Client Overview
The organisation is a regional investment firm based in a GCC financial centre, with offices in three countries and a workforce of around 450 professionals across investment management, compliance, finance, and operations. The firm manages a range of client portfolios and is regulated by the local financial services authority. In preparation for a regulatory inspection, the firm's compliance and IT teams conducted a review of their access management practices and found several gaps that needed to be addressed.
The Challenge
The firm's employees accessed portfolio management software, trading terminals, client reporting tools, and internal communication platforms using separate credentials. There was no MFA enforced for most systems, and access rights were provisioned manually by the IT team based on email requests — a process that had led to inconsistencies, with some staff holding broader access than their roles required. The regulatory inspection report noted the absence of formal access reviews and MFA on systems holding client data as compliance gaps requiring remediation. The firm was given a 90-day window to demonstrate corrective action. Additionally, with staff spread across three offices, remote access to systems was growing, and the firm had no consistent way of verifying identity for employees logging in from outside the office.
“The inspection findings were a prompt we needed. We knew our access management practices were not where they should be — the report just formalised the urgency.”
— Chief Operating Officer
The Solution
eMudhra deployed SecurePass to address the access management gaps identified in the inspection. A unified identity directory was established, replacing the ad hoc provisioning model with role-based access profiles aligned to each job function. MFA was configured using TOTP and push-based authentication, applied to all system logins — including remote access scenarios. SSO was deployed across the investment management platform, client reporting tools, trading terminals, and the internal HR and finance applications, reducing the number of separate credentials each employee needed to manage. An automated access review workflow was set up to run quarterly, generating reports for the compliance team on who had access to which systems and flagging any accounts that had not been reviewed within the prescribed period. The deployment was completed within the 90-day regulatory window.
Results
The firm submitted a remediation report to the regulator within 80 days, demonstrating MFA enforcement, role-based access profiles, and a functioning access review process. The regulator accepted the remediation without further queries. Employees reported fewer access-related issues, and the IT team noted a reduction in ad hoc provisioning requests following the introduction of standardised role profiles.
Metric | Before | After |
MFA coverage — internal systems | Not enforced on most applications | 100% enforcement across all system logins |
Access provisioning model | Manual, ad hoc; inconsistent role alignment | Role-based profiles; standardised provisioning |
Regulatory remediation window | 90-day deadline from inspection report | Completed and submitted within 80 days |
Access review process | No formal process in place | Quarterly automated access review reports |
SSO coverage | Separate credentials per system | Unified SSO across all business applications |
