This is a guest post by our good friend, lawyer and an academic researcher Elina Karpacheva, PhD. She is the founder of the European Compliance Center – an international network of compliance experts in the CEE region and the first NGO in Bulgaria specifically focused on corporate compliance. Elina is Bulgarian Editor in Chief of the Risk & Compliance Platform Europe.
We hope that you will enjoy it!
Historically, the attention of the payment service industry was focused on the frightening threat of cybersecurity fraud. However, the risks and consequent penalties for AML/KYC violations and deficiencies have been steadily growing. According to Reuters, since 2009, there have been over $342 billion in fines for money laundering offences. One such penalty has the potential to kill a FinTech startup. Hence, companies need to choose their KYC/AML solution provider wisely.
There are a lot of AML/KYC products in the market. Choosing the right one for your business is a complex undertaking. The goal of this article is to help you structure the vendor search process, formulate the right questions for the request for proposal (RFP) and advise you how to reduce compliance risks when outsourcing AML/CTF processes.
Risk assessment & process documentation
To begin with, it is crucial to perform a precise assessment of your business risk in terms of money laundering and terrorist financing. What are the characteristics of your product? What is the geographic location of your customers? Is your focus on people or corporate entities? Are you able to identify and verify customers online? Do you need a solution to help you with risk profiling and customer due diligence? Despite the unified regulation across Europe, access to data is very different in every country. Hence, you need clarity on these topics before starting your vendor search.
Second, you are responsible for the service providers you choose at all times. In the event of an investigation, regulators are looking for a proof that you diligently and with due care made effort to prevent money laundering/terrorist financing of occurring. Diligence starts with the selection of your AML/KYC provider. Carefully document your evaluation and decision process. The questions you need to answer are:
- Which criteria did you use to evaluate the vendor? The price is not a sufficient decision factor.
- How does it meet the needs of your business?
- Which other products and providers did you research in detail?
- Who recommended the service provider and what do you know about its business model and reputation?
Evaluation questions for potential vendors
You have selected a set of vendors that cover your business and risk needs. To assess their expertise and fit-for-purpose, ask the following questions:
- Data sources: Many of the modern FinTech startups are born-global companies. This increases their market size. In the same time, the complexity of the AML/KYC process rises with every new country and legislation. You need to understand if the potential providers have direct access to local business registers and their equivalents. This point grows more important when service includes disclosure and verification of the beneficial owner. Your vendor could additionally utilise databases by third-party providers. The sources in use for PEP and sanction screening are of particular importance for you.
- Supported languages: The language differences and particularly the alphabet in use provide additional difficulties for serving customers from various countries. Many small vendors only cover documents using the Latin alphabet. Some providers guarantee data extraction from documents in Cyrillic, Arabic or Chinese. The experience shows that you always need to ask for a demo.
- Third-party data sources: A lot of vendors integrate third-party software in their solutions. This helps them enhance their product and offer comprehensive solutions. However, an incomplete database can cause a lot of problems. It is accordingly very important to evaluate the data quality of the different sources. Ask for a list of the utilized databases. If the provider has developed its own, request information on the data sources.
- Data quality: The data sources are important. However, the way the vendor applies this information is equally important. Do they check bank accounts and further data sources in addition to the name of the potential customer during onboarding? Are they using fuzzy logic or matching algorithms during the database screening? How do they limit false positives? Are Adverse Media & Negative Press search part of the screening process? How often do they update their databases? Do they utilize biometrics, machine learning, enhance data manually or use a mix of these technologies?
- Data security: Security and data privacy concerns rise with personal data accumulation. To execute an AML/KYC check, the vendor must access customers’ personal data. GDPR welcomes you. Where does the provider store the data and for how long? Who has access to it and why?
- Audit trail: Your potential provider must regularly send you a detailed result or assessment reports. An audit trail is a must. In the case of a regulator’s investigation, this is the way to prove that you complied with the law.
- Vendor liability: Some providers focus on verification, authentication and due diligence. Others go further and offer you “suggestions” or “professional advice” whether you should onboard a potential customer. Especially for the second type of service providers, you need to understand to what extent the company assumes responsibility. Are they going to cover your loses if they have made a mistake? In practice, most providers reduce their liability as much as possible.
AML/KYC requirements are here to stay. The trend shows that they will only get tougher. Startups should use their resources smarter. Building immediately fully-fledged compliance department and dedicating staff to perform costly, manual compliance process might be not the most efficient way. AML/KYC providers help new companies automate authentication and due diligence processes and as well as reduce regulatory risk. However, you have to choose your provider wisely.