Switzerland’s anti-money laundering landscape is evolving rapidly. With the 2025 AMLA revision, the introduction of the Federal Act on the Transparency of Legal Entities (LETA), and increasingly stringent oversight of virtual asset service providers (VASPs) and payment institutions by the Swiss Financial Market Supervisory Authority (FINMA), financial intermediaries across Switzerland face unprecedented compliance scrutiny.
If you’re a compliance officer at a crypto exchange in Zurich, a remittance company in Geneva, or a payment service provider in Lugano, preparing for your AML audit isn’t just a regulatory checkbox—it’s a business imperative that can determine whether you maintain your operating license.
This comprehensive guide provides a practical, actionable checklist for preparing for AML audits in Switzerland in 2026, covering everything from FINMA requirements to self-regulatory organization (SRO) expectations and sector-specific considerations aligned with Financial Action Task Force (FATF) standards.
Understanding the Swiss AML Audit Landscape
What is an AML Audit in Switzerland?
An AML audit in Switzerland is an independent examination of a financial intermediary’s anti-money laundering and counter-terrorist financing (AML/CFT) controls, conducted to assess compliance with the Swiss Anti-Money Laundering Act (AMLA or Geldwäschereigesetz – GwG), its implementing ordinances (AMLO-FINMA), and applicable self-regulatory organization (SRO) rules.
Unlike jurisdictions where AML audits may be optional or conducted on a risk basis, Switzerland mandates regular independent audits for most financial intermediaries. The frequency and scope depend on your regulatory status, with some firms requiring annual audits while others may undergo reviews every few years.
Who Needs an AML Audit?
Swiss AML audit requirements apply to various financial intermediaries, including:
Banks and Securities Dealers: Directly supervised by FINMA, these institutions must undergo comprehensive annual AML audits as part of their regulatory audit obligations under Article 24 of the Banking Act.
Financial Intermediaries Subject to SRO Supervision: This category includes asset managers, trustees, lawyers, notaries, payment service providers, remittance companies, and increasingly, real estate intermediaries. These firms must affiliate with a recognized SRO such as VQF, PolyReg, ARIF, or OAR-G and undergo periodic AML audits according to SRO requirements.
Virtual Asset Service Providers (VASPs): Crypto exchanges, wallet providers, and other VASPs holding a FINMA license under Article 1b of the Banking Act (Payment Instrument Institution license) or the new Crypto Institution license must undergo rigorous AML audits that address both traditional money laundering risks and crypto-specific concerns like the Travel Rule and self-hosted wallet interactions.
Newly Regulated Sectors Under LETA: Following the 2025 transparency reforms under the Federal Act on the Transparency of Legal Entities (available on the Swiss Federal Administration website), Swiss legal entities now have enhanced beneficial ownership reporting obligations. While not all entities require full AML audits, fiduciary service providers, legal professionals facilitating entity formation, and certain corporate service providers face increased scrutiny and potential audit requirements based on their client risk profiles.
Quick Reference: Swiss AML Audit Requirements by Entity Type
| Entity Type | Supervisor | Typical Audit Frequency | Key Focus Areas |
|---|---|---|---|
| Banks & Securities Dealers | FINMA (Direct) | Annual | Comprehensive AML/CFT controls, correspondent banking, sanctions |
| VASPs / Crypto Exchanges | FINMA via SRO | 1-2 years | Travel Rule, self-hosted wallets, on-chain analytics, DeFi risks |
| Payment Service Providers | SRO (VQF, PolyReg, etc.) | 1-3 years | Cross-border payments, merchant due diligence, velocity controls |
| Remittance Companies | SRO | 1-3 years | High-risk corridors, source of funds, transaction structuring |
| Asset Managers | SRO | 2-3 years | Client due diligence, PEP screening, beneficial ownership |
| Lawyers / Notaries | SRO (OAR-G, etc.) | 2-4 years | Client funds handling, UBO verification, trust/company formation |
| Fiduciary Service Providers | SRO | 2-3 years | LETA compliance, UBO documentation, complex structures |
| Real Estate Intermediaries | SRO (if applicable) | 2-4 years | Source of funds, foreign entity purchases, cash transactions |
PRO TIP
Many Swiss financial intermediaries underestimate the preparation time required for AML audits. FINMA-recognized audit firms typically recommend starting your preparation at least 3-4 months before your scheduled audit date to ensure adequate time for documentation review, control testing, and remediation of any identified gaps.
The 2025 AMLA Revision: What Changed?
The 2025 revision of Switzerland’s Anti-Money Laundering Act (Geldwäschereigesetz) introduced several significant changes that directly impact audit expectations. These revisions align Switzerland more closely with the latest FATF Recommendations and address emerging financial crime threats:
Enhanced Beneficial Ownership Requirements: The introduction of LETA means auditors now scrutinize how firms verify and document ultimate beneficial owners (UBOs), with particular attention to the accuracy of information reported to the new Swiss Transparency Register. The 25% control threshold remains, but verification requirements have been strengthened.
Expanded Risk-Based Approach: FINMA expects more sophisticated risk assessments that consider emerging threats like ransomware payments, decentralized finance (DeFi) protocols, and sanctions evasion techniques. Generic risk assessments no longer satisfy audit requirements—firms must demonstrate specific analysis of their unique risk exposures.
Technology and Automation Standards: Following FINMA’s guidance on the use of artificial intelligence and machine learning in financial services, auditors now evaluate whether firms’ automated transaction monitoring systems adequately detect suspicious patterns while minimizing false positives. Simple rule-based systems may be deemed insufficient for higher-risk institutions, particularly those processing significant transaction volumes.
