Introduction
Capco Switzerland partnered with a Tier 1 global wealth manager to establish Swiss-specific risk appetite statements and an empirical data-driven risk assessment methodology to ensure full compliance with the requirements of FINMA Guidance 05/2023 on money laundering risk analysis and FINMA’s Anti Money Laundering Ordinance (AMLO-FINMA).
We established a sustainable process of automated reporting and risk monitoring with oversight of management board and supervisory board. A team of seasoned experts were deployed to identify current shortcomings in risk assessment practices and remediate them via a structured, transparent, and measurable risk assessment and risk appetite framework.
Why now?
Pursuant to Article 25 para. 2 AMLO-FINMA, banks are obliged to prepare a money laundering risk analysis (‘risk analysis’), taking into account the business activities and the nature of the established business relationships.1 However, when FINMA reviewed risk analysis and risk appetite across over 30 banks in Switzerland in 2023, it found that a large number of those risk analyses did not meet basic requirements.
In particular, an adequate definition of the money laundering risk tolerance (‘risk tolerance’), which forms the framework of a robust risk analysis through set limits, was lacking in some cases. Furthermore, FINMA noted, a lack of various structural elements that are prerequisites for a risk analysis could be observed.
FINMA subsequently published Guidance 05/2023 with the aim of “creating transparency with regard to its observations and experiences with risk analysis in its supervisory practice”, and banks are obliged to adhere to this Guidance.
How we did it
As a first step, we undertook a gap assessment of the client’s current risk analysis/risk appetite practices against FINMA Guidance 05/2023 and AMLO-FINMA. We also ascertained the relevance of risk factors as set out in Article 13.2 of AMLO-FINMA for the client’s wealth management business via a thorough appraisal of the bank’s underlying business model, client base, products and services, processes, and policies.
After establishing a clear understanding of the client’s business and risk profile, we developed an empirical model to calculate inherent risk, control effectiveness and residual risk. While conducting the risk assessment, we categorized risk in line with FINMA prescribed risk criterion (e.g. client type, geography, products). We then mapped controls to risk categories and validated coverage, analysed control effectiveness using available historical data and reports, and coordinated with stakeholders to validate assumptions and inputs.
We ensured that a sustainable framework was in place to conduct such exercises on a regular basis, and that the dynamic and continuous monitoring of risk took place under the supervision of the management board.
During the project, the scope of Capco’s engagement was expanded to support the enhancement of the bank’s control management methodology, including structured processes for control certification, attestation and assurance across the organisation.
Capco worked closely with all three lines of defense and – given the strategic implications of risk appetite on the bank’s reputation, business and profitability – with members of the management and supervisory boards. It is worth noting that FINMA mandates that risk appetite and risk assessment should be approved by the board of the bank.
What we delivered
In partnership with the client, Capco transformed its financial crime risk management framework. What began as a project to remediate shortcomings relating to the FINMA requirements led to the creation of a fully functioning and sustainable financial crime risk management framework – one that is now properly structured, fully transparent, and capable of delivering empirical evidence.
Our sustainable solution comprises automated risk reporting, dynamic monitoring, supervisory oversight and appropriate remediation measures. We also worked beyond the core scope of risk analysis/appetite to implement structured processes for control certification, attestation and assurance across all AFC-relevant controls.
The artefacts produced include financial crime risk appetite statements (both qualitative and quantitative), risk assessment methodologies, risk drivers and KRIs to measure the risks, and automated processes for the assessment and reporting of inherent risks, control effectiveness and residual risks. Furthermore, we defined RACI and senior management supervision and escalation frameworks for financial crime risk management.
As well as accomplishing the goals of the client and meeting regulatory expectations, Capco’s work has been acknowledged by external auditors as being “best of breed” in the industry.
Client feedback
The client highlighted that the overall response to the project was extremely positive, specifically acknowledging the clarity and robustness of the solution proposed, as well as the effectiveness of stakeholder management, quality of the presentation materials, and rigorous adherence to the project timeline.Throughout the project lifecycle, Capco consistently communicated progress transparently, which helped build stakeholder trust and allowed earlier-than-expected engagement on key deliverables.
Senior management and external auditors particularly recognized the innovative and high-quality approach to financial crime risk assessment and appetite definition, placing the bank in a leading position within the wider peer group.
The client expressed strong appreciation for Capco’s proactive, organized, and independent approach, highlighting the confidence provided by the team's disciplined execution and robust analytical foundation.