-
- Art. 3 FC
- Art. 5a FC
- Art. 6 FC
- Art. 10 FC
- Art. 13 FC
- Art. 16 FC
- Art. 17 FC
- Art. 20 FC
- Art. 22 FC
- Art. 26 FC
- Art. 29a FC
- Art. 30 FC
- Art. 31 FC
- Art. 32 FC
- Art. 42 FC
- Art. 43 FC
- Art. 43a FC
- Art. 45 FC
- Art. 55 FC
- Art. 56 FC
- Art. 60 FC
- Art. 68 FC
- Art. 74 FC
- Art. 75b FC
- Art. 77 FC
- Art. 81 FC
- Art. 96 para. 1 FC
- Art. 96 para. 2 lit. a FC
- Art. 110 FC
- Art. 117a FC
- Art. 118 FC
- Art. 123a FC
- Art. 123b FC
- Art. 130 FC
- Art. 136 FC
- Art. 164 FC
- Art. 166 FC
- Art. 170 FC
- Art. 178 FC
- Art. 189 FC
- Art. 191 FC
-
- Art. 11 CO
- Art. 12 CO
- Art. 50 CO
- Art. 51 CO
- Art. 84 CO
- Art. 97 CO
- Art. 98 CO
- Art. 99 CO
- Art. 100 CO
- Art. 143 CO
- Art. 144 CO
- Art. 145 CO
- Art. 146 CO
- Art. 147 CO
- Art. 148 CO
- Art. 149 CO
- Art. 150 CO
- Art. 633 CO
- Art. 701 CO
- Art. 715 CO
- Art. 715a CO
- Art. 734f CO
- Art. 785 CO
- Art. 786 CO
- Art. 787 CO
- Art. 788 CO
- Art. 808c CO
- Transitional provisions to the revision of the Stock Corporation Act of June 19, 2020
-
- Art. 2 PRA
- Art. 3 PRA
- Art. 4 PRA
- Art. 6 PRA
- Art. 10 PRA
- Art. 10a PRA
- Art. 11 PRA
- Art. 12 PRA
- Art. 13 PRA
- Art. 14 PRA
- Art. 15 PRA
- Art. 16 PRA
- Art. 17 PRA
- Art. 19 PRA
- Art. 20 PRA
- Art. 21 PRA
- Art. 22 PRA
- Art. 23 PRA
- Art. 24 PRA
- Art. 25 PRA
- Art. 26 PRA
- Art. 27 PRA
- Art. 29 PRA
- Art. 30 PRA
- Art. 31 PRA
- Art. 32 PRA
- Art. 32a PRA
- Art. 33 PRA
- Art. 34 PRA
- Art. 35 PRA
- Art. 36 PRA
- Art. 37 PRA
- Art. 38 PRA
- Art. 39 PRA
- Art. 40 PRA
- Art. 41 PRA
- Art. 42 PRA
- Art. 43 PRA
- Art. 44 PRA
- Art. 45 PRA
- Art. 46 PRA
- Art. 47 PRA
- Art. 48 PRA
- Art. 49 PRA
- Art. 50 PRA
- Art. 51 PRA
- Art. 52 PRA
- Art. 53 PRA
- Art. 54 PRA
- Art. 55 PRA
- Art. 56 PRA
- Art. 57 PRA
- Art. 58 PRA
- Art. 59a PRA
- Art. 59b PRA
- Art. 59c PRA
- Art. 60 PRA
- Art. 60a PRA
- Art. 62 PRA
- Art. 63 PRA
- Art. 64 PRA
- Art. 67 PRA
- Art. 67a PRA
- Art. 67b PRA
- Art. 73 PRA
- Art. 73a PRA
- Art. 75 PRA
- Art. 75a PRA
- Art. 76 PRA
- Art. 76a PRA
- Art. 90 PRA
-
- Art. 1 IMAC
- Art. 1a IMAC
- Art. 3 para. 1 and 2 IMAC
- Art. 8 IMAC
- Art. 8a IMAC
- Art. 11b IMAC
- Art. 16 IMAC
- Art. 17 IMAC
- Art. 17a IMAC
- Art. 32 IMAC
- Art. 35 IMAC
- Art. 47 IMAC
- Art. 55a IMAC
- Art. 63 IMAC
- Art. 67 IMAC
- Art. 67a IMAC
- Art. 74 IMAC
- Art. 74a IMAC
- Art. 80 IMAC
- Art. 80a IMAC
- Art. 80b IMAC
- Art. 80c IMAC
- Art. 80d IMAC
- Art. 80h IMAC
-
- Vorb. zu Art. 1 FADP
- Art. 1 FADP
- Art. 2 FADP
- Art. 3 FADP
- Art. 4 FADP
- Art. 5 lit. c FADP
- Art. 5 lit. d FADP
- Art. 5 lit. f und g FADP
- Art. 6 para. 3-5 FADP
- Art. 6 Abs. 6 and 7 FADP
- Art. 7 FADP
- Art. 10 FADP
- Art. 11 FADP
- Art. 12 FADP
- Art. 14 FADP
- Art. 15 FADP
- Art. 18 FADP
- Art. 19 FADP
- Art. 20 FADP
- Art. 22 FADP
- Art. 23 FADP
- Art. 25 FADP
- Art. 26 FADP
- Art. 27 FADP
- Art. 31 para. 2 lit. e FADP
- Art. 33 FADP
- Art. 34 FADP
- Art. 35 FADP
- Art. 38 FADP
- Art. 39 FADP
- Art. 40 FADP
- Art. 41 FADP
- Art. 42 FADP
- Art. 43 FADP
- Art. 44 FADP
- Art. 44a FADP
- Art. 45 FADP
- Art. 46 FADP
- Art. 47 FADP
- Art. 47a FADP
- Art. 48 FADP
- Art. 49 FADP
- Art. 50 FADP
- Art. 51 FADP
- Art. 52 FADP
- Art. 54 FADP
- Art. 55 FADP
- Art. 57 FADP
