Every month we help companies go through the process of identifying the right KYB and AML vendors. We have seen many different tenders, and the same pattern comes up every time: teams know what they need operationally, but the process of discovering what to ask and how to ask it is where things fall apart.
Requirements get missed. Vendor lock-in questions never get raised. Nobody asks about false-positive reduction mechanisms until they are six months into implementation and drowning in alerts. Ongoing monitoring gets a single line item when it should be an entire section. Data residency comes up in legal review, three weeks after the shortlist was finalised.
We see it constantly. Most teams either start from scratch, copy a procurement template that was written for IT infrastructure, or inherit a spreadsheet from a colleague who ran a similar process three years ago.
This is our first stab at a unified toolkit to help. It will continue evolving, and we would genuinely welcome your input. If you have feedback or improvements you can recommend, email me directly: stuart@zenoo.com
91 requirements across 17 categories
We compiled this from real tender processes we have been involved in across financial services, professional services, and regulated industries. It is not theoretical. Every requirement in this template has come up in an actual vendor evaluation.
The template covers 17 categories:
| Category | Number of requirements | Key focus |
|---|---|---|
| Onboarding and workflows | 8 | No-code builders, workflow modes, white-labelling, branching, exception handling |
| KYC: individual verification | 6 | Database checks, document verification, biometrics, individual-to-business association |
| KYB: business and UBO | 8 | Entity verification, UBO identification, ownership visualisation, registry enrichment |
| Screening: sanctions, PEP and adverse media | 9 | Watchlist coverage, ongoing rescreening, false-positive reduction, matching logic |
| Case management | 8 | Unified case records, SLA queues, RfI templates, audit trails, role-based workflows |
| Duplicate management | 2 | Record deduplication and consolidation |
| Risk assessment and CRA | 6 | Risk scoring, client risk assessment frameworks |
| Enhanced due diligence | 5 | Deep-dive investigation workflows and documentation |
| Ongoing monitoring | 4 | Perpetual KYC, event-driven refresh, review scheduling |
| Document management | 3 | Storage, retrieval, compliance audit trails |
| Integration and API | 6 | REST APIs, CRM integration, data migration, webhooks, batch processing |
| Vendor flexibility | 4 | Vendor-agnostic architecture, marketplace model, bring-your-own credentials |
| AI and automation | 5 | Enrichment agents, false-positive reduction, risk model tuning, narrative generation |
| Reporting and analytics | 3 | Compliance dashboards, trend analysis, regulatory reporting |
| Security and privacy | 5 | Encryption, data residency, SOC 2, access controls |
| Implementation and support | 4 | Onboarding timeline, dedicated support, training |
| Commercial | 4 | Pricing model, contract terms, SLAs |
Each requirement has a priority level (Foundational, Must, Should, Nice to Have) and columns for vendors to fill in their response, readiness status, and supporting evidence.
How to use it
The template has three sheets: Requirements, How to Use, and Vendor Scoring.
| Step | Action | Key consideration |
|---|---|---|
| 1 | Download and review requirements | Adjust priority levels to match your organisation's risk profile and jurisdiction |
| 2 | Add or remove rows for sector-specific needs | Add rows for transaction monitoring, SAR workflows, or fraud detection where relevant; remove non-essential categories |
| 3 | Send Requirements sheet to shortlist vendors | Give two weeks for response. Speed of response indicates implementation capability |
| 4 | Score vendors using the Vendor Scoring sheet | Weighted scoring across all 17 categories allows apples-to-apples comparison |
What most teams miss
Based on the tenders we have been involved in, these are the requirements that get left out most often and cause the most problems downstream.
Vendor lock-in. Ask whether you can switch IDV or screening providers without rebuilding your workflows. If the answer involves six months of professional services, that is lock-in regardless of what the contract says. Ask specifically: "If we wanted to replace Provider X with Provider Y for sanctions screening, what would that involve and how long would it take?"
A Head of Compliance at a UK wealth manager told us: "We did not ask about provider switching in our original tender. Two years in, our screening provider's data quality in the Middle East dropped significantly. It took us nine months to switch because every workflow was hardcoded to their API. That is nine months of degraded screening on our highest-risk client segment."
False-positive economics. Do not just ask "do you reduce false positives?" Every vendor says yes. Ask for the mechanism. Auto-disposition with confidence scoring is fundamentally different from a threshold slider. One saves analyst time whilst maintaining compliance defensibility. The other hides risk.
Ongoing monitoring. Most RFPs focus heavily on onboarding and forget that perpetual KYC is where the real operational cost sits. AMLA now mandates specific review frequencies: annually for high-risk, every three years for medium, every five years for low. Ask about event-driven refresh, not just annual review schedules. Ask how the platform handles a situation where a low-risk customer's risk profile changes mid-cycle.
Data quality by jurisdiction. "200+ countries" means nothing if the data quality in your priority markets is poor. Ask for coverage rates and data sources per jurisdiction, not just a headline number. "We cover Nigeria" and "we have access to CAC registry data with 94% match rates in Nigeria" are very different statements.
Total cost of ownership. Platform fees are only part of the picture. Add screening provider costs, IDV costs per check, CRM licence implications, data migration, and training. Ask for a 5-year TCO breakdown, not just year one. The vendor that looks cheapest in year one is often the most expensive over five years once you factor in per-check costs at scale.
Download the template
Download the KYB/AML tender requirements template (.xlsx)
91 requirements. 17 categories. Three sheets: Requirements, How to Use, and Vendor Scoring.
Free to use. No sign-up required. Adapt it, share it, send it to every vendor on your shortlist.
If you want help filling it in, or if you want to see how Zenoo scores against it, get in touch. 30 minutes. Your requirements. No slides.
Key takeaways
- Most vendor evaluations fail because teams know what they need operationally but do not know how to ask for it. A structured 91-requirement template across 17 categories removes guesswork.
- Vendor lock-in is the most overlooked risk. Ask whether provider switching requires professional services and how long it would take, not just whether it is theoretically possible.
- False-positive reduction mechanisms matter far more than the headline claim. Confidence scoring with auto-disposition is operationally different from a threshold slider.
- Ongoing monitoring gets underestimated. Most RFPs focus on onboarding, but perpetual KYC is where sustained operational cost accumulates under AMLA review frequency mandates.
- Five-year total cost of ownership beats year-one platform fees. Add screening provider costs, per-check IDV charges, migration, and training to identify the true long-term expense.