Cross-Border Payment Scrutiny: Given Switzerland’s role as a global financial hub, auditors pay heightened attention to correspondent banking relationships and cross-border payment flows, particularly those involving high-risk jurisdictions identified by FATF or subject to international sanctions regimes.
For a deeper understanding of Swiss regulatory frameworks, see our comprehensive guide to VASP compliance.
The Complete AML Audit Preparation Checklist
1. Governance and Organizational Structure
Effective AML compliance begins with strong governance. Swiss auditors assess whether your firm demonstrates genuine “tone from the top”—FINMA’s preferred term for board-level commitment to compliance.
Board and Senior Management Oversight: Document evidence that your board receives regular AML updates, approves key policies annually, and actively discusses emerging money laundering risks. Minutes from board meetings should reflect substantive compliance discussions, not perfunctory acknowledgments.
Compliance Officer Appointment: Ensure your designated AML compliance officer (MLRO) has appropriate authority, independence, and resources. For SRO-supervised firms, verify that your compliance officer meets the qualifications specified in your SRO’s regulations. Consider whether MLRO outsourcing makes sense for your organizational structure, particularly if you lack in-house expertise in Swiss regulatory requirements.
Organizational Independence: Auditors examine whether your compliance function operates independently from business units. The compliance officer should report directly to senior management or the board, not to revenue-generating departments that might create conflicts of interest.
Adequate Resourcing: Document that compliance receives sufficient budget, technology, and human resources relative to your firm’s size and risk profile. Understaffed compliance teams are a frequent audit finding.
2. Written AML/CFT Policies and Procedures
Swiss law requires financial intermediaries to maintain comprehensive written policies covering all aspects of AML/CFT compliance. These aren’t mere formalities—auditors will test whether your documented procedures reflect actual practice.
Comprehensive Policy Coverage: Your AML policy manual should address customer due diligence, beneficial ownership identification, enhanced due diligence triggers, ongoing monitoring, suspicious activity reporting to MROS (Money Laundering Reporting Office Switzerland), record retention, sanctions screening, and employee training.
Risk-Based Methodology: Document your methodology for categorizing customers into risk tiers (low, medium, high, prohibited). This should be granular enough to justify different due diligence intensities but not so complex that staff cannot consistently apply it.
Annual Policy Review: FINMA expects annual reviews of AML policies, with updates reflecting regulatory changes, audit findings, and evolving risk landscapes. Maintain a version control log showing policy evolution over time.
Accessibility and Training: Policies mean nothing if staff don’t know they exist. Demonstrate that employees can easily access current policies and that new hires receive policy training during onboarding.
For guidance on building comprehensive compliance documentation, review our article on creating an effective AML compliance program.
3. Risk Assessment and Risk-Based Approach
Switzerland follows FATF’s risk-based approach, requiring firms to identify, assess, and mitigate their specific money laundering and terrorist financing risks.
Enterprise-Wide Risk Assessment: Conduct and document a comprehensive risk assessment covering customer risks, product/service risks, delivery channel risks, and geographic risks. This should be updated at least annually or whenever your business model changes significantly.
Sector-Specific Risk Factors: Different financial services face distinct risks. VASPs must address crypto-specific threats like mixing services and anonymity-enhanced coins. Remittance companies must evaluate high-risk corridor transactions. Payment processors must assess merchant risk and card-not-present fraud. Your risk assessment should reflect your sector’s unique vulnerabilities.
Emerging Risk Identification: Auditors expect evidence that your firm monitors emerging threats. This might include analysis of FINMA circulars, FATF guidance, and typologies reports from MROS. Document how you’ve adapted controls in response to new risks like deepfake-enabled account openings or sanctions evasion through cryptocurrencies.
Risk Mitigation Mapping: For each identified risk, document corresponding mitigation measures. Auditors verify this linkage between risk identification and control implementation.
COMMON MISTAKE
Many Swiss firms submit generic risk assessments copied from templates or consultants without customization. FINMA and SRO auditors immediately recognize these. Your risk assessment must reflect your actual business model, customer base, and transaction patterns—generic assessments are an automatic audit deficiency.
4. Customer Due Diligence (CDD) and Know Your Customer (KYC)
Customer due diligence forms the foundation of AML compliance. Swiss requirements follow FATF standards but include specific national interpretations.
Customer Identification Standards: Verify customer identity using reliable, independent source documents. For individuals, this typically means government-issued photo identification. For legal entities, obtain registration documents and organizational charts. Swiss law requires verification within prescribed timeframes, and auditors test compliance with these deadlines.
Beneficial Ownership Identification: Under LETA and Article 2a AMLA, you must identify and verify beneficial owners controlling more than 25% of a legal entity customer. Document your methodology for obtaining this information and the steps taken to verify its accuracy. Given the new Transparency Register, auditors may cross-check your UBO records against official registry data.
Purpose and Nature of Business Relationship: Document the intended purpose of each customer relationship. This information should be specific enough to enable effective transaction monitoring. “Business purposes” is insufficient; you need detail on expected transaction volumes, geographic patterns, and counterparties.
PEP Screening: Implement systematic screening for politically exposed persons (PEPs), including domestic PEPs (Swiss officials) and foreign PEPs. Document your PEP identification process, enhanced due diligence procedures for PEP relationships, and senior management approval requirements. Remember that Switzerland applies enhanced scrutiny to domestic PEPs, unlike some jurisdictions that focus primarily on foreign officials.
