TL;DR: ASEAN banks are being pushed to move from transaction processors to lifestyle ecosystem orchestrators, using integrated third-party services and behavioral data to defend customer mindshare against super apps, according to Comarch. That shift changes the governance problem from rewards design to data, access, and partner-control orchestration across the broader digital estate.
NHIMG editorial — based on content published by Comarch: banking lifestyle ecosystems and loyalty strategy for ASEAN banks
Questions worth separating out
Q: How should banks govern third-party services inside a lifestyle ecosystem app?
A: Banks should govern embedded services the same way they govern privileged access paths.
Q: Why do lifestyle ecosystems increase identity and access risk for banks?
A: They increase risk because the bank no longer controls every identity and control point in the customer journey.
Q: What do banks get wrong about personalization in ecosystem banking?
A: They often treat personalization as a product feature instead of a governed access and data-use decision.
Practitioner guidance
- Inventory every ecosystem integration List each third-party service embedded in the banking app, the identity it uses, the data it can access, and the business owner responsible for revocation and review.
- Separate customer context from reusable attributes Define which behavioural and intent signals may be consumed for personalisation, which may be shared, and which must remain confined to the originating service.
- Apply lifecycle controls to partner access Tie partner onboarding, recertification, scope review, and offboarding to the same governance calendar used for high-risk internal access.
What's in the full article
Comarch's full article covers the commercial and loyalty-program detail this post intentionally leaves at the strategy layer:
- How the Unified Hub model is positioned for ASEAN banking loyalty programmes
- Examples of ESG-linked rewards and values-based banking features
- The vendor's discussion of customer retention, mindshare, and daily-use engagement
- Quoted perspectives from banking and loyalty leaders on programme evolution
👉 Read Comarch's article on banking lifestyle ecosystems and loyalty strategy →
Banking lifestyle ecosystems: what it means for IAM teams?
Explore further
Identity governance is becoming a product design issue, not a back-office control. When a bank embeds e-commerce, travel, or health services into its app, access decisions move into the customer journey itself. That means entitlement scope, partner onboarding, and offboarding now shape market trust as much as security posture. The practitioner conclusion is that identity teams have to govern the orchestrator, not only the bank core.
A few things that frame the scale:
- Companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, with US organisations leading at 40.8%, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant behaviour gap in day-to-day control execution.
A question worth separating out:
Q: Who is accountable when a partner service embedded in a bank app fails?
A: The bank remains accountable to the customer, even when the service is operated by a third party. That means contracts alone are not enough. Security, IAM, legal, and product teams need joint ownership of access scope, offboarding, incident response, and customer-impact review before integration goes live.
👉 Read our full editorial: ASEAN banks face a loyalty and ecosystem governance shift