Client Overview
The organisation is a commercial bank operating across three Southeast Asian countries with a combined network of 150 branches and around 1.2 million retail and business customers. The bank has been expanding its digital banking footprint, including a mobile banking app, internet banking portal, and API-based integrations with national payment switches in each country. Managing digital certificates across three country IT environments has added a layer of complexity that the bank's central IT security team was finding increasingly difficult to handle.
The Challenge
Each of the bank's three country operations managed certificates independently, using local processes that varied in formality. The group IT security team had no consolidated view of the certificate estate and relied on country IT managers to flag upcoming renewals — a process that worked inconsistently in practice. A group security review found that across the three countries, 40 certificates were either expired or within 60 days of expiry with no renewal workflow in place. Separately, the bank's Singapore operation had received a notice from MAS referencing certificate management as a gap in its Technology Risk Management framework. The bank needed a solution that could provide group-level visibility while allowing country teams to manage their own renewals within a common framework.
“Three countries, three different ways of managing certificates, and a regulatory notice in one of them. We needed to bring this under one roof without taking control away from the local teams.”
— Group Head of Information Security
The Solution
eMudhra deployed CertiNext with a group-and-country governance model: the group IT security team has a consolidated view of the full certificate estate across all three countries, while each country IT team manages its own renewal workflows within the shared platform. An automated discovery scan identified 520 certificates across the three operations. Country-specific renewal policies were configured to reflect local regulatory timelines — with MAS-aligned SLAs for the Singapore operation and equivalent settings for the other two markets. Automated notifications went to country IT managers at 90, 60, and 30 days before expiry, with group-level escalation for any certificate that entered the 14-day window without a renewal in progress. CertiNext's reporting module was configured to generate country-specific compliance reports for each local regulator.
Results
The 40 at-risk certificates were remediated within four weeks. The MAS technology risk notice was formally closed three months after deployment. The group IT team reported that certificate-related escalations dropped significantly, with country teams now handling renewals proactively rather than reactively. The bank's next annual group security review rated certificate management as a resolved risk item for the first time.
Metric | Before | After |
Group certificate visibility | Three separate silos; no consolidated view | 520 certificates in unified group dashboard |
At-risk certificates | 40 expired or within 60-day window | All remediated within 4 weeks |
MAS Technology Risk notice | Notice received; gap unresolved | Notice formally closed within 3 months |
Country renewal process | Inconsistent; relied on manual notifications | Standardised automated workflows in all 3 countries |
Group security review rating | Certificate management flagged as open risk | Rated resolved in annual group security review |
