Part of our complete guide to negative news screening for Swiss banks. This post is the deep dive on AML obligations for Swiss asset managers under FinIA; the guide covers the end-to-end picture.
For two decades, most Swiss independent asset managers operated under a relatively light supervisory regime: registered as Directly Subordinated Financial Intermediaries (DSFI) or affiliated to a self-regulatory organisation (SRO), audited mostly on AML and left otherwise to their own devices. The Financial Institutions Act (FinIA / FINIG, SR 954.1), in force since 1 January 2020, ended that. Portfolio managers and trustees now need a FINMA licence, and they sit inside a prudential supervisory architecture that did not exist before.
The AML obligations themselves did not change. AMLA still applies, AMLO-FINMA still applies, and the Convention on Due Diligence applies to those firms that are CDB signatories. What changed is the audit bar. FINMA-recognised supervisory organisations (SOs) inspect on a recurring basis, and the documentation an asset manager has to produce on demand looks much closer to what a bank would produce than to what an SRO inspection used to be willing to accept.
This post maps the FinIA AML stack as it actually applies to asset managers and trustees, and outlines what FINMA and the SOs look for in practice.
What FinIA changed for asset managers
The legal architecture is the simple part. The FinIA text on fedlex.admin.ch sets out a tiered licensing regime: portfolio managers and trustees at the lower tier, managers of collective assets above them, fund management companies and securities firms (formerly securities dealers) higher still. Each tier inherits the requirements of the tiers below and adds its own.
For portfolio managers and trustees, the practical change was threefold:
- Licensing instead of registration. Each firm needed a FINMA licence under FinIA. The transition for previously active portfolio managers and trustees ran until end-2022, by which point a licence application had to be filed. Firms that did not apply had to wind down the regulated business.
- Ongoing prudential supervision. Where SROs supervised AML compliance, FINMA-recognised supervisory organisations (SOs) now supervise the full prudential and conduct picture, with FINMA retaining direct enforcement authority.
- Capital, organisation, and governance requirements. Minimum capital, fit-and-proper management, internal organisation appropriate to the risk, and adequate risk management and internal controls. None of these are AML rules per se, but they shape the environment in which AML controls operate.
The upstream point is that AML is no longer the only thing being inspected. It is one component of a wider prudential examination, and the documentation that supports it has to fit cleanly into that larger file.
Who is in scope
FinIA covers four main categories of financial institution:
- Portfolio managers (Art. 17 ff.): firms that manage individual client assets on a discretionary basis. The classic Swiss gérant de fortune indépendant / independent asset manager.
- Trustees (Art. 17 ff., same tier): firms that act as trustee in the sense of the Hague Trust Convention, holding and managing assets on behalf of beneficiaries.
- Managers of collective assets (Art. 24 ff.): firms managing Swiss or foreign collective investment schemes or pension assets above the de minimis thresholds.
- Fund management companies (Art. 32 ff.): companies operating Swiss collective investment schemes, with custody-bank-adjacent responsibilities.
- Securities firms (Art. 41 ff.): formerly securities dealers, trading securities in own name for clients or running market making.
Banks remain primarily regulated under the Banking Act (BankG, SR 952.0) rather than FinIA, although a bank that performs portfolio-manager or fund-management functions inherits those obligations on top. Insurers sit under the Insurance Supervision Act (SR 961.01) and are out of scope here.
The boundary that catches firms by surprise is between family office activity (which can be unregulated, depending on structure and clientele) and trustee or portfolio manager activity (which needs a FinIA licence). The test is functional, not nominal: a firm that calls itself a family office but manages third-party assets on a discretionary basis is, for FINMA purposes, a portfolio manager.
AML obligations under AMLA + FinIA
The AML stack for asset managers is the same one that applies to all Swiss financial intermediaries:
- The Anti-Money Laundering Act (AMLA / GwG, SR 955.0) sets the substantive duties: identification of contracting party, identification of beneficial owner, special clarification duties for high-risk relationships, communication of suspicious activity to the Money Laundering Reporting Office Switzerland (MROS), and ten-year retention of records (Art. 7).
- The FINMA Anti-Money Laundering Ordinance (AMLO-FINMA, SR 955.033.0) operationalises those duties. Risk-based classification of business relationships, ongoing monitoring of transactions, global monitoring of risk, and (Art. 22) the obligation to keep documents so that individual transactions can be reconstructed by a knowledgeable third party. We covered the mechanics in What Swiss AML rules actually require for screening evidence.
For an asset manager with a discretionary mandate, those duties translate concretely to:
- At onboarding: identify the contracting party, identify the beneficial owner of the assets, document the source of funds and source of wealth proportionate to the risk classification, and put the relationship into a risk class that drives the rest of the monitoring effort.
- During the relationship: monitor transactions and the relationship globally for indicators that the original risk classification is still appropriate. Re-perform identification and BO checks when triggers occur (change of beneficial owner, significant change in transaction pattern, adverse media, sanctions hit).
- On suspicion: file a report to MROS without delay (AMLA Art. 9), and freeze assets if required. The reporting threshold is "reasonable suspicion", which is lower than evidentiary certainty.
None of this is new under FinIA. What FinIA changed is who looks at the documentation afterwards and how often.
Screening expectations: what FINMA and SOs look for
The supervisory expectation, articulated through SO inspection practice and FINMA's enforcement record, is that a screening process produces evidence with five properties:
- Coverage at onboarding. Every contracting party and every beneficial owner is screened against, at minimum, applicable sanctions lists and a structured negative-news source. The screening event itself is documented: who screened, when, against which list version, with which result.
