
Risk-based approach to AML screening: how often, how deep, for whom

FINMA expects screening cadence and depth to track customer risk, not flatten it. Here is how the risk-based approach maps to the three lines of defence in a way that survives an audit.

Antoine Bedaton
21 Jan 2026, 12 min read

Part of our complete guide to negative news screening for Swiss banks. This post is the deep dive on the risk-based approach to AML screening; the guide covers the end-to-end picture.

The phrase "risk-based approach" appears in almost every Swiss AML policy document. In most of them it functions as a slogan rather than a control. The text says "we apply a risk-based approach to ongoing monitoring", and a reviewer is left to guess whether that means quarterly, annually, on transaction-trigger only, or whatever the analyst on duty thinks appropriate that morning.

FINMA does not accept that ambiguity. The Anti-Money Laundering Act (AMLA / GwG, SR 955.0) and the FINMA Anti-Money Laundering Ordinance (AMLO-FINMA, SR 955.033.0) require that the risk classification of each business relationship drive concrete operational decisions, including how often to re-screen and how deeply. This post is about turning that obligation into a defensible cadence, and how the LoD1 / LoD2 / LoD3 framing maps to it.

What "risk-based" actually means in FINMA terms

The legal hook is in three places.

AMLA Art. 6 ("Special clarification duties") obliges intermediaries to clarify the economic background and purpose of a transaction or business relationship when there are indicators of unusual circumstances or a heightened risk of money laundering. Art. 6 para. 2 lists the clarification-trigger conditions; the duty to act on those triggers is not optional.

AMLO-FINMA Arts. 13 to 19 operationalise this. Art. 13 requires intermediaries to classify business relationships by risk according to criteria they themselves define and document. Arts. 14 and 15 enumerate higher-risk categories and higher-risk transactions. Arts. 16 to 18 define what additional clarifications are required for higher-risk relationships. Art. 19 covers the periodic review obligation: relationships and transactions have to be monitored, with the cadence and scope set on a risk basis.

FINMA Circular 2023/1 on operational risks and resilience does not replace these AML rules, but Chapter IV.D ("Critical Data Risk Management") expects integrity and availability controls over the same evidence used to back the risk-based decisions. The screening data that feeds the classification is critical data; the rationale that justifies the cadence has to be reproducible.

The international anchor is the FATF guidance on the risk-based approach for the banking sector, which Switzerland's framework operationalises domestically. FATF's Recommendation 1 puts the obligation plainly: institutions must identify, assess, and understand their ML/TF risks and take commensurate measures.

The practical consequence: a Swiss institution cannot run a flat, "once a year for everyone" review schedule and call it risk-based. The cadence has to vary by classification, and the variance has to be documented.

Risk classification: what feeds the band

AMLO-FINMA Art. 13 leaves the criteria for classification to the institution, but Arts. 14 and 15 give a non-exhaustive list of factors that trigger higher-risk treatment. Most Swiss banks combine these into a low / medium / high banded model, with the bands themselves defined in internal directives.

Factors that typically feed the classification:

  • Geographic exposure. Customer domicile, principal place of business, source-of-funds origin, transaction counterparties. Country risk lists (FATF high-risk jurisdictions, EU AML high-risk third countries, the institution's own list) drive the input.
  • Business type and product. Cash-intensive sectors, correspondent banking, private banking, virtual asset services. AMLO-FINMA Art. 15 specifies categories that are higher-risk by default.
  • Beneficial-ownership opacity. Trusts, foundations, multi-layer holding structures, offshore vehicles. The harder it is to trace the natural person at the end of the chain, the higher the band.
  • PEP status. AMLO-FINMA explicitly treats foreign politically exposed persons as high-risk. Domestic PEPs and PEPs of international organisations are treated as high-risk depending on additional factors, per the SBA's CDB 20.
  • Transaction volume and velocity relative to the stated purpose of the relationship.
  • Channel of onboarding. Non-face-to-face, introduced by a third party, digital identification under FINMA Circular 2016/7 versus in-person onboarding.
  • Adverse media history. Prior hits, prior escalations, prior exits initiated by other institutions.

The classification is not a one-time exercise. It is a derived value that has to be recomputed when any of its inputs change. A relationship classified low at onboarding and reclassified high three years later because the customer's controlling shareholder became a PEP is a normal lifecycle event, not an exception.

Frequency: how often to re-screen

This is where most institutions either over-engineer or under-document. The risk-based principle applied to frequency has two mechanisms working in parallel:

Scheduled cadence by risk band. A baseline interval that applies to every relationship in the band absent a triggering event. This is the periodic review obligation in AMLO-FINMA Art. 19 made concrete.

Event-driven triggers. Re-screens forced by specific events, regardless of where the next scheduled review falls.

A defensible matrix usually looks something like the following. The exact intervals are an institution-level policy decision, not a regulator-set number, but the shape is the consensus:

| Risk band | Scheduled cadence | Typical depth at scheduled review |
|---|---|---|
| Low | Every 24 to 36 months | LoD1 light review, LoD2 if any change |
| Medium | Every 12 months | LoD2 standard review |
| High | Every 6 to 12 months | LoD2 enhanced review |
| PEP / high+ | Every 6 months or less | LoD2 enhanced, LoD3 sample at year-end |

The cadence should be documented with the rationale for each band. An examiner who asks why low-risk relationships are reviewed every 30 months and not every 12 months is not asking a trick question. The answer is whatever the institution's risk methodology says, and that answer has to be in writing.

What undermines the cadence in practice is the tension between scheduled and event-driven reviews. The scheduled review tends to become the default because it shows up in a calendar; the event trigger gets handled when someone notices. A serious operational setup treats the trigger as the primary mechanism and the scheduled cadence as a backstop, not the other way round.

Depth: LoD1, LoD2, LoD3 in practice

The risk-based principle applies to depth as much as frequency. Two relationships in the same band can require different review depth depending on what the trigger surfaced. The three lines of defence (Basel principles, BCBS publications) operationalise this distinction.

LoD1: Front Office. Customer-facing teams. The depth at LoD1 is "is anything obviously off?" Quick screening for sanctions hits, basic adverse media, presence in PEP lists. The LoD1 review either clears the relationship for routine processing or escalates to LoD2. This is point-in-time evidence capture, not an investigation.

LoD2: Compliance. The compliance function. Depth at LoD2 is the full investigation: the relationship between hits and the customer, context for adverse media, beneficial-ownership tracing, PEP status verification, source-of-funds plausibility. LoD2 produces the documented decision that closes or escalates the matter, and is where the four-eyes principle attaches (see our post on four-eyes architecture).

LoD3: Audit (read-only). Internal audit and external auditors. Depth at LoD3 is retrospective: not redoing the LoD2 investigation but verifying that the LoD2 process produced defensible evidence, that the cadence was applied, and that the rationale survives inspection.

In NNSFlow, the LoD level is a property of both the user and the investigation. LoD1 users perform initial screening; LoD2 users run the deep investigation and four-eyes approval; LoD3 users have read-only access for retrospective review. The default configuration sets the minimum reviewer LoD for four-eyes approval to LoD2, and the minimum LoD for PEP-touching cases also to LoD2. The mapping between user role, LoD level, and permitted actions is configurable per deployment.

The practical consequence: the "who" and the "how deep" questions are answered together. A high-risk relationship is not just "screened more often"; it is screened more often and by a reviewer at the LoD level the policy requires.

LoD versus risk band

These are two independent dimensions, not one. A low-risk relationship can still be reviewed at LoD2 if a trigger surfaces a specific concern. A high-risk relationship can be reviewed at LoD1 for routine periodic checks if nothing has changed since the last LoD2 deep review. The risk-based approach is what governs the combination.

Trigger events that force a re-screen

Scheduled cadence is the floor. Triggers are what push the cadence up when the underlying risk changes. The list below is not exhaustive, but covers the common categories that any defensible policy enumerates.

  • Sanctions designation. A new entry in OFAC SDN, EU consolidated list, SECO, UN 1267 lists, or domestic Swiss measures that touches any party in the relationship (customer, beneficial owner, controlling shareholder, counterparty in a recent transaction). The re-screen is immediate, not "at the next scheduled review". See our comparison of OpenSanctions versus World-Check for what the underlying lists look like in practice.
  • PEP status change. A customer or beneficial owner becomes a PEP, or ceases to be one. AMLO-FINMA does not contemplate "we will get to this at the next annual review". The classification flips when the underlying status flips.
  • Adverse media hit. Significant news exposure related to financial crime, corruption, sanctions evasion, or other AML-relevant conduct. The judgement call is what counts as "significant"; the threshold belongs in the institution's policy, not in the analyst's head.
  • Beneficial owner change. Restructuring, share transfer, inheritance, or acquisition that changes who controls the customer. AMLA Art. 4 obliges the intermediary to identify the beneficial owner; a change to that owner is a change to the identification record and re-triggers due diligence.
  • Atypical transaction. AMLA Art. 6 para. 2 trigger conditions: unusual size, structure, or purpose, fragmentation that suggests smurfing, transit through high-risk jurisdictions. The clarification duty under Art. 6 attaches to the transaction itself, but it typically also re-triggers the relationship-level review.
  • Country risk change. A jurisdiction in the customer's exposure profile gets added to a high-risk list (FATF grey or black list, EU high-risk third countries). The classification of every relationship exposed to that jurisdiction has to be revisited.
  • Internal-source trigger. Suspicious-activity report filed, exit decision elsewhere in the group, regulatory inquiry about the customer.

A trigger that depends on an analyst happening to read the news is not really a trigger, it is a hope. The policy needs a defined ingestion path for each category, with the source of truth, the latency expectation, and the required action set documented per trigger type.

Documenting the rationale: what FINMA wants in audit

The reconstruction obligation in AMLO-FINMA Art. 22 applies to the risk classification and the cadence as much as to the substantive decision. A FINMA-engaged auditor or a FINMA-appointed investigator (FINMASA Arts. 25, 36) is entitled to ask: why is this relationship classified medium and not high, and why was the last review fourteen months ago and not nine? The answer needs to be in the file, in writing, in a form a third party can read.

The audit-defensible record covers four items.

First, the classification itself, with the values that drove it. "Medium risk" is not a record. "Medium risk because [country: low, business type: medium, beneficial owner opacity: low, PEP: no, transaction volume: medium, channel: low], using methodology version 2024-Q3" is.

Second, the cadence applied to that classification, with a reference to the policy version in effect when the cadence was chosen. Policies change; the policy version under which a particular review was conducted has to be reconstructable. Schema preservation matters here: if the methodology evolved, the historical view must remain readable. (See the discussion in our evidence-rules post.)

Third, the deviations and their justification. A scheduled review that was deferred, a high-risk relationship that was reviewed at LoD1 because the trigger was minor, a re-screen that happened earlier than the cadence required because of an event: each deviation is a decision, and each decision needs a documented reason and a named decision-maker. Recent FINMA enforcement decisions have repeatedly turned not on missing files but on documentation that, when produced, did not defensibly support the institution's earlier choices (Credit Suisse / Mozambique (2021), Julius Baer Latin America matter (2020)).

Fourth, the trigger response trail. When a trigger fires, who saw it, when, and what they did. A list of triggers ingested into the system without a corresponding action history is worse than no list, because it shows the institution had the information and did nothing documented with it.
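The cadence matrix, the trigger override and the four-item audit record above, as one added example (not NNSFlow code or any institution's methodology): it assumes a constructed "highest factor wins" banding rule, factor scores of 1 to 3, and illustrative intervals that a real policy would set itself.

```python
from datetime import date, timedelta

# Constructed policy parameters: institution-level choices, not regulator-set numbers.
CADENCE_MONTHS = {"low": 30, "medium": 12, "high": 6, "pep": 6}
MIN_LOD = {"low": 1, "medium": 2, "high": 2, "pep": 2}      # reviewer LoD at a scheduled review
IMMEDIATE_TRIGGERS = {"sanctions_designation", "pep_status_change", "adverse_media",
                      "beneficial_owner_change", "atypical_transaction",
                      "country_risk_change", "internal_source"}
FACTOR_KEYS = ("country", "business_type", "bo_opacity", "volume", "channel")

def classify(factors):
    """Derive the band from factor scores 1..3 (hypothetical 'highest factor wins' rule);
    a PEP flag forces the PEP band regardless of the other factors."""
    if factors.get("pep"):
        return "pep"
    return {1: "low", 2: "medium", 3: "high"}[max(factors[k] for k in FACTOR_KEYS)]

def plan_review(factors, last_review, triggers, today, methodology_version, policy_version):
    """Build the audit record: classification with its inputs, cadence with the policy
    version in force, the trigger trail, and whether an event overrides the calendar."""
    band = classify(factors)
    scheduled = last_review + timedelta(days=30 * CADENCE_MONTHS[band])
    fired = sorted(t["type"] for t in triggers if t["type"] in IMMEDIATE_TRIGGERS)
    record = {"band": band, "factors": dict(factors), "methodology_version": methodology_version,
              "policy_version": policy_version, "cadence_months": CADENCE_MONTHS[band],
              "scheduled_due": scheduled, "trigger_trail": list(triggers)}
    if fired:  # event trigger: due now, at LoD2, regardless of the scheduled date
        record.update(due=today, reason="trigger:" + ",".join(fired), min_lod=2)
    else:
        record.update(due=scheduled, reason=f"scheduled:{band}", min_lod=MIN_LOD[band])
    return record

def deviations(record, performed_on, reviewer_lod, justification=None, decided_by=None):
    """List deviations from the plan; each one needs a written reason and a named decision-maker."""
    found = []
    if performed_on > record["due"]:
        found.append(f"late by {(performed_on - record['due']).days} days")
    if reviewer_lod < record["min_lod"]:
        found.append(f"reviewed at LoD{reviewer_lod}, policy requires LoD{record['min_lod']}")
    if found and not (justification and decided_by):
        found.append("UNDOCUMENTED: deviation without justification and decision-maker")
    return found
```

The record returned by `plan_review` is the thing to freeze at decision time; `deviations` is the check an LoD3 reviewer can run over it cold.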

The drill described in our audit-drill post applies directly to risk-based decisions: pick a relationship at random, hand the file to someone who did not work it, and see whether the classification, the cadence, and any deviation can be defended in thirty minutes from a clean read.

Frequency and depth are two dials, not one. Risk band drives the cadence; the line of defence drives the depth; events override both. The audit-defensible answer is the one where each of the three is independently documented.

Bottom line

The risk-based approach is not a deferral. It is a positive obligation to make every screening decision (when, how deep, by whom) trace back to a documented risk classification and to the policy version in force at the time. A flat cadence is non-compliant; an unstructured one is indefensible.

The combination that holds up in audit is straightforward to state and harder to operate:

  1. A risk classification with explicit factors and a recorded methodology version.
  2. A scheduled cadence per band, declared in policy, applied consistently, deviation-justified.
  3. A trigger taxonomy with defined ingestion paths and required actions per trigger type.
  4. An LoD assignment that maps reviewer authority to case depth, with four-eyes approval at the LoD level the policy requires.
  5. A documented trail across all four, captured at the time of the decision, frozen in the form a third party will read it in.

A system that operationalises this combination is the kind where a five-year-old review can be defended cold. A system that flattens it produces enforcement files. The gap between the two is mostly about what gets written down at the time, and about who is allowed to do what at which depth. Neither problem is technically hard; both are organisationally easy to neglect.

If you are mid-way through redesigning your risk-based monitoring methodology and want to compare notes, we are easy to reach. "Risk-based" only earns its name when an examiner reading the file two years later can reconstruct, without help, why this relationship was reviewed when it was, by whom, and to what depth.

Tags: #RBA #FINMA #AMLA #LoD #swiss