Digital Onboarding Checklist

The document outlines a digital onboarding checklist for customer accounts, including Know Your Customer (KYC) and anti-money laundering (AML) requirements. It details a 3-stage process: customer onboarding, which collects identification information and performs back-end checks to mark an account as "identified"; account verification, required once a trigger is activated, which marks the account as "verified"; and ongoing monitoring, which includes blockchain tracking, sanctions scanning and transaction monitoring once the account is active.

Uploaded by Inga Cimbalistė

Overview of customer onboarding, AML and risk requirements for individual and business accounts

1. Customer onboarding (Identification or Simplified Due Diligence). After completing this stage account KYC status will be “identified”.
1.1. Flow Diagram
1.2. Front end: Onboarding and Verification Questions
1.3. Accept T&Cs and Privacy policy
1.4. Send email confirmation
1.5. Back-end Checks and Scanning
1.6. Assign various flags to each customer
1.7. Sanctions and PEP Scanning and “Silent” Checks Workflow post-registration
2. Account Verification – as soon as one of the triggers has been activated. After completing this stage account KYC status will be “verified”.
2.1. Verification trigger reached
2.2. Lock verified accounts information
3. Ongoing monitoring
3.1. Blockchain tracking
3.2. Ongoing Sanctions Scanning
3.3. Transaction monitoring

1. Customer onboarding (Identification or Simplified Due Diligence). After completing this stage, the account KYC status will be marked “identified”.

1.1. Process Flow Diagram

1.2. Front end: Onboarding and Verification Questions

Customer category: Natural Persons

Collect (at account opening, upon accepting T&C and privacy policy):
a. Email
b. Full name
c. National or foreign ID type (include drop-down list) and number
d. Residential address
e. Date of birth (include age validation)
f. Place of birth (country drop-down list)
g. Nationality (drop-down list)
h. Phone number

Verify (when one of the verification triggers occurs later on):
Proof of Identity: Match of the full name, date of birth and the ID number. Valid ID document = passport, driving license, residency card or national ID card. Where required or allowed by law, national population register or national ID database may be utilized. All documents must be valid at the moment of the review.
Proof of Address: Utility bill, bank statement, official letter addressed to this address that is less than 3 months old, correspondence from a governmental agency, confirmation of property purchase, letters from school or university. Sending verification code or credit/debit card delivery to the customer address can be utilized.

Customer category: Business Accounts

Collect (at account opening, upon accepting T&C and privacy policy):
a. Email
b. Legal entity name
c. Date and place of incorporation
d. Business address
e. Registration number or Tax/VAT number (depending on what is commonly used in the country, VAT number mandatory for EU)
f. Contact phone number
g. Website (optional)
h. Account representative – the following details must be collected:
   - Full name;
   - Date of birth;
   - Place of birth (country);
   - Address;
   - National or foreign ID number and document type;
   - Nationality;
   - Phone number.
i. Directors, proxy-holders and BO(s). Minimum information to be collected for all BOs in excess of 10% ownership:
   - Full name;
   - Date of birth;
   - Country of residence;
   - Nationality.
j. Industry category/subcategory

Verify (when one of the verification triggers occurs later on):
For sole proprietors:
   - Proof of Identity (similar to natural persons);
   - Proof of Individual’s Address: Recent (not older than 3 months) bank or credit card statement, commercial invoice.
For non-registered businesses (partnerships, cooperatives):
   a. A document illustrating the business purpose (e.g. a partnership agreement, a trade permit, a rental or supplier contract)
   b. For all users who can transact on behalf of the entity:
      - Proof of Identity (similar to natural persons);
      - Proof of Address (similar to natural persons);
      - Letter of authorization or a power of attorney.
   c. For BO(s) the following information must be collected:
      - Place of birth;
      - Address;
      - Proof of Identity (similar to individual).
For registered businesses:
   a. Registration/foundation documents to validate the registration and ownership structure and (where applicable) appropriate license, permit or tax ID.
   b. For all representatives who can transact:
      - Proof of Identity (similar to an individual);
      - Proof of Address (similar to an individual);
      - Letter of authorization or a power of attorney.
   c. For BO(s) of legal entities not exempt from BO verification:
      - Place of birth (country);
      - Address (similar to individual);
      - Proof of Identity (similar to individual).
Beneficial Owners of publicly listed companies, international organizations, banks and financial institutions, state institutions may not need to be verified.

1.3. Accept Terms & Conditions and Privacy policy

You will need 2 separate checkboxes for T&Cs and for Privacy Policy.
This is the moment when the customer becomes a customer and we can store their info, send reminders,
and also have the obligation to protect their account security and integrity. At this time, we can place
cookies for security and marketing purposes.

1.4. Send email confirmation

After our customer has completed their registration, we must send a message to the customer confirming
that their account has been registered. At this point we can ask for email confirmation via a reverse link. We
can add instructions to this confirmation email on how to activate the account, how to contact us, how to
link new payments instruments or add funds to their account, etc. This is a good moment to tell the customer
how to activate 2-factor authentication (it is optional at this stage, but will be mandatory when the customer
has their first transaction).

1.5. Back-end Checks and Scanning

At the moment of client onboarding (e.g. client registration) these checks should automatically run in close
to real time:
Data provided by the customer: Full name (or legal entity name and all names associated with the account)
“Silent checks” – not visible to the customer:
- All names associated with the account must be scanned against sanctions lists and PEP lists (e.g. by Trulioo, Passfort, Jumio, Comply Advantage or Onfido, etc.1)
- The name is scanned against negative media references (corruption scandals, bankruptcies, litigations, change in control, M&A announcements) – recommend to use for PEPs only, because negative media don’t always have date of birth or country information, which creates many false positives
- Name is scanned for obviously false names, e.g. Coca-Cola, Peter Pan, celebrity names, obviously abusive and oblivious names (recommend to have a list of obviously false and abusive names and implement batch scanning daily)
Follow up, if there is an alert:
- If there is a partial match from scanning (e.g. name matches, but country is different, or date of birth is different), an account must not be able to transact, until the investigation is completed. In case of doubt (e.g. not sure if our customer is the person from the list) an automatic request message must be sent to the customer asking to submit proof of address and proof of identity and/or contact customer service.
- No need to look at the account by an agent before the customer has uploaded the documents (because without the documents we won’t be able to resolve the partial match)
- If the customer does not react, account remains inactive, no action is required
- Account status must be “waiting for information” and inactive

Data provided by the customer: Date of birth
“Silent checks”:
- Validation that the customer is 18 years old
Follow up:
- Block if the customer is under 18

Data provided by the customer: Address
“Silent checks”:
- Ensure that the address is from an eligible country (recommend not to include non-eligible countries into the country drop-down list, to prevent people from onboarding, if they are not eligible)
- Check for consistency between IP, geolocation and resident address and phone prefix
- Detect if VPN or other disguising techniques were used
Follow up:
- Flag inconsistencies, but no action required, until a transaction attempt occurs (e.g. customer received funds or added funds to their account)
- Flag customers from high-risk countries, block disputed territories or territories where you don’t offer services

Data provided by the customer: Nationality
“Silent checks”:
- Block North Korea, and any other country nationals you do not support (refer to your AML Policy)
- Flag cases where the nationality is different from the residence country (excluding mismatches between EU countries), because there will be a need to ensure legitimate residence status, where nationality does not equal residence.
Follow up:
- In cases where the nationality is different from the residence (e.g. funds received), ensure we will ask for the proof of visa/legal status when the account is pushed for verification status, at the moment of an attempted transaction

Data provided by the customer: E-mail
“Silent checks”:
- Confirm email by reverse link
- Detect temporary emails and bots (e.g. PIPL or Kount services)
- Scan emails (with PIPL tool or equivalent) for references in commercial registers, social media and other public databases
Follow up:
- Flag bots and temporary emails

Data provided by the customer: Phone number
“Silent checks”:
- Check consistency with country info, flag inconsistencies
Follow up:
- Phone must be confirmed later at the stage of 2-Factor Authentication setup.
- Avoid using SMS for 2FA, better to use an authentication app, since it requires separate authentication when installed

Plan as best practice – social media links
“Silent checks”:
- If a customer is using the “register with Facebook” or “register with Google” functionality or similar, their information can be re-used for completing the registration information (to avoid typing, especially on mobile), but it’s not allowed to use this feature for login, instead of creating a unique password, in order to avoid security vulnerabilities if their social media account is / becomes compromised.
Follow up:
- Having information about the social media profile of a customer can be used to detect linked accounts or “clear” payments between friends and family
- It can also be used to confirm occupation and credit worthiness, indications for possible sources of funds, whether a person is a crypto-enthusiast, member of the crypto-community, has a stable job, etc.

1 https://onfido.com/
  www.trulioo.com
  www.complyadvantage.com


Additional examples of information that must be “silently” collected at the point of registration – Kount,
Simility, SiftScience or equivalent is a must, especially if you use card payments as a payment option or
funding source:

o Are there signs of malware, viruses, etc. on the device used for registration?
o “Machine fingerprint” – e.g. device ID, operational system, language settings. The device used for
registration is usually a very good data point for future prevention of account takeover and fraud
prevention;
o Detect instances of same device used, same IP used, same address used and any other data points
matches in order to flag linked accounts;

1.6. Assign various flags to each customer

o Account status flags (active, inactive, in review, waiting for information, blocked, account has linkages
with other accounts, suspected account takeover);
o Risk category – standard risk, high risk, PEP, VIP;
o Funds-related flags – funds in review, not allocated (e.g. you have not identified the customer yet), risk
reserve, subject to dispute, etc.
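As an added illustration of sections 1.5 and 1.6 (this is example code, not part of the original checklist or any vendor's product), the following Python sketch runs the silent checks over one registration record and produces the account status, KYC status and risk flags described above. The country sets, phone prefixes, the shape of a screening-provider hit and the handling of a full screening match ("in review", agent investigation) are assumptions made for the example; real values come from your AML policy and your screening provider.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List

# Reference data is a constructed subset for this example; a real deployment takes
# eligible, high-risk and blocked countries from its own AML policy.
EU = {"DE", "FR", "LT", "NL", "ES", "IT", "PL"}
ELIGIBLE_RESIDENCE = EU | {"GB", "US", "PA"}
HIGH_RISK_RESIDENCE = {"PA"}            # constructed placeholder for a high-risk country
BLOCKED_NATIONALITIES = {"KP"}          # North Korea, the one nationality the checklist names
PHONE_PREFIX = {"DE": "+49", "FR": "+33", "LT": "+370", "GB": "+44", "US": "+1"}


@dataclass
class Customer:
    full_name: str
    date_of_birth: date
    residence_country: str      # ISO 3166-1 alpha-2 codes throughout
    nationality: str
    phone: str
    ip_country: str             # IP geolocation captured at registration


@dataclass
class ScreeningHit:
    """One hit from a hypothetical sanctions/PEP screening provider."""
    list_name: str
    name_match: bool
    dob_match: bool
    country_match: bool


@dataclass
class Decision:
    account_status: str = "active"        # active | inactive | blocked | in review
    kyc_status: str = "identified"        # identified | waiting for information
    can_transact: bool = True
    flags: List[str] = field(default_factory=list)
    follow_up: List[str] = field(default_factory=list)


def age_on(dob: date, today: date) -> int:
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def run_silent_checks(c: Customer, hits: List[ScreeningHit], today: date) -> Decision:
    d = Decision()
    # Date of birth: under-18s are blocked outright.
    if age_on(c.date_of_birth, today) < 18:
        d.account_status, d.can_transact = "blocked", False
        d.flags.append("under_18")
        return d
    # Nationality and address: hard blocks for unsupported nationals and for
    # countries where the service is not offered; high-risk countries are flagged.
    if c.nationality in BLOCKED_NATIONALITIES:
        d.account_status, d.can_transact = "blocked", False
        d.flags.append("blocked_nationality")
        return d
    if c.residence_country not in ELIGIBLE_RESIDENCE:
        d.account_status, d.can_transact = "blocked", False
        d.flags.append("ineligible_country")
        return d
    if c.residence_country in HIGH_RISK_RESIDENCE:
        d.flags.append("high_risk_country")
    # Consistency checks: flag only; nothing happens until a transaction attempt.
    if c.ip_country != c.residence_country:
        d.flags.append("ip_residence_mismatch")
    prefix = PHONE_PREFIX.get(c.residence_country)
    if prefix and not c.phone.startswith(prefix):
        d.flags.append("phone_prefix_mismatch")
    # Nationality differs from residence (EU-to-EU excluded): proof of visa or
    # legal status is requested once verification is triggered.
    if c.nationality != c.residence_country and not (c.nationality in EU and c.residence_country in EU):
        d.flags.append("nationality_residence_mismatch")
        d.follow_up.append("request proof of visa/legal status at verification")
    # Screening hits: no transactions until resolved. A partial match (name matches,
    # DOB or country does not) asks the customer for documents automatically and
    # parks the account as inactive / waiting for information; an agent looks only
    # after the documents arrive. Full matches go straight to review (assumption).
    for h in hits:
        d.can_transact = False
        if h.name_match and h.dob_match and h.country_match:
            d.account_status = "in review"
            d.flags.append("screening_match:" + h.list_name)
            d.follow_up.append("agent investigation")
        else:
            d.account_status, d.kyc_status = "inactive", "waiting for information"
            d.flags.append("screening_partial_match:" + h.list_name)
            d.follow_up.append("auto-request proof of identity and proof of address")
    return d


# Constructed sample customers (not real people) so the block runs offline.
TODAY = date(2024, 6, 1)
SAMPLE_CLEAN = Customer("Ona Pavardenė", date(1990, 3, 14), "LT", "LT", "+37061234567", "LT")
SAMPLE_MINOR = Customer("Jonas Pavardenis", date(2007, 6, 2), "LT", "LT", "+37061234568", "LT")
SAMPLE_MISMATCH = Customer("Jane Example", date(1985, 5, 5), "DE", "US", "+15551234567", "GB")
SAMPLE_EU = Customer("Pierre Exemple", date(1985, 5, 5), "DE", "FR", "+4915112345678", "DE")
SAMPLE_PARTIAL_HIT = ScreeningHit("sanctions-list-A", name_match=True, dob_match=False, country_match=True)

if __name__ == "__main__":
    for label, cust in [("clean", SAMPLE_CLEAN), ("minor", SAMPLE_MINOR), ("mismatch", SAMPLE_MISMATCH)]:
        print(label, run_silent_checks(cust, [], TODAY))
    print("partial hit", run_silent_checks(SAMPLE_CLEAN, [SAMPLE_PARTIAL_HIT], TODAY))
```

The ordering matters: hard blocks (age, blocked nationality, ineligible country) return early, consistency mismatches only add flags, and a screening hit is the only path that removes the ability to transact while leaving the account open for the customer to respond.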

1.7. Sanctions and PEP Scanning & “Silent” Checks Workflow, post-registration

2. Account Verification – after one of the triggers has been activated. Completing this stage sets account KYC status to “verified”.

2.1. Verification trigger reached

As soon as one of the verification triggers has been reached (depending on your business model, your AML
policy and your country, it could be the first attempted transaction by the customer, the transactional
volume reaching 150 EUR for prepaid cards, or a single transaction at 1000 EUR for payments for goods or
services, plus any indication of risks or irregularities, such as an alert generated by any of your monitoring
tools), you must limit the customer’s ability to exit funds and request that the customer complete the
account verification process, either by asking them to upload or send you the required documents (see section
1.2, right column) or by triggering the automated verification flow with one of the KYC providers that you use.
Until the account verification is satisfactorily completed, the account should not be able to exit funds.

Ideally, you need to set up an automated message that is sent to the customer’s email as soon as one
of the verification triggers has been activated, explaining in detail what you expect the customer
to do. You can also set up a series of automated email reminders to the customer, for example once a week,
or potentially more frequently, if they do not respond.

2.2. Lock-in verified account information

After the customer has provided all the necessary documents or completed the automated verification flow,
an agent should review the information (if needed) and if everything is matching and valid – the account can
be marked as verified and the transactional limits previously set, used to trigger the verification, can be
lifted.

After the account has been verified, the customer can no longer change their name, date of birth, or
nationality, or business details (these details can only be changed by contacting customer support, and then
a new verification will be required). They should be able to change their address or phone number, if needed.

If the customer does not react, their ability to exit funds is restricted. It does not always make sense to
restrict the account’s ability to receive funds, because the customer (especially a merchant) may not always know
when they get paid. If there is no reaction from the customer within 30 days, no transactions (incoming or
outgoing) should be allowed anymore, because prolonged refusal to provide information is, in itself, a
risk factor.

During manual verification and account review, minor discrepancies in documentation (e.g. Rob
instead of Robert, Steve instead of Steven, or obvious typos) can be corrected directly by the customer support
team; there is no need for the customer to re-submit the details, but an automatic or manual
message must be sent to their email describing what has been changed in their account profile information.
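Sections 2.1 and 2.2 describe one procedure: restrict exits at the trigger, ask for documents, remind, block everything after 30 days of silence, and lift the limits and lock identity fields once verified. The following Python state machine is an added example of that flow (not code from the checklist); the 7-day reminder interval is the page's "once a week" suggestion, the 30-day cut-off and the locked-field set are taken from the text, and the message wording and the `Account` fields are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

LOCKED_AFTER_VERIFICATION = {"name", "date_of_birth", "nationality", "business_details"}
REMINDER_INTERVAL = timedelta(days=7)      # "for example once a week"
FULL_BLOCK_AFTER = timedelta(days=30)      # no reaction within 30 days: block in and out


@dataclass
class Account:
    kyc_status: str = "identified"          # identified | verification pending | verified
    can_send: bool = True                   # ability to "exit funds"
    can_receive: bool = True
    verification_requested_on: Optional[date] = None
    last_reminder_on: Optional[date] = None
    messages: List[str] = field(default_factory=list)   # what the customer was emailed


def trigger_verification(acct: Account, today: date, reason: str) -> None:
    """A verification trigger fired (first transaction, 150 EUR prepaid volume, a
    monitoring alert, ...): restrict exits, keep receipts open, ask for documents."""
    if acct.kyc_status != "identified":
        return
    acct.kyc_status = "verification pending"
    acct.can_send = False
    acct.verification_requested_on = today
    acct.last_reminder_on = today
    acct.messages.append(f"{today}: verification required ({reason}); please upload ID and proof of address")


def daily_tick(acct: Account, today: date) -> None:
    """Run once a day: weekly reminders, then a full block after 30 days of silence."""
    if acct.kyc_status != "verification pending":
        return
    if today - acct.verification_requested_on >= FULL_BLOCK_AFTER and acct.can_receive:
        acct.can_receive = False
        acct.messages.append(f"{today}: no response for 30 days; all transactions suspended")
        return
    if today - acct.last_reminder_on >= REMINDER_INTERVAL:
        acct.last_reminder_on = today
        acct.messages.append(f"{today}: reminder: verification documents still outstanding")


def complete_verification(acct: Account, today: date, corrections: Optional[dict] = None) -> None:
    """Agent review passed: lift the limits. Minor corrections made by support
    (e.g. Rob -> Robert) are applied here and the customer is told what changed."""
    acct.kyc_status = "verified"
    acct.can_send = acct.can_receive = True
    for fld, (old, new) in (corrections or {}).items():
        acct.messages.append(f"{today}: your {fld} was corrected from '{old}' to '{new}'")


def can_customer_change(acct: Account, fld: str) -> bool:
    """After verification, identity fields change only via support plus re-verification;
    address and phone stay editable."""
    return not (acct.kyc_status == "verified" and fld in LOCKED_AFTER_VERIFICATION)


def simulate_silence(days: int) -> Account:
    """Constructed scenario: trigger on day 0, then `days` days without any customer reaction."""
    start = date(2024, 1, 1)
    acct = Account()
    trigger_verification(acct, start, "first transaction attempt")
    for offset in range(1, days + 1):
        daily_tick(acct, start + timedelta(days=offset))
    return acct


if __name__ == "__main__":
    for line in simulate_silence(30).messages:
        print(line)
```

The point the code makes explicit is the asymmetry in the text: `can_send` is cut at the trigger, `can_receive` only after the 30-day deadline, and the reminder clock restarts from the last reminder rather than from the trigger.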

3. Ongoing monitoring

Every financial institution has an obligation to constantly monitor its customer base and customer
transactions. It includes sanctions, PEP scanning and transaction monitoring (for example, to detect and
prevent money-laundering, fraud, account takeover, price manipulation, insider trading and other
potentially criminal activities).

3.1. Blockchain tracking

Payment in cryptocurrencies (in or out). It is possible to risk-score the blockchain history of the bitcoin and
other popular cryptocurrency addresses used by the customer, using the Elliptic AML tool2, Chainalysis3, or
similar tools. The tool analyzes the overall blockchain history of the address used by the customer for making
a transfer. The following factors are analyzed to produce a risk score for each case at a given point in time:
o Whether this address was involved in disguising techniques, such as using “mixers” or aggregated
accounts;
o Whether this address was ever connected with a known “bad” address and, if so, what was
the total % of volume of those transactions;
o Whether this address is connected to a known mining pool;
o Whether this address is receiving funds from a known custodian or reputable crypto-
exchange and, if so, what is the % of the volume.

Where the risk score produced by the blockchain analysis tool is too high (check with the provider you use),
you will need to trigger an investigation and, where appropriate, file a suspicious activity report.

For the outgoing coin transactions, the first address used by the customer to withdraw their coins will usually
be a newly created address, which does not yet have any history (and therefore, does not have a risk score).
However, it is important for us to understand whether or not the funds have been used to conduct
potentially illegal activities. It is recommended to check the outgoing addresses used by the customer
approximately 1-2 weeks after the withdrawal, and see if there is any indication of a risky behavior.

It might be costly to monitor each incoming and each outgoing transaction, especially if the amounts are
very small, in which case you can create an automated logic, which transactions you will send for risk-scoring.
The logic could be, for example: “Review the first 3 incoming and the first 3 outgoing transactions regardless
of the amount, and if all of them are low risk, for all subsequent transactions only request a risk score for
transactions at 200 EUR”.
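The sampling rule just quoted, together with the high-score follow-up and the delayed re-check of withdrawal addresses, worked through as an added Python example (not code from the checklist or from any analytics provider). The provider's 0-100 score scale, the low-risk and high-risk cut-offs, the 14-day re-check delay and the `provider_scores` lookup standing in for the API call are assumptions; the "first 3 in, first 3 out, then 200 EUR" rule is the page's own.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class CoinTx:
    direction: str        # "in" (deposit) or "out" (withdrawal)
    address: str
    amount_eur: float
    when: date


@dataclass
class ScoringPolicy:
    """Decides which crypto transactions are sent to the analytics provider, using
    the sampling rule quoted in the checklist. The 0-100 score scale, the low- and
    high-risk cut-offs and the 14-day re-check delay are assumptions for the example."""
    initial_reviews: int = 3               # first N in and first N out are always scored
    amount_threshold_eur: float = 200.0    # afterwards, only amounts at or above this
    low_risk_max: int = 25                 # scores up to here count as "low risk"
    high_risk_min: int = 75                # from here: investigate, consider a SAR
    recheck_delay: timedelta = timedelta(days=14)
    scores: Dict[str, List[int]] = field(default_factory=lambda: {"in": [], "out": []})

    def should_score(self, tx: CoinTx) -> bool:
        seen = self.scores[tx.direction]
        if len(seen) < self.initial_reviews:
            return True                     # still inside the "first 3" window
        if any(s > self.low_risk_max for s in seen):
            return True                     # an earlier result was not low risk: score everything
        return tx.amount_eur >= self.amount_threshold_eur

    def record(self, tx: CoinTx, score: int) -> Optional[str]:
        """Store a provider score and return the follow-up action, if any."""
        self.scores[tx.direction].append(score)
        if score >= self.high_risk_min:
            return "open investigation; consider a suspicious activity report"
        return None

    def recheck_due(self, tx: CoinTx) -> Optional[date]:
        """Withdrawal addresses are usually brand new and have no history to score,
        so the checklist suggests looking at them again 1-2 weeks later."""
        return tx.when + self.recheck_delay if tx.direction == "out" else None


def process(policy: ScoringPolicy, txs: List[CoinTx],
            provider_scores: Dict[str, int]) -> List[Tuple[str, object, Optional[str]]]:
    """Run a batch through the policy. `provider_scores` (address -> risk score) is a
    constructed stand-in for the analytics API call."""
    decisions = []
    for tx in txs:
        if not policy.should_score(tx):
            decisions.append((tx.address, "skipped", None))
            continue
        score = provider_scores.get(tx.address, 0)
        decisions.append((tx.address, score, policy.record(tx, score)))
    return decisions


# Constructed sample data: five small deposits; the fourth falls below the 200 EUR
# threshold after three clean scores and is therefore not sent for scoring.
DAY0 = date(2024, 1, 1)
SAMPLE_TXS = [CoinTx("in", "addr-in-%d" % i, amt, DAY0)
              for i, amt in enumerate([10, 20, 30, 50, 250])]
SAMPLE_SCORES = {"addr-in-0": 5, "addr-in-1": 10, "addr-in-2": 3, "addr-in-3": 80, "addr-in-4": 90}
SAMPLE_SMALL_DEPOSIT = CoinTx("in", "addr-in-5", 5, DAY0)
SAMPLE_WITHDRAWAL = CoinTx("out", "addr-out-0", 1, DAY0)


def demo() -> Tuple[ScoringPolicy, list]:
    policy = ScoringPolicy()
    return policy, process(policy, SAMPLE_TXS, SAMPLE_SCORES)


if __name__ == "__main__":
    policy, decisions = demo()
    for row in decisions:
        print(row)
    print("score the next 5 EUR deposit?", policy.should_score(SAMPLE_SMALL_DEPOSIT))
    print("re-check withdrawal address on", policy.recheck_due(SAMPLE_WITHDRAWAL))
```

Note the failure mode the rule leaves open and that the code handles: once any scored transaction comes back above low risk, sampling by amount is switched off again for that direction, otherwise a customer could keep small, unscored transfers flowing after a risky one.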

3.2. Ongoing Sanctions Scanning

Sanctions lists are updated almost daily – new information may become available about known criminals,
new names of the criminals could be added, new politicians may be elected. It is possible that your customer
today has been cleared and tomorrow their name will appear in the sanctions or PEP lists.

Scanning for sanctions must be performed each time when:

o A new customer has registered;
o An existing customer changed name, or date of birth, or legal entity name, or added a new name of
a director or a beneficial owner to their account; and
o Sanctions lists have changed (only scan the delta data, which has been changed). If your scanning
provider is unable to timely update you about the changes in the sanctions lists, this may impact your
customers. It is required to re-scan all your customer base at least monthly.

2 https://www.elliptic.co/
3 https://www.chainalysis.com/

3.3. Transaction monitoring

Scenario/RISK: Account takeover attempt. Multiple unsuccessful attempts to log into the same account within a short time (often done in batches where several accounts are attacked).
Rule and Logic: Two scenarios possible:
o If the attack is really serious, prolonged and many accounts are affected, it is potentially useful for all accounts to remain locked, even for the authentic users, in which case all users are receiving a message that the service is unavailable. This may happen during a massive attack on many accounts.
o If the user account is attacked in isolation (e.g. someone is trying to access just this one account) and there are no signs of a massive attack, then the user must be invited to go through the password recovery procedure, even if the password entered is correct. Password recovery must include some knowledge-based questions on account activity and history (e.g. “non-facebookable” questions).
o Based on the types of goods purchased, social media info and other factors, it is possible in some cases to assess the risk of account takeover when the buyer is using someone else’s card. Another type of checks is based on the identified stolen credentials available on the dark net marketplaces or names identified as a part of known databases affected by a security breach. These rules generate alerts focused on detecting an account takeover or compromised credentials.

Scenario/RISK: Linked Accounts Detection. Track customers who use or share the same or similar devices, payment methods or individuals.
Rule and Logic: Generate a flag for customers using the same device or same IP or using the same payment methods. Consider a situation that many accounts can be opened by fraudsters using stolen IDs and stolen credit card credentials.

Scenario/RISK: Correct address on file. Mismatch between customer address on file, phone prefix, customer IP geolocation.
Rule and Logic: Customers rarely remember to change their profile addresses when they move. You can monitor whether or not the customer has logged into their account from the IP that is within 2-3-5 km from the location of their address. Additionally, for physical purchases, you can compare the account address to the shipping address, and if the customer is recently logging in from Germany, but the account address is in the UK, you can send a reminder to the customer, e.g. "your account is displaying a behaviour inconsistent with the info we have on file, can you please kindly check your address and ensure it is accurate and up-to-date". If you have a social media profile of the customer, you can automatically look up the address details there. Your KYC or fraud management vendors can also check addresses against unrealistic addresses, postal codes which are associated with high levels of violent crimes, IP information, and whether there was a previous successful delivery of undisputed transaction to that customer’s address. If the risk is too high, an alert can be generated.

Scenario/RISK: Signs of layering. Customer changes blockchain accounts or is using multiple bank accounts or multiple credit cards in an unusually frequent manner.
Rule and Logic: Flag 3-5-7 new payment options per 1-2 weeks and conduct a manual review.

Scenario/RISK: Change in patterns, velocity monitoring. The amount of the transaction is unusual for the typical customer behaviour.
Rule and Logic: These rules target various velocity triggers (e.g. total monthly volumes, sudden increase in volumes), recently added or never used funding instruments, payments to higher risk destinations (e.g. merchants who offer gambling services, adult services), transactional pattern of a customer (e.g. a customer’s transaction pattern has changed from always purchasing female shoes to suddenly purchasing automotive parts or an increase of 200% on monthly basis to the previous month or previous monthly average for this year).

Scenario/RISK: Flag high risk customers.
Rule and Logic: Criteria for high-risk accounts will be set out in your AML policy. Ensure that you can regularly run a report on all customers that are flagged as high-risk, including transactions between high-risk customers.

Scenario/RISK: Scanning transactional messages for key words.
Rule and Logic: Consider using batch scanning for transactional messages for high-risk countries or criminal activity indications (e.g. names of criminal organizations, indications of drugs, arms, child pornography, etc).

Scenario/RISK: Account dispute rate. Track chargebacks plus any refunds and concessions granted.
Rule and Logic: These metrics can help to identify customer abuse and collusion.

Scenario/RISK: Credit bureau checks. This is important for payment cards as it reduces the risk of credit disputes with the customers.
Rule and Logic: Customer names will be checked for possible credit disputes, especially for high-risk industry purchases such as gambling, adult services, etc. Also, the destination (merchants) will be checked and if the risk of a merchant being fraudulent is high (e.g. a merchant is a known scammer), the transaction can be declined.

Scenario/RISK: Behavioural biometrics.
Rule and Logic: How customers type or move their mouse can be an indicator of identity theft and account takeover. For gambling and adult services, there is a possibility to predict the likelihood if a customer is sober or under the influence of alcohol or other substances.

Scenario/RISK: “Abuse list”. This allows to detect and prevent repetitive fraud, stolen cards or compromised credentials.
Rule and Logic: Some of the names that are likely to be problematic can be identified by the vendors, but you can add your company’s “abuse list members” to such list, for example, high dispute rate customers or customers whose accounts were blocked in the past for policy violations (blocked customers will have a tendency to create new accounts with new names).
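Four of the rules in the table above (account takeover attempt, linked accounts, signs of layering, velocity monitoring), implemented over constructed sample events as an added Python example; this is not code from the checklist or any vendor. The page gives the 3-5-7 instruments per 1-2 weeks range and the 200% increase; the 5-failures-in-10-minutes burst, the 20-account threshold for treating a burst as a mass attack and the sample accounts, devices, IPs and card identifiers are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


def _burst(times: List[datetime], count: int, window: timedelta) -> bool:
    """True if at least `count` of the (sorted) timestamps fall inside one `window`."""
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= count:
            return True
    return False


def linked_accounts(profiles: Dict[str, Dict[str, str]]) -> Dict[Tuple[str, str], Set[str]]:
    """Index accounts by device ID, IP and payment instrument; any value shared by
    more than one account links those accounts (the 'Linked Accounts Detection' rule)."""
    index: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for account, attrs in profiles.items():
        for attr, value in attrs.items():
            index[(attr, value)].add(account)
    return {key: accs for key, accs in index.items() if len(accs) > 1}


def layering_alerts(instrument_adds: List[Tuple[str, datetime]], threshold: int = 3,
                    window: timedelta = timedelta(days=14)) -> Set[str]:
    """Accounts adding `threshold` or more new payment options inside `window` go to
    manual review (the 'Signs of layering' rule; 3 per 2 weeks is the lowest of the
    page's 3-5-7 per 1-2 weeks settings)."""
    per_account: Dict[str, List[datetime]] = defaultdict(list)
    for account, when in sorted(instrument_adds, key=lambda add: add[1]):
        per_account[account].append(when)
    return {acc for acc, times in per_account.items() if _burst(times, threshold, window)}


def velocity_alert(monthly_volumes: List[float], increase_pct: float = 200.0) -> bool:
    """Velocity rule: the latest month is compared with the previous month and with the
    average of the earlier months this year; either baseline exceeded by
    `increase_pct` percent raises an alert."""
    if len(monthly_volumes) < 2:
        return False
    *earlier, latest = monthly_volumes
    baselines = (earlier[-1], sum(earlier) / len(earlier))
    return any(base > 0 and (latest - base) / base * 100 >= increase_pct for base in baselines)


def login_attack_assessment(events: List[Tuple[str, datetime, bool]], max_failures: int = 5,
                            window: timedelta = timedelta(minutes=10),
                            mass_attack_accounts: int = 20) -> Tuple[str, Set[str]]:
    """Account takeover rule. Returns ("none", set()), ("isolated", accounts) when a few
    accounts see failed-login bursts (force password recovery with knowledge-based
    questions), or ("mass", accounts) when so many accounts burst at once that the
    page's 'lock everything and show service unavailable' response applies."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for account, when, success in sorted(events, key=lambda ev: ev[1]):
        if not success:
            failures[account].append(when)
    attacked = {acc for acc, times in failures.items() if _burst(times, max_failures, window)}
    if not attacked:
        return "none", set()
    if len(attacked) >= mass_attack_accounts:
        return "mass", attacked
    return "isolated", attacked


# Constructed sample data (not from the checklist) so the block runs offline.
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_PROFILES = {
    "acc1": {"device": "dev-A", "ip": "203.0.113.7", "card": "card-1"},
    "acc2": {"device": "dev-A", "ip": "203.0.113.9", "card": "card-2"},
    "acc3": {"device": "dev-B", "ip": "198.51.100.4", "card": "card-1"},
}
SAMPLE_INSTRUMENT_ADDS = [
    ("acc1", T0), ("acc1", T0 + timedelta(days=5)), ("acc1", T0 + timedelta(days=12)),
    ("acc2", T0), ("acc2", T0 + timedelta(days=30)),
]
SAMPLE_LOGINS = [("acc1", T0 + timedelta(seconds=20 * i), False) for i in range(6)] + [("acc2", T0, True)]
SAMPLE_MASS_LOGINS = [(f"acc{i}", T0 + timedelta(seconds=j), False) for i in range(25) for j in range(5)]

if __name__ == "__main__":
    print(linked_accounts(SAMPLE_PROFILES))
    print(layering_alerts(SAMPLE_INSTRUMENT_ADDS))
    print(velocity_alert([100, 120, 110, 400]))
    print(login_attack_assessment(SAMPLE_LOGINS))
    print(login_attack_assessment(SAMPLE_MASS_LOGINS)[0])
```

All four rules are pure functions over event lists, so they can be run as a batch job over yesterday's events or fed incrementally; the sliding window in `_burst` is what keeps the layering and login-burst checks linear in the number of events per account.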
