MROS Annual Report 2025: 21,087 Suspicious Activity Reports, Three Trend Themes, and the Coming Data-Quality Bar

The Money Laundering Reporting Office Switzerland — MROS, the Swiss financial intelligence unit (FIU) attached to fedpol — published its Annual Report 2025 in May 2026. The headline number is the one most people will quote: 21,087 suspicious activity reports (SARs) reached MROS over the year, an increase of 39.3% on 2024 and a new record. Volume has nearly quadrupled since the goAML reporting system went live at the start of 2020. On an average business day in 2025, 82 SARs landed in the queue. Behind the volume, the composition of what financial intermediaries are reporting — and how they detect it — has shifted in ways that matter for second-line teams.

The volume growth has multiple drivers. Mandatory-reporting law has tightened, particularly through the move under Article 9(1)(a) of the Anti-Money Laundering Act (AMLA, the Swiss Geldwäschereigesetz / GwG) that turned what had been an optional reporting right under Article 305ter(2) of the Penal Code into a default. Internal monitoring has matured: more intermediaries run transaction-monitoring systems than five years ago, and the systems themselves catch more. And case complexity has risen — both because criminal modi operandi have professionalised, and because the digitalisation of the financial system has put more transactions through paths that warrant a second look. We read the 2025 report not as a story about a number but as a diagnostic of the pipeline: where the reports come from, what they describe, what triggers them, and what the FIU is asking intermediaries to do next.

Overview

1. Where the volume came from
2. Predicate offences: fraud is the centre of gravity
3. How suspicion is triggered, and what is changing
4. Three trend themes for 2025
5. The new data-quality regime under Article 23(7) AMLA
6. Where to focus through the rest of 2026
7. Where we sit

Where the volume came from

Banks remain the dominant reporting sector. In 2025, 91.3% of SARs to MROS came from banks; the rest were spread across payment service providers, asset managers, fiduciaries, and the other financial-intermediary categories under the AMLA. Since goAML went live, that distribution has been broadly stable — what changes is the absolute volume, not the mix. The composition of the headline pipeline is shaped, more than anything else, by what banks file.

The legal basis on which intermediaries report is also shifting. Across existing customer relationships, 76.6% of reports in 2025 were filed under the mandatory reporting duty in Article 9(1)(a) AMLA, against 17.4% under the discretionary right in Article 305ter(2) PC. That continues a long trend — in 2016 the same split was almost exactly inverted, with 62.8% of reports filed as discretionary. The 2025 movement (+4.1pp toward mandatory, –4.3pp away from discretionary) is consistent with the trajectory of recent years. The remainder relates to reports filed when an intermediary declines to enter into a relationship in the first place, under Article 9(1)(b) AMLA.

The downstream pipeline is moving in step. MROS referred 1,375 cases to law-enforcement authorities under Article 23(4) AMLA in 2025, up 31.5% on 1,046 in 2024. The content of each referral has also grown — what was on average 1.4 underlying SARs per referral in 2022 is now several, as MROS bundles related reports into more substantial analytical products. In another 72 cases, MROS sent additional information to prosecutors after an initial referral had already gone out. The feedback loop on the other side has stayed roughly proportional: across the three full years to 31 December 2025 (2021–2024), 46.6% of referrals received some form of feedback from law-enforcement.

Predicate offences: fraud is the centre of gravity

When an intermediary files a SAR, it indicates which predicate offence it suspects underlies the funds. In 2025, fraud (Article 146 PC) was named — alone or in combination — as a suspected predicate in 64.3% of all SARs. That is well above the 2020–2024 average of 57.6%, and far above any other category. Document forgery (6.9%; 2020–2024 average 11.1%) and embezzlement (3.4%; average 5.7%) both fell year-on-year. Qualified tax offences declined to 1.8% from a five-year average of 5.8%. Drug-trafficking, bribery, and criminal-organisation predicates remained in the low single digits.

Two things follow from this. The first is that the typology library most second-line teams need to internalise has narrowed: if two-thirds of the reports we file describe fraud — and the trend is accelerating, not reverting — the indicators around customer accounts being used as conduits for fraud proceeds deserve disproportionate weight in the monitoring backlog. The second is that "fraud" in this dataset is heterogeneous. It covers manipulated business communication (the trend MROS focuses chapter 4.1 on, and to which we return below), online fraud at the consumer level, romance and investment scams, and the use of money-mule accounts inside otherwise legitimate institutions. The composite picture is one in which fraud-driven money flows have become the largest single workload on the Swiss AML system, and the workload is growing faster than the rest.

How suspicion is triggered, and what is changing

The triggering elements behind a SAR — what made the intermediary suspicious in the first place — have moved more sharply than the predicate offences. Reports may carry several triggers (the goAML field is multi-select), so the percentages overlap.

