Executive Summary, Key Findings and Recommendations

Switzerland has recently made major enhancements in the practice of banking supervision and now has a high level of compliance with the Basel Core Principles for Effective Banking Supervision (BCPs). Not all the results of improvement to date are embedded in the system or yet observable. The Swiss banking system is very large relative to the size of the economy, conducts significant transactions with non-residents, and contains two G-SIFIs with large international operations and a number of banks that are systemically important in domestic terms. The sector faces a number of challenges to parts of its business model as expectations related to transparency and tax authorities increase. Major Swiss banks are also adjusting to the new international prudential standards. More recently, several material issues have arisen in domestic or cross-border markets that have indicated weaknesses in controls or practices that are being dealt with by banks and the authorities. Given the nature of the Swiss banking system and its importance to the country and globally, it is essential that the supervisory system meet the highest standards for effectiveness. To reach that goal, Swiss authorities need to go farther along the path they have already started and aim for a higher level of intensive supervision.

Significant portions of guidance and legislation related to qualitative risk management and control standards are not as detailed or comprehensive as in many other major countries and need to be updated and selectively strengthened. Supervisory risk assessments and guidance to auditors, as the extended supervisory arm of the Swiss Financial Market Supervisory Authority (FINMA), need to be further materially improved, beyond what is now envisioned. Additional skilled resources within FINMA are necessary to meet these goals and to conduct more on-site supervisory work. The assessors saw many examples of high quality initiatives and practices in FINMA. The model of using auditors is understandable given the structure of the Swiss banking system to multiply FINMA expertise and take advantage of auditor’s global networks, but needs to be handled carefully. Switzerland has one of the most principles based approaches to rules and guidance among major countries. It remains considerably focused on capital and liquidity metrics, and less focused than necessary on qualitative elements of risk management and robustness of internal controls. The recommendations in this report would add to the effectiveness of supervision, would increase FINMA’s ability to assess the quality and completeness of information coming from auditors, and would put more incentive on auditors to perform in a better and more consistent manner. FSAP assessments focus solely on whether the core principles are met in practice, and take no position to endorse or otherwise a country’s basic supervisory approach.

Introduction

1. This assessment of the current state of the implementation of the Basel Core Principles for Effective Banking Supervision (BCP) in Switzerland has been completed as a part of a Financial Sector Assessment Program (FSAP) update undertaken by the International Monetary Fund (IMF) during 2013. It reflects the regulatory and supervisory framework in place as of the date of the completion of the assessment. It is not intended to represent an analysis of the state of the banking sector or crisis management framework, which have been addressed in the broader FSAP exercise.

2. An assessment of the effectiveness of banking supervision requires a review of the legal framework, and detailed examination of the policies and practices of the institution(s) responsible for banking regulation and supervision. In line with the BCP methodology, the assessment focused on banking supervision and regulation in Switzerland and did not cover the specificities of regulation and supervision of other financial intermediaries, which are covered by other assessments conducted in this FSAP.

3. The Swiss authorities agreed to be assessed according to the Revised Core Principles Methodology issued by the BCBS (Basel Committee of Banking Supervision) in September 2012. This assessment was thus performed according to a significantly revised content and methodology as compared with the previous BCP assessment carried out in 2002 which was conducted under the first BCP methodology.¹ It is important to note that this assessment cannot and should not be compared to the previous undertaking, as the revised BCP have a heightened focus on risk management and its practice by supervised institutions and its assessment by the supervisory authority, raising the bar to measure the effectiveness of a supervisory framework (see box for more information on the Revised BCP).

4. The Swiss authorities also chose to be assessed and rated against the Essential and Additional Criteria. In order to assess compliance, the BCP Methodology uses a set of essential and additional assessment criteria for each principle. The essential criteria (EC) were usually the only elements on which to gauge full compliance with a CP. The additional criteria (AC) are recommended best practices against which the Swiss authorities have agreed to be assessed and rated.² The assessment of compliance with each principle is made on a qualitative basis. A four-part grading system is used: compliant; largely compliant; materially noncompliant; and noncompliant. This is explained below in the detailed assessment section. The assessment of compliance with each CP is made on a qualitative basis to allow a judgment on whether the criteria are fulfilled in practice. Effective application of relevant laws and regulations is essential to provide indication that the criteria are met.

5. The assessors reviewed the framework of laws, rules, and other materials provided and held extensive meetings with officials of the Swiss Financial Market Supervisory Authority (FINMA), and additional meetings with auditing firms, and banking sector participants. The authorities provided a self-assessment of the CPs, as well as responses to additional questionnaires, and provided access to supervisory documents and files, staff and systems.

6. The assessors appreciated the cooperation received from the authorities. The team extends its thanks to staff of the authorities who provided cooperation, including provision of documentation and access, at a time when staff was burdened by many initiatives related to global regulatory changes and changes in Swiss supervisory processes.

7. The standards were evaluated in the context of the Swiss financial system’s structure and complexity. The CPs must be capable of application to a wide range of jurisdictions whose banking sectors will inevitably include a broad spectrum of banks. To accommodate this breadth of application, according to the methodology, a proportionate approach is adopted, both in terms of the expectations on supervisors for the discharge of their own functions and in terms of the standards that supervisors impose on banks. An assessment of a country against the CPs must, therefore, recognize that its supervisory practices should be commensurate with the complexity, interconnectedness, size, risk profile and cross-border operation of the banks being supervised. The assessment considers the context in which the supervisory practices are applied. The concept of proportionality underpins all assessment criteria. For these reasons, an assessment of one jurisdiction will not be directly comparable to that of another.

8. An assessment of compliance with the BCPs is not, and is not intended to be, an exact science. Reaching conclusions required judgments by the assessment team.³ Nevertheless, by adhering to a common, agreed methodology, the assessment should provide the Swiss authorities with an internationally consistent measure of the quality of its banking supervision in relation to the BCPs, which are internationally acknowledged as minimum standards.

9. To determine the observation of each principle, the assessment has made use of five categories: compliant; largely compliant, materially noncompliant, noncompliant, and non-applicable. An assessment of “compliant” is given when all EC and ACs are met without any significant deficiencies, including instances where the principle has been achieved by other means. A “largely compliant” assessment is given when there are only minor shortcomings, which do not raise serious concerns about the authority’s ability to achieve the objective of the principle and there is clear intent to achieve full compliance with the principle within a prescribed period of time (for instance, the regulatory framework is agreed but has not yet been fully implemented). A principle is considered to be “materially noncompliant” in case of severe shortcomings, despite the existence of formal rules and procedures and there is evidence that supervision has clearly not been effective, the practical implementation is weak or that the shortcomings are sufficient to raise doubts about the authority’s ability to achieve compliance. A principle is assessed “noncompliant” if it is not substantially implemented, several ECs are not complied with, or supervision is manifestly ineffective. Finally, a category of “non-applicable” is reserved for those cases that the criteria would not relate to the country’s circumstances.

Institutional and Market Structure – Overview

10. Switzerland has a diversified financial sector that is systemically important to the global markets. It comprises a few significant global players in banking and insurance, two dozen cantonal banks, regional financial institutions, private banks, foreign banks, internationally oriented insurance companies, and many pension funds. It has one of the largest banking sectors globally in terms of assets to GDP. The two large banks rank among the world’s top ten banks and are designated as Global Systemically Important Banks (G-SIBs). Switzerland is a global leader in private wealth management with a market share of more than a quarter in global cross-border private banking. The Swiss financial system contributes about 10 percent to Swiss GDP and employs over 5 percent of the labor force.

11. The banking industry is highly concentrated, but also it has a large number of medium and small banks. The banking sector has approximately 70 percent of the total financial sector assets with CHF 2.7 trillion, or over 450 percent of the country’s GDP. The banking sector consists of 297 banks (end-2012), although the two large banks account for about one-half of the Swiss banking system’s global assets and are important intermediaries in global financial markets. They are classified as Category 1 banks by the authorities in terms of size and complexity. The two largest are universal banks in their home Swiss market but focus more selectively abroad, where they are global players in asset and wealth management and in certain investment and corporate banking businesses. They are systemically important domestically as well with a share of over 30 percent in local markets. Major Swiss banks have been leaders globally in the extent of their restructuring and exiting of certain business in response to changed profitability dynamics and enhanced capital and liquidity requirements.

12. Other banks are much smaller, although some of them are relatively large compared to the size of economy and are systemically important domestically or regionally within the country. There are some relatively large banks serving more domestic or European markets on the asset side but many also gathering funds internationally into their asset or wealth management arms. Three Category 2 banks average CHF150B of assets and the 27 Category 3 banks have average assets of some CHF20B. There are 24 cantonal banks included in from Categories 2 to 4, which are historically established by cantonal laws and play an important role in each region, with a share of around 15 percent of the total banking assets. They tend to be classic retail banks with deposit gathering and lending to individuals and enterprises, together with wealth management. There are also a number of small regional banks focusing on traditional retail, mostly mortgage finance, within specific geographical regions. Foreign banks and private banks are heavily involved in cross-border and wealth management activities. Potential risks to smaller banks tend to be in credit risk and interest rate risk in the banking book. Wealth management functions are more exposed to operational and reputational risk. The 250 smallest and least complex banks as classified by FINMA have median assets of CHF250m.

13. FINMA, an independent public law institution, is a unified supervisor which regulates and supervises banks. It was created in 2008 by unifying the Federal Banking Commission (EBK), which was in charge of supervision and regulation of the banking sector, the Federal Office of Private Insurance, the insurance regulator and supervisor, and the Anti-Money Laundering Control Authority, to improve the financial sector supervision and the supervisor’s international role. It started its operation from the beginning of 2009, but it had been long planned as the original bill was drafted in 2006 and the law was approved in 2007. In addition to regulation and supervision of banks and insurance firms, FINMA also regulates capital markets and their intermediaries. In terms of banking regulation, laws and ordinances are submitted by the Federal Department of Finance (FDF) and enacted by the Federal Parliament and Federal Council, respectively. The Swiss National Bank (SNB) has responsibility over the stability of financial system and is in charge of monetary policy operations. It also is responsible for the supply of liquidity and acts as a lender of last resort.

Preconditions for Effective Banking Supervision

14. Switzerland has a competitive economy with prudent public finances and one of the highest GDP per capita globally. Sound and sustainable fiscal policies are anchored in a debt brake rule contained in the federal constitution and in constitutions governing 25 of 26 cantonal governments. SNB conducts the country’s monetary policy as an independent central bank. It is obliged by the Federal Constitution and its statute to act in accordance with the interests of the country as a whole. It has to ensure price stability, while taking due account of economic developments. Within this framework, the National Bank Act also confers on the SNB the mandate of contributing to the stability of the financial system

15. The macroeconomic situation in Switzerland has been stable but facing difficulties in the past few years:

• GDP growth in Switzerland has decelerated and inflation remains negative. Driven by lower net exports, growth slowed in 2012 to only 1 percent and is expected to reach around 1¼ percent in 2013, and to regain momentum only gradually. Core and headline consumer price inflation are negative as the pass-through from the past exchange rate appreciation continues to run its course, while expectations are anchored in positive territory. Unemployment is low, and immigration is fueling labor force growth.

• The exchange rate floor was introduced by SNB and it has helped safeguard macroeconomic stability. The floor was introduced in September 2011 as a measure to contain the effects of “safe haven” flows into Swiss assets. These inflows resumed in mid-2012, prompting further heavy intervention and an expansion of the balance sheet of the SNB, but pressures on the Swiss franc have waned since late 2012. Following the introduction of the floor, the real exchange rate has depreciated. While there have been difficulties in some segments, Swiss exports have performed well in recent years. The current account surplus remains sizable, reflecting favorable net interest income.

• The fiscal position is strong. Discretionary fiscal policy is limited by the structurally balanced budget rule (“debt brake”) at the federal level and other fiscal rules at the cantonal level. With conservative budget planning and execution, the federal government has consistently outperformed the fiscal rule. The debt-to-GDP ratio is expected to fall further to about 45 percent of GDP in 2016, although there are spending pressures over the medium term and long-term challenges from population aging.

• Developments in real estate and mortgage lending are important macroprudential concerns. With interest rates at historically low levels, mortgage lending has accelerated, bringing mortgage debt to about 140 percent of GDP. In parallel, housing prices have been rising, particularly in certain segments of the market. The authorities have taken measures to address these risks as described below.

16. In terms of financial sector policies, Switzerland’s approach has been to be an early adopter of the new Basel capital and liquidity measures and to tailor them with additional add-ons for certain banks for systemic reasons. Higher minimum capital ratios apply to the two G-SIFIs and to a lesser degree also to other banks except the smallest ones. Stability in the financial sector has been significantly strengthened by the ‘too big to fail’ (TBTF) legislative revision for the regulation of systemically important banks. The revision was approved by Parliament on September 30, 2011 and put into force by the Federal Council on March 1, 2012. The corresponding amendments to the Capital Adequacy Ordinance (CAO) and the Banking Ordinance (BO) were passed by the Federal Council, approved by Parliament and entered into force on January 1, 2013.

17. The Federal Council decided on February 13, 2013 to activate the countercyclical capital buffer, targeted at mortgage loans financing residential property in Switzerland. This was on the recommendation of the SNB. Banks were required to hold an additional 1 percent of their risk-weighted assets in the mortgage sector by end September 2013 as a consequence of imbalances in the real estate sector built up during the last couple of years. The level of the buffer was further increased to 2 percent in January 2014.⁴ FINMA has also introduced measures to raise risk weights for mortgage lending and new requirements for mortgage financing through Swiss Bankers Association, including a minimum down payment and minimum repayment requirements

18. The role of SNB relates to macro-prudential supervision. The SNB is responsible for the designation of the systemically important banks according to Art. 8 of the Swiss Banking Act, and propose an activation of the countercyclical capital buffer to the Swiss Federal Council. Between FINMA and the SNB a Memorandum of Understanding (MOU) is in place. It provides for regular meetings at head of organization level and ongoing exchange of views in the areas of (i) assessment of the soundness of systemically important banks and/or the banking system; (ii) regulations that have a major impact on the soundness of banks, including liquidity, capital adequacy and risk distribution provisions, where they are of relevance for financial stability; (iii) contingency planning and crisis management.

19. Switzerland has a consensus-driven culture with strong support for principles-based, proportional regulation and supervision, once adopted. Rating agencies have described the domestic credit culture as conservative. The system of business laws is well developed, as is the practice of professions important to banking such as accountancy and auditing, the legal profession, and banking and risk management. However, given the size and reach of domestic banks, FINMA (and its predecessor) concluded that there were not sufficient high quality resources available in Switzerland to effectively conduct bank supervision using own resources only. That lead to the development of the supervision model of having the outside auditors of banks, and their global network, conduct regulatory audits on behalf of FINMA (as an ‘extended arm’), but paid for by the banks.

20. All stock corporations and other commercial entities in Switzerland must prepare financial statements including a balance sheet, an income statement and notes. The financial statements of stock corporations are subject to an annual audit. Publicly traded companies, banks, other financial institutions, mutual funds and pension funds are subject to additional reporting requirements. Auditors of public companies are subject to regulation and inspection by an independent authority.

21. FINMA is the supervisory authority and also the insolvency and resolution authority for banks and securities dealers in Switzerland. It is also responsible for intensified supervision of banks in a recovery status. At the point of non-viability, FINMA is responsible for establishing intervention measures, and the resolution or the liquidation of the bank. Systemically important banks, as required by FINMA, need to establish recovery plans which are subject to FINMA’s approval. In addition, FINMA defines institution-specific resolution plans. FINMA is responsible for the international coordination and cooperation process regarding the global resolution strategy for both Swiss G-SIBs.

22. In 2011, FDF, SNB and FINMA signed a tripartite memorandum of understanding on crisis management. The MOU governs exchange of information on financial stability and financial market regulation issues, as well as collaboration in the event of a crisis. In accordance with the MOU, strategic coordination of the crisis management organization and of any intervention is performed by a Steering Committee (SC), comprising the head of the Federal Department of Finance (FDF), the Chairman of the Governing Board of the SNB and the Chairman of FINMA. Meetings of the SC shall be held whenever necessary. FINMA leads international crisis management colleges for the two major Swiss banks, especially with participation of the United States and the United Kingdom.

23. Regarding recovery and resolution, the coming into force of the new Banking Insolvency Ordinance (BIO) established by FINMA was an important step for Switzerland. This Ordinance sets out the process to be followed so that not only shareholders but also bondholders contribute towards restructuring. As part of its restructuring plan, FINMA can order a compulsory conversion of bonds or a waiver of claims (bail-in): it ensures that banks can still continue to operate and safeguard financial stability. In the case of systemically important large banks, additional capital measures have been taken in the form of convertible capital (CoCos). This involves a two-stage approach which, as a first step, converts CoCos into equity capital. If this measure to sustainably stabilize the bank proves insufficient, the next step is resolution at the highest group level by means of a bail-in. This procedure triggers FINMA’s resolution strategy in cooperation with its key host regulators.

24. In 2008 the limit on depositor protection was increased from CHF 30,000 to CHF 100,000, and extended to employee pension accounts. In addition, the upper limit for overall secured assets was increased from CHF 4 billion to CHF 6 billion. In September 2011, the temporary provisions were made permanent in the revised Banking Act. The Depositor Protection scheme is set up as an ex-post financed association with which all banks in Switzerland must be affiliated. In the event of a bank going bankrupt, all members transfer to this scheme the amounts required of up to a total amount of CHF 6 billion within five days. To guarantee this, banks are required to deposit 125 percent of the guaranteed amounts in Switzerland.

25. Effective market discipline is promoted by the design of key policy measures, such as those related to resolution of banks, and by a transparency in disclosure of financial accounts. However, various observers have noted that disclosure under Swiss accounting rules is less in general than under international standards. The philosophy of complete bank secrecy related to individual account holders is being altered in some circumstances under international pressure and as a result of specific situations of questionable behavior. Market participants believe these trends will have implications for the business model of certain institutions.

