Switzerland’s financial markets regulator published supplementary guidance on money laundering risk analysis Wednesday, flagging persistent weaknesses in how banks and other financial institutions define risk tolerance and assess inherent risks.

FINMA said it had reviewed risk analyses from more than 30 banks examined in spring 2023, as well as those of numerous other FinIA institutions—a category encompassing such non-bank institutions as securities firms, fund management companies, and portfolio managers. The review identified sectoral shortcomings significant enough to merit a new supervisory statement, FINMA said. 

One recurring issue flagged by the agency was a failure by institutions to define clear-cut instances when a client or activity exceeded risk tolerances. 

A number of institutions described conditional risk-mitigating measures where outright exclusions were required, for example conditioning acceptance of foreign politically exposed persons (PEPs) on executive board approval rather than excluding them categorically. Other institutions relied solely on mandatory exclusions, such as sanctioned jurisdictions, without making deliberate, business-model-driven choices about which countries, client segments, services, or products to exclude, according to the guidance.

FINMA also identified problems with exception-to-policy processes. Some institutions had approved exceptions in such volume that their stated risk tolerances were effectively meaningless, according to the guidance, which argued that higher-risk appetites in such instances should be formalized through a board-level revision. 

In other cases, institutions defined metrics solely for control risk, omitting indicators for inherent risks, including the number and assets under management of high-risk clients, and geographic risks outside of designated target markets. 

FINMA also found that some financial institutions had simply underestimated the vulnerabilities that come with dealing with complex structures, PEPs, and crypto services. While the regulator considers such relationships and activities to be inherently high risk, the firms did not, classifying them as medium risk instead.