HSBC’s digital transformation is defined by scale: 57 markets, 41 million customers, and thousands of developers creating APIs across multiple business lines, from personal and commercial banking to investment and private banking.

As a global Tier 0 bank, HSBC manages an ecosystem of thousands of applications — spanning risk management, finance, HR, and customer-facing digital services. Behind each service is a dense fabric of APIs connecting systems, enforcing compliance, and powering innovation.

“Every single one of our business units is on the API journey,” shared Eash Neelakandan, Global Head of Engineering and Infrastructure Platforms at HSBC, in a fireside chat at API Summit 2025 with Carl Mattsson, Vice President and GM of EMEA at Kong. “Delivering APIs at pace and scale while meeting regulatory requirements is what our day-to-day looks like.”

But as digital services and microservices skyrocketed across regions, the bank faced a pressing challenge: how to manage APIs consistently, securely, and efficiently without obstructing innovation.

A few years ago, HSBC found itself at a crossroads. Its decentralized API ecosystem encouraged creativity and experimentation, but the lack of uniform standards introduced inefficiencies and risk. Every line of business was solving the same problems in slightly different ways.

“Like how we’re in a revolutionary time with AI now, a few years back it was microservices,” Neelakandan said. “Thousands of APIs were being developed across markets. We needed a consistent, reliable way to manage them at scale.”

With APIs powering everything from payments to compliance, the stakes were high. Developers were spending too much time revalidating compliance and control requirements before pushing code into production; it was a process that delayed releases and constrained agility.

The goal was clear: simplify governance without suppressing innovation. HSBC needed to provide centralized control where it mattered — authentication, rate limiting, observability, and security — while giving developers freedom to build using the languages and frameworks they preferred.

Eash Neelakandan said, “We want to be a software company with a banking license — agile, secure, and ready for the future.”

To realize that balance, HSBC turned to Kong Gateway as the backbone of its API strategy. The approach was guided by one core principle: make IT easy.

“We started with a principle called ‘make it easy, make IT easy,’” said Neelakandan. “That means a platform that’s easy to develop, easy to scale, easy to trust, and easy to secure.”

This philosophy led to the creation of a developer-first platform that combines self-service onboarding, pre-configured compliance policies, and automation at every stage of the API lifecycle.

Using Kong’s open and extensible platform, HSBC centralized control functions like authentication, authorization, and observability while maintaining flexibility for developers to code in their preferred environments, from Java and Spring Boot to containerized microservices.

“We don’t tell developers not to use what they love," Neelakandan said. "But when it comes to standards and controls, we provide those centrally. That’s what makes their lives easier.”

This shift dramatically improved speed-to-market. Developers could now deploy APIs faster and more confidently, knowing compliance and governance were built into the platform by design.

“Previously, every team worried about meeting control requirements before production,” he said. “Once we simplified that path, we were surprised by the speed of innovation that followed.”

HSBC’s developer community became deeply involved in shaping the platform’s evolution. Over ten new capabilities were co-developed between HSBC engineers and Kong’s product teams, based directly on developer feedback. This collaboration culture reinforced HSBC’s vision of treating the bank as a software company with a banking license — agile, responsive, and engineering-led.

For HSBC, success is best measured by a single yardstick: time-to-market.

“If we can innovate faster, we can deliver digital experiences to customers quicker,” Neelakandan said. “That’s the single metric that captures everything.”

The results have been clear:

• 50% faster time-to-market for new digital banking experiences through automated controls and self-service onboarding

• 57 markets unified through standardized API governance and observability across global operations in retail, commercial, and investment banking

• 10+ new platform capabilities co-developed with Kong engineers, directly shaped by HSBC’s internal developer community to speed delivery and improve observability

• Continuous platform upgrades (Evergreening) without disruption

• Enhanced developer productivity and engagement through self-service tools

• Accelerated innovation cycles, powered by built-in trust and automation

These gains are transforming how HSBC operates, turning the bank into a platform organization that delivers new capabilities faster, more securely, and with global consistency.

“It’s about making the developer’s life easy" Neelakandan said. "If we take away the cognitive load, developers can focus on business outcomes rather than compliance checklists.”

What began as a technical deployment transformed into a strategic, multi-year partnership built on shared vision and mutual innovation. Over five years, the HSBC-Kong relationship evolved beyond product delivery.

“The partnership has definitely gone beyond technology,” Neelakandan said. “We launched an operational resiliency program with Kong, and the outcomes from that have become a model for vendor management across other areas of the bank.”

“We’ve been on this journey for five years, and HSBC has pushed us in the best possible way," said Mattsson. "They didn’t just ask for features; they helped us build them. That partnership has shaped how Kong itself has evolved.”

“That’s what I love about this journey," Neelakandan said. "Developers tell us what they need, and through our partnership with Kong, we deliver those capabilities together.”

Mattsson credited HSBC’s leadership team, including Group CIO Stuart Riley, with creating a culture where technology strategy connects seamlessly to business outcomes.

“It’s rare to see developer strategy so closely tied to leadership vision,” Mattsson said. “HSBC has built that alignment. As Stuart and Eash often say, everything starts with an API.”

One of the most significant milestones in the partnership is HSBC’s Evergreening Journey, a global program to streamline API gateway upgrades and maintain continuous compliance across hundreds of tenants and custom plugins.

As HSBC looks to the future, the focus turns to AI-enabled platform management using intelligence and automation to make its API ecosystem even more autonomous.

“We want to taste our own wine first,” said Neelakandan. “Before advising others on AI, we’re applying it to our own platform — an autonomous system that can manage itself. That’s not far from reality.”

The bank’s investment in API standardization and cataloging now serves as the foundation for responsible AI. With APIs connecting trusted data, core systems, and models, HSBC is ready to bring AI safely into production, starting within its own developer platforms.

“Governance is essential,” Neelakandan said. “But developer experience is what truly drives transformation. If you make it easy for developers, innovation, security, and trust follow naturally.”

HSBC’s journey shows that modernization isn’t about choosing between control and speed — it’s about designing for both. By standardizing APIs through Kong while empowering developers through automation and openness, HSBC has built a developer-first platform that moves at the speed of innovation while upholding the highest standards of trust and compliance.