Know and Serve Your Customer: Why KYC is not enough

Today’s connected businesses need to communicate, collaborate and interact with their customers in a way that’s more flexible than ever before. Knowing and, based on that knowledge, optimally serving the customer is key to success in the Digital transformation.

Customer-facing IAM needed

With the accelerating digital transformation, we intrude deeper into the subject of customer identity management than ever before. Several external drivers change economic partnerships, such as a different competitive landscape, ever-changing regulation and at the same time an increasing number of cyber-attacks. There are also internal drivers such as the need for more agile, innovative and flexible organizations. Both internal and external drivers are encompassed in overarching core topics like smart manufacturing, the Internet of Things (IoT) and Know Your Customer (KYC). To be successful in digital transformation we need to change our customer contacts. For this we need to deploy a string of key enabling technologies, e.g. identity relationship management, security and privacy, big data, right up to blockchain and distributed ledgers.

In order to reach a competitive advantage, we also have to improve our customer relationships and the way we handle data. We need to be able to deal with customers and their identities better than ever before. In times of the cloud advantages can’t be reached simply by better IT and lower costs any more. The cloud delivers equal services to everyone at an affordable price.

What’s needed is a customer-facing IAM (Identity & Access Management). While companies were traditionally only looking at employees and some external business partners in their IAM deployments, with focus on administrative efficiency and compliance, in recent times federation and the management of partners became more and more important as a B2B element. Now, finally, the customers play a role as well. And they should, obviously, given that the customer is where the money comes from. There are also, e.g., ecommerce processes that have to supported. In the future, we need to take all resources into focus. How can we, for instance, serve the customer better and safer in the cloud? How can we deal with the customer with ever-changing business partnerships and in new business models?

Besides cloud services and the access to them, we also need to manage mobile devices such as computers, tablets, smartphones and wearables as well as logins to social networks and, last but definitely not least, IoT and operational technologies (OT) in manufacturing environments. We also need ways to protect the ownership of customer data. This requires the further development and perfection of identity relationship management (IRM), as one important element. In a sense this is the advancement of IAM in the digital context. How can I still steer and control access in this much more complex world?

Holistic look at identity

Identity Relationship Management (IRM) means having a single identity model across different identities, from employees, customers, partners, but also services, things and devices. It needs to be scalable internet-wide, not only on an enterprise dimension. Most companies have many more customers than employees. Customers often deploy a number of various devices. This means other quantity structures and thus performance and scalability requirements. The people responsible for CRM (Customer Relationship Management) need to see their system in a context of IAM, since this is the biggest identity store in most companies. It provides a whole customer history. This is actually a point I already wrote about ten years ago. Other IAM sources are, for instance, ERP, Finance (credit history) and Governance. We need to add and understand context information, social logins and access paths. What is really happening there? What does the customer look like and how can he get access? Is he at the same time an employee of the company? Are there any conflicts arising out of this, e.g. when employees manage their own customer data sets?

Instead of information silos, a cross-system approach for IAM is necessary, along with an improved customer experience, faster time to market and context-sensitive, adaptive security measurements. If someone wants to get access via a relatively weak social login, another risk evaluation is needed than if she or he gets authorization via a registered account or an ID card. We need to understand the respective risk and context and adapt our evaluations accordingly. The more information we have the more precise will be each risk evaluation.

Daily breaches show that passwords are not enough anymore, especially not the same across various services. However, access has to remain user friendly to be accepted by customers. One useful additional security feature could be, for example, adaptive push authentication and notification. A new KuppingerCole Webinar provides more information about this method (in German).

KYC goes beyond CIAM

How can you know and optimally serve your customer during the whole lifecycle? Important elements here are customer self-service and integration of customer data. KYC (Know Your Customer) goes even further than CIAM (Customer Identity & Access Management). It encompasses Customer Tracking & Marketing Automation as well as Analytics (Big Data) and Privacy & Information Protection. The customer needs to give his consent about what’s being done with his data and for which reason it might be used. He must be able to withdraw this consent any time. This brings the concept of Life Management Platforms closer to reality than ever before.

KYC can best be seen as the intersection between CRM (and Marketing automation), IAM and Privacy, i.e. the marketing view of the customer, the technical or identity view of the customer and the (not only) legal perspective. Active interaction plays an important role here as well as governance. The question is: Who in the company may do what in which form with the customer? Drivers of this development are compliance topics such as anti-money laundering (AML). Technologies such as IRM are really helpful in this context to understand how different identities are connected to each other.

The term KYC is also not really accurate, since it is not only about knowing the customer, but also optimally serving him. Thus I’d prefer the term KSYC, Know & Serve Your Customer, an appropriate evolutionary step of doing CRM. If enterprises in addition finally start looking at their employees as a special kind of customers, who are granted access to more applications than others, it will improve enterprise IAM as well, bring different business divisions smoothly under one roof and help getting rid of unnecessary discussions about special applications for the management of consumer identities.