Ongoing Due Diligence: CDD isn’t a one-time exercise. Demonstrate that you periodically review and update customer information, with review frequencies appropriate to each customer’s risk rating. High-risk customers should undergo more frequent reviews than low-risk counterparts.
5. Enhanced Due Diligence (EDD) for High-Risk Relationships
Certain customer relationships warrant enhanced scrutiny beyond standard CDD procedures.
EDD Trigger Identification: Document clear criteria for triggering enhanced due diligence. Common triggers include high-risk jurisdictions, PEP status, cash-intensive businesses, complex ownership structures, and unusual transaction patterns. Your triggers should align with your risk assessment findings.
Enhanced Information Collection: For EDD cases, collect additional information such as source of funds and source of wealth documentation, detailed business plans, references, and adverse media screening results. The level of enhancement should be proportionate to the identified risk.
Senior Management Approval: Swiss regulations require senior management approval for high-risk relationships. Maintain clear documentation of who approved each relationship and the rationale for acceptance despite elevated risk.
Intensified Monitoring: High-risk customers should be subject to more frequent and detailed transaction monitoring. Document how your monitoring approach differs between risk tiers.
6. Transaction Monitoring and Suspicious Activity Detection
Effective transaction monitoring distinguishes compliant firms from those simply going through the motions.
Monitoring System Implementation: Whether using automated software or manual processes, document your approach to detecting unusual or suspicious transactions. For larger institutions, FINMA increasingly expects AI-driven or sophisticated rule-based systems that adapt to customer behavior patterns.
Alert Generation and Investigation: Maintain records of all monitoring alerts, investigation findings, and disposition decisions. Auditors will sample these files to assess investigation quality and consistency. Your documentation should explain why transactions were deemed suspicious or non-suspicious.
Threshold Calibration: If using automated monitoring, document your methodology for setting alert thresholds and rules. Generic vendor defaults aren’t sufficient—you must demonstrate that thresholds reflect your specific risk profile and customer base. Show evidence of periodic threshold reviews and adjustments based on false positive rates and detection effectiveness.
Sanctions Screening: Implement real-time screening against Swiss, EU, UN, and OFAC sanctions lists. Document your screening methodology, hit resolution procedures, and false positive management. Given Switzerland’s alignment with EU sanctions against Russia, auditors scrutinize sanctions compliance carefully.
For VASPs, transaction monitoring must address crypto-specific patterns. See our guide on AML/CFT best practices for VASPs for detailed guidance.
7. MROS Reporting and Suspicious Activity Reports (SARs)
Switzerland’s Money Laundering Reporting Office (MROS) receives suspicious activity reports from financial intermediaries nationwide.
SAR Filing Procedures: Document your process for identifying, escalating, and reporting suspicious activities to MROS. This should include decision trees or criteria for determining when suspicion reaches the reporting threshold, approval workflows, and filing procedures.
Quality of SAR Content: Auditors may review submitted SARs to assess quality and completeness. Effective SARs clearly explain the grounds for suspicion, include relevant transaction details and supporting documentation, and demonstrate thorough investigation before filing.
SAR Filing Statistics: Maintain records of SARs filed, including dates, general descriptions (without violating tipping-off prohibitions), and outcomes. Auditors may compare your SAR filing rates to industry benchmarks to identify potential under-reporting.
Tipping-Off Prevention: Document controls preventing disclosure of SAR filings to customers or subjects of reports, as required by Article 11 AMLA. This includes staff training on tipping-off prohibitions and procedures for managing customer inquiries after account freezes.
MROS Feedback Integration: When MROS provides feedback on your reports, document how you’ve incorporated lessons learned into your compliance program improvements.
COMPLIANCE ALERT
Under-reporting to MROS is a frequent audit finding. If your firm has filed zero SARs over an extended period despite processing thousands of transactions, auditors will question whether your monitoring systems are functioning properly. Credible AML programs generate at least some suspicious activity reports—the absence of SARs often indicates control weaknesses rather than perfect customer behavior.
8. Record Retention and Data Management
Swiss AML law imposes strict record retention requirements that auditors verify during examinations.
Ten-Year Retention Period: Maintain all AML-related records for at least ten years after the business relationship ends or the transaction completes. This includes customer identification documents, transaction records, correspondence, internal analyses, and MROS reports.
Organized Record Systems: Records must be retrievable within a reasonable timeframe. Auditors test this by requesting specific customer files or transaction histories and timing how long retrieval takes. Disorganized record-keeping is an audit deficiency even if records exist somewhere in your system.
Data Security and Confidentiality: Given the sensitive nature of AML records, demonstrate appropriate cybersecurity controls protecting data from unauthorized access, modification, or destruction. This is particularly important for cloud-based systems or third-party storage arrangements.
Cross-Border Data Transfers: If you use foreign service providers for data storage or processing, ensure compliance with Swiss data protection laws and document how these arrangements preserve your ability to produce records during audits or regulatory examinations.
9. Staff Training and Awareness
Human elements often determine compliance program effectiveness more than sophisticated technology.
Initial Training: All employees in relevant functions must receive AML training upon hiring, before assuming responsibilities involving customer interactions or transaction processing. Document training dates, content covered, and attendees.
Ongoing Training: Provide regular refresher training, typically annually, covering regulatory updates, emerging typologies, internal policy changes, and lessons learned from audit findings or internal quality reviews. Training should be tailored to job functions—frontline staff need different content than back-office personnel.
