On 10 July 2026, the UN Security Council's ISIL and Al-Qaida Sanctions Committee amended its consolidated list. On 4 March 2016 the Federal Council adopted the Ordinance on the automatic application of the UN Security Council's sanctions lists, meaning amendments to UN sanctions lists enter into force in Switzerland without delay. Sanction ordinances are implemented by the State Secretariat for Economic Affairs (SECO), and the names of individuals, groups and companies affected are listed in annexes to these ordinances which are updated continuously. The SESAM database was refreshed the same day.
For a crypto exchange optimised for retail trading velocity, the SESAM update is a compliance event handled by a periodic batch process, a screening run that catches new designations when it runs, whenever that may be. For an institutional custody operation, it is something else entirely: an obligation that attaches the moment the list changes, not the moment the compliance team notices.
All customers and counterparty VASPs must be screened against applicable designated party lists before onboarding and on an ongoing basis. Any match triggers an asset freeze and reporting obligation. The gap between "ongoing" as a regulatory expectation and "periodic" as an operational reality is where institutional settlement risk lives.
Consider a pre-funded settlement scenario. An institutional counterparty has deposited assets for a block trade scheduled to settle within hours. Between deposit and settlement, SECO updates SESAM with a UN-mandated designation. If the exchange's screening infrastructure operates on a nightly batch cycle, common in systems designed for high-throughput retail trading, the settlement may execute before the new designation triggers a review. The assets move. The compliance failure is already in the audit trail.
A breach of sanctions may result in imprisonment for up to five years, which may be combined with a fine of up to CHF 1 million. Businesses can also be held criminally liable for breach of sanctions, as can managing directors, employers, delegators or principals who intentionally or negligently fail to prevent a breach committed by a subordinate. The liability architecture does not distinguish between exchanges that screen every four hours and exchanges that screen every twenty-four. It distinguishes between compliance and non-compliance.
This is not a novel problem in traditional finance. Banks operating custody and settlement services built their infrastructure around regulatory continuity, real-time watchlist ingestion, automated transaction holds, and compliance gates embedded in the settlement workflow itself. The screening layer is not an add-on; it is load-bearing.
Crypto exchanges grew from a different root. The core competency is matching engine performance: order book depth, latency, throughput. Settlement, to the extent it existed, was largely on-chain finality, a technical event, not a compliance event. Custody emerged as a feature, not a discipline. And sanctions screening, where it existed at all, was designed for onboarding, not for continuous in-custody monitoring.
On 12 January 2026, FINMA published its Guidance 01/2026, setting out expectations regarding the custody of crypto-based assets and the associated risks for institutions subject to FINMA's supervision. Against the backdrop of a rapidly growing market for crypto-related trading, investment and custody services, FINMA observes that crypto-based assets are increasingly held with or by banks, securities firms, portfolio managers and collective investment schemes. FINMA further stresses that the supervised institutions remain fully responsible for ensuring compliant custody structures and that custody arrangements which do not meet supervisory expectations must be revisited and, where necessary, adapted.
The guidance is unambiguous: custody is a regulated activity, and the institution holding the assets bears responsibility regardless of whether custody was originally a bolt-on or a core service. But responsibility without infrastructure is exposure.
The FINMA AML crypto Switzerland landscape shifted materially in 2026. FINMA published substantial revisions to its Anti-Money Laundering Ordinance during April, May 2026, tightening enhanced due diligence triggers, expanding supervisory expectations for virtual asset service providers, and responding directly to criticisms raised in Switzerland's latest FATF mutual evaluation. The regulatory trajectory is clear: crypto service providers will be held to the same compliance standards as traditional financial institutions. The question is whether their infrastructure can meet those standards.
It is not enough to screen a customer once at onboarding. Firms need to understand the person or entity behind the account, identify whether sanctions exposure exists directly or indirectly, and assess whether transaction patterns, wallet behavior, or counterparty exposure suggest evasion risk. In practice, crypto compliance is now a blend of sanctions controls, AML controls, and risk-based monitoring rather than a collection of isolated checks.
The architectural challenge is specific. Trading systems are built for throughput, thousands of order events per second, with latency measured in microseconds. Compliance systems are built for accuracy, structured data validation, human review escalation, audit trail generation. Integrating them without degrading either function requires design decisions made at the infrastructure level, not the feature level.
Crypto custody and settlement platforms are built to secure digital assets, control transactions, and support institutional operations. These key features form the foundation of crypto settlement platform development by enabling compliant settlement, secure storage, and efficient institutional workflows. Purpose-built institutional custody infrastructure treats compliance as a precondition for settlement, not a post-settlement audit function.
For exchanges that built their custody capability as an extension of their trading platform, the retrofit is non-trivial. Real-time sanctions screening requires API integration with SESAM or equivalent data feeds, transaction hold logic embedded in the settlement workflow, and escalation paths that can pause high-value movements pending manual review, all without introducing latency into the trading layer that remains the exchange's commercial differentiator.
Institutions now expect custody providers to support operational functions including stablecoin payments, cross-border settlement, and yield generation. Institutional requirements have evolved beyond secure storage. The expectation gap is widening. Institutional counterparties are not simply asking whether an exchange can hold assets securely; they are asking whether the exchange can demonstrate, in audit-ready form, that every settlement occurred against a current sanctions list.
If data is missing, mismatched, or linked to sanctions risk, the VASP may need to reject, suspend, or report the transfer. The operational verb is "may need to", which means the system must be capable of rejecting or suspending, not merely flagging after the fact. Capability is infrastructure. It cannot be improvised during a regulatory event.
The Monday morning SESAM update is routine. SECO publishes regularly; UN designations flow through automatically. What makes this particular update useful as a diagnostic is its ordinariness. Every exchange competing for institutional flow should be able to answer a simple question: when SESAM updated on 10 July, how long did it take before every in-custody position and pending settlement was screened against the new list? If the answer is "by the end of day" or "at next scheduled run," the answer is also: our infrastructure does not support the compliance posture our institutional counterparties require.
The path forward is not mysterious. It involves treating sanctions screening as a real-time data dependency for settlement, not a batch process that runs on its own schedule. It involves building compliance gates into custody workflows rather than auditing compliance after the fact. And it involves accepting that the infrastructure decisions made when the exchange was optimising for retail trading may not serve the institutional business the exchange now wants to build.
Regulated counterparties will increasingly ask for evidence of continuous compliance, not just periodic compliance. The exchanges that can provide it will hold the assets. The exchanges that cannot will explain why their architecture makes it difficult.
References
[1] FINMA, International sanctions and independent freezing measures
[2] SECO, Searching for subjects of sanctions
[3] FINMA Guidance 01/2026, Custody of crypto-based assets
[4] UN Security Council, ISIL (Da'esh) and Al-Qaida Sanctions List