Three observations stand out. First, third-party information overtook internal transaction monitoring as the most common single trigger. In 2025, 29.2% of SARs were prompted at least in part by external information — counterparties, public reporting, foreign FIU referrals, criminal-justice tip-offs — against an average of 24.9% over 2020–2024. Internal transaction monitoring remained close behind at 28.1%, but slipped from a 31.5% five-year average. This is the first time in the goAML series that monitoring has not been the leading single trigger.

Second, two pattern-based triggers grew sharply. Pass-through accounts — accounts that briefly receive funds before forwarding them, often the operational signature of a money mule or layering chain — featured in 22.1% of 2025 SARs, against a 13.7% five-year average: the largest absolute jump of any element. Unclear economic background — cases where transaction activity cannot be reconciled with the customer's declared profile or business — was named in 21.3% of SARs, almost double the five-year average of 10.8%. These two together describe a different kind of suspicion than a threshold-based monitoring rule produces. They describe a relationship view: someone reading the account, comparing it with what was understood at onboarding, and noticing the gap. Cash-related triggers continued to climb (16.9% versus 12.2%), consistent with the same picture.

The combined movement is the same story told through a different lens as the volume growth and the predicate-offence concentration. The pipeline is broadening at the top — more sources are feeding suspicion — while narrowing in the middle, around fraud as the dominant pattern. Monitoring still matters; it just is no longer doing the work alone.

Three trend themes for 2025

Last year, MROS replaced its standalone "typologies" chapter with a focused "trends" chapter, and moved the full typology library to its public website (where it has been published continuously since May 2025). The 2025 report continues that arrangement and selects three priority phenomena: manipulated business communication, shadow fleets, and Italian mafia activity.

Manipulated business communication — the umbrella under which CEO fraud and Business Email Compromise (BEC) sit — is described as established and increasingly professional. Damages routinely reach the millions of Swiss francs per case. The modus operandi is patient: attackers study a target's internal structures, decision processes, and supplier relationships for weeks before triggering a fraudulent transfer. MROS includes a worked BEC example involving a Swiss firm with an existing supplier relationship in the United Arab Emirates. The pattern is familiar to any compliance officer who has worked an investigation, but two operational notes from the report are worth surfacing: where international FIU cooperation works, it sometimes blocks funds before they ever land in the foreign correspondent's books — but that depends on the intermediary filing fast and complete. A late, thin SAR loses that window.

Shadow fleets are the report's expansion of the sanctions theme. The framing is specific to the post-2022 environment: networks of vessels, owners, managers, brokers, and insurers that move sanctioned cargo (most prominently Russian crude) outside the standard Western maritime infrastructure. MROS is careful about the legal contour — Swiss sanctions enforcement sits with the State Secretariat for Economic Affairs (SECO), not MROS — but a Swiss intermediary that surfaces ML/CFT exposure in the course of a sanctions-evasion analysis is expected to file a SAR under Article 9 AMLA in addition to whatever notification SECO's regime requires. The indicators MROS lists are recognisable from the international shadow-fleet literature: AIS dark periods and ship-to-ship transfers, re-flagging in opaque registries, recurring high-risk shipowners and P&I clubs, port choices that align with sanctions-evasion routes, and counterparties touching SECO, OFAC, or EU lists.

Italian mafia activity is the third theme. The report restates what is structurally true: Italian organised crime — most notably the 'Ndrangheta, alongside the Camorra, Cosa Nostra, the Sacra Corona Unita, and groups out of Apulia — generates extraordinary volumes of criminal proceeds (estimates of legal-economy turnover in Italy run from €40bn to €150bn per year, depending on methodology) and needs to reinvest those proceeds. Switzerland is one of the destinations. About 5% of the SARs MROS received in 2025 carried a criminal-organisation marker, although on detailed analysis the legal threshold for Article 260ter PC is often not met, and conversely the typology surfaces in reports that originally landed for unrelated reasons. The practical signals MROS calls out — cash-intensive small-business activity, layered CH–IT corporate structures with quiet beneficial-owner changes, real estate at premium valuations followed by rapid refinancing, counterparties named in Italian DIA relazioni semestrali — are unromantic and concrete. They reward continuity in the relationship view as much as alerting in transaction monitoring.

The new data-quality regime under Article 23(7) AMLA

The most consequential operational change in the 2025 report is not in the trend chapter. It sits in chapter 5, where MROS announces the implementation pathway for Article 23(7) AMLA — a new statutory basis that will let MROS define a binding data standard for SAR filings, including the XML Data Quality Report (DQ-Report) that will let the FIU give individual intermediaries quantitative feedback on the quality of what they file.

The mechanics: MROS has defined a set of data-quality measures — selected for their effect on downstream analytical processes and for the degree to which they can be measured automatically — and bundled them into version 1.0 of the DQ-Report. Pilot tests with a limited number of intermediaries are scheduled for the first quarter of 2026, with a full rollout to all reporting financial intermediaries from mid-2026. From that point onwards, individual intermediaries will receive standardised reports periodically, showing the level and trajectory of their data quality and how it compares against aggregated peer benchmarks. The DQ-Report is explicitly described as a quality-assurance instrument — not a supervisory grading — but in practice it will give MROS, and the intermediary's own second line, a comparable view of where each filing population sits.

