how you log on. There's democracy, I think, in the way that you do security within the bank, that is to say how you make security work for your developers and your technology base to actually create business function. I've found over the years working in this space that security is hard. And we make it hard, and certain parts of financial institutions make it extraordinarily hard to produce anything of real value, because they put blockers up. And I think what we need to do is ensure that as we grow our capabilities within banks, and we try to keep up with the challenge of banks as well, we're not getting in the way of folks that want to build stuff. So we'll get into the democracy and commodity view as we move along.
I'm going to start by talking about the geography and the global footprint of HSBC and how big it is; the view around the One Strategy, how you make one strategy work for different markets and different countries; a very strong focus on access management, where my view is that we design for variance, we design for the capability to shift and change and be plastic when you go from one market to another; how biometry is forming within this space and how we make biometry work within the ForgeRock platform; and the discussion around APIs, which is a big one in finance. I think APIs can be very natural for some industries. For banking, I think APIs are an oddity, and some of us embrace, some of us reject. Also, identity management within a large organisation is critical, particularly when we're so large: what does that actually mean for us? The identity that we hold, and potentially the identity that we can enable to be shared. And, as I was saying before about an organisation's developers, I just wanted to share a few insights that I've had over the years on what it's like to be a developer, and how you can unleash a developer's creativity.
So HSBC Global, and this is just a retail view, I'm not even talking about institutional banking or private banking: 37 markets, 70 countries, and for retail only that's 37 million customers, of varying sizes depending upon where you are. In order to actually facilitate good IT, we have 3 major points of presence across the globe: North America, EU, and Asia Pacific. Now those points of presence do cover markets, so where your IT sits, you've also got geopolitical and regulatory boundaries. North America, the United States and Mexico operate a little bit differently. Within Hong Kong and China, there is the Great Firewall of China that we need to deal with, and that's even for a bank with Shanghai in its name.
So, one solution globally. The view then is, well, let's build some stuff, let's do some stuff, and let's deploy. And certainly in my previous life there was a Dev, a Test, and a Prod: a market. In HSBC there are many of them, there are many prods. So releasing software to production is releasing software to many productions, and your world becomes three-dimensional. You've got time, what you're building over time, and then there's that third dimension of, well, where is it dropping? Who's taking what and when? You look at these roadmaps and plans, and they're extraordinarily complicated, because it's Singapore going on this date, and North America's not ready for that. And all of this multiplicity going on where security is at various states and various levels, and they're not compatible. So it's really, really difficult to actually produce anything and get a sane plan and roadmap across all of those markets.
So when we look at access management (AM), certainly over the last 14 years of my professional career I've seen a huge maturation of security standards; it's really evolved well. I think we're centring on quite a good suite of protocols that actually enable quite a lot of things to happen. And so when I look to things like OpenID Connect and OAuth2, User-Managed Access, SSO for egress and ingress, regardless, there's a lot of function there now. We don't need to reinvent this, and certainly there's no benefit in reinventing anything. So what that does is it creates a desire for banks now to use protocols and technology from those who have built this, and built it well. I've coded stuff before in the past, because banks like to do that. We're special, our banking security is particularly high.
The products: do they work for finance? Particularly well? So if you get an enabled development team with enough wherewithal and air cover from above, boom, you're coding stuff. And before you know it, you have a security system, and it's embedded, and developers need to use it, and in order to use it you need to go to the documentation. And that documentation only exists within the bank, because you created it; it's not a spec or a protocol, and no-one's talking about it on any of your developer sites. So we're at a stage now where there's actually zero desire to code anything. It's not going to help banks now to actually build all of their own code up.
And so as part of this Transform programme that HSBC's undertaking, we're trying to build software now where we don't own and maintain all of this code. What we're actually trying to do is unleash the capacity to integrate, expand, interoperate. And we're going beyond ourselves; it's easy to secure your own application. You can do some logon forms, you can put a repository with some credentials behind there, and as long as you're piping into your own system and you've got that nice connection between your client and server, you're kind of there. But that's not enough; the technologies have changed. It's not just about PINs and passwords, because that's hard. We're definitely moving on from there. We're starting to get into these areas of biometrics. I think any bank could build a PIN and password logon, but I doubt very much you're going to be able to build a biometry system that's effective and doesn't get defeated. So we're already starting to look towards technology providers that have serious capability in that area. So, no desire to code; I would posit that banks can't build this anymore at all. You'll get left behind.
Another interesting thing about banks is that they're siloed. If you see a nice front door, you've actually got lots of business silos. And business silos love their own identities; they don't let them go. So private banking has its own logon, retail has its own logon. If I go to institutional and I'm the CEO of a company, I have a different logon, so business lines take control and they don't want to let it go. The reason, too, is that they're not empowered to create any real expansion on what they want without significant investment, and that only really comes when the actual bank gets together and pools views and pools resources to create the next gen.
So ForgeRock was something that we started looking at over the last year, and we certainly saw enough to say this is it, this is going to help solve our problems. We use the ForgeRock Access Management tooling, and we're moving into the Identity Management space as well, because HSBC is huge and it's got lots of customer data. And this is where I see security commoditised: we are actually creating a platform off someone else's platform for developers to actually hook into. So now it's no longer difficult or expensive for a developer to say, how do I secure my application? I want to build a new app, how can I do that? Can you let me do that? Normally it's hard, normally it's costly. Let's commoditise that; it should be like caching, it should be like storing data in a database: access and security.
I'm going to dive a little bit into the Access Management space. When I look at how we use ForgeRock in our world, well, we've got all of these countries, all of these points of presence, all of these instances. The question is, do we have one? Does everyone log in to the one place? That's a definite no. If you're in Asia and you're hooking into a UK data centre, it's not a good experience. So we put markets around these satellite points of presence, and the Access Management (AM) instances actually sit in there. Now certain business lines will always want autonomy; they'll always want to say, we want our own kit, we want our own servers, if you blow up we don't want to blow up, and by that I mean retail versus, say, institutional banking. And that's fine. As long as we've got a pattern, we can drop out our OpenAM instances in the right way. So geographic instancing actually sits at the bottom there. You go into a point of presence, and you might instance a number of AM servers for different business lines. When you go to other markets, then you start to separate again. So within a point of presence you'll have geopolitical lines, and you instance different markets accordingly. You might have one market on one instance, or you might have multiple markets on one instance. But that's what ForgeRock AM tooling does for you: it gives us that capacity to utilise these services in ways where your business line is represented by a configuration, by a policy, and it's viewed that way.
And banks also don't just produce one app, so there are ancillary apps coming out now that we all want to get to, and that's again being driven by the way developers like to build now. The Apple app ecosystem: it's natural for people to want to build apps. So when we secured apps before, apps were always just this one big huge chunk, created or covered by this huge security system on top. So now as we expand on apps, the question is, where do the apps authenticate to? And so we've got this other multiplicity going on, where more apps across many markets, across points of presence, have to be thought about. And in that area we start to talk about the concept of realms, and we're using realms more and more now as we start to build out and start thinking about new markets coming on board. And even now it's about, well, the app does the journey. By that I mean a log-on process, or how do I handle a 401 when the microservices say you're not allowed in because you're not authenticated enough, and piloting that capacity to have a new journey to say, well, we were in a certain state and you did go through these certain processes and flows, but now we think we've got it better, so let's pilot that. Let's put that back out there, so you're not changing the entire front door of your bank, you're just testing a small amount at a time, and we use realms for that as well. So this is where, from an AM perspective, you've got a product that is a platform, but we're using it in a way that makes sense to us when you've got huge numbers of markets and huge numbers of countries actually needing to have a different posture on the same technology.
So biometrics is certainly one area we want to move to. HSBC is investing in the concept of biometrics significantly behind the scenes. And biometry, to my mind, is growing. It's not fully mature, at least in the way we use it, and it's not mature to the extent that people feel comfortable using it. It's not natural yet. However, I think what's important is that we build for it, but we build for it in a way where pivot is normal. And what I mean by that is that we see biometrics as just another credential. And if I look at biometry, I think, well, ForgeRock doesn't offer biometry. I was worried about that, actually, when I first began. But actually it wasn't a worry at all; it was actually the saving grace that ForgeRock isn't in that space. Who wants to be a biometric expert if that's not what your wheelhouse is? What I actually wanted is to have biometry connected into the middleware that underlies everything else within the bank, the security fabric. So when I look at PIN and password, which comes out of the box for Access Management (AM), when I look at 2FA, MFA, knowledge and other 2FA factors, the inherence factor of who you are is just another snap-in to the ForgeRock pipeline. And so biometry, to my mind: I'm going to add something, and I know it's going to possibly be defeated soon. I don't know who to bet the farm on, I don't know who to bet the bank's security on, but I sure as hell want to turn it off quick if things don't go well, or a new technology comes out. And if I also think of biometry not only as who you are or what you are, but how you act, then I can start to take advantage of all of the new continuous authentication processes. So I'm holding my phone, I'm doing banking, I'm sensing that things aren't right: you're not walking like me. But that's going to plug into ForgeRock, because ForgeRock's connected to the microservices. And as I'm banking, and I'm actually trying to execute a money transfer, I'm looping back to ForgeRock and asking, are we good? ForgeRock will say no, because there was a nice connection between this new tech and what ForgeRock does. ForgeRock to me is the stitching glue, the fabric that sits all the way behind all of our microservices and back end.
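The two flows just described, an app handling a 401 from a microservice by running a step-up journey and retrying, and the "are we good?" loop back to the access layer before a money transfer, are shown below as an added illustration. This is not code from the talk, and it is not ForgeRock's API; it is a small in-memory model. The authentication levels (1 for PIN/password, 2 once an inherence factor has been added), the service names `balance` and `transfer`, the journey name `biometric`, the `required_level` hint in the 401 body, and the behavioural anomaly flag are all constructed assumptions.

```python
"""Simplified model of step-up and continuous authentication (added example).

Not ForgeRock code: the auth levels, service names, journey name and the
anomaly signal are constructed for the illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import secrets

# Constructed policy: the authentication level each microservice requires.
REQUIRED_LEVEL = {
    "balance": 1,   # PIN/password is enough to view a balance
    "transfer": 2,  # moving money needs a second (inherence) factor
}


@dataclass
class Session:
    token: str
    user: str
    auth_level: int
    factors: List[str] = field(default_factory=list)
    revoked: bool = False


class AccessManager:
    """Stand-in for the central access layer that every app loops back to."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, pin_ok: bool) -> Optional[Session]:
        """Knowledge factor only: a successful PIN yields a level-1 session."""
        if not pin_ok:
            return None
        s = Session(secrets.token_hex(16), user, 1, ["pin"])
        self._sessions[s.token] = s
        return s

    def step_up(self, token: str, journey: str, factor_ok: bool) -> bool:
        """Run an additional journey. The journey name is just a label, so the
        provider behind it can be swapped without the apps noticing."""
        s = self._sessions.get(token)
        if s is None or s.revoked or not factor_ok:
            return False
        s.factors.append(journey)
        s.auth_level = max(s.auth_level, 2)
        return True

    def check(self, token: str, required: int) -> bool:
        """'Are we good?': a live, unrevoked session at or above the level."""
        s = self._sessions.get(token)
        return s is not None and not s.revoked and s.auth_level >= required

    def behaviour_signal(self, token: str, anomaly: bool) -> None:
        """Continuous-authentication hook: an anomaly revokes the session."""
        s = self._sessions.get(token)
        if s is not None and anomaly:
            s.revoked = True


class Microservice:
    """A back-end service that asks the access layer before doing anything."""

    def __init__(self, name: str, am: AccessManager) -> None:
        self.name, self.am = name, am

    def handle(self, token: str) -> Tuple[int, dict]:
        need = REQUIRED_LEVEL[self.name]
        if not self.am.check(token, need):
            # 401 with a hint of what the caller is missing (constructed shape).
            return 401, {"error": "insufficient_authentication", "required_level": need}
        return 200, {"result": f"{self.name} ok"}


def client_flow(am: AccessManager, service: Microservice, token: str,
                biometric_ok: bool) -> Tuple[int, dict]:
    """App-side 401 handling: run the step-up journey once, then retry."""
    status, body = service.handle(token)
    if status == 401 and body.get("error") == "insufficient_authentication":
        if am.step_up(token, "biometric", biometric_ok):
            status, body = service.handle(token)
    return status, body


def demo() -> Tuple[int, int, int, int]:
    """Walk one constructed session through both flows; returns the statuses."""
    am = AccessManager()
    s = am.login("alice", pin_ok=True)
    balance, transfer = Microservice("balance", am), Microservice("transfer", am)
    r1 = balance.handle(s.token)[0]                                   # level 1 suffices
    r2 = transfer.handle(s.token)[0]                                  # needs level 2
    r3 = client_flow(am, transfer, s.token, biometric_ok=True)[0]     # step-up, retry
    am.behaviour_signal(s.token, anomaly=True)                        # "not walking like me"
    r4 = transfer.handle(s.token)[0]                                  # revoked: refused
    return r1, r2, r3, r4


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the decision lives: the microservice never inspects factors itself, it only asks the access layer, so adding, swapping or switching off a biometric journey changes one place rather than every service.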
Banking APIs. It is absolutely polarised when I think of APIs on top of banks. I'm not sure that we're all in alignment or agreement. If you actually ask, should we put banking APIs out there, you will get a mixed room. You'll have people that are absolutely, let's do this; this is what people do, this is what technology's like, why not? And then you've got the others that say, this is going to kill us. From a banking perspective, this is disintermediating the customer from the brand. Having someone else's app work on your behalf is a weird concept. Where's our logo? Where's our experience? What can I put in front of them to say I've got control? And I find it interesting, because I think there are two sides to that. You can either run and hope that this doesn't happen, or you play and you play well, and I think the latter is the way to go.

Because the UK has a regulation, the Competition and Markets Authority (CMA) Open Banking initiative: you will put banking APIs on top of your bank. You will enable your customers to get up and go to another bank with ease. That's the reason. So if we actually want to push back and go, I don't like APIs, I don't want this Open Banking initiative, customers can leave easily, are you shutting the door on the capacity for customers to come to you? So there's really no way out; it's the right way to go. And from the perspective of building the highest common denominator for a global world, I'm taking the UK's view. Let's do this. Let's make programmatic API access to a bank happen, and do it well. I'm not going to build it. I'm going to use the technology of ForgeRock, OAuth, OIDC and UMA. And we're ready, because we bought the tech; we saw that future coming. All we need to do is just establish it in the right way, and get the right processes in place for developers to take a natural view on that. And that's pretty easy, because our apps effectively are relying parties to ourselves. It's no longer just apps that we have to integrate to and have a siloed view on. We're completely relying parties to ourselves. We're the relying party, the service provider, and the IdP.
Identity management is burgeoning, I think. This is not my area in particular. I've got a colleague who's working in this right now, and the connectivity between identity and access management is extraordinary, particularly when you're building off the ForgeRock product set. We've got customer data all over the world, and it's extremely well vetted. We have KYC everywhere, an extraordinarily tight KYC. So to my view, identity is currency; it's something that we can sell, it's something that we can secure, if we can manage the data together. Bear in mind, at the moment, my Australian bank account and my identity are completely different from my UK one, and HSBC doesn't know me. They know me twice, nothing in between. So if I can actually bring that together and say we're now one identity as we see it, that's going to help our systems internally. 25,000 staff members work on identity data globally at HSBC. It's a huge footprint of process. Can we reduce that? Can we make it better? Can we make it wider? When you've got the access management at the top, then you've got a way to provide proper user-managed, consent-based issuance of your data. Who are you going to interact with? What are you going to put out there? How can you take that back? It's all in that layer. So we will start to stage all of this information and think about how we as a bank can participate. Forget gov.verify. We're as good as them. We're as big as them in, say, the UK when we talk about our customer base. We're also across the globe. The other side of it, of course, is that we are behind the Great Firewall of China. We have Chinese foundations. We've got that global footprint.
So this is my last little piece, and this goes to the core, I think, of why ForgeRock as a technology is key, and what you can do with it. To my mind, it's a series of capabilities. It's a product that's been written well. It works against identity, it works against access management. So I saw a quote from Richard Branson, and it immediately made me think about what I do every day and what I think is important, and I think that this can go a long way regardless of the industry you're in. It's to say that you look after your employees first, and they look after your customers. I don't think so much about the customer journey or customer experience; I don't think so much about that outside piece. I'm thinking about the developers inside the bank that actually know quite a lot about this. Because, I don't know whether you share my view on this, but developers, before they come into work or after they go home, they're messing about and coding, and they're playing with open technologies, and they're doing things on the side and they're learning, and they're doing stuff that banks typically wouldn't let you do. So they've got a lot of knowledge; they know how to innovate. They know how to make business function. Can they execute in your organisation? I don't think it's likely in many cases. They need permission. They need to be able to say, can we do X or Y? And if you don't have the capability provided for them, if you don't turn on the features, if you make security hard, you can't do that. It's difficult. It might be risky. I think you need to create the security platforms, and create the patterns and the architectural guard rails with which you can enable developers to fly. And I think that's where the power of a bank comes from, the digital side anyway. Publish usable security capabilities. ForgeRock's a great product to use, actually; it certainly works for us, and given that, your devs will now take care of your clients. I'm Ian Sorbello, and thank you very much.