KYC and client onboarding in Switzerland

What compliant onboarding establishes

Compliant onboarding establishes who the client is, who is really behind it, what the relationship is for, and what risk it carries, documented to a standard an auditor can read without asking the firm to explain. The duties sit in arts. 3 to 8 AMLA and are made operational by AMLO-FINMA, the ordinance FINMA issues for the intermediaries it and the self-regulatory organisations supervise. Six elements have to be present in every file.

These are not six forms to file. They are one understanding of the client, evidenced. Getting the first four right is what makes the last two work, because monitoring can only flag what departs from a purpose and a profile that were written down at the start.

Identifying and verifying the contracting party

The contracting party is the person or entity that enters the relationship, and its identity must be verified against reliable evidence. For an individual that is an official identity document; for a legal entity it is a current commercial-register extract or an equivalent confirmation of existence and authority. The verification step records the document seen, the verifying detail and the date. Identification can happen face to face or, increasingly, through compliant remote channels.

Remote onboarding is permitted. AMLO-FINMA sets specific identification requirements for digital and correspondence onboarding so that identity is established as reliably as in a meeting. The medium changes; the obligation does not. A remotely onboarded client still needs the contracting party, the beneficial owner, the purpose and the risk classification captured to the full standard.

Establishing the beneficial owner

The beneficial owner is the natural person who ultimately owns or controls the client, and Swiss practice requires the intermediary to look straight through any company, partnership or structure to reach that person. Control of an operating company is presumed at a holding of 25 percent or more; where no shareholder reaches that level, control passes to whoever otherwise exercises it, and as a final fallback to the most senior managing person. The intermediary records the result on a written declaration: Form A for the beneficial owner of the assets, a controlling-person declaration for an operating company.

This duty applies even when the client is itself a regulated entity in many cases, and it applies to trusts, foundations and nominee arrangements. The point is to defeat the layering that hides the real party. In the matters we run, the part that bites is rarely the identity document; it is the look-through, where a corporate shareholder sits above another corporate shareholder and the file stops one layer short of the natural person. That is exactly the gap an auditor opens first.

Purpose, source of funds and risk classification

Purpose, source of funds and risk classification turn a set of identities into a relationship the firm can actually monitor. The purpose and intended nature of the relationship are recorded at the outset: what it is for, the expected volumes, where money comes from and where it goes. Source of funds and source of wealth are established where the relationship is higher-risk or a pattern looks unusual. Source of funds explains the specific money in the relationship; source of wealth explains how the client's overall assets were built.

Risk classification then assigns the relationship a rating, usually standard or higher-risk, against the criteria the firm set in its institution-wide AML risk assessment. The rating is consequential. It decides how deep the onboarding due diligence goes and how closely the relationship is watched afterwards. A relationship classified higher-risk pulls in enhanced due diligence; a PEP relationship adds senior-management approval before it can begin. None of this is discretionary once the criteria are met.

PEPs and enhanced due diligence

A politically exposed person is a higher-risk relationship by definition, and onboarding one is a controlled event. A PEP holds, or is close to someone who holds, a prominent public function, and that status carries a higher corruption and money-laundering risk. So the relationship triggers enhanced due diligence and approval by senior management before it opens. Enhanced due diligence means establishing source of wealth and funds, obtaining additional documentation and applying heightened ongoing monitoring. The same enhanced track applies to other higher-risk cases: opaque or unusually complex structures, links to high-risk jurisdictions, or transaction patterns that do not fit an ordinary profile.

Where files fail an SRO audit

Most onboarding files that fail an SRO audit fail on two points, and both are predictable. The first is incomplete beneficial-owner identification: the look-through stops at a corporate shareholder, the controlling-person declaration is missing or stale, or a 25-percent holder was never resolved to a natural person. The second is a missing source-of-funds rationale on higher-risk relationships: the box is ticked but the file carries no plausible, documented explanation of where the money came from.

A third pattern sits underneath both. The documentation duty in AMLA is itself an obligation, so a check done correctly but never written down still fails. An auditor reads the file, not the firm's memory. The two tables below set out the recurring findings and how a complete file answers each.

Onboarding is also the front door to the rest of the framework. The baseline it sets is what sanctions screening and ongoing transaction monitoring read from later, and the file it produces is the first thing examined in SRO-audit preparation. A weak onboarding file does not just fail on its own terms; it makes every downstream control weaker.

What KYC onboarding does not do

KYC onboarding is a money-laundering control, and several common expectations of it fall outside that purpose.

It does not judge whether the client is a good business risk. Onboarding establishes identity, ownership, purpose and money-laundering risk. Creditworthiness, commercial suitability and whether the relationship is profitable are separate questions the firm decides on its own commercial criteria.

It does not, by itself, clear a name. Identification and beneficial-owner work answer who the client is; they do not run the sanctions and PEP name check. That screening is a distinct step, run at onboarding and repeated on re-scan, with its own escalation path.

It does not end at account opening. The file is a living baseline rather than a one-time hurdle cleared and forgotten. Material changes such as new owners, a new beneficial owner, or a shift in the relationship's purpose require the file to be updated, and higher-risk relationships are periodically reviewed. Onboarding that is never revisited drifts out of date.

It does not replace the institution-wide risk assessment. The per-client risk classification is graded against criteria the firm sets at the institution level. Without that assessment, the onboarding rating has nothing consistent to measure against.

How onboarding fits the wider AML framework

Onboarding sets the baseline that the whole AML framework depends on. The understanding captured at the start — contracting party, beneficial owner, purpose, risk — is what ongoing monitoring measures activity against and what an SRO auditor tests first. Where a firm outsources its compliance function, the onboarding sign-off, the PEP approval and the audit file typically sit with that officer; the role and what it covers are set out in our guide to the wider AML and KYC compliance topic. Build the onboarding file complete and the rest of the framework has something solid to read; build it thin and every control downstream inherits the gap.