1This is a highly simplified presentation, which should enable a quick initial classification of the topic. Each institution should determine the relevance and the concrete need for action individually.
Since 1 January 2016, the AMLO-FINMA contains an explicit requirement to prepare a money laundering risk analysis (current Art. 25 para. 2 AMLO-FINMA; based on FATF Recommendation 1). Accordingly, the financial intermediary must prepare a risk analysis of the associated money laundering and terrorist financing risks, taking into account its area of activity and the type of business relationships. The financial intermediary should take into account the domicile of the target clients, the geographical presence of the institution, the client segment and the products and services offered.
Since 1 January 2020, financial intermediaries must also analyse the criteria to be defined for the risk categorisation of their business relationships (Art. 13 para. 2bis AMLO-FINMA). For each of the criteria listed in Art. 13 para. 2 AMLO-FINMA, it must be recorded individually whether it is relevant to their own business activity or not.
Complete money laundering risk management incl. risk tolerances
The survey of risk analyses carried out by FINMA in spring 2023 at over 30 banks showed that most analyses did not meet the requirements. In FINMA’s view, the specific requirements were already apparent from the provisions and the explanatory reports but have not been implemented to the expected depth by many financial intermediaries to date. With its Guidance 05/2023, FINMA is providing clarity and communicating its expectations to banks and, mutatis mutandis, to FinIA institutions.
FINMA expects the risk tolerance and thresholds/limits to be defined, in particular taking into account the following points:
- Business policy exclusion of certain countries, customer segments and services and/or products
- Establishment of an “exception-to-policy” process to allow exceptions to the defined risk tolerance in individual cases
- Definition of key risk indicators to monitor compliance with risk tolerance by Management and BoD (based on risk limits)
In the risk analysis, FINMA expects the financial intermediary to identify, record, analyse and measure all money laundering risks to which it is exposed and, based on these findings, to define measures to manage, control, report and monitor these risks. The following points are central to this:
- Money laundering risks
- Recording, analysis and measurement of the individual risks for each risk category (esp. domicile or residence of clients, client segment, products/services and geographical presence --> to be completed individually)
- Show inherent risk, control risk and net risk individually and comprehensibly for each relevant money laundering risk
- Inclusion of key figures and findings from the controls carried out (“Controls of controls”)
- Implementation of the requirements under Art. 13 para. 2bis AMLO-FINMA
- Record for each individual criterion according to Art. 13 para. 2bis AMLO-FINMA whether it is relevant to the business activity or not
- The required relevance is to be considered given if a significant number of business relationships are affected
- The relevance assessment must be based on defined key figures and be comprehensible for third parties
- Monitoring compliance with the business strategy and risk policy
- Written record of the risk analysis, periodic review, adjustment if necessary and approval by the board of directors or the highest management body in each case
- Regular review of the extent to which the composition of the existing client base and range of services is in line with the business strategy and risk policy
- Definition of key figures for determining the respective risk exposure and compliance with the strategy/risk policy
- Definition of risk limits for monitoring risk tolerance
- Reconciliation of the net risk with the risk tolerance
- Taking measures in the event of non-compliance with thresholds or risk tolerance
- Other elements to consider
- Comparison with previous year: Ensuring the traceability of the development of risks (inherent risks, control risk and net risks)
- Resources: Critically scrutinise the qualitative and quantitative resources for ensuring the implementation of the anti-money laundering regime.
In order to meet the extensive requirements of FINMA, it is advisable, depending on the nature and size of the financial intermediary, to define the money laundering risk management process with the help of a risk criteria catalogue. In particular, the assessments of the inherent risk, the control risk and the net risk per money laundering risk must be individually visible and comprehensible. In addition, sufficiently detailed measures as well as key figures and risk limits must be defined for each money laundering risk.
As a rule, the AML unit is responsible for conducting and preparing the money laundering risk analysis. The defined risk limits should be consulted by the management and agreed with the board of directors (acceptance of residual risks). The (periodic) adoption is done by the board of directors or the highest management body. The money laundering risk analysis can be incorporated as part of the comprehensive compliance risk analysis.
Applicability for FinIA institutions
FINMA clearly addresses its expectations from Guidance 05/2023 to the banks. In it, it also makes a direct link to the Banking Act and Ordinance and FINMA Circular 2017/1 “Corporate Governance - Banks”. Only in one place does FINMA state that its observations and experience can also be applied mutatis mutandis to FinIA institutions. FinIA contains the explicit organisational requirement that the FinIA institution must identify, measure, manage and monitor its risks (including legal and reputational risks) and ensure effective internal controls. FinIO further requires that risk tolerances be determined. In light of the legal basis and FINMA Guidance 05/2023, it is clear that FINMA’s expectations regarding money laundering risk analysis and risk tolerance also apply in principle to FinIA institutions. However, for reasons of proportionality and according to informal discussions, a more pragmatic implementation may also be sufficient – compared to banks (at most in terms of the scope of risk categories/ criteria and/or level of detail on risk assessments and measures).
The money laundering risk analysis is to be a strategic tool for checking compliance with the risk and business strategy (in the form of risk limits) and the money laundering risk appetite (in the form of net risks). The definition of the risk appetite and a sound risk analysis will now increasingly be the focus of the supervisory authority and the audit firms. Financial intermediaries should check whether their money laundering risk analysis is compliant with the regulation and, if not, take appropriate steps to remedy the situation in a timely manner.