19 January 2023

Totally revised FINMA Circular 2023/1 "Operational Risks and Resilience - Banks"

FINMA increases resilience requirements for financial market players in Switzerland.

Introduction

On December 13, 2022, the Swiss Financial Market Supervisory Authority FINMA published the totally revised Circular 2023/1 "Operational Risks and Resilience - Banks". In doing so, FINMA is adapting the circular to technological developments and specifying its supervisory practice on topics such as the management of operational risks, the handling of critical data, the management of risks associated with information and communication technology (ICT) and cyber risks. In addition, FINMA incorporates the principles on operational resilience and other principles of the Basel Committee on Banking Supervision. Alleviations or tightenings for the addressees of the circular remain possible, as do adjustments based on the size, complexity, structure and risk profile of an institution (principle of proportionality). The revised circular is designed to be principle-based and technology-neutral and will enter into force on January 1, 2024. In the following article, we provide a brief overview of selected topics of the revised circular.

Operational Risk Management

The (overarching) management of operational risks, which forms part of the institution-wide risk management in accordance with FINMA Circular 2017/1 "Corporate Governance - Banks", is set out in chapter IV. of the circular.

In particular, FINMA specifies the role and responsibility of the board of directors with regard to operational risks and states that the board of directors must decide on strategic changes of direction (e.g., change of business model) if it considers certain inherent or residual risks as not or no longer tolerable. It is also the responsibility of the board of directors to approve an institution's defined risk tolerance, taking into account the results of risk and control assessments.

In contrast, the executive board is responsible for ensuring in a comprehensible way that operational risks are identified, assessed, limited and monitored. It is also the responsibility of the executive board to ensure the effectiveness of the design and implementation of operational risk management through regular reviews. Details on this and also on the institution's internal reporting requirements can be found in the circular.

The circular also stipulates that institutions must categorize operational risks uniformly across all institutions and include them in an inventory. The completely revised FINMA Circular also provides detailed information on the identification and limitation of operational risks (control and mitigation measures) and on key controls.

In letters B to F of chapter IV. of the totally revised circular, FINMA addresses individual risks separately:

  • ICT Risk Management: The management of ICT risks includes both change management and ICT operations (run, maintenance) as well as incident management. It is the responsibility of the executive board to implement and document appropriate procedures, processes, controls as well as tasks, competencies, and responsibilities (e.g., annual reporting to the executive board on relevant ICT risks, information on the development of risks and the effectiveness of key controls, etc.). This also applies to ensuring the confidentiality, integrity and availability of ICT. Approval and monitoring are a matter for the board of directors. In particular, new development methods such as “Agile” have found their way into the circular (Change Management). However, the circular also emphasizes the importance of ICT inventories (particularly with regard to timely responses to ICT and cyber incidents and to problems within an IT system).
  • Cyber Risk Management: According to FINMA's explanatory notes of December 7, 2022, on the total revision of Circular 2008/21 and the partial revision of Circular 2013/3 ("Explanatory Notes"), FINMA has revised and specified the security requirements with regard to cyber risks based on experience from its supervisory practice. According to FINMA, the management of cyber risks cannot be treated or assessed completely separately from the management of ICT risks. The materialization (or occurrence) of ICT risks could lead to higher cyber risks (and vice versa). With regard to the reporting process or the duty to report a cyber attack, FINMA makes reference in the explanatory notes to the FINMA Guidance 05/2020 "Duty to report cyber attacks pursuant to Article 29 para. 2 FINMASA" (see also our magazine article on this subject): FINMA Guidance 05/2020: Duty to report cyber attacks
  • Critical Data Risk Management: Critical data (i.e., data that is of such crucial significance in view of the size, structure, complexity, risk profile and business model of the institution that it requires increased security measures) is also taken into account in the completely revised circular. FINMA increases the level of protection with regard to the handling of critical data (e.g., definition and implementation of a data strategy) and expands the circular to the effect that the integrity and availability of critical data are now also covered in the revised circular (in addition to confidentiality, which was already addressed in the context of client identifying data in the previous Annex 3 of FINMA Circular 08/21). The Explanatory Notes indicate that FINMA supervised entities may also have reporting obligations to the competent data protection authority/data protection officer based on the applicable data protection law in addition to the reporting duties to FINMA.
  • Business Continuity Management (BCM): These new, updated explanations in the circular (letter E) will replace the "Recommendations for Business Continuity Management (BCM)" of the Swiss Bankers Association, which are recognized as a minimum standard, as of the entry into force of the circular (January 1, 2024). Among other things, the circular makes clear that each relevant business and organizational area of an institution must identify its critical processes ("RTO" and "RPO" as keywords) and the resources required for them (with further "interpretation" as before) as part of the BIA (Business Impact Analysis). In addition, the institution has to define at least a Business Continuity Plan (BCP) as well as a Disaster Recovery Plan (DRP) as part of the BCP, and to review and update them at least annually and ad hoc in case of significant changes. Both the implementation of the BCP and the DRP must be regularly assessed with tests (such as tabletop exercises). As far as the scope of the tests is concerned, these are now related to or extended to "severe but plausible scenarios".
  • Management of risks from cross-border service business: The explanations on the management of risks from cross-border service businesses are almost identical to Principle 7 of the qualitative requirements for dealing with operational risks from FINMA Circular 2008/21 "Operational Risks - Banks".
Ensuring operational resilience

Chapter V. of the circular sets out the requirements for operational resilience. Operational resilience is defined in the circular as, among other things, “the institution’s ability to restore its critical functions in case of a disruption within the tolerance for disruption.”

For each critical function, the institution must define a tolerance for disruption and have it approved by the board of directors. A corresponding inventory must also be maintained. In addition, the institution must take measures to ensure operational resilience "taking into account severe but plausible scenarios." Also, the ability to continue to provide critical functions under severe but plausible scenarios shall be tested and practiced on a regular basis within the appropriate tolerance for disruption. One of the reasons for this is to exclude, as far as possible, any risk to the institution from the lack of basic resources (such as a loss of electricity, the insolvency of a key service provider or a pandemic).

With regard to ensuring operational resilience, the addressees generally have a transitional period of two years according to the totally revised circular (cf. corresponding references in Circular 2023/01, margin note 113). For some selected requirements (e.g., with regard to the inventory), a transition period of one year applies from the date of entry into force.

Continuation of critical services during the resolution and recovery of systemically important banks

The second to last chapter of the circular (chapter VI.) briefly discusses the continuation of critical services in the resolution and recovery of systemically important banks. The new explanations largely correspond to the previous Principle 6 of the qualitative requirements for dealing with operational risks from FINMA Circular 2008/21 "Operational Risks - Banks".

Conclusion and outlook

With the complete revision of FINMA Circular 2023/1, FINMA has not only taken into account the increasing complexity of IT systems, technological progress and change, the accumulation of cyber attacks and the handling of critical data but has also specified supervisory practice with regard to the management of these operational risks.

The revision of the FINMA Circular on operational risks has also resulted in amendments to FINMA Circular 2013/03 "Auditing". The partially revised FINMA Circular 2013/03 "Auditing" is also expected to enter into force on January 1, 2024.

The capital requirements, which are currently still part of FINMA Circular 2008/21, will be replaced by the revised Capital Adequacy Ordinance (CAO) and other FINMA implementing provisions as part of the implementation of the final Basel III rules.

If you have any questions regarding the implementation of FINMA Circular 2023/1, we will be happy to provide you with advice and support.