Detailed Assessment

A. Supervisory Powers, Responsibilities and Functions

Principle 1	Responsibilities, objectives and powers. An effective system of banking supervision has clear responsibilities and objectives for each authority involved in the supervision of banks and banking groups.5 A suitable legal framework for banking supervision is in place to provide each responsible authority with the necessary legal powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns.6
Essential criteria
EC1	The responsibilities and objectives of each of the authorities involved in banking supervision7 are clearly defined in legislation and publicly disclosed. Where more than one authority is responsible for supervising the banking system, a credible and publicly available framework is in place to avoid regulatory and supervisory gaps.
Description and findings re EC1	The Swiss Financial Market Supervisory Authority (FINMA) is responsible for supervision of banks in Switzerland. FINMA is “the authority that supervises the financial market” and a “public institution”. (Financial Market Supervisory Act (FINMASA) Art. 4). It is a unified supervisor; the law provides FINMA the supervisory authority over those licensed by it which includes banks, insurance firms, collective capital investments, and audit companies. (FINMASA Art. 2). FINMA’s authority covers licensing, supervision, application of corrective actions and sanctions, and issuing regulation in the form of ordinances and circulars. According to the National Bank Act (NBA), the Swiss National Bank (SNB) has the mandate to ensure price stability while taking due account of the development of the economy. Within this framework, the SNB has “to contribute to the stability of the financial system” (NBA Art. 5). It also is responsible for the supply of liquidity and act as a lender of last resort in the event of a crisis (NBA Art. 9). There are two particular areas where the SNB participate in decisions affecting microprudential supervision: Under the Banking Act (BA) Art. 8 para 3, the National Bank designates—after consulting FINMA—the systemically important banking institutions and their systemically important functions; and Under the Capital Adequacy Ordinance (CAO) Art. 44 the Swiss National Bank can issue a proposal to the Swiss Federal Council to activate, adjust, or deactivate a countercyclical buffer. Prior to issuing such a proposal, the Swiss National Bank must consult with FINMA. Cooperation between FINMA and SNB is described in a MOU between two institutions established in February 2010. The MOU focuses on the following areas: assessment of soundness of systemically important banks and/or the banking system; regulations that have a major impact on the soundness of banks; and contingency planning and crisis management. A high-level steering committee which meets at least twice a year as well as a standing committee which meets at least four times a year has been established for coordination, including on joint projects. It also provides a framework for information sharing including confidential ones. Currently the two largest banks have been designated as systemically important. The relevant legal fundamentals are made public on FINMA’s website and on that of the Swiss Federal Administration.
EC 2	The primary objective of banking supervision is to promote the safety and soundness of banks and the banking system. If the banking supervisor is assigned broader responsibilities, these are subordinate to the primary objective and do not conflict with it.
Description and findings re EC2	FINMA’s objectives are provided as “[I]n accordance with the financial market acts, financial market supervision has the objectives of protecting creditors, investors, and insured persons as well as ensuring the proper functioning of the financial market” (FINMASA Art. 5). FINMA does so mainly by prudential supervision which – with regard to banks – “promotes the safety and soundness of banks and the banking system”. FINMASA Art. 5 also stipulates that “it (financial market supervision) thus contributes to sustaining the reputation and competitiveness of Switzerland’s financial center”. The authorities explain that this wording—“it thus contributes”—clearly subordinates the contribution to “sustaining the reputation and competitiveness of Switzerland’s financial center” to promoting the safety and soundness of banks and the banking system. They also explain that it is the way in which FINMA understands its responsibilities and conducts banking supervision and that this contribution is performed through creating robust regulatory and supervisory frameworks. The assessors were also informed that there is a Parliamentary initiative to expand the objectives of FINMA by amending FINMASA to include promoting the competitiveness of the financial center as one of the primary objectives. The act also requires FINMA, in exercising its regulatory powers, to take into account the effect that regulation has on competition, innovative ability and the international competitiveness of Switzerland’s financial centre, in addition to the compliance cost and international standards. (FINMASA Art. 7) Again, FINMA explains that this Article. does not cover supervisory actions and that it understands that this requirement is fulfilled by constructing a robust regulatory framework that contributes to the safety and soundness of banking system, and by ensuring meaningful consultation on new initiatives.
EC3	Laws and regulations provide a framework for the supervisor to set and enforce minimum prudential standards for banks and banking groups. The supervisor has the power to increase the prudential requirements for individual banks and banking groups based on their risk profile8 and systemic importance.9
Description and findings re EC3	FINMA is responsible for the supervision of banks and banking groups in Switzerland. The Swiss regulatory framework for banking supervision is formulated at three levels: Federal acts such as the Federal Law on Banks and Savings Banks (Banking Act, BA) and the Financial Market Supervision Act (FINMASA) are issued by Parliament. In the hierarchical structure of Swiss legislation, federal acts are subordinate to the Constitution. Under the Federal Constitution, all important legislative provisions must be passed as a federal act. This includes, for instance, severe restrictions on constitutional rights (e.g., economic freedom), basic provisions on the rights and obligations of persons and on procedures followed by the federal authorities. Federal acts are drafted by FDF and submitted to the parliament. The way this work is conducted depends case-by-case, but a project team consists of relevant parties including FDF and FINMA could be organized. The draft could be changed through the parliamentary process. Ordinances are based on parliamentary laws and are issued by the Swiss Federal Council or very occasionally by FINMA. The Federal Council can pass general legal provisions in the form of an ordinance insofar as it is empowered to do so by an act or directly by the Constitution. Federal ordinances are also drafted by FDF and submitted to the Federal Council. For administrative units such as FINMA to issue ordinances, explicit delegation in laws or Federal Council ordinances is required. Circulars can be issued by FINMA to set forth its practice with regard to the above regulations. The purpose of FINMA circulars is to enable the supervisory authority to implement legislative rules in a uniform and proper manner by specifying open, undefined legal norms and outlining generally abstract requirements for exercising discretionary powers. Circulars do not need any explicit legal basis in an act; their content, however, must be materially related to acts and ordinances. Circulars are binding for FINMA. Circulars must be approved by the board of FINMA. Compliance with all FINMA Circulars (as well as Acts and Ordinances) applicable to banks are subject to the annual audit process and issues of non-compliance will be reported in the annual audit report, based an assessment of risk and materiality. However, Circulars do not have the characteristics of Acts of Ordinance. Accordingly, a supervised institution may appeal against a Circular in a concrete case if the institution considers the Circular is not applicable for its particular circumstances. In addition to these, FINMA publishes guidance through various forms, including Frequent Asked Questions and FINMA position papers. Although these do not formally have same degree of enforceability, they are understood by banks and external auditors to compliment Ordinances and Circulars and banks need to adhere to them.
EC4	Banking laws, regulations and prudential standards are updated as necessary to ensure that they remain effective and relevant to changing industry and regulatory practices. These are subject to public consultation, as appropriate.
Description and findings re EC4	The authorities observe developments on the financial markets, both nationally and internationally to identify and understand the relevant risks and follow the evolution of international regulations as well as its effects on Switzerland, and these developments, as well as parliamentary trigger the regulatory or legislative process. Regulations, including laws and ordinances are revised frequently; for example, BA was most recently amended in September 2011, BO June 2012, the new CAO was issued June 2012, and a number of circulars have been issued each year. However, as explained in relevant CPs, some circulars, particularly those related to specific risk management requirements, are not revised frequently enough to keep them updated and relevant. In the process of formulating regulations, FINMA communicates information on regulatory initiatives and their current status to various stakeholders. Draft regulations and explanatory reports are in general submitted for open consultation to give all interested parties the opportunity to express themselves. In general, comments received are published together with a report on the considerations and the adopted legislation. FINMA’s reactions to relevant issues raised during the consultation are included in the consultation report. Also, public hearings are held about draft regulations to involve wider stakeholders including depositors and other customers. If justified by the importance of a regulatory project and permitted by timing and circumstances, workshops and joint working groups with the supervised entities may also take place. Industry participants that assessors met were generally satisfied with their communication with FINMA, but some noted that more frequent and candid dialogue on regulatory issues between FINMA and the industry would be valuable.
EC5	The supervisor has the power to: (a) have full access to banks’ and banking groups’ Boards, management, staff and records in order to review compliance with internal rules and limits as well as external laws and regulations; (b) review the overall activities of a banking group, both domestic and cross-border; and (c) Supervise the activities of foreign banks incorporated in its jurisdiction.
Description and findings re EC5	(a) FINMA has full access to banks’ and banking group’s Board, management staff and records as provided by FINMASA, Art. 29, which stipulates that “the supervised entities (including the institutions’ management and staff), their audit companies and auditors as well as persons or companies that are qualified investors or that have a substantial participation in the supervised entities must provide FINMA with all information and documents that it requires to carry out its tasks”. (b) Under certain circumstances, not only a bank as a solo entity but also a “financial group” or a “financial conglomerate” including related entities both domestic and cross-border becomes subject of group supervision by FINMA (BA Art. 3b f). (See Cp12.) As a consequence, FINMA reviews the overall activities of a banking group, both domestic and cross-border, if it is the lead home-country regulator of such a group. However, entities conducting non-financial activities are excluded from group supervision. (c) Branches and subsidiaries of foreign banks must obtain a license from FINMA. These institutions are subject to similar regulatory and supervisory requirements applicable to all other Swiss banks, including requirements to furnish information to FINMA.
EC6	When, in a supervisor’s judgment, a bank is not complying with laws or regulations, or it is or is likely to be engaging in unsafe or unsound practices or actions that have the potential to jeopardize the bank or the banking system, the supervisor has the power to: (a) take (and/or require a bank to take) timely corrective action; (b) impose a range of sanctions; (c) revoke the bank’s license; and (d) cooperate and collaborate with relevant authorities to achieve an orderly resolution of the bank, including triggering resolution where appropriate.
Description and findings re EC6	If a bank poses problems as described above FINMA has the power to take the required corrective measures (see CP11). Depending on the gravity of a situation the following measures will be taken and escalated accordingly: Regular supervision: FINMA will address problems with the bank under its regular supervision. In this context, it may request the bank to take immediate corrective measures and impose time limits for the implementation. Enforcement: If (a) the bank does not implement the requested corrective measures under its regular supervision, (b) it is apparent that the bank is unable or unwilling to implement the required corrective measures, or (c) the situation poses immediate risks to the bank, the banking system or to the interests of depositors, FINMA will open administrative enforcement proceeding (Art. 30 FINMASA). Interim measures: In enforcement proceedings, FINMA can order interim measures to safeguard the situation. FINMA can appoint an investigating agent to implement the required corrective measures (Art. 36 FINMASA). Final measures: In enforcement proceedings, FINMA can order the restoration of compliance with the supervisory law (Art. 31 FINMASA). The possible measures are not pre-defined. In addition, FINMA can: bar a person from acting in a management capacity in the banking sector for a period of up to five years (Art. 33 FINMASA); confiscate any profit made through a serious violation of the supervisory provisions (Art. 35 FINMASA); and, revoke the banking license (Art. 37 FINMASA). FINMA is the competent authority for the resolution and/or liquidation of banks in Switzerland. In this regard, FINMA assumes the role of the ordinary bankruptcy authorities, i.e., FINMA decides on the liquidation of a bank (Art. 33 para 1 Banking Act, BA). FINMA may appoint one or several liquidators who are subject to its supervision (Art. 33 para 2 BA). FINMA may also itself assume the role of the liquidator (through a specialized unit within FINMA). In addition, FINMA is the competent authority to recognize the effects of bankruptcy/liquidation proceedings over a foreign bank in Switzerland.
EC7	The supervisor has the power to review the activities of parent companies and of companies affiliated with parent companies to determine their impact on the safety and soundness of the bank and the banking group.
Description and findings re EC7	FINMA establishes its consolidated supervision at the level of the parent company if the group of companies including a bank meets the definition of financial group as noted above. Thus parent companies are included in FINMA’s group supervision and required to provide information and documents. As noted above, group supervision supplements supervision of a bank as a solo entity. In addition, “qualified investors or that have a substantial participation” in a bank are also required to provide information and documents requested by FINMA. In case of companies affiliated with parent companies, if they are companies operating in the financial sector, they will also be subject to group supervision, which gives FINMA the ability to request information. If these companies are not operating in the financial sector, they will be exempted from group supervision and FINMA will have no direct power over these entities.
Assessment of Principle 1	Compliant
Comments	Changes to the objectives of FINMA to elevate promoting competitiveness to a main objective (as described in EC1) would risk confusing FINMAs mandate and would be contrary to this CP. Despite the compliant grade, there are weaknesses in the power of FINMA which are taken into account in assessment of other CPs. In particular, the existence of gaps in the regulatory framework, infrequency of updating circulars, and use of FAQs and other secondary documents to augment regulations, cause a challenge in consistent application of the regulatory framework and in supervisory activities.
Principle 2	Independence, accountability, resourcing and legal protection for supervisors. The supervisor possesses operational independence, transparent processes, sound governance, budgetary processes that do not undermine autonomy and adequate resources, and is accountable for the discharge of its duties and use of its resources. The legal framework for banking supervision includes legal protection for the supervisor.
Essential criteria
EC1	The operational independence, accountability and governance of the supervisor are prescribed in legislation and publicly disclosed. There is no government or industry interference that compromises the operational independence of the supervisor. The supervisor has full discretion to take any supervisory actions or decisions on banks and banking groups under its supervision.
Description and findings re EC1	FINMA is created as a public law institution with its own legal personality and official seat in Bern (FIMASA Art. 4). Governance and independence of FINMA are specified in Section 1 of Chapter 2 of FINMASA and further underpinned by the secondary regulations on the organization of FINMA. FINMSA Arts. 9 and 10 and the related secondary regulation on the organization of FINMA specify the terms and conditions of the composition and tasks of the Board of Directors (BoD) and the management board. It requires BoD, which is appointed by the Federal Council and comprises seven to nine members, to be independent of the supervised persons and entities (FINMASA Art. 9 para 1). The Chair of BoD is not permitted to carry out any other economic activity nor hold any federal or cantonal office unless it is in the interest of fulfillment of the tasks of FINMA (FINMASA Art. 9 para 4). Further, FINMASA Art. 21 para 1 requires FINMA to carry out its supervisory activity autonomously and independently. FINMA is funded independently from the general federal budget by levying fees for individual cases and services as well as annual supervision charges on supervised entities (FINMASA Art. 15). FINMA’s budget is only subject to approval by FINMA’s BoD. The relevant Ordinance issued by the Federal Council sets a broad framework of fees and charges but it does not constrain FINMA’s ability to charge banks. FINMA’s annual report and three year strategic plan is subject to approval by the Federal Council. At least once a year, FINMA discusses the strategy for its supervisory activities and current issues of financial center policy with the Federal Council (FINMASA Art. 21 para 2). FINMA has its own Personnel Ordinance (subject to approval by the Federal Council) which provides FINMA with increased flexibility regarding the remuneration of its employees compared to the federal administration. FINMA explains that it enjoys a large degree of autonomy in the performance of its supervisory duties. Its decisions can only be appealed in court. For regulation above FINMA level (acts and federal ordinances) as well as for international policy development FINMA coordinates with other relevant authorities such as FDF and SNB. There are no observers from government, politics or industry present in meetings of FINMA’s BoD or Executive Board. The government cannot issue operational instructions to the supervisory authority. FINMA is accountable to the Federal Parliament, which exercises general oversight (“Oberaufsicht”) over FINMA according to the ordinary working modalities of the Swiss Parliament (FINMASA Art. 21 para 4). There are no provisions that allow Parliament or the Federal Council to intervene in operational issues under the FINMA’s responsibility, such as supervisory actions and decisions on individual banks. FINMA explains that there is interference on a day-to-day basis with FINMA’s supervisory work neither by Parliament nor by the Federal Council. Currently, however there is substantial parliamentary interest in FINMAs power to issue what amount to rules or guidance, and the effect on various aspects of the sector’s competitiveness. Proposals to change FINMA’s mandate are on hold pending a review of its regulation versus international norms. Recently, in response to FINMAs decision in 2012 to impose Pillar 2 requirements on midsize banks, Parliament passed a motion requiring the Federal Council to take this power away from FINMA and vest it in the federal council instead. That motion indicated in a non- binding way that the resulting Pillar 2 capital charges should be capped at values less than FINMA now has in place.
EC2	The process for the appointment and removal of the head(s) of the supervisory authority and members of its governing body is transparent. The head(s) of the supervisory authority is (are) appointed for a minimum term and is removed from office during his/her term only for reasons specified in law or if (s)he is not physically or mentally capable of carrying out the role or has been found guilty of misconduct. The reason(s) for removal is publicly disclosed.
Description and findings re EC2	The Federal Council appoints the FINMA’s BoD. In doing so, it must ensure the appropriate representation of both genders. It appoints the Chair and the Vice-Chair. It determines the level of remuneration. (FINMASA Art. 9 para 2). The BoD has to be comprised of seven to nine expert members, who are independent of the supervised persons and entities. The members of BoD, including the Chair and Vice Chair, are appointed for a term of office of four years; each member may be reappointed twice (FINMASA Art. 9 paras. 2 and 3). The Federal Council removes members of BoD “if the requirements for holding office are no longer fulfilled” without providing further details, although this has not happened to date. (FINMASA Art. 9 para 5). There is no requirement to disclose the reason(s) for removal. The Chief Executive Officer (CEO) and the members of the Executive Board are appointed by the BoD. The appointment of the CEO is subject to approval by the Federal Council (FINMASA Art. 9 para 1). Consequently, the Federal Council has to approve the decision of BoD to terminate the employment of CEO “if the requirements for holding office are no longer fulfilled” (FINMASA Art. 9 para 5). Moreover, the FINMA Personnel Ordinance Art. 9 para 4 provides that the termination of an employment contract, including the one for CEO, must be for objective reasons and they have to be communicated in writing to the person concerned. For the CEO and other members of the Executive Board, there is no requirement to disclose the reason(s) for removal.
EC3	The supervisor publishes its objectives and is accountable through a transparent framework for the discharge of its duties in relation to those objectives.10
Description and findings re EC3	FINMASA Art. 9 provides that BoD determines the strategic objectives of FINMA and submits them to the Federal Council for approval. The strategic objectives are determined for a period of 3 to 4 years and published on FINMA’s website (Strategic Goals 2013 to 2016). FINMASA also stipulates that BoD “draws up the annual report and submits the annual report to the Federal Council for approval prior to publication.” (Art. 9, Art. 22). This provides information on annual activities and priorities. There is also an annual hearing with the relevant Parliamentary Committees.
EC4	The supervisor has effective internal governance and communication processes that enable supervisory decisions to be taken at a level appropriate to the significance of the issue and timely decisions to be taken in the case of an emergency. The governing body is structured to avoid any real or perceived conflicts of interest.
Description and findings re EC4	FINMASA Art. 9 stipulates that the BoD decides on matters of substantial importance. Details on what constitutes matters of substantial importance are provided in FINMA’s Organizational Rules Art. 2 as: matters of considerable consequence for financial markets or of systemic importance as evidenced at one or more of the supervised institutions; matters of particular interest for the general public; matters that result in establishing rules of practice or a change thereto; matters involving a high liability risk for FINMA or having a long-term effect on FINMA’s reputation; and matters that are designated as such by at least three members of the Board of Directors. Thus, the BoD can be involved in making specific supervisory decisions, although FINMA explains the involvement of BoD on specific supervisory actions has been substantially reduced from its predecessor, EBK. The Executive Board, which is consist of CEO and Head of Divisions of FINMA, decides all matters that do not fall to BoD. In a few cases of lesser importance, the Executive Board may transfer this competence to the divisions. (Organizational Rules Art. 14) FINMA’s BoD as well as the Executive Board can, in urgent cases, pass resolutions via circular (including fax and email), making it possible to respond in a timely manner in the case of emergency. The Chair of the BoD can also take necessary decisions (Chairman’s resolutions) in lieu of the BoD (FINMA’s Organizational Rules Art. 9). FINMA’s internal governance rules at a lower level are mostly established in the Operational Regulations. Regarding conflicts of interest BoD members are required to be independent of the supervised persons and entities (FINMASA Art. 9). In addition, the Chair of the BoD is not allowed to carry out any other economic activities, nor hold any federal or cantonal office, unless they are in the interest of fulfilling FINMA’s tasks (FINMASA Art. 9). This restriction did not apply to other BoD members under the old rule, although they were not allowed to be members of executive boards or chairmen/vice chairmen of Boards of any supervised institutions. The authorities explain that recent appointments were only made under the condition that the candidate gives up any mandate in a supervised entity. Also, as described below, recusal rules apply to prevent potential conflict of interests. The authorities also introduced new rules in December 2013 prohibiting BoD members to engage in any activities in supervised institutions, although it will become effective from 2016. BoD also issued a Code of Conduct that is applicable to BoD and all staff members including members of the Executive Board. It sets out clear prescriptions regarding real and perceived conflicts of interest. For example, FINMA staff members who wish to assume an outside employment position needs to get an approval. Also, FINMA Personnel Ordinance regards outside work by a FINMA employee which results in a conflict of interest with the person’s activities within FINMA as incompatible with the employment with the FINMA, thus no approval will be granted. There are restrictions on transactions of securities of supervised entities, although it is somewhat relaxed for members of BOD who are not chair/vice-chair. The Code of Conduct also requires members of FINMA’s BoD, Executive Board and senior management to recuse themselves from consideration of matters concerning a supervised entity at which they were employed within the previous year.
EC5	The supervisor and its staff have credibility based on their professionalism and integrity. There are rules on how to avoid conflicts of interest and on the appropriate use of information obtained through work, with sanctions in place if these are not followed.
Description and findings re EC5	See EC4. FINMA’s Code of Conduct also includes the duty to protect the confidentiality of official matters (Art. 14). FINMA also has rules on the appropriate use of information (Regulations on the protection of information). In case of violation of these rules, sanctions such as dismissals can be imposed by FINMA (FINMA Personnel Ordinance Art. 10). A breach of official secrecy is liable to prosecution (Swiss Criminal Code Art. 320). The assessors found the quality of FINMA staff to be very high. This view is also generally shared by industry members who the assessment team met.
EC6	The supervisor has adequate resources for the conduct of effective supervision and oversight. It is financed in a manner that does not undermine its autonomy or operational independence. This includes: a budget that provides for staff in sufficient numbers and with skills commensurate with the risk profile and systemic importance of the banks and banking groups supervised; salary scales that allow it to attract and retain qualified staff; the ability to commission external experts with the necessary professional skills and independence, and subject to necessary confidentiality restrictions to conduct supervisory tasks; a budget and program for the regular training of staff; a technology budget sufficient to equip its staff with the tools needed to supervise the banking industry and assess individual banks and banking groups; and a travel budget that allows appropriate on-site work, effective cross-border cooperation and participation in domestic and international meetings of significant relevance (e.g., supervisory colleges).
Description and findings re EC6	FINMA is fully financially independent and has a stable and continuous source of funding. FINMA is funded by directly levying fees for individual cases and services as well as annual supervision charges on supervised entities (FINMASA Art. 15). FINMA’s costs not covered by specific fees are borne by the supervised banks. FINMA determines its budget for staff expenses itself, and the related fees and charges, on the base of its resource planning. FINMA views that it has adequate resources to conduct effective supervision and oversight as well as regulatory work on banks. In this context, it believes that its approach of making external audit firms an integral component (“extended arm”) of the supervisory process reduces the need for FINMA to have the specialized resources internally. Audit firms charge the costs of the regulatory audit directly to banks. FINMA’s budget for the banking supervision department has expanded from CHF 39.5 million in 2009 to CHF 65 million in 2013. The number of staff has increased from 371 FTE in 2010 to 442 FTE in 2012. Bank-related staff increased from around 87 FTE in 2010 to 98 FTE in 2012. Of these, some 38 are for off-site supervision and 22 are in risk management, both of whom also perform FINMA lead reviews. Authorization accounts for some 13 FTE and resolution/legal some 10-20 FTE. In addition, the authorities note that external auditors spend around 700 FTE per year for audit work in recent years. However that covers regulatory and financial audit and only some 200FTE of that is for regulatory audit across all categories of firms for normal supervision and some 135FTE is for special audits and model approval. FINMA did not have statistics for regulatory audit by category of banks. However based on the information for regulatory audit and financial audit combined, it appears that over two thirds would be for the Category 1 banks and foreign banks. FINMA has five off-site staff for each major bank, one each for the three Category 2 banks, seven for the approximately 30 Category 3 banks and 20 staff for the approximately 300 category 4 and 5 banks. Only some five of the risk management FTE time goes to banks in Categories 2–5. In certain specific areas such as operational risk, specialist staff is very limited. FINMA has put in place a head-count freeze. Senior management and the BoD is of the view that current staffing is adequate for banking regulation and supervision and do not see the need to increase it substantially. It informed assessors that the institution’s current focuses are on consolidating the institution after a rapid growth since FINMA’s establishment and on efficient use of existing resources. FINMA’s Personnel Ordinance sets out six different salary scales. FINMA explains that the framework of the salary range is sufficiently flexible to retain qualified staff at different levels, except those at the most senior levels. Also, FINMA states that it does not have understaffed key areas at the moment, and that it does not have much difficulty in attracting new staff, as it has a good reputation and can offer interesting jobs and good salaries. It acknowledges this is helped by the current market situation. Furthermore, FINMA relies on external auditors for some technical expertise. The recent turnover rates in the banking division are relatively low (6.8 percent in 2012, compared to 10.1 percent for FINMA overall). In the budgeting process, FINMA queries the scope of costs for external experts that have the necessary professional skills and independence with every department. Afterwards the amount of expected costs will be controlled by the CEO/Executive Board and the Board of Directors. If they agree, the expected costs are approved as a budget. Also during the budget formulation, a training budget has been explicitly set aside. In the years 2009 to 2011, the amount was CHF 2,000 per FTE per year, since 2012 the amount has been raised to CHF 3,000 per FTE. Every department has the responsibility to control the necessity of training for each person and to plan the training of staff. Regarding the budget for information system, required budget has been allocated. During the budget process, the necessity of additional IT tools is clarified, estimated and prioritized. Afterwards, the amount of expected costs will be approved by the Executive Board and the Board of Directors. Cost for travel is also considered during the budgeting process. The travel costs include trips for domestic and international meetings, on-site work, cross-border corporation and other important meetings. FINMA expresses that it does not experience any problem with these budgets.
EC7	As part of their annual resource planning exercise, supervisors regularly take stock of existing skills and projected requirements over the short- and medium-term, taking into account relevant emerging supervisory practices. Supervisors review and implement measures to bridge any gaps in numbers and/or skill-sets identified.
Description and findings re EC7	FINMA’s personnel planning focuses on determining that its future qualitative and quantitative staff needs are in line with the organization’s strategic needs e.g., FINMA’s Strategic Goals. FINMA states that it needs employees who have both competence and integrity, and operational demands (e.g., experience gained during supervisory reviews, changing supervision categories of several institutions, Basel III (Capital & Liquidity)) to perform its functions. The planned natural attrition of personnel in future years is matched with a succession planning. The resulting difference between supply and demand indicates the future quantitative and qualitative need for personnel. Further, this information feeds into the recruitment and development planning of personnel (e.g., planning personnel developing potential).
EC8	In determining supervisory programs and allocating resources, supervisors take into account the risk profile and systemic importance of individual banks and banking groups, and the different mitigation approaches available.
Description and findings re EC8	Supervisory programs and resource allocations follow a risk-based approach based on a pre-defined process (see CP8/9). For a bank requiring more attention, FINMA will assign more resources to ensure an appropriate level of supervision. The two biggest are overseen by a team of five to six people and supported by specialists in the risk unit as well as in the capital unit, making total FTE allocated to the two biggest banks around 30. For smaller banks, however, even for the three in Category 2, which could be domestically systemically relevant, only one person is assigned to a bank. For the roughly 30 banks in category 3 (which includes the cantonal banks), there are staff assigned, and for the smaller banks, a relationship manager oversees a portfolio of banks, which could consist of at least four to five banks. These supervisors are also supported by specialists, albeit to a much lesser degree. In discussions with assessors, those responsible for supervision of a range of smaller and mid-size banks indicate that between one-third and one-half of supervisory time overall is spent on AML/CTF and cross-border issues.
EC9	Laws provide protection to the supervisor and its staff against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. The supervisor and its staff are adequately protected against the costs of defending their actions and/or omissions made while discharging their duties in good faith.
Description and findings re EC9	FINMASA Art. 19 provides that FINMA is liable only if: a) its management bodies or its staff have committed a breach of fundamental duties; and b) loss or damage is not due to a breach of duty by a supervised person or entity. A breach of fundamental duties may have occurred if measures were taken in bad faith. FINMA and its staff are therefore appropriately protected from being held liable for supervisory measures conducted in good faith. Staff is not personally and directly liable in civil law for discharging their duties, although they can be prosecuted if permitted by the Department of Justice. If a staff member acts in good faith, FINMA’s policy is to cover the expenses of a criminal procedure (e.g., court and lawyer fees). The authorities report that litigations against FINMA have been relatively limited and there has not been any court ruling that is against FINMA since its establishment. No prosecutions or litigation has been made against staff members.
Assessment of Principle 2	Materially Non Compliant
Comments	Assessors are of the view that the current resources of FINMA are not sufficient to supervise and regulate the entire banking system effectively, including effective oversight of supervisory work done by external auditors, and that this is contributing to shortcomings in supervision and timely regulation, and weak practical implementation, as described in various CPs. FINMAs adherence to a head-count freeze, that it has decided upon, needs to be relaxed to achieve compliance and to achieve the recommendations in this report. This issue seems acute for middle sized banks which are not globally systemically important but still systemically important domestically. But even for the largest banks, the limited staff resources is constraining further in-depth supervisory work at the level of intensity and regularity being conducted elsewhere. For mid-size and smaller banks, there is a need to conduct more strategic work to address thematic issues that could have material implications, such as operational, legal and reputational risks. For regulatory work, the assessors found a few but important circulars are not updated as frequently as desirable. The assessors believe this is partly due to lack of personnel. The assessors understand that the use of external auditors as an extend arm of FINMA augment resources in FINMA. But, FINMA still needs to exercise enhanced oversight on regulatory audit activities and control quality by providing guidance, assessing works by auditors, and having frequent communications with them, which it understands and making efforts to improve the supervisory approach. There are also thematic supervisory reviews across ranges of banks that are not amenable to being assigned to regulatory auditors. While oversight of supervisors is necessary even in a system where supervision is mainly conducted ‘in-house’, more oversight work is needed where work is outsourced. Assessors appreciate that FINMA is rightly following a ‘quality instead of quantity’ resourcing strategy, but still see the need to increase its resources. Assessors saw no evidence of interference in FINMA’s day-to-day operational independence. However, the assessors view that there are some potential shortcomings in the current legal framework, including the legally stipulated need for FINMA to consider the competitiveness of Swiss financial center. The risk is that this could lead the supervisor to compromise their pursuit of safety and soundness of the banking system. The assessors are also concerned with the current Parliamentary initiative to upgrade this element of the FINMA’s objectives, and to limit FINMAs existing Pillar 2 authority. Related to the governance issue, the assessors found rules to address conflict of interest in FINMA were incomplete for members of FINMA BoD who were not the Chair and the Vice Chair. Given the current set up of the FINMA BoD which expects or permits the members to be involved in any decision regarding individual entities if supported by three of them, as well as regulatory issues that affect the industry, even with the recusal rules, there was a possibility that these gaps could damage the perceived credibility of the supervisor As noted in EC4, the authorities recently strengthened rules to address conflict of interest of members of FINMA BoD. Assessors welcome the decision but believe sound governance and ability to attract Board members could still be enhanced by more clearly delineating and limiting the FINMA Board’s ability to be involved in individual decisions. Thus, the assessors recommend the authorities take following actions: Increase resources for banking regulation and supervision in FINMA. Do not elevate the competitiveness objective in FINMA mandate. Instead, consider removing the reference to competitiveness if needed to avoid confusion and confirm that the primary objective for the supervisor is to promote the safety and soundness of banks and banking groups. Clarify and limit what decisions on individual institutions FINMA’s board should take. Maintain the current FINMA power to set Pillar 2 add-ons on a group of banks.
Principle 3	Cooperation and collaboration. Laws, regulations or other arrangements provide a framework for cooperation and collaboration with relevant domestic authorities and foreign supervisors. These arrangements reflect the need to protect confidential information.11
Essential criteria
EC1	Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with all domestic authorities with responsibility for the safety and soundness of banks, other financial institutions and/or the stability of the financial system. There is evidence that these arrangements work in practice, where necessary.
Description and findings re EC1	BA Art. 23 authorizes FINMA to share confidential information and documents with other financial market supervisory authorities such as the Federal Audit Oversight Authority, the Swiss stock exchanges as well as SNB. A formal arrangement exists between FINMA, the Federal Department of Finance and the Swiss National Bank based on a tripartite MOU for exchange of information and cooperation in the event of crisis. On the information exchange, the MOU establish a senior-level meeting that meets at least twice a year to exchange information on the macroeconomic environment, the situation in the financial markets and the banking sector, domestic regulatory initiatives as well as international regulatory initiatives and standards concerning the financial markets and the banking sector, and challenges and risks facing the Swiss financial center. On the cooperation in the context of a financial crisis, it sets up a high-level Steering Committee and a working-level Committee on Financial Crisis. The latter meets at least once or twice in a year, regardless of whether there is a crisis. Between FINMA and the SNB a Memorandum of Understanding (MOU) provides for exchange of views in the areas of: (1) assessment of the soundness of systemically important banks and/or the banking system; (2) regulations that have a major impact on the soundness of banks, including liquidity, capital adequacy and risk distribution provisions, where they are of relevance for financial stability; and (3) contingency planning and crisis management. (See CP 2) An informal and frequent communication is also taking place with SNB to share information, exchange views, and coordinate their activities, particularly on the biggest banks. Furthermore, FINMA shares relevant confidential information and cooperates with federal and cantonal prosecution authorities, according to FINMASA Art. 38. Also, information can be shared with other domestic regulators including the Takeover-Board and the Competition Committee under the Anti-Money Laundering Act (AMLA) Art. 29.
EC2	Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with relevant foreign supervisors of banks and banking groups. There is evidence that these arrangements work in practice, where necessary.
Description and findings re EC2	FINMA has arrangements on cooperation and information exchange with foreign supervisory authorities. FINMA currently has MOUs with 17 jurisdictions, including most major financial centers. These MOUs specify, amongst other things, cooperation on information exchange and on-site inspection within the statutory framework provided by legislation. FINMA is an active organizer of and participant in Supervisory Colleges for cross-border institutions. For the two big Swiss banks, FINMA organizes an annual meeting with all interested foreign supervisory authorities which are of importance for the respective banking group (“general colleges”). In addition, more focused “core colleges” with the key US and UK regulators take place semi-annually. Typically, a US-based meeting focuses on investment banking activities, while a Swiss-based meeting focuses on wealth management activities. These extensive colleges complement bilateral international cooperation. For the two big banks, FINMA also conducts a few joint supervisory reviews annually with UK and US supervisors. This usually takes a form of sending several of its staff members to on-site works by the foreign supervisors, but FINMA also leads supervisory reviews where UK and US supervisors participate in the on-site work. FINMA highly values these exercises, as they promote deeper sharing of views and information among the supervisors, and can send strong and coordinated messages to the banks. FINMASA Art. 42 authorizes FINMA to cooperate with a foreign supervisory authority even in the absence of a specific agreement. If the cooperation involves the exchange of confidential data, FINMA generally requires an ad-hoc declaration from the requesting supervisory authority stipulating that: the information may only be used for the direct supervision of the regulated institutions; the supervisory authority is bound by official or professional confidentiality provisions; and the information may not be published or passed on to other authorities and bodies, including other supervisory or criminal prosecution authorities, without the prior consent of FINMA. FINMA explains that it receives a substantial number of requests each year, and that it is able to provide requested information in most of the cases. FINMA explains strong cooperation with other foreign supervisory authorities was necessitated and took part in international cases where Swiss banks are involved, such as the case regarding LIBOR or a substantial trading loss of a big Swiss bank that took place outside of Switzerland.
EC3	The supervisor may provide confidential information to another domestic authority or foreign supervisor but must take reasonable steps to determine that any confidential information so released will be used only for bank-specific or system-wide supervisory purposes and will be treated as confidential by the receiving party.
Description and findings re EC3	Regarding cooperation with domestic authorities, the legal provisions stipulate that FINMA is authorized to transmit confidential information and documents to another domestic authority if they require the information to fulfill their duties. (FINMASA, Art. 38, BA Art. 23bis, AMLA Art. 29) Swiss legislation (BA Art. 43, Criminal Code Art. 320) provides for professional secrecy obligations, breach of which is subject to criminal law prosecution. Concerning foreign authorities, as described in EC 2, FINMASA Art. 42 expressly requires that in order to share non-public information with another competent foreign authority, the latter must be subject to official or professional secrecy and that the information is to be used exclusively for the direct supervision of foreign institutions. FINMA insists on a declaration by the foreign supervisor that the information will be used as confidential as an integral part of the request for administrative assistance with regard to compliance with the rules of confidentiality. FINMA also demands that the requesting authority grant an explicit warranty that the transmitted information and documents are used exclusively for the direct supervision of foreign institutions and that the transmitted information and documents are passed on to competent authorities or to bodies that are entrusted with supervisory duties that lie in the public interest only on the basis of a general authorization in an international treaty or with FINMA’s prior consent. FINMA notes that experience shows that foreign counterparts respect the confidentiality of information provided by FINMA.
EC4	The supervisor receiving confidential information from other supervisors uses the confidential information for bank-specific or system-wide supervisory purposes only. The supervisor does not disclose confidential information received to third parties without the permission of the supervisor providing the information and is able to deny any demand (other than a court order or mandate from a legislative body) for confidential information in its possession. In the event that the supervisor is legally compelled to disclose confidential information it has received from another supervisor, the supervisor promptly notifies the originating supervisor, indicating what information it is compelled to release and the circumstances surrounding the release. Where consent to passing on confidential information is not given, the supervisor uses all reasonable means to resist such a demand or protect the confidentiality of the information.
Description and findings re EC4	FINMA treats information from other supervisors as confidential and uses the information only for the direct supervision of the regulated institutions. Members of FINMA BoD and FINMA employees are bound by official secrecy under FINMASA Art. 14, FINMA Employees Act and the FINMA Code of Conduct. This duty applies not only with regard to third parties outside the government but also towards other offices of the federal or cantonal administration. In addition, FINMA must comply with the Data Protection Act that imposes restrictions on the processing of personal data. A violation of official secrecy may lead to administrative disciplinary measures and a prison sentence or a fine under Art. 320 of the Criminal Act. As a result, FINMA may in principle neither disclose confidential information nor transfer such information to third parties. However, FINMA has the competence to decide whether to waive official secrecy, according to a decision of the Swiss Supreme Court. In addition, FINMA is an ordinary member (member A) of the IOSCO MMoU. Under Articles 10 and 11 of the IOSCO MMoU, the principle of confidentiality and the principle of specialty are regarded to be great importance and have to be strictly implemented by each member. In the event that FINMA is legally compelled to disclose confidential information it has received from another supervisor, FINMA will promptly notify the originating supervisor, indicating what information it is compelled to release and the circumstances surrounding the release. Where consent to passing on confidential information is not given, FINMA will use all reasonable means to resist such a demand. FINMA may refuse to disclose information that is not publicly accessible or to hand over files to prosecution authorities and other domestic authorities where: (a) the information and the files solely serve the purpose of forming internal opinions; (b) their disclosure or handover would prejudice ongoing proceedings or the fulfillment of its supervisory activity; or (c) it is not compatible with the aims of financial market supervision, or with its purpose. (FINMASA Art. 40) FINMA notes that it has not been requested or ordered to disclose confidential information received from another supervisor.
EC5	Processes are in place for the supervisor to support resolution authorities (e.g., central banks and finance ministries as appropriate) to undertake recovery and resolution planning and actions.
Description and findings re EC5	FINMA acts as both supervisor and resolution authority. Domestic cooperation among FINMA, SNB and FDF is provided in the framework established by the tripartite MOU. As described in EC 1, this MOU sets up a framework to deal with a crisis that threatens the stability of the Swiss financial system, that includes Steering Committee (SC) and the Committee on Financial Crisis (CFC). SC is in charge of performing strategic coordination of crisis management and any interventions to address the crisis, and will be made up of the Head of FDF who will chair the committee, the Chair of Governing Board of SNB and the Chair of FINMA. CFC consists of CEO of FINMA (chair) Vice Chair of the SNB Governing Board, and the Director of Federal Finance Administration, a unit in FDF. CFC is responsible for coordinating precautionary efforts and for crisis management. Even in non-crisis times, a meeting is held once or twice a year as a rule. In practice, the CFC meeting has been held regularly and frequently in recent years to share information on Swiss financial sector in response to the difficult environment surrounding global financial sectors. BA Art. 37f allows FINMA to coordinate with foreign authorities in case of foreclosure proceedings against a bank involves processes abroad. This Article aims in particular at avoiding creditors to avail themselves of deficient coordination to get overcompensation for their losses.
Assessment of Principle 3	Compliant
Comments
Principle 4	Permissible activities. The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined and the use of the word “bank” in names is controlled.
Essential criteria
EC1	The term “bank” is clearly defined in laws or regulations.
Description and findings re EC1	BO Art. 2a defines banks as enterprises which are active mainly in the field of finance and in particular those: who accept deposits from the public on a professional basis or solicit these publicly in order to finance in any way, for their own account, an undefined number of unrelated persons or enterprises, with which they do not form an economic unit, or who refinance themselves in substantial amounts from a number of banks which are not significant shareholders and with which they do not form an economic entity in order to provide any form of financing for their own account to an undefined number of unrelated persons or institutions.
EC2	The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined either by supervisors, or in laws or regulations.
Description and findings re EC2	The Swiss banking system is based on the universal banking model and laws or regulation does not clearly define the permissible activities of banks. The banking license, in principle, authorizes exercise of a whole range of possible financial services (such as deposit, credit, asset management, trading, etc.). Non-banking activities are also permitted, provided that the main character of the bank as an institution continues to be mainly active in the field of finance. Unless the institution is not mainly active in the field of finance, it can be licensed as a bank. In supervisory practice, however, the scope of the bank’s operations needs to correspond to its financial capacities, personal resources and organizational structure. The bank must describe precisely its field of business operations with regard to its objectives and geographic terms in articles of incorporation, by-laws and business rules (BO Art. 7 paras. 1 and 3). Articles of incorporation, by-laws and internal regulation of the banks, including there revisions, are subject to FINMA’s formal approval (BA Art. 3 para 3). These documents provide a detailed scope of bank’s operation. Thus, FINMA can restrict and control the scope of bank’s activities. Banks which directly engage in insurance underwriting and selling are prohibited by the Insurance Supervision Act. Moreover, banks’ shareholding of non-financial firms are restricted to not more than 15 percent of their eligible capital and the total amount of such participation to not more than 60 percent. (BA Art. 9 para 4)
EC3	The use of the word “bank” and any derivations such as “banking” in a name, including domain names, is limited to licensed and supervised institutions in all circumstances where the general public might otherwise be misled.
Description and findings re EC3	The term “bank” or “banker”, alone or in combination with other words, may only be used in the company name, designation of the business purpose or advertising, in the case of institutions which have obtained a license from FINMA (BA Art. 1 para 4). A violation to this provision could result in a fine of up to CHF 500,000 (BA Art. 49 para 1). On the contrary, there is no requirement for licensed banks to have the word “bank” in their names.
EC4	The taking of deposits from the public is reserved for institutions that are licensed and subject to supervision as banks.12
Description and findings re EC4	As a rule, only licensed banks are permitted to solicit deposits from the public on professional basis (BA Art. 1 para 2.). Accepting more than 20 deposits on a continuous basis is deemed as soliciting deposits on professional basis (BO Art. 3a para 2). This prohibition extends to all entities including natural persons, except in cases where the Federal Council provides exception where the protection of the depositors is insured. In practice, this is limited to corporate bodies that are established under public law where the state takes full responsibility for their liabilities (BO Art. 3a para 1). Such establishments are regulated and supervised based on individual regulations of public law. They are considered to be as equally stable as common banks licensed by FINMA. However, after the transformation of the postal saving to a licensed bank, there is no significant deposit taking entity outside of licensed banks.
EC5	The supervisor or licensing authority publishes or otherwise makes available a current list of licensed banks, including branches of foreign banks, operating within its jurisdiction in a way that is easily accessible to the public.
Description and findings re EC5	Lists of licensed banks operating in Switzerland, including branches of foreign banks as well as representative offices, are maintained and published on FINMA’s website in four different languages (German, French, Italian, and English).
Assessment of Principle 4	Compliant
Comments
Principle 5	Licensing criteria. The licensing authority has the power to set criteria and reject applications for establishments that do not meet the criteria. At a minimum, the licensing process consists of an assessment of the ownership structure and governance (including the fitness and propriety of Board members and senior management)13 of the bank and its wider group, and its strategic and operating plan, internal controls, risk management and projected financial condition-(including capital base). Where the proposed owner or parent organization is a foreign bank, the prior consent of its home supervisor is obtained.
Essential criteria
EC1	The law identifies the authority responsible for granting and withdrawing a banking license. The licensing authority could be the banking supervisor or another competent authority. If the licensing authority and the supervisor are not the same, the supervisor has the right to have its views on each application considered, and its concerns addressed. In addition, the licensing authority provides the supervisor with any information that may be material to the supervision of the licensed bank. The supervisor imposes prudential conditions or limitations on the newly licensed bank, where appropriate.
Description and findings re EC1	FINMA is the legally established authority that issues banking licenses (BA Art. 3 para 1). Licenses (new licenses and changes in licensing requirements) are processed by a separate organizational unit (Authorization Department) that, alongside the banking supervisory sections, belongs to the Banks division. FINMA explains that the licensing and supervisory sections work closely together. When issuing licenses and changing licensing requirements, opinions are exchanged that take ongoing supervision into consideration. If there are differences of opinions, the division head will be involved to solve the issue. FINMA recognizes the importance of licensing processes given the country’s financial center function. The interest to establish operations in the country is still high in recent years with 55 preliminary as well as formal applications has been submitted in the last five years. New licenses contain conditions and requirements that must be considered when setting up a company. Initially, the business activities that the bank is allowed to conduct are limited, based on bylaws and other major internal rules authorized by FINMA. Those activities are then allowed to be expanded in a controlled manner, taking financial, personnel and organizational resources of the bank into consideration. As noted in CP 4, even after the initial stage, FINMA controls the scope of banks’ activities through authorization of their bylaws and other major internal rules which are required to state their business lines in a detailed manner. Unless authorized by FINMA, these rules will not be entered in to the commercial register and not become effective. During the first few years, a number of interim audits are conducted. Depending on the case in question, it is also possible to determine certain areas to be audited that require special attention when the bank is being set up.
EC2	Laws or regulations give the licensing authority the power to set criteria for licensing banks. If the criteria are not fulfilled or if the information provided is inadequate, the licensing authority has the power to reject an application. If the licensing authority or-supervisor determines that the license was based on false information, the license can be revoked.
Description and findings re EC2	BA Art. 3 provides a number of criteria for licensing banks: Clear scopes of business and adequate organizational frameworks corresponding to their business activities; Establishment of separate bodies for management for one and for providing direction, supervision and control; Fully paid up capital that exceed the minimum determined by the Federal Council (CHF 10 million (BO Art. 4 para 2)); Persons for management who are of good reputation and be able to guarantee the proper conduct of business operations; Natural persons or legal entities that has qualified participation to guarantee that their influence will not have a negative impact on the sound and prudent management of banks; and Persons in charge of management to be domiciled in a place where they can exercise effective management and assume responsibilities. These broad provisions provide FINMA considerable room to set the licensing benchmark appropriately on a case-by-case basis, incorporating specific aspects that need to be addressed in order to be issued with a license for a particular case. FINMA further specifies its requirements for licensed banks in ordinances, circulars and FAQs, which apply to not only ongoing banks but also newly licensed banks. FINMA also publishes a guideline that lists documents an applicant need to submit, that includes detailed information regarding persons responsible for management, organizational framework, business plans, and budgets for first three years. Detailed official interpretation of the above criteria is not published or internally defined, but a booklet written by FINMA staff members explaining licensing process are widely used as reference by FINMA staff and the industry. Licensing process is conducted by the authorization department of FINMA. The staff of the department assess adequacy of application and their compliance to the licensing framework. In addition, an external auditor who will not become a regulatory auditor of the bank needs to assess the compliance of the applicant vis-à-vis licensing requirements. If the licensing requirements cannot be met, incomplete information is submitted or FINMA is not convinced about compliance with the licensing requirements for some other reason, the license is refused and the application is rejected. FINMA is authorized to issue formal decrees stating that a license has not been granted. Under the administrative procedural law in Switzerland, appeals can be made against those decrees to the Federal Administrative Court. Generally, however, applicants will usually withdraw their applications when a negative indication is informally communicated. Licenses issued that are based on incorrect information can be revoked under rules set out in the general administrative procedural law, although it has not happened to date. If there are few shortcomings and they can be remedied, less stringent measures can be taken.
EC3	The criteria for issuing licenses are consistent with those applied in ongoing supervision.
Description and findings re EC3	As mentioned in EC 2, the regulatory framework that applies to ongoing banks are also applies to newly established banks. Thus, during the licensing process, FINMA assesses whether the applicant will be able to meet requirements applied in ongoing supervision, in addition to the requirements only applied for licensing. Moreover, after banks are licensed, FINMA continuously monitors if banks are complying the conditions for licensing. This is one of the main issues that regulatory auditors assess.
EC4	The licensing authority determines that the proposed legal, managerial, operational and ownership structures of the bank and its wider group will not hinder effective supervision on both a solo and a consolidated basis.14 The licensing authority also determines, where appropriate, that these structures will not hinder effective implementation of corrective measures in the future.
Description and findings re EC4	As noted above, BA Art. 3 para 2 stipulates that banks need to establish an adequate organization corresponding to the proposed business activities. Therefore, only structures that can be suitably supervised are permitted in which supervisory requirements can be implemented effectively. Structures that impede supervision, for example, very complex participation structures that are not transparent, are not permitted. The same paragraph requires senior management of a bank domiciled in Switzerland must be resident in the place where they manage and bear responsibility for the bank. This is to ensure that the main management functions of a Swiss bank are in Switzerland, including for globally active banks. In the case of latter, at least the majority of senior management, including those who assume the most important leadership responsibilities, needs to reside in the vicinity in which the bank is domiciled. The same applies at group level: if FINMA is responsible for supervising the group, effective group control should be anchored credibly in Switzerland. Business structures (off-shore/shell entities) without substance are not allowed. If a foreign bank operates from Switzerland or does business only or primarily in or from Switzerland, its organization must comply with Swiss law and is subject to the provisions for Swiss banks. (FBO-FINMA, Art. 1 Para 2)
EC5	The licensing authority identifies and determines the suitability of the bank’s major shareholders, including the ultimate beneficial owners, and others that may exert significant influence. It also assesses the transparency of the ownership structure, the sources of initial capital and the ability of shareholders to provide additional financial support, where needed.
Description and findings re EC5	The fit and proper test are applied for qualified shareholders and other persons substantially influencing a bank during the licensing process and banks must comply to the requirement on an ongoing basis (BA Art. 3 para 2 let. c.bis). Qualified participation is defined in the same paragraph of BA as holding directly or indirectly at least 10 percent of the capital or voting rights of a bank or persons who are in any other way able to influence the bank’s business activities in a significant manner. BA requires qualified participants of banks to guarantee that their influence will not have a negative impact on the sound and prudent management of the bank. The authorities explain that, in comparison with directors and managers, the fit and proper requirement for qualified shareholders focuses more on reputational aspects and not on banking experience and technical know-how. These are usually assessed through references and other means, including interviews if necessary. To enforce the fit and proper standard, FINMA is authorized to impose sanctions that include the suspension of voting rights or revocation of the banking license (BA Art. 23 ter), although this rarely happens. This fit and proper requirement also aims at granting a clear and transparent participation structure up to the ultimate beneficial owner. BO Art. 6 para 2 requires legal entities who have qualified participation in an applicant to provide information regarding their group structures; para 4 requires persons holding qualifying participation to declare the participation is for their own account or on a fiduciary basis. In addition, significant shareholders are required to disclose the origin of their wealth and provide evidence of the capacity to inject further capital if needed. Qualified shareholders and banking institutions are under a legal duty to report relevant shareholdings and any changes to FINMA.
EC6	A minimum initial capital amount is stipulated for all banks.
Description and findings re EC6	BO Art. 4 para 1 stipulates that fully paid in capital must amount to at least CHF 10 million. In the event that a founding shareholder decides to contribute assets other than cash in exchange for the shares issued by the new company, the value of the assets contributed and the extent of liabilities of the shareholder must be verified by a recognized auditing firm and be confirmed to FINMA before authorization. If an existing corporation is converted to a bank, not only paid in capital but also the entire amount of Core Equity Tier 1 can be counted to constitute the initial capital with permission by FINMA. There is also an exception for banks affiliated with a central organization and guaranteed by it. (Bo Art. 4 paras. 2,3)
EC7	The licensing authority, at authorization, evaluates the bank’s proposed Board members and senior management as to expertise and integrity (fit and proper test), and any potential for conflicts of interest. The fit and proper criteria include: (i) skills and experience in relevant financial operations commensurate with the intended activities of the bank; and (ii) no record of criminal activities or adverse regulatory judgments that make a person unfit to uphold important positions in a bank.15 The licensing authority determines whether the bank’s Board has collective sound knowledge of the material activities the bank intends to pursue, and the associated risks.
Description and findings re EC7	BA Art. 3 para 2 requires that “the persons charged with the administration and management of the bank must be of good reputation and must guarantee the proper conduct of business operations”. Further, FINMA FAQs on Board of directors of banks and securities dealers, which is applicable to both newly established banks as well as ongoing banks, provide further details by stipulating that “the members of the supreme governing body should enjoy a good reputation and have sufficient leadership skills, both individually and as a group, as well as the necessary specialist knowledge and experience in banking and finance” and “the body as a whole should have a sufficiently broad background mainly to ensure that—in addition to the main business operations—all other important areas such as finance and accounting, risk management, controlling and compliance are adequately represented”. Similar provisions also exist for financial groups and financial conglomerates (BA Art. 3f). Further, BO provides that all members of the board and management must enjoy an excellent reputation and give proof of no previous convictions and that they are expected to disclose all the details of any completed or pending legal and administrative proceedings (Art. 6 para 1). As mentioned above, the FAQ explains that the bank’s board members need to understand the corporate structures and risks of the institution’s individual business areas and those of the company or group as a whole. In practice, assessors were informed that if the potential candidates are often already known to FINMA or their CVs show conclusive evidence of relevant professional experiences and absence of indications of irregularities, the assessment is done on the basis of the standard documents mentioned in BO Art. 6, i.e., information on their nationality, residency, qualified participations in other companies, and any pending legal or administrative proceedings, as well as signed CVs, references and extracts from the Central Penal Register. In less obvious cases, FINMA applies many other methods to evaluate evidence and conduct further background checks. Additional information can be obtained for example via investigations of the professional or private environment of the person, inquires with other authorities or foreign embassies, investigations using on-line tools (e.g., World Check, Factiva, Google, IOSCO-Portal), assessment of transparency over the due diligence process regarding and behavior in the authorization procedure, and disclosures on remuneration and source of the person’s private wealth. Moreover, candidates for major positions of the Board and management (regularly the Chair, the CEO and other key positions) are personally interviewed by FINMA. Credible references are an important part of the process. In case doubts remained and a negative decision is made regarding a particular candidate, it will be communicated to the applicant. Unless the disputed candidate is not replaced, the license application will be rejected. FINMA explains that this happens from time to time.
EC8	The licensing authority reviews the proposed strategic and operating plans of the bank. This includes determining that an appropriate system of corporate governance, risk management and internal controls, including those related to the detection and prevention of criminal activities, as well as the oversight of proposed outsourced functions, will be in place. The operational structure is required to reflect the scope and degree of sophistication of the proposed activities of the bank.16
Description and findings re EC8	FINMA states that the proposed business strategy and business plan are the key elements that are examined when approving license applications; for example, they are decisive factors in determining adequacy of banks’ internal organizational regulations as the bank’s operational structures must be balanced proportionally with the planned business activities. The guidelines for licensing application requires applicants to submit a comprehensive set of documents regarding strategic and operation plans including: Detailed description of the business activities and the corresponding processes; Articles of Incorporation, partnership agreements and regulations, which are tailored to the business activities; Organization of the applicant; Additional information on the organization, such as staffing, infrastructure and information system, outsourcing, internal control and risk management, separation of functions, compliance and due diligence, internal audit; Business plan for the first three financial years (business development, the clientele, the staff and the organization, etc.); and Financial statements for the first three financial years (balance sheets, income statements). According to the authorities, during the licensing process, the following aspects are analyzed separately in detail according to granular requirements prescribed in FINMA circulars and FAQs for both on-going banks as well as applicants: A balanced management structure with two management levels – the Board and management. The independence of Board as well as an adequate composition of the Board that reflects operation of the banks is required. (BA Art. 3 para 2, BO Art. 8, FINMA FAQs on Board of directors and securities dealers). An adequate internal organization, particularly regarding separation of functions, an effective, internal control system, incl. risk management and compliance (BA Art. 3 para 2, BO Art. 9, FINMA Circular 08/24). Effective measures to comply with due diligence obligations and combating money laundering and terrorist financing (AMLA, AMLO-FINMA). Compliance with provisions on proper outsourcing (FINMA Circular 08/7).
EC9	The licensing authority reviews pro forma financial statements and projections of the proposed bank. This includes an assessment of the adequacy of the financial strength to support the proposed strategic plan as well as financial information on the principal shareholders of the bank.
Description and findings re EC9	As noted above, an applicant submits business plan and financial statements for the first three business years (including balance sheets, income statements and capital planning). This includes results assuming different scenarios. The above mentioned guidelines also require assessment reports on business plans and budgets by an external auditor; the auditor is expected to examine the prospective financial information closely and to judge its plausibility. FINMA accepts banks to be unprofitable during their initial stages as long their business plans are sound in the medium-term. If FINMA judges the business plan is too vague or there is any doubt about how it can be realized, the license application will be rejected. The principal shareholders and other important parties must be able to prove to FINMA that they are capable financially of supplying the bank with more fresh capital if necessary and that they can answer for the sustainable development of the company.
EC10	In the case of foreign banks establishing a branch or subsidiary, before issuing a license, the host supervisor establishes that no objection (or a statement of no objection) from the home supervisor has been received. For cross-border banking operations in its country, the host supervisor determines whether the home supervisor practices global consolidated supervision.
Description and findings re EC10	The home regulator is asked for a statement of no objection in the case of foreign banks establishing a branch or subsidiary (for branches, FBO-FINMA Art. 4; for subsidiaries FBO-FINMA Art. 3bis para 1bis). In the case of branches or subsidiaries of a foreign financial group, the lead home regulator is asked for a statement about adequate supervision at a consolidated basis (for branches, FBO-FINMA Art. 4 para 2; for subsidiaries, BA Art. 3b). FINMA also assesses by itself the adequacy of consolidated supervision by the home supervisor through variety of information, including FSAP reports.
EC11	The licensing authority or supervisor has policies and processes to monitor the progress of new entrants in meeting their business and strategic goals, and to determine that supervisory requirements outlined in the license approval are being met.
Description and findings re EC11	As explained above, initially and during the set-up phase of a bank, FINMA takes various measures; as a rule, the license is at first linked to different requirements and conditions to ensure that the bank can conduct its business in an orderly manner and that its organization functions well. Moreover, the scope of the bank’s business activities during the initial set-up phase will be limited. Once financial and organizational resources permit, the areas in which the bank conducts business can be gradually extended in order to ensure a controlled growth. This is controlled through authorization of banks’ bylaws and business rules. The newly authorized institution is subject to immediate, ongoing supervision. During the set-up phase, various interim audits by external auditors are requested with designated special areas to be audited.
Assessment of Principle 5	Compliant
Comments	The discussion with the staff in charge of licensing as well as review of typical licensing files shows a robust process is in place in assessing various licensing requirements, including the fit and proper test for members of the Board and senior management and other aspects referred to in this principle.
Principle 6	Transfer of significant ownership. The supervisor17 has the power to review, reject and impose prudential conditions on any proposals to transfer significant ownership or controlling interests held directly or indirectly in existing banks to other parties.
Essential criteria
EC1	Laws or regulations contain clear definitions of “significant ownership” and “controlling interest”.
Description and findings re EC1	BA Art. 3 para 2 defines “qualified participation” as direct or indirect holding of at least 10 percent of a bank’s capital or voting rights or having ability to influence the bank’s business activities in a significant manner in any other way. While there is no regulation or guidance that provides more detailed interpretation of the latter, the authorities explain this is applied flexibly to intercept other de facto and de jure influential elements. Examples include the case of parties that have beneficial ownership or have close ties that can exercise their influence based on a shareholders’ agreement or mutual informal arrangements. FINMA explains that consideration is also taken of particularly significant financial or personal dependency relationships such as having additional top management positions or large-scale business dependencies. Even a relatively small amount of shares combined with option elements (e.g., call option to increase to above 10 percent) may be considered as qualified participation ‘by other means’.
EC2	There are requirements to obtain supervisory approval or provide immediate notification of proposed changes that would result in a change in ownership, including beneficial ownership, or the exercise of voting rights over a particular threshold or change in controlling interest.
Description and findings re EC2	BA Art. 3 paras. 5 and 6 prescribes that FINMA is to be informed in advance about any changes in qualified participation, regardless at which level. This reporting requirement concerns buyers and sellers, as well as the bank. Ultimate beneficial owner (UBO) is regarded as indirect qualified participation and is also subject to this reporting requirement. The transaction can only be carried out once FINMA has approved the notification. This notification requirement is also necessary when a qualified participation is increased or reduced thereby exceeding or falling below the thresholds of 20 percent, 33 percent, or 50 percent of the capital or the voting rights. As mentioned above, the definition of qualified participation includes direct and indirect holding of shares or voting rights, thus including ultimate beneficial owners (UBOs), as well as having ability to influence the bank’s business activities in a significant manner. In order to determine UBO, persons having qualified participation in banks must inform FINMA if participation has been acquired for their own account or on behalf of third parties, and if the participation is linked to options or similar rights. (BO Art. 6 para 3). However, as mentioned in EC2, what should constitute “having ability to influence the bank’s business activities in a significant manner” is not publicly defined in any detail. Other jurisdictions often have at least some further criteria specified as to what has to be considered in determining influence. If a foreign-owned bank experiences a change in foreigners with qualified participation or if a bank undergoes foreign ownership, it is necessary to apply for an additional license (BA Art. 3 paras. 5 and 6 and Art. 3ter).
EC3	The supervisor has the power to reject any proposal for a change in significant ownership, including beneficial ownership, or controlling interest, or prevent the exercise of voting rights in respect of such investments to ensure that any change in significant ownership meets criteria comparable to those used for licensing banks. If the supervisor determines that the change in significant ownership was based on false information, the supervisor has the power to reject, modify or reverse the change in significant ownership.
Description and findings re EC3	FINMA understands that it has power to prohibit intended changes in participation about which it has been notified that do not meet the requirements set down in laws and regulations. Changes made with incorrect information provided to FINMA can be revoked. Depending on the case, if there are only few shortcomings and they can be remedied, less stringent measures can be taken. In order to restore lawful conditions, FINMA can adopt appropriate measures in cases where changes in participation have already been made (FINMASA Art. 31). Licenses and other authorization made can be revoked in particularly serious cases (Art. 37 FINMASA); furthermore, it is possible to suspend shareholders’ voting rights (see Art. 23ter BA). Revoking licenses and the other measures described are implemented by way of enforcement proceedings. See CP 11 for details of these enforcement proceedings. In practice, no transfer of significant ownership have been denied in the past five years, but a few application have been withdrawn as FINMA communicated that there is no prospect of them to be approved.
EC4	The supervisor obtains from banks, through periodic reporting or on-site examinations, the names and holdings of all significant shareholders or those that exert controlling influence, including the identities of beneficial owners of shares being held by nominees, custodians and through vehicles that might be used to disguise ownership.
Description and findings re EC4	Banks must report all direct and indirect qualified participations as soon as they have knowledge thereof, at least however once a year and within 60 days following the end of the financial year (BA Art. 3 para 6). The list should include details as to the identity and the share of equity of holders of qualified participation, and necessary documents for those parties in case where the documents have not been submitted before (BO Art. 6a). This includes identities of beneficial owners if parties having direct participation declare if the participation is not for their own account.
EC5	The supervisor has the power to take appropriate action to modify, reverse or otherwise address a change of control that has taken place without the necessary notification to or approval from the supervisor.
Description and findings re EC5	FINMA has the power to address holding of qualified participation that has taken place without the necessary notification to it, including modifying or reversing it. Please refer to EC3 above.
EC6	Laws or regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest.
Description and findings re EC6	FINMASA Art. 29 para 2 requires supervised banks to report immediately and without being asked any incidents that are of substantial importance to supervision. FINMA explains that this includes important information about qualified shareholders who may influence the bank’s reputation or its sound business activities negatively and this understanding is shared with banks.
Assessment of principle 6	Largely Compliant
Comments	The above grade reflects lack of detailed guidance on who are included in the qualified participation as having ability to influence the bank’s business activities in a significant manner. The current regulatory framework relies on banks to report changes in the qualified participation; it is important to establish a shared understanding on the definition of it. Licensing staff indicated that they and banks apply the generally-worded criteria in practice in ways that have not caused problems to date. The assessors understand the need for flexibility in defining the qualified participation, and thus believe the detailed guidance or interpretation should not be an exhaustive list; instead, it should include general qualitative criteria or further (non exhaustive) items that are included on which to assess the ability to influence the bank’s business activities in a significant manner and several concrete examples.
Principle 7	Major acquisitions. The supervisor has the power to approve or reject (or recommend to the responsible authority the approval or rejection of), and impose prudential conditions on, major acquisitions or investments by a bank, against prescribed criteria, including the establishment of cross-border operations, and to determine that corporate affiliations or structures do not expose the bank to undue risks or hinder effective supervision.
Essential criteria
EC1	Laws or regulations clearly define: (a) what types and amounts (absolute and/or in relation to a bank’s capital) of acquisitions and investments need prior supervisory approval; and (b) cases for which notification after the acquisition or investment is sufficient. Such cases are primarily activities closely related to banking and where the investment is small relative to the bank’s capital.
Description and findings re EC1	Switzerland has three different restriction/requirements on specific types of acquisitions and investment. First, BO Art. 3 para 7 stipulates that banks organized pursuant to Swiss law shall notify FINMA before they establish a subsidiary, branch, agency, or representative office abroad. This provision is understood to include acquisition of participating interests in foreign companies active in the financial sector (Guidelines on preliminary reporting requirements for establishing physical presence abroad). Also, as explained in CP 6, this notification is understood to require FINMA’s approval and FINMA can reject it. According to the Guidelines, financial groups subject to FINMA group supervision are also required to report the acquisition of participating interests by entities shown within the scope of consolidation. BA Art. 6b provides information to be submitted for this notification to be as follows: A business plan which, in particular, describes the type of planned transactions and the organizational structure; The address of the business offices abroad; The names of the persons responsible for administration and management; The audit company; and The supervisory authorities of the host country. FINMA explains that this information serves to ensure that reporting banks are organized properly, have sufficient financial means, and establish solid risk management. FINMA also examines if the country where the bank plans to establish presence has laws or regulations prohibiting information flows necessary for adequate consolidated supervision and takes into consideration the effectiveness of supervision in the host country, and FINMA’s own ability to exercise supervision on a consolidated basis. In addition, the information is used for FINMA to respond to any applications or inquiries made by the host supervisor. Based on information provided in these reports as well as existing information on the bank, FINMA decides either to accept or reject the bank’s planned international activities or changes. Second, the business strategy and organization of a bank is defined in its strategy (business plan), its articles of incorporation and in its main organization and business rules as called for by BO Art. 3 para 2. Also, BA Art. 7 stipulates that the nature and geographic scope of the bank’s business activities must be accurately described in its articles of incorporation, its shareholder agreements, or its bylaws. Thus, it is understood that significant acquisitions and investments that require these rules to be changed (in particular the articles of incorporation and organization and business rules including specific delegations of competences) are subject to FINMA’s approval. Such changes may not be entered in the Commercial Register unless they have been approved by FINMA (BA Art. 3 para 3). The discussion with relevant staff members of FINMA showed this process is conducted rigorously. However, acquisitions and investments that do not need these rules to be changed, such as expansion of current business lines, may not require change in those rules thus out of the scope of FINMA’s approval. Laws and regulations do not provide detailed guidance. Third, investments in any company by a bank or by a company belonging to the same group may not exceed 15 percent of the net own funds of the bank or of the consolidated group to which the bank belongs. Additionally, the total of financial fixed assets of a nonaffiliated company acquired for the purpose of investment may not exceed 60 percent of the net own funds of the bank or the consolidated group. (BA Art. 4 para 4) The Capital Adequacy Ordinance (CAO) provides exceptions to the limits mentioned above where such investments are acquired for restructuring purposes or for the purpose of temporary emission, or the difference between the carrying value of these investments and the limits applicable is fully covered by eligible capital (CAO Art. 13). In addition, the BA Art. 4 bis prescribes that a bank’s participation in any single company must be proportionate the bank’s eligible capital (Art. 4bis BA; Art. 13 of the CAO).
EC2	Laws or regulations provide criteria by which to judge individual proposals
Description and findings re EC2	In case of foreign operations, the Guidelines on preliminary reporting requirements for establishing physical presence abroad sets out that the reporting requirements are to ensure that banks intending to expand their business activities by establishing a physical presence abroad are organized properly and have sufficient financial means to do so. No further details are provided in the regulatory framework. In case of acquisitions and investments that require changes in banks’ articles of incorporation and in its main organization and business rules, it is understood that banks need to comply requirements set out in laws and regulations that are applicable to general operation of banks, including those on organizations, internal control and risk management. Moreover, BO Art. 7 Para 3 stipulates that the scope of the bank’s operations must be commensurate with its financial resources and its administrative organization.
EC3	Consistent with the licensing requirements, among the objective criteria that the supervisor uses is that any new acquisitions and investments do not expose the bank to undue risks or hinder effective supervision. The supervisor also determines, where appropriate, that these new acquisitions and investments will not hinder effective implementation of corrective measures in the future.18 The supervisor can prohibit banks from making major acquisitions/investments (including the establishment of cross-border banking operations) in countries with laws or regulations prohibiting information flows deemed necessary for adequate consolidated supervision. The supervisor takes into consideration the effectiveness of supervision in the host country and its own ability to exercise supervision on a consolidated basis.
Description and findings re EC3	See EC 2. For acquisitions and investments that establish foreign financial operations, adequacy of its operation, including solid risk management, is required. Thus, it is expected that if establishing foreign operations may expose banks to undue risks or hinder effective supervision as well as implementation of corrective actions, FINMA will not approve, including a cases where laws and regulations of a jurisdiction inhibits effective consolidated supervision. Adequacy of effectiveness of supervision in the host country is also assessed. To ensure this, a comprehensive and detailed set of information is required to be provided to FINMA as set out in the Guidelines, including: Details of the legal structure (subsidiaries, branch offices, representative offices) and its share-holding structure. The shareholding structure and information on other participating shareholders are to be indicated in case participating interest is acquired in existing companies. Details of the type of business planned: outline of the business activities foreseen (business-model and plan), client target group, internal organization, especially in relation to risk management and local compliance. For parent companies, details of the existing reporting line, supervision of activities, risk management and compliance are to be included. Details of the structure of the executive management (board of directors) and of management (senior management). Information on any other functions exercised by the persons named at other group entities is to be indicated. Details of the assigned audit firm. Details of the local financial supervisory authority and of the approval granted for the foreseen business activities. Any information on possible restrictions imposed by the local financial supervisory authority and on the possibility of using the licenses granted outside Switzerland, e.g., European banking passport, is to be mentioned. Also, the Guidelines require banks to submit external auditor’s reports that indicate if the risk analysis of expanding business activities abroad is adequate and if these risks were considered in the institution’s global risk management. In case of acquisitions and investments that require changes in bank’s articles of incorporation and in its main organization and business rules, while general requirements for banking operations apply, no detailed requirements for information submission comparable to those for establishing foreign operations are provided.
EC4	The supervisor determines that the bank has, from the outset, adequate financial, managerial and organizational resources to handle the acquisition/investment.
Description and findings re EC4	See EC 2. BO Art. 7 Para 3 stipulates that the scope of the bank’s operations must be commensurate with its financial resources and its administrative organization. Thus, for foreign operations and acquisitions and investments that require changes in bank’s articles of incorporation and in its main organization and business rules, existence of adequate financial, managerial and organizational resources are assessed by FINMA.
EC5	The supervisor is aware of the risks that non-banking activities can pose to a banking group and has the means to take action to mitigate those risks. The supervisor considers the ability of the bank to manage these risks prior to permitting investment in non-banking activities.
Description and findings re EC5	Generally, Swiss banking law imposes no specific structural conditions or restrictions on bank investments in non-financial activities. However, as described in EC 1 and 2, if the acquisitions and investments are significant enough to require changes in bank’s articles of incorporation and in its main organization and business rules, FINMA will assess adequacy of management and control (BA Art. 3 para 2). However, there is no specific provision that focuses on risks arising from non-banking activities.
Assessment of Principle 7	Compliant
Comments
Principle 8	Supervisory approach. An effective system of banking supervision requires the supervisor to develop and maintain a forward-looking assessment of the risk profile of individual banks and banking groups, proportionate to their systemic importance; identify, assess and address risks emanating from banks and the banking system as a whole; have a framework in place for early intervention; and have plans in place, in partnership with other relevant authorities, to take action to resolve banks in an orderly manner if they become non-viable.
Essential criteria
EC1	The supervisor uses a methodology for determining and assessing on an ongoing basis the nature, impact and scope of the risks: which banks or banking groups are exposed to, including risks posed by entities in the wider group; and which banks or banking groups present to the safety and soundness of the banking system The methodology addresses, among other things, the business focus, group structure, risk profile, internal control environment and the resolvability of banks, and permits relevant comparisons between banks. The frequency and intensity of supervision of banks and banking groups reflect the outcome of this analysis.
Description and findings re EC1	FIINMA classifies all banks according to their relative size and complexity (categories 1–5). The two biggest banks which are globally systemically important are in Category 1, the three next largest are in Category 2. Category 3 contains some 30 banks (most of the cantonal banks) with some 70 banks in Category 4 and the rest, some 160 banks and 50 securities firms in Category 5. Assessors judge that a number of banks in Category 2 and 3 are systemically important in terms of the national market. Categorization is an important driver of FINMAs supervisory methodology and effort. Recently, for example, FINMA has decided to significantly reduce effort on Category 5 banks as they judge failures in this category would not be systemically important (median assets CHF250m). This strategy is understandable, though assessors did not review in detail the supervisory effort with respect to these banks. FINMA supervisory methodology is based on a combination of: annual formalized regulatory review/audit by external auditors hired and paid by banks, specific FINMA-mandated reviews by third parties and supervisory reviews conducted by FINMA itself (offsite and a limited number of on-site). FINMA has accredited 7 audit firms and some 150 lead auditors (who work with their auditing staff) to perform the regulatory audit of banks. Only the lead auditor has to be accredited. FINMA itself assigns a key account manager (KAM) or lead supervisor for each of the banks in categories 1 and 2 and has approximately 24 KAMs each with a portfolio of institutions in categories 3-5. As part of the regulatory audit performed by the external audit firm on every bank, a risk assessment has to be performed and agreed with FINMA, based on which the review/audit strategy is defined. This drives the specific areas and depth of regulatory audit work, subject to minimum standards for frequency and depth of work (review depth versus audit depth), which is set by FINMA. These standards apply to FINMA-specified areas for regulatory review. The minimum standards have more frequent audit-depth assessment if the bank is a G-SIB in Category 1, or in relation to the risk profile of other institutions. There is guidance given by FINMA with respect to the content and process for such a risk assessment. The risk assessment is based on an assessment of inherent risk (high/medium/low) in various aspects of the bank, an assessment of the quality of controls (H/M/L) and a net risk rating. There are no criteria for determining inherent risk ratings provided by FINMA. Inherent risks are assessed for various audit areas. For controls, ‘high’ risk is when no audit work has been done recently, it is not clear about whether controls exist or the auditor considers the controls ineffective. ‘Moderate’ control risk is when work has been done but the audit firm cannot determine if controls are effective, and ‘low’ control risk is when recent audit work has allowed the firm to conclude that controls are ‘appropriate and effective’. There is no formal process within FINMA to vet consistency of these risk assessments across institutions or groups of institutions in advance of regulatory audit work starting. FINMA and auditors are aware that the mindset needed for a regulatory or supervisory review is different than for a financial statement audit, which is more backward looking. The audit rating by FINMA and audit firms that drives the regulatory audit is designed to be forward looking and forward looking thinking explicitly asked of auditors in the audit circular. Starting this year auditors for the two large banks are required to rate the top ten risks, a process which FINMA and auditors both report as useful. Auditors are required in the circular to make their risk assessment comprehensive, and to add granularity to the formal rating assessment tables as necessary to accurately rate the bank. Required separation of the lead partner for the regulatory audit from the partner for the financial audit (for category 1 and 2 banks) is also designed to promote development of auditors with the desired regulatory mindset. The FINMA methodology controls the interaction of the audit firm with the bank with respect to its risk analysis. Risk assessments are not to be formally shared with firms until they are final and agreed with FINMA. Auditors are of course aware of the banks own risk assessment as well as the risk assessment of Internal audit. Some indicated that they do discuss certain aspects of risks and controls with the bank. Depending on the risk assessment, alterations are made in the standard audit work procedure in terms of focus and depth. Risk assessments can also lead to specific additional reviews by the audit form or by FINMA. Assessors reviewed the rating methodology and discussed these at length with FINMA and with regulatory audit firms. They also saw examples of the new methodology in practice in review of a selection of supervisory files. For a major bank, the methodology leads to one risk assessment for various risk types institution wide—i.e., one risk assessment for each of the major banks credit risk and one for each bank’s overall market risk. Different audit firms have different approaches to risk analysis, some driven by what they see as deficiencies in the FINMA-mandated approach. Some are using a wider and more granular definition of risks coming from their own audit acceptance and continuance risk methodologies, and then fitting the results into FINMAs templates. Others recognize that their high level inherent risk rating for particular risks is not particularly useful. In some cases (e.g., credit risk or market risk) the inherent risk assessment seems to be designed to assess risks in models or capital calculations, rather than risk in the underlying books. Control risk can be rated inconsistently to the resulting audit plan. For example certain examples assessors saw had overall credit or market risk controls rated high risk, apparently referring to control risk around models and related inputs—a potentially serious rating given the definitions. Some have an explicit forward-looking component in their own rating system (e.g., asking themselves if a risk is increasing or decreasing). Others do not. It is clear that risk analysis is not done consistently. In some cases the breakdown of the bank activities for the inherent risk ratings can be driven by the basic scope of the regulatory audit which is based on assessment of adherence to licensing conditions and other rules, and may not cover important risks. For example, for credit risk, banks activities are not broken down by type/geography of exposures as would normally be expected in these inherent risk ratings. Rather, the credit risk rating for certain IRB banks focuses on the risks of the IRB qualifying conditions and methodology not being met. Risks in underlying credit activities in different businesses and geographies can be described separately but not rated or with unclear link to the overall rating or supervisory effort. FINMA is planning to require banks to divide their inherent risk rating for credit risk into more granular categories, and the consultation was about to start at the time of the mission. Quality control systems in audit firms may not pick up important differences in interpretation of what constitutes high or medium or low inherent risk, which is left to individual partner judgment. In addition, FINMA has a camels-based supervisory rating with 9 rating grades. The rating is based on filters and thresholds applied to regulatory data, key flags if any triggered from the audit firm’s work (e.g., are there important formal audit opinion qualifications or not?), overlaid with supervisory judgment. For liquidity for all but the largest two banks, the metrics are based on outdated tests, even though trial LCR data is available (see CP24). Operational risk is not explicitly part of the rating framework (see CP25). Major internal control deficiencies would affect the regulatory audit result and feed into the supervisory rating and supervisory work. There is no explicit link between the annual risk assessment at the start of the supervisory work and the Camels-based rating. The 9-fold categorization is collapsed down to three grades—green, yellow and red which are reported to the institution. Green receives regular supervision in the next cycle, yellow receives increased supervision, and red is intensive. There are no explicit criteria for what constitutes a green as opposed to a yellow or a red. The camels rating is updated quarterly for banks in Category 1–3, quarterly for Category 4 banks with yellow or red grades and at the end of the annual cycle for banks in Category 4 with green grades and for all banks in Category 5. The FINMA-wide quality control process around these ratings is anchored in major annual ratings review meetings attended by the KAM, specialists, and senior management for the banks division. While there is no formal link between the rating system and sector wide risk, systemic trends and analysis by FINMA or SNB can factor into a judgmental overlay and thus into supervisory work. (Currently there is heightened interest about mortgage financing for example.) The camels-based ratings are driven in a major way by the data-driven analysis which is less likely to be forward looking. Assessors examined data on overrides to the system-generated ratings. The number of overrides is extensive and the number of grades that a rating changes is often 2 or more. Overall some 60 percent of banks are in green ratings, down from some 80 percent in 2008, with approximately 20 percent of banks in amber rating. The assignment of banks to category based on size and complexity understandably does not change often. Camels- based rating changes from year to year are infrequent for category 1 and 2 banks. Changes are more frequent for category 3 with some 25–35 percent of ratings changing annually, and higher percentage of changes in category 4 and 5. The degree of change is higher than one might expect in a camels based rating system. It could be due to the new system transitioning in, or to imprecision in the rating process, or to a combination of factors. Resolvability does not formally factor into the rating system but complexity is clearly a factor in splitting banks into categories, which affects supervisory planning. To date resolution and recovery planning has been started for the two large banks.
