Checklist for Evaluating KYC Software
- Determine which risk you want to combat
This has to be the first step for any risk-based approach. Depending on the risk which you feel is most important, you will narrow down the search for a possible vendor. For example, if you want to minimize your involvement in money laundering, an OFAC filter will not help you significantly, as this list focuses on terrorism.
- Do your due diligence on the due diligence provider.
Research who is behind the company and what his/her expertise in the field of banking and compliance is. Remember, you are relying on his/her expertise. Any KYC product is only as good as the entries in the system.
- Question the marketing material and ask for specifics
Read the marketing material carefully. In 2002, the Associated Press stated that a vendor had "15 of the nineteen terrorist hijackers in its database prior to September 11". As we all know, statements that sound too good to be true usually are. Another vendor states in its material that its search combines information from over 400 million files/records. You might want to ask how many of these sources really relate to fraud or money laundering.
- Request transparency about the sources
"The secret to creativity is knowing how to hide your sources" (Albert Einstein) You need to know exactly what kinds of information is included in your product. At least, request a list of the databases for your own records. Just imagine, a regulator asks you about your KYC solution and you have to give him a vague statement about the coverage. A statement like, "our system monitors several thousand web pages" does not contain the information needed. The type of source - governmental sources, newspaper articles, or privately maintained newsgroups - determines the quality of the database, that's why you need to know.
- Ask for specifics on the number of entries
Another criterion to compare vendors is to look at the number of black-listed individuals/companies. For example, a package of OFAC, FBI, EU Terrorists, UN Terrorists, typically lists less than 50,000 names of unwanted customers. Obviously, the more names of terrorists, money launderers and fraudsters your solutions hosts, the less the risk of doing business with people that pursue those activities.
- Determine how often the database is being updated and verify this statement
You want to make sure that the database is updated on a frequent and regular basis. A gap of 48 hours between the change to the underlying source (e.g. FBI Most Wanted) and the vendor's database seems to be market standard and should be sufficient. You can test such a quality statement by looking for the latest change of the OFAC list and then verify when this name was added to the vendor's list.
- Request a demo
It is very common to receive a fully functional demo prior to the purchase. Test the system for usability, presentation and reliability. Ideally you have several demos at the same time and compare features and content.
- Check a prepared list of names
Prepare your own list of app. 50 known terrorists, money launderers, fraudsters and use it as a sample to test the products. This allows you to quickly identify strengths and weaknesses in the vendor's product.
When following these eight recommendations, your challenge of selecting the right solution for your KYC program becomes much easier. As a result, compliance will find a new position in your financial institution in which it becomes part of risk management on a total enterprise basis.
? Dirk Mohrmann
First published on BankersOnline.com 08/18/03
First published on 08/18/2003