FINMA awareness: AI governance for banks, insurers and asset-managing fiduciaries
FINMA Supervisory Notice 08/2024, Circular 2023/01 on operational risks. Who is supervised, what FINMA requires, what is best practice for the non-supervised.
Researched & fact-checked by: DuneDive LLC · As of: 2026-05
What does FINMA regulate regarding AI?
The Swiss Financial Market Supervisory Authority FINMA supervises banks, insurers, asset managers and trustees, managers of collective assets, fund management companies, self-regulatory organisations, supervisory organisations, financial-market infrastructures and securities firms. On 12 February 2025 Switzerland decided against a horizontal AI regulation like the EU AI Act in favour of a sectoral approach – supplemented by ratification of the Council of Europe AI Convention. Implementing legislation is expected by the end of 2026.
For the financial market, a sectoral approach means FINMA applies its existing supervisory tools to AI. Three documents are central. First, FINMA Circular 2023/01 "Operational risks and resilience – banks", in force since 1 January 2024, which sets requirements on IT risk management, cyber security, data governance and outsourcing. Second, FINMA Supervisory Notice 08/2024 "Governance and risk management in the use of artificial intelligence" of December 2024, addressed to all supervised entities and covering four topic blocks: governance and accountability, inventory and risk classification, data quality and model validation, explainability and customer effects. Third, FINMA Circular 2018/03 "Outsourcing", which also applies to AI providers as outsourcing partners.
As of May 2026, a separate AI licence regime is NOT planned. AI use in supervised institutions is reviewed via the existing supervisory frameworks, combined with FINMA surveys (annual, next Q3 2026) and on-site inspections.
Who is FINMA-supervised and who is not?
The question "am I FINMA-supervised?" decides the level of formal AI governance required. Four profiles are relevant in Swiss practice.
Clearly FINMA-supervised: universal banks (UBS, ZKB, cantonal banks), foreign banks, private banks, asset-management banks, insurers (life, non-life, supplementary health), reinsurers, asset managers and trustees under FinIA (licence requirement since 1 January 2020, transition period ended 31 December 2022), fund management companies, managers of collective assets, securities firms, financial-market infrastructures (SIX, SIS, SwissDOTS).
Indirectly captured: outsourcing providers and cloud vendors delivering critical services to supervised institutions. A Swiss AI boutique building LLM routing for a bank is indirectly captured via FINMA Circular 2018/03 – the bank must ensure the provider meets requirements, which is contractually passed through.
NOT FINMA-supervised: classical fiduciaries providing only accounting, tax returns, fiduciary mandates without asset management. Law firms, notaries, auditors (RAB-supervised, not FINMA), real-estate brokers, IT service providers, insurance intermediaries (FINMA-registered but lightly supervised), crypto exchanges with pure spot trading without custody.
Borderline: fiduciary office managing client assets (investment recommendations, asset-management mandate) – above CHF 5 million AuM or with regular commercial activity, FINMA licence required under FinIA Art. 17. Fintech platforms with deposit character above CHF 100 million – banking licence or fintech licence required. Crypto providers with token listing or stablecoin issuance – usually FinG/AMLA duty.
What FINMA actually requires
Supervisory Notice 08/2024 names four duty blocks for supervised institutions.
1. Governance and accountability: AI use is a management board matter, not an IT operation. The board and management must own the AI strategy, define a risk appetite and approve AI initiatives via an internal committee. Responsibilities must be set down in writing – who is model owner, who is data owner, who is responsible for validation. This is markedly stricter than for ordinary IT projects.
2. Inventory and risk classification: every AI system in use is to be entered into an AI inventory, classified by (a) materiality (which business processes depend on it), (b) customer effect (does the system decide credit grants, premium calculation, investment recommendation?), (c) supervisory exposure (does it touch licensed activities?). The classification drives the depth of validation, monitoring and escalation.
3. Data quality and model validation: data lineage, data-quality controls, validation tests before go-live, periodic re-validation, drift monitoring in operation. Black-box models without explainability are problematic for high-materiality cases. With third-party models (OpenAI, Anthropic) the missing model transparency must be covered by compensating measures: output audits, sampling validation, comparison tests against benchmarks.
4. Explainability and customer information: where an AI system makes or materially supports a customer-relevant decision (credit refusal, premium increase, investment recommendation), the customer is to be informed transparently – in line with Art. 21 para. 1 lit. f revFADP (information on fully-automated decisions). Complaint and correction channels are to be provided.
For banks, Circular 2023/01 additionally concretises IT requirements: vulnerability management, patch management, incident response within 24 hours, annual penetration tests, crisis exercises every two years.
FINMA-compliant AI setup in 7 steps
1. Clarify status: are you FINMA-supervised? Check the FINMA licensee list and FinIA/FinIO thresholds.
2. Build an AI inventory: capture every AI system in use with materiality, customer effect, licensing relevance.
3. Define risk appetite: board resolution on tolerance thresholds for AI risks (performance, bias, hallucination).
4. Data-quality and model-validation process: validation tests before go-live, annual re-validation, drift monitoring in operation.
5. Review outsourcing contracts with AI providers: FINMA Circular 2018/03-compliant, with audit rights, sub-processor control, examination clauses.
6. Explainability and customer information: where the AI system decides customer-relevant matters, provide information and a correction channel.
7. Internal audit and management review: annual review of the framework, report to board, policy update.
Apply FINMA awareness: yes or no?