EC2	The supervisor has processes to understand the risk profile of banks and banking groups and employs a well defined methodology to establish a forward-looking view of the profile. The nature of the supervisory work on each bank is based on the results of this analysis.
Description and findings re EC2	Regulatory risk assessments done by auditors and agreed with FINMA are described in EC1. Standard operating procedures determine the minimum frequency and depth of supervisory work based on the various ratings and supervisory judgment as described in EC1. Assessors reviewed supervisory planning with auditors and FINMA, and reviewed planning of FINMA-lead reviews. They also discussed these matters with banks. As noted in EC1 there are a number of elements that likely make the risk profiles less forward looking than FINMA desires. In addition to the regular risk assessment described in EC1, banks are obliged to perform an annual capital planning based on a forward-looking risk profile. Capital plans are reviewed either by FINMA (banks category 1 and selected banks in categories 2 and 3) or assessed as part of the annual regulatory audit process performed by the external audit firm. Issues from these exercises can also trigger additional supervisory work. As well extensive supervisory work can be triggered by assessments of whether remedial action plans mandated by FINMA have been effectively put in place, or by assessments mandated by FINMA as to whether control issues that have materialized at one institution are being adequately handled by other banks.
EC3	The supervisor assesses banks’ and banking groups’ compliance with prudential regulations and other legal requirements.
Description and findings re EC3	The monitoring of compliance with prudential regulations and guidance and other legal requirements is performed by the external auditor as part of the annual regulatory audit. Assessors reviewed methodology, saw examples of results, and discussed this with FINMA staff and external auditors. As noted in various other CPs, FINMA guidance in certain risk management and control areas is at a very high level. As well, audit methodologies often require auditors to express a very high level judgment on these matters (are they “adequate”) with little or no formal guidance on what is to be considered in making the assessment. (There is FINMA work in progress on this matter.) Auditors are asked to express two kinds of opinions with respect to these matters. In areas where they have done a “review” level work they are examining the design effectiveness of controls and express opinions as to whether anything that came to their attention suggested that the controls were not adequate (negative assurance). In areas where they do “audit” level work they are testing operational effectiveness of controls and express a positive opinion—“controls are adequate…” The standards for what level of seriousness amounts to a qualification to an opinion are not clear, except when there is a breach of regulation which must lead to a qualification. Some auditors that assessors met indicated they had adopted additional methodologies to bring additional rigor to this process, such as specifying how to categorize the seriousness of findings. Others had not, and relied on professional judgment and second partner review, which they indicated could vary considerably across partners. Noteworthy observation must be reported to FINMA who has to evaluate the seriousness of the problem. FINMA staff and auditors confirmed that there are from time to time active discussion between auditors, banks and FINMA on these conclusions and opinions. Some whom assessors talked to described these as amounting occasionally to “negotiations”. Regulatory audit opinions are not published but are provided to banks as well as FINMA. There are no explicit rules prohibiting disclosure of supervisory opinions by audit firms in their regulatory reports (as would normally occur for supervisory findings in other jurisdictions). Discussion with auditors revealed that this had rarely if ever been an issue and that qualifications or reservations would have to be very serious for them to trigger the bank having to consider disclosure under general securities law principles.
EC4	The supervisor takes the macroeconomic environment into account in its risk assessment of banks and banking groups. The supervisor also takes into account cross-sectoral developments, for example in non-bank financial institutions, through frequent contact with their regulators.
Description and findings re EC4	FINMA has established a structured process and semi-annual internal report that informs about the major macroeconomic, capital markets and structural risks (“Risikobarometer”). As part of this report, potential implications for supervised entities broadly (banks, insurances, markets) are considered. This can affect supervisory work. For example, starting in 2010 FINMA and SNB identified heightened level of concern about mortgage exposures in Switzerland and that triggered further extensive supervisory reporting, analysis of exposures and risks by region and also triggered additional cross-system supervisory work on some 20 banks. A regular monitoring report on this system-wide issue is also in place.
EC5	The supervisor, in conjunction with other relevant authorities, identifies, monitors and assesses the build-up of risks, trends and concentrations within and across the banking system as a whole. This includes, among other things, banks’ problem assets and sources of liquidity (such as domestic and foreign currency funding conditions, and costs). The supervisor incorporates this analysis into its assessment of banks and banking groups and addresses proactively any serious threat to the stability of the banking system. The supervisor communicates any significant trends or emerging risks identified to banks and to other relevant authorities with responsibilities for financial system stability.
Description and findings re EC5	FINMA holds regular meetings with the Swiss National Bank, where one standing item is the discussion about the current situation of financial markets. As a consequence, decisions may be taken to assess specific topics more in-depth. For example, in 2012 it was decided to perform an assessment of the vulnerability of the Swiss banking sector towards a potential Eurozone crisis. This can lead to supervisory action. Further, once significant trends or emerging risks are identified, supervisors communicate on a regular basis with their supervised banks and, if needed, specific measures are defined to monitor the situation (e.g., weekly ad-hoc reports, etc.).
EC6	Drawing on information provided by the bank and other national supervisors, the supervisor, in conjunction with the resolution authority, assesses the bank’s resolvability where appropriate, having regard to the bank’s risk profile and systemic importance. When bank-specific barriers to orderly resolution are identified, the supervisor requires, where necessary, banks to adopt appropriate measures, such as changes to business strategies, managerial, operational and ownership structures, and internal procedures. Any such measures take into account their effect on the soundness and stability of ongoing business.
Description and findings re EC6	Resolution and recovery planning is in place for the two large banks. FINMA can grant relief to the progressive capital component requirements provided there is a high probability that the systemically important bank will improve its resolvability in and as well as outside Switzerland. No such relief has been decided in practice as yet. FINMA and banks are in active discussion of various aspects of their operations that would improve resolvability. While FINMA has no explicit legislative authority to impose changes in structure it can use other tools as necessary to induce changes, such as withholding approvals or changing the scope of consolidation.
EC7	The supervisor has a clear framework or process for handling banks in times of stress, such that any decisions to require or undertake recovery or resolution actions are made in a timely manner.
Description and findings re EC7	The supervisor or Key Account Manager (KAM) follows the risk-based approach based on the established Standard Operating Procedures (SOP). As mentioned above, the supervisory category and the assigned rating determine the levels of required supervision. Under these procedures should the camels rating be downgraded to a pre-determined level (8 in the 1–9 rating category), the bank will be supervised by a separate team specialized in intensive supervision – TIS. The task of the TIS is to investigate the causes of problems and oversee crisis management. The primary objective in all cases is to put a swift end to the crisis in order to prevent loss or damage and minimize the use of resources. Assessors reviewed the actual experience of this group, which is extensive. Crises can be ended in a number of ways: at some institutions, the introduction and monitoring of corrective measures will suffice; in other cases, the correct response may well be for the institution to exit the supervised sector. Elsewhere, the investigation may reveal that compulsory measures under supervisory law are the only way to resolve the situation. In this case, the TIS will present the results of its investigations in such a way that enforcement proceedings can be conducted. The TIS will deploy the means of direct supervision: it will carry out on-site investigations, and identify and interact with all relevant parties including owners and shareholders.
EC8	Where the supervisor becomes aware of bank-like activities being performed fully or partially outside the regulatory perimeter, the supervisor takes appropriate steps to draw the matter to the attention of the responsible authority. Where the supervisor becomes aware of banks restructuring their activities to avoid the regulatory perimeter, the supervisor takes appropriate steps to address this.
Description and findings re EC8	When an institution is performing activities outside the regulatory perimeter, FINMA will intervene and generally close the relevant entity. The same applies to non-licensed entities that present themselves as banks without actually carrying out bank like activities. Where a licensed institution carries out business outside the scope of its license FINMA imposes requirements to bring activities in line with that authorized. This has occurred and assessors reviewed examples of the framework working in practice.
Assessment of Principle 8	Largely Compliant
Comments	FINMAs supervisory approach using regulatory auditors can work, but the improvements already made need more time to be embedded and additional improvements to augment FINMA on-site reviews, improve guidance to auditors to improve risk assessments and ensure consistency in ratings and supervisory work, and have more in depth theme reviews of control functions, are required to achieve the necessary effectiveness for both larger and smaller and mid-size banks. The five-fold categorization of banks according to their size and complexity is a reasonable method to link broad supervisory effort to high-level risks. It is unclear however if the broad switch of institutions from balance sheet intensive activities to more wealth management activities (and the consequent increase in operational and reputation risk) has been reflected in supervisory strategies or resources in a proactive way. The risk-based approach for bank supervision has been revised and enhanced after the 2007 banking crisis in an appropriate direction. Methodologies were enhanced, monitoring was increased, additional challenge of external auditors’ contribution to the supervisory approach was instituted, direct FINMA lead or commissioned supervisory reviews were instituted and more forward-looking and system-wide risk assessment elements were added. The intensity of supervision and contact with certain institutions has increased. Progress in implementing these improvements in a short time period is impressive and assessors believe that the basic direction is the correct one. There is no reason why the fundamental supervisory approach cannot deliver the necessary results if it is operated effectively. Use of auditors gives a system-wide annual review that is not present in other approaches. It also allows auditors to benchmark across institutions in other jurisdictions that they audit and to bring their global risk capability to bear. Supervisors generally showed a good understanding of risks in their institutions. There is extensive senior level experienced judgment and oversight of the risk assessment and supervisory process within the Banks division of FINMA. However, several elements mean it is not as it needs to be given the importance of major Swiss institutions globally and in the Swiss marketplace. Lack of granularity in risk assessments for major institutions means that important risks could not be sufficiently highlighted. Forward looking elements need to be formalized. The lack of criteria for various ratings, the inadequate granularity of assessing inherent risks, and the uncertainty surrounding what auditors’ assessment of various controls means in practice, reduce the robustness of the approach and mean it is heavily reliant on expert judgment which is not sufficiently consistent or well documented. Using separate audit firms means that comparisons across institutions in Switzerland that are similar but audited by different auditors is not possible with reliability, unless FINMA puts in place a process. Processes within FINMA to assess and adjust auditor’s risk assessments across groups of institutions should be strengthened. These issues could lead to material misallocation of supervisory effort and missing the opportunity to challenge supervisors on risk assessments and to identify material control or risk management deficiencies, before they have large consequences. Some improvements to address these issues have been identified by FINMA but are not yet implemented, including update of Circular 08/24 re qualitative risk management standards and related auditor instructions. Certain additional improvements are necessary including: providing more guidance for rating criteria; ensuring inherent risk assessments reflect actual business risk; requiring more granularity in risk assessments for larger institutions; enhancing methodology to emphasize forward looking elements such as requiring explicit consideration of whether risks are increasing, stable or decreasing; and instituting more cross-institution analysis by FINMA staff of the risk assessments and what they imply for supervisory effort and focus.
Principle 9	Supervisory techniques and tools. The supervisor uses an appropriate range of techniques and tools to implement the supervisory approach and deploys supervisory resources on a proportionate basis, taking into account the risk profile and systemic importance of banks.
Essential criteria
EC1	The supervisor employs an appropriate mix of on-site19 and off-site20 supervision to evaluate the condition of banks and banking groups, their risk profile, internal control environment and the corrective measures necessary to address supervisory concerns. The specific mix between on-site and off-site supervision may be determined by the particular conditions and circumstances of the country and the bank. The supervisor regularly assesses the quality, effectiveness and integration of its on-site and off-site functions, and amends its approach, as needed.
Description and findings re EC1	FINMA employs a mix of the on-site and off-site supervisory tools. These were enhanced starting in 2010 including promulgating a new audit circular at the end of 2012 on FINMAs enhanced expectations. This new circular was in effect for risk assessments done in early in 2013 and 2013 audits. On-site examinations are mainly performed by the recognized audit firms. As part of FINMA’s supervisory approach, audit firms are in charge of performing a comprehensive prudential audit, following general instructions given by FINMA. FINMA refers to these auditors as “FINMA’s extended arm”. FINMA has employed this approach because of the fundamental nature of its banking system, which is large relative to the country and has several institutions with complex global reach. FINMA believes that only by levering its resources through regulatory audits conducted by audit firms can it adequately have access to resources necessary to perform its supervisory mandate. It also notes that its approach provides an annual supervisory review across every supervised institution. FINMA also conducts certain on-site supervisory reviews itself, or by hiring and paying its own third party reviewers. Off-site supervision mainly relies on the examination of reports provided by the banks, the external auditors (delivery of ‘long form’ regulatory audit reports) and also results from other activities such as meetings with the banks’ management, attending supervisory colleges and/or discussions with other supervisory authorities. Assessors discussed these activities with FINMA staff and saw examples of the reports generated by this process. There is also clear evidence that these off-site activities influence supervision and actions vis-à-vis individual banks. On-site supervision is through regulatory audits performed by audit firms chosen by the banks (from the FINMA approved list of seven audit firms and some 150 accredited regulatory auditors who work with audit staff), and paid directly by the bank, not by FINMA. The regulatory audit is in practice done by the same firm as the financial audit (separate lead partner for the two largest banks and for the three banks in category 2). The regulatory audit is lead from Switzerland and can involve audit firm resources in other global financial centers and locations, as necessary, depending on the individual audit firm approach. FINMA is aware of the independence, mindset and expertise issues (and issues of who is the client) that this arrangement gives rise to. Regulatory assessments are fundamentally different than financial audits. FINMA has instituted various compensating measures. There are standard procedures that specify minimum periodicity and depth of work. To remain certified auditors have to perform a minimum number of hours of relevant work. FINMA off site supervisory staff challenge risk assessments and audit strategies and findings based on their knowledge of the bank. The findings of FINMA reviews can demonstrate inadequate work in the same areas by audit firms and puts pressure on them to perform. FINMA can de-certify individual partners or senior staff of audit firms from being eligible to do regulatory audits. This has occurred. FINMA also performs ex-post quality assurance on audit firms doing regulatory audits, much in the same way as the Swiss audit oversight body assesses audit firms financial audits. Annually, there is an inspection of each of the major audit firms with examination of one of their files including their working papers, and other audit firms are on a 2-3 year inspection cycle. This involves selecting and reviewing approximately 5 regulatory files a year (one each from the larger audit firms and a selection of smaller audit firms). Staff doing inspections report that issues of adequate professional skepticism do arise. This can lead to de-certifying certain persons of audit firms as noted above. The essence of the mandate of the audit firm is to confirm (or not) compliance of the bank with regulatory requirements (laws, ordinances, circulars). This culminates in an overall opinion whether the bank is meeting its licensing conditions. In audit reports it is rare to have an overall qualification but there can be 2-5 qualifications in specific areas for a large number of banks. Audit firms are to provide formal opinions on these matters (either positive or negative assurance) depending on the scope, depth and nature of the work performed. This means that the regulatory audit scope and opinions is dependent on the nature and completeness and specificity of the guidance it is auditing against. That also can have a material impact on the meaning of various conclusions. As FINMA guidance lacks specificity in qualitative criteria (see CP 15, 17, 19 and 24 for example), the nature of audit work and opinions in these areas can be difficult to assess. There is a standard annual audit report formulation and instructions from FINMA on what it is to cover. Often FINMA is asking auditors to express an opinion (pass/fail) on whether a particular process is ‘appropriate’ or whether resources in a control function are ‘adequate’. This comes from the generally-worded requirements in banking legislation or ordinances, compliance with which is the fundamental purpose of the regulatory audit. Audit firms have developed methodologies. FINMA does not approve these audit programs, but may approve the detailed scope for FINMA-mandated additional audits. FINMA has started sending a letter to audit firms at the beginning of the cycle on areas it wants emphasized. There is no guidance on what constitutes findings of various degrees of significance. Certain audit firms have determined that themselves. The assessment culminates in a long form report that is relayed to FINMA and the bank four months after the year-end. Audit reports and reporting cycles are not modular with continuous reporting on work done throughout the year. Timing of reporting on specific additional work mandated by FINMA could be dependent on the engagement. Assessors discussed the methodologies with FINMA, with representatives of larger and medium-size audit firms and with FINMAs audit inspection department. They also reviewed a sample of audit reports, though the changes for 2013 audits are not observable at the time of the mission. Discussions revealed material differences in what standards auditors are auditing to, and what constituted findings of various degrees of seriousness. Some firms indicated that certain of these aspects could vary partner to partner. In a number of cases because of lack of criteria, the audit opinion as to what is adequate depends to a very large degree on individual auditors’ professional judgment. The nature and seriousness of issues can be difficult to determine from the reports, which contain a large amount of factual information on the bank. Understanding is therefore driven by the quality and depth of discussion between the auditor and the FINMA key account manager (KAM). Auditors and banks report that there can be intense three-way discussion between auditors, banks and FINMA on the seriousness of particular issues. It also appears that what leads to a reservation on a risk management or control rating can be hard to assess. Examples seem to occur regularly of a process being judged ‘adequate’ while noting serious deficiencies but also noting that these are in the process of being rectified and have been reported to FINMA, making it hard to determine the basis for auditors judgments. As deficiencies or reservations are a key flag in FINMAs internal rating system, this approach depends on KAMs judgment and escalating important issues for discussion and decision on whether to intervene. Audit firms report that in certain areas where FINMA guidance is not detailed they will choose to supplement with relevant international guidance or firm-developed methodology. But the approach to that varies across audit firms and these firm-specific methodologies are not included in the standards that ex-post inspections inspect against. FINMA also can set guidance in frequently asked questions (FAQs) on its website. FINMA and banks indicated that these are taken very seriously and can be used by FINMA to respond rapidly rather than issuing a board-approved circular. FAQs will be consistent with requirements in legislation ordinances or guidance in circulars, but can be more specific and essentially contain important additional guidance on FINMA expectations. There was a difference of opinion between audit firms that assessors met, and between various staff within FINMA, as to whether FAQs formed part of the basis of rules and guidance against which regulatory audits are assessing. FINMA also reported that the regulatory audit report is used as information to supervisors but is not necessarily the full reality of the situation. FINMA applies its own judgment in determining ratings and supervisory interventions. (see CP8) Assessors discussed the regulatory audit work effort. On medium size banks, auditors report that up to 10 people can be involved, and the regulatory audit is around 1,000-1,500 hours (135-200 person days). Some 2-3 deeper dive reviews are conducted at major banks annually with a deep dive review normally being 1,000-3,500 hours (135-650 person days). Occasionally the depth and scope will be markedly more. FINMA conducts some 15 of its own reviews a year on average over the past two years on the two category 1 banks together, and approximately 20 in total on category 2 and 3 banks. These totals include reviews with respect to AML/CTF, market conduct issues and compensation so the more prudentially-focused or risk management-focused reviews are about half the total. In some cases these were reviews conducted after material issues were revealed in the marketplace. FINMA reviews generally involve 3-4 persons for a total of 15-40 person days. Assessors discussed this arrangement extensively with FINMA staff at various levels, reviewed documents including examples of supervisory files and discussed the process with representatives of audit firms covering large and smaller and mid-size banks. The review by assessors did not reveal the depth of reviews by audit firms that one would normally find, post-crisis, of risk management and control systems by other supervisors. Assessors’ reviews also noted that in some cases the scope was skewed to specific regulatory requirements and did not consider more general issues of risk management or control effectiveness. FINMA has plans to add more specificity to audit instructions in key risk and compliance areas but significant parts of this will not be in place until 2014 or 2015. Discussions with FINMA staff also revealed difficulty in determining the basis for auditors conclusions in areas where there are only very general requirements (such as what constitutes adequate resources in compliance or risk management), or for understanding the extent to which these conclusions were derived from consistent processes across audit engagements and firms. Prudential audit reports reviewed by assessors often contained considerable factual description of controls or processes and relatively much less on the issues found, their implications or seriousness or the nature of the work done by auditors to support the audit conclusions. FINMA staff participate in on-site work conducted by foreign supervisors, particularly in the UK and the US for the two big Swiss banks. The experience seems to be some 2-4 of these a year (which are included in the number of FINMA reviews noted above). FINMA has participated occasionally in prudential audit firms foreign reviews of large bank operations, but this is not regular practice. FINMA examines the work performed by recognized audit firms, the result of which is communicated at least once a year to the management of the audit firm. Key account managers provide feedback. For the purpose of performing this quality control, FINMA also maintains a special quality control unit. However the number of regulatory reports reviewed is not large (approximately five per year for banks).
EC2	The supervisor has a coherent process for planning and executing on-site and off-site activities. There are policies and processes to ensure that such activities are conducted on a thorough and consistent basis with clear responsibilities, objectives and outputs, and that there is effective coordination and information sharing between the on-site and off-site functions.
Description and findings re EC2	See also EC1. FINMA has a well-developed process for planning and executing regulatory audits and for integrating on-site and off-site activities. Assessors looked into how that process is operating in practice. Planning and executing on-site and off-site activities is an integral part of FINMA’s supervisory approach. Before prudential audits are performed by recognized audit firms, FINMA receives from the external auditor their annual risk analysis and, based on this analysis, the planned audit strategy in a preliminary stage. FINMA has to agree to the risk analysis and audit strategy and considers it therefore its own. Audit depth and frequency then depend on the level of risk identified for every audit field. Only following FINMA’s approval does the audit firm start with its detailed audit work. In case of disagreement, FINMA will ask the audit firm to adapt the audit strategy. For its off-site supervision, FINMA has defined work procedures, which are known as “standard operating procedures” or SOP. Frequencies and the time limit for performing the various tasks listed in the SOP are clearly defined and also depend on the combination of category and rating of the bank. One of the listed tasks covers the examination of the long form audit reports that is delivered by the external auditor. Generally the key account manager (KAM) for larger or mid-size banks would examine the whole audit report and communicate with the audit firm, often extensively. For smaller banks that are risk rated green or low, only the summary report needs to be read, unless there are relevant findings and the communication with the audit firm will often be considerably less. Assessors discussed with major audit firms their internal process for quality control. Major firms have second partner review on all regulatory audit engagements. That also included discussing how they ensuring that their audit affiliates in foreign locations understand how regulatory audit work differs from their normal financial statement audit work. Assessors’ review of these reports revealed some difficulty in determining that adequate consistency exists and that it is fully possible to understand the meaning of the output from the regulatory audit (see EC1). Some of the enhanced procedures required by FINMA were introduced relatively recently, as noted in EC1. FINMA and auditors of major and mid-size banks report there is extensive interaction. Also there are clear examples of extensive feedback from FINMA individual KAMs to auditors on FINMA findings and analysis from other sources that may affect the regulatory audit. However considering whether issues from one audit or analysis might affect regulatory audits of other similar institutions is less structured and frequent. Department heads showed a good understanding of the risks facing institutions.
EC3	The supervisor uses a variety of information to regularly review and assess the safety and soundness of banks, the evaluation of material risks, and the identification of necessary corrective actions and supervisory actions. This includes information, such as prudential reports, statistical returns, information on a bank’s related entities, and publicly available information. The supervisor determines that information provided by banks is reliable21 and obtains, as necessary, additional information on the banks and their related entities.
Description and findings re EC3	Depending on the bank category, different types of reports have to be delivered on a regular basis. For example, banks belonging to category 3 provide quarterly business/risk management reports. The Key Account Manager (KAM) is in charge of analyzing these reports and making sure that the information is reliable. In order to clarify open issues, the KAM stays in direct contact with the bank representative and/or the audit firm. Furthermore, prudential and financial reports are reviewed annually and the concerns are discussed with the audit firm. Moreover, if necessary, other reports are requested such as reports on capital requirements, liquidity coverage, exposure to the group, etc.
EC4	The supervisor uses a variety of tools to regularly review and assess the safety and soundness of banks and the banking system, such as: (a) analysis of financial statements and accounts and a broad range of ratios from the rating system; (b) business model analysis; (c) horizontal peer reviews; (d) review of the outcome of stress tests undertaken by the bank; and (e) analysis of corporate governance, including risk management and internal control systems. The supervisor communicates its findings to the bank as appropriate and requires the bank to take action to mitigate any particular vulnerabilities that have the potential to affect its safety and soundness. The supervisor uses its analysis to determine follow-up work required, if any.
Description and findings re EC4	FINMA, together with the audit firms, applies a mix of the above-mentioned tools depending on the category and rating assigned to the bank. Annual assessment letters are sent to all banks in category 1-2 and some banks in category 3 (all at least every two years) containing the FINMA rating and the actions needed. Banks get a copy of the regulatory audit report with its reservations and comments, and may get a management letter from the regulatory auditor. FINMA communicates the findings resulting from its activities, i.e., supervisory reviews, special analyses, peer reviews, etc. to the banks. FINMA ensures a timely implementation of the notices of reservation and the recommendations. The audit firm checks the implementation of the relevant issues and confirms their resolution status in the next prudential audit. Stress tests and other information and analysis related to capital (and increasingly liquidity) are highly developed and provided to the KAM, reflecting the capital orientation of the Swiss approach.
EC5	The supervisor, in conjunction with other relevant authorities, seeks to identify, assess and mitigate any emerging risks across banks and to the banking system as a whole, potentially including conducting supervisory stress tests (on individual banks or system-wide). The supervisor communicates its findings as appropriate to either banks or the industry and requires banks to take action to mitigate any particular vulnerabilities that have the potential to affect the stability of the banking system, where appropriate. The supervisor uses its analysis to determine follow-up work required, if any.
Description and findings re EC5	FINMA’s early warning and Camels-based rating system provides substantial quantitative data and qualitative information (capital adequacy, asset quality, management factors, earnings, liquidity, and sensitivity to markets risks) on individual banks and banking groups. Outlier analysis is performed within various peer groups, and the system assesses a range of bank financial information and a large number of ratios against various pre-defined thresholds. A system-generated rating is produced that the KAM then accepts or modifies based on other information or expert judgment. FINMA has developed an internal semi-annual publication, the “Risikobarometer”, to track macroeconomic and regulatory risks and developments. This is similar to financial stability reports published in other countries. FINMA also has an internal semi-annual publication with more in-depth analysis of the real estate market (see answer to principle 8, EC 4). This has lead to additional supervisory reviews, more intensive monitoring capital add-ons under pillar 2 for selective banks. In addition, the SNB has triggered the countercyclical buffer for real estate exposures. Further, FINMA establishes a semi-annual macro-financial stress scenario that is used for the supervisory stress-testing of the two Swiss large banks, known as Loss Potential Analysis. Since 2010, additional analysis of capital plans, based on some of the concepts in the LPA, have been extended to a few institutions in categories 2 and 3. This is designed to provide a better appreciation of their vulnerability. FINMA communicates to the banks the issues identified and the measures which have to be implemented. If necessary, measures to adjust risk measurement or reduce risks are agreed.
EC6	The supervisor evaluates the work of the bank’s internal audit function, and determines whether, and to what extent, it may rely on the internal auditors’ work to identify areas of potential risk.
Description and findings re EC6	FINMA Circular 08/24 requires that every bank must have an appropriate and qualified internal audit, directly reporting to the board and independent of operational management. A large number of smaller and mid-size banks outsource internal audit to a recognized external audit firm. Regulatory auditors must explicitly confirm in their annual long form reports that: the technical and personal resources are appropriate for internal audit; the necessary professional competences are effectively available; cooperation between the external audit firms and internal audits is adequate; and, the external audit firms have access to the reports of the internal audit, without any limitation. Assessors discussed with regulatory auditors how they form this judgment. Regulatory auditors have extensive communication with internal audit as part of their reviews, which helps inform their judgment. FINMA has also set informal benchmarks as to what internal audit resources it expects relative to the size of the institution.
EC7	The supervisor maintains sufficiently frequent contacts as appropriate with the bank’s Board, non-executive Board members and senior and middle management (including heads of individual business units and control functions) to develop an understanding of and assess matters such as strategy, group structure, corporate governance, performance, capital adequacy, liquidity, asset quality, risk management systems and internal controls. Where necessary, the supervisor challenges the bank’s Board and senior management on the assumptions made in setting strategies and business models.
Description and findings re EC7	The frequency of contacts with the board of directors as well as with senior and middle managers largely depends on the categorization and rating of banks and banking groups. The interaction at the board level for the two category one banks is extensive. Regulatory auditors have the opportunity to observe boards. They do not however do a formal board effectiveness assessment as part of their methodologies. The results of supervisory examinations are also discussed as appropriate with the external auditor. The supervisor also can meet separately with the bank’s independent board members. Based on discussions, assessors have the impression that for other categories of banks the extent of contact is markedly less, especially at the board level.
EC8	The supervisor communicates to the bank the findings of its on- and off-site supervisory analyses in a timely manner by means of written reports or through discussions or meetings with the bank’s management. The supervisor meets with the bank’s senior management and the Board to discuss the results of supervisory examinations and the external audits, as appropriate. The supervisor also meets separately with the bank’s independent Board members, as necessary.
Description and findings re EC8	Key findings from the ordinary prudential audit performed by the external auditor are captured in writing in the long form report which is submitted to the board and management for discussion and acknowledgment. The results of the on-site reviews conducted by FINMA are also systematically communicated to the bank in written reports and discussed with the appropriate management level. For the two big banks (category 1) and institutions in categories 2 (annually) and 3 (at least every two years), FINMA formally notifies by assessment letters any shortcomings identified and the action required to address them. All assessment letters are provided to both boards and senior management.
EC9	The supervisor undertakes appropriate and timely follow-up to check that banks have addressed supervisory concerns or implemented requirements communicated to them. This includes early escalation to the appropriate level of the supervisory authority and to the bank’s Board if action points are not addressed in an adequate or timely manner.
Description and findings re EC9	Tracking of follow-up actions by banks is normally through the prudential audit process, but can also be directly to FINMA. FINMA’s MIS system tracks deficiencies and allows identification of issues that need to be raised with senior management or boards.
EC10	The supervisor requires banks to notify it in advance of any substantive changes in their activities, structure and overall condition, or as soon as they become aware of any material adverse developments, including breach of legal or prudential requirements.
Description and findings re EC10	Banks licensing process includes approval of internal documents that set out its product and geographic scope. So any substantive change in a banks’ activities requires making changes to the articles of incorporation and the main Organization and Business Rules. These changes require FINMA’s approval (Art. 3 para 3 BA) Furthermore banks have to notify FINMA before they establish, modify or close a subsidiary, branch, agency or representative office abroad (Art. 3 para 7 BA and Art. 6b BO). Licensing staff reported that they can receive 1,000–1,500 notifications a year from each of the two largest Swiss banks, of which normal year 20–30 are licensing requests (rising to up to 100 in special years). Any adverse matter has to be reported to FINMA by the bank’s audit firm or in the annual audit report.
EC11	The supervisor may make use of independent third parties, such as auditors, provided there is a clear and detailed mandate for the work. However, the supervisor cannot outsource its prudential responsibilities to third parties. When using third parties, the supervisor assesses whether the output can be relied upon to the degree intended and takes into consideration the biases that may influence third parties.
Description and findings re EC11	Audit firms (and also the persons performing the audit) must be officially recognized by FINMA (see criteria in Circular 13/04 “Audit firms and lead auditors”). They are subject to ex-post quality controls made by a special FINMA unit. FINMA also uses third party experts/firms for performing targeted interventions (investigations of complicated problems/matters; delivery of a second opinion if it is not convinced by the assessments and confirmations given by the ordinary external audit firms). Assessors had extensive discussions and review with various parties as to how these rules are working in practice. (see CP8 and EC1 of CP9 above) When FINMA mandates specific independent reviews, such as for model approval, assessors saw examples of detailed clear instructions.
EC12	The supervisor has an adequate information system which facilitates the processing, monitoring and analysis of prudential information. The system aids the identification of areas requiring follow-up action.
Description and findings re EC12	For a number of years, FINMA has applied a rating system for banks and banking groups. The rating system provides substantial quantitative data and qualitative information on supervised banks and banking groups. The rating system is one of the main tools available to the supervisor. A large range of standardized reports and specific thematic analyses are centrally prepared to address topical issues and to detect outliers and critical trends.
Additional criteria
AC1	The supervisor has a framework for periodic independent review, for example by an internal audit function or third party assessor, of the adequacy and effectiveness of the range of its available supervisory tools and their use, and makes changes as appropriate.
Description and findings re AC1	FINMA has an internal audit function currently consisting of three people. The internal audit reviews FINMA teams adherence to processes set out in the standard operating procedures, not the content of supervisory reports or risk or rating analysis. FINMA may rely on quality controls carried out by an independent person not attached to the head of supervisory activities (12 intensive controls and 16specific controls were made in 2012). These apply not only to adequacy of procedures but also on risk analyses, audit strategies, and rating analysis, among others.
Assessment of Principle 9	Materially Non Compliant
Comments	The enhancements to on-site and off-site processes put in place recently are appropriate and essential. They start to move FINMA away from the capital-predominant approach of previous agencies, and towards the more intensive supervision prevalent in other jurisdictions after the crisis. However, there is potential for material control or risk management weaknesses to go undetected, and the issues identified in the assessment are not just minor shortcomings. The recent enhancements are in the right direction, although some need to be given time to show results and others need to be materially intensified to achieve the desired goal. Standards for intensive supervision post-crisis have increased considerably. Remedying this is not simple, and it is unclear that compliance can be achieved in the immediate short term given FINMAs commitment to a head-count freeze and the difficulty of enhancing audit procedures, related guidance and instructions quickly. With adequate resources and further changes to processes, remedying the situation can be done within the existing model of use of regulatory auditors. For a jurisdiction with systemically important institutions, the depth of on-site review by auditors and by FINMA is not sufficient. Extensive review appears to occur around capital and risk model processes and outputs for major institutions and on capital and liquidity related quantitative matters including stress tests. The amount of proactive review of the integrity of qualitative risk management and internal control appears less than needed, especially given the major operational and reputational risks to the system. Having annual broad- based supervisory reviews through the regulatory audit process is not a substitute for a sufficient number of proactive targeted in-depth reviews in potentially higher risk and control areas. The basis of conclusions by regulatory auditors is not sufficiently transparent and their scope is not appropriate in certain areas. The focus of regulatory audits on compliance with legal and licensing requirements means that deficiencies in control and governance processes that are not explicitly specified in laws and regulations and circulars, but are part of FINMA expectations, are not being consistently assessed appropriately. A number of detailed reviews appear more reactive than proactive. As well, the on-site process risks too much negotiation of findings, the potential that important findings may be missed or not adequately highlighted, or root cause analysis performed. That requires more effort by FINMA with respect to bringing regulatory audit findings together and assessing them. Cross-system theme reviews may not be performed by auditors to consistent FINMA expectations. There are few cross-system/theme reviews by FINMA. The number of FINMA in-depth reviews of prudential matters appears low. There is insufficient reporting by auditors of the basis for conclusions and of the nature or seriousness of findings. The fact that auditors must reach a formal opinion and the potential seriousness of a formal reservation to the opinion may be reducing the elevation of issues. It is unclear whether on-site findings are sufficiently factored into FINMA assessments and formal feedback to banks. It can be hard for FINMA to tell whether their reliance on auditors is verified. Verification of the trust placed in auditors has increased but appears light. Remedying the situation will require enhanced strategic risk analysis, more focus and depth to the on-site effort on a selective basis to complement the breadth now provided, clearer reporting by auditors to FINMA, more FINMA off-site work across teams to direct and compare work done and findings by auditors (theme reviews) and more and more frequent, in-depth individual or theme reviews by FINMA itself (or through fully independent agents). This should be more proactive in areas likely to be subject to higher risk or control breakdowns. FINMA could also consider whether in certain banks the scope of the base regulatory audit could be reduced from time to time so more audit resources can be redirected to in-depth review of higher risk areas. FINMA participation in on-site work performed by auditors or by foreign supervisors should be substantially increased. That would provide enhanced assurance that prudential audits in those jurisdictions were delivering what FINMA needs.
Principle 10	Supervisory reporting. The supervisor collects, reviews, and analyses prudential reports and statistical returns22 from banks on both a solo and a consolidated basis, and independently verifies these reports through either on-site examinations or use of external experts.
Essential criteria
EC1	The supervisor has the power23 to require banks to submit information, on both a solo and a consolidated basis, on their financial condition, performance, and risks, on demand and at regular intervals. These reports provide information such as on- and off-balance sheet assets and liabilities, profit and loss, capital adequacy, liquidity, large exposures, risk concentrations (including by economic sector, geography and currency), asset quality, loan loss provisioning, related party transactions, interest rate risk, and market risk.
Description and findings re EC1	Under general authority of the FINMA act (Art. 29) Banks are required in FINMA “Circular 08/14 – Supervisory reporting for banks” to report their financial results (on-/off-balance sheet assets and liabilities, profit and loss, asset quality, loan loss provisioning) to FINMA. Other reporting duties cover risk topics such as capital adequacy and liquidity in the context of Basel III, large exposures, risk concentrations, details of credit and market risk capital adequacy inputs, and interest rate risk, as well as share ownership. Data is collected at single entity, and in the case of consolidated supervision, also at group level. FINMA legal power to collect information is general and applies to anyone with a qualified participation in a bank, for example controlling entities. So it can be used for specific information requests as well. Supervisors of major banks also have regular access to individual bank information used by the banks for management purposes (including information going to the board and senior management).
EC2	The supervisor provides reporting instructions that clearly describe the accounting standards to be used in preparing supervisory reports. Such standards are based on accounting principles and rules that are widely accepted internationally.
Description and findings re EC2	Articles 23 to 27 of the Banking Ordinance prescribe the chart of accounts and the structure of the accounting disclosure for banks. Supervisory reporting uses the accounting framework that banks use for their own accounts. Some nine banking groups use IFRS and there is one using U.S. GAAP. Other banks use Swiss GAAP in financial statements (which is generally seen as more conservative than international standard—see CP 27). The fact that one of the large banks is on IFRS and the other on U.S. GAAP can make comparability harder in areas such as the trading book.
EC3	The supervisor requires banks to have sound governance structures and control processes for methodologies that produce valuations. The measurement of fair values maximizes the use of relevant and reliable inputs and are consistently applied for risk management and reporting purposes. The valuation framework and control procedures are subject to adequate independent validation and verification, either internally or by an external expert. The supervisor assesses whether the valuation used for regulatory purposes is reliable and prudent. Where the supervisor determines that valuations are not sufficiently prudent, the supervisor requires the bank to make adjustments to its reporting for capital adequacy or regulatory reporting purposes.
Description and findings re EC3	The accounting standards for positions in the trading book are set out in FINMA-Circular 08/02 Accounting – Banks margin Nos. 22–22d which apply on an individual bank level. They include the possibility of using valuation models for less liquid positions and high level expectations for valuation. The supervisory standards are those of the BCBS (which are implemented in FINMA-Circulars 08/20 Market Risk margin Nos. 32–48 and 08/19 Credit Risk – Banks margin No. 391; requirements regarding valuation adjustments for less liquid positions are set out in FINMA-Circular 08/20 Market Risk margin No 47). Consistency of these Swiss standards has recently been confirmed via the Regulatory Consistency Assessment Program (RCAP) for Switzerland. The prudential audit firm comments in the annual regulatory audit report on the adequacy of the valuation framework and the control procedures of the bank.
EC4	The supervisor collects and analyses information from banks at a frequency commensurate with the nature of the information requested, and the risk profile and systemic importance of the bank.
Description and findings re EC4	Scope and periodicity of standard reports are the same for all banks. Following the risk-based regulatory approach, banks in categories 1 to 3 (banks with an increased systemic importance) have additional, individual reporting duties, where scope and periodicity vary depending on the actual situation.
EC5	In order to make meaningful comparisons between banks and banking groups, the supervisor collects data from all banks and all relevant entities covered by consolidated supervision on a comparable basis and related to the same dates (stock data) and periods (flow data).
Description and findings re EC5	FINMA collects from all supervised banks and banking groups quantitative data and qualitative information in a standardized manner. For reports on capital adequacy and liquidity in the context of Basel III and interest rate risk, frequency varies between single entity level (quarterly reports) and group level (semi-annual reports).
EC6	The supervisor has the power to request and receive any relevant information from banks, as well as any entities in the wider group, irrespective of their activities, where the supervisor believes that it is material to the condition of the bank or banking group, or to the assessment of the risks of the bank or banking group or is needed to support resolution planning. This includes internal management information.
Description and findings re EC6	FINMA has the legal authority in Art. 29 FINMA Act to request and receive from supervised persons and entities all information and documents that it requires to carry out its tasks. This includes also any ad-hoc reports on specific risks and topics and internal management information.
EC7	The supervisor has the power to access24 all bank records for the furtherance of supervisory work. The supervisor also has similar access to the bank’s Board, management and staff, when required.
Description and findings re EC7	Art. 29 FINMASA determines that FINMA has the power to access all records to carry out its tasks if needed. The supervisor also has similar access to the bank’s board, management and staff, when required. For instance, in the framework of supervisory reviews, additional records are accessed, and management and staff are interviewed.
EC8	The supervisor has a means of enforcing compliance with the requirement that the information be submitted on a timely and accurate basis. The supervisor determines-the appropriate level of the bank’s senior management is responsible for the accuracy of supervisory returns, imposes sanctions for misreporting and persistent errors, and requires that inaccurate information be amended.
Description and findings re EC8	Due to the Swiss supervisory approach, the prudential audit firm confirms annually if the bank or the banking group is compliant with applicable reporting requirements, and if deadlines were met. FINMA does not have explicit authority to sanction banks for misreporting.
EC9	The supervisor utilizes policies and procedures to determine the validity and integrity of supervisory information. This includes a programme for the periodic verification of supervisory returns by means either of the supervisor’s own staff or of external experts.25
Description and findings re EC9	In the framework of the annual regulatory audit, the external auditor confirms the accuracy of the quantitative data and the qualitative information reported to FINMA. Quantitative data is collected by the Swiss National Bank (SNB) for FINMA, and SNB performs verification checks. Art. 22 of the Federal Act on the Swiss National Bank determines that the prudential audit firm has to examine annually that banks are compliant with the duty to provide information.
EC10	The supervisor clearly defines and documents the roles and responsibilities of external experts,26 including the scope of the work, when they are appointed to conduct supervisory tasks. The supervisor assesses the suitability of experts for the designated task(s) and the quality of the work and takes into consideration conflicts of interest that could influence the output/recommendations by external experts. External experts may be utilized for routine validation or to examine specific aspects of banks’ operations.
Description and findings re EC10	Assessors saw examples of specific instructions for such reviews (e.g., to support model approval applications). These were extensive and clear. Assessors did extensive reviews of other supervisory files and internal instructions and methodology documents, as well as held discussion with FINMA staff, line supervisors, and representatives of audit firms and banks. These revealed a number of issues with how this approach works in practice, including that lack of specificity in supervisory guidance reduces the clarity of how regulatory auditors are interpreting these standards. These are covered and rated under CP9 (supervisory techniques and tools).
EC11	The supervisor requires that external experts bring to its attention promptly any material shortcomings identified during the course of any work undertaken by them for supervisory purposes.
Description and findings re EC11	Auditors are required to bring to FINMA’s attention material shortcomings. Assessors saw considerable evidence of this in practice, as it is embedded in the model of use of auditors.
EC12	The supervisor has a process in place to periodically review the information collected to determine that it satisfies a supervisory need.
Description and findings re EC12	Periodically, FINMA reviews its data collection and determines if this information still meets its needs. If not, modifications in scope and content are made. Assessors saw evidence of this in practice. Due to the time required for implementing changes FINMA also uses ad hoc focused reporting from major banks or groups of banks on specific topics from time to time.
Assessment re Principle 10	Compliant
Comments	While the use of different accounting standards reduces the potential comparability of supervisory reporting, the similarities in accounting in practice are not serious enough to undercut this compliant rating. FINMA should be given explicit authority to sanction banks for misreporting.
Principle 11	Corrective and sanctioning powers of supervisors. The supervisor acts at an early stage to address unsafe and unsound practices or activities that could pose risks to banks or to the banking system. The supervisor has at its disposal an adequate range of supervisory tools to bring about timely corrective actions. This includes the ability to revoke the banking license or to recommend its revocation.
Essential criteria
EC1	The supervisor raises supervisory concerns with the bank’s management or, where appropriate, the bank’s Board, at an early stage, and requires that these concerns be addressed in a timely manner. Where the supervisor requires the bank to take significant corrective actions, these are addressed in a written document to the bank’s Board. The supervisor requires the bank to submit regular written progress reports and checks that corrective actions are completed satisfactorily. The supervisor follows through conclusively and in a timely manner on matters that are identified.
Description and findings re EC1	Regulatory and supervisory shortcomings are addressed, and corrective action requested, both orally in supervisory meetings and in writing in supervisory assessment letters—These also contain the rating of the bank (a compressed version of the camels 1–9 rating scale). For institutions in category 1 and 2 (and category 3 banks that are medium or higher risk) assessment letters are annual. For lower risk category 3 banks the assessment letter is every second year, and there is no requirement for regular assessment letters for category 4 and 5 banks. Assessment letters would be sent if material issues warrant it. Banks get a copy of every annual or specific regulatory audit report including actions necessary. In addition to assessment letters, formal written communication occurs after any specific supervisory review conducted by FINMA. Corrective measures are monitored on the basis of written progress reports delivered to FINMA, typically on a monthly basis, but more frequent reporting is requested where appropriate, until the matter is resolved. Often regulatory follow up is done as part of the audit.
EC2	The supervisor has available27 an appropriate range of supervisory tools for use when, in the supervisor’s judgment, a bank is not complying with laws, regulations or supervisory actions, is engaged in unsafe or unsound practices or in activities that could pose risks to the bank or the banking system, or when the interests of depositors are otherwise threatened.
Description and findings re EC2	FINMA has specific tools and also uses its general authority (including authority to license institutions) to impose other conditions, short of formal enforcement actions, as a means of reducing risk and/or providing incentives for institutions to rectify problems. These include limits on business activity, Pillar 2 surcharges and other measures. The FINMA act also gives FINMA formal enforcement authority. This applies where a bank “violates provisions of the legislation or if there are other irregularities”. This follows an administrative procedure run by FINMA. The burden of proof is lower than in other proceedings. In situations where speedy action is necessary interim enforcement decrees are possible. Decrees are appealable on legal or procedural grounds, but not generally on the discretion of FINMA in interpreting regulatory standards or requirements. Assessors saw ample evidence that these provisions are used in practice. Decrees are not limited in what they can cover and can, for example be used if necessary to restrict or prohibit certain business activities, request management changes, set capital ratios, suspend shareholders’ voting rights or withdraw an institution’s license. FINMA confirmed to assessors that restrictions are normally possible without resorting to decrees or other formal enforcement mechanisms. FINMA does not have ability to impose monetary penalties. Assessors discussed this with FINMA staff and leadership. They believe that having this tool is not essential to achieving their mandate in bank supervision. In addition, to impose fines, higher standards of proof would likely be required than now needed for enforcement orders. Lastly, FINMA can (and does) refer serious matters for criminal enforcement, where fines are possible. Assessors are not aware of circumstances where achievement of prudential goals was undercut through lack of ability to impose fines. In addition, FINMA can confiscate profits made by supervised entities through serious violation of supervisory provisions. (Art. 35 FINMASA)
EC3	The supervisor has the power to act where a bank falls below established regulatory threshold requirements, including prescribed regulatory ratios or measurements. The supervisor also has the power to intervene at an early stage to require a bank to take action to prevent it from reaching its regulatory threshold requirements. The supervisor has a range of options to address such scenarios.
Description and findings re EC3	If an institution is, based on FINMA’s judgment, at risk of breaching general capital thresholds set by statutory law or individual capital thresholds set by FINMA, FINMA may intervene by requesting or requiring capital injections or other appropriate measures to improve capitalization. FINMA is authorized to take corrective measures if an institution does not meet capital requirements, up to and including revocation of license or institution of insolvency proceedings (see also principles 8 and 9). FINMA has experience of using these tools. The process is also applied in case of breach of liquidity thresholds.
EC4	The supervisor has available a broad range of possible measures to address, at an early stage, such scenarios as described in essential criterion 2 above. These measures include the ability to require a bank to take timely corrective action or to impose sanctions expeditiously. In practice, the range of measures is applied in accordance with the gravity of a situation. The supervisor provides clear prudential objectives or sets out the actions to be taken, which may include restricting the current activities of the bank, imposing more stringent prudential limits and requirements, withholding approval of new activities or acquisitions, restricting or suspending payments to shareholders or share repurchases, restricting asset transfers, barring individuals from the banking sector, replacing or restricting the powers of managers, Board members or controlling owners, facilitating a takeover by or merger with a healthier institution, providing for the interim management of the bank, and revoking or recommending the revocation of the banking license.
Description and findings re EC4	Depending on the gravity of a situation, the following actions are taken: 1. Regular intervention: FINMA will address the issue with the bank under its regular supervision, or if necessary with the special team focusing on intensive supervision. It may request the bank to take immediate corrective measures to restore compliance with the law and set time limits for the implementation. Such corrective measures might include the restriction of the current business activities of the bank (e.g., prohibition of business activities in certain markets), imposing more stringent prudential limits and requirements (e.g., capital or organizational requirements), withholding approval of new business activities or acquisitions (e.g., acquisitions of other business units/teams), restricting or suspending payments to shareholders or share repurchases, restricting asset transfers, barring individuals from the banking sector, and replacing or restricting the powers of managers, board members or controlling owners. If the bank does not implement the requested corrective measures, the issue will be further escalated under regular supervision and may lead to enforcement proceedings. 2. Enforcement: If (a) the bank does not implement the requested corrective measures under its regular supervision (b) it is apparent that the bank is unable or unwilling to implement the required corrective measures or (c) the situation poses immediate risks to the bank or the banking system or to the interests of depositors, FINMA will open administrative enforcement proceedings (Art. 30 Financial Market Supervision Act, FINMASA; see Enforcement policy). Interim measures: In enforcement proceedings, FINMA can order interim measures to safeguard the situation. In particular, FINMA can appoint an investigating agent to implement the required corrective measures (Art. 36 FINMASA). Depending on its mandate, the investigating agent has the authority to act for the bank instead of the former management (i.e., interim management). Final measures: In enforcement proceedings, FINMA can order the restoration of compliance with supervisory law (Art. 31 FINMASA). In this regard, FINMA has a technical discretion in deciding which corrective measures are required to restore compliance. In the past, FINMA has ordered banks to implement a wide range of corrective measures under this title. For example, FINMA has decided to restrict the cross-border activities of a bank or ordered the closing of branch offices in order to limit business risks. Furthermore, FINMA is able to impose prudential limits and requirements on a bank’s business, withhold approval of new activities or acquisitions, restrict or suspend payments to shareholders or share purchases and restrict asset transfers. FINMA may bar a person from acting in a management capacity in the banking sector for a period of up to five years if he/she is responsible for serious violation of supervisory law (Art. 33 FINMASA). Moreover, it can prevent a bank from engaging a person for a senior executive position, who does not provide assurance of proper business conduct (Art. 3 para let. c BA). FINMA may also replace or restrict the powers of managers or board members. In this regard, FINMA is authorized to appoint an investigating agent, as noted above. FINMA also may suspend the voting rights of controlling owners if their conduct is detrimental to the institution (Art. 23ter BA). Often a bank will implement the required corrective measures while the enforcement proceedings are still open. If this is the case, FINMA may still issue a declaratory ruling (Art. 32 FINMASA) and make its final ruling public (“name and shaming”, Art. 34 FINMASA). In addition, FINMA is authorized to disgorge profits made through a serious violation of the supervisory provisions (Art. 35 FINMASA). 3. Resolution: If a bank no longer fulfills the requirements for its activities or seriously violates the supervisory provisions, FINMA can revoke the bank’s license (Art. 37 Para 1 FINMASA). It will be dissolved. In this regard, FINMA may appoint one or several liquidators responsible for the interim management of the bank (Art. 33 Para 2 BA). As part of the restructuring of a bank (Art. 25 f. BA), FINMA may also facilitate a takeover by or merger with a healthier institution. Assessors reviewed the use of enforcement powers applying to banks with FINMA staff. It is clear that they are used in practice. Over the recent past there have been up to 20–25 bank exits a year, of which 3–4 have been involuntary through liquidation or enforcement action, and the rest through voluntary exit and M&A.
EC5	The supervisor applies sanctions not only to the bank but, when and if necessary, also to management and/or the Board, or individuals therein.
Description and findings re EC5	If necessary FINMA opens enforcement proceedings against individuals for violations of supervisory law. If it finds that a person is responsible for a serious violation of supervisory provisions, FINMA may prohibit this person from acting in a management capacity in the banking sector for a period of up to five years (Art. 33 FINMASA). This situation is far less frequent than actions against banks. In addition, if a person is involved in improper business conduct, FINMA may find that the person no longer provide assurance of proper business conduct (Art. 3 para 2 let. c BA) and is, therefore, unfit to serve as a senior executive officer in the banking sector. If FINMA has doubts regarding an individual’s ability to provide assurance of proper business conduct, it will issue a letter with this requirement to the individual where it deems such action to be warranted. The person will also be registered in a “Watch List”. Should the individual thereupon apply for an influential management position, FINMA will assess whether he/she is fit to serve in this specific position based on available evidence of past conduct.
EC6	The supervisor has the power to take corrective actions, including ring-fencing of the bank from the actions of parent companies, subsidiaries, parallel-owned banking structures and other related entities in matters that could impair the safety and soundness of the bank or the banking system.
Description and findings re EC6	FINMA is authorized to take corrective actions that are required to shield an institution from any financial or other risks connected to its parent company, affiliates, shareholders or other related entities (e.g., in parallel-owned banking structures). Such measures may include financial ring-fencing, additional capital requirements, restrictions on dividend payments or organizational measures (e.g., a management structure that is entirely or substantially independent of related entities). FINMA may also suspend the voting rights of a shareholder if their conduct is detrimental to the institution (Art. 23ter Banking Act). Certain of these measures have been used in recent years.
EC7	The supervisor cooperates and collaborates with relevant authorities in deciding when and how to effect the orderly resolution of a problem bank situation (which could include closure, or assisting in restructuring, or merger with a stronger institution).
Description and findings re EC7	FINMA has required the two major banks to prepare recovery and resolution plans, and has had extensive discussions with these banks of those plans. FINMA is assessing what changes in banks structure and operations are needed to enhance resolvability. FINMA has also lead supervisory crisis management colleges to consider these matters involving the U.S. and the U.K. FINMA is the liquidation authority for banks and has considerable experience in managing exits from the sector effectively over the recent past. Insolvency authority for FINMA is shortly to be extended to holding companies in financial groups. FINMA is also strengthening its effort over smaller banks.
Additional criteria
AC1	Laws or regulations guard against the supervisor unduly delaying appropriate corrective actions.
Description and findings re AC1	There is no explicit early intervention framework with defined timelines contained in laws or regulations. However under FINMA policies and procedures, banks rated below certain levels must be considered for special supervision and intervention. FINMA standard operating procedures define timelines within which, depending on the rating, supervisory actions shall be taken. FINMA is liable if it has committed a breach of fundamental duties (Art. 19 FINMASA), which provides an incentive to act.
AC2	When taking formal corrective action in relation to a bank, the supervisor informs the supervisor of non-bank related financial entities of its actions and, where appropriate, coordinates its actions with them.
Description and findings re AC2	FINMA is an integrated supervisory agency, including investment funds and insurance business. Therefore, awareness and coordination are implicit features by design, also with respect to the non-bank related entities of a bank (group or conglomerate). In addition, FINMA shares relevant information and cooperates with federal and cantonal prosecution authorities as well as other domestic regulators, such as the Federal Audit Oversight Authority, the Swiss National Bank, the Takeover Board, the self-regulatory organizations (SROs) under the Anti-Money Laundering Act (AMLA), the relevant bodies of the Swiss stock exchanges and the Competition Commission based on Swiss law.
Assessment re principle 11	Compliant
Comments
Principle 12	Consolidated supervision. An essential element of banking supervision is that the supervisor supervises the banking group on a consolidated basis, adequately monitoring and, as appropriate, applying prudential standards to all aspects of the business conducted by the banking group worldwide.28
Essential criteria
EC1	The supervisor understands the overall structure of the banking group and is familiar with all the material activities (including non-banking activities) conducted by entities in the wider group, both domestic and cross-border. The supervisor understands and assesses how group-wide risks are managed and takes action when risks arising from the banking group and other entities in the wider group, in particular contagion and reputation risks, may jeopardize the safety and soundness of the bank and the banking system.
Description and findings re EC1	FINMA law and regulations define a banking group as two or more companies at least one of which is active as a bank or securities dealer or they are active in the financial area or they form an economic unit. Financial conglomerates are banking or securities groups that also include an insurance company. In addition to the two large banks, FINMA supervises more than 100 Swiss banking groups or sub-groups. One of the two major banks operates in a holding company structure; the other is headed by a licensed bank. FINMA advised that for mid-size banks a typical structure would have one or more banks, and asset management companies under a holding company. Individual banks and financial institutions are licensed by FINMA. Under the legislation holding companies are not formally authorized but integrated into the consolidated supervision performed by FINMA. FINMA has several methods to ensure understanding of the group and its activities. The major source of information flows from the licensing process for authorized institutions, which approves internal corporate documents that set out the bank structure, business lines and geographic scope. As part of this process FINMA also requires this information related to the group structure. Changes in the structure of the bank and its entities, and changes in the group structure below the holdco require approval or notification. In addition, under Art. 3 para 7 BA and Art. 6b para 1 BO, banks must notify FINMA if they intend opening a subsidiary, a branch, an agency or a representation office in a foreign country. The information provided must refer to the business plan, the persons in charge of the management of the local entity, the local audit firm and the name of the host supervisor. This requirement for notification is extended by FINMA to holding companies as part of the licensing process of the banking entities in the group. As well, the regulatory audit reports at the conglomerate level must contain information on the up-to-date group structure. These reports must also contain information and opinions on such matters as: (a) adequacy of group corporate governance, (b) adequacy of measures in place in order to make sure that the requirements relating to capital, risk diversification and liquidity are observed at consolidated level, (c) adequacy of consolidated risk management and efficiency of central functions dedicated to control, mitigation and risk reporting, (d) adequacy of group internal audit, (e) adequacy of measures for ensuring compliance with Swiss and local prudential and behavior rules, notably anti-money laundering rules, (f) confirmation that intra-group exposures and commitments have been approved and are well-supervised, (g) confirmation that entities abroad are not used to get around Swiss provisions. Assessors review of these reports and discussion with FINMA staff and banks indicates that they have a good comprehension of group structures. FINMA legislation provides FINMA with a legal right to information on any entities that hold a direct or indirect majority participation in the bank. This is the legal basis for FINMA collection of information on the group from the holding and from its controlling entities if necessary. Risk profiles of groups are part of the regulatory audit process (see CP8/9). Assessors did not see examples where upstream non-financial risks or risks from non-financial affiliates of the bank were formally considered in risk assessments. These entities may or may not be part of the consolidated group but nevertheless need to be part of risk assessment. Risk assessment instructions to audit firms do not clearly require such an assessment. FINMA has experience in ring fencing part of a group. It also has limited its scope of consolidated supervision in certain cases, so that the group must limit its exposures to entities outside the scope of the consolidation.
EC2	The supervisor imposes prudential standards and collects and analyses financial and other information on a consolidated basis for the banking group, covering areas such as capital adequacy, liquidity, large exposures, exposures to related parties, lending limits and group structure.
Description and findings re EC2	The legal requirements with respect to groups are contained in the banking act and ordinances, with further expansion in certain FINMA circulars. The law subjects financial groups to FINMA supervision. FINMA does not have the power to license or authorize groups or group holding companies. However, under the banking act, FINMA can make its authorization of individual banks dependent on adequate consolidated supervision. FINMA uses this general power extensively. Art. 3f BA requires that financial groups must be organized such that the material risks are identified, controlled, and limited. The banking ordinance (Art. 14a) sets out that FINMA supervision at the group level is designed to determine (among other things): whether the group is appropriately organized, has an adequate internal control system, identifies limits and monitors risks appropriately, complies with provisions on capital adequacy and risk concentrations and has adequate liquidity. The group must have the same audit firm for all entities. In addition, the law requires that management and board at group level must be fit and proper and manage properly. The law provides for FINMA to apply rules on capital adequacy, liquidity, risk distribution and intra-group positions at group level, either in general or in individual cases. The law does not contain explicit qualitative requirements for risk management or internal control at group level. FINMA enforcement power (e.g., to issue formal orders or decrees) does not apply at the group level only to authorized institutions within the group. The power to appoint an agent to replace management does apply at group level. (see CP11) FINMA does not have direct authority to approve or stop foreign acquisitions made by a financial group by a Swiss-based financial group at the holdco level. FINMA does not have insolvency authority at the holding company level but this is planned to be added to the legislation in 2014. While not specified precisely in the legislation, as a general principle, the same supervision expectations of FINMA apply to a bank or securities dealer group on a consolidated basis as they do to a bank or securities dealer on an individual basis. Assessors discussed with FINMA extensively their ability to achieve desired prudential results at group level given the fact that their formal authority to operate directly at group level is less than in some jurisdictions. While FINMA does not have direct powers over the group, FINMA staff indicated that they have the ability and willingness to act at the level of the individual bank to achieve results. FINMA reports that lack of direct legal authority has not been a problem to date.
EC3	The supervisor reviews whether the oversight of a bank’s foreign operations by management (of the parent bank or head office and, where relevant, the holding company) is adequate having regard to their risk profile and systemic importance and there is no hindrance in host countries for the parent bank to have access to all the material information from their foreign branches and subsidiaries. The supervisor also determines that banks’ policies and processes require the local management of any cross-border operations to have the necessary expertise to manage those operations in a safe and sound manner, and in compliance with supervisory and regulatory requirements. The home supervisor takes into account the effectiveness of supervision conducted in the host countries in which its banks have material operations.
Description and findings re EC3	The audits and reports performed by audit firms include group-wide risk assessments and comment on the adequacy of the management’s oversight of a bank’s foreign operations. Subsidiaries abroad are required to report quantitative elements to the parent bank to be able to measure and report these elements at the group-wide level. If there are elements of hindrance in the host countries for the parent bank, this would be captured by the audit firms and addressed in their audit reports. In its position paper (2010) addressing legal and reputational risks in cross-border financial business, FINMA set out its expectations on these matters. In their audit reports, the audit firms report on the bank’s risk management with regard to cross-border activities. FINMA intends to focus more on assessing whether supervised institutions are aware of the risks inherent in their cross-border operations and take appropriate measures to mitigate them. FINMA regularly meets with host authorities, shares information with them and takes into account the effectiveness of supervision conducted in countries in which Swiss banks have material operations. (see CP13)
EC4	The home supervisor visits the foreign offices periodically, the location and frequency being determined by the risk profile and systemic importance of the foreign operation. The supervisor meets the host supervisors during these visits. The supervisor has a policy for assessing whether it needs to conduct on-site examinations of a bank’s foreign operations, or require additional reporting, and has the power and resources to take those steps as and when appropriate.
Description and findings re EC4	Periodic on-site examinations of foreign offices are mainly made by the audit firms as part of their regulatory report. At large Swiss banks, FINMA also occasionally visits foreign offices or performs on-site supervisory reviews. The frequency of on-site examinations of a bank’s foreign operations depends on the one hand on how substantial the foreign operations are for the banking group and on the other hand on the risk assessment relating to those foreign operations. Assessors discussed FINMA practice in this regard. FINMA recognizes that foreign affiliates of recognized audit firms may have less familiarity with FINMAs regulatory expectations of them in assessing Swiss banks foreign operations. Assessors also gained the impression from these discussions that resource constraints are a reason for the limited number of FINMA on-site reviews of foreign operations.
EC5	The supervisor reviews the main activities of parent companies, and of companies affiliated with the parent companies, that have a material impact on the safety and soundness of the bank and the banking group, and takes appropriate supervisory action.
Description and findings re EC5	FINMAs focus on this is informal on a case-by-case basis.
EC6	The supervisor limits the range of activities the consolidated group may conduct and the locations in which activities can be conducted (including the closing of foreign offices) if it determines that: (a) the safety and soundness of the bank and banking group is compromised because the activities expose the bank or banking group to excessive risk and/or are not properly managed; (b) the supervision by other supervisors is not adequate relative to the risks the activities present; and/or (c) the exercise of effective supervision on a consolidated basis is hindered.
Description and findings re EC6	FINMA takes account of these aspects in the ongoing licensing process which considers changes in business structure, scope and geographic location. FINMA has well developed ability to assess quality of supervision in other jurisdictions. FINMA does not have the legal power to directly require the closing of foreign offices but it has the ability to reach this goal by other means. FINMA’s most important tool in this regard is its discretionary ability to require more capital (i.e., in the case of a subsidiary with excessive risks) or to make a statement that the bank/group is not complying with general requirements (i.e., if there is no appropriate control of the group on one of its subsidiaries).
EC7	In addition to supervising on a consolidated basis, the responsible supervisor supervises individual banks in the group. The responsible supervisor supervises each bank on a standalone basis and understands its relationship with other members of the group.29
Description and findings re EC7	As a general principle, the same supervision/regulations apply to a bank or securities dealer group on a consolidated basis as do to a bank or securities dealer at single entity level. Hence, quantitative and qualitative elements as described in description and findings re EC2 are also supervised on a stand-alone basis. Since capital adequacy and large exposure requirements must be complied with on a stand-alone basis, at the consolidated bank level (sub-consolidation) and bank group level, the requirement that all entities in a banking group are supplied with adequate capital according to the allocation of risks must also be fulfilled (see also principle 16, AC2).
Additional criteria
AC1	For countries which allow corporate ownership of banks, the supervisor has the power to establish and enforce fit and proper standards for owners and senior management of parent companies.
Description and findings re AC1	In Switzerland, corporate ownership of banks is possible. Art. 3 para 2 let. C bis BA states that persons or entities who have directly or indirectly 10 percent or more of capital or voting rights or can exercise a significant influence on the bank (i.e., qualified shareholders) must give the guarantee that their influence will not endanger the prudent and sound management of the bank. When FINMA grants a license to a new bank, it examines very closely the nature, identity and possible influence of every qualified shareholder. Recognized banks must send an updated list of the direct and indirect qualified shareholders to FINMA every year. The external auditors, in the context of the prudential audit, must comment every year in their long form reports on the relations of the banks with the qualified shareholders, confirm that the latter do not exercise any negative influence and also confirm that economic transactions are “at arm’s length.”
Assessment of Principle 12	Compliant
Comments	FINMA consolidated supervision is of high quality, as regulation, monitoring and reporting cover groups comprehensively. Risk assessments, however, need to be extended to formally consider risks arising to the group from non-financial entities upstream from the group or from non-financial affiliates. While the legal framework is not as clear as it could be, FINMA is able to achieve its goals indirectly in those cases. Experience in other jurisdictions suggests that, in extremis, the power to act at the level of the individual institution may not be enough to achieve group-wide results. As a preventative measure, the law should be strengthened to allow interim and permanent enforcement decrees to be applied at the holding company level.
Principle 13	Home-host relationships. Home and host supervisors of cross-border banking groups share information and cooperate for effective supervision of the group and group entities, and effective handling of crisis situations. Supervisors require the local operations of foreign banks to be conducted to the same standards as those required of domestic banks.
Essential criteria
EC1	The home supervisor establishes bank-specific supervisory colleges for banking groups with material cross-border operations to enhance its effective oversight, taking into account the risk profile and systemic importance of the banking group and the corresponding needs of its supervisors. In its broadest sense, the host supervisor who has a relevant subsidiary or a significant branch in its jurisdiction and who, therefore, has a shared interest in the effective supervisory oversight of the banking group, is included in the college. The structure of the college reflects the nature of the banking group and the needs of its supervisors.
Description and findings re EC1	FINMA organizes a considerable number of supervisory colleges as home supervisor for UBS and Credit Suisse Group. Key foreign supervisors are the US and UK and in addition to colleges there are extensive regular communication. FINMA staff confirmed to assessors that they are satisfied with the information flow to them as home supervisor from host authorities and to them as host.
EC2	Home and host supervisors share appropriate information on a timely basis in line with their respective roles and responsibilities, both bilaterally and through colleges. This includes information both on the material risks and risk management practices of the banking group30 and on the supervisors’ assessments of the safety and soundness of the relevant entity under their jurisdiction. Informal or formal arrangements (such as memoranda of understanding) are in place to enable the exchange of confidential information.
Description and findings re EC2	FINMA MOUs are focused on supervisory authorities in countries with whom there is an extensive exchange of information due to the large number of cross-border branch offices of supervised institutions. These memoranda of understanding specify cooperation and procedures within the statutory framework (Arts. 42 and 43 FINMASA, Art. 23septies BA, Arts. 38 and 38a SESTA, Art. 143 CISA). FINMA is also legally authorized to cooperate with a foreign supervisory authority even in the absence of a specific agreement between the two. If the cooperation involves the exchange of confidential data, FINMA generally requires an ad-hoc declaration from the requesting supervisory authority stipulating that the information may only be used for the direct supervision of the regulated institutions, that the supervisory authority is bound by official or professional confidentiality provisions, and that the information may not be published or passed on to other authorities and bodies, including other supervisory or criminal prosecution authorities, without the prior consent of FINMA. FINMA processes appear effective and well used, both in its role as home and host supervisor.
EC3	Home and host supervisors coordinate and plan supervisory activities or undertake collaborative work if common areas of interest are identified in order to improve the effectiveness and efficiency of supervision of cross-border banking groups.
Description and findings re EC3	National and international cooperation is one of FINMA’s five strategic goals. Collaborative work is conducted from time to time. In 2011 and 2012, U.K. FSA conducted in depth on-site reviews focused on identifying and supervising politically exposed persons (PEPs) at U.K. banking groups. In collaboration with U.K. FSA, FINMA performed comparable work at Swiss subsidiaries and branches of U.K. banking groups to be able to share the results with the U.K. FSA and to address if necessary the need of improvement in the whole group. FINMA also performs joint reviews together with the Federal Reserve Bank of New York (FRBNY) and the U.K. regulator (U.K. PRA).
EC4	The home supervisor develops an agreed communication strategy with the relevant host supervisors. The scope and nature of the strategy reflects the risk profile and systemic importance of the cross-border operations of the bank or banking group. Home and host supervisors also agree on the communication of views and outcomes of joint activities and college meetings to banks, where appropriate, to ensure consistency of messages on group-wide issues.
Description and findings re EC4	As a follow-up to the supervisory colleges, FINMA provides feedback to the bank on the issues discussed by the regulators. In the case of joint audits, the letter presenting the findings is initially discussed between the regulators involved before being communicated to the bank. Furthermore, in the context of projects involving several authorities, common update meetings are held where all authorities participate.
EC5	Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities, develops a framework for cross-border crisis cooperation and coordination among the relevant home and host authorities. The relevant authorities share information on crisis preparations from an early stage in a way that does not materially compromise the prospect of a successful resolution and subject to the application of rules on confidentiality.
Description and findings re EC5	FINMA has established Crisis Management Colleges for Credit Suisse and UBS. It is developing a global resolution strategy with the key host regulators for both banks based on a single point of entry approach. The resolution plans are expected to become the basis of any future cooperation and coordination arrangement which FINMA will therefore conclude as soon as the resolution plans are in a stable condition. In the interim, FINMA continues to be able and willing to exchange information on resolution planning and resolution actions in accordance with its laws and regulations and will use for that purpose the existing supervisory arrangements on cooperation and information exchange. In addition, FINMA works towards establishing institution-specific cooperation agreements which will go further and, in particular, strive to set modalities for mutual recognition of resolution measures and supportive actions.
EC6	Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities and relevant host authorities, develops a group resolution plan. The relevant authorities share any information necessary for the development and maintenance of a credible resolution plan. Supervisors also alert and consult relevant authorities and supervisors (both home and host) promptly when taking any recovery and resolution measures.
Description and findings re EC6	FINMA has shared the recovery plans provided by both Swiss G-SIB and information on resolution received from the banks with the Crisis Management College members. The resolution plans will also be shared among these authorities once they have been finalized. The resolution plans specify how both home and host authorities will interact with each other and coordinate the resolution process if the resolution triggers are hit either in home or host jurisdictions.
EC7	The host supervisor’s national laws or regulations require that the cross-border operations of foreign banks are subject to prudential, inspection and regulatory reporting requirements similar to those for domestic banks.
Description and findings re EC7	FINMA authority, reporting and requirements for adherence to laws and circulars that apply to domestic banks also apply to foreign banks established in Switzerland. FINMA in licensing foreign banks participation in the Swiss market also pays particular attention to the prudential standards and supervisory approach in the home country. Assessors discussed this with licensing authorities. It was clear from the discussions that FINMA takes these assessments very seriously, has enhanced them post crisis, and uses its authority as necessary to deny licenses or take other actions.
EC8	The home supervisor is given on-site access to local offices and subsidiaries of a banking group in order to facilitate their assessment of the group’s safety and soundness and compliance with customer due diligence requirements. The home supervisor informs host supervisors of intended visits to local offices and subsidiaries of banking groups.
Description and findings re EC8	Under Art. 43 para 2 FINMASA, FINMA may permit foreign authorities responsible for financial market supervision to carry out direct audits at Swiss establishments of foreign institutions, provided these authorities: are responsible for the consolidated supervision of the audited institutions as part of home country supervision; are bound by official or professional secrecy; and will only use the information for the direct supervision of foreign institutions and not pass it on to other authorities without general authorization in an international treaty or FINMA’s prior consent. The group’s safety and soundness and compliance with customer due diligence requirements can be assessed through on-site visits. However, Art. 23septies BA does not grant the foreign supervisor direct access to information which directly or indirectly relates to asset management or deposit activities for specific customers (private banking carve-out). The review therefore has to be conducted on a no-name basis or by a Swiss audit firm that takes the above-mentioned Article into consideration. Individual client files can be accessed after any client-identifying data has been redacted. If necessary, FINMA will collect the client-identifying data and transmit it via administrative assistance. In practice, foreign home supervisors from time to time conduct on-site inspection on Swiss local offices and subsidiaries of their banking groups.
EC9	The host supervisor supervises booking offices in a manner consistent with internationally agreed standards. The supervisor does not permit shell banks or the continued operation of shell banks.
Description and findings re EC9	Not applicable to Switzerland (no existing shell banks).
EC10	A supervisor that takes consequential action on the basis of information received from another supervisor consults with that supervisor, to the extent possible, before taking such action.
Description and findings re EC10	As described in the preceding ECs, FINMA works in close contact with other supervisors through various channels. Before taking supervisory action based on information received from another supervisor, FINMA always consults with that supervisor.
Assessment of Principle 13	Compliant.
Comments	FINMA has well developed relations with key foreign supervisors of the largest banks. Use of audit firms’ global networks increases FINMA reach. The issues with depth and breadth of supervisory coverage on the largest banks are taken into account in grades for CP8/9. It also covers recommendations for additional offshore supervision.

