When Should You Deploy a Customer Risk Assessment Tool?

risk assessment cover graphics

Customer risk assessment tools are mandatory for financial institutions. But here’s why more businesses should probably use them.

Fintechs, crypto exchanges, online casinos, loan companies, traditional financial institutions… These types of companies are all well aware of the importance of customer risk assessment. 

In fact, they must comply with a number of regulations that put them under pressure to check user info, such as the:

  • International Money Laundering Abatement and Anti-Terrorist Financing Act
  • USA PATRIOT Act
  • UK Proceeds of Crime Act 2002
  • JMLSG Guidance
  • Third European Money Laundering Directive

And failing to perform an adequate risk assessment can cost them a lot. In 2019, US government agencies issued more than $19.8B in fines to organizations who made things too easy for financial criminals, whether knowingly or accidentally.

Important For a Growing Number of Verticals

But customer risk assessment isn’t just reserved for banks these days. Any business dealing with online transactions knows that not all customers have the same value to the business. Some will become loyal and repeatedly purchase your goods or services. Others will end up costing you more than you earn, especially due to:

  • Chargebacks rates: whether you have been defrauded by malicious attackers, or you are the victim of friendly fraud, companies end up losing 2 to 3 times the transaction amount after processing all the chargeback rates.
  • Bonus abuse: casinos and gambling operators have long known that attracting new users with special offers can backfire. Fraudsters use bots and synthetic or stolen IDs to register multiple times (multi-accounting) in order to reap the benefits of referral links or new user discounts. Bonus abuse is increasingly common for any online business, from fintechs to online stores.
  • Account takeover: fraudsters find value in any online presence, which is why they try to log into other people’s accounts. E-wallets and bank accounts are especially attractive to them, but, here again, a growing number of businesses find that their users’ accounts are regularly stolen. Fraudsters mine accounts for personal data, or empty them of bonus points, for instance. This is also known as credential stuffing, and it costs businesses a huge amount in lost time and resources when trying to give back the account to the legitimate user – not to mention reputation loss.

What Does “Assessing Customer Risk” Mean Exactly?

Put simply: you want every customer to be ideal for your business. In a perfect world it would mean only allowing people who intend to purchase your goods or services, but the definition can be extended by asking:

Is the customer real? 

The first thing you want to do is ensure you’re dealing with a legitimate user. That means filtering out bots and fake traffic. And the most efficient method at your disposal here is to ensure the customer has a real digital footprint.

Digital footprint is essentially a trail of information that any user carries with them. It can be in the form of cookies, device and network configuration or their social media presence. We’ll dive into the concept in more detail below, but the important thing to note is that it’s especially useful to analyze digital footprint at the onboarding stage – when you let in new users onto your site.

Have I seen this customer before?

An interesting question to ask for many departments. Marketers can use the information to create tailored offers, or to ensure they’re not giving out too many promotional codes and discounts (which helps curb bonus abuse).  

Here again, looking at the digital footprint is important, but you also need to compare the information with your own historical data. Companies need to have a robust analytics solution in place, which can help them look at IP addresses, and device fingerprinting to log info about each configuration of software and hardware. 

Is the customer who they say they are?

One of the highest risk factors is dealing with false identities. Customers who use stolen IDs are always bad news for your business. It means they are intentionally hiding who they are, more often than not in order to defraud your online business.

Answering the question of customers’ true identity is exactly the goal of KYC checks. KYC, or Know Your Customer, is a legal process which forces certain companies to gather info related to the user’s residential address, full name, and date of birth. 

As we’ll see, there are different kinds of KYC checks, but all of them are equally useful for online businesses.

What is the Difference Between Risk Assessment and KYC?

The first is a general practice that evaluates how likely a user is to break the law in the future. KYC checks, or Know Your Customer procedure, is one of the methods used for those risk assessments. KYC focuses on gathering important info about people at the beginning of a relationship, for instance when onboarding new users.

Other risk assessment methods include CDD (Client Due Diligence) and EDD (Enhanced Due Diligence), which focus more on monitoring where funds come from in the context of anti money laundering regulations (AML). Note that these anti money laundering checks must be performed and reviewed continuously, and that they cover both external and internal risks, meaning your customers as well as your employees.

I’ve Never Heard of KYC – Do I Still Need to Do It?

Because KYC processes are a legal requirement, your risk management team should already know about them. But if you’ve never had to perform these checks, there’s no harm in employing the same methods to filter out bad customers.

At SEON, we tend to classify KYC into two different modes: light and heavy.

light and heavy kyc for customer risk assessment
  • Light KYC: is fast, frictionless and helps reduce churn. It’s like an invisible customer profiling that’s performed in real time as users land on your website and start filling fields. The downside is that it is riskier.
  • Heavy KYC: involves verification and authentication methods that can slow down customers in their journey. For instance, submitting an ID selfie or 2 factor authentication with a mobile device.

And ideally, your assessment process should be able to alternate between the two, based on the information you receive. This is what we call dynamic friction, and it can work whether you perform risk assessment manually, or automate it. Which leads us to the question of how long exactly it takes to assess risk.

What are the 3 main factors to consider in determining AML risk?

