2. The identity management policies and procedures referred to in paragraph 1 shall contain all of the following:

• (a) without prejudice to Article 21, first paragraph, point (c), a unique identity corresponding to a unique user account shall be assigned to each staff member of the financial entity or staff of the ICT third-party service providers accessing the information assets and ICT assets of the financial entity;
  • For the purposes of point (a), financial entities shall maintain records of all identity assignments. Those records shall be kept following a reorganisation of the financial entity or after the end of the contractual relationship without prejudice to the retention requirements laid down in applicable Union and national law.
• (b) a lifecycle management process for identities and accounts managing the creation, change, review and update, temporary deactivation, and termination of all accounts.
  • For the purposes of point (b), financial entities shall, where feasible and appropriate, deploy automated solutions for the lifecycle identity management process.