Financial Market Supervisory Authority (FINMA) Switzerland

About FINMA

The Financial Market Supervisory Authority (Eidgenössische Finanzmarktaufsicht, FINMA) is the regulator of independent financial markets in Switzerland and is responsible for ensuring that Swiss financial markets function effectively. It has prudential supervision over banks, insurance companies, exchanges, securities dealers, and other financial institutions.

The FINMA published Circular 2018/3, "Outsourcing – banks and insurers," to define the requirements that banks, securities dealers, and insurance companies must abide by when they outsource to a service provider any functions that are significant to the company’s business activities. Any company that outsources its business activities is accountable to the FINMA just as it would be if it carried out the outsourced functions itself.

Microsoft and FINMA

To help guide financial institutions in Switzerland considering outsourcing business functions to the cloud, Microsoft has published "A compliance checklist for financial institutions in Switzerland." By reviewing and completing the checklist, financial organizations can adopt Microsoft business cloud services with the confidence that they are complying with applicable regulatory requirements.

When Swiss financial institutions outsource business activities, they must comply with the requirements of the Swiss Financial Market Supervisory Authority (FINMA) and be cognizant of additional requirements and guidelines that include those of the Swiss Bank Act, the Swiss Bank Ordinance, and the Swiss Insurance Supervision Act.

The Microsoft checklist helps Swiss financial firms conducting due-diligence assessments of Microsoft business cloud services and includes:

  • An overview of the regulatory landscape for context.
  • A checklist that sets forth the issues to be addressed and maps Microsoft Azure, Microsoft Dynamics 365, and Microsoft 365 services against those regulatory obligations. The checklist can be used as a tool to measure compliance against a regulatory framework, to provide an internal structure for documenting compliance, and to help customers conduct their own risk assessments of Microsoft business cloud services.

Frequently asked questions

Is regulatory approval required?

No. The use of public cloud computing is permitted without an approval by the FINMA, subject always to compliance with the requirements set out in the regulations and guidelines listed above.

Are there any mandatory terms that must be included in the contract with the cloud services provider?

Yes. In Part 2 of the Compliance Checklist, we have mapped these terms against the sections in the Microsoft contractual documents where you will find them addressed. In addition, the Swiss Federal Data Protection and Information Commissioner (FDPIC) supplies a sample contract for transborder outsourcing of data processing. This is the same as the Standard Contractual Clauses (also known as EU Model Clauses) under the Microsoft Online Services Terms.