Kong Sanction List Plugin
In the modern era of digital services, regulatory compliance has become a non-negotiable aspect of API management. Organizations must ensure their systems are not inadvertently engaging with sanctioned entities or politically exposed persons (PEPs). Yet, achieving this compliance without disrupting existing workflows is no small feat. This is where the Kong Sanction Lists Plugin shines. Designed for minimal latency, seamless integration, and reliable performance, the plugin allows businesses to incorporate real-time sanction screening into their API flows without missing a beat.
The Kong Sanction Lists Plugin is a breakthrough in compliance innovation, offering a streamlined way to screen API requests against sanctions and PEP lists. By intercepting requests at the Kong Gateway, the plugin ensures that every interaction is evaluated against regulatory lists without compromising speed or requiring significant changes to upstream or originator systems.
The plugin operates with precision and simplicity. When an incoming request includes the headers X-Adi-Full-Name and X-Adi-Id—containing the full name and identifier of a person or organization, respectively—the plugin triggers a validation call to the Abee DI Sanction List API. If the entity matches an entry on a sanctions list, the plugin appends a header, X-Adi-Sanctions, containing a serialized JSON object with detailed information about the match. This enriched request is then passed to the upstream service, enabling it to act on the compliance data as needed.
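How an upstream service might consume the header flow described above, as an added example that is not the plugin's own code. It assumes that screening only happens when both identity headers are present and treats the match JSON as opaque; the function names, the policy in should_process and the sample values are hypothetical.

```python
import json

# Header names as given on the page (HTTP header names are case-insensitive).
NAME_HDR, ID_HDR, SANCTIONS_HDR = "x-adi-full-name", "x-adi-id", "x-adi-sanctions"


def classify_request(headers):
    """Classify a gateway-forwarded request as (decision, match).

    "match"      - X-Adi-Sanctions holds a JSON object describing the hit
    "invalid"    - X-Adi-Sanctions is present but is not a JSON object
    "unscreened" - an identity header is missing, so nothing triggered a check
    "clear"      - identity headers present and no X-Adi-Sanctions header
    """
    h = {k.lower(): v for k, v in headers.items()}
    raw = h.get(SANCTIONS_HDR)
    if raw is not None:
        try:
            match = json.loads(raw)
        except ValueError:
            return "invalid", None
        # The match is kept opaque: the page does not document its fields.
        return ("match", match) if isinstance(match, dict) else ("invalid", None)
    # Assumption: the plugin screens only when both identity headers are set.
    if not h.get(NAME_HDR, "").strip() or not h.get(ID_HDR, "").strip():
        return "unscreened", None
    return "clear", None


def should_process(headers):
    """Hypothetical upstream policy: only screened, unmatched requests proceed."""
    return classify_request(headers)[0] == "clear"


# Constructed sample requests; the JSON field names are made up for illustration.
IDENTITY = {"X-Adi-Full-Name": "Jane Example", "X-Adi-Id": "ID-0001"}
SAMPLES = {
    "clear": dict(IDENTITY),
    "match": {**IDENTITY, "X-Adi-Sanctions": '{"list": "SAMPLE", "score": 0.97}'},
    "invalid": {**IDENTITY, "X-Adi-Sanctions": "not-json"},
    "unscreened": {"X-Adi-Full-Name": "Jane Example"},
}

if __name__ == "__main__":
    for expected, hdrs in SAMPLES.items():
        print(expected, classify_request(hdrs)[0], should_process(hdrs))
```

Separating "unscreened" from "clear" matters because a missing X-Adi-Sanctions header alone does not show that a check ran.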
What makes this plugin remarkable is that it integrates directly into existing workflows with almost no disruption. It was deliberately designed to minimize changes required for both sides of communication—originators sending requests and upstream services processing them. The use of standard HTTP headers ensures compatibility, while the addition of a single response header provides actionable insights without the need for complex restructuring.
When introducing a compliance layer to API management, performance is often the biggest concern. APIs must process thousands or even millions of requests per second, and any delay can have cascading effects. The Kong Sanction Lists Plugin was built with this reality in mind, ensuring it delivers blazing-fast performance without compromising on accuracy or reliability.
Testing under peak conditions revealed the plugin’s ability to handle massive traffic loads with stable response times, proving its suitability for large-scale deployments. Whether processing hundreds or millions of requests per minute, the plugin maintains consistent performance, ensuring compliance checks never become a bottleneck.
Beyond speed, the Kong Sanction Lists Plugin was designed to integrate effortlessly into existing workflows. For organizations already managing complex API ecosystems, introducing a new compliance layer can be daunting—requiring changes to payloads, endpoints, or upstream logic. This plugin eliminates those concerns by working within the established patterns of API communication.
The use of standard headers, such as X-Adi-Full-Name and X-Adi-Id, ensures that the plugin can operate without requiring modifications to payload formats. On the upstream side, the inclusion of the X-Adi-Sanctions header means services can process compliance data with minimal updates to their existing logic. This simplicity makes the plugin not only easy to adopt but also highly flexible, accommodating a wide range of use cases and system architectures.
Administrators can configure the plugin dynamically through the Kong Admin API, adjusting parameters like the validation_url and api_key without restarting the gateway. This flexibility allows businesses to adapt quickly to changes in regulatory requirements or API infrastructure.
The result is a plugin that not only integrates seamlessly but does so in a way that respects the operational needs of both originators and upstream services. Businesses can implement compliance screening without the need for major overhauls, saving time, resources, and effort.
The Kong Sanction Lists Plugin embodies the perfect balance of innovation, performance, and practicality. It delivers a high-performance solution for real-time sanction and PEP screening while maintaining the speed and reliability that API-driven businesses demand. By enabling seamless integration and requiring minimal modifications to existing workflows, the plugin ensures that organizations can enhance their compliance measures without disruption.
In a world where regulatory landscapes are becoming increasingly complex, the ability to integrate compliance directly into API flows is a competitive advantage. With its low-latency design, secure handling of sensitive data, and dynamic configuration options, the Kong Sanction Lists Plugin empowers organizations to stay ahead of regulatory requirements while maintaining the agility and efficiency their customers expect.
The journey to develop this plugin was guided by a commitment to solving real-world problems in a way that is both innovative and practical. The result is a solution that redefines how businesses approach compliance, offering a faster, more seamless, and highly reliable way to ensure every API request meets the highest standards.
- Plugin Luarocks package: https://luarocks.org/modules/grulka/kong-adi-sanction-lists
- Plugin GitHub page: https://github.com/alkeicam/kong-adi-sanction-lists