View Table

Principle 1	Responsibilities, objectives and powers. An effective system of banking supervision has clear responsibilities and objectives for each authority involved in the supervision of banks and banking groups.5 A suitable legal framework for banking supervision is in place to provide each responsible authority with the necessary legal powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns.6
Essential criteria
EC1	The responsibilities and objectives of each of the authorities involved in banking supervision7 are clearly defined in legislation and publicly disclosed. Where more than one authority is responsible for supervising the banking system, a credible and publicly available framework is in place to avoid regulatory and supervisory gaps.
Description and findings re EC1	The Swiss Financial Market Supervisory Authority (FINMA) is responsible for supervision of banks in Switzerland. FINMA is “the authority that supervises the financial market” and a “public institution”. (Financial Market Supervisory Act (FINMASA) Art. 4). It is a unified supervisor; the law provides FINMA the supervisory authority over those licensed by it which includes banks, insurance firms, collective capital investments, and audit companies. (FINMASA Art. 2). FINMA’s authority covers licensing, supervision, application of corrective actions and sanctions, and issuing regulation in the form of ordinances and circulars. According to the National Bank Act (NBA), the Swiss National Bank (SNB) has the mandate to ensure price stability while taking due account of the development of the economy. Within this framework, the SNB has “to contribute to the stability of the financial system” (NBA Art. 5). It also is responsible for the supply of liquidity and act as a lender of last resort in the event of a crisis (NBA Art. 9). There are two particular areas where the SNB participate in decisions affecting microprudential supervision: Under the Banking Act (BA) Art. 8 para 3, the National Bank designates—after consulting FINMA—the systemically important banking institutions and their systemically important functions; and Under the Capital Adequacy Ordinance (CAO) Art. 44 the Swiss National Bank can issue a proposal to the Swiss Federal Council to activate, adjust, or deactivate a countercyclical buffer. Prior to issuing such a proposal, the Swiss National Bank must consult with FINMA. Cooperation between FINMA and SNB is described in a MOU between two institutions established in February 2010. The MOU focuses on the following areas: assessment of soundness of systemically important banks and/or the banking system; regulations that have a major impact on the soundness of banks; and contingency planning and crisis management. A high-level steering committee which meets at least twice a year as well as a standing committee which meets at least four times a year has been established for coordination, including on joint projects. It also provides a framework for information sharing including confidential ones. Currently the two largest banks have been designated as systemically important. The relevant legal fundamentals are made public on FINMA’s website and on that of the Swiss Federal Administration.
EC 2	The primary objective of banking supervision is to promote the safety and soundness of banks and the banking system. If the banking supervisor is assigned broader responsibilities, these are subordinate to the primary objective and do not conflict with it.
Description and findings re EC2	FINMA’s objectives are provided as “[I]n accordance with the financial market acts, financial market supervision has the objectives of protecting creditors, investors, and insured persons as well as ensuring the proper functioning of the financial market” (FINMASA Art. 5). FINMA does so mainly by prudential supervision which – with regard to banks – “promotes the safety and soundness of banks and the banking system”. FINMASA Art. 5 also stipulates that “it (financial market supervision) thus contributes to sustaining the reputation and competitiveness of Switzerland’s financial center”. The authorities explain that this wording—“it thus contributes”—clearly subordinates the contribution to “sustaining the reputation and competitiveness of Switzerland’s financial center” to promoting the safety and soundness of banks and the banking system. They also explain that it is the way in which FINMA understands its responsibilities and conducts banking supervision and that this contribution is performed through creating robust regulatory and supervisory frameworks. The assessors were also informed that there is a Parliamentary initiative to expand the objectives of FINMA by amending FINMASA to include promoting the competitiveness of the financial center as one of the primary objectives. The act also requires FINMA, in exercising its regulatory powers, to take into account the effect that regulation has on competition, innovative ability and the international competitiveness of Switzerland’s financial centre, in addition to the compliance cost and international standards. (FINMASA Art. 7) Again, FINMA explains that this Article. does not cover supervisory actions and that it understands that this requirement is fulfilled by constructing a robust regulatory framework that contributes to the safety and soundness of banking system, and by ensuring meaningful consultation on new initiatives.
EC3	Laws and regulations provide a framework for the supervisor to set and enforce minimum prudential standards for banks and banking groups. The supervisor has the power to increase the prudential requirements for individual banks and banking groups based on their risk profile8 and systemic importance.9
Description and findings re EC3	FINMA is responsible for the supervision of banks and banking groups in Switzerland. The Swiss regulatory framework for banking supervision is formulated at three levels: Federal acts such as the Federal Law on Banks and Savings Banks (Banking Act, BA) and the Financial Market Supervision Act (FINMASA) are issued by Parliament. In the hierarchical structure of Swiss legislation, federal acts are subordinate to the Constitution. Under the Federal Constitution, all important legislative provisions must be passed as a federal act. This includes, for instance, severe restrictions on constitutional rights (e.g., economic freedom), basic provisions on the rights and obligations of persons and on procedures followed by the federal authorities. Federal acts are drafted by FDF and submitted to the parliament. The way this work is conducted depends case-by-case, but a project team consists of relevant parties including FDF and FINMA could be organized. The draft could be changed through the parliamentary process. Ordinances are based on parliamentary laws and are issued by the Swiss Federal Council or very occasionally by FINMA. The Federal Council can pass general legal provisions in the form of an ordinance insofar as it is empowered to do so by an act or directly by the Constitution. Federal ordinances are also drafted by FDF and submitted to the Federal Council. For administrative units such as FINMA to issue ordinances, explicit delegation in laws or Federal Council ordinances is required. Circulars can be issued by FINMA to set forth its practice with regard to the above regulations. The purpose of FINMA circulars is to enable the supervisory authority to implement legislative rules in a uniform and proper manner by specifying open, undefined legal norms and outlining generally abstract requirements for exercising discretionary powers. Circulars do not need any explicit legal basis in an act; their content, however, must be materially related to acts and ordinances. Circulars are binding for FINMA. Circulars must be approved by the board of FINMA. Compliance with all FINMA Circulars (as well as Acts and Ordinances) applicable to banks are subject to the annual audit process and issues of non-compliance will be reported in the annual audit report, based an assessment of risk and materiality. However, Circulars do not have the characteristics of Acts of Ordinance. Accordingly, a supervised institution may appeal against a Circular in a concrete case if the institution considers the Circular is not applicable for its particular circumstances. In addition to these, FINMA publishes guidance through various forms, including Frequent Asked Questions and FINMA position papers. Although these do not formally have same degree of enforceability, they are understood by banks and external auditors to compliment Ordinances and Circulars and banks need to adhere to them.
EC4	Banking laws, regulations and prudential standards are updated as necessary to ensure that they remain effective and relevant to changing industry and regulatory practices. These are subject to public consultation, as appropriate.
Description and findings re EC4	The authorities observe developments on the financial markets, both nationally and internationally to identify and understand the relevant risks and follow the evolution of international regulations as well as its effects on Switzerland, and these developments, as well as parliamentary trigger the regulatory or legislative process. Regulations, including laws and ordinances are revised frequently; for example, BA was most recently amended in September 2011, BO June 2012, the new CAO was issued June 2012, and a number of circulars have been issued each year. However, as explained in relevant CPs, some circulars, particularly those related to specific risk management requirements, are not revised frequently enough to keep them updated and relevant. In the process of formulating regulations, FINMA communicates information on regulatory initiatives and their current status to various stakeholders. Draft regulations and explanatory reports are in general submitted for open consultation to give all interested parties the opportunity to express themselves. In general, comments received are published together with a report on the considerations and the adopted legislation. FINMA’s reactions to relevant issues raised during the consultation are included in the consultation report. Also, public hearings are held about draft regulations to involve wider stakeholders including depositors and other customers. If justified by the importance of a regulatory project and permitted by timing and circumstances, workshops and joint working groups with the supervised entities may also take place. Industry participants that assessors met were generally satisfied with their communication with FINMA, but some noted that more frequent and candid dialogue on regulatory issues between FINMA and the industry would be valuable.
EC5	The supervisor has the power to: (a) have full access to banks’ and banking groups’ Boards, management, staff and records in order to review compliance with internal rules and limits as well as external laws and regulations; (b) review the overall activities of a banking group, both domestic and cross-border; and (c) Supervise the activities of foreign banks incorporated in its jurisdiction.
Description and findings re EC5	(a) FINMA has full access to banks’ and banking group’s Board, management staff and records as provided by FINMASA, Art. 29, which stipulates that “the supervised entities (including the institutions’ management and staff), their audit companies and auditors as well as persons or companies that are qualified investors or that have a substantial participation in the supervised entities must provide FINMA with all information and documents that it requires to carry out its tasks”. (b) Under certain circumstances, not only a bank as a solo entity but also a “financial group” or a “financial conglomerate” including related entities both domestic and cross-border becomes subject of group supervision by FINMA (BA Art. 3b f). (See Cp12.) As a consequence, FINMA reviews the overall activities of a banking group, both domestic and cross-border, if it is the lead home-country regulator of such a group. However, entities conducting non-financial activities are excluded from group supervision. (c) Branches and subsidiaries of foreign banks must obtain a license from FINMA. These institutions are subject to similar regulatory and supervisory requirements applicable to all other Swiss banks, including requirements to furnish information to FINMA.
EC6	When, in a supervisor’s judgment, a bank is not complying with laws or regulations, or it is or is likely to be engaging in unsafe or unsound practices or actions that have the potential to jeopardize the bank or the banking system, the supervisor has the power to: (a) take (and/or require a bank to take) timely corrective action; (b) impose a range of sanctions; (c) revoke the bank’s license; and (d) cooperate and collaborate with relevant authorities to achieve an orderly resolution of the bank, including triggering resolution where appropriate.
Description and findings re EC6	If a bank poses problems as described above FINMA has the power to take the required corrective measures (see CP11). Depending on the gravity of a situation the following measures will be taken and escalated accordingly: Regular supervision: FINMA will address problems with the bank under its regular supervision. In this context, it may request the bank to take immediate corrective measures and impose time limits for the implementation. Enforcement: If (a) the bank does not implement the requested corrective measures under its regular supervision, (b) it is apparent that the bank is unable or unwilling to implement the required corrective measures, or (c) the situation poses immediate risks to the bank, the banking system or to the interests of depositors, FINMA will open administrative enforcement proceeding (Art. 30 FINMASA). Interim measures: In enforcement proceedings, FINMA can order interim measures to safeguard the situation. FINMA can appoint an investigating agent to implement the required corrective measures (Art. 36 FINMASA). Final measures: In enforcement proceedings, FINMA can order the restoration of compliance with the supervisory law (Art. 31 FINMASA). The possible measures are not pre-defined. In addition, FINMA can: bar a person from acting in a management capacity in the banking sector for a period of up to five years (Art. 33 FINMASA); confiscate any profit made through a serious violation of the supervisory provisions (Art. 35 FINMASA); and, revoke the banking license (Art. 37 FINMASA). FINMA is the competent authority for the resolution and/or liquidation of banks in Switzerland. In this regard, FINMA assumes the role of the ordinary bankruptcy authorities, i.e., FINMA decides on the liquidation of a bank (Art. 33 para 1 Banking Act, BA). FINMA may appoint one or several liquidators who are subject to its supervision (Art. 33 para 2 BA). FINMA may also itself assume the role of the liquidator (through a specialized unit within FINMA). In addition, FINMA is the competent authority to recognize the effects of bankruptcy/liquidation proceedings over a foreign bank in Switzerland.
EC7	The supervisor has the power to review the activities of parent companies and of companies affiliated with parent companies to determine their impact on the safety and soundness of the bank and the banking group.
Description and findings re EC7	FINMA establishes its consolidated supervision at the level of the parent company if the group of companies including a bank meets the definition of financial group as noted above. Thus parent companies are included in FINMA’s group supervision and required to provide information and documents. As noted above, group supervision supplements supervision of a bank as a solo entity. In addition, “qualified investors or that have a substantial participation” in a bank are also required to provide information and documents requested by FINMA. In case of companies affiliated with parent companies, if they are companies operating in the financial sector, they will also be subject to group supervision, which gives FINMA the ability to request information. If these companies are not operating in the financial sector, they will be exempted from group supervision and FINMA will have no direct power over these entities.
Assessment of Principle 1	Compliant
Comments	Changes to the objectives of FINMA to elevate promoting competitiveness to a main objective (as described in EC1) would risk confusing FINMAs mandate and would be contrary to this CP. Despite the compliant grade, there are weaknesses in the power of FINMA which are taken into account in assessment of other CPs. In particular, the existence of gaps in the regulatory framework, infrequency of updating circulars, and use of FAQs and other secondary documents to augment regulations, cause a challenge in consistent application of the regulatory framework and in supervisory activities.
Principle 2	Independence, accountability, resourcing and legal protection for supervisors. The supervisor possesses operational independence, transparent processes, sound governance, budgetary processes that do not undermine autonomy and adequate resources, and is accountable for the discharge of its duties and use of its resources. The legal framework for banking supervision includes legal protection for the supervisor.
Essential criteria
EC1	The operational independence, accountability and governance of the supervisor are prescribed in legislation and publicly disclosed. There is no government or industry interference that compromises the operational independence of the supervisor. The supervisor has full discretion to take any supervisory actions or decisions on banks and banking groups under its supervision.
Description and findings re EC1	FINMA is created as a public law institution with its own legal personality and official seat in Bern (FIMASA Art. 4). Governance and independence of FINMA are specified in Section 1 of Chapter 2 of FINMASA and further underpinned by the secondary regulations on the organization of FINMA. FINMSA Arts. 9 and 10 and the related secondary regulation on the organization of FINMA specify the terms and conditions of the composition and tasks of the Board of Directors (BoD) and the management board. It requires BoD, which is appointed by the Federal Council and comprises seven to nine members, to be independent of the supervised persons and entities (FINMASA Art. 9 para 1). The Chair of BoD is not permitted to carry out any other economic activity nor hold any federal or cantonal office unless it is in the interest of fulfillment of the tasks of FINMA (FINMASA Art. 9 para 4). Further, FINMASA Art. 21 para 1 requires FINMA to carry out its supervisory activity autonomously and independently. FINMA is funded independently from the general federal budget by levying fees for individual cases and services as well as annual supervision charges on supervised entities (FINMASA Art. 15). FINMA’s budget is only subject to approval by FINMA’s BoD. The relevant Ordinance issued by the Federal Council sets a broad framework of fees and charges but it does not constrain FINMA’s ability to charge banks. FINMA’s annual report and three year strategic plan is subject to approval by the Federal Council. At least once a year, FINMA discusses the strategy for its supervisory activities and current issues of financial center policy with the Federal Council (FINMASA Art. 21 para 2). FINMA has its own Personnel Ordinance (subject to approval by the Federal Council) which provides FINMA with increased flexibility regarding the remuneration of its employees compared to the federal administration. FINMA explains that it enjoys a large degree of autonomy in the performance of its supervisory duties. Its decisions can only be appealed in court. For regulation above FINMA level (acts and federal ordinances) as well as for international policy development FINMA coordinates with other relevant authorities such as FDF and SNB. There are no observers from government, politics or industry present in meetings of FINMA’s BoD or Executive Board. The government cannot issue operational instructions to the supervisory authority. FINMA is accountable to the Federal Parliament, which exercises general oversight (“Oberaufsicht”) over FINMA according to the ordinary working modalities of the Swiss Parliament (FINMASA Art. 21 para 4). There are no provisions that allow Parliament or the Federal Council to intervene in operational issues under the FINMA’s responsibility, such as supervisory actions and decisions on individual banks. FINMA explains that there is interference on a day-to-day basis with FINMA’s supervisory work neither by Parliament nor by the Federal Council. Currently, however there is substantial parliamentary interest in FINMAs power to issue what amount to rules or guidance, and the effect on various aspects of the sector’s competitiveness. Proposals to change FINMA’s mandate are on hold pending a review of its regulation versus international norms. Recently, in response to FINMAs decision in 2012 to impose Pillar 2 requirements on midsize banks, Parliament passed a motion requiring the Federal Council to take this power away from FINMA and vest it in the federal council instead. That motion indicated in a non- binding way that the resulting Pillar 2 capital charges should be capped at values less than FINMA now has in place.
EC2	The process for the appointment and removal of the head(s) of the supervisory authority and members of its governing body is transparent. The head(s) of the supervisory authority is (are) appointed for a minimum term and is removed from office during his/her term only for reasons specified in law or if (s)he is not physically or mentally capable of carrying out the role or has been found guilty of misconduct. The reason(s) for removal is publicly disclosed.
Description and findings re EC2	The Federal Council appoints the FINMA’s BoD. In doing so, it must ensure the appropriate representation of both genders. It appoints the Chair and the Vice-Chair. It determines the level of remuneration. (FINMASA Art. 9 para 2). The BoD has to be comprised of seven to nine expert members, who are independent of the supervised persons and entities. The members of BoD, including the Chair and Vice Chair, are appointed for a term of office of four years; each member may be reappointed twice (FINMASA Art. 9 paras. 2 and 3). The Federal Council removes members of BoD “if the requirements for holding office are no longer fulfilled” without providing further details, although this has not happened to date. (FINMASA Art. 9 para 5). There is no requirement to disclose the reason(s) for removal. The Chief Executive Officer (CEO) and the members of the Executive Board are appointed by the BoD. The appointment of the CEO is subject to approval by the Federal Council (FINMASA Art. 9 para 1). Consequently, the Federal Council has to approve the decision of BoD to terminate the employment of CEO “if the requirements for holding office are no longer fulfilled” (FINMASA Art. 9 para 5). Moreover, the FINMA Personnel Ordinance Art. 9 para 4 provides that the termination of an employment contract, including the one for CEO, must be for objective reasons and they have to be communicated in writing to the person concerned. For the CEO and other members of the Executive Board, there is no requirement to disclose the reason(s) for removal.
EC3	The supervisor publishes its objectives and is accountable through a transparent framework for the discharge of its duties in relation to those objectives.10
Description and findings re EC3	FINMASA Art. 9 provides that BoD determines the strategic objectives of FINMA and submits them to the Federal Council for approval. The strategic objectives are determined for a period of 3 to 4 years and published on FINMA’s website (Strategic Goals 2013 to 2016). FINMASA also stipulates that BoD “draws up the annual report and submits the annual report to the Federal Council for approval prior to publication.” (Art. 9, Art. 22). This provides information on annual activities and priorities. There is also an annual hearing with the relevant Parliamentary Committees.
EC4	The supervisor has effective internal governance and communication processes that enable supervisory decisions to be taken at a level appropriate to the significance of the issue and timely decisions to be taken in the case of an emergency. The governing body is structured to avoid any real or perceived conflicts of interest.
Description and findings re EC4	FINMASA Art. 9 stipulates that the BoD decides on matters of substantial importance. Details on what constitutes matters of substantial importance are provided in FINMA’s Organizational Rules Art. 2 as: matters of considerable consequence for financial markets or of systemic importance as evidenced at one or more of the supervised institutions; matters of particular interest for the general public; matters that result in establishing rules of practice or a change thereto; matters involving a high liability risk for FINMA or having a long-term effect on FINMA’s reputation; and matters that are designated as such by at least three members of the Board of Directors. Thus, the BoD can be involved in making specific supervisory decisions, although FINMA explains the involvement of BoD on specific supervisory actions has been substantially reduced from its predecessor, EBK. The Executive Board, which is consist of CEO and Head of Divisions of FINMA, decides all matters that do not fall to BoD. In a few cases of lesser importance, the Executive Board may transfer this competence to the divisions. (Organizational Rules Art. 14) FINMA’s BoD as well as the Executive Board can, in urgent cases, pass resolutions via circular (including fax and email), making it possible to respond in a timely manner in the case of emergency. The Chair of the BoD can also take necessary decisions (Chairman’s resolutions) in lieu of the BoD (FINMA’s Organizational Rules Art. 9). FINMA’s internal governance rules at a lower level are mostly established in the Operational Regulations. Regarding conflicts of interest BoD members are required to be independent of the supervised persons and entities (FINMASA Art. 9). In addition, the Chair of the BoD is not allowed to carry out any other economic activities, nor hold any federal or cantonal office, unless they are in the interest of fulfilling FINMA’s tasks (FINMASA Art. 9). This restriction did not apply to other BoD members under the old rule, although they were not allowed to be members of executive boards or chairmen/vice chairmen of Boards of any supervised institutions. The authorities explain that recent appointments were only made under the condition that the candidate gives up any mandate in a supervised entity. Also, as described below, recusal rules apply to prevent potential conflict of interests. The authorities also introduced new rules in December 2013 prohibiting BoD members to engage in any activities in supervised institutions, although it will become effective from 2016. BoD also issued a Code of Conduct that is applicable to BoD and all staff members including members of the Executive Board. It sets out clear prescriptions regarding real and perceived conflicts of interest. For example, FINMA staff members who wish to assume an outside employment position needs to get an approval. Also, FINMA Personnel Ordinance regards outside work by a FINMA employee which results in a conflict of interest with the person’s activities within FINMA as incompatible with the employment with the FINMA, thus no approval will be granted. There are restrictions on transactions of securities of supervised entities, although it is somewhat relaxed for members of BOD who are not chair/vice-chair. The Code of Conduct also requires members of FINMA’s BoD, Executive Board and senior management to recuse themselves from consideration of matters concerning a supervised entity at which they were employed within the previous year.
EC5	The supervisor and its staff have credibility based on their professionalism and integrity. There are rules on how to avoid conflicts of interest and on the appropriate use of information obtained through work, with sanctions in place if these are not followed.
Description and findings re EC5	See EC4. FINMA’s Code of Conduct also includes the duty to protect the confidentiality of official matters (Art. 14). FINMA also has rules on the appropriate use of information (Regulations on the protection of information). In case of violation of these rules, sanctions such as dismissals can be imposed by FINMA (FINMA Personnel Ordinance Art. 10). A breach of official secrecy is liable to prosecution (Swiss Criminal Code Art. 320). The assessors found the quality of FINMA staff to be very high. This view is also generally shared by industry members who the assessment team met.
EC6	The supervisor has adequate resources for the conduct of effective supervision and oversight. It is financed in a manner that does not undermine its autonomy or operational independence. This includes: a budget that provides for staff in sufficient numbers and with skills commensurate with the risk profile and systemic importance of the banks and banking groups supervised; salary scales that allow it to attract and retain qualified staff; the ability to commission external experts with the necessary professional skills and independence, and subject to necessary confidentiality restrictions to conduct supervisory tasks; a budget and program for the regular training of staff; a technology budget sufficient to equip its staff with the tools needed to supervise the banking industry and assess individual banks and banking groups; and a travel budget that allows appropriate on-site work, effective cross-border cooperation and participation in domestic and international meetings of significant relevance (e.g., supervisory colleges).
Description and findings re EC6	FINMA is fully financially independent and has a stable and continuous source of funding. FINMA is funded by directly levying fees for individual cases and services as well as annual supervision charges on supervised entities (FINMASA Art. 15). FINMA’s costs not covered by specific fees are borne by the supervised banks. FINMA determines its budget for staff expenses itself, and the related fees and charges, on the base of its resource planning. FINMA views that it has adequate resources to conduct effective supervision and oversight as well as regulatory work on banks. In this context, it believes that its approach of making external audit firms an integral component (“extended arm”) of the supervisory process reduces the need for FINMA to have the specialized resources internally. Audit firms charge the costs of the regulatory audit directly to banks. FINMA’s budget for the banking supervision department has expanded from CHF 39.5 million in 2009 to CHF 65 million in 2013. The number of staff has increased from 371 FTE in 2010 to 442 FTE in 2012. Bank-related staff increased from around 87 FTE in 2010 to 98 FTE in 2012. Of these, some 38 are for off-site supervision and 22 are in risk management, both of whom also perform FINMA lead reviews. Authorization accounts for some 13 FTE and resolution/legal some 10-20 FTE. In addition, the authorities note that external auditors spend around 700 FTE per year for audit work in recent years. However that covers regulatory and financial audit and only some 200FTE of that is for regulatory audit across all categories of firms for normal supervision and some 135FTE is for special audits and model approval. FINMA did not have statistics for regulatory audit by category of banks. However based on the information for regulatory audit and financial audit combined, it appears that over two thirds would be for the Category 1 banks and foreign banks. FINMA has five off-site staff for each major bank, one each for the three Category 2 banks, seven for the approximately 30 Category 3 banks and 20 staff for the approximately 300 category 4 and 5 banks. Only some five of the risk management FTE time goes to banks in Categories 2–5. In certain specific areas such as operational risk, specialist staff is very limited. FINMA has put in place a head-count freeze. Senior management and the BoD is of the view that current staffing is adequate for banking regulation and supervision and do not see the need to increase it substantially. It informed assessors that the institution’s current focuses are on consolidating the institution after a rapid growth since FINMA’s establishment and on efficient use of existing resources. FINMA’s Personnel Ordinance sets out six different salary scales. FINMA explains that the framework of the salary range is sufficiently flexible to retain qualified staff at different levels, except those at the most senior levels. Also, FINMA states that it does not have understaffed key areas at the moment, and that it does not have much difficulty in attracting new staff, as it has a good reputation and can offer interesting jobs and good salaries. It acknowledges this is helped by the current market situation. Furthermore, FINMA relies on external auditors for some technical expertise. The recent turnover rates in the banking division are relatively low (6.8 percent in 2012, compared to 10.1 percent for FINMA overall). In the budgeting process, FINMA queries the scope of costs for external experts that have the necessary professional skills and independence with every department. Afterwards the amount of expected costs will be controlled by the CEO/Executive Board and the Board of Directors. If they agree, the expected costs are approved as a budget. Also during the budget formulation, a training budget has been explicitly set aside. In the years 2009 to 2011, the amount was CHF 2,000 per FTE per year, since 2012 the amount has been raised to CHF 3,000 per FTE. Every department has the responsibility to control the necessity of training for each person and to plan the training of staff. Regarding the budget for information system, required budget has been allocated. During the budget process, the necessity of additional IT tools is clarified, estimated and prioritized. Afterwards, the amount of expected costs will be approved by the Executive Board and the Board of Directors. Cost for travel is also considered during the budgeting process. The travel costs include trips for domestic and international meetings, on-site work, cross-border corporation and other important meetings. FINMA expresses that it does not experience any problem with these budgets.
EC7	As part of their annual resource planning exercise, supervisors regularly take stock of existing skills and projected requirements over the short- and medium-term, taking into account relevant emerging supervisory practices. Supervisors review and implement measures to bridge any gaps in numbers and/or skill-sets identified.
Description and findings re EC7	FINMA’s personnel planning focuses on determining that its future qualitative and quantitative staff needs are in line with the organization’s strategic needs e.g., FINMA’s Strategic Goals. FINMA states that it needs employees who have both competence and integrity, and operational demands (e.g., experience gained during supervisory reviews, changing supervision categories of several institutions, Basel III (Capital & Liquidity)) to perform its functions. The planned natural attrition of personnel in future years is matched with a succession planning. The resulting difference between supply and demand indicates the future quantitative and qualitative need for personnel. Further, this information feeds into the recruitment and development planning of personnel (e.g., planning personnel developing potential).
EC8	In determining supervisory programs and allocating resources, supervisors take into account the risk profile and systemic importance of individual banks and banking groups, and the different mitigation approaches available.
Description and findings re EC8	Supervisory programs and resource allocations follow a risk-based approach based on a pre-defined process (see CP8/9). For a bank requiring more attention, FINMA will assign more resources to ensure an appropriate level of supervision. The two biggest are overseen by a team of five to six people and supported by specialists in the risk unit as well as in the capital unit, making total FTE allocated to the two biggest banks around 30. For smaller banks, however, even for the three in Category 2, which could be domestically systemically relevant, only one person is assigned to a bank. For the roughly 30 banks in category 3 (which includes the cantonal banks), there are staff assigned, and for the smaller banks, a relationship manager oversees a portfolio of banks, which could consist of at least four to five banks. These supervisors are also supported by specialists, albeit to a much lesser degree. In discussions with assessors, those responsible for supervision of a range of smaller and mid-size banks indicate that between one-third and one-half of supervisory time overall is spent on AML/CTF and cross-border issues.
EC9	Laws provide protection to the supervisor and its staff against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. The supervisor and its staff are adequately protected against the costs of defending their actions and/or omissions made while discharging their duties in good faith.
Description and findings re EC9	FINMASA Art. 19 provides that FINMA is liable only if: a) its management bodies or its staff have committed a breach of fundamental duties; and b) loss or damage is not due to a breach of duty by a supervised person or entity. A breach of fundamental duties may have occurred if measures were taken in bad faith. FINMA and its staff are therefore appropriately protected from being held liable for supervisory measures conducted in good faith. Staff is not personally and directly liable in civil law for discharging their duties, although they can be prosecuted if permitted by the Department of Justice. If a staff member acts in good faith, FINMA’s policy is to cover the expenses of a criminal procedure (e.g., court and lawyer fees). The authorities report that litigations against FINMA have been relatively limited and there has not been any court ruling that is against FINMA since its establishment. No prosecutions or litigation has been made against staff members.
Assessment of Principle 2	Materially Non Compliant
Comments	Assessors are of the view that the current resources of FINMA are not sufficient to supervise and regulate the entire banking system effectively, including effective oversight of supervisory work done by external auditors, and that this is contributing to shortcomings in supervision and timely regulation, and weak practical implementation, as described in various CPs. FINMAs adherence to a head-count freeze, that it has decided upon, needs to be relaxed to achieve compliance and to achieve the recommendations in this report. This issue seems acute for middle sized banks which are not globally systemically important but still systemically important domestically. But even for the largest banks, the limited staff resources is constraining further in-depth supervisory work at the level of intensity and regularity being conducted elsewhere. For mid-size and smaller banks, there is a need to conduct more strategic work to address thematic issues that could have material implications, such as operational, legal and reputational risks. For regulatory work, the assessors found a few but important circulars are not updated as frequently as desirable. The assessors believe this is partly due to lack of personnel. The assessors understand that the use of external auditors as an extend arm of FINMA augment resources in FINMA. But, FINMA still needs to exercise enhanced oversight on regulatory audit activities and control quality by providing guidance, assessing works by auditors, and having frequent communications with them, which it understands and making efforts to improve the supervisory approach. There are also thematic supervisory reviews across ranges of banks that are not amenable to being assigned to regulatory auditors. While oversight of supervisors is necessary even in a system where supervision is mainly conducted ‘in-house’, more oversight work is needed where work is outsourced. Assessors appreciate that FINMA is rightly following a ‘quality instead of quantity’ resourcing strategy, but still see the need to increase its resources. Assessors saw no evidence of interference in FINMA’s day-to-day operational independence. However, the assessors view that there are some potential shortcomings in the current legal framework, including the legally stipulated need for FINMA to consider the competitiveness of Swiss financial center. The risk is that this could lead the supervisor to compromise their pursuit of safety and soundness of the banking system. The assessors are also concerned with the current Parliamentary initiative to upgrade this element of the FINMA’s objectives, and to limit FINMAs existing Pillar 2 authority. Related to the governance issue, the assessors found rules to address conflict of interest in FINMA were incomplete for members of FINMA BoD who were not the Chair and the Vice Chair. Given the current set up of the FINMA BoD which expects or permits the members to be involved in any decision regarding individual entities if supported by three of them, as well as regulatory issues that affect the industry, even with the recusal rules, there was a possibility that these gaps could damage the perceived credibility of the supervisor As noted in EC4, the authorities recently strengthened rules to address conflict of interest of members of FINMA BoD. Assessors welcome the decision but believe sound governance and ability to attract Board members could still be enhanced by more clearly delineating and limiting the FINMA Board’s ability to be involved in individual decisions. Thus, the assessors recommend the authorities take following actions: Increase resources for banking regulation and supervision in FINMA. Do not elevate the competitiveness objective in FINMA mandate. Instead, consider removing the reference to competitiveness if needed to avoid confusion and confirm that the primary objective for the supervisor is to promote the safety and soundness of banks and banking groups. Clarify and limit what decisions on individual institutions FINMA’s board should take. Maintain the current FINMA power to set Pillar 2 add-ons on a group of banks.
Principle 3	Cooperation and collaboration. Laws, regulations or other arrangements provide a framework for cooperation and collaboration with relevant domestic authorities and foreign supervisors. These arrangements reflect the need to protect confidential information.11
Essential criteria
EC1	Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with all domestic authorities with responsibility for the safety and soundness of banks, other financial institutions and/or the stability of the financial system. There is evidence that these arrangements work in practice, where necessary.
Description and findings re EC1	BA Art. 23 authorizes FINMA to share confidential information and documents with other financial market supervisory authorities such as the Federal Audit Oversight Authority, the Swiss stock exchanges as well as SNB. A formal arrangement exists between FINMA, the Federal Department of Finance and the Swiss National Bank based on a tripartite MOU for exchange of information and cooperation in the event of crisis. On the information exchange, the MOU establish a senior-level meeting that meets at least twice a year to exchange information on the macroeconomic environment, the situation in the financial markets and the banking sector, domestic regulatory initiatives as well as international regulatory initiatives and standards concerning the financial markets and the banking sector, and challenges and risks facing the Swiss financial center. On the cooperation in the context of a financial crisis, it sets up a high-level Steering Committee and a working-level Committee on Financial Crisis. The latter meets at least once or twice in a year, regardless of whether there is a crisis. Between FINMA and the SNB a Memorandum of Understanding (MOU) provides for exchange of views in the areas of: (1) assessment of the soundness of systemically important banks and/or the banking system; (2) regulations that have a major impact on the soundness of banks, including liquidity, capital adequacy and risk distribution provisions, where they are of relevance for financial stability; and (3) contingency planning and crisis management. (See CP 2) An informal and frequent communication is also taking place with SNB to share information, exchange views, and coordinate their activities, particularly on the biggest banks. Furthermore, FINMA shares relevant confidential information and cooperates with federal and cantonal prosecution authorities, according to FINMASA Art. 38. Also, information can be shared with other domestic regulators including the Takeover-Board and the Competition Committee under the Anti-Money Laundering Act (AMLA) Art. 29.
EC2	Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with relevant foreign supervisors of banks and banking groups. There is evidence that these arrangements work in practice, where necessary.
Description and findings re EC2	FINMA has arrangements on cooperation and information exchange with foreign supervisory authorities. FINMA currently has MOUs with 17 jurisdictions, including most major financial centers. These MOUs specify, amongst other things, cooperation on information exchange and on-site inspection within the statutory framework provided by legislation. FINMA is an active organizer of and participant in Supervisory Colleges for cross-border institutions. For the two big Swiss banks, FINMA organizes an annual meeting with all interested foreign supervisory authorities which are of importance for the respective banking group (“general colleges”). In addition, more focused “core colleges” with the key US and UK regulators take place semi-annually. Typically, a US-based meeting focuses on investment banking activities, while a Swiss-based meeting focuses on wealth management activities. These extensive colleges complement bilateral international cooperation. For the two big banks, FINMA also conducts a few joint supervisory reviews annually with UK and US supervisors. This usually takes a form of sending several of its staff members to on-site works by the foreign supervisors, but FINMA also leads supervisory reviews where UK and US supervisors participate in the on-site work. FINMA highly values these exercises, as they promote deeper sharing of views and information among the supervisors, and can send strong and coordinated messages to the banks. FINMASA Art. 42 authorizes FINMA to cooperate with a foreign supervisory authority even in the absence of a specific agreement. If the cooperation involves the exchange of confidential data, FINMA generally requires an ad-hoc declaration from the requesting supervisory authority stipulating that: the information may only be used for the direct supervision of the regulated institutions; the supervisory authority is bound by official or professional confidentiality provisions; and the information may not be published or passed on to other authorities and bodies, including other supervisory or criminal prosecution authorities, without the prior consent of FINMA. FINMA explains that it receives a substantial number of requests each year, and that it is able to provide requested information in most of the cases. FINMA explains strong cooperation with other foreign supervisory authorities was necessitated and took part in international cases where Swiss banks are involved, such as the case regarding LIBOR or a substantial trading loss of a big Swiss bank that took place outside of Switzerland.
EC3	The supervisor may provide confidential information to another domestic authority or foreign supervisor but must take reasonable steps to determine that any confidential information so released will be used only for bank-specific or system-wide supervisory purposes and will be treated as confidential by the receiving party.
Description and findings re EC3	Regarding cooperation with domestic authorities, the legal provisions stipulate that FINMA is authorized to transmit confidential information and documents to another domestic authority if they require the information to fulfill their duties. (FINMASA, Art. 38, BA Art. 23bis, AMLA Art. 29) Swiss legislation (BA Art. 43, Criminal Code Art. 320) provides for professional secrecy obligations, breach of which is subject to criminal law prosecution. Concerning foreign authorities, as described in EC 2, FINMASA Art. 42 expressly requires that in order to share non-public information with another competent foreign authority, the latter must be subject to official or professional secrecy and that the information is to be used exclusively for the direct supervision of foreign institutions. FINMA insists on a declaration by the foreign supervisor that the information will be used as confidential as an integral part of the request for administrative assistance with regard to compliance with the rules of confidentiality. FINMA also demands that the requesting authority grant an explicit warranty that the transmitted information and documents are used exclusively for the direct supervision of foreign institutions and that the transmitted information and documents are passed on to competent authorities or to bodies that are entrusted with supervisory duties that lie in the public interest only on the basis of a general authorization in an international treaty or with FINMA’s prior consent. FINMA notes that experience shows that foreign counterparts respect the confidentiality of information provided by FINMA.
EC4	The supervisor receiving confidential information from other supervisors uses the confidential information for bank-specific or system-wide supervisory purposes only. The supervisor does not disclose confidential information received to third parties without the permission of the supervisor providing the information and is able to deny any demand (other than a court order or mandate from a legislative body) for confidential information in its possession. In the event that the supervisor is legally compelled to disclose confidential information it has received from another supervisor, the supervisor promptly notifies the originating supervisor, indicating what information it is compelled to release and the circumstances surrounding the release. Where consent to passing on confidential information is not given, the supervisor uses all reasonable means to resist such a demand or protect the confidentiality of the information.
Description and findings re EC4	FINMA treats information from other supervisors as confidential and uses the information only for the direct supervision of the regulated institutions. Members of FINMA BoD and FINMA employees are bound by official secrecy under FINMASA Art. 14, FINMA Employees Act and the FINMA Code of Conduct. This duty applies not only with regard to third parties outside the government but also towards other offices of the federal or cantonal administration. In addition, FINMA must comply with the Data Protection Act that imposes restrictions on the processing of personal data. A violation of official secrecy may lead to administrative disciplinary measures and a prison sentence or a fine under Art. 320 of the Criminal Act. As a result, FINMA may in principle neither disclose confidential information nor transfer such information to third parties. However, FINMA has the competence to decide whether to waive official secrecy, according to a decision of the Swiss Supreme Court. In addition, FINMA is an ordinary member (member A) of the IOSCO MMoU. Under Articles 10 and 11 of the IOSCO MMoU, the principle of confidentiality and the principle of specialty are regarded to be great importance and have to be strictly implemented by each member. In the event that FINMA is legally compelled to disclose confidential information it has received from another supervisor, FINMA will promptly notify the originating supervisor, indicating what information it is compelled to release and the circumstances surrounding the release. Where consent to passing on confidential information is not given, FINMA will use all reasonable means to resist such a demand. FINMA may refuse to disclose information that is not publicly accessible or to hand over files to prosecution authorities and other domestic authorities where: (a) the information and the files solely serve the purpose of forming internal opinions; (b) their disclosure or handover would prejudice ongoing proceedings or the fulfillment of its supervisory activity; or (c) it is not compatible with the aims of financial market supervision, or with its purpose. (FINMASA Art. 40) FINMA notes that it has not been requested or ordered to disclose confidential information received from another supervisor.
EC5	Processes are in place for the supervisor to support resolution authorities (e.g., central banks and finance ministries as appropriate) to undertake recovery and resolution planning and actions.
Description and findings re EC5	FINMA acts as both supervisor and resolution authority. Domestic cooperation among FINMA, SNB and FDF is provided in the framework established by the tripartite MOU. As described in EC 1, this MOU sets up a framework to deal with a crisis that threatens the stability of the Swiss financial system, that includes Steering Committee (SC) and the Committee on Financial Crisis (CFC). SC is in charge of performing strategic coordination of crisis management and any interventions to address the crisis, and will be made up of the Head of FDF who will chair the committee, the Chair of Governing Board of SNB and the Chair of FINMA. CFC consists of CEO of FINMA (chair) Vice Chair of the SNB Governing Board, and the Director of Federal Finance Administration, a unit in FDF. CFC is responsible for coordinating precautionary efforts and for crisis management. Even in non-crisis times, a meeting is held once or twice a year as a rule. In practice, the CFC meeting has been held regularly and frequently in recent years to share information on Swiss financial sector in response to the difficult environment surrounding global financial sectors. BA Art. 37f allows FINMA to coordinate with foreign authorities in case of foreclosure proceedings against a bank involves processes abroad. This Article aims in particular at avoiding creditors to avail themselves of deficient coordination to get overcompensation for their losses.
Assessment of Principle 3	Compliant
Comments
Principle 4	Permissible activities. The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined and the use of the word “bank” in names is controlled.
Essential criteria
EC1	The term “bank” is clearly defined in laws or regulations.
Description and findings re EC1	BO Art. 2a defines banks as enterprises which are active mainly in the field of finance and in particular those: who accept deposits from the public on a professional basis or solicit these publicly in order to finance in any way, for their own account, an undefined number of unrelated persons or enterprises, with which they do not form an economic unit, or who refinance themselves in substantial amounts from a number of banks which are not significant shareholders and with which they do not form an economic entity in order to provide any form of financing for their own account to an undefined number of unrelated persons or institutions.
EC2	The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined either by supervisors, or in laws or regulations.
Description and findings re EC2	The Swiss banking system is based on the universal banking model and laws or regulation does not clearly define the permissible activities of banks. The banking license, in principle, authorizes exercise of a whole range of possible financial services (such as deposit, credit, asset management, trading, etc.). Non-banking activities are also permitted, provided that the main character of the bank as an institution continues to be mainly active in the field of finance. Unless the institution is not mainly active in the field of finance, it can be licensed as a bank. In supervisory practice, however, the scope of the bank’s operations needs to correspond to its financial capacities, personal resources and organizational structure. The bank must describe precisely its field of business operations with regard to its objectives and geographic terms in articles of incorporation, by-laws and business rules (BO Art. 7 paras. 1 and 3). Articles of incorporation, by-laws and internal regulation of the banks, including there revisions, are subject to FINMA’s formal approval (BA Art. 3 para 3). These documents provide a detailed scope of bank’s operation. Thus, FINMA can restrict and control the scope of bank’s activities. Banks which directly engage in insurance underwriting and selling are prohibited by the Insurance Supervision Act. Moreover, banks’ shareholding of non-financial firms are restricted to not more than 15 percent of their eligible capital and the total amount of such participation to not more than 60 percent. (BA Art. 9 para 4)
EC3	The use of the word “bank” and any derivations such as “banking” in a name, including domain names, is limited to licensed and supervised institutions in all circumstances where the general public might otherwise be misled.
Description and findings re EC3	The term “bank” or “banker”, alone or in combination with other words, may only be used in the company name, designation of the business purpose or advertising, in the case of institutions which have obtained a license from FINMA (BA Art. 1 para 4). A violation to this provision could result in a fine of up to CHF 500,000 (BA Art. 49 para 1). On the contrary, there is no requirement for licensed banks to have the word “bank” in their names.
EC4	The taking of deposits from the public is reserved for institutions that are licensed and subject to supervision as banks.12
Description and findings re EC4	As a rule, only licensed banks are permitted to solicit deposits from the public on professional basis (BA Art. 1 para 2.). Accepting more than 20 deposits on a continuous basis is deemed as soliciting deposits on professional basis (BO Art. 3a para 2). This prohibition extends to all entities including natural persons, except in cases where the Federal Council provides exception where the protection of the depositors is insured. In practice, this is limited to corporate bodies that are established under public law where the state takes full responsibility for their liabilities (BO Art. 3a para 1). Such establishments are regulated and supervised based on individual regulations of public law. They are considered to be as equally stable as common banks licensed by FINMA. However, after the transformation of the postal saving to a licensed bank, there is no significant deposit taking entity outside of licensed banks.
EC5	The supervisor or licensing authority publishes or otherwise makes available a current list of licensed banks, including branches of foreign banks, operating within its jurisdiction in a way that is easily accessible to the public.
Description and findings re EC5	Lists of licensed banks operating in Switzerland, including branches of foreign banks as well as representative offices, are maintained and published on FINMA’s website in four different languages (German, French, Italian, and English).
Assessment of Principle 4	Compliant
Comments
Principle 5	Licensing criteria. The licensing authority has the power to set criteria and reject applications for establishments that do not meet the criteria. At a minimum, the licensing process consists of an assessment of the ownership structure and governance (including the fitness and propriety of Board members and senior management)13 of the bank and its wider group, and its strategic and operating plan, internal controls, risk management and projected financial condition-(including capital base). Where the proposed owner or parent organization is a foreign bank, the prior consent of its home supervisor is obtained.
Essential criteria
EC1	The law identifies the authority responsible for granting and withdrawing a banking license. The licensing authority could be the banking supervisor or another competent authority. If the licensing authority and the supervisor are not the same, the supervisor has the right to have its views on each application considered, and its concerns addressed. In addition, the licensing authority provides the supervisor with any information that may be material to the supervision of the licensed bank. The supervisor imposes prudential conditions or limitations on the newly licensed bank, where appropriate.
Description and findings re EC1	FINMA is the legally established authority that issues banking licenses (BA Art. 3 para 1). Licenses (new licenses and changes in licensing requirements) are processed by a separate organizational unit (Authorization Department) that, alongside the banking supervisory sections, belongs to the Banks division. FINMA explains that the licensing and supervisory sections work closely together. When issuing licenses and changing licensing requirements, opinions are exchanged that take ongoing supervision into consideration. If there are differences of opinions, the division head will be involved to solve the issue. FINMA recognizes the importance of licensing processes given the country’s financial center function. The interest to establish operations in the country is still high in recent years with 55 preliminary as well as formal applications has been submitted in the last five years. New licenses contain conditions and requirements that must be considered when setting up a company. Initially, the business activities that the bank is allowed to conduct are limited, based on bylaws and other major internal rules authorized by FINMA. Those activities are then allowed to be expanded in a controlled manner, taking financial, personnel and organizational resources of the bank into consideration. As noted in CP 4, even after the initial stage, FINMA controls the scope of banks’ activities through authorization of their bylaws and other major internal rules which are required to state their business lines in a detailed manner. Unless authorized by FINMA, these rules will not be entered in to the commercial register and not become effective. During the first few years, a number of interim audits are conducted. Depending on the case in question, it is also possible to determine certain areas to be audited that require special attention when the bank is being set up.
EC2	Laws or regulations give the licensing authority the power to set criteria for licensing banks. If the criteria are not fulfilled or if the information provided is inadequate, the licensing authority has the power to reject an application. If the licensing authority or-supervisor determines that the license was based on false information, the license can be revoked.
Description and findings re EC2	BA Art. 3 provides a number of criteria for licensing banks: Clear scopes of business and adequate organizational frameworks corresponding to their business activities; Establishment of separate bodies for management for one and for providing direction, supervision and control; Fully paid up capital that exceed the minimum determined by the Federal Council (CHF 10 million (BO Art. 4 para 2)); Persons for management who are of good reputation and be able to guarantee the proper conduct of business operations; Natural persons or legal entities that has qualified participation to guarantee that their influence will not have a negative impact on the sound and prudent management of banks; and Persons in charge of management to be domiciled in a place where they can exercise effective management and assume responsibilities. These broad provisions provide FINMA considerable room to set the licensing benchmark appropriately on a case-by-case basis, incorporating specific aspects that need to be addressed in order to be issued with a license for a particular case. FINMA further specifies its requirements for licensed banks in ordinances, circulars and FAQs, which apply to not only ongoing banks but also newly licensed banks. FINMA also publishes a guideline that lists documents an applicant need to submit, that includes detailed information regarding persons responsible for management, organizational framework, business plans, and budgets for first three years. Detailed official interpretation of the above criteria is not published or internally defined, but a booklet written by FINMA staff members explaining licensing process are widely used as reference by FINMA staff and the industry. Licensing process is conducted by the authorization department of FINMA. The staff of the department assess adequacy of application and their compliance to the licensing framework. In addition, an external auditor who will not become a regulatory auditor of the bank needs to assess the compliance of the applicant vis-à-vis licensing requirements. If the licensing requirements cannot be met, incomplete information is submitted or FINMA is not convinced about compliance with the licensing requirements for some other reason, the license is refused and the application is rejected. FINMA is authorized to issue formal decrees stating that a license has not been granted. Under the administrative procedural law in Switzerland, appeals can be made against those decrees to the Federal Administrative Court. Generally, however, applicants will usually withdraw their applications when a negative indication is informally communicated. Licenses issued that are based on incorrect information can be revoked under rules set out in the general administrative procedural law, although it has not happened to date. If there are few shortcomings and they can be remedied, less stringent measures can be taken.
EC3	The criteria for issuing licenses are consistent with those applied in ongoing supervision.
Description and findings re EC3	As mentioned in EC 2, the regulatory framework that applies to ongoing banks are also applies to newly established banks. Thus, during the licensing process, FINMA assesses whether the applicant will be able to meet requirements applied in ongoing supervision, in addition to the requirements only applied for licensing. Moreover, after banks are licensed, FINMA continuously monitors if banks are complying the conditions for licensing. This is one of the main issues that regulatory auditors assess.
EC4	The licensing authority determines that the proposed legal, managerial, operational and ownership structures of the bank and its wider group will not hinder effective supervision on both a solo and a consolidated basis.14 The licensing authority also determines, where appropriate, that these structures will not hinder effective implementation of corrective measures in the future.
Description and findings re EC4	As noted above, BA Art. 3 para 2 stipulates that banks need to establish an adequate organization corresponding to the proposed business activities. Therefore, only structures that can be suitably supervised are permitted in which supervisory requirements can be implemented effectively. Structures that impede supervision, for example, very complex participation structures that are not transparent, are not permitted. The same paragraph requires senior management of a bank domiciled in Switzerland must be resident in the place where they manage and bear responsibility for the bank. This is to ensure that the main management functions of a Swiss bank are in Switzerland, including for globally active banks. In the case of latter, at least the majority of senior management, including those who assume the most important leadership responsibilities, needs to reside in the vicinity in which the bank is domiciled. The same applies at group level: if FINMA is responsible for supervising the group, effective group control should be anchored credibly in Switzerland. Business structures (off-shore/shell entities) without substance are not allowed. If a foreign bank operates from Switzerland or does business only or primarily in or from Switzerland, its organization must comply with Swiss law and is subject to the provisions for Swiss banks. (FBO-FINMA, Art. 1 Para 2)
EC5	The licensing authority identifies and determines the suitability of the bank’s major shareholders, including the ultimate beneficial owners, and others that may exert significant influence. It also assesses the transparency of the ownership structure, the sources of initial capital and the ability of shareholders to provide additional financial support, where needed.
Description and findings re EC5	The fit and proper test are applied for qualified shareholders and other persons substantially influencing a bank during the licensing process and banks must comply to the requirement on an ongoing basis (BA Art. 3 para 2 let. c.bis). Qualified participation is defined in the same paragraph of BA as holding directly or indirectly at least 10 percent of the capital or voting rights of a bank or persons who are in any other way able to influence the bank’s business activities in a significant manner. BA requires qualified participants of banks to guarantee that their influence will not have a negative impact on the sound and prudent management of the bank. The authorities explain that, in comparison with directors and managers, the fit and proper requirement for qualified shareholders focuses more on reputational aspects and not on banking experience and technical know-how. These are usually assessed through references and other means, including interviews if necessary. To enforce the fit and proper standard, FINMA is authorized to impose sanctions that include the suspension of voting rights or revocation of the banking license (BA Art. 23 ter), although this rarely happens. This fit and proper requirement also aims at granting a clear and transparent participation structure up to the ultimate beneficial owner. BO Art. 6 para 2 requires legal entities who have qualified participation in an applicant to provide information regarding their group structures; para 4 requires persons holding qualifying participation to declare the participation is for their own account or on a fiduciary basis. In addition, significant shareholders are required to disclose the origin of their wealth and provide evidence of the capacity to inject further capital if needed. Qualified shareholders and banking institutions are under a legal duty to report relevant shareholdings and any changes to FINMA.
EC6	A minimum initial capital amount is stipulated for all banks.
Description and findings re EC6	BO Art. 4 para 1 stipulates that fully paid in capital must amount to at least CHF 10 million. In the event that a founding shareholder decides to contribute assets other than cash in exchange for the shares issued by the new company, the value of the assets contributed and the extent of liabilities of the shareholder must be verified by a recognized auditing firm and be confirmed to FINMA before authorization. If an existing corporation is converted to a bank, not only paid in capital but also the entire amount of Core Equity Tier 1 can be counted to constitute the initial capital with permission by FINMA. There is also an exception for banks affiliated with a central organization and guaranteed by it. (Bo Art. 4 paras. 2,3)
EC7	The licensing authority, at authorization, evaluates the bank’s proposed Board members and senior management as to expertise and integrity (fit and proper test), and any potential for conflicts of interest. The fit and proper criteria include: (i) skills and experience in relevant financial operations commensurate with the intended activities of the bank; and (ii) no record of criminal activities or adverse regulatory judgments that make a person unfit to uphold important positions in a bank.15 The licensing authority determines whether the bank’s Board has collective sound knowledge of the material activities the bank intends to pursue, and the associated risks.
Description and findings re EC7	BA Art. 3 para 2 requires that “the persons charged with the administration and management of the bank must be of good reputation and must guarantee the proper conduct of business operations”. Further, FINMA FAQs on Board of directors of banks and securities dealers, which is applicable to both newly established banks as well as ongoing banks, provide further details by stipulating that “the members of the supreme governing body should enjoy a good reputation and have sufficient leadership skills, both individually and as a group, as well as the necessary specialist knowledge and experience in banking and finance” and “the body as a whole should have a sufficiently broad background mainly to ensure that—in addition to the main business operations—all other important areas such as finance and accounting, risk management, controlling and compliance are adequately represented”. Similar provisions also exist for financial groups and financial conglomerates (BA Art. 3f). Further, BO provides that all members of the board and management must enjoy an excellent reputation and give proof of no previous convictions and that they are expected to disclose all the details of any completed or pending legal and administrative proceedings (Art. 6 para 1). As mentioned above, the FAQ explains that the bank’s board members need to understand the corporate structures and risks of the institution’s individual business areas and those of the company or group as a whole. In practice, assessors were informed that if the potential candidates are often already known to FINMA or their CVs show conclusive evidence of relevant professional experiences and absence of indications of irregularities, the assessment is done on the basis of the standard documents mentioned in BO Art. 6, i.e., information on their nationality, residency, qualified participations in other companies, and any pending legal or administrative proceedings, as well as signed CVs, references and extracts from the Central Penal Register. In less obvious cases, FINMA applies many other methods to evaluate evidence and conduct further background checks. Additional information can be obtained for example via investigations of the professional or private environment of the person, inquires with other authorities or foreign embassies, investigations using on-line tools (e.g., World Check, Factiva, Google, IOSCO-Portal), assessment of transparency over the due diligence process regarding and behavior in the authorization procedure, and disclosures on remuneration and source of the person’s private wealth. Moreover, candidates for major positions of the Board and management (regularly the Chair, the CEO and other key positions) are personally interviewed by FINMA. Credible references are an important part of the process. In case doubts remained and a negative decision is made regarding a particular candidate, it will be communicated to the applicant. Unless the disputed candidate is not replaced, the license application will be rejected. FINMA explains that this happens from time to time.
EC8	The licensing authority reviews the proposed strategic and operating plans of the bank. This includes determining that an appropriate system of corporate governance, risk management and internal controls, including those related to the detection and prevention of criminal activities, as well as the oversight of proposed outsourced functions, will be in place. The operational structure is required to reflect the scope and degree of sophistication of the proposed activities of the bank.16
Description and findings re EC8	FINMA states that the proposed business strategy and business plan are the key elements that are examined when approving license applications; for example, they are decisive factors in determining adequacy of banks’ internal organizational regulations as the bank’s operational structures must be balanced proportionally with the planned business activities. The guidelines for licensing application requires applicants to submit a comprehensive set of documents regarding strategic and operation plans including: Detailed description of the business activities and the corresponding processes; Articles of Incorporation, partnership agreements and regulations, which are tailored to the business activities; Organization of the applicant; Additional information on the organization, such as staffing, infrastructure and information system, outsourcing, internal control and risk management, separation of functions, compliance and due diligence, internal audit; Business plan for the first three financial years (business development, the clientele, the staff and the organization, etc.); and Financial statements for the first three financial years (balance sheets, income statements). According to the authorities, during the licensing process, the following aspects are analyzed separately in detail according to granular requirements prescribed in FINMA circulars and FAQs for both on-going banks as well as applicants: A balanced management structure with two management levels – the Board and management. The independence of Board as well as an adequate composition of the Board that reflects operation of the banks is required. (BA Art. 3 para 2, BO Art. 8, FINMA FAQs on Board of directors and securities dealers). An adequate internal organization, particularly regarding separation of functions, an effective, internal control system, incl. risk management and compliance (BA Art. 3 para 2, BO Art. 9, FINMA Circular 08/24). Effective measures to comply with due diligence obligations and combating money laundering and terrorist financing (AMLA, AMLO-FINMA). Compliance with provisions on proper outsourcing (FINMA Circular 08/7).
EC9	The licensing authority reviews pro forma financial statements and projections of the proposed bank. This includes an assessment of the adequacy of the financial strength to support the proposed strategic plan as well as financial information on the principal shareholders of the bank.
Description and findings re EC9	As noted above, an applicant submits business plan and financial statements for the first three business years (including balance sheets, income statements and capital planning). This includes results assuming different scenarios. The above mentioned guidelines also require assessment reports on business plans and budgets by an external auditor; the auditor is expected to examine the prospective financial information closely and to judge its plausibility. FINMA accepts banks to be unprofitable during their initial stages as long their business plans are sound in the medium-term. If FINMA judges the business plan is too vague or there is any doubt about how it can be realized, the license application will be rejected. The principal shareholders and other important parties must be able to prove to FINMA that they are capable financially of supplying the bank with more fresh capital if necessary and that they can answer for the sustainable development of the company.
EC10	In the case of foreign banks establishing a branch or subsidiary, before issuing a license, the host supervisor establishes that no objection (or a statement of no objection) from the home supervisor has been received. For cross-border banking operations in its country, the host supervisor determines whether the home supervisor practices global consolidated supervision.
Description and findings re EC10	The home regulator is asked for a statement of no objection in the case of foreign banks establishing a branch or subsidiary (for branches, FBO-FINMA Art. 4; for subsidiaries FBO-FINMA Art. 3bis para 1bis). In the case of branches or subsidiaries of a foreign financial group, the lead home regulator is asked for a statement about adequate supervision at a consolidated basis (for branches, FBO-FINMA Art. 4 para 2; for subsidiaries, BA Art. 3b). FINMA also assesses by itself the adequacy of consolidated supervision by the home supervisor through variety of information, including FSAP reports.
EC11	The licensing authority or supervisor has policies and processes to monitor the progress of new entrants in meeting their business and strategic goals, and to determine that supervisory requirements outlined in the license approval are being met.
Description and findings re EC11	As explained above, initially and during the set-up phase of a bank, FINMA takes various measures; as a rule, the license is at first linked to different requirements and conditions to ensure that the bank can conduct its business in an orderly manner and that its organization functions well. Moreover, the scope of the bank’s business activities during the initial set-up phase will be limited. Once financial and organizational resources permit, the areas in which the bank conducts business can be gradually extended in order to ensure a controlled growth. This is controlled through authorization of banks’ bylaws and business rules. The newly authorized institution is subject to immediate, ongoing supervision. During the set-up phase, various interim audits by external auditors are requested with designated special areas to be audited.
Assessment of Principle 5	Compliant
Comments	The discussion with the staff in charge of licensing as well as review of typical licensing files shows a robust process is in place in assessing various licensing requirements, including the fit and proper test for members of the Board and senior management and other aspects referred to in this principle.
Principle 6	Transfer of significant ownership. The supervisor17 has the power to review, reject and impose prudential conditions on any proposals to transfer significant ownership or controlling interests held directly or indirectly in existing banks to other parties.
Essential criteria
EC1	Laws or regulations contain clear definitions of “significant ownership” and “controlling interest”.
Description and findings re EC1	BA Art. 3 para 2 defines “qualified participation” as direct or indirect holding of at least 10 percent of a bank’s capital or voting rights or having ability to influence the bank’s business activities in a significant manner in any other way. While there is no regulation or guidance that provides more detailed interpretation of the latter, the authorities explain this is applied flexibly to intercept other de facto and de jure influential elements. Examples include the case of parties that have beneficial ownership or have close ties that can exercise their influence based on a shareholders’ agreement or mutual informal arrangements. FINMA explains that consideration is also taken of particularly significant financial or personal dependency relationships such as having additional top management positions or large-scale business dependencies. Even a relatively small amount of shares combined with option elements (e.g., call option to increase to above 10 percent) may be considered as qualified participation ‘by other means’.
EC2	There are requirements to obtain supervisory approval or provide immediate notification of proposed changes that would result in a change in ownership, including beneficial ownership, or the exercise of voting rights over a particular threshold or change in controlling interest.
Description and findings re EC2	BA Art. 3 paras. 5 and 6 prescribes that FINMA is to be informed in advance about any changes in qualified participation, regardless at which level. This reporting requirement concerns buyers and sellers, as well as the bank. Ultimate beneficial owner (UBO) is regarded as indirect qualified participation and is also subject to this reporting requirement. The transaction can only be carried out once FINMA has approved the notification. This notification requirement is also necessary when a qualified participation is increased or reduced thereby exceeding or falling below the thresholds of 20 percent, 33 percent, or 50 percent of the capital or the voting rights. As mentioned above, the definition of qualified participation includes direct and indirect holding of shares or voting rights, thus including ultimate beneficial owners (UBOs), as well as having ability to influence the bank’s business activities in a significant manner. In order to determine UBO, persons having qualified participation in banks must inform FINMA if participation has been acquired for their own account or on behalf of third parties, and if the participation is linked to options or similar rights. (BO Art. 6 para 3). However, as mentioned in EC2, what should constitute “having ability to influence the bank’s business activities in a significant manner” is not publicly defined in any detail. Other jurisdictions often have at least some further criteria specified as to what has to be considered in determining influence. If a foreign-owned bank experiences a change in foreigners with qualified participation or if a bank undergoes foreign ownership, it is necessary to apply for an additional license (BA Art. 3 paras. 5 and 6 and Art. 3ter).
EC3	The supervisor has the power to reject any proposal for a change in significant ownership, including beneficial ownership, or controlling interest, or prevent the exercise of voting rights in respect of such investments to ensure that any change in significant ownership meets criteria comparable to those used for licensing banks. If the supervisor determines that the change in significant ownership was based on false information, the supervisor has the power to reject, modify or reverse the change in significant ownership.
Description and findings re EC3	FINMA understands that it has power to prohibit intended changes in participation about which it has been notified that do not meet the requirements set down in laws and regulations. Changes made with incorrect information provided to FINMA can be revoked. Depending on the case, if there are only few shortcomings and they can be remedied, less stringent measures can be taken. In order to restore lawful conditions, FINMA can adopt appropriate measures in cases where changes in participation have already been made (FINMASA Art. 31). Licenses and other authorization made can be revoked in particularly serious cases (Art. 37 FINMASA); furthermore, it is possible to suspend shareholders’ voting rights (see Art. 23ter BA). Revoking licenses and the other measures described are implemented by way of enforcement proceedings. See CP 11 for details of these enforcement proceedings. In practice, no transfer of significant ownership have been denied in the past five years, but a few application have been withdrawn as FINMA communicated that there is no prospect of them to be approved.
EC4	The supervisor obtains from banks, through periodic reporting or on-site examinations, the names and holdings of all significant shareholders or those that exert controlling influence, including the identities of beneficial owners of shares being held by nominees, custodians and through vehicles that might be used to disguise ownership.
Description and findings re EC4	Banks must report all direct and indirect qualified participations as soon as they have knowledge thereof, at least however once a year and within 60 days following the end of the financial year (BA Art. 3 para 6). The list should include details as to the identity and the share of equity of holders of qualified participation, and necessary documents for those parties in case where the documents have not been submitted before (BO Art. 6a). This includes identities of beneficial owners if parties having direct participation declare if the participation is not for their own account.
EC5	The supervisor has the power to take appropriate action to modify, reverse or otherwise address a change of control that has taken place without the necessary notification to or approval from the supervisor.
Description and findings re EC5	FINMA has the power to address holding of qualified participation that has taken place without the necessary notification to it, including modifying or reversing it. Please refer to EC3 above.
EC6	Laws or regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest.
Description and findings re EC6	FINMASA Art. 29 para 2 requires supervised banks to report immediately and without being asked any incidents that are of substantial importance to supervision. FINMA explains that this includes important information about qualified shareholders who may influence the bank’s reputation or its sound business activities negatively and this understanding is shared with banks.
Assessment of principle 6	Largely Compliant
Comments	The above grade reflects lack of detailed guidance on who are included in the qualified participation as having ability to influence the bank’s business activities in a significant manner. The current regulatory framework relies on banks to report changes in the qualified participation; it is important to establish a shared understanding on the definition of it. Licensing staff indicated that they and banks apply the generally-worded criteria in practice in ways that have not caused problems to date. The assessors understand the need for flexibility in defining the qualified participation, and thus believe the detailed guidance or interpretation should not be an exhaustive list; instead, it should include general qualitative criteria or further (non exhaustive) items that are included on which to assess the ability to influence the bank’s business activities in a significant manner and several concrete examples.
Principle 7	Major acquisitions. The supervisor has the power to approve or reject (or recommend to the responsible authority the approval or rejection of), and impose prudential conditions on, major acquisitions or investments by a bank, against prescribed criteria, including the establishment of cross-border operations, and to determine that corporate affiliations or structures do not expose the bank to undue risks or hinder effective supervision.
Essential criteria
EC1	Laws or regulations clearly define: (a) what types and amounts (absolute and/or in relation to a bank’s capital) of acquisitions and investments need prior supervisory approval; and (b) cases for which notification after the acquisition or investment is sufficient. Such cases are primarily activities closely related to banking and where the investment is small relative to the bank’s capital.
Description and findings re EC1	Switzerland has three different restriction/requirements on specific types of acquisitions and investment. First, BO Art. 3 para 7 stipulates that banks organized pursuant to Swiss law shall notify FINMA before they establish a subsidiary, branch, agency, or representative office abroad. This provision is understood to include acquisition of participating interests in foreign companies active in the financial sector (Guidelines on preliminary reporting requirements for establishing physical presence abroad). Also, as explained in CP 6, this notification is understood to require FINMA’s approval and FINMA can reject it. According to the Guidelines, financial groups subject to FINMA group supervision are also required to report the acquisition of participating interests by entities shown within the scope of consolidation. BA Art. 6b provides information to be submitted for this notification to be as follows: A business plan which, in particular, describes the type of planned transactions and the organizational structure; The address of the business offices abroad; The names of the persons responsible for administration and management; The audit company; and The supervisory authorities of the host country. FINMA explains that this information serves to ensure that reporting banks are organized properly, have sufficient financial means, and establish solid risk management. FINMA also examines if the country where the bank plans to establish presence has laws or regulations prohibiting information flows necessary for adequate consolidated supervision and takes into consideration the effectiveness of supervision in the host country, and FINMA’s own ability to exercise supervision on a consolidated basis. In addition, the information is used for FINMA to respond to any applications or inquiries made by the host supervisor. Based on information provided in these reports as well as existing information on the bank, FINMA decides either to accept or reject the bank’s planned international activities or changes. Second, the business strategy and organization of a bank is defined in its strategy (business plan), its articles of incorporation and in its main organization and business rules as called for by BO Art. 3 para 2. Also, BA Art. 7 stipulates that the nature and geographic scope of the bank’s business activities must be accurately described in its articles of incorporation, its shareholder agreements, or its bylaws. Thus, it is understood that significant acquisitions and investments that require these rules to be changed (in particular the articles of incorporation and organization and business rules including specific delegations of competences) are subject to FINMA’s approval. Such changes may not be entered in the Commercial Register unless they have been approved by FINMA (BA Art. 3 para 3). The discussion with relevant staff members of FINMA showed this process is conducted rigorously. However, acquisitions and investments that do not need these rules to be changed, such as expansion of current business lines, may not require change in those rules thus out of the scope of FINMA’s approval. Laws and regulations do not provide detailed guidance. Third, investments in any company by a bank or by a company belonging to the same group may not exceed 15 percent of the net own funds of the bank or of the consolidated group to which the bank belongs. Additionally, the total of financial fixed assets of a nonaffiliated company acquired for the purpose of investment may not exceed 60 percent of the net own funds of the bank or the consolidated group. (BA Art. 4 para 4) The Capital Adequacy Ordinance (CAO) provides exceptions to the limits mentioned above where such investments are acquired for restructuring purposes or for the purpose of temporary emission, or the difference between the carrying value of these investments and the limits applicable is fully covered by eligible capital (CAO Art. 13). In addition, the BA Art. 4 bis prescribes that a bank’s participation in any single company must be proportionate the bank’s eligible capital (Art. 4bis BA; Art. 13 of the CAO).
EC2	Laws or regulations provide criteria by which to judge individual proposals
Description and findings re EC2	In case of foreign operations, the Guidelines on preliminary reporting requirements for establishing physical presence abroad sets out that the reporting requirements are to ensure that banks intending to expand their business activities by establishing a physical presence abroad are organized properly and have sufficient financial means to do so. No further details are provided in the regulatory framework. In case of acquisitions and investments that require changes in banks’ articles of incorporation and in its main organization and business rules, it is understood that banks need to comply requirements set out in laws and regulations that are applicable to general operation of banks, including those on organizations, internal control and risk management. Moreover, BO Art. 7 Para 3 stipulates that the scope of the bank’s operations must be commensurate with its financial resources and its administrative organization.
EC3	Consistent with the licensing requirements, among the objective criteria that the supervisor uses is that any new acquisitions and investments do not expose the bank to undue risks or hinder effective supervision. The supervisor also determines, where appropriate, that these new acquisitions and investments will not hinder effective implementation of corrective measures in the future.18 The supervisor can prohibit banks from making major acquisitions/investments (including the establishment of cross-border banking operations) in countries with laws or regulations prohibiting information flows deemed necessary for adequate consolidated supervision. The supervisor takes into consideration the effectiveness of supervision in the host country and its own ability to exercise supervision on a consolidated basis.
Description and findings re EC3	See EC 2. For acquisitions and investments that establish foreign financial operations, adequacy of its operation, including solid risk management, is required. Thus, it is expected that if establishing foreign operations may expose banks to undue risks or hinder effective supervision as well as implementation of corrective actions, FINMA will not approve, including a cases where laws and regulations of a jurisdiction inhibits effective consolidated supervision. Adequacy of effectiveness of supervision in the host country is also assessed. To ensure this, a comprehensive and detailed set of information is required to be provided to FINMA as set out in the Guidelines, including: Details of the legal structure (subsidiaries, branch offices, representative offices) and its share-holding structure. The shareholding structure and information on other participating shareholders are to be indicated in case participating interest is acquired in existing companies. Details of the type of business planned: outline of the business activities foreseen (business-model and plan), client target group, internal organization, especially in relation to risk management and local compliance. For parent companies, details of the existing reporting line, supervision of activities, risk management and compliance are to be included. Details of the structure of the executive management (board of directors) and of management (senior management). Information on any other functions exercised by the persons named at other group entities is to be indicated. Details of the assigned audit firm. Details of the local financial supervisory authority and of the approval granted for the foreseen business activities. Any information on possible restrictions imposed by the local financial supervisory authority and on the possibility of using the licenses granted outside Switzerland, e.g., European banking passport, is to be mentioned. Also, the Guidelines require banks to submit external auditor’s reports that indicate if the risk analysis of expanding business activities abroad is adequate and if these risks were considered in the institution’s global risk management. In case of acquisitions and investments that require changes in bank’s articles of incorporation and in its main organization and business rules, while general requirements for banking operations apply, no detailed requirements for information submission comparable to those for establishing foreign operations are provided.
EC4	The supervisor determines that the bank has, from the outset, adequate financial, managerial and organizational resources to handle the acquisition/investment.
Description and findings re EC4	See EC 2. BO Art. 7 Para 3 stipulates that the scope of the bank’s operations must be commensurate with its financial resources and its administrative organization. Thus, for foreign operations and acquisitions and investments that require changes in bank’s articles of incorporation and in its main organization and business rules, existence of adequate financial, managerial and organizational resources are assessed by FINMA.
EC5	The supervisor is aware of the risks that non-banking activities can pose to a banking group and has the means to take action to mitigate those risks. The supervisor considers the ability of the bank to manage these risks prior to permitting investment in non-banking activities.
Description and findings re EC5	Generally, Swiss banking law imposes no specific structural conditions or restrictions on bank investments in non-financial activities. However, as described in EC 1 and 2, if the acquisitions and investments are significant enough to require changes in bank’s articles of incorporation and in its main organization and business rules, FINMA will assess adequacy of management and control (BA Art. 3 para 2). However, there is no specific provision that focuses on risks arising from non-banking activities.
Assessment of Principle 7	Compliant
Comments
Principle 8	Supervisory approach. An effective system of banking supervision requires the supervisor to develop and maintain a forward-looking assessment of the risk profile of individual banks and banking groups, proportionate to their systemic importance; identify, assess and address risks emanating from banks and the banking system as a whole; have a framework in place for early intervention; and have plans in place, in partnership with other relevant authorities, to take action to resolve banks in an orderly manner if they become non-viable.
Essential criteria
EC1	The supervisor uses a methodology for determining and assessing on an ongoing basis the nature, impact and scope of the risks: which banks or banking groups are exposed to, including risks posed by entities in the wider group; and which banks or banking groups present to the safety and soundness of the banking system The methodology addresses, among other things, the business focus, group structure, risk profile, internal control environment and the resolvability of banks, and permits relevant comparisons between banks. The frequency and intensity of supervision of banks and banking groups reflect the outcome of this analysis.
Description and findings re EC1	FIINMA classifies all banks according to their relative size and complexity (categories 1–5). The two biggest banks which are globally systemically important are in Category 1, the three next largest are in Category 2. Category 3 contains some 30 banks (most of the cantonal banks) with some 70 banks in Category 4 and the rest, some 160 banks and 50 securities firms in Category 5. Assessors judge that a number of banks in Category 2 and 3 are systemically important in terms of the national market. Categorization is an important driver of FINMAs supervisory methodology and effort. Recently, for example, FINMA has decided to significantly reduce effort on Category 5 banks as they judge failures in this category would not be systemically important (median assets CHF250m). This strategy is understandable, though assessors did not review in detail the supervisory effort with respect to these banks. FINMA supervisory methodology is based on a combination of: annual formalized regulatory review/audit by external auditors hired and paid by banks, specific FINMA-mandated reviews by third parties and supervisory reviews conducted by FINMA itself (offsite and a limited number of on-site). FINMA has accredited 7 audit firms and some 150 lead auditors (who work with their auditing staff) to perform the regulatory audit of banks. Only the lead auditor has to be accredited. FINMA itself assigns a key account manager (KAM) or lead supervisor for each of the banks in categories 1 and 2 and has approximately 24 KAMs each with a portfolio of institutions in categories 3-5. As part of the regulatory audit performed by the external audit firm on every bank, a risk assessment has to be performed and agreed with FINMA, based on which the review/audit strategy is defined. This drives the specific areas and depth of regulatory audit work, subject to minimum standards for frequency and depth of work (review depth versus audit depth), which is set by FINMA. These standards apply to FINMA-specified areas for regulatory review. The minimum standards have more frequent audit-depth assessment if the bank is a G-SIB in Category 1, or in relation to the risk profile of other institutions. There is guidance given by FINMA with respect to the content and process for such a risk assessment. The risk assessment is based on an assessment of inherent risk (high/medium/low) in various aspects of the bank, an assessment of the quality of controls (H/M/L) and a net risk rating. There are no criteria for determining inherent risk ratings provided by FINMA. Inherent risks are assessed for various audit areas. For controls, ‘high’ risk is when no audit work has been done recently, it is not clear about whether controls exist or the auditor considers the controls ineffective. ‘Moderate’ control risk is when work has been done but the audit firm cannot determine if controls are effective, and ‘low’ control risk is when recent audit work has allowed the firm to conclude that controls are ‘appropriate and effective’. There is no formal process within FINMA to vet consistency of these risk assessments across institutions or groups of institutions in advance of regulatory audit work starting. FINMA and auditors are aware that the mindset needed for a regulatory or supervisory review is different than for a financial statement audit, which is more backward looking. The audit rating by FINMA and audit firms that drives the regulatory audit is designed to be forward looking and forward looking thinking explicitly asked of auditors in the audit circular. Starting this year auditors for the two large banks are required to rate the top ten risks, a process which FINMA and auditors both report as useful. Auditors are required in the circular to make their risk assessment comprehensive, and to add granularity to the formal rating assessment tables as necessary to accurately rate the bank. Required separation of the lead partner for the regulatory audit from the partner for the financial audit (for category 1 and 2 banks) is also designed to promote development of auditors with the desired regulatory mindset. The FINMA methodology controls the interaction of the audit firm with the bank with respect to its risk analysis. Risk assessments are not to be formally shared with firms until they are final and agreed with FINMA. Auditors are of course aware of the banks own risk assessment as well as the risk assessment of Internal audit. Some indicated that they do discuss certain aspects of risks and controls with the bank. Depending on the risk assessment, alterations are made in the standard audit work procedure in terms of focus and depth. Risk assessments can also lead to specific additional reviews by the audit form or by FINMA. Assessors reviewed the rating methodology and discussed these at length with FINMA and with regulatory audit firms. They also saw examples of the new methodology in practice in review of a selection of supervisory files. For a major bank, the methodology leads to one risk assessment for various risk types institution wide—i.e., one risk assessment for each of the major banks credit risk and one for each bank’s overall market risk. Different audit firms have different approaches to risk analysis, some driven by what they see as deficiencies in the FINMA-mandated approach. Some are using a wider and more granular definition of risks coming from their own audit acceptance and continuance risk methodologies, and then fitting the results into FINMAs templates. Others recognize that their high level inherent risk rating for particular risks is not particularly useful. In some cases (e.g., credit risk or market risk) the inherent risk assessment seems to be designed to assess risks in models or capital calculations, rather than risk in the underlying books. Control risk can be rated inconsistently to the resulting audit plan. For example certain examples assessors saw had overall credit or market risk controls rated high risk, apparently referring to control risk around models and related inputs—a potentially serious rating given the definitions. Some have an explicit forward-looking component in their own rating system (e.g., asking themselves if a risk is increasing or decreasing). Others do not. It is clear that risk analysis is not done consistently. In some cases the breakdown of the bank activities for the inherent risk ratings can be driven by the basic scope of the regulatory audit which is based on assessment of adherence to licensing conditions and other rules, and may not cover important risks. For example, for credit risk, banks activities are not broken down by type/geography of exposures as would normally be expected in these inherent risk ratings. Rather, the credit risk rating for certain IRB banks focuses on the risks of the IRB qualifying conditions and methodology not being met. Risks in underlying credit activities in different businesses and geographies can be described separately but not rated or with unclear link to the overall rating or supervisory effort. FINMA is planning to require banks to divide their inherent risk rating for credit risk into more granular categories, and the consultation was about to start at the time of the mission. Quality control systems in audit firms may not pick up important differences in interpretation of what constitutes high or medium or low inherent risk, which is left to individual partner judgment. In addition, FINMA has a camels-based supervisory rating with 9 rating grades. The rating is based on filters and thresholds applied to regulatory data, key flags if any triggered from the audit firm’s work (e.g., are there important formal audit opinion qualifications or not?), overlaid with supervisory judgment. For liquidity for all but the largest two banks, the metrics are based on outdated tests, even though trial LCR data is available (see CP24). Operational risk is not explicitly part of the rating framework (see CP25). Major internal control deficiencies would affect the regulatory audit result and feed into the supervisory rating and supervisory work. There is no explicit link between the annual risk assessment at the start of the supervisory work and the Camels-based rating. The 9-fold categorization is collapsed down to three grades—green, yellow and red which are reported to the institution. Green receives regular supervision in the next cycle, yellow receives increased supervision, and red is intensive. There are no explicit criteria for what constitutes a green as opposed to a yellow or a red. The camels rating is updated quarterly for banks in Category 1–3, quarterly for Category 4 banks with yellow or red grades and at the end of the annual cycle for banks in Category 4 with green grades and for all banks in Category 5. The FINMA-wide quality control process around these ratings is anchored in major annual ratings review meetings attended by the KAM, specialists, and senior management for the banks division. While there is no formal link between the rating system and sector wide risk, systemic trends and analysis by FINMA or SNB can factor into a judgmental overlay and thus into supervisory work. (Currently there is heightened interest about mortgage financing for example.) The camels-based ratings are driven in a major way by the data-driven analysis which is less likely to be forward looking. Assessors examined data on overrides to the system-generated ratings. The number of overrides is extensive and the number of grades that a rating changes is often 2 or more. Overall some 60 percent of banks are in green ratings, down from some 80 percent in 2008, with approximately 20 percent of banks in amber rating. The assignment of banks to category based on size and complexity understandably does not change often. Camels- based rating changes from year to year are infrequent for category 1 and 2 banks. Changes are more frequent for category 3 with some 25–35 percent of ratings changing annually, and higher percentage of changes in category 4 and 5. The degree of change is higher than one might expect in a camels based rating system. It could be due to the new system transitioning in, or to imprecision in the rating process, or to a combination of factors. Resolvability does not formally factor into the rating system but complexity is clearly a factor in splitting banks into categories, which affects supervisory planning. To date resolution and recovery planning has been started for the two large banks.
EC2	The supervisor has processes to understand the risk profile of banks and banking groups and employs a well defined methodology to establish a forward-looking view of the profile. The nature of the supervisory work on each bank is based on the results of this analysis.
Description and findings re EC2	Regulatory risk assessments done by auditors and agreed with FINMA are described in EC1. Standard operating procedures determine the minimum frequency and depth of supervisory work based on the various ratings and supervisory judgment as described in EC1. Assessors reviewed supervisory planning with auditors and FINMA, and reviewed planning of FINMA-lead reviews. They also discussed these matters with banks. As noted in EC1 there are a number of elements that likely make the risk profiles less forward looking than FINMA desires. In addition to the regular risk assessment described in EC1, banks are obliged to perform an annual capital planning based on a forward-looking risk profile. Capital plans are reviewed either by FINMA (banks category 1 and selected banks in categories 2 and 3) or assessed as part of the annual regulatory audit process performed by the external audit firm. Issues from these exercises can also trigger additional supervisory work. As well extensive supervisory work can be triggered by assessments of whether remedial action plans mandated by FINMA have been effectively put in place, or by assessments mandated by FINMA as to whether control issues that have materialized at one institution are being adequately handled by other banks.
EC3	The supervisor assesses banks’ and banking groups’ compliance with prudential regulations and other legal requirements.
Description and findings re EC3	The monitoring of compliance with prudential regulations and guidance and other legal requirements is performed by the external auditor as part of the annual regulatory audit. Assessors reviewed methodology, saw examples of results, and discussed this with FINMA staff and external auditors. As noted in various other CPs, FINMA guidance in certain risk management and control areas is at a very high level. As well, audit methodologies often require auditors to express a very high level judgment on these matters (are they “adequate”) with little or no formal guidance on what is to be considered in making the assessment. (There is FINMA work in progress on this matter.) Auditors are asked to express two kinds of opinions with respect to these matters. In areas where they have done a “review” level work they are examining the design effectiveness of controls and express opinions as to whether anything that came to their attention suggested that the controls were not adequate (negative assurance). In areas where they do “audit” level work they are testing operational effectiveness of controls and express a positive opinion—“controls are adequate…” The standards for what level of seriousness amounts to a qualification to an opinion are not clear, except when there is a breach of regulation which must lead to a qualification. Some auditors that assessors met indicated they had adopted additional methodologies to bring additional rigor to this process, such as specifying how to categorize the seriousness of findings. Others had not, and relied on professional judgment and second partner review, which they indicated could vary considerably across partners. Noteworthy observation must be reported to FINMA who has to evaluate the seriousness of the problem. FINMA staff and auditors confirmed that there are from time to time active discussion between auditors, banks and FINMA on these conclusions and opinions. Some whom assessors talked to described these as amounting occasionally to “negotiations”. Regulatory audit opinions are not published but are provided to banks as well as FINMA. There are no explicit rules prohibiting disclosure of supervisory opinions by audit firms in their regulatory reports (as would normally occur for supervisory findings in other jurisdictions). Discussion with auditors revealed that this had rarely if ever been an issue and that qualifications or reservations would have to be very serious for them to trigger the bank having to consider disclosure under general securities law principles.
EC4	The supervisor takes the macroeconomic environment into account in its risk assessment of banks and banking groups. The supervisor also takes into account cross-sectoral developments, for example in non-bank financial institutions, through frequent contact with their regulators.
Description and findings re EC4	FINMA has established a structured process and semi-annual internal report that informs about the major macroeconomic, capital markets and structural risks (“Risikobarometer”). As part of this report, potential implications for supervised entities broadly (banks, insurances, markets) are considered. This can affect supervisory work. For example, starting in 2010 FINMA and SNB identified heightened level of concern about mortgage exposures in Switzerland and that triggered further extensive supervisory reporting, analysis of exposures and risks by region and also triggered additional cross-system supervisory work on some 20 banks. A regular monitoring report on this system-wide issue is also in place.
EC5	The supervisor, in conjunction with other relevant authorities, identifies, monitors and assesses the build-up of risks, trends and concentrations within and across the banking system as a whole. This includes, among other things, banks’ problem assets and sources of liquidity (such as domestic and foreign currency funding conditions, and costs). The supervisor incorporates this analysis into its assessment of banks and banking groups and addresses proactively any serious threat to the stability of the banking system. The supervisor communicates any significant trends or emerging risks identified to banks and to other relevant authorities with responsibilities for financial system stability.
Description and findings re EC5	FINMA holds regular meetings with the Swiss National Bank, where one standing item is the discussion about the current situation of financial markets. As a consequence, decisions may be taken to assess specific topics more in-depth. For example, in 2012 it was decided to perform an assessment of the vulnerability of the Swiss banking sector towards a potential Eurozone crisis. This can lead to supervisory action. Further, once significant trends or emerging risks are identified, supervisors communicate on a regular basis with their supervised banks and, if needed, specific measures are defined to monitor the situation (e.g., weekly ad-hoc reports, etc.).
EC6	Drawing on information provided by the bank and other national supervisors, the supervisor, in conjunction with the resolution authority, assesses the bank’s resolvability where appropriate, having regard to the bank’s risk profile and systemic importance. When bank-specific barriers to orderly resolution are identified, the supervisor requires, where necessary, banks to adopt appropriate measures, such as changes to business strategies, managerial, operational and ownership structures, and internal procedures. Any such measures take into account their effect on the soundness and stability of ongoing business.
Description and findings re EC6	Resolution and recovery planning is in place for the two large banks. FINMA can grant relief to the progressive capital component requirements provided there is a high probability that the systemically important bank will improve its resolvability in and as well as outside Switzerland. No such relief has been decided in practice as yet. FINMA and banks are in active discussion of various aspects of their operations that would improve resolvability. While FINMA has no explicit legislative authority to impose changes in structure it can use other tools as necessary to induce changes, such as withholding approvals or changing the scope of consolidation.
EC7	The supervisor has a clear framework or process for handling banks in times of stress, such that any decisions to require or undertake recovery or resolution actions are made in a timely manner.
Description and findings re EC7	The supervisor or Key Account Manager (KAM) follows the risk-based approach based on the established Standard Operating Procedures (SOP). As mentioned above, the supervisory category and the assigned rating determine the levels of required supervision. Under these procedures should the camels rating be downgraded to a pre-determined level (8 in the 1–9 rating category), the bank will be supervised by a separate team specialized in intensive supervision – TIS. The task of the TIS is to investigate the causes of problems and oversee crisis management. The primary objective in all cases is to put a swift end to the crisis in order to prevent loss or damage and minimize the use of resources. Assessors reviewed the actual experience of this group, which is extensive. Crises can be ended in a number of ways: at some institutions, the introduction and monitoring of corrective measures will suffice; in other cases, the correct response may well be for the institution to exit the supervised sector. Elsewhere, the investigation may reveal that compulsory measures under supervisory law are the only way to resolve the situation. In this case, the TIS will present the results of its investigations in such a way that enforcement proceedings can be conducted. The TIS will deploy the means of direct supervision: it will carry out on-site investigations, and identify and interact with all relevant parties including owners and shareholders.
EC8	Where the supervisor becomes aware of bank-like activities being performed fully or partially outside the regulatory perimeter, the supervisor takes appropriate steps to draw the matter to the attention of the responsible authority. Where the supervisor becomes aware of banks restructuring their activities to avoid the regulatory perimeter, the supervisor takes appropriate steps to address this.
Description and findings re EC8	When an institution is performing activities outside the regulatory perimeter, FINMA will intervene and generally close the relevant entity. The same applies to non-licensed entities that present themselves as banks without actually carrying out bank like activities. Where a licensed institution carries out business outside the scope of its license FINMA imposes requirements to bring activities in line with that authorized. This has occurred and assessors reviewed examples of the framework working in practice.
Assessment of Principle 8	Largely Compliant
Comments	FINMAs supervisory approach using regulatory auditors can work, but the improvements already made need more time to be embedded and additional improvements to augment FINMA on-site reviews, improve guidance to auditors to improve risk assessments and ensure consistency in ratings and supervisory work, and have more in depth theme reviews of control functions, are required to achieve the necessary effectiveness for both larger and smaller and mid-size banks. The five-fold categorization of banks according to their size and complexity is a reasonable method to link broad supervisory effort to high-level risks. It is unclear however if the broad switch of institutions from balance sheet intensive activities to more wealth management activities (and the consequent increase in operational and reputation risk) has been reflected in supervisory strategies or resources in a proactive way. The risk-based approach for bank supervision has been revised and enhanced after the 2007 banking crisis in an appropriate direction. Methodologies were enhanced, monitoring was increased, additional challenge of external auditors’ contribution to the supervisory approach was instituted, direct FINMA lead or commissioned supervisory reviews were instituted and more forward-looking and system-wide risk assessment elements were added. The intensity of supervision and contact with certain institutions has increased. Progress in implementing these improvements in a short time period is impressive and assessors believe that the basic direction is the correct one. There is no reason why the fundamental supervisory approach cannot deliver the necessary results if it is operated effectively. Use of auditors gives a system-wide annual review that is not present in other approaches. It also allows auditors to benchmark across institutions in other jurisdictions that they audit and to bring their global risk capability to bear. Supervisors generally showed a good understanding of risks in their institutions. There is extensive senior level experienced judgment and oversight of the risk assessment and supervisory process within the Banks division of FINMA. However, several elements mean it is not as it needs to be given the importance of major Swiss institutions globally and in the Swiss marketplace. Lack of granularity in risk assessments for major institutions means that important risks could not be sufficiently highlighted. Forward looking elements need to be formalized. The lack of criteria for various ratings, the inadequate granularity of assessing inherent risks, and the uncertainty surrounding what auditors’ assessment of various controls means in practice, reduce the robustness of the approach and mean it is heavily reliant on expert judgment which is not sufficiently consistent or well documented. Using separate audit firms means that comparisons across institutions in Switzerland that are similar but audited by different auditors is not possible with reliability, unless FINMA puts in place a process. Processes within FINMA to assess and adjust auditor’s risk assessments across groups of institutions should be strengthened. These issues could lead to material misallocation of supervisory effort and missing the opportunity to challenge supervisors on risk assessments and to identify material control or risk management deficiencies, before they have large consequences. Some improvements to address these issues have been identified by FINMA but are not yet implemented, including update of Circular 08/24 re qualitative risk management standards and related auditor instructions. Certain additional improvements are necessary including: providing more guidance for rating criteria; ensuring inherent risk assessments reflect actual business risk; requiring more granularity in risk assessments for larger institutions; enhancing methodology to emphasize forward looking elements such as requiring explicit consideration of whether risks are increasing, stable or decreasing; and instituting more cross-institution analysis by FINMA staff of the risk assessments and what they imply for supervisory effort and focus.
Principle 9	Supervisory techniques and tools. The supervisor uses an appropriate range of techniques and tools to implement the supervisory approach and deploys supervisory resources on a proportionate basis, taking into account the risk profile and systemic importance of banks.
Essential criteria
EC1	The supervisor employs an appropriate mix of on-site19 and off-site20 supervision to evaluate the condition of banks and banking groups, their risk profile, internal control environment and the corrective measures necessary to address supervisory concerns. The specific mix between on-site and off-site supervision may be determined by the particular conditions and circumstances of the country and the bank. The supervisor regularly assesses the quality, effectiveness and integration of its on-site and off-site functions, and amends its approach, as needed.
Description and findings re EC1	FINMA employs a mix of the on-site and off-site supervisory tools. These were enhanced starting in 2010 including promulgating a new audit circular at the end of 2012 on FINMAs enhanced expectations. This new circular was in effect for risk assessments done in early in 2013 and 2013 audits. On-site examinations are mainly performed by the recognized audit firms. As part of FINMA’s supervisory approach, audit firms are in charge of performing a comprehensive prudential audit, following general instructions given by FINMA. FINMA refers to these auditors as “FINMA’s extended arm”. FINMA has employed this approach because of the fundamental nature of its banking system, which is large relative to the country and has several institutions with complex global reach. FINMA believes that only by levering its resources through regulatory audits conducted by audit firms can it adequately have access to resources necessary to perform its supervisory mandate. It also notes that its approach provides an annual supervisory review across every supervised institution. FINMA also conducts certain on-site supervisory reviews itself, or by hiring and paying its own third party reviewers. Off-site supervision mainly relies on the examination of reports provided by the banks, the external auditors (delivery of ‘long form’ regulatory audit reports) and also results from other activities such as meetings with the banks’ management, attending supervisory colleges and/or discussions with other supervisory authorities. Assessors discussed these activities with FINMA staff and saw examples of the reports generated by this process. There is also clear evidence that these off-site activities influence supervision and actions vis-à-vis individual banks. On-site supervision is through regulatory audits performed by audit firms chosen by the banks (from the FINMA approved list of seven audit firms and some 150 accredited regulatory auditors who work with audit staff), and paid directly by the bank, not by FINMA. The regulatory audit is in practice done by the same firm as the financial audit (separate lead partner for the two largest banks and for the three banks in category 2). The regulatory audit is lead from Switzerland and can involve audit firm resources in other global financial centers and locations, as necessary, depending on the individual audit firm approach. FINMA is aware of the independence, mindset and expertise issues (and issues of who is the client) that this arrangement gives rise to. Regulatory assessments are fundamentally different than financial audits. FINMA has instituted various compensating measures. There are standard procedures that specify minimum periodicity and depth of work. To remain certified auditors have to perform a minimum number of hours of relevant work. FINMA off site supervisory staff challenge risk assessments and audit strategies and findings based on their knowledge of the bank. The findings of FINMA reviews can demonstrate inadequate work in the same areas by audit firms and puts pressure on them to perform. FINMA can de-certify individual partners or senior staff of audit firms from being eligible to do regulatory audits. This has occurred. FINMA also performs ex-post quality assurance on audit firms doing regulatory audits, much in the same way as the Swiss audit oversight body assesses audit firms financial audits. Annually, there is an inspection of each of the major audit firms with examination of one of their files including their working papers, and other audit firms are on a 2-3 year inspection cycle. This involves selecting and reviewing approximately 5 regulatory files a year (one each from the larger audit firms and a selection of smaller audit firms). Staff doing inspections report that issues of adequate professional skepticism do arise. This can lead to de-certifying certain persons of audit firms as noted above. The essence of the mandate of the audit firm is to confirm (or not) compliance of the bank with regulatory requirements (laws, ordinances, circulars). This culminates in an overall opinion whether the bank is meeting its licensing conditions. In audit reports it is rare to have an overall qualification but there can be 2-5 qualifications in specific areas for a large number of banks. Audit firms are to provide formal opinions on these matters (either positive or negative assurance) depending on the scope, depth and nature of the work performed. This means that the regulatory audit scope and opinions is dependent on the nature and completeness and specificity of the guidance it is auditing against. That also can have a material impact on the meaning of various conclusions. As FINMA guidance lacks specificity in qualitative criteria (see CP 15, 17, 19 and 24 for example), the nature of audit work and opinions in these areas can be difficult to assess. There is a standard annual audit report formulation and instructions from FINMA on what it is to cover. Often FINMA is asking auditors to express an opinion (pass/fail) on whether a particular process is ‘appropriate’ or whether resources in a control function are ‘adequate’. This comes from the generally-worded requirements in banking legislation or ordinances, compliance with which is the fundamental purpose of the regulatory audit. Audit firms have developed methodologies. FINMA does not approve these audit programs, but may approve the detailed scope for FINMA-mandated additional audits. FINMA has started sending a letter to audit firms at the beginning of the cycle on areas it wants emphasized. There is no guidance on what constitutes findings of various degrees of significance. Certain audit firms have determined that themselves. The assessment culminates in a long form report that is relayed to FINMA and the bank four months after the year-end. Audit reports and reporting cycles are not modular with continuous reporting on work done throughout the year. Timing of reporting on specific additional work mandated by FINMA could be dependent on the engagement. Assessors discussed the methodologies with FINMA, with representatives of larger and medium-size audit firms and with FINMAs audit inspection department. They also reviewed a sample of audit reports, though the changes for 2013 audits are not observable at the time of the mission. Discussions revealed material differences in what standards auditors are auditing to, and what constituted findings of various degrees of seriousness. Some firms indicated that certain of these aspects could vary partner to partner. In a number of cases because of lack of criteria, the audit opinion as to what is adequate depends to a very large degree on individual auditors’ professional judgment. The nature and seriousness of issues can be difficult to determine from the reports, which contain a large amount of factual information on the bank. Understanding is therefore driven by the quality and depth of discussion between the auditor and the FINMA key account manager (KAM). Auditors and banks report that there can be intense three-way discussion between auditors, banks and FINMA on the seriousness of particular issues. It also appears that what leads to a reservation on a risk management or control rating can be hard to assess. Examples seem to occur regularly of a process being judged ‘adequate’ while noting serious deficiencies but also noting that these are in the process of being rectified and have been reported to FINMA, making it hard to determine the basis for auditors judgments. As deficiencies or reservations are a key flag in FINMAs internal rating system, this approach depends on KAMs judgment and escalating important issues for discussion and decision on whether to intervene. Audit firms report that in certain areas where FINMA guidance is not detailed they will choose to supplement with relevant international guidance or firm-developed methodology. But the approach to that varies across audit firms and these firm-specific methodologies are not included in the standards that ex-post inspections inspect against. FINMA also can set guidance in frequently asked questions (FAQs) on its website. FINMA and banks indicated that these are taken very seriously and can be used by FINMA to respond rapidly rather than issuing a board-approved circular. FAQs will be consistent with requirements in legislation ordinances or guidance in circulars, but can be more specific and essentially contain important additional guidance on FINMA expectations. There was a difference of opinion between audit firms that assessors met, and between various staff within FINMA, as to whether FAQs formed part of the basis of rules and guidance against which regulatory audits are assessing. FINMA also reported that the regulatory audit report is used as information to supervisors but is not necessarily the full reality of the situation. FINMA applies its own judgment in determining ratings and supervisory interventions. (see CP8) Assessors discussed the regulatory audit work effort. On medium size banks, auditors report that up to 10 people can be involved, and the regulatory audit is around 1,000-1,500 hours (135-200 person days). Some 2-3 deeper dive reviews are conducted at major banks annually with a deep dive review normally being 1,000-3,500 hours (135-650 person days). Occasionally the depth and scope will be markedly more. FINMA conducts some 15 of its own reviews a year on average over the past two years on the two category 1 banks together, and approximately 20 in total on category 2 and 3 banks. These totals include reviews with respect to AML/CTF, market conduct issues and compensation so the more prudentially-focused or risk management-focused reviews are about half the total. In some cases these were reviews conducted after material issues were revealed in the marketplace. FINMA reviews generally involve 3-4 persons for a total of 15-40 person days. Assessors discussed this arrangement extensively with FINMA staff at various levels, reviewed documents including examples of supervisory files and discussed the process with representatives of audit firms covering large and smaller and mid-size banks. The review by assessors did not reveal the depth of reviews by audit firms that one would normally find, post-crisis, of risk management and control systems by other supervisors. Assessors’ reviews also noted that in some cases the scope was skewed to specific regulatory requirements and did not consider more general issues of risk management or control effectiveness. FINMA has plans to add more specificity to audit instructions in key risk and compliance areas but significant parts of this will not be in place until 2014 or 2015. Discussions with FINMA staff also revealed difficulty in determining the basis for auditors conclusions in areas where there are only very general requirements (such as what constitutes adequate resources in compliance or risk management), or for understanding the extent to which these conclusions were derived from consistent processes across audit engagements and firms. Prudential audit reports reviewed by assessors often contained considerable factual description of controls or processes and relatively much less on the issues found, their implications or seriousness or the nature of the work done by auditors to support the audit conclusions. FINMA staff participate in on-site work conducted by foreign supervisors, particularly in the UK and the US for the two big Swiss banks. The experience seems to be some 2-4 of these a year (which are included in the number of FINMA reviews noted above). FINMA has participated occasionally in prudential audit firms foreign reviews of large bank operations, but this is not regular practice. FINMA examines the work performed by recognized audit firms, the result of which is communicated at least once a year to the management of the audit firm. Key account managers provide feedback. For the purpose of performing this quality control, FINMA also maintains a special quality control unit. However the number of regulatory reports reviewed is not large (approximately five per year for banks).
EC2	The supervisor has a coherent process for planning and executing on-site and off-site activities. There are policies and processes to ensure that such activities are conducted on a thorough and consistent basis with clear responsibilities, objectives and outputs, and that there is effective coordination and information sharing between the on-site and off-site functions.
Description and findings re EC2	See also EC1. FINMA has a well-developed process for planning and executing regulatory audits and for integrating on-site and off-site activities. Assessors looked into how that process is operating in practice. Planning and executing on-site and off-site activities is an integral part of FINMA’s supervisory approach. Before prudential audits are performed by recognized audit firms, FINMA receives from the external auditor their annual risk analysis and, based on this analysis, the planned audit strategy in a preliminary stage. FINMA has to agree to the risk analysis and audit strategy and considers it therefore its own. Audit depth and frequency then depend on the level of risk identified for every audit field. Only following FINMA’s approval does the audit firm start with its detailed audit work. In case of disagreement, FINMA will ask the audit firm to adapt the audit strategy. For its off-site supervision, FINMA has defined work procedures, which are known as “standard operating procedures” or SOP. Frequencies and the time limit for performing the various tasks listed in the SOP are clearly defined and also depend on the combination of category and rating of the bank. One of the listed tasks covers the examination of the long form audit reports that is delivered by the external auditor. Generally the key account manager (KAM) for larger or mid-size banks would examine the whole audit report and communicate with the audit firm, often extensively. For smaller banks that are risk rated green or low, only the summary report needs to be read, unless there are relevant findings and the communication with the audit firm will often be considerably less. Assessors discussed with major audit firms their internal process for quality control. Major firms have second partner review on all regulatory audit engagements. That also included discussing how they ensuring that their audit affiliates in foreign locations understand how regulatory audit work differs from their normal financial statement audit work. Assessors’ review of these reports revealed some difficulty in determining that adequate consistency exists and that it is fully possible to understand the meaning of the output from the regulatory audit (see EC1). Some of the enhanced procedures required by FINMA were introduced relatively recently, as noted in EC1. FINMA and auditors of major and mid-size banks report there is extensive interaction. Also there are clear examples of extensive feedback from FINMA individual KAMs to auditors on FINMA findings and analysis from other sources that may affect the regulatory audit. However considering whether issues from one audit or analysis might affect regulatory audits of other similar institutions is less structured and frequent. Department heads showed a good understanding of the risks facing institutions.
EC3	The supervisor uses a variety of information to regularly review and assess the safety and soundness of banks, the evaluation of material risks, and the identification of necessary corrective actions and supervisory actions. This includes information, such as prudential reports, statistical returns, information on a bank’s related entities, and publicly available information. The supervisor determines that information provided by banks is reliable21 and obtains, as necessary, additional information on the banks and their related entities.
Description and findings re EC3	Depending on the bank category, different types of reports have to be delivered on a regular basis. For example, banks belonging to category 3 provide quarterly business/risk management reports. The Key Account Manager (KAM) is in charge of analyzing these reports and making sure that the information is reliable. In order to clarify open issues, the KAM stays in direct contact with the bank representative and/or the audit firm. Furthermore, prudential and financial reports are reviewed annually and the concerns are discussed with the audit firm. Moreover, if necessary, other reports are requested such as reports on capital requirements, liquidity coverage, exposure to the group, etc.
EC4	The supervisor uses a variety of tools to regularly review and assess the safety and soundness of banks and the banking system, such as: (a) analysis of financial statements and accounts and a broad range of ratios from the rating system; (b) business model analysis; (c) horizontal peer reviews; (d) review of the outcome of stress tests undertaken by the bank; and (e) analysis of corporate governance, including risk management and internal control systems. The supervisor communicates its findings to the bank as appropriate and requires the bank to take action to mitigate any particular vulnerabilities that have the potential to affect its safety and soundness. The supervisor uses its analysis to determine follow-up work required, if any.
Description and findings re EC4	FINMA, together with the audit firms, applies a mix of the above-mentioned tools depending on the category and rating assigned to the bank. Annual assessment letters are sent to all banks in category 1-2 and some banks in category 3 (all at least every two years) containing the FINMA rating and the actions needed. Banks get a copy of the regulatory audit report with its reservations and comments, and may get a management letter from the regulatory auditor. FINMA communicates the findings resulting from its activities, i.e., supervisory reviews, special analyses, peer reviews, etc. to the banks. FINMA ensures a timely implementation of the notices of reservation and the recommendations. The audit firm checks the implementation of the relevant issues and confirms their resolution status in the next prudential audit. Stress tests and other information and analysis related to capital (and increasingly liquidity) are highly developed and provided to the KAM, reflecting the capital orientation of the Swiss approach.
EC5	The supervisor, in conjunction with other relevant authorities, seeks to identify, assess and mitigate any emerging risks across banks and to the banking system as a whole, potentially including conducting supervisory stress tests (on individual banks or system-wide). The supervisor communicates its findings as appropriate to either banks or the industry and requires banks to take action to mitigate any particular vulnerabilities that have the potential to affect the stability of the banking system, where appropriate. The supervisor uses its analysis to determine follow-up work required, if any.
Description and findings re EC5	FINMA’s early warning and Camels-based rating system provides substantial quantitative data and qualitative information (capital adequacy, asset quality, management factors, earnings, liquidity, and sensitivity to markets risks) on individual banks and banking groups. Outlier analysis is performed within various peer groups, and the system assesses a range of bank financial information and a large number of ratios against various pre-defined thresholds. A system-generated rating is produced that the KAM then accepts or modifies based on other information or expert judgment. FINMA has developed an internal semi-annual publication, the “Risikobarometer”, to track macroeconomic and regulatory risks and developments. This is similar to financial stability reports published in other countries. FINMA also has an internal semi-annual publication with more in-depth analysis of the real estate market (see answer to principle 8, EC 4). This has lead to additional supervisory reviews, more intensive monitoring capital add-ons under pillar 2 for selective banks. In addition, the SNB has triggered the countercyclical buffer for real estate exposures. Further, FINMA establishes a semi-annual macro-financial stress scenario that is used for the supervisory stress-testing of the two Swiss large banks, known as Loss Potential Analysis. Since 2010, additional analysis of capital plans, based on some of the concepts in the LPA, have been extended to a few institutions in categories 2 and 3. This is designed to provide a better appreciation of their vulnerability. FINMA communicates to the banks the issues identified and the measures which have to be implemented. If necessary, measures to adjust risk measurement or reduce risks are agreed.
EC6	The supervisor evaluates the work of the bank’s internal audit function, and determines whether, and to what extent, it may rely on the internal auditors’ work to identify areas of potential risk.
Description and findings re EC6	FINMA Circular 08/24 requires that every bank must have an appropriate and qualified internal audit, directly reporting to the board and independent of operational management. A large number of smaller and mid-size banks outsource internal audit to a recognized external audit firm. Regulatory auditors must explicitly confirm in their annual long form reports that: the technical and personal resources are appropriate for internal audit; the necessary professional competences are effectively available; cooperation between the external audit firms and internal audits is adequate; and, the external audit firms have access to the reports of the internal audit, without any limitation. Assessors discussed with regulatory auditors how they form this judgment. Regulatory auditors have extensive communication with internal audit as part of their reviews, which helps inform their judgment. FINMA has also set informal benchmarks as to what internal audit resources it expects relative to the size of the institution.
EC7	The supervisor maintains sufficiently frequent contacts as appropriate with the bank’s Board, non-executive Board members and senior and middle management (including heads of individual business units and control functions) to develop an understanding of and assess matters such as strategy, group structure, corporate governance, performance, capital adequacy, liquidity, asset quality, risk management systems and internal controls. Where necessary, the supervisor challenges the bank’s Board and senior management on the assumptions made in setting strategies and business models.
Description and findings re EC7	The frequency of contacts with the board of directors as well as with senior and middle managers largely depends on the categorization and rating of banks and banking groups. The interaction at the board level for the two category one banks is extensive. Regulatory auditors have the opportunity to observe boards. They do not however do a formal board effectiveness assessment as part of their methodologies. The results of supervisory examinations are also discussed as appropriate with the external auditor. The supervisor also can meet separately with the bank’s independent board members. Based on discussions, assessors have the impression that for other categories of banks the extent of contact is markedly less, especially at the board level.
EC8	The supervisor communicates to the bank the findings of its on- and off-site supervisory analyses in a timely manner by means of written reports or through discussions or meetings with the bank’s management. The supervisor meets with the bank’s senior management and the Board to discuss the results of supervisory examinations and the external audits, as appropriate. The supervisor also meets separately with the bank’s independent Board members, as necessary.
Description and findings re EC8	Key findings from the ordinary prudential audit performed by the external auditor are captured in writing in the long form report which is submitted to the board and management for discussion and acknowledgment. The results of the on-site reviews conducted by FINMA are also systematically communicated to the bank in written reports and discussed with the appropriate management level. For the two big banks (category 1) and institutions in categories 2 (annually) and 3 (at least every two years), FINMA formally notifies by assessment letters any shortcomings identified and the action required to address them. All assessment letters are provided to both boards and senior management.
EC9	The supervisor undertakes appropriate and timely follow-up to check that banks have addressed supervisory concerns or implemented requirements communicated to them. This includes early escalation to the appropriate level of the supervisory authority and to the bank’s Board if action points are not addressed in an adequate or timely manner.
Description and findings re EC9	Tracking of follow-up actions by banks is normally through the prudential audit process, but can also be directly to FINMA. FINMA’s MIS system tracks deficiencies and allows identification of issues that need to be raised with senior management or boards.
EC10	The supervisor requires banks to notify it in advance of any substantive changes in their activities, structure and overall condition, or as soon as they become aware of any material adverse developments, including breach of legal or prudential requirements.
Description and findings re EC10	Banks licensing process includes approval of internal documents that set out its product and geographic scope. So any substantive change in a banks’ activities requires making changes to the articles of incorporation and the main Organization and Business Rules. These changes require FINMA’s approval (Art. 3 para 3 BA) Furthermore banks have to notify FINMA before they establish, modify or close a subsidiary, branch, agency or representative office abroad (Art. 3 para 7 BA and Art. 6b BO). Licensing staff reported that they can receive 1,000–1,500 notifications a year from each of the two largest Swiss banks, of which normal year 20–30 are licensing requests (rising to up to 100 in special years). Any adverse matter has to be reported to FINMA by the bank’s audit firm or in the annual audit report.
EC11	The supervisor may make use of independent third parties, such as auditors, provided there is a clear and detailed mandate for the work. However, the supervisor cannot outsource its prudential responsibilities to third parties. When using third parties, the supervisor assesses whether the output can be relied upon to the degree intended and takes into consideration the biases that may influence third parties.
Description and findings re EC11	Audit firms (and also the persons performing the audit) must be officially recognized by FINMA (see criteria in Circular 13/04 “Audit firms and lead auditors”). They are subject to ex-post quality controls made by a special FINMA unit. FINMA also uses third party experts/firms for performing targeted interventions (investigations of complicated problems/matters; delivery of a second opinion if it is not convinced by the assessments and confirmations given by the ordinary external audit firms). Assessors had extensive discussions and review with various parties as to how these rules are working in practice. (see CP8 and EC1 of CP9 above) When FINMA mandates specific independent reviews, such as for model approval, assessors saw examples of detailed clear instructions.
EC12	The supervisor has an adequate information system which facilitates the processing, monitoring and analysis of prudential information. The system aids the identification of areas requiring follow-up action.
Description and findings re EC12	For a number of years, FINMA has applied a rating system for banks and banking groups. The rating system provides substantial quantitative data and qualitative information on supervised banks and banking groups. The rating system is one of the main tools available to the supervisor. A large range of standardized reports and specific thematic analyses are centrally prepared to address topical issues and to detect outliers and critical trends.
Additional criteria
AC1	The supervisor has a framework for periodic independent review, for example by an internal audit function or third party assessor, of the adequacy and effectiveness of the range of its available supervisory tools and their use, and makes changes as appropriate.
Description and findings re AC1	FINMA has an internal audit function currently consisting of three people. The internal audit reviews FINMA teams adherence to processes set out in the standard operating procedures, not the content of supervisory reports or risk or rating analysis. FINMA may rely on quality controls carried out by an independent person not attached to the head of supervisory activities (12 intensive controls and 16specific controls were made in 2012). These apply not only to adequacy of procedures but also on risk analyses, audit strategies, and rating analysis, among others.
Assessment of Principle 9	Materially Non Compliant
Comments	The enhancements to on-site and off-site processes put in place recently are appropriate and essential. They start to move FINMA away from the capital-predominant approach of previous agencies, and towards the more intensive supervision prevalent in other jurisdictions after the crisis. However, there is potential for material control or risk management weaknesses to go undetected, and the issues identified in the assessment are not just minor shortcomings. The recent enhancements are in the right direction, although some need to be given time to show results and others need to be materially intensified to achieve the desired goal. Standards for intensive supervision post-crisis have increased considerably. Remedying this is not simple, and it is unclear that compliance can be achieved in the immediate short term given FINMAs commitment to a head-count freeze and the difficulty of enhancing audit procedures, related guidance and instructions quickly. With adequate resources and further changes to processes, remedying the situation can be done within the existing model of use of regulatory auditors. For a jurisdiction with systemically important institutions, the depth of on-site review by auditors and by FINMA is not sufficient. Extensive review appears to occur around capital and risk model processes and outputs for major institutions and on capital and liquidity related quantitative matters including stress tests. The amount of proactive review of the integrity of qualitative risk management and internal control appears less than needed, especially given the major operational and reputational risks to the system. Having annual broad- based supervisory reviews through the regulatory audit process is not a substitute for a sufficient number of proactive targeted in-depth reviews in potentially higher risk and control areas. The basis of conclusions by regulatory auditors is not sufficiently transparent and their scope is not appropriate in certain areas. The focus of regulatory audits on compliance with legal and licensing requirements means that deficiencies in control and governance processes that are not explicitly specified in laws and regulations and circulars, but are part of FINMA expectations, are not being consistently assessed appropriately. A number of detailed reviews appear more reactive than proactive. As well, the on-site process risks too much negotiation of findings, the potential that important findings may be missed or not adequately highlighted, or root cause analysis performed. That requires more effort by FINMA with respect to bringing regulatory audit findings together and assessing them. Cross-system theme reviews may not be performed by auditors to consistent FINMA expectations. There are few cross-system/theme reviews by FINMA. The number of FINMA in-depth reviews of prudential matters appears low. There is insufficient reporting by auditors of the basis for conclusions and of the nature or seriousness of findings. The fact that auditors must reach a formal opinion and the potential seriousness of a formal reservation to the opinion may be reducing the elevation of issues. It is unclear whether on-site findings are sufficiently factored into FINMA assessments and formal feedback to banks. It can be hard for FINMA to tell whether their reliance on auditors is verified. Verification of the trust placed in auditors has increased but appears light. Remedying the situation will require enhanced strategic risk analysis, more focus and depth to the on-site effort on a selective basis to complement the breadth now provided, clearer reporting by auditors to FINMA, more FINMA off-site work across teams to direct and compare work done and findings by auditors (theme reviews) and more and more frequent, in-depth individual or theme reviews by FINMA itself (or through fully independent agents). This should be more proactive in areas likely to be subject to higher risk or control breakdowns. FINMA could also consider whether in certain banks the scope of the base regulatory audit could be reduced from time to time so more audit resources can be redirected to in-depth review of higher risk areas. FINMA participation in on-site work performed by auditors or by foreign supervisors should be substantially increased. That would provide enhanced assurance that prudential audits in those jurisdictions were delivering what FINMA needs.
Principle 10	Supervisory reporting. The supervisor collects, reviews, and analyses prudential reports and statistical returns22 from banks on both a solo and a consolidated basis, and independently verifies these reports through either on-site examinations or use of external experts.
Essential criteria
EC1	The supervisor has the power23 to require banks to submit information, on both a solo and a consolidated basis, on their financial condition, performance, and risks, on demand and at regular intervals. These reports provide information such as on- and off-balance sheet assets and liabilities, profit and loss, capital adequacy, liquidity, large exposures, risk concentrations (including by economic sector, geography and currency), asset quality, loan loss provisioning, related party transactions, interest rate risk, and market risk.
Description and findings re EC1	Under general authority of the FINMA act (Art. 29) Banks are required in FINMA “Circular 08/14 – Supervisory reporting for banks” to report their financial results (on-/off-balance sheet assets and liabilities, profit and loss, asset quality, loan loss provisioning) to FINMA. Other reporting duties cover risk topics such as capital adequacy and liquidity in the context of Basel III, large exposures, risk concentrations, details of credit and market risk capital adequacy inputs, and interest rate risk, as well as share ownership. Data is collected at single entity, and in the case of consolidated supervision, also at group level. FINMA legal power to collect information is general and applies to anyone with a qualified participation in a bank, for example controlling entities. So it can be used for specific information requests as well. Supervisors of major banks also have regular access to individual bank information used by the banks for management purposes (including information going to the board and senior management).
EC2	The supervisor provides reporting instructions that clearly describe the accounting standards to be used in preparing supervisory reports. Such standards are based on accounting principles and rules that are widely accepted internationally.
Description and findings re EC2	Articles 23 to 27 of the Banking Ordinance prescribe the chart of accounts and the structure of the accounting disclosure for banks. Supervisory reporting uses the accounting framework that banks use for their own accounts. Some nine banking groups use IFRS and there is one using U.S. GAAP. Other banks use Swiss GAAP in financial statements (which is generally seen as more conservative than international standard—see CP 27). The fact that one of the large banks is on IFRS and the other on U.S. GAAP can make comparability harder in areas such as the trading book.
EC3	The supervisor requires banks to have sound governance structures and control processes for methodologies that produce valuations. The measurement of fair values maximizes the use of relevant and reliable inputs and are consistently applied for risk management and reporting purposes. The valuation framework and control procedures are subject to adequate independent validation and verification, either internally or by an external expert. The supervisor assesses whether the valuation used for regulatory purposes is reliable and prudent. Where the supervisor determines that valuations are not sufficiently prudent, the supervisor requires the bank to make adjustments to its reporting for capital adequacy or regulatory reporting purposes.
Description and findings re EC3	The accounting standards for positions in the trading book are set out in FINMA-Circular 08/02 Accounting – Banks margin Nos. 22–22d which apply on an individual bank level. They include the possibility of using valuation models for less liquid positions and high level expectations for valuation. The supervisory standards are those of the BCBS (which are implemented in FINMA-Circulars 08/20 Market Risk margin Nos. 32–48 and 08/19 Credit Risk – Banks margin No. 391; requirements regarding valuation adjustments for less liquid positions are set out in FINMA-Circular 08/20 Market Risk margin No 47). Consistency of these Swiss standards has recently been confirmed via the Regulatory Consistency Assessment Program (RCAP) for Switzerland. The prudential audit firm comments in the annual regulatory audit report on the adequacy of the valuation framework and the control procedures of the bank.
EC4	The supervisor collects and analyses information from banks at a frequency commensurate with the nature of the information requested, and the risk profile and systemic importance of the bank.
Description and findings re EC4	Scope and periodicity of standard reports are the same for all banks. Following the risk-based regulatory approach, banks in categories 1 to 3 (banks with an increased systemic importance) have additional, individual reporting duties, where scope and periodicity vary depending on the actual situation.
EC5	In order to make meaningful comparisons between banks and banking groups, the supervisor collects data from all banks and all relevant entities covered by consolidated supervision on a comparable basis and related to the same dates (stock data) and periods (flow data).
Description and findings re EC5	FINMA collects from all supervised banks and banking groups quantitative data and qualitative information in a standardized manner. For reports on capital adequacy and liquidity in the context of Basel III and interest rate risk, frequency varies between single entity level (quarterly reports) and group level (semi-annual reports).
EC6	The supervisor has the power to request and receive any relevant information from banks, as well as any entities in the wider group, irrespective of their activities, where the supervisor believes that it is material to the condition of the bank or banking group, or to the assessment of the risks of the bank or banking group or is needed to support resolution planning. This includes internal management information.
Description and findings re EC6	FINMA has the legal authority in Art. 29 FINMA Act to request and receive from supervised persons and entities all information and documents that it requires to carry out its tasks. This includes also any ad-hoc reports on specific risks and topics and internal management information.
EC7	The supervisor has the power to access24 all bank records for the furtherance of supervisory work. The supervisor also has similar access to the bank’s Board, management and staff, when required.
Description and findings re EC7	Art. 29 FINMASA determines that FINMA has the power to access all records to carry out its tasks if needed. The supervisor also has similar access to the bank’s board, management and staff, when required. For instance, in the framework of supervisory reviews, additional records are accessed, and management and staff are interviewed.
EC8	The supervisor has a means of enforcing compliance with the requirement that the information be submitted on a timely and accurate basis. The supervisor determines-the appropriate level of the bank’s senior management is responsible for the accuracy of supervisory returns, imposes sanctions for misreporting and persistent errors, and requires that inaccurate information be amended.
Description and findings re EC8	Due to the Swiss supervisory approach, the prudential audit firm confirms annually if the bank or the banking group is compliant with applicable reporting requirements, and if deadlines were met. FINMA does not have explicit authority to sanction banks for misreporting.
EC9	The supervisor utilizes policies and procedures to determine the validity and integrity of supervisory information. This includes a programme for the periodic verification of supervisory returns by means either of the supervisor’s own staff or of external experts.25
Description and findings re EC9	In the framework of the annual regulatory audit, the external auditor confirms the accuracy of the quantitative data and the qualitative information reported to FINMA. Quantitative data is collected by the Swiss National Bank (SNB) for FINMA, and SNB performs verification checks. Art. 22 of the Federal Act on the Swiss National Bank determines that the prudential audit firm has to examine annually that banks are compliant with the duty to provide information.
EC10	The supervisor clearly defines and documents the roles and responsibilities of external experts,26 including the scope of the work, when they are appointed to conduct supervisory tasks. The supervisor assesses the suitability of experts for the designated task(s) and the quality of the work and takes into consideration conflicts of interest that could influence the output/recommendations by external experts. External experts may be utilized for routine validation or to examine specific aspects of banks’ operations.
Description and findings re EC10	Assessors saw examples of specific instructions for such reviews (e.g., to support model approval applications). These were extensive and clear. Assessors did extensive reviews of other supervisory files and internal instructions and methodology documents, as well as held discussion with FINMA staff, line supervisors, and representatives of audit firms and banks. These revealed a number of issues with how this approach works in practice, including that lack of specificity in supervisory guidance reduces the clarity of how regulatory auditors are interpreting these standards. These are covered and rated under CP9 (supervisory techniques and tools).
EC11	The supervisor requires that external experts bring to its attention promptly any material shortcomings identified during the course of any work undertaken by them for supervisory purposes.
Description and findings re EC11	Auditors are required to bring to FINMA’s attention material shortcomings. Assessors saw considerable evidence of this in practice, as it is embedded in the model of use of auditors.
EC12	The supervisor has a process in place to periodically review the information collected to determine that it satisfies a supervisory need.
Description and findings re EC12	Periodically, FINMA reviews its data collection and determines if this information still meets its needs. If not, modifications in scope and content are made. Assessors saw evidence of this in practice. Due to the time required for implementing changes FINMA also uses ad hoc focused reporting from major banks or groups of banks on specific topics from time to time.
Assessment re Principle 10	Compliant
Comments	While the use of different accounting standards reduces the potential comparability of supervisory reporting, the similarities in accounting in practice are not serious enough to undercut this compliant rating. FINMA should be given explicit authority to sanction banks for misreporting.
Principle 11	Corrective and sanctioning powers of supervisors. The supervisor acts at an early stage to address unsafe and unsound practices or activities that could pose risks to banks or to the banking system. The supervisor has at its disposal an adequate range of supervisory tools to bring about timely corrective actions. This includes the ability to revoke the banking license or to recommend its revocation.
Essential criteria
EC1	The supervisor raises supervisory concerns with the bank’s management or, where appropriate, the bank’s Board, at an early stage, and requires that these concerns be addressed in a timely manner. Where the supervisor requires the bank to take significant corrective actions, these are addressed in a written document to the bank’s Board. The supervisor requires the bank to submit regular written progress reports and checks that corrective actions are completed satisfactorily. The supervisor follows through conclusively and in a timely manner on matters that are identified.
Description and findings re EC1	Regulatory and supervisory shortcomings are addressed, and corrective action requested, both orally in supervisory meetings and in writing in supervisory assessment letters—These also contain the rating of the bank (a compressed version of the camels 1–9 rating scale). For institutions in category 1 and 2 (and category 3 banks that are medium or higher risk) assessment letters are annual. For lower risk category 3 banks the assessment letter is every second year, and there is no requirement for regular assessment letters for category 4 and 5 banks. Assessment letters would be sent if material issues warrant it. Banks get a copy of every annual or specific regulatory audit report including actions necessary. In addition to assessment letters, formal written communication occurs after any specific supervisory review conducted by FINMA. Corrective measures are monitored on the basis of written progress reports delivered to FINMA, typically on a monthly basis, but more frequent reporting is requested where appropriate, until the matter is resolved. Often regulatory follow up is done as part of the audit.
EC2	The supervisor has available27 an appropriate range of supervisory tools for use when, in the supervisor’s judgment, a bank is not complying with laws, regulations or supervisory actions, is engaged in unsafe or unsound practices or in activities that could pose risks to the bank or the banking system, or when the interests of depositors are otherwise threatened.
Description and findings re EC2	FINMA has specific tools and also uses its general authority (including authority to license institutions) to impose other conditions, short of formal enforcement actions, as a means of reducing risk and/or providing incentives for institutions to rectify problems. These include limits on business activity, Pillar 2 surcharges and other measures. The FINMA act also gives FINMA formal enforcement authority. This applies where a bank “violates provisions of the legislation or if there are other irregularities”. This follows an administrative procedure run by FINMA. The burden of proof is lower than in other proceedings. In situations where speedy action is necessary interim enforcement decrees are possible. Decrees are appealable on legal or procedural grounds, but not generally on the discretion of FINMA in interpreting regulatory standards or requirements. Assessors saw ample evidence that these provisions are used in practice. Decrees are not limited in what they can cover and can, for example be used if necessary to restrict or prohibit certain business activities, request management changes, set capital ratios, suspend shareholders’ voting rights or withdraw an institution’s license. FINMA confirmed to assessors that restrictions are normally possible without resorting to decrees or other formal enforcement mechanisms. FINMA does not have ability to impose monetary penalties. Assessors discussed this with FINMA staff and leadership. They believe that having this tool is not essential to achieving their mandate in bank supervision. In addition, to impose fines, higher standards of proof would likely be required than now needed for enforcement orders. Lastly, FINMA can (and does) refer serious matters for criminal enforcement, where fines are possible. Assessors are not aware of circumstances where achievement of prudential goals was undercut through lack of ability to impose fines. In addition, FINMA can confiscate profits made by supervised entities through serious violation of supervisory provisions. (Art. 35 FINMASA)
EC3	The supervisor has the power to act where a bank falls below established regulatory threshold requirements, including prescribed regulatory ratios or measurements. The supervisor also has the power to intervene at an early stage to require a bank to take action to prevent it from reaching its regulatory threshold requirements. The supervisor has a range of options to address such scenarios.
Description and findings re EC3	If an institution is, based on FINMA’s judgment, at risk of breaching general capital thresholds set by statutory law or individual capital thresholds set by FINMA, FINMA may intervene by requesting or requiring capital injections or other appropriate measures to improve capitalization. FINMA is authorized to take corrective measures if an institution does not meet capital requirements, up to and including revocation of license or institution of insolvency proceedings (see also principles 8 and 9). FINMA has experience of using these tools. The process is also applied in case of breach of liquidity thresholds.
EC4	The supervisor has available a broad range of possible measures to address, at an early stage, such scenarios as described in essential criterion 2 above. These measures include the ability to require a bank to take timely corrective action or to impose sanctions expeditiously. In practice, the range of measures is applied in accordance with the gravity of a situation. The supervisor provides clear prudential objectives or sets out the actions to be taken, which may include restricting the current activities of the bank, imposing more stringent prudential limits and requirements, withholding approval of new activities or acquisitions, restricting or suspending payments to shareholders or share repurchases, restricting asset transfers, barring individuals from the banking sector, replacing or restricting the powers of managers, Board members or controlling owners, facilitating a takeover by or merger with a healthier institution, providing for the interim management of the bank, and revoking or recommending the revocation of the banking license.
Description and findings re EC4	Depending on the gravity of a situation, the following actions are taken: 1. Regular intervention: FINMA will address the issue with the bank under its regular supervision, or if necessary with the special team focusing on intensive supervision. It may request the bank to take immediate corrective measures to restore compliance with the law and set time limits for the implementation. Such corrective measures might include the restriction of the current business activities of the bank (e.g., prohibition of business activities in certain markets), imposing more stringent prudential limits and requirements (e.g., capital or organizational requirements), withholding approval of new business activities or acquisitions (e.g., acquisitions of other business units/teams), restricting or suspending payments to shareholders or share repurchases, restricting asset transfers, barring individuals from the banking sector, and replacing or restricting the powers of managers, board members or controlling owners. If the bank does not implement the requested corrective measures, the issue will be further escalated under regular supervision and may lead to enforcement proceedings. 2. Enforcement: If (a) the bank does not implement the requested corrective measures under its regular supervision (b) it is apparent that the bank is unable or unwilling to implement the required corrective measures or (c) the situation poses immediate risks to the bank or the banking system or to the interests of depositors, FINMA will open administrative enforcement proceedings (Art. 30 Financial Market Supervision Act, FINMASA; see Enforcement policy). Interim measures: In enforcement proceedings, FINMA can order interim measures to safeguard the situation. In particular, FINMA can appoint an investigating agent to implement the required corrective measures (Art. 36 FINMASA). Depending on its mandate, the investigating agent has the authority to act for the bank instead of the former management (i.e., interim management). Final measures: In enforcement proceedings, FINMA can order the restoration of compliance with supervisory law (Art. 31 FINMASA). In this regard, FINMA has a technical discretion in deciding which corrective measures are required to restore compliance. In the past, FINMA has ordered banks to implement a wide range of corrective measures under this title. For example, FINMA has decided to restrict the cross-border activities of a bank or ordered the closing of branch offices in order to limit business risks. Furthermore, FINMA is able to impose prudential limits and requirements on a bank’s business, withhold approval of new activities or acquisitions, restrict or suspend payments to shareholders or share purchases and restrict asset transfers. FINMA may bar a person from acting in a management capacity in the banking sector for a period of up to five years if he/she is responsible for serious violation of supervisory law (Art. 33 FINMASA). Moreover, it can prevent a bank from engaging a person for a senior executive position, who does not provide assurance of proper business conduct (Art. 3 para let. c BA). FINMA may also replace or restrict the powers of managers or board members. In this regard, FINMA is authorized to appoint an investigating agent, as noted above. FINMA also may suspend the voting rights of controlling owners if their conduct is detrimental to the institution (Art. 23ter BA). Often a bank will implement the required corrective measures while the enforcement proceedings are still open. If this is the case, FINMA may still issue a declaratory ruling (Art. 32 FINMASA) and make its final ruling public (“name and shaming”, Art. 34 FINMASA). In addition, FINMA is authorized to disgorge profits made through a serious violation of the supervisory provisions (Art. 35 FINMASA). 3. Resolution: If a bank no longer fulfills the requirements for its activities or seriously violates the supervisory provisions, FINMA can revoke the bank’s license (Art. 37 Para 1 FINMASA). It will be dissolved. In this regard, FINMA may appoint one or several liquidators responsible for the interim management of the bank (Art. 33 Para 2 BA). As part of the restructuring of a bank (Art. 25 f. BA), FINMA may also facilitate a takeover by or merger with a healthier institution. Assessors reviewed the use of enforcement powers applying to banks with FINMA staff. It is clear that they are used in practice. Over the recent past there have been up to 20–25 bank exits a year, of which 3–4 have been involuntary through liquidation or enforcement action, and the rest through voluntary exit and M&A.
EC5	The supervisor applies sanctions not only to the bank but, when and if necessary, also to management and/or the Board, or individuals therein.
Description and findings re EC5	If necessary FINMA opens enforcement proceedings against individuals for violations of supervisory law. If it finds that a person is responsible for a serious violation of supervisory provisions, FINMA may prohibit this person from acting in a management capacity in the banking sector for a period of up to five years (Art. 33 FINMASA). This situation is far less frequent than actions against banks. In addition, if a person is involved in improper business conduct, FINMA may find that the person no longer provide assurance of proper business conduct (Art. 3 para 2 let. c BA) and is, therefore, unfit to serve as a senior executive officer in the banking sector. If FINMA has doubts regarding an individual’s ability to provide assurance of proper business conduct, it will issue a letter with this requirement to the individual where it deems such action to be warranted. The person will also be registered in a “Watch List”. Should the individual thereupon apply for an influential management position, FINMA will assess whether he/she is fit to serve in this specific position based on available evidence of past conduct.
EC6	The supervisor has the power to take corrective actions, including ring-fencing of the bank from the actions of parent companies, subsidiaries, parallel-owned banking structures and other related entities in matters that could impair the safety and soundness of the bank or the banking system.
Description and findings re EC6	FINMA is authorized to take corrective actions that are required to shield an institution from any financial or other risks connected to its parent company, affiliates, shareholders or other related entities (e.g., in parallel-owned banking structures). Such measures may include financial ring-fencing, additional capital requirements, restrictions on dividend payments or organizational measures (e.g., a management structure that is entirely or substantially independent of related entities). FINMA may also suspend the voting rights of a shareholder if their conduct is detrimental to the institution (Art. 23ter Banking Act). Certain of these measures have been used in recent years.
EC7	The supervisor cooperates and collaborates with relevant authorities in deciding when and how to effect the orderly resolution of a problem bank situation (which could include closure, or assisting in restructuring, or merger with a stronger institution).
Description and findings re EC7	FINMA has required the two major banks to prepare recovery and resolution plans, and has had extensive discussions with these banks of those plans. FINMA is assessing what changes in banks structure and operations are needed to enhance resolvability. FINMA has also lead supervisory crisis management colleges to consider these matters involving the U.S. and the U.K. FINMA is the liquidation authority for banks and has considerable experience in managing exits from the sector effectively over the recent past. Insolvency authority for FINMA is shortly to be extended to holding companies in financial groups. FINMA is also strengthening its effort over smaller banks.
Additional criteria
AC1	Laws or regulations guard against the supervisor unduly delaying appropriate corrective actions.
Description and findings re AC1	There is no explicit early intervention framework with defined timelines contained in laws or regulations. However under FINMA policies and procedures, banks rated below certain levels must be considered for special supervision and intervention. FINMA standard operating procedures define timelines within which, depending on the rating, supervisory actions shall be taken. FINMA is liable if it has committed a breach of fundamental duties (Art. 19 FINMASA), which provides an incentive to act.
AC2	When taking formal corrective action in relation to a bank, the supervisor informs the supervisor of non-bank related financial entities of its actions and, where appropriate, coordinates its actions with them.
Description and findings re AC2	FINMA is an integrated supervisory agency, including investment funds and insurance business. Therefore, awareness and coordination are implicit features by design, also with respect to the non-bank related entities of a bank (group or conglomerate). In addition, FINMA shares relevant information and cooperates with federal and cantonal prosecution authorities as well as other domestic regulators, such as the Federal Audit Oversight Authority, the Swiss National Bank, the Takeover Board, the self-regulatory organizations (SROs) under the Anti-Money Laundering Act (AMLA), the relevant bodies of the Swiss stock exchanges and the Competition Commission based on Swiss law.
Assessment re principle 11	Compliant
Comments
Principle 12	Consolidated supervision. An essential element of banking supervision is that the supervisor supervises the banking group on a consolidated basis, adequately monitoring and, as appropriate, applying prudential standards to all aspects of the business conducted by the banking group worldwide.28
Essential criteria
EC1	The supervisor understands the overall structure of the banking group and is familiar with all the material activities (including non-banking activities) conducted by entities in the wider group, both domestic and cross-border. The supervisor understands and assesses how group-wide risks are managed and takes action when risks arising from the banking group and other entities in the wider group, in particular contagion and reputation risks, may jeopardize the safety and soundness of the bank and the banking system.
Description and findings re EC1	FINMA law and regulations define a banking group as two or more companies at least one of which is active as a bank or securities dealer or they are active in the financial area or they form an economic unit. Financial conglomerates are banking or securities groups that also include an insurance company. In addition to the two large banks, FINMA supervises more than 100 Swiss banking groups or sub-groups. One of the two major banks operates in a holding company structure; the other is headed by a licensed bank. FINMA advised that for mid-size banks a typical structure would have one or more banks, and asset management companies under a holding company. Individual banks and financial institutions are licensed by FINMA. Under the legislation holding companies are not formally authorized but integrated into the consolidated supervision performed by FINMA. FINMA has several methods to ensure understanding of the group and its activities. The major source of information flows from the licensing process for authorized institutions, which approves internal corporate documents that set out the bank structure, business lines and geographic scope. As part of this process FINMA also requires this information related to the group structure. Changes in the structure of the bank and its entities, and changes in the group structure below the holdco require approval or notification. In addition, under Art. 3 para 7 BA and Art. 6b para 1 BO, banks must notify FINMA if they intend opening a subsidiary, a branch, an agency or a representation office in a foreign country. The information provided must refer to the business plan, the persons in charge of the management of the local entity, the local audit firm and the name of the host supervisor. This requirement for notification is extended by FINMA to holding companies as part of the licensing process of the banking entities in the group. As well, the regulatory audit reports at the conglomerate level must contain information on the up-to-date group structure. These reports must also contain information and opinions on such matters as: (a) adequacy of group corporate governance, (b) adequacy of measures in place in order to make sure that the requirements relating to capital, risk diversification and liquidity are observed at consolidated level, (c) adequacy of consolidated risk management and efficiency of central functions dedicated to control, mitigation and risk reporting, (d) adequacy of group internal audit, (e) adequacy of measures for ensuring compliance with Swiss and local prudential and behavior rules, notably anti-money laundering rules, (f) confirmation that intra-group exposures and commitments have been approved and are well-supervised, (g) confirmation that entities abroad are not used to get around Swiss provisions. Assessors review of these reports and discussion with FINMA staff and banks indicates that they have a good comprehension of group structures. FINMA legislation provides FINMA with a legal right to information on any entities that hold a direct or indirect majority participation in the bank. This is the legal basis for FINMA collection of information on the group from the holding and from its controlling entities if necessary. Risk profiles of groups are part of the regulatory audit process (see CP8/9). Assessors did not see examples where upstream non-financial risks or risks from non-financial affiliates of the bank were formally considered in risk assessments. These entities may or may not be part of the consolidated group but nevertheless need to be part of risk assessment. Risk assessment instructions to audit firms do not clearly require such an assessment. FINMA has experience in ring fencing part of a group. It also has limited its scope of consolidated supervision in certain cases, so that the group must limit its exposures to entities outside the scope of the consolidation.
EC2	The supervisor imposes prudential standards and collects and analyses financial and other information on a consolidated basis for the banking group, covering areas such as capital adequacy, liquidity, large exposures, exposures to related parties, lending limits and group structure.
Description and findings re EC2	The legal requirements with respect to groups are contained in the banking act and ordinances, with further expansion in certain FINMA circulars. The law subjects financial groups to FINMA supervision. FINMA does not have the power to license or authorize groups or group holding companies. However, under the banking act, FINMA can make its authorization of individual banks dependent on adequate consolidated supervision. FINMA uses this general power extensively. Art. 3f BA requires that financial groups must be organized such that the material risks are identified, controlled, and limited. The banking ordinance (Art. 14a) sets out that FINMA supervision at the group level is designed to determine (among other things): whether the group is appropriately organized, has an adequate internal control system, identifies limits and monitors risks appropriately, complies with provisions on capital adequacy and risk concentrations and has adequate liquidity. The group must have the same audit firm for all entities. In addition, the law requires that management and board at group level must be fit and proper and manage properly. The law provides for FINMA to apply rules on capital adequacy, liquidity, risk distribution and intra-group positions at group level, either in general or in individual cases. The law does not contain explicit qualitative requirements for risk management or internal control at group level. FINMA enforcement power (e.g., to issue formal orders or decrees) does not apply at the group level only to authorized institutions within the group. The power to appoint an agent to replace management does apply at group level. (see CP11) FINMA does not have direct authority to approve or stop foreign acquisitions made by a financial group by a Swiss-based financial group at the holdco level. FINMA does not have insolvency authority at the holding company level but this is planned to be added to the legislation in 2014. While not specified precisely in the legislation, as a general principle, the same supervision expectations of FINMA apply to a bank or securities dealer group on a consolidated basis as they do to a bank or securities dealer on an individual basis. Assessors discussed with FINMA extensively their ability to achieve desired prudential results at group level given the fact that their formal authority to operate directly at group level is less than in some jurisdictions. While FINMA does not have direct powers over the group, FINMA staff indicated that they have the ability and willingness to act at the level of the individual bank to achieve results. FINMA reports that lack of direct legal authority has not been a problem to date.
EC3	The supervisor reviews whether the oversight of a bank’s foreign operations by management (of the parent bank or head office and, where relevant, the holding company) is adequate having regard to their risk profile and systemic importance and there is no hindrance in host countries for the parent bank to have access to all the material information from their foreign branches and subsidiaries. The supervisor also determines that banks’ policies and processes require the local management of any cross-border operations to have the necessary expertise to manage those operations in a safe and sound manner, and in compliance with supervisory and regulatory requirements. The home supervisor takes into account the effectiveness of supervision conducted in the host countries in which its banks have material operations.
Description and findings re EC3	The audits and reports performed by audit firms include group-wide risk assessments and comment on the adequacy of the management’s oversight of a bank’s foreign operations. Subsidiaries abroad are required to report quantitative elements to the parent bank to be able to measure and report these elements at the group-wide level. If there are elements of hindrance in the host countries for the parent bank, this would be captured by the audit firms and addressed in their audit reports. In its position paper (2010) addressing legal and reputational risks in cross-border financial business, FINMA set out its expectations on these matters. In their audit reports, the audit firms report on the bank’s risk management with regard to cross-border activities. FINMA intends to focus more on assessing whether supervised institutions are aware of the risks inherent in their cross-border operations and take appropriate measures to mitigate them. FINMA regularly meets with host authorities, shares information with them and takes into account the effectiveness of supervision conducted in countries in which Swiss banks have material operations. (see CP13)
EC4	The home supervisor visits the foreign offices periodically, the location and frequency being determined by the risk profile and systemic importance of the foreign operation. The supervisor meets the host supervisors during these visits. The supervisor has a policy for assessing whether it needs to conduct on-site examinations of a bank’s foreign operations, or require additional reporting, and has the power and resources to take those steps as and when appropriate.
Description and findings re EC4	Periodic on-site examinations of foreign offices are mainly made by the audit firms as part of their regulatory report. At large Swiss banks, FINMA also occasionally visits foreign offices or performs on-site supervisory reviews. The frequency of on-site examinations of a bank’s foreign operations depends on the one hand on how substantial the foreign operations are for the banking group and on the other hand on the risk assessment relating to those foreign operations. Assessors discussed FINMA practice in this regard. FINMA recognizes that foreign affiliates of recognized audit firms may have less familiarity with FINMAs regulatory expectations of them in assessing Swiss banks foreign operations. Assessors also gained the impression from these discussions that resource constraints are a reason for the limited number of FINMA on-site reviews of foreign operations.
EC5	The supervisor reviews the main activities of parent companies, and of companies affiliated with the parent companies, that have a material impact on the safety and soundness of the bank and the banking group, and takes appropriate supervisory action.
Description and findings re EC5	FINMAs focus on this is informal on a case-by-case basis.
EC6	The supervisor limits the range of activities the consolidated group may conduct and the locations in which activities can be conducted (including the closing of foreign offices) if it determines that: (a) the safety and soundness of the bank and banking group is compromised because the activities expose the bank or banking group to excessive risk and/or are not properly managed; (b) the supervision by other supervisors is not adequate relative to the risks the activities present; and/or (c) the exercise of effective supervision on a consolidated basis is hindered.
Description and findings re EC6	FINMA takes account of these aspects in the ongoing licensing process which considers changes in business structure, scope and geographic location. FINMA has well developed ability to assess quality of supervision in other jurisdictions. FINMA does not have the legal power to directly require the closing of foreign offices but it has the ability to reach this goal by other means. FINMA’s most important tool in this regard is its discretionary ability to require more capital (i.e., in the case of a subsidiary with excessive risks) or to make a statement that the bank/group is not complying with general requirements (i.e., if there is no appropriate control of the group on one of its subsidiaries).
EC7	In addition to supervising on a consolidated basis, the responsible supervisor supervises individual banks in the group. The responsible supervisor supervises each bank on a standalone basis and understands its relationship with other members of the group.29
Description and findings re EC7	As a general principle, the same supervision/regulations apply to a bank or securities dealer group on a consolidated basis as do to a bank or securities dealer at single entity level. Hence, quantitative and qualitative elements as described in description and findings re EC2 are also supervised on a stand-alone basis. Since capital adequacy and large exposure requirements must be complied with on a stand-alone basis, at the consolidated bank level (sub-consolidation) and bank group level, the requirement that all entities in a banking group are supplied with adequate capital according to the allocation of risks must also be fulfilled (see also principle 16, AC2).
Additional criteria
AC1	For countries which allow corporate ownership of banks, the supervisor has the power to establish and enforce fit and proper standards for owners and senior management of parent companies.
Description and findings re AC1	In Switzerland, corporate ownership of banks is possible. Art. 3 para 2 let. C bis BA states that persons or entities who have directly or indirectly 10 percent or more of capital or voting rights or can exercise a significant influence on the bank (i.e., qualified shareholders) must give the guarantee that their influence will not endanger the prudent and sound management of the bank. When FINMA grants a license to a new bank, it examines very closely the nature, identity and possible influence of every qualified shareholder. Recognized banks must send an updated list of the direct and indirect qualified shareholders to FINMA every year. The external auditors, in the context of the prudential audit, must comment every year in their long form reports on the relations of the banks with the qualified shareholders, confirm that the latter do not exercise any negative influence and also confirm that economic transactions are “at arm’s length.”
Assessment of Principle 12	Compliant
Comments	FINMA consolidated supervision is of high quality, as regulation, monitoring and reporting cover groups comprehensively. Risk assessments, however, need to be extended to formally consider risks arising to the group from non-financial entities upstream from the group or from non-financial affiliates. While the legal framework is not as clear as it could be, FINMA is able to achieve its goals indirectly in those cases. Experience in other jurisdictions suggests that, in extremis, the power to act at the level of the individual institution may not be enough to achieve group-wide results. As a preventative measure, the law should be strengthened to allow interim and permanent enforcement decrees to be applied at the holding company level.
Principle 13	Home-host relationships. Home and host supervisors of cross-border banking groups share information and cooperate for effective supervision of the group and group entities, and effective handling of crisis situations. Supervisors require the local operations of foreign banks to be conducted to the same standards as those required of domestic banks.
Essential criteria
EC1	The home supervisor establishes bank-specific supervisory colleges for banking groups with material cross-border operations to enhance its effective oversight, taking into account the risk profile and systemic importance of the banking group and the corresponding needs of its supervisors. In its broadest sense, the host supervisor who has a relevant subsidiary or a significant branch in its jurisdiction and who, therefore, has a shared interest in the effective supervisory oversight of the banking group, is included in the college. The structure of the college reflects the nature of the banking group and the needs of its supervisors.
Description and findings re EC1	FINMA organizes a considerable number of supervisory colleges as home supervisor for UBS and Credit Suisse Group. Key foreign supervisors are the US and UK and in addition to colleges there are extensive regular communication. FINMA staff confirmed to assessors that they are satisfied with the information flow to them as home supervisor from host authorities and to them as host.
EC2	Home and host supervisors share appropriate information on a timely basis in line with their respective roles and responsibilities, both bilaterally and through colleges. This includes information both on the material risks and risk management practices of the banking group30 and on the supervisors’ assessments of the safety and soundness of the relevant entity under their jurisdiction. Informal or formal arrangements (such as memoranda of understanding) are in place to enable the exchange of confidential information.
Description and findings re EC2	FINMA MOUs are focused on supervisory authorities in countries with whom there is an extensive exchange of information due to the large number of cross-border branch offices of supervised institutions. These memoranda of understanding specify cooperation and procedures within the statutory framework (Arts. 42 and 43 FINMASA, Art. 23septies BA, Arts. 38 and 38a SESTA, Art. 143 CISA). FINMA is also legally authorized to cooperate with a foreign supervisory authority even in the absence of a specific agreement between the two. If the cooperation involves the exchange of confidential data, FINMA generally requires an ad-hoc declaration from the requesting supervisory authority stipulating that the information may only be used for the direct supervision of the regulated institutions, that the supervisory authority is bound by official or professional confidentiality provisions, and that the information may not be published or passed on to other authorities and bodies, including other supervisory or criminal prosecution authorities, without the prior consent of FINMA. FINMA processes appear effective and well used, both in its role as home and host supervisor.
EC3	Home and host supervisors coordinate and plan supervisory activities or undertake collaborative work if common areas of interest are identified in order to improve the effectiveness and efficiency of supervision of cross-border banking groups.
Description and findings re EC3	National and international cooperation is one of FINMA’s five strategic goals. Collaborative work is conducted from time to time. In 2011 and 2012, U.K. FSA conducted in depth on-site reviews focused on identifying and supervising politically exposed persons (PEPs) at U.K. banking groups. In collaboration with U.K. FSA, FINMA performed comparable work at Swiss subsidiaries and branches of U.K. banking groups to be able to share the results with the U.K. FSA and to address if necessary the need of improvement in the whole group. FINMA also performs joint reviews together with the Federal Reserve Bank of New York (FRBNY) and the U.K. regulator (U.K. PRA).
EC4	The home supervisor develops an agreed communication strategy with the relevant host supervisors. The scope and nature of the strategy reflects the risk profile and systemic importance of the cross-border operations of the bank or banking group. Home and host supervisors also agree on the communication of views and outcomes of joint activities and college meetings to banks, where appropriate, to ensure consistency of messages on group-wide issues.
Description and findings re EC4	As a follow-up to the supervisory colleges, FINMA provides feedback to the bank on the issues discussed by the regulators. In the case of joint audits, the letter presenting the findings is initially discussed between the regulators involved before being communicated to the bank. Furthermore, in the context of projects involving several authorities, common update meetings are held where all authorities participate.
EC5	Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities, develops a framework for cross-border crisis cooperation and coordination among the relevant home and host authorities. The relevant authorities share information on crisis preparations from an early stage in a way that does not materially compromise the prospect of a successful resolution and subject to the application of rules on confidentiality.
Description and findings re EC5	FINMA has established Crisis Management Colleges for Credit Suisse and UBS. It is developing a global resolution strategy with the key host regulators for both banks based on a single point of entry approach. The resolution plans are expected to become the basis of any future cooperation and coordination arrangement which FINMA will therefore conclude as soon as the resolution plans are in a stable condition. In the interim, FINMA continues to be able and willing to exchange information on resolution planning and resolution actions in accordance with its laws and regulations and will use for that purpose the existing supervisory arrangements on cooperation and information exchange. In addition, FINMA works towards establishing institution-specific cooperation agreements which will go further and, in particular, strive to set modalities for mutual recognition of resolution measures and supportive actions.
EC6	Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities and relevant host authorities, develops a group resolution plan. The relevant authorities share any information necessary for the development and maintenance of a credible resolution plan. Supervisors also alert and consult relevant authorities and supervisors (both home and host) promptly when taking any recovery and resolution measures.
Description and findings re EC6	FINMA has shared the recovery plans provided by both Swiss G-SIB and information on resolution received from the banks with the Crisis Management College members. The resolution plans will also be shared among these authorities once they have been finalized. The resolution plans specify how both home and host authorities will interact with each other and coordinate the resolution process if the resolution triggers are hit either in home or host jurisdictions.
EC7	The host supervisor’s national laws or regulations require that the cross-border operations of foreign banks are subject to prudential, inspection and regulatory reporting requirements similar to those for domestic banks.
Description and findings re EC7	FINMA authority, reporting and requirements for adherence to laws and circulars that apply to domestic banks also apply to foreign banks established in Switzerland. FINMA in licensing foreign banks participation in the Swiss market also pays particular attention to the prudential standards and supervisory approach in the home country. Assessors discussed this with licensing authorities. It was clear from the discussions that FINMA takes these assessments very seriously, has enhanced them post crisis, and uses its authority as necessary to deny licenses or take other actions.
EC8	The home supervisor is given on-site access to local offices and subsidiaries of a banking group in order to facilitate their assessment of the group’s safety and soundness and compliance with customer due diligence requirements. The home supervisor informs host supervisors of intended visits to local offices and subsidiaries of banking groups.
Description and findings re EC8	Under Art. 43 para 2 FINMASA, FINMA may permit foreign authorities responsible for financial market supervision to carry out direct audits at Swiss establishments of foreign institutions, provided these authorities: are responsible for the consolidated supervision of the audited institutions as part of home country supervision; are bound by official or professional secrecy; and will only use the information for the direct supervision of foreign institutions and not pass it on to other authorities without general authorization in an international treaty or FINMA’s prior consent. The group’s safety and soundness and compliance with customer due diligence requirements can be assessed through on-site visits. However, Art. 23septies BA does not grant the foreign supervisor direct access to information which directly or indirectly relates to asset management or deposit activities for specific customers (private banking carve-out). The review therefore has to be conducted on a no-name basis or by a Swiss audit firm that takes the above-mentioned Article into consideration. Individual client files can be accessed after any client-identifying data has been redacted. If necessary, FINMA will collect the client-identifying data and transmit it via administrative assistance. In practice, foreign home supervisors from time to time conduct on-site inspection on Swiss local offices and subsidiaries of their banking groups.
EC9	The host supervisor supervises booking offices in a manner consistent with internationally agreed standards. The supervisor does not permit shell banks or the continued operation of shell banks.
Description and findings re EC9	Not applicable to Switzerland (no existing shell banks).
EC10	A supervisor that takes consequential action on the basis of information received from another supervisor consults with that supervisor, to the extent possible, before taking such action.
Description and findings re EC10	As described in the preceding ECs, FINMA works in close contact with other supervisors through various channels. Before taking supervisory action based on information received from another supervisor, FINMA always consults with that supervisor.
Assessment of Principle 13	Compliant.
Comments	FINMA has well developed relations with key foreign supervisors of the largest banks. Use of audit firms’ global networks increases FINMA reach. The issues with depth and breadth of supervisory coverage on the largest banks are taken into account in grades for CP8/9. It also covers recommendations for additional offshore supervision.

