Current findings in the implementation of the amended provisions of the AMLA 

Practical tips for the best possible implementation and avoidance of risks

 

Detlev M. Basse,
Dr. iur., LL.M., Senior Legal Counsel FS Regulatory & Compliance,
BDO Ltd
Taulant Avdija,
Partner, Head of FS Regulatory & Compliance Switzerland,
BDO Ltd

 

1. Introduction

Last year, significant changes to anti-money laundering and due diligence requirements came into force. These had a direct impact on internal regulations and directives, processes and documentation requirements. The internal control system (ICS) also had to be revised in this context. The relevant changes to the AMLA and FINMA's expectations are listed below:

  • Obligation to review (verify) and appropriately document the AM
  • Obligation to periodically update client data on the basis of the risk analysis in accordance with the criteria set out in Art. 13 para. 2 AMLO-FINMA.
  • Obligation to carry out an annual risk analysis, taking into account the area of activity and the type of business relationships conducted in accordance with the requirements of FINMA Supervisory Notice 05/2023 within the meaning of Art. 25 para. 2 AMLO-FINMA.

 

2. Current status of implementation by financial intermediaries

This section outlines the findings of audits carried out and proposes appropriate measures to ensure compliance with the regulatory requirements.

 

2.1 General documentation requirements

The central element for avoiding findings, in particular complaints, is the requirement for physical and/or electronic documentation that is comprehensible to third parties (supervisory authority and audit firms). Of particular relevance here is the traceability of a business transaction, e.g. the concrete basis for the determination of the BO. This also includes chronological traceability, i.e. the date of execution and the name of the authorised person as well as any references to other relevant documents. Current experience shows that formal documentation requirements tend to be handled carelessly. The frequently used justification ‘We know our customers’ is not sufficient.

 

2.2 Verification of the beneficial owner

The verification of the beneficial owner (BO) requires an independent verification process by the FI. The content of the customer's self-declaration of the beneficial owner must, irrespective of the quality of the document, be verified using suitable and meaningful documents. Suitable documents include a complete KYC with the reason for entering into the business relationship, education, background and business activities of the customer, source of wealth, source of funds, intended use of the assets, transaction behaviour, etc.

Open-source enquiries can also serve as a source of information about the contracting party. The provisions of Art. 4 AMLA in conjunction with Art. 2 letter f AMLA are authoritative. Art. 2 letter f AMLO-FINMA or Art. 56 ff. or Art. 59 ff. AMLO-FINMA.

Current findings show that the legal requirements for the verification of the BO are not yet being implemented properly. The isolated note ‘BO was checked’ or the filing of copies of identity documents is not sufficient. The inspection process must be recorded in writing as a basis for traceability. This is a plausibility check and not a request for evidence. It must also be recorded who carried out the check for the FI and when this was done.[1]

 

2.3 Periodic updating of customer data

As part of the requirement under Art. 7 para. 1bis AMLA for the risk-based, periodic updating of client data, FIs agree that this must be carried out annually for foreign PEPs. Adequate risk assessment of client relationships has become increasingly important; if this fails, the FI runs the risk that the annual update will not be carried out adequately (e.g. review of the risk criteria for an annual check). If such a process is not properly documented, this may constitute a breach of due diligence obligations and may have consequences under supervisory law.

The frequency of the update according to the customer's risk scaling must be set out in a binding directive. The defined deadlines must be adhered to.

The active updating obligation affects all data about the customer that is the subject of the business relationship, also from a data protection perspective. This applies to both master data for formal identification and other data (e.g. content of the KYC). The process for the resubmission and assessment of the continuation of a business relationship with increased risks (GmeR) must be structured and documented. This includes the reasoned request for the continuation or cancellation of a KYC.

 

2.4 Low risk appetite and high proportion of domiciliary companies abroad - a contradiction

Carrying out a money laundering risk analysis within the meaning of Art. 25 para. 2 AMLO-FINMA requires the nominal determination of the total number of existing business relationships, including the proportion of domestic/foreign clients, private/business clients, PEP and GmeR, operating companies and domiciliary companies, as well as the inflows and outflows compared to the previous year. The customer data must be prepared in a structured manner. This includes criteria such as: domicile of the contracting party as well as BO/control holder, nationality/s and, in the case of legal entities or companies, business divisions (use of NOGA code[2]) as well as the number of business relationships with domiciliary companies or complex structures (cf. Art. 13 para. 2 letter h AMLO-FINMA).

FINMA criticises the lack of an adequate definition of money laundering risk tolerance in the assessed risk analyses, which should form the limiting framework of a robust risk analysis through defined limits and structural elements.

The risk tolerance must be in line with the strategic orientation and the business model. Simply paying lip service to the fact that ‘the risk appetite is low’ is not enough. Practice shows that high-risk business relationships are nevertheless often entered into via ‘exception-to-policy decisions’ (e.g. with domicile in FATF ‘grey list’ countries). This practice clearly shows a contradiction in implementation, i.e. the exception becomes the rule. In many cases, there is no clear process for minimising the risks and monitoring the ‘exceptionally’ approved business relationships.

When carrying out the risk assessment, the inherent risk, control risk and the resulting net risk must be clearly identified for each money laundering risk category in accordance with FINMA requirements. This gives the risk assessment more weight, but also requires more time and compliance/risk expertise on the part of the persons responsible. It may be advisable to involve specialised third parties in the outsourcing of risk and compliance tasks.

 

3. Conclusion

The regular revision of regulations, directives and work processes must be consistently pursued. The changes must be harmonised with the ICS. This is illustrated by the term complex structure, as without inclusion in a directive, the essential basis for the assessment of increased MLA risks with such structures is missing.

Outsourcing compliance/risk tasks to specialised third parties not only provides relief, especially for small units such as independent asset managers, but also significantly reduces legal and regulatory risks.

 

 

Biographies

Dr. Detlev M. Basse has been a Senior Legal Counsel at BDO Financial Services since January 2023. Previously, he held leadership positions in Legal & Compliance at banks in Eastern Switzerland and Liechtenstein, as well as Head of Compliance at a securities firm in Zurich. He has extensive and diverse experience in legal and compliance issues in the financial sector, both nationally and internationally. His specialization lies in supporting external asset managers (EAM) with compliance matters. His professional focus areas include anti-money laundering, the implementation of due diligence obligations, and the practical compliance with data protection requirements according to EU GDPR and the revised Federal Data Protection Act. He is a recognized lecturer for training on compliance topics in the financial sector.

Taulant Avdija, Partner, is an attorney-at-law and Head of Regulatory & Compliance at BDO Financial Services. He holds a CAS in Financial Regulation and a CAS in Digital Finance Law and advises and supports banks and financial intermediaries in the implementation of new regulatory requirements. Over the past 10 years, he has been involved in major anti-money laundering investigation and remediation projects. He plays an active role in the training of actors in the financial sector, regularly acting as a trainer for various institutions.

 

[1] Identification of beneficial owners of companies and assets or beneficial owners of assets.

[2] The classification of economic activities (NOGA) is derived from the Statistical Classification of Economic Activities in the European Community (NACE). The new version (NOGA 2025) will be introduced in the FSO statistics from 2026 (see https://www.bfs.admin.ch/bfs/en/home/statistics/industry-services/nomenclatures/noga.html).