A Digital KYC/AML – Client Onboarding Checklist

Published on: 24th September 2019

I took sometime today following a series of discussions with a few friends in the Fintech, Banking and Legal space to write down a list of what one should consider as the norm when on-boarding clients in not only Financial Services but as a standard level of KYC/AML processes that every legal firm in Malta and abroad should undertake if they operate in a serious jurisdiction. One must remember that from a compliance point of view both on a legal local and international level processes must be in place and the mistakes of the past are the solutions of everyone’s future.

Easy to Use Checklist for Individual Customers (Natural Persons)

Front Facing Initial Requirements (what your customer sees and needs to provide)

Ask the customer to fill in the following fields:

  1. Full name : First Name, Last Name
  2. National or foreign ID type and number

To collect ID type, allow for the following document types:

Passport, national ID, driver’s license. Many clients ask me if they should offer “other”category for rare document types such as PEPs, diplomatic or marine passports, asylum certificates and other possible document types. For startups with limited resources I would advise against it, because if you offer “other” category, you need to continuously research it and spend time reviewing it, which is not necessarily what you would like to do.

Residential address

It is better to list all countries from where you are ready to accept customers and not even display the countries that you don’t support. E.g. EU & USA, Asia etc this needs to be based on the EMI or banking liscnce one has.

Date of birth : With financial services or other regulated products, it is better to include field validation logic and ensure that your customer is 18 years old.

Place of birth (country) include all countries (recognized by the UN or by the country where your platform is setup and liscenced.

  1. Nationality include all countries (recognized by the UN or by the country where your platform is setup and liscenced.
  2. Phone number

Always ask for clarification of country prefix drop-down list and decide if you would like the phone prefix to be only from the country of your customer’s residence or from any other country.

You can decide if you would like to confirm it (strongly recommended) by an SMS code also it helps. E-mail (confirm by reverse link) double verification.

Other due diligence should include:

Uploads: Proof of Identity: Valid ID document (passport, driving license, national ID card, where

Applicable – front and back pages). Proof of Address that is 3 months old or less: utility bills, bank statement, phone bills, credit card statements, insurance statements, childcare invoices or any other document that has a recurring nature and indicates an ongoing relationship between the customer and the sender

(e.g. school certificates, letters from the university), official letter addressed to this address or correspondence from government agency, confirmation of property purchase. Sending verification code to the customer address can be an option.

Acceptance of T&Cs and Privacy policy

When your customer has completed their registration, they have to accept your T&Cs and Privacy Policy.

You need to implement 2 separate tick boxes (or click buttons, or similar): for T&Cs and for Privacy Policy; and you cannot pre-tix them. The customer must actively accept each of them.

This is a very important moment when the customer actually becomes a customer and we can store their info, send them a welcome email, confirm their registration, send them reminders, place cookies for security (or marketing) purposes, if your Privacy Policy discloses this fact. From this moment on, you have an obligation to protect their account security and integrity.

Sending an email confirmation

Send a message to the customer confirming that their account has been registered. Ask for email confirmation (if not done so before). Now you can add instructions on how to activate the account, how to add a payment instrument, navigate the website, how to contact the support team, etc.

Through your team of MLRO’s or compliance officers they must also extenedd their due diligence on the Back-End (what you do and how you check the details provided by the customer)

On-boarding checks

During the process of client on-boarding (e.g. client registration) the following information will be provided by the client and the following checks should occur automatically (close to real time) to ensure you are performing sanctions and PEP scanning obligations and also for the purposes of managing online fraud risks;

Customer Data

“Silent checks” – not visible to the customer Follow up

Full name – The full name must be scanned against all applicable to you sanctions lists for SDN, sanctions and PEPs (you can use services, for example, by Veriff, ComplyAdvantage, WorldCheck, Trulioo, Passfort, Jumio, Onfido1) – Optional (for example, you could only use it for PEP or high-risk customers) – full name can be scanned against negative media references (corruption, scandals, bankruptcies, litigations, change in control, M&A announcements) – e.g. by RDC, Passfort, Onfido, ComplyAdvantage (be mindful, this functionality could generate a lot of false positives and should be used wisely)

– Full Name is scanned for obviously false names, e.g. Gigolo, ManUtd Supporter or silly celebrity names, obviously abusive and oblivious names (e.g. batch scanning).

– If there is a partial match from scanning, an account must not be able to transact, until the issue is researched and resolved.

Date of birth – Validation that the client is 18 years old – Block if the client is under 18

Address – Ensure that the address is from an eligible country

GEO Location – Check consistency between IP, geolocation, residence address and possibly phone prefix.

– Detect if VPN or other disguising techniques were used

– Flag inconsistencies and decide what you would like to block or escalate for manual review

Nationality – Flag cases where nationality is different from residence country

– Decide if you would like to ask for the proof of visa/legal status in the country

E-mail – Confirm email address by reverse link

– Detect temporary emails and bots

– Scan if email is listed in the known lists of  compromised credentials

– Flag bots and temporary emails.

Ongoing Checks

Here are additional examples of information that could be collected and continuously analyzed at the point of registration and going forward by using various transaction monitoring tools in order to detect suspicious activities and manage the risks of online fraud:

  • Are there signs of malware, viruses, etc. on the device used for registration and have you seen this device or this IP before and whether or not it was associated with a problematic situation.
  • “Machine fingerprint” – e.g. device ID, operational system, language settings. The device used for registration is usually a very good data point for future detection of account takeover and fraud prevention.
  • Detect instances of same device used, same IP used, same address used and any other data points matches in order to flag linked accounts.
  • Velocity monitoring: you should have rules and specific logic to be able to generate certain system alerts based on changes in the customer behavior, such as sudden increase in volumes, recently added or never used funding instrument used for withdrawals, payments to higher risk destinations and similar.
  • For physical shipping of goods, it is important to detect and analyze mismatches between the shipping address and the billing address, detect unrealistic addresses, postal codes which are associated with high levels of violent crimes, or whether there was a previous successful delivery or undisputed transaction to that customer address.
  • Behavioral biometric. How customers type or move their mouse can be an indicator of identity theft and account takeover.
  • Custom lists: It is possible and often useful to create and maintain special lists, such as“abuse list”, “high risk list”, “VIP lists” to appropriately react to certain customer activities, detect and prevent repetitive fraud, etc.

Blockchain Tracking

It is possible to risk-score the blockchain history of the bitcoin address used by the customer by using a very useful tool which we ourselves promote at www.metaluminor.com – Various AML tools and crypoto Chain analysis software. These tools are able to analyze the overall blockchain history of the address used by the customer for making a transfer. The following factors are among those analyzed to produce a risk-score for each case at a given point in time:

  • Was this address involved in disguising techniques, such as using “mixers” or aggregated accounts.
  • Was this address ever connected with a known “bad” address and if so, what was the total % of volume of those transactions.
  • Is this address connected to a known mining pool.
  • Is this address receiving funds from a known custodian or reputable crypto exchange and of so – what is the % volume.

If you would like to receive more information about what tools are available today to improve your due diligence process do not hesitate to reach out to us on info @ metaluminor.com

Remember always: Scan emails for references in commercial registers, social media and other public databases. Phone number – Check consistency with country info, flag inconsistencies and always avoid using SMS for 2FA, better to use authentication app, since it requires separate authentication when installed.

Yours sincerely,

Philip Maurice Mifsud

CEO | Founder




Meta Luminor - Head Office