You run a fiduciary in Geneva, or manage compliance in a firm. And you sense 2026 will bring a “small” tightening of AML? Wrong reading. The scope is expanding, expectations are rising, and “half-done” files will be costly.
Let me be direct: AML is not managed with a dusty binder and a KYC form signed once. It’s managed as a system. With evidence. And habits.
Useful sources to frame the topic: (source: AML/LTPM Revision 2026 (State Secretariat for International Financial Matters SFI)), (source: Legal bases AML and OBA (official texts, fedlex)), (source: FINMA legal bases (AML, OBA, OBA-FINMA)), (source: AML FAQ (ch.ch, Swiss State portal)), (source: Anti-money laundering guide and beneficial owner register (admin.ch)), (source: 2026 positions (news EXPERTsuisse)).
Scope 2026: who is subject to AML and which activities?
The question isn’t “am I a fiduciary?”. The real question: “do I carry out an activity that puts me within AML scope?”
In practice, in Geneva, many firms discover they are “subject” when a client requests a slightly exotic setup, or when the bank asks questions no one anticipated.
Fiduciary activities triggering AML
Without playing lawyer, remember a simple logic: as soon as you intervene in flows, structures, or operations that could conceal the origin of funds, you’re in the AML zone.
Typically, you see:
- formation, administration, management of companies (especially with non-resident shareholders)
- provision of directors, managers, domiciliation (depending on actual role)
- assistance with account opening, payment organization, treasury management
- asset operations (even when “you don’t touch the money”, but you orchestrate)
Classic trap: “We just do accounting.” Yes… except you prepare payments, give instructions, and manage powers of attorney: you’re the intermediary making the operation possible. Result? You’re under scrutiny.
2026: what changes in spirit (and practice)
Even when the text doesn’t “revolutionize” everything, execution changes:
- more traceability expected on the beneficial owner (BO)
- more requirements on the economic justification of operations
- more coherence between client profile and observed flows
In our view, the real 2026 change is zero tolerance for incomplete files. Previously, some slipped through. Tomorrow, it becomes a firm risk.
Table — quick mapping of situations (field view)
| Situation encountered in fiduciary | Typical AML risk | Concrete reflex |
|---|---|---|
| Foreign client wants an LLC in Geneva “to invoice” | Shell company / weak economic justification | Require business model, contracts, clients, countries of activity, documented BO |
| Domiciliation + “convenience” admin | Opaque effective control | Refuse if you don’t understand who decides and why |
| Accounting mandate + you prepare payments | You become a link in the flow | Approval procedure, supporting documents, monitoring |
| Group with holdings and intercompany loans | Fund circulation hard to read | Loan contracts, rates, schedules, fiscal/economic logic |
| Crypto client “converts” and wants to pay suppliers | Origin of funds / traceability | Proof of origin, platforms, histories, coherence |
Due diligence and documentation obligations (SRO, internal controls, registers)
AML isn’t “getting a paper signed”. It’s proving you did your job, and can demonstrate it 18 months later, when everyone has forgotten.
SRO: affiliation, internal rules, and what you’ll really be asked
If you’re subject, you must be affiliated to a self-regulatory organization (SRO) or under equivalent supervision depending on your status. During an inspection, nobody asks for your opinion. You’re asked for:
- your internal AML regulation (up to date)
- your processes (who does what, when, how)
- your execution evidence (files, logs, validations)
Field observation: many firms have a “copy-paste” internal regulation that doesn’t match reality. That is worse than nothing, because you yourself prove that you don’t follow your own rules.
Internal controls: role separation, even in small teams
You’re 3 in the firm? Fine. You can still separate:
- the person who collects documents
- the person who validates risk and onboarding
- the person who does periodic follow-up
When that isn’t possible, document compensating measures: occasional double validation, quarterly review by a partner, signed checklists.
