The curam.citizenaccount.security.impl.CitizenAccountSecurity API offers a method, performDefaultSecurityChecks, that ensures the user is of the correct type. The method checks the user type and, if it is not acceptable, writes a message to the logs and fails the transaction. Call it as the first line of every custom facade method, before any processing or further validation takes place:
    public CitizenPaymentInstDetailsList listCitizenPayments()
        throws AppException, InformationalException {
      // perform security checks
      citizenAccountSecurity.performDefaultSecurityChecks();
      // validate any page parameters (none in this case)
      // invoke business logic
      return citizenPayments.listPayments();
    }
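One way to enforce this rule in code review or CI, as an added example that is not part of the original documentation or the product's own code: a heuristic Python scan that reports public methods whose first statement is not the performDefaultSecurityChecks() call. The sample facade source is constructed, and readPayment, cancelPayment, validateKey and PaymentKey are hypothetical names.

```python
import re

# Heuristic scan, not a full Java parser: comments are stripped with a regex,
# so string literals containing "//" or "/*" can confuse it.
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)
# A public method header up to its opening brace (abstract methods end in ";" and are skipped).
METHOD_RE = re.compile(
    r"public\s+(?!class\b|interface\b|enum\b)[\w<>\[\],.?\s]+?\s+(\w+)\s*"
    r"\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\s*\{"
)
# The first statement must be a bare call, e.g. citizenAccountSecurity.performDefaultSecurityChecks()
CHECK_RE = re.compile(r"(?:[\w.]+\.)?performDefaultSecurityChecks\(\s*\)")

def methods_missing_check(java_source):
    """Return names of public methods whose first statement is not the security check."""
    code = COMMENT_RE.sub("", java_source)  # a commented-out call must not count
    missing = []
    for m in METHOD_RE.finditer(code):
        # Text from the opening brace to the first ';' or '}' is the first statement.
        first_stmt = re.split(r"[;}]", code[m.end():], maxsplit=1)[0].strip()
        if not CHECK_RE.fullmatch(first_stmt):
            missing.append(m.group(1))
    return missing

# Constructed sample: one compliant method, one that validates first, one with no check.
SAMPLE = """
public class CitizenFacade {
  public CitizenPaymentInstDetailsList listCitizenPayments()
      throws AppException, InformationalException {
    // perform security checks
    citizenAccountSecurity.performDefaultSecurityChecks();
    return citizenPayments.listPayments();
  }
  public PaymentDetails readPayment(PaymentKey key)
      throws AppException, InformationalException {
    validateKey(key);
    citizenAccountSecurity.performDefaultSecurityChecks();
    return citizenPayments.read(key);
  }
  public void cancelPayment(PaymentKey key) throws AppException {
    citizenPayments.cancel(key);
  }
}
"""

if __name__ == "__main__":
    for name in methods_missing_check(SAMPLE):
        print(f"{name}: performDefaultSecurityChecks() is not the first statement")
```

The scan is deliberately strict: a check wrapped in `try` or `if` is also reported, so that a reviewer confirms it still runs before any other processing.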