Banking is winning the trust war. Everyone else is falling behind

Banking is double digits ahead of even its most highly regulated peers (government and healthcare) in winning consumer trust. The Thales Digital Trust Index 2026 reports 57% of customers trust the banking sector, compared to 44% and below for every other industry. Banks are doing something different and being rewarded for it. CIAM industry professional Ammar Faheem examines what financial institutions are doing better, and how passwordless adoption, increased consumer data control, and risk-based authentication are turning traditional cost centers into banking’s new revenue generators.

When it comes to earning customer trust, banking is doing something right. In the recent Thales Digital Trust Index 2026 report, banking had the highest trust ranking of any industry: 57% overall, while most of the competition sat in the low double digits.

The closest competitors were other highly regulated sectors, such as government (41%) and healthcare (35%).

What’s behind the bump in trust? Just last year, there was more parity among the competition, with the banking sector pulling in a high-moderate 44% (according to the 2025 version of the same report) while government and healthcare were only a few percentage points behind (three and four, respectively).

While other sectors have seen marginal year-on-year movement, banking’s 13-point increase stands out.

In my experience working with some of these financial institutions as a consumer identity and access management (CIAM) professional, here’s where I’ve seen them getting it right.

They’re making passwordless non-optional

Banks are facing regulatory pressure to implement Strong Customer Authentication (SCA) policies, driven by standards like PSD2 and by a rise in AI-backed phishing, SIM swaps, and credential stuffing.

As a result, they are raising the bar for their customers: upgrading existing MFA architecture to passwordless authentication and making it mandatory.

This includes FIDO-based passkeys, biometrics, and device-bound authenticators, which together enable phishing-resistant MFA (very different from traditional MFA). Phishing-resistant MFA ties logins to private keys stored on physical devices (mobile phones, FIDO security keys), so there’s no chance they’ll be intercepted, spoofed, or stolen. Without the physical device, it won’t work.

As the PSD2 regulations bear down on banks across the EU, we’re seeing increased passkey adoption at financial institutions. US banks are not exempt: major American institutions like Goldman Sachs, Morgan Stanley, Chase, Citigroup, and Bank of America have significant stakes in Europe, carving out a “dominant” share of the EU derivatives market (as high as 28%), making this apply to (nearly) everyone.

The bottom line? Worldwide regulations are driving stronger authentication, and banks are responding positively. The survey says their customers are, too.

While customer trust may have been an unforeseen advantage of stronger authentication, this next improvement is one that banks knew their customers would like. It has a lot to do with security and everything to do with control.

They’re giving granular customer consent

Right now, it’s not just about safer logins. Banks are deploying modern CIAM to give their customers greater control over their data, and those customers are repaying that trust with loyalty.

Australia’s Consumer Data Right (CDR), the EU’s PSD2, and emerging standards across the US and Canada are again pushing trust in the right direction by mandating that financial institutions give their customers beefed-up consent management systems and mechanisms for data transparency and customer-controlled sharing.

CIAM capabilities are being deployed to support these policies, underpinning things like:

  • Open banking APIs
  • Granular customer consent management
  • Secure third-party identity federation

Customers want explicit control over who accesses their data and what data is shared. But they’re not the only ones to benefit: this level of granularity (tied back to identity) also gives financial institutions the data they need to craft better user experiences. Think data aggregation leading to greater personalization.
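To make "who accesses their data and what data is shared" concrete, here is an added example (not code from the article or from any bank's CIAM product) of a default-deny consent check in front of an open banking API. The customer IDs, third-party names, scope strings, and field mapping are all hypothetical.

```python
from datetime import datetime, timezone

# Constructed consent records keyed by (customer, third party); names are hypothetical.
CONSENTS = {
    ("cust-17", "budget-app"): {
        "scopes": {"accounts.balance", "transactions.read"},
        "expires": datetime(2026, 6, 1, tzinfo=timezone.utc),
        "revoked": False,
    },
    ("cust-17", "loan-broker"): {
        "scopes": {"accounts.balance"},
        "expires": datetime(2026, 1, 1, tzinfo=timezone.utc),
        "revoked": False,
    },
}

# Which consent scope covers each field of the account record (assumed mapping).
FIELD_SCOPE = {
    "balance": "accounts.balance",
    "transactions": "transactions.read",
    "address": "profile.contact",
}

def share(customer, third_party, record, requested_fields, now):
    """Return (granted fields, refused field names); anything not consented is refused."""
    consent = CONSENTS.get((customer, third_party))
    # No record, a revoked record, or an expired record all mean: share nothing.
    if consent is None or consent["revoked"] or now >= consent["expires"]:
        return {}, sorted(requested_fields)
    granted, refused = {}, []
    for name in sorted(requested_fields):
        # Unknown fields map to no scope and are therefore refused.
        if FIELD_SCOPE.get(name) in consent["scopes"] and name in record:
            granted[name] = record[name]
        else:
            refused.append(name)
    return granted, refused

def revoke(customer, third_party):
    """Customer withdraws consent; it takes effect on the next request."""
    if (customer, third_party) in CONSENTS:
        CONSENTS[(customer, third_party)]["revoked"] = True

# Constructed sample account record and evaluation time.
RECORD = {"balance": 1250.40, "transactions": ["t1", "t2"], "address": "1 Example St"}
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
```

The refused list is worth logging alongside the third party's identity: repeated requests for unconsented fields are a useful signal for the bank and a transparency record for the customer.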

This reveals a larger underlying trend: identity tools are delivering more than authentication. They are enabling authorization, consent, and even data governance at scale. This helps both banks and the people who trust them.

Last point. People don’t just want stronger sign-ons or greater control (though they do want that). They want to know that in an era where nearly everything can be faked, banks have a way to make sure they are who they say they are, at all times.

Which is why banks have leaned heavily into adaptive authentication.

They’re using risk-based authentication to reduce fraud

RBA, or risk-based authentication, is an adaptive approach that lets the organization using it raise verification standards in high-risk cases while keeping things fairly simple elsewhere.

For example, if a login attempt comes in from a remote geographic region at 2 a.m., and that pattern deviates from the baseline for this particular customer, that instance would get flagged, and the user would be asked to jump through a few more hoops. Known as “step-up authentication,” this may require an SMS code, a fingerprint, or a tokenized login.
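The scenario above, worked through as an added example (not code from the article or from any vendor's product): each login is compared with the customer's own baseline, and the summed deviation decides between allow, step-up, and deny. The signal names, weights, and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Baseline:
    """Constructed per-customer profile learned from past successful logins."""
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    active_hours: tuple = (7, 22)        # inclusive local hours of normal activity

@dataclass
class LoginAttempt:
    country: str
    device_id: str
    when: datetime
    high_value_action: bool = False      # e.g. adding a new payee

# Hypothetical weights and thresholds; a real deployment tunes these on fraud data.
WEIGHTS = {"new_country": 40, "new_device": 30, "odd_hour": 15, "high_value": 20}
STEP_UP_AT, DENY_AT = 40, 90

def risk_signals(attempt, baseline):
    """Return the names of signals where this attempt deviates from the baseline."""
    signals = []
    if attempt.country not in baseline.countries:
        signals.append("new_country")
    if attempt.device_id not in baseline.devices:
        signals.append("new_device")
    first, last = baseline.active_hours
    if not first <= attempt.when.hour <= last:
        signals.append("odd_hour")
    if attempt.high_value_action:
        signals.append("high_value")
    return signals

def decide(attempt, baseline):
    """Map the summed risk score to allow / step_up / deny, keeping the reasons."""
    signals = risk_signals(attempt, baseline)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= DENY_AT:
        return "deny", score, signals
    if score >= STEP_UP_AT:
        return "step_up", score, signals
    return "allow", score, signals

# Constructed sample data: a customer who normally logs in from GB on one phone.
BASELINE = Baseline(countries={"GB"}, devices={"phone-1"})
USUAL = LoginAttempt("GB", "phone-1", datetime(2026, 3, 2, 9, 30))
ODD = LoginAttempt("BR", "phone-1", datetime(2026, 3, 3, 2, 0))
TAKEOVER = LoginAttempt("BR", "laptop-9", datetime(2026, 3, 3, 2, 0), True)
```

Returning the signal list with the decision lets the step-up prompt and the audit log say why the extra check was triggered. A brand-new customer with an empty baseline scores on both country and device, so their first login is stepped up rather than silently allowed.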

Not only does this align with zero-trust strategies (and hit a lot of FinServ compliance boxes in the process), it shows customers that someone is watching to make sure they’re them. It provides a bit more friction for suspicious attempts, and people like to see that their behaviors matter: the bank isn’t just going to let them access their account when something seems off.

While it adds an extra step in the short term, what we’re seeing with consistently higher banking trust numbers is that it’s worth it. People both recognize and reward a “better safe than sorry” approach, especially when it comes to their financial information.

RBA is becoming foundational to a modern digital banking approach, not optional. Just last September, India’s central bank issued guidelines allowing payment issuers to add risk-based checks to existing MFA controls, as needed. Those controls only guard the front door, though; the payment details behind them still depend on secure hosting for credit card data that keeps the cardholder environment itself compliant.

It’s these kinds of timely, threat-aware changes that make consumers trust banks, even more than their healthcare providers and governments.

The big question: Does trust come down to regulation?

Banking’s trust advantage was not built solely on reputation.

It was built on a combination of regulatory pressure, mature identity infrastructure, and a willingness to make security visible to the people it protects. The regulations that drove those changes are sector-specific. The tools and the outcomes are not.

For organizations outside financial services, the question is no longer whether passwordless authentication, granular consent management, and risk-based controls are worth the investment. Banking has already answered that. The question is how much longer other sectors can afford to wait.

By Ammar Faheem, Director Product Marketing (CIAM)