The AML Risk Analysis today: FINMA’s expectations, market trends, audit conclusions

> Which inherent risks is FINMA currently emphasizing?
> How to document the analysis of the relevance of the enhanced risk criteria?
> Risk tolerance is becoming a recurring FINMA supervisory focus

INHERENT RISKS

Analysis of inherent risks today: which risk criteria are “rising”?

• Which risks is FINMA currently emphasizing? For example, activity compared to nationality?
• How should the weighting of the different risk criteria evolve within risk scoring:
  • What should be the weight of nationality in the risk scoring compared to other country linkage criteria such as the client’s place of activity, the location of their SOW, the location of their main clients, the location of their main suppliers, etc., in a world where passports can be falsified or even purchased?
  • What should be the weight of the client’s sector of activity given the increasing importance of trade/sectoral sanctions since 2022: chemicals, defense, electronics, etc.?

ENHANCED RISK CRITERIA

Analysis of the relevance of the enhanced risk criteria of the business relationship: what do auditors and FINMA expect in this regard?

• What link should be made between the AML risk analysis (art. 25, al. 2 OBA-FINMA) and the definition of the relevant criteria (art. 13, al. 2bis OBA-FINMA) ?
• How to document the analysis of the relevance of the criteria in the OBA-FINMA ? Should you take other criteria into consideration?
• How frequently should you do this exercise?
• Are the requirements identical for the enhanced risks of transactions?
• What are the main audit conclusions and the FINMA’s expectations?

CONTROL MEASURES AND BUSINESS MODEL

Acting on risk to reduce residual risk: control measures or action on the business model

Because many institutions pile up controls to compensate for an overly risky business model without ever questioning the activity itself, FINMA clearly distinguishes between two families of actions to reduce residual risk: control measures (acting on the risk) and structural measures (acting on the business model).

• If both types of measures are complementary, do they have the same impact and scope? When institutions “overinvest” in controls, do they adjust their business model, even when the structural risk is incompatible with their risk tolerance?
• Acting on risk or control measures – what does this mean? If the objective is to reduce the probability or impact of a risk without modifying the activity itself, can controls compensate for a business model that is intrinsically too risky? Can control measures be the only lever?
• Acting on the business model: structural measures – what does this mean? If these measures are the most powerful but also the most difficult (as they affect strategy, the client portfolio, products and markets), can risk be reduced at its source, i.e. by modifying the activity so that it becomes compatible with the institution’s risk tolerance? What are examples of structural measures? Exiting certain high-risk markets, ceasing to offer complex legal structures, reducing the proportion of offshore clients, abandoning sensitive payment corridors, limiting or prohibiting foreign PEPs.
• How to move forward? How can the two types of measures be articulated within a FINMA framework? Outline of possible solutions.

RISK TOLERANCE

Definition and application of risk tolerance: why does FINMA keep pointing out this issue year after year?

• What is risk tolerance according to FINMA?
• Why does FINMA criticize this point every year? Possible explanations: confusion between risk assessment and risk tolerance, lack of risk quantification, disconnect between risk tolerance and operational processes, lack of consistency with the business model (in relation to the target client base, products, markets and structural risks), lack of effective governance (e.g. insufficient involvement of board members, absence of reporting on compliance with limits, or undocumented adjustments).
• Risk tolerance is becoming a recurring FINMA supervisory focus. What is specifically reviewed? Incomplete documentation, inconsistencies between policy and practice, existence of quantitative or even qualitative thresholds, and links with AML, sanctions, credit and other controls.
• How can this be addressed? What could be the solutions at the strategic, tactical and operational levels?