In today’s fast-evolving regulatory landscape, Swiss financial institutions face increasing scrutiny around how they identify, measure, and manage risks related to money laundering and terrorist financing. A particularly critical area of focus has emerged following recent updates to Art. 25 para. 2 AMLO-FINMA and the publication of FINMA Guidance 05/2023.

These developments call for a fresh look at how institutions assess their AML risks—not just as a regulatory formality, but as a strategic risk management tool aligned with internal business objectives and risk appetite.

A Shift Toward Measurable AML Risk Management

FINMA’s recent supervisory activity has revealed that many banks are falling short in one fundamental area: the quality and completeness of their AML risk analysis. This is no longer a “nice-to-have” compliance document—it is now expected to serve as the backbone of an institution’s risk steering capabilities.

Under the revised expectations, AML risk analyses must go beyond qualitative narratives. They must be grounded in measurable indicators—known as Key Risk Indicators (KRIs)—and show clear links between business exposure and the control framework in place. Simply put, regulators want to see that the institution knows its risks, can measure them, and steers its business accordingly.

What Should Be Included in an AML Risk Analysis?

The AML risk analysis must be tailored to the institution’s specific business model, size, and risk exposure. It should answer key questions such as:

• Where are our geographical and client-related vulnerabilities?

• Are we operating within our defined AML risk appetite, and how to control it?

• Which products or services increase our exposure to financial crime risks?

• How effective are our current controls in mitigating these risks?

To support these assessments, FINMA expects institutions to define measurable AML KRIs, which may include metrics such as:

• Number or volume of transactions from high-risk jurisdictions

• Client exposure to politically exposed persons (PEPs)

• Usage of higher-risk services such as trade finance or crypto assets

• Share of complex structures (e.g. trusts, shell companies) in the client base

• Suspicious activity reports filed

Each institution should define KRIs that reflect its own business activities and strategic risk tolerance. The AML risk appetite should be embedded in daily operations—and demonstrably so.

A Strategic Tool—Not Just a Compliance Requirement

Used correctly, the AML risk analysis becomes a strategic instrument:

• It supports Board and Executive Management in aligning the AML framework with the institution’s overall risk appetite.

• It helps internal teams identify where enhanced controls are needed.

• It signals to regulators and auditors that the institution has its risks under control—literally.

Crucially, FINMA now expects the AML risk analysis to form part of broader governance and compliance risk assessments, such as those defined under FINMA Circular 2017/1. Institutions that can demonstrate an integrated, risk-based approach will stand out positively during regulatory reviews.

Download our free Excel template

Start building your AML risk analysis in line with Art. 25 para. 2 AMLO-FINMA. Our blank Excel template gives you a structured foundation to define and document your Key Risk Indicators. Download AML Risk Template Here

Need Support? Let’s Talk

If your institution needs support in reviewing, drafting or enhancing its AML risk analysis, including the definition of KRIs and aligning with your governance and risk appetite frameworks, we’re here to help.