AML in fiduciary: 2026 obligations, KYC, PEP, MROS and compliance file

2026 overview of new AML obligations for fiduciaries in Switzerland: expanded scope, KYC procedures, PEP/sanctions checks, MROS reporting, and key points for building a robust compliance file. Focus on best practices and non-compliance risks for fiduciary firms, executives, and compliance officers.

By Ark Fiduciaire

Published on 07/01/2026

Reading time: 14 min (2750 words)

Tags: conformite, oar, lba, aml, finma, pme

You run a fiduciary in Geneva, or manage compliance in a firm. And you sense 2026 will bring a “small” tightening of AML? Wrong reading. The scope is expanding, expectations are rising, and “half-done” files will be costly.

Let me be direct: AML is not managed with a dusty binder and a KYC form signed once. It’s managed as a system. With evidence. And habits.

Useful sources to frame the topic:

  • AML/LTPM Revision 2026 (State Secretariat for International Financial Matters SFI)
  • Legal bases AML and OBA (official texts, fedlex)
  • FINMA legal bases (AML, OBA, OBA-FINMA)
  • AML FAQ (ch.ch, Swiss State portal)
  • Anti-money laundering guide and beneficial owner register (admin.ch)
  • 2026 positions (news EXPERTsuisse)

Scope 2026: who is subject to AML and which activities?

The question isn’t “am I a fiduciary?”. The real question: “do I carry out an activity that puts me within AML scope?”

In practice, in Geneva, many firms discover they are “subject” when a client requests a slightly exotic setup, or when the bank asks questions no one anticipated.

Fiduciary activities triggering AML

Without playing lawyer, remember a simple logic: as soon as you intervene in flows, structures, or operations that could conceal the origin of funds, you’re in the AML zone.

Typically, you see:

  • formation, administration, management of companies (especially with non-resident shareholders)
  • provision of directors, managers, domiciliation (depending on actual role)
  • assistance with account opening, payment organization, treasury management
  • asset operations (even when “you don’t touch the money”, but you orchestrate)

Classic trap: “We just do accounting.” Yes… except that you prepare payments, give instructions and manage powers of attorney: you are the intermediary that makes the operation possible. Result? You’re under scrutiny.

2026: what changes in spirit (and practice)

Even when the text doesn’t “revolutionize” everything, execution changes:

  • more traceability expected on the beneficial owner (BO)
  • more requirements on the economic justification of operations
  • more coherence between client profile and observed flows

In our view, the real 2026 change is zero tolerance for incomplete files. Previously, some slipped through. Tomorrow, it becomes a firm risk.

Table — quick mapping of situations (field view)

Situation encountered in fiduciary | Typical AML risk | Concrete reflex
Foreign client wants an LLC in Geneva “to invoice” | Shell company / weak economic justification | Require business model, contracts, clients, countries of activity, documented BO
Domiciliation + “convenience” admin | Opaque effective control | Refuse if you don’t understand who decides and why
Accounting mandate + you prepare payments | You become a link in the flow | Approval procedure, supporting documents, monitoring
Group with holdings and intercompany loans | Fund circulation hard to read | Loan contracts, rates, schedules, fiscal/economic logic
Crypto client “converts” and wants to pay suppliers | Origin of funds / traceability | Proof of origin, platforms, histories, coherence

Due diligence and documentation obligations (SRO, internal controls, registers)

AML isn’t “getting a paper signed”. It’s proving you did your job, and can demonstrate it 18 months later, when everyone has forgotten.

SRO: affiliation, internal rules, and what you’ll really be asked

If you’re subject, you must be affiliated with a self-regulatory organization (SRO) or placed under equivalent supervision, depending on your status. In controls, your opinion isn’t asked. You’re asked for:

  • your internal AML regulation (up to date)
  • your processes (who does what, when, how)
  • your execution evidence (files, logs, validations)

Field observation: many firms have a “copy-paste” internal regulation that doesn’t match reality. Worse than nothing. Because you prove, yourself, that you don’t follow your own rules.

Internal controls: role separation, even in small teams

You’re 3 in the firm? Fine. You can still separate:

  • the person who collects documents
  • the person who validates risk and onboarding
  • the person who does periodic follow-up

When that isn’t possible, document the compensating controls: occasional double validation, quarterly review by a partner, signed checklists.

Registers: what you must be able to produce in 10 minutes

When the SRO or an auditor asks, you must quickly produce:

  • list of business relationships (active clients)
  • risk classification (low / standard / high) + review date
  • PEP register (or at least proof of screening and results)
  • register of alerts / incidents / decisions (including “false alert”)

KYC procedures: client identification, beneficial owners, supporting documents and enhanced obligations

KYC is your insurance. Except many treat it as a formality. And later, when a strange flow arrives, there’s nothing left to explain.

Client identification: individual vs legal entity

For an individual:

  • valid ID (readable copy)
  • address and proof (as per your policy)
  • professional activity, employer, country of taxation (when relevant)

For a company:

  • commercial register extract (or equivalent)
  • articles of association / founding documents
  • bodies, signing powers
  • description of actual activity (not “consulting” in one line)

Simple question to ask: “Who signs, who decides, who benefits?” If you don’t have the answer, you don’t have KYC.

Beneficial owner (BO): the point that breaks files

The BO is the individual who actually controls or benefits. And no, “it’s a trust” isn’t an answer.

What’s expected in a proper file:

  • signed BO declaration
  • clear organizational chart (even on one page)
  • documents that corroborate (register, shareholder agreement if needed, founding documents)

Classic trap: take the BO declaration, file it, and never check if it matches reality (country, activity, flows). When things blow up, the declaration won’t save you.

Supporting documents: what makes the difference in audit

A good KYC file contains “usable” evidence:

  • contracts (clients/suppliers) when activity is new or atypical
  • sample invoices, website, pitch deck (yes, even that)
  • proof of origin of funds when there’s contribution, loan, or cash injection

Enhanced obligations: when you must switch to “high risk” mode

You switch to enhanced when:

  • PEP (or close/associate) identified
  • high-risk country / sanctions / high corruption
  • complex structure without clear economic reason
  • cash-intensive activity or incoherent flows

Enhanced means:

  • more documents
  • validation by senior level
  • shorter review frequency
  • written justification for acceptance decision

KYC checklist (onboarding) — firm version

  • Signed mandate + clear scope (what you do / don’t do)
  • Client identification (ID / CR / articles)
  • BO identified + signed declaration + organizational chart
  • Purpose and nature of relationship (2–5 sentences, not a formula)
  • Expected flow profile (amounts, countries, frequency, counterparties)
  • Documented PEP/sanctions screening
  • Risk classification + next review date
  • Internal validation (who accepted, when)

Ongoing monitoring: PEP, sanctions lists, automated monitoring

Entry control is good. But money laundering often happens after. When the relationship is established and everyone lets their guard down.

PEP: what firms underestimate

PEP doesn’t mean “prohibited”. It means “you must be able to explain why you accept, and how you monitor”.

In practice, what trips up:

  • indirect PEP (relative, spouse, associate)
  • “local” PEP (public function, public companies)
  • status change (a client becomes PEP after onboarding)

Sanctions: the straightforward risk

Sanctions are binary: if you miss them, you’re in trouble. And it’s not rare: homonyms, transliterations, shell companies.

Reflex: keep dated proof of screening, and a written “what to do on a match?” procedure.
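The screening reflex described above, as an added example that is not from the article or from Ark Fiduciaire: a small Python routine that normalizes names (case, punctuation, diacritics, word order, legal-form words) before comparing them to a list, so that homonym and transliteration variants land in a “review” band instead of being silently missed, and that writes a dated, hash-protected screening record for the client file. The list entries and ids, the list version string and the two similarity thresholds are constructed assumptions for illustration, not a real sanctions list or regulatory values.

```python
"""Name screening against a sanctions/PEP list, producing a dated screening record.

Added example, not from the article: the list below is constructed and the
threshold values are assumptions for illustration, not regulatory values.
"""
from __future__ import annotations

import hashlib
import json
import unicodedata
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Constructed sample list: invented names and ids, NOT a real sanctions list.
SAMPLE_LIST = {
    "version": "demo-list-2026-01-07",  # placeholder: real lists carry a publication date/version
    "entries": [
        {"id": "DEMO-001", "name": "Aleksandr Ivanovich Petrov", "aliases": ["Alexander Petrov"]},
        {"id": "DEMO-002", "name": "Jean-Luc Dupont-Martin", "aliases": []},
        {"id": "DEMO-003", "name": "Global Trade Holding Ltd", "aliases": ["Global Trade Holdings Limited"]},
    ],
}

# Legal-form words carry no identity; dropping them lets "Holding Ltd" match "Holdings Limited".
# This raises recall at the cost of more review-band hits, which is the side to err on.
LEGAL_FORMS = {"ltd", "limited", "llc", "inc", "sa", "ag", "gmbh", "sarl", "holding", "holdings"}

# Assumed bands: at/above MATCH a confirmed hit, at/above REVIEW a possible hit an analyst must check.
MATCH_THRESHOLD = 0.90
REVIEW_THRESHOLD = 0.75


def normalize(name: str) -> str:
    """Lower-case, strip diacritics and punctuation, drop legal forms, sort tokens.

    Sorting tokens makes "PETROV, Alexander" and "Alexander Petrov" identical.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_like = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    spaced = "".join(ch if ch.isalnum() else " " for ch in ascii_like.lower())
    tokens = sorted(tok for tok in spaced.split() if tok not in LEGAL_FORMS)
    return " ".join(tokens)


def similarity(a: str, b: str) -> float:
    """Character-level similarity of two normalized names (1.0 = identical)."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def best_match(candidate: str, entry: dict) -> float:
    """Highest similarity of the candidate against the entry's name and all of its aliases."""
    return max(similarity(candidate, n) for n in [entry["name"], *entry["aliases"]])


def classify(score: float) -> str:
    """Map a similarity score to the three-way outcome used in the record."""
    if score >= MATCH_THRESHOLD:
        return "match"
    if score >= REVIEW_THRESHOLD:
        return "review"
    return "clear"


def screen(candidate: str, listing: dict, now: datetime | None = None) -> dict:
    """Screen one name and return a dated record suitable for the client file.

    The record carries the list version, the normalized query, every entry
    scoring in the review band or above, an overall status, and a SHA-256
    digest so that later edits to the stored record are detectable.
    """
    now = now or datetime.now(timezone.utc)
    hits = []
    for entry in listing["entries"]:
        score = round(best_match(candidate, entry), 3)
        status = classify(score)
        if status != "clear":
            hits.append({"id": entry["id"], "listed_name": entry["name"], "score": score, "status": status})
    hits.sort(key=lambda h: h["score"], reverse=True)
    record = {
        "screened_at": now.isoformat(),
        "list_version": listing["version"],
        "query": candidate,
        "normalized_query": normalize(candidate),
        "hits": hits,
        "status": hits[0]["status"] if hits else "clear",
    }
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    record["record_sha256"] = hashlib.sha256(canonical).hexdigest()
    return record


def verify_record(record: dict) -> bool:
    """Recompute the digest over a stored record; False if any field was altered afterwards."""
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest() == record.get("record_sha256")


if __name__ == "__main__":
    for name in ["PETROV, Alexander", "Aleksandr Petrov", "Jean Luc Dupont Martin",
                 "Global Trade Holdings Limited", "Anna Meier"]:
        rec = screen(name, SAMPLE_LIST)
        print(f"{name!r:35} -> {rec['status']:6} {[(h['id'], h['score']) for h in rec['hits']]}")
```

“PETROV, Alexander” comes out as a match because normalization removes case, punctuation and word order; the transliteration “Aleksandr Petrov” scores below the match band but above the review band, which is exactly the case the text warns about: it must be stopped and checked by a person, and the review decision then goes into the alert register next to the record. Storing the record with its digest and the list version is what lets you show, eighteen months later, which list was screened, when, and that the result was not edited.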

Monitoring: manual, semi-automated, automated… but provable

You can keep it simple, even without expensive tools, as long as it’s coherent:

  • periodic review of high-risk clients (e.g. quarterly)
  • semiannual review of standard clients
  • annual review of low-risk clients

And above all: an alert register. An alert handled without a trace is as if it had never been handled.

Table — example of realistic monitoring plan

Risk level | Typical triggers | Review frequency | Evidence to keep
Low | simple local activity, coherent flows | 1x/year | review note + screening
Standard | SME with moderate international flows | 2x/year | flow check + occasional supporting docs
High | PEP, high-risk country, complex structure | 4x/year | detailed review + senior validation + decisions

MROS reporting: reporting thresholds, procedure and legal protection

MROS scares people. Often because they confuse “suspicion” and “proof”. You’re not a prosecutor. You’re a professional subject to a reporting obligation in certain situations.

For legal framework and official explanations: (source: AML FAQ (ch.ch, Swiss State portal)), (source: Legal bases AML and OBA (official texts, fedlex)).

When to report: the real trigger

The trigger is founded suspicion. Not “I don’t like their face”, not “it’s a complicated client”. Founded suspicion is when available elements make a link with a prior offense, criminal organization, or illicit funds plausible, and you can’t dispel doubt with reasonable clarifications.

Concrete examples:

  • contributions labelled “loans” without contract, schedule or logic
  • circular invoices between related companies, no substance
  • flows to sensitive jurisdictions without commercial reason
  • refusal to provide simple documents (BO, contracts, origin of funds)

Internal procedure: who decides, and how to document

In a firm, you need a written procedure:

  1. who receives the alert (employee, accountant, admin)
  2. who analyzes (compliance officer / partner)
  3. which clarifications are attempted (and which aren’t)
  4. who decides to report
  5. how to archive the MROS file

Legal protection and confidentiality: beware “tipping-off”

You cannot warn the client you’re reporting (tipping-off). And you must protect your staff: an MROS decision must be carried by the firm, not “Paul, junior, who saw something”.

Field observation: some firms write overly chatty internal emails (“it’s money laundering”). Bad idea. Stay factual: facts, dates, amounts, inconsistencies, missing documents.

Building and controlling the compliance file: organization, storage, internal audits

A robust compliance file tells a coherent story: who is the client, why accepted, how they operate, and how you monitor.

Organization: a single file, not 12 places

If your documents are in:

  • an email
  • a drive
  • an ERP
  • a paper binder

… you’ll waste time and miss elements. Best practice: a central file (physical or digital), with a standard structure.

Storage: integrity, access, and proof of date

You’ll be asked: “who had access? when was the document added? is it the final version?”

Even without sophisticated tools, you can:

  • name files with date (YYYY-MM-DD)
  • lock client folders (access rights)
  • keep a validation trail (signed PDF, internal note)

Internal audits: the control that avoids disaster

In our view, a firm that waits for the SRO audit to discover its gaps is at risk.

Realistic rhythm:

  • quarterly mini-audit on 5 files (including 2 high-risk)
  • annual full audit on a larger sample

What’s checked: BO coherence, screening, flow profile, periodic reviews, documented decisions.

“Compliance file ready for audit” checklist

  • Complete KYC + BO + organizational chart
  • Motivated risk profile (not just a tick)
  • PEP/sanctions screening with dated proof
  • Periodic review notes (dates, findings, actions)
  • Supporting documents for atypical operations (contracts, invoices, explanations)
  • Register of alerts and decisions (including closure)
  • Traceability of internal validations

Step by step: getting your firm “clean” before 2026

Let’s get concrete. Here’s a sequence that works in a firm, without immobilizing everyone for 3 months.

Step 1 — Map your services and real risks (1 week)

  • list your services (accounting, payroll, domiciliation, admin, account opening, etc.)
  • for each service, note: “do I touch flows? do I create/control a structure?”
  • classify existing mandates: low / standard / high

Step 2 — Standardize your files (2 weeks)

  • create a unique structure
  • impose an onboarding KYC checklist
  • impose a periodic review checklist

Step 3 — Set up a decision register (immediate)

A simple internal table is enough at first:

  • date
  • client
  • alert / event
  • decision
  • who validates
  • documents

Step 4 — Review “old” files (4 to 8 weeks)

Start with:

  • potential PEPs
  • complex structures
  • non-resident clients

And do one thing: fill the gaps. Not rewrite history.

Step 5 — Test your system (internal audit)

Take 10 files at random. Ask yourself: “if the SRO arrives tomorrow, can we defend each file without sweating?”

Practical case (Geneva): a consulting LLC transferring abroad

Real (typical) situation:

  • Client: LLC in Geneva, IT consulting
  • Annual turnover: CHF 1,200,000
  • Gross margin: CHF 720,000
  • Manager: Swiss resident
  • Shareholder: holding in Cyprus
  • BO declared: individual resident in Emirates

Over 3 months, the company:

  • receives CHF 310,000 from 4 Swiss clients
  • pays CHF 185,000 to “subcontractors” in Portugal and Dubai
  • pays CHF 90,000 in “management fees” to the holding

Problem: no solid documents. Just generic PDF invoices.

Concretely, a defensible compliance file requires:

  1. BO: organizational chart + proof of control (holding documents, register, declaration)
  2. Economic purpose: why a holding in Cyprus? why management fees?
  3. Subcontracting: contracts, deliverables, proof of service (tickets, reports, access, project emails)
  4. Flow profile: written justification that international payments are expected, with countries and amounts

Firm decision (example):

  • request within 10 days: contracts + deliverables + explanation of management fees + calculation basis
  • if refusal or persistent inconsistencies: internal escalation, high risk, enhanced review
  • if founded suspicion not dispelled: MROS analysis as per procedure

This case is often seen at year-end. The accountant finds huge “consulting” expenses with no substance behind them. Everyone panics. If KYC and monitoring are done from the start, you save a lot of time.

3 costly mistakes for Geneva fiduciaries (and how to fix them)

Mistake 1 — “We have a copy of the passport, so it’s fine”

No. You have an identity, not an understanding.

Correction: add a note “purpose and nature” + flow profile + corroborated BO.

Mistake 2 — PEP file treated as standard file

PEP is not a stamp. It’s a level of monitoring.

Correction: senior validation + more frequent review + written justification for acceptance.

Mistake 3 — Alert handled verbally, no trace

Classic: “we talked about it, it was nothing”. But in audit, “we talked about it” doesn’t exist.

Correction: alert register, even minimalist. One line, one decision, one document.

Non-compliance risks and sanctions 2026

It’s not just a reprimand. The risk is multiple:

  • SRO measures (corrective requirements, enhanced audits)
  • reputational damage (in Geneva, it spreads fast)
  • banking break (client loses their bank, you lose the mandate)
  • firm and body liability depending on cases

And there’s a very concrete risk: “portfolio risk”. One toxic file can trigger a review of 30 files.

In our view, the best approach is to invest in documentary discipline. Not in complicated phrases. A good factual internal note is better than a 12-page report that proves nothing.

What your client must understand (otherwise you bear all the risk)

You can do perfect KYC. If the client doesn’t play along, you’re stuck.

Put it in writing from the mandate:

  • obligation to provide documents within reasonable deadlines
  • right to suspend certain services if documents are missing
  • right to terminate if major inconsistencies

Simple phrase I often use in meetings: “If you can’t explain where the money comes from and why it moves like this, I can’t support you.” That clarifies everything.

AML FAQ for fiduciaries: 2026

1) Is an “accounting only” fiduciary concerned by AML?

It depends on what you actually do. If you limit yourself to bookkeeping without intervening in flows, organizing payments, or administering structures, the risk of being subject is different. The problem is many “accounting” mandates drift into operational management (payments, powers of attorney, account opening). And then, you change category.

2) What is an acceptable BO in a file?

An acceptable BO is an identified individual, with a signed declaration, and corroborating elements (organizational chart, company documents, economic coherence). If you just have a name on a form, with nothing behind, you’re fragile.

3) How often should a client file be reviewed?

There’s no magic frequency for all. You set a frequency based on risk, and stick to it. Low: annual. Standard: semiannual. High: quarterly. Key point: keep dated proof of review and decisions.

4) What if a client refuses to provide origin of funds?

Document the request, the refusal, and assess if doubt can be dispelled otherwise. Often, no. In this case, you don’t continue “as if nothing happened”. Escalate internally, requalify risk, and consider MROS reporting if suspicion becomes founded.

5) What does a match on a sanctions list mean?

It means: stop and check. Many matches are homonyms. But you must prove you checked and concluded. Without proof, you’re exposed.

6) How to prepare for an SRO audit without losing your health?

Standardize your files, keep your registers (clients, risks, PEP/sanctions, alerts), do a quarterly mini internal audit. The SRO audit goes well when you can produce documents quickly, and the file story is coherent.
