
Enriching Know-Your-Customer (KYC) Practices With IP Intelligence

Know-your-customer (KYC) policies aim to minimize the risk of money laundering, bribery, and other types of fraud. While they were originally implemented in financial institutions, companies outside the financial sector have adapted KYC, with digital transactions as the primary driver. These days, the approach is enforced by virtual asset dealers, nonprofit organizations, and even social media companies.

The fight against fraud is challenging, but some KYC solution providers have learned to utilize technical information like IP address and device geolocation intelligence as part of their KYC analysis.

Why Is IP Intelligence Vital in the KYC Process?

To answer this question, let us consider the scenario where Client A and Client B downloaded a banking app to open an account. As part of the identity verification process, they would have to upload a photo of their identification card and take a selfie.

The process ensures that the documents are verified and the account applicant is truly the one conducting the transaction. But aside from identity verification, the clients’ IP addresses and geolocation are also validated for the reasons identified below.

Check for Suspicious Activities

Among the significant reasons for checking a client’s IP address is to ensure that it is not associated with suspicious or malicious activities. For example, if Client A’s IP address in our hypothetical scenario is 49[.]234[.]50[.]235, IP intelligence sources, such as the Threat Intelligence Platform, would flag it as malicious.

As a result, Client A’s account application would be denied. On the other hand, Client B, whose IP address is 49[.]225[.]140[.]100, would successfully create an account since his address is clean.

Validate the IP Address and Geolocation of Succeeding Transactions

It is important to note that the KYC process does not stop after onboarding. It should follow the client's transactions for as long as the account exists, to protect both the client and the organization. Every time Client B logs in to his or her account, the KYC guidelines mandate that the IP address be checked. So if at one point Client B uses a totally different IP address, say 185[.]220[.]100[.]241, a red flag would be raised for reasons like those indicated below.

Different IP Geolocation

To recall our hypothetical scenario, Client B initially used the IP address 49[.]225[.]140[.]100 upon signup. The IP address is assigned to New Zealand, specifically in the Takapuna region. IP Geolocation API further revealed that the Internet service provider (ISP) is Vodafone New Zealand and the connection type is cable or digital subscriber line (DSL).

The geolocation of the new IP address 185[.]220[.]100[.]241, however, is Haßfurt in Germany and the connection type is mobile. Has Client B traveled to Germany? The bank should first reach out to him or her before allowing the new IP address access to the account.

Tor Exit Nodes and Other Anonymizers

The Threat Intelligence Platform listed tor-exit-14[.]zbau[.]f3netze[.]de as the domain resolving to the IP address 185[.]220[.]100[.]241. Banks and other financial institutions generally block Tor exit nodes, virtual private networks (VPNs), and other anonymizers as part of their anti-money laundering protocols.

The policy came about after a study by the Financial Crimes Enforcement Network (FinCEN) in 2014, which found that 975 suspicious activity reports filed by banks were connected to Tor exit nodes. The amount lost to possibly fraudulent activity totaled US$24 million.

KYC is more than just identity verification. The process should also uncover underlying issues in the client's past and present sessions or transactions. With IP intelligence, organizations can discover crucial information about every user. The mandates of the KYC policy answer these specific questions:

  • Where is the user located?
  • Does the user’s location differ from previous sessions?
  • Is he or she using a new device?
  • Is the user hiding behind a Tor exit node or VPN?

By answering these questions, KYC solutions can help protect both the account owners and the organization.
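The checks walked through in this post (reputation, geolocation drift, connection type, anonymizer use, new device) can be combined into one decision per session. The sketch below is an added illustration, not code from WhoisXML API or the Threat Intelligence Platform: the record fields, the `assess` and `baseline_from` functions, the device identifiers and the hostname heuristic are assumptions, and the lookup table is constructed from the article's scenario instead of being fetched from a live service.

```python
import ipaddress

# Constructed enrichment records standing in for IP reputation/geolocation lookups.
# Field names are hypothetical; values follow the article's scenario (defanged as on the page).
INTEL = {
    "49[.]234[.]50[.]235": {"malicious": True, "country": None, "connection": None, "hostname": None},
    "49[.]225[.]140[.]100": {"malicious": False, "country": "NZ", "connection": "cable/dsl", "hostname": None},
    "185[.]220[.]100[.]241": {"malicious": False, "country": "DE", "connection": "mobile",
                              "hostname": "tor-exit-14[.]zbau[.]f3netze[.]de"},
}

def refang(value):
    """Turn a defanged indicator (1[.]2[.]3[.]4) back into its plain form."""
    return value.replace("[.]", ".")

LOOKUP = {refang(ip): rec for ip, rec in INTEL.items()}

def is_anonymizer(rec):
    # Hostname heuristic for this example only; a production check would
    # consult a maintained Tor exit-node / VPN list instead.
    host = refang(rec.get("hostname") or "")
    return host.split(".")[0].startswith("tor-exit")

def baseline_from(ip, device_id):
    """Record what was seen at signup so later sessions can be compared to it."""
    rec = LOOKUP[refang(ip)]
    return {"country": rec["country"], "connection": rec["connection"], "device_id": device_id}

def assess(ip, baseline=None, device_id=None):
    """Return (decision, flags) for onboarding (baseline=None) or a later login."""
    ip = str(ipaddress.ip_address(refang(ip)))  # ValueError on malformed input
    rec = LOOKUP.get(ip)
    if rec is None:
        return "review", ["no_intel"]  # unknown address: never silently allow
    flags = []
    if rec["malicious"]:
        flags.append("malicious_ip")
    if is_anonymizer(rec):
        flags.append("anonymizer")
    if baseline:
        if rec["country"] != baseline["country"]:
            flags.append("country_change")
        if rec["connection"] != baseline["connection"]:
            flags.append("connection_change")
        if device_id != baseline["device_id"]:
            flags.append("new_device")
    if "malicious_ip" in flags or "anonymizer" in flags:
        return "deny", flags
    return ("review", flags) if flags else ("allow", flags)
```

A "review" result corresponds to the step where the bank reaches out to the client before granting the new address access.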

Are you a cybersecurity researcher, KYC solution provider, or security product developer? Contact us to learn more about the IP and threat intelligence sources used in this post. We are also open to security research collaboration and other ideas.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
