Maybe you just found out that your company is a target for money laundering, and regulators or your partners are pressuring you to get a compliance solution, fast. Or maybe you have an established compliance team, but your tools require a lot of manual overhead and produce too many false positives, and the alternatives you’ve seen would break your budget. Or maybe you’re part of a forward-thinking team and getting out ahead of a potential catastrophe.
Whatever your reason for seeking out a new compliance solution, the search can be daunting. The following steps will help you understand what to look for so you can find the right solution for you.
1. Determine your compliance type
The first thing to consider is which type of compliance solution you need. Traditional banks, fintechs, securities firms, marketplaces, and any other companies that process financial transactions are at risk for money laundering and need an anti-money laundering (AML) solution. This encompasses both transaction monitoring and customer screening, which includes Know Your Customer (KYC), identity verification, and sanctions list screening. Make sure the solutions you look at were purpose-built for the type of compliance you are addressing and aren’t just modules bolted onto a generic risk/fraud platform.
2. Consider how the solution is deployed
Once you’ve narrowed down the solutions to the specific type of compliance you need, start looking at the technology. Does the solution require that you install it on your premises, or does it run in a secure cloud environment?
An on-premises deployment is appropriate when an IT department wants to have total control over the solution and is prepared to perform all maintenance, patches, backups, and failover to ensure security and high availability. However, these types of deployments typically take many months to go into production. Furthermore, the IT staff will have to develop expertise in maintaining compliance software, and the overall cost of this approach is prohibitive for many companies.
If you want a fully secure solution without all the overhead, go with a cloud-based offering that uses one of the top providers, such as Amazon Web Services (AWS), as its environment. A big advantage of this approach is that cloud-based offerings can be deployed much more rapidly than on-premises solutions, which can be critical when you’re under regulatory scrutiny.
3. Evaluate the company’s AML compliance expertise
Compliance is a rapidly growing market, and many companies are pulling together solutions to get a piece of the action. But if they don’t have direct experience with regulatory compliance, it will be an uphill battle for them to build a solution that matches what you actually need. For example, one well-known vendor’s solution limits the suspicious activity “narrative” to 280 characters, the length of a tweet. When solutions are built by teams without compliance experience, they face tougher scrutiny from examiners and regulators, and their customers suffer.
Make sure the company’s leadership and advisory board include industry experts in regulatory compliance as well as data science and cloud-based engineering. While the underlying technology is important, if you see a website that focuses mostly on the vendor’s technology and not on the day-to-day problems it solves, chances are it is just a tech company that decided to jump into compliance and won’t provide you with the best solution.
4. Verify that it uses machine learning (correctly)
Historically, compliance solutions would return a very high rate of false positives, which meant that large teams of analysts would spend most of their time on tedious, unnecessary work. With the advent of machine learning, compliance solutions can now learn patterns and become smarter as analysts work, yielding much better results. If a solution doesn’t use machine learning effectively, it’s probably not worth considering since it could yield more manual work for your analysts and investigators.
However, many vendors claim to use machine learning but only have a rudimentary implementation that doesn’t actually add much value. Verify that the solution uses advanced machine learning that tracks and reduces false positives month-over-month and increases investigator efficiency with tools like smart case assignment and auto-generated SAR narratives. It should also surface useful recommendations and additional information within the case workflow, such as network analysis displaying potentially related parties and insight on how previous investigators managed similar cases. Lastly, ensure that the vendor has a team of trained data scientists who know how to leverage this emerging technology.
5. Look for a user interface that will maximize productivity
The power and ease of use of the application itself is crucial to the success of your compliance team. If the workflow is clunky or too simplistic, hard to use, doesn’t provide powerful case management, or slows down your analysts’ investigations, your team won’t benefit from using it. Every extra click adds up to lost productivity, so choose a solution that has a streamlined, intuitive, modern interface that will enhance your compliance team’s effectiveness and efficiency.
6. Ensure that it has automated regulatory reporting
When an analyst finds suspicious activity, they may have to complete a regulatory filing, such as a Suspicious Activity Report (SAR). FinCEN has made some improvements to the SAR form in recent years, but it’s still a challenge to fill out correctly and consistently, and the narrative is notoriously difficult to write. Typical problems include incompleteness as well as inconsistency from SAR to SAR within the same financial institution because different analysts write them. The filing process itself remains burdensome, too, even while regulatory scrutiny of SAR content has grown.
To maximize your team’s efficiency and the accuracy of your reports, choose a compliance solution that automatically generates and populates SAR content for you, including auto-generating narrative first drafts with correct wording and structure. Another essential feature is the capability to file the SAR directly with FinCEN, saving your team a lot of time and hassle while helping to ensure your reports adhere to FinCEN’s strict requirements.
7. Choose a vendor who treats you like a partner
When you’re choosing a compliance solution, the software is only one piece of the puzzle. A good vendor will maintain frequent interaction with their customers to make sure they’re succeeding and to get feedback. Unfortunately, many companies are perfectly happy if they never hear from you (except when it’s time to renew your contract).
Choose a vendor who is responsive and available, asks good questions and listens carefully to your needs, and treats you like a partner, not a problem. You should get a clear sense that these are people you really want to work with on an ongoing basis.
8. Make sure there’s room to grow
If you’re just starting out with compliance, don’t look at monolithic compliance platforms that will eat up your budget. Choose a vendor that offers a lower-cost solution for smaller compliance teams and has a clear path to grow with you. A lightweight solution might be perfect right now, but make sure you can seamlessly transition to a full enterprise solution when your business takes off.
For example, it should have a good set of rules right out of the box as well as the ability to build custom rules down the road. And it should allow you to pay less when your transaction volume is still low while enabling you to grow into unlimited transaction monitoring in the future.
9. Check their commitment to compliance
As mentioned earlier, many software companies want to get into the AML and compliance market. But when a large company offers a solution that’s tangential to their core business, you run the risk that they will focus their resources primarily on their main products, leaving you with a solution that doesn’t evolve. Similarly, if a smaller company doesn’t have the right backing or lacks industry and technical expertise, you run the risk that they’ll pivot in another direction. Make sure that regulatory compliance is in the DNA of the company’s leadership.
10. Review their security policies
You will process highly sensitive data with your compliance solution, and if you have European customers, you must be able to comply with the GDPR. California recently enacted similar protections for consumer data. Your compliance vendor must adhere to the strictest security standards and should have a detailed information security policy that describes how they protect your customers’ data. They should also have a mature business continuity and disaster recovery plan, so that in the event they experience a data breach or natural disaster, your business won’t be disrupted.
Ask to see the vendor’s security policies, penetration testing schedule, and backup and failover strategy (including how often they test the backups), and ask whether they are SOC 2 compliant. Ask for verified proof that vendors meet these obligations. For example, some vendors claim SOC 2 compliance when they merely use SOC 2-compliant cloud providers. That’s simply not good enough for your critical customer data.
Choosing the right compliance solution for your company is a crucial task that will have a major impact on the success of your compliance program and your company as a whole. By following the steps above, you can avoid some of the most common pitfalls and will find the best solution to meet your regulatory obligations and maximize your compliance team’s productivity.