Measures for promoting good governance

FINMA promotes the good governance of supervised institutions through targeted measures. Sound business conduct and responsible governance build trust in the financial centre and mitigate risks. 

Shortcomings in the management structure play a significant role in the context of supervision, as a weak risk culture and inadequate understanding of management responsibility are often at the root of violations of supervisory law.

Findings from on-site inspections relating to corporate governance and risk culture

FINMA carried out seven on-site inspections of banks relating to corporate governance and risk culture in 2025. It found that indicators for governance and risk culture were only collected sporadically at the institutions investigated. This information was not, or was only infrequently, brought to the attention of the executive board or the board of directors. This meant that the senior management bodies in particular were unable to anticipate or control (negative) developments in governance or risk culture.

It became apparent that FINMA was unable to ascertain from the minutes of meetings of the executive board and board of directors whether substantive discussions actually took place within the bodies. These minutes were often not detailed enough to understand the discussions and, in particular, dissenting opinions. Decisions were sometimes made informally and inadequately documented. This runs counter to good governance.

In its review of the incentive systems, FINMA found that there is not always an appropriate relationship between variable remuneration and employee appraisals. Such an imbalance undermines a healthy risk culture and incentive structure within the institutions. In this context, it should be emphasised that the use of so-called relationship manager scorecards often led to weaknesses in compliance behaviour being diluted by the weighting of the individual topics, which had a negative impact on the weight of responsibility felt by the persons concerned.

Finally, FINMA found during the reviews that the role and effectiveness of the compliance function could be improved, particularly in relationship-manager-centric organisations. Strong, independent control functions are the backbone of any financial institution and must be positioned in such a way that they can effectively fulfil their control responsibilities.

FINMA carried out four on-site inspections at insurance companies, focusing on the governance and effectiveness of the internal control system (ICS). These revealed repeated shortcomings in the design and effectiveness of individual control activities, as well as fundamental findings in relation to the ICS framework and governance in risk management. In some cases, it was not clear how the board of directors actually fulfils its responsibility for the ICS and reviews the effectiveness of the ICS. In other cases, the division of responsibilities between the control activities of the operational units (first line of control) and the control functions (second line of control) was also unclear. In order to prevent a problematic diffusion of responsibilities and to strengthen the individual accountability of the operational units, the different responsibilities must be clearly delineated and communicated. An efficient and effective ICS framework is an essential element for effective risk control by the executive board and the board of directors.

FINMA took corrective action wherever deficiencies were identified. In order to recognise and prevent undesirable developments at an early stage in future, FINMA will increasingly focus its preventive supervision and interventions on aspects of risk culture.

Risk analysis as a key element in the prevention of money laundering

Alongside measures for monitoring and managing risks, a risk tolerance policy that has been defined by the executive management board in the course of money laundering risk analysis serves as a key instrument in any effective anti-money laundering strategy. In its FINMA news on Guidance 05/2023 “Money laundering risk analysis pursuant to Article 25 para. 2 AMLO-FINMA”, FINMA had presented its observations and experiences of risk analysis in a transparent manner. Since then, it has examined numerous risk analyses. In doing so, it has noted progress in terms of both defining the risk tolerance and regarding the design of risk analysis. Nevertheless, in 2025, FINMA identified further potential for improvement.

In particular, when defining the risk tolerance, it was often the case that only strict exclusion criteria (e.g. prohibited countries and industries) were specified. This is not sufficient. The definition of risk tolerance must deal with the risks that the institution could but does not wish to take on and is part of the risk culture. Moreover, risk-mitigating measures were being paraphrased in the risk tolerance. However, risk-mitigating measures are not part of risk tolerance. Risk-mitigating measures come to bear in the case of risks that the institution enters into in accordance with the defined risk tolerance.

In addition, assessing the inherent risks posed problems at certain individual institutions. For example, the risk mitigation measures or the institution-specific risk tolerance were often erroneously taken into account when assessing the inherent risks. That resulted, by way of example, in risk factors such as foreign politically exposed persons (PEPs), or business relationships involving complex organisational structures (e.g. trust structures nested across different foreign jurisdictions), being assessed as inherent risks with a medium criticality level rather than a high or very high criticality level. FINMA required the institutions concerned to rectify these deficiencies.