Ideally, you want to look at the customer’s personal information (through KYC checks), the amount of money processed (high transaction values), and the geolocation, which can can be protective of customer identities (Switzerland), or known as tax havens, such as the Cayman Islands for instance.

How Long Does it Take to Assess a Customer?

This is probably the question that troubles most businesses who aren’t financial institutions. They understand that users want to move fast, whether it’s to sign up to a new service or to finalize a purchase. Churn, friction and obstacles are the enemies of online businesses, which leads companies to play a challenging balancing act between risk and security.

In fact, the words may conjure up memories of submitting a folder of personal information to open a bank account or to purchase a financial product like insurance protection or a loan. You’d sometimes have to wait for weeks before getting an answer.

But these days, it can actually be near-instantaneous, provided you’ve set up the right system in place.

transaction process

Effective Steps to Conducting The Assessment

Whether you are a small business or a global leader, the steps will be the same:

  1. Delegate risk assessment to a team member, whole team, or specialist
  2. Identify business-specific risks
  3. Assess the risks, and measure how they will impact the business
  4. Collect all the potential risk vectors (or data points relating to the risk)
  5. Create KPIs that measure and monitor risk rates.

A concrete example: let’s say you are a small online shop that sells physical goods. Your risks will probably be related to chargeback rates. You calculate that each chargeback ends up costing you up to $70. Paying too many of them each month could sink your business. 

In that case, the risk vectors will mainly be user detail, credit card numbers, and shipping address. 

Traditionally, a large merchant with the right ops and staff headcount would, therefore, have a team that performs manual review for these three points. For instance, they would contact the user for more information, or use any data they have to validate the purchase.

Luckily, in the digital age, it’s entirely possible to automate these steps and to scale your risk assessment without draining your team’s time and resources.

What if I Don’t Have the Resources to Deploy a Full Risk Team?

One of the biggest misconceptions about knowing your customer is that it’s a lengthy, resource-heavy process. This can be true if you’re doing it manually, for instance by verifying every new customer who joins your site with a phone call. For transactions, the typical manual workflow would include opening numerous tabs in a browser to gather customer info from different background check websites.

But thanks to automated tools, anyone can use risk assessment solutions that work at scale, whether you process one transaction per day or one per minute. And some providers like SEON even offer a transparent pay-per-API request model, which means anyone can afford risk management with full control over their ROI.

Risk Assessment and Fraud Prevention Tools

Risk assessment and fraud prevention tools nicely dovetail together as their goals are essentially the same: to gather data and use it to calculate risk. Here is how that process looks from the perspective of SEON’s fraud detection tools.

3 step process of the SEON platform

Step 1: Gathering data

As soon as visitors land on your website, SEON can begin gathering information. It may be about: 

  • The IP address: to understand where customers are in the world, whether they are hiding behind TOR or VPNs, and to see if they attempt to hide the origin of their connection.
  • The device configuration: device fingerprinting is an extremely powerful tool that lets us see the combination of software and hardware that users connect to your site with. Understanding the device build, browser version and features, amongst others, also helps create IDs to check when the same people revisit the site – or when they pretend to be different people.

Step 2: Enriching data

Gathering data is one thing, but it’s not enough to really know who your users are – especially if they’re lying or using stolen IDs. This is why you have the extra step to confirm the data quality, or to get the bigger picture with:

  • Email analysis: sometimes, a single data point can be enough to reveal a lot. For instance, an email address can be checked to see if it’s too new, registered with a free domain provider, or if it’s appeared on a blacklist before, amongst others.
  • Phone analysis: similarly, a phone number can be checked to see if it’s a landline or mobile, if the carrier is in the right country, and if the SIM card is on a real network or not.
  • Social media profiling: one of the most successful anti-fraud techniques in recent years is searching for social data. While this can be done manually, SEON speeds up the process to quickly learn if the user has linked their information with social or messaging networks. This allows us to gather a user picture, see when they last used it, and to read a user bio, amongst others.

Step 3: Calculating risk

The final step is to decide if all that data points to a risky user or not. In the past, fraud managers would have to use their expertise and instinct. While this is still the case today, the process is vastly improved thanks to risk scores

Each score is calculated with a number of rules. These can be prebuilt for your industry, manually created, or even suggested by AI. A simple rule would be to increase risk if a customer’s IP address is different from the shipping address. A complex one could be a velocity rule, which looks at the number of login attempts per minute, for instance.

The key is that businesses should be in control of risk mitigation. Is it worth being more strict, even if it increases false positives? Or would you rather let a few fraudsters pass and eat up the costs? Make sure you have the choice when you choose your fraud prevention tool.

Assessing Risk Before Fraudsters Strike

In conclusion, we can see that organizations of all sizes have access to resources to assess customer risk – whether they are required to or not.

And while the manual review is a perfectly viable option, it does tend to be prone to human error, and unfortunately, it simply doesn’t scale in terms of numbers, or processes you can deploy.

Which is why automation is key. Whether you need to calculate the risk of one transaction or a thousand, you should have tools in place that can help assess risk in real-time, and with outstanding precision.

This is exactly the goal behind all our products at SEON, from our one-click data enrichment Chrome plugin to our all-in-one solution, we enable anyone to start doing business with the right customers only, and with complete peace of mind.

Learn more about our products!
Products

Sign up to our newsletter

Newsletter