IP Geolocation for Fintech — KYC, Sanctions, and Payment-Fraud Signals
Why fintech is its own axis: payments, lending, neobanks, crypto-on-ramps, BNPL, and embedded finance all share the same regulatory floor (KYC + sanctions + AML) and the same fraud-economics (chargeback liability sits with the merchant or PSP). The IP-layer signal isn’t optional — it’s the cheapest first check before you commit to a card-network call or a 3DS challenge.
The country an IP resolves to, the ASN it belongs to, and whether it’s a known VPN, proxy, or Tor exit node are inputs to three separate fintech control surfaces:
- KYC / onboarding — country-of-origin must match the customer’s claimed jurisdiction, or the application gets routed to enhanced due diligence (EDD).
- Sanctions / OFAC / EU-restrictive-measures screening — IP-country is one of the indicators that triggers a sanctions hold (alongside name, DOB, address).
- Payment fraud — at authorisation time, IP-country mismatch with billing-country, hosting-provider ASN (DigitalOcean, AWS), and VPN/Tor flags compound into a per-transaction risk score.
A single REST call to IP Geo API returns every signal the three control surfaces consume (country, ASN, threat flags, risk score) on every plan, with no add-on SKU.
What fintech buyers care about (in order)
- EU residency + GDPR posture. EU-headquartered fintechs cannot ship customer IPs to a US-based vendor without an Art. 28 GDPR DPA plus a Chapter V transfer basis (SCCs and a transfer impact assessment, unless the vendor is certified under the EU-US Data Privacy Framework). Most US incumbents (MaxMind, ipinfo.io, ipstack) require this paperwork. IP Geo API runs on EU hosting (Hetzner, Frankfurt) and never transfers data outside the EEA, so the DPA is a one-page artifact, not a 40-page schedule.
- Predictable EUR billing. Fintechs in DE/NL/IE/FR don’t want USD-denominated SaaS cost on the income statement. We bill in EUR, monthly, no annual prepay, no FX surprises at quarter-end.
- Threat fields included on every plan, not a separate SKU. ipgeolocation.io charges separately for the Security API. ipstack splits the Security Module out. ipinfo.io charges per-bundle. With IP Geo API, `is_vpn`, `is_proxy`, `is_tor`, `is_hosting`, and `risk_score` ship on every response from the free tier upward.
- ASN-level granularity. Fintech fraud teams routinely block transactions from commercial-hosting ASNs (residential users do not normally pay for groceries from an OVH server). We expose `asn`, `asn_org`, and `is_hosting` as first-class fields.
- Latency ≤40 ms median (EU edge). Authorisation flows have a hard SLA at the PSP — typically 800-1200 ms end-to-end for the cardholder. An IP lookup that costs 200 ms erodes margin elsewhere; ours costs 30-40 ms median in EU.
The three fintech control-surfaces, in code
1. KYC: country-of-origin check at signup
```javascript
// /api/onboarding/start.js — Node 20 / Vercel Edge (Next.js App Router route handler)
import { headers } from 'next/headers';

const ISO2 = /^[A-Z]{2}$/;

export async function POST(req) {
  // The leftmost x-forwarded-for entry is only trustworthy where the platform in front
  // of this function replaces the header with the real client address; behind a proxy
  // that appends, take the hop your own edge added instead.
  const ip = (await headers()).get('x-forwarded-for')?.split(',')[0]?.trim()
    ?? req.ip;
  const { billing_country: claimedCountry } = await req.json(); // ISO-2
  if (!ip || !ISO2.test(claimedCountry ?? '')) {
    return Response.json({ error: 'missing ip or invalid billing_country' }, { status: 400 });
  }
  const res = await fetch(`https://api.ipgeo.10b.app/v1/lookup/${encodeURIComponent(ip)}`, {
    headers: { Authorization: `Bearer ${process.env.IPGEO_KEY}` },
    signal: AbortSignal.timeout(500), // never let the lookup stall the signup flow
  });
  if (!res.ok) {
    // Fail closed: an unavailable geo signal routes the applicant to EDD, not past it.
    return Response.json({ proceed: false, enhanced_due_diligence: true, reason: 'geo_unavailable' });
  }
  const geo = await res.json();
  const mismatch = geo.country_code !== claimedCountry;
  const flagged = geo.is_vpn || geo.is_proxy || geo.is_tor || geo.is_hosting;
  return Response.json({
    proceed: !mismatch && !flagged,
    enhanced_due_diligence: mismatch || flagged,
    geo_country: geo.country_code,
    asn: geo.asn,
    risk_score: geo.risk_score,
  });
}
```
Audit trail: persist (timestamp, ip, country_code, asn, risk_score) alongside the customer record. Regulators (DNB, BaFin, FCA, AFM) ask for this in the next on-site visit.
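All three control surfaces are only as good as the IP they are fed, and the handler above reads the leftmost `X-Forwarded-For` entry, which is client-supplied whenever a proxy appends to the header rather than replacing it. A fraudster who can set that header relocates the lookup to a clean country for free. The following is an added example, not code from the page or from IP Geo API, showing the standard fix: count the proxies you control in front of the app and take the entry that the first of them appended. The `trustedHops` topology and the sample header values are assumptions for illustration.

```javascript
// Added example (not from the page): derive the client IP from X-Forwarded-For given a
// fixed number of reverse proxies you control, so client-supplied entries cannot relocate
// the geo lookup. Assumed topology: each trusted hop appends exactly one entry.

const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
const IPV6 = /^[0-9a-f:]+$/i; // coarse syntactic check; IPv4-mapped forms are rejected on purpose

// Rejects addresses that can never be a public client (private, loopback, link-local,
// CG-NAT shared space), which is what a spoofed or misconfigured header usually carries.
function isRoutable(ip) {
  if (IPV4.test(ip)) {
    const [a, b] = ip.split('.').map(Number);
    if (a === 0 || a === 10 || a === 127) return false;  // this-net, RFC 1918, loopback
    if (a === 172 && b >= 16 && b <= 31) return false;   // RFC 1918
    if (a === 192 && b === 168) return false;            // RFC 1918
    if (a === 169 && b === 254) return false;            // link-local
    if (a === 100 && b >= 64 && b <= 127) return false;  // RFC 6598 CG-NAT shared space
    return true;
  }
  if (ip.includes(':') && IPV6.test(ip)) {
    const l = ip.toLowerCase();
    if (l === '::' || l === '::1') return false;         // unspecified, loopback
    if (/^f[cd]/.test(l)) return false;                  // ULA fc00::/7
    if (/^fe[89ab]/.test(l)) return false;               // link-local fe80::/10
    return true;
  }
  return false;
}

// xff: raw header value; trustedHops: proxies you control in front of the app;
// socketIp: the TCP peer address, used only when no proxy is in front at all.
// Returns null when the header cannot be trusted, so the caller fails closed (EDD / review).
function clientIpFromXff(xff, trustedHops, socketIp) {
  if (trustedHops < 1) return socketIp ?? null; // no proxy: the TCP peer is the client
  const entries = (xff ?? '').split(',').map(s => s.trim()).filter(Boolean);
  // Chain client -> proxy1 -> ... -> proxyN -> app: proxy1 appended the client address,
  // proxyN appended proxy(N-1). The client is therefore N-th from the right; everything
  // to its left was already present when the request reached proxy1 and is untrusted.
  const idx = entries.length - trustedHops;
  if (idx < 0) return null; // fewer entries than the topology produces: proxy bypassed or misconfigured
  const candidate = entries[idx];
  return isRoutable(candidate) ? candidate : null;
}

// Usage (constructed header): the attacker put 1.2.3.4 first, the single trusted
// load balancer appended the real peer 203.0.113.9.
console.log(clientIpFromXff('1.2.3.4, 203.0.113.9', 1)); // 203.0.113.9, not 1.2.3.4
```

When `clientIpFromXff` returns null, route the request to the same fail-closed path as a failed lookup rather than falling back to the first header entry; a null here means the trust chain is broken, which is itself a signal worth writing to the audit record.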
2. Sanctions screening: pre-filter by IP-country before name-screening
Jurisdictions to treat as sanctioned at the IP layer (a snapshot of the OFAC programmes and the EU consolidated restrictive-measures list as of this page's 2026 date; refresh the set from the live lists, never from a hard-coded constant): CU, IR, KP and SY carry comprehensive embargoes; RU and BY are under broad programme-based sanctions, and most EU fintechs hard-block them as a policy decision rather than a legal requirement; plus the occupied regions of Ukraine (Crimea, DNR and LNR, and the non-government-controlled areas of Kherson and Zaporizhzhia oblasts under the EU measures).
```python
# Python / FastAPI
# Snapshot sets; in production load them at startup from your screening
# vendor's consolidated feed so list changes do not require a deploy.
SANCTIONED = {
    "CU", "IR", "KP", "SY",   # comprehensive embargoes
    "RU", "BY",               # broad programme-based sanctions; blocking is a policy choice
}
SANCTIONED_REGIONS = {  # ISO-2 + region name; normalise region_name to the API's spelling first
    ("UA", "Crimea"), ("UA", "Donetsk"), ("UA", "Luhansk"),
    ("UA", "Kherson"), ("UA", "Zaporizhzhia"),
}


def sanctions_pre_filter(geo: dict) -> tuple[str, str | None]:
    """Return (disposition, reason) from IP-layer signals only.

    Uses .get() throughout: a missing field must degrade to PASS/REVIEW,
    not raise inside the authorisation path.
    """
    country = geo.get("country_code")
    if country in SANCTIONED:
        return ("HARD_BLOCK", f"sanctioned_country:{country}")
    region = (country, geo.get("region_name", ""))
    if region in SANCTIONED_REGIONS:
        return ("HARD_BLOCK", f"sanctioned_region:{region[1]}")
    if geo.get("is_tor") or (geo.get("is_vpn") and geo.get("is_hosting")):
        return ("MANUAL_REVIEW", "anonymizer_or_datacenter_vpn")
    return ("PASS", None)
```
The IP-layer pre-filter does not replace name screening: every applicant is still screened against the consolidated lists, whatever the IP says. What it adds is a jurisdiction signal that hard-stops traffic from embargoed geographies before any card-network call, and a cheap corroborating field for the analyst queue: a name hit on a common Slavic surname clears faster when IP, address and ID document all agree on an unsanctioned jurisdiction, and escalates when they do not.
3. Payment fraud: per-transaction risk score at authorisation
```javascript
// /api/payment/authorize.js — fragment inside the authorisation handler;
// `ip`, `card` (BIN-derived country) and `audit` come from the surrounding handler.
const HIGH_FRAUD_GEOS = process.env.HIGH_FRAUD_GEOS?.split(',') ?? []; // your own list, from chargeback history

async function ipgeoLookup(ip) {
  const res = await fetch(`https://api.ipgeo.10b.app/v1/lookup/${encodeURIComponent(ip)}`, {
    headers: { Authorization: `Bearer ${process.env.IPGEO_KEY}` },
    signal: AbortSignal.timeout(300), // stay well inside the PSP's end-to-end budget
  });
  if (!res.ok) throw new Error(`ipgeo lookup failed: ${res.status}`);
  return res.json();
}

const geo = await ipgeoLookup(ip);
let risk = geo.risk_score; // 0-100, server-side
if (geo.country_code !== card.country) risk += 20;       // IP country vs BIN country
if (geo.is_vpn || geo.is_proxy || geo.is_tor) risk += 25;
if (geo.is_hosting) risk += 15;
if (HIGH_FRAUD_GEOS.includes(geo.country_code)) risk += 10;
risk = Math.min(risk, 100); // keep the 0-100 scale that downstream stages extend
const action =
  risk > 80 ? 'block' :
  risk > 60 ? '3ds_step_up' :
  risk > 40 ? 'review' : 'allow';
await audit.write({
  ip, geo_country: geo.country_code, asn: geo.asn,
  risk, action, ts: Date.now()
});
```
Why this composes: IP signals are cheap (≤40 ms, ~€0,0001/lookup) and produce a numeric risk score that down-stream signals can extend (3DS challenge, device fingerprint, behavioural analytics) without re-doing the lookup.
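The additive score above is cheap to compute but its thresholds decide how many legitimate cardholders get blocked, so a fraud team normally replays a candidate policy over labelled history before enabling the `block` action. The following is an added example, not code from the page or from IP Geo API, that runs the same additive rule in shadow mode over a constructed set of six authorisations labelled with their chargeback outcome and reports what each threshold set would have caught, missed and wrongly blocked. The `HIGH_FRAUD_GEOS` list and the sample records are assumptions for illustration.

```javascript
// Added example (not from the page): shadow-mode evaluation of the IP-risk policy against
// labelled authorisation history, so thresholds are tuned on chargeback outcomes before
// 'block' is switched on. HISTORY is constructed; real data comes from your audit table.

const HIGH_FRAUD_GEOS = ['NG', 'GH']; // assumed illustrative list; derive yours from chargeback history

// Constructed history: geo fields as the lookup returns them, the BIN country, and
// whether the transaction later charged back.
const HISTORY = [
  { id: 't1', geo: { country_code: 'DE', is_vpn: false, is_proxy: false, is_tor: false, is_hosting: false, risk_score: 5 },  card_country: 'DE', chargeback: false },
  { id: 't2', geo: { country_code: 'US', is_vpn: true,  is_proxy: false, is_tor: false, is_hosting: false, risk_score: 40 }, card_country: 'DE', chargeback: true  },
  { id: 't3', geo: { country_code: 'NL', is_vpn: false, is_proxy: false, is_tor: false, is_hosting: true,  risk_score: 30 }, card_country: 'NL', chargeback: true  },
  { id: 't4', geo: { country_code: 'FR', is_vpn: false, is_proxy: false, is_tor: false, is_hosting: false, risk_score: 10 }, card_country: 'DE', chargeback: false },
  { id: 't5', geo: { country_code: 'DE', is_vpn: false, is_proxy: false, is_tor: true,  is_hosting: false, risk_score: 70 }, card_country: 'DE', chargeback: false },
  { id: 't6', geo: { country_code: 'NG', is_vpn: false, is_proxy: false, is_tor: false, is_hosting: false, risk_score: 55 }, card_country: 'NG', chargeback: true  },
];

// Same additive rule as the authorisation handler, clamped to the 0-100 scale.
function ipRisk(geo, cardCountry) {
  let risk = geo.risk_score;
  if (geo.country_code !== cardCountry) risk += 20;
  if (geo.is_vpn || geo.is_proxy || geo.is_tor) risk += 25;
  if (geo.is_hosting) risk += 15;
  if (HIGH_FRAUD_GEOS.includes(geo.country_code)) risk += 10;
  return Math.min(risk, 100);
}

function actionFor(risk, t) {
  return risk > t.block ? 'block'
       : risk > t.stepUp ? '3ds_step_up'
       : risk > t.review ? 'review' : 'allow';
}

// Replays the policy over history without acting on it. "flagged" means anything other
// than a clean allow; blockedLegit isolates the expensive failure mode (hard-blocking a
// good cardholder) from a mere 3DS challenge.
function evaluatePolicy(history, thresholds) {
  let caught = 0, missed = 0, falseFlags = 0, blockedLegit = 0;
  const decisions = [];
  for (const tx of history) {
    const risk = ipRisk(tx.geo, tx.card_country);
    const action = actionFor(risk, thresholds);
    const flagged = action !== 'allow';
    if (tx.chargeback && flagged) caught++;
    if (tx.chargeback && !flagged) missed++;
    if (!tx.chargeback && flagged) falseFlags++;
    if (!tx.chargeback && action === 'block') blockedLegit++;
    decisions.push({ id: tx.id, risk, action });
  }
  const flaggedTotal = caught + falseFlags;
  return {
    thresholds, decisions, caught, missed, falseFlags, blockedLegit,
    precision: flaggedTotal ? caught / flaggedTotal : 1,
    recall: (caught + missed) ? caught / (caught + missed) : 1,
  };
}

// Side-by-side summary for several candidate threshold sets.
function shadowCompare(history, candidates) {
  return candidates.map(t => {
    const r = evaluatePolicy(history, t);
    return { block: t.block, stepUp: t.stepUp, review: t.review,
             caught: r.caught, missed: r.missed, falseFlags: r.falseFlags,
             blockedLegit: r.blockedLegit, precision: r.precision, recall: r.recall };
  });
}

// Usage: the page's thresholds against a looser candidate.
const live = { block: 80, stepUp: 60, review: 40 };
const looser = { block: 90, stepUp: 70, review: 50 };
console.table(shadowCompare(HISTORY, [live, looser]));
```

On this constructed sample the page's thresholds catch all three chargebacks at the cost of one legitimate Tor user hard-blocked, while the looser set lets the hosting-ASN transaction through; which trade-off is right depends on your margin per transaction versus your chargeback cost, which is exactly the number the shadow run is there to put in front of you.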
Pricing math for a typical EU fintech
| Stage | Volume | Tier | Cost / month | Cost per check |
|---|---|---|---|---|
| Pre-launch / pilot | < 30 K checks/mo | Free | € 0 | € 0 |
| Seed / Series A | < 1 M checks/mo | Starter €29 | € 29 | € 0,00003–0,001 |
| Series B+ scale-up | < 10 M checks/mo | Business €99 | € 99 | € 0,00001–0,0001 |
| Late-stage / multi-product | > 10 M | Custom | on request | < € 0,00001 |
A single fintech merchant blocking just one € 60 chargeback per month through better IP-layer pre-filter recovers the entire Starter subscription — and chargebacks at € 60 are a conservative rounding-down.
Honest limits — what IP geolocation is not for in fintech
- It is not a sanctions decision in itself. Sanctions lists screen parties (persons + entities) by name and ID. IP-country is one signal among many; final decisions belong to the AML officer and the screening engine (LSEG World-Check, Dow Jones, ComplyAdvantage).
- It is not a substitute for KYC document verification. ID-document scans + selfie liveness + utility-bill PoR (or the eIDAS-aligned wallet at the EU level) remain mandatory for the regulated balance-sheet line.
- Mobile carrier-grade NAT (CG-NAT) blurs city resolution. For ~15-20% of mobile traffic in some EU countries (notably DE, IT), the IP resolves to the carrier hub, not the subscriber. Country and ASN are still reliable; city/postal-code are not.
- Privacy-first VPNs are increasingly hard to detect. Apple iCloud Private Relay and Google’s Privacy Proxy generate IPs that look residential but mask origin. We classify these separately as `is_relay` so you can decide policy per product line. Note that Private Relay egress preserves the user's country (Apple publishes its egress ranges), so a relay flag on its own is not a country-mismatch signal; for consumer products a step-up is the proportionate response, not a block.
IP geolocation’s job in a fintech stack is to cheaply route so the expensive signals (3DS, device, behavioural, document-vault, manual review) only activate for ambiguous cases — saving 60-80% of cost without giving up control.
Related use-cases
The fintech surface composes from these IP Geo API use-case patterns:
- Fraud detection — ../use-cases/fraud-detection/ — risk scoring, VPN/proxy/Tor flags, hosting-ASN classification, country-of-origin mismatch.
- Geoblocking & compliance — ../use-cases/geoblocking-compliance/ — sanctions pre-filter, OFAC + EU-restrictive-measures, region-level blocking.
- Bot / WAF security — ../use-cases/bot-security/ — credential-stuffing, account-takeover, signup-bot filtering at the IP layer.
- Visitor analytics — ../use-cases/visitor-analytics/ — cookieless attribution, funnel-by-country, conversion telemetry.
- Geo personalization — ../use-cases/geo-personalization/ — currency / language / payment-method selection by inferred country.
- Geo pricing — ../use-cases/geo-pricing/ — country-tiered subscription pricing, FX surcharge handling.
Compare IP Geo API to the providers fintechs evaluate
If you’re shortlisting vendors for a fintech RFP — typically driven by a procurement or compliance team — these head-to-heads cover the providers most often shortlisted in the IP-geolocation market:
- IP Geo API vs MaxMind — ../compare/maxmind/ — REST SaaS vs MMDB-download licensing, when the binary still wins, when EU-hosted SaaS wins.
- IP Geo API vs ipinfo.io — ../compare/ipinfo-io/ — EU residency, EUR billing, threat fields included vs add-on.
- IP Geo API vs ipstack — ../compare/ipstack-com/ — HTTPS-on-free, EU hosting, Security Module bundling.
- IP Geo API vs ipapi.co — ../compare/ipapi-co/ — bundled-everything pricing, attribution-backlink obligations.
- IP Geo API vs ipgeolocation.io — ../compare/ipgeolocation-io/ — separately-priced Security API SKU vs bundled threat block, USD vs EUR billing.
- IP Geo API vs IP2Location — ../compare/ip2location-com/ — REST-only managed API vs annual BIN/CSV/MMDB licensing, IP2Proxy bundling cost.
- IP Geo API vs DB-IP — ../compare/db-ip-com/ — attribution-free free tier, EU-edges-only, bundled threat detection.
Read also — narrative deep-dives
Seven 2026-dated comparison articles with code-level migration sketches and pricing math at 100K / 1M / 10M req/mo:
- IP Geo API vs ipinfo.io in 2026: When the EU Alternative Wins (and When It Doesn’t) →
- IP Geo API vs MaxMind in 2026: SaaS vs DB Download — Which Stack Wins? →
- IP Geo API vs ipstack in 2026: HTTPS-on-Free, EU Hosting, and the Security Module Question →
- IP Geo API vs ipapi.co in 2026: Free-Tier Generosity vs Predictable Latency →
- IP Geo API vs ipgeolocation.io in 2026: Bundled Endpoints, Bundled Threat-Detection, and the EU-Residency Question →
- IP Geo API vs IP2Location in 2026: REST-First vs Database-Download — Which Model Wins for Your Stack? →
- IP Geo API vs DB-IP in 2026: REST-First vs DB-Download — Which EU Vendor Wins for Your Stack? →
Migration walkthroughs — drop-in code-level guides
Already on an incumbent? These step-by-step migration guides ship with field-by-field maps, code diffs, shadow-mode validation, and rollback notes:
- Migrate from MaxMind GeoIP2 to IP Geo API (2026) → — drop the weekly `.mmdb` sync, swap to a REST call with the same field shape.
- Migrate from ipinfo.io to IP Geo API (2026) → — `loc`-string parsing, `org` ASN+name regex split, `Authorization`-header edge-stripping.
- Migrate from ipstack to IP Geo API (2026) → — HTTP→HTTPS scheme flip, `security.*` empty-vs-populated branch behaviour.
- Migrate from ipapi.co to IP Geo API (2026) → — per-day rate-limit fragmentation, attribution-backlink scrub.
- Migrate from ipgeolocation.io to IP Geo API (2026) → — Security API SKU consolidation, `apiKey`-in-URL log-leak hardening.
- Migrate from IP2Location to IP Geo API (2026) → — BIN/CSV/MMDB-download decommission, IP2Proxy SKU consolidation, USD-annual-to-EUR-monthly billing migration.
- Migrate from DB-IP to IP Geo API (2026) → — MMDB/CSV-download decommission, CC-BY-4.0 attribution-backlink scrub, `countryCode3` ISO-3 vs ISO-2 gotchas.
Industry deep-dives
Other vertical-specific surfaces using the same IP Geo API primitives:
- Ad-tech — RTB enrichment, IVT/SIVT filtering, click fraud → — sub-40 ms bid-enrichment, datacenter ASN blocking, IAB-TCF v2.2 vendor-list readiness.
- iGaming — Licence-jurisdiction enforcement, anti-circumvention, self-exclusion → — hard-fail-closed posture for MGA/UKGC/KSA/DGOJ/ANJ/ADM/DAS, residential-proxy ASN block-list, GamStop/CRUKS/ROFUS/Spelpaus/OASIS register routing by IP-country.
- SaaS monetization — geo-pricing (PPP), VAT/GST tax routing, trial-abuse defence, OFAC/BIS gates → — PPP-adjusted tiering, EU OSS/IOSS + UK/AU/SG/IN GST + US Wayfair nexus, residential-proxy ASN block-list for card-testing defence, OFAC SDN + EU CFSP + BIS Entity-List feature-gates.
- Streaming media — geo-licensing enforcement, anti-circumvention, CDN POP steering, SSAI ad-insertion → — per-territory licensing with HTTP 451 hard-fail-closed at manifest stitch + per-event sports blackout via Haversine GPS-distance, residential-proxy ASN block-list at session-init, CDN POP steering across AMS/FRA/LON/CDG/MIL/IAD/GRU + 3-tier adaptive-bitrate ladder, SSAI ad-insertion targeting with regionalised ad-pools and per-event blackout enforcement.
- E-commerce — EU OSS / UK VAT / US Wayfair tax routing, BIN-vs-IP carding, PPP-adjusted pricebook, fulfilment routing → — checkout-time tax-jurisdiction routing across EU OSS 27 destination-VAT + UK VAT 20% + US Wayfair 13-state nexus + CA per-province GST/HST + AU/SG/IN/BR/JP GST/ICMS/JCT with sanctions hard-stop on IR/KP/SY/CU/BY/RU/MM/VE, BIN-vs-IP carding + refund-fraud 6-factor weighted scoring with residential-proxy ASN block-list, PPP-adjusted 7-tier pricebook on first paint with VPN/proxy fall-back to BIN-billing-country, 9-warehouse fulfilment routing FRA/AMS/MAD/MIL/DOV/IAD/LAX/DEL/SIN with DDP/DDU duty pre-calc and lithium/aerosol/prescription destination-gates.
- Healthcare — Cross-Border Telehealth Licensing, HIPAA PHI/EPHI Access Geofencing, EU Patient-Data Residency w/ Schrems II Routing, Cross-Border Pharma + DEA Schedule Gating → — consult-init telehealth licensure match across US IMLC 41-state partial + CA/FL/NY/TX independent + EU MRPQ Directive 2005/36/EC + DE Bundesärztekammer + NL BIG + FR ONM + UK GMC w/ HTTP 451 hard-fail-closed on jurisdiction-mismatch + NO_RECIPROCITY hard-stop on IR/KP/SY/CU/BY/RU/MM/VE/AF/SO, HIPAA 45 CFR §164.308(a)(4) PHI/EPHI access geofencing w/ clinical-ASN allowlist Epic/Cerner/Allscripts/Mayo/MGH/Cleveland/Kaiser + residential-proxy ASN reject Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3 + home-office BAA-attested workstation allowlist + risk_score < 30 soft-allow, EU patient-data residency w/ GDPR Art. 9 special-category + EDPB Recommendations 01/2020 supplementary technical measures + Schrems II SCC flag for US-shard + routing to 6 EHR shards EU-FRA/EU-AMS/UK-LON/US-IAD/CA-YYZ/AU-SYD w/ VPN/proxy fall-back to EU-FRA highest protection, cross-border pharma + controlled-substance gating w/ DEA Schedules I-V + Ryan Haight Act §3 in-person-eval for telemed Rx + EU Falsified Medicines Directive 2011/62/EU originator-country audit + per-country bans for cannabis/CBD/psilocybin/MDMA/kratom.
- Travel & Hospitality — Geo-Rate Enforcement + Dynamic-Pricing per Booking Origin, OTA Carding + ATO Defence at Checkout, OFAC/EU CONSILIUM/UK OFSI Sanctions Screening + Luxury AML Thresholds, GDS Routing + EU OSS + DAC7 Reporting → — 8-tier booking-origin pricebook (T1 EU-Lux 1.00x → T8 Africa 0.75x) w/ VPN/proxy/Tor fall-back to T2_NA_LUX anti-arbitrage + SANCTIONS_HARDSTOP HTTP 451 on IR/KP/SY/CU/BY/RU/MM/VE/AF/SO at search-render + BIN-billing-country pin at checkout, OTA carding + ATO defence w/ corporate-travel-platform ASN allowlist (AS-CWT/Amex GBT/BCD/FCM/Egencia/Navan/Amadeus/Sabre) fast-lane + consumer-OTA reject on VPN/Tor/relay + residential-proxy ASN block (Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3, ~78% of OTA carding per Sift 2024) + 6-factor carding score threshold ≥70, OFAC + EU CONSILIUM + UK OFSI sanctions screening at booking-init w/ sanctioned-origin hard-stop + EU 6AMLD compelled-disclosure on VPN/proxy + US-Cuba 31 CFR §515 General License gate + luxury AML thresholds (yacht €10K, private jet €20K, villa €5K/night, heli €3K) + PEP screen + source-of-funds eval, GDS + inventory routing + EU OSS / DAC7 reporting (Amadeus EU/UK + Sabre US/CA + Travelport APAC + 27 EU-MS destination-VAT rates DE 19% → HU 27% + NO 25% + CH 8.1% + UK 20% + DAC7 Directive 2021/514 reportable-platform-operator evidence-log 5-year retention + Jan-31 lead-MS annual report).
- Online Education — Cross-Border Distance-Learning Licensure (SARA/ENIC-NARIC/QAA/TEQSA/AICTE), PPP-Adjusted Tuition Tiering, Exam-Proctoring Geo-Anchor (IELTS/TOEFL/GMAT/GRE/CFA/CPA/USMLE), FERPA + GDPR Art. 9 + Schrems II LMS Shard-Routing → — US SARA 49-state reciprocity + non-SARA CA/MA direct-auth + EU ENIC-NARIC 47 national centres + Bologna ECTS + UK QAA/OfS + AU TEQSA/CRICOS + IN AICTE/UGC w/ HTTP 451 hard-fail-closed on jurisdiction-mismatch + SANCTIONS_HARDSTOP on IR/KP/SY/CU/BY/RU/MM/VE/AF/SO at enrolment-init, 8-tier PPP tuition pricebook T1 high-income 1.00x → T5 low-income 0.15x w/ residential-proxy ASN block-list (Bright Data 212238/401116 + Oxylabs 396982/60068 + Smartproxy 62240/16276 + IPRoyal 35916/174 + Tier3 21859/32475) + VPN/proxy fall-back to T1 anti-arbitrage, exam-proctoring geo-anchor at session-init w/ IP-country MUST match ID-doc-country + residential-proxy ASN void exam + lifetime fraud-flag + datacenter ASN reject (AWS/GCP/Meta/CF/OVH/DO) + VPN/proxy/Tor → void per IELTS Online / TOEFL iBT Home / GMAT Online / GRE at Home / CFA / CPA / USMLE / PTE Home policy, 6-shard LMS routing EU-FRA/EU-AMS/UK-LON/US-IAD/CA-YYZ/AU-SYD w/ FERPA 34 CFR §99.31 + GDPR Art. 9 special-category + Schrems II SCC-required-flag for cross-border US-shard + Privacy Act 1988 APP 8 AU + PIPEDA CA + state-AG SOPIPA/SHIELD/SOPPA + EU_FRA highest-protection fallback on VPN/proxy.
- Telecom & MSISDN — IP-vs-IMSI MCC/MNC Residency + Roaming-Arbitrage Detection (GSMA BA.27/IR.34 IPX), A2P SMS Grey-Route + AIT Defence (GSMA WAS / AIB), SIM-Swap + STIR/SHAKEN + Carrier-OAuth Step-Up (FCC TRACED Act, GSMA Open Gateway / camara.org), EECC + CALEA + National-LI Jurisdiction Routing → — IP-vs-IMSI MCC/MNC residency check at session-init w/ ITU-T E.212 + 3GPP TS 23.122 lookup + GSMA roaming-partner ASN allowlist 15169/3320/3215/3209/12876/2856/5089/12389/5400/6453/174/209 + sanctioned-MCC hard-stop IR/KP/SY/CU/MM/IQ/SD/SO + residential-proxy/Tor at consumer-mobile attach impossible-topology reject + hosting-ASN M2M misclassification flag + SIM-clone suspect on IP-country ≠ IMSI-home AND ASN ∉ roaming-partner, A2P SMS grey-route + AIT detection at message-submission w/ hosting/VPN AIT-score boost + grey-route-destination cross-check BD/PK/NG/PH/ID/VN/EG/MA/DZ/TN/KE/TZ/UG/GH + premium-rate prefix flag (+359/+371/+254/+27/+91-1800) + sender-ID country-mismatch BR ANATEL CNPJ / IN TRAI DLT / DE BNetzA whitelist + Telesign/Twilio fraud-feed escalation, SIM-swap + STIR/SHAKEN + carrier-OAuth defence at auth-callback w/ VoIP-provider ASN allowlist Bandwidth/Telnyx/Voxbone/Zenlayer/inteliquent attestation downgrade A→C on country-mismatch + SIM-swap suspect on country-flip within 24h step-up KBA + eSIM hosting-ASN provisioning reject per GSMA SGP.32, EECC + CALEA + national-LI 10-shard jurisdiction routing (DE TKG §170, FR CPCE L.34-1, NL Tw 13.1, IT CCE Art. 96 quater, UK IPA 2016 Part 4, US CALEA 47 USC §1001-1010 + FCC E911 NextGen, CN MIIT + CAC Art. 37, IN DoT §5(2), BR ANATEL + LGPD, AU TCIA + TIA Act 1979) w/ VPN/proxy/Tor → EU-FRA highest-protection fallback + manual-LI-eval flag + 5G SUCI/SUPI privacy per 3GPP TS 33.501 mismatched-SUPI = potential IMSI-catcher Stingray detection signal.
- Cybersecurity Ops — SOC/SIEM enrichment, zero-trust IAM step-up, EDR/XDR C2 detection, NIS2 + DORA + SOC2 + ISO 27001 + CMMC audit routing → — Tor/VPN/residential-proxy/hosting-ASN classification at log-ingest, impossible-travel + ASN-flip step-up, C2-egress ASN discrimination, and per-jurisdiction incident-notification routing in a ≤40 ms EU-resident call.
Get started — fintech-friendly procurement
- Free tier: 1 000 lookups / day, no credit card. Useful for pilot integration in dev / sandbox.
- Starter €29/mo: 33 K lookups / day, all threat fields, EU residency.
- Business €99/mo: 500 K lookups / day, SLA-backed, priority queue, full risk-score + VPN/Tor.
- DPA + SCCs: one-page artifact, EU-only data flows, signed in 24 h.
Sign up at https://ipgeo.10b.app/pricing and start with a sandbox key today.
Get early access — 50% off for 12 months
First 100 signups lock in 50% off any paid plan for the first year. No credit card required — we’ll email you at launch.