
The Office of the Comptroller of the Currency (OCC) released its Spring 2025 Semiannual Risk Perspective, highlighting operational risk as a top concern for financial institutions. Based on data through December 31, 2024, the report outlines how cybersecurity threats, fintech reliance, and legacy tech continue to stress the security posture of U.S. banks. While the OCC is a U.S. regulator, the themes resonate globally, especially in regions where regulators are increasing scrutiny on identity, third-party risk, and operational resilience.
The OCC paints a stark picture of the modern banking ecosystem: under siege by sophisticated cyber threats, burdened by technical debt, and increasingly reliant on third-party vendors and fintech platforms. Compounding this challenge is the rapid adoption of AI, often without adequate oversight or secure identity controls. These same concerns are echoed by global regulators, including the European Banking Authority (EBA), FSRA in West Asia, and APRA in Australia, all of which now demand greater assurance around third-party and identity-related risks.
Identity is now the preferred attack vector. Today’s attackers don’t need to break in—they log in. Whether it’s ransomware groups exploiting cloud misconfigurations or insiders abusing dormant accounts, access abuse is at the heart of modern breach tactics. Effective Identity and Access Management (IAM) is essential, but it’s not enough. What matters most is authorization intelligence: knowing exactly who can take what action, on which data, and under what conditions.
Meeting OCC expectations and aligning with international regulatory guidance requires clarity of authorization, not just access provisioning. The stakes are global, and the gaps are consistent: overprivileged identities, machine accounts with unchecked access, and opaque third-party integrations. Veza helps financial institutions operationalize least privilege, enforce Segregation of Duties (SoD), and deliver real-time authorization visibility across cloud, SaaS, and on-prem systems. Below, we break down how Veza supports each of the key risk areas outlined in the OCC’s Spring 2025 report.
Risk Area 1: Cyber Extortion and the Identity Blind Spot
The OCC’s Warning:
“Operational risk remains elevated as cyber threat actors continue to target banks and their service providers… Cyber threat actors are also increasing their use of ‘double extortion attacks.’”
This warning reflects a growing trend across the industry, as seen in FS-ISAC’s 2024 Cyber Threat Intelligence Report, which emphasizes how compromised credentials are now central to data theft and extortion. The impact of a breach is no longer defined by network access; it’s defined by what the attacker can access once inside.
How Veza Helps: Enforcing Real-Time Least Privilege
Veza enables security teams to implement true least privilege by mapping the effective permissions of every identity, human or nonhuman, across the entire digital estate:
- Shrink the Attack Surface: Identify excessive access, dormant accounts, and toxic permission combinations across SaaS, cloud, and on-prem environments.
- Secure Privileged Access: Continuously monitor high-risk accounts and roles. Go beyond “group membership” to understand what actions an admin can actually take, in real terms.
- Policy-Driven Enforcement: Tie identity risk to operational controls with automated detection and remediation through integrations with your SIEM, SOAR, and ITSM tools.
Risk Area 2: Third-Party Risk: Fintechs, Vendors, and Visibility Gaps
The OCC’s Warning:
“Simultaneously, banks continue to increasingly rely on third parties, including fintech firms, expanding the cyberattack surface… [Fintechs] may not always have appropriate experience, technical expertise, and resources in place.”
As financial institutions deepen their reliance on fintech firms, cloud vendors, and third-party processors, the attack surface expands, often without corresponding oversight. This concern isn’t isolated to the U.S.; it aligns with the EBA’s outsourcing guidelines and MAS (Singapore) directives, both of which highlight the risk of giving critical access to under-governed external entities. The problem? Many identity tools stop at authentication. What’s missing is clear insight into what external identities can actually do.
How Veza Helps: Governing Third-Party Access Across the Lifecycle
Veza provides financial institutions with the ability to enforce least privilege for third-party users, without sacrificing agility:
- Granular Vendor Visibility: Visualize effective permissions for external identities across systems. Instead of seeing only “has access,” Veza shows whether a vendor can modify production databases, exfiltrate files from S3, or manage core configurations in your Salesforce instance.
- Automated Access Reviews: Automate periodic certifications for all external identities. Veza turns technical permissions into business-readable language so data owners can confidently review, approve, or revoke third-party access.
- Lifecycle Management: When a contract ends or a vendor offboards, Veza enables immediate deprovisioning of access across both primary and downstream systems.
Risk Area 3: Insider Abuse, Fraud, and Excessive Access
The OCC’s Warning:
“Insider abuse can expose banks to excessive risk… The digital environment presents opportunities for employees to manipulate information to misappropriate assets… or steal information to resell.”
Insider threats continue to be one of the hardest risks to detect and control. The OCC report references manipulation of internal systems and data theft for resale. Similar guidance from the FCA (UK) and HKMA (Hong Kong) urges banks to strengthen internal controls and enforce Segregation of Duties (SoD) across systems. Yet too often, legacy IAM tools miss the toxic access combinations that make insider abuse possible.
How Veza Helps: Detecting Toxic Access Combinations and Preventing Abuse with Authorization Intelligence
Veza helps prevent insider abuse by making toxic access patterns visible before they’re exploited:
- Segregation of Duties Enforcement: Identify when a user or service account has combinations like “create” and “approve” on high-value transactions. Veza continuously maps these SoD violations across disparate systems, including cloud-native and legacy apps.
- Sensitive Data Visibility: Map identity-to-data relationships to ensure only authorized roles can access PII, MNPI, or financial records. Whether it’s a database, file share, or SaaS platform, Veza gives full transparency into what identities can read, write, or delete.
- Proactive Risk Detection: Tie privilege changes and dormant accounts to behavioral triggers (e.g., excessive login attempts, after-hours access) using integrations with SIEM and UEBA tools.
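To make the "toxic permission combinations" of Risk Area 1 and the SoD check above concrete, here is an added example (not Veza's code or data model) that flattens nested roles and direct grants into effective permissions and flags any identity holding "create" and "approve" on the same resource. All systems, roles and identity names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names, not Veza's data model): grants are
# (system, resource, action) tuples, roles may nest, identities may hold direct grants.
ROLE_GRANTS = {
    "payments-initiator": {("core-banking", "wire_transfers", "create")},
    "payments-approver": {("core-banking", "wire_transfers", "approve")},
    "payments-admin": set(),  # grants nothing directly; inherits via ROLE_INCLUDES
    "s3-reader": {("aws", "s3://finance-reports", "read")},
}
ROLE_INCLUDES = {"payments-admin": {"payments-initiator", "payments-approver"}}
IDENTITY_ROLES = {
    "alice": {"payments-initiator"},
    "bob": {"payments-approver"},
    "svc-batch-01": {"payments-admin"},  # nonhuman identity with nested roles
    "vendor-acme": {"s3-reader"},        # external (third-party) identity
}
DIRECT_GRANTS = {"alice": {("core-banking", "wire_transfers", "approve")}}
TOXIC_PAIRS = [("create", "approve")]  # must never coexist on one resource

def expand_roles(roles):
    """Transitive closure of role membership (nested groups, role chains)."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_INCLUDES.get(role, ()))
    return seen

def effective_permissions(identity):
    """Flatten roles, nested roles and direct grants into (system, resource, action)."""
    perms = set(DIRECT_GRANTS.get(identity, ()))
    for role in expand_roles(IDENTITY_ROLES.get(identity, ())):
        perms |= ROLE_GRANTS.get(role, set())
    return perms

def sod_violations():
    """Return (identity, system, resource, 'a+b') for each toxic pair held together."""
    findings = []
    for identity in sorted(IDENTITY_ROLES):
        held = defaultdict(set)  # (system, resource) -> actions the identity can take
        for system, resource, action in effective_permissions(identity):
            held[(system, resource)].add(action)
        for (system, resource), actions in sorted(held.items()):
            for a, b in TOXIC_PAIRS:
                if a in actions and b in actions:
                    findings.append((identity, system, resource, f"{a}+{b}"))
    return findings
```

Note that neither "alice" (direct grant on top of a role) nor "svc-batch-01" (nested role) would be caught by a check that only looks at top-level group membership, which is the gap the text describes.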
Risk Area 4: Navigating Innovation, AI Ambition, and Legacy Tech Debt
The OCC’s Warning:
“While beneficial, using any form of AI, whether produced internally or by a third party, can introduce model, cybersecurity, and compliance risks… prolonged use of older or legacy systems could… introduce security vulnerabilities.”
AI promises speed, scale, and new capabilities – but it introduces a new class of identity risk. The OCC’s Spring 2025 report highlights how AI models, especially those using external data or built on third-party platforms, carry both cybersecurity and compliance risks. Meanwhile, legacy systems, often untouched for years, continue to expose unpatched vulnerabilities and outdated access controls. These are global concerns: Basel Committee guidance warns that financial institutions must strengthen access governance for both traditional and emerging technologies.
How Veza Helps: AI-Ready and Legacy-Safe Unified Authorization Across Hybrid Environments
Veza bridges the identity gap between legacy systems, AI-driven platforms, and hybrid cloud environments:
- Secure Machine and AI Identities: Discover, classify, and right-size access for nonhuman identities (NHIs) like service accounts, OAuth tokens, and cloud roles. Veza identifies overprivileged automation accounts that could be exploited in AI pipelines.
- Normalize Access Across Environments: Whether it’s a mainframe, Oracle DB, Azure subscription, or Snowflake warehouse, Veza unifies permission models into one graph. This gives security and compliance teams consistent policy enforcement and reporting across geographies and systems.
- Accelerate Modernization Without Compromise: Modernize securely by ensuring new platforms don’t inherit legacy access risks.
The Veza Advantage: Authorization Clarity
Across regions, regulators are raising the bar on operational resilience, and identity is at the center. From the OCC’s mandates on cyber extortion and insider abuse, to the EBA’s outsourcing controls, to APAC’s expectations for secure AI adoption, the directive is consistent: know what identities can do, not just who they are.
Veza delivers authorization intelligence built for this reality. Instead of simply showing who has access, Veza’s Authorization Graph reveals effective permissions across users, service accounts, cloud roles, and SaaS integrations. This unified view helps institutions enforce least privilege, prevent fraud, and prove compliance without slowing innovation.
Whether you’re responding to regulatory audits, reducing risk exposure, or preparing your environment for AI-driven transformation, Veza brings the clarity needed to act with confidence.
Learn how financial institutions around the world are using Veza to secure their most sensitive data and meet evolving security and compliance demands.
About the Authors
Zachary Wilson
Senior Solutions Engineer, Veza
Zac Wilson brings over 20 years of hands-on experience in identity security across financial services, aerospace, and cloud-native environments. A CISSP and ISSAP, he’s led architecture and engineering efforts at Capital One, Seagate, and Orca Security. At Veza, Zac helps institutions operationalize least privilege and mitigate identity risk in complex, hybrid environments, drawing on a career built on identifying where legacy IAM systems break down.
Matthew Romero
Technical Product Marketing Manager, Veza
Matthew Romero is a technical product marketer with deep expertise in identity, compliance, and Microsoft security. Before Veza, he led GTM strategy for Microsoft Defender XDR and supported field enablement for global hybrid security campaigns. He specializes in turning complex frameworks into actionable strategy, grounded in real-world deployment challenges across NA, EMEA, and APAC.