Classification¹
¹ This is a highly simplified presentation, intended to enable a quick initial classification of the topic. Each institution should determine the relevance and the specific need for action on an individual basis.
Possible measures in the area of operational risk management
The new guidance is based heavily on FINMA Circular 2023/1 "Operational risks and resilience", which applies exclusively to banks and securities firms. Many of the principles set out in that circular can now also be found in the new guidance, albeit in a shortened and simplified form. This means that the principles on operational risk management established in the banking sector are also to be applied in a reduced form to fund management companies and managers of collective assets. FINMA reminds the institutions in these supervisory categories to fulfill appropriate risk management requirements in order to avoid weaknesses. The highest governance body should define the principles for the management of all material risks to which the institution and the assets it manages are exposed. This includes defining the risk tolerance and developing directives, procedures and processes for identifying, assessing, managing and monitoring risks. The management must implement these guidelines, designate suitable functions and report regularly. Both bodies must periodically review their policies and processes for appropriateness and effectiveness, particularly in the event of changes to business activities or organization.
The measures in the supervisory communication on the management of operational risks are broken down into the following areas:
- Management of ICT risks (information and communication technology)
- Management of the risks of critical data
- Management of cyber risks
- Business Continuity Management (BCM)
- Management of risks from cross-border service business (cross-border)
- Management of operational risks in the case of outsourcing
FINMA's expectations based on its supervisory activities and the licensing procedure
As part of its supervisory activities and the licensing procedure, FINMA has identified areas for improvement at numerous institutions. For example, each institution should keep an inventory of its key hardware and software components (ICT inventory) and this ICT inventory should be regularly reviewed to ensure it is up to date and complete. In addition, measures to manage cyber risks must be defined to ensure the prompt resumption of regular business operations after an attack and compliance with reporting obligations to FINMA and, if applicable, to the Federal Data Protection and Information Commissioner (see also our newsletter Cyber Attacks of July 13, 2024). Critical data must be identified and appropriate protective measures and controls must be defined. When determining the critical data of an institution, a holistic approach must be taken that includes not only personal data and customer data, but all data that is essential for the institution. Furthermore, the business continuity plan should be periodically reviewed and tested, and clear communication strategies for emergencies should be defined.
In the area of legal and compliance risk management in cross-border business, the institution must analyze the legal framework of the respective country and take the necessary measures to mitigate the risk. In addition, the domiciles of the target customers should be included in the money laundering risk analysis and the relevant legal situation in the respective countries should be continuously monitored.
When outsourcing the risk control function, the institution should focus on the knowledge and experience of the service provider in the area of operational risk management. Key activities should be recorded correctly and completely in the inventory in order to avoid control gaps.
Applicability and significance for Portfolio Managers and Trustees under Art. 17 FinIA
Apart from fund management companies and managers of collective assets, the supervisory communication is, in principle, not aimed at other FinIA institutions such as portfolio managers or trustees pursuant to Art. 17 FinIA and is therefore not directly applicable to them. Nevertheless, the supervisory communication contains numerous measures which, to a lesser extent and depending on the size, complexity, structure and risk profile of the institution, also make sense for less regulated institutions, for example the general guidelines on operational risk management or the guidelines on cross-border business and outsourcing. Other FinIA institutions should also not ignore the marginal numbers on cyber risk management and BCM.
Conclusion and outlook
FINMA Supervisory Communication 04/2024 once again emphasizes the most important measures in the area of operational risk management for fund management companies and managers of collective assets. Experience has shown that the measures can be implemented with manageable effort. Although other FinIA institutions are not directly affected, they should clarify the extent to which the supervisory notice is relevant or helpful for them, depending on the size, complexity, structure and risk profile of their institution.
Contacts
Fabian Schmid, Partner, Regulatory & Compliance Financial Services, T +41 43 960 72 62, E fabian.schmid@ch.gt.com
Mirna Matic, Senior Consultant, Regulatory & Compliance Financial Services, T +41 43 960 72 54, E mirna.matic@ch.gt.com