Thank you Eve. And I just gotta say, for me, I work with Eve, it's a privilege to the fact to be introduced by Eve. So this is a great, great start to the story.
Look, I know it's late in the afternoon, I know we're all tired, but I presume that everybody in this room loves authorization, so that's all cool. So I'm expecting everybody it's gonna be on the ball, so to speak. So lemme introduce myself. My name's Adam Price. I'm a director of product and solution marketing at Ping Identity. I've been with the company for just under four years, and I've got the remit for positioning our financial services globally.
So Adam, do you wanna introduce yourself please?
Yes. Thank you. Right. So thanks for sticking with us today. Okay. So my name's Adam Rusbridge. I'm product lead for, for PingAuthorize. I've been with Ping for about three and a half years, about five years in the authorization space.
Wonderful.
Well, we've got an exciting topic for you today. So Alex did a great job of talking about graphs and authorization. There've been really a whole bunch of exciting sessions and panels on authorization throughout this event. So we don't wanna overboil the ocean, but I, I guess what we want to do is we want to really contextualize dynamic authorization within the context of financial services. And this is a really, really exciting landscape.
In fact, API data identity, just, just over 60% of authorization deals in financial services space, which is quite, quite, quite interesting and telling of the demand. And we've seen that in dynamic authorization space. There's been a significant uptick in demand.
I mean, the growth data shows that dynamic authorization is growing by I think, 16.5% per annum for 2030. Some could argue that it's not a very high growth rate, but it is still growth rate.
And it's really interesting because we hear Cooper Jaal, right? Cooper Jaal, KuppingerCole, I should say, pronounced it correctly. And as you may know, KuppingerCole released its policy-based access management report this year. First of its sort, that's an indicator also of the amount of demand. So that's a really exciting space to be in.
So we're gonna be conceptualizing dynamic authorization and its growth within, within its vertical. So look, today we just want to take you through the business perspective, the kind of technical perspective of where dynamic authorization fits into the industry. But I also want to kinda tie it back to value, right? So how can dynamic authorization drive value? I think that's a very important thing to, to think about as well.
And we also want to give, for those of you in the room who are thinking of making internal business case asks within your organization some tips and thinking points about how to make that ask.
So without further ado, let's just turn into the kind of the kind of positioning here in, in the financial services industry. So we all know open banking, all of us know open banking, I'm presuming, in the room, yes, open banking has been around for about six, seven years. High adoption in, in, in the European Union, in the UK, now growing in many parts of the world, including Brazil.
So this is a global kind of trend, but actually if you look at what's happening in the European landscape, EU open banking success and payment innovation is, is is leading us to look at a, the next chapter of this adventure. And that will be open finance and that's gonna be faster payments. So it's no surprise that the regulators are actually driving this. You may have heard that there was a, an extensive PSD2 consultation in 2022 last summer.
The European Commission produced two very important pieces of legislative proposals that will shape this in the future.
First was the PSD2 review results, which led to the PSR1 slash PSD3 proposals. So those are currently going through signoff process, they've not yet been announced. And then the second one, one is less publicized perhaps, is the financial data access framework. And actually, if you look at those two pieces of proposed legislation, authorization's written all over it.
So Adam, why don't you tell us a little bit about how that kind of provides the opportunity to kind of fit in dynamic authorization in that space.
Alright, thanks very much.
Okay, so I think there's a few specific items to draw attention to here. Okay, so first of all, like the regulations are talking about stronger protection of consumer rights and personal information, right? So effectively what we're seeing here is more demand from the business for authorization controls. Okay? Second is around enhanced SCA, right? Strong customer authentication. So that's really talking about adaptive access to features and functionality in the app, right? We're not just making yes/no decisions. We're starting to say "yes, but", right, with our mitigations there.
Third is around permissions, dashboards in the regulations, okay? So here we're talking about forms of delegated access and consent, right? And when we think about consent, we shouldn't think just about consent management and capture, we should also think about consent enforcement, right? So how do we actually fold that into the release of information across APIs there, right?
And finally, there are controls around fraud throughout there, right? Particularly around scams.
You know, Alex was talking about scams previously, right? Form of coercion. They're hard because people pass the biometric checks. And so at that point we're starting to fold in data from different risk signals, essentially to drive people down different adaptive pathways inside the application. So what does this mean?