Registers: what you must be able to produce in 10 minutes
When the SRO or an auditor asks, you must quickly produce:
- list of business relationships (active clients)
- risk classification (low / standard / high) + review date
- PEP register (or at least proof of screening and results)
- register of alerts / incidents / decisions (including “false alert”)
KYC procedures: client identification, beneficial owners, supporting documents and enhanced obligations
KYC is your insurance. Except many treat it as a formality. And later, when a strange flow arrives, there’s nothing left to explain.
Client identification: individual vs legal entity
For an individual:
- valid ID (readable copy)
- address and proof (as per your policy)
- professional activity, employer, country of taxation (when relevant)
For a company:
- commercial register extract (or equivalent)
- articles of association / founding documents
- bodies, signing powers
- description of actual activity (not “consulting” in one line)
Simple question to ask: “Who signs, who decides, who benefits?” If you don’t have the answer, you don’t have KYC.
Beneficial owner (BO): the point that breaks files
The BO is the individual who actually controls or benefits. And no, “it’s a trust” isn’t an answer.
What’s expected in a proper file:
- signed BO declaration
- clear organizational chart (even on one page)
- documents that corroborate (register, shareholder agreement if needed, founding documents)
Classic trap: take the BO declaration, file it, and never check if it matches reality (country, activity, flows). When things blow up, the declaration won’t save you.
Supporting documents: what makes the difference in audit
A good KYC file contains “usable” evidence:
- contracts (clients/suppliers) when activity is new or atypical
- sample invoices, website, pitch deck (yes, even that)
- proof of origin of funds when there’s contribution, loan, or cash injection
Enhanced obligations: when you must switch to “high risk” mode
You switch to enhanced when:
- PEP (or close/associate) identified
- high-risk country / sanctions / high corruption
- complex structure without clear economic reason
- cash-intensive activity or incoherent flows
Enhanced means:
- more documents
- validation by senior level
- shorter review frequency
- written justification for acceptance decision
KYC checklist (onboarding) — firm version
- Signed mandate + clear scope (what you do / don’t do)
- Client identification (ID / CR / articles)
- BO identified + signed declaration + organizational chart
- Purpose and nature of relationship (2–5 sentences, not a formula)
- Expected flow profile (amounts, countries, frequency, counterparties)
- Documented PEP/sanctions screening
- Risk classification + next review date
- Internal validation (who accepted, when)
Ongoing monitoring: PEP, sanctions lists, automated monitoring
Entry control is good. But money laundering often happens after. When the relationship is established and everyone lets their guard down.
PEP: what firms underestimate
PEP doesn’t mean “prohibited”. It means “you must be able to explain why you accept, and how you monitor”.
In practice, what trips firms up:
- indirect PEP (relative, spouse, associate)
- “local” PEP (public function, public companies)
- status change (a client becomes PEP after onboarding)
Sanctions: the straightforward risk
Sanctions are binary: if you miss them, you’re in trouble. And it’s not rare: homonyms, transliterations, shell companies.
Reflex: keep dated proof of screening, and a “what to do if there is a match?” procedure.
Monitoring: manual, semi-automated, automated… but provable
You can keep it simple, even without expensive tools, as long as it’s coherent:
- periodic review of high-risk clients (e.g. quarterly)
- semiannual review of standard clients
- annual review of low-risk clients
And above all: an alert register. An alert handled without a trace is as if it had never been handled.
Table — example of realistic monitoring plan
| Risk level | Typical triggers | Review frequency | Evidence to keep |
|---|---|---|---|
| Low | simple local activity, coherent flows | 1x/year | review note + screening |
| Standard | SME with moderate international flows | 2x/year | flow check + occasional supporting docs |
| High | PEP, high-risk country, complex structure | 4x/year | detailed review + senior validation + decisions |
MROS reporting: reporting thresholds, procedure and legal protection
MROS scares people. Often because they confuse “suspicion” and “proof”. You’re not a prosecutor. You’re a professional subject to a reporting obligation in certain situations.
For legal framework and official explanations: (source: AML FAQ (ch.ch, Swiss State portal)), (source: Legal bases AML and OBA (official texts, fedlex)).
