17 June 2026 | Legal Insight

FINMA Guidance 04/2026: Further
Precision on AML Risk Analysis

A stronger supervisory focus on risk tolerance, indicators and governance

On 4 June 2026, FINMA published Guidance 04/2026 on AML risk analysis under Article 25 para. 2 of the FINMA AML-Ordinance. The Guidance is relevant because it turns the AML risk analysis into a practical benchmark for supervision, audit findings, remediation and potential enforcement exposure. It clarifies how FINMA expects banks and financial institutions subject to the Financial Institutions Act (FinIA) to define money laundering risk tolerance, use meaningful indicators, assess inherent, control and net risks, and then escalate breaches into management action.

Supervisory background

The obligation to prepare an AML risk analysis follows from Article 25 para. 2 of the FINMA AML-Ordinance. On this legal basis, FINMA had already reviewed the AML risk analyses of more than 30 banks in spring 2023, published Guidance 05/2023 on 24 August 2023, and has now issued Guidance 04/2026 after re-reviewing a segment of that group of banks.

FINMA’s key message is that the AML risk analysis should not be treated as a static compliance document. It should operate as a steering and control instrument for the AML framework, defining risk tolerance, informing controls and supporting risk-based resource allocation. FINMA, audit firms, supervisory organisations and enforcement teams will therefore need to focus more on the substance of the analysis.

Risk tolerance must be explicit, business-specific and enforceable

FINMA’s first focus is on money laundering risk tolerance. Guidance 04/2026 confirms that many institutions still need to define more clearly those risks they deliberately exclude based on their business model, strategy and risk appetite. Merely excluding jurisdictions or activities that are already clearly unacceptable is unlikely to be sufficient. Depending on the business model, deliberate exclusions may include foreign Politically Exposed Persons (PEPs), certain countries or sectors, crypto asset-related services or trade finance.

Risk tolerance should be documented, approved, translated into limits and supported by escalation rules. FINMA is particularly concerned about overly permissive exception-to-policy processes: systematic exceptions may indicate that the institution has changed its risk appetite without a formal decision.

Key risk indicators should monitor the real risk profile

Guidance 04/2026 clarifies that key risk indicators (KRI) are not the same as risk limits. Risk limits define boundaries; KRI monitor whether the institution remains within tolerance and whether management action is required. FINMA is critical of purely relative indicators, such as year-on-year growth measures and indicators that aggregate risks of different criticality into a single number.

Relevant indicators may include higher-risk relationships, PEPs, approved exceptions and exposures to higher-risk countries outside of target markets.

The risk analysis must be granular and methodologically coherent

The analysis must cover the relevant risk categories, including client segments, domicile or registered office, products and services, and any institution-specific criteria required by the business model. FINMA’s recurring concern is insufficient granularity, including the failure to present inherent risk, control risk and net risk in a comprehensible way for each identified risk.

FINMA also warns against methodological errors, such as considering mitigating measures when assessing inherent risk, or factoring risk tolerance into inherent risk rather than addressing it through limits and comparison with net risk. Institutions should also avoid generic references to internal directives and instead describe actual mitigation measures or link them to specific controls.

The risk analysis must lead to action

The AML risk analysis should be embedded in the broader governance and risk management framework. It should help determine whether the actual business remains consistent with the strategy and risk policy, whether risk limits are respected and whether corrective measures are required. FINMA expects institutions to use quantitative indicators to assess risk exposure across the client base and service offering, including both absolute numbers and proportions of the overall portfolio. Risk-limit breaches should trigger measures to bring risk back within tolerance, and not rely on routine exception approvals.

FINMA also focuses on whether net risk is compared with risk tolerance, as institutions may calculate net risk for individual risks while failing to aggregate them into an overall money laundering risk. The analysis should also show year-on-year changes and be linked to resource adequacy.

FinIA institutions and practical implications

Although the 2023 guidance was directed primarily at banks, FINMA had already indicated that the observations could equally apply to FinIA institutions. Guidance 04/2026 makes that point more explicit, with implementation adapted to actual risk exposure. Proportionality must be justified by the actual risk profile, and size alone does not remove the need for a robust and documented assessment.

Key takeaways

FINMA Guidance 04/2026 does not create a new AML risk analysis obligation. It clarifies and sharpens FINMA’s expectations and signals that AML risk analysis will be assessed according to its substance.

Institutions should review their AML risk analysis against FINMA’s updated expectations, focusing on risk tolerance, exception handling, KRI, risk methodology, net-risk aggregation, reporting and resource adequacy. For legal and compliance teams, these points are relevant when assessing remediation plans, supervisory correspondence, audit findings and potential enforcement exposure.