Choosing AML Software Vendors

How to choose an AML software vendor

From designated non-financial businesses and professionals (DNFBPs) to virtual asset service providers (VASPs), the breadth of firms subject to anti-money laundering (AML) regulations is greater than ever. Moreover, the regulations themselves – and the criminal activities they’re designed to detect and prevent – are more complex. As a result, AML software vendors have become an essential part of the compliance function in most financial institutions. Improvements in regulatory technology (Regtech) also mean the benefits of partnering with an effective vendor are higher.

However, not all AML software vendors are created equal. So how do firms decide who to partner with? 

A good question to start is: Why do we want to partner with a vendor in the first place? Compliance teams should complete a build vs. buy evaluation to answer this and define the objectives of partnering with a regtech firm. Before building in-house, firms need to consider:

• Are we seeking a unique solution that isn’t currently available in the market?
• Do we have the right resources to maintain and improve the solution over time? Factoring this in, will we still see an acceptable ROI on the initial investment?
• How easily will the solution integrate with current workflows and tools? 
• Where will the AML data required for effective onboarding and transaction screening come from?
• Will the solution be able to scale effectively with business growth?
• Do internal stakeholders have sufficient knowledge to ensure the tool meets regulatory requirements? 

This process should clarify the scope of the request for approval (RFP) process and ensure that important considerations related to integration, scalability, and the scope of relevant regulations have been fully assessed. 

AML software vendors: compliance requirements

AML software vendors must meet the fundamental needs of a firm’s AML program, considering their customer base, area(s) of operation, and internal capabilities. From a regulatory perspective, an AML program should feature several essential risk-based controls, including customer due diligence (CDD), transaction monitoring, sanctions lists, PEP screening, and adverse media monitoring. The diagram below shows the full scope of activities firms need to consider across the onboarding and relationship development process through to growth or closure. 

 In addition to those fundamentals, compliance teams need to consider:

• Data coverage: An AML software solution should capture the spectrum of customer and transaction data that a firm needs to fulfil its regulatory responsibilities. 
• Speed of updates: As customer data evolves, AML software solutions should be capable of updating rapidly to reflect new risk levels.
• Matching algorithms: Search algorithms should be able to identify and assess risks effectively when a match is found during the AML process. The name transliteration process, for example, should consider language differences, spelling variations, misspellings, aliases, and so on.
• Proactive monitoring: When a customer’s risk profile changes, AML software should alert the compliance team quickly and efficiently, with minimal need for manual checks. 

AML software vendors should help reduce false positives

False positive AML alerts represent a significant time and efficiency drain for every financial institution. However, the right AML software vendor can help firms reduce false positive rates. Certain features of an AML software solution are specifically useful in this regard:

• Risk-based: Ideally, AML software solutions should be configurable to the risk profiles of customers, transactions, and industrial sectors, so that firms can deliver a more specific, focused, and accurate AML response depending on context. 
• Profile-based: Software that incorporates profile-based screening can reflect the risk profiles presented by individual customers. Profile-based screening allows firms to apply simplified AML measures to lower-risk customers while subjecting higher-risk customers to enhanced scrutiny. 
• Usability: AML software solutions should be user-friendly and accessible so compliance teams can address alerts quickly without consulting IT teams.
• Sensitivity: Compliance teams should be able to tailor the sensitivity of their AML software to screen only for relevant data attributes, ignoring variables that do not pose a risk to the firm’s AML compliance responsibility.  
• Whitelisting: Software solutions that integrate whitelists of approved customer names may be able to remediate false positive alerts more quickly.

Implementation as easy as A-P-I

Firms should assess the potential of an AML software vendor’s representational state transfer (REST) application programming interface (API) to enhance their existing AML infrastructure:

• API integration: A REST API should allow seamless sync with existing AML systems, such as case management and customer records. 
• Availability: The API must make the necessary AML data available to compliance employees in an accurate and timely manner so that essential information, such as monitoring alerts, is addressed effectively.
• Security and capacity: The API must meet industry-level security standards while also being able to handle the capacity and speed requirements of a firm’s AML search volumes.

The continued importance of human expertise

The AML software vendor a firm implements should complement the skills and expertise of internal compliance staff. However powerful or innovative a solution is, its effectiveness will depend on how it supports the compliance team and advances its compliance objectives. 

Practically, this means assessing the strengths and weaknesses of the AML program and the teams that use it. Similarly, a firm’s leadership must have the AML experience and expertise to build an effective compliance program and select the best technology. This may require compliance teams to provide appropriate training and coaching. 

Deploying compliance solutions from AML software vendors 

Firms must consider how their AML software solution will be deployed within their existing business infrastructure. Some software deployments will require on-premises installation, while others may be able to run off-premises in the cloud. 

While there is no one-size-fits-all solution, both types of deployment have benefits and drawbacks: 

On-premises software deployments: While software solutions deployed on-premises offer a greater degree of control over compliance infrastructure, that control ultimately means more regulatory exposure for firms. On-premises solutions also entail higher professional service costs, extended implementation periods and may require an IT department capable of performing all necessary maintenance, updates, back-ups, and security processes. 

Cloud software deployments: Cloud software solutions offer firms less direct control of their AML infrastructure and reduce regulatory exposure by handling maintenance and security needs as part of their service offering. Cloud solutions also provide flexibility when firms need to scale their AML program up and down and can be deployed rapidly compared to on-premises solutions.

The importance of strong security 

AML requires firms to collect and store a range of sensitive customer information. Accordingly, a firm’s AML software vendor must offer a suitable level of protection from cyber threats and comply with jurisdictional privacy regulations such as the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act.  

Similarly, the solution should help firms achieve ISO27001 certification. The globally-recognized information security management standard, ISO27001 certification, involves technological and physical security controls. The protection your AML software confers will constitute a significant part of the accreditation process.

With this in mind, firms should ensure they have reviewed, and are comfortable with, their software vendor’s security policies. Vendors should also have disaster recovery and business continuity strategies to ensure that unforeseen circumstances do not disrupt services and compliance responsibilities.

Evaluating and implementing AI 

Tools that leverage artificial intelligence (AI) – including machine learning, deep learning, and natural language processing – can significantly enhance a firm’s AML compliance performance. In our State of Financial Crime 2023 survey, 99 percent of senior compliance professionals said they expect AI to positively impact financial crime risk detection. They anticipate specific gains in transaction monitoring. When asked which transaction monitoring use case AI could best help them with, firms overwhelmingly identified three:

• Alert Prioritization – 31 percent of respondents expected AI to help rank transaction alerts by risk. This enables transaction monitoring teams to catch more risky activity and do it faster.
• Flexible Tuning – 26 percent thought they’d use AI to improve their alert system – helping to adjust thresholds and fine-tune alerts responsively.
• Relationship Identification – 24 percent anticipated artificial intelligence would uncover new relationships between monitored entities and individuals. 

As the survey shows, alert prioritization is the top use case firms focus on. Returning to the issue of false positives, with the volume of data available to financial institutions today, AI is a crucial way of ensuring firms can scale effectively while continuing to identify true positive AML alerts more effectively – see the diagram below.