In short, the business is bringing the IAM teams new requirements around authorizations. These requirements continue to evolve over time, right? Historically, we've embedded those authorization controls into the apps in across the channels leading to, you know, duplications of effort and so on. And there's prime opportunities here to externalize, centralize, abstract that way and allow it to evolve over time.
It's a big opportunity, right?
And again, financial services is where it's gonna be playing out. And actually, this is an interesting story here. So this is about six, eight weeks. Eight weeks ago, Adam and I were attending a very prolific customer and prospect event in the city, City of London. And we had one of our customers, I can't name who it is, but a top five UK retail bank. And this chap is the strategic lead for IAM, he's not just an IAM manager, he's the strategic lead for IAM, his job is to make sure the IAM can work to realize the long term values for the ba, for the, for the bank and drive an ROI.
And he ultimately said, Hey, you know, authentication is no longer enough to protect our customers and authentication is no longer enough to, to deliver the kind of experiences that we want to differentiate in the market. And I think that's a really compelling, compelling story and that really explains why, why his bank has gone through this entire journey, you know, looking at role-based entitlements and really moving towards this kind of right hand side of the continuum. See that you see here, all focused around policy-based access.
So Adam, why don't you tell us about context? How does context fold into that equation?
Yeah, absolutely. Look, again, do you know, we see like these regulations, what the bank was saying was effectively there's a, a variety of regulations, a variety of signals that all need to be folded in for this evolving landscape here, right?
So, you know, policies can be expressed in different ways when we talk about policy-based access control, right? There's a variety of ways in which they can manifest, but effectively two, two pieces coming together. One is around the policy, one is around the data, right? So down at the bottom we've got some examples of those data sources that need to be fed in to our financial services decisioning, right? So maybe it's the individual entitlements they can be expressed in different ways, right? They can be expressed across APIs, across graphs, whatever that may be, right?
We've got company rules and policies that need to be folded in. We see increasingly banks delivering shared access and shared finance type controls, right? Around individual joint accounts, corporate hierarchies and so on. But then as we move to the right, do you know what, we've got more and more of these aspects around consent, money, transfer fraud, and risk signals. All of these need to be folded in to both our authorization models and our, as our data sources there.
And I, you're talking about models here, actually, we, we kind of knock this up, this kind of idea of using capability and maturity model to think about how authorization is, is maturing and the diff different kind of use cases that we're looking at in authorization to really look at this kind of contextual need and opportunity that I alluded to. So why don't you tell us a little bit about this kind of thinking, Adam?
Yeah.
So when, when we are having conversations with organizations, you know, we can try and bucket and categorize the, the elements that we're seeing. So often on the left hand side, we see this piece around API access management, API security, right? So this ties, I think, quite closely into the OWASP Top 10 piece around broken access control that you're talking about there, right?
So, you know, can we match the subject in the token to the resource being accessed there, right? In the middle, we're moving more towards those semi-static entitlements. So which products does a user have access to?
You know, how do we express those relationships, those delegations that we have across, across the organization? And often this is, you know, it's semi-static, it's governed by the business itself. But then on the right hand side, we have these use cases that are owned by the business, but they're folding in context from multiple different sources again there, right? So we have evolving requirements, evolving regulations, high levels of audit requirements, particularly on the right hand side. And we're often using authorization to drive personalized experiences at this point.
Well, let's kind of get a bit more technical, shall we? I mean, we talk about trust fabrics and trust fabrics are a big kind of conceptual tool that KuppingerCole has developed and championed over time. So tell us how authorization fits into that kind of trust fabric layer, if you will.
So this is, yeah, like this, this is, I think what we're starting to see more and more from our financial services customers, right? They are thinking about how authorization fits into, in an interconnected landscape here. So at the top we've got channels, right?
And channels are represented by different lines of business, owned by different teams. And effectively we have organizations introducing authorization as that core architectural component that the channels use for authorization decisions, right? As we go further down on the left, we see some examples of the inputs to that authorization layer, right? So in practice, the bank will have a variety of specialist data sources that they use, okay? So they could be fresh specialist fraud and risk decisioning systems, customer specific payment limits.
But effectively what, what changes is that the channels talk to the dynamic authorization layer. The dynamic authorization layer determines, based on what the user is doing, which of those signals and sensors to pull in at that point in time, right?