B. Prudential Regulations and Requirements

Principle 14	Corporate governance. The supervisor determines that banks and banking groups have robust corporate governance policies and processes covering, for example, strategic direction, group and organizational structure, control environment, responsibilities of the banks’ Boards and senior management,31 and compensation. These policies and processes are commensurate with the risk profile and systemic importance of the bank.
Essential criteria
EC1	Laws, regulations or the supervisor establish the responsibilities of a bank’s Board and senior management with respect to corporate governance to ensure there is effective control over the bank’s entire business. The supervisor provides guidance to banks and banking groups on expectations for sound corporate governance.
Description and findings re EC1	Through regulation, guidance, and supervisory practice, FINMA sets expectations for the board and senior management in respect of exercising the effective control of the institution’s business and operations. For example, FINMA Circular 08/24, Supervision and internal controls – banks set outs specific expectations, including oversight by the board of directors and its committees. A key building block in FINMA’s overall governance approach is the requirement under the banking law for sound and proper conduct of business (“Gewähr”), the responsibility for which lies with the board of directors and management. In addition to other legal sources applicable to all Swiss companies (e.g., requirements in the Swiss Code of Obligations (CO) regarding the duties of the board of directors and that of external auditors to check the existence of an internal control system in each company), the citations listed below are to key laws and ordinances specific for banks containing governance-related provisions. Further, the Swiss Stock Exchange’s additional governance obligations apply to banks which are listed publicly. Art. 3 Banking Act (BA) Art. 8 and 9 Banking Ordinance (BO) Relevant circulars include: FINMA Circular 08/24, Supervision and internal controls – banks FINMA Circular 08/21, Operational risks – banks FINMA Circular 08/20, Market risks – banks FINMA Circular 08/19, Credit risks – banks To further deepen the board’s understanding of FINMA’s expectations, FINMA published frequently asked questions (FAQs) in October 2012. These contain summaries of requirements in laws, ordinances and circulars, and additional more detailed guidance. The law requires a minimum board size of three persons and specifies that management members may not be board members. FINMA circulars 08/24 establish independence criteria and specify that at least one-third of board members must be independent. Members appointed by Cantons to cantonal bank boards are independent if they are not part of the cantonal administration or government and do not receive instructions from the canton. FINMA circulars require board members to have ‘technical’ expertise, experience and continual availability. The frequently asked questions goes farther to require specialist expertise, experience in banking and finance, and to note that the board as a whole should have adequate representation of skills in finance and accounting, risk management, and compliance, as well as in the areas of business operations. Examination of the board qualifications for a number of mid-size banks (and discussion with FINMA and with smaller banks) suggest that often these specific skills are not easily identifiable, or are being met by persons with legal or audit experience in the financial sector. The circulars require the board to bear responsibility for establishment, maintenance, oversight of an appropriate internal control framework tailored to the size complexity, structure and risk profile of the institution. There are also requirements for regular discussion of risks with management. In some smaller and mid-size institutions this occurs formally only once or twice a year. Many of the requirements in circulars are also at a high level. For example the FAQs indicate that the board must define a risk appetite, and this is referred to in several circulars, but there is little or no guidance as to what it should contain. Guidance overall covers responsibilities and desired characteristics of boards but does not contain expectations on effective behaviors for boards, as is increasingly the case in leading jurisdictions. FINMA decided not to proceed with comprehensive guidance on corporate governance.
EC2	The supervisor regularly assesses a bank’s corporate governance policies and practices, and their implementation, and determines that the bank has robust corporate governance policies and processes commensurate with its risk profile and systemic importance. The supervisor requires banks and banking groups to correct deficiencies in a timely manner.
Description and findings re EC2	FINMA’s supervision in the corporate governance area takes several forms. It includes: (1) Reviews made by FINMA during the licensing process which focuses on the fit and proper requirements and considers board members on appointment (2) FINMA’s specific reviews of particular areas may consider governance aspects. Assessors were told that the governance aspect most frequently considered is the information going to the board. FINMA staff indicated to assessors that none of those reviews recently are explicitly directed at governance, and FINMA has not conducted theme reviews of governance practices or board operations and effectiveness. FINMA has conducted several reviews of compensation and this has included the role of remuneration committees. (3) Annual assessments by external auditors which include governance-related areas carried out pursuant to FINMA’s approach to supervision. A review-level engagement annually is sufficient. Assessors discussed the work auditors do in this regard and the nature of the opinion they are required to provide to FINMA. It does not amount to a review of effectiveness. Also since auditors reviews are targeted to formal requirements, lack of adherence those contained in instruments like FAQs may not be identified in auditor’s work. The continuous supervisory process for the two major institutions includes regular highlevel meetings with the Chairman of Board of Directors (BoD) and other BoD members as well as periodic meetings with the BoD Risk Committee and other relevant risk committees. FINMA senior staff also meet annually with the boards of important mid-size institutions. This assists FINMA to gain insights into board effectiveness. For banks in categories 2-3 these meetings are not directed to determining effectiveness, according to what staff told assessors. FINMA does not have a dedicated corporate governance specialist group. Rather, it works with an expert group approach bringing together members from various departments. Identified gaps and deficiencies in the governance area are required to be remediated by the institution and are followed up by FINMA.
EC3	The supervisor determines that governance structures and processes for nominating and appointing Board members are appropriate for the bank and across the banking group. Board membership includes experienced non-executive members, where appropriate. Commensurate with the risk profile and systemic importance, Board structures include audit, risk oversight and remuneration committees with experienced non-executive members
Description and findings re EC3	FINMA expects a distinct separation between the board of directors and management. For banks, this does not permit members of the board of directors to be members of management of the same legal entity. This includes prohibiting the CEO to be chairman of the board or otherwise be a member of the board of directors. Banks are expected to select board members who meet FINMA’s expectations as noted in EC1 and in respect of experience and other suitability factors, as further set out under the comments to EC4 below. FINMA must be notified of potential board appointments and considers their appropriateness. Audit committees are required above a minimum size of bank and they must have a majority of independent members. Separate risk committees are not required. Major banks in category one or two have separate risk committees. For the approximately 30 banks in category 3 (which includes most cantonal banks), 22 had either no separate risk committee or risk and audit were combined. Below category 3 separate risk committees are rare. Assessors reviewed the published board backgrounds of a number of mid size banks, including several cantonal banks. They also discussed FINMAs approach to desired board skillset. Clearly-demonstrated experience in risk management or banking was not common, and appeared frequently to be met by persons with previous bank audit experience. Certain banks that assessors met indicated that they were looking for board members with more ability to go into risks and risk appetite. Observers suggested there appears to be significant variation across cantonal banks in influence of the local cantonal government. Considerable progress has been made over the past two years as FINMA continues to promote sound governance.
EC4	Board members are suitably qualified, effective and exercise their “duty of care” and “duty of loyalty”.32
Description and findings re EC 4	All members of the board of directors, individually and as a whole, must be fit and proper, and possess the necessary skills and know-how as well as sufficient experience to carry out their oversight duties. Duty of care The duty of care and loyalty of members of the board of directors is enshrined in the Swiss Code of Obligations (“Obligationsrecht”) applicable to all companies (Art. 717). It is further supported, inter alia, by the requirement set out in the Swiss Banking Act for the sound and proper conduct of business (“Gewähr”), the responsibility for which lies with the board of directors and management. FINMA considers fitness and propriety of board of directors and senior management members: when reviewing new applications for licenses; in case of changes of functions or individuals in such positions; following irregularities or evidence of non-fulfillment of duties. This is a consideration of experience and soundness of reputation. There is no specific fit and proper test for individual members. FINMA enforcement powers allow removal of board members. FINMA has intervened in specific cases where it believed individual appointments were not appropriate.
EC5	The supervisor determines that the bank’s Board approves and oversees implementation of the bank’s strategic direction, risk appetite33 and strategy, and related policies, establishes and communicates corporate culture and values (e.g., through a code of conduct), and establishes conflicts of interest policies and a strong control environment.
Description and findings re EC5	Strategic direction, risk appetite and risk policy Determining and overseeing the implementation of overall company strategy is the responsibility of the board of directors. FINMA also expects the board to approve a risk policy, define the risk appetite and key risk limits, and periodically review the adequacy of the company’s risk approach, including managing and mitigating risks. Guidance does not explicitly cover the board role in setting codes of ethics, or cultural matters and some of the expectations are only in frequently asked questions on FINMAs website. FINMA has interacted with banks where breakdowns have been identified as due in part to risk culture issues, and monitors cultural change programs. Assessors reviewed examples of actual practice and discussed this with FINMA and auditors. Below Category 2, formal risk appetite statements are not common. There may be more general statements of risk philosophy in some banks, and focus on a few key limits at board level, such ensuring that stress losses under pre-defined scenarios do not put capital below specified triggers or do not result in more than a quarter’s loss. As in other jurisdictions, explicitly linking risk and strategy can be challenging for smaller and mid-size banks. Conflicts of interest FINMA expects the board of directors to regulate how conflicts of interest are dealt with and sets out when members are obliged to withdraw from deliberations on certain matters. Existing and prior interests are to be disclosed, and conflicts of interest must be effectively resolved. Mandates and business relationships that may potentially lead to conflicts of interest or damage the institution’s reputation are to be avoided.
EC6	The supervisor determines that the bank’s Board, except where required otherwise by laws or regulations, has established fit and proper standards in selecting senior management, maintains plans for succession, and actively and critically oversees senior management’s execution of Board strategies, including monitoring senior management’s performance against standards established for them.
Description and findings re EC6	Suitability of senior managers FINMA expects members of the management board to meet similar fitness and propriety standards as those for the board of directors (see answer to EC 4 above). The board of directors provides oversight in this regard to ensure appropriate individuals occupy senior management positions. Under the Swiss Code of Obligations (Art. 716), the board of directors has the duty to select the members of senior management (e.g., usually of the management board, executive committee or similar). Supervision of management Part of the duty of oversight by the board of directors is to supervise management, including their execution of board-approved strategies and quality of performance. Succession planning Succession plans are expected both for the board of directors and senior management in category 1 and 2 banks. These are reviewed from time to time by FINMA in the course of its supervision. The annual meeting that FINMA has at board level with other institutions is an opportunity to discuss succession planning.
EC7	The supervisor determines that the bank’s Board actively oversees the design and operation of the bank’s and banking group’s compensation system, and that it has appropriate incentives, which are aligned with prudent risk taking. The compensation system, and related performance standards, are consistent with long-term objectives and financial soundness of the bank and is rectified if there are deficiencies.
Description and findings re EC7	Board of Directors oversight FINMA Circular 10/1 Minimum standards for remuneration schemes of financial institutions, (Remuneration schemes) issued in 2009, requires board of director’s oversight of the design and operation of an institution’s compensation system. In its supervision of the remuneration practices of significant financial institutions, a key FINMA focus is reviewing the extent and quality of direct board of directors’ oversight of the remuneration system as required in the FINMA Remuneration Circular. To this end, FINMA’s engagement with each significant financial institution includes the Chair of the Remuneration Committee of the board of directors. Where in its supervision FINMA identifies gaps or deficiencies at an institution, FINMA expects that those which are material will be remedied under the oversight of the board of directors of the institution. FINMA monitors the progress of such remediation. A number of the specific review done by FINMA in 2012 and so far in 2013 are directed at this issue. Alignment with risk, financial soundness and long-term orientation The Circular is consistent with the FSB Remuneration Principles and also specifies that a) the appropriateness of incentives, b) alignment with risk, c) long-term orientation, and d) alignment with capital, liquidity and other financial soundness considerations are taken into account. Other It merits mentioning that the above supervisory activities are carried out by joint work of the FINMA supervisory team for each institution and a dedicated senior-level FINMA-wide resource responsible for remuneration and corporate governance. This allows for more in-depth and consistent supervision and assessments. FINMA is an active participant in the FSB Compensation Monitoring Group.
EC8	The supervisor determines that the bank’s Board and senior management know and understand the bank’s and banking group’s operational structure and its risks, including those arising from the use of structures that impede transparency (e.g., special-purpose or related structures). The supervisor determines that risks are effectively managed and mitigated, where appropriate.
Description and findings re EC8	Structures and risks FINMA’s expectations of board of directors’ oversight include their understanding of the corporate and operational structure, as well as the institution’s specific risks. FINMA interacts extensively with boards of the two major institutions and that would permit them to judge these aspects. They are not formally included in FINMAs supervisory methodology. FINMA contacts with boards of other banks are less extensive and are less likely to permit such assessments.
EC9	The supervisor has the power to require changes in the composition of the bank’s Board if it believes that any individuals are not fulfilling their duties related to the satisfaction of these criteria.
Description and findings re EC9	FINMA’s powers include being able to require change where an individual does not meet the fitness and propriety expectations or has failed to live up to the expectations for sound management of the business (Gewähr). For more details, please refer to Principle 11.
Additional criteria
AC1	Laws, regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material and bona fide information that may negatively affect the fitness and propriety of a bank’s Board member or a member of the senior management.
Description and findings re AC1	Among other legal sources, a bank is required under Art. 29 para 2 FINMASA to inform FINMA without delay of any matter which may be of material significance for the bank. This would include any circumstances that materially adversely affect the suitability of persons on the board of directors or senior management.
Assessment of Principle 14	Largely Compliant
Comments	FINMA practice in the governance area is evolving. Formal guidance is fundamentally sound, but is incomplete vis-à-vis a number of important matters in this CP such as having risk and banking expertise on the board and the expectations of effective behaviors and key elements such as risk appetite statements. In practice the supervisory review process makes up for some of these deficiencies but it is unclear how much that occurs on a consistent basis for smaller and mid-size banks. It should be updated to add more specificity. FINMA has advised it plans to do this in the course of 2014. Rules, governance practices, and supervisory practice are well developed for the major banks but supervision should be more structured and regular in assessing governance effectiveness. Supervisory practice needs to be enhanced in assessing boards of mid-size and smaller institutions. Use of theme reviews conducted by FINMA, and more explicit requirements on auditors, would help in this regard. Certain basic corporate governance standards applying to mid-size institutions, such as the proportion of independent directors, requirements for separate risk committees, and banking and risk expertise need to be enhanced in formal guidance and reviewed systematically in supervisory practice. The practice in a number of major mid-size banks of the CRO not being a member of the executive committee should be reviewed. Consideration could be given to gradually raising the requirements for the proportion of independent directors.
Principle 15	Risk management process. The supervisor determines that banks34 have a comprehensive risk management process (including effective Board and senior management oversight) to identify, measure, evaluate, monitor, report and control or mitigate35 all material risks on a timely basis and to assess the adequacy of their capital and liquidity in relation to their risk profile and market and macroeconomic conditions. This extends to development and review of contingency arrangements (including robust and credible recovery plans where warranted) that take into account the specific circumstances of the bank. The risk management process is commensurate with the risk profile and systemic importance of the bank.36
Essential criteria
EC1	The supervisor determines that banks have appropriate risk management strategies that have been approved by the banks’ Boards and that the Boards set a suitable risk appetite to define the level of risk the banks are willing to assume or tolerate. The supervisor also determines that the Board ensures that: (a) a sound risk management culture is established throughout the bank; (b) policies and processes are developed for risk-taking, that are consistent with the risk management strategy and the established risk appetite; (c) uncertainties attached to risk measurement are recognized; (d) appropriate limits are established that are consistent with the bank’s risk appetite, risk profile and capital strength, and that are understood by, and regularly communicated to, relevant staff; and (e) senior management takes the steps necessary to monitor and control all material risks consistent with the approved strategies and risk appetite.
Description and findings re EC1	Requirements for sound risk management in Switzerland are a combination of high level, generally-worded principles in formal banking laws and ordinances (e.g., Art. 9 Banking ordinance) coupled with more detailed guidance in selective areas. Guidance is expressed in circulars (esp. FINMA circular 08/24) and in FINMA frequently asked questions, disseminated on FINMAs web site. In general, the degree of qualitative guidance on risk management is considerably less detailed and comprehensive than would be found in many other jurisdictions. Overall, FINMA expects that boards will formulate a suitable risk policy, define risk appetite and monitor adherence to it, oversee putting in place of an effective risk management system for controlling overall risks, and regularly review suitability of risk policy and risk appetite. Management is responsible for the design and operation of appropriate, effective, risk and internal control system. There is no single document that describes the desired characteristics of a comprehensive risk management system. In certain risk areas there are qualitative standards that are derived from Basel sound practice documents or generally match them, or there are official references to these documents. In other areas (e.g., credit risk) these are missing, though Basel sound practice papers have been used in previous thematic regulatory audit reviews (such as for credit risk in 2002, and FINMA staff believes that these are understood to continue to apply). Compliance with laws and circulars is performed by recognized audit firms as part of the regulatory audit. As noted in CP8/9 auditors are instructed to determine if risk management is “appropriate”. Review of illustrative reports and discussion with auditors suggests that there can be uncertainty and inconsistency about what this means in practice. Standards set by FINMA for auditors reporting contain sections on individual risk categories (credit, market, operational liquidity, etc.) but do not contain a section for assessment of overall risk management where issue like comprehensiveness, extent of integration of analysis across risk categories, cross risk data aggregation and so on would normally be included. Assessors reviewed audit approaches and reports and discussed this process with FINMA and with regulatory auditors. The extent and nature of work performed, and the basis for conclusions, is unclear in reports submitted to FINMA that assessors reviewed. FINMA has access to programs and working papers where this can be found. Assessors also discussed the state of board involvement in risk management. While the two large banks and some mid-size banks have well-developed risk appetite frameworks with links to strategies, others do not. In addition, in supervisory work, it can often be the case that risk management deficiencies can be identified that are not material now but are a signal of a deeper root cause that needs rectifying for risk management to be effective. As auditors are being asked to determine whether they can express an unreserved opinion, these type of matters or root cause analysis may not be adequately flagged in regulatory auditors’ reports so supervisory staff has a chance to assess them. The audit circular removes materiality assessments from the audit opinion process and requires reporting of all matters to FINMA (who has to decide on seriousness). But regulatory reports and related FINMA assessments under the new approach were not available to assessors to see it working in practice, since it only started in 2013.
EC2	The supervisor requires banks to have comprehensive risk management policies and processes to identify, measure, evaluate, monitor, report and control or mitigate all material risks. The supervisor determines that these processes are adequate: (a) to provide a comprehensive “bank-wide” view of risk across all material risk types; (b) for the risk profile and systemic importance of the bank; and (c) to assess risks arising from the macroeconomic environment affecting the markets in which the bank operates and to incorporate such assessments into the bank’s risk management process.
Description and findings re EC2	See general answer to EC1. These matters are covered explicitly at a high level in FINMA Circular 08/24 (see paragraph 10), the audit standards (FINMA Circular 13/3) and FINMA-mandated template include a mandatory assessment of the adequate management of credit risks, market risks, operational risks and other risks. Assessors discussed with FINMA and with banks the state of risk management, and reviewed several aspects in audit reports and with auditors. All concurred that major Swiss banks, like other major international banks, continue to face challenges in comprehensive timely aggregation of risk positions and related data, adequately linked to the entities G/L, for purposes of risk measurement. For some banks this challenge remains material and will for some time. FINMA has not itself conducted reviews in this area.
EC3	The supervisor determines that risk management strategies, policies, processes and limits are: (a) properly documented; (b) regularly reviewed and appropriately adjusted to reflect changing risk appetites, risk profiles and market and macroeconomic conditions; and (c) communicated within the bank. The supervisor determines that exceptions to established policies, processes and limits receive the prompt attention of, and authorization by, the appropriate level of management and the bank’s Board where necessary.
Description and findings re EC3	See general answer to EC1 and EC2.
EC4	The supervisor determines that the bank’s Board and senior management obtain sufficient information on, and understand the nature and level of risk being taken by the bank and how this risk relates to adequate levels of capital and liquidity. The supervisor also determines that the Board and senior management regularly review and understand the implications and limitations (including the risk measurement uncertainties) of the risk management information that they receive.
Description and findings re EC4	See general answer to EC1. FINMA Circular 08/24 margin Nos. 121–126 define supervisory standards that cover the requirements for risk and internal control having necessary information to monitor risks and supervisory expectations re risk reporting to the board and senior management. Margin Nos. 42 and 43 require that the executive board is responsible for capital planning and the board of directors has to approve a capital planning at least annually. Requirements for relating capital to risk are contained in the capital ordinance, and liquidity reporting requirements are contained in the liquidity ordinance. An assessment of compliance with these requirements is part of a regular audit. The executive board must be involved closely in the stress-testing process and stress-testing results have to be communicated to the board of directors at least annually (FINMA Circular 13/6, Art. 44). The board of directors is required to make a statement on liquidity risk appetite/tolerance (Art. 6, para 1 LO, FINMA Circular 13/6 Arts. 13 and 14). Regulatory auditors review board and senior management reporting and determine that it is appropriate.
EC5	The supervisor determines that banks have an appropriate internal process for assessing their overall capital and liquidity adequacy in relation to their risk appetite and risk profile. The supervisor reviews and evaluates banks’ internal capital and liquidity adequacy assessments and strategies.
Description and findings re EC5	FINMA pays considerable attention to the capital adequacy assessment process, which is understandable given the general importance of focusing on capital in the Swiss regulatory and supervisory system. For the capital adequacy assessment process the relevant pieces of guidance are FINMA Circular 11/2 and CAO. For small and medium-sized banks (categories 2–5), FINMA Circular 11/2 Margin Nos. 2, 10, 44, 45; for large banks (category 1), Articles 41–45 CAO while Articles 128–132 describe the requirements in terms of the internal capital adequacy assessment process as well the supervisor’s expectations. In-depth supervisory discussions occur particularly during the capital planning approval process. Due to their complexity, an additional review process has been established for the two large banks. On a quarterly frequency, FINMA organizes technical discussions on the methodologies underpinning the internal capital adequacy assessment process (both economic capital and stress-testing models) to review their soundness and appropriateness in relation to their risk appetite and profile. Liquidity adequacy assessment process: banks define their risk appetite, perform stress tests and define the size and the composition of the liquidity buffer according to their risk appetite and the results of stress tests. The results of stress tests have to be taken into account in their contingency funding plans. The external auditors assess all qualitative risk management requirements annually and report to FINMA. FINMA has an ongoing dialogue with the two big banks on their stress-testing practices. While the process described above will be in place for small and medium-sized banks from 2014 onwards, the process has already been in place for the two big banks since 2010. Assessors discussed risk appetite and approaches to assessing capital in relation to risk with banks of various sizes. For major banks the frameworks are extensive and the processes appear robust at a high level. Smaller and mid-size banks are less likely to have a fully developed risk appetite framework linked to strategy, but do often have specific measures and targets for key risks that they run stress scenarios against. Assessors discussed examples of FINMA supervisory practice in this area. FINMA has reviewed some 15 banks capital planning and related stress testing for the mortgage book. This included assessing how the generally-worded requirement that capital planning cover ‘adverse’ conditions was applied in practice. That review identified weaknesses that were fed back to the banks involved. FINMA has not extended this analysis more generally to other banks where relating capital to risk might also be problematic. Nor has FINMA adjusted its guidance to communicate findings and alert banks more broadly of its expectations.
EC6	Where banks use models to measure components of risk, the supervisor determines that: (a) banks comply with supervisory standards on their use; (b) the banks’ Boards and senior management understand the limitations and uncertainties relating to the output of the models and the risk inherent in their use; and (c) banks perform regular and independent validation and testing of the models. The supervisor assesses whether the model outputs appear reasonable as a reflection of the risks assumed.
Description and findings re EC6	See general answer to EC1. Elements (a) to (c) are covered by regular audit: The mandatory reporting template for FINMA Circular 13/3 requires an assessment by regulatory auditors whereby the methods used for risk measurement and management are adequate. Further, when models are also used for regulatory purposes, the relevant model approval standards for market, credit and operational risk models also apply (see FINMA Circulars 08/19, 08/20, 08/21). See answer to EC4 above. Margin No. 123 of FINMA Circular 08/24. If banks use models also for regulatory purposes, specific validation requirements also apply (see FINMA Circulars 08/19, 08/20 and 08/21).
EC7	The supervisor determines that banks have information systems that are adequate (both under normal circumstances and in periods of stress) for measuring, assessing and reporting on the size, composition and quality of exposures on a bank-wide basis across all risk types, products and counterparties. The supervisor also determines that these reports reflect the bank’s risk profile and capital and liquidity needs, and are provided on a timely basis to the bank’s Board and senior management in a form suitable for their use.
Description and findings re EC7	Explicit requirements or guidance do not exist concerning bank-wide capability of information systems to aggregate and report risk. Assessment of information systems with the above characteristics is a mandatory element of the regular audit. Discussions with auditors and banks, and with FINMA staff, and review of audit reports indicates that major Swiss banks have considerable ways to go to meet requirements for adequate ability to aggregate risk information on a timely basis.
EC8	The supervisor determines that banks have adequate policies and processes to ensure that the banks’ Boards and senior management understand the risks inherent in new products,37 material modifications to existing products, and major management initiatives (such as changes in systems, processes, business model and major acquisitions). The supervisor determines that the Boards and senior management are able to monitor and manage these risks on an ongoing basis. The supervisor also determines that the bank’s policies and processes require the undertaking of any major activities of this nature to be approved by their Board or a specific committee of the Board.
Description and findings re EC8	FINMA Circular 08/24 Margin Nos. 123 requires that the risk management system must be adjusted to new business lines and new products. There is no explicit requirement for a new product or new initiative approval process (though major banks have these). FINMA expects appropriate approval of major new initiatives by senior management and/or the board and is able to view this process directly as many of these also require explicit approval under the ongoing licensing process. (See CP5).
EC9	The supervisor determines that banks have risk management functions covering all material risks with sufficient resources, independence, authority and access to the banks’ Boards to perform their duties effectively. The supervisor determines that their duties are clearly segregated from risk-taking functions in the bank and that they report on risk exposures directly to the Board and senior management. The supervisor also determines that the risk management function is subject to regular review by the internal audit function.
Description and findings re EC9	See general answer to EC1 for requirements and supervisory expectations, which generally cover many of these matters. Adequacy of resources and authority is addressed in FINMA circular 08/24 (para 114) and adequacy of resources is a subject of the regulatory audit. Sufficient resources is a mandatory element to be assessed and reported on a regular basis. Discussion with auditors indicated difficulty for them to consistently determine how to assess adequacy of resources. However they can benefit from information in their networks.
EC10	The supervisor requires larger and more complex banks to have a dedicated risk management unit overseen by a Chief Risk Officer (CRO) or equivalent function. If the CRO of a bank is removed from his/her position for any reason, this should be done with the prior approval of the Board and generally should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor.
Description and findings re EC10	See general answer to EC1. All banks must have a risk control function. FINMA in practice expects banks in category 1 and 2 and a number of banks in category 3 to have a dedicated risk unit headed by a CRO. Banks can have risk as part of the finance function, or merged with compliance under one executive, which can reduce its stature. Assessors saw examples of major mid-size banks where the CRO is not a separate role on the executive board. In case of a removal, FINMA expects board approval, disclosure and discussion with FINMA.
EC11	The supervisor issues standards related to, in particular, credit risk, market risk, liquidity risk, interest rate risk in the banking book and operational risk.
Description and findings re EC11	Regarding these standards, there are the relevant Pillar 1 standards of the Basel Committee on Banking supervision implemented in CAO and LO and related FINMA Circulars on Credit Risk (08/19), Market Risk (08/20), Operational Risk (08/21) and Liquidity Risk (13/06). In certain cases these are the circulars that deal with capital calculation for these risks and may or may not apply generally. FINMA sometimes sets qualitative standards on sound risk management practices similar to Basel standards in these areas and sometimes has not. (see individual risk CPs) Interest rate risks in the banking book are covered by FINMA Circular 08/6.
EC12	The supervisor requires banks to have appropriate contingency arrangements, as an integral part of their risk management process, to address risks that may materialize and actions to be taken in stress conditions (including those that will pose a serious risk to their viability). If warranted by its risk profile and systemic importance, the contingency arrangements include robust and credible recovery plans that take into account the specific circumstances of the bank. The supervisor, working with resolution authorities as appropriate, assesses the adequacy of banks’ contingency arrangements in the light of their risk profile and systemic importance (including reviewing any recovery plans) and their likely feasibility during periods of stress. The supervisor seeks improvements if deficiencies are identified.
Description and findings re EC12	A mandatory assessment topic of regular audit is appropriate contingency arrangements. These are listed in FINMA Circular 08/10 Margin No. 7 in the form of recognized self-regulation of the Swiss Bankers’ Association. Art. 9 BA sets out that systemically important banks must be organized in such a way that, in the event of impending insolvency, the continuation of the banks’ systemically important functions is assured with regard to structure, infrastructure, management and control, intra-group liquidity and capital flows. Art. 21 BO requires the preparation (and regular updates) of an emergency plan which is assessed by FINMA. If the emergency plan does not meet requirements, FINMA will set the bank an appropriate deadline to rectify the shortcomings identified.
EC13	The supervisor requires banks to have forward-looking stress testing programs, commensurate with their risk profile and systemic importance, as an integral part of their risk management process. The supervisor regularly assesses a bank’s stress testing program and determines that it captures material sources of risk and adopts plausible adverse scenarios. The supervisor also determines that the bank integrates the results into its decision-making, risk management processes (including contingency arrangements) and the assessment of its capital and liquidity levels. Where appropriate, the scope of the supervisor’s assessment includes the extent to which the stress testing program: (a) promotes risk identification and control, on a bank-wide basis; (b) adopts suitably severe assumptions and seeks to address feedback effects and system-wide interaction between risks; (c) benefits from the active involvement of the Board and senior management; and (d) is appropriately documented and regularly maintained and updated. The supervisor requires corrective action if material deficiencies are identified in a bank’s stress testing program or if the results of stress tests are not adequately taken into consideration in the bank’s decision-making process
Description and findings re EC13	For the purpose of stress-testing capital levels: FINMA Circular 11/2, Margin Nos. 34–45. FINMA Circular 08/24 Margin Nos. 1–2, 9–12, 80–81, 85, 113–120, 121–125, 126. FINMA Boards of Directors of Banks and Securities Dealers, FAQs 8/12, Q5. Capital Adequacy Ordinance (CAO), Art. 45. On liquidity stress-testing: forward-looking stress-testing programs: LO Art. 9; FINMA Circular 13/6 Articles 41 – 47; the external auditors assess the bank’s stress-testing program, determining whether it captures material sources of risk and adopts plausible adverse scenarios (for the two large banks since 2010, for all other banks from 2014 onwards, extensive stress-testing dialogue between FINMA and the two large banks in addition to the annual assessment of the external auditors); integration of stress-testing results in determining the size and composition of the liquidity buffer (FINMA Circular 13/6 Art. 36c), contingency planning, FINMA Circular 13/6 Art. 48) and decision-making risk management processes (FINMA Circular 13/6 Arts. 43, 44); active involvement of the executive board and the board of directors (Arts. 1, 2 LO, Art. 44, in conjunction with FINMA Circular 13/6 Arts. 13 and 14); stress-testing documentation, maintenance, update (FINMA Circular 13/6 Art. 41 c); and severity of assumptions (FINMA Circular 13/6 Art. 45). In terms of corrective actions, FINMA has taken several types of supervisory measures, when deficiencies have been identified. Some examples of such measures include: (i) a capital measure consisting of a capital multiplier applied to a large bank for operational risk; (ii) a supervisory measure consisting of more frequent reporting requirements due to increased liquidity risk; (iii) a supervisory measure consisting of initiating supervisory reviews on specific risk areas (such as basis risk); and (iv) a measure consisting of assigning the bank to the intensive supervision group.
EC14	The supervisor assesses whether banks appropriately account for risks (including liquidity impacts) in their internal pricing, performance measurement and new product approval process for all significant business activities.
Description and findings re EC14	This may form part of the regulatory audit.
Additional criteria
AC1	The supervisor requires banks to have appropriate policies and processes for assessing other material risks not directly addressed in the subsequent Principles, such as reputational and strategic risks.
Description and findings re AC1	Art. 9 BO covers reputational and legal risks. Furthermore, external auditors need to cover all material risks in their prudential activity, thus including such risks, while FINMA Circular 08/24 margin 98 specifically mentions reputational risk in the context of compliance risk. Finally, under Art. 45 CAO banks need to have an additional capital buffer to cover all risks not well covered by minimum capital requirements.
Assessment of Principle 15	Largely Compliant
Comments	FINMA generally has high expectations of banks’ risk management. However the comprehensiveness of qualitative guidance in certain risk management areas should be improved and updated, or explicit reference should be made to Basel texts, and guidance should be put in place re enterprise-wide risk measurement and risk management, either in guidance to institutions or in more detailed instructions to auditors. This would enhance institutions understanding of FINMA expectations, and would also enhance the extent to which regulatory audits are addressing the right things. The issues of adequacy of assessments by auditors and FINMA of bank risk management is considered and assessed in CP8 and CP9. More domestically-important mid-size banks should elevate the position of CRO to be a full executive board member, and more mid-size domestically systemic banks should be required to have a separate board risk committee. FINMA should review thematically risk appetite frameworks across mid-size banks. FINMA should do more thematic reviews to test the adequacy of important mid-size institutions’ process to relate capital to risk and whether they consider scenarios that are adverse enough. FINMA should also find a way to communicate lessons learned from the mortgage risk capital planning review more broadly to improve banks practice.
Principle 16	Capital adequacy.38 The supervisor sets prudent and appropriate capital adequacy requirements for banks that reflect the risks undertaken by, and presented by, a bank in the context of the markets and macroeconomic conditions in which it operates. The supervisor defines the components of capital, bearing in mind their ability to absorb losses. At least for internationally active banks, capital requirements are not less than the applicable Basel standards.
Essential criteria
EC 1	Laws, regulations or the supervisor require banks to calculate and consistently observe prescribed capital requirements, including thresholds by reference to which a bank might be subject to supervisory action. Laws, regulations or the supervisor define the qualifying components of capital, ensuring that emphasis is given to those elements of capital permanently available to absorb losses on a going concern basis.
Description and findings re EC1	BA Art. 4 stipulates that banks have to maintain, individually and on a consolidated basis, appropriate capital adequacy and liquidity, and that the Federal Council shall determine the elements of capital adequacy and liquidity and establish the minimum requirements in accordance with the business practices and the risks. The Capital Adequacy Ordinance (CAO) then sets out detailed regulatory capital framework. As of January 1, 2013 the Basel III framework capital minimum and buffer requirements were implemented along with Swiss-specific rules for systemically important banks by amending the existing CAO. By consequence the composition of capital follows Pillar 1 capital requirements in the Basel III framework. The calculation of eligible capital has been aligned with Basel III definitions. After deductions, banks must hold minimum capital in the amount of 8 percent of the risk-weighted positions. A minimum of 4.5 percent of the risk-weighted positions must be held in common equity tier 1 capital and a minimum of 6 percent must be held in tier 1 capital (CAO Art. 42 para 1). Banks must hold a common equity tier 1 capital buffer of 2.5 percent of risk weighted assets (CAO Art. 43). Upon the Swiss National Bank’s request, the Swiss Federal Council may require the banks to hold a counter-cyclical buffer of a maximum of 2.5 percent of their risk-weighted positions in Switzerland (CAO Art. 44 para 1). According to this, the Federal Council published in February 2013 that it activated a one percent counter-cyclical buffer for loans collateralized by residential mortgages which would be applicable beginning end-September. The Regulatory Consistency Assessment Program of the Basel Committee for Banking Supervision in the first half of 2013 assessed the Swiss Implementation of Basel II and Basel III as compliant. The rules for systemically important banks (TBTF package) include in addition to the Basel III framework particular capital requirements. They require common equity of at least 10 percent of the risk-weighted position as a basic requirement and contingent capital or other qualifying capital of at least 9 percent of risk-weighted positions, which can be divided to the buffer capital of 3 percent and the progressive component of 6 percent, although the latter requirement changes according to the banks’ size and market share. In order to be eligible to form part of the buffer and progressive component, capital instruments of systemically important banks must include loss absorbing triggers that are automatically activated at 7 percent (buffer component) and 5 percent (progressive component) calculated on the basis of the CET1 capital ratio to risk-weighted positions.
EC2	At least for internationally active banks,39 the definition of capital, the risk coverage, the method of calculation and thresholds for the prescribed requirements are not lower than those established in the applicable Basel standards.
Description and findings re EC2	See EC1. The Swiss RCAP conducted by BCBS confirmed that Basel III capital requirements have been implemented by the CAO without material deviations from the Basel standards. The CAO and FINMA circulars apply to all banks whether they are internationally active or not.
EC3	The supervisor has the power to impose a specific capital charge and/or limits on all material risk exposures, if warranted, including in respect of risks that the supervisor considers not to have been adequately transferred or mitigated through transactions (e.g., securitization transactions)40 entered into by the bank. Both on-balance sheet and off-balance sheet risks are included in the calculation of prescribed capital requirements.
Description and findings re EC3	The Swiss capital adequacy framework follows Basel II, II.5 and III for risk weights. Thus, it covers both on-balance sheet and off-balance sheet risks. The treatment of securitization follows Basel II.5 and III provisions. Its general authorization rules in BA (Art. 3) give FINMA extensive power to limit material risk exposure. BA Art. 4 also allows FINMA to impose more stringent requirements for particular banks. Specifically CAO Art. 45 provides that FINMA may set a specific capital charge (Pillar 2 charge) to specifically cover the risks that are not covered or not sufficiently covered by the minimum required capital if applying a risk-oriented approach and, together with the capital buffer, the additional capital is meant to ensure compliance with minimum capital requirements even in unfavorable conditions. It also provides that if a bank does not have additional capital, the FINMA may stipulate special measures to monitor and supervise the capital adequacy and risk situation. Accordingly, FINMA Circular 11/02 “Capital buffer and capital planning” stipulates additional buffers required uniformly depending on categories each bank belongs. (See EC4.) Furthermore, CAO allows FINMA to, under certain circumstances and on an individual basis, demand further capital, namely if the minimum required capital, the capital buffer and the additional capital do not ensure an appropriate level of security in view of that bank’s business activities, its risks taken, its business strategy, the quality of its risk management or the state of development of the techniques used. The process of setting a specific Pillar 2 charge on individual banks is described further in Circular 11/02 Margin Nos. 30–33. Also, as a part of Pillar 2 process, Banks are required to carry out capital planning for both solo and consolidated levels annually since 2012. The circular requires capital planning to be forward looking and providing a reliable forecast of available capital (including in ‘adverse’ conditions), tied closely to overall planning particularly the institution’s income targets and budget process, based on realistic assumptions with regard to business performance, and approved by BoD. External auditors are required to assess banks’ capital planning and comment in there regulatory audit reports, which then reviewed by FINMA. In practice, other information such as those results of stress testing is used for evaluating the adequacy of capital level of individual banks. Through discussion with FINMA staff, assessors are informed that when a bank is assessed as having insufficient capital, FINMA usually approaches the bank and discuss how to address the issue. FINMA explains in some cases the bank may reduce risk, and other cases they may increase capital levels, as requested by FINMA. The assessors are also informed that there is a Parliamentary initiative that requires the Federal Council to conduct a study on moving FINMA’s power to require Pillar 2 charge across banks to the Federal Council. The initiative also expresses the Parliamentarians’ view that the minimum capital ratio for non-systemically important banks should not exceed 13 percent for a proportionality reason.
EC4	The prescribed capital requirements reflect the risk profile and systemic importance of banks41 in the context of the markets and macroeconomic conditions in which they operate and constrain the build-up of leverage in banks and the banking sector. Laws and regulations in a particular jurisdiction may set higher overall capital adequacy standards than the applicable Basel requirements.
Description and findings re EC4	The CAO prescribes specific capital requirements which ensure a higher loss absorbency of the systemically important banks. (See EC1) In addition, a leverage ratio has been introduced for these banks (CAO Art. 133). This leverage ratio is set at a level of 24 percent of the minimum capital ratio requirement for the capital base, the buffer component and the progressive component (CAO Art. 134). For other banks, as explained in EC 3, FINMA has set capital targets beyond the Basel minimum requirements as Pillar 2 charges in Circular 11/02, except for Category 5 banks. Different ratios are set for banks in different Categories, which are set based on sizes of banks’ assets, assets under management, privileged deposits and required own funds, as shown in the table below. In addition, as explained in EC 1, in order to prevent excessive credit growth, banks could be required to account for a countercyclical buffer of up to 2.5 percent Common Equity Tier 1 (CET 1) capital to cover all or only certain credit positions, based on recommendation by SNB. SNB may publish views on adequacy of capital levels of banks from the perspective of systemic-relevance, after informal but close consultations with FINMA. Capital Ratio42 Determining Capital Adequacy Target (In percent) Capital Ratio Below Which Immediate and Extensive Action Is Taken Under Supervisory Law (Intervention Threshold) (In percent) Category 2 13.6-14.4 11.5 Category 3 12 11 Category 4 11.2 10.5 Category 5 10.5 10.5
EC5	The use of banks’ internal assessments of risk as inputs to the calculation of regulatory capital is approved by the supervisor. If the supervisor approves such use: (a) such assessments adhere to rigorous qualifying standards; (b) any cessation of such use, or any material modification of the bank’s processes and models for producing such internal assessments, are subject to the approval of the supervisor; (c) the supervisor has the capacity to evaluate a bank’s internal assessment process in order to determine that the relevant qualifying standards are met and that the bank’s internal assessments can be relied upon as a reasonable reflection of the risks undertaken; (d) the supervisor has the power to impose conditions on its approvals if the supervisor considers it prudent to do so; and (e) if a bank does not continue to meet the qualifying standards or the conditions imposed by the supervisor on an ongoing basis, the supervisor has the power to revoke its approval.
Description and findings re EC5	In Switzerland, six banks are using advanced approaches for credit risk, five for market risk, and two for operational risk. Banks using an IRB or EPE model approach for measuring credit risk must validate their models and parameter estimates as foreseen by the Basel Committee’s minimum standards. These standards were incorporated into Swiss regulation via a reference to the applicable Basel standards. (Circular 08/19 Margin Nos. 1021 (EPE) and 266 and following (IRB)). Also in the area of securitizations a direct link to the Basel minimum standards is made (see Margin 253). Banks using a market risk model approach must validate their models according to the Basel minimum standards. This includes, but is clearly not limited to back testing (see margins. 320–335). It includes also stress testing (see margins. 336–351) Banks using an AMA approach have to fulfill specific quantitative requirements under Circular 08/21 margin Nos. 69–75. Banks validation units are expected to adhere to transparency and quality requirements (margin Nos. 66–68) and to ensure data quality standards (margin no 79). Despite its reliance on external audit firms for supervisory activities, in the area of internal assessments/models, FINMA executes own model approval audits/assessments/on-site reviews, in addition to the ones executed by external audit. Through discussion with the FINMA staff, assessors understand that a substantial effort is put in validation of models and that it has always been a core topic of interest by FINMA. FINMA receives the annual validation reports by banks using internal models and conducts analysis.
EC6	The supervisor has the power to require banks to adopt a forward-looking approach to capital management (including the conduct of appropriate stress testing).43 The supervisor has the power to require banks: (a) to set capital levels and manage available capital in anticipation of possible events or changes in market conditions that could have an adverse effect; and (b) to have in place feasible contingency arrangements to maintain or strengthen capital positions in times of stress, as appropriate in the light of the risk profile and systemic importance of the bank.
Description and findings re EC6	See EC 3 and 4. For non-systemically important banks, Circular 11/02 sets capital target ratios and corresponding intervention thresholds which are significantly higher than the Basel minimum requirements. If a bank falls below these levels, immediate supervisory action to force banks to restore their capital levels will be triggered. Also, these banks are obliged to maintain a capital planning process. The capital planning has to take into account the economic cycle and need to show that the bank will meet their capital adequacy requirements even in the event of an economic downturn and their revenues falling sharply (Margin Nos. 35 and 36). For systemically important banks, a tighter capital planning process is in place. The capital plan is challenged based on the results from regulatory stress testing. (See also CP 15)
AC1	For non-internationally active banks, capital requirements, including the definition of capital, the risk coverage, the method of calculation, the scope of application and the capital required, are broadly consistent with the principles of the applicable Basel standards relevant to internationally active banks.
Description and findings re AC1	The current CAO does not distinguish between internationally and non-internationally active banks. However, in the old regulation, an adjusted standardized approach for credit risk exists, mostly used by non-internationally active banks. This Swiss Standardized approach will be phased out when Basel III capital rules is fully applied in 2019, but the most of banks plan to adopt the Basel Standardized Approach earlier than the deadline. The table below illustrates some difference in risk weights (or capital charges): Area sa-bis (In percent) sa-ch (In percent) Credit risk: All exposures where 20 percent risk weights are applicable 20 25 Commercial real estate 100 75 for LTV tranche < =50% 100 for LTV tranche > 50% Equity 100 (or 150) 125 public equity 250 private equity 500 if qualified participation (i.e., >10) in a firm active in the financial sector Market risk: FX risks and gold 8 10 (capital charge) Commodities 15 20 (capital charge) Non-counterparty related risks: 100 for all other assets 250 bank-buildings 375 other real estate 625 other assets and software, without goodwill and other intangible assets
AC2	The supervisor requires adequate distribution of capital within different entities of a banking group according to the allocation of risks.44
Description and findings re AC2	For financial groups, capital requirements apply at the consolidated and sub-consolidated level and at single entity level (CAO Arts. 7 and 11). This ensures that at least capitals are distributed to important subsidiaries such as banks within the group to meet their regulatory minimum at solo-basis. Also, capital planning exercises on the largest banks contributes to assess whether each entity has an adequate level of capital.
Assessment of Principle 16	Compliant
Comments	While the assessors view the current framework as compliant with this principle, improvements in assessing risks each bank is facing in a more granular way as recommended in relevant CPs are essential to further strengthen the Pillar 2 process in setting bank specific surcharges. Limiting the maximum amount that can be charged under the Pillar 2 process, as suggested by the Parliamentary initiative, should not proceed as it would deprive FINMA of one supervisory tool if the risk in the system becomes substantial. It is also important that this power remains with the supervisor, either in full or by formally making clear that actions by the Council are to be on the recommendation of FINMA.
Principle 17	Credit risk.45 The supervisor determines that banks have an adequate credit risk management process that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate credit risk46 (including counterparty credit risk)47 on a timely basis. The full credit lifecycle is covered including credit underwriting, credit evaluation, and the ongoing management of the bank’s loan and investment portfolios.
Essential criteria
EC1	Laws, regulations or the supervisor require banks to have appropriate credit risk management processes that provide a comprehensive bank-wide view of credit risk exposures. The supervisor determines that the processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank, take into account market and macroeconomic conditions and result in prudent standards of credit underwriting, evaluation, administration and monitoring.
Description and findings re EC1	Based on Art. 9 of the Banking Ordinance, the bank must set out in internal regulations or in internal guidelines the main principles underlying the management of risks, and identify, limit and monitor all types of risks, including credit risk. These high level policies are subject to FINMA approval on licensing and when material changes occur. In addition, FINMA Circular 08/24 contains high level, principles-based guidance on risk management and internal control that apply to all risks. The board has the responsibility to establish and monitor this system which must be tailored to the size complexity, structure and risk profile of the bank. The Swiss Bankers Association sets professional guidelines for mortgage lending which banks have to adhere to as a minimum standard as they are officially recognized as such by FINMA under the legislated approach to self regulation. These standards were promulgated in 2011 and cover qualitative aspects of mortgage underwriting, credit monitoring and exception reporting. Further recognized guidelines were issued by the bankers association in June 2012, applying to new lending or increases in existing loans. They restrict minimum down payment to 10 percent and limit the maximum amortization period to 20 years. Specific regulations on risk concentrations in relation to the bank’s capital are defined in the Capital Adequacy Ordinance. Also, the banks are obliged to monitor its ten largest borrowers or groups of related borrowers and report them on a yearly basis to FINMA, and on a quarterly basis to the accredited external auditor and its own board of directors. FINMA circulars on credit risk for capital purposes also apply. Assessors reviewed the regulatory and financial audit processes on credit risk with FINMA and with regulatory audit firms. While FINMA rules and guidance is high level in some areas, it is clear that the criteria used for these audits by auditors often goes beyond the law and circulars issued by FINMA to incorporate best practice guidance from the BCBS for example, or best practices from the audit firm’s experience with its clients. Financial and regulatory reviews regularly include sampling of credit files and verifying the integrity of underwriting, risk rating and reporting, and monitoring of exceptions to policies. When assessing whether their capital is appropriate, institutions must take into account the economic cycle. Banks must show in their capital planning that they are in a position to meet capital adequacy requirements in future, even in the event of an economic downturn and if their revenues were to fall sharply. A theme review has been done recently with respect to stress testing the mortgage portfolio at some 15 banks which lead to feedback on capital planning to a number of banks.
EC2	The supervisor determines that a bank’s Board approves, and regularly reviews, the credit risk management strategy and significant policies and processes for assuming,48 identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating credit risk (including counterparty credit risk and associated potential future exposure) and that these are consistent with the risk appetite set by the Board. The supervisor also determines that senior management implements the credit risk strategy approved by the Board and develops the aforementioned policies and processes.
Description and findings re EC2	As noted in EC1, boards have certain responsibilities under the ordinances and circulars. The board of directors also is required to regularly discuss with the management its assessment of the adequacy and effectiveness of the internal controls. Regulatory audits generally review the involvement of senior management and the board in risk management, in determining their opinion as to whether the overall system is ‘appropriate’. Assessors discussed this with FINMA, with auditors, and with banks of various sizes and complexities. As expected, for larger and many mid-size banks this interaction is frequent and extensive, and is linked to a formalized risk appetite framework that comprehensively covers risk types. In practice, discussions between the board of directors and management with smaller banks are on a yearly or twice yearly basis, when discussing the strategy, business plan or capital planning. Board-approved risk policies may be more general and high level and may not have specific quantitative elements for all major risk types. They may be scenario based linked to the bank capital not falling below certain targets. This also appeared to be the case for some mid-size banks. Based on statistical reporting (e.g., development and changes in credit portfolio, risk concentration, large exposures, capital ratio, capital adequacy) received from the banks, FINMA itself performs quantitative analyses related to credit risk. Outliers will be analyzed in detail. FINMA may also perform specific inspections. FINMA also verifies by own risk analyses (e.g., problem-specific analyses), and identifies banks with higher risk exposures. In special assessments, meetings and further analyses, FINMA requires banks to review and reduce risks.
EC3	The supervisor requires, and regularly determines, that such policies and processes establish an appropriate and properly controlled credit risk environment, including: (a) a well documented and effectively implemented strategy and sound policies and processes for assuming credit risk, without undue reliance on external credit assessments; (b) well defined criteria and policies and processes for approving new exposures (including prudent underwriting standards) as well as for renewing and refinancing existing exposures, and identifying the appropriate approval authority for the size and complexity of the exposures; (c) effective credit administration policies and processes, including continued analysis of a borrower’s ability and willingness to repay under the terms of the debt (including review of the performance of underlying assets in the case of securitization exposures); monitoring of documentation, legal covenants, contractual requirements, collateral and other forms of credit risk mitigation; and an appropriate asset grading or classification system; (d) effective information systems for accurate and timely identification, aggregation and reporting of credit risk exposures to the bank’s Board and senior management on an ongoing basis; (e) prudent and appropriate credit limits, consistent with the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff; (f) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board where necessary; and (g) effective controls (including in respect of the quality, reliability and relevancy of data and in respect of validation procedures) around the use of models to identify and measure credit risk and set limits.
Description and findings re EC3	As noted in EC1 and EC2, various rules and guidance, including formally recognized self regulatory minimum requirements, apply which cover a number of these areas. In addition, FINMA indicated that supervisory standards had been communicated in 2002 in the context of an in-depth audit of credit risk management involving well over 100 banks. FINMA considered that these still applied. With respect to information systems, the IT governance is subject to the annual examination of the auditors. The scope of any audit is the GITCs (general IT controls) which must comply with an international framework (e.g., COBIT) Assessors discussed issues of ability to aggregate data at major banks in order to comprehensively address exposures. As is the case elsewhere, there has been considerable progress in dealing with this, and more remains to be done, particularly where banks have made acquisitions and data systems need further integration to reduce the use of manual work-arounds.
EC4	The supervisor determines that banks have policies and processes to monitor the total indebtedness of entities to which they extend credit and any risk factors that may result in default including significant unhedged foreign exchange risk.
Description and findings re EC4	FINMA requires banks to have internal regulations in place to monitor potential impairments of loans, clients or legal entities. This also includes foreign exchange risk. There are no specific requirements with respect to this matter applying to all banks but it normally would form part of the regulatory audit review.
EC5	The supervisor requires that banks make credit decisions free of conflicts of interest and on an arm’s length basis.
Description and findings re EC5	Under Art. 4ter of the Banking Act, credits may be granted to the bank’s governing bodies and controlling shareholders, as well as to related persons and companies, but only in conformity with generally accepted principles of the banking profession (“at arm’s length”). In practice, affected bodies must withdraw from the authorization process. The auditor assesses the approval and monitoring process in accordance with the above- mentioned regulations. Furthermore, the conditions of credit exposures to shareholders or associated bodies must be granted at arm’s length based on tax regulations. Minimum and maximum interests for credit exposures for shareholders or associated bodies are given every year by the tax authorities. The auditor is obliged to control the interests for credits to shareholders or associated bodies when auditing tax expenses and tax provisions.
EC6	The supervisor requires that the credit policy prescribes that major credit risk exposures exceeding a certain amount or percentage of the bank’s capital are to be decided by the bank’s Board or senior management. The same applies to credit risk exposures that are especially risky or otherwise not in line with the mainstream of the bank’s activities.
Description and findings re EC6	As mentioned in EC1 and EC2, banks have to set various policies re credit risk, including exception to policy provisions and reporting lines, in Business Rules subject to FINMA approval. During this approval process, the role of the board or senior management are analyzed to ensure they meet FINMA expectations. Banks then flesh out these strategic competences and rules in the form of (credit) guidelines and instructions for divisions, departments, teams and key personnel which do not require FINMA’s approval. FINMA expects that credit exposures above a certain size are to be decided by the bank’s board or senior management.
EC7	The supervisor has full access to information in the credit and investment portfolios and to the bank officers involved in assuming, managing, controlling and reporting on credit risk.
Description and findings re EC7	Based on Art. 29 of the Financial Market Supervisory Act and with reference to FINMA Circular 2013/3 Margin No. 71, FINMA and regulatory auditors have unlimited access to all information at the banks.
EC8	The supervisor requires banks to include their credit risk exposures into their stress testing programs for risk management purposes.
Description and findings re EC8	Based on FINMA Circular 2011/02 (Capital buffer and capital planning), FINMA expects supervised banks to have adequate capital planning, documented in writing, that reflects banks’ individual circumstances. When assessing whether their capital is appropriate, institutions must take into account the economic cycle. Also, the banks must show in their capital planning that they are in a position to meet their capital adequacy requirements for the next three years, even in the event of an economic downturn, and if their revenues were to fall sharply. The underlying assumptions for capital planning must be documented in a transparent and comprehensible manner. The assumptions must reflect the individual effects of an economic downturn also on the credit exposures and the counterparties. Boards of directors are required to approve the capital plan at least annually. In addition, FINMA may require individual stress tests from the banks. For such tests, FINMA defines the parameters and scenarios. This was done over the recent past for selected banks with respect to their mortgage lending. Last, there is also an explicit credit risk stress-testing regulation in force for banks applying the IRB approach.
Assessment of Principle 17	Compliant
Comment	While FINMA rules and guidance are not as comprehensive and detailed as expected by this CP in certain cases, or as is found in some other jurisdictions, the supervisory process for credit risk fills gaps, is comprehensive and allows FINMA to obtain a good sense of the quality of credit risk management. Some improvements to guidance and instructions to regulatory auditors should be made to ensure that their work is focusing consistently on qualitative requirements for credit risk management across the full range of banks and audit firms involved in regulatory audits. As well, further comparison across mid-size banks of capital planning by FINMA would act to ensure that assumptions are consistently appropriate.
Principle 18	Problem assets, provisions and reserves.49 The supervisor determines that banks have adequate policies and processes for the early identification and management of problem assets, and the maintenance of adequate provisions and reserves.50
Essential criteria
EC1	Laws, regulations or the supervisor require banks to formulate policies and processes for identifying and managing problem assets. In addition, laws, regulations or the supervisor require regular review by banks of their problem assets (at an individual level or at a portfolio level for assets with homogenous characteristics) and asset classification, provisioning and write-offs.
Description and findings re EC1	FINMA regulations and ordinances do not contain comprehensive rules or guidance on management of problem assets. The definitions of impaired and non-performing loans are aligned with IAS39-definitions, and included in the accounting guidelines (Circular 08/02). The main verification of how banks deal with problem assets is dealt with in the external financial audit. The results of this are also naturally available to the regulatory auditor and to FINMA. See also answer to EC5.
EC2	The supervisor determines the adequacy of a bank’s policies and processes for grading and classifying its assets and establishing appropriate and robust provisioning levels. The reviews supporting the supervisor’s opinion may be conducted by external experts, with the supervisor reviewing the work of the external experts to determine the adequacy of the bank’s policies and processes
Description and findings re EC2	As mentioned in EC1, the external auditors are to a large extent FINMA’s ‘investigating unit’ at the banks, and they intervene every year, not only for auditing the financial statements but also for performing the prudential audit according to FINMA’s general instructions. On the basis of the annual prudential reporting sent to FINMA, peer-groups are created and the level of impaired loans and provisions are compared across banks to identify outliers, which are referred to supervisory teams and auditors as necessary.
EC3	The supervisor determines that the bank’s system for classification and provisioning takes into account off-balance sheet exposures.51
Description and findings re EC3	Off-balance sheet exposures are taken into account and treated in the same way as on-balance sheet exposures.
EC4	The supervisor determines that banks have appropriate policies and processes to ensure that provisions and write-offs are timely and reflect realistic repayment and recovery expectations, taking into account market and macroeconomic conditions.
Description and findings re EC4	See answers to EC1 and EC2.
EC5	The supervisor determines that banks have appropriate policies and processes, and organizational resources for the early identification of deteriorating assets, for ongoing oversight of problem assets, and for collecting on past due obligations. For portfolios of credit exposures with homogeneous characteristics, the exposures are classified when payments are contractually in arrears for a minimum number of days (e.g., 30, 60, 90 days). The supervisor tests banks’ treatment of assets with a view to identifying any material circumvention of the classification and provisioning standards (e.g., rescheduling, refinancing or reclassification of loans).
Description and findings re EC5	Under circular 08/02 (FINMA Accounting Guidelines): “Loans are non-performing where at least one of the following payments has not yet been effected in full as of ninety days from the due date: (a) interest payments; (b) commission payments; (c) amortization (partial repayments of principal); and (d) full repayment of principal. If payments for interest, commission and/or amortization are overdue, the face value of the loan is also to be considered as non-performing. Loans to debtors undergoing liquidation are always to be considered as non-performing. Loans subject to special conditions based on the borrower’s credit standing (e.g., significant reductions in interest rates, with interest dipping below the bank’s refinancing costs) are to be considered non-performing. Past due receivables are frequently a component of impaired loans/receivables”. FINMA requires special classification and reporting of a) impaired loans (see below) and b) non-performing loans. If the interest has not been paid after a period of 90 days, they are considered non- performing and cannot be included in the income statement until payment has been made (and the whole loan is considered as non-performing). Impaired loans (Margin No. 239 of Circular 08/02) are loans/receivables for which the debtor will unlikely be able to fulfill its future obligations. Indications for an impaired loan/receivable include: considerable financial difficulties on the part of the debtor; actual breach of contract (e.g., default on or delay in interest or principal payments); concessions on the part of the lender to the borrower based on economic or legal circumstances linked to the financial difficulties of the borrower that would not be granted under normal conditions; high probability of bankruptcy or otherwise the need for restructuring on the part of the debtor; recording of impairment for the respective asset in a previous reporting period; disappearance of an active market for this particular financial asset due to financial difficulties; and previous experience in connection with debt collection that indicates that the total face value of a portfolio of receivables is not collectible. Impaired loans/receivables and any collateral are to be valued at their liquidation value and the value to be adjusted taking the debtor’s creditworthiness into account. Where the recovery of the loan/receivable is dependent exclusively on the liquidation proceeds value of the collateral, an allowance must be established to completely cover the unsecured portion. The financial audit covers provisioning practices and policies and impairment testing. FINMA reported that this regularly includes specific file review to validate the robustness of the process and of the bank’s rating system. FINMA supervisors interact with financial auditors on the results of these reviews and react accordingly, including as necessary requiring more provisions or reclassification of assets.
EC6	The supervisor obtains information on a regular basis, and in relevant detail, or has full access to information concerning the classification of assets and provisioning. The supervisor requires banks to have adequate documentation to support their classification and provisioning levels.
Description and findings re EC6	Considerable information is given by banks to FINMA annually on provisioning. This includes a complete picture of all allowances and provisions, impaired loans as well as non-performing loans. These elements are to be publicly disclosed within a deadline of 120 days (with the exception of non-performing loans), after having been audited. Adequacy of documentation is reviewed in the financial statement audit process.
EC7	The supervisor assesses whether the classification of the assets and the provisioning is adequate for prudential purposes. If asset classifications are inaccurate or provisions are deemed to be inadequate for prudential purposes (e.g., if the supervisor considers existing or anticipated deterioration in asset quality to be of concern or if the provisions do not fully reflect losses expected to be incurred), the supervisor has the power to require the bank to adjust its classifications of individual assets, increase its levels of provisioning, reserves or capital and, if necessary, impose other remedial measures.
Description and findings re EC7	The first step is the financial and the prudential audit done by the external auditors and FINMA’s preliminary examination of the data given in the context of the prudential reporting. The second step is the examination by FINMA supervisors of the public disclosure of the bank and the long form reports remitted by the external auditors. If FINMA does not agree with an assessment (e.g., provisions) of the bank supported by the ordinary audit firm, it is FINMA policy to mandate another audit firm in order to obtain a second opinion. On rare occasions, FINMA has also made an assessment. Where FINMA disagrees at an early stage or has material doubts about the quality of the assets and the adequacy of provisions, the bank/banking group is informed that it may not disclose its financial statements before an agreement has been found. FINMA does not have authority to require more provisions. If FINMA had concerns in that regard it would require a Pillar 2 add-on.
EC8	The supervisor requires banks to have appropriate mechanisms in place for regularly assessing the value of risk mitigants, including guarantees, credit derivatives and collateral. The valuation of collateral reflects the net realizable value, taking into account prevailing market conditions.
Description and findings re EC8	FINMA guidance or rules are not detailed in this regard. In the context of “Lombard” lending (credits collateralized by marketable financial instruments), banks must apply haircuts whose size depends on the type of securities (high haircuts for shares, moderate haircuts for bonds), in order to take into account a possible negative price fluctuation of the market value. The present market value of the collateral must be reassessed very frequently and the limit granted to the customer must be adapted. As regards the mortgage loans, guidelines were issued by the Swiss Bankers Association (Guidelines on auditing, valuation and treatment of mortgage-backed loans of 28.10.2011) are recognized as minimum standards by FINMA and cover the need for regularly assessing collateral and other risk mitigants.
EC9	Laws, regulations or the supervisor establish criteria for assets to be: (a) identified as a problem asset (e.g., a loan is identified as a problem asset when there is reason to believe that all amounts due, including principal and interest, will not be collected in accordance with the contractual terms of the loan agreement); and (b) reclassified as performing (e.g., a loan is reclassified as performing when all arrears have been cleared and the loan has been brought fully current, repayments have been made in a timely manner over a continuous repayment period and continued collection, in accordance with the contractual terms, is expected).
Description and findings re EC9	See EC 5 (regulatory definitions of impaired loans and non-performing loans). These definitions are similar to those of IAS 39.
EC10	The supervisor determines that the bank’s Board obtains timely and appropriate information on the condition of the bank’s asset portfolio, including classification of assets, the level of provisions and reserves and major problem assets. The information includes, at a minimum, summary results of the latest asset review process, comparative trends in the overall quality of problem assets, and measurements of existing or anticipated deterioration in asset quality and losses expected to be incurred.
Description and findings re EC10	Under FINMA Circular 08/24 (Internal control and supervision), the board of directors or its audit committee are responsible for: (a) a critical analysis of the financial statements and the reliability of the related internal controls procedures (based also on discussions with the top operational management, the internal audit and the external audit firm); (b) critical review of the risk profile of the bank, the efficiency of the central compliance function and the central risk management and reporting function; (c) the examination of the risk analyses of the external audit and the related audit strategy; and (d) the examination of internal and external audit reports.
EC11	The supervisor requires that valuation, classification and provisioning, at least for significant exposures, are conducted on an individual item basis. For this purpose, supervisors require banks to set an appropriate threshold for the purpose of identifying significant exposures and to regularly review the level of the threshold.
Description and findings re EC11	FINMA Circular 08/02 (FINMA Accounting – Banks) states: “Impaired loans/receivables are to be valued on an item-by-item basis, and their impairment (…) covered by individual value adjustments. A collective assessment is permitted only for homogenous credit portfolios consisting exclusively of a large number of small receivables, e.g., consumer credit, leasing and credit card receivables - (general individual value adjustment)”. Furthermore, additional general value adjustments must be established to cover existing latent default risks.
EC12	The supervisor regularly assesses any trends and concentrations in risk and risk build-up across the banking sector in relation to banks’ problem assets and takes into account any observed concentration in the risk mitigation strategies adopted by banks and the potential effect on the efficacy of the mitigant in reducing loss. The supervisor considers the adequacy of provisions and reserves at the bank and banking system level in the light of this assessment.
Description and findings re EC12	Based on the data received in the context of prudential reporting but also on other data collected regularly by the Swiss National Bank, FINMA regularly analyses the evolution of the different types of credit portfolios, as well as the evolutions regarding impaired loans, non-performing loans, specific and general provisions, on a global and specific basis. Particular attention is paid to outliers. At the macro-economic level, the Swiss National Bank also observes the trends, especially in the mortgage sector, which are developing in Switzerland. This institution is responsible for taking the initiative to submit to the Government a proposal to activate, adjust or deactivate the countercyclical capital buffer (after consultation with FINMA). This regulatory instrument was introduced in the context of the implementation of Basel III in Switzerland. The Government has very recently accepted the proposal to partially activate this buffer (1 percent of residential mortgage RWA) starting from September 30, 2013, limited to mortgage loans in Switzerland.
Assessment of Principle 18	Compliant
Comments	FINMA should consider seeking the explicit power to require a bank to add to provisions, to supplement their Pillar 2 power re capital add-ons, as direct additional provisions may be a more appropriate remedy in certain cases to any inadequate provisioning practices by banks.
Principle 19	Concentration risk and large exposure limits. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate concentrations of risk on a timely basis. Supervisors set prudential limits to restrict bank exposures to single counterparties or groups of connected counterparties.52
Essential criteria
EC1	Laws, regulations or the supervisor require banks to have policies and processes that provide a comprehensive bank-wide view of significant sources of concentration risk.53 Exposures arising from off-balance sheet as well as on-balance sheet items and from contingent liabilities are captured.
Description and findings re EC1	As noted in EC 5 and 6, CAO provides in Arts. 95–123 rules for large exposures to a single counterparty or a group of related counterparties. For systemically important banks, CAO Art. 136 CAO requires need to use narrower definition of capital in calculating large exposures. In addition, Banks are required by law to have a sound credit risk management in place. FINMA understand that this covers risks stemming from counterparties in the same industry, economic sector or geographic region and counterparties whose financial performance is dependent on the same activity or commodity, including Off-balance sheet exposures.
EC2	The supervisor determines that a bank’s information systems identify and aggregate on a timely basis, and facilitate active management of, exposures creating risk concentrations and large exposure54 to single counterparties or groups of connected counterparties.
Description and findings re EC2	For large exposure to single counterparties or groups of connected counterparties, CAO Art. 100 para 1 provides it to be reported at the solo level every three months within one month after the end of a period to the statutory auditor using a form provided by FINMA. At the consolidated level, the reporting has to be submitted every six months within six weeks. The reporting must be done on gross positions. The same Art. also requires external auditors to verify the bank’s internal monitoring of large exposures and assess its progress. Similarly, there is a reporting requirement on exposures to same geographic and industrial sectors. External auditors are required to confirm adequacy of measurement and monitoring of risk concentrations and include the assessment in their regulatory audit reports. (See EC3)
EC3	The supervisor determines that a bank’s risk management policies and processes establish thresholds for acceptable concentrations of risk, reflecting the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff. The supervisor also determines that the bank’s policies and processes require all material concentrations to be regularly reviewed and reported to the bank’s Board.
Description and findings re EC3	FINMA Circular 08/24 “Supervision and internal control” require banks’ BoD to ensure that all material risks are recorded, limited and monitored. In particular, it refers to single-name concentration risk by stipulating that in financial groups and financial conglomerates dominated by entities active in banking and securities trading, it is especially important to consider the risks that may arise from the union of several companies into a single economic entity. This requirement is understood by FINMA to extend to other kinds of concentration risks. The limit system has to be regularly communicated to relevant staff. FINMA expects that a bank adequately addresses concentration risk in their governance and risk frameworks and that material concentrations would be reported to the bank’s board. External auditors must assess concentration risk during its regulatory audit. The standard form for regulatory audit reports require audit firms to confirm: (a) Methods for identifying, measuring, managing and monitoring risk concentrations in connection with lending business are appropriate; (b) The responsible management body has introduced an adequate risk policy and appropriate limits; and (c) The risk policy and the limits are effectively applied and respected.
EC4	The supervisor regularly obtains information that enables concentrations within a bank’s portfolio, including sectoral, geographical and currency exposures, to be reviewed.
Description and findings re EC4	For single name concentrations, see EC 2. The statutory auditors are expected to review on a regular basis a bank’s credit portfolio and any negative observations need to be reported to FINMA. In addition, FINMA monitors and analyzes credit concentrations and resulting solvency risk of counterparties in the interbank market through its off-site monitoring. All banks and bank groups without branches of foreign banks in Switzerland report the twenty largest claims and liabilities positions vis-à-vis other banks or bank groups in Switzerland and abroad. Furthermore, banks having exposures to foreign counterparties or fiduciary claims exceeding CHF 1 billion in aggregate terms are required to report exposures by country and counterparty types (banks, sovereigns, private sector) quarterly. For other banks, this is reported on an annual basis. As noted above, there is also a requirement to report to SNB exposures to different industrial sectors, which is also available to FINMA and used for its off-site monitoring. Discussion with FINMA showed, however, the work on monitoring concentration risk other than country risk exposure is still in progress, including the use of stress testing to detect weakness in the system.
EC5	In respect of credit exposure to single counterparties or groups of connected counterparties, laws or regulations explicitly define, or the supervisor has the power to define, a “group of connected counterparties” to reflect actual risk exposure. The supervisor may exercise discretion in applying this definition on a case by case basis.
Description and findings re EC5	CAO Art. 109 defines ‘connected counterparties’ as the total exposure to a group of related counterparties is the sum of the total position for each counterparty. Two or more persons or legal entities are deemed to be a group of related counterparties and are to be treated as a stand-alone entity, if: (a) one of them directly or indirectly holds more than half of the voting rights of the other or exercises a dominant influence over it in some other way; (b) there is clear evidence of a financial dependency between them such that it seems likely that if one gets into financial distress, the others will encounter payment difficulties; (c) they are held by the same individual or legal entity or are controlled by it; (d) they form a syndicate; or (e) the counterparties are connected through a mutual refinancing source. For claims in securitization positions, holdings in investment capital or other loans that are covered with assets, the Art. also require the bank to choose the borrower in a manner that accounts for the economical substance and the business risks inherent in the structure of the transactions and particularly of the possible large exposures. In exceptional circumstances, the supervisory authority is entitled to alleviate or tighten the applicable risk diversification standards (CAO Art. 112).
EC6	Laws, regulations or the supervisor set prudent and appropriate55 requirements to control and constrain large credit exposures to a single counterparty or a group of connected counterparties. “Exposures” for this purpose include all claims and transactions (including those giving rise to counterparty credit risk exposure), on-balance sheet as well as offbalance sheet. The supervisor determines that senior management monitors these limits and that they are not exceeded on a solo or consolidated basis.
Description and findings re EC6	CAO Art. 95 defines a large exposure as the total position to a single counterparty or a group of related counterparties which is equal to or greater than 10 percent of the bank’s adjusted eligible capital. Adjusted eligible capital is defined as total regulatory capital (Tier 1 and Tier 2) less regulatory deductions. An individual large exposure must not exceed 25 percent of the adjusted eligible capital (Art. 97 CAO). The total position is calculated by adding the amount of on-balance sheet items (including net long positions in securities) and the amount of off-balance sheet items converted to credit equivalents as well as positions in relation with securities lending and repos. (CAO Arts. 112-119) Exposures to central banks and central governments risk weighted at zero percent, positions in domestic mortgage bonds (up to a maximum of 50 percent of corresponding property’s market value), positions covered by a certain residential mortgages, among several other kinds of exposures, are excluded from the restriction. Special risk concentration ceilings are in place for smaller banks’ positions to banks and securities dealers who are neither nationally nor internationally systemically relevant banks or financial groups (SIFIs). The limits are as follows: 100 percent of the adjusted eligible capital, provided that adjusted eligible capital does not amount to more than CHF 250 million. CHF 250 million, provided the adjusted eligible capital amounts to between CHF 250 million and 1 billion. The original 25 percent ceiling apply to banks with eligible capital higher than CHF 1 billion as well as exposures to SIFIs. On the contrary, a tighter ceiling applies for SIFIs where a single risk concentration must not exceed 25 percent of their common equity tier1 (CET1) that isn’t used to cover the progressive component (CAO Art. 136). The upper limits on individual and aggregate risk concentrations may be exceeded if: (a) the excess amount is covered by disposable eligible capital; or (b) the excess is solely attributable to an affiliation between previously unconnected counterparties, or an affiliation between the bank and other companies active in the financial sector. Where capital is used to cover a risk concentration limit excess, this must be mentioned in the statement of capital. (CAO Art. 98). These requirements must be met both at the solo and the consolidated levels (financial groups or financial conglomerates). (CAO Art. 7). CAO Art. 95 requires banks to limit and monitor their large exposures. Also, as noted in EC2, reporting requirements of large exposures are established by CAO, through them supervisors monitor their developments against limits.
EC7	The supervisor requires banks to include the impact of significant risk concentrations into their stress testing programs for risk management purposes.
Description and findings re EC7	FINMA Circular 11/2 “Capital buffer and capital planning banks” require banks to show in their capital planning that they are in a position to meet their capital adequacy requirements in future (over a three-year horizon), even in the event of an economic downturn and their revenues falling sharply. FINMA understands that banks have to take into account risk concentrations in their internal stress testing programs to meet this requirement.
Additional criteria
AC1	In respect of credit exposure to single counterparties or groups of connected counterparties, banks are required to adhere to the following: (a) ten per cent or more of a bank’s capital is defined as a large exposure; and (b) twenty-five per cent of a bank’s capital is the limit for an individual large exposure to a private sector non-bank counterparty or a group of connected counterparties. Minor deviations from these limits may be acceptable, especially if explicitly temporary or related to very small or specialized banks.
Description and findings re AC1	See EC6. A large exposure is defined as ten percent or more of a bank’s eligible capital and the limit for an individual large exposure to a non-bank counter party or a group of connected counter parties are 25 percent or more of a bank’s eligible capital. One important exception to note is the case where the excess exposure amount is covered in full by disposable eligible capital.
Assessment of Principle 19	Largely Compliant
Comments	There are several regulatory and supervisory gaps regarding large exposure and concentration. Exposures covered by residential mortgages up to a certain amount are excluded from the calculation of large exposure limit. While this is in line with the current EU regulation, it has a risk to allow significant single-name concentration risk particularly for smaller banks. Also, a higher large amount inter-bank exposure ceiling set for small banks is against conservative concentration risk management. Regarding more general concentration risk management, while assessors welcome the explicit reference in the standard audit template, lack of clear guidance or expectation for banks and regulatory auditors would limit its usefulness. Further, assessors see there is a substantial room for improvement in proactive supervision of concentration risk by FINMA. Assessors thus recommend authorities to take following measures: For single-name concentration, include exposures to residential mortgage fully in the calculation of exposures and introduce the same limit for interbank exposures of smaller banks as larger banks. Provide clear guidance on auditors (and banks) on how to assess concentration risk. This should include expectations on policies and processes regarding concentration risk management. Conduct more supervisory work on concentration. FINMA is in a better position to assess concentration and detect risks as it has access to information on the entire banking system. More active use of stress testing, particularly for smaller banks, including improvements in methodologies, data and integration to ordinary supervisory processes, should be an important pillar of this effort.
Principle 20	Transactions with related parties. In order to prevent abuses arising in transactions with related parties56 and to address the risk of conflict of interest, the supervisor requires banks to enter into any transactions with related parties57 on an arm’s length basis; to monitor these transactions; to take appropriate steps to control or mitigate the risks; and to write off exposures to related parties in accordance with standard policies and processes.
Essential criteria
EC1	Laws or regulations provide, or the supervisor has the power to prescribe, a comprehensive definition of “related parties”. This considers the parties identified in the footnote to the Principle. The supervisor may exercise discretion in applying this definition on a case by case basis.
Description and findings re EC1	BA Art. 4ter stipulates that banks may grant credit to members of their governing bodies and to their controlling shareholders, as well as to related persons and companies, only in conformity with ‘generally accepted principles of the banking profession’, thus giving FINMA the general power to restrict a bank’s lending to related persons. The authorities explain that secondary legislation avoids defining the group of related parties in order not to limit the wide scope of application of the said article, although Commentary to BA explains that in principle this includes close relatives and spouses and companies in which members of the bank have a significant stake or the ability to influence how the business is run. FINMA has the discretion on whom to impose lending restrictions on a case by case basis. Also, while not explicitly linked to this article, CAO Art. 100 requires banks to report large exposures under the term “transactions with affiliated parties” that involves a member of the bank’s supervising body or a qualified shareholder as defined in BA or a closely affiliated individual or company.
EC2	Laws, regulations or the supervisor require that transactions with related parties are not undertaken on more favorable terms (e.g., in credit assessment, tenor, interest rates, fees, amortization schedules, requirement for collateral) than corresponding transactions with non-related counterparties.58
Description and findings re EC2	See EC1. BA Art. 4ter requires extension of credit to related persons and companies to be in conformity with generally accepted principles of the banking profession. In addition, Circular 08/24 “Supervision and Internal Control” provides a general requirement focusing on conflict of interest by stipulating that the Board of directors must ensure that the handling of conflicts of interest is regulated and if a specific conflict of interest cannot be avoided, the institution takes measures to deal with it appropriately. No detailed guidance is provided regarding “generally accepted principles of the banking profession”, but the Commentary to BA explains that special caution must be exercised when granting loans to bank officers and related persons and referred to an old EBK bulletin that requires loans to be granted on the basis of the same information, documentation and collateral criteria that apply to loans to unrelated third parties. Also, the provision in the law is understood to only cover transactions involving credit risk, and not other kinds of transactions.
EC3	The supervisor requires that transactions with related parties and the write-off of related-party exposures exceeding specified amounts or otherwise posing special risks are subject to prior approval by the bank’s Board. The supervisor requires that Board members with conflicts of interest are excluded from the approval process of granting and managing related party transactions.
Description and findings re EC3	The authorities state that FINMA, in its authorization process, requires banks internal policies (by laws, organizational chart, credit regulations) to ensure that transactions with related parties are handled as described under this EC (BA Art. 3 para 2 and para 3). Also, as described in EC2, Circular 08/24 “Supervision and internal control” prescribes a general requirement to control conflict of interest. More specifically on conflicts of interest involving Board members, “FAQs on Board of directors” stipulates that the supreme governing body must regulate how conflicts of interest are dealt with and set out when members are obliged to withdraw from deliberations on certain matters. The guidelines also require existing and prior interests of the members to be disclosed, conflicts of interest to be effectively resolved, and mandates and business relationships that may potentially lead to conflicts of interest or damage the institution’s reputation to be avoided.
EC4	The supervisor determines that banks have policies and processes to prevent persons benefiting from the transaction and/or persons related to such a person from being part of the process of granting and managing the transaction.
Description and findings re EC4	As a part of regulatory audits, external auditors are required to assess correctness of dealings/businesses with management bodies and significant shareholders; they are asked to confirm if these dealings/businesses were completed according to recognized principles. They are also expected to report instances in which the management bodies and/or significant shareholders were granted preferential terms. (Template for supervisory audit report 6.5.2).
EC5	Laws or regulations set, or the supervisor has the power to set on a general or case by case basis, limits for exposures to related parties, to deduct such exposures from capital when assessing capital adequacy, or to require collateralization of such exposures. When limits are set on aggregate exposures to related parties, those are at least as strict as those for single counterparties or groups of connected counterparties.
Description and findings re EC5	FINMA has the power to restrict lending to related parties, to deduct such exposures from the capital or to require collateral. No detailed guidance, including on the limit on aggregate exposures to related parties, is provided, except for intra-group positions (FINMA Circular 13/07 “Limitation—Intragroup exposure).
EC6	The supervisor determines that banks have policies and processes to identify individual exposures to and transactions with related parties as well as the total amount of exposures, and to monitor and report on them through an independent credit review or audit process. The supervisor determines that exceptions to policies, processes and limits are reported to the appropriate level of the bank’s senior management and, if necessary, to the Board, for timely action. The supervisor also determines that senior management monitors related party transactions on an ongoing basis, and that the Board also provides oversight of these transactions.
Description and findings re EC6	As mentioned in EC4, external auditors are required to assess correctness of dealings/businesses with management bodies and significant shareholders. This is expected to include assessment of policies and processes as well as practices, including evaluation of terms of individual cases of transactions whether they are done arm’s length or not. (Template for regulatory audit report 6.5.2) However, this section only refers to dealings with management bodies and significant shareholders. In addition, as noted in EC1, if a position to a related party amounts to a large exposure, it must be reported to the board or an external auditor (CAO Art. 100 para 4 CAO).
EC7	The supervisor obtains and reviews information on aggregate exposures to related parties.
Description and findings re EC7	No constant reporting requirements are applied related to aggregated exposures to related parties, although FINMA may require at any time information on aggregate exposures to related parties. As mentioned in previous ECs, if such exposures qualify as a large exposure, they have to be reported on a quarterly basis to the auditor (CAO Art. 100 paras. 4 and 5).
Assessment of Principle 20	Largely Compliant
Comments	The related party transaction regulation in BA only covers transactions involving credit risk, but not other kind of transactions. This CP covers other kind of transactions as noted in the footnote as other kind of transactions, such as sales and purchase of real estate or service contracts or forgiveness of loans, could also pose risk to health of a bank. Similarly, while BA Art. 4 ter has a flexibility to cover a broad range of related parties, requirement for regulatory audit specified in the template refers to a narrower range of related parties. Also, there is no clear guidance on risk management framework required for related party transactions, such as the need to monitor the total exposure of related party exposures or the BoD to provide oversight on these transactions. Furthermore, there is no reporting requirement for banks on exposures to related parties to the supervisor, unless they are qualified as large exposure. This would inhibit monitoring by the supervisor. The assessors thus recommend the authorities update the regulatory framework regarding related party transactions, possibly in the form of a circular, which should explicitly cover a full range of transactions, stipulate requirements for policies and processes for managing the related risk, and provide reporting requirements on aggregated related party exposures to the supervisor.
Principle 21	Country and transfer risks. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate country risk59 and transfer risk60 in their international lending and investment activities on a timely basis.
Essential criteria
EC1	The supervisor determines that a bank’s policies and processes give due regard to the identification, measurement, evaluation, monitoring, reporting and control or mitigation of country risk and transfer risk. The supervisor also determines that the processes are consistent with the risk profile, systemic importance and risk appetite of the bank, take into account market and macroeconomic conditions and provide a comprehensive bank-wide view of country and transfer risk exposure. Exposures (including, where relevant, intragroup exposures) are identified, monitored and managed on a regional and an individual country basis (in addition to the end-borrower/end-counterparty basis). Banks are required to monitor and evaluate developments in country risk and in transfer risk and apply appropriate countermeasures.
Description and findings re EC1	The “Guidelines for the Management of Country Risk” issued by Swiss Bankers Association in 1997 regulates banks’ country and transfer risks. The guidelines define the minimum standard for identifying, measuring, monitoring and controlling country risks, which is explicitly defined to include transfer risks. The guidelines are binding for all banks as a minimum standard based on FINMA Circular 08/10 Self-Regulation. Regarding the risk policy the guidelines requires that: To include the strategy developed for assuming country risks, the principles for the recording (identification and measurement), management and control of country risk, as well as the organizational structures. To ensure that country risk is identified, measured, assessed, limited and controlled by all banks. The scope, degree of detail, and systems and methods must be appropriate to the extent of the business activities and their associated risks. There must be an adequate internal control system. Regarding identification and measurement: Each bank must be in a position to identify country risk exposure and monitor the performance of these positions. The assessment of country risk should be uniform within a bank and be appropriate to the size of the exposure. The basis for this could be the bank’s own country risk analyses (e.g., including classification into rating categories) or accepted externally available country assessments. Banks with considerable foreign exposure and considerable country risk have to periodically review the influence of potential credit deterioration, or payment problems of specific countries or groups of countries, on their balance sheet and P&L performance. The findings must be brought to the attention of the responsible senior management members. Foreign exposure, risk assessments and, where necessary, the results of periodic stress tests should be appropriately documented. Assessment of banks’ compliance with these minimum requirements is expected to be conducted primarily by external auditors, on which concerns are conveyed to FINMA and followed-up as described in CP 8 and 9. The Guidelines require auditors to examine whether these Guidelines have been adhered to and to record the audit results in the ordinary audit report. Also, the Standard audit strategy, Annex to FINMA Circular 13/03, requires external auditors to assess geographical risk as a part of risk concentrations in connection with lending.
EC2	The supervisor determines that banks’ strategies, policies and processes for the management of country and transfer risks have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process.
Description and findings re EC2	See EC1. In particular, the guidelines provide that: Top management, i.e., the Board of directors is responsible for the risk policy in respect of country risk; The senior management (executive board, group executive board, etc.) formulates the risk policy, which is to be approved and periodically assessed for its suitability by the Board of directors. Senior management issues instructions for the implementation of the risk policy and delegates authority for the assumption of risks. Adherence to these regulations is to be monitored. Furthermore FINMA Circular 08/24 provides similar requirements for the Board of directors regarding the overall risk management framework.
EC3	The supervisor determines that banks have information systems, risk management systems and internal control systems that accurately aggregate, monitor and report country exposures on a timely basis; and ensure adherence to established country exposure limits.
Description and findings re EC3	See EC1. In particular, the guidelines sets out the requirements as: Banks with foreign exposure must have an adequate limit system in place for country risk. The limits must be regularly reviewed and authorized by the senior management function designated for that purpose. The banks are obliged to have adequate information systems to monitor compliance with country risk limits. It must be possible to detect timely a limit violation and this should result in a report to higher authorities. The employees who are entrusted with the controlling function must have the required knowledge and must be sufficiently independent from the staff whose work they are assigned to monitor. While the guidelines do not explicitly mention the need for aggregation, it is understood to be a necessary requirement. Furthermore, there is a general requirement for adequate information systems and internal control systems as set out in FINMA Circular 08/24 Margin No. 34; they are mandatory elements of regular audit activities (FINMA Circular 13/3).
EC4	There is supervisory oversight of the setting of appropriate provisions against country risk and transfer risk. There are different international practices that are all acceptable as long as they lead to risk-based results. These include: (a) The supervisor (or some other official authority) decides on appropriate minimum provisioning by regularly setting fixed percentages for exposures to each country taking into account prevailing conditions. The supervisor reviews minimum provisioning levels where appropriate. (b) The supervisor (or some other official authority) regularly sets percentage ranges for each country, taking into account prevailing conditions and the banks may decide, within these ranges, which provisioning to apply for the individual exposures. The supervisor reviews percentage ranges for provisioning purposes where appropriate. (c) The bank itself (or some other body such as the national bankers association) sets percentages or guidelines or even decides for each individual loan on the appropriate provisioning. The adequacy of the provisioning will then be judged by the external auditor and/or by the supervisor.
Description and findings re EC4	See EC1. The Swiss practice is for the bank to set provisions and its adequacy is judged by the external auditor. The Guidelines define the following standards regarding provisioning: The banks make adequate value adjustments, on the basis of their own valuation principles. Country risk, value adjustments and provisions must be recorded such that they can easily be reviewed by the auditors. In addition, banks decide for themselves on their own provisioning against future unexpected losses on the basis of their internal risk models and within the scope of the current accounting rules (e.g., reserves for cyclical fluctuations).
EC5	The supervisor requires banks to include appropriate scenarios into their stress testing programs to reflect country and transfer risk analysis for risk management purposes.
Description and findings re EC5	As described in EC1, stress-testing of country and transfer risk, such as in cases of credit deterioration or payment problems in a country or a group of countries, is required by the Guidelines. Also, FINMA explains that country risk is prominently featured in the large banks’ stress-testing analyses where FINMA makes requests from time to time. For example, in the context of a contingency planning exercise for large banks assuming a severe European crisis, FINMA has explicitly asked for an assessment of the related country and transfer risk.
EC6	The supervisor regularly obtains and reviews sufficient information on a timely basis on the country risk and transfer risk of banks. The supervisor also has the power to obtain additional information, as needed (e.g., in crisis situations).
Description and findings re EC6	See CP 19. FINMA monitors information on country exposures provided by banks. It also required specific reporting for intra-group and interbank exposures of individual banks, banking groups and at system level on quarterly basis (ARIS Report: Exposures related to banking groups based outside Switzerland; “exposure/name of the banking Group and location”). The report is also generated on an ad-hoc basis with focus on specifically high exposure. The largest Swiss banks perform internal stress tests including, e.g., the exit of a country from the Eurozone or a market turmoil scenario. In 2012, FINMA asked the banks to perform a Eurozone crisis readiness assessment and will continue to be in close contact with the institutions to monitor their respective risk management and mitigating actions. Similarly, FINMA assesses country risk of wider groups of banks during its regular stress testing activity (see CP 15 for further references). Discussions with FINMA indicted that the recent review of mid-size banks exposure to GIIPS countries was more of an analysis of direct credit exposure than a full scenario. FINMA also informed assessors that it flexibly enhances monitoring on country and transfer risks responding to developments in the world economy. For example, the supervisory focus is currently on EU peripheral country risk where various measures has been implemented: For large banks, in addition to what mentioned above, FINMA monitors their risk exposure evolution on a monthly basis. Also, the semi-annual firm-wide stress-testing exercise (LPA) focuses on default risk of several peripheral European countries. For smaller banks, although small and medium-sized banks other than subsidiaries and branches of foreign groups generally have a low exposure to the European interbank market, it has also been the focus of stress-testing activities performed on some small and medium sized banks which are exposed to peripheral countries during the regular capital planning process. For banks whose parent companies are based in European countries that are particularly affected by the crisis, FINMA imposed limitation of intragroup exposure and introduced new monitoring and reporting tools in 2010. Since 2011 some banks must report detailed monthly information on intra-group exposures.
Assessment of Principle 21	Compliant
Comments	Additional on-site reviews by FINMA, recommended in CP8/9, could periodically cover country risk practices at banks to ensure they are adequate.
Principle 22	Market risk. The supervisor determines that banks have an adequate market risk management process that takes into account their risk appetite, risk profile, and market and macroeconomic conditions and the risk of a significant deterioration in market liquidity. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate market risks on a timely basis.
Essential criteria
EC1	Laws, regulations or the supervisor require banks to have appropriate market risk management processes that provide a comprehensive bank-wide view of market risk exposure. The supervisor determines that these processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank; take into account market and macroeconomic conditions and the risk of a significant deterioration in market liquidity; and clearly articulate the roles and responsibilities for identification, measuring, monitoring and control of market risk.
Description and findings re EC1	BO Art. 9 provides general requirements for risk management, including market risk. Its paragraph 2 refers to the need to identify, limit and control market risk. FINMA Circular 08/24 sets out more detailed guidelines for corporate governance, the supervision of business activities and internal control, and the supervision thereof by the responsible function in banks. Specifically on market risk management, FINMA Circular 08/20 “Market risks” Margin Nos. 6–13 define roles and responsibilities for positions in the trading book. The same circular also sets out a requirement that units responsible for the valuation of the positions in the trading book to be independent. Banks using a model approach to calculate their regulatory capital requirement for market risk must adhere to additional qualitative requirements set out in Circular 08/20 Margin Nos. 302–361. There are currently five banks using advanced approaches for market risk. As discussed in CP 15, the risk appetite is usually discussed by the supervisor with representatives of the BoD and senior management of a bank. Determination of whether the processes are consistent with the risk appetite, risk profile, etc. of the bank is part of the regular audit process through which compliance with these regulatory requirements is frequently assessed. Relevant regulation on the general framework is provided by FINMA Circular 11/2 “Capital buffer and capital planning” and supplemented by FINMA’s document on “Capital planning and capital planning process; description and standard requirements”. The consistency of the risk profile with the systemic importance of the bank and its capital strength are assessed mainly for the largest banks through capital planning and stress-testing process as described in the above document. For smaller banks, sensitivity analysis is conducted by FINMA and feeds into the CAMELS ratings. Adherence to the requirements of FINMA Circulars forms a part of the regular annual audit process.
EC2	The supervisor determines that banks’ strategies, policies and processes for the management of market risk have been approved by the banks’ Boards, and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process.
Description and findings re EC2	BoD has to ensure that all relevant risks are covered by the internal control system of the bank (Circular 08/24 margin No. 10). The executive board is responsible for the implementation of an effective control and reporting environment. The effectiveness of the control environment must be discussed with BoD on a regular basis (Circular 08/24 margin Nos. 80–85). As mentioned above, compliance with FINMA Circulars are assessed by external auditors through regulatory audit processes. Particularly for high risk areas, regulatory audit checks the effectiveness of the internal control system annually. For nonhigh risk areas, effectiveness is assessed on a less frequent basis.
