What’s in an IP Address? A Key Compliance Risk Indicator You Should Get to Know Better
Internet protocol (“IP”) addresses serve as the primary “identifier” for user devices accessing anything on the internet, including (but not limited to) your computer/laptop, mobile phone or tablet. Unlike real-world addresses, IP addresses behave more like temporary P.O. boxes that are assigned (with varying degrees of frequency) and are generally not controlled by a user operating a given device.
Traditionally, IP addresses have allowed companies to identify nefarious users in the cyber and fraud domains. However, with the accelerated adoption of online financial services, IP addresses can also be used as key indicators for understanding the locations from which legitimate (or nefarious) users may be accessing a financial institution’s products and services. At the most fundamental level it is a critical but neglected piece of information often excluded from both upfront Know-Your-Customer (KYC) checks as well as ongoing customer risk monitoring. However, with the regulatory crackdown on online-only financial services offered by cryptocurrency exchanges and private wallet providers, it is not hard to imagine that the increasingly digitalized banking sector may face similar scrutiny.
In this article, we set out to demystify some of the misconceptions around what IP addresses can and cannot do and offer some use cases on how real-world regulatory compliance risks might be mitigated through a deeper analysis of the IP addresses used to access an institution’s services.
The IP Origin Story
In the early stages of the internet, developers devised a system using a series of numbers to represent a digital end point, or address. These addresses took on many forms, but the standard that emerged comprises four sets of numbers between 0 and 255, separated by periods (e.g., 123.123.123.000). Currently, this is still the most common representation of IP addresses.[1]
How are IP addresses assigned/registered, you may ask? Well, it’s complicated. For the purposes of this article, it is enough to know that IP addresses are administered by five global registries, commonly known as regional internet registries (RIRs).
As these five RIRs each cover multiple countries, a number of national and local internet registries have been set up to further divide IP ranges between them. In general, IP addresses can be registered directly with an RIR (involving an application process, review and a fee) or through an internet service provider (ISP), i.e., one of the companies that provide internet connectivity to homes and businesses.
As a result of all these layers of administration, it can be costly (and at times, impossible) to guarantee that your IP address always remains the same. The following describes a few common concepts that you may encounter when striking up a conversation about IP addresses, and draws some helpful distinctions:
- Static IP vs. Dynamic IP
Static IP addresses can be more costly, as you are paying for the consistency of the address. Generally, static IPs are most frequently obtained for commercial purposes.
Conversely, dynamic IP addresses are assigned on the understanding that the ISP may reassign them at any time, without notice and at any frequency (as dictated by the RIR/ISP). Because a single IP address may be reassigned to many ISP users over time, it is critical to correlate IP address information with other data points collected on the platform, e.g., username.
- Geolocation With IP
Through the use of commercial platforms that maintain mappings between IP addresses and geographic locations, it is possible to identify, at varying levels of granularity, a user’s geographic location. While this geographic location can supplement user information gathered through other means, e.g., Know-Your-Customer onboarding, it is important to understand the limitations of such technologies.
As the geographic specificity of geo-IP mapping increases, its accuracy generally decreases. For example, at the country level there is a high degree of accuracy, but as the granularity increases, i.e., to the city level, confidence in the result gradually falls. Similarly, the geographic shift of IP addresses is generally more significant at higher granularity: over time, IP addresses are more likely to be reassigned to different cities than to different countries.
- VPN and Hosting
To further complicate geographic IP address mapping, it is important to be aware of virtual private networks (“VPN”) and hosting providers, e.g., Amazon AWS. When using a VPN or a hosting provider, a user can obscure their true location. Given this, it is important to consider the total view of a user’s activity, since other logged user events may locate the user more accurately. It is, of course, possible that a user always connects through a VPN or hosting provider, which will defeat any policy that does not deny connections from known VPN or hosting providers; such a blanket denial, however, can unintentionally lock out legitimate customers.
Use Cases for IP Addresses as a Risk Indicator for Compliance
After understanding the mechanics of IP addresses, it is important to recognize the implications of holding this data point and its practical applications. To that end, the following sections describe specific use cases centered on the use of the IP address as a risk indicator.
Banking and Financial Services
Historically, in the brick-and-mortar banking paradigm, a customer of a bank would have had to physically present themselves and communicate with a bank employee to initiate a relationship or complete in-branch activities. However, in the realm of digital banking — or even cryptocurrency — the point of interaction between customer and institution happens exclusively over the internet. As such, the network-level information available to “identify” your customer is truly limited to the IP address. Granted, certain data transmitted from an IP address enables the recipient to confirm the customer’s identity (e.g., usernames and passwords), but going one step further may allow for the identification of other risks, such as:
- A customer accessing banking services from a restricted country, e.g., North Korea, indicative of a compromised account or a potential sanctions breach (both being bad scenarios for a bank);
- A customer whose KYC profile indicates a residence and employment based in Pennsylvania, but whose online activity resolves to an IP address based in Australia;
- Multiple customers accessing banking services from the same IP address in a relatively short period of time.
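The three risk patterns listed above, together with the geolocation caveats discussed earlier (confidence falling with granularity; VPN and hosting exits masking location), are illustrated below in an added Python example that is not part of the original article. The geo-IP table, the customer events, the KYC countries of residence and the names `lookup`, `evaluate_login` and `shared_ip_alerts` are all constructed for the example; the addresses are the RFC 5737 documentation ranges and `RESTRICTED_COUNTRIES` is a one-entry placeholder for whatever country-based program list a compliance team actually loads.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed geo-IP table for this example. Commercial feeds expose similar fields;
# the countries, cities, confidence scores and categories here are made up, and the
# more specific /25 entry shows why longest-prefix matching is required.
# (prefix, country, country_confidence, city, city_confidence, category)
GEOIP_TABLE = [
    ("198.51.100.0/24",  "US", 0.99, "Philadelphia", 0.80, "isp"),
    ("203.0.113.0/24",   "AU", 0.98, "Sydney",       0.70, "isp"),
    ("203.0.113.128/25", "DE", 0.95, "Frankfurt",    0.30, "hosting"),
    ("192.0.2.0/24",     "KP", 0.97, None,           0.00, "isp"),
]
_NETWORKS = [
    (ipaddress.ip_network(p), {"country": c, "country_confidence": cc,
                               "city": ci, "city_confidence": cic, "category": cat})
    for p, c, cc, ci, cic, cat in GEOIP_TABLE
]

# Placeholder for the country-based sanctions programs a compliance team would load
# from its own sanctions data; only North Korea (KP) is listed here.
RESTRICTED_COUNTRIES = {"KP"}
ANONYMIZING_CATEGORIES = {"vpn", "hosting"}


def lookup(ip):
    """Longest-prefix match of an address against the geo table, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, info in _NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return None if best is None else dict(best[1], prefix=str(best[0]))


def evaluate_login(event, kyc_country_by_customer):
    """Flags for one event, in order: restricted country, KYC mismatch, anonymizing network."""
    geo = lookup(event["ip"])
    if geo is None:
        return ["no_geo_data"]
    flags = []
    if geo["country"] in RESTRICTED_COUNTRIES:
        flags.append("restricted_country")
    if geo["country"] != kyc_country_by_customer.get(event["customer"]):
        flags.append("kyc_country_mismatch")
    if geo["category"] in ANONYMIZING_CATEGORIES:
        # A VPN or hosting exit weakens the location signal: corroborate before acting.
        flags.append("anonymizing_network")
    return flags


def shared_ip_alerts(events, window_minutes, min_customers):
    """IPs used by at least min_customers distinct customers within any sliding window."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append((datetime.fromisoformat(e["ts"]), e["customer"]))
    alerts = []
    for ip, rows in by_ip.items():
        rows.sort()
        flagged = set()
        for i, (t_end, _) in enumerate(rows):
            recent = {c for t, c in rows[: i + 1] if t >= t_end - window}
            if len(recent) >= min_customers:
                flagged |= recent
        if flagged:
            alerts.append((ip, flagged))
    return alerts


# Constructed login events and KYC countries of residence.
EVENTS = [
    {"customer": "C001", "ip": "198.51.100.23", "ts": "2024-03-01T09:00:00"},
    {"customer": "C001", "ip": "203.0.113.45",  "ts": "2024-03-01T09:30:00"},  # AU exit, KYC says US
    {"customer": "C002", "ip": "192.0.2.77",    "ts": "2024-03-01T10:00:00"},  # restricted country
    {"customer": "C003", "ip": "203.0.113.200", "ts": "2024-03-01T11:00:00"},  # hosting range shared
    {"customer": "C004", "ip": "203.0.113.200", "ts": "2024-03-01T11:05:00"},  # by three customers
    {"customer": "C005", "ip": "203.0.113.200", "ts": "2024-03-01T11:09:00"},  # within ten minutes
    {"customer": "C006", "ip": "203.0.113.200", "ts": "2024-03-02T11:09:00"},  # next day, outside window
]
KYC_COUNTRY = {"C001": "US", "C002": "US", "C003": "US", "C004": "US", "C005": "US", "C006": "DE"}

if __name__ == "__main__":
    for e in EVENTS:
        print(e["customer"], e["ip"], evaluate_login(e, KYC_COUNTRY))
    print(shared_ip_alerts(EVENTS, window_minutes=15, min_customers=3))
```

The flags are deliberately additive rather than a single verdict: a KYC mismatch reached through a hosting range (C003 to C005) is a weaker signal than the same mismatch from a residential ISP range (C001), and the shared-IP alert excludes C006 because the window is evaluated per IP over time, not over the whole log.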
As indicated in the Electronic Banking section of the Federal Financial Institutions Examination Council (FFIEC) manual, there is already some level of expectation around the tracking and review of IP addresses:
Useful MIS for detecting unusual activity in higher-risk accounts include ATM activity reports, funds transfer reports, new account activity reports, change of Internet address reports, Internet Protocol (IP) address reports, and reports to identify related or linked accounts (e.g., common addresses, phone numbers, e-mail addresses, and taxpayer identification numbers). (Author’s bold emphasis)
E-commerce
In the e-commerce space, where a company’s engagement and marketing strategy can be tied to an employee’s or customer’s location, the IP address may be a useful indicator for flagging potential suspicious activity, fraud or abuse. For example, if a marketing campaign requires a photo submission in response to a “challenge,” there may also be a control to determine whether the IP address’s location was in physical proximity to what was expected. Another example is from the IRS, which in 2015 implemented testing on return filings to determine whether a single IP address was responsible for multiple returns; such a pattern would alert the IRS to potentially suspicious activity, as it could be a sign that fraudsters were submitting multiple returns.[2]
In addition to the IP address, companies that obtain authentic identification information on their customers before a new account is opened or a new transaction is initiated are already well positioned to evaluate whether the information gathered is consistent with the customer’s IP address behavior. For example, if a customer has a significant percentage of transactions linked to an IP address in a region different from the one they provided, a company that deems this behavior atypical should treat it as heightened risk.
Sanctions Compliance
In addition to company policy around standard business practices, the IP address may be a useful signal for regulatory compliance. One place this has become apparent is with regard to OFAC sanctions compliance, under which entities subject to U.S. jurisdiction must ensure that they are not engaging in activities that violate OFAC’s active country-based sanctions programs or that involve sanctions targets named on OFAC’s list of Specially Designated Nationals and Blocked Persons (SDNs).[3] This, of course, spans industries and is of particular importance in light of the sustained volume of sanctions-related enforcement actions in the past few years.[4]
In order to comply, an organization must first understand where information surrounding transactional activity resides, and how to link it to an IP address. This is no simple task, as IP address information is often stored in unstructured logging systems that capture massive amounts of information related to activity on the platform. In addition to logging systems, customer data platforms (CDPs) are also instrumental in capturing the IP address behind a customer’s behavior, such as email clicks and website navigation patterns. Lastly, external vendors such as transaction monitoring platforms also store IP addresses related to transactions they process.
Using the IP addresses from a variety of sources, together with publicly available data that links IP addresses to a geographic region, a user attempting an online transaction from a sanctioned country or from a known sanctions target may be blocked based on the IP address activity associated with that user. However, this does not fully address an e-commerce platform’s compliance risks, since IP address allocations are dynamic and change over time. Likewise, the use of a VPN may obscure the actual location of the device in question, making the IP address merely the first line of defense in sanctions compliance.
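The linking problem described in the two paragraphs above (IP addresses scattered across an unstructured access log, a CDP event stream and a vendor export, then screened against a country mapping that itself changes over time) is shown below in an added Python example that is not part of the original article. The three sample data sets, the `GEO_SNAPSHOT` prefix table with its version tag, the `RESTRICTED` placeholder and the functions `unified_records`, `ip_history` and `screen` are all constructed for the example; the log and CSV layouts are assumed, and a real deployment would substitute its own parsers and sanctions data.

```python
import csv
import io
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data standing in for the three kinds of systems named above:
# a web-server access log (unstructured), a customer data platform's event stream
# (JSON lines) and a transaction-monitoring vendor's export (CSV). Addresses are
# RFC 5737 documentation ranges; customer ids and timestamps are made up.
WEB_ACCESS_LOG = """\
203.0.113.45 - C001 [01/Mar/2024:09:30:00 +0000] "POST /transfer HTTP/1.1" 200 512
192.0.2.77 - C002 [01/Mar/2024:10:00:05 +0000] "GET /balance HTTP/1.1" 200 1024
"""
CDP_EVENTS = """\
{"customer_id": "C002", "event": "email_click", "client_ip": "192.0.2.77", "ts": "2024-03-01T09:58:00Z"}
{"customer_id": "C001", "event": "page_view", "client_ip": "198.51.100.23", "ts": "2024-03-01T08:00:00Z"}
"""
VENDOR_CSV = """\
txn_id,customer_id,amount,ip,timestamp
T-1,C001,250.00,203.0.113.45,2024-03-01T09:31:10Z
T-2,C002,90.00,192.0.2.77,2024-03-01T10:01:00Z
"""

# Constructed, versioned prefix-to-country snapshot. Recording the version with each
# decision matters because allocations move: a later snapshot may resolve the same
# prefix elsewhere, and a decision taken on old data may then need re-review.
GEO_SNAPSHOT = {"version": "2024-03",
                "by_prefix": {"198.51.100": "US", "203.0.113": "AU", "192.0.2": "KP"}}
RESTRICTED = {"KP"}  # placeholder; load the real country-based program list from sanctions data

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def _iso(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_access_log(text):
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:  # lines that do not match the expected shape are skipped, not guessed at
            yield {"source": "web", "customer": m["user"], "ip": m["ip"],
                   "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), "detail": m["req"]}


def parse_cdp(text):
    for line in text.splitlines():
        if line.strip():
            d = json.loads(line)
            yield {"source": "cdp", "customer": d["customer_id"], "ip": d["client_ip"],
                   "ts": _iso(d["ts"]), "detail": d["event"]}


def parse_vendor_csv(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield {"source": "vendor", "customer": row["customer_id"], "ip": row["ip"],
               "ts": _iso(row["timestamp"]), "detail": f'{row["txn_id"]} {row["amount"]}'}


def unified_records():
    """All three sources normalized to one schema and ordered by time."""
    recs = [*parse_access_log(WEB_ACCESS_LOG), *parse_cdp(CDP_EVENTS), *parse_vendor_csv(VENDOR_CSV)]
    return sorted(recs, key=lambda r: r["ts"])


def ip_history(records):
    """Per-customer timeline of (timestamp, ip, source): the view a reviewer needs."""
    hist = defaultdict(list)
    for r in records:
        hist[r["customer"]].append((r["ts"].isoformat(), r["ip"], r["source"]))
    return dict(hist)


def country_for(ip, snapshot):
    return snapshot["by_prefix"].get(ip.rsplit(".", 1)[0])


def screen(records, snapshot):
    """Decisions for activity resolving to a restricted country, tagged with the snapshot version."""
    return [{"customer": r["customer"], "ip": r["ip"], "source": r["source"], "ts": r["ts"].isoformat(),
             "country": country_for(r["ip"], snapshot), "geo_version": snapshot["version"],
             "action": "block_and_review"}
            for r in records if country_for(r["ip"], snapshot) in RESTRICTED]


if __name__ == "__main__":
    recs = unified_records()
    for cust, rows in ip_history(recs).items():
        print(cust, rows)
    for d in screen(recs, GEO_SNAPSHOT):
        print(d)
```

Because every decision carries `geo_version`, a reviewer can later tell whether a block was taken against the current mapping or an older one, which is the practical answer to allocations changing; the VPN limitation remains, which is why the action is "block and review" rather than a final determination.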
Following the IP Breadcrumbs
Looking forward, as the venue for customer-to-institution interactions trends toward (or is necessitated by) intermediary channels, including devices, technologies and internet networks, regulated organizations will need to expand the scope of information they rely upon to stay compliant.
IP addresses are critical digital breadcrumbs that have the potential to link anything connected through the internet to their geographic location. While IP addresses may not have been a high priority (or even well known) in many compliance circles, it is almost certainly something that is logged, stored and buried away in the technology basements of all companies. Collecting IP address activity is a critical first step in understanding behavior on any web-based system, but there are a variety of limitations that make this only one piece of an increasingly complex puzzle. A more robust solution would include comprehensive testing, monitoring and reporting that links users to their known IP address activity to flag suspicious activity in real time. While this is no simple task, the increasing focus on all things digital from the regulatory community may make this level of scrutiny a necessity.
[1] Referring to the IPv4 standard. Both the IPv4 and IPv6 (expanded possible addresses) standards are in operation.
[2] https://www.washingtonpost.com/news/get-there/wp/2015/06/11/irs-will-work-with-states-and-tax-preparers-to-fight-tax-fraud/
[3] https://home.treasury.gov/policy-issues/financial-sanctions/faqs/73
[4] https://home.treasury.gov/policy-issues/financial-sanctions/civil-penalties-and-enforcement-information