RFP Template
The literal RFP. Sections, questions, response format. Copy into a Google Doc, edit your company specifics, send to 5–7 vendors. Includes the scoring rubric you'll apply when responses come back.
How to run the RFP
RFPs are exhausting for vendors. A well-run RFP gets answered in detail; a sloppy one gets boilerplate marketing. Five rules to keep it tight:
- Send to 5–7 vendors max. Sending to 10+ signals you're not serious and you'll get B-team responses. Pre-filter via the kill-switches in 01 § Kill switches.
- Two-week response window. Less means rushed answers; more means stale data and lost momentum.
- Single channel for questions. Designated email; questions and answers shared with all bidders (so no one gets an unfair edge). Set a question deadline halfway through the window.
- Mandatory response format. Make them answer in your template. Vendors who rewrite the structure are signalling how they'll behave during integration.
- Reject "see attached marketing PDF" answers. Send them back. Twice.
Week 1: kickoff + RFP drafted. Week 2: RFP sent. Week 3: mid-window Q&A. Week 4: responses received. Week 5: scoring + clarification round. Week 6: top-3 demo deep-dives. Total to short-list: ~6 weeks.
Cover letter / RFP introduction
[Company] — Request for Proposal: Identity Verification & KYC Vendor
DATES
- RFP issued: [DATE]
- Bidder questions due: [DATE + 7d]
- Q&A circulated: [DATE + 9d]
- Responses due: [DATE + 14d, 17:00 UTC]
- Notice to shortlist: [DATE + 28d]
POINTS OF CONTACT
- Procurement / process: [Name, email]
- Product / technical: [Name, email]
- Legal / commercial: [Name, email]
ABOUT [COMPANY]
[2–3 paragraphs: what you do, regulatory licenses held, current
geographic footprint and 18-month expansion plan, current
verification volume and projected 12-month growth, current
verification stack (or "greenfield").]
PURPOSE OF THIS RFP
We are evaluating identity verification and KYC vendors for
[consumer IDV / KYB / sanctions screening / Travel Rule / …] to
[primary jurisdictions] with planned expansion to [secondary list].
Projected Year-1 volume: ~[N] consumer IDV checks, ~[M] KYB
checks, ~[K] sanctions screenings.
RESPONSE FORMAT
Use the template at §7 of this document. Do not substitute marketing
collateral for direct answers. Where information cannot be shared
without an NDA, indicate "NDA required" and we will arrange one.
CONFIDENTIALITY & NDA
This RFP is confidential. By responding, you confirm acceptance of
the mutual NDA at Appendix A. Your response will be shared only
with the [Company] evaluation team.
NON-BINDING
This RFP is for evaluation only and does not constitute an offer
to contract. [Company] reserves the right to engage one, multiple,
or no respondents.
§1 — Company overview
Short. Less than 1 page of vendor response. Designed to surface lifecycle / business-risk flags early.
- Company legal name, HQ jurisdiction, year founded, current employee count.
- Ownership: privately held / public / PE-owned / subsidiary. List any M&A events in the last 24 months.
- Most recent funding round (date, amount, lead investor) or last fiscal year revenue (range acceptable).
- Total number of paying customers; number of customers in [your industry vertical]; number in [your primary jurisdiction].
- Three reference customers we may contact, ideally in fintech / crypto / regulated financial services.
- Geographic offices and team locations (engineering, support, compliance).
- Brief positioning statement: who is your product for, and what do you do better than alternatives?
§2 — Technical capability
The longest section. This is where vendors earn their score.
2.1 Coverage
- Provide a country-by-country matrix for our top-20 markets ([list]) showing: supported document types, biometric/liveness availability, expected completion rate, expected median time-to-decision.
- Which countries are not supported at all? Roadmap for adding them?
- For each supported document type in our top-5 markets, provide: extraction fields, OCR accuracy benchmark, MRZ / NFC chip support, and edge cases handled (e.g., torn corners, holographic glare).
2.2 Biometric & liveness
- Liveness technology: passive only / active only / both. Latest iBeta PAD certification level & date.
- Biometric matching FAR / FRR at your default operating point. Latest NIST FRVT submission, if any.
- Published demographic-bias testing results (skin tone, age, gender). Provide the report.
- Spoofing test results against printed photo, screen replay, mask, deepfake video.
2.3 Sanctions / PEP / adverse media
- Native screening or via partner (name the partner)?
- Lists supported: OFAC, EU consolidated, UN, UK HMT, AUSTRAC, MAS, [others]. Refresh frequency for each.
- Ongoing monitoring offering: re-screening cadence, alerting model, dispositioning workflow.
- False-positive rate on sanctions screening; tunability of name-matching strictness.
2.4 KYB
- Corporate-registry coverage by country; data freshness.
- UBO discovery depth (legal entities up to ultimate beneficial owner).
- Control-person identification.
- Adverse-news screening on business entities.
2.5 Decisioning & workflow
- Workflow / rules engine: hosted, configurable by us, versioned?
- A/B and routing primitives (cohort-based routing, geo-routing, fallback chains).
- Manual review console: queue management, reviewer audit trail, dispute workflow.
- Reporting & analytics: out-of-the-box dashboards, raw event export, SQL access?
2.6 Integration
- API style (REST / gRPC), versioning policy, deprecation window.
- SDKs: iOS, Android, Web JS, React Native, Flutter. Bundle sizes. Open-source / closed?
- Webhook delivery: signing, replay window, dead-letter, retry semantics.
- Sandbox: test fixtures, synthetic documents, forced-failure modes, time-to-first-verification for a new engineer.
- Provide links to public documentation, or sample documentation pages if your docs are not public.
§3 — Compliance & certifications
- SOC 2 Type II report — date of most recent, scope, attached?
- ISO 27001 certificate — date, scope.
- ISO 27701 or comparable privacy certification.
- PCI-DSS (if applicable).
- GDPR posture: DPO contact, sub-processor list URL, SCC / IDTA in DPA.
- Data residency options: which regions (EU, UK, US, APAC, …); guaranteed in DPA?
- Regulator acceptance: list customers in our top-3 target jurisdictions whose regulator has accepted you as their IDV provider. Cite the regulator and date if shareable.
- Travel Rule support: VASP-to-VASP messaging protocol(s) supported, ongoing-customer count.
- Data retention configurability: per-jurisdiction policy, default retention, right-to-erasure flow, audit-log retention.
§4 — Security
- Encryption: at rest, in transit, key management (KMS / HSM / customer-managed keys).
- Tenant isolation model (single-tenant / multi-tenant / hybrid).
- Authentication for our admin / console users: SSO via SAML/OIDC, SCIM provisioning, MFA enforcement options.
- API authentication: API keys, OAuth2, mTLS option.
- Pen-test history: last 12 months. Will you share the executive summary under NDA?
- Vulnerability disclosure / bug-bounty program?
- Incident-response process & customer-notification SLA.
- Sub-processor list and review process when you add a new sub-processor.
- Employee background-check policy for personnel handling PII.
- Audit-log access: customer-facing read-only access to operations performed on our data?
§5 — Commercial
- Pricing model for our projected volume: per-check unit pricing at three tiers (year-1, year-2, year-3 projected).
- Itemize every billable event type (IDV check, doc re-submission, sanctions screening, sanctions hit investigation, ongoing-monitoring fee, KYB sub-check, manual review, dispute, data export). Provide unit price for each.
- Minimum commitment: monthly minimum, annual minimum, term length to access best pricing.
- Overage pricing & shortfall penalty.
- Annual price-increase mechanism (capped, indexed, fixed)?
- Implementation / onboarding fees, if any.
- Sandbox pricing: free, capped, or metered?
- Termination terms: termination-for-convenience window, transition-assistance services, data export at end of contract.
- Payment terms (Net-30, Net-60, currency, currency-fluctuation handling for non-USD).
Demand a CSV or table — never just prose. If the response says "starting at $1.50/check" without volume tiers, demand the curve. Vendors burying pricing in prose is a known tactic.
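A quick check to run over the vendor's returned pricing CSV before anyone scores §5, added here as an example rather than part of the RFP template. It assumes the column layout the response template asks for in pricing-table.csv (event_type, unit_price_usd, tier_1_volume, tier_2_volume, tier_3_volume), reads it as one row per event type and tier, and uses our own snake_case names for the itemized billable events; the sample CSV is constructed.

```python
import csv
import io

# Column layout the response template specifies for pricing-table.csv.
REQUIRED_COLUMNS = ["event_type", "unit_price_usd", "tier_1_volume",
                    "tier_2_volume", "tier_3_volume"]
# Every billable event type §5 tells the vendor to itemize (names are ours).
REQUIRED_EVENTS = ["idv_check", "doc_resubmission", "sanctions_screening",
                   "sanctions_hit_investigation", "ongoing_monitoring",
                   "kyb_sub_check", "manual_review", "dispute", "data_export"]
# Constructed sample: idv_check has a curve, sanctions_screening a flat price, the rest missing.
SAMPLE = """event_type,unit_price_usd,tier_1_volume,tier_2_volume,tier_3_volume
idv_check,1.50,100000,,
idv_check,1.20,,500000,
idv_check,0.95,,,2000000
sanctions_screening,0.10,50000,,
"""

def validate_pricing_csv(text):
    """Return findings to send back to the vendor; [] means the table is scorable."""
    # Assumed layout: one row per event type and tier, with the price in
    # unit_price_usd and that tier's annual volume in tier_k_volume (others blank).
    rows = list(csv.DictReader(io.StringIO(text)))
    missing_cols = [c for c in REQUIRED_COLUMNS if c not in (rows[0] if rows else {})]
    if missing_cols:
        return [f"missing columns: {', '.join(missing_cols)}"]
    findings, by_event = [], {}
    for r in rows:
        ev = r["event_type"].strip()
        try:
            filled = [int(r[f"tier_{k}_volume"]) for k in (1, 2, 3)
                      if r[f"tier_{k}_volume"].strip()]
            price = float(r["unit_price_usd"])
        except ValueError:
            findings.append(f"{ev}: non-numeric price or volume")
            continue
        if len(filled) != 1:
            findings.append(f"{ev}: each row must fill exactly one tier column")
            continue
        by_event.setdefault(ev, []).append((filled[0], price))
    for ev in REQUIRED_EVENTS:
        if ev not in by_event:
            findings.append(f"{ev}: not itemized (buried in prose?)")
    for ev, points in by_event.items():
        points.sort()  # ascending by tier volume
        if len(points) < 2:
            findings.append(f"{ev}: single price, no volume curve")
        elif any(b > a for (_, a), (_, b) in zip(points, points[1:])):
            findings.append(f"{ev}: unit price rises with volume; ask why")
    return findings
```

Anything in the findings list goes back to the vendor verbatim with the clarification request; a flat "single price" finding is exactly the "starting at $1.50/check" response described above.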
§6 — Support & SLA
- Uptime SLA: synchronous API, webhook delivery, manual review queue. What's covered, what isn't.
- Credit / penalty mechanism if SLA missed.
- Support tiers offered: response times for P1 / P2 / P3.
- Channel options: ticket, email, shared Slack/Teams, phone, dedicated technical account manager.
- Hours: 24/7 / business-hours / follow-the-sun.
- Status page URL; historical uptime over the last 24 months.
- Customer success engagement model: quarterly business reviews, roadmap visibility, beta program.
- User-facing dispute / appeal mechanism: who reviews disputes, SLA, audit trail.
§7 — References
- Provide three references we may contact: ideally in fintech / crypto / regulated FS, similar scale to ours, deployed for at least 12 months.
- For each reference, indicate: company (name or anonymized), industry, jurisdictions deployed, approximate volume tier, modules used, length of deployment, primary contact & role.
- Provide one "failure" reference — a customer that churned or downsized. We will treat the answer confidentially.
Vendors hate this question. The ones who answer it honestly are the ones worth taking seriously. Vendors who claim they have no failures are either lying or have shipped only to friends-and-family customers.
Scoring rubric for RFP responses
Score each section 0–5, then map to the 38-criterion scorecard in 01. Use the rubric below to keep scoring consistent across reviewers.
| Score | Response quality |
|---|---|
| 5 | Direct, complete, verifiable. Includes data, customer references, documents (under NDA where needed). No hand-waving. |
| 4 | Direct and mostly complete. 1–2 minor follow-ups needed; vendor commits to clarifying. |
| 3 | Acceptable. Meets ask but light on specifics; would need a clarification round. |
| 2 | Evasive or generic marketing. Multiple follow-ups required. |
| 1 | Mostly substitutes marketing or "we'd love to discuss live" deflections. |
| 0 | Did not answer or non-responsive. |
Reviewer assignment
- §1 Company overview: Procurement + Finance lead
- §2 Technical capability: Engineering lead + PM
- §3 Compliance: MLRO / CCO + Legal
- §4 Security: Security / CISO delegate
- §5 Commercial: Procurement + Finance lead
- §6 Support & SLA: Engineering lead + Customer Ops lead
- §7 References: PM (who runs the calls)
Each reviewer scores independently before the consolidation meeting. The first sign of consensus-by-anchoring is reviewers re-litigating their scores after seeing others'.
Response template (vendor-facing)
Append this to the RFP. Require vendors to use exactly this structure.
RESPONSE FROM: [Vendor legal name]
RESPONSE DATE: [YYYY-MM-DD]
PRIMARY CONTACT: [Name, title, email, phone]
§1 — Company overview
1.1 Legal name + HQ:
1.2 Ownership / M&A history:
1.3 Most recent funding / FY revenue:
1.4 Customer counts:
1.5 References (3 + 1 failure):
1.6 Offices:
1.7 Positioning:
§2 — Technical capability
2.1 Coverage matrix (attach CSV: country × document × completion × time-to-decision):
2.2 Biometric & liveness:
…
[every numbered question is answered inline; attachments referenced by §X.Y]
§3 — Compliance
[…]
§4 — Security
[…]
§5 — Commercial
5.1 Pricing — attach: pricing-table.csv with columns
[event_type, unit_price_usd, tier_1_volume, tier_2_volume, tier_3_volume]
5.2 Minimums:
5.3 Overage / shortfall:
5.4 Annual increase:
5.5 Implementation:
5.6 Sandbox:
5.7 Termination:
5.8 Payment:
§6 — Support & SLA
[…]
§7 — References (provide contact info under NDA if needed)
[…]
ATTACHMENTS
- A. SOC 2 Type II report (under NDA, separate channel)
- B. Coverage matrix CSV
- C. Pricing table CSV
- D. Sample DPA
- E. Sample MSA
- F. Standard SLA document
What to do when a vendor refuses to use your template
Send the response back with a 5-business-day extension and a polite note that responses not in template will not be scored. Most vendors comply on the second pass. Vendors who still refuse have told you something important about how they'll behave during your year-2 renegotiation.