By Stuart Watkins, CEO, Zenoo
Every month we help companies go through the process of identifying the right KYB and AML vendors. We have seen many different tenders, and the same pattern comes up every time: teams know what they need operationally, but the process of discovering what to ask and how to ask it is where things fall apart.
Requirements get missed. Vendor lock-in questions never get raised. Nobody asks about false-positive reduction mechanisms until they are six months into implementation and drowning in alerts. Ongoing monitoring gets a single line item when it should be an entire section. Data residency comes up in legal review, three weeks after the shortlist was finalised.
We see it constantly. Most teams either start from scratch, copy a procurement template that was written for IT infrastructure, or inherit a spreadsheet from a colleague who ran a similar process three years ago.
This is our first stab at a unified toolkit to help. It will continue evolving, and we would genuinely welcome your input. If you have feedback or improvements you can recommend, email me directly: stuart@zenoo.com
91 requirements across 17 categories
We compiled this from real tender processes we have been involved in across financial services, professional services, and regulated industries. It is not theoretical. Every requirement in this template has come up in an actual vendor evaluation.
The template covers 17 categories:
Onboarding and workflows (8 requirements). No-code workflow builders, outreach vs inreach modes, white-labelling, conditional branching, exception handling. The questions most teams forget: can you build different workflows for different risk tiers without engineering? Can the end customer upload documents directly, or does everything go through your team?
KYC: individual verification (6 requirements). Database checks, document verification, biometrics, individual-to-business association. The question most teams forget: how does the platform associate an individual verification with the business entity they represent?
KYB: business and UBO (8 requirements). Entity verification, UBO identification, ownership visualisation, registry enrichment, international coverage. The question most teams forget: how many layers of ownership does the platform trace by default, and what happens when a registry does not have digital records?
Screening: sanctions, PEP and adverse media (9 requirements). Watchlist coverage, ongoing rescreening, false-positive reduction, matching logic, data source transparency. The question most teams forget: what is the false-positive rate on your screening, and what mechanism do you use to reduce it? "AI-powered" is not an answer. Confidence scoring with auto-disposition thresholds is.
Case management (8 requirements). Unified case records, SLA queues, RfI templates, audit trails, role-based workflows, alerts inbox.
Duplicate management (2 requirements).
Risk assessment and CRA (6 requirements).
Enhanced due diligence (5 requirements).
Ongoing monitoring (4 requirements).
Document management (3 requirements).
Integration and API (6 requirements). REST APIs, CRM integration, data migration, webhooks, batch processing. The question most teams forget: can you migrate existing customer data and case history from our current provider, or do we start from scratch?
Vendor flexibility (4 requirements). Vendor-agnostic architecture, marketplace model, bring-your-own credentials, A/B testing of providers. This is the category that separates platforms from point solutions. If you cannot swap a screening provider without rebuilding your workflows, you have lock-in regardless of what the contract says.
AI and automation (5 requirements). Enrichment agents, false-positive reduction, risk model tuning, narrative generation.
Reporting and analytics (3 requirements).
Security and privacy (5 requirements).
Implementation and support (4 requirements).
Commercial (4 requirements).
Each requirement has a priority level (Foundational, Must, Should, Nice to Have) and columns for vendors to fill in their response, readiness status, and supporting evidence.
How to use it
The template has three sheets: Requirements, How to Use, and Vendor Scoring.
Step 1. Download the Excel file and review the requirements. Adjust the priority levels to match your organisation. A requirement that is "Must" for a multi-jurisdictional bank may be "Nice to Have" for a single-country payments firm.
Step 2. Add or remove rows for sector-specific needs. If you need transaction monitoring, SAR workflows, or fraud detection, add those categories. If you are a smaller firm that does not need batch processing, remove it.
Step 3. Send the Requirements sheet to each vendor on your shortlist. Ask them to complete the Vendor Response, Readiness, and Evidence columns. Give them two weeks. Any vendor that cannot respond to a structured requirements document in two weeks is telling you something about their implementation speed.
Step 4. Use the Vendor Scoring sheet to compare responses side by side. The scoring matrix has space for three vendors with weighted scoring across all 17 categories.
What most teams miss
Based on the tenders we have been involved in, these are the requirements that get left out most often and cause the most problems downstream.
Vendor lock-in. Ask whether you can switch IDV or screening providers without rebuilding your workflows. If the answer involves six months of professional services, that is lock-in regardless of what the contract says. Ask specifically: "If we wanted to replace Provider X with Provider Y for sanctions screening, what would that involve and how long would it take?"
A Head of Compliance at a UK wealth manager told us: "We did not ask about provider switching in our original tender. Two years in, our screening provider's data quality in the Middle East dropped significantly. It took us nine months to switch because every workflow was hardcoded to their API. That is nine months of degraded screening on our highest-risk client segment."
False-positive economics. Do not just ask "do you reduce false positives?" Every vendor says yes. Ask for the mechanism. Auto-disposition with confidence scoring is fundamentally different from a threshold slider. One saves analyst time while maintaining compliance defensibility. The other hides risk.
Ongoing monitoring. Most RFPs focus heavily on onboarding and forget that perpetual KYC is where the real operational cost sits. AMLA now mandates specific review frequencies: annually for high-risk, every three years for medium, every five years for low. Ask about event-driven refresh, not just annual review schedules. Ask how the platform handles a situation where a low-risk customer's risk profile changes mid-cycle.
Data quality by jurisdiction. "200+ countries" means nothing if the data quality in your priority markets is poor. Ask for coverage rates and data sources per jurisdiction, not just a headline number. "We cover Nigeria" and "we have access to CAC registry data with 94% match rates in Nigeria" are very different statements.
Total cost of ownership. Platform fees are only part of the picture. Add screening provider costs, IDV costs per check, CRM licence implications, data migration, and training. Ask for a 5-year TCO breakdown, not just year one. The vendor that looks cheapest in year one is often the most expensive over five years once you factor in per-check costs at scale.
Download the template
Download the KYB/AML tender requirements template (.xlsx)
91 requirements. 17 categories. Three sheets: Requirements, How to Use, and Vendor Scoring.
Free to use. No sign-up required. Adapt it, share it, send it to every vendor on your shortlist.
If you want help filling it in, or if you want to see how Zenoo scores against it, get in touch. 30 minutes. Your requirements. No slides.




