FINMA Supervisory Notice 04/2026: AML Risk Analysis
Background
On 4 June 2026, FINMA published Supervisory Notice 04/2026 on AML risk analysis. It supplements Supervisory Notice 05/2023 and summarises further observations from the review of AML risk analyses. FINMA notes that FinIA institutions already apply certain aspects of the previous supervisory notice by analogy, but that there remains room for improvement.
The supervisory notice is relevant for portfolio managers pursuant to Art. 17 FinIA and managers of collective assets pursuant to Art. 24 FinIA, insofar as they are subject to the Anti-Money Laundering Act.
Key FINMA Expectations
The AML risk analysis should serve as a central risk management tool. It must not merely exist as a formal document, but must reflect the institution’s actual risks. This includes in particular:
- defining the institution’s risk tolerance;
- identifying inherent risks;
- assessing control risks;
- determining net risks;
- setting risk limits;
- using appropriate key risk indicators;
- defining risk-mitigating measures;
- periodic review and updating.
FINMA criticises in particular the absence of deliberate exclusions, insufficient exception-to-policy processes, missing or inadequate key risk indicators, and AML risk analyses that are not sufficiently granular.
Practical Relevance
The AML risk analysis should reflect the institution’s actual client, country, product and service structure. General or standardised risk analyses are not sufficient if they do not have a comprehensible link to the specific business model.
For portfolio managers and managers of collective assets, the following risk factors are particularly relevant:
- domicile and nationality of clients and beneficial owners;
- PEP relationships;
- complex ownership and control structures;
- domiciliary companies, trusts, foundations and comparable structures;
- countries with increased money laundering, corruption or sanctions risks;
- unusual transactions or source-of-wealth circumstances;
- products with an increased risk of misuse;
- external assets, custodian banks or service providers outside Switzerland;
- crypto or digital asset exposure;
- delegation and outsourcing arrangements.
Action Points
- Review and update the AML risk analysis;
- clearly define the institution’s risk tolerance;
- define deliberate exclusions of countries, client segments, products or services;
- introduce or review an exception-to-policy process;
- define appropriate key risk indicators;
- align the risk analysis with the client base and transaction profiles;
- document risk-mitigating measures;
- review the effectiveness of controls;
- ensure approval by the responsible governing bodies.
Additional Relevance for Managers of Collective Assets pursuant to Art. 24 FinIA
For managers of collective assets, the AML risk analysis should be reviewed on a risk-based basis to determine whether it adequately reflects the specific characteristics of the respective business model. This concerns in particular the client or investor structure, relevant country and counterparty risks, any delegations, and the organisational embedding of AML-relevant controls.
The specific risk factors that are relevant depend on the respective business model, fund structure, parties involved and tasks assumed.