Apply fully: if you belong to FINMA-supervised institutions. Requirements are binding. Non-compliance can trigger enforcement, with sanctions ranging from warning through business-field bans to licence withdrawal. A documented AI inventory and an AI governance framework are a standard inspection point in 2026.
Apply voluntarily as best practice: if you handle fiduciary mandates below the CHF 5 million AuM threshold, are an insurance intermediary, run a crypto platform below licensing thresholds, or a fintech startup in the licensing pipeline. Here FINMA awareness is a maturity indicator: a bank entering an outsourcing contract with you will check governance maturity.
Do not apply: if you are a pure fiduciary practice without asset management, a law firm without FINMA exposure, a workshop, restaurant, classical SME. A lean AI policy aligned with the FADP and the usual ISO 27001 principles suffices. Formal FINMA awareness does not apply.
Preventive application: if you plan to expand into the FINMA space (build an asset-management line, apply for a fintech licence, advise crypto providers), begin AI governance 12-18 months before filing. The FINMA licence will presuppose adequate controls – building them under application stress costs more.
When FINMA-style requirements would be excessive
There are situations where the full FINMA machinery would be disproportionate and simpler compliance paths suffice.
Pure accounting fiduciaries without asset management: the effort for a full AI inventory with materiality classification and risk-appetite statement is not justified. Data falls under the FADP, professional conduct under standards of Treuhand Suisse or EXPERTsuisse. A lean AI policy and a client clause in the fiduciary mandate suffice.
Academic research with AI: universities and research institutes using AI in studies fall under their own research ethics frameworks and the Human Research Act, not FINMA.
SMEs in industry or services without financial services: the machine builder with AI-supported quality control needs an ISO 9001 quality management plus possibly ISO 42001, but no FINMA awareness.
Consumer tools for private use: using ChatGPT for restaurant recommendations or birthday-poem creation is not FINMA-relevant.
Important: even if you are not FINMA-supervised, Supervisory Notice 08/2024 is freely available as a best-practice document. Many Swiss SMEs voluntarily use it as a structuring aid for their own AI policy – analogous to many SMEs applying ISO 27001 principles without seeking certification.
Trade-offs
STRENGTHS
- Sectoral Swiss approach more pragmatic than horizontal EU-AI-Act regulation
- Supervisory Notice 08/2024 as a clear structuring aid, also for non-supervised entities
- Interlocking with Circular 2023/01 (operational risks) and 2018/03 (outsourcing) uses existing frameworks
- AI inventory and risk classification durably sharpen management awareness
WEAKNESSES
- Duties spread across multiple documents (Circular 2023/01, SN 08/2024, Circular 2018/03)
- Indirect scope (outsourcing) generates contractual effort for AI providers
- Black-box models (OpenAI, Anthropic) require compensating validation – additional cost
- Sectoral approach causes duplication for providers in the EU market (EU AI Act applies in parallel)
FAQ
Are fiduciaries FINMA-supervised?
As a rule NOT. Classical fiduciary activities (accounting, tax returns, fiduciary mandates without investment choice) do not fall under FINMA. Once asset management or investment advice with regular commercial nature or above CHF 5 million AuM is added, the FinIA licence requirement kicks in (FinIA Art. 17). Check carefully: "investment recommendations" are already in scope; "mere accounting" is not.
What happens if a FINMA inspection finds AI shortcomings?
FINMA works in an escalation ladder. First step: review report with action plan, typically 6-12 months' deadline. Second step: on-site follow-up review. Third step: enforcement procedure with order – from warning through obligations to licence withdrawal. With systemic violation, public disclosure under FINMASA Art. 34 looms, which is reputationally expensive. No AI-specific enforcement procedures are publicly known for 2025/2026, but the 2025 FINMA survey shows active supervision.
Is ISO 27001 enough for FINMA?
No, but it helps as a baseline. ISO 27001 largely covers the information-security pillar of Circular 2023/01. The AI-specific duties from Supervisory Notice 08/2024 (AI inventory, materiality classification, model validation, explainability) require an additional layer – usually ISO 42001 or an adapted internal framework. The combination ISO 27001 + ISO 42001 + FINMA-specific outsourcing framework is the standard build at mid-sized Swiss banks and insurers in 2026.
Does FINMA require AI inference to take place in Switzerland?
Not explicitly. FINMA does however require that critical outsourcings (Circular 2018/03) do not impede supervisability and that data is moved along FADP-compliant paths. In practice many banks require EU hosting of the inference endpoint (Azure OpenAI Frankfurt, AWS Bedrock Frankfurt) or directly CH hosting (Aleph Alpha on Swiss infrastructure, or own Hetzner FSN/CH setup). For particularly sensitive data (customer identification, banking-secrecy data under Art. 47 BA), CH hosting remains the conservative path.
Sources
- FINMA Supervisory Notice 08/2024 – Governance and risk management in the use of artificial intelligence · 2024-12
- FINMA Circular 2023/01 – Operational risks and resilience (banks) · 2024-01
- FINMA Circular 2018/03 – Outsourcing (banks and insurers) · 2018-12
- FINMA survey 2025 – Artificial intelligence on the rise in Swiss financial institutions · 2025-04
- Federal Council decision of 12 February 2025 – Sectoral approach to AI regulation in Switzerland · 2025-02
- Bracher / Suter – Commentary on the FINMA Supervisory Notice on AI (Jusletter Weblaw, 2024-12-24) · 2024-12