Classification
Note 1: This is a highly simplified presentation, intended to enable a quick initial classification of the topic. Each institution should determine the relevance and the concrete need for action individually.
Note 2: Self-regulatory organisation (SRO)
Background
The new circular focuses on the importance of operational risks and resilience for financial institutions. It is intended to take account of structural change and the increasing threat situation in relation to ICT risks. This includes technical developments such as progress in digitalisation, the increasing complexity of supply chains and dependencies, and the rise in cyber-attacks. Other drivers for the revision of the circular were international regulatory developments.
Innovations in the area of operational risk management
The requirements of the Circular on the management of operational risks are divided into the following areas:
- Overarching management of operational risks
- ICT risk management (information and communication technology)
- Cyber risk management
- Critical data risk management
- Business Continuity Management (BCM)
- Management of risks from the cross-border services business (cross-border)
The content of these areas of the FINMA Circular was revised or updated to varying degrees. Some have remained completely unchanged, while others have undergone significant changes.
An already familiar focus of the FINMA Circular is the management of operational risks. FINMA has now summarized the overarching management of operational risks in one chapter in order to make supervisory expectations more transparent. The content has remained unchanged.
In the area of ICT risk management, significant adjustments were made based on the Principles of Operational Resilience (POR) developed by the Basel Committee on Banking Supervision and the revised Principles for the Sound Management of Operational Risk (PSMOR).
Further significant adjustments were made to the regulation of critical data risk management. The circular now contains a definition of the term “critical data”. The term has been expanded to include all data that are of such crucial significance to the institution that they require increased security measures.
The new chapter on Business Continuity Management (BCM) in the circular replaces the previous SBA self-regulation. The regulation on BCM was updated when it was incorporated into the circular. Minor adjustments were made to the chapter on cyber risk management. The management of risks from the cross-border services business and the continuation of critical services in the resolution and reorganisation of systemically important banks in Chapter VI remain unchanged.
Operational resilience
The circular now focuses on ensuring operational resilience and contains related requirements in a separate chapter V. Operational resilience refers to the ability of an institution to restore its critical functions in the event of disruptions within the tolerance for disruption. A holistic approach is expected that records, monitors, and reports on both preventive and reactive measures in their entirety.
FINMA’s expectations based on on-site inspections carried out
During on-site inspections in the run-up to the entry into force of the FINMA Circular, FINMA identified areas for improvement at many institutions, such as the currency and completeness of the ICT inventory. FINMA also found that some institutions did not monitor their technological infrastructure in a timely and systematic manner. FINMA furthermore noticed that the identification of critical data is sometimes narrowly limited to client identifying data (CID), whereas a broader approach is expected under the new circular when assessing and determining the criticality of data.
Applicability and significance for FinIA institutions
The circular is only directly applicable to banks, financial groups and conglomerates, and securities firms. FINMA limits the requirements by exempting banks and securities firms in supervisory categories 4 and 5 from the obligation to fulfil numerous marginal points. The implementation of the FINMA Circular also depends on various factors in individual cases, such as the size, complexity, structure, and risk profile of the bank in question. Depending on the situation, FINMA may relax or tighten rules. Transitional provisions of up to two years apply in some cases to the new chapter on operational resilience. The other areas of the circular will enter into force on 1 January 2024 without transitional provisions.
Except for banks and investment firms, the Circular is not aimed at other FinIA institutions and is therefore not directly applicable to them. Nevertheless, the circular contains numerous FINMA expectations which, to a lesser extent and depending on the size, complexity, structure, and risk profile of the institution, are also likely to apply to less heavily regulated institutions. This includes, for example, many general requirements on operational risk management or requirements around cross-border risk. FinIA institutions should also not ignore the marginal points on cyber risk management and BCM.
Conclusion and outlook
FINMA Circular 2023/1 contains important new and stricter requirements in relation to the management of operational risks and operational resilience at financial institutions. Due to the reasonable lead time, banks and securities firms should have prepared and implemented most of the adjustments resulting from the FINMA Circular in order to be ready for its entry into force. The next challenge for them will be the specific implementation in practice, in particular of the procedures, processes, and controls. Although other FinIA institutions are not directly affected, they should clarify the extent to which the circular is relevant or helpful for them, depending on the size, complexity, structure, and risk profile of their institution.