Fintech 2025

SWITZERLAND Law and Practice Contributed by: Lukas Morscher and Lukas Staub, Lenz & Staehelin

In addition, the protection of data is, in the banking sector, also governed by the requirements on critical data in the revised FINMA Circular 2023/1 Operational Risks and Resilience – Banks. Critical data is data that, in view of the institution’s size, complexity, structure, risk profile and business model, is of such crucial significance that it requires increased security measures. The criticality of such data is determined by assessing its confidentiality, integrity and availability.

In addition, the Federal Act on Information Security (ISecA) and its implementing ordinances entered into force on 1 January 2024. While the ISecA primarily focuses on government cybersecurity, a revision adopted on 29 September 2023 requires critical infrastructure operators, including private parties, to report cyber-attacks to the National Cyber Security Centre within 24 hours. This obligation has applied since 1 April 2025, inter alia, to companies that are subject to the Banking Act (see 2.2 Regulatory Regime), Insurance Supervisory Act (ISA; see 8.2 Treatment of Different Types of Insurance) or Financial Markets Infrastructure Act (FMIA; see 6. Marketplaces, Exchanges and Trading Platforms).

With regard to cybersecurity, non-binding guidelines with respect to minimum security requirements for telecommunication services have been issued by the competent regulator – the Federal Office of Communications (OFCOM). However, there is no cross-sector cybersecurity legislation in Switzerland that would generally be applicable to fintech companies.

2.12 Review of Industry Participants by Parties Other than Regulators

The following are the most notable authorities and organisations involved in Swiss financial market regulation.

• Financial intermediaries operating on a commercial basis are subject to AMLA (see 2.2 Regulatory Regime) and must, unless otherwise supervised by FINMA (eg, as a bank), become a member of a self-regulatory organisation (SRO) recognised by FINMA. While having limited enforcement powers, SROs are responsible for supervising compliance with the due diligence obligations of the financial intermediaries. FINMA, in turn, actively supervises the SROs.
• Banks, insurers, managers of collective assets, fund managers and securities firms are required by financial market regulation to mandate an independent audit firm supervised by the Federal Audit Oversight Authority (FAOA) as statutory auditor.
• Under FinIA, asset managers and trustees are required to associate themselves with an independent, privately organised supervisory organisation (SO), while FINMA retains the competence to authorise asset managers and trustees as well as to conduct any respective enforcement proceedings. The ongoing supervision of asset managers and trustees is delegated to the SO, which in turn must obtain authorisation from FINMA and is itself supervised by FINMA.

Furthermore, there are many private for-profit and not-for-profit organisations active in the fintech industry that are helping to define industry standards. Most notably, the Swiss Bankers Association has defined several standards applied by banks – eg, on opening corporate accounts for DLT companies.

2.13 Conjunction of Unregulated and Regulated Products and Services

Although no specific rules on the conjunction of unregulated and regulated products and services apply, financial service providers are required
