Skip to main content
This guide explains how to implement conditional routing in your onboarding workflow. Instead of a linear verification journey, this approach dynamically adjusts friction based on real-time risk signals—routing customers to the appropriate CDD tier based on assessed risk. This risk-based approach supports both current AUSTRAC expectations and the direction of upcoming AML/CTF reforms in Australia, which consolidate customer identification into a single, risk-based CDD obligation.

Overview

Risk-Based Onboarding uses a three-step process:
  1. Passive Signal Collection – Assess email, phone, and device risk invisibly
  2. Decision Gate – Route to Simplified, Standard, or Enhanced CDD based on risk score
  3. Verification – Execute the appropriate verification path for the CDD tier

CDD Tiers

FrankieOne’s risk-based workflows support configurable CDD tiers (Simplified, Standard, Enhanced) that customers can align with their risk assessment and regulatory expectations:
CDD TierRisk LevelExample Use Cases
SimplifiedLowLow-risk customers, standard products
StandardMediumMost new account openings
EnhancedHighPEPs, high-value products, complex structures

Verification Intensity by Industry

The verification checks at each CDD tier vary by industry based on regulatory requirements:
CDD TierBankingGamingOther Sectors
SimplifiedTwoPlusID (Gov ID + credit bureau + electoral roll)IDOnly or TwoPlusConfigurable
StandardTwoPlusID (Gov ID + screening)TwoPlusIDConfigurable
EnhancedTwoPlusID + biometrics + adverse mediaTwoPlusID + biometricsConfigurable
Note: Banking has a higher regulatory floor—even Simplified CDD requires TwoPlusID verification. Other industries may use lighter verification at lower CDD tiers based on their risk assessment.

Configuration Options

Risk-based routing can be configured at different levels depending on your needs:
OptionSignals UsedBest For
Full Fraud SignalsEmail, phone, device, IPMaximum fraud protection
Email + Phone OnlyEmail reputation, phone intelligenceLighter integration, good coverage
Business Logic OnlyEntity age, product type, transaction valueSimple routing without fraud checks

Option 1: Full Fraud Signals

Uses all available fraud steps: device intelligence, IP risk, email risk, and phone risk. Provides the strongest fraud detection but requires OneSDK integration for device and IP capture. Fraud steps included:
  • email_risk – Email domain, age, and reputation
  • phone_risk – Phone type, carrier, and validity
  • device_intelligence – Device fingerprint, velocity, and blocklist
  • ip_risk – Geolocation, VPN/proxy detection

Option 2: Email + Phone Only

A lighter approach that assesses risk using email and phone fraud steps. No device fingerprinting or OneSDK integration required. Fraud steps included:
  • email_risk – Evaluates email domain, age, and reputation
  • phone_risk – Evaluates phone type, carrier, and validity
Signals evaluated:
  • Email domain (disposable, free, corporate)
  • Email age and deliverability
  • Phone type (mobile, VoIP, landline)
  • Phone carrier risk and number validity

Option 3: Business Logic Only

Route based on entity attributes or transaction context without fraud signal checks. Useful when risk is determined by business factors rather than fraud indicators. 
{
  "stage": "DECISION_GATE",
  "logic": "IF entity_age < 30_days OR product_type == 'HIGH_VALUE' OR transaction_value > 10000",
  "then": "ENHANCED_VERIFICATION",
  "else": "STANDARD_VERIFICATION"
}
Example routing rules:
  • New customers (entity age < 30 days) → Enhanced verification
  • High-value products → Document + biometric
  • Transaction value > threshold → Step-up required
  • Returning verified customers → Streamlined flow

Prerequisites

Before implementing risk-based routing, ensure you have:
  • A workflow configured with conditional logic
  • For fraud signals: Completed the Fraud Checks Guide setup
  • For device intelligence: OneSDK integration with session tracking