That gives consistency across the channels, but also the ability for the organization to swap in and out these different sources of context, these specialized vendors as time progresses, right? Leading to agility across the estate.
The other piece is on the right hand side here, where, you know, again, we're not just folding in these signals to make yes no type decisions. When we fit into the user journey in the financial services sector, then we're also driving a different form of actions across the estate.
So again, those forms of levels of assurance, right? Introducing contextual messaging when, when we're spotting signs of coercion and scams in order to drive different customer outcomes there.
And where we do deny activities, then actually driving information to case management systems so that essentially case management teams have got, you know, the information at their fingerprint, at, at their fingertips as to why someone, some transaction has been denied for what reasons that that took place, what information has already been gathered and assessed, and how we can kind of effectively expedite the resolution of that.
And what's really fascinating is that, you know, this kind of sits at the center of this fabric right? As well.
And it, we engage with these financial services customers and, and many of them get it, but also many of them educating as well, right? So it's, it's a journey and I think it's really interesting going back to the regulations that I alluded to. I think that'd be a huge catalyst for this in the financial services space.
But Adam, you know, I kind of wanna bring it back to value a little bit, right? We wanna be without talking about business value, technical value, right? So tell us how dynamic authorization in this context can really help to drive that value.
Okay?
So, you know, often what we see the most is that someone is bringing a homegrown authorization solution to, to the table, right? That's, that's, that's where focus starting. Okay? So they have a homegrown solution in place, solves a limited number of use cases, and the business is bringing new use cases that you can't solve with the existing capabilities, right? So by externalizing, by moving, we can see some of these benefits on the right hand side here, right? We're eliminating key person risks, we're shifting policy responsibility to business analysts, right?
We're enabling that collaboration between engineering teams and business analysts at that point and allowing some the redirection of engineering capacity to some of these value add problem spaces, right? We don't wanna be building authorization systems in these organizations. We wanna be giving our attention towards the value add capabilities and areas there, right?
On the, on the left hand side, in terms of the business value, we saw a couple of things there. So the first was that implementing three use cases in one particular organization, implementing three use cases in externalized system costs the same as one in that homegrown solution, right?
62% less, less time managing the policy life cycle, 70%, 75% reduction in time to configure policies and, you know, a shift in responsibility from the engineering team to the business analyst team, right? But, you know, effectively, I would encourage you like to, to, when we look back to open banking, you know, we shouldn't just view authorization as an optimization for engineering teams, right?
So we are driving those business outcomes, we're seeing significant reduction in fraud on the left hand side, we're we're enabling new channels that require these complex authorizations like corporate, like institutional banking. We're enabling these adaptive friction right? Experiences inside the estate.
And Adam, that's, that's a really important point actually.
You know, you frequently talk to these particularly banking providers and if you look back to the PSD2 era, you know, it was in many cases a, a box tick exercise, but actually few of the players are actually thinking about how they can leverage those investments to actually drive a value added outcome. And one of the things that really popped out at me, the PSD2 review that, that, that read into is the fact that they're talking about digital inclusion and access as well.
So there's a, you know, we are, we are moving people online and as you know, bank branches are closing around the world. How can we ensure that users have access to these services that they're not left behind?
And again, authorization has a role to play in this within the delegated authorization use case.
So this is really, really an exciting piece. So it's not just about ticking boxes, saving money, making money. There's also another thing that I, I kind of bake, and we didn't plan to talk about this, but I was at a customer event in Antwerp a couple of days ago, sat next to a, a chap who is an architect of IAM for a, a major financial infrastructure provider whom I cannot name.
And he told me the story about how everything is homegrown in inside, inside their w but then he admitted that after 20 or 30 years of, of that strategy, that they can no longer sustain that. And actually he was saying, Hey, I need to look to vendors to actually get that dynamic authorization into my ecosystem rapidly. So time to value was really an important driver when we talk about value as well.
Okay, cool. So let's, now let's take a look at some practical tips that our audience can take away with them to help them formulate an internal business case. Yes.
Any ideas, any, any tips you've got for us, Adam?
Yeah, absolutely. Right.
