FINMA Supervisory Notice 08/2024 on AI: four pillars governance, accountability, robustness, explainability
Supervisory Notice 08/2024 of 18 Dec 2024. Fiduciary relevance: only AMLA-supervised mandates. Pure accounting fiduciaries are not directly FINMA-supervised – but best practice is recommended.
Researched & fact-checked by: DuneDive LLC · As of: 2026-05
What is Supervisory Notice 08/2024?
FINMA Supervisory Notice 08/2024 "Governance and risk management in the use of artificial intelligence" was published on 18 December 2024. It is the first FINMA document with AI-specific requirements. Addressees are all FINMA-supervised entities: banks, insurers, asset managers, trustees, fund management companies, managers of collective assets, securities firms, financial market infrastructures.
SN 08/2024 is a supervisory notice, not a circular. Legally that means: no new conduct standard in the narrow sense, but a concretisation of existing duties (Circular 2023/01 operational risks, Circular 2018/03 outsourcing, sectoral duties from FinIA, CISA, ISA, BA). In practice the notice has the same binding force as a circular – FINMA examines along the four pillars.
The notice names four focus areas (pillars), formulated as "expectations". These expectations are not detailed prescriptions but outcome duties – the board and management must ensure fulfilment; the exact design is proportional to the materiality of the AI application.
Four pillars – what FINMA actually expects
Pillar 1: Governance. The top governing body (board) must own the AI strategy. This includes a written risk appetite, a clear AI approval process for new applications, an AI inventory (which AI systems are in use, in which business processes), periodic reporting to the board. Banks and insurers typically establish an internal AI governance committee that approves a risk assessment before any new system goes live.
Pillar 2: Accountability. Every AI system must have a clearly named owner – a natural person responsible for the system's performance – alongside a data owner, a validation owner and (for external models) an outsourcing owner. FINMA asks the pointed question: who can explain to me the decision the system made? The answer "we do not know, the model is a black box" is not acceptable.
Pillar 3: Robustness. This pillar covers data quality, model validation, drift monitoring in operation, stress tests, reproducibility of results and data lineage. In practice: a validation report with test results against a baseline before go-live, and in operation drift monitoring with defined escalation thresholds. With third-party models (OpenAI, Anthropic), the provider's internal validation reports are rarely sufficient – compensating output audits are needed.
Pillar 4: Explainability and customer communication. Where an AI system decides customer-relevant matters (credit grant, premium calculation, investment recommendation), it must be possible to explain why a given result was reached. This does not necessarily mean technical explainability (LIME, SHAP, counterfactuals), but a legal-functional explanation to the customer. Complaint and correction channels are required. The duty aligns with FADP Art. 21 para. 1 lit. f (information on solely automated decisions).
Fiduciary relevance of SN 08/2024 – where does it apply?
The question "am I caught by SN 08/2024?" has three possible answers for Swiss fiduciary offices.
Directly FINMA-supervised – SN fully applicable. A fiduciary office running an asset management mandate with own investment disposition (recommendations, portfolio management) and above CHF 5 million AuM or with regular commercial activity is licensed under FinIA Art. 17. SN 08/2024 fully applies. Same for fiduciary offices acting as trustees of beneficiary structures and subject to FinIA.
AMLA-supervised mandates – SN partially applicable. Classical fiduciary offices that perform AMLA due diligence for clients (KYC, beneficial owner check, suspicious activity reporting) are not directly FINMA-supervised – they fall under self-regulation (SRO, e.g. SO-FIT, ARIF, SO-VSV) or under DSFin direct supervision. If such fiduciaries use AI in AMLA workflows (e.g. AI-based AMLA KYC screening), SN 08/2024 does not apply directly – but SRO rules and the "best practice" expectation of AMLA compliance do.
Pure accounting fiduciary – SN not directly applicable. Fiduciaries providing only accounting, payroll, VAT and tax mandates without asset management are not directly FINMA-supervised and not in the AMLA supervisory zone (unless they verify beneficial owners for complex structures). SN 08/2024 does not apply directly here – but is freely used as a best-practice document for AI governance (analogous to ISO 42001).
Recommendation May 2026: even non-supervised entities should know the four pillars and implement them proportionally. SN 08/2024 is 5 pages long and offers pragmatic structuring help – even without legal duty, it creates credibility before clients, banks (sub-outsourcing review) and insurance customers.
Implement SN 08/2024 in 5 steps
- 01 Board resolution: fix AI strategy, risk appetite and the approval process for new AI applications in writing.
- 02 Build the AI inventory: all AI systems in use, including third-party models (OpenAI, Anthropic, Mistral), with materiality classification.
- 03 Assign responsibilities: per system an owner, a data owner and a validation owner, documented in writing.
- 04 Validation and monitoring process: validation report against a baseline before go-live, drift monitoring with escalation thresholds in operation.
- 05 Explainability and customer channel: document per system how customer-relevant decisions are explained; establish a complaint channel.
- 06 Internal audit and annual management review: examine the framework and the AI inventory and report to the board.
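Step 04 is the one step in this list that is a technical control rather than a document. The following Python script is an added illustration of what "drift monitoring with escalation thresholds" can look like in code; it is not part of SN 08/2024 and not the code of any supervised institution. It compares each input feature of a production window against the baseline frozen in the validation report using the population stability index (PSI), and maps the result to a three-level escalation (ok / watch / escalate). The PSI cut-offs, the feature names and every data value are constructed assumptions for the example; an institution would fix its own thresholds in the validation report and link the "escalate" level to the system owner named under Pillar 2.

```python
"""Drift monitoring against a frozen validation baseline, with escalation thresholds.

Added illustration only: not code from FINMA SN 08/2024 or from any supervised
institution. The PSI thresholds, feature names and all data values are
constructed assumptions for this example.
"""
import bisect
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Assumed thresholds on the population stability index (PSI). These are the usual
# rule-of-thumb cut-offs; an institution fixes its own in the validation report.
WATCH_THRESHOLD = 0.10      # log the finding, review at the next management review
ESCALATE_THRESHOLD = 0.25   # notify the system owner and trigger re-validation


@dataclass(frozen=True)
class DriftFinding:
    feature: str
    psi: float
    level: str          # "ok" | "watch" | "escalate"
    note: str = ""      # why a non-numeric finding was escalated


def _bin_edges(baseline: Sequence[float], bins: int) -> List[float]:
    """Equal-width bin edges spanning the baseline's observed range."""
    lo, hi = min(baseline), max(baseline)
    if hi == lo:
        # A constant feature cannot be binned; treat it as a data-quality defect.
        raise ValueError("baseline feature is constant; PSI undefined")
    width = (hi - lo) / bins
    return [lo + i * width for i in range(bins + 1)]


def _bin_counts(values: Sequence[float], edges: List[float]) -> List[int]:
    """Count values per bin. Values outside the baseline range are clipped into
    the outermost bin on that side, so out-of-range production data is counted."""
    nbins = len(edges) - 1
    counts = [0] * nbins
    for v in values:
        i = bisect.bisect_right(edges, v) - 1
        counts[min(max(i, 0), nbins - 1)] += 1
    return counts


def psi(baseline: Sequence[float], current: Sequence[float],
        bins: int = 10, eps: float = 1e-4) -> float:
    """PSI = sum((p_i - q_i) * ln(p_i / q_i)) over bins; eps smooths empty bins
    so the logarithm never sees a zero proportion."""
    edges = _bin_edges(baseline, bins)
    b_counts, c_counts = _bin_counts(baseline, edges), _bin_counts(current, edges)
    b_total, c_total = len(baseline) + bins * eps, len(current) + bins * eps
    total = 0.0
    for b, c in zip(b_counts, c_counts):
        p, q = (b + eps) / b_total, (c + eps) / c_total
        total += (p - q) * math.log(p / q)
    return total


def classify(value: float) -> str:
    if value >= ESCALATE_THRESHOLD:
        return "escalate"
    return "watch" if value >= WATCH_THRESHOLD else "ok"


def monitor(baseline: Dict[str, Sequence[float]],
            current: Dict[str, Sequence[float]]) -> List[DriftFinding]:
    """One monitoring run: PSI per feature against the baseline frozen at go-live."""
    findings = []
    for feature, base_values in baseline.items():
        if feature not in current:
            findings.append(DriftFinding(feature, math.inf, "escalate",
                                         "feature missing from production data"))
            continue
        try:
            value = psi(base_values, current[feature])
        except ValueError as exc:
            findings.append(DriftFinding(feature, math.inf, "escalate", str(exc)))
            continue
        findings.append(DriftFinding(feature, value, classify(value)))
    return findings


_ORDER = {"ok": 0, "watch": 1, "escalate": 2}
_ACTION = {
    "ok": "no action; record the run in the monitoring log",
    "watch": "log the finding; include it in the next management review",
    "escalate": "notify the system owner; trigger re-validation against the baseline",
}


def required_action(findings: List[DriftFinding]) -> str:
    """The escalation step follows the worst feature in the run."""
    worst = max((f.level for f in findings), key=_ORDER.get, default="ok")
    return _ACTION[worst]


if __name__ == "__main__":
    # Constructed sample: a baseline frozen at go-live and one later production window.
    rng = random.Random(7)
    baseline = {"applicant_age": [rng.gauss(45, 12) for _ in range(2000)],
                "loan_to_value": [rng.uniform(0.2, 0.8) for _ in range(2000)]}
    current = {"applicant_age": [rng.gauss(45, 12) for _ in range(500)],    # stable
               "loan_to_value": [rng.uniform(0.6, 1.0) for _ in range(500)]}  # shifted
    run = monitor(baseline, current)
    for f in run:
        print(f"{f.feature:14s} PSI={f.psi:.3f} -> {f.level} {f.note}")
    print("action:", required_action(run))
```

Two design points matter for the notice's expectations. The baseline is the distribution recorded in the go-live validation report and is never updated by the monitoring run itself, so a slow drift cannot silently become the new normal. And a feature that is missing in production, or that was constant in the baseline, is escalated as a data-quality finding rather than silently scored as "ok", which is the kind of documented escalation path the auditor will look for under step 04.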
When SN 08/2024 must be fully implemented
Four patterns force full implementation.
First: you are a FINMA-supervised bank, insurer, asset manager or fiduciary with an investment mandate. The notice is not optional. First FINMA inspections in 2026 explicitly check the AI inventory and the materiality classification.
Second: you are an outsourcing provider for a supervised bank or insurer (e.g. an AI boutique building LLM routing for a bank). Your bank clients will contractually bind you to the notice – usually with audit rights, sub-processor duties, data-location requirements (EU/CH).
Third: you plan to expand into the FINMA space (e.g. fintech licence, new asset management line). Licence applications will presuppose adequate AI governance. 12-18 months lead time recommended.
Fourth: you belong to an AMLA SRO and use AI in KYC workflows. SROs will use best-practice implementation of SN 08/2024 as a yardstick in 2026/2027 audits, even where not formally required.
When a lean solution suffices
Three patterns permit a lean implementation.
Pure accounting fiduciary without complex AMLA mandates: a simplified internal AI policy with (a) client information about AI use, (b) DPA with the LLM provider, (c) staff training on sensitive data suffices. A full AI inventory with materiality classification is overkill.
SME in industry or services without financial services: ISO 9001 or ISO 42001 (AI management) is the appropriate framework, not FINMA. Supplier audits follow ISO norms, not FINMA notices.
Research and development of AI without productive customer use: pilot-phase PoCs without active customer interaction are not FINMA-relevant. Once active customer data is processed, the classification may flip.
This is not legal advice. The classification "FINMA-supervised yes/no" and "SN 08/2024 applicable yes/no" must be assessed case by case by a lawyer with banking and financial-services experience.
Trade-offs
STRENGTHS
- SN 08/2024 is compact at 5 pages and written in practical language
- The four-pillar structure also serves as a structuring aid for non-supervised entities
- Interlocking with existing circulars (2023/01, 2018/03) reduces duplication
- Outcome duties allow proportional effort according to materiality
WEAKNESSES
- Black-box models (OpenAI, Anthropic) make Pillar 3 (robustness) and 4 (explainability) harder
- Sectoral approach causes duplication for providers in EU markets (EU AI Act in parallel)
- No detail standard – management must own its own interpretation
- Rapid model updates (e.g. the current Claude model -> 4.7) demand annual re-validation
FAQ
Are pure accounting fiduciaries FINMA-supervised?
As a rule NOT. Classical fiduciary activity (accounting, tax returns, payroll) is outside FINMA. FinIA Art. 17 kicks in only with investment recommendations, portfolio management or trustee mandates above CHF 5 million AuM with regular commercial nature. SN 08/2024 is not directly applicable to pure accounting fiduciaries but is useful best practice.
What does "materiality" mean for an AI system?
Materiality is the relevance of the AI system for business processes and customers. Three axes: (a) business criticality (if the system fails, how much business is affected?), (b) customer effect (does the system decide credit, premiums, investment recommendation – or only internal efficiency?), (c) supervisory relevance (does the system touch licensed activities?). High-materiality systems require deeper validation, tighter monitoring, more board reporting.
Is a DPA with OpenAI enough for Pillar 2 (accountability)?
No. A DPA governs responsibility toward the provider but does not replace the internal owner. The internal owner is a natural person on your side – typically a unit head or compliance officer – who stands for system performance and signs the validation reports. With black-box models like OpenAI, the owner must document compensating measures (output audits, sample tests).
What sanctions threaten on violation of SN 08/2024?
The notice alone does not directly trigger fines – it concretises existing duties. Violations lead to enforcement via the underlying provisions (Circular 2023/01, Circular 2018/03, FinIA, BA, ISA). Sanction scale: warning, obligations, professional ban, licence withdrawal, public statement under FINMASA Art. 34 (reputationally costly). As of May 2026, no AI-specific enforcement cases are public, but the 2025 and 2026 FINMA surveys show active supervision.
Sources
- FINMA Supervisory Notice 08/2024, "Governance und Risikomanagement beim Einsatz Künstlicher Intelligenz" (Governance and risk management in the use of artificial intelligence) · 2024-12
- FINMA Circular 2023/01, "Operationelle Risiken und Resilienz (Banken)" (Operational risks and resilience (banks)) · 2024-01
- FINMA Circular 2018/03, "Outsourcing (Banken und Versicherer)" (Outsourcing (banks and insurers)) · 2018-12
- FINMA survey 2025, "Künstliche Intelligenz auf dem Vormarsch in Schweizer Finanzinstituten" (Artificial intelligence on the rise in Swiss financial institutions) · 2025-04
- Federal Council decision of 12 February 2025, "Sektoraler Ansatz für KI-Regulierung Schweiz" (Sectoral approach to AI regulation in Switzerland) · 2025-02