There was also uncertainty surrounding the necessary degree of detail required for the money laundering risk analysis. The general principle is that the higher the level at which the defined risk tolerance is set, the finer the degree of detail that will need to be presented in the money laundering risk analysis in respect of the individual money laundering risk factors (e.g. for the country-specific risk, there should be a breakdown by country).

FINMA is continuing to focus on this issue and will be expanding its use of the instrument of money laundering risk analysis as part of its future supervision of money laundering risks.

Findings from on-site inspections related to the Anti-Money Laundering Act

FINMA made combating money laundering in the retail banking sector a focal point of its supervisory work in 2025. It carried out several on-site inspections, which revealed that business clients form a particularly high-risk segment. This client group carries specific risks in terms of the identification, monitoring and traceability of the economic activity.

In isolated cases, institutions had entered into client relationships that exceeded their risk appetite and were not adequately understood by the banks. In the case of clients with foreign connections this included, for example, special business models or unusual transaction behaviour (particularly pass-through transactions).

The criteria indicative of business relationships with increased risks are to be drawn up by each bank on an institution-specific basis. Inspections showed that certain regulatory criteria, which are indicative of such business relationships, are not systematically taken into account. If a financial intermediary considers a criterion to be not relevant, it must justify its decision in a transparent and documented manner with quantifiable and verifiable indicators (see FINMA news on Guidance 05/2023 “Money laundering risk analysis pursuant to Article 25 para. 2 AMLO-FINMA”). Although other criteria were being taken into account, they were assigned too low a weighting in the bank’s scoring methodology. This means that they have virtually no influence on a final classification as increased risk, which can lead to a structural underestimation of money laundering risks.

The on-site inspections also showed that the frequencies of periodic assessments pertaining to business relationships with increased risks are sometimes too low when measured against market standards. Delays in updating the assessments were also identified in the case of some institutions, which is in contravention of their own internal guidelines. The frequency of periodic assessments must align with the business relationships’ risk level, and assessments must be underpinned by adequate and qualified resources.

FINMA expects financial intermediaries to pay special attention to the indicated weak points and, where necessary, to enhance their anti-money laundering processes appropriately.

Findings from on-site inspections related to the Financial Services Act

In late 2024, FINMA published central questions relating to the interpretation of the Financial Services Act in a new Circular. Accordingly, the key points set out in the Circular were assessed during on-site inspections carried out at the supervised institutions. Points of weakness in the implementation were identified among smaller institutions in particular. Despite the transparency requirements set down in the Act and the Ordinance, disclosures of conflicts of interest necessitated by use of the institutions’ own financial instruments still remained unsatisfactory. It is important that clients are informed transparently about the use of institutions’ own financial instruments. Furthermore, the risks relating to compliance with the rules of conduct in the investment business were still not being adequately taken into account during internal risk assessments and were being presented to the executive bodies only in a fragmented manner. In that respect, FINMA identified further potential for improvement among many institutions. Appropriate control measures need to be defined in order to reduce and control risks.

In the course of the on-site inspections, FINMA also addressed shortcomings in the advisory process. Private clients are entitled to extensive investor protection. If they have sufficient assets and also, where relevant, investment knowledge, they may waive part of their entitlement to investor protection by means of an “opt-out” mechanism. Opting out thus entails risks, and clients must be made aware of those risks. Clients may also rescind their opt-out at any time in order to benefit from the investor protection once more. Shortcomings in clarifying the investor protection, opt-out mechanism and opt-out risks were identified at various institutions.

Recommendations on financial instruments must also be adequate and appropriate for the clients. Accordingly, a risk profile and information on their knowledge and experience must be obtained before any services are provided. As FINMA noted during its on-site inspections, some institutions are failing to observe that order of procedure. Corresponding warnings were issued to institutions concerned.