Two adjacent developments belong with this. MROS is building a report scoring and risk scoring system to prioritise its own incoming queue — report scoring is in test, the broader risk-scoring module is in development. And the De-minimis-Praxis introduced under Article 9b AMLA now lets intermediaries notify the planned termination of a relationship at the moment of filing, provided that total assets in the relationship are below CHF 15,000, the termination decision is irreversible, and the intermediary marks the SAR with the code CANC40. That avoids a separate termination notice once the 40-day suspension period under Article 9b AMLA expires. None of these are dramatic individually. Cumulatively, they describe an MROS that is moving from passive acceptance of whatever filings come in to active management of the pipeline's quality and risk distribution.

For second-line teams, the practical implication is clear. The data-quality reports from mid-2026 will give MROS and each intermediary a directly comparable picture of how complete, consistent, and machine-processable each population's filings are. A team that is already using the goAML XML schema rigorously and applying MROS's published typology indicators will land where it expects to. A team that has been treating SAR filings as a free-text exercise and back-filling structured fields will not. The window to fix that is the run-up to mid-2026, before the comparison becomes routine.

Where to focus through the rest of 2026

Five things follow for compliance and financial-crime teams reading this report.

First, internalise the predicate-offence shift. If 64.3% of the system's SARs describe fraud, the typology library that is most worth investing in is the one that covers business-communication manipulation, money-mule patterns, online and investment fraud, and the corporate-account behaviours associated with them. The published MROS typologies — kept current on the MROS website since May 2025 — are the canonical reference. Aligning monitoring rules and analyst training to that library is the single most cost-effective adjustment available this year.

Second, take the trigger-source shift seriously. Internal transaction monitoring has slipped behind third-party information as the leading single trigger, and pattern-based triggers (pass-through accounts, unclear economic background) are growing fastest. The investments that move the needle here are not new alerts — they are connectivity. Better integration between transaction monitoring, customer due-diligence renewal, sanctions screening, and external information feeds; faster and more structured handling of foreign-FIU and law-enforcement tips; and a relationship view that lets analysts compare current activity against the customer profile that was approved at onboarding.

Third, prepare the SAR pipeline for the data-quality regime. Pilot testing of the XML DQ-Report begins in Q1 2026; full rollout follows mid-year. Every team has a finite window to audit its own filings against the goAML schema, retire any free-text shortcuts that the schema has a structured field for, and ensure the linked-entity, transaction, and account fields are populated rigorously and consistently. The first DQ-Report each intermediary receives will be the baseline against which the next year's progress is measured.

Fourth, work the three trend themes. Manipulated business communication is the single fastest path to seven-figure losses for our clients and counterparties; the indicators are not exotic, but they need to be taught and tested with the staff who handle outgoing payments. Shadow fleets are an AML extension of a sanctions investigation — most second-line teams will encounter them only obliquely, through trade-finance, correspondent-banking, or commodity-counterparty exposure, and the right response is structured cooperation with the SECO-facing line. The Italian-mafia indicators reward continuity: someone who reads the account in twelve-month context and notices the unexplained beneficial-owner change.

Fifth, watch the FATF country review. Switzerland's fifth Mutual Evaluation Report — the periodic FATF peer review — is in preparation, with the State Secretariat for International Finance (SIF) coordinating across the relevant federal and cantonal authorities and MROS itself running an internal gap analysis. The review will not be the supervisor with which an individual institution is in dialogue, but a country-level rating influences the supervisory tempo above. Teams that are tightening their AML programmes against the trends MROS identifies in 2025 will be in materially better shape when the country review concludes.

Where we sit

We build Bollwerk Frontier for the second line of defence — risk, compliance, and financial-crime teams whose job it is to surface the signals their institutions cannot afford to miss. The MROS 2025 report is, in that sense, a description of the system we are working in: the volume to triage, the predicate offences to weight, the triggers that work and the ones that are losing ground, the typologies that need to be live in monitoring next month rather than next year, and the data-quality bar that MROS is about to make legible at the level of individual intermediaries.

We pay attention to the parts of this workload that live unambiguously in the second line. The relationship view that detects unclear economic background. The cross-feed between external tips, sanctions exposure, and transaction monitoring that pushes more reports past the trigger threshold without producing more noise. The retrieval and analytical workflow that makes a SAR readable to MROS in the structured fields that the DQ-Report cares about. None of those are shortcuts around the work compliance officers do — they are tooling that lets the work happen at the cadence the pipeline now requires. If your team is working through any of this and would find it useful to compare notes, write to hello@bollwerk.ai.