Training Effectiveness Testing: Document how you verify that training achieves its objectives. This might include quizzes, case study exercises, or scenario-based assessments. FINMA expects evidence of learning, not just attendance records.
Specialized Training: Certain roles require specialized training beyond general AML awareness. Compliance officers should receive training on regulatory interpretation, investigations, and regulatory reporting. IT staff supporting monitoring systems need training on system capabilities and limitations. Senior management should receive governance-focused training on their oversight responsibilities.
For structured training programs aligned with Swiss requirements, explore our AML training programs.
10. Technology and Systems Controls
In Switzerland’s sophisticated financial environment, technology underpins most AML controls.
Customer Onboarding Systems: Document your technology for customer identification, verification, and screening. For digital onboarding, demonstrate compliance with FINMA’s guidance on video identification and electronic signatures.
Transaction Monitoring Software: If using automated monitoring, maintain documentation of system configurations, rule logic, threshold settings, and validation testing results. FINMA expects periodic independent validation of monitoring system effectiveness.
Sanctions Screening Technology: Document your sanctions screening processes, including screening frequency (ideally real-time or near-real-time), list sources, fuzzy matching logic, and false positive management workflows.
Data Analytics Capabilities: Increasingly, FINMA expects sophisticated analytics for risk assessment and behavior analysis. Document any advanced analytics capabilities, including machine learning models, network analysis tools, or behavioral profiling systems.
System Change Management: Maintain records of all system changes, including the business rationale, testing procedures, approval workflows, and implementation dates. Auditors examine whether changes were properly controlled and whether they affected monitoring effectiveness.
11. Third-Party and Vendor Management
Many Swiss financial intermediaries rely on third-party service providers for various AML functions.
Due Diligence on Service Providers: Before engaging AML-related service providers (technology vendors, KYC utilities, outsourced compliance officers), conduct due diligence on their capabilities, controls, and regulatory standing. For outsourced MLRO services, verify that providers understand Swiss regulatory requirements. ComplyFactor’s global MLRO services specifically address Swiss regulatory contexts.
Contractual Controls: Ensure contracts with third parties clearly define responsibilities, performance standards, data security requirements, and audit rights. You remain responsible for AML compliance even when outsourcing specific functions, so contracts should preserve your ability to oversee vendor performance.
Ongoing Monitoring: Periodically review vendor performance through service level agreement monitoring, quality reviews, and testing. Document these oversight activities for audit purposes.
Vendor Incident Management: Maintain procedures for addressing vendor performance issues, security incidents, or compliance breaches. Document how you’ve responded to any third-party failures that affected your compliance posture.
12. Independent Testing and Internal Audit
Beyond external regulatory audits, effective compliance programs include ongoing independent testing.
Internal Audit Coverage: Larger institutions should have internal audit functions that periodically test AML controls independently from the compliance department. Document internal audit findings, management responses, and remediation timelines.
Independent Reviews: For firms without internal audit departments, commission periodic independent reviews of AML controls. While distinct from regulatory audits, these reviews help identify and remediate issues before they become audit findings. Our AML audit services provide this independent perspective for Swiss financial intermediaries.
Control Testing: Document regular testing of key controls such as customer identification processes, screening accuracy, alert investigation quality, and training effectiveness. Testing should be risk-based, with higher-risk areas receiving more frequent examination.
Findings and Remediation Tracking: Maintain a centralized issues management system tracking all identified deficiencies, root cause analyses, remediation plans, responsible parties, and completion dates. Auditors will review your remediation responsiveness and effectiveness.
13. Regulatory Change Management
Switzerland’s regulatory environment evolves continuously, requiring active change management processes.
Regulatory Monitoring: Document how you stay informed of regulatory changes, including monitoring FINMA circulars, SRO guidance updates, FATF recommendations, and enforcement actions. Assign clear responsibility for regulatory intelligence gathering.
Impact Assessment: When regulatory changes occur, conduct timely impact assessments determining how new requirements affect your operations, policies, procedures, and systems. Document these assessments and resulting action plans.
Implementation Tracking: Maintain project plans for implementing regulatory changes, with milestones, responsibilities, and completion dates. Auditors verify that you’ve implemented new requirements on time and updated policies accordingly.
Staff Communication: Ensure regulatory changes are promptly communicated to affected staff through training, policy updates, or operational guidance. Document these communications and verify understanding.
14. Sector-Specific Considerations
Different types of financial intermediaries face unique audit focus areas requiring specialized preparation.
For Virtual Asset Service Providers (VASPs)
Swiss VASPs face particularly rigorous audit standards given cryptocurrency’s money laundering risks and regulatory evolution.
Travel Rule Compliance: Document your procedures for collecting, transmitting, and receiving originator and beneficiary information for crypto transfers exceeding CHF 1,000 (as specified in FINMA’s guidance on virtual currencies). FINMA scrutinizes Travel Rule compliance closely, expecting interoperable solutions that function across different VASP platforms. See our guide to crypto Travel Rules for implementation guidance.
Self-Hosted Wallet Interactions: Switzerland requires special controls for transactions involving self-hosted (non-custodial) wallets. Document how you identify such transactions, apply enhanced scrutiny, and obtain necessary information from customers about self-hosted wallet ownership and purpose.
On-Chain Analytics: Demonstrate use of blockchain analysis tools for transaction tracing, risk scoring, and suspicious activity detection. Auditors expect VASPs to leverage available on-chain intelligence rather than treating crypto transactions as opaque.
