Swiss AML obligations explained (AMLA / GwG)

What the AMLA is, and what it covers

The AMLA is Switzerland's federal anti-money-laundering statute, in force since 1 April 1998. It does not regulate companies in general. It regulates a defined category: the financial intermediary. The Act sets the duties at the level of principle. The ordinances below it, chiefly the AMLO-FINMA (SR 955.033.0, the FINMA Anti-Money Laundering Ordinance of 3 June 2015), set out how a supervised firm actually meets them.

A financial intermediary is anyone who, on a professional basis, accepts or holds assets belonging to others, or helps to invest or transfer them. That is a wide net. It catches the prudentially licensed institutions: banks, securities firms, fund institutions, insurers. And it catches a long list of firms below any licence threshold, among them independent asset managers, trustees, fiduciaries, payment-service providers, currency exchangers, and crypto businesses that exchange, transfer or custody virtual currencies for clients. The label on the business is irrelevant. What it does with client assets decides whether the AMLA applies.

The line that matters in practice is supervision, not duty. The duties are the same across the board. Who checks them is not. FINMA supervises the AML compliance of licensed institutions directly. Everyone else must affiliate with one of the FINMA-recognised self-regulatory organisations, of which there are eleven as of June 2026. The mechanics of that split, which gate a given activity falls through, are set out in our guide to FINMA licence versus SRO membership.

The five due-diligence duties

The due-diligence duties are the spine of the whole regime, and they are cumulative. Meeting four of them well does not cover a gap in the fifth. They run in a logical order, from knowing who the client is to watching what the client does, and each one feeds the next.

Identification of the contracting party comes first. For an ongoing business relationship it is required regardless of amount. For occasional, one-off transactions a threshold applies: the AMLO-FINMA sets identification at CHF 15,000 for cash transactions and subscriptions to certain unlisted collective investment schemes, a figure lowered from CHF 25,000 with effect from 1 January 2020. For linked virtual-currency transactions the threshold drops to CHF 1,000 measured over a 30-day period, a crypto-specific tightening brought in by the AMLO-FINMA partial revision in force since 1 January 2023. These are the points where many onboarding flows are quietly non-compliant, because the occasional-transaction rule is easy to overlook.

The beneficial-owner duty is the one that bites. The intermediary must look through the contracting party to the natural person who ultimately owns or controls it, and record that person, not merely the account holder. Illicit money hides behind layered companies and nominee structures precisely so the paperwork names someone other than the controller. Getting this wrong is among the most frequent audit findings. We build the look-through into onboarding so the real owner is captured and evidenced, which is set out in our KYC and onboarding guide.

Clarification and risk classification turn raw identification into something the firm can act on. The intermediary must understand the purpose and intended nature of the relationship and grade its risk. A relationship classified higher-risk triggers enhanced due diligence: source of wealth, source of funds, and senior-management approval. What pushes a relationship into that category is a politically exposed person, an opaque structure, a high-risk jurisdiction, or an unusual transaction profile. The classification then sets how intensively the relationship is monitored.

Risk-based monitoring is the standing obligation

Monitoring is the duty that never ends, and it is the one regulators test hardest. Identification happens once; monitoring runs for the life of the relationship. The intermediary must watch transactions against the profile it established at onboarding and react when activity departs from it. This is why weak onboarding produces weak monitoring. Without a baseline of who the client is and what the relationship is for, there is nothing meaningful to measure activity against. The two are one system, covered in our sanctions screening and onboarding pages.

"Risk-based" is the operative phrase. Swiss AML law does not demand that every transaction be scrutinised identically. It demands that scrutiny scale to risk: a low-risk relationship is monitored lightly, a higher-risk one closely, and the firm must be able to justify how it draws the line. That justification lives in the institution-wide risk assessment, the document that maps the firm's clients, products, channels and geographies to a risk rating and sets the rules the monitoring then applies. In the matters we run, the part that bites is usually not the dramatic suspicious transaction but the slow drift: a client whose activity grows past its original profile while the file is never refreshed, which is exactly what an auditor reconstructs after the fact.

