Banking & Financial Services

Identity controls that satisfy APRA auditors and protect customer data.

We work with 2 of the top 10 ASX-listed organisations and a number of other financial services institutions. We deliver IAM and PAM programmes that meet APRA CPS 234 requirements and hold up under regulatory scrutiny.

100+ IAM & PAM Projects
2 Top-10 ASX Clients
100% Australian-Owned
1 BeyondTrust Partner of Year 2024

Industry Research

In 2024, financial services became the most breached industry globally — surpassing healthcare, which held the top position from 2018 to 2023.

2024 Annual Data Breach Report // Identity Theft Resource Center (ITRC)

Regulatory and compliance drivers

The compliance obligations that drive IAM in financial services.

Australian financial services organisations face layered regulatory obligations where identity and access management is a primary control domain.

  • APRA CPS 234 (Information Security): identity and access management are central to CPS 234 compliance requirements
  • APRA CPG 234 guidance on privileged access and identity lifecycle management
  • ASIC Regulatory Guide 255 on operational resilience and third-party risk
  • PCI DSS v4.0 for card data environments: strong MFA, privileged access controls, and audit logging
  • AUSTRAC AML/CTF requirements for access controls over transaction monitoring systems

Banking-specific challenges

Identity complexity in enterprise financial services.

Enterprise financial services environments are more complex than the vendor documentation describes. We have seen this across engagements with major Australian banks.

  • Strict MFA requirements for all privileged access, particularly to core banking systems
  • Segregation of duties across trading, operations, settlements, and compliance functions
  • Third-party vendor and contractor access to production and near-production systems
  • Core banking system privileged access: most core banking platforms have limited native IAM capability
  • Customer identity (CIAM) for digital banking channels and mobile applications
  • Regulatory audit trails demonstrating the effectiveness of access controls over time
  • APRA notification and remediation requirements when material information security incidents are identified
What we deliver

Our most common financial services engagements.

These services address the core identity and privilege obligations facing APRA-regulated institutions.

Conditional Access Review

APRA CPS 234 assessments regularly identify gaps in conditional access policy. We review your existing policies, identify weaknesses, and deliver a remediated policy set.

Identity Maturity Assessment

Establish your baseline before committing to a CPS 234 response programme. We assess your identity and privilege controls and produce a prioritised gap analysis.

Frequently asked questions

Financial services IAM questions.

Yes. We routinely work under strict confidentiality arrangements with financial services clients. We do not name our banking clients publicly, and we design our engagements to minimise the number of people with visibility into your environment.
APRA CPS 234 findings related to identity and access management are among the most common. We assess your current controls against APRA's expectations, identify material weaknesses, and deliver the engineering remediation required to close those gaps. We produce documentation that supports your response to APRA.
Yes. Core banking platforms have limited native identity and access management capabilities. We design and implement PAM controls that wrap around core banking systems, providing credential vaulting, session recording, and just-in-time access without requiring changes to the core banking platform itself.
Trusted by Australia's Largest Banks

Confidential engagements. Proven at scale.

We routinely work under strict NDA with APRA-regulated institutions. Our engagements are designed for confidentiality, and we do not name our banking clients publicly. The results speak through regulatory outcomes, not press releases.

Speak to our financial services team.

Whether you are responding to an APRA finding, preparing for a CPS 234 review, or planning a PAM programme, we can help.