Step 1: Create Entity

Create an entity profile with the data required for your chosen configuration. 
curl -X POST https://api.frankieone.com/v2/individuals \
  -H "api_key: YOUR_API_KEY" \
  -H "X-Frankie-CustomerID: YOUR_CUSTOMER_ID" \
  -H "Content-Type: application/json" \
  -d '{
    "individual": {
      "entityType": "INDIVIDUAL",
      "name": {
        "givenName": "JAMES",
        "middleName": "A",
        "familyName": "TESTONE",
        "displayName": "JAMES A TESTONE"
      },
      "dateOfBirth": {
        "year": "1990",
        "month": "05",
        "day": "15"
      },
      "nationality": "AUS",
      "addresses": [
        {
          "type": "RESIDENTIAL",
          "streetNumber": "35",
          "streetName": "CONN",
          "streetType": "STREET",
          "unitNumber": "1",
          "locality": "FERNTREE GULLY",
          "subdivision": "VIC",
          "postalCode": "3156",
          "country": "AUS",
          "unstructuredLongForm": "U 1/35 CONN STREET, FERNTREE GULLY, VIC 3156"
        }
      ],
      "emailAddresses": [
        {
          "type": "WORK",
          "email": "[email protected]",
          "isPreferred": true
        }
      ],
      "phoneNumbers": [
        {
          "country": "AUS",
          "number": "0412345678",
          "isPreferred": true
        }
      ],
      "documents": {
        "IDENTITY": [
          {
            "type": "DRIVERS_LICENSE",
            "country": "AUS",
            "subdivision": "VIC",
            "primaryIdentifier": "123456789",
            "secondaryIdentifier": "P1234567",
            "class": "IDENTITY"
          }
        ]
      },
      "consents": [
        { "type": "GENERAL" },
        { "type": "DOCS" },
        { "type": "CREDITHEADER" }
      ]
    }
  }'
The response includes the entityId required for workflow execution.
Note: For device and IP signals, you must implement OneSDK on the client side. Email and phone checks work independently without it.

Step 2: Execute Risk-Based Workflow

Execute your workflow with risk-based routing enabled. The workflow configuration determines how signals are evaluated and which path is triggered. 
curl -X POST https://api.frankieone.com/v2/individuals/{entityId}/serviceprofiles/KYC/workflows/AUS-Risk-CDD-Email-Phone-Device/execute \
  -H "api_key: YOUR_API_KEY" \
  -H "X-Frankie-CustomerID: YOUR_CUSTOMER_ID"

Workflow Configuration

Risk-based workflows include fraud steps (email risk, phone risk, device intelligence) that evaluate signals before routing to the appropriate verification path. Below is a conceptual example of the branching structure with three CDD tiers: 
{
  "workflow_name": "Dynamic_Risk_Based_Onboarding",
  "stages": [
    {
      "stage": "PRE_SCREEN",
      "steps": ["email_risk", "phone_risk", "device_intelligence"]
    },
    {
      "stage": "DECISION_GATE",
      "logic": {
        "HIGH_RISK": "fraud_score > 50 OR device_risk == 'HIGH' OR pep_match == true",
        "MEDIUM_RISK": "fraud_score > 20 OR entity_age < 30_days",
        "LOW_RISK": "default"
      }
    },
    {
      "stage": "VERIFICATION",
      "branches": {
        "LOW_RISK": ["document_verification", "database_match"],
        "MEDIUM_RISK": ["document_verification", "database_match", "screening"],
        "HIGH_RISK": ["document_verification", "biometric_liveness", "database_match", "screening", "adverse_media"]
      }
    }
  ]
}
CDD TierRisk ScoreVerification Path
Simplified0-20Document + database verification
Standard21-50Document + database + screening
Enhanced51+Document + biometrics + database + screening + adverse media
Note: This is a conceptual representation. Workflows are configured by your FrankieOne representative. Contact your representative to set up risk-based routing with the appropriate fraud steps for your use case.