- Art. 58 FADP
- Art. 60 FADP
- Art. 61 FADP
- Art. 62 FADP
- Art. 63 FADP
- Art. 64 FADP
- Art. 65 FADP
- Art. 66 FADP
- Art. 67 FADP
- Art. 69 FADP
- Art. 72 FADP
- Art. 72a FADP
-
- Art. 2 CCC (Convention on Cybercrime)
- Art. 3 CCC (Convention on Cybercrime)
- Art. 4 CCC (Convention on Cybercrime)
- Art. 5 CCC (Convention on Cybercrime)
- Art. 6 CCC (Convention on Cybercrime)
- Art. 7 CCC (Convention on Cybercrime)
- Art. 8 CCC (Convention on Cybercrime)
- Art. 9 CCC (Convention on Cybercrime)
- Art. 11 CCC (Convention on Cybercrime)
- Art. 12 CCC (Convention on Cybercrime)
- Art. 16 CCC (Convention on Cybercrime)
- Art. 18 CCC (Convention on Cybercrime)
- Art. 25 CCC (Convention on Cybercrime)
- Art. 27 CCC (Convention on Cybercrime)
- Art. 28 CCC (Convention on Cybercrime)
- Art. 29 CCC (Convention on Cybercrime)
- Art. 32 CCC (Convention on Cybercrime)
- Art. 33 CCC (Convention on Cybercrime)
- Art. 34 CCC (Convention on Cybercrime)
-
- Art. 2 para. 1 AMLA
- Art. 2a para. 1-2 and 4-5 AMLA
- Art. 2 para. 2 AMLA
- Art. 2 para. 3 AMLA
- Art. 3 AMLA
- Art. 7 AMLA
- Art. 7a AMLA
- Art. 8 AMLA
- Art. 8a AMLA
- Art. 11 AMLA
- Art. 14 AMLA
- Art. 15 AMLA
- Art. 20 AMLA
- Art. 23 AMLA
- Art. 24 AMLA
- Art. 24a AMLA
- Art. 25 AMLA
- Art. 26 AMLA
- Art. 26a AMLA
- Art. 27 AMLA
- Art. 28 AMLA
- Art. 29 AMLA
- Art. 29a AMLA
- Art. 29b AMLA
- Art. 30 AMLA
- Art. 31 AMLA
- Art. 31a AMLA
- Art. 32 AMLA
- Art. 34 AMLA
- Art. 38 AMLA
FEDERAL CONSTITUTION
MEDICAL DEVICES ORDINANCE
CODE OF OBLIGATIONS
FEDERAL LAW ON PRIVATE INTERNATIONAL LAW
LUGANO CONVENTION
CODE OF CRIMINAL PROCEDURE
CIVIL PROCEDURE CODE
FEDERAL ACT ON POLITICAL RIGHTS
CIVIL CODE
FEDERAL ACT ON CARTELS AND OTHER RESTRAINTS OF COMPETITION
FEDERAL ACT ON INTERNATIONAL MUTUAL ASSISTANCE IN CRIMINAL MATTERS
DEBT ENFORCEMENT AND BANKRUPTCY ACT
FEDERAL ACT ON DATA PROTECTION
CRIMINAL CODE
CYBERCRIME CONVENTION
COMMERCIAL REGISTER ORDINANCE
FEDERAL ACT ON COMBATING MONEY LAUNDERING AND TERRORIST FINANCING
FREEDOM OF INFORMATION ACT
FEDERAL ACT ON THE INTERNATIONAL TRANSFER OF CULTURAL PROPERTY
- I. Introduction
- II. Databases and files relating to suspicious activity reports (para. 1)
- III. Disclosure of data and files (para. 2)
- IV. Right of access of data subjects (para. 3)
- V. Destruction of data after five years (para. 4)
- Bibliography
- Materialis
I. Introduction
1 With the entry into force of the revised Anti-Money Laundering Act (AMLA) on January 1, 2023, Art. 34 AMLA was significantly amended in the interests of legal consistency. Firstly, the heading of Art. 34 AMLA was amended to reflect the content, which concerns data collection in connection with both the reporting obligation (Art. 9 AMLA) and the right to report (Art. 305ter para. 2 SCC). This was done primarily with a view to providing a more comprehensive formulation and extending the scope to include information that may be disclosed to the Money Laundering Reporting Office (MROS) in accordance with Art. 11a AMLA. It now bears the title: “Databases and files relating to reports and information provided to the reporting office”. Secondly, the previous AMLA supervisory authorities have been expanded to include the Central Office.
