FINMA Operational Risks and Resilience Circular explained.


We recently hosted our annual Swiss Breakfast Briefing and shared highlights from FINMA's Operational Risks and Resilience Circular, which came into force on 1 January 2024. Many attendees were unaware of these changes and their possible implications for operational practices, so let's dive into what the circular means for financial institutions in Switzerland.

Changes explained

The aim of the Operational Risks and Resilience Circular is to address data risk and the overall protection of critical data within a financial institution. This is a significant milestone that will strengthen the operational resilience of firms in Switzerland.

The circular highlights the need for more advanced technological developments within firms. It also clarifies supervisory practice with regard to the management of operational risks, particularly in connection with information and communication technology, handling critical data and cyber risks.

It is also worth noting that it replaces the Swiss Bankers Association's "Recommendations for Business Continuity Management (BCM)", which are recognised as a minimum standard.

FINMA requirements for mitigating critical data risk

Section D of the circular specifies how firms should manage data risk. These new expectations have far-reaching implications, with many firms needing to re-evaluate their current practices to ensure they are fit for purpose. Here are the core requirements:

Data Discovery
"The institution shall identify its critical data in a systematic and comprehensive way, categorise it on the basis of its criticality and define clear responsibilities".

Data Lifecycle Management
"The critical data defined by the institution must be managed throughout its entire lifecycle".

Data Protection
"In the management of critical data, in particular, the confidentiality, integrity, and availability of the critical data must be ensured through appropriate processes, procedures, and controls".

Data Access
"Critical data must be adequately protected from being accessed and used by unauthorised persons during operations and during the development, change, and migration of ICT. This also applies to critical data in test environments".

Cross-Border Data Transfers
"If critical data is stored outside of Switzerland or if it can be accessed from abroad, increased risks associated with this must be adequately mitigated and monitored via suitable means and the data afforded particular protection".

Need support?

If you're not sure whether your current operational practices meet these new expectations, why not book an introductory call with one of the team? They'll be more than happy to offer some advice on where your gaps may be.