Stablecoin Risk Management: With stablecoins’ growing use in cross-border payments, document specific controls addressing stablecoin-related risks, including scrutiny of issuers’ reserves, redemption mechanisms, and potential use in sanctions evasion.
DeFi Protocol Interactions: If your customers interact with decentralized finance protocols, document how you assess and mitigate associated risks, particularly regarding unhosted wallets and anonymous counterparties.
For comprehensive VASP guidance, see our articles on UAE crypto regulation and MiCA implementation across European jurisdictions.
For Payment Service Providers and Remittance Companies
Payment institutions face distinct risks related to cross-border flows and correspondent relationships.
Payment Corridor Risk Assessment: Document your analysis of geographic payment corridors, identifying high-risk routes associated with fraud, sanctions evasion, or money laundering. Your monitoring should reflect corridor-specific risks.
Merchant Due Diligence: For payment processors serving merchants, demonstrate comprehensive merchant onboarding due diligence, including business verification, beneficial ownership identification, and prohibited business screening. Document ongoing merchant monitoring for transaction pattern anomalies.
Correspondent Banking Relationships: If you maintain correspondent banking relationships, document due diligence on correspondent banks, their AML controls, and their customer bases. FINMA expects particular scrutiny of correspondents in high-risk jurisdictions.
Cross-Border Transaction Monitoring: Implement enhanced monitoring for international payments, with particular attention to sanctions compliance, structured transactions designed to avoid reporting thresholds, and transactions lacking economic rationale.
Velocity Controls: Document transaction velocity limits and their calibration based on customer risk profiles, with exception workflows requiring enhanced review and approval.
For Canadian payment service providers dealing with similar issues, our PSP Canada RPAA compliance guide offers parallel insights applicable to Swiss contexts.
For Legal Professionals and Fiduciary Service Providers
The LETA expansion brings new compliance obligations for professionals facilitating entity formation and management.
Client Due Diligence for Corporate Services: When forming companies or trusts for clients, conduct and document thorough due diligence on the underlying beneficial owners, not just the nominal client. Understand and document the business purpose and anticipated activities of entities you establish.
UBO Verification Under LETA: Document procedures for verifying beneficial ownership information submitted to the Transparency Register, ensuring accuracy and completeness. Your files should contain evidence supporting UBO determinations.
Complex Structure Analysis: For multi-tiered corporate structures, document your analysis of ownership chains and beneficial ownership determinations. Be prepared to explain and justify your conclusions during audits.
Trust and Foundation Due Diligence: For trustees and foundation administrators, maintain comprehensive records of settlors, beneficiaries, protectors, and other relevant parties, with regular updates reflecting changes.
Professional Privilege Considerations: While legal professional privilege exists in Switzerland, document how you balance confidentiality obligations with AML requirements, particularly regarding suspicious activity reporting thresholds.
For Real Estate Intermediaries
Real estate professionals face increasing AML scrutiny given the sector’s historical vulnerabilities to money laundering.
Customer Identification in Property Transactions: Document customer identification for all parties to property transactions, including buyers, sellers, and beneficial owners of purchasing entities.
Source of Funds Verification: For significant property purchases, particularly cash transactions or purchases by foreign entities, document verification of source of funds. This is especially important for luxury property transactions exceeding several million Swiss francs.
Real Estate Professional Networks: Be aware of your obligations when working with lawyers, notaries, and other professionals in property transactions. Document how you coordinate AML responsibilities across the transaction parties.
Cross-Border Real Estate Investment: Property purchases by foreign entities warrant enhanced scrutiny. Document due diligence on ultimate beneficial owners and the rationale for using foreign entity structures.
Common AML Audit Deficiencies in Switzerland
Understanding frequent audit findings helps you proactively address vulnerabilities before auditors identify them.
Inadequate Risk Assessment
Generic, template-based risk assessments that fail to reflect actual business operations remain the most common audit deficiency. Your risk assessment should be specific, granular, and demonstrably linked to your customer base and product offerings.
Incomplete Beneficial Ownership Documentation
With LETA’s implementation, beneficial ownership documentation deficiencies have become more prevalent. Auditors frequently find incomplete ownership chains, insufficient verification of UBO identity, or outdated information not reflecting current ownership structures.
Weak Transaction Monitoring
Ineffective monitoring systems producing excessive false positives (indicating poor calibration) or no alerts whatsoever (suggesting inadequate coverage) are frequent findings. Auditors also commonly identify inadequate investigation documentation and inconsistent alert disposition decisions.
Training Deficiencies
Audit findings often cite insufficient training frequency, generic training content not tailored to Swiss requirements or firm-specific risks, lack of training effectiveness testing, or failure to train all relevant personnel.
Insufficient Enhanced Due Diligence
When high-risk relationships are identified, firms often fail to implement truly enhanced due diligence procedures. Auditors find that “enhanced” due diligence frequently looks identical to standard CDD, defeating the risk-based approach’s purpose.
Poor Record Retention
Disorganized record-keeping systems, inability to promptly retrieve requested documents, premature destruction of required records, and incomplete audit trails are common findings that are easily preventable through proper data management.
Sanctions Screening Gaps
Inadequate screening frequency, outdated sanctions lists, poor false positive management, and failure to screen beneficial owners and connected parties remain problematic, particularly given evolving sanctions landscapes.
To understand how audit deficiencies can lead to significant regulatory penalties, review our analysis of Barclays’ £39.3 million AML failures.