EC3	The supervisor determines that the bank’s policies and processes establish an appropriate and properly controlled market risk environment including: (a) effective information systems for accurate and timely identification, aggregation, monitoring and reporting of market risk exposure to the bank’s Board and senior management; (b) appropriate market risk limits consistent with the bank’s risk appetite, risk profile and capital strength, and with the management’s ability to manage market risk and which are understood by, and regularly communicated to, relevant staff; (c) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board, where necessary; (d) effective controls around the use of models to identify and measure market risk, and set limits; and (e) sound policies and processes for allocation of exposures to the trading book.
Description and findings re EC3	On top of what is stipulated in BO as described in EC1, Circular 08/24 provides general expectations for risk management and Circular 08/20 focuses on trading book activities: (a) Circular 08/24 Margin Nos. 82-83 set out that a bank need to maintain an organization structure in which information flows are explicitly defined and to ensure that all relevant information on the day-to-day business is gathered, transmitted and processed. (b) BO Art. 9 para 2 provides that risk limits and strategies have to be approved by senior management. Circular 08/24 requires a bank to have control activities that review compliance with specified limits. In addition, Circular 08/20 provides specifically that a bank must have a trading strategy (Margin No. 6), position limits are laid down and compliance to them needs to be monitored (Margin No. 8), and reporting of positions to senior management should be an integral part of the bank’s risk management process (Margin No. 11). No guidance is provided on the appropriateness of market risk limits. (c) FINMA expects banks to have an adequate exception tracking and reporting process as part of the internal control system and the respective management information system as required by Circular 08/24 Margin No. 83; this provides that the senior management needs to ensure that all relevant information on the day-to-day business is gathered, transmitted and processed (management information system). On the market risk position in particular, Circular 08/20 Margin No. 11 as described above sets out a requirement for a reporting framework to senior management. (d) Circular 08/24 Margin No. 123 provides a general requirement that a bank’s control function needs to be responsible for the design and implementation of an adequate system of risk supervision, which is constantly adjusted to new business lines and products and that principles and methods for assessing risks, including validation of models, are clarified and applied. Specifically on market risk, Circular 08/20 Margin No. 10 provides that for positions marked to models, their valuation parameters must be reassessed daily. For banks using market risk models for regulatory capital purposes, the Circular sets out further detailed requirements for the controls of models, limits, among others. (e) Circular 08/20 Section C discusses allocation of positions to the trading book. In principle, a bank must define appropriate and consistent criteria for assigning positions to the trading book, and its control systems are required to ensure compliance with these criteria and the proper, accountable treatment of internal transactions (Margin No. 14). It also requires a bank to implement clearly defined instructions and procedures to determine which positions are held in trading book, including criteria for transfers of positions between the trading book and the banking book. Whether banks are complying these requirements are mainly expected to be assessed by external auditors through their regulatory audit. Also, in case of banks using advanced approaches for market risk, associated qualitative requirements are assessed by FINMA.
EC4	The supervisor determines that there are systems and controls to ensure that banks’ marked-to-market positions are revalued frequently. The supervisor also determines that all transactions are captured on a timely basis and that the valuation process uses consistent and prudent practices, and reliable market data verified by a function independent of the relevant risk-taking business units (or, in the absence of market prices, internal or industry-accepted models). To the extent that the bank relies on modeling for the purposes of valuation, the bank is required to ensure that the model is validated by a function independent of the relevant risk-taking businesses units. The supervisor requires banks to establish and maintain policies and processes for considering valuation adjustments for positions that otherwise cannot be prudently valued, including concentrated, less liquid, and stale positions.
Description and findings re EC4	Circular 08/20 Margin No. 10 requires a daily revaluation. Requirements to ensure integrity of transactions data are described in Margin Nos. 298–301. Generally, banks need to demonstrate that they have sound, documented, internally reviewed and approved processes that guarantee all transactions are fully, accurately, and promptly captured, evaluated, and prepared for risk measurement. Manual corrections of data need to be documented, so that the cause and the exact content of the correction can be checked. Specifically, the following principles apply: All transactions should be reconciled daily with the counterparty. Transactions should be confirmed and reconciled by a unit that is independent of the trading department. Discrepancies should be resolved immediately; Procedures must be in place to ensure that the data used in the valuation models are adequate, consistent, constant, up-to-date, and independent; and All positions should be prepared in such a way that all aspects of risk are fully captured. These requirements are not only applicable to banks using a model approach for market risk, but also for banks using the standardized approach. (Margin No. 64) Regarding the valuation process, Circular 08/20 Margin Nos. 32–48 provide specific detailed requirements for valuation of trading assets stipulating that banks must have appropriate systems and controls to ensure prudent and reliable valuations. This systems and controls should consist of, among others, documented guidelines and procedures for the valuation process and reporting by the unit responsible for the valuation that are independent of the trading activity right up to the senior management level. Valuation by an independent unit is also required at least monthly. The requirements for the use of valuation models are also set out in Circular 08/20. As noted above, Margin No. 41 requires approval of the valuation model in use by an independent unit. For those positions which require particular guidance for prudent valuation, Margin Nos. 46–48 stipulates requirements regarding valuation adjustments. According to these, banks must have instructions in place covering how valuation adjustments are to be taken into account at least in the following cases: credit spreads not yet assumed; settlement costs; operational risks; early redemptions; investment and refinancing costs; future administration costs; and where appropriate, model risks (Margin No. 46). Regarding valuation adjustments for less liquid positions, the time required to hedge a position, average volatility of the bid-offer spreads, availability of independent market prices and the extent of marking to model need to be considered in determining the necessity for adjustments. For large positions and less liquid holdings, the fact that settlement prices are more likely to be unfavorable should be taken into account (Margin No. 47). For complex instruments (such as securitization positions and nth-to-Default credit derivatives), a bank must consider the need for valuation adjustments to reflect the model risk associated with the use of a potentially incorrect valuation method and the risk arising from the use of non-observable (and potentially incorrect) calibration parameters for the valuation model. Whether banks follow these practices are primarily assessed through regulatory and financial audits by external auditors. Review of supervisory files as well as discussion with banks and auditors confirm that external auditors are conducting in-depth assessments on market risk particularly where models are used for calculation of regulatory capital.
EC5	The supervisor determines that banks hold appropriate levels of capital against unexpected losses and make appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities.
Description and findings re EC5	Capital adequacy under adverse scenarios is assessed during the capital planning process required by Circular 11/2 “Capital buffer and capital planning”. Capital plans are reviewed by FINMA for banks in category 1 and selected banks in categories 2 and 3. For the remaining banks, the capital planning process is assessed as part of the annual regulatory audit process performed by the external audit firm, and only reviewed by FINMA if there are indications that a bank is holding only a small capital buffer in excess of the requirements. In addition, Category 1 banks have to participate in a semi-annually loss potential analysis (LPA), where FINMA prescribes the relevant scenarios to be used for stress testing calculations by banks. As described above, the determination of appropriate valuation adjustments for uncertainties is covered by Circular 08/20 Margin No. 47 and accounting standards. FINMA explains that it sees further supervisory guidelines are ultimately necessary to ensure that valuation adjustments beyond those required by accounting standards are adequate and done consistently among banks. It has thus initiated a project and intends to refer to the forthcoming EBA guidelines on the issue.
EC6	The supervisor requires banks to include market risk exposure into their stress testing programs for risk management purposes.
Description and findings re EC6	See answer to EC1 and EC 5. FINMA understands that not conducting stress testing despite significant positions would for instance be a violation of Circular 08/24 Margin Nos. 10, 81, and 123. Moreover, as mentioned in EC5, for category 1–3 banks, FINMA is frequently reviewing the capital planning process for larger banks, which includes effects of adverse scenarios. FINMA expects banks with significant market risks to include appropriate stress assumptions in these adverse scenarios. Regulatory auditors are not expected to sign off their audit reports without this stress testing. For the largest banks, market stress scenarios are provided as a part of loss potential analysis (LPA) stipulated by FINMA.
Assessment of Principle 22	Compliant
Comments
Principle 23	Interest rate risk in the banking book. The supervisor determines that banks have adequate systems to identify, measure, evaluate, monitor, report and control or mitigate interest rate risk61 in the banking book on a timely basis. These systems take into account the bank’s risk appetite, risk profile and market and macroeconomic conditions.
Essential criteria
EC1	Laws, regulations or the supervisor require banks to have an appropriate interest rate risk strategy and interest rate risk management framework that provides a comprehensive bank-wide view of interest rate risk. This includes policies and processes to identify, measure, evaluate, monitor, report and control or mitigate material sources of interest rate risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the risk appetite, risk profile and systemic importance of the bank, take into account market and macroeconomic conditions, and are regularly reviewed and appropriately adjusted, where necessary, with the bank’s changing risk profile and market developments.
Description and findings re EC1	FINMA Circular 08/6 “Bank interest rate risks” sets out comprehensive and detailed requirements regarding interest rate risk in the banking book: The Board of directors, based on the bank’s business strategy, are required to approve the risk policy, the key elements of provisions on limits (including the measurement method), and the most essential reporting points. Based on these, banks are required to determine the extent to which risks are to be assumed and/or hedged and in which markets. The risk policy also needs to define the basic authorities and responsibilities regarding identifying, measuring, managing, and monitoring interest rate risks. There should be global limits (and potentially limits per currency), defined according to the measurement system, and set according to the bank’s capital funding and the anticipated future earnings position (Margin No. 20). The Board of directors must be informed of the bank’s interest rate risks on a regular basis (Margin No. 21). At least an annual review and updating of risk policy and practice needs to be undertaken by the Board of directors, and an independent information system that periodically provides meaningful, level-specific, and timely information about the risk and earnings situation is also required (Margin No. 22). Senior management is responsible for ensuring the implementation of and compliance with the risk policy approved by the Board of directors, and it needs to set rules regarding (Margin 23): the function and responsibility of individual work units, employees, and committees, including the control function, and the resulting responsibilities and accountability; the counterparties with which negotiations may be conducted; suitable systems and standards for risk measurement, including reviews of the assumptions and models applied; permissible instruments and hedging strategies; the amount of permissible risk positions according to type of transaction and product (limit system) within the global limits approved by the board of directors; authorities and procedures when limits and authorities are exceeded; the performance, analysis, and reporting of stress tests standards for the evaluation of positions; notification of interest rate risks; organizational prerequisites for effective independent control; and analysis of the income and asset effects. These elements are assessed through regulatory audits by external auditors. FINMA particularly emphasize the need to assess the integrity of banks’ data. Also, FINMA conducted an on-site review on the issue on several banks in 2011.
EC2	The supervisor determines that a bank’s strategy, policies and processes for the management of interest rate risk have been approved, and are regularly reviewed, by the bank’s Board. The supervisor also determines that senior management ensures that the strategy, policies and processes are developed and implemented effectively.
Description and findings re EC2	See EC1. The circular stipulates that the Board of directors need to approve risk policy regarding interest rate risk that includes key strategy, policies and processes. An annual review by the Board is also required. For senior management, the Circular also sets out its responsibility to develop and implement detailed strategy, policies and processes. These elements are reviewed by external auditors during regulatory audits.
EC3	The supervisor determines that banks’ policies and processes establish an appropriate and properly controlled interest rate risk environment including: (a) comprehensive and appropriate interest rate risk measurement systems; (b) regular review, and independent (internal or external) validation, of any models used by the functions tasked with managing interest rate risk (including review of key model assumptions); (c) appropriate limits, approved by the banks’ Boards and senior management, that reflect the banks’ risk appetite, risk profile and capital strength, and are understood by, and regularly communicated to, relevant staff; (d) effective exception tracking and reporting processes which ensure prompt action at the appropriate level of the banks’ senior management or Boards where necessary; and (e) effective information systems for accurate and timely identification, aggregation, monitoring and reporting of interest rate risk exposure to the banks’ Boards and senior management.
Description and findings re EC3	As noted in EC1 and EC2, Circular 08/06 provides a comprehensive and detailed set of requirements regarding interest rate risks. For the risk measurement system, it must: record all essential interest rate risks of a bank arising from assets, liabilities, and offbalance-sheet positions; include parameters and assumptions that are substantiated, appropriately documented, and periodically reviewed as to their appropriateness; depict interest rate risks in the form of fluctuations both in interest income and in the present value of equity; record all essential types of interest rate risks, i.e., repricing, basis, and options; cover all of a bank’s interest rate-sensitive positions; and closely analyze instruments that could significantly influence a bank’s overall position, particularly instruments with significant implicit options. (Margin Nos. 29-30). On review and validation of models, there are five to six banks using models for IRRBB. The circular requires paying particular caution against techniques that use complex simulations and requires senior management and the risk management function to have precise knowledge of the most important assumptions and review them periodically, at least annually. Furthermore, such assumptions needs to be well documented, and their significance must be clear to all involved parties. (Margin No. 38). On limits, the Board of directors is required to set major limits and the senior management to provide and implement a system of limits (See EC1). The Circular specifically stipulates additionally that the goal of risk management is to keep a bank’s interest rate risk within certain parameters established by the bank itself in the event of a number of possible changes in interest rates, and that this goal is achieved using a system of limits. It thus requires a system of limits to enable senior management to control the risk exposure and to measure the actually incurred risks based on tolerances that have been established by the board of directors (Margin No. 39). On exception tracking and limits, Margin No. 45 of the circular stipulates that clear principles must be established for what action is to be taken if limits are exceeded - i.e., whether minor deviations over a short period can be tolerated and how senior management is to be informed. It also requires that if the global limits set by the Board of directors are exceeded, the responsible persons in senior management and on the Board of directors must be notified without delay. On information system, the Circular Margin No. 48 states that a precise, meaningful, and timely management information system is of key importance to the monitoring and control of interest rate risks and requires that the system must provide information to the responsible members of senior management on a weekly basis and also support the monitoring of compliance with the policy established by the Board of directors. It also sets out that to allow senior management to evaluate the form and amount of the interest rate risks, the reports produced by the system should be formulated both in aggregate form and with an adequate degree of detail and that reporting must take place regularly, and the current risk exposure must be compared to the limits. Margin No. 49 provides a set of requirements for internal reporting, including a requirement that reports must be discussed by the Board of directors on a regular basis, and that body’s decisions must be recorded. It requires that the reports should include: overview of the total interest rate risk incurred by the bank; report on how the internal rules and limits are being complied with; results of stress tests; and summary of the results of reviews of the internal rules regarding interest rate risks and of the adequacy of the systems for measuring interest rate risks, including any findings by internal auditors, external auditors, or engaged consultants. Compliance to these requirements is assessed through regulatory audits by external auditors. (Margin No. 52).
EC4	The supervisor requires banks to include appropriate scenarios into their stress testing programs to measure their vulnerability to loss under adverse interest rate movements.
Description and findings re EC4	Circular 08/06, Margin Nos. 46–47 (stress test) provides comprehensive and detailed requirements for stress testing on interest rate risk. They provide that stress tests must consider scenarios that lead to extraordinary losses for the bank and for that extreme changes in market risk factors as well as scenarios need to be covered that deemed to be especially serious in view of the bank-specific risk positions. Possible stress scenarios listed as examples are: an abrupt change in the general interest rate level; a change in the relationship among important market interest rates (basis risk); changes in the slope and shape of the yield curve; a decrease in the liquidity of important financial markets; and a change in the volatilities and correlations of market interest rates. They also require that: the stress testing to take into account of factors such as sudden changes in assumptions and parameters during crisis situations, in particular for assumptions used for illiquid instruments and core deposit products and instruments or markets in which concentrations exist; a worst-case scenario as well as a more likely, less extreme event to be tested; and senior management to periodically review the design and results of stress tests, to remain informed about their effects on the bank’s earnings and financial position, and to ensure that appropriate measures are taken.
Additional criteria
AC1	The supervisor obtains from banks the results of their internal interest rate risk measurement systems, expressed in terms of the threat to economic value, including using a standardized interest rate shock on the banking book.
Description and findings re AC1	Circular 08/6, Margin No. 53 require banks to report to SNB information regarding interest rate risk, quarterly for solo basis and semiannually for group-wide basis. These are set out in Standardized reporting and used by FINMA for analysis of outliers.
AC2	The supervisor assesses whether the internal capital measurement systems of banks adequately capture interest rate risk in the banking book.
Description and findings re AC2	See AC1. FINMA sets up a standardized supervision policy in order to identify outlier institutions, to harmonize supervisory actions, and to calibrate Pillar 2 capital surcharges for institutions with elevated IRRBB exposures. This policy defines a set of risk indicators for outlier identification, based on a present value sensitivity in relation to eligible regulatory capital reported by banks, and a parallel IR shift. FINMA’s main supervisory measures include the analysis of alternative replication assumptions (average industry replication portfolio/standard durations specified by FINMA), of individual currencies and re-pricing maturity types, of IRR in proportion to capitalization, and of IRR in proportion to interest income (risk/return ratio). These analyses are done on individual banks quarterly, on banking group semi-annually, and also on the system level.
Assessment of Principle 23	Compliant
Comments	FINMA should update its thematic reviews of IRRBB for smaller and mid-size banks, particularly those in Categories 4 and 5, to ensure that their stress scenarios in capital planning are sufficiently adverse and that risk management is appropriate.
Principle 24	Liquidity risk. The supervisor sets prudent and appropriate liquidity requirements (which can include either quantitative or qualitative requirements or both) for banks that reflect the liquidity needs of the bank. The supervisor determines that banks have a strategy that enables prudent management of liquidity risk and compliance with liquidity requirements. The strategy takes into account the bank’s risk profile as well as market and macroeconomic conditions and includes prudent policies and processes, consistent with the bank’s risk appetite, to identify, measure, evaluate, monitor, report and control or mitigate liquidity risk over an appropriate set of time horizons. At least for internationally active banks, liquidity requirements are not lower than the applicable Basel standards.
Essential criteria
EC1	Laws, regulations or the supervisor require banks to consistently observe prescribed liquidity requirements including thresholds by reference to which a bank is subject to supervisory action. At least for internationally active banks, the prescribed requirements are not lower than, and the supervisor uses a range of liquidity monitoring tools no less extensive than, those prescribed in the applicable Basel standards.
Description and findings re EC1	BA Art. 4 sets out the requirement for banks to maintain adequate liquidity and gives the Federal Council to establish a minimum requirement. The Liquidity Ordinance (LO) provides concrete minimum quantitative requirements for non-systemically banks. These requirements are, however, currently in a transition phase in preparation of the LCR introduction in 2015. Additional and stricter quantitative liquidity requirements for the two large banks are in place since 2010 based on FINMA’s communication to the two banks, which was then included in LO. The quantitative requirement for ordinary banks is set out in LO Arts. 12–17. It aims to ensure that banks have a certain amount of liquid assets compared to its short-term liabilities, with particular focus on liabilities that matures within one month. The detailed designs are as follows: Liquid assets should be at least 33 percent of short-term liability. Liquid assets consist of cash, precious metals, assets eligible for SNB operations, debt instruments issued by domestic borrowers that are traded in a representative market (except a bank’s own and other related companies’ debt instruments), debt instruments of foreign countries and other corporate entities subject to public law traded in a representative market, debt instruments and acceptances of first-class foreign banks and other equivalent securities falling due within six months, current accounts receivable and advances falling due within one month that are covered by central bank eligible assets or domestic debt instruments traded in a representative market. Short-term liabilities consist of 50 percent of the demand deposits as well as other accounts or passbook accounts with no withdrawal restrictions and 15 percent of the deposits on savings and passbook accounts as well as on similar accounts with withdrawal restrictions (with no tied pension assets). For assets and liabilities that mature within one month, their difference (net amount) will be added to liquid assets if positive and to short-term liabilities if negative. Banks need to report the status of liquidity to FINMA quarterly. This requirement is only applied to Swiss operations. All banks have substantially higher amount of liquid assets than required by this rule, which is not used for banks for their international liquidity management anymore. Still, this ratio feeds into the CAMELS rating. This quantitative minimum requirement will be replaced by the LCR at the beginning of 2015. A test-reporting on the LCR has been started with almost 40 banks and FINMA regards that it has increasingly become, already prior to its introduction, the benchmark for the assessment of the liquidity risk situation with the results being used by supervisors in their discussions with the banks. Starting July 2013, the LCR reporting is extended to all banks in Switzerland. Reporting frequency is monthly. Although the average ratio is above 60 percent, there is a wide difference among banks. A specific quantitative liquidity requirement for the two large banks was introduced in 2010 (BA Art. 9 para 2b); details are provided in LO Arts. 19–28. This requirement is conceptually based on the LCR. Its main features are as follows: Banks are required to continuously maintain liquidity buffers that cover net expected outflows under stress for the periods of seven days as well as 30 days. Net outflow is calculated in a similar manner with LCR; balance sheet items both on the asset side and the liability side are multiplied by different factors reflecting different natures of assets and liabilities under a stress scenario assuming banks are losing access to unsecured financing in the markets and there is a large-scale withdrawal of deposits. Central bank standing facilities within the agreed limits that are still open as well as the exceptional liquidity facility for which arrangements have been made in the coverage for outflows of liquidity—up to the amount that is still available—can be counted to reduce the net outflow for both seven day horizon scenario and 30-day scenario. Assets that are eligible for the liquidity buffer are categorized to two components: the primary component is similar to Level 1 HQLA in the LCR framework and includes such assets as government and central bank bonds, certain kinds of mortgage backed securities, and central bank reserves; the secondary component is comparable to Level 2 HQLA and consists of corporate bonds with high ratings, listed stocks, mortgage backed securities not included in the primary component, among others. Different haircut ratios are applied to reflect their expected liquidity during stress periods. For the seven-day horizon scenario, at least 75 percent of the gap needs to be filled by the primary component liquidity buffer, whereas for the 30-days horizon scenario it is 50 percent. Banks need to report monthly the situation of liquidity before the end of next month. In addition, if the requirements are breached or expected to be breached, banks need to report to FINMA and SNB immediately. Given the introduction of LCR in 2015, FINMA is currently studying if this requirement is more conservative, equivalent, or less conservative compared to the LCR, in order to determine whether to continue to apply this requirement for the two big banks in addition to LCR. Generally speaking, Compared to LCR, this requirement has: generally higher run-off ratios (retail deposits assigned 15 percent to 30 percent runoff ratios compared to three to ten percent in LCR); lower inflow rates for some cash inflows (zero percent for retail loans compared to 50 percent in LCR) but higher for maturing securities lending; and higher haircut ratio for some high quality assets (five percent for domestic sovereign bonds compared to zero percent in LCR) but lower for some (10 percent for Swiss covered bonds compared to 15 percent in LCR). FINMA uses a range of liquidity monitoring tools beyond the regulatory liquidity requirements (e.g., banks internal stress models) for the two big banks and for selected other banks. In addition to these quantitative requirements, qualitative requirements for liquidity management are set in LO as well as Circular 13/06 “Liquidity”. The qualitative Basel Sound Principles are already effective for systemically important banks. They will become effective for all other banks at the beginning of 2014.
EC2	The prescribed liquidity requirements reflect the liquidity risk profile of banks (including on- and off-balance sheet risks) in the context of the markets and macroeconomic conditions in which they operate.
Description and findings re EC2	The quantitative liquidity requirement for all banks focuses on deposit withdrawal and maturing short term funding. It does not cover liquidity needs arising from off-B/S items. However, as noted above, this requirement will be replaced by LCR from 2015, which (through the calibration and stress testing requirements) reflects risk profile of banks and includes off-balance sheet risks. The quantitative liquidity requirement for systemically important banks is, in contrast, tailored to a market-wide and idiosyncratic liquidity stress event, where different calibration of inflows and outflows compared from the LCR is provided. Off-B/S liquidity needs are also explicitly considered in this requirement. The qualitative requirements set out in LO as well as Circular 13/06 provides that the liquidity risk management practices of all banks have to reflect the liquidity risk profile of banks. For example, banks are required to include idiosyncratic, market-wide and combined sources and factors of liquidity risk in their stress-testing models. (LO Art. 9).
EC3	The supervisor determines that banks have a robust liquidity management framework that requires the banks to maintain sufficient liquidity to withstand a range of stress events, and includes appropriate policies and processes for managing liquidity risk that have been approved by the banks’ Boards. The supervisor also determines that these policies and processes provide a comprehensive bank-wide view of liquidity risk and are consistent with the banks’ risk profile and systemic importance
Description and findings re EC3	As noted in above, LO and Circular 13/06 stipulates elements required in a liquidity management framework in banks. Particularly, LO Art. 6 provides that banks shall: define the extent to which they are prepared to assume liquidity risks (their liquidity risk tolerance); establish strategies for the management of liquidity risk in accordance with their liquidity risk tolerance; and take into account the liquidity costs and liquidity risks associated with all of their material balance-sheet and off-balance sheet business lines, and in particular in the process of price-setting, in the introduction of new products, and in the measurement of earnings. Similarly, Art. 7 provides that banks shall: establish sound processes for the identification, assessment, management, and monitoring of liquidity risks; identify, manage, and monitor liquidity risk exposures and funding needs within the entire financial group and across legal entities, business lines, and currencies that are significant in terms of liquidity risk, taking into account legal, regulatory, or operational limitations with regard to the transferability of liquidity; identify, manage, and monitor their intraday liquidity risk exposures; and manage assets that serve to generate liquidity, differentiating between encumbered and unencumbered assets. In addition, Circular 13/06 requires: Banks to have liquidity risk management processes integrated into the bank-wide risk management process (Margin No. 11); Liquidity risk management should aim to ensure banks’ continuous solvency during bank-specific and/or market-wide stress periods (Margin No. 12); The Board of directors to set the liquidity risk tolerance and ensure compliance to it (Margin No. 13); and Senior management or a committee directly reporting to senior management to develop liquidity risk management strategy and processes (Margin No. 15). The proportionality principle is explicitly noted in the Circular, stating that qualitative requirements for liquidity risk management shall apply depending on size, complexity and inherent risk of banks, and that small banks shall be exempted from the implementation of their certain aspects. Compliance to these risks is expected to be assessed primarily through regulatory audits, but the FINMA has also carried out a survey for banks to assess their preparedness to the qualitative requirements. Its liquidity experts are also working with external auditors to establish a common understanding on the qualitative requirements. Also see CP 15.
EC4	The supervisor determines that banks’ liquidity strategy, policies and processes establish an appropriate and properly controlled liquidity risk environment including: (a) clear articulation of an overall liquidity risk appetite that is appropriate for the banks’ business and their role in the financial system and that is approved by the banks’ Boards; (b) sound day-to-day, and where appropriate intraday, liquidity risk management practices; (c) effective information systems to enable active identification, aggregation, monitoring and control of liquidity risk exposures and funding needs (including active management of collateral positions) bank-wide; (d) adequate oversight by the banks’ Boards in ensuring that management effectively implements policies and processes for the management of liquidity risk in a manner consistent with the banks’ liquidity risk appetite; and (e) regular review by the banks’ Boards (at least annually) and appropriate adjustment of the banks’ strategy, policies and processes for the management of liquidity risk in the light of the banks’ changing risk profile and external developments in the markets and macroeconomic conditions in which they operate.
Description and findings re EC4	See EC3. Particularly, LO Art. 6 and Circular 13/06 Margin Nos. 13 and 14 set out requirements for banks’ BoD to: establish liquidity risk tolerances; ensure that strategies, policies and processes are consistent with the risk tolerance; and review the risk tolerances, strategies and policies at least annually. On day-to-day/intraday risk management practices, LO Art. 7 and in particular Circular 13/06 Margin No. 16 requires senior management to set, among others, policies and processes for allocation of liquidity risk to various business lines, intraday management, and setting limits and the escalation procedures. The Circular further provides detailed guidance on these issues. On the need for effective information system, Circular 13/06 Margin No. 21 requires the liquidity risk management and control process to include information system to ensure the timely measurement, monitoring and reporting of liquidity positions in comparison with the established limits.
EC5	The supervisor requires banks to establish, and regularly review, funding strategies and policies and processes for the ongoing measurement and monitoring of funding requirements and the effective management of funding risk. The policies and processes include consideration of how other risks (e.g., credit, market, operational and reputation risk) may impact the bank’s overall liquidity strategy, and include: (a) an analysis of funding requirements under alternative scenarios; (b) the maintenance of a cushion of high quality, unencumbered, liquid assets that can be used, without impediment, to obtain funding in times of stress; (c) diversification in the sources (including counterparties, instruments, currencies and markets) and tenor of funding, and regular review of concentration limits; (d) regular efforts to establish and maintain relationships with liability holders; and (e) regular assessment of the capacity to sell assets.
Description and findings re EC5	FINMA expects funding strategies, policies and processes to be covered in the overall liquidity risk management frameworks described in above ECs. (Circular 13/06, Margin Nos. 15 and 16) On the analysis of funding requirements under alternative scenarios, stress testing requirements for liquidity risk covers impacts on funding under different scenarios according to the principle of proportionality. In particular, Circular 13/06 Margin No. 46 provides that stress scenarios should include deterioration in market conditions or rapid withdrawal of deposits. Also see EC 7. On the maintenance of a liquidity cushion, LO Art. 2 stipulates that a bank must have an adequate, sustainable liquidity reserve to address rapidly deteriorating liquidity situations. Further, Circular 13/06 provides qualitative requirements to maintain liquidity reserves that are sufficiently large and composed of sustainable assets. (Margin Nos. 36–40) It requires, among others, that the reserves are to be based on the banks’ business models and liquidity characteristics as well as the results of stress tests. Circular13/06 requires banks to limit and monitor large exposures to specific financing sources and maturities by taking appropriate measures. It requires diversification in terms of maturity, types of counterparties, instruments, markets, or currencies. Adequate measures could include, for instance, the setting of exposure limits. (Margin No. 32) Small banks not active in capital markets and trading or those that do not rely on market funding or funding by institutional investors are exempted from these requirements (Margin No. 33). The circular requires banks to regularly estimate how quickly liquidity can be generated from relevant financing sources that are available to it in stress situations, and particularly for those relying on funding by institutional investors through markets to assess the consequences of the case where such funding become impossible. (Margin Nos. 34–35) FINMA understands regular efforts to establish and maintain relationships with liability holders are in particular important for banks that rely on short term wholesale funding markets. There is an expectation that the two large banks have to fully adhere to Principle 7 of the BCBS’s Principles on Sound Liquidity Management and Supervision. Small and medium-sized banks that are mainly active in the mortgage market and that do not rely on short-term wholesale funding markets do not have to take that requirement into account, as FINMA assumes their funding channel through Swiss covered bonds, which are guaranteed by one of the two covered bond issuance institutions, would continue to be available. All other banks have to adhere to that requirement according to the principle of proportionality. In terms of assessment of capacity to sell assets, although the two large banks have to adhere entirely to the above mentioned BCBS Principles and as such have to assess the capacity regularly, this is not the case for other banks. FINMA sees limited benefits in assessing the capacity regularly, as it believes occasional use of potential funding sources does not provide any assurance that the funding will be available during a crisis.
EC6	The supervisor determines that banks have robust liquidity contingency funding plans to handle liquidity problems. The supervisor determines that the bank’s contingency funding plan is formally articulated, adequately documented and sets out the bank’s strategy for addressing liquidity shortfalls in a range of stress environments without placing reliance on lender of last resort support. The supervisor also determines that the bank’s contingency funding plan establishes clear lines of responsibility, includes clear communication plans (including communication with the supervisor) and is regularly tested and updated to ensure it is operationally robust. The supervisor assesses whether, in the light of the bank’s risk profile and systemic importance, the bank’s contingency funding plan is feasible and requires the bank to address any deficiencies.
Description and findings re EC6	LO Art. 10 stipulates that every bank shall prepare a contingency plan that contains effective strategies for dealing with liquidity shortages and banks shall establish the relevant responsibilities, lines of communication, and the necessary measures in the appropriate form in their internal guidelines and instructions. Further guidance is provided by Circular 13/06 Margin Nos. 48–53. The guidance provides that the plans should: be documented (Margin No. 53); include possible actions depending on the level of escalation or the stress event (Margin No. 49 c); include clear definition of roles and assignment of responsibilities (Margin No. 49 e); include clear procedures, decision tress and reporting duties as well as clearly developed and defined communication paths and strategies for information flow to external and internal parties (including FINMA) in the event of an emergency (Margin Nos. 49 f, 49 g, and 50); and be reviewed annually and updated accordingly (Margin No. 51). Currently, for the two large banks the external auditors assess annually the feasibility of the funding plan and whether there exists deficiencies that require the banks’ attention.
EC7	The supervisor requires banks to include a variety of short-term and protracted bank-specific and market-wide liquidity stress scenarios (individually and in combination), using conservative and regularly reviewed assumptions, into their stress testing programs for risk management purposes. The supervisor determines that the results of the stress tests are used by the bank to adjust its liquidity risk management strategies, policies and positions and to develop effective contingency funding plans.
Description and findings re EC7	LO Art. 9 stipulates that every bank must establish various stress scenarios for liquidity risks and perform stress tests of their liquidity positions based on these scenarios. It also requires that, in this process, banks shall take into account the cash flows on off-balancesheet items and other contingent liabilities, including those involving securitization specialpurpose entities and other special-purpose entities that a bank uses to generate liquidity or under which a bank is required to provide material liquidity assistance either contractually or due to reputation considerations. Regarding stress scenarios, the Art. requires the following to be taken into account: institution-specific, market-wide, and combined causes and factors; time horizons of varying length; and varying degrees of severity for stress events, including a scenario involving a loss of unsecured financing as well as cutbacks in secured financing. It also requires that the assumptions involved in the scenarios, in particular those relating to cash flows and the liquidity value of assets in the case of a stress event must be reviewed regularly following the onset of a stress event. Further detailed requirements are provided by Circular 13/06 Margin Nos. 41–47. In particular, it requires that the results of stress tests to be used to understand the bank’s liquidity situation vis-à-vis its liquidity risk tolerance as well as its liquidity buffer and to set exposure limits and that the results must be reported to the Board at least annually. In terms of stress testing scenarios, it requires scenarios to: be based on historical events, case studies, and/or hypothetical models; cover all the potential material liquidity risks; cover both short-term and long-term liquidity shortages; and have parameters that are as conservative as possible. The Circular also provides that small banks can choose one scenario (based on LCR) if they can prove that one scenario is sufficient given their business model. In case of the two big banks, intense and continuous stress-testing dialogue between banks and FINMA are taking place on various aspects of their stress testing including the design of the internal stress-testing models, the assumptions, the bank internal “use test” and their relation to the contingency funding plans. For other banks, while there is no systematic assessment, FINMA has started supervisory reviews on the liquidity situation of a selected number of banks based on LCR reporting results.
EC8	The supervisor identifies those banks carrying out significant foreign currency liquidity transformation. Where a bank’s foreign currency business is significant, or-the bank has significant exposure in a given currency, the supervisor requires the bank to undertake separate analysis of its strategy and monitor its liquidity needs separately for each such significant currency. This includes the use of stress testing to determine the appropriateness of mismatches in that currency and, where appropriate, the setting and regular review of limits on the size of its cash flow mismatches for foreign currencies in aggregate and for each significant currency individually. In such cases, the supervisor also monitors the bank’s liquidity needs in each significant currency, and evaluates the bank’s ability to transfer liquidity from one currency to another across jurisdictions and legal entities.
Description and findings re EC8	LO Art. 7 para 2 sets out a general requirement for banks to identify, manage, and monitor liquidity risk exposures and funding needs across currencies that are significant in terms of liquidity risk, taking into account legal, regulatory, or operational limitations with regard to the transferability of liquidity. Circular 13/06 further requires banks with significant assets or liabilities in foreign currencies and considerable mismatches in terms of both maturities and currencies of these foreign currency assets and liabilities to: carry out adequate processes to manage its foreign currency liquidity in the most important currencies in order to ensure fulfillment of its commitments; include in the process at the least a separate overview of liquidity developments for each currency, separate stress tests for these foreign currencies, and explicit consideration in a contingency plan set up for periods of inadequate liquidity; monitor developments in liquidity on foreign exchange swap markets and the ability to exchange currencies in a timely manner and be ready to take proper measures; and integrate into the stress tests scenarios affecting foreign exchange swap markets that intensify mismatches between currencies and cause unexpected price volatilities. In addition, LCR by currency for the two large banks are introduced at the beginning of 2012 as a monitoring tool. Also, through the stress testing dialogue with the banks described in EC7, FINMA requires to include a FX swap market shock scenario in their stress-testing models. For other banks, as a part of measures for the LCR monitoring period, FINMA has also introduced a LCR by currency reporting under the requirements stipulated in the Basel text (i.e., for all significant currencies, where significant means that the aggregate liabilities denominated in that currency amount to 5 percent or more of the bank’s total B/S).
Additional criteria
AC1	The supervisor determines that banks’ levels of encumbered balance-sheet assets are managed within acceptable limits to mitigate the risks posed by excessive levels of encumbrance in terms of the impact on the banks’ cost of funding and the implications for the sustainability of their long-term liquidity position. The supervisor requires banks to commit to adequate disclosure and to set appropriate limits to mitigate identified risks.
Description and findings re AC1	Circular 13/06 provides that banks have to evaluate the extent of legal, regulatory or operational restrictions to use the “liquidity reserve” and acceptability of assets by counterparties as collateral. Also, when LCR is formally adopted as a minimum standard, the operational criteria for HQLA which cover the issue of encumbrance will also come into effect. In addition, monitoring of unencumbered liquid assets is undertaken for the two big banks. With these banks, the supervisor discusses their overall level of encumbrance frequently. Currently, a 30 percent ceiling for covered bond issuance to total mortgage loans is imposed for these big banks, which is reviewed regularly. However, assessment of the level of encumbrance in regard to its impact to long-term cost and availability of funding from unsecured creditors are not required or undertaken. Neither disclosure of the level of encumbrance nor setting limits to encumbrance is currently required, but banks in Categories 1 and 2 disclose information on their encumbered/pledged mortgages in their covered bond programs as required by accounting standards.
Assessment of Principle 24	Largely Compliant
Comments	While the new draft Circular 13/06 covers substantial parts of the requirements set out in this principle and is a substantial improvement, there are still some elements that are lacking in the assessors view, such as the need for banks to establish liquidity risk appetites (not just liquidity risk tolerance) or to monitor and assess adequacy of the level of overall encumbrance. Also, the assessors were not able to assess the actual application of this circular as banks are only required to adhere to qualitative requirements set out in the circular by beginning of 2014. Moreover, the assessors view exempting small banks from a qualitative requirement on diversification of the financing structure is not warranted, as even a small bank could face problems if it is relying on a few large depositors for funding. The assessors also see application of outdated quantitative requirements (and their use in the FINMA internal rating system) except for the largest banks as a problem, although the current authorities’ plan to implement LCR according to internationally agreed schedule will improve the framework substantially. Looking forward, the assessors believe effective and rigorous implementation of Circular 13/06 as well as understanding banks’ LCR data would be critical. Particularly on the former, the assessors recommend FINMA to have close dialogue with banks as well as external auditors to set a clear expectation regarding qualitative requirements, building on efforts currently being made. This is especially needed in applying the principle of proportionality. FINMA needs to monitor how the proportionality is interpreted by banks and auditors and to ensure that this is not used as an excuse for applying a weak risk management framework. FINMA may also want to review the status of implementation of the circular after a few years and revise it to reflect as needed.
Principle 25	Operational risk. The supervisor determines that banks have an adequate operational risk management framework that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk62 on a timely basis.
Essential criteria
EC1	Law, regulations or the supervisor require banks to have appropriate operational risk management strategies, policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the bank’s risk profile, systemic importance, risk appetite and capital strength, take into account market and macroeconomic conditions, and address all major aspects of operational risk prevalent in the businesses of the bank on a bank-wide basis (including periods when operational risk could increase).
Description and findings re EC1	As in other risk areas, FINMA Circular 08/24 provides a general requirement for risk management and control for all risk areas, including operational risk. Circular 08/21 “Operational risk” covers specific requirements for operational risk. Circular 08/24 Margin Nos. 121 to 124 set out the following requirements for general risk management strategies, policies and processes: Tasks, responsibilities and reporting are to be established in a regulation that is to be approved by senior management or BoD. As an independent control function, the risk control function monitors the risk profile of the institution. It prepares the risk information necessary for monitoring risks and lays the foundations for the institution’s risk policy, risk appetite and its risk limits, which are to be approved by senior management or the BoD. The responsibilities of the risk control function include the design and implementation of an adequate system of risk supervision and its constant adjustment to new business lines and products, the standardization and application of principles and methods for assessing risk (e.g., valuation and aggregation methods, validation of models), as well as the monitoring of adequate systems to assess the requirements concerning capital adequacy, large exposures and liquidity. Risk control, at a minimum on a semi-annual basis, submits a report on risks and risk positions, respectively, to senior management. In the case of unusual developments, it informs senior management and the internal audit function immediately. Appendix 1 to Circular 08/21 provides basic qualitative requirements applicable to banks, although those using Basic Indicator Approach of Basel II and whose required capital is less than a certain amount are exempted from the requirements. In particular, Margin Nos. 2, 6, and 7 detail further operational risk specific requirements as: BoD must be aware of its bank’s material operational risk. It must—directly or by way of a committee—approve written policies for the treatment of operational risk and review those policies periodically. Such policies concern identifying, assessing, monitoring, and controlling operational risk and measures to reduce the operational risk exposure. Banks must systematically monitor their operational risk profile and their material operational risk. Senior management and BoD must be kept up-to-date about the corresponding results so that they can proactively determine measures to be taken as needed. Banks must have frameworks and concrete measures to monitor and/or mitigate material operational risk. These must be matched to the bank’s current situation. Circular 08/21 is currently under revision (public consultation of May 23 to July 1, 2013) and a revised circular is expected to be published soon, aiming to be implemented from 2015. It will include more granular qualitative requirements for managing operational risks (section IV.B) in line with the respective principles published by the Basel Committee. Still, small banks (some Category 4 banks and all Category 5 banks) will not be required to comply with all requirements, but only with a subset of them. The discussion with FINMA revealed detailed and horizontal assessments on operational risk management over a large number of small banks would be difficult, even after the introduction of the new circular, given limited resources.
EC2	The supervisor requires banks’ strategies, policies and processes for the management of operational risk (including the banks’ risk appetite for operational risk) to be approved and regularly reviewed by the banks’ Boards. The supervisor also requires that the Board oversees management in ensuring that these policies and processes are implemented effectively.
Description and findings re EC2	As noted above, FINMA Circulars 08/24 and 08/21 provides requirements that BoD approves and reviews strategies, policies and process for the management of operational risk. Specifically, Circular 08/24 Margin Nos. 9 to 14 stipulates that: BoD bears responsibility for the regulation, establishment, maintenance, monitoring and regular supervision of an appropriate internal control function tailored to the size, complexity, structure and risk profile of the institution; BoD regularly discusses with senior management its assessment of the adequacy and effectiveness of the internal controls; and By issuing guidelines for senior management, BoD ensures that employees of all levels are aware of and understand their duties and responsibilities regarding the internal control process. For related provisions in Appendix 1 to FINMA Circulars 08/21, see EC1. Also, BoD is required to ensure that the policies for the treatment of operational risk are reviewed by internal auditors.
EC3	The supervisor determines that the approved strategy and significant policies and processes for the management of operational risk are implemented effectively by management and fully integrated into the bank’s overall risk management process.
Description and findings re EC3	Implementation of strategies, policies and processes for the management of operational risk is covered by the regular audit process through which compliance with Circular 08/24 Circular 08/21 are assessed. Appendix 1 to Circular 08/21, in particular, Margin No. 4 details further requirements specifically for implementation of operational risk management framework, stipulating that senior management bears responsibility for implementing the bank’s policies for the treatment of operational risk, that the body must see to it that the policies are implemented consistently throughout the organizational structure and ensure that all employees are aware of their responsibilities in the treatment of operational risk, and that senior management is also responsible for designing measures to manage operational risk arising from all of the bank’s operations. Banks using the Standardized Approach (SA) for capital calculations and with foreign representations (internationally active banks) are required to fulfill additional qualitative requirements under Circular 08/21. This includes a requirement that the operational risk assessment system must be closely integrated into the bank’s overall risk management processes (Margin No. 37). Similarly, additional qualitative requirements for banks using the Advanced Measurement Approach (AMA) for capital calculations include the institution- specific quantification system for operational risk to be closely integrated into the bank’s day-to-day overall risk management processes, and its output to be an integral part of overall risk profile monitoring and control. (Margins 61 and 62).
EC4	The supervisor reviews the quality and comprehensiveness of the bank’s disaster recovery and business continuity plans to assess their feasibility in scenarios of severe business disruption which might plausibly affect the bank. In so doing, the supervisor determines that the bank is able to operate as a going concern and minimize losses, including those that may arise from disturbances to payment and settlement systems, in the event of severe business disruption.
Description and findings re EC4	On contingency and business continuity plans, Appendix 1 to Circular 08/21 Margin No. 8 stipulates that banks must have emergency measures that allow them to continue their activities under extraordinary circumstances and thus make it possible to limit the impact of severe impairments of normal business operations. Additionally, SBA published “Recommendations for Business Continuity Management (BCM)” which is treated by FINMA as a minimum standard. Assessment of banks’ adherence to these requirements is included in the Standard Audit Strategies, so that external auditors need to assess them.
EC5	The supervisor determines that banks have established appropriate information technology policies and processes to identify, assess, monitor and manage technology risks. The supervisor also determines that banks have appropriate and sound information technology infrastructure to meet their current and projected business requirements (under normal circumstances and in periods of stress), which ensures data and system integrity, security and availability and supports integrated and comprehensive risk management.
Description and findings re EC5	Current FINMA circulars only implicitly address requirements to the management of technology risks. For example, Appendix 1 to FINMA Circular 08/21 Margin No. 7 provides the requirements for banks to implement procedures and measures to monitor and mitigate all material operational risks, which implicitly includes technology risks according to the authorities. The upcoming revised circular will explicitly refer to technology risk management.
EC6	The supervisor determines that banks have appropriate and effective information systems to: (a) monitor operational risk; (b) compile and analyze operational risk data; and (c) facilitate appropriate reporting mechanisms at the banks’ Boards, senior management and business line levels that support proactive management of operational risk.
Description and findings re EC6	Circular 08/24 provides requirements regarding information systems for risk management stipulating that senior management need to ensure that all relevant information on the day-to-day business is gathered, transmitted and processed through management information system. More specifically, Circular 08/21, Appendix 1 Margin No. 7 require banks to have frameworks and concrete measures to monitor and/or mitigate material operational risk as described above, although it does not explicitly mention information systems. For AMA banks, the Circular provides additional requirements to collect internal loss data and comply with quality and procedural requirements (Margin Nos. 76 to 85). SA banks with foreign representation are also required to collect internal loss data, although it is limited to significant losses (Margin Nos. 35 and 36). The definition of significant losses is not defined. FINMA explains that the upcoming revised Circular 08/21, currently in the process of public consultation, extends requirements to data collection and analysis to a broader set of banks (all banks belonging to FINMA categories 1 to 3 and a large portion of banks in category 4). On reporting mechanism to BoD and senior management, Circular 08/21 Margin Nos. 52 to 54 provides qualitative requirements for AMA banks by stipulating that BoD must be actively involved in oversight of the approach, senior management must be familiar with the basic framework of the approach and be capable of performing its corresponding oversight functions, and the bank must have a conceptually solid and reliable system that is implemented with integrity. Additionally, Margin Nos. 62 and 63 cover the topic of reporting and the breakdown of AMA outcomes for major business lines.
EC7	The supervisor requires that banks have appropriate reporting mechanisms to keep the supervisor apprised of developments affecting operational risk at banks in their jurisdictions.
Description and findings re EC7	See EC6. Moreover, although there is no further formal reporting mechanisms, FINMA explains that, in general, banks report their large operational loss incidents to FINMA. The revised Circular 08/21 will extend requirements for reporting operational risk, including reporting of internal events and breaches to risk appetite and tolerance statements, as well as reporting of external events occurring at peers with relevance for a specific institution.
EC8	The supervisor determines that banks have established appropriate policies and processes to assess, manage and monitor outsourced activities. The outsourcing risk management program covers: (a) conducting appropriate due diligence for selecting potential service providers; (b) structuring the outsourcing arrangement; (c) managing and monitoring the risks associated with the outsourcing arrangement; (d) ensuring an effective control environment; and (e) establishing viable contingency planning. Outsourcing policies and processes require the bank to have comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank.
Description and findings re EC8	FINMA Circular 08/07 “outsourcing” provides comprehensive and detailed requirements for banks’ outsourcing activities, covering such areas as: Selection of service providers (Margin Nos. 21, 22); Agreement and contract with service providers including structure of the outsourcing arrangement (Margin Nos. 25, 51–53); Arrangement to manage and monitor risks, including security, banking secrecy and data protection (Margin Nos. 26–36); and Control of service providers (Margin Nos. 23–24). The Circular also requires that the bank’s internal auditor, external auditor as well as FINMA should be able to inspect and audit outsourced activities (Margin No. 51).
Additional criteria
AC1	The supervisor regularly identifies any common points of exposure to operational risk or potential vulnerability (e.g., outsourcing of key operations by many banks to a common service provider or disruption to outsourcing providers of payment and settlement activities).
Description and findings re AC1	FINMA explains that it tries to identify common operational risk exposure or potential vulnerability across banks and conduct supervisory activities over those issues, although no formal framework exists. In recent years FINMA focused on the following two areas and has issued requirements or recommendations: Operational risks in capital markets. FINMA issued in December 2011 a selection of recommendations for reducing the risk of unauthorized trading incidents. This was reactive to problems observed in the marketplace. Operational risks in handling electronic client data. FINMA has developed an extensive new set of requirements in the appendix to revised Circular 08/21 (which compliance assessment will be part of the regular audit).
Assessment of Principle 25	Largely Compliant
Comments	The current regulatory framework on operational risk has several deficiencies, which drive the above grade. These include limited application of basic qualitative requirements where even the basic and minimum qualitative requirements do not apply a substantial part of the banking sector and lack of reference on operational risk management regarding information systems. On the supervisory side, lack of adequate treatment of operational risk in the supervisory rating system is a source of concern. Currently, FINMA’s CAMELS rating system does not incorporate operational risk explicitly. Given operational risk could be the primary risk area for banks specializing in asset management business, which is large in Switzerland, the framework needs to be adjusted so that operational risk assessment could affect the overall rating in a more straight-forward manner, at least for banks with business models which have high potential of operational risk. Furthermore, absence of clear guidance on reporting of operational risk related incidents to the supervisor may make it difficult for FINMA to detect emerging horizontal operational risk related issues. The assessors understand the authorities are preparing to issue the revised circular on operational risk management soon, which is expected to be implemented from beginning of 2015. The assessors believe the new circular would address most of the issues listed above, but still believe that non application of some of the qualitative requirements in the circular to some Category 4 banks and all Category 5 banks may leave vulnerability in the system. Even though these banks are small, if similar incidents related to operational risk happen in a number of banks, it could damage reputation of Swiss banks. Thus, the assessors recommend more close evaluation of inherent operational risk in smaller banks by FINMA staff before deciding which of Categories 4 and 5 banks are excluded from some of the qualitative requirements on operational risk management. Similarly, it is important for FINMA to push external auditors to strengthen intensity and quality of their work on operational risk management. These clearly require FINMA to increase its own specialist resource. The assessors also recommend that the overall supervisory framework should give operational risk more priority, at least for banks with business models in which inherent operational risk level is high. One possible approach would be to revise the current CAMELS rating system as suggested above. Given the importance of operational risk in the Swiss banking sector, it is also important for FINMA to take a more proactive stance on this issue by, for example, assessing common risk factors and carrying out thematic supervisory reviews using FINMA’s own resources or third parties.
Principle 26	Internal control and audit. The supervisor determines that banks have adequate internal control frameworks to establish and maintain a properly controlled operating environment for the conduct of their business taking into account their risk profile. These include clear arrangements for delegating authority and responsibility; separation of the functions that involve committing the bank, paying away its funds, and accounting for its assets and liabilities; reconciliation of these processes; safeguarding the bank’s assets; and appropriate independent63 internal audit and compliance functions to test adherence to these controls as well as applicable laws and regulations.
Essential criteria
EC1	Laws, regulations or the supervisor require banks to have internal control frameworks that are adequate to establish a properly controlled operating environment for the conduct of their business, taking into account their risk profile. These controls are the responsibility of the bank’s Board and/or senior management and deal with organizational structure, accounting policies and processes, checks and balances, and the safeguarding of assets and investments (including measures for the prevention and early detection and reporting of misuse such as fraud, embezzlement, unauthorized trading and computer intrusion). More specifically, these controls address: (a) organizational structure: definitions of duties and responsibilities, including clear delegation of authority (e.g., clear loan approval limits), decision-making policies and processes, separation of critical functions (e.g., business origination, payments, reconciliation, risk management, accounting, audit and compliance); (b) accounting policies and processes: reconciliation of accounts, control lists, information for management; (c) checks and balances (or “four eyes principle”): segregation of duties, cross-checking, dual control of assets, double signatures; and (d) safeguarding assets and investments: including physical control and computer access.
Description and findings re EC1	The banking act, ordinance, and FINMA circulars combine to require banks to have comprehensive internal control frameworks. (Art. 3 para 2 of the Federal Law of 8 November 1934 on Banks and Savings Banks, Art. 9 para 4 of the Federal Ordinance of 17 May 1972 on Banks and Savings Banks, and FINMA Circular 08/24, Supervision and internal controls) Guidance and requirements are expressed as very high level principles and not as detailed requirements. There are responsibilities placed on boards as ultimately responsible and on management for establishing, maintenance and regular testing of internal control systems. There are high-level criteria concerning adequacy of these frameworks. Matters such as appropriate organization structure, checks and balances, appropriate MIS, definition and segregation of duties, and compliance review are all covered. A number of the requirements are specified in a general way (e.g., ‘an effective system, an appropriate system, appropriate resources in control functions’) The various laws, ordinances or circulars state that requirements are to be in conformity with the size complexity and risk profile of the institution or that their appropriateness is to be judged taking account of these factors. Detailed guidance is not provided on these matters. Rather, it is left to banks, regulatory auditors, and FINMA supervisors to judge what this means in practice. Other circulars deal with such matters as accounting policies. Assessment of these processes occurs mostly through the regulatory audit. Auditors must express an opinion (negative assurance or positive assurance depending on the scope of review or audit performed) on adherence to laws, ordinances and circulars. Audit instructions from FIMA explicitly require auditors to consider the adequacy of internal control, compliance and risk management functions.
EC2	The supervisor determines that there is an appropriate balance in the skills and resources of the back office, control functions and operational management relative to the business origination units. The supervisor also determines that the staff of the back office and control functions have sufficient expertise and authority within the organization (and, where appropriate, in the case of control functions, sufficient access to the bank’s Board) to be an effective check and balance to the business origination units.
Description and findings re EC2	Under FINMA circulars management must ensure an appropriate segregation of duties between the business lines, the back office and the control functions (FINMA Circular 08/24, Margin No. 86). The compliance function and the risk control must be allocated adequate resources and authority according to the size of the bank, the complexity of the business and the organization, and the risk profile of the institution. The institution must designate one member of management who is responsible for the compliance function and one for risk control (FINMA Circular 08/24). Under FINMA audit instructions for the regulatory audit the adequacy of resources in these functions is to be assessed. There is no explicit guidance externally or internally on how this judgment is to be made.
EC3	The supervisor determines that banks have an adequately staffed, permanent and independent compliance function64 that assists senior management in managing effectively the compliance risks faced by the bank. The supervisor determines that staff within the compliance function is suitably trained, have relevant experience and have sufficient authority within the bank to perform their role effectively. The supervisor determines that the bank’s Board exercises oversight of the management of the compliance function.
Description and findings re EC3	Compliance functions must be allocated adequate resources and authority according to the size of the institution, the complexity of the business and its organization, and compliance issues. Board oversight is required (see EC2). Compliance functions are required under FINMA circulars to perform assessment of compliance risk and prepare an activity plan at least once a year to be approved by senior management, provide the senior management with timely reporting regarding material changes in the assessment of compliance risks, and determine and investigate serious violations (FINMA Circular 08/24, Margin No. 108 ff.). Compliance duties also include annual reporting to the board of directors regarding the assessment of the compliance risks and the activities of the compliance function (FINMA Circular 08/24, Margin No. 112). Assessors discussed with FINMA staff and with representatives of audit firms how audit firms make the assessment of effectiveness and adequacy of resources. FINMA staff indicated that this judgment is largely left to audit firms and their methodologies, though there is substantial discussion in the case of larger banks. Audit firms indicated that they had extensive exposure to these functions as part of their work and that is was a matter of professional judgment. Individual KAMs can intervene to require more regularity audit work as part of the planning process. For Category 1 banks (the largest two) standard audit strategy requires coverage of various elements of internal control over a six year period, annual critical evaluation of internal audit, annual review of central risk control functions (audit once every three years for central risk functions). For Category 2 banks and below, the minimum audit requirement for central risk control functions is relaxed to once every six years. FINMA has the ability to direct auditors work or commission independent focused reviews of compliance and has done so for individual large banks. Recently these have tended to be reactive to identified breakdowns. Other reviews are not frequent and no in-depth thematic reviews of these functions have been performed by FINMA in recent years.
EC4	The supervisor determines that banks have an independent, permanent and effective internal audit function65 charged with: (a) assessing whether existing policies, processes and internal controls (including risk management, compliance and corporate governance processes) are effective, appropriate and remain sufficient for the bank’s business; and (b) ensuring that policies and processes are complied with.
Description and findings re EC4	Various elements of the Banking law, ordinances and circulars place requirements on internal audit. (Art. 3 para 2 let. a BA, Art. 9 para 4 BO, FINMA Circular 08/24, Supervision and internal controls - banks, Margin No. 54 ff.) Banks must appoint internal auditors independent from the management. In cases of very small entities, FINMA may, after consulting with the external audit company, exempt an institution from this obligation. The duties of the internal audit may be delegated to a third company provided the external audit company confirms the competence and professional manner and independence of the third party. For smaller banks, outsourcing of internal audit is frequent. Direct reporting to the board of directors is required and the board must appoint the head of internal audit. Organization, duties and responsibilities are to be set by the board and internal audit must meet the standards promulgated by the Swiss Institute of Internal auditing. And internal auditors are governed by standards of professional practice. There are general requirements for sufficient and appropriate resources and expertise in relation to the size complexity and risk profile of the institution. There is a requirement for comprehensive risk assessment by IA at least annually and for reporting of plans for approval by the board and for reporting of results and follow up. This is assessed by FINMA through the regulatory audit process. For category one institutions the regulatory audit is to conduct a critical review of internal audit every year.
EC5	The supervisor determines that the internal audit function: (a) has sufficient resources, and staff that are suitably trained and have relevant experience to understand and evaluate the business they are auditing; (b) has appropriate independence with reporting lines to the bank’s Board or to an audit committee of the Board, and has status within the bank to ensure that senior management reacts to and acts upon its recommendations; (c) is kept informed in a timely manner of any material changes made to the bank’s risk management strategy, policies or processes; (d) has full access to and communication with any member of staff as well as full access to records, files or data of the bank and its affiliates, whenever relevant to the performance of its duties; (e) employs a methodology that identifies the material risks run by the bank; (f) prepares an audit plan, which is reviewed regularly, based on its own risk assessment and allocates its resources accordingly; and (g) has the authority to assess any outsourced functions.
Description and findings re EC5	FINMA Circular 08/24, Supervision and internal controls – banks, specifies that internal audit function is to be formed according to the size, complexity and the risk profile of the institution. It is required to be allocated sufficient personnel and maintain the appropriate technical expertise in order to fulfill their mandate. (see EC5 re independence and planning) The key personnel must maintain in-depth knowledge in the areas of activity in which the bank is operative. Overall, it must be ensured that the appropriateness of the internal controls are assessed by qualified auditors (FINMA Circular 08/24, Margin No.67). The internal audit function has unlimited auditing authority within the institution and its companies subject to consolidation. It has unrestricted access to information that is required for fulfilling its audit duties (FINMA Circular 08/24, Margin No. 64). The internal audit of the enterprise must maintain the right to complete an unrestricted inspection of the outsourced business (FINMA Circular 08/7, Outsourcing – banks). FINMA has set internal guidelines which are available to regulatory auditors on its expected resourcing of internal audit relative to the size of banks. Regulatory auditors must express an opinion on adequacy of resources in internal audit. Assessors discussed with regulatory auditors how they made this judgment. Regulatory auditors have considerable contact with IA and review and rely on its work, which aids their ability to make the judgments required.
Assessment of Principle 26	Compliant
Comments	FINMA has put pressure on regulatory auditors to enhance their effectiveness and to be more forward looking in all of their assessments, including of control systems. Recent reviews by FINMA of compliance appear more reactive. Publicized breakdowns at a number of banks related to compliance issues suggest that the supervisory approach needs to be ramped up on a proactive basis. While some of these relate to criminal activity, FINMA’s expost reviews has also found there were serious deficiencies in risk management and controls that, if they had not existed, would have lead to the problems being detected sooner. This is part of a more general issue of supervisory approach and technique that is assessed under CPs 8-9. New qualitative operational risk requirements from FINMA will assist in the strengthening of supervisory work in this area.
Principle 27	Financial reporting and external audit. The supervisor determines that banks and banking groups maintain adequate and reliable records, prepare financial statements in accordance with accounting policies and practices that are widely accepted internationally and annually publish information that fairly reflects their financial condition and performance and bears an independent external auditor’s opinion. The supervisor also determines that banks and parent companies of banking groups have adequate governance and oversight of the external audit function.
	General remark: With regard to the external audit of financial intermediaries, it is important to note that FINMA mandates audit firms for a considerable part of its on-site activities. While FINMA is responsible for the supervision of audit firms with regard to their supervisory audit activities, the Federal Audit Oversight Authority (FAOA) is responsible for the supervision of audit firms with regard to their financial audit activities.
Essential criteria
EC1	The supervisor66 holds the bank’s Board and management responsible for ensuring that financial statements are prepared in accordance with accounting policies and practices that are widely accepted internationally and that these are supported by recordkeeping systems in order to produce adequate and reliable data.
Description and findings re EC1	Under the Directive on Financial Reporting of the SIX Exchange Regulation, all issuers must apply IFRS or US GAAP to the Main Standard of the SIX Swiss Exchange. Large banks and a number of mid-size banks are listed. FINMA permits the application of IFRS and US GAAP for consolidated financial statements and supplementary unconsolidated financial statements prepared according to the true and fair view principle and Swiss GAAP. Ten banking groups use internationally recognized standards, the two in category 1, four in category 3, and four banks in categories 4/5. Smaller and mid-size banks can use Swiss GAAP for consolidated statements as well, and most banks do so. Assessors discussed the main differences between Swiss GAAP and IFRS with FINMA and auditors. They noted that Swiss GAAP is similar to IFRS and the exceptions are generally more conservative than IFRS. The most important is that certain fair value provisions of IFRS (IAS39) are not permitted with financial assets not in the “current” book valued instead at acquisition cost. Another important difference is that Swiss requirements for instruments to qualify for hedging treatment are less strict than under IFRS with macro hedging permitted and effectiveness testing not required. FINMA reports that these differences are in practice not material. Lastly Swiss GAAP permits banks to have “hidden reserves”. There are requirements for adequate recordkeeping systems. A separate public audit opinion on the adequacy of internal controls supporting financial statements is not required.
EC2	The supervisor holds the bank’s Board and management responsible for ensuring that the financial statements issued annually to the public bear an independent external auditor’s opinion as a result of an audit conducted in accordance with internationally accepted auditing practices and standards.
Description and findings re EC2	Under the Banking Act (Art. 18), every bank has to have an annual audit performed by an authorized audit firm. The audit firm has to examine whether the bank’s accounts are compliant with the applicable accounting standards. Audits are based on international standards of auditing (ISA) for financial statements prepared in accordance with international accounting standards while the local adopted Swiss auditing standards for financial statements are prepared in accordance with Swiss accounting standards (Arts. 2 and 3 of the Ordinance of the Federal Audit Oversight Authority on the Oversight of Audit Firms). Local auditing standards closely match international standards. The independence of the audit firm is specified in FINMA Circular 13/4 Audit firms and lead auditors (Margin No. 32 ff.), which is based on the independency rules of the Swiss Code of Obligations (Art. 728) and the Auditor Oversight Act (Art. 11).
EC3	The supervisor determines that banks use valuation practices consistent with accounting standards widely accepted internationally. The supervisor also determines that the framework, structure and processes for fair value estimation are subject to independent verification and validation, and that banks document any significant differences between the valuations used for financial reporting purposes and for regulatory purposes.
Description and findings re EC3	Specific provisions are set out in FINMA Circular 08/20 Market risks – banks for prudent valuation of fair values of the trading book and the banking book (see Margin Nos. 32 ff.) for regulatory purposes. See also CP 22.
EC4	Laws or regulations set, or the supervisor has the power to establish the scope of external audits of banks and the standards to be followed in performing such audits. These require the use of a risk and materiality based approach in planning and performing the external audit.
Description and findings re EC4	FINMA does not have authority to specify the scope of external financial audits. However if FINMA had concerns it could use the regulatory audit scope, which it does control, to have additional work done.
EC5	Supervisory guidelines or local auditing standards determine that audits cover areas such as the loan portfolio, loan loss provisions, non-performing assets, asset valuations, trading and other securities activities, derivatives, asset securitizations, consolidation of and other involvement with off-balance sheet vehicles and the adequacy of internal controls over financial reporting.
Description and findings re EC5	The financial audit has to be carried out in line with the principles of the regular audit of the Swiss Code of Obligations and international auditing standards or equivalent Swiss standards apply.
EC6	The supervisor has the power to reject and rescind the appointment of an external auditor who is deemed to have inadequate expertise or independence, or is not subject to or does not adhere to established professional standards.
Description and findings re EC6	FINMA and FAOA have the power to reject and rescind the appointment of an external auditor who is deemed to have inadequate expertise or independence, or does not adhere to established professional standards. The requirements of professional behavior, expertise and independence are based on federal law as well as enforcement by FAOA/FINMA concerning breaches of these requirements. FINMA staff reported that this has occurred.
EC7	The supervisor determines that banks rotate their external auditors (either the firm or individuals within the firm) from time to time.
Description and findings re EC7	Under the Swiss Code of Obligations, the lead auditor may exercise his mandate for seven years at the most. He may only accept the same mandate again after an interruption of three years.
EC8	The supervisor meets periodically with external audit firms to discuss issues of common interest relating to bank operations.
Description and findings re EC8	FINMA interaction with audit firms for regulatory audits is extensive. The same audit firms carries out the regulatory and financial audit (and this can be lead by the same partner except in the case of the category 1 and 2 banks. So FINMA views can be taken into account in the financial audit as well.
EC9	The supervisor requires the external auditor, directly or through the bank, to report to the supervisor matters of material significance, for example failure to comply with the licensing criteria or breaches of banking or other laws, significant deficiencies and control weaknesses in the bank’s financial reporting process or other matters that they believe are likely to be of material significance to the functions of the supervisor. Laws or regulations provide that auditors who make any such reports in good faith cannot be held liable for breach of a duty of confidentiality.
Description and findings re EC9	Reporting duties for audit firms are set in different regulations: (1) Ongoing reporting obligation under FINMASA Art. 27: In the case of serious violations of supervisory provisions or serious irregularities, the audit company notifies FINMA immediately”. (2) FINMA Circular 03/13 Auditing (Margin No. 78) specifies that criminal acts must also be reported immediately. (3) Reporting duties for the regulatory long form report (FINMA Circular 03/13 Auditing, Margin No. 55ff.): the audit firm has to make a reservation in the case of a breach of regulatory law or internal policies with regulatory relevance. If the audit firm detects other significant deficiencies or evidence that regulatory law cannot be complied with in the future, it has to make a recommendation. (4) Reporting duties to the FAOA are outlined in the Federal Act on the Licensing and Oversight of Auditors and specifically FAOA Circular 1/2010 on reporting to the Audit Oversight Authority by Audit firms under state oversight These obligations overrule the duty of confidentiality.
Additional criteria
AC1	The supervisor has the power to access external auditors’ working papers, where necessary.
Description and findings re AC1	FINMA has access to working papers for both the regulatory audit and the financial audit.
Assessment of Principle 27	Compliant
Comments	FINMA needs to be sure that differences in Swiss GAAP with IFRS, such as valuation standards for traded instruments or permitting macro hedging, are not interacting with emerging regulatory rules in a way that provided unintended benefits to those banks using this accounting standard.
Principle 28	Disclosure and transparency. The supervisor determines that banks and banking groups regularly publish information on a consolidated and, where appropriate, solo basis that is easily accessible and fairly reflects their financial condition, performance, risk exposures, risk management strategies and corporate governance policies and processes.
Essential criteria
EC1	Laws, regulations or the supervisor require periodic public disclosures67 of information by banks on a consolidated and, where appropriate, solo basis that adequately reflect the bank’s true financial condition and performance, and adhere to standards promoting comparability, relevance, reliability and timeliness of the information disclosed.
Description and findings re EC1	Banks and banking groups must publicly disclose their annual financial statements (solo and consolidated), with the exception of private bankers who do not publicly solicit customer deposits (see Arts. 26 and 27 of Banking Ordinance). Annual financial statements comprise a balance sheet and an income statement, and also a comprehensive appendix giving quantitative and qualitative explanations about the risks and the financial situation (see Arts. 23-28 of the Banking Ordinance and FINMA Circular 108/02). Banks with a balance sheet of more than CHF 100 million are also required to disclose semi-annual balance sheets and income statements (Art. 23b of Banking Ordinance). Quarterly disclosure is made by the biggest banks. Additional quantitative and qualitative disclosure is required by Circular 08/22 dedicated to the 3rd pillar of Basel II. Depending on the size of the capital requirements, disclosure is required with a frequency that can be annual, semi-annual or quarterly. For smaller banks the Pillar 3 disclosure is simplified to cover essential details of available and required capital only. Auditors confirmed that disclosure obligations under Swiss GAAP (which is used by all but 10 banking groups), are less than for IFRS.
EC2	The supervisor determines that the required disclosures include both qualitative and quantitative information on a bank’s financial performance, financial position, risk management strategies and practices, risk exposures, aggregate exposures to related parties, transactions with related parties, accounting policies, and basic business, management, governance and remuneration. The scope and content of information provided and the level of disaggregation and detail is commensurate with the risk profile and systemic importance of the bank.
Description and findings re EC2	Requirements concerning these matters are in various circulars. Bank disclosures including qualitative and quantitative, are reviewed by auditors, which in turn are overseen by FINMA.
EC3	Laws, regulations or the supervisor require banks to disclose all material entities in the group structure.
Description and findings re EC3	FINMA Circular 08/22 (Capital adequacy disclosure - banks) requires: (a) the description of the regulatory scope of consolidation, with indication of the differences with the accounting scope of consolidation; (b) the names of the material group companies, indicating the eventual non-inclusion in one of the two consolidation scopes, and the consolidation technique. Furthermore, the amount of the balance sheet and of the equity of the subsidiary must be disclosed. Its main activity must be described. The Banking Ordinance and Circular 08/02 (Accounting - banks) require indication in the appendix to the financial statements of a list of all material permanent participations (regardless of whether a consolidation has been made or not), indicating the name, activity, equity and the percentage of detention. All direct and indirect shareholders having more than 5 percent of the voting rights of the bank must also be disclosed in the notes to the financial statements.
EC4	The supervisor or another government agency effectively reviews and enforces compliance with disclosure standards.
Description and findings re EC4	FINMA examines the financial reports disclosed by the banks, in order to assess proper use and compliance with its disclosure standards. For IFRS or US GAAP users, FINMA also makes critical reviews of the quality of these financial statements. After the conclusion of agreement between FINMA and the Swiss Stock Exchange (SIX), it was decided that SIX is responsible for controlling the correct application of accounting rules by the listed companies (banks included) applying IFRS or US GAAP (FINMA is fully responsible for the listed users of its accounting standards).
EC5	The supervisor or other relevant bodies regularly publishes information on the banking system in aggregate to facilitate public understanding of the banking system and the exercise of market discipline. Such information includes aggregate data on balance sheet indicators and statistical parameters that reflect the principal aspects of banks’ operations (balance sheet structure, capital ratios, income earning capacity, and risk profiles).
Description and findings re EC5	Considerable aggregated information is published by the Swiss National bank.
Additional criteria
AC1	The disclosure requirements imposed promote disclosure of information that will help in understanding a bank’s risk exposures during a financial reporting period, for example on average exposures or turnover during the reporting period.
Description and findings re AC1	FINMA is of the opinion that the information that must be publicly disclosed (see EC1) is sufficient to fulfill the goal described in AC1, i.e., understanding a bank’s risk exposures during a financial reporting period, though the disclosure of average measures is not mandatory.
Assessment of Principle 28	Compliant
Comments
Principle 29	Abuse of financial services. The supervisor determines that banks have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the financial sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities.68
Essential criteria
EC1	Laws or regulations establish the duties, responsibilities and powers of the supervisor related to the supervision of banks’ internal controls and enforcement of the relevant laws and regulations regarding criminal activities.
Description and findings re EC1	The basic principles of FINMA’s duties, responsibilities and powers related to the supervision of financial institutions are defined in FINMASA. Art. 24 provides that FINMA carries audits of supervised persons and entities, either by itself or through auditing firms appointed by the firms or third parties appointed by FINMA. Specifically, duties, responsibilities and powers with regard to the supervision of financial intermediaries’ obligations towards the prevention of money laundering and financing of terrorism are set out in the Anti-Money Laundering Act (AMLA), which was substantially strengthened and broadened recently. AMLA Art. 12 provides the responsibility of FINMA for supervising banks’ compliance with their AML/CFT duties (including with respect to customer due diligence, internal controls and reporting of suspicious transactions). Also, Art. 17 provides that FINMA shall specify the duties of diligence of banks and stipulate how these duties must be fulfilled. Supervisory instruments are also defined in FINMASA, including restoration of compliance with the law if a supervised person or entity violates provisions of any financial market acts, including the Anti-Money Laundering Act (AMLA) (FINMASA Art. 1 and 31), prohibition from acting in a management capacity at any person or entity subject to its supervision (Art. 33), ordering the confiscation of profits (Art. 35), appointment of investigating agents (Art. 36) or revocation of licenses, withdrawal of recognition, and cancellation of registration (Art. 37). Further relevant rules are set out in BA Art. 3, 4, and BO Art. 9. Furthermore, FINMA Circular 8/24 “Supervision and internal control” specifies the aforementioned rules in a detailed manner and sets guidelines for corporate governance, the supervision of business activities and internal control, and the supervision thereof by the responsible function at banks. In practice, adherence to laws, regulations and circulars are mostly assessed through regulatory audits by external auditors. Standard operating procedures require regulatory audits to review the issue annually and audit at least once in every three years. (Also see CP8)
EC2	The supervisor determines that banks have adequate policies and processes that promote high ethical and professional standards and prevent the bank from being used, intentionally or unintentionally, for criminal activities. This includes the prevention and detection of criminal activity, and reporting of such suspected activities to the appropriate authorities.
Description and findings re EC2	BA Art. 3 provides that the persons belonging to senior management, supervision and control must enjoy a good reputation and guarantee compliance with their duties. Banks, groups of banks and financial conglomerates must know their risks and be able to supervise and limit them. Consequently, banks are obliged to establish internal rules and guidelines for risk management for all risks and especially legal risks. (BO Art. 3). AMLA Art. 9 then sets the obligation for a bank to file a report if it knows or has reasonable grounds to suspect that assets involved in its business with customers are connected to a criminal offence, are the proceeds of a felony, are subject to the power of disposal of a criminal organization, or serve the financing of terrorism. FINMASA also explicitly provides that the prevention of money laundering and terrorist financing requires personnel who are of integrity and appropriately trained (Art.25). It therefore imposes an obligation on banks to ensure the prudent selection of the personnel as well as the regular training of all concerned staff on aspects relevant to the prevention of money laundering and terrorist financing. FINMA Ordinance on Prevention of Money Laundering and Financing of Terrorism (MLO- FINMA) sets out general requirements for banks regarding their policies and processes, including detection of high-risk transactions, due diligence obligations, and reporting requirements. The Agreement on Swiss banks’ Code of Conduct with regard to the Exercise of Due Diligence established by SBA in 2008 (CDB 08) also provides self-regulation regarding detailed rules for banks including the prevention and detection of criminal activity (formally recognized as minimum standards by FINMA). This lays down binding rules of good conduct in banking as a code of professional ethics. They are designed to give specific effect to certain points of due diligence governed by the Anti-Money Laundering Act (AMLA Arts. 3-5) and the concept of “the diligence that can be reasonably expected under the circumstances” in accepting assets as provided in the Swiss Criminal Code (SCC) Art. 305ter. Assessors discussed with FINMA the fact that the number of STRs from banks is only some 1000 a year. FINMA explained that it is comfortable with the figure as banks have low thresholds for alerts but then analyze the information before deciding whether to file STRs.
EC3	In addition to reporting to the financial intelligence unit or other designated authorities, banks report to the banking supervisor suspicious activities and incidents of fraud when such activities/incidents are material to the safety, soundness or reputation of the bank.69
Description and findings re EC3	Under FINMASA Art. 29 para 2, supervised persons and entities must immediately report to FINMA any incident that is of substantial importance to supervision. This requirement is understood to include any incidents related to fraud and other criminal activities that are material to the safety, soundness or reputation of the bank. Further, MLO-FINMA Art. 31 stipulates that banks must inform FINMA of reports filed with the Money Laundering Reporting Office (MROS) which concern business relations with significant assets or where it can be assumed that, based on the circumstances, the events giving rise to such a report could affect the reputation of the financial intermediary and that of the Swiss financial center.
EC4	If the supervisor becomes aware of any additional suspicious transactions, it informs the financial intelligence unit and, if applicable, other designated authority of such transactions. In addition, the supervisor, directly or indirectly, shares information related to suspected or actual criminal activities with relevant authorities.
Description and findings re EC4	AMLA Art. 16 obliges FINMA to inform MROS if there are reasonable grounds to suspect that a criminal offence has been committed or the assets are subject of a felony or to the power of disposal of a criminal organization or serve the financing of terrorism. This duty applies if the financial intermediary or the self-regulatory organization has not already submitted an STR. AMLA Art. 29 also stipulates that the supervisor and MROS may provide each other any information or documents required for the enforcement of this Act. Also prosecution authorities may provide the supervisor with any information and documents that it requires to fulfill its duties. From the FINMA side, FINMASA Art. 38 and 39 provides the legal basis for mutual and administrative assistance between the supervisor and the prosecution authorities of the Confederation and the cantons or other domestic authorities. They coordinate their investigations as far as it is practical and required. Where the supervisor obtains knowledge of felonies and misdemeanors or of offences against this Act or the financial market acts, it shall notify the competent prosecution authorities. In practice, FINMA communicates with and shares information with other competent authorities as needed.
EC5	The supervisor determines that banks establish CDD policies and processes that are well documented and communicated to all relevant staff. The supervisor also determines that such policies and processes are integrated into the bank’s overall risk management and there are appropriate steps to identify, assess, monitor, manage and mitigate risks of money laundering and the financing of terrorism with respect to customers, countries and regions, as well as to products, services, transactions and delivery channels on an ongoing basis. The CDD management program, on a group-wide basis, has as its essential elements: (a) a customer acceptance policy that identifies business relationships that the bank will not accept based on identified risks; (b) a customer identification, verification and due diligence program on an ongoing basis; this encompasses verification of beneficial ownership, understanding the purpose and nature of the business relationship, and risk-based reviews to ensure that records are updated and relevant; (c) policies and processes to monitor and recognize unusual or potentially suspicious transactions; (d) enhanced due diligence on high-risk accounts (e.g., escalation to the bank’s senior management level of decisions on entering into business relationships with these accounts or maintaining such relationships when an existing relationship becomes high-risk); (e) enhanced due diligence on politically exposed persons (including, among other things, escalation to the bank’s senior management level of decisions on entering into business relationships with these persons); and (f) clear rules on what records must be kept on CDD and individual transactions and their retention period. Such records have at least a five year retention period.
Description and findings re EC5	The banks’ CDD duties are set out in extensive details in laws and regulations. Chapter 2 of the AMLA provides the general requirements related to customer due diligence and reporting of suspicious transactions. FINMA specified these duties and stipulated how they must be fulfilled in MLO-FINMA. Under the supervision of FINMA, a self-regulatory organization can regulate the CDD duties and their fulfillment (AMLA Art. 17). Accordingly, CDB 08, which is recognized by FINMA as a minimum standard applicable to all banks regarding the identification of contracting parties and the determination of beneficial owners, complements provisions in MLO-FINMA (Art. 32). Under Art. 6 MLO-FINMA, banks that have foreign branches or which control a financial group with non-Swiss group companies are required to identify, mitigate and monitor the legal and reputational risks associated with money laundering or the financing of terrorism at the global level. Therefore, banks forming part of a financial group, either from Switzerland or abroad, shall allow the group’s internal control bodies and audit company of the group to access any information which may be required concerning specific business relations, provided that such information is essential for the management of legal and reputational risks at the global level. Furthermore, banks shall ensure that their branches or group companies abroad operating in the financial sector comply with the core principles of AMLA and MLO-FINMA (MLO-FINMA Art. 5). In general, under Art. 24 MLO-FINMA, banks must issue internal directives for CDD, which, among others, should include: the criteria to be applied in identifying business relationships with increased risks and in detecting transactions with increased risks; the basic principles for the monitoring of transactions; the cases in which the internal compliance office must be involved and the senior executive body notified; the company policy on politically exposed persons (PEPs); and the method in which the bank records, limits and monitors increased risks as well as the threshold amounts pursuant to business relationships and transactions with increased risks must be set out. Some specific requirements regarding the content of the CDD policy is also given in laws and regulations: Banks need to undertake to verify the identity of the contracting partner when establishing business relationships. (AMLA Art. 4) Banks are required to identify the nature and purpose of the business relationship with customers. (AMLA Art.6) Banks must clarify the economic background and the purpose of a transaction or a business relationship if it appears unusual or if there are indications that assets are the proceeds of a felony, are subject to the power of disposal of a criminal organization, or serve the financing of terrorism (AMLA Art. 6). The extent of the information that must be obtained is determined by the risk represented by the customer; business relationships and transactions that involve increased risks must be subject to enhanced due diligence (MLO-FINMA Art. 12 and 13). Banks are not allowed to accept assets that they know, or are expected to know, are proceeds of criminal activities, even if committed outside Switzerland. (The negligent acceptance of assets derived from criminal activity may call into question the required guarantee for proper business conduct.) Banks are not permitted to maintain business relations with fictive banks or with any individuals or undertakings of which they know or must assume constitute a terrorist or criminal organization, or which are affiliated to, support, or finance such an organization (MLO-FINMA Arts. 7 and 8). If the contracting partner is not the same as the beneficial owner, or if this is in doubt, banks must require the contracting partner to provide a written declaration of the identity of the beneficial owner (CDB 08 Art. 6). If serious doubts persist concerning the accuracy of the contracting partner’s declaration and these cannot be dispelled by further clarification, the bank must refuse to establish the business relationship or to execute the transaction (CDB 08 Art. 29). Banks are required to terminate their relationship with the contracting partner if they establish that the bank has been deceived when identifying the beneficial owner, that false information regarding beneficial ownership has deliberately been provided to them, or if doubts about the information provided by the contracting partner persist (CDB 08 Art. 6). Banks must provide for an effective monitoring of the business relationships and transactions, and ensure that increased risks are identified (MLO-FINMA Art. 19 para 1). Banks must have an information system to monitor transactions and detect high-risk transactions (MLO-FINMA Art. 12). Art. 23 sets out a requirement for banks to have an information system to provide information to relevant authorities. Banks have to carry out additional investigations for business relationships or transactions with increased risks (MLO-FINMA Art. 14). This may also lead to the termination of the business relationship or to a report to the FIU. Banks must repeatedly conduct these procedures if during the business relationship doubts arise regarding he identity of the contracting partner and the beneficial owner (CDB 08 Art. 6). Regarding enhanced due diligence, MLO-FINMA requires banks to formulate criteria to identify business relationships and detect transactions which involve increased risks (Arts. 12 and 13). Business relationships with PEPs and with foreign banks for which a Swiss financial intermediary carries out correspondent bank transactions as well as transactions in which assets exceeding more than CHF 100,000 are physically deposited in a single or series of deposits at the onset of the business relationship are, in all cases, deemed to be business relationships or transactions with increased risks. Banks must identify and label any business relationships involving higher risk. Further, MLO-FINMA requires banks to include in their internal directives policies and processes to be applied for business relationships with increased risks: the criteria to be applied in detecting transactions with increased risks, the basic principles for the monitoring of transactions; the cases in which the internal compliance office must be involved and the senior executive body notified; the company policy on politically exposed persons (PEPs); the method in which the bank records, limits and monitors the increased risks; and the threshold amounts pursuant to business relationships and transactions with increased risks. The directives must be adopted by BoD or the upper management. Banks have to carry out additional investigations for business relationships or transactions with increased risks (MLO-FINMA Art. 14). The acceptance of business relationships involving increased risk requires the approval of a senior person or body or the management (MLO-FINMA Art. 17). The senior executive body, or at least one of its members, must decide on the planning of regular reviews of all relationships involving higher risk, and monitor and evaluate such relationships (MLO-FINMA Art. 18). Business relationships with PEPs are, in all cases, deemed to be business relationships with increased risks (MLO-FINMA Art. 12 para 3). Thus, the senior executive body, or at least one of its members, must decide on the acceptance of business relationships with PEPs, and, on an annual basis, the continuation of such relationships. Banks must keep records of transactions carried out and of CDD clarifications required in such a manner that other specially qualified persons are able to make a reliable assessment of the transactions and business relationships and of compliance with the AMLA provisions (Art. 7). In particular, banks must establish, organize and retain their documentation such that FINMA, audit companies, or FINMA appointed investigating agents can form, within a reasonable period, a reliable opinion on the compliance with the duties regarding the prevention of money laundering and the financing of terrorism (MLO-FINMA Art. 20). Furthermore, the documentation must be established, organized and retained such that banks are able, within a reasonable period, to comply with any request for information and sequestration from the prosecuting authority or another licensed authority (AMLA Art. 7 para 2, MLO-FINMA Art. 20 para 2). Banks are also obliged to organize their documentation at least such that they are capable of providing information within a reasonable period of time on the identity of the initiator of an outgoing payment order and whether a company or a person: is the contracting party or beneficial owner; has placed a cash transaction that requires the identification of the related person; and possesses an ongoing power-of- attorney over an account or safekeeping account provided that the company or person is not already listed in a public registry (MLO-FINMA Art. 36). Under AMLA Art. 7 para 3, banks are required retain records for a minimum of ten years after the termination of the business relationship or after completion of the transaction. As described in EC1, banks’ compliance to these requirements is primarily assessed by external auditors through annual regulatory audits. Discussions with FINMA staff and auditors as well as review of reports show efforts are made in assessing these issues during regulatory audits. FINMA may also conduct its own assessment. For example, it conducted inspection of 20 banks in 2011 regarding compliance with supervisory rules concerning business relationships with PEPs from several foreign countries, which resulted in some enforcement proceedings.
EC6	The supervisor determines that banks have in addition to normal due diligence, specific policies and processes regarding correspondent banking. Such policies and processes include: (a) gathering sufficient information about their respondent banks to understand fully the nature of their business and customer base, and how they are supervised; and (b) not establishing or continuing correspondent relationships with those that do not have adequate controls against criminal activities or that are not effectively supervised by the relevant authorities, or with those banks that are considered to be shell banks.
Description and findings re EC6	As described above, MLO-FINMA Art. 12 requires business relations with foreign correspondent banks must be classified as business relationships with increased risks. In the case of increased risks, additional investigations have to be performed. In addition to these investigations, MLO-FINMA Art. 34 provides that: the bank is obliged to execute further clarifications in case of correspondent bank relationships with foreign banks; the bank shall adequately ensure that it is not conducting business relations with fictive banks; the bank must ascertain, as needed, whether adequate controls for the prevention of money laundering and the financing of terrorism are carried out by the corresponding bank; and the bank shall define procedures for cases where it receives repeated payment orders that clearly contain incomplete information.
EC7	The supervisor determines that banks have sufficient controls and systems to prevent, identify and report potential abuses of financial services, including money laundering and the financing of terrorism.
Description and findings re EC7	Compliance with due diligence obligations is subject to review as part of FINMA’s supervisory approach as described in relevant CPs. The annual regulatory audit, conducted at all banks, covers broad compliance issues, including issues related to abuses of financial services. The standard audit strategies for regulatory audits normally emphasize as an audit item issues related with money laundering and criminal activities. If necessary, remedial work is followed up by the audit company as well as by FINMA. FINMA may also conduct its own inspection of banks (See EC5). Through discussions with FINMA and external auditors, assessors confirmed that a significant portion of supervisory time both by external auditors and FINMA’s supervisory staff is devoted to AML/CTF matters.
EC8	The supervisor has adequate powers to take action against a bank that does not comply with its obligations related to relevant laws and regulations regarding criminal activities.
Description and findings re EC8	For general enforcement powers and processes, see CP 11. In addition, MLO-FINMA Art. 9 specifies that a violation of the ordinance may call into question the assurance of proper business conduct of financial intermediaries and that it may also trigger enforcement measures (suspension of persons from acting in banks’ management positions, disgorgement of profits, etc.). Accordingly, if a bank is not complying with its AML/CFT obligations, FINMA will address this issue and eventually escalate it to administrative enforcement proceedings. For example, as explained above, FINMA instituted enforcement proceedings against six banks as a result of its inspections on their compliance regarding business relationship with PEPs which took place late-2011.
EC9	The supervisor determines that banks have: (a) requirements for internal audit and/or external experts70 to independently evaluate the relevant risk management policies, processes and controls. The supervisor has access to their reports; (b) established policies and processes to designate compliance officers at the banks’ management level, and appoint a relevant dedicated officer to whom potential abuses of the banks’ financial services (including suspicious transactions) are reported; (c) adequate screening policies and processes to ensure high ethical and professional standards when hiring staff; or when entering into an agency or outsourcing relationship; and (d) ongoing training programs for their staff, including on CDD and methods to monitor and detect criminal and suspicious activities.
Description and findings re EC9	For general provisions on internal control, audit, compliance and governance, as well as respective organizational and training requirement, see EC1 above. With regard to AML/CTF regulation, the following applies: (a) Under MLO-FINMA Art. 6, financial intermediaries must ensure that a financial group’s internal control bodies and its audit company are able to access information concerning specific business relations in all group companies if needed. (b) Under MLO-FINMA Art. 22, each bank must designate one or more qualified persons to form a competence center to combat money laundering and assume the responsibilities. Further provisions on the integrity and training required by staff members are set out in MLO-FINMA Art. 25. Circular 08/24 also provides requirements for banks on the compliance function, including the need to designate one member of management to be responsible for the compliance function (Margin No. 102). (c) Under MLO-FINMA Art. 25, banks are required to ensure that their staff has integrity and receives appropriate training in order to be able to contribute to the prevention of money laundering and the financing of terrorism. Banks are also required to ensure prudent selection of their employees. Applicable requirements to be observed when outsourcing business activities to a third party are defined in Circular 08/07 Outsourcing (Margin No. 21).
EC10	The supervisor determines that banks have and follow clear policies and processes for staff to report any problems related to the abuse of the banks’ financial services to either local management or the relevant dedicated officer or to both. The supervisor also determines that banks have and utilize adequate management information systems to provide the banks’ Boards, management and the dedicated officers with timely and appropriate information on such activities.
Description and findings re EC10	FINMA Circular 8/24 margin No. 28 requires management of a bank to maintain an organizational structure in which responsibilities, authorities, accountabilities, discretionary decision-making powers and information flows are explicitly defined and documented. With regard to the escalation of AML/CTF related problems, MLO-FINMA Art. 22 and following outline the roles and responsibilities of the compliance department and Art. 24 defines the requirements for internal policies, including escalation to senior management.
EC11	Laws provide that a member of a bank’s staff who reports suspicious activity in good faith either internally or directly to the relevant authority cannot be held liable.
Description and findings re EC11	The AMLA and relevant legal framework provides legal basis for banks to reports suspicious activities to relevant authority. Art. 11 ensures that anyone who reports suspicious transactions in good faith is not held liable for breach of official professional or trade secrecy or breach of contract.
EC12	The supervisor, directly or indirectly, cooperates with the relevant domestic and foreign financial sector supervisory authorities or shares with them information related to suspected or actual criminal activities where this information is for supervisory purposes.
Description and For findings re EC12	For general exchange of information with foreign supervisors, see CP 3. Specifically related to AML/CT issues, under AMLA Art. 29, FINMA, MROS and law enforcement agencies may exchange among them all the information they need and do so. Further, FINMA and the SROs may exchange all information they require in order to fulfill their duty. Regarding relations with foreign authorities, FINMASA Art. 42 enables the FINMA to exchange information with equivalent foreign authorities if certain conditions are met, e.g., to enforce financial market acts such as the AMLA, the information is exclusively used for direct supervision of foreign institutions.
EC13	Unless done by another authority, the supervisor has in-house resources with specialist expertise for addressing criminal activities. In this case, the supervisor regularly provides information on risks of money laundering and the financing of terrorism to the banks.
Description and findings re EC13	FINMA maintains a money laundering and financial crime unit which participates in national risk and threat assessments, supervises financial institutions as well as self-regulatory organizations including SBA, observes international developments, participates in law-making projects at the federal level and specifies the AML/CFT regulation within their area of responsibility as delegated by the law. As part of these tasks, FINMA regularly updates financial institutions on generic financial crime risks as well as regulatory developments at the national and international level, also with regard to sanctions and embargoes. However, information on particular criminal cases is provided to banks by law enforcement agencies and not by FINMA.
Assessment of Principle 29	Compliant
Comments

