Cloud services offer banks and securities firms efficiency but also risks. FINMA and the Swiss Bankers Association provide guidance on risk management, resilience, and legal orientation.
The increasing use of cloud services by banks and securities firms brings both efficiency gains and significant risks, particularly with regard to dependencies on a small number of service providers and operational risks. The Swiss Financial Market Supervisory Authority FINMA highlighted this in its Risk Monitor 2025 and is placing a strong supervisory focus on managing these risks and strengthening the resilience of institutions. In addition, the Swiss Bankers Association's Cloud Guidelines provide legal and organizational guidance and interpretation assistance for dealing with cloud services at banks and securities firms.
Read our two-part series on this topic.
The (increasing) use of cloud services by banks and securities firms (hereinafter "institutions") is highly relevant from a supervisory perspective. In its recently published (November 17, 2025) Risk Monitor 2025, the Swiss Financial Market Supervisory Authority FINMA (hereinafter "FINMA") states, among other things, that the increasing use of cloud services (and software-as-a-service models) is leading to greater dependence on a small number of central ICT service providers. Due to the concentration on a small number of service providers, this poses not only systemic risks for the Swiss financial center in the event of an interruption or unauthorized access, but also operational risks for the specific institution (e.g., as a result of outsourcing critical functions to third-party providers, incidents involving third parties, risks along the supply chain, etc.).
In general, (significant) business functions of financial institutions are outsourced to third parties to a significant extent. In the case of banks, these often include critical functions (for the definition, see FINMA Circular 2023/1 "Operational risks and resilience – banks," margin no. 14 ff. and for a brief overview of the circular, see our magazine article dated January 19, 2023). This results in the institution becoming heavily dependent on these service providers (due to high performance expectations) and an increasing loss of control.
According to the FINMA Risk Monitor 2025, one of FINMA's supervisory focuses is to compile an inventory of significant outsourcing arrangements in order to identify concentrations on a small number of service providers and, based on this inventory, to derive supervisory actions relating to the management of operational risks and ensuring operational resilience in accordance with FINMA Circular 2023/1 "Operational risks and resilience – banks" (see also our magazine article dated April 1, 2025, available in German only). FINMA is particularly focused on the outsourcing of critical functions that are important for operational resilience.
Continuously strengthening the resilience (financial and operational resilience) of supervised institutions is also a strategic goal set by the FINMA Board of Directors for the 2025-2028 strategy period.
However, the institution's focus must not be limited to "only" significant outsourcing arrangements. According to the FINMA Risk Monitor 2025, almost half of all cyber attacks on financial institutions are carried out via third parties. The institution must therefore include all third parties in its holistic risk management, including third parties that are assigned tasks not classified as "significant outsourcing" within the meaning of FINMA Circular 2018/3 "Outsourcing". The FINMA Risk Monitor 2025 also makes it clear once again that the institution remains responsible for the proper performance of the outsourced function and must, among other things, ensure that the tasks outsourced or transferred to third parties are performed by the third party in compliance with the law. This also applies when using a cloud provider.
The increased use of cloud services by banks and securities firms increases the risk of loss of control, as dependence on cloud providers grows and susceptibility to external influences rises.
In view of FINMA's clear supervisory focus on strengthening the resilience of supervised institutions, these institutions are required to take appropriate measures.
Institutions must also identify, assess, manage, and monitor risks, such as operational risks, associated with the integration of a cloud provider or the outsourcing of functions to the cloud.
If you have any questions regarding the use of cloud services, please do not hesitate to contact us.