Fintech 2026

SWITZERLAND Law and Practice Contributed by: Lukas Morscher and Lukas Staub, Lenz & Staehelin

As a result, FINMA had to withdraw a fintech licence for the first time. Only in very few cases did FINMA make individual enforcement cases public:

• in March 2019, FINMA ruled that the EVN-Token issued by envion AG, which offered a repayment claim after 30 years, constituted the acceptance of deposits from the public for which the issuer was not authorised – envion AG had accepted deposits in an amount exceeding CHF90 million from at least 37,000 investors and was already in liquidation prior to FINMA’s order due to violation of corporate law requirements;
• in May 2023, FINMA ruled that the Dohrnii Foundation and its founder and former managing director had carried out several business activities requiring a licence in the crypto sector without obtaining the relevant licence from FINMA – the foundation is currently being liquidated by the competent bankruptcy authority; and
• in July 2024, the Swiss Federal Administrative Court confirmed FINMA’s ruling that Comparis, a Swiss digital-only insurance comparison tool which also provides recommendations for specific insurance carriers, constitutes an untied insurance intermediary subject to regulatory requirements under the Insurance Supervisory Act (ISA), including registration with FINMA.

FINMA also maintains a warning list on its website of individuals and entities who are presumed to carry out unauthorised activities under financial market regulations.

2.11 Implications of Additional, Non-Financial Services Regulations

The processing of personal data by private persons and federal bodies is regulated in particular by the Data Protection Act (DPA) and the Data Protection Ordinance (DPO), the recently revised versions of which entered into force on 1 September 2023. The revised DPA is largely modelled after the EU General Data Protection Regulation (GDPR) and provides for considerable organisational and administrative requirements, as well as significant sanctions.
The DPA and the DPO apply, with some exceptions, to the processing of data relating to natural persons. Personal data must be protected against unauthorised processing by appropriate technical and organisational measures.

In addition, the protection of data is, in the banking sector, also governed by the requirements on critical data in the revised FINMA Circular 2023/1 Operational Risks and Resilience – Banks. Critical data is data that, in view of the institution’s size, complexity, structure, risk profile and business model, is of such crucial significance that it requires increased security measures. The criticality of such data is determined by assessing its confidentiality, integrity and availability.

In addition, the Federal Act on Information Security (ISecA) and its implementing ordinances entered into force on 1 January 2024. While the ISecA primarily focuses on government cybersecurity, a revision adopted on 29 September 2023 requires critical infrastructure operators, including private parties, to report cyber-attacks to the National Cyber Security Centre within 24 hours. This obligation has applied since 1 April 2025 to, inter alia, companies that are subject to the Banking Act (see 2.2 Regulatory Regime), ISA (see 8.2 Treatment of Different Types of Insurance) or the Financial Markets Infrastructure Act (FMIA; see 6. Marketplaces, Exchanges and Trading Platforms).

With regard to cybersecurity, non-binding guidelines with respect to minimum security requirements for telecommunication services have been issued by the competent regulator – the Federal Office of Communications (OFCOM). However, there is no cross-sector cybersecurity legislation in Switzerland that would generally be applicable to fintech companies.

2.12 Review of Industry Participants by Parties Other Than Regulators

The following are the most notable authorities and organisations involved in Swiss financial market regulation.
• Financial intermediaries operating on a commercial basis are subject to AMLA (see 2.2 Regulatory Regime) and must, unless otherwise supervised by FINMA (eg, as a bank), become a member of an SRO recognised by FINMA. While having limited