View Table

Principle 14	Corporate governance. The supervisor determines that banks and banking groups have robust corporate governance policies and processes covering, for example, strategic direction, group and organizational structure, control environment, responsibilities of the banks’ Boards and senior management,31 and compensation. These policies and processes are commensurate with the risk profile and systemic importance of the bank.
Essential criteria
EC1	Laws, regulations or the supervisor establish the responsibilities of a bank’s Board and senior management with respect to corporate governance to ensure there is effective control over the bank’s entire business. The supervisor provides guidance to banks and banking groups on expectations for sound corporate governance.
Description and findings re EC1	Through regulation, guidance, and supervisory practice, FINMA sets expectations for the board and senior management in respect of exercising the effective control of the institution’s business and operations. For example, FINMA Circular 08/24, Supervision and internal controls – banks set outs specific expectations, including oversight by the board of directors and its committees. A key building block in FINMA’s overall governance approach is the requirement under the banking law for sound and proper conduct of business (“Gewähr”), the responsibility for which lies with the board of directors and management. In addition to other legal sources applicable to all Swiss companies (e.g., requirements in the Swiss Code of Obligations (CO) regarding the duties of the board of directors and that of external auditors to check the existence of an internal control system in each company), the citations listed below are to key laws and ordinances specific for banks containing governance-related provisions. Further, the Swiss Stock Exchange’s additional governance obligations apply to banks which are listed publicly. Art. 3 Banking Act (BA) Art. 8 and 9 Banking Ordinance (BO) Relevant circulars include: FINMA Circular 08/24, Supervision and internal controls – banks FINMA Circular 08/21, Operational risks – banks FINMA Circular 08/20, Market risks – banks FINMA Circular 08/19, Credit risks – banks To further deepen the board’s understanding of FINMA’s expectations, FINMA published frequently asked questions (FAQs) in October 2012. These contain summaries of requirements in laws, ordinances and circulars, and additional more detailed guidance. The law requires a minimum board size of three persons and specifies that management members may not be board members. FINMA circulars 08/24 establish independence criteria and specify that at least one-third of board members must be independent. Members appointed by Cantons to cantonal bank boards are independent if they are not part of the cantonal administration or government and do not receive instructions from the canton. FINMA circulars require board members to have ‘technical’ expertise, experience and continual availability. The frequently asked questions goes farther to require specialist expertise, experience in banking and finance, and to note that the board as a whole should have adequate representation of skills in finance and accounting, risk management, and compliance, as well as in the areas of business operations. Examination of the board qualifications for a number of mid-size banks (and discussion with FINMA and with smaller banks) suggest that often these specific skills are not easily identifiable, or are being met by persons with legal or audit experience in the financial sector. The circulars require the board to bear responsibility for establishment, maintenance, oversight of an appropriate internal control framework tailored to the size complexity, structure and risk profile of the institution. There are also requirements for regular discussion of risks with management. In some smaller and mid-size institutions this occurs formally only once or twice a year. Many of the requirements in circulars are also at a high level. For example the FAQs indicate that the board must define a risk appetite, and this is referred to in several circulars, but there is little or no guidance as to what it should contain. Guidance overall covers responsibilities and desired characteristics of boards but does not contain expectations on effective behaviors for boards, as is increasingly the case in leading jurisdictions. FINMA decided not to proceed with comprehensive guidance on corporate governance.
EC2	The supervisor regularly assesses a bank’s corporate governance policies and practices, and their implementation, and determines that the bank has robust corporate governance policies and processes commensurate with its risk profile and systemic importance. The supervisor requires banks and banking groups to correct deficiencies in a timely manner.
Description and findings re EC2	FINMA’s supervision in the corporate governance area takes several forms. It includes: (1) Reviews made by FINMA during the licensing process which focuses on the fit and proper requirements and considers board members on appointment (2) FINMA’s specific reviews of particular areas may consider governance aspects. Assessors were told that the governance aspect most frequently considered is the information going to the board. FINMA staff indicated to assessors that none of those reviews recently are explicitly directed at governance, and FINMA has not conducted theme reviews of governance practices or board operations and effectiveness. FINMA has conducted several reviews of compensation and this has included the role of remuneration committees. (3) Annual assessments by external auditors which include governance-related areas carried out pursuant to FINMA’s approach to supervision. A review-level engagement annually is sufficient. Assessors discussed the work auditors do in this regard and the nature of the opinion they are required to provide to FINMA. It does not amount to a review of effectiveness. Also since auditors reviews are targeted to formal requirements, lack of adherence those contained in instruments like FAQs may not be identified in auditor’s work. The continuous supervisory process for the two major institutions includes regular highlevel meetings with the Chairman of Board of Directors (BoD) and other BoD members as well as periodic meetings with the BoD Risk Committee and other relevant risk committees. FINMA senior staff also meet annually with the boards of important mid-size institutions. This assists FINMA to gain insights into board effectiveness. For banks in categories 2-3 these meetings are not directed to determining effectiveness, according to what staff told assessors. FINMA does not have a dedicated corporate governance specialist group. Rather, it works with an expert group approach bringing together members from various departments. Identified gaps and deficiencies in the governance area are required to be remediated by the institution and are followed up by FINMA.
EC3	The supervisor determines that governance structures and processes for nominating and appointing Board members are appropriate for the bank and across the banking group. Board membership includes experienced non-executive members, where appropriate. Commensurate with the risk profile and systemic importance, Board structures include audit, risk oversight and remuneration committees with experienced non-executive members
Description and findings re EC3	FINMA expects a distinct separation between the board of directors and management. For banks, this does not permit members of the board of directors to be members of management of the same legal entity. This includes prohibiting the CEO to be chairman of the board or otherwise be a member of the board of directors. Banks are expected to select board members who meet FINMA’s expectations as noted in EC1 and in respect of experience and other suitability factors, as further set out under the comments to EC4 below. FINMA must be notified of potential board appointments and considers their appropriateness. Audit committees are required above a minimum size of bank and they must have a majority of independent members. Separate risk committees are not required. Major banks in category one or two have separate risk committees. For the approximately 30 banks in category 3 (which includes most cantonal banks), 22 had either no separate risk committee or risk and audit were combined. Below category 3 separate risk committees are rare. Assessors reviewed the published board backgrounds of a number of mid size banks, including several cantonal banks. They also discussed FINMAs approach to desired board skillset. Clearly-demonstrated experience in risk management or banking was not common, and appeared frequently to be met by persons with previous bank audit experience. Certain banks that assessors met indicated that they were looking for board members with more ability to go into risks and risk appetite. Observers suggested there appears to be significant variation across cantonal banks in influence of the local cantonal government. Considerable progress has been made over the past two years as FINMA continues to promote sound governance.
EC4	Board members are suitably qualified, effective and exercise their “duty of care” and “duty of loyalty”.32
Description and findings re EC 4	All members of the board of directors, individually and as a whole, must be fit and proper, and possess the necessary skills and know-how as well as sufficient experience to carry out their oversight duties. Duty of care The duty of care and loyalty of members of the board of directors is enshrined in the Swiss Code of Obligations (“Obligationsrecht”) applicable to all companies (Art. 717). It is further supported, inter alia, by the requirement set out in the Swiss Banking Act for the sound and proper conduct of business (“Gewähr”), the responsibility for which lies with the board of directors and management. FINMA considers fitness and propriety of board of directors and senior management members: when reviewing new applications for licenses; in case of changes of functions or individuals in such positions; following irregularities or evidence of non-fulfillment of duties. This is a consideration of experience and soundness of reputation. There is no specific fit and proper test for individual members. FINMA enforcement powers allow removal of board members. FINMA has intervened in specific cases where it believed individual appointments were not appropriate.
EC5	The supervisor determines that the bank’s Board approves and oversees implementation of the bank’s strategic direction, risk appetite33 and strategy, and related policies, establishes and communicates corporate culture and values (e.g., through a code of conduct), and establishes conflicts of interest policies and a strong control environment.
Description and findings re EC5	Strategic direction, risk appetite and risk policy Determining and overseeing the implementation of overall company strategy is the responsibility of the board of directors. FINMA also expects the board to approve a risk policy, define the risk appetite and key risk limits, and periodically review the adequacy of the company’s risk approach, including managing and mitigating risks. Guidance does not explicitly cover the board role in setting codes of ethics, or cultural matters and some of the expectations are only in frequently asked questions on FINMAs website. FINMA has interacted with banks where breakdowns have been identified as due in part to risk culture issues, and monitors cultural change programs. Assessors reviewed examples of actual practice and discussed this with FINMA and auditors. Below Category 2, formal risk appetite statements are not common. There may be more general statements of risk philosophy in some banks, and focus on a few key limits at board level, such ensuring that stress losses under pre-defined scenarios do not put capital below specified triggers or do not result in more than a quarter’s loss. As in other jurisdictions, explicitly linking risk and strategy can be challenging for smaller and mid-size banks. Conflicts of interest FINMA expects the board of directors to regulate how conflicts of interest are dealt with and sets out when members are obliged to withdraw from deliberations on certain matters. Existing and prior interests are to be disclosed, and conflicts of interest must be effectively resolved. Mandates and business relationships that may potentially lead to conflicts of interest or damage the institution’s reputation are to be avoided.
EC6	The supervisor determines that the bank’s Board, except where required otherwise by laws or regulations, has established fit and proper standards in selecting senior management, maintains plans for succession, and actively and critically oversees senior management’s execution of Board strategies, including monitoring senior management’s performance against standards established for them.
Description and findings re EC6	Suitability of senior managers FINMA expects members of the management board to meet similar fitness and propriety standards as those for the board of directors (see answer to EC 4 above). The board of directors provides oversight in this regard to ensure appropriate individuals occupy senior management positions. Under the Swiss Code of Obligations (Art. 716), the board of directors has the duty to select the members of senior management (e.g., usually of the management board, executive committee or similar). Supervision of management Part of the duty of oversight by the board of directors is to supervise management, including their execution of board-approved strategies and quality of performance. Succession planning Succession plans are expected both for the board of directors and senior management in category 1 and 2 banks. These are reviewed from time to time by FINMA in the course of its supervision. The annual meeting that FINMA has at board level with other institutions is an opportunity to discuss succession planning.
EC7	The supervisor determines that the bank’s Board actively oversees the design and operation of the bank’s and banking group’s compensation system, and that it has appropriate incentives, which are aligned with prudent risk taking. The compensation system, and related performance standards, are consistent with long-term objectives and financial soundness of the bank and is rectified if there are deficiencies.
Description and findings re EC7	Board of Directors oversight FINMA Circular 10/1 Minimum standards for remuneration schemes of financial institutions, (Remuneration schemes) issued in 2009, requires board of director’s oversight of the design and operation of an institution’s compensation system. In its supervision of the remuneration practices of significant financial institutions, a key FINMA focus is reviewing the extent and quality of direct board of directors’ oversight of the remuneration system as required in the FINMA Remuneration Circular. To this end, FINMA’s engagement with each significant financial institution includes the Chair of the Remuneration Committee of the board of directors. Where in its supervision FINMA identifies gaps or deficiencies at an institution, FINMA expects that those which are material will be remedied under the oversight of the board of directors of the institution. FINMA monitors the progress of such remediation. A number of the specific review done by FINMA in 2012 and so far in 2013 are directed at this issue. Alignment with risk, financial soundness and long-term orientation The Circular is consistent with the FSB Remuneration Principles and also specifies that a) the appropriateness of incentives, b) alignment with risk, c) long-term orientation, and d) alignment with capital, liquidity and other financial soundness considerations are taken into account. Other It merits mentioning that the above supervisory activities are carried out by joint work of the FINMA supervisory team for each institution and a dedicated senior-level FINMA-wide resource responsible for remuneration and corporate governance. This allows for more in-depth and consistent supervision and assessments. FINMA is an active participant in the FSB Compensation Monitoring Group.
EC8	The supervisor determines that the bank’s Board and senior management know and understand the bank’s and banking group’s operational structure and its risks, including those arising from the use of structures that impede transparency (e.g., special-purpose or related structures). The supervisor determines that risks are effectively managed and mitigated, where appropriate.
Description and findings re EC8	Structures and risks FINMA’s expectations of board of directors’ oversight include their understanding of the corporate and operational structure, as well as the institution’s specific risks. FINMA interacts extensively with boards of the two major institutions and that would permit them to judge these aspects. They are not formally included in FINMAs supervisory methodology. FINMA contacts with boards of other banks are less extensive and are less likely to permit such assessments.
EC9	The supervisor has the power to require changes in the composition of the bank’s Board if it believes that any individuals are not fulfilling their duties related to the satisfaction of these criteria.
Description and findings re EC9	FINMA’s powers include being able to require change where an individual does not meet the fitness and propriety expectations or has failed to live up to the expectations for sound management of the business (Gewähr). For more details, please refer to Principle 11.
Additional criteria
AC1	Laws, regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material and bona fide information that may negatively affect the fitness and propriety of a bank’s Board member or a member of the senior management.
Description and findings re AC1	Among other legal sources, a bank is required under Art. 29 para 2 FINMASA to inform FINMA without delay of any matter which may be of material significance for the bank. This would include any circumstances that materially adversely affect the suitability of persons on the board of directors or senior management.
Assessment of Principle 14	Largely Compliant
Comments	FINMA practice in the governance area is evolving. Formal guidance is fundamentally sound, but is incomplete vis-à-vis a number of important matters in this CP such as having risk and banking expertise on the board and the expectations of effective behaviors and key elements such as risk appetite statements. In practice the supervisory review process makes up for some of these deficiencies but it is unclear how much that occurs on a consistent basis for smaller and mid-size banks. It should be updated to add more specificity. FINMA has advised it plans to do this in the course of 2014. Rules, governance practices, and supervisory practice are well developed for the major banks but supervision should be more structured and regular in assessing governance effectiveness. Supervisory practice needs to be enhanced in assessing boards of mid-size and smaller institutions. Use of theme reviews conducted by FINMA, and more explicit requirements on auditors, would help in this regard. Certain basic corporate governance standards applying to mid-size institutions, such as the proportion of independent directors, requirements for separate risk committees, and banking and risk expertise need to be enhanced in formal guidance and reviewed systematically in supervisory practice. The practice in a number of major mid-size banks of the CRO not being a member of the executive committee should be reviewed. Consideration could be given to gradually raising the requirements for the proportion of independent directors.
Principle 15	Risk management process. The supervisor determines that banks34 have a comprehensive risk management process (including effective Board and senior management oversight) to identify, measure, evaluate, monitor, report and control or mitigate35 all material risks on a timely basis and to assess the adequacy of their capital and liquidity in relation to their risk profile and market and macroeconomic conditions. This extends to development and review of contingency arrangements (including robust and credible recovery plans where warranted) that take into account the specific circumstances of the bank. The risk management process is commensurate with the risk profile and systemic importance of the bank.36
Essential criteria
EC1	The supervisor determines that banks have appropriate risk management strategies that have been approved by the banks’ Boards and that the Boards set a suitable risk appetite to define the level of risk the banks are willing to assume or tolerate. The supervisor also determines that the Board ensures that: (a) a sound risk management culture is established throughout the bank; (b) policies and processes are developed for risk-taking, that are consistent with the risk management strategy and the established risk appetite; (c) uncertainties attached to risk measurement are recognized; (d) appropriate limits are established that are consistent with the bank’s risk appetite, risk profile and capital strength, and that are understood by, and regularly communicated to, relevant staff; and (e) senior management takes the steps necessary to monitor and control all material risks consistent with the approved strategies and risk appetite.
Description and findings re EC1	Requirements for sound risk management in Switzerland are a combination of high level, generally-worded principles in formal banking laws and ordinances (e.g., Art. 9 Banking ordinance) coupled with more detailed guidance in selective areas. Guidance is expressed in circulars (esp. FINMA circular 08/24) and in FINMA frequently asked questions, disseminated on FINMAs web site. In general, the degree of qualitative guidance on risk management is considerably less detailed and comprehensive than would be found in many other jurisdictions. Overall, FINMA expects that boards will formulate a suitable risk policy, define risk appetite and monitor adherence to it, oversee putting in place of an effective risk management system for controlling overall risks, and regularly review suitability of risk policy and risk appetite. Management is responsible for the design and operation of appropriate, effective, risk and internal control system. There is no single document that describes the desired characteristics of a comprehensive risk management system. In certain risk areas there are qualitative standards that are derived from Basel sound practice documents or generally match them, or there are official references to these documents. In other areas (e.g., credit risk) these are missing, though Basel sound practice papers have been used in previous thematic regulatory audit reviews (such as for credit risk in 2002, and FINMA staff believes that these are understood to continue to apply). Compliance with laws and circulars is performed by recognized audit firms as part of the regulatory audit. As noted in CP8/9 auditors are instructed to determine if risk management is “appropriate”. Review of illustrative reports and discussion with auditors suggests that there can be uncertainty and inconsistency about what this means in practice. Standards set by FINMA for auditors reporting contain sections on individual risk categories (credit, market, operational liquidity, etc.) but do not contain a section for assessment of overall risk management where issue like comprehensiveness, extent of integration of analysis across risk categories, cross risk data aggregation and so on would normally be included. Assessors reviewed audit approaches and reports and discussed this process with FINMA and with regulatory auditors. The extent and nature of work performed, and the basis for conclusions, is unclear in reports submitted to FINMA that assessors reviewed. FINMA has access to programs and working papers where this can be found. Assessors also discussed the state of board involvement in risk management. While the two large banks and some mid-size banks have well-developed risk appetite frameworks with links to strategies, others do not. In addition, in supervisory work, it can often be the case that risk management deficiencies can be identified that are not material now but are a signal of a deeper root cause that needs rectifying for risk management to be effective. As auditors are being asked to determine whether they can express an unreserved opinion, these type of matters or root cause analysis may not be adequately flagged in regulatory auditors’ reports so supervisory staff has a chance to assess them. The audit circular removes materiality assessments from the audit opinion process and requires reporting of all matters to FINMA (who has to decide on seriousness). But regulatory reports and related FINMA assessments under the new approach were not available to assessors to see it working in practice, since it only started in 2013.
EC2	The supervisor requires banks to have comprehensive risk management policies and processes to identify, measure, evaluate, monitor, report and control or mitigate all material risks. The supervisor determines that these processes are adequate: (a) to provide a comprehensive “bank-wide” view of risk across all material risk types; (b) for the risk profile and systemic importance of the bank; and (c) to assess risks arising from the macroeconomic environment affecting the markets in which the bank operates and to incorporate such assessments into the bank’s risk management process.
Description and findings re EC2	See general answer to EC1. These matters are covered explicitly at a high level in FINMA Circular 08/24 (see paragraph 10), the audit standards (FINMA Circular 13/3) and FINMA-mandated template include a mandatory assessment of the adequate management of credit risks, market risks, operational risks and other risks. Assessors discussed with FINMA and with banks the state of risk management, and reviewed several aspects in audit reports and with auditors. All concurred that major Swiss banks, like other major international banks, continue to face challenges in comprehensive timely aggregation of risk positions and related data, adequately linked to the entities G/L, for purposes of risk measurement. For some banks this challenge remains material and will for some time. FINMA has not itself conducted reviews in this area.
EC3	The supervisor determines that risk management strategies, policies, processes and limits are: (a) properly documented; (b) regularly reviewed and appropriately adjusted to reflect changing risk appetites, risk profiles and market and macroeconomic conditions; and (c) communicated within the bank. The supervisor determines that exceptions to established policies, processes and limits receive the prompt attention of, and authorization by, the appropriate level of management and the bank’s Board where necessary.
Description and findings re EC3	See general answer to EC1 and EC2.
EC4	The supervisor determines that the bank’s Board and senior management obtain sufficient information on, and understand the nature and level of risk being taken by the bank and how this risk relates to adequate levels of capital and liquidity. The supervisor also determines that the Board and senior management regularly review and understand the implications and limitations (including the risk measurement uncertainties) of the risk management information that they receive.
Description and findings re EC4	See general answer to EC1. FINMA Circular 08/24 margin Nos. 121–126 define supervisory standards that cover the requirements for risk and internal control having necessary information to monitor risks and supervisory expectations re risk reporting to the board and senior management. Margin Nos. 42 and 43 require that the executive board is responsible for capital planning and the board of directors has to approve a capital planning at least annually. Requirements for relating capital to risk are contained in the capital ordinance, and liquidity reporting requirements are contained in the liquidity ordinance. An assessment of compliance with these requirements is part of a regular audit. The executive board must be involved closely in the stress-testing process and stress-testing results have to be communicated to the board of directors at least annually (FINMA Circular 13/6, Art. 44). The board of directors is required to make a statement on liquidity risk appetite/tolerance (Art. 6, para 1 LO, FINMA Circular 13/6 Arts. 13 and 14). Regulatory auditors review board and senior management reporting and determine that it is appropriate.
EC5	The supervisor determines that banks have an appropriate internal process for assessing their overall capital and liquidity adequacy in relation to their risk appetite and risk profile. The supervisor reviews and evaluates banks’ internal capital and liquidity adequacy assessments and strategies.
Description and findings re EC5	FINMA pays considerable attention to the capital adequacy assessment process, which is understandable given the general importance of focusing on capital in the Swiss regulatory and supervisory system. For the capital adequacy assessment process the relevant pieces of guidance are FINMA Circular 11/2 and CAO. For small and medium-sized banks (categories 2–5), FINMA Circular 11/2 Margin Nos. 2, 10, 44, 45; for large banks (category 1), Articles 41–45 CAO while Articles 128–132 describe the requirements in terms of the internal capital adequacy assessment process as well the supervisor’s expectations. In-depth supervisory discussions occur particularly during the capital planning approval process. Due to their complexity, an additional review process has been established for the two large banks. On a quarterly frequency, FINMA organizes technical discussions on the methodologies underpinning the internal capital adequacy assessment process (both economic capital and stress-testing models) to review their soundness and appropriateness in relation to their risk appetite and profile. Liquidity adequacy assessment process: banks define their risk appetite, perform stress tests and define the size and the composition of the liquidity buffer according to their risk appetite and the results of stress tests. The results of stress tests have to be taken into account in their contingency funding plans. The external auditors assess all qualitative risk management requirements annually and report to FINMA. FINMA has an ongoing dialogue with the two big banks on their stress-testing practices. While the process described above will be in place for small and medium-sized banks from 2014 onwards, the process has already been in place for the two big banks since 2010. Assessors discussed risk appetite and approaches to assessing capital in relation to risk with banks of various sizes. For major banks the frameworks are extensive and the processes appear robust at a high level. Smaller and mid-size banks are less likely to have a fully developed risk appetite framework linked to strategy, but do often have specific measures and targets for key risks that they run stress scenarios against. Assessors discussed examples of FINMA supervisory practice in this area. FINMA has reviewed some 15 banks capital planning and related stress testing for the mortgage book. This included assessing how the generally-worded requirement that capital planning cover ‘adverse’ conditions was applied in practice. That review identified weaknesses that were fed back to the banks involved. FINMA has not extended this analysis more generally to other banks where relating capital to risk might also be problematic. Nor has FINMA adjusted its guidance to communicate findings and alert banks more broadly of its expectations.
EC6	Where banks use models to measure components of risk, the supervisor determines that: (a) banks comply with supervisory standards on their use; (b) the banks’ Boards and senior management understand the limitations and uncertainties relating to the output of the models and the risk inherent in their use; and (c) banks perform regular and independent validation and testing of the models. The supervisor assesses whether the model outputs appear reasonable as a reflection of the risks assumed.
Description and findings re EC6	See general answer to EC1. Elements (a) to (c) are covered by regular audit: The mandatory reporting template for FINMA Circular 13/3 requires an assessment by regulatory auditors whereby the methods used for risk measurement and management are adequate. Further, when models are also used for regulatory purposes, the relevant model approval standards for market, credit and operational risk models also apply (see FINMA Circulars 08/19, 08/20, 08/21). See answer to EC4 above. Margin No. 123 of FINMA Circular 08/24. If banks use models also for regulatory purposes, specific validation requirements also apply (see FINMA Circulars 08/19, 08/20 and 08/21).
EC7	The supervisor determines that banks have information systems that are adequate (both under normal circumstances and in periods of stress) for measuring, assessing and reporting on the size, composition and quality of exposures on a bank-wide basis across all risk types, products and counterparties. The supervisor also determines that these reports reflect the bank’s risk profile and capital and liquidity needs, and are provided on a timely basis to the bank’s Board and senior management in a form suitable for their use.
Description and findings re EC7	Explicit requirements or guidance do not exist concerning bank-wide capability of information systems to aggregate and report risk. Assessment of information systems with the above characteristics is a mandatory element of the regular audit. Discussions with auditors and banks, and with FINMA staff, and review of audit reports indicates that major Swiss banks have considerable ways to go to meet requirements for adequate ability to aggregate risk information on a timely basis.
EC8	The supervisor determines that banks have adequate policies and processes to ensure that the banks’ Boards and senior management understand the risks inherent in new products,37 material modifications to existing products, and major management initiatives (such as changes in systems, processes, business model and major acquisitions). The supervisor determines that the Boards and senior management are able to monitor and manage these risks on an ongoing basis. The supervisor also determines that the bank’s policies and processes require the undertaking of any major activities of this nature to be approved by their Board or a specific committee of the Board.
Description and findings re EC8	FINMA Circular 08/24 Margin Nos. 123 requires that the risk management system must be adjusted to new business lines and new products. There is no explicit requirement for a new product or new initiative approval process (though major banks have these). FINMA expects appropriate approval of major new initiatives by senior management and/or the board and is able to view this process directly as many of these also require explicit approval under the ongoing licensing process. (See CP5).
EC9	The supervisor determines that banks have risk management functions covering all material risks with sufficient resources, independence, authority and access to the banks’ Boards to perform their duties effectively. The supervisor determines that their duties are clearly segregated from risk-taking functions in the bank and that they report on risk exposures directly to the Board and senior management. The supervisor also determines that the risk management function is subject to regular review by the internal audit function.
Description and findings re EC9	See general answer to EC1 for requirements and supervisory expectations, which generally cover many of these matters. Adequacy of resources and authority is addressed in FINMA circular 08/24 (para 114) and adequacy of resources is a subject of the regulatory audit. Sufficient resources is a mandatory element to be assessed and reported on a regular basis. Discussion with auditors indicated difficulty for them to consistently determine how to assess adequacy of resources. However they can benefit from information in their networks.
EC10	The supervisor requires larger and more complex banks to have a dedicated risk management unit overseen by a Chief Risk Officer (CRO) or equivalent function. If the CRO of a bank is removed from his/her position for any reason, this should be done with the prior approval of the Board and generally should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor.
Description and findings re EC10	See general answer to EC1. All banks must have a risk control function. FINMA in practice expects banks in category 1 and 2 and a number of banks in category 3 to have a dedicated risk unit headed by a CRO. Banks can have risk as part of the finance function, or merged with compliance under one executive, which can reduce its stature. Assessors saw examples of major mid-size banks where the CRO is not a separate role on the executive board. In case of a removal, FINMA expects board approval, disclosure and discussion with FINMA.
EC11	The supervisor issues standards related to, in particular, credit risk, market risk, liquidity risk, interest rate risk in the banking book and operational risk.
Description and findings re EC11	Regarding these standards, there are the relevant Pillar 1 standards of the Basel Committee on Banking supervision implemented in CAO and LO and related FINMA Circulars on Credit Risk (08/19), Market Risk (08/20), Operational Risk (08/21) and Liquidity Risk (13/06). In certain cases these are the circulars that deal with capital calculation for these risks and may or may not apply generally. FINMA sometimes sets qualitative standards on sound risk management practices similar to Basel standards in these areas and sometimes has not. (see individual risk CPs) Interest rate risks in the banking book are covered by FINMA Circular 08/6.
EC12	The supervisor requires banks to have appropriate contingency arrangements, as an integral part of their risk management process, to address risks that may materialize and actions to be taken in stress conditions (including those that will pose a serious risk to their viability). If warranted by its risk profile and systemic importance, the contingency arrangements include robust and credible recovery plans that take into account the specific circumstances of the bank. The supervisor, working with resolution authorities as appropriate, assesses the adequacy of banks’ contingency arrangements in the light of their risk profile and systemic importance (including reviewing any recovery plans) and their likely feasibility during periods of stress. The supervisor seeks improvements if deficiencies are identified.
Description and findings re EC12	A mandatory assessment topic of regular audit is appropriate contingency arrangements. These are listed in FINMA Circular 08/10 Margin No. 7 in the form of recognized self-regulation of the Swiss Bankers’ Association. Art. 9 BA sets out that systemically important banks must be organized in such a way that, in the event of impending insolvency, the continuation of the banks’ systemically important functions is assured with regard to structure, infrastructure, management and control, intra-group liquidity and capital flows. Art. 21 BO requires the preparation (and regular updates) of an emergency plan which is assessed by FINMA. If the emergency plan does not meet requirements, FINMA will set the bank an appropriate deadline to rectify the shortcomings identified.
EC13	The supervisor requires banks to have forward-looking stress testing programs, commensurate with their risk profile and systemic importance, as an integral part of their risk management process. The supervisor regularly assesses a bank’s stress testing program and determines that it captures material sources of risk and adopts plausible adverse scenarios. The supervisor also determines that the bank integrates the results into its decision-making, risk management processes (including contingency arrangements) and the assessment of its capital and liquidity levels. Where appropriate, the scope of the supervisor’s assessment includes the extent to which the stress testing program: (a) promotes risk identification and control, on a bank-wide basis; (b) adopts suitably severe assumptions and seeks to address feedback effects and system-wide interaction between risks; (c) benefits from the active involvement of the Board and senior management; and (d) is appropriately documented and regularly maintained and updated. The supervisor requires corrective action if material deficiencies are identified in a bank’s stress testing program or if the results of stress tests are not adequately taken into consideration in the bank’s decision-making process
Description and findings re EC13	For the purpose of stress-testing capital levels: FINMA Circular 11/2, Margin Nos. 34–45. FINMA Circular 08/24 Margin Nos. 1–2, 9–12, 80–81, 85, 113–120, 121–125, 126. FINMA Boards of Directors of Banks and Securities Dealers, FAQs 8/12, Q5. Capital Adequacy Ordinance (CAO), Art. 45. On liquidity stress-testing: forward-looking stress-testing programs: LO Art. 9; FINMA Circular 13/6 Articles 41 – 47; the external auditors assess the bank’s stress-testing program, determining whether it captures material sources of risk and adopts plausible adverse scenarios (for the two large banks since 2010, for all other banks from 2014 onwards, extensive stress-testing dialogue between FINMA and the two large banks in addition to the annual assessment of the external auditors); integration of stress-testing results in determining the size and composition of the liquidity buffer (FINMA Circular 13/6 Art. 36c), contingency planning, FINMA Circular 13/6 Art. 48) and decision-making risk management processes (FINMA Circular 13/6 Arts. 43, 44); active involvement of the executive board and the board of directors (Arts. 1, 2 LO, Art. 44, in conjunction with FINMA Circular 13/6 Arts. 13 and 14); stress-testing documentation, maintenance, update (FINMA Circular 13/6 Art. 41 c); and severity of assumptions (FINMA Circular 13/6 Art. 45). In terms of corrective actions, FINMA has taken several types of supervisory measures, when deficiencies have been identified. Some examples of such measures include: (i) a capital measure consisting of a capital multiplier applied to a large bank for operational risk; (ii) a supervisory measure consisting of more frequent reporting requirements due to increased liquidity risk; (iii) a supervisory measure consisting of initiating supervisory reviews on specific risk areas (such as basis risk); and (iv) a measure consisting of assigning the bank to the intensive supervision group.
EC14	The supervisor assesses whether banks appropriately account for risks (including liquidity impacts) in their internal pricing, performance measurement and new product approval process for all significant business activities.
Description and findings re EC14	This may form part of the regulatory audit.
Additional criteria
AC1	The supervisor requires banks to have appropriate policies and processes for assessing other material risks not directly addressed in the subsequent Principles, such as reputational and strategic risks.
Description and findings re AC1	Art. 9 BO covers reputational and legal risks. Furthermore, external auditors need to cover all material risks in their prudential activity, thus including such risks, while FINMA Circular 08/24 margin 98 specifically mentions reputational risk in the context of compliance risk. Finally, under Art. 45 CAO banks need to have an additional capital buffer to cover all risks not well covered by minimum capital requirements.
Assessment of Principle 15	Largely Compliant
Comments	FINMA generally has high expectations of banks’ risk management. However the comprehensiveness of qualitative guidance in certain risk management areas should be improved and updated, or explicit reference should be made to Basel texts, and guidance should be put in place re enterprise-wide risk measurement and risk management, either in guidance to institutions or in more detailed instructions to auditors. This would enhance institutions understanding of FINMA expectations, and would also enhance the extent to which regulatory audits are addressing the right things. The issues of adequacy of assessments by auditors and FINMA of bank risk management is considered and assessed in CP8 and CP9. More domestically-important mid-size banks should elevate the position of CRO to be a full executive board member, and more mid-size domestically systemic banks should be required to have a separate board risk committee. FINMA should review thematically risk appetite frameworks across mid-size banks. FINMA should do more thematic reviews to test the adequacy of important mid-size institutions’ process to relate capital to risk and whether they consider scenarios that are adverse enough. FINMA should also find a way to communicate lessons learned from the mortgage risk capital planning review more broadly to improve banks practice.
Principle 16	Capital adequacy.38 The supervisor sets prudent and appropriate capital adequacy requirements for banks that reflect the risks undertaken by, and presented by, a bank in the context of the markets and macroeconomic conditions in which it operates. The supervisor defines the components of capital, bearing in mind their ability to absorb losses. At least for internationally active banks, capital requirements are not less than the applicable Basel standards.
Essential criteria
EC 1	Laws, regulations or the supervisor require banks to calculate and consistently observe prescribed capital requirements, including thresholds by reference to which a bank might be subject to supervisory action. Laws, regulations or the supervisor define the qualifying components of capital, ensuring that emphasis is given to those elements of capital permanently available to absorb losses on a going concern basis.
Description and findings re EC1	BA Art. 4 stipulates that banks have to maintain, individually and on a consolidated basis, appropriate capital adequacy and liquidity, and that the Federal Council shall determine the elements of capital adequacy and liquidity and establish the minimum requirements in accordance with the business practices and the risks. The Capital Adequacy Ordinance (CAO) then sets out detailed regulatory capital framework. As of January 1, 2013 the Basel III framework capital minimum and buffer requirements were implemented along with Swiss-specific rules for systemically important banks by amending the existing CAO. By consequence the composition of capital follows Pillar 1 capital requirements in the Basel III framework. The calculation of eligible capital has been aligned with Basel III definitions. After deductions, banks must hold minimum capital in the amount of 8 percent of the risk-weighted positions. A minimum of 4.5 percent of the risk-weighted positions must be held in common equity tier 1 capital and a minimum of 6 percent must be held in tier 1 capital (CAO Art. 42 para 1). Banks must hold a common equity tier 1 capital buffer of 2.5 percent of risk weighted assets (CAO Art. 43). Upon the Swiss National Bank’s request, the Swiss Federal Council may require the banks to hold a counter-cyclical buffer of a maximum of 2.5 percent of their risk-weighted positions in Switzerland (CAO Art. 44 para 1). According to this, the Federal Council published in February 2013 that it activated a one percent counter-cyclical buffer for loans collateralized by residential mortgages which would be applicable beginning end-September. The Regulatory Consistency Assessment Program of the Basel Committee for Banking Supervision in the first half of 2013 assessed the Swiss Implementation of Basel II and Basel III as compliant. The rules for systemically important banks (TBTF package) include in addition to the Basel III framework particular capital requirements. They require common equity of at least 10 percent of the risk-weighted position as a basic requirement and contingent capital or other qualifying capital of at least 9 percent of risk-weighted positions, which can be divided to the buffer capital of 3 percent and the progressive component of 6 percent, although the latter requirement changes according to the banks’ size and market share. In order to be eligible to form part of the buffer and progressive component, capital instruments of systemically important banks must include loss absorbing triggers that are automatically activated at 7 percent (buffer component) and 5 percent (progressive component) calculated on the basis of the CET1 capital ratio to risk-weighted positions.
EC2	At least for internationally active banks,39 the definition of capital, the risk coverage, the method of calculation and thresholds for the prescribed requirements are not lower than those established in the applicable Basel standards.
Description and findings re EC2	See EC1. The Swiss RCAP conducted by BCBS confirmed that Basel III capital requirements have been implemented by the CAO without material deviations from the Basel standards. The CAO and FINMA circulars apply to all banks whether they are internationally active or not.
EC3	The supervisor has the power to impose a specific capital charge and/or limits on all material risk exposures, if warranted, including in respect of risks that the supervisor considers not to have been adequately transferred or mitigated through transactions (e.g., securitization transactions)40 entered into by the bank. Both on-balance sheet and off-balance sheet risks are included in the calculation of prescribed capital requirements.
Description and findings re EC3	The Swiss capital adequacy framework follows Basel II, II.5 and III for risk weights. Thus, it covers both on-balance sheet and off-balance sheet risks. The treatment of securitization follows Basel II.5 and III provisions. Its general authorization rules in BA (Art. 3) give FINMA extensive power to limit material risk exposure. BA Art. 4 also allows FINMA to impose more stringent requirements for particular banks. Specifically CAO Art. 45 provides that FINMA may set a specific capital charge (Pillar 2 charge) to specifically cover the risks that are not covered or not sufficiently covered by the minimum required capital if applying a risk-oriented approach and, together with the capital buffer, the additional capital is meant to ensure compliance with minimum capital requirements even in unfavorable conditions. It also provides that if a bank does not have additional capital, the FINMA may stipulate special measures to monitor and supervise the capital adequacy and risk situation. Accordingly, FINMA Circular 11/02 “Capital buffer and capital planning” stipulates additional buffers required uniformly depending on categories each bank belongs. (See EC4.) Furthermore, CAO allows FINMA to, under certain circumstances and on an individual basis, demand further capital, namely if the minimum required capital, the capital buffer and the additional capital do not ensure an appropriate level of security in view of that bank’s business activities, its risks taken, its business strategy, the quality of its risk management or the state of development of the techniques used. The process of setting a specific Pillar 2 charge on individual banks is described further in Circular 11/02 Margin Nos. 30–33. Also, as a part of Pillar 2 process, Banks are required to carry out capital planning for both solo and consolidated levels annually since 2012. The circular requires capital planning to be forward looking and providing a reliable forecast of available capital (including in ‘adverse’ conditions), tied closely to overall planning particularly the institution’s income targets and budget process, based on realistic assumptions with regard to business performance, and approved by BoD. External auditors are required to assess banks’ capital planning and comment in there regulatory audit reports, which then reviewed by FINMA. In practice, other information such as those results of stress testing is used for evaluating the adequacy of capital level of individual banks. Through discussion with FINMA staff, assessors are informed that when a bank is assessed as having insufficient capital, FINMA usually approaches the bank and discuss how to address the issue. FINMA explains in some cases the bank may reduce risk, and other cases they may increase capital levels, as requested by FINMA. The assessors are also informed that there is a Parliamentary initiative that requires the Federal Council to conduct a study on moving FINMA’s power to require Pillar 2 charge across banks to the Federal Council. The initiative also expresses the Parliamentarians’ view that the minimum capital ratio for non-systemically important banks should not exceed 13 percent for a proportionality reason.
EC4	The prescribed capital requirements reflect the risk profile and systemic importance of banks41 in the context of the markets and macroeconomic conditions in which they operate and constrain the build-up of leverage in banks and the banking sector. Laws and regulations in a particular jurisdiction may set higher overall capital adequacy standards than the applicable Basel requirements.
Description and findings re EC4	The CAO prescribes specific capital requirements which ensure a higher loss absorbency of the systemically important banks. (See EC1) In addition, a leverage ratio has been introduced for these banks (CAO Art. 133). This leverage ratio is set at a level of 24 percent of the minimum capital ratio requirement for the capital base, the buffer component and the progressive component (CAO Art. 134). For other banks, as explained in EC 3, FINMA has set capital targets beyond the Basel minimum requirements as Pillar 2 charges in Circular 11/02, except for Category 5 banks. Different ratios are set for banks in different Categories, which are set based on sizes of banks’ assets, assets under management, privileged deposits and required own funds, as shown in the table below. In addition, as explained in EC 1, in order to prevent excessive credit growth, banks could be required to account for a countercyclical buffer of up to 2.5 percent Common Equity Tier 1 (CET 1) capital to cover all or only certain credit positions, based on recommendation by SNB. SNB may publish views on adequacy of capital levels of banks from the perspective of systemic-relevance, after informal but close consultations with FINMA. Capital Ratio42 Determining Capital Adequacy Target (In percent) Capital Ratio Below Which Immediate and Extensive Action Is Taken Under Supervisory Law (Intervention Threshold) (In percent) Category 2 13.6-14.4 11.5 Category 3 12 11 Category 4 11.2 10.5 Category 5 10.5 10.5
EC5	The use of banks’ internal assessments of risk as inputs to the calculation of regulatory capital is approved by the supervisor. If the supervisor approves such use: (a) such assessments adhere to rigorous qualifying standards; (b) any cessation of such use, or any material modification of the bank’s processes and models for producing such internal assessments, are subject to the approval of the supervisor; (c) the supervisor has the capacity to evaluate a bank’s internal assessment process in order to determine that the relevant qualifying standards are met and that the bank’s internal assessments can be relied upon as a reasonable reflection of the risks undertaken; (d) the supervisor has the power to impose conditions on its approvals if the supervisor considers it prudent to do so; and (e) if a bank does not continue to meet the qualifying standards or the conditions imposed by the supervisor on an ongoing basis, the supervisor has the power to revoke its approval.
Description and findings re EC5	In Switzerland, six banks are using advanced approaches for credit risk, five for market risk, and two for operational risk. Banks using an IRB or EPE model approach for measuring credit risk must validate their models and parameter estimates as foreseen by the Basel Committee’s minimum standards. These standards were incorporated into Swiss regulation via a reference to the applicable Basel standards. (Circular 08/19 Margin Nos. 1021 (EPE) and 266 and following (IRB)). Also in the area of securitizations a direct link to the Basel minimum standards is made (see Margin 253). Banks using a market risk model approach must validate their models according to the Basel minimum standards. This includes, but is clearly not limited to back testing (see margins. 320–335). It includes also stress testing (see margins. 336–351) Banks using an AMA approach have to fulfill specific quantitative requirements under Circular 08/21 margin Nos. 69–75. Banks validation units are expected to adhere to transparency and quality requirements (margin Nos. 66–68) and to ensure data quality standards (margin no 79). Despite its reliance on external audit firms for supervisory activities, in the area of internal assessments/models, FINMA executes own model approval audits/assessments/on-site reviews, in addition to the ones executed by external audit. Through discussion with the FINMA staff, assessors understand that a substantial effort is put in validation of models and that it has always been a core topic of interest by FINMA. FINMA receives the annual validation reports by banks using internal models and conducts analysis.
EC6	The supervisor has the power to require banks to adopt a forward-looking approach to capital management (including the conduct of appropriate stress testing).43 The supervisor has the power to require banks: (a) to set capital levels and manage available capital in anticipation of possible events or changes in market conditions that could have an adverse effect; and (b) to have in place feasible contingency arrangements to maintain or strengthen capital positions in times of stress, as appropriate in the light of the risk profile and systemic importance of the bank.
Description and findings re EC6	See EC 3 and 4. For non-systemically important banks, Circular 11/02 sets capital target ratios and corresponding intervention thresholds which are significantly higher than the Basel minimum requirements. If a bank falls below these levels, immediate supervisory action to force banks to restore their capital levels will be triggered. Also, these banks are obliged to maintain a capital planning process. The capital planning has to take into account the economic cycle and need to show that the bank will meet their capital adequacy requirements even in the event of an economic downturn and their revenues falling sharply (Margin Nos. 35 and 36). For systemically important banks, a tighter capital planning process is in place. The capital plan is challenged based on the results from regulatory stress testing. (See also CP 15)
AC1	For non-internationally active banks, capital requirements, including the definition of capital, the risk coverage, the method of calculation, the scope of application and the capital required, are broadly consistent with the principles of the applicable Basel standards relevant to internationally active banks.
Description and findings re AC1	The current CAO does not distinguish between internationally and non-internationally active banks. However, in the old regulation, an adjusted standardized approach for credit risk exists, mostly used by non-internationally active banks. This Swiss Standardized approach will be phased out when Basel III capital rules is fully applied in 2019, but the most of banks plan to adopt the Basel Standardized Approach earlier than the deadline. The table below illustrates some difference in risk weights (or capital charges): Area sa-bis (In percent) sa-ch (In percent) Credit risk: All exposures where 20 percent risk weights are applicable 20 25 Commercial real estate 100 75 for LTV tranche < =50% 100 for LTV tranche > 50% Equity 100 (or 150) 125 public equity 250 private equity 500 if qualified participation (i.e., >10) in a firm active in the financial sector Market risk: FX risks and gold 8 10 (capital charge) Commodities 15 20 (capital charge) Non-counterparty related risks: 100 for all other assets 250 bank-buildings 375 other real estate 625 other assets and software, without goodwill and other intangible assets
AC2	The supervisor requires adequate distribution of capital within different entities of a banking group according to the allocation of risks.44
Description and findings re AC2	For financial groups, capital requirements apply at the consolidated and sub-consolidated level and at single entity level (CAO Arts. 7 and 11). This ensures that at least capitals are distributed to important subsidiaries such as banks within the group to meet their regulatory minimum at solo-basis. Also, capital planning exercises on the largest banks contributes to assess whether each entity has an adequate level of capital.
Assessment of Principle 16	Compliant
Comments	While the assessors view the current framework as compliant with this principle, improvements in assessing risks each bank is facing in a more granular way as recommended in relevant CPs are essential to further strengthen the Pillar 2 process in setting bank specific surcharges. Limiting the maximum amount that can be charged under the Pillar 2 process, as suggested by the Parliamentary initiative, should not proceed as it would deprive FINMA of one supervisory tool if the risk in the system becomes substantial. It is also important that this power remains with the supervisor, either in full or by formally making clear that actions by the Council are to be on the recommendation of FINMA.
Principle 17	Credit risk.45 The supervisor determines that banks have an adequate credit risk management process that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate credit risk46 (including counterparty credit risk)47 on a timely basis. The full credit lifecycle is covered including credit underwriting, credit evaluation, and the ongoing management of the bank’s loan and investment portfolios.
Essential criteria
EC1	Laws, regulations or the supervisor require banks to have appropriate credit risk management processes that provide a comprehensive bank-wide view of credit risk exposures. The supervisor determines that the processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank, take into account market and macroeconomic conditions and result in prudent standards of credit underwriting, evaluation, administration and monitoring.
Description and findings re EC1	Based on Art. 9 of the Banking Ordinance, the bank must set out in internal regulations or in internal guidelines the main principles underlying the management of risks, and identify, limit and monitor all types of risks, including credit risk. These high level policies are subject to FINMA approval on licensing and when material changes occur. In addition, FINMA Circular 08/24 contains high level, principles-based guidance on risk management and internal control that apply to all risks. The board has the responsibility to establish and monitor this system which must be tailored to the size complexity, structure and risk profile of the bank. The Swiss Bankers Association sets professional guidelines for mortgage lending which banks have to adhere to as a minimum standard as they are officially recognized as such by FINMA under the legislated approach to self regulation. These standards were promulgated in 2011 and cover qualitative aspects of mortgage underwriting, credit monitoring and exception reporting. Further recognized guidelines were issued by the bankers association in June 2012, applying to new lending or increases in existing loans. They restrict minimum down payment to 10 percent and limit the maximum amortization period to 20 years. Specific regulations on risk concentrations in relation to the bank’s capital are defined in the Capital Adequacy Ordinance. Also, the banks are obliged to monitor its ten largest borrowers or groups of related borrowers and report them on a yearly basis to FINMA, and on a quarterly basis to the accredited external auditor and its own board of directors. FINMA circulars on credit risk for capital purposes also apply. Assessors reviewed the regulatory and financial audit processes on credit risk with FINMA and with regulatory audit firms. While FINMA rules and guidance is high level in some areas, it is clear that the criteria used for these audits by auditors often goes beyond the law and circulars issued by FINMA to incorporate best practice guidance from the BCBS for example, or best practices from the audit firm’s experience with its clients. Financial and regulatory reviews regularly include sampling of credit files and verifying the integrity of underwriting, risk rating and reporting, and monitoring of exceptions to policies. When assessing whether their capital is appropriate, institutions must take into account the economic cycle. Banks must show in their capital planning that they are in a position to meet capital adequacy requirements in future, even in the event of an economic downturn and if their revenues were to fall sharply. A theme review has been done recently with respect to stress testing the mortgage portfolio at some 15 banks which lead to feedback on capital planning to a number of banks.
EC2	The supervisor determines that a bank’s Board approves, and regularly reviews, the credit risk management strategy and significant policies and processes for assuming,48 identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating credit risk (including counterparty credit risk and associated potential future exposure) and that these are consistent with the risk appetite set by the Board. The supervisor also determines that senior management implements the credit risk strategy approved by the Board and develops the aforementioned policies and processes.
Description and findings re EC2	As noted in EC1, boards have certain responsibilities under the ordinances and circulars. The board of directors also is required to regularly discuss with the management its assessment of the adequacy and effectiveness of the internal controls. Regulatory audits generally review the involvement of senior management and the board in risk management, in determining their opinion as to whether the overall system is ‘appropriate’. Assessors discussed this with FINMA, with auditors, and with banks of various sizes and complexities. As expected, for larger and many mid-size banks this interaction is frequent and extensive, and is linked to a formalized risk appetite framework that comprehensively covers risk types. In practice, discussions between the board of directors and management with smaller banks are on a yearly or twice yearly basis, when discussing the strategy, business plan or capital planning. Board-approved risk policies may be more general and high level and may not have specific quantitative elements for all major risk types. They may be scenario based linked to the bank capital not falling below certain targets. This also appeared to be the case for some mid-size banks. Based on statistical reporting (e.g., development and changes in credit portfolio, risk concentration, large exposures, capital ratio, capital adequacy) received from the banks, FINMA itself performs quantitative analyses related to credit risk. Outliers will be analyzed in detail. FINMA may also perform specific inspections. FINMA also verifies by own risk analyses (e.g., problem-specific analyses), and identifies banks with higher risk exposures. In special assessments, meetings and further analyses, FINMA requires banks to review and reduce risks.
EC3	The supervisor requires, and regularly determines, that such policies and processes establish an appropriate and properly controlled credit risk environment, including: (a) a well documented and effectively implemented strategy and sound policies and processes for assuming credit risk, without undue reliance on external credit assessments; (b) well defined criteria and policies and processes for approving new exposures (including prudent underwriting standards) as well as for renewing and refinancing existing exposures, and identifying the appropriate approval authority for the size and complexity of the exposures; (c) effective credit administration policies and processes, including continued analysis of a borrower’s ability and willingness to repay under the terms of the debt (including review of the performance of underlying assets in the case of securitization exposures); monitoring of documentation, legal covenants, contractual requirements, collateral and other forms of credit risk mitigation; and an appropriate asset grading or classification system; (d) effective information systems for accurate and timely identification, aggregation and reporting of credit risk exposures to the bank’s Board and senior management on an ongoing basis; (e) prudent and appropriate credit limits, consistent with the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff; (f) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board where necessary; and (g) effective controls (including in respect of the quality, reliability and relevancy of data and in respect of validation procedures) around the use of models to identify and measure credit risk and set limits.
Description and findings re EC3	As noted in EC1 and EC2, various rules and guidance, including formally recognized self regulatory minimum requirements, apply which cover a number of these areas. In addition, FINMA indicated that supervisory standards had been communicated in 2002 in the context of an in-depth audit of credit risk management involving well over 100 banks. FINMA considered that these still applied. With respect to information systems, the IT governance is subject to the annual examination of the auditors. The scope of any audit is the GITCs (general IT controls) which must comply with an international framework (e.g., COBIT) Assessors discussed issues of ability to aggregate data at major banks in order to comprehensively address exposures. As is the case elsewhere, there has been considerable progress in dealing with this, and more remains to be done, particularly where banks have made acquisitions and data systems need further integration to reduce the use of manual work-arounds.
EC4	The supervisor determines that banks have policies and processes to monitor the total indebtedness of entities to which they extend credit and any risk factors that may result in default including significant unhedged foreign exchange risk.
Description and findings re EC4	FINMA requires banks to have internal regulations in place to monitor potential impairments of loans, clients or legal entities. This also includes foreign exchange risk. There are no specific requirements with respect to this matter applying to all banks but it normally would form part of the regulatory audit review.
EC5	The supervisor requires that banks make credit decisions free of conflicts of interest and on an arm’s length basis.
Description and findings re EC5	Under Art. 4ter of the Banking Act, credits may be granted to the bank’s governing bodies and controlling shareholders, as well as to related persons and companies, but only in conformity with generally accepted principles of the banking profession (“at arm’s length”). In practice, affected bodies must withdraw from the authorization process. The auditor assesses the approval and monitoring process in accordance with the above- mentioned regulations. Furthermore, the conditions of credit exposures to shareholders or associated bodies must be granted at arm’s length based on tax regulations. Minimum and maximum interests for credit exposures for shareholders or associated bodies are given every year by the tax authorities. The auditor is obliged to control the interests for credits to shareholders or associated bodies when auditing tax expenses and tax provisions.
EC6	The supervisor requires that the credit policy prescribes that major credit risk exposures exceeding a certain amount or percentage of the bank’s capital are to be decided by the bank’s Board or senior management. The same applies to credit risk exposures that are especially risky or otherwise not in line with the mainstream of the bank’s activities.
Description and findings re EC6	As mentioned in EC1 and EC2, banks have to set various policies re credit risk, including exception to policy provisions and reporting lines, in Business Rules subject to FINMA approval. During this approval process, the role of the board or senior management are analyzed to ensure they meet FINMA expectations. Banks then flesh out these strategic competences and rules in the form of (credit) guidelines and instructions for divisions, departments, teams and key personnel which do not require FINMA’s approval. FINMA expects that credit exposures above a certain size are to be decided by the bank’s board or senior management.
EC7	The supervisor has full access to information in the credit and investment portfolios and to the bank officers involved in assuming, managing, controlling and reporting on credit risk.
Description and findings re EC7	Based on Art. 29 of the Financial Market Supervisory Act and with reference to FINMA Circular 2013/3 Margin No. 71, FINMA and regulatory auditors have unlimited access to all information at the banks.
EC8	The supervisor requires banks to include their credit risk exposures into their stress testing programs for risk management purposes.
Description and findings re EC8	Based on FINMA Circular 2011/02 (Capital buffer and capital planning), FINMA expects supervised banks to have adequate capital planning, documented in writing, that reflects banks’ individual circumstances. When assessing whether their capital is appropriate, institutions must take into account the economic cycle. Also, the banks must show in their capital planning that they are in a position to meet their capital adequacy requirements for the next three years, even in the event of an economic downturn, and if their revenues were to fall sharply. The underlying assumptions for capital planning must be documented in a transparent and comprehensible manner. The assumptions must reflect the individual effects of an economic downturn also on the credit exposures and the counterparties. Boards of directors are required to approve the capital plan at least annually. In addition, FINMA may require individual stress tests from the banks. For such tests, FINMA defines the parameters and scenarios. This was done over the recent past for selected banks with respect to their mortgage lending. Last, there is also an explicit credit risk stress-testing regulation in force for banks applying the IRB approach.
Assessment of Principle 17	Compliant
Comment	While FINMA rules and guidance are not as comprehensive and detailed as expected by this CP in certain cases, or as is found in some other jurisdictions, the supervisory process for credit risk fills gaps, is comprehensive and allows FINMA to obtain a good sense of the quality of credit risk management. Some improvements to guidance and instructions to regulatory auditors should be made to ensure that their work is focusing consistently on qualitative requirements for credit risk management across the full range of banks and audit firms involved in regulatory audits. As well, further comparison across mid-size banks of capital planning by FINMA would act to ensure that assumptions are consistently appropriate.
Principle 18	Problem assets, provisions and reserves.49 The supervisor determines that banks have adequate policies and processes for the early identification and management of problem assets, and the maintenance of adequate provisions and reserves.50
Essential criteria
EC1	Laws, regulations or the supervisor require banks to formulate policies and processes for identifying and managing problem assets. In addition, laws, regulations or the supervisor require regular review by banks of their problem assets (at an individual level or at a portfolio level for assets with homogenous characteristics) and asset classification, provisioning and write-offs.
Description and findings re EC1	FINMA regulations and ordinances do not contain comprehensive rules or guidance on management of problem assets. The definitions of impaired and non-performing loans are aligned with IAS39-definitions, and included in the accounting guidelines (Circular 08/02). The main verification of how banks deal with problem assets is dealt with in the external financial audit. The results of this are also naturally available to the regulatory auditor and to FINMA. See also answer to EC5.
EC2	The supervisor determines the adequacy of a bank’s policies and processes for grading and classifying its assets and establishing appropriate and robust provisioning levels. The reviews supporting the supervisor’s opinion may be conducted by external experts, with the supervisor reviewing the work of the external experts to determine the adequacy of the bank’s policies and processes
Description and findings re EC2	As mentioned in EC1, the external auditors are to a large extent FINMA’s ‘investigating unit’ at the banks, and they intervene every year, not only for auditing the financial statements but also for performing the prudential audit according to FINMA’s general instructions. On the basis of the annual prudential reporting sent to FINMA, peer-groups are created and the level of impaired loans and provisions are compared across banks to identify outliers, which are referred to supervisory teams and auditors as necessary.
EC3	The supervisor determines that the bank’s system for classification and provisioning takes into account off-balance sheet exposures.51
Description and findings re EC3	Off-balance sheet exposures are taken into account and treated in the same way as on-balance sheet exposures.
EC4	The supervisor determines that banks have appropriate policies and processes to ensure that provisions and write-offs are timely and reflect realistic repayment and recovery expectations, taking into account market and macroeconomic conditions.
Description and findings re EC4	See answers to EC1 and EC2.
EC5	The supervisor determines that banks have appropriate policies and processes, and organizational resources for the early identification of deteriorating assets, for ongoing oversight of problem assets, and for collecting on past due obligations. For portfolios of credit exposures with homogeneous characteristics, the exposures are classified when payments are contractually in arrears for a minimum number of days (e.g., 30, 60, 90 days). The supervisor tests banks’ treatment of assets with a view to identifying any material circumvention of the classification and provisioning standards (e.g., rescheduling, refinancing or reclassification of loans).
Description and findings re EC5	Under circular 08/02 (FINMA Accounting Guidelines): “Loans are non-performing where at least one of the following payments has not yet been effected in full as of ninety days from the due date: (a) interest payments; (b) commission payments; (c) amortization (partial repayments of principal); and (d) full repayment of principal. If payments for interest, commission and/or amortization are overdue, the face value of the loan is also to be considered as non-performing. Loans to debtors undergoing liquidation are always to be considered as non-performing. Loans subject to special conditions based on the borrower’s credit standing (e.g., significant reductions in interest rates, with interest dipping below the bank’s refinancing costs) are to be considered non-performing. Past due receivables are frequently a component of impaired loans/receivables”. FINMA requires special classification and reporting of a) impaired loans (see below) and b) non-performing loans. If the interest has not been paid after a period of 90 days, they are considered non- performing and cannot be included in the income statement until payment has been made (and the whole loan is considered as non-performing). Impaired loans (Margin No. 239 of Circular 08/02) are loans/receivables for which the debtor will unlikely be able to fulfill its future obligations. Indications for an impaired loan/receivable include: considerable financial difficulties on the part of the debtor; actual breach of contract (e.g., default on or delay in interest or principal payments); concessions on the part of the lender to the borrower based on economic or legal circumstances linked to the financial difficulties of the borrower that would not be granted under normal conditions; high probability of bankruptcy or otherwise the need for restructuring on the part of the debtor; recording of impairment for the respective asset in a previous reporting period; disappearance of an active market for this particular financial asset due to financial difficulties; and previous experience in connection with debt collection that indicates that the total face value of a portfolio of receivables is not collectible. Impaired loans/receivables and any collateral are to be valued at their liquidation value and the value to be adjusted taking the debtor’s creditworthiness into account. Where the recovery of the loan/receivable is dependent exclusively on the liquidation proceeds value of the collateral, an allowance must be established to completely cover the unsecured portion. The financial audit covers provisioning practices and policies and impairment testing. FINMA reported that this regularly includes specific file review to validate the robustness of the process and of the bank’s rating system. FINMA supervisors interact with financial auditors on the results of these reviews and react accordingly, including as necessary requiring more provisions or reclassification of assets.
EC6	The supervisor obtains information on a regular basis, and in relevant detail, or has full access to information concerning the classification of assets and provisioning. The supervisor requires banks to have adequate documentation to support their classification and provisioning levels.
Description and findings re EC6	Considerable information is given by banks to FINMA annually on provisioning. This includes a complete picture of all allowances and provisions, impaired loans as well as non-performing loans. These elements are to be publicly disclosed within a deadline of 120 days (with the exception of non-performing loans), after having been audited. Adequacy of documentation is reviewed in the financial statement audit process.
EC7	The supervisor assesses whether the classification of the assets and the provisioning is adequate for prudential purposes. If asset classifications are inaccurate or provisions are deemed to be inadequate for prudential purposes (e.g., if the supervisor considers existing or anticipated deterioration in asset quality to be of concern or if the provisions do not fully reflect losses expected to be incurred), the supervisor has the power to require the bank to adjust its classifications of individual assets, increase its levels of provisioning, reserves or capital and, if necessary, impose other remedial measures.
Description and findings re EC7	The first step is the financial and the prudential audit done by the external auditors and FINMA’s preliminary examination of the data given in the context of the prudential reporting. The second step is the examination by FINMA supervisors of the public disclosure of the bank and the long form reports remitted by the external auditors. If FINMA does not agree with an assessment (e.g., provisions) of the bank supported by the ordinary audit firm, it is FINMA policy to mandate another audit firm in order to obtain a second opinion. On rare occasions, FINMA has also made an assessment. Where FINMA disagrees at an early stage or has material doubts about the quality of the assets and the adequacy of provisions, the bank/banking group is informed that it may not disclose its financial statements before an agreement has been found. FINMA does not have authority to require more provisions. If FINMA had concerns in that regard it would require a Pillar 2 add-on.
EC8	The supervisor requires banks to have appropriate mechanisms in place for regularly assessing the value of risk mitigants, including guarantees, credit derivatives and collateral. The valuation of collateral reflects the net realizable value, taking into account prevailing market conditions.
Description and findings re EC8	FINMA guidance or rules are not detailed in this regard. In the context of “Lombard” lending (credits collateralized by marketable financial instruments), banks must apply haircuts whose size depends on the type of securities (high haircuts for shares, moderate haircuts for bonds), in order to take into account a possible negative price fluctuation of the market value. The present market value of the collateral must be reassessed very frequently and the limit granted to the customer must be adapted. As regards the mortgage loans, guidelines were issued by the Swiss Bankers Association (Guidelines on auditing, valuation and treatment of mortgage-backed loans of 28.10.2011) are recognized as minimum standards by FINMA and cover the need for regularly assessing collateral and other risk mitigants.
EC9	Laws, regulations or the supervisor establish criteria for assets to be: (a) identified as a problem asset (e.g., a loan is identified as a problem asset when there is reason to believe that all amounts due, including principal and interest, will not be collected in accordance with the contractual terms of the loan agreement); and (b) reclassified as performing (e.g., a loan is reclassified as performing when all arrears have been cleared and the loan has been brought fully current, repayments have been made in a timely manner over a continuous repayment period and continued collection, in accordance with the contractual terms, is expected).
Description and findings re EC9	See EC 5 (regulatory definitions of impaired loans and non-performing loans). These definitions are similar to those of IAS 39.
EC10	The supervisor determines that the bank’s Board obtains timely and appropriate information on the condition of the bank’s asset portfolio, including classification of assets, the level of provisions and reserves and major problem assets. The information includes, at a minimum, summary results of the latest asset review process, comparative trends in the overall quality of problem assets, and measurements of existing or anticipated deterioration in asset quality and losses expected to be incurred.
Description and findings re EC10	Under FINMA Circular 08/24 (Internal control and supervision), the board of directors or its audit committee are responsible for: (a) a critical analysis of the financial statements and the reliability of the related internal controls procedures (based also on discussions with the top operational management, the internal audit and the external audit firm); (b) critical review of the risk profile of the bank, the efficiency of the central compliance function and the central risk management and reporting function; (c) the examination of the risk analyses of the external audit and the related audit strategy; and (d) the examination of internal and external audit reports.
EC11	The supervisor requires that valuation, classification and provisioning, at least for significant exposures, are conducted on an individual item basis. For this purpose, supervisors require banks to set an appropriate threshold for the purpose of identifying significant exposures and to regularly review the level of the threshold.
Description and findings re EC11	FINMA Circular 08/02 (FINMA Accounting – Banks) states: “Impaired loans/receivables are to be valued on an item-by-item basis, and their impairment (…) covered by individual value adjustments. A collective assessment is permitted only for homogenous credit portfolios consisting exclusively of a large number of small receivables, e.g., consumer credit, leasing and credit card receivables - (general individual value adjustment)”. Furthermore, additional general value adjustments must be established to cover existing latent default risks.
EC12	The supervisor regularly assesses any trends and concentrations in risk and risk build-up across the banking sector in relation to banks’ problem assets and takes into account any observed concentration in the risk mitigation strategies adopted by banks and the potential effect on the efficacy of the mitigant in reducing loss. The supervisor considers the adequacy of provisions and reserves at the bank and banking system level in the light of this assessment.
Description and findings re EC12	Based on the data received in the context of prudential reporting but also on other data collected regularly by the Swiss National Bank, FINMA regularly analyses the evolution of the different types of credit portfolios, as well as the evolutions regarding impaired loans, non-performing loans, specific and general provisions, on a global and specific basis. Particular attention is paid to outliers. At the macro-economic level, the Swiss National Bank also observes the trends, especially in the mortgage sector, which are developing in Switzerland. This institution is responsible for taking the initiative to submit to the Government a proposal to activate, adjust or deactivate the countercyclical capital buffer (after consultation with FINMA). This regulatory instrument was introduced in the context of the implementation of Basel III in Switzerland. The Government has very recently accepted the proposal to partially activate this buffer (1 percent of residential mortgage RWA) starting from September 30, 2013, limited to mortgage loans in Switzerland.
Assessment of Principle 18	Compliant
Comments	FINMA should consider seeking the explicit power to require a bank to add to provisions, to supplement their Pillar 2 power re capital add-ons, as direct additional provisions may be a more appropriate remedy in certain cases to any inadequate provisioning practices by banks.
Principle 19	Concentration risk and large exposure limits. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate concentrations of risk on a timely basis. Supervisors set prudential limits to restrict bank exposures to single counterparties or groups of connected counterparties.52
Essential criteria
EC1	Laws, regulations or the supervisor require banks to have policies and processes that provide a comprehensive bank-wide view of significant sources of concentration risk.53 Exposures arising from off-balance sheet as well as on-balance sheet items and from contingent liabilities are captured.
Description and findings re EC1	As noted in EC 5 and 6, CAO provides in Arts. 95–123 rules for large exposures to a single counterparty or a group of related counterparties. For systemically important banks, CAO Art. 136 CAO requires need to use narrower definition of capital in calculating large exposures. In addition, Banks are required by law to have a sound credit risk management in place. FINMA understand that this covers risks stemming from counterparties in the same industry, economic sector or geographic region and counterparties whose financial performance is dependent on the same activity or commodity, including Off-balance sheet exposures.
EC2	The supervisor determines that a bank’s information systems identify and aggregate on a timely basis, and facilitate active management of, exposures creating risk concentrations and large exposure54 to single counterparties or groups of connected counterparties.
Description and findings re EC2	For large exposure to single counterparties or groups of connected counterparties, CAO Art. 100 para 1 provides it to be reported at the solo level every three months within one month after the end of a period to the statutory auditor using a form provided by FINMA. At the consolidated level, the reporting has to be submitted every six months within six weeks. The reporting must be done on gross positions. The same Art. also requires external auditors to verify the bank’s internal monitoring of large exposures and assess its progress. Similarly, there is a reporting requirement on exposures to same geographic and industrial sectors. External auditors are required to confirm adequacy of measurement and monitoring of risk concentrations and include the assessment in their regulatory audit reports. (See EC3)
EC3	The supervisor determines that a bank’s risk management policies and processes establish thresholds for acceptable concentrations of risk, reflecting the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff. The supervisor also determines that the bank’s policies and processes require all material concentrations to be regularly reviewed and reported to the bank’s Board.
Description and findings re EC3	FINMA Circular 08/24 “Supervision and internal control” require banks’ BoD to ensure that all material risks are recorded, limited and monitored. In particular, it refers to single-name concentration risk by stipulating that in financial groups and financial conglomerates dominated by entities active in banking and securities trading, it is especially important to consider the risks that may arise from the union of several companies into a single economic entity. This requirement is understood by FINMA to extend to other kinds of concentration risks. The limit system has to be regularly communicated to relevant staff. FINMA expects that a bank adequately addresses concentration risk in their governance and risk frameworks and that material concentrations would be reported to the bank’s board. External auditors must assess concentration risk during its regulatory audit. The standard form for regulatory audit reports require audit firms to confirm: (a) Methods for identifying, measuring, managing and monitoring risk concentrations in connection with lending business are appropriate; (b) The responsible management body has introduced an adequate risk policy and appropriate limits; and (c) The risk policy and the limits are effectively applied and respected.
EC4	The supervisor regularly obtains information that enables concentrations within a bank’s portfolio, including sectoral, geographical and currency exposures, to be reviewed.
Description and findings re EC4	For single name concentrations, see EC 2. The statutory auditors are expected to review on a regular basis a bank’s credit portfolio and any negative observations need to be reported to FINMA. In addition, FINMA monitors and analyzes credit concentrations and resulting solvency risk of counterparties in the interbank market through its off-site monitoring. All banks and bank groups without branches of foreign banks in Switzerland report the twenty largest claims and liabilities positions vis-à-vis other banks or bank groups in Switzerland and abroad. Furthermore, banks having exposures to foreign counterparties or fiduciary claims exceeding CHF 1 billion in aggregate terms are required to report exposures by country and counterparty types (banks, sovereigns, private sector) quarterly. For other banks, this is reported on an annual basis. As noted above, there is also a requirement to report to SNB exposures to different industrial sectors, which is also available to FINMA and used for its off-site monitoring. Discussion with FINMA showed, however, the work on monitoring concentration risk other than country risk exposure is still in progress, including the use of stress testing to detect weakness in the system.
EC5	In respect of credit exposure to single counterparties or groups of connected counterparties, laws or regulations explicitly define, or the supervisor has the power to define, a “group of connected counterparties” to reflect actual risk exposure. The supervisor may exercise discretion in applying this definition on a case by case basis.
Description and findings re EC5	CAO Art. 109 defines ‘connected counterparties’ as the total exposure to a group of related counterparties is the sum of the total position for each counterparty. Two or more persons or legal entities are deemed to be a group of related counterparties and are to be treated as a stand-alone entity, if: (a) one of them directly or indirectly holds more than half of the voting rights of the other or exercises a dominant influence over it in some other way; (b) there is clear evidence of a financial dependency between them such that it seems likely that if one gets into financial distress, the others will encounter payment difficulties; (c) they are held by the same individual or legal entity or are controlled by it; (d) they form a syndicate; or (e) the counterparties are connected through a mutual refinancing source. For claims in securitization positions, holdings in investment capital or other loans that are covered with assets, the Art. also require the bank to choose the borrower in a manner that accounts for the economical substance and the business risks inherent in the structure of the transactions and particularly of the possible large exposures. In exceptional circumstances, the supervisory authority is entitled to alleviate or tighten the applicable risk diversification standards (CAO Art. 112).
EC6	Laws, regulations or the supervisor set prudent and appropriate55 requirements to control and constrain large credit exposures to a single counterparty or a group of connected counterparties. “Exposures” for this purpose include all claims and transactions (including those giving rise to counterparty credit risk exposure), on-balance sheet as well as offbalance sheet. The supervisor determines that senior management monitors these limits and that they are not exceeded on a solo or consolidated basis.
Description and findings re EC6	CAO Art. 95 defines a large exposure as the total position to a single counterparty or a group of related counterparties which is equal to or greater than 10 percent of the bank’s adjusted eligible capital. Adjusted eligible capital is defined as total regulatory capital (Tier 1 and Tier 2) less regulatory deductions. An individual large exposure must not exceed 25 percent of the adjusted eligible capital (Art. 97 CAO). The total position is calculated by adding the amount of on-balance sheet items (including net long positions in securities) and the amount of off-balance sheet items converted to credit equivalents as well as positions in relation with securities lending and repos. (CAO Arts. 112-119) Exposures to central banks and central governments risk weighted at zero percent, positions in domestic mortgage bonds (up to a maximum of 50 percent of corresponding property’s market value), positions covered by a certain residential mortgages, among several other kinds of exposures, are excluded from the restriction. Special risk concentration ceilings are in place for smaller banks’ positions to banks and securities dealers who are neither nationally nor internationally systemically relevant banks or financial groups (SIFIs). The limits are as follows: 100 percent of the adjusted eligible capital, provided that adjusted eligible capital does not amount to more than CHF 250 million. CHF 250 million, provided the adjusted eligible capital amounts to between CHF 250 million and 1 billion. The original 25 percent ceiling apply to banks with eligible capital higher than CHF 1 billion as well as exposures to SIFIs. On the contrary, a tighter ceiling applies for SIFIs where a single risk concentration must not exceed 25 percent of their common equity tier1 (CET1) that isn’t used to cover the progressive component (CAO Art. 136). The upper limits on individual and aggregate risk concentrations may be exceeded if: (a) the excess amount is covered by disposable eligible capital; or (b) the excess is solely attributable to an affiliation between previously unconnected counterparties, or an affiliation between the bank and other companies active in the financial sector. Where capital is used to cover a risk concentration limit excess, this must be mentioned in the statement of capital. (CAO Art. 98). These requirements must be met both at the solo and the consolidated levels (financial groups or financial conglomerates). (CAO Art. 7). CAO Art. 95 requires banks to limit and monitor their large exposures. Also, as noted in EC2, reporting requirements of large exposures are established by CAO, through them supervisors monitor their developments against limits.
EC7	The supervisor requires banks to include the impact of significant risk concentrations into their stress testing programs for risk management purposes.
Description and findings re EC7	FINMA Circular 11/2 “Capital buffer and capital planning banks” require banks to show in their capital planning that they are in a position to meet their capital adequacy requirements in future (over a three-year horizon), even in the event of an economic downturn and their revenues falling sharply. FINMA understands that banks have to take into account risk concentrations in their internal stress testing programs to meet this requirement.
Additional criteria
AC1	In respect of credit exposure to single counterparties or groups of connected counterparties, banks are required to adhere to the following: (a) ten per cent or more of a bank’s capital is defined as a large exposure; and (b) twenty-five per cent of a bank’s capital is the limit for an individual large exposure to a private sector non-bank counterparty or a group of connected counterparties. Minor deviations from these limits may be acceptable, especially if explicitly temporary or related to very small or specialized banks.
Description and findings re AC1	See EC6. A large exposure is defined as ten percent or more of a bank’s eligible capital and the limit for an individual large exposure to a non-bank counter party or a group of connected counter parties are 25 percent or more of a bank’s eligible capital. One important exception to note is the case where the excess exposure amount is covered in full by disposable eligible capital.
Assessment of Principle 19	Largely Compliant
Comments	There are several regulatory and supervisory gaps regarding large exposure and concentration. Exposures covered by residential mortgages up to a certain amount are excluded from the calculation of large exposure limit. While this is in line with the current EU regulation, it has a risk to allow significant single-name concentration risk particularly for smaller banks. Also, a higher large amount inter-bank exposure ceiling set for small banks is against conservative concentration risk management. Regarding more general concentration risk management, while assessors welcome the explicit reference in the standard audit template, lack of clear guidance or expectation for banks and regulatory auditors would limit its usefulness. Further, assessors see there is a substantial room for improvement in proactive supervision of concentration risk by FINMA. Assessors thus recommend authorities to take following measures: For single-name concentration, include exposures to residential mortgage fully in the calculation of exposures and introduce the same limit for interbank exposures of smaller banks as larger banks. Provide clear guidance on auditors (and banks) on how to assess concentration risk. This should include expectations on policies and processes regarding concentration risk management. Conduct more supervisory work on concentration. FINMA is in a better position to assess concentration and detect risks as it has access to information on the entire banking system. More active use of stress testing, particularly for smaller banks, including improvements in methodologies, data and integration to ordinary supervisory processes, should be an important pillar of this effort.
Principle 20	Transactions with related parties. In order to prevent abuses arising in transactions with related parties56 and to address the risk of conflict of interest, the supervisor requires banks to enter into any transactions with related parties57 on an arm’s length basis; to monitor these transactions; to take appropriate steps to control or mitigate the risks; and to write off exposures to related parties in accordance with standard policies and processes.
Essential criteria
EC1	Laws or regulations provide, or the supervisor has the power to prescribe, a comprehensive definition of “related parties”. This considers the parties identified in the footnote to the Principle. The supervisor may exercise discretion in applying this definition on a case by case basis.
Description and findings re EC1	BA Art. 4ter stipulates that banks may grant credit to members of their governing bodies and to their controlling shareholders, as well as to related persons and companies, only in conformity with ‘generally accepted principles of the banking profession’, thus giving FINMA the general power to restrict a bank’s lending to related persons. The authorities explain that secondary legislation avoids defining the group of related parties in order not to limit the wide scope of application of the said article, although Commentary to BA explains that in principle this includes close relatives and spouses and companies in which members of the bank have a significant stake or the ability to influence how the business is run. FINMA has the discretion on whom to impose lending restrictions on a case by case basis. Also, while not explicitly linked to this article, CAO Art. 100 requires banks to report large exposures under the term “transactions with affiliated parties” that involves a member of the bank’s supervising body or a qualified shareholder as defined in BA or a closely affiliated individual or company.
EC2	Laws, regulations or the supervisor require that transactions with related parties are not undertaken on more favorable terms (e.g., in credit assessment, tenor, interest rates, fees, amortization schedules, requirement for collateral) than corresponding transactions with non-related counterparties.58
Description and findings re EC2	See EC1. BA Art. 4ter requires extension of credit to related persons and companies to be in conformity with generally accepted principles of the banking profession. In addition, Circular 08/24 “Supervision and Internal Control” provides a general requirement focusing on conflict of interest by stipulating that the Board of directors must ensure that the handling of conflicts of interest is regulated and if a specific conflict of interest cannot be avoided, the institution takes measures to deal with it appropriately. No detailed guidance is provided regarding “generally accepted principles of the banking profession”, but the Commentary to BA explains that special caution must be exercised when granting loans to bank officers and related persons and referred to an old EBK bulletin that requires loans to be granted on the basis of the same information, documentation and collateral criteria that apply to loans to unrelated third parties. Also, the provision in the law is understood to only cover transactions involving credit risk, and not other kinds of transactions.
EC3	The supervisor requires that transactions with related parties and the write-off of related-party exposures exceeding specified amounts or otherwise posing special risks are subject to prior approval by the bank’s Board. The supervisor requires that Board members with conflicts of interest are excluded from the approval process of granting and managing related party transactions.
Description and findings re EC3	The authorities state that FINMA, in its authorization process, requires banks internal policies (by laws, organizational chart, credit regulations) to ensure that transactions with related parties are handled as described under this EC (BA Art. 3 para 2 and para 3). Also, as described in EC2, Circular 08/24 “Supervision and internal control” prescribes a general requirement to control conflict of interest. More specifically on conflicts of interest involving Board members, “FAQs on Board of directors” stipulates that the supreme governing body must regulate how conflicts of interest are dealt with and set out when members are obliged to withdraw from deliberations on certain matters. The guidelines also require existing and prior interests of the members to be disclosed, conflicts of interest to be effectively resolved, and mandates and business relationships that may potentially lead to conflicts of interest or damage the institution’s reputation to be avoided.
EC4	The supervisor determines that banks have policies and processes to prevent persons benefiting from the transaction and/or persons related to such a person from being part of the process of granting and managing the transaction.
Description and findings re EC4	As a part of regulatory audits, external auditors are required to assess correctness of dealings/businesses with management bodies and significant shareholders; they are asked to confirm if these dealings/businesses were completed according to recognized principles. They are also expected to report instances in which the management bodies and/or significant shareholders were granted preferential terms. (Template for supervisory audit report 6.5.2).
EC5	Laws or regulations set, or the supervisor has the power to set on a general or case by case basis, limits for exposures to related parties, to deduct such exposures from capital when assessing capital adequacy, or to require collateralization of such exposures. When limits are set on aggregate exposures to related parties, those are at least as strict as those for single counterparties or groups of connected counterparties.
Description and findings re EC5	FINMA has the power to restrict lending to related parties, to deduct such exposures from the capital or to require collateral. No detailed guidance, including on the limit on aggregate exposures to related parties, is provided, except for intra-group positions (FINMA Circular 13/07 “Limitation—Intragroup exposure).
EC6	The supervisor determines that banks have policies and processes to identify individual exposures to and transactions with related parties as well as the total amount of exposures, and to monitor and report on them through an independent credit review or audit process. The supervisor determines that exceptions to policies, processes and limits are reported to the appropriate level of the bank’s senior management and, if necessary, to the Board, for timely action. The supervisor also determines that senior management monitors related party transactions on an ongoing basis, and that the Board also provides oversight of these transactions.
Description and findings re EC6	As mentioned in EC4, external auditors are required to assess correctness of dealings/businesses with management bodies and significant shareholders. This is expected to include assessment of policies and processes as well as practices, including evaluation of terms of individual cases of transactions whether they are done arm’s length or not. (Template for regulatory audit report 6.5.2) However, this section only refers to dealings with management bodies and significant shareholders. In addition, as noted in EC1, if a position to a related party amounts to a large exposure, it must be reported to the board or an external auditor (CAO Art. 100 para 4 CAO).
EC7	The supervisor obtains and reviews information on aggregate exposures to related parties.
Description and findings re EC7	No constant reporting requirements are applied related to aggregated exposures to related parties, although FINMA may require at any time information on aggregate exposures to related parties. As mentioned in previous ECs, if such exposures qualify as a large exposure, they have to be reported on a quarterly basis to the auditor (CAO Art. 100 paras. 4 and 5).
Assessment of Principle 20	Largely Compliant
Comments	The related party transaction regulation in BA only covers transactions involving credit risk, but not other kind of transactions. This CP covers other kind of transactions as noted in the footnote as other kind of transactions, such as sales and purchase of real estate or service contracts or forgiveness of loans, could also pose risk to health of a bank. Similarly, while BA Art. 4 ter has a flexibility to cover a broad range of related parties, requirement for regulatory audit specified in the template refers to a narrower range of related parties. Also, there is no clear guidance on risk management framework required for related party transactions, such as the need to monitor the total exposure of related party exposures or the BoD to provide oversight on these transactions. Furthermore, there is no reporting requirement for banks on exposures to related parties to the supervisor, unless they are qualified as large exposure. This would inhibit monitoring by the supervisor. The assessors thus recommend the authorities update the regulatory framework regarding related party transactions, possibly in the form of a circular, which should explicitly cover a full range of transactions, stipulate requirements for policies and processes for managing the related risk, and provide reporting requirements on aggregated related party exposures to the supervisor.
Principle 21	Country and transfer risks. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate country risk59 and transfer risk60 in their international lending and investment activities on a timely basis.
Essential criteria
EC1	The supervisor determines that a bank’s policies and processes give due regard to the identification, measurement, evaluation, monitoring, reporting and control or mitigation of country risk and transfer risk. The supervisor also determines that the processes are consistent with the risk profile, systemic importance and risk appetite of the bank, take into account market and macroeconomic conditions and provide a comprehensive bank-wide view of country and transfer risk exposure. Exposures (including, where relevant, intragroup exposures) are identified, monitored and managed on a regional and an individual country basis (in addition to the end-borrower/end-counterparty basis). Banks are required to monitor and evaluate developments in country risk and in transfer risk and apply appropriate countermeasures.
Description and findings re EC1	The “Guidelines for the Management of Country Risk” issued by Swiss Bankers Association in 1997 regulates banks’ country and transfer risks. The guidelines define the minimum standard for identifying, measuring, monitoring and controlling country risks, which is explicitly defined to include transfer risks. The guidelines are binding for all banks as a minimum standard based on FINMA Circular 08/10 Self-Regulation. Regarding the risk policy the guidelines requires that: To include the strategy developed for assuming country risks, the principles for the recording (identification and measurement), management and control of country risk, as well as the organizational structures. To ensure that country risk is identified, measured, assessed, limited and controlled by all banks. The scope, degree of detail, and systems and methods must be appropriate to the extent of the business activities and their associated risks. There must be an adequate internal control system. Regarding identification and measurement: Each bank must be in a position to identify country risk exposure and monitor the performance of these positions. The assessment of country risk should be uniform within a bank and be appropriate to the size of the exposure. The basis for this could be the bank’s own country risk analyses (e.g., including classification into rating categories) or accepted externally available country assessments. Banks with considerable foreign exposure and considerable country risk have to periodically review the influence of potential credit deterioration, or payment problems of specific countries or groups of countries, on their balance sheet and P&L performance. The findings must be brought to the attention of the responsible senior management members. Foreign exposure, risk assessments and, where necessary, the results of periodic stress tests should be appropriately documented. Assessment of banks’ compliance with these minimum requirements is expected to be conducted primarily by external auditors, on which concerns are conveyed to FINMA and followed-up as described in CP 8 and 9. The Guidelines require auditors to examine whether these Guidelines have been adhered to and to record the audit results in the ordinary audit report. Also, the Standard audit strategy, Annex to FINMA Circular 13/03, requires external auditors to assess geographical risk as a part of risk concentrations in connection with lending.
EC2	The supervisor determines that banks’ strategies, policies and processes for the management of country and transfer risks have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process.
Description and findings re EC2	See EC1. In particular, the guidelines provide that: Top management, i.e., the Board of directors is responsible for the risk policy in respect of country risk; The senior management (executive board, group executive board, etc.) formulates the risk policy, which is to be approved and periodically assessed for its suitability by the Board of directors. Senior management issues instructions for the implementation of the risk policy and delegates authority for the assumption of risks. Adherence to these regulations is to be monitored. Furthermore FINMA Circular 08/24 provides similar requirements for the Board of directors regarding the overall risk management framework.
EC3	The supervisor determines that banks have information systems, risk management systems and internal control systems that accurately aggregate, monitor and report country exposures on a timely basis; and ensure adherence to established country exposure limits.
Description and findings re EC3	See EC1. In particular, the guidelines sets out the requirements as: Banks with foreign exposure must have an adequate limit system in place for country risk. The limits must be regularly reviewed and authorized by the senior management function designated for that purpose. The banks are obliged to have adequate information systems to monitor compliance with country risk limits. It must be possible to detect timely a limit violation and this should result in a report to higher authorities. The employees who are entrusted with the controlling function must have the required knowledge and must be sufficiently independent from the staff whose work they are assigned to monitor. While the guidelines do not explicitly mention the need for aggregation, it is understood to be a necessary requirement. Furthermore, there is a general requirement for adequate information systems and internal control systems as set out in FINMA Circular 08/24 Margin No. 34; they are mandatory elements of regular audit activities (FINMA Circular 13/3).
EC4	There is supervisory oversight of the setting of appropriate provisions against country risk and transfer risk. There are different international practices that are all acceptable as long as they lead to risk-based results. These include: (a) The supervisor (or some other official authority) decides on appropriate minimum provisioning by regularly setting fixed percentages for exposures to each country taking into account prevailing conditions. The supervisor reviews minimum provisioning levels where appropriate. (b) The supervisor (or some other official authority) regularly sets percentage ranges for each country, taking into account prevailing conditions and the banks may decide, within these ranges, which provisioning to apply for the individual exposures. The supervisor reviews percentage ranges for provisioning purposes where appropriate. (c) The bank itself (or some other body such as the national bankers association) sets percentages or guidelines or even decides for each individual loan on the appropriate provisioning. The adequacy of the provisioning will then be judged by the external auditor and/or by the supervisor.
Description and findings re EC4	See EC1. The Swiss practice is for the bank to set provisions and its adequacy is judged by the external auditor. The Guidelines define the following standards regarding provisioning: The banks make adequate value adjustments, on the basis of their own valuation principles. Country risk, value adjustments and provisions must be recorded such that they can easily be reviewed by the auditors. In addition, banks decide for themselves on their own provisioning against future unexpected losses on the basis of their internal risk models and within the scope of the current accounting rules (e.g., reserves for cyclical fluctuations).
EC5	The supervisor requires banks to include appropriate scenarios into their stress testing programs to reflect country and transfer risk analysis for risk management purposes.
Description and findings re EC5	As described in EC1, stress-testing of country and transfer risk, such as in cases of credit deterioration or payment problems in a country or a group of countries, is required by the Guidelines. Also, FINMA explains that country risk is prominently featured in the large banks’ stress-testing analyses where FINMA makes requests from time to time. For example, in the context of a contingency planning exercise for large banks assuming a severe European crisis, FINMA has explicitly asked for an assessment of the related country and transfer risk.
EC6	The supervisor regularly obtains and reviews sufficient information on a timely basis on the country risk and transfer risk of banks. The supervisor also has the power to obtain additional information, as needed (e.g., in crisis situations).
Description and findings re EC6	See CP 19. FINMA monitors information on country exposures provided by banks. It also required specific reporting for intra-group and interbank exposures of individual banks, banking groups and at system level on quarterly basis (ARIS Report: Exposures related to banking groups based outside Switzerland; “exposure/name of the banking Group and location”). The report is also generated on an ad-hoc basis with focus on specifically high exposure. The largest Swiss banks perform internal stress tests including, e.g., the exit of a country from the Eurozone or a market turmoil scenario. In 2012, FINMA asked the banks to perform a Eurozone crisis readiness assessment and will continue to be in close contact with the institutions to monitor their respective risk management and mitigating actions. Similarly, FINMA assesses country risk of wider groups of banks during its regular stress testing activity (see CP 15 for further references). Discussions with FINMA indicted that the recent review of mid-size banks exposure to GIIPS countries was more of an analysis of direct credit exposure than a full scenario. FINMA also informed assessors that it flexibly enhances monitoring on country and transfer risks responding to developments in the world economy. For example, the supervisory focus is currently on EU peripheral country risk where various measures has been implemented: For large banks, in addition to what mentioned above, FINMA monitors their risk exposure evolution on a monthly basis. Also, the semi-annual firm-wide stress-testing exercise (LPA) focuses on default risk of several peripheral European countries. For smaller banks, although small and medium-sized banks other than subsidiaries and branches of foreign groups generally have a low exposure to the European interbank market, it has also been the focus of stress-testing activities performed on some small and medium sized banks which are exposed to peripheral countries during the regular capital planning process. For banks whose parent companies are based in European countries that are particularly affected by the crisis, FINMA imposed limitation of intragroup exposure and introduced new monitoring and reporting tools in 2010. Since 2011 some banks must report detailed monthly information on intra-group exposures.
Assessment of Principle 21	Compliant
Comments	Additional on-site reviews by FINMA, recommended in CP8/9, could periodically cover country risk practices at banks to ensure they are adequate.
Principle 22	Market risk. The supervisor determines that banks have an adequate market risk management process that takes into account their risk appetite, risk profile, and market and macroeconomic conditions and the risk of a significant deterioration in market liquidity. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate market risks on a timely basis.
Essential criteria
EC1	Laws, regulations or the supervisor require banks to have appropriate market risk management processes that provide a comprehensive bank-wide view of market risk exposure. The supervisor determines that these processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank; take into account market and macroeconomic conditions and the risk of a significant deterioration in market liquidity; and clearly articulate the roles and responsibilities for identification, measuring, monitoring and control of market risk.
Description and findings re EC1	BO Art. 9 provides general requirements for risk management, including market risk. Its paragraph 2 refers to the need to identify, limit and control market risk. FINMA Circular 08/24 sets out more detailed guidelines for corporate governance, the supervision of business activities and internal control, and the supervision thereof by the responsible function in banks. Specifically on market risk management, FINMA Circular 08/20 “Market risks” Margin Nos. 6–13 define roles and responsibilities for positions in the trading book. The same circular also sets out a requirement that units responsible for the valuation of the positions in the trading book to be independent. Banks using a model approach to calculate their regulatory capital requirement for market risk must adhere to additional qualitative requirements set out in Circular 08/20 Margin Nos. 302–361. There are currently five banks using advanced approaches for market risk. As discussed in CP 15, the risk appetite is usually discussed by the supervisor with representatives of the BoD and senior management of a bank. Determination of whether the processes are consistent with the risk appetite, risk profile, etc. of the bank is part of the regular audit process through which compliance with these regulatory requirements is frequently assessed. Relevant regulation on the general framework is provided by FINMA Circular 11/2 “Capital buffer and capital planning” and supplemented by FINMA’s document on “Capital planning and capital planning process; description and standard requirements”. The consistency of the risk profile with the systemic importance of the bank and its capital strength are assessed mainly for the largest banks through capital planning and stress-testing process as described in the above document. For smaller banks, sensitivity analysis is conducted by FINMA and feeds into the CAMELS ratings. Adherence to the requirements of FINMA Circulars forms a part of the regular annual audit process.
EC2	The supervisor determines that banks’ strategies, policies and processes for the management of market risk have been approved by the banks’ Boards, and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process.
Description and findings re EC2	BoD has to ensure that all relevant risks are covered by the internal control system of the bank (Circular 08/24 margin No. 10). The executive board is responsible for the implementation of an effective control and reporting environment. The effectiveness of the control environment must be discussed with BoD on a regular basis (Circular 08/24 margin Nos. 80–85). As mentioned above, compliance with FINMA Circulars are assessed by external auditors through regulatory audit processes. Particularly for high risk areas, regulatory audit checks the effectiveness of the internal control system annually. For nonhigh risk areas, effectiveness is assessed on a less frequent basis.