II. Databases and files relating to suspicious activity reports (para. 1)
A. Addressees of the standard
2 According to Art. 34 para. 1 AMLA, financial intermediaries must maintain separate databases and files containing all documents relating to the reporting obligation (Art. 9 AMLA) or the right to report (Art. 305ter para. 2 SCC) as well as to inquiries from the Reporting Office (MROS) pursuant to Art. 11a AMLA. By explicitly listing both types of reporting, the legislator made it clear that the right to report continues to fall within the scope of Art. 34 AMLA and that the same rules apply to the separate data collections for all reports. The storage of databases and files within the meaning of Art. 34 AMLA applies exclusively to financial intermediaries – thus, the standard does not refer to the storage of such documentation by MROS itself. This provision is a lex specialis to the data protection regulations governing the handling of documentation, the access rights of the customers concerned, and the retention periods that apply in connection with a suspicious activity report.
B. Relevant files
3 Financial intermediaries already collect a considerable amount of customer data at the beginning and in the course of the usual business relationship as part of their due diligence obligations. If the financial intermediary decides to report to MROS, it would be impractical, even disproportionate, to subsequently separate all electronic and physical data in the customer file that is related to the internal investigations and the report. The mere customer data collected in the course of the normal business relationship can be stored separately as a copy or as an attachment to the suspicious activity report in accordance with Art. 34 para. 1 AMLA.
4 The documents collected during the reporting process primarily include the reporting form completed by the financial intermediary (which, since 2020, has been submitted electronically via the “goAML” information system) as well as relevant supporting documents and file notes containing a detailed analysis of the reasonable grounds for suspicion and the in-depth investigations carried out (Art. 6 AMLA). The latter consist of investigations by the compliance department or the anti-money laundering unit based on publicly or restrictedly accessible databases (e.g., relevant media articles, PEP comparisons using databases such as World-Check, or detailed evidence of suspicious transactions) and the results of these investigations. If these do not dispel the initial suspicion, KYC documents or, if applicable, the communication between the customer and the customer advisor or the money laundering unit with the customer advisor must be attached. In addition, correspondence or reports prepared by a qualified third party (such as external compliance service providers or specialized lawyers) may also be attached. This must enable MROS to make a decision based on the report file. As a result, such documents are no longer merely business documents collected as part of the usual due diligence obligations (Art. 3, 4, and 5 AMLA), but rather files of increased sensitivity.
5 The MROS maintains a non-exhaustive list of documents that must be submitted for reports in accordance with the Ordinance on the Money Laundering Reporting Office (MGwV).
C. Need-to-know principle
6 In order to ensure the proper management of risks relating to the confidentiality of electronic and physical customer data, the “need-to-know” principle must be strictly applied. This fundamental principle of data protection means that individuals may only be given access to information or functionalities that are necessary for the performance of their duties. Consequently, only the anti-money laundering unit of the respective financial intermediary should be given access to the separate data collection and be entrusted with its processing and management. In practice, the anti-money laundering unit creates a report dossier for each completed suspicious case and archives a copy of it with restricted access in a separate internal database. It should be noted that the documentation of the customer file with the usual business documents remains unaffected by this.
