How to Choose an AML Solution: Evaluation Criteria and Checklist
AML solution evaluation guide: 12 essential criteria, selection checklist and scoring framework for businesses choosing anti-money laundering software.

Choosing an AML (Anti-Money Laundering) solution means evaluating platforms for combating money laundering and terrorist financing (AML/CTF) by their ability to detect suspicious transactions, screen sanctions lists, deliver transaction monitoring and produce regulatory declarations. The FCA imposed over £176 million in fines in 2024 for AML/CTF failings, a record that reflects a structural tightening of enforcement, not a one-off spike.
This growing severity places compliance officers before a high-stakes choice: the AML solution selected determines the business's ability to detect, report and demonstrate due diligence for 5 to 10 years. This guide provides a structured evaluation framework: 12 weighted criteria, 30 questions to ask vendors, a scoring grid and a 5-step selection methodology. For a broader view of document compliance, see our document compliance guide.
Why a dedicated AML solution has become essential
Regulatory pressure is accelerating
The European anti-money laundering framework is undergoing a major transformation between 2024 and 2027. The AMLD6 directive (6th Anti-Money Laundering Directive), adopted in 2024, introduces three fundamental changes:
- Creation of AMLA (Anti-Money Laundering Authority): the new European supervisory authority, based in Frankfurt, will directly supervise the 40 highest-risk financial entities from 2028 and set technical standards for all obliged entities.
- Expanded scope: estate agents, luxury goods dealers, professional football clubs and crypto platforms now fall within AML/CTF obligations.
- Harmonised rules: the AMLR regulation (Anti-Money Laundering Regulation), directly applicable in all Member States, replaces national transposition and eliminates interpretation divergences.
In the UK, the MLR 2017 (Money Laundering Regulations) as amended, combined with the Economic Crime and Corporate Transparency Act 2023, impose similarly stringent requirements on regulated entities.
The limits of manual and artisanal approaches
Businesses managing AML compliance with Excel spreadsheets, manual processes or modules built into their ERP reach an operational ceiling. Three symptoms signal this:
- False positive rate above 90% on sanctions list screening. This is the average observed by the Wolfsberg Group on simple rule-based systems. Each alert requires 15 to 30 minutes of manual processing.
- Inability to detect complex schemes: money laundering through structuring (smurfing), cascading shell companies and arrangements using crypto assets evade controls based on fixed thresholds.
- Non-compliant reporting: the NCA (National Crime Agency) requires structured, timestamped and traceable SARs (Suspicious Activity Reports). A manual process guarantees neither the completeness nor the traceability demanded during an FCA inspection.
The 12 essential criteria for an AML solution
Each criterion is scored on a scale of 1 to 5 and weighted according to its impact on compliance and operational efficiency.
Criterion 1: sanctions and PEP list screening (weighting: 15%)
Screening is the foundation of any AML solution. It compares clients and counterparties against international sanctions lists (EU, OFAC, UN, HM Treasury) and politically exposed persons databases.
What to evaluate:
- Number of lists covered (minimum: 1,500 lists, 200+ jurisdictions)
- Update frequency (standard: daily; optimal: real-time)
- Fuzzy matching algorithm (handles spelling variants, transliterations, aliases)
- False positive rate (benchmark: <5% after calibration)
- Documented and auditable whitelisting capability
Score 5/5: exhaustive coverage, real-time updates, advanced fuzzy matching with relevance scoring, false positives <3% after calibration.
Criterion 2: transaction monitoring (weighting: 15%)
Transaction monitoring analyses financial flows to detect suspicious operations. This is the criterion that most differentiates solutions from one another.
What to evaluate:
- Number of preconfigured detection scenarios (minimum: 50 standard scenarios)
- Ability to create custom scenarios (visual rule editor vs bespoke development)
- Complex pattern detection (structuring, layering, round-tripping)
- Processing speed (real-time analysis vs daily batch)
- Detection rate against published FATF/NCA typologies
Score 5/5: 100+ preconfigured scenarios, no-code rule editor, real-time detection, coverage of FATF and NCA typologies.
Criterion 3: alert management and investigation workflow (weighting: 12%)
A solution that generates alerts without providing a structured investigation workflow creates more problems than it solves. The alert volume in a mid-sized bank reaches 200 to 500 per day; without an effective triage tool, analysts drown.
What to evaluate:
- Automatic alert scoring and prioritisation
- Investigation interface with consolidated view (client, transactions, documents, history)
- Configurable workflow (escalation levels, deadlines, automatic assignment)
- Audit trail for each decision (who processed, what decision, on what date)
- Expected productivity: number of alerts processed per analyst per day (benchmark: 40-60)
Criterion 4: regulatory coverage and reporting (weighting: 12%)
The solution must produce the declarations and reports required by regulators without manual reworking.
