Top 5 Common Pitfalls in Swiss AML Audits (and How to Avoid Them in 2026)


AVOID COSTLY AML AUDIT FAILURES

Don’t let preventable mistakes derail your Swiss AML audit. ComplyFactor’s independent AML audit and advisory services help financial intermediaries identify and remediate compliance gaps before regulators find them. Our team specializes in FINMA requirements, SRO expectations, and sector-specific challenges for VASPs, payment institutions, and remittance companies. Schedule a pre-audit gap assessment to ensure you’re prepared.

Swiss financial intermediaries face some of the world’s most rigorous anti-money laundering audit standards. Between the Swiss Financial Market Supervisory Authority (FINMA)’s exacting expectations, evolving self-regulatory organization (SRO) requirements, and the 2025 Anti-Money Laundering Act (AMLA / Geldwäschereigesetz) revisions including the Federal Act on the Transparency of Legal Entities (LETA / Loi fédérale sur la transparence), the compliance landscape in 2026 has reached unprecedented complexity.

Yet despite access to sophisticated technology and professional expertise, many Swiss firms—from cryptocurrency exchanges (Krypto-Börsen) in Zurich to payment service providers (Zahlungsdienstleister) in Geneva and remittance companies (Geldtransferunternehmen) across Lugano—repeatedly stumble over the same preventable pitfalls during AML audits. These failures don’t just result in embarrassing audit findings; they trigger regulatory enforcement actions, substantial financial penalties, reputational damage that affects banking relationships and customer confidence, and in severe cases, license revocation that forces business closure.

Whether you’re preparing for your first AML audit or have successfully passed several, understanding where other financial intermediaries commonly fail—and more importantly, how to avoid these traps—can mean the difference between a clean audit and a compliance crisis.

This article examines the five most common and costly pitfalls that trip up Swiss financial intermediaries during AML audits in 2026, with practical strategies for avoiding each one. Drawing from real audit experiences across VASPs, payment institutions (Zahlungsinstitute), money transmitters, and other financial services, we’ll show you how to navigate these challenges successfully.

Understanding the Swiss AML Audit Context in 2026

Before diving into specific pitfalls, it’s essential to understand what makes Swiss AML audits particularly demanding and what’s changed in 2026.

The Regulatory Landscape

Switzerland’s AML framework operates on multiple levels. FINMA directly supervises banks, securities firms (Wertpapierhäuser), holders of the fintech licence under Article 1b of the Banking Act (the licence several Swiss VASPs and payment companies hold), and other prudentially licensed institutions; their AML compliance is examined in the annual regulatory audit. Financial intermediaries that are not prudentially supervised—including VASPs and payment service providers acting under Article 2 paragraph 3 AMLA, remittance companies, and certain legal professionals—must affiliate with a recognized SRO such as VQF (Verein zur Qualitätssicherung von Finanzdienstleistungen), PolyReg (PolyReg Selbstregulierungsorganisation), ARIF (Association Romande des Intermédiaires Financiers), or OAR-G (Organisme d’Autorégulation des Gérants de patrimoine). Portfolio managers and trustees licensed under FinIA are covered by their supervisory organisation instead.

These SROs conduct or oversee periodic AML audits (GwG-Prüfung / Audit LBA) of their members, typically every one to three years depending on risk assessment. While SRO audits may seem less daunting than direct FINMA supervision, they follow FINMA’s interpretations of the AMLA (Geldwäschereigesetz / Loi sur le blanchiment d’argent) and implementing ordinances (AMLO-FINMA / OBA-FINMA), making them equally rigorous.

What Changed in 2025-2026

Several regulatory developments have elevated audit standards and introduced new compliance challenges:

LETA Implementation: The Swiss Transparency Register now requires beneficial ownership reporting for legal entities, with auditors scrutinizing how financial intermediaries verify and document ultimate beneficial owners (UBOs) against registry data.

Enhanced VASP Requirements: Following Financial Action Task Force (FATF) guidance and the implementation of MiCA-influenced standards in neighboring EU countries, Swiss crypto service providers face intensified scrutiny around Travel Rule compliance, self-hosted wallet interactions, and decentralized finance (DeFi) protocol risks.

AI and Automation Standards: FINMA’s guidance on artificial intelligence in financial services means auditors now evaluate not just whether you have transaction monitoring systems, but whether those systems use appropriate technology, are properly validated, and effectively detect suspicious patterns while managing false positives.

Sanctions Enforcement Focus: With Switzerland’s alignment with EU sanctions regimes and ongoing concerns about sanctions evasion through cryptocurrencies and complex corporate structures, sanctions compliance has become a primary audit focus area.

For comprehensive guidance on Swiss AML requirements, see our ultimate guide to VASP compliance and Switzerland AML audit checklist.

The Cost of Failure

Audit deficiencies aren’t mere administrative inconveniences. Recent Swiss enforcement actions demonstrate the serious consequences:

  • License restrictions or revocations for firms with systemic compliance failures
  • Mandatory remediation programs requiring substantial investment in technology, personnel, and external advisors
  • Enhanced supervision meaning more frequent audits and heightened regulatory scrutiny
  • Reputational damage affecting customer confidence and business development opportunities
  • Banking relationship challenges as banks increasingly de-risk by terminating relationships with poorly-compliant financial intermediaries

Understanding these stakes makes it clear why avoiding common pitfalls isn’t optional—it’s existential for your business.

Quick Reference: The Five Critical AML Audit Pitfalls

Pitfall | Why it happens | Primary consequence | Quick fix
Generic risk assessments | Template reliance, lack of customization | Entire program appears disconnected from reality | Use actual transaction data and specific threats
Incomplete beneficial ownership | Complex structures, verification difficulties | Cannot identify who controls customer entities | Trace to natural persons, verify independently
Ineffective transaction monitoring | Poor calibration, vendor defaults | Either drowning in alerts or detecting nothing | Baseline behavior, tune regularly, test effectiveness
Inadequate staff training | Check-box mentality, generic content | Staff don’t understand or apply procedures | Customize content, test knowledge, segment by role
Poor record retention | System migrations, disorganization | Cannot produce documents when requested | Centralize storage, automate capture, test retrieval

Pitfall #1: Generic, Template-Based Risk Assessments That Don’t Reflect Your Actual Business

The Problem

The most prevalent and damaging pitfall Swiss financial intermediaries encounter is submitting risk assessments that auditors immediately recognize as generic templates with minimal customization. Whether purchased from consultants, copied from industry associations, or downloaded from compliance software, these assessments contain boilerplate language that could apply to any financial institution anywhere.

Auditors have reviewed hundreds of risk assessments. They instantly spot when you’ve described your cryptocurrency exchange’s risk profile using the same language as a traditional asset manager, or when your remittance company’s geographic risk analysis contains references to jurisdictions you don’t actually serve.

Why This Happens

Financial intermediaries fall into this trap for several understandable but ultimately inexcusable reasons:

Resource Constraints: Smaller firms, particularly fintech startups and newly licensed entities, often lack dedicated compliance teams with the expertise to conduct sophisticated risk analysis. Purchasing a template seems more efficient than building from scratch.

Misunderstanding the Requirement: Some firms mistakenly believe the risk assessment is a perfunctory compliance document rather than the foundational element of their entire AML program. They treat it as paperwork to file rather than a strategic tool.

Overreliance on External Advisors: When consultants deliver risk assessments, firms sometimes accept them without sufficient review and customization, failing to inject the operational detail and institutional knowledge that makes risk assessments credible.

Annual Update Neglect: Even firms that initially created thoughtful risk assessments often conduct inadequate annual reviews, making minor updates while missing significant business model changes, new product launches, or evolving threat landscapes.

Real Audit Examples

During a 2025 audit of a Zurich-based VASP, auditors found the firm’s risk assessment contained extensive analysis of wire transfer risks and ATM vulnerabilities—neither of which applied to their purely digital business model. The assessment was clearly adapted from a traditional money services business template without proper customization. This became a significant audit finding.

A Geneva payment service provider’s risk assessment identified “high risk from cash transactions” as a primary concern. During the audit, the firm revealed they hadn’t handled cash transactions in three years following a business model pivot to exclusively digital payments. The outdated assessment indicated poor governance and inadequate annual review processes.

A remittance company serving primarily South Asian corridors submitted a risk assessment with generic statements about “emerging market risks” but provided no analysis of the specific money laundering and terrorist financing threats associated with Pakistan, India, Bangladesh, or Sri Lanka—their actual operating markets. Auditors noted this as evidence the firm didn’t understand its own risk profile.


CRITICAL MISTAKE

A generic risk assessment doesn’t just result in an audit finding—it fundamentally undermines your entire compliance program. Every other AML control should be calibrated to your assessed risks. When your risk assessment is disconnected from reality, all your downstream controls appear arbitrary or excessive, and auditors question the effectiveness of your entire program.

How to Avoid This Pitfall

Start with Actual Data: Your risk assessment must be grounded in empirical analysis of your customer base, transaction patterns, product offerings, and delivery channels. Begin by extracting and analyzing data about who your customers actually are, where they’re located, what products they use, and how they transact.

For a VASP, this means analyzing what cryptocurrencies customers trade, what percentage involves stablecoins versus mainstream coins versus privacy coins, how frequently customers interact with self-hosted wallets, what proportion of transactions trigger Travel Rule thresholds, and which blockchain networks see the highest activity.

For payment service providers, analyze your merchant customer base by industry sector, average transaction values, chargeback rates, and geographic payment flows. Document which correspondent banking relationships you maintain and which cross-border corridors represent the highest transaction volumes.

For remittance companies, map your actual geographic corridors with transaction volume statistics, analyze sender and recipient country risks using FATF assessments and other authoritative sources, and identify your customer demographics and remittance purposes.

Conduct Threat Analysis: Research and document specific money laundering and terrorist financing threats relevant to your business model. Don’t rely solely on generic threat descriptions. Reference authoritative sources including:

  • Switzerland’s Money Laundering Reporting Office (MROS) annual reports and typologies
  • FATF typologies reports relevant to your sector
  • FINMA risk communications and circulars
  • Industry-specific threat assessments from associations or regulatory bodies

For VASPs, this might include analyzing typologies around cryptocurrency mixing services, ransomware payments, darknet marketplace transactions, sanctions evasion techniques using crypto, and emerging threats from DeFi protocols. Link these threats to specific controls you’ve implemented.

Map Controls to Identified Risks: Create explicit linkages between each identified risk and corresponding mitigation measures. Auditors look for this risk-control mapping to verify your program is truly risk-based rather than a collection of generic procedures.

For example, if you’ve identified “high risk of structuring to evade Travel Rule reporting thresholds” as a specific threat, document the transaction monitoring rules, alert investigation procedures, and customer communication strategies you’ve implemented to address this exact risk.

Make It Specific and Quantitative: Replace vague statements with specific, measurable descriptions. Instead of “we serve moderate-risk jurisdictions,” state “approximately 35% of our transaction volume involves counterparties in jurisdictions rated as having strategic AML deficiencies by FATF, specifically focusing on [list countries]. We have implemented enhanced monitoring including [specific control details].”

Instead of “we conduct due diligence on customers,” specify “we classify customers into four risk tiers based on [specific criteria]. In 2025, our customer base consisted of 60% low-risk retail customers, 32% medium-risk small business customers, 7% high-risk customers including [categories], and less than 1% prohibited relationships.”

Update Meaningfully: Annual risk assessment updates shouldn’t consist of changing the date in the footer. Document what’s changed in the past year: new products launched, business model pivots, significant customer base shifts, regulatory changes affecting your risk profile, and emerging threats identified through your monitoring activities or industry intelligence.

If your VASP added support for a new blockchain protocol, analyze the risks this introduces. If your payment institution expanded into new merchant verticals, assess sector-specific vulnerabilities. If your remittance company opened new geographic corridors, evaluate the jurisdiction-specific risks.

Involve Operational Staff: Your compliance officer shouldn’t develop the risk assessment in isolation. Involve staff with operational knowledge—those who onboard customers, process transactions, investigate alerts, and handle customer service inquiries. They possess practical insights about actual risks that purely theoretical compliance analysis might miss.

For guidance on building effective risk assessments, see our article on key components of an effective AML audit program.

Pitfall #2: Incomplete or Unverified Beneficial Ownership Documentation

The Problem

With LETA’s implementation, the beneficial owner definition in Article 2a paragraph 3 AMLA, and the identification duty in Article 4 AMLA, beneficial ownership identification and verification has become a primary audit focus. Yet beneficial ownership remains one of the most problematic areas where Swiss financial intermediaries consistently fail to meet regulatory expectations.

Auditors regularly encounter incomplete ownership chains where firms documented some shareholders but stopped investigating before reaching natural persons exercising ultimate control. They find UBO declarations accepted at face value without independent verification. They discover outdated beneficial ownership information not reflecting recent ownership changes. And they identify cases where firms incorrectly determined who qualifies as a beneficial owner, either through misunderstanding the 25% control threshold or failing to recognize control exercised through indirect ownership or other mechanisms.

Why This Happens

Beneficial ownership verification is inherently challenging, particularly for customers with complex corporate structures:

Multi-Tier Structures: When customers are legal entities owned by other legal entities, which are in turn owned by trusts or foundations, which are ultimately controlled by individuals in foreign jurisdictions, tracing ownership becomes complicated. Many firms stop at the first or second tier rather than persisting to natural persons.

Nominee Arrangements: Beneficial ownership may be obscured through nominee shareholders or directors, making it difficult to identify who truly controls the entity. Firms may accept the nominal ownership structure without investigating whether nominees are acting on behalf of undisclosed principals.

Trust and Foundation Complexities: For customers structured as trusts or foundations, determining who qualifies as beneficial owners requires understanding roles of settlors, beneficiaries, protectors, and other parties—legal concepts that vary across jurisdictions and that many compliance officers don’t fully understand.

Cross-Border Information Barriers: Obtaining reliable beneficial ownership information from foreign jurisdictions, particularly those without beneficial ownership registries or with strong privacy protections, presents practical challenges. Some firms give up too easily or accept insufficient documentation.

Customer Resistance: Customers sometimes resist providing detailed beneficial ownership information, claiming confidentiality concerns or expressing frustration at the level of detail required. Firms may accept incomplete information rather than insisting on full disclosure or terminating the relationship.

The Swiss Transparency Register: The new register was supposed to simplify verification, but some firms have become overly reliant on registry data without conducting independent verification or understanding the registry’s limitations. The register contains self-reported information, and firms remain responsible for verifying accuracy rather than blindly accepting registry entries.

Real Audit Examples

A Zurich-based payment institution onboarded a merchant customer structured as a Liechtenstein foundation. The firm obtained the foundation’s registration documents showing a Liechtenstein corporate service provider as the foundation council member, but never identified the settlor, beneficiaries, or protector who actually controlled the foundation. During the audit, auditors determined the firm couldn’t identify who ultimately received the merchant’s payment processing revenues—a fundamental failure.

A VASP accepted a Swiss Transparency Register entry showing a natural person as the UBO of a corporate customer without conducting any independent verification. During the audit, auditors discovered the registered UBO was actually a deceased individual—the company had never updated the registry following the beneficial owner’s death and subsequent ownership transfer. The VASP had no process for independently verifying or periodically updating UBO information.

A remittance company serving customers sending funds to emerging markets maintained beneficial ownership documentation for its Swiss corporate customers but had no beneficial ownership information whatsoever for individual customers receiving funds abroad. The firm didn’t understand that correspondent relationships with foreign exchange houses required due diligence on those institutions’ beneficial ownership and AML controls.


REGULATORY REALITY

Under Article 2a paragraph 3 AMLA, the beneficial owners of an operating legal entity are the natural persons who ultimately control it by holding, directly or indirectly, alone or in concert with third parties, at least 25% of the capital or voting rights, or who control it in another way; if no such person can be identified, the most senior member of management is recorded instead. Article 4 AMLA requires you to identify them with the due diligence the circumstances demand and to obtain a written declaration from the customer. The Swiss Transparency Register is a reference tool, not a substitute for that obligation. FINMA and SRO auditors will test whether you actually verified beneficial ownership or simply copied registry entries into your files.

How to Avoid This Pitfall

Establish Clear Identification Procedures: Document step-by-step procedures for identifying beneficial owners in different scenarios—for corporations, partnerships, trusts, foundations, and other legal arrangements. Your procedures should specify:

  • How you apply the 25% threshold (at least 25%, not more than 25%) and how you compute indirect holdings through intermediate entities, aggregating a person’s direct and indirect stakes
  • When you consider someone a beneficial owner through control mechanisms other than equity ownership (voting rights, board representation, other contractual arrangements)
  • What information you require from customers about their ownership structure
  • How many ownership tiers you investigate before reaching natural persons
  • What you do when customers claim no one meets the 25% threshold (fallback to the most senior member of management)

Implement Verification Requirements: Don’t accept customer self-declarations without verification. Establish clear verification standards:

For Swiss legal entities, use the Transparency Register as one data point but verify through additional sources such as commercial registry extracts, audited financial statements showing shareholder information, notarized ownership declarations, or direct contact with identified beneficial owners.

For foreign legal entities, obtain equivalent documentation from the entity’s home jurisdiction. This might include registry extracts, corporate governance documents, shareholder agreements, or apostilled ownership declarations depending on the jurisdiction’s legal framework.

For trusts and foundations, obtain trust deeds, foundation statutes, and declarations identifying all relevant parties (settlors, beneficiaries, protectors, foundation council members). Understand the legal framework governing these structures and who exercises actual control.

Create Ownership Charts: For complex structures, create visual ownership charts showing the full ownership chain from customer entity through intermediate holding companies down to natural persons. This helps you identify gaps in your documentation and makes it easier for auditors to understand and verify your beneficial ownership determinations.

Train Staff on Complex Structures: Beneficial ownership isn’t intuitive, particularly for trusts, foundations, partnerships, and foreign legal structures. Provide comprehensive training to customer onboarding and compliance staff covering:

  • How to read corporate documents and extract ownership information
  • Understanding different legal structures and how control is exercised
  • Recognizing red flags suggesting nominee arrangements or obscured ownership
  • When to escalate complex cases for senior compliance review
  • How to use the Transparency Register and other research tools

Implement Periodic Reviews: Beneficial ownership changes over time through share transfers, inheritance, corporate restructurings, or legal changes. Establish procedures for periodically reviewing and updating beneficial ownership information, with review frequency based on customer risk ratings. High-risk customers should undergo annual beneficial ownership reviews at minimum.

Know When to Walk Away: If a customer refuses to provide adequate beneficial ownership information, cannot or will not explain a complex structure, or provides information you cannot verify, you may need to decline or terminate the relationship. Document that you made reasonable efforts to obtain information and explain why you ultimately decided the relationship posed unacceptable risk.

Document Your Analysis: Don’t just collect documents—document your analysis. Your customer file should contain written explanation of how you determined who qualifies as beneficial owners, including ownership percentage calculations for multi-tier structures, analysis of control mechanisms beyond equity ownership, and verification steps taken. Auditors need to see your thought process, not just the final conclusion.
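The look-through calculation behind the procedures above (threshold, indirect holdings, tier depth, senior-management fallback) and the written analysis this paragraph asks for can be produced by a short script. The following is an added example written for this article, not code from the page or from any regulator; the entities, stakes and the “CEO” fallback are constructed, and a 25% threshold is assumed per Article 2a paragraph 3 AMLA. It multiplies stakes along each ownership chain, sums a person’s chains (so a direct stake plus an indirect one is not missed), refuses to compute circular holdings, and records the chains in a form that can go straight into the customer file:

```python
from collections import defaultdict

# Constructed ownership graph for a hypothetical customer "Customer AG" (not real entities).
# HOLDINGS maps each owner to the stakes it holds: (owned entity, fraction of capital/votes).
NATURAL_PERSONS = {"Anna", "Bruno", "Clara", "Dario"}
HOLDINGS = {
    "Anna": [("HoldCo A", 0.60)],
    "Bruno": [("HoldCo A", 0.40), ("Customer AG", 0.10)],  # indirect stake plus a direct one
    "Clara": [("HoldCo B", 0.50)],
    "Dario": [("HoldCo B", 0.50)],
    "HoldCo A": [("Customer AG", 0.50)],
    "HoldCo B": [("Customer AG", 0.40)],
}
THRESHOLD = 0.25  # Art. 2a para. 3 AMLA: at least 25% of capital or voting rights


def owners_of(holdings):
    """Invert the graph: owned entity -> list of (direct owner, fraction)."""
    owners = defaultdict(list)
    for owner, stakes in holdings.items():
        for entity, frac in stakes:
            owners[entity].append((owner, frac))
    return owners


def look_through(customer, holdings, persons):
    """Effective ownership per natural person: multiply fractions along each chain of
    intermediate entities and sum over all chains ending at the same person.
    Circular or cross-holdings raise so the case is escalated rather than mis-computed."""
    owners = owners_of(holdings)
    effective, chains = defaultdict(float), defaultdict(list)

    def walk(entity, frac, path):
        for owner, stake in owners.get(entity, []):
            if owner in path:
                raise ValueError(f"circular holding via {owner}: escalate for manual review")
            eff = frac * stake
            if owner in persons:
                effective[owner] += eff
                chains[owner].append(" <- ".join(path + [owner]) + f" ({eff:.0%})")
            else:
                walk(owner, eff, path + [owner])

    walk(customer, 1.0, [customer])
    return {p: round(f, 6) for p, f in effective.items()}, dict(chains)


def determine_ubos(customer, holdings, persons, senior_manager, threshold=THRESHOLD):
    """Apply the threshold to look-through ownership; fall back to the most senior
    manager when nobody reaches it (Art. 2a para. 3 AMLA, last sentence)."""
    effective, chains = look_through(customer, holdings, persons)
    ubos = sorted(p for p, f in effective.items() if f >= threshold)
    # Capital that could not be traced to any natural person: a gap to explain in the file.
    unattributed = round(1.0 - sum(effective.values()), 6)
    basis = (f"look-through ownership >= {threshold:.0%}" if ubos
             else "no natural person at threshold; senior manager recorded")
    return {"ubos": ubos or [senior_manager], "basis": basis, "effective": effective,
            "chains": chains, "unattributed": unattributed}


if __name__ == "__main__":
    result = determine_ubos("Customer AG", HOLDINGS, NATURAL_PERSONS, senior_manager="CEO (to be named)")
    print(result["ubos"], "-", result["basis"])
    for person, paths in result["chains"].items():
        for path in paths:
            print(" ", path)
```

In the constructed structure, Anna reaches 30% through HoldCo A alone, and Bruno reaches 30% only when his 20% indirect stake is added to his 10% direct stake; Clara and Dario sit at 20% each and are not beneficial owners. A reviewer who stopped at HoldCo A would have missed Bruno, which is exactly the aggregation error auditors look for.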

For insights into beneficial ownership challenges across different jurisdictions, see our articles on Canada MSB license requirements and DFSA Category 3C compliance.

Pitfall #3: Transaction Monitoring Systems That Generate All Alerts or No Alerts

The Problem

Transaction monitoring represents the operational heart of AML compliance—the process of detecting unusual or suspicious customer behavior that might indicate money laundering or terrorist financing. Yet Swiss auditors consistently find transaction monitoring to be one of the weakest elements of firms’ compliance programs.

The problem manifests in two opposite extremes, both equally problematic: monitoring systems calibrated so loosely that they generate virtually no alerts, or systems calibrated so tightly that they produce overwhelming numbers of false positive alerts that staff cannot meaningfully investigate.

In the first scenario, auditors question how firms detect suspicious activity when their monitoring generates zero or near-zero alerts over extended periods despite processing thousands of transactions. This suggests either complete absence of meaningful monitoring or system calibration so loose that only the most blatant money laundering would trigger alerts.

In the second scenario, firms are drowning in alerts—hundreds or thousands per month—and investigation quality suffers as compliance staff rush through reviews to manage the workload. Auditors find cursory investigations, inadequate documentation of analysis, and inconsistent disposition decisions as overwhelmed staff take shortcuts.

Both extremes fail FINMA’s expectation that firms implement risk-based, effective monitoring calibrated to actually detect suspicious activity while allowing efficient investigation of generated alerts.

Why This Happens

Over-Reliance on Vendor Defaults: Many firms implement transaction monitoring software with vendor default thresholds and rules without customizing to their specific risk profile and customer base. These defaults often don’t match the firm’s transaction patterns, resulting in either excessive false positives or insufficient alert generation.

Fear of MROS Reporting: Some firms unconsciously calibrate monitoring to avoid generating alerts because they are uncomfortable filing reports of suspicion (Verdachtsmeldungen) under Article 9 AMLA with Switzerland’s Money Laundering Reporting Office (MROS). This risk aversion leads to increasingly loose thresholds that allow suspicious behavior to pass undetected.

Inadequate Tuning Resources: Monitoring system calibration requires ongoing attention—analyzing alert patterns, reviewing false positive rates, adjusting thresholds based on customer behavior changes, and implementing new rules for emerging typologies. Firms often lack the technical expertise or dedicated resources for continuous tuning.

Insufficient Historical Data: Newly licensed firms or those implementing monitoring systems for the first time often lack historical transaction data for baseline calibration. They may start with arbitrary thresholds that prove ineffective once actual transaction patterns emerge.

Manual Monitoring Limitations: Smaller institutions relying on manual transaction review processes struggle to comprehensively monitor all activity, leading to sampling approaches that miss suspicious patterns or inconsistent monitoring application across different customer segments.

Crypto-Specific Challenges: VASPs face unique monitoring complexity with multiple cryptocurrencies, varying liquidity levels, price volatility affecting transaction values, and blockchain-specific behavior patterns. Traditional fiat currency monitoring approaches don’t translate directly to crypto assets.

Real Audit Examples

A Geneva-based VASP processing approximately 50,000 cryptocurrency transactions monthly generated only three transaction monitoring alerts in an entire year, none of which resulted in MROS reports. Auditors reviewed a sample of transactions and immediately identified multiple suspicious patterns including structured transactions just below Travel Rule thresholds, rapid movement of funds through multiple wallets, and interactions with mixing services—none of which triggered alerts. The firm’s monitoring system was essentially non-functional.

A payment service provider in Basel implemented new monitoring software that generated over 3,000 alerts in the first month. Compliance staff could spend only 5-10 minutes reviewing each alert before moving to the next. Auditors sampling investigation files found minimal documentation—typically just “reviewed, no issues found” with no explanation of what was reviewed or why patterns weren’t suspicious. The overwhelming alert volume made meaningful investigation impossible.

A remittance company’s monitoring system had been calibrated based on Swiss customer transaction patterns but never adjusted when the firm expanded to serve emerging market corridors where typical transaction sizes and frequencies differed significantly. The system generated alerts for normal behavior in these new markets while missing suspicious structuring patterns that fell below the Swiss-calibrated thresholds.


PRO TIP

Auditors expect a transaction monitoring system to generate a reasonable number of alerts, some of which, after investigation, lead to reports to MROS. If you have filed no reports over several years despite significant transaction volumes, auditors will conclude your monitoring is ineffective. A credible AML program produces some reports of suspicion; their complete absence suggests detection failures, not perfect customer behavior.

How to Avoid This Pitfall

Baseline Your Transaction Patterns: Before setting monitoring thresholds, analyze your actual transaction data to understand normal customer behavior. Calculate statistics including:

  • Transaction value distributions (median, mean, percentile distributions)
  • Transaction frequency patterns by customer segment
  • Geographic patterns and common correspondent relationships
  • Product usage patterns and typical customer workflows
  • Seasonal or cyclical variations in activity levels

Use these baselines to set thresholds that flag genuinely unusual behavior rather than normal activity, while not being so loose that only the most egregious cases trigger and everything else passes. Prefer robust statistics (median, percentiles) over the mean, which a handful of large suspicious transactions can inflate enough to hide themselves.

Implement Risk-Based Monitoring: Don’t use identical monitoring for all customers. Higher-risk customers should face more intensive monitoring with tighter thresholds, more sophisticated rule logic, and more frequent reviews. Lower-risk retail customers can have more relaxed monitoring parameters while still maintaining adequate coverage.

For VASPs, this means different monitoring approaches for institutional trading customers versus retail investors, for customers who regularly interact with self-hosted wallets versus those who keep assets on-platform, and for customers trading high-risk anonymity-enhanced cryptocurrencies versus mainstream digital assets.

Use Multiple Detection Methodologies: Don’t rely exclusively on transaction threshold rules. Implement a layered monitoring approach including:

  • Threshold-based rules (transaction values, frequencies, velocities)
  • Pattern-based rules (rapid movement of funds, structured transactions, unusual geographic patterns)
  • Peer group comparisons (customer behavior versus similar customers)
  • Network analysis (relationship patterns, common counterparties)
  • Behavioral profiling (deviations from established baseline behavior)
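The baselining step and the layered rules above (threshold, pattern, peer-group) are easier to reason about on data. The following is an added example written for this article, not the page’s own code or any vendor’s product; the ledger is constructed, the customer IDs are hypothetical, the CHF 10,000 reporting threshold and the tier multipliers are assumed for illustration, and the rules are deliberately simple so that each one is auditable. It computes a per-segment baseline, applies a tier-dependent amount rule, a structuring rule over a rolling 72-hour window, and a peer-group rule, and finishes with the kind of back-test against known cases described later in this section:

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median

# Constructed sample ledger for a hypothetical intermediary (not real data). Row layout:
# (customer_id, segment, risk_tier, timestamp, amount_chf)
BASE = datetime(2025, 3, 1, 9, 0)


def _t(day, hours=0):
    return BASE + timedelta(days=day, hours=hours)


TXNS = []
for i, cust in enumerate(["R1", "R2", "R3", "R4", "R5"]):            # ordinary retail payments
    for day, amt in [(2, 180.0), (9, 420.0), (16, 650.0), (23, 900.0)]:
        TXNS.append((cust, "retail", "low", _t(day + i), amt + 25 * i))
for i, cust in enumerate(["C1", "C2", "C3"]):                        # ordinary corporate invoices
    for day, amt in [(3, 6000.0), (12, 11000.0), (20, 17500.0)]:
        TXNS.append((cust, "corporate", "medium", _t(day + i), amt + 500 * i))
for hrs, amt in [(0, 9800.0), (5, 9700.0), (26, 9650.0), (40, 9900.0)]:  # constructed structuring
    TXNS.append(("S1", "retail", "low", _t(10, hrs), amt))
TXNS.append(("S2", "corporate", "high", _t(15), 60000.0))             # constructed outlier

REPORTING_THRESHOLD = 10_000.0                          # assumed threshold, illustration only
TIER_MULTIPLE = {"high": 3, "medium": 6, "low": 15}     # tighter screening for higher-risk tiers
STRUCTURING_WINDOW = timedelta(hours=72)


def baseline(txns):
    """Per-segment amount statistics. Rules key off the median because the mean is
    dragged upward by the very outliers the rules are meant to catch."""
    by_seg = defaultdict(list)
    for _, seg, _, _, amt in txns:
        by_seg[seg].append(amt)
    return {seg: {"median": median(v), "mean": round(mean(v), 1), "n": len(v)}
            for seg, v in by_seg.items()}


def run_rules(txns):
    stats = baseline(txns)
    alerts, by_cust = [], defaultdict(list)
    for row in txns:
        cust, seg, tier, ts, amt = row
        by_cust[cust].append(row)
        # Rule 1 (threshold): amount above a tier-dependent multiple of the segment median
        if amt > stats[seg]["median"] * TIER_MULTIPLE[tier]:
            alerts.append({"customer": cust, "rule": "amount_outlier",
                           "detail": f"{amt:.0f} CHF on {ts:%Y-%m-%d}"})
    # Rule 2 (pattern): three or more payments just under the threshold inside a rolling window
    for cust, rows in by_cust.items():
        rows.sort(key=lambda r: r[3])
        near = [r for r in rows if 0.8 * REPORTING_THRESHOLD <= r[4] < REPORTING_THRESHOLD]
        for i in range(len(near)):
            window = [r for r in near[i:] if r[3] - near[i][3] <= STRUCTURING_WINDOW]
            if len(window) >= 3 and sum(r[4] for r in window) >= REPORTING_THRESHOLD:
                alerts.append({"customer": cust, "rule": "structuring",
                               "detail": f"{len(window)} payments totalling "
                                         f"{sum(r[4] for r in window):.0f} CHF within 72h"})
                break
    # Rule 3 (peer group): period total far above the median customer of the same segment
    totals, seg_of = defaultdict(float), {}
    for cust, seg, _, _, amt in txns:
        totals[cust] += amt
        seg_of[cust] = seg
    seg_totals = defaultdict(list)
    for cust, tot in totals.items():
        seg_totals[seg_of[cust]].append(tot)
    for cust, tot in totals.items():
        peer_median = median(seg_totals[seg_of[cust]])
        if tot > 5 * peer_median:
            alerts.append({"customer": cust, "rule": "peer_group",
                           "detail": f"total {tot:.0f} CHF vs peer median {peer_median:.0f}"})
    return alerts


def backtest(alerts, known_suspicious):
    """Effectiveness check: would the rules have flagged the customers already known as suspicious?"""
    flagged = {a["customer"] for a in alerts}
    return {"recall": len(flagged & known_suspicious) / len(known_suspicious),
            "missed": sorted(known_suspicious - flagged),
            "flagged_only": sorted(flagged - known_suspicious)}


if __name__ == "__main__":
    print(baseline(TXNS))
    for alert in run_rules(TXNS):
        print(alert)
    print(backtest(run_rules(TXNS), {"S1", "S2"}))
```

Two things in the output are worth noting. The retail mean (about CHF 2,117) is three times the retail median (CHF 687.50) purely because of S1’s four payments, which is why the amount rule is anchored on the median. And S1 is caught by two independent rules (structuring and peer-group) while never tripping the amount rule, which is the point of layering: a customer who stays under every single-transaction threshold still stands out on pattern and on aggregate.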

Document Your Calibration Logic: Maintain written documentation explaining why you set specific thresholds and rules, what analysis supported these decisions, and how thresholds relate to your identified risks. When you adjust thresholds, document the rationale and supporting analysis. This demonstrates to auditors that your monitoring reflects thoughtful risk-based design rather than arbitrary configuration.

Conduct Regular Tuning Reviews: Schedule quarterly reviews of monitoring effectiveness analyzing:

  • Alert volumes and trends
  • False positive rates by rule type
  • Investigation outcomes and patterns
  • Suspicious activity report filing rates
  • Emerging typologies requiring new rules
  • Changes in transaction patterns requiring threshold adjustments

Document these reviews and any resulting system adjustments. Regular tuning demonstrates active management rather than “set it and forget it” approaches that auditors criticize.

Invest in Investigation Quality: Generate alerts that your staff can meaningfully investigate. This means calibrating alert volumes to sustainable levels and training investigators to conduct thorough analysis. Each investigation should document:

  • What triggered the alert
  • What additional information was reviewed
  • What customers said when questioned about the activity
  • What analysis was conducted
  • Why the activity was or wasn’t deemed suspicious
  • What outcome was reached and by whom

For Crypto Monitoring: VASPs should implement blockchain-specific monitoring capabilities including:

  • On-chain transaction tracing and network analysis
  • Wallet clustering and address attribution
  • Identification of interactions with mixing services, darknet markets, ransomware addresses, and sanctioned addresses
  • Travel Rule compliance monitoring for threshold crossings
  • Monitoring of self-hosted wallet interactions and unusual withdrawal patterns

Standard fiat currency monitoring is insufficient for cryptocurrency risk. See our guide on AML/CFT best practices for VASPs for detailed crypto monitoring guidance.
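The following is an added illustration of the blockchain-specific screening described above, not code from the original article or from any vendor product. It walks a constructed transfer graph backwards from a customer's deposit address to find direct or indirect exposure to labelled counterparties (a sanctioned address, a mixer), and applies the Travel Rule originator-data check at the threshold the article cites. The addresses, edges, labels and the three-hop limit are made up for the example; in production the labels come from a blockchain-analytics provider and the current sanctions lists, and the threshold should be confirmed against current FINMA guidance.

```python
"""Indirect sanctions and mixer exposure on a constructed on-chain transfer graph.

Added example; not code from the article. All addresses, edges and labels are
constructed sample data.
"""
from collections import deque

# Constructed transfer graph: (sender, receiver), edges follow the flow of funds.
EDGES = [
    ("sanctioned_A", "hop1"),
    ("hop1", "hop2"),
    ("hop2", "deposit_X"),      # customer X's deposit address sits 3 hops from a sanctioned address
    ("mixer_M", "deposit_Y"),   # customer Y received funds directly from a mixing service
    ("clean_C", "deposit_Z"),   # customer Z has no labelled exposure
]
# Constructed attribution labels (in practice: sanctions lists plus analytics provider data).
LABELS = {"sanctioned_A": "sanctioned", "mixer_M": "mixer"}
TRAVEL_RULE_THRESHOLD_CHF = 1000   # threshold as stated in the article; confirm against current guidance


def incoming_graph(edges):
    """Map receiver -> set of senders so the walk runs against the flow of funds."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(dst, set()).add(src)
    return graph


def exposure(address, graph, labels, max_hops=3):
    """Breadth-first walk upstream from `address`.

    Returns {label: nearest hop distance} for every labelled counterparty found
    within `max_hops`. BFS guarantees the first time a label is seen is the
    shortest path to it.
    """
    seen = {address}
    queue = deque([(address, 0)])
    found = {}
    while queue:
        node, dist = queue.popleft()
        if node != address and node in labels:
            found.setdefault(labels[node], dist)
        if dist == max_hops:
            continue
        for src in graph.get(node, ()):
            if src not in seen:
                seen.add(src)
                queue.append((src, dist + 1))
    return found


def screen_deposit(address, amount_chf, graph, labels, originator_info=None):
    """Decision for one inbound transfer.

    Direct sanctioned counterparties block, indirect exposure escalates to an
    investigator, and a transfer at or above the Travel Rule threshold is held
    until originator information is present.
    """
    exp = exposure(address, graph, labels)
    findings = []
    if exp.get("sanctioned") == 1:
        findings.append("block: direct sanctioned counterparty")
    elif "sanctioned" in exp:
        findings.append(f"escalate: sanctioned exposure {exp['sanctioned']} hop(s) away")
    if "mixer" in exp:
        findings.append(f"escalate: mixer exposure {exp['mixer']} hop(s) away")
    if amount_chf >= TRAVEL_RULE_THRESHOLD_CHF and not originator_info:
        findings.append("hold: Travel Rule originator data missing")
    return findings


if __name__ == "__main__":
    graph = incoming_graph(EDGES)
    for addr, amount in [("deposit_X", 5000), ("deposit_Y", 1500), ("deposit_Z", 500), ("hop1", 200)]:
        print(addr, amount, screen_deposit(addr, amount, graph, LABELS))
```

Because exposure depends on edges and labels that change after onboarding, `screen_deposit` is meant to run on every inbound transfer and to be re-run over the existing customer base whenever the sanctions or attribution lists are updated, which is the continuous screening auditors look for rather than a one-off check at account opening.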

Validate System Effectiveness: Periodically test your monitoring system’s ability to detect known suspicious patterns. This might involve:

  • Back-testing the system against historical suspicious activity reports to verify those patterns would trigger alerts
  • Creating test scenarios mimicking money laundering typologies to confirm rule logic functions correctly
  • Independent reviews by internal audit or external consultants evaluating monitoring effectiveness
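To tie together the baseline calibration, risk-tiered thresholds, tuning metrics and back-testing discussed in this pitfall, here is an added example in Python. It is not code from the original article or from any monitoring product: the customers, their transaction histories, the tier multipliers, the structuring band and the investigation outcomes are all constructed sample data, and the rule logic is deliberately small. What it shows is the mechanics auditors ask about: thresholds derived from each customer's own baseline, tighter parameters for higher-risk tiers, a false-positive rate per rule computed from investigation outcomes, and a back-test that reveals a historical case the current calibration would miss.

```python
"""Risk-tiered monitoring rules with per-customer baselines, tuning metrics
and a back-test against historical cases.

Added example; not code from the article. Tier multipliers, the structuring
band, customers, transactions and outcomes are constructed sample values.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Tighter parameters for higher-risk tiers (assumed values, not regulatory figures).
TIER_SIGMA = {"low": 4.0, "medium": 3.0, "high": 2.0}     # std-devs above baseline mean
TIER_VELOCITY = {"low": 10, "medium": 6, "high": 3}        # max transactions per day
STRUCTURING_BAND = (13_000, 15_000)   # assumed band just under a fixed identification threshold


@dataclass
class Customer:
    cid: str
    tier: str
    history: list   # historical amounts (CHF) used to build the baseline


@dataclass
class Txn:
    cid: str
    day: int
    amount: float


def baseline(history):
    """Per-customer baseline: mean and population std-dev of past amounts."""
    sd = pstdev(history) or 1.0   # flat histories would otherwise alert on any change
    return mean(history), sd


def evaluate(customers, txns):
    """Return {(cid, day): [rule names]} for every customer-day that alerts."""
    base = {c.cid: baseline(c.history) for c in customers}
    tier = {c.cid: c.tier for c in customers}
    per_day = {}
    for t in txns:
        per_day.setdefault((t.cid, t.day), []).append(t.amount)
    alerts = {}
    lo, hi = STRUCTURING_BAND
    for (cid, day), amounts in per_day.items():
        mu, sd = base[cid]
        fired = []
        # Behavioral profiling: deviation from the customer's own baseline, tier-dependent cut-off.
        if any(a > mu + TIER_SIGMA[tier[cid]] * sd for a in amounts):
            fired.append("amount_deviation")
        # Velocity: more transactions in a day than the tier allows.
        if len(amounts) > TIER_VELOCITY[tier[cid]]:
            fired.append("velocity")
        # Pattern rule: three or more amounts sitting just below a fixed threshold.
        if sum(1 for a in amounts if lo <= a < hi) >= 3:
            fired.append("structuring")
        if fired:
            alerts[(cid, day)] = fired
    return alerts


def tuning_metrics(alerts, outcomes):
    """Per-rule alert count and false-positive rate from investigation outcomes.

    `outcomes` maps (cid, day) to "suspicious" / "not_suspicious"; alerts still
    under investigation are counted but excluded from the rate.
    """
    stats = {}
    for key, rules in alerts.items():
        outcome = outcomes.get(key)
        for r in rules:
            s = stats.setdefault(r, {"alerts": 0, "resolved": 0, "false_positives": 0})
            s["alerts"] += 1
            if outcome is not None:
                s["resolved"] += 1
                s["false_positives"] += outcome == "not_suspicious"
    for s in stats.values():
        s["fp_rate"] = s["false_positives"] / s["resolved"] if s["resolved"] else None
    return stats


def backtest(alerts, known_cases):
    """Confirm that historically reported cases would still alert under the current rules."""
    missed = [k for k in known_cases if k not in alerts]
    return {"detected": len(known_cases) - len(missed), "missed": missed}


# Constructed sample data.
CUSTOMERS = [
    Customer("C1", "low", [100, 120, 110, 90, 130]),
    Customer("C2", "high", [2000, 2100, 1900, 2050, 1950]),
    Customer("C3", "medium", [14000, 13800, 14200, 13900, 14100]),
]
TXNS = [
    Txn("C1", 1, 150), Txn("C1", 2, 400),
    Txn("C2", 1, 2100), Txn("C2", 2, 2200),
    Txn("C2", 3, 500), Txn("C2", 3, 500), Txn("C2", 3, 500), Txn("C2", 3, 500),
    Txn("C3", 1, 14000), Txn("C3", 1, 14300), Txn("C3", 1, 13900),
]
OUTCOMES = {("C1", 2): "suspicious", ("C2", 2): "not_suspicious",
            ("C2", 3): "not_suspicious", ("C3", 1): "suspicious"}
KNOWN_CASES = [("C1", 2), ("C3", 1), ("C2", 1)]   # ("C2", 1) is a past report the rules no longer catch

ALERTS = evaluate(CUSTOMERS, TXNS)

if __name__ == "__main__":
    print(ALERTS)
    print(tuning_metrics(ALERTS, OUTCOMES))
    print(backtest(ALERTS, KNOWN_CASES))
```

The back-test result is the piece to keep in the tuning file: the miss on `("C2", 1)` is exactly the kind of finding that justifies a documented threshold change, and the per-rule false-positive rates are the quarterly numbers the tuning review should track.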

For comprehensive guidance on effective monitoring approaches, see our articles on AML audit requirements and preparing for AML audits.

Pitfall #4: Inadequate Staff Training and Testing of Knowledge Retention

The Problem

Swiss AML regulations require financial intermediaries to provide appropriate staff training, yet training programs represent one of the most frequently cited audit deficiencies. The problems range from complete absence of formal training to perfunctory annual sessions that staff attend but don’t meaningfully engage with, to training content that covers generic AML concepts without addressing the firm’s specific risks or the unique requirements of Swiss regulation.

Auditors commonly discover that staff cannot articulate their AML responsibilities, don’t understand the firm’s policies, can’t explain why certain procedures exist, and lack awareness of recent regulatory changes affecting their functions. When auditors interview frontline staff, they often find these employees lack basic knowledge about customer due diligence requirements, suspicious activity indicators, or reporting obligations.

Even more concerning, auditors find firms that can demonstrate training occurred but cannot demonstrate that training was effective—no testing of knowledge retention, no verification that staff actually understand the material, no measurement of whether training influenced staff behavior.

Why This Happens

Check-Box Mentality: Many firms view training as a compliance obligation to document rather than an opportunity to improve staff competency. They conduct annual training sessions primarily to create records proving training occurred, without concern for whether learning actually happened.

Generic Content: Firms purchase off-the-shelf training courses or use SRO-provided generic materials without customizing content to their specific business model, risk profile, or operational reality. Staff sit through training covering scenarios that never occur in their actual work while not learning about the situations they genuinely face.

Passive Learning Approaches: Training often consists of staff watching videos or clicking through slide presentations without interactive exercises, case studies, or scenario-based learning that promotes engagement and retention. Passive consumption doesn’t create lasting knowledge or change behavior.

Failure to Segment Training: Firms provide identical training to all staff regardless of role, meaning frontline customer service representatives receive the same content as back-office transaction processors and senior compliance officers. Effective training should be tailored to specific job functions and responsibilities.

No Knowledge Validation: Even when training is provided, firms often skip testing to verify staff actually learned the material. Without assessments, firms have no way to know whether training was effective or whether staff understood and retained critical concepts.

Infrequent Updates: Firms conduct training when onboarding new employees and then annual refresher sessions, but fail to provide interim training when regulations change, audit findings are issued, new products launch, or emerging risks are identified. Staff operate with outdated knowledge during extended periods between formal training sessions.

Real Audit Examples

During a 2025 audit of a Zurich VASP, auditors interviewed customer service staff who handled account opening inquiries. When asked about the Travel Rule and when it applies, three staff members gave three different answers: one said it applied to all transactions, another said it did not apply to their business, and the third correctly identified the CHF 1,000 threshold but could not explain what information must be collected. The firm had conducted annual training, but staff clearly had not understood or retained critical concepts.

A payment institution’s training records showed 100% staff completion of annual AML training modules with uniformly perfect scores on post-training quizzes. Auditors, suspicious of the identical results, tested staff knowledge independently during interviews. Staff performed poorly, demonstrating they could not apply training concepts to real scenarios. Further investigation revealed staff had access to quiz answer keys and simply copied answers without engaging with the training content.

A remittance company conducted comprehensive AML training for its Swiss headquarters staff but provided no training to staff in foreign branch offices who actually processed most customer transactions. During the audit, auditors discovered branch staff couldn’t identify basic suspicious activity indicators and weren’t aware of the firm’s MROS reporting obligations, creating significant compliance gaps.

How to Avoid This Pitfall

Develop Customized Training Content: Don’t rely exclusively on generic training materials. Develop content specific to your firm addressing:

  • Your actual policies and procedures, not generic industry standards
  • Risk scenarios staff genuinely encounter in their specific roles
  • Your products and services and associated money laundering vulnerabilities
  • Swiss regulatory requirements and how they apply to your business model
  • Recent audit findings and lessons learned
  • Emerging threats and typologies relevant to your customer base

For VASPs, training should cover Travel Rule mechanics, self-hosted wallet risks, blockchain analysis basics, crypto-specific red flags, and DeFi protocol concerns. For payment institutions, cover merchant due diligence, payment fraud typologies, cross-border correspondent risks, and industry-specific vulnerabilities. For remittance companies, cover geographic corridor risks, structuring patterns, source of funds questioning, and rapid movement of funds indicators.

Make Training Interactive and Engaging: Move beyond passive video watching to active learning approaches:

  • Case study discussions where staff analyze real (anonymized) suspicious activity scenarios
  • Role-playing exercises for customer due diligence questioning
  • Group workshops solving compliance dilemmas
  • Tabletop exercises simulating regulatory examinations
  • Guest speakers from regulators or industry experts providing fresh perspectives

Segment Training by Role and Risk: Different staff need different training:

Frontline Customer-Facing Staff: Focus on customer identification, suspicious activity recognition, asking appropriate questions, when to escalate concerns, and customer communication about compliance requirements.

Transaction Processing and Operations Staff: Emphasize transaction monitoring alert investigation, sanctions screening procedures, documentation requirements, and system usage.

Compliance Officers: Provide advanced training on regulatory interpretation, investigation techniques, MROS reporting standards, audit preparation, and emerging regulatory developments.

Senior Management and Board Members: Focus on governance responsibilities, “tone from the top,” oversight of compliance programs, understanding audit findings, and regulatory relationship management.

Technology and IT Staff: Cover system controls, data security, change management, monitoring system functionality, and reporting capabilities.

Test Knowledge Retention: After training, assess whether staff actually learned the material:

  • Conduct quizzes or examinations testing comprehension
  • Use scenario-based assessments where staff must apply concepts to situations
  • Monitor practical application through quality assurance reviews of actual work
  • Conduct follow-up interviews or refresher sessions addressing knowledge gaps
  • Track assessment scores over time to identify struggling staff or topics requiring additional coverage

Provide Ongoing Training: Don’t limit training to annual sessions. Implement:

  • Targeted training when regulations change or new guidance is issued
  • Post-audit training addressing findings and remediation measures
  • Product launch training when introducing new services
  • Emerging risk briefings when new typologies or threats are identified
  • Regular “lunch and learn” sessions covering specific topics
  • Microlearning—short, focused training modules staff can complete in 10-15 minutes

Document Training Comprehensively: Maintain complete training records including:

  • Training dates, duration, and attendance records
  • Training content and materials provided
  • Names and qualifications of trainers
  • Assessment results and scores
  • Remedial training for staff who didn’t demonstrate competency
  • Post-training surveys or feedback forms
  • Evidence that training was updated to reflect regulatory changes or audit findings

Measure Training Effectiveness: Go beyond attendance tracking to evaluate whether training achieves its objectives:

  • Compare pre-training and post-training knowledge assessments
  • Monitor error rates in actual work (CDD documentation quality, alert investigation thoroughness)
  • Track suspicious activity report filing rates before and after training on red flag recognition
  • Survey staff about training usefulness and request suggestions for improvement
  • Review audit findings to identify whether training gaps contributed to deficiencies

For guidance on developing effective compliance training programs, see our AML training programs page and article on AML compliance officer roles and responsibilities.

Pitfall #5: Poor Record Retention and Inability to Retrieve Documentation

The Problem

Swiss AML law requires financial intermediaries to maintain comprehensive records for ten years after the business relationship ends or the transaction is completed. These records must be organized such that they can be retrieved within a reasonable timeframe upon request by auditors or regulators.

Yet auditors consistently find record retention to be among the most deficient areas. Common problems include incomplete records where required documentation is missing from customer files, disorganized record systems where documents exist but cannot be located efficiently, premature destruction of records before the retention period expires, inability to retrieve electronic records from legacy systems, and failure to maintain records for rejected customer applications or terminated relationships.

During audits, when auditors request specific customer files or transaction records, delays in retrieval raise immediate red flags. If your compliance team needs days or weeks to locate requested documents, auditors conclude your record management is inadequate—and they question what other controls might be poorly implemented.

Why This Happens

System Migrations: When firms migrate to new customer relationship management systems, transaction processing platforms, or document management systems, they often fail to properly migrate historical records. Legacy system data becomes inaccessible while new system data is incomplete, creating documentation gaps.

Decentralized Storage: Some firms store records in multiple locations—paper files in offices, electronic files on shared drives, attachments in email systems, documents in third-party platforms—without centralized indexing or consistent organization. Staff struggle to locate documents scattered across disparate systems.

Incomplete Onboarding Documentation: During busy periods or with inadequate staff training, customer onboarding processes may be completed without collecting all required documentation. Gaps aren’t noticed until audits when reviewers systematically check for complete files.

Poor Terminated Relationship Management: When customer relationships end, especially through customer-initiated account closures, firms sometimes fail to retain complete records. Staff may assume closed accounts no longer require documentation, not understanding that the ten-year retention period starts when the relationship ends, not when it begins.

Cloud and Third-Party Vendor Reliance: Firms using cloud-based systems or outsourced service providers may lose access to records if vendor relationships terminate, systems are discontinued, or vendors fail to maintain adequate data retention. Firms sometimes don’t realize they’ve lost record access until auditors request historical documentation.

Inadequate Record Retention Policies: Some firms lack comprehensive policies specifying what records must be retained, in what format, for how long, with what organizational system, and with what security controls. Without clear policies, staff make inconsistent ad-hoc decisions about record management.

Real Audit Examples

A Geneva-based payment institution underwent a system migration two years before its audit. When auditors requested customer files for accounts opened before the migration, the firm discovered that while customer identification documents had been scanned into the new system, supporting due diligence documentation, transaction records, and investigation files remained in the old system which had been decommissioned. The firm had no access to several years of required records.

During an audit of a Zurich VASP, auditors requested customer files for a sample of 25 accounts. The compliance team required three weeks to assemble the files, with several files remaining incomplete because documents were stored in multiple locations—some in the CRM system, others in email, some in a shared drive folder structure that no longer matched current organization, and paper documents in physical files that had been moved to an offsite storage facility. The disorganization delayed the audit and became a significant finding.

A remittance company had maintained excellent records for active customer relationships but immediately destroyed files for closed accounts. When auditors discovered this practice and asked about records for relationships terminated within the past ten years, the firm had to admit the records no longer existed—a serious AMLA violation. The firm hadn’t understood that retention obligations extend ten years after relationship termination.

🔍

AUDITOR PERSPECTIVE

When auditors request documentation and you cannot produce it promptly, they make adverse inferences about your entire compliance program. If you can’t manage basic record retention—one of the clearest regulatory requirements—what other obligations are you failing to meet? Poor record management damages auditor confidence and results in more intensive, skeptical examinations of all your controls.

How to Avoid This Pitfall

Develop Comprehensive Record Retention Policies: Document clear policies specifying:

  • What categories of records must be retained (customer identification documents, due diligence documentation, transaction records, correspondence, internal analyses, MROS reports, audit reports, board minutes, training records, system logs)
  • Retention periods for each record category (generally ten years for AML-related records)
  • When retention periods begin (relationship termination dates, transaction completion dates)
  • Acceptable formats (electronic, paper, or both)
  • Storage locations and organizational systems
  • Security and access controls
  • Destruction procedures for records reaching end of retention periods
  • Responsibilities for record management and periodic compliance reviews

Centralize Record Storage: Implement a centralized document management system rather than storing records across multiple disparate locations. Modern document management platforms allow:

  • Organized folder structures with consistent taxonomy
  • Metadata tagging for easy searching and filtering
  • Version control tracking document evolution
  • Access controls limiting document visibility to authorized staff
  • Audit trails showing who accessed documents when
  • Automated retention period enforcement
  • Integration with other business systems for seamless document capture

Automate Record Capture: Reduce reliance on manual document filing through automation:

  • Automatically capture and store customer identification documents submitted through digital onboarding platforms
  • Save email correspondence to appropriate customer folders through email management rules or AI-based filing
  • Integrate transaction systems with document management to automatically link transaction records to customer files
  • Capture system-generated reports, screening results, and investigation documentation automatically

Plan for System Migrations: When migrating to new systems, ensure complete historical data migration:

  • Inventory all records in legacy systems before migration
  • Develop data migration plans covering all record categories
  • Test migration completeness and data integrity
  • Maintain legacy system access as a backup during transition periods
  • Document what was migrated, what remains in legacy systems, and how to access both

Manage Vendor Dependencies: For records stored in third-party systems:

  • Contractually require vendors to maintain data throughout your retention period
  • Obtain data export capabilities allowing you to retrieve records if vendor relationships end
  • Periodically extract and backup critical data to systems you control
  • Test your ability to retrieve records from vendor systems
  • Include data migration and retention provisions in vendor contracts

Don’t Forget Terminated Relationships: Implement clear procedures for managing records when relationships terminate:

  • Flag closed accounts for extended retention rather than immediate destruction
  • Move terminated relationship records to separate storage for easier management
  • Calculate and track retention period expiration dates
  • Maintain rejected application records (lower risk, but still retain for reasonable periods)
  • Include terminated relationship records in regular backup and disaster recovery processes

Test Record Retrieval: Don’t wait for an audit to discover you cannot retrieve records:

  • Periodically test retrieval times by requesting random sample customer files
  • Ensure retrieval times are reasonable (typically within 1-2 business days maximum)
  • Verify that files are complete with all required documentation
  • Identify and remediate any retrieval difficulties before audits
  • Document retrieval test results as evidence of adequate record management

Maintain Records for All Required Situations: Remember that record retention extends beyond customer files:

  • Rejected or abandoned customer applications (retain identification attempts)
  • Terminated business relationships (ten years from termination)
  • Suspicious activity reports filed with MROS (retain supporting documentation)
  • Investigation files for alerts that didn’t result in MROS reports (document why)
  • Transaction records for all account activity (not just large or unusual transactions)
  • Correspondence with customers, regulators, auditors, and service providers
  • Training records showing staff completed required programs
  • Policy versions showing program evolution
  • System change logs and validation testing
  • Board and committee meeting minutes documenting oversight

Implement Periodic Compliance Reviews: Schedule regular reviews (typically quarterly or semi-annually) to verify record retention compliance:

  • Sample customer files to check completeness
  • Verify proper filing of recently received documents
  • Confirm legacy system accessibility
  • Review storage capacity and plan for expansion needs
  • Check that retention periods are properly tracked
  • Audit access logs for unauthorized access attempts
  • Test backup and recovery procedures

For insights into proper documentation management in the context of comprehensive AML programs, see our article on creating an effective AML program blueprint.

Additional Emerging Pitfalls to Watch in 2026

Beyond the five major pitfalls detailed above, several emerging compliance challenges warrant attention as Swiss AML audits evolve in 2026:

Inadequate Sanctions Screening

With Switzerland’s alignment with EU sanctions regimes and the complex sanctions landscape targeting Russia, auditors are finding deficiencies in how firms screen customers and transactions. Common issues include screening only at account opening rather than continuously, using outdated sanctions lists, poor false positive management that allows genuine hits to be dismissed incorrectly, and failure to screen beneficial owners and connected parties. VASPs face additional scrutiny around screening cryptocurrency addresses against sanctioned wallet lists and blockchain analytics for indirect sanctions exposure.

Insufficient Governance and Oversight

The “tone from the top” that FINMA emphasizes requires genuine board and senior management engagement with AML compliance, not perfunctory acknowledgments. Auditors increasingly scrutinize whether boards receive meaningful compliance reporting, actively discuss emerging risks, approve policy changes after substantive review, provide adequate resources for compliance functions, and hold management accountable for compliance failures. Rubber-stamp board approvals without evidence of discussion or challenge suggest weak governance.

Technology Control Weaknesses

As financial services become increasingly digital, auditors examine technology controls more intensively. This includes change management for compliance-related systems, user access controls ensuring appropriate segregation of duties, data integrity controls preventing unauthorized modification of records, system validation and testing procedures, cybersecurity controls protecting sensitive customer information, and business continuity planning for compliance systems. For VASPs specifically, auditors expect robust controls around private key management, hot wallet exposure, and cold storage procedures.

Inadequate Third-Party Due Diligence

When outsourcing AML functions or using third-party service providers for critical processes, firms remain ultimately responsible for compliance. Auditors find that many firms conduct insufficient due diligence on service providers, lack adequate contractual controls, fail to monitor vendor performance, and don’t have contingency plans for vendor failures. This applies to outsourced compliance officers, KYC utilities, screening vendors, hosting providers, and payment processors. See our guide on MLRO outsourcing for guidance on managing these relationships effectively.

Poor Integration of Compliance and Business Functions

Effective compliance isn’t a standalone function—it must be integrated into business operations. Auditors increasingly find problems when compliance operates in isolation from product development, sales, customer service, and technology functions. This manifests in products launched without compliance review, sales incentives that encourage staff to minimize due diligence, customer service staff unable to explain compliance requirements to customers, and technology implementations that don’t consider compliance implications. Compliance should be embedded throughout the organization, not siloed in a separate department.

Learning from Enforcement Actions

Understanding how regulators respond to AML failures provides valuable context for why these pitfalls matter. While Switzerland has historically taken a more measured enforcement approach compared to some jurisdictions, recent years have seen increased willingness to impose significant penalties for serious compliance failures.

Recent Swiss enforcement actions have involved license restrictions limiting firms’ ability to onboard new customers until compliance improvements are implemented, mandatory audits at increased frequency with costs borne by the firm, required engagement of external compliance consultants to remediate systemic issues, and in egregious cases, license revocations forcing business closures.

For international context on enforcement trends and lessons learned, see our analysis of significant AML penalties including Monzo’s £21.1 million fine, Barclays’ £39.3 million penalty, and Canada’s historic $176 million FINTRAC fine.

These cases share common themes: compliance programs that existed on paper but didn’t function effectively in practice, inadequate resources devoted to compliance relative to business growth, insufficient governance and oversight by boards and senior management, and failure to remediate known deficiencies in a timely manner. The lesson is clear—cosmetic compliance doesn’t protect you. Regulators distinguish between firms making genuine good faith efforts that occasionally fall short and firms treating compliance as an afterthought.

Sector-Specific Considerations

While the five major pitfalls apply broadly across Swiss financial intermediaries, different sectors face unique challenges worth noting:

For Virtual Asset Service Providers (VASPs)

Swiss VASPs operating under Payment Instrument Institution licenses or the newer Crypto Institution framework face heightened scrutiny given cryptocurrency’s money laundering vulnerabilities. Beyond the universal pitfalls, VASPs commonly struggle with implementing the Travel Rule for transactions exceeding CHF 1,000 (as specified in FINMA’s guidance on virtual currency), documenting procedures for identifying and managing self-hosted wallet interactions, utilizing blockchain analytics effectively for transaction tracing and risk assessment, and addressing DeFi protocol risks when customers interact with decentralized exchanges or lending platforms.

The rapid evolution of crypto technology means VASPs must continuously update risk assessments and controls. What was appropriate monitoring for Bitcoin and Ethereum transactions may be inadequate for layer-2 protocols, cross-chain bridges, or newly emerging blockchain networks. For comprehensive VASP guidance, see our articles on MiCA implementation across European jurisdictions and crypto Travel Rule compliance.

For Payment Service Providers and E-Money Issuers

Payment institutions face unique risks around merchant relationships, cross-border payment flows, and correspondent banking arrangements. Common audit deficiencies specific to payment providers include inadequate merchant due diligence and ongoing monitoring, failure to understand and monitor merchant business models and transaction patterns, insufficient controls around card-not-present transactions vulnerable to fraud and money laundering, and weak correspondent banking due diligence particularly for relationships with higher-risk jurisdictions.

Payment providers must implement merchant-specific risk assessments that consider industry sector vulnerabilities. A merchant processing payments for online gambling faces different risks than one processing for e-commerce retail or professional services. Generic merchant onboarding doesn’t satisfy risk-based approach requirements.

For Remittance and Money Transfer Companies

Remittance services transmitting funds across borders, particularly to emerging markets, face inherent money laundering risks that require robust controls. Common pitfalls specific to remittance firms include failure to properly assess and monitor high-risk payment corridors, inadequate source of funds verification for large or frequent remittances, insufficient understanding of correspondent relationships including foreign exchange houses and payout agents, and weak controls around rapid movement of funds designed to obscure audit trails.

Given the often personal nature of remittance transactions—individuals sending money to family abroad—firms must balance compliance rigor with customer service, implementing efficient procedures that don’t create excessive friction while still detecting suspicious patterns. For guidance on cross-border payment compliance in related contexts, see our Canada PSP and MSB regulatory framework article.

For Legal Professionals and Fiduciary Service Providers

With LETA’s implementation, lawyers, notaries, and fiduciary service providers facilitating entity formation and administration face new compliance challenges. These professionals commonly struggle with determining when AML obligations are triggered versus when professional privilege applies, implementing adequate beneficial ownership verification for complex multi-jurisdictional structures, maintaining independence when serving both as legal advisor and AML compliance officer, and managing conflicts between client confidentiality expectations and transparency requirements.

The intersection of professional privilege and AML obligations creates unique tensions. While privilege exists, it doesn’t exempt professionals from all AML requirements. Understanding these boundaries and documenting your analysis of when privilege applies is essential during audits.

Building a Culture of Compliance

Beyond addressing specific technical pitfalls, sustainable AML compliance requires building an organizational culture where compliance is valued, not viewed as an obstacle to business development.

Leadership Commitment: Genuine “tone from the top” means senior leaders actively champion compliance, allocate adequate resources, support compliance staff when they raise concerns, and hold personnel accountable for compliance failures. It’s insufficient for the CEO to give annual speeches about compliance’s importance while incentive structures reward business growth regardless of compliance quality.

Cross-Functional Integration: Compliance shouldn’t operate in isolation. Involve compliance in product development, customer acquisition strategies, technology implementations, and business expansion decisions. Early compliance involvement prevents problems rather than requiring costly remediation after products launch or partnerships are established.

Learning Organization Mindset: View audit findings, near-misses, and emerging typologies as learning opportunities. Conduct post-mortems on compliance failures asking “how did this happen?” and “how do we prevent recurrence?” rather than simply disciplining individuals. Systemic problems require systemic solutions.

Investment in People and Technology: Compliance programs can’t function without adequate resources. This means sufficient compliance staff relative to business complexity and transaction volumes, competitive compensation attracting and retaining qualified personnel, appropriate technology supporting compliance functions, ongoing training and professional development, and external expertise when needed for specialized situations.

Celebrating Compliance Success: Recognize and reward compliance achievements. This might include acknowledging staff who identify suspicious activity leading to MROS reports, celebrating successful audit outcomes, recognizing customer service staff who properly apply CDD procedures despite customer complaints, or rewarding innovation in compliance processes. If only business development achievements are celebrated, staff internalize that compliance is secondary.

Preparing for Your Next Audit

Avoiding the five major pitfalls detailed in this article significantly improves your audit outcomes, but preparation shouldn’t end there. Implement these additional strategies for comprehensive audit readiness:

Conduct Pre-Audit Self-Assessments: Before your scheduled audit, have internal audit or external consultants conduct gap assessments using similar methodologies to regulatory audits. Identify and remediate issues before auditors arrive. Our AML audit services provide this independent assessment for Swiss financial intermediaries.

Organize Documentation Proactively: Don’t wait for auditor document requests. Prepare organized packages with your compliance program documentation, including policies and procedures, risk assessments, governance materials, training records, testing results, and sample customer files demonstrating CDD quality.

Brief Key Personnel: Ensure staff likely to be interviewed by auditors understand their roles, can articulate compliance procedures, and know how to answer questions professionally without oversharing or making commitments beyond their authority.

Review Prior Audit Findings: If you’ve had previous audits, review findings and verify that remediation was completed effectively. Auditors always check whether prior issues were properly addressed, and recurring deficiencies are viewed more seriously than first-time findings.

Stay Current on Regulatory Developments: Review recent FINMA circulars, SRO guidance updates, and FATF recommendations to ensure your program reflects current expectations. Demonstrating awareness of recent regulatory developments impresses auditors and shows active compliance management.

Engage External Expertise: Consider engaging specialists for specific challenges. If you’re a VASP struggling with Travel Rule implementation, bring in blockchain compliance experts. If beneficial ownership verification is problematic, consult with corporate law specialists. If transaction monitoring calibration is an issue, engage financial crime data scientists. The investment in specialized expertise usually pays for itself through avoiding audit findings and their remediation costs.

For comprehensive preparation guidance, see our detailed article on preparing for your annual independent AML audit and our AML audit checklist for 2025.

Quick-Win Checklist: 30 Days to Stronger Audit Readiness

If your audit is approaching and you need to address the most critical vulnerabilities quickly, focus on these high-impact actions:

Week 1: Risk Assessment & Documentation

  • Review your risk assessment for generic language that could apply to any business
  • Add three specific, quantified risk statements based on your actual customer data
  • Document at least five specific controls mapped directly to identified risks
  • Update risk assessment date and document what changed in the past year

Week 2: Beneficial Ownership

  • Sample 10 customer files and verify complete beneficial ownership documentation
  • For any entities, ensure you’ve traced ownership to natural persons (not stopped at corporate shareholders)
  • Cross-check three UBO declarations against the Swiss Transparency Register
  • Document your verification methodology in writing

Week 3: Transaction Monitoring & Training

  • Calculate how many monitoring alerts you generated last quarter
  • If zero alerts: immediately review and tighten monitoring thresholds
  • If 500+ alerts: review false positive rate and consider threshold relaxation
  • Schedule brief refresher training for frontline staff on red flags

Week 4: Records & Final Review

  • Test document retrieval by requesting five random customer files
  • Time how long retrieval takes (should be under 2 business days)
  • Verify you have records for terminated relationships from the past 10 years
  • Prepare organized audit response package with key program documentation

Critical Final Checks:

  • Confirm board received compliance update within past 6 months
  • Verify all staff completed annual AML training
  • Review and close any outstanding remediation items from previous audit
  • Ensure MROS reports are filed for any pending suspicious activity cases

Conclusion: From Pitfalls to Best Practices

The five common pitfalls that derail Swiss AML audits—generic risk assessments, inadequate beneficial ownership documentation, ineffective transaction monitoring, poor staff training, and weak record retention—are entirely preventable. They don’t result from obscure regulatory technicalities or impossible standards. They stem from insufficient attention, inadequate resources, poor processes, or fundamental misunderstanding of what effective AML compliance requires.

The good news is that addressing these pitfalls simultaneously strengthens your actual financial crime prevention capabilities. You’re not just checking boxes to satisfy auditors—you’re building real protections that defend your institution from being exploited by money launderers, terrorist financiers, and sanctions evaders.

Swiss financial intermediaries operate in one of the world’s most reputable and well-regulated financial systems. Meeting FINMA’s expectations and SRO requirements isn’t merely regulatory obligation—it’s competitive advantage. Firms with strong compliance programs enjoy better banking relationships, attract more sophisticated customers, face lower operational risks, and build sustainable businesses.

As Switzerland’s financial sector continues evolving with VASPs achieving mainstream acceptance, payment institutions innovating new services, and traditional institutions adapting to digital transformation, AML compliance will only grow in importance. The regulatory trajectory is toward higher expectations, more sophisticated oversight, and enhanced accountability.

Position your organization for success by learning from others’ mistakes. Avoid the common pitfalls detailed in this article. Invest in building a robust compliance program that not only satisfies audits but genuinely protects your institution and the Swiss financial system’s integrity.

Expert AML Compliance Support for Swiss Financial Intermediaries

Preparing for AML audits and avoiding common compliance pitfalls requires specialized knowledge of Swiss regulatory requirements, practical implementation experience, and ongoing attention to emerging risks and regulatory developments.

ComplyFactor supports Swiss financial intermediaries across all sectors—VASPs, payment institutions, remittance companies, asset managers, and legal professionals—with:

  • Independent AML Audits: Conducted by professionals with extensive FINMA and SRO experience
  • MLRO Services: Outsourced compliance officers providing ongoing program oversight and management
  • Gap Assessments: Pre-audit evaluations identifying and prioritizing remediation needs
  • Remediation Support: Hands-on assistance addressing audit findings and implementing improvements
  • Training Programs: Customized staff training tailored to your business model and risks
  • Compliance Program Development: Building comprehensive frameworks from the ground up

Our team combines deep regulatory knowledge with practical operational experience, helping firms navigate Switzerland’s complex AML landscape efficiently and effectively.

Contact ComplyFactor today to discuss how we can help you avoid common AML audit pitfalls and build a best-in-class compliance program.


Frequently Asked Questions

What’s the single most important thing I can do to prepare for a Swiss AML audit?

Ensure your risk assessment accurately reflects your actual business model, customer base, and transaction patterns. A credible risk assessment forms the foundation for your entire compliance program. Generic or template-based risk assessments are the most common audit deficiency and undermine everything else you’ve built. Invest time in creating a specific, data-driven, regularly updated risk assessment demonstrating you understand your unique money laundering and terrorist financing vulnerabilities.

How can I tell if my transaction monitoring system is properly calibrated?

A properly calibrated system should generate a manageable number of alerts that your compliance team can thoroughly investigate—enough that some investigations result in MROS reports, but not so many that staff are overwhelmed by false positives. If you’re generating zero alerts or, conversely, thousands of alerts monthly, your calibration likely needs adjustment. Additionally, conduct periodic back-testing by reviewing whether your system would have detected suspicious patterns from historical MROS reports or known money laundering cases.

Do I really need to verify beneficial ownership information from the Swiss Transparency Register?

Yes. While the Transparency Register is a useful reference tool, you remain responsible for independently verifying beneficial ownership accuracy. The register contains self-reported information that may be outdated, incomplete, or incorrect. FINMA and SRO auditors expect you to validate registry information through additional sources such as commercial registry extracts, corporate documents, notarized declarations, or direct verification with identified beneficial owners. Simply copying registry entries into your files without verification is insufficient.

What should I do if I discover documentation gaps or compliance deficiencies while preparing for an audit?

Address them immediately rather than hoping auditors won’t notice. Document what you discovered, why the gap existed, what immediate corrective actions you took, and what systemic improvements you implemented to prevent recurrence. Auditors view self-identified and remediated issues more favorably than problems they discover that you were unaware of. Proactive remediation demonstrates effective compliance oversight.

How often should staff receive AML training?

At minimum, provide comprehensive training during employee onboarding before staff assume responsibilities involving compliance-related functions, and annual refresher training for all relevant personnel. However, effective programs also provide interim training when regulations change, audit findings are issued, new products launch, or emerging risks are identified. Consider supplementing formal annual training with regular brief updates, case study discussions, or scenario exercises to reinforce knowledge throughout the year.

Can I outsource my MLRO function to meet Swiss requirements?

Yes, outsourcing MLRO functions is permissible under Swiss law for most financial intermediaries, particularly smaller institutions where a full-time internal compliance officer may not be justified. However, you must ensure your outsourced MLRO has appropriate qualifications, understands Swiss regulatory requirements, provides adequate time and attention to your organization, and is properly supervised by your board or senior management. You remain ultimately responsible for compliance even when outsourcing specific functions. See our global MLRO services for guidance on effective MLRO outsourcing.

What’s the difference between a FINMA audit and an SRO audit?

Banks, securities dealers, and certain larger institutions directly supervised by FINMA undergo regulatory audits conducted by FINMA-recognized audit firms, with audit reports submitted directly to FINMA. Most other financial intermediaries affiliate with SROs (VQF, PolyReg, ARIF, OAR-G), which conduct or oversee periodic AML audits of their members. While SRO audits may seem less intensive, they apply the same regulatory standards as FINMA, following FINMA’s interpretations of the AMLA and implementing ordinances. Significant SRO audit findings are reported to FINMA, so the practical difference is smaller than many firms assume.

How long should I expect my AML audit to take?

Audit duration varies significantly based on institution size, business complexity, and transaction volumes. Smaller, simpler operations might complete audits in 1-2 weeks, while larger institutions with multiple service lines, significant cross-border activity, or complex structures may undergo audits lasting several weeks or even months. Proper preparation—organized documentation, responsive staff, clean compliance programs—significantly reduces audit duration. Audits of poorly prepared institutions take longer as auditors spend time locating documents, investigating concerning findings, and testing additional controls.

What happens if my audit identifies significant deficiencies?

Significant audit findings must be reported to your regulator (FINMA directly or via your SRO). You’ll be required to develop comprehensive remediation plans with specific timelines for addressing each finding. Your regulator may impose enhanced supervision requiring more frequent audits, restrictions on business activities until remediation is complete, or other supervisory measures. Severe or persistent deficiencies can result in enforcement actions including fines, public reprimands, license conditions, or in extreme cases license revocation. Prompt, comprehensive remediation is essential for managing regulatory consequences.

Is it better to conduct internal audits or reviews before regulatory audits?

Yes, this is strongly recommended. Pre-audit gap assessments by internal audit teams or external consultants allow you to identify and remediate issues before regulatory auditors arrive. Self-identified and corrected problems generally don’t become audit findings if the remediation was effective. This approach demonstrates proactive compliance management and reduces the likelihood of surprise findings during regulatory audits. Many firms engage independent firms like ComplyFactor for pre-audit gap assessments specifically to avoid preventable audit deficiencies.


This article provides general guidance on avoiding common Swiss AML audit pitfalls and does not constitute legal advice. Regulatory requirements vary based on your specific circumstances, business model, and regulatory status. Consult with qualified compliance professionals and legal advisors regarding your specific obligations.