When to report: the real trigger
The trigger is founded suspicion. Not “I don’t like their face”, not “it’s a complicated client”. Founded suspicion is when available elements make a link with a prior offense, criminal organization, or illicit funds plausible, and you can’t dispel doubt with reasonable clarifications.
Concrete examples:
- contributions labelled “loans” without contract, schedule, or logic
- circular invoices between related companies, no substance
- flows to sensitive jurisdictions without commercial reason
- refusal to provide simple documents (BO, contracts, origin of funds)
Internal procedure: who decides, and how to document
In a firm, you need a written procedure:
- who receives the alert (employee, accountant, admin)
- who analyzes (compliance officer / partner)
- which clarifications are attempted (and which aren’t)
- who decides to report
- how to archive the MROS file
Legal protection and confidentiality: beware “tipping-off”
You cannot warn the client you’re reporting (tipping-off). And you must protect your staff: an MROS decision must be carried by the firm, not “Paul, junior, who saw something”.
Field observation: some firms write overly chatty internal emails (“it’s money laundering”). Bad idea. Stay factual: facts, dates, amounts, inconsistencies, missing documents.
Building and controlling the compliance file: organization, storage, internal audits
A robust compliance file tells a coherent story: who is the client, why accepted, how they operate, and how you monitor.
Organization: a single file, not 12 places
If your documents are in:
- an email
- a drive
- an ERP
- a paper binder
… you’ll waste time and miss elements. Best practice: a central file (physical or digital), with a standard structure.
Storage: integrity, access, and proof of date
You’ll be asked: “who had access? when was the document added? is it the final version?”
Even without sophisticated tools, you can:
- name files with date (YYYY-MM-DD)
- lock client folders (access rights)
- keep a validation trail (signed PDF, internal note)
Internal audits: the control that avoids disaster
In our view, a firm that waits for the SRO audit to discover its gaps is at risk.
Realistic rhythm:
- quarterly mini-audit on 5 files (including 2 high-risk)
- annual full audit on a larger sample
What’s checked: BO coherence, screening, flow profile, periodic reviews, documented decisions.
“Compliance file ready for audit” checklist
- Complete KYC + BO + organizational chart
- Motivated risk profile (not just a tick)
- PEP/sanctions screening with dated proof
- Periodic review notes (dates, findings, actions)
- Supporting documents for atypical operations (contracts, invoices, explanations)
- Register of alerts and decisions (including closure)
- Traceability of internal validations
Step by step: getting your firm “clean” before 2026
Let’s get concrete. Here’s a sequence that works in a firm, without immobilizing everyone for 3 months.
Step 1 — Map your services and real risks (1 week)
- list your services (accounting, payroll, domiciliation, admin, account opening, etc.)
- for each service, note: “do I touch flows? do I create/control a structure?”
- classify existing mandates: low / standard / high
Step 2 — Standardize your files (2 weeks)
- create a unique structure
- impose an onboarding KYC checklist
- impose a periodic review checklist
Step 3 — Set up a decision register (immediate)
A simple internal table is enough at first:
- date
- client
- alert / event
- decision
- who validates
- documents
Step 4 — Review “old” files (4 to 8 weeks)
Start with:
- potential PEPs
- complex structures
- non-resident clients
And do one thing: fill the gaps. Not rewrite history.
Step 5 — Test your system (internal audit)
Take 10 files at random. Ask yourself: “if the SRO arrives tomorrow, can we defend each file without sweating?”
Practical case (Geneva): a consulting LLC transferring abroad
Real (typical) situation:
- Client: LLC in Geneva, IT consulting
- Annual turnover: CHF 1,200,000
- Gross margin: CHF 720,000
- Manager: Swiss resident
- Shareholder: holding in Cyprus
- BO declared: individual resident in Emirates
Over 3 months, the company:
- receives CHF 310,000 from 4 Swiss clients
- pays CHF 185,000 to “subcontractors” in Portugal and Dubai
- pays CHF 90,000 in “management fees” to the holding
Problem: no solid documents. Just generic PDF invoices.
Concretely, a defensible compliance file requires:
- BO: organizational chart + proof of control (holding documents, register, declaration)
- Economic purpose: why a holding in Cyprus? why management fees?