Preparing for Your Audit: The 90-Day Action Plan
Months 3-2 Before Audit: Foundation Building
Weeks 1-2: Conduct internal audit readiness assessment
- Review all AML policies for currency and completeness
- Inventory all required documentation
- Identify gaps in procedures or documentation
- Assign remediation responsibilities with deadlines
Weeks 3-4: Policy and procedure updates
- Update outdated policies to reflect current operations
- Incorporate recent regulatory changes
- Ensure version control and approval documentation
- Distribute updated policies to relevant staff
Weeks 5-6: Documentation organization
- Organize customer files systematically
- Ensure CDD documentation is complete and accessible
- Review record retention compliance
- Digitize paper records if necessary for efficient retrieval
Weeks 7-8: Control testing
- Test customer identification procedures
- Validate transaction monitoring system effectiveness
- Review sample of alert investigations for quality
- Assess sanctions screening accuracy
Weeks 9-10: Training reinforcement
- Conduct audit preparedness training for relevant staff
- Review audit procedures and expectations
- Practice responding to typical auditor requests
- Ensure staff understand their roles during the audit
Weeks 11-12: Governance review
- Schedule board meeting to review compliance program status
- Update board on audit preparation progress
- Obtain board endorsement of any policy changes
- Document board’s commitment to compliance (tone from the top)
Month 1 Before Audit: Final Preparations
Week 1: Pre-audit documentation package
- Prepare audit request list response materials in advance
- Organize organizational charts, policy manuals, and governance documentation
- Compile training records, testing results, and risk assessments
- Prepare executive summary of compliance program
Week 2: Remediation completion
- Complete any outstanding remediation from internal reviews
- Document completed improvements
- Verify all planned enhancements are implemented
- Update policies to reflect procedural improvements
Week 3: Audit logistics
- Designate audit liaison and backup
- Prepare workspace for auditors
- Arrange system access for auditors (if needed)
- Schedule management interviews
- Communicate audit schedule to relevant staff
Week 4: Final quality review
- Conduct final walk-through of all prepared materials
- Verify completeness of documentation
- Test document retrieval times
- Conduct mock audit interview with key personnel
- Address any last-minute gaps
INDUSTRY INSIGHT
Swiss auditors increasingly employ data analytics during AML audits, analyzing entire transaction datasets rather than just sampling. If you use sophisticated monitoring systems, auditors may request data extracts for independent analysis. Ensure your systems can produce clean, analyzable data exports and that you understand what patterns exist in your transaction data before auditors potentially uncover issues through their own analysis.
During the Audit: Best Practices
Establishing Productive Auditor Relationships
Approach the audit as a learning opportunity rather than an adversarial process. Experienced auditors often provide valuable insights into best practices and emerging risks beyond their formal findings.
Designate a Single Point of Contact: Assign a knowledgeable compliance officer as primary auditor liaison to ensure consistent communication and efficient information flow. This person should have authority to access all necessary information and coordinate across departments.
Be Responsive: Respond to auditor requests promptly and completely. Delays in providing requested information extend audit duration and may suggest underlying issues. If specific information isn’t available, explain why rather than leaving auditors waiting.
Be Honest About Limitations: If you’ve identified compliance gaps or limitations, acknowledge them candidly. Auditors appreciate transparency and are primarily interested in seeing that you’ve recognized issues and have remediation plans. Attempting to conceal known problems typically backfires when auditors independently discover them.
Take Notes: Maintain detailed notes of auditor discussions, questions, and preliminary observations. These notes help you understand their concerns and provide input for post-audit remediation planning.
Managing Document Requests
Organize Systematically: Maintain a log of all auditor requests with dates, descriptions, responsible parties, and completion status. This prevents overlooking requests and demonstrates your organizational competence.
Provide Complete Responses: When providing requested documents, ensure completeness. If an auditor requests “all customer files for high-risk customers,” verify you’ve included all relevant files rather than sampling. Incomplete responses necessitate follow-up requests and extend audit timelines.
Explain Context: When providing documentation, include brief explanations of context or unusual circumstances. For example, if providing transaction monitoring reports with high false positive rates, explain the system limitations you’ve identified and remediation plans.
Maintain Confidentiality: While being transparent with auditors, ensure you don’t inadvertently disclose information protected by professional privilege or violate customer confidentiality beyond what’s necessary for audit purposes.
Handling Preliminary Findings
Listen Carefully: When auditors share preliminary observations, listen carefully without becoming defensive. Ask clarifying questions to ensure you understand their concerns completely.
Gather Additional Information: If auditors raise concerns based on potentially incomplete information, offer to provide additional context or documentation that might clarify the situation. Sometimes preliminary findings are revised when auditors receive fuller information.
Acknowledge Valid Issues: If auditors identify legitimate deficiencies, acknowledge them and explain what steps you’ll take to address them. Demonstrating accountability and commitment to improvement often influences how findings are characterized in final reports.
Document Disagreements: If you disagree with auditor interpretations of regulations or findings, respectfully articulate your position with supporting regulatory references. While auditors may not change their conclusions, documented disagreements preserve your right to dispute findings through regulatory channels if necessary.
After the Audit: Remediation and Continuous Improvement
The audit’s completion doesn’t end your compliance obligations—post-audit remediation often determines whether future audits are easier or harder.
Analyzing Audit Findings
Categorize Issues: Group audit findings by severity (critical, significant, minor), theme (governance, controls, documentation), and affected business areas. This categorization helps prioritize remediation efforts.
Conduct Root Cause Analysis: For significant findings, dig beyond surface-level issues to identify root causes. Was a deficiency due to inadequate policies, insufficient training, poor system design, or lack of resources? Addressing root causes prevents recurrence.
