A Digital KYC/AML – Client Onboarding Checklist
Published on: 24th September 2019
I took some time today, following a series of discussions with a few friends in the Fintech, banking and legal space, to write down a list of what one should consider the norm when on-boarding clients: not only in financial services, but as a standard level of KYC/AML process that every legal firm in Malta and abroad should undertake if it operates in a serious jurisdiction. One must remember that, from a compliance point of view, processes must be in place at both the local legal and the international level, and the mistakes of the past are the solutions of everyone’s future.
Easy to Use Checklist for Individual Customers (Natural Persons)
Front Facing Initial Requirements (what your customer sees and needs to provide)
Ask the customer to fill in the following fields:
- Full name: First Name, Last Name
- National or foreign ID type and number
To collect the ID type, allow for the following document types: passport, national ID, driver’s licence. Many clients ask me if they should offer an “other” category for rare document types such as PEP, diplomatic or marine passports, asylum certificates and other possible documents. For startups with limited resources I would advise against it: if you offer an “other” category, you need to continuously research it and spend time reviewing it, which is not necessarily what you want to do.
It is better to list all the countries from which you are ready to accept customers and not even display the countries that you don’t support (e.g. EU and USA, Asia, etc.); this needs to be based on the EMI or banking licence one holds.
- Date of birth: with financial services or other regulated products, it is better to include field validation logic and ensure that your customer is at least 18 years old.
- Place of birth (country): include all countries recognized by the UN or by the country where your platform is set up and licensed.
- Nationality: include all countries recognized by the UN or by the country where your platform is set up and licensed.
- Phone number
Always provide a country prefix drop-down list and decide whether the phone prefix should be restricted to the country of your customer’s residence or allowed from any other country.
You can decide whether to confirm the number by an SMS code (strongly recommended); it also helps. E-mail should be confirmed by a reverse link (double verification).
Other due diligence should include:
- Uploads: Proof of Identity: valid ID document (passport, driving licence, national ID card; where applicable, front and back pages).
- Proof of Address that is 3 months old or less: utility bills, bank statement, phone bills, credit card statements, insurance statements, childcare invoices or any other document of a recurring nature that indicates an ongoing relationship between the customer and the sender (e.g. school certificates, letters from the university), an official letter addressed to this address or correspondence from a government agency, or confirmation of property purchase. Sending a verification code to the customer’s address can be an option.
Sending an email confirmation
Send a message to the customer confirming that their account has been registered. Ask for email confirmation (if not done before). Now you can add instructions on how to activate the account, how to add a payment instrument, how to navigate the website, how to contact the support team, etc.
Your team of MLROs or compliance officers must also extend the due diligence on the back-end (what you do and how you check the details provided by the customer).
During client on-boarding (e.g. client registration) the following information will be provided by the client, and the following checks should occur automatically (close to real time) to ensure you are meeting your sanctions and PEP screening obligations and also to manage online fraud risk:
Silent checks (not visible to the customer) and follow-up actions:
- Full name: the full name must be scanned against all sanctions lists applicable to you (SDN, sanctions and PEPs); you can use services such as Veriff, ComplyAdvantage, WorldCheck, Trulioo, Passfort, Jumio or Onfido. Optionally (for example only for PEPs or high-risk customers), the full name can be scanned against negative media references (corruption, scandals, bankruptcies, litigation, change in control, M&A announcements), e.g. by RDC, Passfort, Onfido or ComplyAdvantage; be mindful that this functionality can generate a lot of false positives and should be used wisely.
  - The full name is also scanned for obviously false names (e.g. “Gigolo”, “ManUtd Supporter” or silly celebrity names) and obviously abusive names (e.g. by batch scanning).
  - If there is a partial match from scanning, the account must not be able to transact until the issue is researched and resolved.
- Date of birth: validate that the client is 18 years old; block if the client is under 18.
- Address: ensure that the address is from an eligible country.
- Geolocation: check consistency between IP, geolocation, residence address and possibly phone prefix.
  - Detect whether a VPN or other disguising technique was used.
  - Flag inconsistencies and decide what you would like to block or escalate for manual review.
- Nationality: flag cases where the nationality differs from the residence country.
  - Decide whether you would like to ask for proof of visa/legal status in the country.
- E-mail: confirm the email address by reverse link.
  - Detect and flag temporary emails and bots.
  - Check whether the email appears in known lists of compromised credentials.
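As an added example (not the author’s code, nor any of the named vendors’ APIs), the following Python sketch runs the silent checks listed above at registration time: age, eligible country, watchlist screening with a partial-match hold, IP/residence/phone-prefix consistency and disposable-email detection. The watchlist, eligible countries, dial codes and disposable domains are constructed placeholders standing in for a real provider feed.

```python
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher

# Constructed placeholders; in production these come from a screening provider / your licence scope.
WATCHLIST = {"ivan petrov example", "jane doe sanctioned"}      # sanctions/PEP names (constructed)
ELIGIBLE_COUNTRIES = {"MT", "DE", "FR"}                         # countries the licence covers (assumed)
DISPOSABLE_DOMAINS = {"mailinator.com", "10minutemail.com"}     # temporary-email domains (constructed)
DIAL_CODES = {"+356": "MT", "+49": "DE", "+33": "FR"}           # phone prefix -> country (partial)

@dataclass
class Applicant:
    full_name: str
    date_of_birth: date
    residence_country: str
    phone: str
    email: str
    ip_country: str          # result of a GeoIP lookup, assumed already resolved

def normalise(name):
    """Lower-case and sort name tokens so 'Petrov Ivan' and 'Ivan Petrov' compare equal."""
    return " ".join(sorted(name.lower().split()))

def screen_name(full_name):
    """Best similarity ratio against the watchlist (1.0 = exact match)."""
    target = normalise(full_name)
    return max(SequenceMatcher(None, target, normalise(w)).ratio() for w in WATCHLIST)

def age_on(dob, today):
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def silent_checks(app: Applicant, today: date):
    """Return (status, flags). BLOCK = hard rule failed; HOLD = may not transact until
    a human resolves the flags; PASS = no findings."""
    blocks, holds = [], []
    if age_on(app.date_of_birth, today) < 18:
        blocks.append("under_18")
    if app.residence_country not in ELIGIBLE_COUNTRIES:
        blocks.append("ineligible_country")
    score = screen_name(app.full_name)
    if score >= 0.95:
        blocks.append("watchlist_match")
    elif score >= 0.8:
        holds.append("watchlist_partial_match")   # research before allowing any transaction
    prefix_country = next((c for p, c in DIAL_CODES.items() if app.phone.startswith(p)), None)
    if len({app.ip_country, app.residence_country, prefix_country} - {None}) > 1:
        holds.append("geo_inconsistency")
    if app.email.rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS:
        holds.append("disposable_email")
    status = "BLOCK" if blocks else "HOLD" if holds else "PASS"
    return status, blocks + holds
```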
Here are additional examples of information that could be collected and continuously analyzed at the point of registration and going forward by using various transaction monitoring tools in order to detect suspicious activities and manage the risks of online fraud:
- Are there signs of malware, viruses, etc. on the device used for registration? Have you seen this device or this IP before, and was it associated with a problematic situation?
- “Machine fingerprint”, e.g. device ID, operating system, language settings. The device used for registration is usually a very good data point for future detection of account takeover and for fraud prevention.
- Detect instances of the same device, the same IP, the same address or any other matching data points in order to flag linked accounts.
- Velocity monitoring: you should have rules and specific logic to generate system alerts based on changes in customer behaviour, such as a sudden increase in volumes, a recently added or never-used funding instrument being used for withdrawals, payments to higher-risk destinations and similar.
- For physical shipping of goods, it is important to detect and analyze mismatches between the shipping address and the billing address, detect unrealistic addresses and postal codes associated with high levels of violent crime, and check whether there was a previous successful delivery or undisputed transaction to that customer address.
- Behavioural biometrics: how customers type or move their mouse can be an indicator of identity theft and account takeover.
- Custom lists: it is possible and often useful to create and maintain special lists, such as an “abuse list”, a “high-risk list” or “VIP lists”, to react appropriately to certain customer activities, detect and prevent repeat fraud, etc.
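The linked-account detection and custom-list points above, as an added example that is not from the original post: registrations are clustered by shared device ID, IP or normalised address using a union-find, and an abuse-listed account taints every account in its cluster. The registration records and the abuse list are constructed sample data.

```python
from collections import defaultdict

# Constructed registration records (not real customers), one row per account.
REGISTRATIONS = [
    {"account": "A1", "device_id": "dev-111", "ip": "203.0.113.5",   "address": "12 Republic St, Valletta"},
    {"account": "A2", "device_id": "dev-222", "ip": "203.0.113.5",   "address": "4 Merchant St, Valletta"},
    {"account": "A3", "device_id": "dev-333", "ip": "198.51.100.9",  "address": "12 republic st., valletta"},
    {"account": "A4", "device_id": "dev-444", "ip": "198.51.100.77", "address": "9 Strait St, Valletta"},
]
ABUSE_LIST = {"A2"}   # custom list maintained by compliance (constructed)

def norm_address(addr):
    """Cheap normalisation so 'St.' / 'st' / case differences still match."""
    return " ".join(addr.lower().replace(".", "").replace(",", " ").split())

class UnionFind:
    def __init__(self): self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x
    def union(self, a, b): self.parent[self.find(a)] = self.find(b)

def link_accounts(records):
    """Group accounts sharing a device, an IP or a normalised address; {root: sorted members}."""
    uf = UnionFind()
    seen = {}   # (data point kind, value) -> first account that presented it
    for r in records:
        uf.find(r["account"])
        for kind, value in (("device", r["device_id"]), ("ip", r["ip"]),
                            ("address", norm_address(r["address"]))):
            key = (kind, value)
            if key in seen:
                uf.union(r["account"], seen[key])   # shared data point => linked accounts
            else:
                seen[key] = r["account"]
    clusters = defaultdict(list)
    for r in records:
        clusters[uf.find(r["account"])].append(r["account"])
    return {root: sorted(members) for root, members in clusters.items()}

def accounts_linked_to_abuse(records, abuse_list):
    """Every account in a cluster that contains an abuse-listed account."""
    flagged = set()
    for members in link_accounts(records).values():
        if abuse_list & set(members):
            flagged.update(members)
    return flagged
```

Here A1 and A2 share an IP and A1 and A3 share an address (once normalised), so A2’s abuse listing propagates to A1 and A3 while A4 stays clean.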
It is possible to risk-score the blockchain history of the bitcoin address used by the customer using tools which we ourselves promote at www.metaluminor.com: various AML tools and crypto chain-analysis software. These tools analyze the overall blockchain history of the address the customer used to make a transfer. The following factors are among those analyzed to produce a risk score for each case at a given point in time:
- Was this address involved in disguising techniques, such as the use of “mixers” or aggregated accounts?
- Was this address ever connected with a known “bad” address and, if so, what was the total percentage of volume of those transactions?
- Is this address connected to a known mining pool?
- Is this address receiving funds from a known custodian or reputable crypto exchange and, if so, what is the percentage of volume?
If you would like to receive more information about what tools are available today to improve your due diligence process do not hesitate to reach out to us on info @ metaluminor.com
Remember always: scan emails for references in commercial registers, social media and other public databases. Phone number: check consistency with the country info, flag inconsistencies, and avoid using SMS for 2FA; an authenticator app is better, since it requires separate authentication when installed.
Philip Maurice Mifsud
CEO | Founder