- Periodic re-screening. Existing relationships are re-screened on a frequency that reflects their risk class. High-risk relationships re-screened more often, low-risk less often, but every relationship re-screened on a documented schedule. The re-screening events are stored with the same evidence quality as the onboarding screening.
- Event-driven re-screening. Triggers (sanctions list update, adverse media event, change of beneficial owner, transaction anomaly) cause an out-of-cycle re-screening, also documented.
- Defensible disposition. When a screening produces a hit, there is a documented analyst decision: true positive vs. false positive, with a reason, against the captured evidence as it appeared at the time. We covered the architectural side of this in The four-eyes principle, as architecture.
- Reconstructability. Two years later, a third party can pick up the file and walk through what was checked, when, against what, with what conclusion, and on what evidence. This is AMLO-FINMA Art. 22 applied to screening specifically.
In a FinIA-era examination, the SO will sample relationships across risk classes and ask to see the screening trail for each. A trail that consists of "we checked World-Check on this date, no hits" is weak. A trail that produces the captured screen, the list version, the analyst, the timestamp, and the rationale is what the supervisory expectation actually looks like. We touched on the list-source side in OpenSanctions vs World-Check: what changes for documentation.
In our experience, the audit gap at smaller asset managers is not the absence of screening. It is screening that produces a screen but not an evidence file. A spreadsheet noting "screened, no hit" is record-keeping. A captured snapshot of the screen, hashed and frozen at decision time, is reconstructable evidence. AMLO-FINMA Art. 22 expects the second.
Documentation: what to keep, for how long
The retention floor for AML records is set by AMLA Art. 7 para. 3: ten years after termination of the business relationship or completion of the transaction. The 2023 revision of AMLA added Art. 7 para. 1bis, which requires that records be periodically reviewed and updated, with the periodicity and scope set on a risk basis.
The categories that have to survive ten years for an asset manager are at minimum:
- Identification records of the contracting party and any beneficial owners, including supporting documents (passports, KYC forms, BO declarations).
- Risk classification at onboarding and any subsequent reclassifications, with the rationale.
- Onboarding screening evidence (sanctions, PEP, adverse media) and the analyst disposition.
- Periodic and event-driven re-screening evidence and dispositions.
- Transaction monitoring outputs (alerts, dispositions, analyst notes).
- Suspicious activity reports filed with MROS and the supporting case file.
- All correspondence material to the AML decision.
The interaction with the revised Federal Act on Data Protection (nFADP) deserves attention. AMLA retention is a legal obligation, which is a valid lawful basis for processing under nFADP. But that does not exempt the firm from the rest of the data-protection regime: purpose limitation, access controls, deletion after the retention period ends, and the cross-border transfer rules. We covered the intersection in nFADP and AML retention: how to keep records lawfully for ten years.
Practical implications for tooling
The supervisory shift from SRO to FINMA-via-SO has a tooling implication that is rarely articulated in plain terms: tools that were good enough for an SRO inspection on a thirty-relationship sample are not good enough for an SO inspection that is going to sample across the book systematically.
The common gap pattern at smaller asset managers and trustees:
- Sanctions screening done in a browser against a free public list, with the result noted in a spreadsheet. No captured evidence. No version of the list at the time. No tamper-evident link between the screening event and the file.
- Negative-news screening done with a general search engine or a consumer-grade adverse-media tool, with results saved as PDFs or screenshots into a folder. Reconstructable in principle, but the analyst's reasoning and the screening parameters are not captured, and the snapshot may not survive layout changes if the underlying source page is revisited.
- Periodic re-screening tracked in a spreadsheet with no enforced cadence. The cadence is a manual discipline, and any gap is invisible until the SO asks for the schedule.
None of these are illegal. But they produce evidence files that hold up poorly under inspection. The fix is structural, not procedural: a screening system that captures the source as displayed at the time of decision, hashes the capture (see SHA-256 evidence chains for the mechanics), records the analyst, the list version, and the disposition, and stores the result in a form that can be replayed in five years. That is what an SRO-grade tool typically does not do, and what an institution that has been through a FINMA enforcement proceeding tends to insist on. We walked through what that looks like in retrospect in Audit drill: a five-year reconstruction.
The procurement question for any vendor an asset manager evaluates is the same one a bank would ask, scaled down: see Vendor due diligence: what a Swiss bank's procurement team should be asking for the full version. For an asset manager, the items that almost always matter are the audit-rights clause, the data-export and exit plan, the cross-border transfer pathway, and the evidence properties of the screening output itself. For firms operating under particularly strict secrecy or no-egress constraints, the deployment shape matters too: see Air-gapped deployment: what actually breaks.
Bottom line
FinIA did not create new AML obligations for asset managers. It moved the supervisory architecture so that the existing AMLA and AMLO-FINMA obligations are inspected more rigorously, on a more predictable cadence, by inspectors who read the documentation in the way FINMA reads bank documentation. The asset managers that adapt cleanest are the ones that treat the AML evidence file as a first-class operational artefact: captured, hashed, attributed, retained for ten years, and reconstructable on demand.
The asset managers that struggle are the ones that built their AML process around tools designed for an earlier regime, kept the process running once it was working, and now find that the inspection bar moved while the toolchain did not. The fix is neither expensive nor exotic. It is mostly about treating screening as evidence generation rather than as a checkbox, and choosing a toolchain that does the same.
If your firm is mid-way through a FinIA-related re-tooling conversation, we are easy to reach. The frame we work from is that AMLA Art. 7, AMLO-FINMA Art. 22, and the FinIA supervisory architecture all converge on the same operational property: evidence that can be defended on demand, by a person who was not in the room.
