Issued in August, FINMA Guidance 05/2023 was more than a box-ticking update. It signalled a significant shift in how the Swiss regulator expects banks to conduct money laundering risk analysis under Article 25 AMLO-FINMA. It also demanded the sort of culture shift that does not happen overnight – or, arguably, even nearly two years on.
A FINMA review of risk analyses at more than 30 Swiss banks in 2023 found that a large number of those examined did not meet the basic requirements. Missing were clear definitions of risk appetite, concrete risk indicators, and meaningful links between the risk assessment and actual business decisions. The message from FINMA was loud and clear: this was not good enough.
Guidance 05/2023 was issued with a view to “creating transparency with regard to its observations and experiences with risk analysis in its supervisory practice”.1 In practice, it requires banks to run a continuous process: set a risk appetite in line with strategy, assess and manage risks regularly, and ensure clear accountability for the results.
The challenge: from policy to practice
The real challenge is turning anti-financial crime (AFC) frameworks into something operational. Many institutions can talk about their low appetite for risk – but ask how that shapes onboarding or periodic client reviews, and you hit a wall. Risk appetite exists on paper but does not drive actual decisions.
Scalability is another issue. Risk processes are often local, and inconsistent across group entities. FINMA now expects a global, consolidated view – and that means standard definitions, shared metrics, and harmonized reporting.
Figure 1 below shows the core disconnects between regulatory expectations and day-to-day practice. These aren’t technical gaps – they are cultural, and they won’t be fixed by tweaking a spreadsheet.
| FINMA Expectation | Common Gap |
|---|---|
| Defined AML risk appetite | Vague policy language such as “The Bank does not engage in relationships that pose an elevated money laundering risk”, without specifying what qualifies as elevated. |
| Measurable KRIs | Overreliance on qualitative input – for example, control effectiveness assessed qualitatively by the control owners themselves, without objective testing. |
| Risk appetite and risk assessment that inform each other | The risk assessment often does not feed back into the risk appetite. For example, the bank claims zero tolerance for overdue periodic reviews, yet the assessment contains no data or metrics on review completion rates. |
| Policy tied to strategy | Product and client decisions are disconnected from the stated risk appetite – for example, the bank expands into high-risk jurisdictions or launches high-risk products even though its quantitative threshold for high-risk client exposure has already been reached or exceeded. |
| Board-level accountability | The executive board and board of directors receive periodic AFC updates, but there is no structured process for reviewing breaches of risk tolerance, approving remediation plans, or validating whether the risk appetite remains appropriate given changes in exposure or business strategy. |
Figure 1
The solution: making risk strategic
Swiss banks need to integrate their risk frameworks much more tightly with business operations. Our recommendations for achieving this are as follows:
- Get specific with risk appetite. No more catch-all statements. Define what you will and won’t accept – by geography, client type, and product. Set clear thresholds that trigger enhanced due diligence, senior approval, or outright rejection. Where you allow exceptions, ensure they are formally approved at the appropriate governance level, clearly documented, and tracked. Each exception should carry a business rationale and a risk justification, and be subject to ongoing monitoring. Exceptions must not become a backdoor for bypassing the risk appetite – they need to be managed within a controlled and transparent process.
- Start measuring consistently. Your KRIs should reflect your risk appetite. Track metrics such as high-risk clients, suspicious activity reports filed, overdue client reviews, transaction monitoring alerts, and exceptions. Report them in a way that leadership can understand.
- Link risk to reality. Risk analysis should guide day-to-day decisions. Which types of clients should business development pursue? Should compliance expand its monitoring team to handle more alerts? These aren’t abstract questions – they relate directly to where your risk exposure actually lies. Your analysis should drive the answers. If a segment consistently generates high alert volumes or exceptions, then either the controls need to be upgraded or the business strategy must be adjusted. Static policies won’t cut it anymore.
- Involve the board, early and often. FINMA wants AML oversight at the top. That means regular updates to the board with the metrics that matter – no jargon, just clear communication of signals and trends, including any breaches of risk tolerance and the remediation plans approved in response.
Time to shift gears
This is about building a better bank. Our four recommendations (define risk appetite with precision, measure consistently, connect risk to real decisions, and embed board-level oversight) form a practical roadmap. Institutions that follow it will not only satisfy supervisory expectations, but also build sharper governance, deeper resilience, and better business alignment.
Clear boundaries. Real-time insights. Better decisions. That is the prize.
At Capco, we’ve supported leading Swiss banks on this journey. We know where the friction points are – and how to solve them without overengineering the solution.
References