What to evaluate:
- Automatic generation of SARs (NCA format in the UK, Tracfin/ERMES format in France)
- Periodic regulatory reporting (FCA annual financial crime return, MLR compliance reports)
- Multi-jurisdictional coverage (SARs for the UK, STRs for FATF countries)
- Register of suspicious operations not reported (archive with justification)
- Adaptability to regulatory changes (update delay after publication of new legislation)
Criterion 5: client risk assessment (weighting: 10%)
The Risk-Based Approach (RBA) is at the heart of AMLD6 and the MLR 2017. The solution must enable client classification by risk level and adapt due diligence accordingly.
What to evaluate:
- Configurable risk scoring model (client, geographic, product and channel factors)
- Number of risk levels (minimum: 3 (low, medium, high); optimal: 5 levels with granularity)
- Automatic reclassification based on events (suspicious transaction, country change, sanctions list addition)
- Methodology documentation (required by the FCA during inspections)
Criterion 6: customer due diligence (weighting: 8%)
Beyond initial KYC, the AML solution must manage due diligence levels: simplified (SDD), standard (CDD) and enhanced (EDD).
What to evaluate:
- Automated document collection according to risk level
- Beneficial ownership (UBO) verification with 15% threshold (AMLD6)
- Management of complex structures (ownership chains, trusts, foundations)
- Automated periodic review (triggered by risk level and relationship age)
Criterion 7: artificial intelligence and machine learning (weighting: 8%)
AI in AML is no longer marketing. Regulators (EBA, FCA) explicitly encourage its use to reduce false positives and detect new laundering patterns.
What to evaluate:
- Types of models used (supervised, unsupervised, graph neural networks)
- Decision explainability (regulatory obligation: each alert must be justifiable)
- Ability to learn from your data (pre-trained model vs fine-tuning)
- Measured false positive reduction (benchmark: 40 to 70% reduction vs simple rules)
- Anomaly detection without predefined scenarios (essential for new typologies)
Criterion 8: technical integration and API (weighting: 7%)
The AML solution must integrate into an existing ecosystem: core banking, CRM, payment systems, document management tools.
What to evaluate:
- Documented REST API with versioning
- Native connectors (SWIFT, SEPA, major core banking systems)
- Processing capacity (transactions per second)
- Average integration time (benchmark: 8 to 16 weeks)
- Standard data format support (ISO 20022, XML, JSON)
Criterion 9: data management and privacy (weighting: 5%)
AML data is among the most sensitive in the business. Its processing is governed by GDPR and sector-specific regulations.
What to evaluate:
- Data location (EU hosting mandatory for European residents' data)
- Encryption at rest and in transit (AES-256 minimum)
- Retention period management (5 years after the end of the business relationship under UK MLR 2017)
- Right to erasure vs retention obligation (managing the tension between GDPR Art. 17 and MLR requirements)
- Security certification (ISO 27001, SOC 2 Type II)
Criterion 10: scalability (weighting: 3%)
The solution must accommodate business growth without performance degradation or disproportionate cost increase.
What to evaluate:
- Cloud-native vs on-premise architecture (impact on scalability)
- Marginal cost per transaction at growing volume
- Multi-entity capability (managing multiple subsidiaries, brands, jurisdictions)
- Documented performance at different volume scales
Criterion 11: support and guidance (weighting: 3%)
Support goes beyond technical matters. An AML vendor must provide continuous regulatory guidance.
What to evaluate:
- Support availability (24/7, business hours, weekdays only)
- Support language (local language essential for regulator interactions)
- Regulatory watch included (alerts on changes, scenario updates)
- Dedicated Customer Success Manager (from what billing threshold)
Criterion 12: total cost of ownership (weighting: 2%)
The TCO of an AML solution far exceeds the licence cost. See our article on AML compliance software for accountants for a detailed pricing benchmark.
What to evaluate:
- Pricing structure (per transaction, per user, annual flat rate)
- Integration and initial setup costs
- Maintenance and update costs (included or charged as extras)
- Training costs (initial and ongoing)
- Exit costs (data migration, contractual reversibility)
Selection checklist: 30 questions to ask vendors
Features and detection (10 questions)
- How many sanctions and PEP lists do you cover, and what is the update frequency?
- Does your fuzzy matching algorithm handle Arabic-Latin transliterations and Chinese characters?
- How many transaction monitoring scenarios are preconfigured, and can new ones be created without development?
- What is your measured false positive rate for clients with a comparable profile to ours?
- Are your AI models explainable within the meaning of the EBA Guidelines on the Use of ML (EBA/GL/2024/06)?
- Do you detect crypto asset transactions and cross-chain transfers?
- How do you handle beneficial ownership identification in multi-tier structures?
- What is your coverage of money laundering typologies published in the NCA's annual reports?
- Do you offer unsupervised anomaly detection (alongside rule-based scenarios)?
