The use of application programming interfaces, or APIs, has exploded over the past several years. As governments and other institutions increasingly offer digitized records, firms are tapping into that data to make the process of confirming prospects’ identities more efficient. In 2017, there were more than 17,000 public APIs available for use.1With the right partners, financial institutions can access more than just public data; they can also obtain access to government and private records such as phone records, credit bureaus, DMV information, arrest records, utilities, court records, and business data.
APIs also allow for a level of customization, enabling faster integrations with partners. In an API-driven world, companies can perform the dual goals of meeting ID verification rules and providing a better onboarding experience for the customer. An increasing number of firms are growing comfortable with public cloud and software-as-a-service offerings, which allow them to scale up and down as their data needs ebb and flow. If you’re one of those companies, here are some things to keep in mind as you embark on your API journey:
In its “Financial Services Technology 2020 and Beyond” report, PwC says that firms “will need an architecture that can bend as requirements change and interact with data and systems that could be anywhere.”2
In the past, enterprise systems tended to be the only source of data and processing, but now, they are simply a component of a larger ecosystem that includes cloud services, employee devices, the Internet of Things, and third-party data. Much of that information will be coming in through APIs, so enterprises have a clear business case to update their systems and governance to handle them.
“APIs require that financial institutions think differently about strategy, given that the transactions that call them may come from third parties,” PwC writes. “New business models will influence how firms think about the data models they use, how they aggregate information from other sources, the support structures they implement, and more. This is not just an issue for business strategists; it has clear technical implications for the teams who are responsible for doing the work.”
In its “API Economy: Systems to Business Services” report, Deloitte recognizes that API integration means there will be more systems and people with access to sensitive data.3 Information will flow both in and out of your organization, and implementing IT governance and security procedures to protect both the prospect you’re seeking information on and the information coming in about them, is crucial for building trust.
“The user types and their levels of access for cloud applications need to be managed,” adds the Cloud Standards Customer Council in the user group’s “Cloud Customer Architecture for API Management” paper.4 “This could include business users (customer, vendor, third-party, staff users), or IT users (administrators, privileged users, application users). Identity and access management could leverage the enterprise user directory … [Firewalls] in the public network component tier help protect the network-level flows to application and data.”
APIs, and the third-party data they enable access to, are tools. But simply building an API is not a solution alone. Companies need to adjust business processes and IT backend in order to optimize the use of APIs. For example, onboarding practices may need to be adjusted in order to better integrate the data at pain points.
In its article “For Commercial Banks, a Better Route to ‘All Aboard,’” Bain and Co. suggests that companies begin advancing their KYC processes by identifying the key data the company needs to comply with regulations: “Onboarding requirements and forms tend to swell over time with regulatory changes and local variations, yet obsolete material does not get culled. Rationalizing the documents to a coherent list of essential data points will help to minimize complexity and reduce the workload.” 5
After that, companies can incorporate data into their processes more easily through advanced customer portals. Such portals can “be enhanced with features, such as advanced character recognition, so that proof of address serves to prepopulate fields. And it should be integrated with other IT systems to allow for the automatic population and maintenance of data,” Bain says.
The goal of using APIs and third-party data is to streamline onboarding and increase customization with internal systems. For most firms, the best move is to find a valuable partner with a turnkey solution, rather than try to identify and integrate all the data sources they want themselves. After the U.S.’ Financial Crimes Enforcement Network (FinCEN) put new KYC requirements into effect in 2016, PwC’s Dan Ryan posted three guidelines for firms looking to partner up to meet those regulations on the Harvard Law website:6
- Ensure that the partner itself meets cybersecurity requirements and has received appropriate certifications
- Only choose partners that align with your risk appetite
- Be sure that you and your partner are aware of jurisdictional differences
Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a ‘consumer report’ as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning, establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing, or for any other purpose authorized under the FCRA. By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.