So we, we see here, do you know three buckets that we can think of? Okay, so technology, people and process, right? So on the left hand side, organizations not specializing in authorization. There's no competitive advantage to developing, developing homegrown capabilities. And fundamentally, you know, we're still at the point where there's a lot of education in market, right? And it's going both directions at the moment that we have organizations educating vendors on what the requirements are and how those requirements evolve and, and vice versa.
We're showing the art of the possible back to the community itself. Okay? In terms of people, there are sort of a limited number of, of engineers who understand homegrown solutions, a lack of visibility into what's been implemented, right? So that key person risk that needs to be mitigated on process onboarding new case, new use cases continues to be expensive and there are effectively mechanisms to address governance concerns, shift responsibilities and rollout changes, you know, in, in much shorter timeframes there.
Yeah, it's exciting. And, and I think we've got, you know, we're just gonna wanna wrap up here. And as I mentioned, you know, the dynamic authorization market is growing and I think this number that you see here on screen is actually going to increase as we move forward. Particularly, I, I, I would make a conjecture to say that PSD3, PSR1 and, and FIDA is going to accelerate that process, certainly in EMEA. And as we know, we've got many financial service providers looking from afar on Asia and seeing how that goes. And they'll be lifting and shifting in many cases.
But I just wanna say one more thing as well. So it's interesting because, so I'm a marketer as, as, as you, as you may have known from my introduction. Now we looked at, we looked at search terms for PSD3, PSR1 and FIDA and search volumes are low.
What does that tell you? It tells you the market's not interested? No, wrong. What it actually tells you is the market is not yet educated and ready. But that is gonna come very quickly. The European Parliament is hoping to put something on the statute books in 24 after the elections, depending on the outcome of the European Parliament.
So this will move very quickly and typically the kind of window for implementation is around two years. So that doesn't really leave a lot of time for these providers to think about how they move towards a dynamic authorization mindset. And I might just say as well, this is a quote here, we displayed from, from the KuppingerCole Leadership Compass for PBAM, you know, as you can tell here, the forecasting to innovation and the standards are going to develop in this space, which is really exciting.
And actually, if you're thinking about standards, there's a panel here and Adam staying, he's gonna be on a panel, right? So you're gonna be talking about standards.
So, so really exciting space. But Adam, any last words of pa passage from you before we wrap up?
Look, yeah, I think it's just, you know, when we, when we do view authorization across this landscape here, right? It is driving business outcomes that, to link it back to open banking, right? The goal of open banking is to enable greater business outcomes, greater flexibility for the consumer, right?
And, and often when we think of authorization, we can think of it, you know, quite narrowly in terms of permissions, in terms of an evolution from roles into, into something slightly more flexible, right? But what we're seeing is the application of this into a far broader, wider range of use cases that are enabling new channels that require these complex authorizations to the application of fraud and fraud mitigations and to adaptive experiences throughout our, our journeys.
Wonderful.
Well, thank you
That, that was chock full of insights and I, for one, am a sucker for capability maturity models and I noticed that we were all fighting for like line of sight to take a picture of that. So I wanted to ask a question about, you know, are you seeing any exemplars of the second and third levels of your maturity model?
So any exemplars? I think that, you know, the, the landscape is evolving rapidly at the moment, right? I think that's a great question, by the way. Do you know?
And like, I actually think that we're still quite early on in that journey. I think it's about the articulation of the use cases though, right? And often I think broadly there's more work to do in order to publish those use cases and formalize them, right? 'cause I think they're still quite bespoke right
Now. Awesome.
Yeah,
I mean there, there, there are some really progressive banks in the UK in particular who are adopting an API first mindset and there's a correlation between that and their, their embrace of dynamic authorization. That's what I would say without naming any
Banks in particular.
Yeah, I would think, you know, sort of the digital banks, the challenger banks are where you'd find kind of that agile approach to, to do better. So that's interesting. Any questions from the audience? I didn't see any in the app. Okay. Oh yes.
One, yes. Just
A comment. The numbers that you gave are really interesting though. The 75% reduction and the 60% reduction, I, I don't remember which was which, but like 10, 15 years ago, the only number we had was Oracle saying that 20% of the, of the developers' time is spent on authorization.
So it's, it's actually good to see that externalizing authorization saves you even more. So thanks for the numbers. Mm sure.
Awesome.
All right, well help me thank Adam and Adam for that presentation.