D. No-AML reports
7 According to the wording, only reports actually submitted to MROS fall within the scope of Art. 34 para. 1 AMLA. In practice, however, it may happen that, after in-depth investigations of the suspected money laundering, certain suspicious circumstances can be ruled out – for example, if the unusual or conspicuous behavior of the customer can be explained or if there is simply no predicate offense to money laundering. This gives rise to a documentation obligation in the form of a “no-AML report,” which, following the partial revision of the GwV-FINMA, has been newly regulated in Art. 22a para. 2 GwV-FINMA since January 1, 2023.
1. Documentation requirements
8 Accordingly, if a financial intermediary decides not to file an MROS report because the suspicion has been dispelled by additional investigations, it must document the reasons for this decision. There is no reporting obligation within the meaning of Art. 9 AMLA, as there is no “reasonable suspicion.” The financial intermediary must document the clarifications carried out as part of the No-AML report in accordance with the requirements of Art. 7 AMLA, but primarily in order to be able to prove that the reporting obligation was not violated by not filing a report. The requirements for this documentation obligation are designed in such a way that even expert third parties can form a reliable opinion on compliance with the due diligence obligations.
9 Because “hindsight bias” can often occur in the retrospective assessment of decisions – i.e., the risk that the facts appear clearer and more complete in retrospect than they actually were at the time of the decision – particularly high requirements must be placed on the content of a No-AML report. This is the only way to prevent administrative, supervisory, or even criminal consequences.
2. Maintenance of a separate database for no-AML reports
10 No-AML reports differ from actual MROS reports only in their outcome – the additional clarifications carried out and the sensitivity of the data remain the same. In practical terms, such cases are also documented and archived in a separate database by the anti-money laundering unit. For this reason, it can be logically assumed – despite not being explicitly mentioned – that such data collections fall within the scope of Art. 34 AMLA.
11 From a practical point of view, it seems obvious to place no-AML reports within the scope of Art. 34 para. 1 AMLA, as further grounds for suspicion may arise in the course of the business relationship in question. In this case, additional clarifications must be carried out and, if necessary, new sensitive customer data must be collected, documented, and stored in a separately maintained database. A no-AML report from a non-reporting financial intermediary could also constitute part of the additional information requested by MROS on the basis of a suspicious activity report from a reporting financial intermediary pursuant to Art. 11a AMLA. This would mean that the no-AML report is related to a suspicious activity report, which is why the same rules must apply as for the suspicious activity report itself. Due to the close relationship between the no-AML report and the MROS report described above, it seems justified to deny the customer the right to information under the FADP with regard to the sensitive customer data associated with the no-AML report.
E. Requests from the reporting office pursuant to Art. 11a AMLA
12 With the partial revision of the AMLA, since January 1, 2023, a financial intermediary must maintain separate databases and files with all documents related to requests from the reporting office pursuant to Art. 11a AMLA.
1. Disclosure of additional information
13 If MROS requires additional information for the analysis of a report received by it pursuant to Art. 9 AMLA or Art. 305ter para. 2 SCC, the reporting financial intermediary must disclose this information to MROS upon request pursuant to Art. 11a para. 1 AMLA, insofar as it is available to the financial intermediary. This means that any additional information obtained by MROS from a reporting financial intermediary is assigned to the report file in accordance with Art. 34 para. 1 AMLA. This does not include information that goes beyond the suspicious activity report, but is closely related to it.
2. Third-party intermediaries and foreign FIUs
14 If, on the basis of this analysis, MROS determines that, in addition to the reporting financial intermediary, other financial intermediaries are or were involved in a transaction or business relationship, the financial intermediaries involved must, upon request, provide the reporting office with all related information in their possession, in accordance with Art. 11a para. 2 AMLA.
15 Prior to the partial revision on January 1, 2023, non-reporting financial intermediaries were not required to maintain additional information requested by MROS under Art. 11a para. 2 AMLA in a separate database within the meaning of Art. 34 para. 1 AMLA. Considering that the additional information provided by a non-reporting financial intermediary is highly sensitive data in connection with a suspicious activity report – and not regular KYC information – the unequal treatment did not appear to be objectively justified.
16 If, based on the analysis of information from a foreign reporting office (“Financial Intelligence Unit” [FIU]), it becomes apparent that financial intermediaries subject to the AMLA are or were involved in a reported transaction or business relationship, the financial intermediaries involved must, in accordance with Art. 11a para. 2bis AMLA, provide MROS with all related information upon request, insofar as they have it at their disposal.