Assess Systemic vs. Isolated Issues: Determine whether findings represent systemic program weaknesses or isolated incidents. Systemic issues require comprehensive remediation across the organization, while isolated issues may need targeted fixes.
Developing Remediation Plans
Set Realistic Timelines: Develop remediation timelines that are aggressive but achievable. Consider resource constraints, technology implementation requirements, and dependencies on third parties.
Assign Clear Ownership: Designate specific individuals responsible for each remediation item, with accountability for completion within agreed timeframes.
Define Success Criteria: For each remediation item, clearly define what “complete” means. How will you know the issue has been adequately addressed? What evidence will demonstrate resolution?
Obtain Necessary Resources: If remediation requires budget for technology, additional staff, or external expertise, promptly obtain necessary approvals. Delayed resource allocation undermines remediation timelines.
Implementing Improvements
Prioritize Critical Issues: Address critical findings immediately, before lesser issues. Regulators and auditors expect rapid response to serious deficiencies.
Update Policies and Procedures: Revise affected policies to prevent recurrence of identified issues. Ensure policy updates reflect operational realities and actual remediation steps.
Enhance Training: If findings revealed training inadequacies, develop enhanced training content addressing specific gaps. Consider supplemental training for staff in areas where deficiencies were concentrated.
Strengthen Controls: Implement new or enhanced controls addressing identified vulnerabilities. This might include additional approval requirements, system enhancements, or more frequent testing.
Validation and Follow-up
Independent Validation: Before closing remediation items, have someone independent of the remediation owner validate that corrections are effective. This might be internal audit, compliance quality assurance, or external consultants.
Document Evidence: Maintain comprehensive documentation evidencing remediation completion. Future auditors will review how you addressed prior findings, and thorough documentation demonstrates your commitment to continuous improvement.
Report to Governance: Regularly update your board or senior management on remediation progress. Governance oversight of remediation demonstrates “tone from the top” and ensures accountability.
Prepare for Next Audit: View each audit as preparation for the next. The best audit readiness program is maintaining continuous compliance rather than cramming before scheduled audit dates.
For guidance on building sustainable compliance programs that minimize future audit findings, see our comprehensive guide on creating an effective AML program blueprint.
Selecting the Right Audit Firm in Switzerland
The quality of your AML audit significantly depends on auditor expertise and regulatory recognition.
FINMA Recognition Requirements
For directly supervised entities like banks and securities dealers, audits must be conducted by FINMA-recognized audit firms with appropriate authorization under the Audit Oversight Act. Verify that your selected audit firm holds current FINMA recognition for AML audits.
SRO Acceptance
If you’re subject to SRO supervision, ensure your selected audit firm is acceptable to your SRO. Some SROs maintain lists of approved audit firms, while others specify qualification criteria auditors must meet.
Industry Expertise
Select auditors with demonstrable expertise in your specific industry. A firm expert in banking may lack understanding of VASP-specific risks, while a VASP specialist may not fully appreciate payment institution regulatory nuances. Look for firms that regularly audit entities similar to yours.
Language Capabilities
Given Switzerland’s multilingual environment, consider auditors’ language capabilities. While many Swiss financial intermediaries operate in English, auditors should be able to review German, French, or Italian documentation if that’s your business language.
Technology Understanding
Particularly for VASPs and firms using sophisticated monitoring systems, ensure auditors understand relevant technologies. Auditors who don’t understand blockchain analytics, AI-driven monitoring, or payment processing systems may struggle to properly evaluate your controls.
Cost Considerations
While cost shouldn’t be the primary selection criterion, understand the basis for audit fees and what’s included. Some firms charge for follow-up work separately, while others include reasonable follow-up in initial fees. Clarify expectations upfront.
Looking Ahead: Emerging Trends in Swiss AML Audits
Understanding regulatory and audit focus areas helps you prepare not just for today’s audit but tomorrow’s expectations.
Enhanced Technology Scrutiny
FINMA’s increasing focus on AI-driven monitoring and automated controls means auditors will more deeply examine system validation, algorithm transparency, and bias management. Expect questions about how you validate that automated systems function as intended and how you address algorithmic drift over time.
Climate and Environmental Crime Linkages
As awareness grows of financial crime’s connection to environmental crimes like illegal logging, mining, and wildlife trafficking, expect auditors to examine whether your risk assessments and typologies adequately address these emerging areas.
Sanctions Evasion Sophistication
Given sanctions evasion’s increasing sophistication, particularly through cryptocurrency and complex corporate structures, auditors will examine whether your controls have adapted to contemporary evasion techniques beyond traditional name-matching approaches.
Cyber-Enabled Money Laundering
The intersection of cybersecurity and AML compliance is drawing increased attention. Auditors may examine how you address ransomware payments, the use of your services by cybercriminals, and coordination between cybersecurity and AML functions.
RegTech Adoption
Switzerland expects financial intermediaries to leverage technology for compliance efficiency. Auditors increasingly question why firms haven’t adopted available RegTech solutions that could enhance control effectiveness or efficiency.
For insights into cybersecurity’s role in compliance, see our article on building robust cybersecurity compliance plans.
Conclusion: From Compliance Burden to Strategic Advantage
While AML audits may feel burdensome, well-prepared organizations increasingly view them as opportunities to validate their compliance programs, identify improvement areas, and demonstrate their commitment to financial crime prevention to stakeholders, regulators, and business partners.
