Regulatory compliance
Operational resilience has become a critical area of focus for financial institutions, federal authorities, and critical infrastructure providers worldwide, especially in the digital space. As organisations grapple with increasing regulatory density and the growing awareness of reputational damage, they recognise the need to enhance their ability to withstand disruptions and adapt swiftly. Digital resilience is not just about regulatory compliance; it’s about building robust systems, learning from challenges, and ensuring continuity even in adverse circumstances.
Governance and risk management when using artificial intelligence (Guidance 08/2024)
Swiss Financial Market Supervisory Authority FINMA
FINMA Guidance 08/2024 deals with governance and risk management in the use of artificial intelligence (AI) in the financial market. Supervisory guidance informs supervised institutions about important topics and current risks in order to facilitate the practical application of regulations. Unlike FINMA ordinances and circulars, guidance documents are not regulatory instruments.
It emphasises the need to adequately identify, limit and control the risks associated with AI. Although there is no specific legislation on AI in Switzerland, FINMA expects supervised institutions to actively consider the impact of AI use on their risk profile and to adapt their governance, risk management and control systems accordingly. The circular addresses various risk areas, including operational risks, IT and cyber risks, and legal and reputational risks.
It emphasises risk mitigation measures and the importance of independent review.
Federal Act on Information Security in the Confederation
Swiss Confederation
Federal authorities, offices and organisations in Switzerland must comply with the new Federal Act on Information Security in the Confederation (FAISC) as part of their data processing activities. Beyond these bodies, the FAISC also affects the information security practices of cantonal authorities, operators of critical infrastructure, any third-party contractors, service providers or business partners that process federal data or interact with federal IT resources, and international partners that collaborate with Swiss federal bodies.
The FAISC and its ordinances came into effect on January 1, 2024. The following transition deadlines have been announced for the implementation of its provisions:
- Classification Catalogue: Entities in scope need to establish a robust information classification in line with the new regulations by December 31, 2024.
- Risk Analysis and IT Classification: Risk analyses must be conducted, and IT systems classified according to the FAISC and its ordinances by December 31, 2025.
- Information Security Management Systems (ISMS): Entities in scope will be required to set up an ISMS by December 31, 2026.
- Technical Security Compliance: All IT resources must comply with the FAISC’s new technical security regulations by December 31, 2029.
Circular Operational risks and resilience - banks
Swiss Financial Market Supervisory Authority FINMA
This revised circular addresses operational risks in the banking sector, taking into account technological advancements and incorporating principles from the Basel Committee on operational resilience.
- FINMA has made the circular binding as of 1 January 2024.
- Transitional provisions ensure that operational resilience can be phased in by 1 January 2026.
Digital Operational Resilience Act (DORA)
European Union
The primary goal of DORA is to enhance the IT security of financial entities such as banks, insurance companies, and investment firms. DORA ensures that the European financial sector remains resilient in the face of severe operational disruptions. Key aspects covered by DORA include ICT risk management, third-party risk management, digital operational resilience testing, and reporting of major ICT-related incidents to competent authorities.
Swiss companies operating in the financial sector are indirectly affected by DORA, especially if they have business relationships with EU partners or subsidiaries and group companies in the EU.
- This EU regulation, in force since January 16, 2023, has been mandatory since January 17, 2025.
Stay Compliant, Stay Ahead.
Osmond offers gap analysis, maturity assessments, pre-audit readiness, policy development, and operational implementation support for new legislation. Our comprehensive approach ensures compliance and enables organisations to effectively manage the risks associated with their digital infrastructure, maintaining robust business continuity.