FINMA Supplements AML Risk Analysis Guidance for Banks and FinIA Institutions
Switzerland's financial regulator has issued a supplement to its core anti-money laundering guidance, identifying gaps that persist across banks and investment managers operating under FinIA. The update matters because the money laundering risk analysis sits at the foundation of every AML control framework, and FINMA has made clear it expects that foundation to be solid.
What FINMA Reviewed and What It Found
Scope of the review
Since publishing Guidance 05/2023, FINMA has re-examined risk analyses from a cohort of over 30 banks first inspected in spring 2023. It also assessed the risk analyses of a wider set of additional banks and FinIA institutions, giving the regulator a broad cross-sectional view of current practice across the Swiss financial sector.
Progress acknowledged
FINMA did recognise genuine improvement. Banks have moved forward in how they define risk tolerance and how they structure their risk analyses overall. The regulator also noted that some FinIA institutions are already applying aspects of Guidance 05/2023 by analogy, which it welcomed, confirming that the methodological principles in that guidance apply equally to portfolio managers and similar entities, even though the level of detail required may be proportionately lower given their generally reduced risk exposure.
Gaps that remain
Despite the progress, FINMA identified room for improvement in several areas. Two issues stood out. First, institutions had failed in some cases to include explicit exclusions covering certain countries, client segments, services, or products. Where exclusions did exist, they sometimes did not align sufficiently with the institution's actual business model, which means they offered less practical protection than intended. Second, institutions were not always applying the required methodological principles correctly when carrying out the risk analysis itself. These are not cosmetic concerns: both gaps directly undermine the risk analysis as a management tool.
Why the Risk Analysis Matters for Compliance Frameworks
Its role in the AML structure
FINMA's supplement reinforces something practitioners already know in principle but sometimes underweight in practice. The money laundering risk analysis is not a documentation exercise. Under Article 25 para. 2 of the Anti-Money Laundering Ordinance (AMLO-FINMA), it is the instrument through which an institution defines its risk tolerance and sets binding internal guidelines for the structure, organisation, and day-to-day management of its entire AML framework.
That means the risk analysis drives where resources go, how controls are calibrated, and which processes receive the closest scrutiny. If the analysis is incomplete or methodologically flawed, every downstream control built on it is potentially miscalibrated. Audit firms and compliance teams reviewing Swiss clients should treat the risk analysis as a first-order document, not a background annex.
Implications for FinIA institutions
The confirmation that FinIA institutions should apply Guidance 05/2023 by analogy is significant. Portfolio managers and asset managers that may have considered the guidance primarily a banking concern now have a clearer signal from FINMA that the same methodological rigour is expected of them, with proportionality in detail but not in discipline. For accounting firms and auditors serving these clients, this is an immediate prompt to review whether current risk analysis documentation meets that standard.
Practical Steps for Firms Advising Swiss Institutions
Reviewing country and client exclusions
The explicit-exclusions gap is one of the most actionable findings. Advisers should check whether the institution's risk analysis lists, in specific terms, the countries, client categories, products, and services it will not accept, and whether those exclusions are coherent with what the institution actually does. A generic list of high-risk countries copied from a standard template will not satisfy FINMA's expectations if it does not reflect the institution's real business scope.
Testing methodology against FINMA's framework
The second gap, methodological correctness, requires a more granular review. Firms should map the institution's risk analysis process against the steps set out in Guidance 05/2023 and its new supplement, checking for consistent application of risk scoring, aggregation logic, and the linkage between identified risks and the controls designed to address them. Crypto bookkeeping software and broader digital asset accounting software used by institutions should be able to produce transaction-level data that feeds cleanly into this risk scoring process. If the data pipeline is inconsistent, the risk analysis will be too.
Reliable crypto accounting software plays a supporting role here: it needs to surface complete, auditable records that can inform risk categorisation at the counterparty and transaction level, so that the institution's risk analysis reflects operational reality rather than theoretical categories. For Swiss firms holding or intermediating digital assets, that data quality dimension is non-negotiable.
For a broader view of how data quality affects AML compliance work, see our piece on blockchain analytics data quality due diligence questions, which sets out the questions firms should put to any analytics provider supplying compliance data.
Connecting the risk analysis to sanctions obligations
The risk analysis does not sit in isolation from other FINMA obligations. Country exclusions, for example, need to be consistent with the institution's approach to sanctions screening. Our earlier coverage of FINMA sanctions obligations for Swiss financial intermediaries outlines the specific steps required following FINMA's recent sanctions list updates, which should be read alongside this AML guidance supplement.
What to Watch Next
FINMA has a track record of following up guidance with supervisory action. Institutions that received feedback during the spring 2023 inspection cycle and have not since addressed the gaps identified should treat this supplement as a signal that re-inspection is a realistic prospect. The supplement also suggests that FINMA intends to assess FinIA institutions more systematically against the same framework going forward.
Accounting firms serving Swiss banks and FinIA institutions should build a review of the risk analysis into their next engagement cycle, if they have not done so already. The regulator has made the standard explicit. The gap between that standard and current practice at some institutions is also explicit. That combination rarely stays unaddressed for long.
Source: FINMA
FAQ
The supplement applies to banks subject to FINMA supervision and to institutions licensed under the Financial Institutions Act (FinIA), including portfolio managers and asset managers. FINMA confirmed that the methodological principles in Guidance 05/2023 apply to FinIA institutions by analogy, with a proportionate level of detail reflecting their generally lower risk profile.
FINMA found two main issues. Some institutions had not included explicit exclusions for certain countries, client segments, products, or services, or the exclusions they had did not match their actual business model. Others were not correctly applying the required methodological principles when conducting the risk analysis itself.
The requirement to carry out a money laundering risk analysis is set out in Article 25 para. 2 of the Anti-Money Laundering Ordinance (AMLO-FINMA). The risk analysis must define the institution's risk tolerance and provide binding internal guidelines for structuring and managing its AML framework.
Advisers should review whether the client's risk analysis includes explicit, business-model-consistent exclusions and whether the methodology follows the steps in Guidance 05/2023 and its new supplement. The risk analysis should be treated as a primary compliance document, not a background annex, because every downstream AML control is built on it.
This FINMA publication is supplementary guidance that clarifies how FINMA expects existing obligations to be met in practice. It does not introduce new legal requirements but signals more precisely where current practice falls short of what FINMA considers adequate under existing rules.