The checklist provided in this guide offers a comprehensive framework for audit preparation, but remember that effective compliance extends beyond checking boxes. True compliance excellence comes from embedding anti-money laundering principles into your organizational culture, empowering your compliance team, and continuously improving controls in response to evolving threats.
Swiss financial intermediaries operate in one of the world’s most sophisticated and well-regulated financial environments. Meeting FINMA’s expectations and SRO requirements demonstrates your commitment to upholding Switzerland’s reputation for financial integrity. With proper preparation, your AML audit can validate your efforts and position your firm for sustainable growth.
Whether you’re a VASP navigating the Travel Rule, a payment institution managing cross-border risks, or a legal professional adapting to LETA requirements, the fundamental principles remain consistent: know your customers, understand your risks, implement proportionate controls, and maintain comprehensive documentation.
Need Expert Support for Your Swiss AML Audit?
Preparing for an AML audit in Switzerland requires deep regulatory knowledge, practical experience, and attention to detail. ComplyFactor specializes in helping Swiss financial intermediaries achieve audit readiness through:
- Independent AML Audits: Conducted by professionals with extensive FINMA and SRO experience
- MLRO Services: Outsourced compliance officers who understand Swiss regulatory requirements
- Audit Preparation Advisory: Gap assessments and remediation planning to ensure you’re audit-ready
- Compliance Program Development: Building comprehensive frameworks tailored to your business model
Our team has supported VASPs, payment institutions, remittance companies, and other financial intermediaries across Switzerland in preparing for and successfully completing AML audits.
Contact ComplyFactor today to discuss how we can support your audit preparation and ongoing compliance needs.
Frequently Asked Questions
How often must Swiss financial intermediaries undergo AML audits?
Audit frequency depends on your regulatory status. Banks and securities dealers directly supervised by FINMA undergo annual regulatory audits that include AML components. SRO-supervised financial intermediaries typically face AML audits every 1-3 years depending on their risk profile, with higher-risk entities audited more frequently. Your SRO specifies exact audit frequency requirements.
What’s the difference between an AML audit and an AML review?
AML audits are comprehensive examinations of all aspects of your AML program conducted by independent, qualified auditors, typically as a regulatory requirement. AML reviews are more focused examinations of specific controls or areas, often conducted voluntarily to identify improvement opportunities. See our article on AML review vs. AML audit for detailed comparisons.
Can I use foreign audit firms for my Swiss AML audit?
For directly supervised entities, audit firms must be FINMA-recognized, which typically requires Swiss establishment or specific cross-border arrangements. For SRO-supervised entities, check your SRO’s requirements—some accept foreign firms meeting specified criteria while others require Swiss-based auditors. Regardless of the firm’s location, auditors must demonstrate understanding of Swiss AML requirements.
How long does a typical Swiss AML audit take?
Audit duration varies by institution size and complexity. Small financial intermediaries with limited transaction volumes might complete audits in 1-2 weeks. Larger institutions with complex operations, multiple service lines, or higher risk profiles may undergo audits lasting several weeks or months. Proper preparation significantly influences audit efficiency.
What happens if my audit identifies significant deficiencies?
Significant audit findings must be reported to your regulator (FINMA for directly supervised entities, your SRO for affiliated intermediaries). You’ll be required to develop and implement remediation plans within specified timeframes. Severe or unresolved deficiencies can result in regulatory enforcement actions, including fines, license restrictions, or in extreme cases, license revocation. Prompt, comprehensive remediation is essential.
Do I need to report my audit results to FINMA directly?
If you’re directly supervised by FINMA, your audit firm reports results directly to FINMA as part of regulatory reporting obligations. If you’re SRO-supervised, your audit results are typically reported to your SRO, which may forward significant findings to FINMA. You generally don’t report directly to FINMA unless you’re required to do so based on specific circumstances or serious findings.
Can I choose my own audit firm?
Yes, you typically select your audit firm, subject to regulatory or SRO requirements regarding auditor qualifications and recognition. However, your chosen auditor must be independent of your organization, meet applicable professional standards, and be acceptable to your regulator or SRO. Some organizations prefer rotating audit firms periodically to gain fresh perspectives.
How should I prepare if this is my first AML audit?
First-time audit preparation should begin at least 3-6 months in advance. Start by thoroughly reviewing all regulatory requirements applicable to your institution. Ensure all required policies, procedures, and controls are documented and implemented. Consider engaging external consultants for pre-audit gap assessments to identify and remediate issues before formal audits occur. Our audit preparation advisory services specifically support first-time audit candidates.
Are there specific requirements for VASP AML audits that differ from traditional financial institutions?
Yes, VASP audits focus heavily on crypto-specific risks and controls including Travel Rule compliance, self-hosted wallet interactions, on-chain analytics capabilities, stablecoin risks, and DeFi protocol exposures. Auditors also examine whether your transaction monitoring effectively detects crypto-specific typologies like mixing services, anonymity-enhanced cryptocurrencies, and cross-chain transfers. See our VASP compliance guide for comprehensive guidance.
How does LETA affect AML audit scope?
LETA’s beneficial ownership transparency requirements expand audit scope for professionals facilitating entity formation and management. Auditors now scrutinize UBO identification processes, verification procedures, Transparency Register submissions, and data quality more intensively than before. If your firm establishes or administers legal entities for clients, expect detailed examination of beneficial ownership documentation and verification methodologies.
This article provides general guidance on AML audit preparation in Switzerland and does not constitute legal advice. Regulatory requirements vary based on your specific circumstances, business model, and regulatory status. Consult with qualified compliance professionals and legal advisors regarding your specific obligations.