17 Before the entry into force of para. 2bis on July 1, 2021, MROS was only able to obtain additional information if this was required for the analysis of a suspicious activity report from a financial intermediary operating exclusively within Switzerland. Such a locally bound requirement constituted an obstacle in the cross-border fight against money laundering and terrorist financing: The MROS was not yet able to request additional information from Swiss financial intermediaries on the basis of a request or ad hoc information provided by a foreign FIU. Only if a suspicious activity report from a Swiss financial intermediary was already in its database could the MROS deepen its analysis and request additional information. Financial intermediaries are not informed whether the MROS's request for information is based on para. 2 or para. 2bis, which is why the information must be stored in separate databases in accordance with Art. 34 para. 1 AMLA.
III. Disclosure of data and files (para. 2)
18 Financial intermediaries may only disclose data from the aforementioned separately maintained databases and files to FINMA, the ESBK, the intercantonal authority, the central office, the supervisory and self-regulatory organizations, MROS, and law enforcement authorities. This list is exhaustive. The explicit mention of the reporting office and the law enforcement authorities is considered unfortunate by some scholars, as it makes the other competent data recipients appear to be of equal importance, even though they should be viewed differently. This is because MROS receives the report file with the suspicious activity report in accordance with Art. 9 AMLA or Art. 305ter para. 2 of the SCC and forwards it to the law enforcement authorities if there is reasonable suspicion in accordance with Art. 23 para. 4 AMLA.
19 It should therefore be clarified that Art. 34 para. 2 AMLA is a mandatory provision with regard to the disclosure of this data to MROS. With regard to the other authorities mentioned in the paragraph, financial intermediaries are not generally obliged to automatically forward every suspicious activity report together with the complete report dossier. If the report concerns a business relationship involving significant assets, the reporting financial intermediary must inform the authorities of the report (Art. 22a GwV-FINMA). It should also be noted that some self-regulatory organizations require their affiliated financial intermediaries to immediately forward a copy of each report submitted. However, an obligation to disclose information to a supervisory authority only arises if the latter expressly requests access to the report file after being informed by the financial intermediary that a suspicious activity report has been submitted.
20 Since January 1, 2020, financial intermediaries have been submitting their suspicious activity reports predominantly by electronic means. The MROS data processing system used to date has been replaced by the “goAML” information system. Law enforcement authorities also receive the information reported to MROS via “goAML,” supplemented by an analysis report from MROS. To date, however, MROS must also accept suspicious activity reports in paper form. With the upcoming partial revision of the AMLA, this option will be eliminated (Art. 23 para. 7 E-AMLA).
21 The disclosure of particularly sensitive personal data to third parties is prohibited under Art. 30 para. 2 lit. c of the FADP, unless there is a justification under Art. 31 para. 1 FADP. This justification is provided by Art. 34 para. 2 AMLA. Under data protection law, there is generally no additional justification required vis-à-vis MROS, as the statutory reporting obligation already requires the disclosure of the relevant data. Art. 34 para. 2 AMLA also clearly regulates which recipients have access to the data contained in the report file, regardless of how sensitive the data is. Additional justifications under Art. 31 para. 1 FADP are therefore excluded.
IV. Right of access of data subjects (para. 3)
22 In the context of data protection, the right of access plays the most important role. It allows the data subject – i.e. the person whose data is being processed – to assert their data protection rights. This is because the prerequisite for safeguarding the rights of the data subject is their knowledge of the data being processed about them.
23 With regard to the right to information under data protection law, the AMLA now provides for special provisions with regard to its assertion in the sense of a lex specialis: According to Art. 34 para. AMLA, the right of access of a data subject (Art. 25 FADP) must be exercised vis-à-vis MROS – and not, for example, vis-à-vis the financial intermediary (Art. 35 AMLA). The actual processing by MROS – i.e., the modalities of data processing, the data subject's right to information, and any restrictions on the information – is regulated by Art. 35 AMLA in accordance with Art. 8 of the Federal Act on Federal Police Information Systems (BPI).
24 The financial intermediary's prohibition on disclosure under Art. 10a aGwG had been indefinite since the partial revision on January 1, 2016. However, this was still contrasted by the exclusion of the right to information, which remained limited in time under Art. 34 para. 3 aGwG (during the MROS's analysis or the freezing of assets under Art. 10 aGwG).
