Atlas Apex


Basel III

Basel III is where identity becomes a measured operational-risk and operational-resilience input — and where ICT failure has explicit capital implications.

Full name: Basel III — International regulatory framework for banks (BCBS standards)
Region: International (national supervisor implementation)
Applies to: Internationally active banks. While Basel III is primarily a capital, liquidity, and leverage framework, the BCBS Principles for the sound management of operational risk and the 2021 Principles for operational resilience put identity squarely inside operational risk and operational-resilience obligations.

Basel III itself is a capital-adequacy framework, but the BCBS principles that supervisors implement alongside it bring operational risk and operational resilience into scope. The 2021 Principles for Operational Resilience explicitly require banks to identify and protect critical operations against severe disruption — which, for any modern bank, includes the identity services that authenticate customers, employees, and counterparties.

What it asks for

The Identity Lens

The clauses that bite when identity architecture is weak, rewritten in plain English. Authoritative text is linked below.

Principle 5 — ICT including cyber security (Principles for operational resilience)

Banks must implement an ICT risk-management programme that protects critical operations against ICT disruption, including from cyber threats. Identity providers, federation, privileged-access infrastructure, and customer-authentication services are inside this perimeter.

Principle 6 — Third-party dependency management

Critical third-party dependencies — including identity-as-a-service providers, payment processors, and authentication vendors — must be mapped, tested, and substitutable. Identity vendor concentration is now an explicit operational-resilience concern.

BCBS 239 — Risk data aggregation and reporting

Identity audit data is risk data when it feeds operational-risk reporting. The lineage, accuracy, and timeliness expectations of BCBS 239 apply to identity events that drive risk metrics.

Operational risk capital (Pillar 1) and AMA / SMA

Material identity incidents (account takeover, data theft, fraud through compromised credentials) fall inside the operational-risk loss data that drives capital under the standardised measurement approach. A poor identity programme materially increases the bank's regulatory capital requirement.

Where teams miss it

Common Misses

Patterns we see again and again — usually because the identity programme runs in parallel to the compliance programme rather than inside it.

Operational-resilience playbook that names 'core banking' as a critical operation without naming the identity service that authenticates every transaction into core banking.

Identity-as-a-service vendor treated as commodity SaaS with no operational-resilience tiering, despite being the single point of failure for customer login.

Identity loss events recorded in security tooling but never flowing into the operational-risk loss-data programme — so the capital model never reflects the actual risk.

Third-party register that lists the IdP but not the downstream connectors, brokers, and authentication-flow vendors that sit between the bank and its customers.

What works

Where Design Pays Off

Patterns we have seen survive supervisory review, audit, and the next change.

Identity services classified as critical operations under the bank's operational-resilience programme, with impact tolerances, substitutability plans, and severe-but-plausible scenario testing.

Identity loss events feeding the operational-risk loss-data pipeline so the capital impact of weak identity is visible at the board level.

Vendor-concentration mapping that includes identity providers and the authentication chain, with documented exit and substitution strategies.

Need a Basel III-ready identity baseline?

We start with an assessment that maps your identity controls to Basel III requirements, then design and operate the gaps.
