As anyone who has worked in financial services is aware, efficient KYC (Know Your Customer) processes are important for reasons including compliance, risk management and customer protection. It is also simply good business practice to understand who your customers are, so you can target your products and services to maximise business opportunities and customer satisfaction. While this may seem like common sense, when it comes to digital products and services many companies are simply not aware of who is using their services, how they are using them, or the potential partnerships they are missing out on by not exploiting these opportunities. A recent engagement Excelsa ran with a ‘traditional business’ organisation that had started down the B2B API route highlighted this: all of their focus had been on replicating processes for their existing customers in a digital way, and they were completely unaware of an ecosystem of cloud native businesses that was forming around these APIs.
Significantly, recent high-profile data breaches at companies such as Optus and Microsoft have demonstrated how exposed a company is when it publishes APIs for anyone to use without investing in the capabilities to understand who is using those services and what their usage patterns are.
It is important to know who is using your published APIs for several reasons:
- Security: knowing who is using your API allows you to monitor usage and identify any suspicious behaviour that may indicate a security breach. This can help you to take proactive measures to protect your API and its users from potential threats.
- Performance: understanding the usage patterns of your API users can help you to optimise the API for better performance. By monitoring usage patterns, you can identify areas where the API is being overused or underutilised, and make adjustments to improve performance.
- Customer Support: knowing who is using your API can help you to provide better customer support. If a customer reports an issue with the API, you can quickly identify the customer and their usage patterns, and provide more targeted support to resolve the issue.
- Business Insights: By understanding who is using your API and how they are using it, you can gain valuable insights into customer behaviour and usage patterns. This can help you to improve the customer’s experience, identify new business opportunities, develop new products or services, and make more informed business decisions.
Knowing who is using your published API is critical to ensuring its security, performance and reliability, and it provides valuable insights that can help you improve your business operations and drive growth. We therefore need a KYC approach for API owners, applied as they attract users of their services and throughout the lifecycle of their APIs. Borrowing from the approach that banks take, and adapting it for the particular nature of APIs, this would involve the following.
- Planning: taking the deliberate step of documenting a KYC approach before even launching your API drives a cultural change within the organisation, ensuring that post-launch there is due care and attention given to the following activities. The most successful companies engage with existing and potential customers prior to any technical implementation of the API.
- Identification: for basic APIs that reveal only publicly available information this could be lightweight information such as IP address or location (bearing in mind that an IP address alone identifies a network, not a customer); for business critical APIs it could involve a full onboarding and verification process.
- Due Diligence: once identity has been established, organisations should assess the potential risks associated with the customer. This may involve collecting additional information about their intended use of your APIs and any particular performance requirements, such as transactions per second (TPS) or peak times of day.
- Risk Assessment: based on the information collected, any risks associated with the customer, or changes that may be required to the APIs, should be flagged. This could be as simple as auto-provisioning additional compute resources to support the additional load, or require more complex changes such as new rate limiting policies to ensure the new consumer does not degrade the performance of existing customers.
- Monitoring: detecting and preventing suspicious activity. This may involve monitoring for unusual transaction patterns, such as sudden spikes in transaction volumes or access requests from unusual locations.
- Record Keeping: maintaining records of your KYC activities for audit purposes. This includes collecting and retaining customer identification and due diligence information, as well as transaction records and monitoring reports.
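To make the Identification, Risk Assessment and Monitoring steps concrete, here is a small worked example we have added for this post (it is not Excelsa's code, nor any API management product's). A consumer registry of the kind Identification and Due Diligence would produce, holding the declared TPS and calling locations for each API key, is checked against constructed access log lines. The pass derives a per-consumer rate limit from the declared load, and raises the findings the Monitoring step describes: a volume spike beyond that limit, requests from a country the consumer never declared, and calls from a key that was never onboarded. The log format, key ids, consumer names and figures are all assumptions made for the example.

```python
"""Hypothetical KYC-for-APIs monitoring pass (added example, not Excelsa's code).

A consumer registry of the kind the Identification and Due Diligence steps
would produce is checked against constructed API access log lines to raise
the findings the Risk Assessment and Monitoring steps call for. Log format,
key ids, names and figures are all assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime

# Identification / Due Diligence output: who holds each API key, the load
# they declared, and where they said they would call from. Constructed data.
REGISTRY = {
    "k_acme":   {"consumer": "Acme Payments",    "declared_tps": 5, "countries": {"AU"}},
    "k_nimbus": {"consumer": "Nimbus Analytics", "declared_tps": 1, "countries": {"AU", "NZ"}},
}


def requests_per_minute_limit(key: str, headroom: float = 1.5) -> int:
    """Risk Assessment: a per-consumer rate limit derived from declared TPS.

    Headroom tolerates normal burstiness; an unregistered key gets 0, i.e.
    nothing is allowed until Identification has happened.
    """
    record = REGISTRY.get(key)
    if record is None:
        return 0
    return int(record["declared_tps"] * 60 * headroom)


def parse_line(line: str) -> dict:
    """Parse one line of the assumed 'timestamp key=value ...' log format."""
    stamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return event


def monitor(lines):
    """Monitoring: one pass over the log, returning (kind, key, ...) findings.

    Each finding is reported once per key (once per key and minute for
    spikes) so a noisy consumer does not flood the Record Keeping step.
    """
    per_minute = defaultdict(int)         # (key, minute bucket) -> request count
    flagged_countries = defaultdict(set)  # key -> undeclared countries already reported
    unknown_keys = set()
    findings = []
    for line in lines:
        event = parse_line(line)
        key = event["key"]
        if key not in REGISTRY:
            if key not in unknown_keys:
                unknown_keys.add(key)
                findings.append(("UNKNOWN_CONSUMER", key, event["src"]))
            continue
        country = event["country"]
        if country not in REGISTRY[key]["countries"] and country not in flagged_countries[key]:
            flagged_countries[key].add(country)
            findings.append(("UNUSUAL_LOCATION", key, country, event["src"]))
        bucket = event["ts"].replace(second=0)
        per_minute[(key, bucket)] += 1
        limit = requests_per_minute_limit(key)
        if per_minute[(key, bucket)] == limit + 1:  # fire on the first request over the limit
            findings.append(("VOLUME_SPIKE", key, bucket.isoformat(), limit + 1, limit))
    return findings


def constructed_log() -> list:
    """Constructed access log: a normal consumer, a bursting one with two
    calls from an undeclared country, and a key nobody onboarded."""
    lines = []
    for i in range(20):   # Acme: 20 calls in a minute, well under its 450/min limit
        lines.append(f"2024-05-01T10:00:{i:02d}Z key=k_acme src=203.0.113.5 country=AU path=/v1/accounts status=200")
    for i in range(100):  # Nimbus: 100 calls in one minute against a 90/min limit
        src, country = ("198.51.100.7", "US") if i < 2 else ("203.0.113.9", "AU")
        lines.append(f"2024-05-01T10:05:{i % 60:02d}Z key=k_nimbus src={src} country={country} path=/v1/reports status=200")
    lines.append("2024-05-01T10:07:00Z key=k_unknown src=192.0.2.44 country=AU path=/v1/accounts status=401")
    lines.append("2024-05-01T10:07:01Z key=k_unknown src=192.0.2.44 country=AU path=/v1/accounts status=401")
    return lines


if __name__ == "__main__":
    for finding in monitor(constructed_log()):
        print(*finding)
```

Run stand-alone it prints three findings: Nimbus calling from an undeclared country, Nimbus exceeding its derived 90 requests per minute, and the unregistered key. The point is that every finding depends on a record captured earlier in the process; without the registry there is no "declared" rate or location to compare against, which is exactly the gap an open API with no KYC leaves.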
Importantly, this needs to go beyond simply knowing which technical personas are using your services, the IP addresses involved, or even the developers who are integrating with your APIs. What we have seen is that most organisations look at the developer on the client side as the ‘customer’ and hence focus on providing a delightful developer experience with code examples and developer documentation. However, this approach typically sidelines the end ‘customer’, the business owner on the client side who actually requires the data or service for their own business initiative. Whilst ensuring a good developer experience is initially key to driving consumption of an API, understanding the value proposition of the API for the business customer will ultimately drive a truly successful outcome. An efficient KYC process will enable you to understand who these business customers are, as well as protecting your vital data and services.
Hopefully we have shown that an effective KYC approach involves stakeholders from across the organisation, including the business owners, IT, Security, Support and Operations. In our next blog we will explore the practicalities of a technical approach, which is more than just implementing a simple API management platform and exposing a rudimentary API portal, and perhaps more importantly how an organisation can use a Program mindset to bring together all these disparate stakeholders and technology to deliver the most effective KYC approach.