25 This contradiction led to legal uncertainty for financial intermediaries, as on the one hand they could not refuse to provide an affected person with information about their report file under Art. 34 para. 3 AMLA. On the other hand, however, by disclosing the report file to the affected person, they would have violated the information prohibition under Art. 10a AMLA. However, both after the analysis had been completed and after the asset freeze had been lifted, the persons concerned still had the opportunity to assert their right to information. At that point in time, the report file would still have been the subject of preliminary investigations by the criminal prosecution authorities. Conversely, this would mean that the person concerned would learn of both the suspicious activity report and the involvement of the criminal authorities. If the person concerned decided to withdraw their assets, which in the worst case scenario would not yet be subject to a freezing order, the criminal proceedings would be immediately jeopardized. Furthermore, there was a risk that the customer would terminate the customer relationship and take legal action against the financial intermediary if the latter disclosed information about the report file. Although the financial intermediary would be protected under the provisions of Art. 11 AMLA, it could still face reputational damage as well as civil and criminal proceedings.
26 The current legal provision not only ensures consistency between Art. 34 and Art. 10a AMLA by indefinitely excluding the right to information under data protection law, but also improves the effectiveness of the suspicious activity reporting system. A data subject may only exercise their right to information on data in the separate data collections at MROS. The reporting office can therefore provide information to the data subject at its own discretion in accordance with Art. 35 para. 1 AMLA and in compliance with the procedural requirements relating to police collections of suspicious activity data. This ensures that information relevant to suspicions is processed in accordance with data protection regulations without jeopardizing the interests and procedures of the law enforcement authorities, which in turn increases legal certainty.
27 Data collected in connection with additional inquiries by reporting offices pursuant to Art. 11a AMLA from reporting and non-reporting financial intermediaries is also subject to the indefinite exclusion of the right to information. Financial intermediaries may not provide the person concerned with any information about this data (Art. 10a para. 1 AMLA).
V. Destruction of data after five years (para. 4)
28 According to Art. 34 para. 4 AMLA, data collected in connection with a report and forwarded to MROS must be destroyed five years after the report was made. This provision thus deviates from the ten-year retention period for business records under Art. 7 para. 3 AMLA and that under Art. 958f para. 1 CO.
29 Some legal scholars agree that the five-year retention period under Art. 34 para. 4 AMLA is a coordination error on the part of the legislator. In accordance with the recommendations of the Financial Action Task Force (FATF) and the EEC Money Laundering Directive, a retention period of five years was originally envisaged for Art. 7 para. 3 AMLA. However, during the parliamentary deliberations, the period in Art. 7 para. 3 AMLA was extended to ten years, as the documents in question often also constitute business documents and are therefore subject to the civil law retention obligation. However, Art. 34 para. 4 AMLA was not amended, even though it would also be appropriate to align it with the ten-year period. The opinion expressed here concurs with the recommendation of the majority of legal scholars, namely that – contrary to the current legal provision – Art. 34 para. 4 AMLA should be interpreted in line with the ten-year period specified in Art. 7 para. 3 AMLA.
30 The reporting office points out that the documents to be deleted are only copies of documents that were submitted to the reporting office in the context of a suspicious activity report or on the basis of a request (Art. 11a AMLA) and are not original documents within the meaning of Art. 7 para. 3 AMLA. However, this does not change the shortened retention period and the associated unsatisfactory situation for financial intermediaries in terms of supervisory law.
31 Another part of the doctrine considers that this approach can no longer be maintained because the five-year period in Art. 34 para. 4 AMLA has remained unchanged despite the recent amendment of the other paragraphs of Art. 34 AMLA and has not been extended to ten years. A shorter retention period is understandable from a data protection perspective, as personal data may only be retained for as long as is necessary for the purpose of processing (Art. 6 para. 4 FADP). This principle was already indirectly included in the principle of proportionality prior to the revision of the FADP. Once the suspicious activity report has been forwarded to MROS, the latter has all the relevant information and documents in accordance with Art. 34 para. 1 AMLA, so it can be assumed that these are no longer needed by the financial intermediary after five years. However, there is currently no apparent obligation under data protection law to delete the data after five years at the latest. Furthermore, para. 4 explicitly states that the data must be deleted after five years and not that it must be retained for at least five years. This can be interpreted as a clarification of the principle of data minimization (Art. 6 para. 2 FADP). Once the data has served its purpose, the financial intermediary has the option of deleting it earlier. In our opinion, this data fulfills its purpose from the perspective of MROS – however, from the perspective of the reporting financial intermediaries, this must be critically questioned. With regard to internal and external audit activities, however, financial intermediaries are advised not to delete the relevant documents prematurely. The statute of limitations for criminal prosecution, for example in the case of a breach of the reporting obligation under Art. 37 AMLA, which is seven years (Art. 52 FINMASA), must also be taken into account. It is not uncommon for an even longer period of time to elapse between the beginning of the breach of the reporting obligation and a criminal conviction. In this context, it is questionable whether and how a financial intermediary concerned can substantiate its defense without access to the relevant data in the report file.