Risk Factors Evaluated

The workflow evaluates multiple risk factors, each contributing to the overall risk score:
Risk FactorDescriptionExample Values
fraud_emailEmail Address RiskLOW, MEDIUM, HIGH
fraud_phone_numberPhone Number RiskLOW, MEDIUM, HIGH
fraud_ip_addressIP Address RiskLOW, MEDIUM, HIGH
fraud_count_sessionSession Count RiskNumeric
entity_typeEntity TypeINDIVIDUAL
entity_ageAge of Entity (years)Numeric
workflow_attemptsNumber of Workflow AttemptsNumeric
document_typeID Document TypeDRIVERS_LICENSE, PASSPORT
address_country_riskResidential Address CountryCountry code
document_country_riskDocument Issuing CountryCountry code

Fraud Indicators

The FRAUD step evaluates specific indicators that can trigger issues:
IndicatorRisk LevelExample Triggers
Risky Email DomainHIGHDisposable domains, known fraud domains
Email AgeMEDIUM-HIGHRecently created email addresses
VoIP PhoneMEDIUM-HIGHNon-mobile phone numbers
Phone Carrier RiskMEDIUMHigh-risk carriers
IP Location MismatchMEDIUMIP doesn’t match stated address
VPN/Proxy DetectedMEDIUMConnection anonymisation

Step 3: Interpret Results

The workflow execution response contains the full verification outcome in the workflowResult object.

Key Response Fields

FieldDescription
workflowResult.resultOverall outcome: PASS, REVIEW, or FAIL
workflowResult.workflowExecutionStateExecution state: COMPLETED
workflowResult.riskAssessment.riskLevelRisk level: LOW, MEDIUM, or HIGH
workflowResult.riskAssessment.riskScoreNumeric risk score
workflowResult.issuesArray of flagged issues
workflowResult.stepsWhich steps passed, failed, or are incomplete

Example Response: High-Risk (Needs Review)

This example shows a high-risk result triggered by a risky email domain: 
{
  "workflowResult": {
    "entityId": "155da7b9-cb8a-461a-8e58-787d65276630",
    "result": "REVIEW",
    "status": "REVIEW",
    "workflowExecutionState": "COMPLETED",
    "workflowName": "AUS-Risk-CDD-Email-Phone",
    "workflowExecutionId": "01KGJW7WXA0X5QHFC9M31AEE9Q",
    "issues": [
      {
        "category": "FRAUD",
        "issue": "FRAUD_EMAIL_ADDRESS",
        "severity": "REVIEW"
      },
      {
        "category": "RISK",
        "issue": "RISK_THRESHOLD_HIGH",
        "severity": "REVIEW"
      }
    ],
    "riskAssessment": {
      "riskLevel": "HIGH",
      "riskScore": 61,
      "riskFactors": [
        {
          "factor": "fraud_email",
          "description": "Email Address Risk",
          "value": "HIGH",
          "score": 51
        },
        {
          "factor": "fraud_phone_number",
          "description": "Phone Number Risk",
          "value": "LOW",
          "score": 1
        },
        {
          "factor": "fraud_ip_address",
          "description": "IP Address Risk",
          "value": "LOW",
          "score": 1
        },
        {
          "factor": "entity_age",
          "description": "Age of Entity",
          "value": "76",
          "score": 1
        }
      ]
    },
    "steps": {
      "passed": ["START", "MATCHLIST", "DECISION", "FINISH"],
      "failed": ["KYC", "FRAUD"],
      "incomplete": ["TOGGLE_MONITORING"],
      "order": ["START", "MATCHLIST", "KYC", "FRAUD", "TOGGLE_MONITORING", "DECISION", "FINISH"]
    }
  }
}

Understanding the FRAUD Step Results

The workflowStepResults array contains detailed results for each step. For the FRAUD step: 
{
  "stepName": "FRAUD",
  "result": "HIT",
  "summary": {
    "maximumEmailAddressRisk": "HIGH",
    "maximumPhoneNumberRisk": "LOW",
    "maximumIpAddressRisk": "LOW",
    "numberEmailAddressEvaluations": 1,
    "numberPhoneNumberEvaluations": 1
  },
  "processResults": [
    {
      "objectType": "EMAIL_ADDRESS",
      "result": "HIT",
      "supplementaryData": {
        "riskLevel": "HIGH",
        "indicators": [
          {
            "name": "emailLevel",
            "value": "high",
            "rules": [{ "name": "Risky Email Domain", "isActive": true }]
          }
        ]
      }
    },
    {
      "objectType": "PHONE_NUMBER",
      "result": "CLEAR",
      "supplementaryData": {
        "riskLevel": "LOW"
      }
    }
  ]
}

