A large investment bank secures its trading desks.
Controlling accesses in a high-pressure environment
Natixis is the corporate, investment and financial services arm of Groupe BPCE, France’s 2nd largest bank with 22% of the country’s deposits and 37 million clients. Natixis’ 22,000 employees generate 52% of net banking income outside France. The bank has its own client base of companies, financial institutions and institutional investors as well as Groupe BPCE’s client base of individuals, professionals and SMBs.
Natixis’ 750 traders buy and sell a large amount of financial instruments to support the bank’s corporate and investment banking, investment activity and specialized financial services. As trading is a core strategic process, Natixis closely supervises traders with internal controls. Still, by analyzing suspicions of fraud in other banks, Natixis realized that authentication was a weak link in the control chain.
“We monitor trading activity from a financial viewpoint but what if somebody else uses a trader’s stations to perform illegitimate trades?” says Alain Bernard, Natixis Chief Security Officer. “Some people might use a colleague’s passwords to ‘help out’ or for less honest reasons, this introduces operational risks. To address the issue, we decided to enforce biometric authentication in trading rooms, along with the appropriate access solution.”
Reinforcing traders security and productivity
Natixis began the project with competitive proof-of-concept installations. Out of four suppliers, Evidian was selected for its Authentication Manager and Enterprise SSO software.
The combined solution was the most satisfactory in terms of reliability, features and regulatory compliance. Still, authentication alone would not have fulfilled the bank’s needs. The solution had to meet the stringent operational requirements of trading floors.
“Traders use a cluster of stations to perform their work: 3 on average, but sometimes up to 10. A single biometric authentication must give access to – and lock – a whole cluster of PCs at once” says Alain Bernard. â€œIn addition, assistants must prepare their traders’ stations in the morning, locking out those assistants via biometrics would make no sense. Finally, trader assistants must still be able to monitor critical status screens while traders are away.”
To demonstrate that the solution satisfied the bank’s operational needs, Evidian worked with Natixis to test many scenarios, from daily operations to emergency process and maintenance. The bank concluded that Evidian’s solution was a perfect fit for its trading rooms.
Biometric authentication in the field
For Natixis, using vein instead of fingerprint authentication was an obvious choice. First, the tests demonstrated that the fingerprinting technology was still lacking. After trying out many real-life scenarios, involving wet or dirty hands, Natixis concluded that the rate of false negatives was high. This was totally unacceptable for traders, who demand quick access to their stations. But another major factor was the European legal environment.
“French law, for instance, is very strict regarding fingerprint biometrics: you cannot store the fingerprint’s biometric signature centrally. This is legitimate from a privacy point of view, as unlike a password, a fingerprint stays with you for life” says Alain Bernard. “Working around this would require storing the signature on smart cards. But this would create new operational constraints for traders and administrators. Fortunately, Evidian’s solution elegantly solves all operational and regulatory issues.”
Through Evidian’s integration with Hitachi’s VeinID finger vein authentication, traders authenticate without carrying any devices. This gives them flexibility and fast access to the stations in their trading desk. And with Evidian’s single sign-on, assistants and traders do not need to enter any application password, enhancing productivity.
Security beyond technology
Evidian solutions adapt to operational environments, even those as demanding as Natixis’ trading rooms. According to Evidian, security cannot be efficient in an organization unless it adapts to existing business processes that are designed with productivity in mind. Therefore, security solutions must take into account the practical requirements of businesspeople.
“Technology is just the beginning. If traders felt that their work was hampered in any way, the authentication project would have failed” says Alain Bernard. “Evidian made sure that their solution functions smoothly in the demanding environment of our trading floors, with our procedures and everyday constraints.”
For instance, access delegation is especially useful in trading rooms. Traders can quickly delegate access to their trading desk to a colleague or a support staff member. They delegate access themselves, under the control of the Natixis security policy, without calling the helpdesk. As a result, traders can ask a colleague to perform an emergency trade if their Blackberry warns them of a market situation. All delegated accesses are logged as such, which satisfies the bank’s stringent audit requirements.
Natixis procedures call for human supervision of trading desks, even if the trader is away. This helps spot market emergencies. Again, simple station locking would be unacceptable, as it would make supervision impossible. To solve this, the Evidian solution allows for live screens with locked mouse and keyboard when the trader is not present. This fully satisfies Natixis operational rules while enhancing security.
- Large investment and financial services bank
- 22,000 employees in 68 countries
- 750 traders
- Custom trading desks
- Up to 10 PCs and dozens applications per trader
- Biometric access control to trading stations
- Conform to local confidentiality laws
- No impact on trader productivity
- Finger vein biometrics in trading rooms
- One-login access to clusters of stations
- Delegation of access to assistants for fast application start-up
“Trading room security is strategic for Natixis. Evidian’s solution reinforces access to our traders’ clusters of PCs via biometrics. This strengthens user authentication in a very critical environment. Evidian solution fits very well in our demanding environment, with its stringent operational processes and requirements. We have strongly reduced access risks while improving trader productivity.”
Chief Security Officer – Natixis