Know-your-customers (KYC) policies aim to minimize the risk of money laundering, bribery, and other types of fraud. While it was originally implemented in financial institutions, companies outside the financial sector have adapted KYC with digital transactions as the primary driver. These days, the approach is enforced by virtual asset dealers, nonprofit organizations, and even social media companies.

The fight against fraud is challenging, but some KYC solution providers have learned to utilize technical information like IP address and device geolocation intelligence as part of their KYC analysis.

Why Is IP Intelligence Vital in the KYC Process?

To answer this question, let us consider the scenario where Client A and Client B downloaded a banking app to open an account. As part of the identity verification process, they would have to upload a photo of their identification card and take a selfie.

The process ensures that the documents are verified and the account applicant is truly the one conducting the transaction. But aside from identity verification, the clients’ IP addresses and geolocation are also validated for the reasons identified below.

Check for Suspicious Activities

Among the significant reasons for checking a client’s IP address is to ensure that it is not associated with suspicious or malicious activities. For example, if Client A’s IP address in our hypothetical scenario is 49[.]234[.]50[.]235, IP intelligence sources, such as the Threat Intelligence Platform, would flag it as malicious.

As a result, Client A’s account application would be denied. On the other hand, Client B, whose IP address is 49[.]225[.]140[.]100, would successfully create an account since his address is clean.

Validate the IP Address and Geolocation of Succeeding Transactions

It is important to note that the KYC process does not stop after onboarding. It should follow the client’s transactions throughout his or her tenure to protect both him or her and the organization. Every time Client B logs in to his or her account, the KYC guidelines mandate that his or her IP address be checked. So if at one point Client B uses a totally different IP address—say 185[.]220[.]100[.]241—a red flag would be raised for reasons like those indicated below.

Different IP Geolocation

To recall our hypothetical scenario, Client B initially used the IP address 49[.]225[.]140[.]100 upon signup. The IP address is assigned to New Zealand, specifically in the Takapuna region. IP Geolocation API further revealed that the Internet service provider (ISP) is Vodafone New Zealand and the connection type is cable or digital subscriber line (DSL).

The geolocation of the new IP address 185[.]220[.]100[.]241, however, is Haßfurt in Germany and the connection type is mobile. Has Client B traveled to Germany? The bank should first reach out to him or her before allowing the new IP address access to the account.

Tor Exit Nodes and Other Anonymizers

The Threat Intelligence Platform listed tor-exit-14[.]zbau[.]f3netze[.]de as the domain resolving to the IP address 185[.]220[.]100[.]241. Banks and other financial institutions generally block Tor exit nodes, virtual private networks (VPNs), and other anonymizers as part of their anti-money laundering protocols.

The policy came about after a study by the Financial Crimes Enforcement Network (FinCEN) in 2014, which found that 975 suspicious activity reports filed by banks are connected to Tor exit nodes. The amount lost to possibly fraudulent activity totaled US$24 million.

KYC is more than just identity verification. The process should uncover underlying issues relative to the client’s past and present sessions or transactions as well. With IP intelligence, organizations can discover crucial information about every user. The mandates of the KYC policy answers these specific questions:

• Where is the user located?
• Does the user’s location differ from previous sessions?
• Is he or she using a new device?
• Is the user hiding behind a Tor exit node or VPN?

By answering these questions, KYC solutions can help protect both the account owners and the organization.

Are you a cybersecurity researcher, KYC solution provider, or security product developer? Contact us to learn more about the IP and threat intelligence sources used in this post. We are also open to security research collaboration and other ideas.