Result Values

ResultMeaningRecommended Action
PASSAll checks passed, risk within thresholdAuto-approve account
REVIEWFlags present or risk threshold exceededManual review required
FAILCritical failure or verification failedDecline registration

Issue Categories

CategoryExample Issues
FRAUDFRAUD_EMAIL_ADDRESS, FRAUD_PHONE_NUMBER, FRAUD_DEVICE
RISKRISK_THRESHOLD_HIGH, RISK_THRESHOLD_MEDIUM
KYCNOT_FOUND, PARTIAL_MATCH
Note: Even when individual fraud checks pass, the overall result may be REVIEW if the combined risk score exceeds your configured threshold. This ensures your compliance team can make the final decision with full context.
For detailed field definitions, see Interpreting Workflow Results.

Configuring Thresholds

Work with your FrankieOne representative to tune risk scoring based on your risk appetite.

Risk Score Thresholds

The overall risk score determines the CDD tier and workflow routing:
Risk LevelScore RangeCDD TierTypical Outcome
LOW0-20Simplified CDDPASS
MEDIUM21-50Standard CDDPASS or REVIEW (configurable)
HIGH51+Enhanced CDDREVIEW
These thresholds can be tuned as regulatory guidance evolves (for example, where reforms call out higher-risk customer types or jurisdictions).

Risk Factor Weights

Each risk factor contributes a weighted score. Example weights:
Risk FactorLOW ScoreHIGH Score
fraud_email151
fraud_phone_number151
fraud_ip_address151
entity_type22
entity_age15
document_type13
address_country_risk110
Note: Weights are configurable. Contact your FrankieOne representative to adjust scoring for your use case.

Best Practices

Always log the workflowExecutionId for audit trails and troubleshooting. Handle REVIEW outcomes by routing to your compliance team with the full flag context rather than auto-declining. Monitor conversion rates by workflow path. If step-up abandonment is high, review your biometric capture UX or threshold settings. Tune thresholds gradually based on observed fraud rates and false positive feedback.

Troubleshooting

IssueLikely CauseResolution
All users getting REVIEW resultRisk score threshold too lowIncrease threshold or adjust factor weights
FRAUD_EMAIL_ADDRESS false positivesLegitimate domains flaggedReview email risk rules with FrankieOne
KYC step showing NOT_FOUNDNo data source matchesEnsure correct document details provided
High fraud_email scoresRisky domain patternsCheck if corporate domains need whitelisting
RISK_THRESHOLD_HIGH on valid usersCumulative scores too highReview individual factor weights
Missing fraud_phone_number resultPhone format issueEnsure phone includes country code

Ongoing CDD and Monitoring

PASS/REVIEW/FAIL outcomes can be combined with periodic reviews and ongoing monitoring rules to help customers keep pace with evolving AUSTRAC expectations around ongoing CDD. Consider configuring:
  • Triggers for refresh (e.g., profile changes, new PEP/adverse media hits)
  • Periodic re-verification based on customer risk rating
  • AML screening and fraud signals to inform ongoing risk rating over the customer lifecycle
Fraud and cyber signals are increasingly relevant to both financial crime risk and broader AML/CTF expectations and can be integrated into your overall ML/TF risk assessment.

Regulatory Context (Australia)

This guide is designed for reporting entities operating under Australia’s AML/CTF framework and is aligned to current AUSTRAC guidance. Australian AML/CTF laws are undergoing reform, including a move to a single, risk-based customer due diligence obligation and expanded coverage of additional sectors (tranche 2). FrankieOne does not provide legal or regulatory advice. Reporting entities should obtain their own advice and configure workflows in line with their AML/CTF programs.

Next Steps