Switzerland's Anti-Money Laundering Act (AMLA) applies to virtually every FinTech company that handles client assets, facilitates payments, or provides financial services. For startups entering the market, AML and KYC compliance is often the first regulatory hurdle — and one of the most resource-intensive. This guide covers the legal framework, practical requirements, and a go-live checklist tailored to Swiss FinTech startups.

The Swiss AML/KYC Legal Framework

The AMLA and its implementing ordinances define obligations for financial intermediaries. FINMA supervises banks, securities dealers, and asset managers directly. Most FinTech startups fall under SRO supervision — joining a Self-Regulatory Organisation such as VQF, PolyReg, or AOOS that conducts periodic audits on FINMA's behalf.

Key legislation includes the AMLA itself, the FINMA Anti-Money Laundering Ordinance (AMLO-FINMA), and the SRO regulations. The Financial Action Task Force (FATF) recommendations underpin Swiss law, meaning international standards for customer due diligence (CDD), beneficial ownership, and suspicious activity reporting apply domestically.

Who Is a Financial Intermediary?

A financial intermediary under AMLA includes any person who, on a professional basis, accepts or holds assets belonging to others, assists in investing or transferring assets, or provides credit. Common FinTech activities triggering AML obligations:

  • Payment services and e-money issuance
  • Cryptocurrency exchange and custody
  • Investment platform and robo-advisory services
  • Peer-to-peer lending and crowdfunding
  • Wealth management and portfolio management

If your startup performs any of these activities professionally, you must join an SRO or obtain direct FINMA supervision before commencing operations.

Customer Due Diligence (CDD) Requirements

Standard Due Diligence

Every client relationship requires identification of the contracting party using reliable, independent source documents. For natural persons this means valid identity documents; for legal entities, commercial register extracts plus identification of beneficial owners holding 25% or more. The purpose and intended nature of the business relationship must be documented.

Enhanced Due Diligence (EDD)

EDD applies to high-risk clients: politically exposed persons (PEPs), clients from high-risk jurisdictions on the FATF grey or black lists, complex ownership structures, and unusual transaction patterns. EDD requires additional verification steps, senior management approval, and enhanced ongoing monitoring.

Simplified Due Diligence

In limited low-risk scenarios — certain insurance products, regulated market participants — simplified measures may apply. FinTech startups rarely qualify for simplification given their digital, cross-border client base.

Transaction Monitoring and Suspicious Activity Reporting

Financial intermediaries must monitor transactions for indicators of money laundering or terrorist financing. When suspicion arises, a report must be filed with the Money Laundering Reporting Office Switzerland (MROS) — even if reporting may tip off the client (tipping-off prohibitions apply).

Effective monitoring requires rule-based and behavioural analytics covering:

  • Structuring and smurfing patterns
  • Rapid movement of funds through accounts
  • Transactions inconsistent with the client's profile
  • Connections to sanctioned individuals or entities
  • Cross-border flows to high-risk jurisdictions

Manual review of spreadsheets does not scale. Most Swiss FinTech startups implement automated monitoring through RegTech platforms integrated with their core banking or payment systems.

SRO Membership and Supervision

Joining an SRO involves submitting an application with business plans, AML policies, organisational charts, and evidence of qualified AML officers. The SRO conducts an initial audit before granting membership, then periodic audits every one to three years depending on risk classification.

Common audit findings for FinTech startups include incomplete CDD files, missing beneficial ownership documentation, inadequate transaction monitoring rules, and insufficient staff training records. Preparing thoroughly before the first audit saves months of remediation — see our SRO audit preparation guide for a complete checklist.

Integrating AML with Data Protection

AML programmes process significant personal data — identity documents, transaction histories, risk scores. This data handling must comply with the revised Federal Act on Data Protection (FADP). Privacy impact assessments, data retention schedules, and cross-border transfer safeguards are essential. AML and FADP compliance should be designed together, not in isolation.

Link to Operational Risk Frameworks

AML failures are operational risk events. FINMA expects AML controls to be embedded within the broader operational risk management framework described in Circular 2023/1. Incident escalation, control testing, and third-party oversight for KYC providers should align with your ORM policies.

Common Pitfalls

  • Onboarding before SRO membership — Operating without supervision is a criminal offence under AMLA.
  • Insufficient beneficial ownership checks — Shell companies and nominee structures require deeper investigation.
  • Static risk scoring — Client risk profiles must be updated when circumstances change.
  • Delayed MROS reporting — Suspicion must be reported immediately; internal investigation does not justify delay.
  • Outsourcing without oversight — KYC providers remain your regulatory responsibility.

Go-Live Checklist for Swiss FinTech Startups

  • SRO membership application submitted and approved (or FINMA licence obtained)
  • Written AML/KYC policy approved by management
  • Designated AML compliance officer with adequate qualifications appointed
  • CDD procedures documented for natural persons and legal entities
  • PEP and sanctions screening integrated into onboarding workflow
  • Transaction monitoring rules configured and tested with sample data
  • MROS reporting procedure and tipping-off training completed
  • Record-keeping system retaining CDD files for a minimum of 10 years
  • Staff AML training programme with attendance records
  • FADP compliance measures aligned with AML data processing
  • Internal audit or independent review scheduled within the first 12 months

AML/KYC compliance is foundational for every Swiss FinTech startup. Investing in robust processes and automation from day one reduces audit findings, protects your licence, and builds the trust that clients and investors expect.