What does FINMA stand for? What are the objectives of this independent authority and what is its role in the Swiss financial market? What is FINMA's Fintech authorisation all about? And what does FINMA-compliant mean in terms of hosting? In this blog post, we have summarised what is relevant for tech companies in Switzerland in relation to FINMA.
What is FINMA's role?
FINMA stands for the Swiss Financial Market Supervisory Authority. As its name suggests, FINMA supervises and monitors all areas of the financial sector. FINMA is a public-law institution with its own legal personality and its head office in Bern. Its activities are based on the Financial Market Supervision Act. This law was passed by the Swiss parliament on 22 June 2007. The Federal Council brought the Act into force in full on 1 January 2009.
As an independent authority over the Swiss financial market, FINMA has sovereign powers over banks, insurance companies, stock exchanges, financial institutions, collective investment schemes plus their asset managers and fund management companies, as well as insurance intermediaries. FINMA is committed to protecting creditors, investors and insured persons and to safeguarding the functioning of the financial markets. FINMA thus sees itself primarily as a supervisory authority whose main task is to monitor compliance with the laws and ordinances enacted by Parliament and the Federal Council. The authority is subject to parliamentary oversight and must answer to parliamentary supervisory committees.
What does FINMA do?
FINMA has a statutory mandate to protect financial market clients - namely creditors, investors and insured persons - and the functioning of the financial markets.
Good to know: Since 1 May 2013, FINMA's powers have extended beyond the supervised financial sector. As part of its general market supervision, it has to punish market abuse, in particular insider trading and market manipulation, among other things.
The primary objective of financial market supervision is to maintain the functioning of the financial markets and to protect clients, as a collective, from the insolvency of supervised institutions. The next sections provide an overview of FINMA's objectives.
What are FINMA's objectives?
FINMA's objectives are functional protection, individual protection and reputation promotion.
- Functional protection: "The first and most important prerequisite for a stable and functioning financial system is the solvency of the supervised institutions. FINMA's supervisory activities aim, among other things, to ensure that supervised institutions manage their risks, which can endanger individual institutions and subsequently also the functioning of the system," FINMA writes. The aim is to ensure the stability of the financial system and promote confidence in the orderly functioning of the financial markets.
- Individual protection: As described above, creditors, investors and insured persons are to be protected from insolvencies of institutions, from unfair business practices and from unequal treatment in the stock exchange sector. This protection goal of FINMA is to be understood collectively. From the perspective of the collective, it is of central importance that financial institutions are solvent at all times. Ensuring this is one of its main objectives.
- Reputation promotion: FINMA's supervisory activities help to strengthen the competitiveness and reputation of the Swiss financial centre.
How independent is FINMA?
FINMA is functionally, institutionally and financially independent. We explain briefly below what this means:
- Institutional independence: To ensure institutional independence, the legislator has designed FINMA as a public-law institution with its own legal personality. Its bodies are the board of directors and the executive board.
- Functional independence: Independence from political authorities prevents parliament or government from giving FINMA instructions on its supervisory activities.
- Financial independence: FINMA is not financed by taxpayers' money but by supervisory levies and fees. FINMA charges fees for supervisory procedures and for services. It also levies an annual supervisory charge on supervised entities, per supervisory area, to cover those costs that the fees do not cover. FINMA's accounts are audited by the Swiss Federal Audit Office.
What is FINMA's fintech authorisation?
FinTech (financial technology) offers the global financial industry new opportunities to adapt to changing customer needs, reduce costs, save time and make its products accessible to larger parts of the world's population. The innovative use of FinTech enables financial institutions to design and offer their products and services in a customer-oriented and efficient manner. To promote innovative financial companies, the legislator has created the so-called Fintech licence, a licence with relaxed requirements. FINMA is responsible for issuing this licence. The Fintech licence allows the acceptance of public deposits of up to one hundred million Swiss francs or of crypto-based assets, provided that the public deposits or assets are neither invested nor interest-bearing.
What does FINMA-compliant mean in relation to hosting?
FINMA Circular 2018/3 on the outsourcing of hosting services at banks and insurance companies stipulates that outsourcing of business processes is only permitted if the outsourcing company can ensure that its audit firm and FINMA can exercise and enforce their inspection and audit rights. The outsourcing company must therefore ensure that it has access to information that is held only by the IT service provider. For the service providers, this means that they must ensure transparency vis-à-vis the client.
"Since it is difficult to verify compliance with supervisory regulations as well as Swiss data protection requirements with foreign providers, Swiss banks have so far been reluctant to use foreign cloud services," concludes a blog post by the Lucerne University of Applied Sciences and Arts on the topic of cloud banking. So when choosing an IT infrastructure provider, the provider's location should also be taken into account for data protection reasons. In times of data leaks and increasingly perfidious hacker attacks, most companies, and their end customers, want to know where their data is stored. Most hyperscalers such as Amazon or Microsoft have their headquarters in the USA, where the Patriot Act allows authorities to access company data without judicial review. In Switzerland, on the other hand, such access is not permitted.
Would you like a secure and FINMA-compliant home for your IT environment? Contact us for a no-obligation consultation or a free demo.
When must a hacker attack be reported to FINMA?
Supervised persons and entities, as well as their audit firms, must immediately report to FINMA any incidents that are of material importance for supervision. This includes hacker attacks, data theft and data leaks. According to the data protection team at law firm Walder Wyss, the criterion of materiality is met if the protection of creditors, investors and insured persons and/or the functioning of the financial markets is impaired.
"FINMA considers the risk of cyber attacks on the Swiss financial centre to remain very high. FINMA's supervised institutions are targeted by cyber criminals who, in addition to monetary interests, also aim to compromise the availability, confidentiality and integrity of critical technology infrastructure and sensitive information," FINMA wrote in a supervisory communication in May 2020.
What do tech companies need to consider when storing customer data?
As described above, companies must guarantee the security of all stored personal data. Both employee and customer data must be protected as well as possible. If this data is accidentally or intentionally compromised, and it turns out after the cyber attack or data leak that the company concerned had not taken appropriate security measures, it may face fines and sanctions. The Swiss Federal Act on Data Protection (FADP) provides for penal provisions in the event of intentional violations of the obligations to provide information, to report and to cooperate, as well as of the professional duty of confidentiality.
The FADP is currently being revised. The revision is intended to create more transparency and strengthen the co-determination rights of data subjects. The draft revision is strongly based on the EU General Data Protection Regulation (GDPR). Companies with customers in the EU are already subject to the GDPR today, and since 2018 it has allowed much higher fines than before in order to enforce data protection law effectively.
Check out the Xelon blog for more free resources on data protection:
- This is why your data should stay in Switzerland
- Backups: How to back up your data correctly
- Cyber security and the protection of customer data
Do you have questions about FINMA-compliant hosting? Are you looking for a reliable cloud infrastructure solution where your data is stored in ISO-certified data centres in Switzerland? Would you like feedback on your data protection concept? Contact us for a consultation.
Simon Kilchmann