A cross-comparison revealed that a majority of institutions offer portfolio-related investment advisory services. In doing so, some institutions were paying too little attention to the diversification risks arising in a portfolio context. In the case of portfolio-related investment advice, client investments are considered holistically during the advisory process, and risks are gauged at the portfolio level rather than in respect of individual investments. Institutions must therefore focus on ensuring suitable investment diversification for their clients. If the institution’s investment strategy also provides systematically for non-market-standard risk concentrations, clients must be informed accordingly before provision of the service. In the course of the on-site inspections, institutions failing to do so were instructed to effect improvements.

Preventing and combating greenwashing

During 2025, FINMA continued its work to combat greenwashing in connection with Swiss funds making reference to sustainability and at banks’ point of sale. This is in accordance with FINMA’s mandate to protect investors from improper business conduct, particularly from deception, including greenwashing. In FINMA’s view, greenwashing takes place if misleading statements are being made to investors (knowingly or unknowingly) concerning the sustainability aspects of financial products or services.

In the course of new approvals and changes to Swiss funds making reference to sustainability, FINMA assessed whether investors were being misled about the sustainable characteristics of those funds. Where necessary, it enforced disclosure of the minimum information. In doing so, it relied on the statutory transparency requirements.

With respect to the point of sale at banks, FINMA carried out on-site inspections pertaining to the organisational and governance obligations provided for under supervisory law. If, in the course of those reviews, FINMA identified any failure to comply with internal rules of conduct that govern sustainability aspects, it raised a corresponding complaint and demanded that the rules be complied with.

In the course of its on-site inspections, FINMA also identified weaknesses in the areas of risk management and the control framework. In some cases, the greater risks linked to the growth of the sustainable financial services business were still not receiving sufficient attention from top management. FINMA noted that (greenwashing) risks were not always being adequately identified by institutions in the course of the investment process and that compliance with the internally defined sustainability claim was still not adequately assured by means of appropriate controls. FINMA also noted that some institutions were unable to adequately substantiate impact promises (measurable, positive ecological impact) made to clients due to a lack of measurable targets and information relating to the promised impact.

In FINMA’s view, the applicable statutory basis is incomplete and contains gaps. Combating greenwashing in an effective manner requires uniform definitions, cross-sectoral rules as to conduct at the point of sale, and binding minimum requirements with respect to product transparency and reporting.

Findings from the on-site inspections relating to sanctions

Working in collaboration with experts from the State Secretariat for Economic Affairs (SECO), FINMA also carried out a series of sanctions-related on-site inspections at supervised banks during 2025. A special focus was placed on the restrictions on trade (sanctions on goods) and their impacts on the financial institutions.

In numerous cases involving banks with exposure to potential sanctions-related risks linked to their provision of services to foreign business clients, FINMA noted gaps in the internal directives and prevention measures at those banks. Institutions engaged in relevant business activities are required to perform a sanctions-related risk analysis and ensure that formal internal regulations (e.g. directives) are in place for the business activities concerned. As part of the transaction monitoring process, a special focus must be placed on sanctions-related aspects. For example, sector-specific sanctions pose particular challenges in the area of transaction monitoring, which means that special knowledge is required on the part of the responsible employees.

Banks are required to carry out more rigorous investigations in respect of foreign business clients. That applies in particular if such clients are established or carry out trading activities in a country that is not implementing sanctions supported by Switzerland. The bank concerned must therefore, for example, clarify and document whether the client produces or trades in goods affected by Swiss sanctions, the countries the client operates in, and who the client’s customers are. The relevant know-your-customer information must be kept up to date.

To ensure that client relationships involving sanctioned persons can be spotted, banks must be aware of all persons and counterparties involved in the client relationship. In the case of client relationships entered into before 2016, it was still unnecessary for the controller to be identified. If banks continue client relationships for which the controller was not identified in view of the relevant transition provisions, they run the risk of maintaining business relationships involving sanctioned persons. In that respect, it is also relevant to point out the legal obligation, which provides that client files must be reviewed periodically to ensure they are up to date. When doing so, the identities of any as yet still unidentified controllers must be established. FINMA identified shortcomings in this regard during its on-site inspections and instructed the institutions concerned to rectify them.