fairlane.systems

AML SCREENING · USE CASE

AI-supported AML/KYC screening: sanctions lists, PEP, beneficial owners

Screen onboarding data against SECO/OFAC/EU lists, build a risk score, prepare an SRO report draft. NEVER report automatically – the human decides.

Researched & fact-checked by: · As of: 2026-05

What is AI-supported AML screening?

The Swiss Anti-Money-Laundering Act (GwG) requires financial intermediaries – and, since the GwG revision 2026, in extended form also fiduciary offices acting in lawyer- and notary-like roles – to apply due-diligence duties at client onboarding. Concretely: identify the contracting party, identify the beneficial owner, clarify the background under elevated risk, and review periodically.

AI-supported screening automates the time-consuming research, not the decisions. A pipeline takes the onboarding data (name, date of birth, nationality, residence, legal form, ownership structure), queries the relevant sanctions lists (SECO, OFAC, EU consolidated, UN) and PEP databases, compares against adverse-media sources, and generates a risk score with reasoning. On suspicion a draft is prepared for reporting to the self-regulatory organisation (SRO) or, in serious cases, to the Money-Laundering Reporting Office (MROS).

CRITICAL and non-negotiable: the pipeline NEVER reports itself. Reporting to MROS (Art. 9 GwG) or the SRO is a serious decision with legal consequences for the client and liability risks for the financial intermediary. That decision is taken by a human – the compliance officer or responsible partner. The AI prepares, suggests, documents. It does not decide.

Why it matters

The GwG revision 2026 (in force since 1 January 2026) tightens three things. First: thresholds for due-diligence duties go down, more fiduciary offices fall within scope. Second: the federal transparency register for beneficial owners becomes mandatory – fiduciary offices must reconcile ownership data with the register. Third: FINMA has announced that it will spot-check SRO members on the quality of the KYC process.

The manual effort per onboarding case is typically 60 to 180 minutes today – depending on complexity (natural person versus holding with 5 participation levels). For 50 new mandates per year that is 50 to 150 hours that go into research instead of advice.

AI screening cuts the standard effort to 10 to 25 minutes per case. The time freed up is available for the qualitative review of elevated risks – what the GwG is actually designed for. Research is machine work; risk weighting is human work.

Second benefit: documentation. Anyone who must prove in a FINMA spot-check that sanctions lists were queried on 14 January 2026 benefits substantially from an automated pipeline with an audit trail. Manual Excel sheets are a risk factor in the supervisory procedure.

Third benefit: periodic re-screening. The GwG requires periodic review of clients – typically annual. A pipeline runs in the background: sanctions lists are refreshed every 24 hours (SECO publishes updates often at short notice), and a hit on an existing client immediately triggers a human review.

How it works

Six stations in the pipeline.

Capture onboarding data: Structured input via form or directly from the CRM. Mandatory fields: name, date of birth, place of birth, nationality(ies), residence, legal form for entities, ownership with participation quotas, intended business purpose, source of funds. For legal entities additionally the ownership chain up to the natural person.

API queries on sanctions lists: The pipeline queries several databases in parallel. SECO sanctions list (Switzerland) via the open XML feed. OFAC SDN/Consolidated (USA) via the official API endpoint. EU consolidated list via the EU sanctions feed. UN sanctions list via the UN XML feed. Optionally commercial providers such as Refinitiv World-Check, Dow Jones Risk & Compliance for extended PEP coverage.

Fuzzy matching: A direct name match is insufficient – sanctioned persons use aliases, transliteration variants and date-of-birth variations. The pipeline uses phonetic algorithms (Soundex, Metaphone) and Levenshtein distance with a configurable threshold. Best practice: 90% similarity as the default threshold.

LLM risk score: Hits and adverse-media snippets go to a language model with the task: "Rate the risk score 1-100 based on GwG criteria (geographical, sectoral, transactional). Deliver reasoning with source references." We recommend Claude Sonnet via LiteLLM. Under strict confidentiality: Mistral Large via EU hosting or Llama 3.1 70B locally.

Beneficial-owner reconciliation: For legal entities, the ownership chain is compared against the federal transparency register (accessible from 1 January 2026). Discrepancies are flagged as a red warning.

Draft SRO/MROS report on suspicion: If the risk score exceeds the defined threshold (default: 75), the pipeline generates a draft report. The draft contains: client data, sanctions/PEP hits, adverse-media snippets, risk reasoning, any special findings. The compliance officer reads, completes, corrects.

NEVER report automatically: filing with MROS (Art. 9 GwG) or the SRO has serious consequences – for the client (suspected money laundering, account freeze) and the financial intermediary (proceedings on mis-filing). That decision is taken exclusively by a person with the required role (compliance officer, partner, AML officer).

Screening workflow in 7 steps

  1. 01Capture onboarding data: structured input (name, date of birth, nationality, residence, ownership chain for legal entities).
  2. 02Parallel query of sanctions lists: SECO XML, OFAC API, EU consolidated, UN list. Optional commercial PEP database.
  3. 03Apply fuzzy matching: phonetics (Metaphone) and Levenshtein distance, threshold 90% default, configurable.
  4. 04Generate LLM risk score: summarise hits + adverse media + GwG criteria, score 1-100 with reasoning.
  5. 05Reconcile beneficial owners with the transparency register (for legal entities).
  6. 06On score above threshold (default 75): prepare an SRO/MROS report draft with all evidence. NEVER send automatically.
  7. 07Human decision: compliance officer or partner reviews, completes, corrects, decides on reporting. Keep audit trail (model, prompt, hit list, reasoning) for 10 years per Art. 957a CO.

