How to choose an AML / KYC service provider (especially if your business has just started)?
According to Reuters, since 2009, regulators have sanctioned companies operating in the financial sector with more than $ 342 billion for their failures to prevent money laundering and terrorist financing. As such harsh sanctions may easily ruin the business of even a very promising Fintech company, many should consider to hire a KYC/AML provider. They, however, should do so wisely. There are many AML / KYC products on the market worldwide, making money laundering prevention a profitable industry. Choosing the right service provider for your business is a complex and responsible endeavour. The goal of this article is to help companies structure the vendor search process, formulate the right questions for the request for proposal and advise on how to reduce compliance risks when outsourcing AML/CTF processes.
Risk assessment and its proper documentation
To begin with, it is crucial to make an appropriate risk assessment of your business with regard to money laundering and terrorist financing, as well as with regard to international sanctions regimes. What are the features of your product? What is the geographical location of your customers? Do you focus on individuals or corporate entities? According to your business model – what solutions do you need? Do you only need to identify and verify the identity of your customers online? Or do you need a technological solution to help you further in risk profiling and comprehensive customer due diligence? Before you search for your vendor, you should think about those and similar questions.
Secondly, it is important to realise that the outsourcing of some compliance processes, does not leave you without responsibility over the functioning of your compliance program. In the event of an investigation, regulators are looking for a proof that you diligently and with due care made effort to prevent money laundering/terrorist financing of occurring. Diligence starts with the selection of your AML/KYC providers. Carefully document your evaluation and decision process. The questions you need to answer are:
- What criteria were used to evaluate the supplier? Price is not a sufficient factor for a decision.
- How does the product meet the needs of your business?
- Which other products and suppliers were considered?
- What is the reputation the provider and its business model? Was it recommended?
Evaluation questions for potential vendors
Once you select a set of vendors that meet the needs of your business, ask the following questions:
1. Data sources: The complexity of the anti-money laundering process increases with each new jurisdiction in which your company operates. You need to find out if potential providers have direct access to local business registers and their equivalents. This point becomes even more important when the service provided involves the discovery and verification of the beneficial owner.
2. Supported languages: Linguistic differences and especially different alphabets create many inaccuracies in customer verification and make it difficult to serve foreign customers. The ability to transliterate is very important in the KYC process. Many small suppliers work only in Latin, but what happens when onboarding customers with names in Cyrillic, Arabic or Chinese? Experience shows that you should always ask for a demonstration.
3. Databases developed by third parties: Many vendors integrate third-party databases into their solutions. This helps them improve their product and offer comprehensive solutions. However, an incomplete database can cause many problems. It is therefore very important to assess the quality of the sources offered by the service provider. Request a list of databases that the vendor uses. If the provider has developed its own, ask for more information about its sources and reliability. The sources in use for politically-exposed persons and sanction screening are of particular importance.
4. Data quality: Not only data sources are important. The way in which the provider applies / processes the collected information is equally important. Are bank accounts and other identification marks checked during onboarding in addition to the potential customer’s name? Is fuzzy logic or matching algorithms used during database screening? How false positives are limited? Is Adverse Media & Negative Press search part of the screening process? How often are databases updated? Do they utilise biometrics, machine learning, enhance data manually or use a mix of these technologies? Is it possible to configure the product according to the needs of your own business – for example, adding lists of names that have already been checked and do not pose a risk?
5. Data security: In order to perform AML / KYC verification, the provider must have access to customers’ personal data. The GDPR welcomes you. On which server does the provider store data and for how long? Who has access to it and for what reasons? What is your provider’s privacy policy?
6. Audit trail: It is very important that the vendor sends periodic detailed reports that enable documentation of results. Also, there should be a trace of their screening, which should be tracked electronically (the so-called audit trail). In the case of an inspection by the regulatory authorities, this is the way in which it is proven that the regulatory requirements have been met.
7. Liability of the service provider: The contractual liability of your vendor is extremely important. Read the terms of the service level agreement carefully, especially when it comes to general terms. When the respective vendor not only offers a certain automated service, but also provides “expert opinion” and “professional advice” on the acceptance of the client / transaction (customer onboarding)– you need to understand to what extent they would compensate for damages in case of an error in professional advice they have given. In practice, service providers limit their responsibility with detailed clauses.
KYC requirements are here to stay. The trend shows that they will become stricter. Every company must use its resources wisely. Building immediately fully-fledged compliance department and dedicating staff to perform costly, manual compliance process might be not the most efficient way. AML / KYC providers help new companies automate identification and due diligence processes and reduce regulatory risk. However, we must choose the service provider we trust wisely.
The author, Dr. Elina Karpacheva is the Chair of the European Compliance Centre based in Sofia, Bulgaria. She is also the Content Director of the Bulgarian website of the Risk & Compliance Platform Europe, see www.riskcompliance.bg