- Subcontracting: contracts, deliverables, proof of service (tickets, reports, access, project emails)
- Flow profile: written justification that international payments are expected, with countries and amounts
Firm decision (example):
- request within 10 days: contracts + deliverables + explanation of management fees + calculation basis
- if refusal or persistent inconsistencies: internal escalation, high risk, enhanced review
- if founded suspicion not dispelled: MROS analysis as per procedure
This case is often seen at year-end. The accountant finds huge “consulting” expenses, no substance. Everyone panics. If KYC and monitoring are done from the start, you save a lot of time.
3 costly mistakes for Geneva fiduciaries (and how to fix them)
Mistake 1 — “We have a copy of the passport, so it’s fine”
No. You have an identity, not an understanding.
Correction: add a note “purpose and nature” + flow profile + corroborated BO.
Mistake 2 — PEP file treated as standard file
PEP is not a stamp. It’s a level of monitoring.
Correction: senior validation + more frequent review + written justification for acceptance.
Mistake 3 — Alert handled verbally, no trace
Classic: “we talked about it, it was nothing”. But in audit, “we talked about it” doesn’t exist.
Correction: alert register, even minimalist. One line, one decision, one document.
Non-compliance risks and sanctions 2026
It’s not just a reprimand. The risk is multiple:
- SRO measures (corrective requirements, enhanced audits)
- reputational damage (in Geneva, it spreads fast)
- loss of the banking relationship (client loses their bank, you lose the mandate)
- liability of the firm and its bodies, depending on the case
And there’s a very concrete risk: “portfolio risk”. One toxic file can trigger a review of 30 files.
In our view, the best approach is to invest in documentary discipline. Not in complicated phrases. A good factual internal note is better than a 12-page report that proves nothing.
What your client must understand (otherwise you bear all the risk)
You can do perfect KYC. If the client doesn’t play along, you’re stuck.
Put it in writing from the mandate:
- obligation to provide documents within reasonable deadlines
- right to suspend certain services if documents are missing
- right to terminate if major inconsistencies
Simple phrase I often use in meetings: “If you can’t explain where the money comes from and why it moves like this, I can’t support you.” That clarifies everything.
AML FAQ for fiduciaries: 2026
1) Is an “accounting only” fiduciary concerned by AML?
It depends on what you actually do. If you limit yourself to bookkeeping without intervening in flows, organizing payments, or administering structures, the risk of being subject is different. The problem is many “accounting” mandates drift into operational management (payments, powers of attorney, account opening). And then, you change category.
2) What is an acceptable BO in a file?
An acceptable BO is an identified individual, with a signed declaration, and corroborating elements (organizational chart, company documents, economic coherence). If you just have a name on a form, with nothing behind, you’re fragile.
3) How often should a client file be reviewed?
There’s no magic frequency for all. You set a frequency based on risk, and stick to it. Low: annual. Standard: semiannual. High: quarterly. Key point: keep dated proof of review and decisions.
4) What if a client refuses to provide origin of funds?
Document the request, the refusal, and assess if doubt can be dispelled otherwise. Often, no. In this case, you don’t continue “as if nothing happened”. Escalate internally, requalify risk, and consider MROS reporting if suspicion becomes founded.
5) What does a match on a sanctions list mean?
It means: stop and check. Many matches are homonyms. But you must prove you checked and concluded. Without proof, you’re exposed.
6) How to prepare for an SRO audit without losing your health?
Standardize your files, keep your registers (clients, risks, PEP/sanctions, alerts), do a quarterly mini internal audit. The SRO audit goes well when you can produce documents quickly, and the file story is coherent.
References
- AML FAQ (ch.ch, Swiss State portal)
- Anti-money laundering guide and beneficial owner register (admin.ch)
- 2026 positions (news EXPERTsuisse)
- Legal bases AML and OBA (official texts, fedlex)
- AML/LTPM Revision 2026 (State Secretariat for International Financial Matters SFI)
- FINMA legal bases (AML, OBA, OBA-FINMA)