Introduction
In Switzerland's financial sector, data regulation is not merely a legal obligation but a cornerstone of trust and operational integrity. Financial institutions handle vast amounts of sensitive personal and financial data daily, facilitating innovation while exposing themselves to significant risks. Data breaches, cyber threats, and regulatory non-compliance can lead to severe consequences, including financial loss, reputational damage, and legal repercussions.
For the purpose of this blog, "financial institutions" refers to a broad range of entities operating in Switzerland's financial sector, including banks, insurance companies, investment firms, payment service providers, and other entities subject to the relevant laws and regulations. We will examine the evolving regulatory landscape governing data privacy, security, governance, and Artificial Intelligence (AI) in Switzerland's financial sector, outlining the key obligations and compliance measures financial institutions need in order to navigate this complex environment effectively.
Overview of Regulatory Framework
To mitigate the risks in the financial sector, financial institutions must establish robust data governance frameworks that prioritize privacy, security, and compliance. These frameworks should align with key regulations, including the Federal Act on Data Protection (FADP), the Data Protection Ordinance (DPO), the Anti-Money Laundering Act (AMLA), the Banking Act, the Financial Market Infrastructure Act (FinMIA), and the Financial Market Supervision Act (FINMASA).
Regulatory bodies such as the Federal Data Protection and Information Commissioner (FDPIC), the Swiss Financial Market Supervisory Authority (FINMA), and the National Cyber Security Centre (NCSC) provide oversight and guidance to enhance resilience against cyber threats and ensure regulatory adherence.
Data Privacy in the Financial Sector & How Securiti Can Help
Data Collection
Under Article 19 of the FADP, financial institutions must inform customers about their data collection practices. This includes providing customers with clear and sufficient information to enable them to exercise their rights effectively. Specifically, financial institutions must disclose:
- The identity and contact details of the data controller.
- Categories of personal data collected (if not directly obtained from the data subject).
- Purposes for which the data is processed.
- Recipients or categories of recipients to whom the data is transmitted, including details on cross-border transfers such as the destination country or international organization.
Securiti’s Privacy Notice Module automates and customizes privacy notices for compliance with global data laws, ensuring transparency and real-time updates.
Legal Basis and Data Retention
The FADP requires that all processing of personal data comply with its provisions. Unlike some other frameworks, the FADP does not require private entities to establish a specific lawful basis for each processing activity. However, where a financial institution relies on consent, that consent must be informed, specific, and freely given. Explicit consent is mandatory for processing sensitive personal data or conducting high-risk profiling, as set out in Articles 6(6) and 6(7) of the FADP.
The retention period for data in the financial sector can vary depending on specific circumstances and regulatory requirements. Generally, financial institutions must adhere to the Swiss Code of Obligations, which, under Article 958(f), mandates a ten-year retention period for accounting records. This requirement is also reflected in other laws, such as Article 7 of the AMLA. Additionally, Article 6(4) of the FADP requires that personal data be deleted or anonymized once it is no longer needed unless other legal obligations apply.
Securiti’s Data Privacy solution automates compliance with evolving global privacy regulations and principles.
Data Processing Principles
Article 6 of the FADP outlines essential principles for data processing, which financial institutions must follow:
- Lawfulness: All personal data must be processed lawfully.
- Good Faith and Proportionality: Data processing must be fair, transparent, and limited to what is necessary for its intended purpose.
- Purpose Limitation: Personal data must be collected and processed only for specific, clearly defined purposes that the data subject can recognize.
- Accuracy: Financial institutions must ensure that customer data is accurate. They must take all appropriate measures to correct, delete, or destroy data that is incorrect or incomplete in relation to the purpose for which it is collected or processed.
Data Subjects’ Rights
Chapter 4 of the FADP grants data subjects several rights that financial institutions must facilitate. These rights include:
- Right to information.
- Right to access personal data.
- Right to erasure of personal data.
- Right to object to data processing.
- Right to data portability.
- Right not to be subjected to automated decision-making.
Under the FADP, deadlines for responding to data subject rights may vary. Access and data portability requests must be addressed within 30 days.
Securiti's Data Subject Request (DSR) Automation simplifies and streamlines the process of managing data subject requests and automates tasks such as access, deletion, and correction requests, ensuring compliance while reducing manual effort and risk.
Data Protection Impact Assessments (DPIAs)
Under Article 22 of the FADP, financial institutions must conduct DPIAs for processing activities likely to result in a high risk to the data subject's personality or fundamental rights. DPIAs should include:
- A detailed description of the processing activities.
- An assessment of associated risks.
- Planned measures to mitigate risks.
Financial institutions are exempt from conducting a DPIA if the processing:
- Is mandated by a legal obligation.
- Uses a system, product, or service certified under Article 13 of the FADP.
- Follows an approved code of conduct under Article 11 of the FADP.
If residual risks persist after a DPIA, financial institutions must seek the opinion of the FDPIC unless they consult a qualified data protection advisor.
Given the financial sector's increasing adoption of cloud-based services, DPIAs are especially relevant for financial institutions migrating banking operations to the cloud, ensuring adequate safeguards for customer data.
Securiti’s Assessment automation solution helps organizations evaluate their internal protocols, ensuring the necessary technical and organizational measures are in place to prevent human errors.
Incident Response and Breach Notification
Under Article 24 of the FADP and Article 15 of the DPO, financial institutions must notify the FDPIC of data breaches likely to pose high risks to data subjects as quickly as possible. Notifications must, at minimum, include the following:
- Details of the breach.
- Potential consequences.
- Mitigation measures undertaken or planned.
Additionally, data subjects must be informed, in simple and comprehensible language, when this is necessary for their protection or when the FDPIC so directs.
The financial institution is required to document breaches, including a summary of the incident's circumstances, its effects, and the measures taken. This documentation must be retained for at least two years from the time of the report.
Securiti’s Breach Management solution automates breach notifications and compliance actions, providing incident response workflows that help organizations respond to privacy incidents promptly and effectively.
Data Protection Officer (DPO)
While appointing a DPO is not mandatory for private businesses, Article 10 of the FADP encourages organizations to designate a DPO. A DPO can help financial institutions ensure compliance, oversee data protection practices, and act as a liaison with the FDPIC.
Securiti’s Data Mapping module equips DPOs with tools to catalog and map all data processing activities and to uphold stringent data security and governance protocols.
Record of Processing Activities (ROPA)
Maintaining a ROPA is critical for financial institutions: banks and other financial sector companies can rarely do without one if they are to ensure compliance and operational efficiency. A ROPA enables them to monitor data flows, assess risks, and implement appropriate safeguards. Article 12 of the FADP highlights the importance of the ROPA in defining the scope of data processing and aligning with governance frameworks, such as FINMA’s circular. Small and medium-sized enterprises whose data processing poses minimal risk may be exempt. Additionally, maintaining accurate records supports compliance with Article 7 of the AMLA by ensuring that transaction records and due diligence documentation are properly retained, regularly updated, and readily available for regulatory requests.
Securiti’s Assessment Automation module allows users to automate records of processing activities (ROPA) in line with global privacy regulations.
Cross-Border Transfers
Under the FADP, personal data can be transferred abroad if the destination country provides an adequate level of protection, as determined by the Federal Council (Annex 1 DPO). If the country lacks adequate protection, transfers are permitted if suitable safeguards are in place, such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or specific contractual agreements.
If none of these safeguards apply, limited exceptions under Article 17 of the FADP may allow transfers. Organizations must inform data subjects of cross-border transfers and document them in their processing inventory. Non-compliance can result in legal penalties under Article 61(a) of the FADP.
Securiti’s Data Access Governance (DAG) tool allows organizations to oversee and manage access to personal data across different jurisdictions.
Privacy by Design and by Default
Article 7 of the FADP mandates that financial institutions integrate privacy into their service design through Privacy by Design and Privacy by Default principles:
- Privacy by Design: Data protection should be embedded into financial products and services from inception. This includes strong encryption, multi-factor authentication, and pseudonymization techniques for fraud detection.
- Privacy by Default: Customer-facing services must have the highest privacy settings enabled by default. Examples include anonymized transaction histories in digital banking apps and pre-selected minimal data-sharing options for loan applications.
With the increasing digitization of financial services, financial institutions must ensure compliance with these principles from the outset, minimizing privacy risks without requiring additional user intervention.
Securiti’s Data Privacy Management suite allows users to comply with Privacy by Design and by Default by embedding robust privacy controls into their ecosystem, ensuring continuous regulatory compliance.
Know Your Customer (KYC) Obligation
Under Section 1 of the AMLA, financial institutions must verify customer identities as part of the KYC process when establishing a business relationship. This prevents money laundering, fraud, and terrorist financing. Financial institutions must collect valid documentation to confirm identity and, for legal entities, verify the individuals representing them.
KYC requirements also apply to high-value transactions, especially cash or insurance-related ones. If suspicious activity is detected, identity verification is mandatory regardless of transaction size. Additionally, financial institutions must identify the beneficial owner to ensure transparency and compliance with anti-money laundering laws.
Securiti’s Data Privacy Module automates compliance with evolving global privacy regulations.
Data Security in the Financial Sector & How Securiti Can Help
As digitalization advances, cyber threats are a growing concern for financial institutions worldwide. To mitigate risks, Switzerland is strengthening cybersecurity through existing laws, regulatory guidance, and new legislative initiatives.
Cybersecurity Framework
While Switzerland does not have a single comprehensive cybersecurity law, various statutes, regulations, and guidelines govern cybersecurity in the financial services sector. Notable developments include the establishment of the National Cyber Security Centre (NCSC) and updated regulatory expectations for financial institutions.
The NCSC, established under the Ordinance on Protection against Cyber Risks, serves as Switzerland's central hub for cybersecurity expertise and coordination. Although it does not perform direct regulatory functions, the NCSC collaborates with entities such as the Swiss Financial Market Supervisory Authority to enhance national preparedness against cyber threats.
Cybersecurity Obligations for Banks and Financial Market Infrastructures
In addition to maintaining security measures as required by Article 8 of the FADP and Article 1 of the DPO, financial institutions in Switzerland must comply with various cybersecurity obligations to safeguard their networks. Article 47 of the Banking Act imposes strict confidentiality obligations, making unauthorized disclosure or exploitation of sensitive financial data a criminal offense punishable by up to five years' imprisonment or significant fines.
Under Article 3(f) of the Banking Act, financial conglomerates are required to identify, limit, and monitor cyber risks. These responsibilities are further detailed in FINMA’s Circular 2023/1, whose key obligations include:
- Adopting internationally recognized Information and Communication Technology (ICT) standards and frameworks.
- Regularly reporting cyber risks, incidents, and control measures to management.
- Maintaining an up-to-date ICT inventory to swiftly identify vulnerabilities and respond effectively to cyberattacks.
- Conducting vulnerability scans and cyber exercises, carried out by qualified staff with adequate resources.
Article 14 of the FinMIA mandates that the financial market infrastructures operate IT systems that are suitable for their activities, ensure regulatory compliance, and include effective emergency arrangements to maintain business continuity. Under Article 23 FinMIA, systemically important financial market infrastructures are subject to special IT system requirements to further enhance their stability and resilience.
Cyberattack Reporting Obligations
Under Article 29(2) of the FINMASA, supervised financial institutions must report incidents of substantial importance to FINMA. This includes major cyberattacks affecting business-critical functions.
To clarify these obligations, FINMA issued Guidance 03/2024, which builds upon previous requirements and incorporates findings from cyber risk supervision, including insights from on-site reviews and risk assessments. It provides additional clarification on reporting duties outlined in FINMA Guidance 05/2020, emphasizing the importance of timely reporting and cyber risk management.
Regarding the threshold for reporting, cyberattacks must be reported if they impact critical functions, meaning those where a successful or partially successful attack could result in system failure or operational disruption.
The timelines for reporting are as follows:
- Financial institutions must submit a preliminary report to FINMA within 24 hours of identifying and assessing the criticality of the cyberattack.
- A full incident report must be submitted within 72 hours via FINMA’s web-based survey and application platform.
- Any new developments must be reported as they arise.
For cyberattacks classified as "high" or "severe" (as per Annex 1 of Guidance 05/2020), financial institutions are expected to provide a conclusive root cause analysis once the case has been fully processed. This report must detail:
- The reason for the attack’s success.
- Its impact on regulatory compliance and operations.
- Mitigation measures implemented to prevent recurrence.
In cases of severe incidents, financial institutions must demonstrate the effectiveness of their crisis management framework as part of their final report.
Moreover, under upcoming amendments to the Swiss Information Security Act, expected to take effect in the first half of 2025, critical infrastructure providers will be obliged to report cyberattacks on their IT resources to the NCSC within 24 hours.
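The FADP breach-notification duties above and the FINMA and NCSC reporting duties in this section all attach to the same incident, with different triggers and clocks. The following is an added example (not Securiti's code or any regulator's tooling) that derives the full set of obligations for one incident as the page describes them; the `Incident` fields, the sample timestamps and the assumption that the NCSC 24-hour window runs from detection are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample timestamps (not from the page): detection, then criticality assessment.
CONSTRUCTED_DETECTED_AT = datetime(2025, 3, 3, 9, 15, tzinfo=timezone.utc)
CONSTRUCTED_ASSESSED_AT = datetime(2025, 3, 3, 13, 40, tzinfo=timezone.utc)

@dataclass
class Incident:
    detected_at: datetime
    assessed_at: Optional[datetime]          # when criticality was assessed; the FINMA 24h clock starts here
    affects_critical_function: bool          # FINMA Guidance 03/2024 reporting threshold
    severity: str                            # "high" / "severe" per Annex 1 of Guidance 05/2020
    personal_data_high_risk: bool            # FADP Art. 24 threshold for notifying the FDPIC
    subject_notice_needed: bool = False      # needed for data subjects' protection, or FDPIC so directs
    critical_infrastructure: bool = False    # in scope of the upcoming ISA amendment (NCSC reporting)

@dataclass
class Obligation:
    regime: str
    action: str
    due: Optional[datetime]   # None means "as quickly as possible" or no fixed deadline

def notification_obligations(inc: Incident) -> List[Obligation]:
    """Derive every notification duty the page describes for one incident."""
    obs: List[Obligation] = []
    if inc.affects_critical_function:
        if inc.assessed_at is None:
            # The 24h/72h clocks run from assessment, so an unassessed incident is itself a to-do.
            obs.append(Obligation("FINMA", "assess criticality to start reporting clock", None))
        else:
            obs.append(Obligation("FINMA", "preliminary report", inc.assessed_at + timedelta(hours=24)))
            obs.append(Obligation("FINMA", "full incident report via survey platform",
                                  inc.assessed_at + timedelta(hours=72)))
        if inc.severity in ("high", "severe"):
            obs.append(Obligation("FINMA", "conclusive root cause analysis on case closure", None))
        if inc.severity == "severe":
            obs.append(Obligation("FINMA", "demonstrate crisis management effectiveness in final report", None))
    if inc.personal_data_high_risk:
        obs.append(Obligation("FDPIC", "notify breach (facts, consequences, mitigation) as quickly as possible", None))
        obs.append(Obligation("INTERNAL", "document breach; retain record at least 2 years from report", None))
    if inc.subject_notice_needed:
        obs.append(Obligation("DATA SUBJECTS", "inform in simple, comprehensible language", None))
    if inc.critical_infrastructure:
        # Assumption: the 24h NCSC window is counted from detection; the page does not fix the start.
        obs.append(Obligation("NCSC", "report cyberattack on IT resources (upcoming ISA duty)",
                              inc.detected_at + timedelta(hours=24)))
    return obs

def sample_obligations() -> List[Obligation]:
    """Constructed scenario: ransomware on a core-banking function that also exposed customer data."""
    return notification_obligations(Incident(
        detected_at=CONSTRUCTED_DETECTED_AT, assessed_at=CONSTRUCTED_ASSESSED_AT,
        affects_critical_function=True, severity="severe",
        personal_data_high_risk=True, subject_notice_needed=True, critical_infrastructure=True))

if __name__ == "__main__":
    for o in sorted(sample_obligations(), key=lambda o: (o.due is None, o.due or CONSTRUCTED_DETECTED_AT)):
        print(f"{o.regime:13} {o.due.isoformat() if o.due else 'ASAP / no fixed deadline':25} {o.action}")
```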
Securiti’s Breach Management solution automates breach notifications and compliance actions, ensuring timely reporting of security incidents.
Securiti’s Data Security Posture Management solution empowers organizations to mitigate data breach risks, safeguard data sharing, and enhance compliance while minimizing the cost and complexity of implementing data controls.
Outsourcing Risks
While outsourcing business functions allows financial institutions to scale and specialize, it also introduces potential vulnerabilities. To mitigate these risks, FINMA Guidance 03/2024 provides that if a financial institution outsources a significant function, particularly critical functions or substantial amounts of critical data, the service provider and any subcontractors must comply with the same regulatory requirements as the supervised financial institution. Maintaining an up-to-date inventory of all significant outsourced functions, including subcontractors, is considered essential for regulatory compliance. The financial institution nevertheless remains fully responsible for meeting supervisory requirements; this responsibility cannot be transferred to the service provider.
Securiti’s Vendor Risk Management solution automates vendor risk assessments, tracks subcontractor engagements and data breaches, and provides automated alerts, supplier assessments, and security audits for ongoing third-party risk monitoring.
Data Governance in the Financial Sector & How Securiti Can Help
Effective data governance ensures operational resilience, risk management, and regulatory compliance. To effectively address these areas, as per FINMA Guidance 03/2024, financial institutions must establish comprehensive frameworks that integrate both preventative and reactive measures. To achieve this, the following key areas require focus:
- Board-level accountability is essential for integrating cyber risks into overall risk management. Financial institutions must oversee third-party data flows and enforce vendor compliance. Defining cyber risks, risk appetite, and tolerance helps set a strong foundation for mitigation and decision-making.
- Effective risk mitigation starts with clear data classification and regular assessments. Financial institutions should implement continuous threat monitoring and penetration testing to detect vulnerabilities early and enhance security measures.
- Strict access controls, continuous monitoring, and tested data recovery plans are necessary to prevent unauthorized access and ensure resilience against cyber threats, including ransomware. The recovery processes must guarantee data integrity and completeness.
- Employee awareness programs are critical in mitigating social engineering risks, ensuring that staff recognize and respond appropriately to potential cyber threats.
- Cyber resilience testing, including red teaming and tabletop exercises, is crucial for validating data governance effectiveness. Independent audits and regular governance reviews ensure security controls remain aligned with regulatory expectations and evolving threats.
- Clear reporting mechanisms are essential for transparency and compliance. Financial institutions must document risk exercises, internal reviews, and governance measures to demonstrate proactive data security management and regulatory adherence.
Securiti's Data Governance module automates data discovery, classification, and lifecycle management to ensure compliance and enable efficient data control across environments.
AI in the Financial Sector & How Securiti Can Help
The Swiss financial sector is increasingly integrating AI to enhance efficiency, automate processes, and improve decision-making. However, this adoption comes with regulatory and operational challenges.
FINMA has highlighted key risks associated with AI in its Guidance 08/2024, including model biases, lack of explainability, cybersecurity threats, and dependency on third-party AI providers. While there are no AI-specific regulations as of yet, existing financial laws require financial institutions to incorporate AI risks into their governance and risk management strategies.
To ensure responsible AI use, FINMA advises financial institutions to maintain high data quality, conduct thorough testing, and establish independent reviews of AI models. Continuous monitoring and a clear understanding of AI-driven decisions are essential to mitigate potential legal and reputational risks.
Looking ahead to 2025, significant developments in AI governance are expected as regulators refine their frameworks in response to evolving risks and international standards.
Securiti's AI Security & Governance module protects AI systems by managing data security, privacy, and compliance, ensuring safe and ethical AI operations.
Conclusion
As financial services become more digitalized, Switzerland’s regulatory framework continues to evolve to address emerging risks in data privacy, security, governance, and AI implementation. Financial institutions must remain compliant with existing laws while preparing for stricter oversight in areas such as cyber resilience and AI governance.
Securiti, a pioneer in the Data Command Center, provides a centralized platform that enables secure data usage and facilitates responsible GenAI integration. Through its unified approach to data intelligence, control, and orchestration across hybrid multi-cloud environments, Securiti helps financial institutions safeguard sensitive data, enhance customer trust, and navigate complex regulatory requirements with confidence.
Request a demo to learn more.