The reporting duty and the asset freeze

Reporting to MROS under art. 9 AMLA is mandatory, immediate and non-negotiable. Where a financial intermediary knows, or has reasonable grounds to suspect, that assets in a relationship are connected to money laundering, terrorist financing, a predicate offence or a criminal organisation, it must file a report with the Money Laundering Reporting Office Switzerland (MROS). MROS is the Swiss financial intelligence unit, housed at the Federal Office of Police (fedpol). It analyses the report and forwards cases to the cantonal or federal prosecution authorities where the suspicion holds.

Two duties attach to the report, and both have teeth. First, the freeze: under art. 10 AMLA the intermediary must block the reported assets, and the block runs for a maximum of five working days from the moment the report reaches MROS, giving the prosecutors a window to order a longer seizure. Second, the prohibition on tipping off: the intermediary may not inform the client, or any third party, that a report has been made. A firm that wants to keep the client comfortable and quietly drop the relationship instead of reporting has the duty backwards. The reporting threshold, "reasonable grounds to suspect", is lower than proof, and the obligation is the firm's to discharge whatever the commercial cost.

One protection balances the duty. Art. 11 AMLA shields an intermediary that reports in good faith from civil and criminal liability for having reported, even if the suspicion later proves unfounded. That exemption exists precisely so the firm reports rather than agonising over whether the suspicion is certain. Filing the report is the safe course; sitting on a genuine suspicion is not.

What the AMLA does not do

The AMLA is narrower than it is often assumed to be, and three misreadings cause most of the trouble. Knowing the limits is as useful as knowing the duties.

It does not turn an intermediary into a prosecutor. The firm's job is to identify, clarify, monitor and report. It is not to investigate the suspected crime, prove it, or decide guilt. Once the report reaches MROS the analysis and any prosecution belong to the state. A firm that tries to "build a case" before reporting usually just delays a report it was obliged to file at the point of suspicion.

It does not vouch for a client or a business. Meeting the AMLA duties says the firm knows who its client is and is watching the relationship. It says nothing about whether the client is a good investment, the structure is sound, or the business is reputable. AML compliance is a control against illicit money, not a quality stamp, and it confers no warranty on anyone.

It does not move the firm's liability to anyone else. Outsourcing the AML-officer function, buying a monitoring tool or affiliating with an SRO does not transfer the firm's responsibility for compliance; the governing body keeps it. Outsourcing puts the function in qualified hands and reduces the risk that reaches the firm. It does not relocate the legal accountability. That distinction, and where an external AML officer fits, matters to every smaller intermediary tempted to read a mandate as a way out.

And it does not yet reach pure advisory work. As of June 2026 the Act bites on lawyers, accountants and other advisers only when they act as financial intermediaries, for example by holding or transferring client assets; legal or tax advice on its own sits outside it. That boundary is moving. The partial revision of the AMLA, passed by Parliament on 26 September 2025, extends certain advisory activities into scope, including advice on setting up or structuring legal entities and on some real-estate transactions, and pairs this with a new federal transparency register of beneficial owners run by the Federal Department of Justice and Police. The revised AMLA is expected to enter into force in the second half of 2026, so the present scope still governs for now.

How the duties are supervised and audited

Supervision of the AMLA duties runs through two channels, and which one applies depends on the firm. A prudentially licensed institution, such as a bank, a securities firm or a fund institution, is supervised for AML by FINMA, through the regular regulatory audit conducted by a licensed audit firm. An intermediary below the licence threshold affiliates with a FINMA-recognised SRO, which sets its own AML regulations within the AMLA framework, runs an annual audit of each member, and enforces against failures. FINMA, in turn, supervises the SROs. The chain is FINMA over the SRO, and the SRO over the member; FINMA does not audit each affiliated firm directly. How that supervisory architecture sits together is mapped in our explainer on FINMA.

For most firms the annual SRO audit is where AML compliance is proven or found wanting. The auditor reconstructs the file: were clients and beneficial owners identified, was the risk classified, was the monitoring proportionate to that risk, were clarifications documented, were reports made where they should have been. A framework maintained continuously walks through that audit. A framework rebuilt the month before the auditor arrives rarely does. These duties are broad: the risk assessment, the policy framework, onboarding, monitoring, sanctions screening, the reporting process and audit readiness. That breadth is why many smaller intermediaries hold the AML function through a mandate rather than a full-time hire, and the rest of our AML and KYC compliance guides set out how each piece is built and run.