32 From a practical point of view, financial intermediaries and the money laundering unit are already obliged to maintain a separate database with restricted access for documents and files in a report file. If the approach taken by the law is followed, the respective report files must be systematically assigned a five-year deadline, which either reminds the financial intermediary to manually delete the report files or automatically deletes them, resulting in additional administrative effort. This effort will be particularly noticeable in the banking sector: according to the MROS's annual statistics for 2024, 92.3% of the total 15,141 suspicious activity reports submitted came from the banking sector. This corresponds to approximately 59 reports per working day.
33 Furthermore, the practical purpose of storing personal data in the context of a suspicious activity report is not exclusively external, i.e., it is not merely to forward the data to MROS. In internal relations, business relationships that are reported to MROS on suspicion of money laundering and are not terminated should be categorized as having an increased risk of money laundering and be subject to special due diligence obligations (Art. 6 AMLA). The deletion of the report file after the five-year period or even earlier is not consistent with the risk assessment by the financial intermediary if the business relationship continues. If the business relationship does not involve any other risk-increasing factors (e.g., residence in a country with increased risk), a financial intermediary would be disposing of what is probably its only internal evidence of clarification and justification for the increased risk categorization.
34 In this context, it is also questionable how to deal with subsequent reports after the original report file has been deleted if new suspicions arise. A legal adjustment to the ten-year retention period would give the competent money laundering unit more time to follow up on information that has already been reported. This would improve traceability and the depth of documentation and would be useful to both the reporting office and the law enforcement authorities.
Bibliography
Bloch Juerg/Bühler Simon, Kampf gegen Terrorismusfinanzierung in der Schweiz: Herausforderungen für Finanzintermediäre, in: GesKR 2024, S. 53-73.
De Capitani Werner, Kommentierung zu Art. 34 GwG, in: Schmidt Niklaus (Hrsg.), Kommentar Einziehung – Organisiertes Verbrechen – Geldwäscherei, Bd. I, 2. Aufl., Zürich et al. 2007.
Derungs Corsin/Gmünder Eliane, Kommentierung zu Art. 34 GwG, in: Kunz Peter V./Jutzi Thomas/ Schären Simon (Hrsg.), Stämpflis Handkommentar, Geldwäschereigesetz (GwG), Bern 2017.
Gaul Caroline/Isler Michael/Vasella David, Kommentierung zu Art. 34 GwG, in: Hsu Peter Ch./Flühmann Daniel (Hrsg.), Basler Kommentar, Geldwäschereigesetz, Basel 2021.
Graber Christoph K./Oberholzer Dominik, Das neue GwG, 3. Aufl., Zürich 2009.
Gramigna Ralph, Kommentierung zu Art. 25 DSG, in: Blechta Gabor P., Vasella David (Hrsg.), Basler Kommentar, Datenschutzgesetz/Öffentlichkeitsgesetz, 4. Aufl., Basel 2024.
Hutzler Doris, EFD-Verurteilungen wegen Meldepflichtverletzung: Verantwortlichkeit in der Praxis, in: SZW 2025, S. 278-289.
Kilgus Sabine, Datenschutz und Geldwäschereibekämpfung – Wer schützt wen wovon wofür?, in: Persönlichkeitsschutz zwischen Mensch und Maschine, 25 Jahre Datenschutz-Forum Schweiz, 2024, S. 135-153.
Luchsinger Roland J./Blaser Julia, Neuerungen und offene Fragen der revidierten Geldwäschereivorschriften im Bereich des Nachmeldeverfahrens von Finanzintermediären, in: SZW 2022, S. 556-571.
Ordolli Stiliano, Kommentierung zu Art. 34 GwG, in: Thelesklaf Daniel/Wyss Ralph/van Thiel Mark/Ordolli Stiliano (Hrsg.), Orell Füssli Navigator Kommentar, GwG Kommentar/AMLA Commentary, 3. Aufl., Zürich 2019.
Rosenthal David, Das neue Datenschutzgesetz, in: Jusletter 16. November 2020.
Materialis
Association Romande des Intermediaires Financiers (ARIF), Richtlinie 13 zur Melde-, Sperr- und Geheimhaltungspflicht, abrufbar unter https://arif.ch/IMG/pdf/directives_2-13_d.pdf, besucht am 11.1.2026.
Botschaft zum Bundesgesetz über den Datenschutz (DSG) vom 23.3.1988, BBl 1988 II 413 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/1988/2_413_421_353/de, besucht am 29.08.2025.
