Choosing an AML tech provider — the questions that will keep your clients safe

Compliance and anti-money laundering (AML) expert Harriet Holmes gives a masterclass in quizzing potential AML providers – so you can make the right choice for you, and your clients.

When a client hands over their personal details – passports, bank information or proof of address – they’re placing an enormous amount of trust in your firm. That trust is the foundation of any professional relationship, but it’s also incredibly fragile. A single data breach, an accidental leak or a provider who cuts corners can cause irreparable damage to your reputation. 

AML software sits at the heart of modern compliance. It verifies identities, manages documentation and helps businesses meet their regulatory obligations. Choosing the right AML provider isn’t just about efficiency or cost savings; it’s about demonstrating that you take client and consumer protection seriously. 

So, how do you make the right choice? By asking potential providers the right questions.

1) How do you keep my clients’ information secure?

Security should always be a priority. While it’s easy for a provider to say ‘we take security seriously’, what matters is how they prove it to you. 

A good provider will explain the measures they use to safeguard data at every step. They should be able to demonstrate security as a process, not a one-time setup. That means regular system testing, proactive monitoring and constant updates to deal with new threats. 

You don’t need to be an expert in encryption, standards or firewalls to judge whether a provider is trustworthy. Instead, focus on whether they can explain their approach in a clear, understandable, confident way. A provider who can’t or won’t explain how they keep your clients safe may not be one you want to trust. 

Red flag: Vague assurances like ‘we comply with industry standards’ without detail or context.  

2) Where will the data be stored? 

When it comes to data, location does matter. A responsible AML provider will be transparent about where their servers are, whether data ever leaves a jurisdiction and how they comply with GDPR when making such transfers. 

Think of it this way: would you be comfortable telling your clients exactly where their personal details are stored? If not, your provider hasn’t given you enough clarity. 

Probing question: Will my clients’ data ever leave the UK? How do you notify us and how do you make sure such transfers are done in compliance with GDPR?

3) Can you provide evidence that you meet high security standards? 

Trust is good; evidence is better. Independent audits and certifications are one of the clearest signs that a provider takes security seriously. 

Look for evidence such as ISO 27001 (information security management) or SOC 2 (controls focused on security, availability and confidentiality). These certifications aren’t just badges; they are proof that a provider’s systems and processes have been tested against strict benchmarks and independently verified.  

Ask how often audits take place. You can also ask whether they carry out any other tests, such as regular independent penetration tests to identify weaknesses before criminals do. 

Tip: Don’t be afraid to check or verify. Don’t just take their word for it. 

4) What happens if something goes wrong? 

Even the most secure systems can encounter problems. What really matters is how a provider responds to a problem. Ask about their incident response process:

• How will they tell you if there’s a breach affecting your clients?
• Who do they notify?
• How quickly will they notify you?
• What steps will they take to minimise damage? 

Always think big and small. Equally important is business continuity. If the AML provider’s system goes offline, how will you continue to onboard and serve clients? Providers should have disaster recovery plans that allow them to keep operating with minimal disruption. 

Think of it like insurance: you hope you never need this information, but you will be glad you asked these questions should something happen. 

Probing question: If your system went down tomorrow, how would you support the firm with onboarding?

5) How do you treat data control? 

One of the most important but often overlooked (until it’s too late) questions is around control. Understanding the boundaries and use of data is important. Make sure you have full control to export, delete or transfer data if you ever change providers. 

Watch out as some providers apply prohibitive restrictions or excessive fees. Essentially, this makes it very difficult for clients to change providers as the need arises.

Why this matters: Control over your data ensures you are never ‘locked in’ to an AML provider and that your clients’ information remains firmly in your control.

6) How long do you keep client data? 

Holding client data for longer than necessary is a real risk. It can put you on the wrong side of the law. Regulation 40 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 requires law firms to retain client due diligence for five years.

Ask your AML provider about their data retention policy:

• How long do they keep information?
• Can you determine the retention period yourself?
• What happens to data if/when you stop using the AML provider’s services? 

The provider you want to work with will give you a level of control and flexibility. That way, you can comply with regulatory and legal requirements while also respecting client privacy by ensuring that data is not held indefinitely. Holding on to data longer than necessary isn’t safe or compliant. Strong retention policies protect clients and your firm.

Probing question: Can I set my own retention period and will you automatically delete data when the limit is reached?

7) Who are your suppliers? 

It’s not just the AML provider you need to consider, but also their suppliers (the supply chain of suppliers). Many breaches happen layers down this chain, where oversight is weaker. 

When you choose an AML provider, you are not just trusting them; you are also trusting the network of suppliers and third parties that they could rely on. If those suppliers cut corners on security, your client data is still at risk, even if your direct provider is strong. 

Delve deeper: It’s worth considering not only who their suppliers are, but also how they vet and monitor them. A trustworthy AML provider should be able to show that they carry out due diligence on their partners and hold them to the same standards. 

8) Is security part of your company culture? 

Security isn’t just about systems, it’s about people. Culture matters as much as technology. A provider who treats security as an afterthought could put your clients at risk. 

Providers who can demonstrate that security is part of their DNA, not just a marketing line, are far more likely to protect you and your clients in the long run. 

Ask whether they train their staff on handling sensitive data. In many high-profile breaches, the root cause isn’t just a technical flaw but often human error, an employee falling for a phishing scam, or a developer bypassing controls. Some companies only train staff after an incident. 

Probing question: How do you integrate security into your company culture?  

9) Can you integrate and cooperate with our existing systems? 

Technology alone doesn’t guarantee compatibility – culture matters too, says Tim Parkman of Marker AI. A credible AML provider should be able to demonstrate both technical flexibility and a collaborative mindset. 

Ask whether their systems support integration via secure APIs, webhooks or other standard protocols, and whether they’ve successfully connected with platforms similar to yours. But don’t stop at the tech. Probe how they handle integration requests:

• Do they offer responsive support?
• Are they willing to work with your IT team or third-party vendors without delay or defensiveness? 

A provider who resists integration or becomes uncooperative when asked to collaborate can quickly become a bottleneck. The right partner will treat interoperability not as a nuisance but as a shared responsibility – one that protects clients and strengthens your operational resilience.

Beyond security: building client and consumer confidence

While security must be a crucial concern, choosing an AML provider is also about reassurance.

Your clients want to know their personal details are safe when shared with you. You should handle their data with the same care you’d expect for your own. By selecting an AML provider who can clearly answer the questions above, you’re not just protecting data, you’re actively strengthening client trust.

In a competitive market, trust is one of your most powerful differentiators; it’s invaluable.

Though clients don’t directly see the suppliers you choose, they experience the impact. It shapes their relationship with you through faster onboarding, smoother interactions and, most importantly, confidence that their information is secure.

When you ask the right questions, you set a higher standard, not just for compliance but for client service. Fundamentally, when choosing an AML provider you should remember that data security isn’t just a technical checkbox; it’s a core part of your professional responsibility.

The right provider becomes an extension of your firm’s commitment to protecting client information, while the wrong choice could expose you to significant regulatory and reputational risks.

Written by Harriet Holmes of Thirdfort