FINMA Strengthens AML Risk Analysis and Governance Expectations
Swiss regulator urges firms to move beyond compliance checklists and use AML risk analysis to define risk appetite, allocate resources, and drive decision-making.
The Swiss Financial Market Supervisory Authority (FINMA) has issued Guidance 04/2026, strengthening supervisory expectations around anti-money laundering (AML) risk analysis and emphasizing that it should serve as a core management tool rather than a routine compliance exercise.
The guidance supplements FINMA’s 2023 framework and follows reviews of more than 30 banks and numerous financial institutions. While regulators observed improvements in risk governance, they identified recurring weaknesses in how firms define risk tolerance, measure risk exposure, and monitor AML controls.
A central message of the guidance is that institutions must clearly define their money laundering risk tolerance, including which client types, jurisdictions, products, or services fall outside their business model. FINMA noted that many institutions continue to rely solely on enhanced due diligence measures rather than explicitly excluding risks they are unwilling to accept. Examples cited include foreign politically exposed persons (PEPs), complex ownership structures, certain jurisdictions, crypto-related services, and trade finance activities.
The regulator also raised concerns about the growing use of Exception-to-Policy (ETP) approvals. According to FINMA, frequent exceptions may indicate that an institution’s actual risk appetite differs from its stated risk tolerance, making the issue a governance matter requiring board-level oversight. Institutions are expected to centrally document, monitor, and regularly report ETP cases to senior management and boards.
Another major focus is the use of Key Risk Indicators (KRIs). FINMA expects firms to monitor meaningful indicators that accurately reflect inherent AML risks, including exposure to higher-risk clients, PEPs, assets under management, exception approvals, and relationships connected to higher-risk jurisdictions. The regulator cautioned against aggregating low-, medium-, and high-risk exposures into single metrics, as this can obscure an institution’s true risk profile.
FINMA further stressed that risk-mitigating controls must be supported by evidence, not merely references to internal policies. Institutions should demonstrate control effectiveness through measurable outcomes, testing results, and documented deficiencies. Resource allocation also forms part of the risk analysis, with firms expected to assess whether staffing and expertise remain adequate as client risk, investigations, and monitoring demands increase.
For compliance teams, the guidance reinforces a growing regulatory expectation: AML risk assessments should actively shape business strategy, onboarding decisions, monitoring priorities, and governance oversight. Institutions that treat risk analysis as a static annual document may face increased scrutiny as regulators demand clearer evidence that AML frameworks are driving risk-based decision-making.