When Should You Deploy a Customer Risk Assessment Tool?

Customer risk assessment tools are mandatory for financial institutions. But more businesses should probably use them.

Failing to perform an adequate risk assessment can cost a lot. In 2019, US government agencies issued more than $19.8 billion in fines to organizations that made things too easy for financial criminals, whether knowingly or accidentally.

Let’s look more closely at what customer risk assessment is, how to do it, and when to use a tool for this.

What Is a KYC Risk Assessment?

A KYC or customer risk assessment is a standardized method of assessing the level of risk a customer poses, so that the company can apply the appropriate level of checks and verifications and do business with them without endangering itself or the economy as a whole.

As part of their anti-money laundering (AML) obligations, certain types of regulated companies are required to assess the risk a customer poses by verifying the person’s identity, their location, the source of their funds, the way they intend to use them, and similar information.

This data will in turn allow the organization to identify and manage whether:

  • they are a money laundering risk
  • they are believed to be financing terrorism per CFT regulations
  • they are a politically exposed person such as a politician or their close family
  • they are sanctioned as individuals or as part of a company
  • they appear on criminal and fugitive watchlists or other blacklists

What Does Assessing Customer Risk Involve?

Put simply, you want every customer to be ideal for your business. In a perfect world, it would mean only allowing people who intend to purchase your goods or services, but the definition can be extended by asking:

  • Is the customer real? The first thing you want to do is ensure you’re dealing with a legitimate user. That means filtering out bots and fake traffic. And the most efficient method at your disposal here is to ensure the customer has a real digital footprint.

    A digital footprint is essentially the trail of information that any user carries with them. It can take the form of cookies, device and network configuration, or their social media presence. We’ll dive into the concept in more detail below, but the important thing to note is that it’s especially useful to analyze the digital footprint at the onboarding stage – when you let new users onto your site.

  • Have I seen this customer before? An interesting question for many departments. Marketers can use the information to create tailored offers or to ensure they’re not giving out too many promotional codes and discounts (which helps curb bonus abuse).

    Here again, looking at the digital footprint is important, but you also need to compare the information with your own historical data. Companies need a robust analytics solution in place that lets them look at IP addresses and use device fingerprinting to log information about each configuration of software and hardware.

  • Is the customer who they say they are? One of the highest risk factors is dealing with false identities. Customers who use stolen IDs are always bad news for your business. It means they are intentionally hiding who they are, more often than not in order to defraud your online business.

    Answering the question of customers’ true identity is exactly the goal of KYC checks. KYC, or Know Your Customer, is a legal process which requires certain companies to gather information about the user’s residential address, full name, and date of birth.

As we’ll see, there are different kinds of KYC checks, but all of them can be useful for online businesses.

Who Should Assess Customer Risk?

Customer risk assessment isn’t just reserved for banks these days. Any business dealing with online transactions knows that not all customers have the same value to the business. Some will become loyal and repeatedly purchase your goods or services. Others will end up costing you more than you earn.

Fintechs, crypto exchanges, online casinos, loan companies, traditional financial institutions… These types of companies are all well aware of the importance of customer risk assessment. 

In fact, they must comply with a number of regulations that put them under pressure to check user info, such as:

  • International Money Laundering Abatement and Anti-Terrorist Financing Act
  • UK Proceeds of Crime Act 2002
  • JMLSG Guidance
  • Third European Money Laundering Directive

The goal is to prevent individuals from conducting fraud that would harm the company directly or indirectly, for example via:

  • Chargeback rates: whether you have been defrauded by malicious attackers or you are the victim of friendly fraud, companies end up losing 2 to 3 times the transaction amount once all chargeback fees and costs are accounted for, according to Chargeback Gurus.
  • Bonus abuse: casinos and gambling operators have long known that attracting new users with special offers can backfire. Fraudsters use bots and synthetic or stolen IDs to register multiple times (multi-accounting) in order to reap the benefits of referral links or new user discounts. Bonus abuse is increasingly common for any online business, from fintechs to online stores.
  • Account takeover: fraudsters find value in any online presence, which is why they try to log into other people’s accounts. E-wallets and bank accounts are especially attractive to them, but, here again, a growing number of businesses find that their users’ accounts are regularly stolen. Fraudsters mine accounts for personal data, or empty them of bonus points, for instance. This is also known as credential stuffing, and it costs businesses a huge amount in lost time and resources when trying to give the account back to the legitimate user – not to mention reputation loss.

What’s the Difference Between Risk Assessment and KYC?

Risk assessment is a general practice that evaluates how likely a user is to break the law in the future. KYC verification is one of the methods used for those risk assessments. KYC focuses on gathering important info about people at the beginning of a relationship, for instance when onboarding new users.

Other key methods include CDD (Client Due Diligence) and EDD (Enhanced Due Diligence), which focus more on monitoring where funds come from in the context of anti-money laundering regulations (AML).

Note that these AML checks must be performed and reviewed continuously, at regular intervals, and that they cover both external and internal risks, meaning your customers as well as your employees.

I’ve Never Heard of KYC, Do I Still Need to Do It?

Because KYC processes are a legal requirement, your risk management team should already know about them. But if you’ve never had to perform these checks, there’s no harm in employing the same methods to filter out bad customers.

At SEON, we tend to classify KYC into two different modes: light and heavy.

  • Pre-KYC: Light KYC is fast, frictionless and helps reduce churn. It is a form of invisible customer profiling performed in real time as users land on your website and start filling in fields. The downside is that it is riskier.
  • Heavy KYC: Involves verification and authentication methods that can slow down customers in their journey. For instance, submitting an ID selfie or 2-factor authentication with a mobile device.

And ideally, your assessment process should be able to alternate between the two, based on the information you receive. This is what we call dynamic friction, and it can work whether you perform risk assessment manually, or automate it. This leads us to the question of how long exactly it takes to assess risk.

What Are the 3 Main Factors to Consider in Determining AML Risk?

Ideally, you want to look at (1) the customer’s personal information (through KYC checks), (2) the amount of money processed (high transaction values), and (3) their geolocation, since some jurisdictions are protective of customer identities (Switzerland) or known as tax havens (the Cayman Islands, for instance).

How Long Does It Take to Assess a Customer?

This is probably the question that troubles most businesses that aren’t financial institutions. They understand that users want to move fast, whether it’s to sign up to a new service or to finalize a purchase. Churn, friction and obstacles are the enemies of online businesses, which forces companies into a challenging balancing act between risk and security.

In fact, the words may conjure up memories of submitting a folder of personal information to open a bank account or to purchase a financial product like insurance protection or a loan. You’d sometimes have to wait for weeks before getting an answer.

But these days, it can actually be near-instantaneous, provided you’ve set up the right system in place.


Factors to Consider in Your Customer Risk Assessment

As part of your risk assessment, you will want to consider a series of risk factors, monitor customers against them and have in place defined workflows when one is identified. Specifically, these are:

  • Regulatory risk: Failure to conduct KYC, IDV and other mandated checks on customers is a regulatory risk. This can lead to fines and other penalties for the company, including imprisonment.
  • Customer risk: How likely is this type of customer to pose a risk? Are they a private individual? A company? Are they a PEP? Who is the ultimate beneficial owner (UBO), if it’s a company? And so on.
  • Product risk: This factor takes into account whether the product the customer is purchasing or accessing is more or less likely to enable money laundering or other risks. The scope of what someone can do can vary significantly per product.
  • Geographical risk: Where is this person or company based? Is this country or area on any sanctions lists? Is it considered to pose a higher risk of certain types of crime?
  • Delivery channel risk: This factor considers how the customer transacts with the company, and whether that environment adds more risk. For example, someone accessing your servers via API or mobile banking may be more likely to pose a risk than a customer who has walked into a branch – or vice versa, all depending on your infrastructure.

Effective Steps to Conducting a Risk Assessment

Whether you are a small business or a global leader, the steps will be the same:

  1. Delegate risk assessment to a team member, whole team, or specialist
  2. Identify business-specific risks
  3. Assess the risks, and measure how they will impact the business
  4. Collect all the potential risk vectors (or data points relating to the risk)
  5. Create KPIs that measure and monitor risk rates.

A concrete example: let’s say you are a small online shop that sells physical goods. Your risks will probably be related to chargeback rates. You calculate that each chargeback ends up costing you up to $70. Paying too many of them each month could sink your business. 

In that case, the risk vectors will mainly be user detail, credit card numbers, and shipping address. 

Traditionally, a large merchant with the right ops and staff headcount would, therefore, have a team that performs manual reviews for these three points. For instance, they would contact the user for more information, or use any data they have to validate the purchase.

Luckily, in the digital age, it’s entirely possible to automate these steps and to scale your risk assessment without draining your team’s time and resources.

What If I Don’t Have the Resources to Deploy a Full Risk Team?

One of the biggest misconceptions about knowing your customer is that it’s a lengthy, resource-heavy process. This can be true if you’re doing it manually, for instance by verifying every new customer who joins your site with a phone call. For transactions, the typical manual workflow would include opening numerous tabs in a browser to gather customer info from different background check websites.

KYC Risk Assessment and Fraud Prevention Tools

Risk assessment and fraud prevention tools nicely dovetail together as their goals are essentially the same: to gather data and use it to calculate risk. Here is how that process looks from the perspective of SEON’s fraud detection tools.

Performing a Risk Assessment with SEON

Step 1: Gathering data

As soon as visitors land on your website, SEON can begin gathering information. It may be about: 

  • The IP address: To understand where customers are in the world, whether they are hiding behind Tor or VPNs, and to see if they attempt to hide the origin of their connection.
  • The device configuration: Device fingerprinting is an extremely powerful tool that lets us see the combination of software and hardware that users connect to your site with. Understanding the device build, browser version and features, amongst others, also helps create IDs to check when the same people revisit the site – or when they pretend to be different people.

Step 2: Enriching data

Gathering data is one thing, but it’s not enough to really know who your users are – especially if they’re lying or using stolen IDs. This is why you have the extra step to confirm the data quality, or to get the bigger picture with:

  • Email analysis: Sometimes, a single data point can be enough to reveal a lot. For instance, with email risk assessment you can see whether an address is too new, registered with a free domain provider, or has appeared on a blacklist before, among other signals.
  • Phone analysis: Similarly, you can conduct a phone number risk assessment to see if it’s a landline or mobile, if the carrier is in the right country, and if the SIM card is on a real network or not.
  • Social media profiling: One of the most successful anti-fraud techniques in recent years is searching for social data. While this can be done manually, SEON speeds up the process to quickly learn if the user has linked their information with social or messaging networks. This allows us to gather a user picture, see when they last used it, and to read a user bio, amongst others.

Step 3: Calculating risk

The final step is to decide whether all that data points to a risky user or not. In the past, fraud managers would have to use their expertise and instinct. While this is still the case today, the process is vastly improved thanks to risk scores.

Each score is calculated with a number of rules. These can be prebuilt for your industry, manually created, or even suggested by AI. A simple rule would be to increase risk if a customer’s IP address is different from the shipping address. A complex one could be a velocity rule, which looks at the number of login attempts per minute, for instance.

The key is that businesses should be in control of risk mitigation. Is it worth being more strict, even if it increases false positives? Or would you rather let a few fraudsters pass and eat up the costs? Make sure you have the choice when you choose your fraud prevention tool.
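To make Steps 2 and 3 concrete, here is an added example of a small rule-based risk scorer. It is not SEON’s code or a description of SEON’s rules: the point values, the free-provider and blacklist lookup sets, the sample customers and their fraud labels are all constructed for illustration. It combines enrichment signals (email age, free domain, blacklist hit), a simple IP-versus-shipping-country rule and a login-velocity rule into one score, then shows how moving the review/decline thresholds trades false positives against missed fraud on the same sample set.

```python
"""Rule-based risk scoring over enrichment signals (added example, not SEON code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

# Constructed reference data; a real deployment would use enrichment lookups.
FREE_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
BLACKLISTED_EMAILS = {"mule77@freemail.example"}


@dataclass
class Signals:
    """Data gathered at sign-up or checkout plus enriched attributes."""
    ip_country: str
    shipping_country: str
    email: str
    email_first_seen_days: int   # days since the address first appeared anywhere (enrichment)
    login_times: list            # datetimes of recent login attempts for this account
    now: datetime


def email_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


# Each rule returns the points it adds to the risk score (0 when it does not fire).
def ip_shipping_mismatch(s: Signals) -> int:
    return 25 if s.ip_country != s.shipping_country else 0


def free_email_provider(s: Signals) -> int:
    return 10 if email_domain(s.email) in FREE_EMAIL_DOMAINS else 0


def brand_new_email(s: Signals, max_age_days: int = 30) -> int:
    return 20 if s.email_first_seen_days < max_age_days else 0


def blacklisted_email(s: Signals) -> int:
    return 60 if s.email.lower() in BLACKLISTED_EMAILS else 0


def login_velocity(s: Signals, window: timedelta = timedelta(minutes=1), limit: int = 5) -> int:
    # Velocity rule: more than `limit` login attempts inside the trailing window.
    recent = [t for t in s.login_times if s.now - t <= window]
    return 40 if len(recent) > limit else 0


RULES: list = [ip_shipping_mismatch, free_email_provider, brand_new_email,
               blacklisted_email, login_velocity]


def risk_score(s: Signals) -> tuple:
    """Sum the rule outputs; return the total and which rules fired (for reviewer transparency)."""
    fired = {rule.__name__: rule(s) for rule in RULES}
    fired = {name: pts for name, pts in fired.items() if pts}
    return sum(fired.values()), fired


def decide(score: int, review_at: int = 30, decline_at: int = 70) -> str:
    if score >= decline_at:
        return "decline"
    if score >= review_at:
        return "review"
    return "approve"


NOW = datetime(2024, 1, 1, 12, 0, 0)
# Constructed sample customers, labelled with whether they later turned out to be fraudulent.
SAMPLES = [
    ("good_local", Signals("GB", "GB", "anna@corp.example", 900, [NOW - timedelta(hours=2)], NOW), False),
    ("good_traveller", Signals("FR", "GB", "ben@gmail.com", 400, [NOW - timedelta(minutes=10)], NOW), False),
    ("burst_login", Signals("GB", "GB", "carl@outlook.com", 10,
                            [NOW - timedelta(seconds=5 * i) for i in range(8)], NOW), True),
    ("known_mule", Signals("NG", "GB", "mule77@freemail.example", 3, [NOW], NOW), True),
]


def outcome_counts(review_at: int, decline_at: int) -> dict:
    """How one threshold choice trades false positives against missed fraud on the samples."""
    counts = {"blocked_fraud": 0, "missed_fraud": 0, "false_positive": 0, "clean_pass": 0}
    for _, s, is_fraud in SAMPLES:
        total, _ = risk_score(s)
        blocked = decide(total, review_at, decline_at) != "approve"
        if is_fraud:
            counts["blocked_fraud" if blocked else "missed_fraud"] += 1
        else:
            counts["false_positive" if blocked else "clean_pass"] += 1
    return counts


if __name__ == "__main__":
    for name, s, _ in SAMPLES:
        total, fired = risk_score(s)
        print(f"{name:15} score={total:3} decision={decide(total):8} fired={fired}")
    print("strict  (30/70):", outcome_counts(30, 70))
    print("lenient (75/100):", outcome_counts(75, 100))
```

With the strict thresholds the travelling customer whose IP country differs from the shipping country is sent to review (a false positive), while both fraudulent samples are stopped; with the lenient thresholds nobody legitimate is held, but the burst-login account slips through. Returning the fired rules alongside the score is what keeps the decision explainable to a reviewer, which is the property the "whitebox" approach above is meant to preserve.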


Assessing Risk Before Fraudsters Strike

In conclusion, we can see that organizations of all sizes have access to resources to assess customer risk – whether they are required to or not.

And while manual review is a perfectly viable option, it does tend to be prone to human error, and unfortunately it simply doesn’t scale, either in the number of cases or in the processes you can deploy.

That is why automation is key. Whether you need to calculate the risk of one transaction or a thousand, you should have tools in place that can help assess risk in real time, and with outstanding precision.

This is exactly the goal behind all our products at SEON. From our one-click data enrichment Chrome plugin to our all-in-one fraud detection service, we enable anyone to start doing business with the right customers only, and with complete peace of mind.

Tamas Kadar

Tamás Kádár is the Chief Executive Officer and co-founder of SEON. His mission to create a fraud-free world began after he founded the CEE’s first crypto exchange in 2017 and found it under constant attack. The solution he built now reduces fraud for 5,000+ companies worldwide, including global leaders such as KLM, Avis, and Patreon. In his spare time, he’s devouring data visualizations and injuring himself while doing basic DIY around his London pad.