Botschaft zum Bundesgesetz zur Bekämpfung der Geldwäscherei im Finanzsektor vom 17.6.1996, BBl 1996 III 1154 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/1996/3_1101_1057_993/de, besucht am 21.08.2025.
Botschaft zur Änderung des Geldwäschereigesetzes vom 27.6.2012, BBl 2012 6941 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/2012/1031/de, besucht am 27.8.2025.
Botschaft zur Umsetzung der 2012 revidierten Empfehlungen der Groupe d’action financière (GAFI) vom 13.12.2013, BBl 2014 605 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/2014/100/de, besucht am 31.8.2025.
Botschaft zum Bundesgesetz über die Totalrevision des Bundesgesetztes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz vom 15.9.2017, BBl 2017 6941 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/2017/2057/de, besucht am 1.9.2025.
Botschaft zur Genehmigung und zur Umsetzung des Übereinkommens des Europarats zur Verhütung des Terrorismus mit dem dazugehörigen Zusatzprotokoll sowie zur Verstärkung des strafrechtlichen Instrumentariums gegen Terrorismus und organisierte Kriminalität vom 14.9.2018, BBl 2018 6427 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/2018/2301/de, besucht am 26.8.2025.
Botschaft zur Änderung des Geldwäschereigesetzes vom 26.6.2019, BBl 2019 5451 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/2019/1932/de, besucht am 18.8.2025.
Botschaft zum Bundesgesetz über die Transparenz juristischer Personen und die Identifikation der wirtschaftlich berechtigten Person vom 22.5.2024, BBl 2024 1607 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/2024/1607/de, besucht am 22.11.2025.
Eidgenössische Finanzmarktaufsicht FINMA, Rundschreiben 2008/21 Operationelle Risiken – Banken, Eigenmittelanforderungen und qualitative Anforderungen für operationelle Risiken bei Banken, vom 20.11.2008, abrufbar unter https://www.finma.ch/de/~/media/finma/dokumente/rundschreiben-archiv/2008/rs-08-21/finma-rs-2008-21-20160922.pdf?sc_lang=de&hash=508C674329EF83C44FE1F53784637529, besucht am 23.8.2025.
Eidgenössische Finanzmarktaufsicht FINMA, Erläuterung zur Teilrevision der Geldwäschereiverordnung der FINMA (GwV-FINMA) vom 27.10.2002, abrufbar unter https://www.finma.ch/de/~/media/finma/dokumente/dokumentencenter/anhoerungen/abgeschlossene-anhoerungen/20221102-gwv-finma/erlaeuterungen_gwv_finma_20221027_de.pdf?sc_lang=de&hash=B2A5602EF279E721D833637EB4E92F38, besucht am 23.8.2025.
Eidgenössisches Justiz- und Polizeidepartement EJPD, Bundesamt für Polizei fedpol, Meldestelle für Geldwäscherei (MROS), Jahresbericht 2021, Bern 2022, abrufbar unter https://www.fedpol.admin.ch/dam/fedpol/de/data/kriminalitaet/geldwaescherei/jabe/jb-mros-2021.pdf.download.pdf/jb-mros-2021-d.pdf, besucht am 1.9.2025.
Eidgenössisches Justiz- und Polizeidepartement EJPD, Bundesamt für Polizei fedpol, Meldestelle für Geldwäscherei (MROS), Jahresbericht 2024, Bern 2022, abrufbar unter <https://www.fedpol.admin.ch/dam/fedpol/de/data/kriminalitaet/geldwaescherei/jabe/jb-mros-2024.pdf.download.pdf/jb-mros-2024-d.pdf> (besucht am 13.10.2025)
Eidgenössisches Justiz- und Polizeidepartement EJPD, Bundesamt für Polizei fedpol, Meldestelle für Geldwäscherei (MROS), Hilfreiche Dokumente und Links, Verdachtsmeldung gemäss Art. 9 GwG, abrufbar unter https://www.fedpol.admin.ch/fedpol/de/home/kriminalitaet/geldwaescherei/meldung.html, besucht am 3.9.2025.
PolyReg Allg. Selbstregulierungs-Verein, Reglement der SRO PolyReg gemäss Art. 25 GwG, abrufbar unter https://www.polyreg.ch/uploads/20230216.reglement.final.de.pdf, besucht am 11.1.2026.
Schweizerischer Versicherungsverband, Kommentar zum Reglement der Selbstregulierungsorganisation zur Bekämpfung der Geldwäscherei und der Terrorismusfinanzierung vom 12.2019, abrufbar unter https://www.sro-svv.ch/de/regelwerk/regulatorischer-auftrag/kommentar-zum-reglement-sro-svv, besucht am 8.9.2025.