March 31, 2025

20.03.2025, Enrico Giacoletto

The aim of this post is to give a brief overview of the main changes and new Swiss regulations impacting banks and financial institutions at the start of 2025.

For your information, the ISFB is organizing a regulatory update seminar divided into 6 modules in May and June 2025(registration link). During the first module, I will provide an overview of recent key regulatory changes.

1. A few reminders of the key dates in January 2025

As a preamble to this post, it is worth recalling some important changes that came into force on January 1, 2025: the six new ordinances implementing Basel III Final, the updated Ordinance on Shareholders' Equity (OFR) and the new FINMA circular 25/02 "Rules of conduct under the LSFin and OSFin". For more details on these topics, we invite you to refer to the posts published with ISFB at the end of 2024(link for Basel III Final and link for FINMA circular 25/02).

2. Operational resilience

An important topic for banks at the start of this year concerns the regulatory project FINMA 23/01, which aims to increase the operational resilience of banks in Switzerland. The first requirements came into force in January 2024, and will be fully applicable from January 1, 2026: the end of the transitional provisions is approaching.

2.1 Definition

What is operational resilience? What does it mean? What does it entail? FINMA provides the following definition (FINMA circular 23/01, marginal number, cm, 18):

• "Operational resilience refers to the facility's ability to be able to restore its critical functions in the event of interruptions within the limits of interruption tolerance, i.e. the facility's ability to identify, protect against and respond to potential threats and failures, to restore ordinary business operations in the event of interruptions and to learn from them to minimize the impact on the performance of critical functions [...]"

2.2 Key objectives

It is from this regulatory definition of the concept of operational resilience that the expectations specified by FINMA derive. In particular, the key resilience objectives and responsibilities directly incumbent on the senior management of Swiss financial institutions are as follows:

• "The establishment identifies its critical functions and their tolerance to interruptions. These are approved by the senior management body. In addition, the body responsible for senior management approves and regularly monitors the procedure for ensuring operational resilience." (FINMA circular 23/01 cm 101, effective January 1, 2024).
• "The institution takes measures to ensure operational resilience taking into account severe but plausible scenarios." (FINMA Circular 23/01 cm 102, effective January 1, 2026).

It is clear from these objectives that the aim is to take into consideration a new typology of events and situations whose nature and duration are likely to put the bank's critical functions at risk.

2.3 Implementation provisions and timetable

Coming into force on January 1, 2024, the regulatory process for operational resilience continues, with deadlines in January 2025 and 2026. It should be noted that FINMA circular 23/01 "Operational risks and resilience - banks" provides for simplifications and relief for smaller institutions (cm 20).

With regard to the provisions already in force from January 1, 2024, we remind you of the provisions of cm 101, 103 and 105 of the circular. Thus, each year, the bank's senior management must review and validate the procedure for ensuring operational resilience (cm 101), as well as the reports relating to the bank's operational resilience, including :

• The updated list of identified critical functions (cm 101),
• Tolerance thresholds for relevant interruptions (cm 103, requirement subject to proportionality),
• Annual reports on operational resilience include (cm 105):
  o significant control weaknesses, or
  o incidents likely to compromise operational resilience.

With regard to the provisions that came into force this year, on January 1, 2025, we discuss here the provisions of cm 106 to 109 of the circular. These provisions concern the identification and evaluation of critical functions, and were granted a transitional period of one year. They have been fully in force since January 1, 2025.

In accordance with cm 106, the establishments concerned must carry out a risk assessment specific to the critical functions identified, determining in particular for each of these functions :

• internal and external threats and corresponding exploitable vulnerabilities,
• the resulting operational risks, their assessment, limits and monitoring framework.

In this respect, cm 107 requires the plant to create, maintain and annually review an inventory of its critical functions, including :

• a revised and updated list of critical functions,
• interruption tolerance for each of these critical functions,
• connections and dependencies between critical processes and the resources (internal and external components) needed to perform each critical function.

The cm. 108 also emphasizes the need to document key operational risks and related controls.

cm 109 clarifies expectations regarding the continuity of critical functions and processes: these, and the critical resources (IT components, internal and/or external human resources) that support them, must be the subject of Business Continuity Plans (BCPs). Depending on the size of the company, regular tests must be carried out on the ability to perform critical functions within defined interruption tolerances in the event of severe but plausible scenarios.

Provisions to come into force next year in January 2026

cm 102 specifies that the plant must take into account severe but plausible scenarios when establishing measures to ensure operational resilience. This requirement applies to all plants, unlike the following, which are subject to proportionality.

cm 104 requires the establishments concerned to "coordinate" well and comprehensively all the relevant components for comprehensive resilience management. This includes ICT risk management, cyber risk management, business continuity management, outsourcing and contingency planning.

cm. 111 and 112 concern systemically important banks, and deal with the coordinated organization of the emergency plan in the event of a crisis (cm. 111), and the maintenance of critical services in the event of liquidation and reorganization (cm. 112).

3. Other important announcements at the start of 2025

Below are other important announcements for the beginning of 2025. Among these announcements, some developments will be the subject of a detailed analysis in a future post. These include regulatory developments in the field of Artificial Intelligence and the entry into force of FINMA circular 25/04 on "Consolidated supervision of financial groups under the BL and LEFin".

• FINMA's new circular 25/04 will come into force on July 1, 2025. The circular sets out FINMA's practice in the area of consolidated supervision, the content of which has hitherto been addressed solely to institutions targeted by individual decisions. The circular on "Consolidated supervision of financial groups under the BL and LEFin" provides useful details and clarifications for reporting entities wishing to know the conditions under which group companies must be included in consolidated supervision. With this circular, FINMA intends to formalize its established practice with regard to the consolidated supervision of financial groups under the BL and LEFin.
• The Federal Council's consultation on the draft FATCA Model 1 law and ordinance to transpose the agreements reached with the United States in June 2024, so that Switzerland can move from FATCA Model 2 to Model 1 reporting.
• At the same time as the FATCA changes, the Council is revising the law on the automatic exchange of information (pLEAR).
• The Federal Council's communication on Artificial Intelligence (AI).

This post is the result of an editorial choice and is based on the research and regulatory monitoring work carried out by the e-Reg solution.

Enrico Giacoletto, CFA, FRM

easyReg Sàrl