When to use

The pipeline suits any fiduciary office within the scope of GwG – i.e. financial intermediaries under Art. 2 GwG, including fiduciary offices conducting asset management, advice on the sale or purchase of enterprises, or trustee functions.

Particularly useful at a volume of 20 or more new onboardings per year. Below that the pipeline setup amortises more slowly.

Particularly valuable for offices with international client portfolios (holding structures, cross-border advice, family offices). Ownership chains are most complex here, and the manual research effort accordingly large.

In combination with periodic client review: the pipeline runs annually or on every trigger event (larger transaction, change of beneficial owners) automatically and flags changes – changes that a manual process often misses.

For SRO members whose compliance function must be certified, a documented automated pipeline is a direct benefit in the certification audit.

When not to use

NEVER report automatically. An SRO or MROS filing without human review violates fiduciary due-diligence duty and can trigger a separate GwG criminal proceeding. Even if the AI identifies a hit with 99-percent confidence: the human decides whether to file.

DO NOT use without revDSG-compliant data processing. Onboarding data contains particularly protected personal data (date of birth, nationality, financial situation). If the pipeline uses third-country language models (US, UK), a Transfer Impact Assessment (TIA) and standard contract clauses are required. Mistral via EU hosting or local Ollama solves the issue.

DO NOT use without explicit client information. The data-protection declaration must name that AI procedures are used in GwG screening – transparency per revDSG Art. 19.

DO NOT use as sole risk score. The AI covers sanctions lists, PEP and adverse media. It does NOT cover: personal perception in the client meeting, on-site observations, sector-specific insider knowledge. The risk score is one component of the assessment, not the assessment itself.

DO NOT use with severely outdated sanctions-list feeds. If the SECO list has not been refreshed for four weeks (pipeline defect), the result is deceptive. We recommend a daily health-check script that verifies feed freshness and alerts on stalls.

DO NOT use as a shield against liability claims. If the AI misses a hit and you do not check, the financial intermediary bears responsibility. The AI is a tool, not insurance.

Trade-offs

STRENGTHS

  • Onboarding research drops from 60-180 min to 10-25 min per case
  • Documented audit trail for FINMA spot-checks and SRO certification
  • Periodic re-screening runs in the background, catches sanctions-list changes automatically
  • Transparency-register reconciliation automatic – discrepancies are flagged

WEAKNESSES

  • NEVER report automatically – human decision mandatory, liability risk on wrongful filing
  • Third-country language models require TIA and SCC – EU/CH hosting mandatory for sensitive clients
  • Sanctions-list feeds may fail – daily health check required
  • AI sees only data hits, not client-meeting behaviour or insider knowledge

FAQ

Which sanctions lists must be checked?

Mandatory for Swiss fiduciary offices: the SECO sanctions list (Federal Act on the Implementation of International Sanctions, EmbA). In practice also check: EU consolidated list (relevant for EU links), UN consolidated list (international law), OFAC SDN/Consolidated (US links or USD payments). PEP databases are not mandatory but best practice.

What does the federal transparency register 2026 mean?

Since 1 January 2026 legal entities domiciled in Switzerland must register their beneficial owners (natural persons with at least 25% participation or control) in the federal transparency register. Financial intermediaries can query the register as part of their due-diligence duty. Discrepancies between client declaration and the register are grounds for review.

What happens with a wrongful filing?

A wilfully wrong MROS filing triggers Art. 305ter SCC (obstruction of justice). A negligently wrong filing causing damage to the client creates civil liability. That is why human review before every filing is critical – the AI can misinterpret hits, for example on name duplicates (Hans Müller Geneva is not Hans Müller St. Gallen).

Which language model is best for AML screening?

For the standard case Claude Sonnet (Anthropic) via LiteLLM – good structure, robust source citation, low hallucination rate. For strict data-protection needs: Mistral Large via EU hosting (EU/EFTA data residency guaranteed) or Llama 3.1 70B locally via Ollama on own hardware. With high stakes run two models in parallel: risk scores must converge.

Related topics

AMLA REVISION · COMPLIANCEAMLA revision 2026: extension to fiduciary advisory and FATF Recommendation 16FINMA · COMPLIANCEFINMA awareness: AI governance for banks, insurers and asset-managing fiduciariesrevDSG · COMPLIANCErevDSG / revFADP and AI: what the revised Swiss Data Protection Act means for LLM useART. 321 SCC · COMPLIANCEProfessional secrecy (Art. 321 SCC) and AI use: what lawyers, notaries, physicians and auditors must observeART. 957a CO · COMPLIANCEArt. 957a CO and AI bookings: audit trail, GeBüV, and 10-year retention

Sources

  1. FINMA – Geldwäschereiverordnung und GwG-Aufsichtspraxis · 2026-04
  2. SECO – Sanktionsmassnahmen und konsolidierte Liste · 2026-05
  3. OFAC – Specially Designated Nationals (SDN) List and Consolidated List API · 2026-04
  4. EU – Consolidated Financial Sanctions List (CFSP) · 2026-03
  5. Bundesgesetz über die Bekämpfung der Geldwäscherei (GwG, SR 955.0) – Revision 2026 · 2026-01
  6. MROS – Meldestelle für Geldwäscherei: Meldepflicht und -Praxis · 2026-02

FITS YOUR STACK?

What this looks like in your business – a 30-minute intro call.

Book a call