FINMA guidance calls out Swiss bank failings on AML risk analysis

The regulator reviewed the risk analyses of more than 30 banks in spring 2023. It found “a “large number (of banks) … did not meet the basic requirements for such an analysis.”

FINMA added even an adequate definition regarding risk tolerance around money laundering—the cornerstone for effective risk analysis—“was lacking in some cases.”

Switzerland’s financial services sector has recently experienced its share of money laundering scandals. Last June, a Swiss court fined Credit Suisse 2 million Swiss francs (then-U.S. $2.1 million) for failing to prevent money laundering linked to a Bulgarian criminal organization more than a decade ago. In October, Credit Suisse agreed to pay French authorities 238 million euros (then-U.S. $237 million) to settle claims it broke the country’s money laundering laws by luring wealthy clients to Switzerland.

Without naming any institutions, FINMA said there were a range of failings in banks’ anti-money laundering (AML) detection and reporting protocols—some of them regarded as basic.

FINMA found banks often failed to take account of the money laundering risks certain countries, types of clients, and politically exposed persons could have on their business. It also found, “in most cases,” there was “no suitable process to allow exceptions to the defined risk tolerance in individual cases.” Such exceptions are granted by the executive board and monitored after appropriate risk mitigation measures have been defined.

Further, the regulator noted no key risk indicators were defined that could be used to monitor compliance with a bank’s AML risk tolerance or that would enable the executive board and the board of directors to regularly supervise it.

FINMA’s review said it was “regularly noted” that banks’ assessments regarding inherent money laundering risks and control risks, as well as resulting residual risks, “were not broken down individually and comprehensibly for each recorded money laundering risk of each money laundering risk category.” Additionally, not all money laundering risks relevant to the institution were always covered.

The regulator also found banks’ measures to mitigate money laundering risks were often not described in enough detail. FINMA said descriptions were “regularly too generic to comprehend their impact on the inherent risks,” while key indicators to demonstrate the effectiveness of controls were lacking. This meant it was more difficult for institutions to make necessary improvements to their AML frameworks.

FINMA added money laundering risks and exposures were not compared to previous years, making it difficult to monitor AML controls, keep track of progress, or assess how risk levels might have progressed.

Previous guidance from the regulator released in 2015 said risk analysis around money laundering (and other risks) must be recorded in writing, periodically reviewed, adjusted if necessary, and approved by the board of directors or top management so the findings inform risk policy and business strategy.

“In concrete terms,” said FINMA, “this means that a bank takes the money laundering risk into account when determining its business strategy. There is thus a close interdependency with a bank’s business strategy and risk policy.”

FINMA said it repeatedly observed banks did not provide key figures to show how large their risk exposure to money laundering might be or to what extent compliance with the business strategy and risk policy was ensured because of their AML efforts.

The regulator noted, “It was often found that the qualitative and quantitative resources required to ensure the implementation of the bank’s anti-money laundering processes were not critically examined so that they could be adjusted if necessary.”