- How do you handle batch screening vs real-time screening, and what is the latency?
Compliance and reporting (8 questions)
- Do you automatically generate SARs in the NCA/Tracfin format?
- Do you produce the elements required for the FCA annual financial crime return?
- What is your average update delay after publication of new regulatory text?
- Do you cover AMLD6 specifics (15% UBO threshold, centralised registers, AMLA)?
- How do you document the audit trail for each alert processed?
- Do you support multi-jurisdictional declarations (SARs UK, STRs, etc.)?
- What is your approach to managing GDPR vs AML retention obligation tensions?
- Do you provide AML activity reports ready to present to the board?
Technical and integration (7 questions)
- Is your API documented in OpenAPI 3.0+ with a sandbox environment?
- What native connectors do you offer (core banking, CRM, payment systems)?
- What is the average integration time observed with your clients?
- What is your processing capacity (transactions per second) and availability SLA?
- Where is data hosted, and do you offer sovereign European hosting?
- Do you hold ISO 27001 and/or SOC 2 Type II certifications?
- How do you manage version updates without service interruption?
Commercial and support (5 questions)
- What is your pricing structure and how does cost evolve with growing volume?
- What are the integration, training and migration costs, and are they included or extra?
- Do you offer a dedicated Customer Success Manager and support in our language?
- What are the reversibility and data portability conditions at contract end?
- What is the termination notice period and contractual penalties for early exit?
Scoring grid: evaluate solutions side by side
Use this template to score each solution evaluated. Multiply the score (1 to 5) by the weighting to obtain a weighted score. The maximum total score is 500.
| Criterion | Weighting (%) | Solution A (score × weight) | Solution B (score × weight) | Solution C (score × weight) |
|---|---|---|---|---|
| 1. Sanctions/PEP screening | 15 | ___ / 75 | ___ / 75 | ___ / 75 |
| 2. Transaction monitoring | 15 | ___ / 75 | ___ / 75 | ___ / 75 |
| 3. Alert management | 12 | ___ / 60 | ___ / 60 | ___ / 60 |
| 4. Regulatory coverage | 12 | ___ / 60 | ___ / 60 | ___ / 60 |
| 5. Risk assessment | 10 | ___ / 50 | ___ / 50 | ___ / 50 |
| 6. Due diligence (KYC/KYB) | 8 | ___ / 40 | ___ / 40 | ___ / 40 |
| 7. AI and machine learning | 8 | ___ / 40 | ___ / 40 | ___ / 40 |
| 8. Technical integration | 7 | ___ / 35 | ___ / 35 | ___ / 35 |
| 9. Data and privacy | 5 | ___ / 25 | ___ / 25 | ___ / 25 |
| 10. Scalability | 3 | ___ / 15 | ___ / 15 | ___ / 15 |
| 11. Support | 3 | ___ / 15 | ___ / 15 | ___ / 15 |
| 12. TCO | 2 | ___ / 10 | ___ / 10 | ___ / 10 |
| Total | 100 | ___ / 500 | ___ / 500 | ___ / 500 |
Decision thresholds:
- Score >400: mature and complete solution, to be prioritised
- Score 300-400: solid solution with identified improvement areas
- Score 200-300: partial solution, requires supplements or suits only limited needs
- Score <200: solution unsuitable for the AML requirements of an obliged entity
Classic pitfalls when choosing an AML solution
Pitfall 1: technology lock-in
Some vendors make migration deliberately difficult: proprietary data formats, no standardised audit history export, non-portable detection scenarios. The migration cost for an AML solution sits between £42,000 and £250,000 for a mid-sized business. Negotiate portability from the initial contract.
Pitfall 2: the compliance gap between marketing and reality
"AMLD6 compliant" is a claim every vendor makes in 2026. But AMLD6 is not a binary label. Verify concretely: is the beneficial ownership register connected to national registers in real time? Is the 15% threshold implemented? Do detection scenarios cover new crypto asset typologies? Demand a detailed compliance matrix article by article.
Pitfall 3: hidden costs
The visible cost (licence or per-transaction price) represents 40 to 60% of the real TCO. Hidden costs include:
- Scenario configuration: £8,500 to £42,000 if configuration is not included in the licence
- Ongoing training: £2,500 to £8,500/year (regulators require annual AML team training)
- Regulatory updates: some vendors charge for each scenario update following regulatory changes
- Annual framework review: the FCA expects a documented annual review; if the solution does not facilitate it, the cost of manual production is added
Pitfall 4: the AI illusion
"Powered by AI" means nothing without metrics. Ask: what is the measured false positive reduction rate for clients comparable to us? Are AI decisions explainable and documented (EBA regulatory obligation)? Is the model trained on European data or only American data? A model trained on US laundering typologies poorly detects patterns specific to the European market (use of property investment vehicles, arrangements via holding companies).
