FINMA sets out specific requirements for anti-money laundering risk analysis


By: Mathias Müller

On 4 June 2026, FINMA published its Guidance 04/2026, thereby supplementing FINMA Guidance 05/2023 on money laundering risk analysis pursuant to Art. 25 para. 2 AMLO-FINMA. The Guidance is based on FINMA’s inspections of banks and FINIA institutions and clarifies its expectations regarding the content, methodology and control function of the risk analysis.

Classification¹

[Table: GwG risk classification overview]

¹ This is a greatly simplified overview intended to provide a quick introduction to the subject. Each institution should assess the relevance and the specific need for action on a case-by-case basis.

 

Classification and objectives

FINMA emphasises that the money laundering risk analysis is the central control instrument of risk management. It forms the starting point for the design of the anti-money laundering framework by defining risk tolerance and establishing binding guidelines for organisation, processes and controls. The aim of the updated guidance is, in particular, to

  • eliminate existing methodological ambiguities;
  • improve the comparability and consistency of risk analyses; and
  • strengthen their actual steering effect within the institution.

 

Key findings from FINMA’s supervisory practice

FINMA acknowledges that institutions have made progress since 2023, particularly in structuring risk analyses and defining risk tolerance. At the same time, recurring weaknesses persist:

  • Risk tolerance not sufficiently specified:
    There is often a lack of clear specifications as to which risks are explicitly excluded (e.g. countries, client segments or products), or these are not consistent with the business model.

  • Methodological shortcomings in risk identification:
    The distinction between inherent risk, controls and residual risk is sometimes unclear or inconsistent, which significantly limits the validity of the risk analysis. 

  • Inadequate identification of heightened risks:
    Certain risk areas, in particular PEPs, complex structures or crypto-related business models, are in some cases not adequately classified as high risk. 

  • Weaknesses in operationalisation:
    Risk indicators (KRIs), limits and monitoring mechanisms are often not sufficiently meaningful or are not consistently linked to risk tolerance. 

  • Overly lenient exception processes:
    ‘Exception-to-policy’ approvals are sometimes granted too frequently and effectively undermine the defined risk policy.

 

FINMA’s clarified expectations

Based on these findings, FINMA has specified its expectations in relation to the key elements of risk analysis:

  • Clear definition of risk tolerance:
    Institutions must explicitly specify which risks they accept and which are excluded. Risk-mitigating measures are no substitute for deliberate risk exclusions.
    Example: A portfolio manager systematically excludes business relationships with clients from high-risk countries, rather than merely mitigating these through enhanced due diligence.

  • Systematic identification of inherent risks:
    The risk analysis must comprehensively and in detail capture all relevant risk drivers of the business model (clients, products, markets, distribution channels). 
    Example: Separate assessment of the risks associated with PEP clients, complex structures and digitally initiated business relationships, rather than an aggregated overall assessment of the ‘private client segment’.

  • Clear methodological distinction:
    Inherent risks, control quality and residual risks must be clearly distinguished and assessed in a transparent manner. 
    Example: An institution first assesses the inherent risk of a PEP customer as ‘high’, reduces this through effective controls and transparently reports the remaining residual risk, rather than directly assigning an ‘overall medium risk’.

  • Greater focus on governance:
    Risk analysis, business strategy, risk policy and operational implementation must be consistently linked. In particular, KRIs, limits and escalation mechanisms must be effectively defined.
    Example: Defining a KRI for the proportion of high-risk relationships in the overall portfolio, e.g. 10% of the customer base or AuM, with clear escalation mechanisms in the event of this threshold being exceeded.

  • Monitoring and governance:
    Compliance with risk tolerance must be monitored on an ongoing basis. Deviations must be systematically recorded, approved and controlled. 
    Example: Introduction of a formalised ‘exception-to-policy’ process with approval at Executive Board level in the event of defined risk limits being exceeded, and regular reporting to the Board of Directors.

 

Implications for FINIA institutions (in particular portfolio managers)

FINMA expressly states that the methodological principles of risk analysis also apply to FINIA institutions. Differences exist only in the level of detail in accordance with the principle of proportionality, but not in terms of quality or methodology.

For portfolio managers, this means in particular:

  • Risk analyses must be as robust and methodologically sound as those carried out by banks.
  • Explicit risk exclusions and clear risk tolerance are mandatory.
  • The risk analysis must be used as an active management tool and must not be merely a formality.

 

Conclusion

Although FINMA’s Guidance 04/2026 does not tighten formal regulatory requirements, it does define significantly clearer supervisory expectations regarding the quality of money laundering risk analyses. The notice makes it clear that, going forward, FINMA will place even greater emphasis on the anti-money laundering risk analysis as a central governance and management tool. Institutions are therefore urged to critically review their existing risk analyses and, in particular, to specifically strengthen their methodology, granularity and operational effectiveness.

 

How we can support you

Grant Thornton assists companies in understanding regulatory changes and supports them in their practical implementation. We are also available as a point of contact for conceptual and technological issues.