Pitfall 5: neglecting change management
The best AML tool on the market fails if teams do not use it correctly. Budget for change management: intensive initial training (3-5 days), operational support for 3 months, process review after 6 months. The target adoption rate at 6 months should exceed 85%.
5-step selection methodology
Step 1: map your requirements (2-3 weeks)
Before contacting vendors, document your situation:
- Volumes: number of clients, transactions, counterparties to screen
- Regulatory scope: which specific obligations (FCA, HMRC, EU regulations, etc.)
- Existing systems: core banking, CRM, current tools, data flows
- Organisation: compliance team size, current processes, pain points
- Budget: annual envelope, year-1 investment capacity
Produce a structured requirements document of 15 to 20 pages. This will serve as the basis for consultations.
Step 2: shortlist 3 to 5 solutions (2 weeks)
Send the requirements document to 6 to 8 vendors and request a structured written response. Eliminate on the basis of knockout criteria:
- Absence of local regulatory coverage (UK/FCA)
- No European data hosting
- SLA below 99.5%
- No support in your language
Retain 3 to 5 solutions for the demonstration phase.
Step 3: demonstrations and POC (4-6 weeks)
For each shortlisted solution:
- Guided demonstration (2 hours): walkthrough of key features with your use cases
- Reverse demonstration (2 hours): you drive, the vendor assists
- POC (2-4 weeks): test on a sample of real data (200-500 clients, 1 month of transactions)
The POC must concretely measure: false positive rate, detection rate, alert processing time and quality of generated reporting.
Step 4: negotiation and contracting (2-4 weeks)
Priority negotiation points:
- Pricing: secure a 3-year price commitment with a revision clause linked to volumes
- SLA: demand financial penalties for non-compliance (service credits)
- Reversibility: data portability in a standard format (JSON, CSV), migration assistance included
- Regulatory updates: included in the licence, not charged as extras
- Audit clause: right to audit the vendor's security measures and compliance
Step 5: deployment and ramp-up (8-16 weeks)
Deployment follows four phases:
- Technical integration (3-4 weeks): API connection, data flows, integration testing
- Business configuration (2-3 weeks): scenario setup, threshold calibration, risk profiles
- Dual run (3-4 weeks): parallel operation of old/new system, results comparison
- Switchover and optimisation (2-4 weeks): go-live, intensive monitoring, threshold adjustment
Plan a fortnightly steering committee for the first 6 months with tracking KPIs: false positive rate, analyst productivity, alert processing time, team satisfaction.
Frequently asked questions
What is the difference between an AML solution and a KYC solution?
KYC (Know Your Customer) focuses on verifying client identity at the start of the relationship: identity documents, address, beneficial owners. AML covers a broader scope: ongoing transaction monitoring, sanctions list screening, laundering pattern detection, suspicious activity reports. In practice, the two are complementary. Some solutions cover both (Sumsub, Jumio), others specialise in AML (ComplyAdvantage, Napier, NICE Actimize).
How long does deploying an AML solution take?
Expect 12 to 24 weeks for a full deployment: technical integration (3-4 weeks), scenario configuration (2-3 weeks), dual run (3-4 weeks), ramp-up (2-4 weeks), plus a stabilisation period of 4 to 8 weeks. Cloud-native solutions reduce the technical integration phase. A rushed 6-week deployment will produce a poorly calibrated system with 90%+ false positives.
What budget should you expect for an AML solution?
The annual budget ranges from £21,000 for a small obliged entity (broker, early-stage fintech) to £425,000+ for a retail bank. The TCO includes the licence (40-60% of total), integration (15-25%), training (5-10%), and recurring operational costs (manual alert review, maintenance). For a quick estimate: plan £2.50 to £7 per active client per year on an all-inclusive basis.
Does an AML solution replace the compliance officer?
No. The solution automates detection and screening, but decisions on suspicious activity reporting, risk policy and regulator relationships remain human responsibilities. The FCA requires a nominated MLRO (Money Laundering Reporting Officer) and an internal controls framework overseen by an identified compliance officer. The solution is a tool serving that officer, not a substitute.
How do you know if your current AML solution is obsolete?
Five warning signs: false positive rate above 85%, no detection of crypto asset transactions, no AMLD6 support (15% UBO threshold, centralised registers), inability to produce SARs in the required format, and alert processing time exceeding 25 minutes. If three of these five criteria are met, a migration should be planned within the next 12 months.
Does CheckFile cover AML or only document verification?
CheckFile is positioned on AI document verification: extraction, validation and authenticity checking of KYC and KYB documents. For transaction monitoring and sanctions list screening, CheckFile interfaces with specialist AML solutions via API. This modular approach enables businesses to combine the best document verification tool with the best AML tool, without depending on a monolithic suite.
This article is for informational purposes only and does not constitute legal, financial or regulatory advice.