EC3	The supervisor determines that the bank’s policies and processes establish an appropriate and properly controlled market risk environment including: (a) effective information systems for accurate and timely identification, aggregation, monitoring and reporting of market risk exposure to the bank’s Board and senior management; (b) appropriate market risk limits consistent with the bank’s risk appetite, risk profile and capital strength, and with the management’s ability to manage market risk and which are understood by, and regularly communicated to, relevant staff; (c) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board, where necessary; (d) effective controls around the use of models to identify and measure market risk, and set limits; and (e) sound policies and processes for allocation of exposures to the trading book.
Description and findings re EC3	On top of what is stipulated in BO as described in EC1, Circular 08/24 provides general expectations for risk management and Circular 08/20 focuses on trading book activities: (a) Circular 08/24 Margin Nos. 82-83 set out that a bank need to maintain an organization structure in which information flows are explicitly defined and to ensure that all relevant information on the day-to-day business is gathered, transmitted and processed. (b) BO Art. 9 para 2 provides that risk limits and strategies have to be approved by senior management. Circular 08/24 requires a bank to have control activities that review compliance with specified limits. In addition, Circular 08/20 provides specifically that a bank must have a trading strategy (Margin No. 6), position limits are laid down and compliance to them needs to be monitored (Margin No. 8), and reporting of positions to senior management should be an integral part of the bank’s risk management process (Margin No. 11). No guidance is provided on the appropriateness of market risk limits. (c) FINMA expects banks to have an adequate exception tracking and reporting process as part of the internal control system and the respective management information system as required by Circular 08/24 Margin No. 83; this provides that the senior management needs to ensure that all relevant information on the day-to-day business is gathered, transmitted and processed (management information system). On the market risk position in particular, Circular 08/20 Margin No. 11 as described above sets out a requirement for a reporting framework to senior management. (d) Circular 08/24 Margin No. 123 provides a general requirement that a bank’s control function needs to be responsible for the design and implementation of an adequate system of risk supervision, which is constantly adjusted to new business lines and products and that principles and methods for assessing risks, including validation of models, are clarified and applied. Specifically on market risk, Circular 08/20 Margin No. 10 provides that for positions marked to models, their valuation parameters must be reassessed daily. For banks using market risk models for regulatory capital purposes, the Circular sets out further detailed requirements for the controls of models, limits, among others. (e) Circular 08/20 Section C discusses allocation of positions to the trading book. In principle, a bank must define appropriate and consistent criteria for assigning positions to the trading book, and its control systems are required to ensure compliance with these criteria and the proper, accountable treatment of internal transactions (Margin No. 14). It also requires a bank to implement clearly defined instructions and procedures to determine which positions are held in trading book, including criteria for transfers of positions between the trading book and the banking book. Whether banks are complying these requirements are mainly expected to be assessed by external auditors through their regulatory audit. Also, in case of banks using advanced approaches for market risk, associated qualitative requirements are assessed by FINMA.
EC4	The supervisor determines that there are systems and controls to ensure that banks’ marked-to-market positions are revalued frequently. The supervisor also determines that all transactions are captured on a timely basis and that the valuation process uses consistent and prudent practices, and reliable market data verified by a function independent of the relevant risk-taking business units (or, in the absence of market prices, internal or industry-accepted models). To the extent that the bank relies on modeling for the purposes of valuation, the bank is required to ensure that the model is validated by a function independent of the relevant risk-taking businesses units. The supervisor requires banks to establish and maintain policies and processes for considering valuation adjustments for positions that otherwise cannot be prudently valued, including concentrated, less liquid, and stale positions.
Description and findings re EC4	Circular 08/20 Margin No. 10 requires a daily revaluation. Requirements to ensure integrity of transactions data are described in Margin Nos. 298–301. Generally, banks need to demonstrate that they have sound, documented, internally reviewed and approved processes that guarantee all transactions are fully, accurately, and promptly captured, evaluated, and prepared for risk measurement. Manual corrections of data need to be documented, so that the cause and the exact content of the correction can be checked. Specifically, the following principles apply: All transactions should be reconciled daily with the counterparty. Transactions should be confirmed and reconciled by a unit that is independent of the trading department. Discrepancies should be resolved immediately; Procedures must be in place to ensure that the data used in the valuation models are adequate, consistent, constant, up-to-date, and independent; and All positions should be prepared in such a way that all aspects of risk are fully captured. These requirements are not only applicable to banks using a model approach for market risk, but also for banks using the standardized approach. (Margin No. 64) Regarding the valuation process, Circular 08/20 Margin Nos. 32–48 provide specific detailed requirements for valuation of trading assets stipulating that banks must have appropriate systems and controls to ensure prudent and reliable valuations. This systems and controls should consist of, among others, documented guidelines and procedures for the valuation process and reporting by the unit responsible for the valuation that are independent of the trading activity right up to the senior management level. Valuation by an independent unit is also required at least monthly. The requirements for the use of valuation models are also set out in Circular 08/20. As noted above, Margin No. 41 requires approval of the valuation model in use by an independent unit. For those positions which require particular guidance for prudent valuation, Margin Nos. 46–48 stipulates requirements regarding valuation adjustments. According to these, banks must have instructions in place covering how valuation adjustments are to be taken into account at least in the following cases: credit spreads not yet assumed; settlement costs; operational risks; early redemptions; investment and refinancing costs; future administration costs; and where appropriate, model risks (Margin No. 46). Regarding valuation adjustments for less liquid positions, the time required to hedge a position, average volatility of the bid-offer spreads, availability of independent market prices and the extent of marking to model need to be considered in determining the necessity for adjustments. For large positions and less liquid holdings, the fact that settlement prices are more likely to be unfavorable should be taken into account (Margin No. 47). For complex instruments (such as securitization positions and nth-to-Default credit derivatives), a bank must consider the need for valuation adjustments to reflect the model risk associated with the use of a potentially incorrect valuation method and the risk arising from the use of non-observable (and potentially incorrect) calibration parameters for the valuation model. Whether banks follow these practices are primarily assessed through regulatory and financial audits by external auditors. Review of supervisory files as well as discussion with banks and auditors confirm that external auditors are conducting in-depth assessments on market risk particularly where models are used for calculation of regulatory capital.
EC5	The supervisor determines that banks hold appropriate levels of capital against unexpected losses and make appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities.
Description and findings re EC5	Capital adequacy under adverse scenarios is assessed during the capital planning process required by Circular 11/2 “Capital buffer and capital planning”. Capital plans are reviewed by FINMA for banks in category 1 and selected banks in categories 2 and 3. For the remaining banks, the capital planning process is assessed as part of the annual regulatory audit process performed by the external audit firm, and only reviewed by FINMA if there are indications that a bank is holding only a small capital buffer in excess of the requirements. In addition, Category 1 banks have to participate in a semi-annually loss potential analysis (LPA), where FINMA prescribes the relevant scenarios to be used for stress testing calculations by banks. As described above, the determination of appropriate valuation adjustments for uncertainties is covered by Circular 08/20 Margin No. 47 and accounting standards. FINMA explains that it sees further supervisory guidelines are ultimately necessary to ensure that valuation adjustments beyond those required by accounting standards are adequate and done consistently among banks. It has thus initiated a project and intends to refer to the forthcoming EBA guidelines on the issue.
EC6	The supervisor requires banks to include market risk exposure into their stress testing programs for risk management purposes.
Description and findings re EC6	See answer to EC1 and EC 5. FINMA understands that not conducting stress testing despite significant positions would for instance be a violation of Circular 08/24 Margin Nos. 10, 81, and 123. Moreover, as mentioned in EC5, for category 1–3 banks, FINMA is frequently reviewing the capital planning process for larger banks, which includes effects of adverse scenarios. FINMA expects banks with significant market risks to include appropriate stress assumptions in these adverse scenarios. Regulatory auditors are not expected to sign off their audit reports without this stress testing. For the largest banks, market stress scenarios are provided as a part of loss potential analysis (LPA) stipulated by FINMA.
Assessment of Principle 22	Compliant
Comments
Principle 23	Interest rate risk in the banking book. The supervisor determines that banks have adequate systems to identify, measure, evaluate, monitor, report and control or mitigate interest rate risk61 in the banking book on a timely basis. These systems take into account the bank’s risk appetite, risk profile and market and macroeconomic conditions.
Essential criteria
EC1	Laws, regulations or the supervisor require banks to have an appropriate interest rate risk strategy and interest rate risk management framework that provides a comprehensive bank-wide view of interest rate risk. This includes policies and processes to identify, measure, evaluate, monitor, report and control or mitigate material sources of interest rate risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the risk appetite, risk profile and systemic importance of the bank, take into account market and macroeconomic conditions, and are regularly reviewed and appropriately adjusted, where necessary, with the bank’s changing risk profile and market developments.
Description and findings re EC1	FINMA Circular 08/6 “Bank interest rate risks” sets out comprehensive and detailed requirements regarding interest rate risk in the banking book: The Board of directors, based on the bank’s business strategy, are required to approve the risk policy, the key elements of provisions on limits (including the measurement method), and the most essential reporting points. Based on these, banks are required to determine the extent to which risks are to be assumed and/or hedged and in which markets. The risk policy also needs to define the basic authorities and responsibilities regarding identifying, measuring, managing, and monitoring interest rate risks. There should be global limits (and potentially limits per currency), defined according to the measurement system, and set according to the bank’s capital funding and the anticipated future earnings position (Margin No. 20). The Board of directors must be informed of the bank’s interest rate risks on a regular basis (Margin No. 21). At least an annual review and updating of risk policy and practice needs to be undertaken by the Board of directors, and an independent information system that periodically provides meaningful, level-specific, and timely information about the risk and earnings situation is also required (Margin No. 22). Senior management is responsible for ensuring the implementation of and compliance with the risk policy approved by the Board of directors, and it needs to set rules regarding (Margin 23): the function and responsibility of individual work units, employees, and committees, including the control function, and the resulting responsibilities and accountability; the counterparties with which negotiations may be conducted; suitable systems and standards for risk measurement, including reviews of the assumptions and models applied; permissible instruments and hedging strategies; the amount of permissible risk positions according to type of transaction and product (limit system) within the global limits approved by the board of directors; authorities and procedures when limits and authorities are exceeded; the performance, analysis, and reporting of stress tests standards for the evaluation of positions; notification of interest rate risks; organizational prerequisites for effective independent control; and analysis of the income and asset effects. These elements are assessed through regulatory audits by external auditors. FINMA particularly emphasize the need to assess the integrity of banks’ data. Also, FINMA conducted an on-site review on the issue on several banks in 2011.
EC2	The supervisor determines that a bank’s strategy, policies and processes for the management of interest rate risk have been approved, and are regularly reviewed, by the bank’s Board. The supervisor also determines that senior management ensures that the strategy, policies and processes are developed and implemented effectively.
Description and findings re EC2	See EC1. The circular stipulates that the Board of directors need to approve risk policy regarding interest rate risk that includes key strategy, policies and processes. An annual review by the Board is also required. For senior management, the Circular also sets out its responsibility to develop and implement detailed strategy, policies and processes. These elements are reviewed by external auditors during regulatory audits.
EC3	The supervisor determines that banks’ policies and processes establish an appropriate and properly controlled interest rate risk environment including: (a) comprehensive and appropriate interest rate risk measurement systems; (b) regular review, and independent (internal or external) validation, of any models used by the functions tasked with managing interest rate risk (including review of key model assumptions); (c) appropriate limits, approved by the banks’ Boards and senior management, that reflect the banks’ risk appetite, risk profile and capital strength, and are understood by, and regularly communicated to, relevant staff; (d) effective exception tracking and reporting processes which ensure prompt action at the appropriate level of the banks’ senior management or Boards where necessary; and (e) effective information systems for accurate and timely identification, aggregation, monitoring and reporting of interest rate risk exposure to the banks’ Boards and senior management.
Description and findings re EC3	As noted in EC1 and EC2, Circular 08/06 provides a comprehensive and detailed set of requirements regarding interest rate risks. For the risk measurement system, it must: record all essential interest rate risks of a bank arising from assets, liabilities, and offbalance-sheet positions; include parameters and assumptions that are substantiated, appropriately documented, and periodically reviewed as to their appropriateness; depict interest rate risks in the form of fluctuations both in interest income and in the present value of equity; record all essential types of interest rate risks, i.e., repricing, basis, and options; cover all of a bank’s interest rate-sensitive positions; and closely analyze instruments that could significantly influence a bank’s overall position, particularly instruments with significant implicit options. (Margin Nos. 29-30). On review and validation of models, there are five to six banks using models for IRRBB. The circular requires paying particular caution against techniques that use complex simulations and requires senior management and the risk management function to have precise knowledge of the most important assumptions and review them periodically, at least annually. Furthermore, such assumptions needs to be well documented, and their significance must be clear to all involved parties. (Margin No. 38). On limits, the Board of directors is required to set major limits and the senior management to provide and implement a system of limits (See EC1). The Circular specifically stipulates additionally that the goal of risk management is to keep a bank’s interest rate risk within certain parameters established by the bank itself in the event of a number of possible changes in interest rates, and that this goal is achieved using a system of limits. It thus requires a system of limits to enable senior management to control the risk exposure and to measure the actually incurred risks based on tolerances that have been established by the board of directors (Margin No. 39). On exception tracking and limits, Margin No. 45 of the circular stipulates that clear principles must be established for what action is to be taken if limits are exceeded - i.e., whether minor deviations over a short period can be tolerated and how senior management is to be informed. It also requires that if the global limits set by the Board of directors are exceeded, the responsible persons in senior management and on the Board of directors must be notified without delay. On information system, the Circular Margin No. 48 states that a precise, meaningful, and timely management information system is of key importance to the monitoring and control of interest rate risks and requires that the system must provide information to the responsible members of senior management on a weekly basis and also support the monitoring of compliance with the policy established by the Board of directors. It also sets out that to allow senior management to evaluate the form and amount of the interest rate risks, the reports produced by the system should be formulated both in aggregate form and with an adequate degree of detail and that reporting must take place regularly, and the current risk exposure must be compared to the limits. Margin No. 49 provides a set of requirements for internal reporting, including a requirement that reports must be discussed by the Board of directors on a regular basis, and that body’s decisions must be recorded. It requires that the reports should include: overview of the total interest rate risk incurred by the bank; report on how the internal rules and limits are being complied with; results of stress tests; and summary of the results of reviews of the internal rules regarding interest rate risks and of the adequacy of the systems for measuring interest rate risks, including any findings by internal auditors, external auditors, or engaged consultants. Compliance to these requirements is assessed through regulatory audits by external auditors. (Margin No. 52).
EC4	The supervisor requires banks to include appropriate scenarios into their stress testing programs to measure their vulnerability to loss under adverse interest rate movements.
Description and findings re EC4	Circular 08/06, Margin Nos. 46–47 (stress test) provides comprehensive and detailed requirements for stress testing on interest rate risk. They provide that stress tests must consider scenarios that lead to extraordinary losses for the bank and for that extreme changes in market risk factors as well as scenarios need to be covered that deemed to be especially serious in view of the bank-specific risk positions. Possible stress scenarios listed as examples are: an abrupt change in the general interest rate level; a change in the relationship among important market interest rates (basis risk); changes in the slope and shape of the yield curve; a decrease in the liquidity of important financial markets; and a change in the volatilities and correlations of market interest rates. They also require that: the stress testing to take into account of factors such as sudden changes in assumptions and parameters during crisis situations, in particular for assumptions used for illiquid instruments and core deposit products and instruments or markets in which concentrations exist; a worst-case scenario as well as a more likely, less extreme event to be tested; and senior management to periodically review the design and results of stress tests, to remain informed about their effects on the bank’s earnings and financial position, and to ensure that appropriate measures are taken.
Additional criteria
AC1	The supervisor obtains from banks the results of their internal interest rate risk measurement systems, expressed in terms of the threat to economic value, including using a standardized interest rate shock on the banking book.
Description and findings re AC1	Circular 08/6, Margin No. 53 require banks to report to SNB information regarding interest rate risk, quarterly for solo basis and semiannually for group-wide basis. These are set out in Standardized reporting and used by FINMA for analysis of outliers.
AC2	The supervisor assesses whether the internal capital measurement systems of banks adequately capture interest rate risk in the banking book.
Description and findings re AC2	See AC1. FINMA sets up a standardized supervision policy in order to identify outlier institutions, to harmonize supervisory actions, and to calibrate Pillar 2 capital surcharges for institutions with elevated IRRBB exposures. This policy defines a set of risk indicators for outlier identification, based on a present value sensitivity in relation to eligible regulatory capital reported by banks, and a parallel IR shift. FINMA’s main supervisory measures include the analysis of alternative replication assumptions (average industry replication portfolio/standard durations specified by FINMA), of individual currencies and re-pricing maturity types, of IRR in proportion to capitalization, and of IRR in proportion to interest income (risk/return ratio). These analyses are done on individual banks quarterly, on banking group semi-annually, and also on the system level.
Assessment of Principle 23	Compliant
Comments	FINMA should update its thematic reviews of IRRBB for smaller and mid-size banks, particularly those in Categories 4 and 5, to ensure that their stress scenarios in capital planning are sufficiently adverse and that risk management is appropriate.
Principle 24	Liquidity risk. The supervisor sets prudent and appropriate liquidity requirements (which can include either quantitative or qualitative requirements or both) for banks that reflect the liquidity needs of the bank. The supervisor determines that banks have a strategy that enables prudent management of liquidity risk and compliance with liquidity requirements. The strategy takes into account the bank’s risk profile as well as market and macroeconomic conditions and includes prudent policies and processes, consistent with the bank’s risk appetite, to identify, measure, evaluate, monitor, report and control or mitigate liquidity risk over an appropriate set of time horizons. At least for internationally active banks, liquidity requirements are not lower than the applicable Basel standards.
Essential criteria
EC1	Laws, regulations or the supervisor require banks to consistently observe prescribed liquidity requirements including thresholds by reference to which a bank is subject to supervisory action. At least for internationally active banks, the prescribed requirements are not lower than, and the supervisor uses a range of liquidity monitoring tools no less extensive than, those prescribed in the applicable Basel standards.
Description and findings re EC1	BA Art. 4 sets out the requirement for banks to maintain adequate liquidity and gives the Federal Council to establish a minimum requirement. The Liquidity Ordinance (LO) provides concrete minimum quantitative requirements for non-systemically banks. These requirements are, however, currently in a transition phase in preparation of the LCR introduction in 2015. Additional and stricter quantitative liquidity requirements for the two large banks are in place since 2010 based on FINMA’s communication to the two banks, which was then included in LO. The quantitative requirement for ordinary banks is set out in LO Arts. 12–17. It aims to ensure that banks have a certain amount of liquid assets compared to its short-term liabilities, with particular focus on liabilities that matures within one month. The detailed designs are as follows: Liquid assets should be at least 33 percent of short-term liability. Liquid assets consist of cash, precious metals, assets eligible for SNB operations, debt instruments issued by domestic borrowers that are traded in a representative market (except a bank’s own and other related companies’ debt instruments), debt instruments of foreign countries and other corporate entities subject to public law traded in a representative market, debt instruments and acceptances of first-class foreign banks and other equivalent securities falling due within six months, current accounts receivable and advances falling due within one month that are covered by central bank eligible assets or domestic debt instruments traded in a representative market. Short-term liabilities consist of 50 percent of the demand deposits as well as other accounts or passbook accounts with no withdrawal restrictions and 15 percent of the deposits on savings and passbook accounts as well as on similar accounts with withdrawal restrictions (with no tied pension assets). For assets and liabilities that mature within one month, their difference (net amount) will be added to liquid assets if positive and to short-term liabilities if negative. Banks need to report the status of liquidity to FINMA quarterly. This requirement is only applied to Swiss operations. All banks have substantially higher amount of liquid assets than required by this rule, which is not used for banks for their international liquidity management anymore. Still, this ratio feeds into the CAMELS rating. This quantitative minimum requirement will be replaced by the LCR at the beginning of 2015. A test-reporting on the LCR has been started with almost 40 banks and FINMA regards that it has increasingly become, already prior to its introduction, the benchmark for the assessment of the liquidity risk situation with the results being used by supervisors in their discussions with the banks. Starting July 2013, the LCR reporting is extended to all banks in Switzerland. Reporting frequency is monthly. Although the average ratio is above 60 percent, there is a wide difference among banks. A specific quantitative liquidity requirement for the two large banks was introduced in 2010 (BA Art. 9 para 2b); details are provided in LO Arts. 19–28. This requirement is conceptually based on the LCR. Its main features are as follows: Banks are required to continuously maintain liquidity buffers that cover net expected outflows under stress for the periods of seven days as well as 30 days. Net outflow is calculated in a similar manner with LCR; balance sheet items both on the asset side and the liability side are multiplied by different factors reflecting different natures of assets and liabilities under a stress scenario assuming banks are losing access to unsecured financing in the markets and there is a large-scale withdrawal of deposits. Central bank standing facilities within the agreed limits that are still open as well as the exceptional liquidity facility for which arrangements have been made in the coverage for outflows of liquidity—up to the amount that is still available—can be counted to reduce the net outflow for both seven day horizon scenario and 30-day scenario. Assets that are eligible for the liquidity buffer are categorized to two components: the primary component is similar to Level 1 HQLA in the LCR framework and includes such assets as government and central bank bonds, certain kinds of mortgage backed securities, and central bank reserves; the secondary component is comparable to Level 2 HQLA and consists of corporate bonds with high ratings, listed stocks, mortgage backed securities not included in the primary component, among others. Different haircut ratios are applied to reflect their expected liquidity during stress periods. For the seven-day horizon scenario, at least 75 percent of the gap needs to be filled by the primary component liquidity buffer, whereas for the 30-days horizon scenario it is 50 percent. Banks need to report monthly the situation of liquidity before the end of next month. In addition, if the requirements are breached or expected to be breached, banks need to report to FINMA and SNB immediately. Given the introduction of LCR in 2015, FINMA is currently studying if this requirement is more conservative, equivalent, or less conservative compared to the LCR, in order to determine whether to continue to apply this requirement for the two big banks in addition to LCR. Generally speaking, Compared to LCR, this requirement has: generally higher run-off ratios (retail deposits assigned 15 percent to 30 percent runoff ratios compared to three to ten percent in LCR); lower inflow rates for some cash inflows (zero percent for retail loans compared to 50 percent in LCR) but higher for maturing securities lending; and higher haircut ratio for some high quality assets (five percent for domestic sovereign bonds compared to zero percent in LCR) but lower for some (10 percent for Swiss covered bonds compared to 15 percent in LCR). FINMA uses a range of liquidity monitoring tools beyond the regulatory liquidity requirements (e.g., banks internal stress models) for the two big banks and for selected other banks. In addition to these quantitative requirements, qualitative requirements for liquidity management are set in LO as well as Circular 13/06 “Liquidity”. The qualitative Basel Sound Principles are already effective for systemically important banks. They will become effective for all other banks at the beginning of 2014.
EC2	The prescribed liquidity requirements reflect the liquidity risk profile of banks (including on- and off-balance sheet risks) in the context of the markets and macroeconomic conditions in which they operate.
Description and findings re EC2	The quantitative liquidity requirement for all banks focuses on deposit withdrawal and maturing short term funding. It does not cover liquidity needs arising from off-B/S items. However, as noted above, this requirement will be replaced by LCR from 2015, which (through the calibration and stress testing requirements) reflects risk profile of banks and includes off-balance sheet risks. The quantitative liquidity requirement for systemically important banks is, in contrast, tailored to a market-wide and idiosyncratic liquidity stress event, where different calibration of inflows and outflows compared from the LCR is provided. Off-B/S liquidity needs are also explicitly considered in this requirement. The qualitative requirements set out in LO as well as Circular 13/06 provides that the liquidity risk management practices of all banks have to reflect the liquidity risk profile of banks. For example, banks are required to include idiosyncratic, market-wide and combined sources and factors of liquidity risk in their stress-testing models. (LO Art. 9).
EC3	The supervisor determines that banks have a robust liquidity management framework that requires the banks to maintain sufficient liquidity to withstand a range of stress events, and includes appropriate policies and processes for managing liquidity risk that have been approved by the banks’ Boards. The supervisor also determines that these policies and processes provide a comprehensive bank-wide view of liquidity risk and are consistent with the banks’ risk profile and systemic importance
Description and findings re EC3	As noted in above, LO and Circular 13/06 stipulates elements required in a liquidity management framework in banks. Particularly, LO Art. 6 provides that banks shall: define the extent to which they are prepared to assume liquidity risks (their liquidity risk tolerance); establish strategies for the management of liquidity risk in accordance with their liquidity risk tolerance; and take into account the liquidity costs and liquidity risks associated with all of their material balance-sheet and off-balance sheet business lines, and in particular in the process of price-setting, in the introduction of new products, and in the measurement of earnings. Similarly, Art. 7 provides that banks shall: establish sound processes for the identification, assessment, management, and monitoring of liquidity risks; identify, manage, and monitor liquidity risk exposures and funding needs within the entire financial group and across legal entities, business lines, and currencies that are significant in terms of liquidity risk, taking into account legal, regulatory, or operational limitations with regard to the transferability of liquidity; identify, manage, and monitor their intraday liquidity risk exposures; and manage assets that serve to generate liquidity, differentiating between encumbered and unencumbered assets. In addition, Circular 13/06 requires: Banks to have liquidity risk management processes integrated into the bank-wide risk management process (Margin No. 11); Liquidity risk management should aim to ensure banks’ continuous solvency during bank-specific and/or market-wide stress periods (Margin No. 12); The Board of directors to set the liquidity risk tolerance and ensure compliance to it (Margin No. 13); and Senior management or a committee directly reporting to senior management to develop liquidity risk management strategy and processes (Margin No. 15). The proportionality principle is explicitly noted in the Circular, stating that qualitative requirements for liquidity risk management shall apply depending on size, complexity and inherent risk of banks, and that small banks shall be exempted from the implementation of their certain aspects. Compliance to these risks is expected to be assessed primarily through regulatory audits, but the FINMA has also carried out a survey for banks to assess their preparedness to the qualitative requirements. Its liquidity experts are also working with external auditors to establish a common understanding on the qualitative requirements. Also see CP 15.
EC4	The supervisor determines that banks’ liquidity strategy, policies and processes establish an appropriate and properly controlled liquidity risk environment including: (a) clear articulation of an overall liquidity risk appetite that is appropriate for the banks’ business and their role in the financial system and that is approved by the banks’ Boards; (b) sound day-to-day, and where appropriate intraday, liquidity risk management practices; (c) effective information systems to enable active identification, aggregation, monitoring and control of liquidity risk exposures and funding needs (including active management of collateral positions) bank-wide; (d) adequate oversight by the banks’ Boards in ensuring that management effectively implements policies and processes for the management of liquidity risk in a manner consistent with the banks’ liquidity risk appetite; and (e) regular review by the banks’ Boards (at least annually) and appropriate adjustment of the banks’ strategy, policies and processes for the management of liquidity risk in the light of the banks’ changing risk profile and external developments in the markets and macroeconomic conditions in which they operate.
Description and findings re EC4	See EC3. Particularly, LO Art. 6 and Circular 13/06 Margin Nos. 13 and 14 set out requirements for banks’ BoD to: establish liquidity risk tolerances; ensure that strategies, policies and processes are consistent with the risk tolerance; and review the risk tolerances, strategies and policies at least annually. On day-to-day/intraday risk management practices, LO Art. 7 and in particular Circular 13/06 Margin No. 16 requires senior management to set, among others, policies and processes for allocation of liquidity risk to various business lines, intraday management, and setting limits and the escalation procedures. The Circular further provides detailed guidance on these issues. On the need for effective information system, Circular 13/06 Margin No. 21 requires the liquidity risk management and control process to include information system to ensure the timely measurement, monitoring and reporting of liquidity positions in comparison with the established limits.
EC5	The supervisor requires banks to establish, and regularly review, funding strategies and policies and processes for the ongoing measurement and monitoring of funding requirements and the effective management of funding risk. The policies and processes include consideration of how other risks (e.g., credit, market, operational and reputation risk) may impact the bank’s overall liquidity strategy, and include: (a) an analysis of funding requirements under alternative scenarios; (b) the maintenance of a cushion of high quality, unencumbered, liquid assets that can be used, without impediment, to obtain funding in times of stress; (c) diversification in the sources (including counterparties, instruments, currencies and markets) and tenor of funding, and regular review of concentration limits; (d) regular efforts to establish and maintain relationships with liability holders; and (e) regular assessment of the capacity to sell assets.
Description and findings re EC5	FINMA expects funding strategies, policies and processes to be covered in the overall liquidity risk management frameworks described in above ECs. (Circular 13/06, Margin Nos. 15 and 16) On the analysis of funding requirements under alternative scenarios, stress testing requirements for liquidity risk covers impacts on funding under different scenarios according to the principle of proportionality. In particular, Circular 13/06 Margin No. 46 provides that stress scenarios should include deterioration in market conditions or rapid withdrawal of deposits. Also see EC 7. On the maintenance of a liquidity cushion, LO Art. 2 stipulates that a bank must have an adequate, sustainable liquidity reserve to address rapidly deteriorating liquidity situations. Further, Circular 13/06 provides qualitative requirements to maintain liquidity reserves that are sufficiently large and composed of sustainable assets. (Margin Nos. 36–40) It requires, among others, that the reserves are to be based on the banks’ business models and liquidity characteristics as well as the results of stress tests. Circular13/06 requires banks to limit and monitor large exposures to specific financing sources and maturities by taking appropriate measures. It requires diversification in terms of maturity, types of counterparties, instruments, markets, or currencies. Adequate measures could include, for instance, the setting of exposure limits. (Margin No. 32) Small banks not active in capital markets and trading or those that do not rely on market funding or funding by institutional investors are exempted from these requirements (Margin No. 33). The circular requires banks to regularly estimate how quickly liquidity can be generated from relevant financing sources that are available to it in stress situations, and particularly for those relying on funding by institutional investors through markets to assess the consequences of the case where such funding become impossible. (Margin Nos. 34–35) FINMA understands regular efforts to establish and maintain relationships with liability holders are in particular important for banks that rely on short term wholesale funding markets. There is an expectation that the two large banks have to fully adhere to Principle 7 of the BCBS’s Principles on Sound Liquidity Management and Supervision. Small and medium-sized banks that are mainly active in the mortgage market and that do not rely on short-term wholesale funding markets do not have to take that requirement into account, as FINMA assumes their funding channel through Swiss covered bonds, which are guaranteed by one of the two covered bond issuance institutions, would continue to be available. All other banks have to adhere to that requirement according to the principle of proportionality. In terms of assessment of capacity to sell assets, although the two large banks have to adhere entirely to the above mentioned BCBS Principles and as such have to assess the capacity regularly, this is not the case for other banks. FINMA sees limited benefits in assessing the capacity regularly, as it believes occasional use of potential funding sources does not provide any assurance that the funding will be available during a crisis.
EC6	The supervisor determines that banks have robust liquidity contingency funding plans to handle liquidity problems. The supervisor determines that the bank’s contingency funding plan is formally articulated, adequately documented and sets out the bank’s strategy for addressing liquidity shortfalls in a range of stress environments without placing reliance on lender of last resort support. The supervisor also determines that the bank’s contingency funding plan establishes clear lines of responsibility, includes clear communication plans (including communication with the supervisor) and is regularly tested and updated to ensure it is operationally robust. The supervisor assesses whether, in the light of the bank’s risk profile and systemic importance, the bank’s contingency funding plan is feasible and requires the bank to address any deficiencies.
Description and findings re EC6	LO Art. 10 stipulates that every bank shall prepare a contingency plan that contains effective strategies for dealing with liquidity shortages and banks shall establish the relevant responsibilities, lines of communication, and the necessary measures in the appropriate form in their internal guidelines and instructions. Further guidance is provided by Circular 13/06 Margin Nos. 48–53. The guidance provides that the plans should: be documented (Margin No. 53); include possible actions depending on the level of escalation or the stress event (Margin No. 49 c); include clear definition of roles and assignment of responsibilities (Margin No. 49 e); include clear procedures, decision tress and reporting duties as well as clearly developed and defined communication paths and strategies for information flow to external and internal parties (including FINMA) in the event of an emergency (Margin Nos. 49 f, 49 g, and 50); and be reviewed annually and updated accordingly (Margin No. 51). Currently, for the two large banks the external auditors assess annually the feasibility of the funding plan and whether there exists deficiencies that require the banks’ attention.
EC7	The supervisor requires banks to include a variety of short-term and protracted bank-specific and market-wide liquidity stress scenarios (individually and in combination), using conservative and regularly reviewed assumptions, into their stress testing programs for risk management purposes. The supervisor determines that the results of the stress tests are used by the bank to adjust its liquidity risk management strategies, policies and positions and to develop effective contingency funding plans.
Description and findings re EC7	LO Art. 9 stipulates that every bank must establish various stress scenarios for liquidity risks and perform stress tests of their liquidity positions based on these scenarios. It also requires that, in this process, banks shall take into account the cash flows on off-balancesheet items and other contingent liabilities, including those involving securitization specialpurpose entities and other special-purpose entities that a bank uses to generate liquidity or under which a bank is required to provide material liquidity assistance either contractually or due to reputation considerations. Regarding stress scenarios, the Art. requires the following to be taken into account: institution-specific, market-wide, and combined causes and factors; time horizons of varying length; and varying degrees of severity for stress events, including a scenario involving a loss of unsecured financing as well as cutbacks in secured financing. It also requires that the assumptions involved in the scenarios, in particular those relating to cash flows and the liquidity value of assets in the case of a stress event must be reviewed regularly following the onset of a stress event. Further detailed requirements are provided by Circular 13/06 Margin Nos. 41–47. In particular, it requires that the results of stress tests to be used to understand the bank’s liquidity situation vis-à-vis its liquidity risk tolerance as well as its liquidity buffer and to set exposure limits and that the results must be reported to the Board at least annually. In terms of stress testing scenarios, it requires scenarios to: be based on historical events, case studies, and/or hypothetical models; cover all the potential material liquidity risks; cover both short-term and long-term liquidity shortages; and have parameters that are as conservative as possible. The Circular also provides that small banks can choose one scenario (based on LCR) if they can prove that one scenario is sufficient given their business model. In case of the two big banks, intense and continuous stress-testing dialogue between banks and FINMA are taking place on various aspects of their stress testing including the design of the internal stress-testing models, the assumptions, the bank internal “use test” and their relation to the contingency funding plans. For other banks, while there is no systematic assessment, FINMA has started supervisory reviews on the liquidity situation of a selected number of banks based on LCR reporting results.
EC8	The supervisor identifies those banks carrying out significant foreign currency liquidity transformation. Where a bank’s foreign currency business is significant, or-the bank has significant exposure in a given currency, the supervisor requires the bank to undertake separate analysis of its strategy and monitor its liquidity needs separately for each such significant currency. This includes the use of stress testing to determine the appropriateness of mismatches in that currency and, where appropriate, the setting and regular review of limits on the size of its cash flow mismatches for foreign currencies in aggregate and for each significant currency individually. In such cases, the supervisor also monitors the bank’s liquidity needs in each significant currency, and evaluates the bank’s ability to transfer liquidity from one currency to another across jurisdictions and legal entities.
Description and findings re EC8	LO Art. 7 para 2 sets out a general requirement for banks to identify, manage, and monitor liquidity risk exposures and funding needs across currencies that are significant in terms of liquidity risk, taking into account legal, regulatory, or operational limitations with regard to the transferability of liquidity. Circular 13/06 further requires banks with significant assets or liabilities in foreign currencies and considerable mismatches in terms of both maturities and currencies of these foreign currency assets and liabilities to: carry out adequate processes to manage its foreign currency liquidity in the most important currencies in order to ensure fulfillment of its commitments; include in the process at the least a separate overview of liquidity developments for each currency, separate stress tests for these foreign currencies, and explicit consideration in a contingency plan set up for periods of inadequate liquidity; monitor developments in liquidity on foreign exchange swap markets and the ability to exchange currencies in a timely manner and be ready to take proper measures; and integrate into the stress tests scenarios affecting foreign exchange swap markets that intensify mismatches between currencies and cause unexpected price volatilities. In addition, LCR by currency for the two large banks are introduced at the beginning of 2012 as a monitoring tool. Also, through the stress testing dialogue with the banks described in EC7, FINMA requires to include a FX swap market shock scenario in their stress-testing models. For other banks, as a part of measures for the LCR monitoring period, FINMA has also introduced a LCR by currency reporting under the requirements stipulated in the Basel text (i.e., for all significant currencies, where significant means that the aggregate liabilities denominated in that currency amount to 5 percent or more of the bank’s total B/S).
Additional criteria
AC1	The supervisor determines that banks’ levels of encumbered balance-sheet assets are managed within acceptable limits to mitigate the risks posed by excessive levels of encumbrance in terms of the impact on the banks’ cost of funding and the implications for the sustainability of their long-term liquidity position. The supervisor requires banks to commit to adequate disclosure and to set appropriate limits to mitigate identified risks.
Description and findings re AC1	Circular 13/06 provides that banks have to evaluate the extent of legal, regulatory or operational restrictions to use the “liquidity reserve” and acceptability of assets by counterparties as collateral. Also, when LCR is formally adopted as a minimum standard, the operational criteria for HQLA which cover the issue of encumbrance will also come into effect. In addition, monitoring of unencumbered liquid assets is undertaken for the two big banks. With these banks, the supervisor discusses their overall level of encumbrance frequently. Currently, a 30 percent ceiling for covered bond issuance to total mortgage loans is imposed for these big banks, which is reviewed regularly. However, assessment of the level of encumbrance in regard to its impact to long-term cost and availability of funding from unsecured creditors are not required or undertaken. Neither disclosure of the level of encumbrance nor setting limits to encumbrance is currently required, but banks in Categories 1 and 2 disclose information on their encumbered/pledged mortgages in their covered bond programs as required by accounting standards.
Assessment of Principle 24	Largely Compliant
Comments	While the new draft Circular 13/06 covers substantial parts of the requirements set out in this principle and is a substantial improvement, there are still some elements that are lacking in the assessors view, such as the need for banks to establish liquidity risk appetites (not just liquidity risk tolerance) or to monitor and assess adequacy of the level of overall encumbrance. Also, the assessors were not able to assess the actual application of this circular as banks are only required to adhere to qualitative requirements set out in the circular by beginning of 2014. Moreover, the assessors view exempting small banks from a qualitative requirement on diversification of the financing structure is not warranted, as even a small bank could face problems if it is relying on a few large depositors for funding. The assessors also see application of outdated quantitative requirements (and their use in the FINMA internal rating system) except for the largest banks as a problem, although the current authorities’ plan to implement LCR according to internationally agreed schedule will improve the framework substantially. Looking forward, the assessors believe effective and rigorous implementation of Circular 13/06 as well as understanding banks’ LCR data would be critical. Particularly on the former, the assessors recommend FINMA to have close dialogue with banks as well as external auditors to set a clear expectation regarding qualitative requirements, building on efforts currently being made. This is especially needed in applying the principle of proportionality. FINMA needs to monitor how the proportionality is interpreted by banks and auditors and to ensure that this is not used as an excuse for applying a weak risk management framework. FINMA may also want to review the status of implementation of the circular after a few years and revise it to reflect as needed.
Principle 25	Operational risk. The supervisor determines that banks have an adequate operational risk management framework that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk62 on a timely basis.
Essential criteria
EC1	Law, regulations or the supervisor require banks to have appropriate operational risk management strategies, policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the bank’s risk profile, systemic importance, risk appetite and capital strength, take into account market and macroeconomic conditions, and address all major aspects of operational risk prevalent in the businesses of the bank on a bank-wide basis (including periods when operational risk could increase).
Description and findings re EC1	As in other risk areas, FINMA Circular 08/24 provides a general requirement for risk management and control for all risk areas, including operational risk. Circular 08/21 “Operational risk” covers specific requirements for operational risk. Circular 08/24 Margin Nos. 121 to 124 set out the following requirements for general risk management strategies, policies and processes: Tasks, responsibilities and reporting are to be established in a regulation that is to be approved by senior management or BoD. As an independent control function, the risk control function monitors the risk profile of the institution. It prepares the risk information necessary for monitoring risks and lays the foundations for the institution’s risk policy, risk appetite and its risk limits, which are to be approved by senior management or the BoD. The responsibilities of the risk control function include the design and implementation of an adequate system of risk supervision and its constant adjustment to new business lines and products, the standardization and application of principles and methods for assessing risk (e.g., valuation and aggregation methods, validation of models), as well as the monitoring of adequate systems to assess the requirements concerning capital adequacy, large exposures and liquidity. Risk control, at a minimum on a semi-annual basis, submits a report on risks and risk positions, respectively, to senior management. In the case of unusual developments, it informs senior management and the internal audit function immediately. Appendix 1 to Circular 08/21 provides basic qualitative requirements applicable to banks, although those using Basic Indicator Approach of Basel II and whose required capital is less than a certain amount are exempted from the requirements. In particular, Margin Nos. 2, 6, and 7 detail further operational risk specific requirements as: BoD must be aware of its bank’s material operational risk. It must—directly or by way of a committee—approve written policies for the treatment of operational risk and review those policies periodically. Such policies concern identifying, assessing, monitoring, and controlling operational risk and measures to reduce the operational risk exposure. Banks must systematically monitor their operational risk profile and their material operational risk. Senior management and BoD must be kept up-to-date about the corresponding results so that they can proactively determine measures to be taken as needed. Banks must have frameworks and concrete measures to monitor and/or mitigate material operational risk. These must be matched to the bank’s current situation. Circular 08/21 is currently under revision (public consultation of May 23 to July 1, 2013) and a revised circular is expected to be published soon, aiming to be implemented from 2015. It will include more granular qualitative requirements for managing operational risks (section IV.B) in line with the respective principles published by the Basel Committee. Still, small banks (some Category 4 banks and all Category 5 banks) will not be required to comply with all requirements, but only with a subset of them. The discussion with FINMA revealed detailed and horizontal assessments on operational risk management over a large number of small banks would be difficult, even after the introduction of the new circular, given limited resources.
EC2	The supervisor requires banks’ strategies, policies and processes for the management of operational risk (including the banks’ risk appetite for operational risk) to be approved and regularly reviewed by the banks’ Boards. The supervisor also requires that the Board oversees management in ensuring that these policies and processes are implemented effectively.
Description and findings re EC2	As noted above, FINMA Circulars 08/24 and 08/21 provides requirements that BoD approves and reviews strategies, policies and process for the management of operational risk. Specifically, Circular 08/24 Margin Nos. 9 to 14 stipulates that: BoD bears responsibility for the regulation, establishment, maintenance, monitoring and regular supervision of an appropriate internal control function tailored to the size, complexity, structure and risk profile of the institution; BoD regularly discusses with senior management its assessment of the adequacy and effectiveness of the internal controls; and By issuing guidelines for senior management, BoD ensures that employees of all levels are aware of and understand their duties and responsibilities regarding the internal control process. For related provisions in Appendix 1 to FINMA Circulars 08/21, see EC1. Also, BoD is required to ensure that the policies for the treatment of operational risk are reviewed by internal auditors.
EC3	The supervisor determines that the approved strategy and significant policies and processes for the management of operational risk are implemented effectively by management and fully integrated into the bank’s overall risk management process.
Description and findings re EC3	Implementation of strategies, policies and processes for the management of operational risk is covered by the regular audit process through which compliance with Circular 08/24 Circular 08/21 are assessed. Appendix 1 to Circular 08/21, in particular, Margin No. 4 details further requirements specifically for implementation of operational risk management framework, stipulating that senior management bears responsibility for implementing the bank’s policies for the treatment of operational risk, that the body must see to it that the policies are implemented consistently throughout the organizational structure and ensure that all employees are aware of their responsibilities in the treatment of operational risk, and that senior management is also responsible for designing measures to manage operational risk arising from all of the bank’s operations. Banks using the Standardized Approach (SA) for capital calculations and with foreign representations (internationally active banks) are required to fulfill additional qualitative requirements under Circular 08/21. This includes a requirement that the operational risk assessment system must be closely integrated into the bank’s overall risk management processes (Margin No. 37). Similarly, additional qualitative requirements for banks using the Advanced Measurement Approach (AMA) for capital calculations include the institution- specific quantification system for operational risk to be closely integrated into the bank’s day-to-day overall risk management processes, and its output to be an integral part of overall risk profile monitoring and control. (Margins 61 and 62).
EC4	The supervisor reviews the quality and comprehensiveness of the bank’s disaster recovery and business continuity plans to assess their feasibility in scenarios of severe business disruption which might plausibly affect the bank. In so doing, the supervisor determines that the bank is able to operate as a going concern and minimize losses, including those that may arise from disturbances to payment and settlement systems, in the event of severe business disruption.
Description and findings re EC4	On contingency and business continuity plans, Appendix 1 to Circular 08/21 Margin No. 8 stipulates that banks must have emergency measures that allow them to continue their activities under extraordinary circumstances and thus make it possible to limit the impact of severe impairments of normal business operations. Additionally, SBA published “Recommendations for Business Continuity Management (BCM)” which is treated by FINMA as a minimum standard. Assessment of banks’ adherence to these requirements is included in the Standard Audit Strategies, so that external auditors need to assess them.
EC5	The supervisor determines that banks have established appropriate information technology policies and processes to identify, assess, monitor and manage technology risks. The supervisor also determines that banks have appropriate and sound information technology infrastructure to meet their current and projected business requirements (under normal circumstances and in periods of stress), which ensures data and system integrity, security and availability and supports integrated and comprehensive risk management.
Description and findings re EC5	Current FINMA circulars only implicitly address requirements to the management of technology risks. For example, Appendix 1 to FINMA Circular 08/21 Margin No. 7 provides the requirements for banks to implement procedures and measures to monitor and mitigate all material operational risks, which implicitly includes technology risks according to the authorities. The upcoming revised circular will explicitly refer to technology risk management.
EC6	The supervisor determines that banks have appropriate and effective information systems to: (a) monitor operational risk; (b) compile and analyze operational risk data; and (c) facilitate appropriate reporting mechanisms at the banks’ Boards, senior management and business line levels that support proactive management of operational risk.
Description and findings re EC6	Circular 08/24 provides requirements regarding information systems for risk management stipulating that senior management need to ensure that all relevant information on the day-to-day business is gathered, transmitted and processed through management information system. More specifically, Circular 08/21, Appendix 1 Margin No. 7 require banks to have frameworks and concrete measures to monitor and/or mitigate material operational risk as described above, although it does not explicitly mention information systems. For AMA banks, the Circular provides additional requirements to collect internal loss data and comply with quality and procedural requirements (Margin Nos. 76 to 85). SA banks with foreign representation are also required to collect internal loss data, although it is limited to significant losses (Margin Nos. 35 and 36). The definition of significant losses is not defined. FINMA explains that the upcoming revised Circular 08/21, currently in the process of public consultation, extends requirements to data collection and analysis to a broader set of banks (all banks belonging to FINMA categories 1 to 3 and a large portion of banks in category 4). On reporting mechanism to BoD and senior management, Circular 08/21 Margin Nos. 52 to 54 provides qualitative requirements for AMA banks by stipulating that BoD must be actively involved in oversight of the approach, senior management must be familiar with the basic framework of the approach and be capable of performing its corresponding oversight functions, and the bank must have a conceptually solid and reliable system that is implemented with integrity. Additionally, Margin Nos. 62 and 63 cover the topic of reporting and the breakdown of AMA outcomes for major business lines.
EC7	The supervisor requires that banks have appropriate reporting mechanisms to keep the supervisor apprised of developments affecting operational risk at banks in their jurisdictions.
Description and findings re EC7	See EC6. Moreover, although there is no further formal reporting mechanisms, FINMA explains that, in general, banks report their large operational loss incidents to FINMA. The revised Circular 08/21 will extend requirements for reporting operational risk, including reporting of internal events and breaches to risk appetite and tolerance statements, as well as reporting of external events occurring at peers with relevance for a specific institution.
EC8	The supervisor determines that banks have established appropriate policies and processes to assess, manage and monitor outsourced activities. The outsourcing risk management program covers: (a) conducting appropriate due diligence for selecting potential service providers; (b) structuring the outsourcing arrangement; (c) managing and monitoring the risks associated with the outsourcing arrangement; (d) ensuring an effective control environment; and (e) establishing viable contingency planning. Outsourcing policies and processes require the bank to have comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank.
Description and findings re EC8	FINMA Circular 08/07 “outsourcing” provides comprehensive and detailed requirements for banks’ outsourcing activities, covering such areas as: Selection of service providers (Margin Nos. 21, 22); Agreement and contract with service providers including structure of the outsourcing arrangement (Margin Nos. 25, 51–53); Arrangement to manage and monitor risks, including security, banking secrecy and data protection (Margin Nos. 26–36); and Control of service providers (Margin Nos. 23–24). The Circular also requires that the bank’s internal auditor, external auditor as well as FINMA should be able to inspect and audit outsourced activities (Margin No. 51).
Additional criteria
AC1	The supervisor regularly identifies any common points of exposure to operational risk or potential vulnerability (e.g., outsourcing of key operations by many banks to a common service provider or disruption to outsourcing providers of payment and settlement activities).
Description and findings re AC1	FINMA explains that it tries to identify common operational risk exposure or potential vulnerability across banks and conduct supervisory activities over those issues, although no formal framework exists. In recent years FINMA focused on the following two areas and has issued requirements or recommendations: Operational risks in capital markets. FINMA issued in December 2011 a selection of recommendations for reducing the risk of unauthorized trading incidents. This was reactive to problems observed in the marketplace. Operational risks in handling electronic client data. FINMA has developed an extensive new set of requirements in the appendix to revised Circular 08/21 (which compliance assessment will be part of the regular audit).
Assessment of Principle 25	Largely Compliant
Comments	The current regulatory framework on operational risk has several deficiencies, which drive the above grade. These include limited application of basic qualitative requirements where even the basic and minimum qualitative requirements do not apply a substantial part of the banking sector and lack of reference on operational risk management regarding information systems. On the supervisory side, lack of adequate treatment of operational risk in the supervisory rating system is a source of concern. Currently, FINMA’s CAMELS rating system does not incorporate operational risk explicitly. Given operational risk could be the primary risk area for banks specializing in asset management business, which is large in Switzerland, the framework needs to be adjusted so that operational risk assessment could affect the overall rating in a more straight-forward manner, at least for banks with business models which have high potential of operational risk. Furthermore, absence of clear guidance on reporting of operational risk related incidents to the supervisor may make it difficult for FINMA to detect emerging horizontal operational risk related issues. The assessors understand the authorities are preparing to issue the revised circular on operational risk management soon, which is expected to be implemented from beginning of 2015. The assessors believe the new circular would address most of the issues listed above, but still believe that non application of some of the qualitative requirements in the circular to some Category 4 banks and all Category 5 banks may leave vulnerability in the system. Even though these banks are small, if similar incidents related to operational risk happen in a number of banks, it could damage reputation of Swiss banks. Thus, the assessors recommend more close evaluation of inherent operational risk in smaller banks by FINMA staff before deciding which of Categories 4 and 5 banks are excluded from some of the qualitative requirements on operational risk management. Similarly, it is important for FINMA to push external auditors to strengthen intensity and quality of their work on operational risk management. These clearly require FINMA to increase its own specialist resource. The assessors also recommend that the overall supervisory framework should give operational risk more priority, at least for banks with business models in which inherent operational risk level is high. One possible approach would be to revise the current CAMELS rating system as suggested above. Given the importance of operational risk in the Swiss banking sector, it is also important for FINMA to take a more proactive stance on this issue by, for example, assessing common risk factors and carrying out thematic supervisory reviews using FINMA’s own resources or third parties.
Principle 26	Internal control and audit. The supervisor determines that banks have adequate internal control frameworks to establish and maintain a properly controlled operating environment for the conduct of their business taking into account their risk profile. These include clear arrangements for delegating authority and responsibility; separation of the functions that involve committing the bank, paying away its funds, and accounting for its assets and liabilities; reconciliation of these processes; safeguarding the bank’s assets; and appropriate independent63 internal audit and compliance functions to test adherence to these controls as well as applicable laws and regulations.
Essential criteria
EC1	Laws, regulations or the supervisor require banks to have internal control frameworks that are adequate to establish a properly controlled operating environment for the conduct of their business, taking into account their risk profile. These controls are the responsibility of the bank’s Board and/or senior management and deal with organizational structure, accounting policies and processes, checks and balances, and the safeguarding of assets and investments (including measures for the prevention and early detection and reporting of misuse such as fraud, embezzlement, unauthorized trading and computer intrusion). More specifically, these controls address: (a) organizational structure: definitions of duties and responsibilities, including clear delegation of authority (e.g., clear loan approval limits), decision-making policies and processes, separation of critical functions (e.g., business origination, payments, reconciliation, risk management, accounting, audit and compliance); (b) accounting policies and processes: reconciliation of accounts, control lists, information for management; (c) checks and balances (or “four eyes principle”): segregation of duties, cross-checking, dual control of assets, double signatures; and (d) safeguarding assets and investments: including physical control and computer access.
Description and findings re EC1	The banking act, ordinance, and FINMA circulars combine to require banks to have comprehensive internal control frameworks. (Art. 3 para 2 of the Federal Law of 8 November 1934 on Banks and Savings Banks, Art. 9 para 4 of the Federal Ordinance of 17 May 1972 on Banks and Savings Banks, and FINMA Circular 08/24, Supervision and internal controls) Guidance and requirements are expressed as very high level principles and not as detailed requirements. There are responsibilities placed on boards as ultimately responsible and on management for establishing, maintenance and regular testing of internal control systems. There are high-level criteria concerning adequacy of these frameworks. Matters such as appropriate organization structure, checks and balances, appropriate MIS, definition and segregation of duties, and compliance review are all covered. A number of the requirements are specified in a general way (e.g., ‘an effective system, an appropriate system, appropriate resources in control functions’) The various laws, ordinances or circulars state that requirements are to be in conformity with the size complexity and risk profile of the institution or that their appropriateness is to be judged taking account of these factors. Detailed guidance is not provided on these matters. Rather, it is left to banks, regulatory auditors, and FINMA supervisors to judge what this means in practice. Other circulars deal with such matters as accounting policies. Assessment of these processes occurs mostly through the regulatory audit. Auditors must express an opinion (negative assurance or positive assurance depending on the scope of review or audit performed) on adherence to laws, ordinances and circulars. Audit instructions from FIMA explicitly require auditors to consider the adequacy of internal control, compliance and risk management functions.
EC2	The supervisor determines that there is an appropriate balance in the skills and resources of the back office, control functions and operational management relative to the business origination units. The supervisor also determines that the staff of the back office and control functions have sufficient expertise and authority within the organization (and, where appropriate, in the case of control functions, sufficient access to the bank’s Board) to be an effective check and balance to the business origination units.
Description and findings re EC2	Under FINMA circulars management must ensure an appropriate segregation of duties between the business lines, the back office and the control functions (FINMA Circular 08/24, Margin No. 86). The compliance function and the risk control must be allocated adequate resources and authority according to the size of the bank, the complexity of the business and the organization, and the risk profile of the institution. The institution must designate one member of management who is responsible for the compliance function and one for risk control (FINMA Circular 08/24). Under FINMA audit instructions for the regulatory audit the adequacy of resources in these functions is to be assessed. There is no explicit guidance externally or internally on how this judgment is to be made.
EC3	The supervisor determines that banks have an adequately staffed, permanent and independent compliance function64 that assists senior management in managing effectively the compliance risks faced by the bank. The supervisor determines that staff within the compliance function is suitably trained, have relevant experience and have sufficient authority within the bank to perform their role effectively. The supervisor determines that the bank’s Board exercises oversight of the management of the compliance function.
Description and findings re EC3	Compliance functions must be allocated adequate resources and authority according to the size of the institution, the complexity of the business and its organization, and compliance issues. Board oversight is required (see EC2). Compliance functions are required under FINMA circulars to perform assessment of compliance risk and prepare an activity plan at least once a year to be approved by senior management, provide the senior management with timely reporting regarding material changes in the assessment of compliance risks, and determine and investigate serious violations (FINMA Circular 08/24, Margin No. 108 ff.). Compliance duties also include annual reporting to the board of directors regarding the assessment of the compliance risks and the activities of the compliance function (FINMA Circular 08/24, Margin No. 112). Assessors discussed with FINMA staff and with representatives of audit firms how audit firms make the assessment of effectiveness and adequacy of resources. FINMA staff indicated that this judgment is largely left to audit firms and their methodologies, though there is substantial discussion in the case of larger banks. Audit firms indicated that they had extensive exposure to these functions as part of their work and that is was a matter of professional judgment. Individual KAMs can intervene to require more regularity audit work as part of the planning process. For Category 1 banks (the largest two) standard audit strategy requires coverage of various elements of internal control over a six year period, annual critical evaluation of internal audit, annual review of central risk control functions (audit once every three years for central risk functions). For Category 2 banks and below, the minimum audit requirement for central risk control functions is relaxed to once every six years. FINMA has the ability to direct auditors work or commission independent focused reviews of compliance and has done so for individual large banks. Recently these have tended to be reactive to identified breakdowns. Other reviews are not frequent and no in-depth thematic reviews of these functions have been performed by FINMA in recent years.
EC4	The supervisor determines that banks have an independent, permanent and effective internal audit function65 charged with: (a) assessing whether existing policies, processes and internal controls (including risk management, compliance and corporate governance processes) are effective, appropriate and remain sufficient for the bank’s business; and (b) ensuring that policies and processes are complied with.
Description and findings re EC4	Various elements of the Banking law, ordinances and circulars place requirements on internal audit. (Art. 3 para 2 let. a BA, Art. 9 para 4 BO, FINMA Circular 08/24, Supervision and internal controls - banks, Margin No. 54 ff.) Banks must appoint internal auditors independent from the management. In cases of very small entities, FINMA may, after consulting with the external audit company, exempt an institution from this obligation. The duties of the internal audit may be delegated to a third company provided the external audit company confirms the competence and professional manner and independence of the third party. For smaller banks, outsourcing of internal audit is frequent. Direct reporting to the board of directors is required and the board must appoint the head of internal audit. Organization, duties and responsibilities are to be set by the board and internal audit must meet the standards promulgated by the Swiss Institute of Internal auditing. And internal auditors are governed by standards of professional practice. There are general requirements for sufficient and appropriate resources and expertise in relation to the size complexity and risk profile of the institution. There is a requirement for comprehensive risk assessment by IA at least annually and for reporting of plans for approval by the board and for reporting of results and follow up. This is assessed by FINMA through the regulatory audit process. For category one institutions the regulatory audit is to conduct a critical review of internal audit every year.
EC5	The supervisor determines that the internal audit function: (a) has sufficient resources, and staff that are suitably trained and have relevant experience to understand and evaluate the business they are auditing; (b) has appropriate independence with reporting lines to the bank’s Board or to an audit committee of the Board, and has status within the bank to ensure that senior management reacts to and acts upon its recommendations; (c) is kept informed in a timely manner of any material changes made to the bank’s risk management strategy, policies or processes; (d) has full access to and communication with any member of staff as well as full access to records, files or data of the bank and its affiliates, whenever relevant to the performance of its duties; (e) employs a methodology that identifies the material risks run by the bank; (f) prepares an audit plan, which is reviewed regularly, based on its own risk assessment and allocates its resources accordingly; and (g) has the authority to assess any outsourced functions.
Description and findings re EC5	FINMA Circular 08/24, Supervision and internal controls – banks, specifies that internal audit function is to be formed according to the size, complexity and the risk profile of the institution. It is required to be allocated sufficient personnel and maintain the appropriate technical expertise in order to fulfill their mandate. (see EC5 re independence and planning) The key personnel must maintain in-depth knowledge in the areas of activity in which the bank is operative. Overall, it must be ensured that the appropriateness of the internal controls are assessed by qualified auditors (FINMA Circular 08/24, Margin No.67). The internal audit function has unlimited auditing authority within the institution and its companies subject to consolidation. It has unrestricted access to information that is required for fulfilling its audit duties (FINMA Circular 08/24, Margin No. 64). The internal audit of the enterprise must maintain the right to complete an unrestricted inspection of the outsourced business (FINMA Circular 08/7, Outsourcing – banks). FINMA has set internal guidelines which are available to regulatory auditors on its expected resourcing of internal audit relative to the size of banks. Regulatory auditors must express an opinion on adequacy of resources in internal audit. Assessors discussed with regulatory auditors how they made this judgment. Regulatory auditors have considerable contact with IA and review and rely on its work, which aids their ability to make the judgments required.
Assessment of Principle 26	Compliant
Comments	FINMA has put pressure on regulatory auditors to enhance their effectiveness and to be more forward looking in all of their assessments, including of control systems. Recent reviews by FINMA of compliance appear more reactive. Publicized breakdowns at a number of banks related to compliance issues suggest that the supervisory approach needs to be ramped up on a proactive basis. While some of these relate to criminal activity, FINMA’s expost reviews has also found there were serious deficiencies in risk management and controls that, if they had not existed, would have lead to the problems being detected sooner. This is part of a more general issue of supervisory approach and technique that is assessed under CPs 8-9. New qualitative operational risk requirements from FINMA will assist in the strengthening of supervisory work in this area.
Principle 27	Financial reporting and external audit. The supervisor determines that banks and banking groups maintain adequate and reliable records, prepare financial statements in accordance with accounting policies and practices that are widely accepted internationally and annually publish information that fairly reflects their financial condition and performance and bears an independent external auditor’s opinion. The supervisor also determines that banks and parent companies of banking groups have adequate governance and oversight of the external audit function.
	General remark: With regard to the external audit of financial intermediaries, it is important to note that FINMA mandates audit firms for a considerable part of its on-site activities. While FINMA is responsible for the supervision of audit firms with regard to their supervisory audit activities, the Federal Audit Oversight Authority (FAOA) is responsible for the supervision of audit firms with regard to their financial audit activities.
Essential criteria
EC1	The supervisor66 holds the bank’s Board and management responsible for ensuring that financial statements are prepared in accordance with accounting policies and practices that are widely accepted internationally and that these are supported by recordkeeping systems in order to produce adequate and reliable data.
Description and findings re EC1	Under the Directive on Financial Reporting of the SIX Exchange Regulation, all issuers must apply IFRS or US GAAP to the Main Standard of the SIX Swiss Exchange. Large banks and a number of mid-size banks are listed. FINMA permits the application of IFRS and US GAAP for consolidated financial statements and supplementary unconsolidated financial statements prepared according to the true and fair view principle and Swiss GAAP. Ten banking groups use internationally recognized standards, the two in category 1, four in category 3, and four banks in categories 4/5. Smaller and mid-size banks can use Swiss GAAP for consolidated statements as well, and most banks do so. Assessors discussed the main differences between Swiss GAAP and IFRS with FINMA and auditors. They noted that Swiss GAAP is similar to IFRS and the exceptions are generally more conservative than IFRS. The most important is that certain fair value provisions of IFRS (IAS39) are not permitted with financial assets not in the “current” book valued instead at acquisition cost. Another important difference is that Swiss requirements for instruments to qualify for hedging treatment are less strict than under IFRS with macro hedging permitted and effectiveness testing not required. FINMA reports that these differences are in practice not material. Lastly Swiss GAAP permits banks to have “hidden reserves”. There are requirements for adequate recordkeeping systems. A separate public audit opinion on the adequacy of internal controls supporting financial statements is not required.
EC2	The supervisor holds the bank’s Board and management responsible for ensuring that the financial statements issued annually to the public bear an independent external auditor’s opinion as a result of an audit conducted in accordance with internationally accepted auditing practices and standards.
Description and findings re EC2	Under the Banking Act (Art. 18), every bank has to have an annual audit performed by an authorized audit firm. The audit firm has to examine whether the bank’s accounts are compliant with the applicable accounting standards. Audits are based on international standards of auditing (ISA) for financial statements prepared in accordance with international accounting standards while the local adopted Swiss auditing standards for financial statements are prepared in accordance with Swiss accounting standards (Arts. 2 and 3 of the Ordinance of the Federal Audit Oversight Authority on the Oversight of Audit Firms). Local auditing standards closely match international standards. The independence of the audit firm is specified in FINMA Circular 13/4 Audit firms and lead auditors (Margin No. 32 ff.), which is based on the independency rules of the Swiss Code of Obligations (Art. 728) and the Auditor Oversight Act (Art. 11).
EC3	The supervisor determines that banks use valuation practices consistent with accounting standards widely accepted internationally. The supervisor also determines that the framework, structure and processes for fair value estimation are subject to independent verification and validation, and that banks document any significant differences between the valuations used for financial reporting purposes and for regulatory purposes.
Description and findings re EC3	Specific provisions are set out in FINMA Circular 08/20 Market risks – banks for prudent valuation of fair values of the trading book and the banking book (see Margin Nos. 32 ff.) for regulatory purposes. See also CP 22.
EC4	Laws or regulations set, or the supervisor has the power to establish the scope of external audits of banks and the standards to be followed in performing such audits. These require the use of a risk and materiality based approach in planning and performing the external audit.
Description and findings re EC4	FINMA does not have authority to specify the scope of external financial audits. However if FINMA had concerns it could use the regulatory audit scope, which it does control, to have additional work done.
EC5	Supervisory guidelines or local auditing standards determine that audits cover areas such as the loan portfolio, loan loss provisions, non-performing assets, asset valuations, trading and other securities activities, derivatives, asset securitizations, consolidation of and other involvement with off-balance sheet vehicles and the adequacy of internal controls over financial reporting.
Description and findings re EC5	The financial audit has to be carried out in line with the principles of the regular audit of the Swiss Code of Obligations and international auditing standards or equivalent Swiss standards apply.
EC6	The supervisor has the power to reject and rescind the appointment of an external auditor who is deemed to have inadequate expertise or independence, or is not subject to or does not adhere to established professional standards.
Description and findings re EC6	FINMA and FAOA have the power to reject and rescind the appointment of an external auditor who is deemed to have inadequate expertise or independence, or does not adhere to established professional standards. The requirements of professional behavior, expertise and independence are based on federal law as well as enforcement by FAOA/FINMA concerning breaches of these requirements. FINMA staff reported that this has occurred.
EC7	The supervisor determines that banks rotate their external auditors (either the firm or individuals within the firm) from time to time.
Description and findings re EC7	Under the Swiss Code of Obligations, the lead auditor may exercise his mandate for seven years at the most. He may only accept the same mandate again after an interruption of three years.
EC8	The supervisor meets periodically with external audit firms to discuss issues of common interest relating to bank operations.
Description and findings re EC8	FINMA interaction with audit firms for regulatory audits is extensive. The same audit firms carries out the regulatory and financial audit (and this can be lead by the same partner except in the case of the category 1 and 2 banks. So FINMA views can be taken into account in the financial audit as well.
EC9	The supervisor requires the external auditor, directly or through the bank, to report to the supervisor matters of material significance, for example failure to comply with the licensing criteria or breaches of banking or other laws, significant deficiencies and control weaknesses in the bank’s financial reporting process or other matters that they believe are likely to be of material significance to the functions of the supervisor. Laws or regulations provide that auditors who make any such reports in good faith cannot be held liable for breach of a duty of confidentiality.
Description and findings re EC9	Reporting duties for audit firms are set in different regulations: (1) Ongoing reporting obligation under FINMASA Art. 27: In the case of serious violations of supervisory provisions or serious irregularities, the audit company notifies FINMA immediately”. (2) FINMA Circular 03/13 Auditing (Margin No. 78) specifies that criminal acts must also be reported immediately. (3) Reporting duties for the regulatory long form report (FINMA Circular 03/13 Auditing, Margin No. 55ff.): the audit firm has to make a reservation in the case of a breach of regulatory law or internal policies with regulatory relevance. If the audit firm detects other significant deficiencies or evidence that regulatory law cannot be complied with in the future, it has to make a recommendation. (4) Reporting duties to the FAOA are outlined in the Federal Act on the Licensing and Oversight of Auditors and specifically FAOA Circular 1/2010 on reporting to the Audit Oversight Authority by Audit firms under state oversight These obligations overrule the duty of confidentiality.
Additional criteria
AC1	The supervisor has the power to access external auditors’ working papers, where necessary.
Description and findings re AC1	FINMA has access to working papers for both the regulatory audit and the financial audit.
Assessment of Principle 27	Compliant
Comments	FINMA needs to be sure that differences in Swiss GAAP with IFRS, such as valuation standards for traded instruments or permitting macro hedging, are not interacting with emerging regulatory rules in a way that provided unintended benefits to those banks using this accounting standard.
Principle 28	Disclosure and transparency. The supervisor determines that banks and banking groups regularly publish information on a consolidated and, where appropriate, solo basis that is easily accessible and fairly reflects their financial condition, performance, risk exposures, risk management strategies and corporate governance policies and processes.
Essential criteria
EC1	Laws, regulations or the supervisor require periodic public disclosures67 of information by banks on a consolidated and, where appropriate, solo basis that adequately reflect the bank’s true financial condition and performance, and adhere to standards promoting comparability, relevance, reliability and timeliness of the information disclosed.
Description and findings re EC1	Banks and banking groups must publicly disclose their annual financial statements (solo and consolidated), with the exception of private bankers who do not publicly solicit customer deposits (see Arts. 26 and 27 of Banking Ordinance). Annual financial statements comprise a balance sheet and an income statement, and also a comprehensive appendix giving quantitative and qualitative explanations about the risks and the financial situation (see Arts. 23-28 of the Banking Ordinance and FINMA Circular 108/02). Banks with a balance sheet of more than CHF 100 million are also required to disclose semi-annual balance sheets and income statements (Art. 23b of Banking Ordinance). Quarterly disclosure is made by the biggest banks. Additional quantitative and qualitative disclosure is required by Circular 08/22 dedicated to the 3rd pillar of Basel II. Depending on the size of the capital requirements, disclosure is required with a frequency that can be annual, semi-annual or quarterly. For smaller banks the Pillar 3 disclosure is simplified to cover essential details of available and required capital only. Auditors confirmed that disclosure obligations under Swiss GAAP (which is used by all but 10 banking groups), are less than for IFRS.
EC2	The supervisor determines that the required disclosures include both qualitative and quantitative information on a bank’s financial performance, financial position, risk management strategies and practices, risk exposures, aggregate exposures to related parties, transactions with related parties, accounting policies, and basic business, management, governance and remuneration. The scope and content of information provided and the level of disaggregation and detail is commensurate with the risk profile and systemic importance of the bank.
Description and findings re EC2	Requirements concerning these matters are in various circulars. Bank disclosures including qualitative and quantitative, are reviewed by auditors, which in turn are overseen by FINMA.
EC3	Laws, regulations or the supervisor require banks to disclose all material entities in the group structure.
Description and findings re EC3	FINMA Circular 08/22 (Capital adequacy disclosure - banks) requires: (a) the description of the regulatory scope of consolidation, with indication of the differences with the accounting scope of consolidation; (b) the names of the material group companies, indicating the eventual non-inclusion in one of the two consolidation scopes, and the consolidation technique. Furthermore, the amount of the balance sheet and of the equity of the subsidiary must be disclosed. Its main activity must be described. The Banking Ordinance and Circular 08/02 (Accounting - banks) require indication in the appendix to the financial statements of a list of all material permanent participations (regardless of whether a consolidation has been made or not), indicating the name, activity, equity and the percentage of detention. All direct and indirect shareholders having more than 5 percent of the voting rights of the bank must also be disclosed in the notes to the financial statements.
EC4	The supervisor or another government agency effectively reviews and enforces compliance with disclosure standards.
Description and findings re EC4	FINMA examines the financial reports disclosed by the banks, in order to assess proper use and compliance with its disclosure standards. For IFRS or US GAAP users, FINMA also makes critical reviews of the quality of these financial statements. After the conclusion of agreement between FINMA and the Swiss Stock Exchange (SIX), it was decided that SIX is responsible for controlling the correct application of accounting rules by the listed companies (banks included) applying IFRS or US GAAP (FINMA is fully responsible for the listed users of its accounting standards).
EC5	The supervisor or other relevant bodies regularly publishes information on the banking system in aggregate to facilitate public understanding of the banking system and the exercise of market discipline. Such information includes aggregate data on balance sheet indicators and statistical parameters that reflect the principal aspects of banks’ operations (balance sheet structure, capital ratios, income earning capacity, and risk profiles).
Description and findings re EC5	Considerable aggregated information is published by the Swiss National bank.
Additional criteria
AC1	The disclosure requirements imposed promote disclosure of information that will help in understanding a bank’s risk exposures during a financial reporting period, for example on average exposures or turnover during the reporting period.
Description and findings re AC1	FINMA is of the opinion that the information that must be publicly disclosed (see EC1) is sufficient to fulfill the goal described in AC1, i.e., understanding a bank’s risk exposures during a financial reporting period, though the disclosure of average measures is not mandatory.
Assessment of Principle 28	Compliant
Comments
Principle 29	Abuse of financial services. The supervisor determines that banks have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the financial sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities.68
Essential criteria
EC1	Laws or regulations establish the duties, responsibilities and powers of the supervisor related to the supervision of banks’ internal controls and enforcement of the relevant laws and regulations regarding criminal activities.
Description and findings re EC1	The basic principles of FINMA’s duties, responsibilities and powers related to the supervision of financial institutions are defined in FINMASA. Art. 24 provides that FINMA carries audits of supervised persons and entities, either by itself or through auditing firms appointed by the firms or third parties appointed by FINMA. Specifically, duties, responsibilities and powers with regard to the supervision of financial intermediaries’ obligations towards the prevention of money laundering and financing of terrorism are set out in the Anti-Money Laundering Act (AMLA), which was substantially strengthened and broadened recently. AMLA Art. 12 provides the responsibility of FINMA for supervising banks’ compliance with their AML/CFT duties (including with respect to customer due diligence, internal controls and reporting of suspicious transactions). Also, Art. 17 provides that FINMA shall specify the duties of diligence of banks and stipulate how these duties must be fulfilled. Supervisory instruments are also defined in FINMASA, including restoration of compliance with the law if a supervised person or entity violates provisions of any financial market acts, including the Anti-Money Laundering Act (AMLA) (FINMASA Art. 1 and 31), prohibition from acting in a management capacity at any person or entity subject to its supervision (Art. 33), ordering the confiscation of profits (Art. 35), appointment of investigating agents (Art. 36) or revocation of licenses, withdrawal of recognition, and cancellation of registration (Art. 37). Further relevant rules are set out in BA Art. 3, 4, and BO Art. 9. Furthermore, FINMA Circular 8/24 “Supervision and internal control” specifies the aforementioned rules in a detailed manner and sets guidelines for corporate governance, the supervision of business activities and internal control, and the supervision thereof by the responsible function at banks. In practice, adherence to laws, regulations and circulars are mostly assessed through regulatory audits by external auditors. Standard operating procedures require regulatory audits to review the issue annually and audit at least once in every three years. (Also see CP8)
EC2	The supervisor determines that banks have adequate policies and processes that promote high ethical and professional standards and prevent the bank from being used, intentionally or unintentionally, for criminal activities. This includes the prevention and detection of criminal activity, and reporting of such suspected activities to the appropriate authorities.
Description and findings re EC2	BA Art. 3 provides that the persons belonging to senior management, supervision and control must enjoy a good reputation and guarantee compliance with their duties. Banks, groups of banks and financial conglomerates must know their risks and be able to supervise and limit them. Consequently, banks are obliged to establish internal rules and guidelines for risk management for all risks and especially legal risks. (BO Art. 3). AMLA Art. 9 then sets the obligation for a bank to file a report if it knows or has reasonable grounds to suspect that assets involved in its business with customers are connected to a criminal offence, are the proceeds of a felony, are subject to the power of disposal of a criminal organization, or serve the financing of terrorism. FINMASA also explicitly provides that the prevention of money laundering and terrorist financing requires personnel who are of integrity and appropriately trained (Art.25). It therefore imposes an obligation on banks to ensure the prudent selection of the personnel as well as the regular training of all concerned staff on aspects relevant to the prevention of money laundering and terrorist financing. FINMA Ordinance on Prevention of Money Laundering and Financing of Terrorism (MLO- FINMA) sets out general requirements for banks regarding their policies and processes, including detection of high-risk transactions, due diligence obligations, and reporting requirements. The Agreement on Swiss banks’ Code of Conduct with regard to the Exercise of Due Diligence established by SBA in 2008 (CDB 08) also provides self-regulation regarding detailed rules for banks including the prevention and detection of criminal activity (formally recognized as minimum standards by FINMA). This lays down binding rules of good conduct in banking as a code of professional ethics. They are designed to give specific effect to certain points of due diligence governed by the Anti-Money Laundering Act (AMLA Arts. 3-5) and the concept of “the diligence that can be reasonably expected under the circumstances” in accepting assets as provided in the Swiss Criminal Code (SCC) Art. 305ter. Assessors discussed with FINMA the fact that the number of STRs from banks is only some 1000 a year. FINMA explained that it is comfortable with the figure as banks have low thresholds for alerts but then analyze the information before deciding whether to file STRs.
EC3	In addition to reporting to the financial intelligence unit or other designated authorities, banks report to the banking supervisor suspicious activities and incidents of fraud when such activities/incidents are material to the safety, soundness or reputation of the bank.69
Description and findings re EC3	Under FINMASA Art. 29 para 2, supervised persons and entities must immediately report to FINMA any incident that is of substantial importance to supervision. This requirement is understood to include any incidents related to fraud and other criminal activities that are material to the safety, soundness or reputation of the bank. Further, MLO-FINMA Art. 31 stipulates that banks must inform FINMA of reports filed with the Money Laundering Reporting Office (MROS) which concern business relations with significant assets or where it can be assumed that, based on the circumstances, the events giving rise to such a report could affect the reputation of the financial intermediary and that of the Swiss financial center.
EC4	If the supervisor becomes aware of any additional suspicious transactions, it informs the financial intelligence unit and, if applicable, other designated authority of such transactions. In addition, the supervisor, directly or indirectly, shares information related to suspected or actual criminal activities with relevant authorities.
Description and findings re EC4	AMLA Art. 16 obliges FINMA to inform MROS if there are reasonable grounds to suspect that a criminal offence has been committed or the assets are subject of a felony or to the power of disposal of a criminal organization or serve the financing of terrorism. This duty applies if the financial intermediary or the self-regulatory organization has not already submitted an STR. AMLA Art. 29 also stipulates that the supervisor and MROS may provide each other any information or documents required for the enforcement of this Act. Also prosecution authorities may provide the supervisor with any information and documents that it requires to fulfill its duties. From the FINMA side, FINMASA Art. 38 and 39 provides the legal basis for mutual and administrative assistance between the supervisor and the prosecution authorities of the Confederation and the cantons or other domestic authorities. They coordinate their investigations as far as it is practical and required. Where the supervisor obtains knowledge of felonies and misdemeanors or of offences against this Act or the financial market acts, it shall notify the competent prosecution authorities. In practice, FINMA communicates with and shares information with other competent authorities as needed.
EC5	The supervisor determines that banks establish CDD policies and processes that are well documented and communicated to all relevant staff. The supervisor also determines that such policies and processes are integrated into the bank’s overall risk management and there are appropriate steps to identify, assess, monitor, manage and mitigate risks of money laundering and the financing of terrorism with respect to customers, countries and regions, as well as to products, services, transactions and delivery channels on an ongoing basis. The CDD management program, on a group-wide basis, has as its essential elements: (a) a customer acceptance policy that identifies business relationships that the bank will not accept based on identified risks; (b) a customer identification, verification and due diligence program on an ongoing basis; this encompasses verification of beneficial ownership, understanding the purpose and nature of the business relationship, and risk-based reviews to ensure that records are updated and relevant; (c) policies and processes to monitor and recognize unusual or potentially suspicious transactions; (d) enhanced due diligence on high-risk accounts (e.g., escalation to the bank’s senior management level of decisions on entering into business relationships with these accounts or maintaining such relationships when an existing relationship becomes high-risk); (e) enhanced due diligence on politically exposed persons (including, among other things, escalation to the bank’s senior management level of decisions on entering into business relationships with these persons); and (f) clear rules on what records must be kept on CDD and individual transactions and their retention period. Such records have at least a five year retention period.
Description and findings re EC5	The banks’ CDD duties are set out in extensive details in laws and regulations. Chapter 2 of the AMLA provides the general requirements related to customer due diligence and reporting of suspicious transactions. FINMA specified these duties and stipulated how they must be fulfilled in MLO-FINMA. Under the supervision of FINMA, a self-regulatory organization can regulate the CDD duties and their fulfillment (AMLA Art. 17). Accordingly, CDB 08, which is recognized by FINMA as a minimum standard applicable to all banks regarding the identification of contracting parties and the determination of beneficial owners, complements provisions in MLO-FINMA (Art. 32). Under Art. 6 MLO-FINMA, banks that have foreign branches or which control a financial group with non-Swiss group companies are required to identify, mitigate and monitor the legal and reputational risks associated with money laundering or the financing of terrorism at the global level. Therefore, banks forming part of a financial group, either from Switzerland or abroad, shall allow the group’s internal control bodies and audit company of the group to access any information which may be required concerning specific business relations, provided that such information is essential for the management of legal and reputational risks at the global level. Furthermore, banks shall ensure that their branches or group companies abroad operating in the financial sector comply with the core principles of AMLA and MLO-FINMA (MLO-FINMA Art. 5). In general, under Art. 24 MLO-FINMA, banks must issue internal directives for CDD, which, among others, should include: the criteria to be applied in identifying business relationships with increased risks and in detecting transactions with increased risks; the basic principles for the monitoring of transactions; the cases in which the internal compliance office must be involved and the senior executive body notified; the company policy on politically exposed persons (PEPs); and the method in which the bank records, limits and monitors increased risks as well as the threshold amounts pursuant to business relationships and transactions with increased risks must be set out. Some specific requirements regarding the content of the CDD policy is also given in laws and regulations: Banks need to undertake to verify the identity of the contracting partner when establishing business relationships. (AMLA Art. 4) Banks are required to identify the nature and purpose of the business relationship with customers. (AMLA Art.6) Banks must clarify the economic background and the purpose of a transaction or a business relationship if it appears unusual or if there are indications that assets are the proceeds of a felony, are subject to the power of disposal of a criminal organization, or serve the financing of terrorism (AMLA Art. 6). The extent of the information that must be obtained is determined by the risk represented by the customer; business relationships and transactions that involve increased risks must be subject to enhanced due diligence (MLO-FINMA Art. 12 and 13). Banks are not allowed to accept assets that they know, or are expected to know, are proceeds of criminal activities, even if committed outside Switzerland. (The negligent acceptance of assets derived from criminal activity may call into question the required guarantee for proper business conduct.) Banks are not permitted to maintain business relations with fictive banks or with any individuals or undertakings of which they know or must assume constitute a terrorist or criminal organization, or which are affiliated to, support, or finance such an organization (MLO-FINMA Arts. 7 and 8). If the contracting partner is not the same as the beneficial owner, or if this is in doubt, banks must require the contracting partner to provide a written declaration of the identity of the beneficial owner (CDB 08 Art. 6). If serious doubts persist concerning the accuracy of the contracting partner’s declaration and these cannot be dispelled by further clarification, the bank must refuse to establish the business relationship or to execute the transaction (CDB 08 Art. 29). Banks are required to terminate their relationship with the contracting partner if they establish that the bank has been deceived when identifying the beneficial owner, that false information regarding beneficial ownership has deliberately been provided to them, or if doubts about the information provided by the contracting partner persist (CDB 08 Art. 6). Banks must provide for an effective monitoring of the business relationships and transactions, and ensure that increased risks are identified (MLO-FINMA Art. 19 para 1). Banks must have an information system to monitor transactions and detect high-risk transactions (MLO-FINMA Art. 12). Art. 23 sets out a requirement for banks to have an information system to provide information to relevant authorities. Banks have to carry out additional investigations for business relationships or transactions with increased risks (MLO-FINMA Art. 14). This may also lead to the termination of the business relationship or to a report to the FIU. Banks must repeatedly conduct these procedures if during the business relationship doubts arise regarding he identity of the contracting partner and the beneficial owner (CDB 08 Art. 6). Regarding enhanced due diligence, MLO-FINMA requires banks to formulate criteria to identify business relationships and detect transactions which involve increased risks (Arts. 12 and 13). Business relationships with PEPs and with foreign banks for which a Swiss financial intermediary carries out correspondent bank transactions as well as transactions in which assets exceeding more than CHF 100,000 are physically deposited in a single or series of deposits at the onset of the business relationship are, in all cases, deemed to be business relationships or transactions with increased risks. Banks must identify and label any business relationships involving higher risk. Further, MLO-FINMA requires banks to include in their internal directives policies and processes to be applied for business relationships with increased risks: the criteria to be applied in detecting transactions with increased risks, the basic principles for the monitoring of transactions; the cases in which the internal compliance office must be involved and the senior executive body notified; the company policy on politically exposed persons (PEPs); the method in which the bank records, limits and monitors the increased risks; and the threshold amounts pursuant to business relationships and transactions with increased risks. The directives must be adopted by BoD or the upper management. Banks have to carry out additional investigations for business relationships or transactions with increased risks (MLO-FINMA Art. 14). The acceptance of business relationships involving increased risk requires the approval of a senior person or body or the management (MLO-FINMA Art. 17). The senior executive body, or at least one of its members, must decide on the planning of regular reviews of all relationships involving higher risk, and monitor and evaluate such relationships (MLO-FINMA Art. 18). Business relationships with PEPs are, in all cases, deemed to be business relationships with increased risks (MLO-FINMA Art. 12 para 3). Thus, the senior executive body, or at least one of its members, must decide on the acceptance of business relationships with PEPs, and, on an annual basis, the continuation of such relationships. Banks must keep records of transactions carried out and of CDD clarifications required in such a manner that other specially qualified persons are able to make a reliable assessment of the transactions and business relationships and of compliance with the AMLA provisions (Art. 7). In particular, banks must establish, organize and retain their documentation such that FINMA, audit companies, or FINMA appointed investigating agents can form, within a reasonable period, a reliable opinion on the compliance with the duties regarding the prevention of money laundering and the financing of terrorism (MLO-FINMA Art. 20). Furthermore, the documentation must be established, organized and retained such that banks are able, within a reasonable period, to comply with any request for information and sequestration from the prosecuting authority or another licensed authority (AMLA Art. 7 para 2, MLO-FINMA Art. 20 para 2). Banks are also obliged to organize their documentation at least such that they are capable of providing information within a reasonable period of time on the identity of the initiator of an outgoing payment order and whether a company or a person: is the contracting party or beneficial owner; has placed a cash transaction that requires the identification of the related person; and possesses an ongoing power-of- attorney over an account or safekeeping account provided that the company or person is not already listed in a public registry (MLO-FINMA Art. 36). Under AMLA Art. 7 para 3, banks are required retain records for a minimum of ten years after the termination of the business relationship or after completion of the transaction. As described in EC1, banks’ compliance to these requirements is primarily assessed by external auditors through annual regulatory audits. Discussions with FINMA staff and auditors as well as review of reports show efforts are made in assessing these issues during regulatory audits. FINMA may also conduct its own assessment. For example, it conducted inspection of 20 banks in 2011 regarding compliance with supervisory rules concerning business relationships with PEPs from several foreign countries, which resulted in some enforcement proceedings.
EC6	The supervisor determines that banks have in addition to normal due diligence, specific policies and processes regarding correspondent banking. Such policies and processes include: (a) gathering sufficient information about their respondent banks to understand fully the nature of their business and customer base, and how they are supervised; and (b) not establishing or continuing correspondent relationships with those that do not have adequate controls against criminal activities or that are not effectively supervised by the relevant authorities, or with those banks that are considered to be shell banks.
Description and findings re EC6	As described above, MLO-FINMA Art. 12 requires business relations with foreign correspondent banks must be classified as business relationships with increased risks. In the case of increased risks, additional investigations have to be performed. In addition to these investigations, MLO-FINMA Art. 34 provides that: the bank is obliged to execute further clarifications in case of correspondent bank relationships with foreign banks; the bank shall adequately ensure that it is not conducting business relations with fictive banks; the bank must ascertain, as needed, whether adequate controls for the prevention of money laundering and the financing of terrorism are carried out by the corresponding bank; and the bank shall define procedures for cases where it receives repeated payment orders that clearly contain incomplete information.
EC7	The supervisor determines that banks have sufficient controls and systems to prevent, identify and report potential abuses of financial services, including money laundering and the financing of terrorism.
Description and findings re EC7	Compliance with due diligence obligations is subject to review as part of FINMA’s supervisory approach as described in relevant CPs. The annual regulatory audit, conducted at all banks, covers broad compliance issues, including issues related to abuses of financial services. The standard audit strategies for regulatory audits normally emphasize as an audit item issues related with money laundering and criminal activities. If necessary, remedial work is followed up by the audit company as well as by FINMA. FINMA may also conduct its own inspection of banks (See EC5). Through discussions with FINMA and external auditors, assessors confirmed that a significant portion of supervisory time both by external auditors and FINMA’s supervisory staff is devoted to AML/CTF matters.
EC8	The supervisor has adequate powers to take action against a bank that does not comply with its obligations related to relevant laws and regulations regarding criminal activities.
Description and findings re EC8	For general enforcement powers and processes, see CP 11. In addition, MLO-FINMA Art. 9 specifies that a violation of the ordinance may call into question the assurance of proper business conduct of financial intermediaries and that it may also trigger enforcement measures (suspension of persons from acting in banks’ management positions, disgorgement of profits, etc.). Accordingly, if a bank is not complying with its AML/CFT obligations, FINMA will address this issue and eventually escalate it to administrative enforcement proceedings. For example, as explained above, FINMA instituted enforcement proceedings against six banks as a result of its inspections on their compliance regarding business relationship with PEPs which took place late-2011.
EC9	The supervisor determines that banks have: (a) requirements for internal audit and/or external experts70 to independently evaluate the relevant risk management policies, processes and controls. The supervisor has access to their reports; (b) established policies and processes to designate compliance officers at the banks’ management level, and appoint a relevant dedicated officer to whom potential abuses of the banks’ financial services (including suspicious transactions) are reported; (c) adequate screening policies and processes to ensure high ethical and professional standards when hiring staff; or when entering into an agency or outsourcing relationship; and (d) ongoing training programs for their staff, including on CDD and methods to monitor and detect criminal and suspicious activities.
Description and findings re EC9	For general provisions on internal control, audit, compliance and governance, as well as respective organizational and training requirement, see EC1 above. With regard to AML/CTF regulation, the following applies: (a) Under MLO-FINMA Art. 6, financial intermediaries must ensure that a financial group’s internal control bodies and its audit company are able to access information concerning specific business relations in all group companies if needed. (b) Under MLO-FINMA Art. 22, each bank must designate one or more qualified persons to form a competence center to combat money laundering and assume the responsibilities. Further provisions on the integrity and training required by staff members are set out in MLO-FINMA Art. 25. Circular 08/24 also provides requirements for banks on the compliance function, including the need to designate one member of management to be responsible for the compliance function (Margin No. 102). (c) Under MLO-FINMA Art. 25, banks are required to ensure that their staff has integrity and receives appropriate training in order to be able to contribute to the prevention of money laundering and the financing of terrorism. Banks are also required to ensure prudent selection of their employees. Applicable requirements to be observed when outsourcing business activities to a third party are defined in Circular 08/07 Outsourcing (Margin No. 21).
EC10	The supervisor determines that banks have and follow clear policies and processes for staff to report any problems related to the abuse of the banks’ financial services to either local management or the relevant dedicated officer or to both. The supervisor also determines that banks have and utilize adequate management information systems to provide the banks’ Boards, management and the dedicated officers with timely and appropriate information on such activities.
Description and findings re EC10	FINMA Circular 8/24 margin No. 28 requires management of a bank to maintain an organizational structure in which responsibilities, authorities, accountabilities, discretionary decision-making powers and information flows are explicitly defined and documented. With regard to the escalation of AML/CTF related problems, MLO-FINMA Art. 22 and following outline the roles and responsibilities of the compliance department and Art. 24 defines the requirements for internal policies, including escalation to senior management.
EC11	Laws provide that a member of a bank’s staff who reports suspicious activity in good faith either internally or directly to the relevant authority cannot be held liable.
Description and findings re EC11	The AMLA and relevant legal framework provides legal basis for banks to reports suspicious activities to relevant authority. Art. 11 ensures that anyone who reports suspicious transactions in good faith is not held liable for breach of official professional or trade secrecy or breach of contract.
EC12	The supervisor, directly or indirectly, cooperates with the relevant domestic and foreign financial sector supervisory authorities or shares with them information related to suspected or actual criminal activities where this information is for supervisory purposes.
Description and For findings re EC12	For general exchange of information with foreign supervisors, see CP 3. Specifically related to AML/CT issues, under AMLA Art. 29, FINMA, MROS and law enforcement agencies may exchange among them all the information they need and do so. Further, FINMA and the SROs may exchange all information they require in order to fulfill their duty. Regarding relations with foreign authorities, FINMASA Art. 42 enables the FINMA to exchange information with equivalent foreign authorities if certain conditions are met, e.g., to enforce financial market acts such as the AMLA, the information is exclusively used for direct supervision of foreign institutions.
EC13	Unless done by another authority, the supervisor has in-house resources with specialist expertise for addressing criminal activities. In this case, the supervisor regularly provides information on risks of money laundering and the financing of terrorism to the banks.
Description and findings re EC13	FINMA maintains a money laundering and financial crime unit which participates in national risk and threat assessments, supervises financial institutions as well as self-regulatory organizations including SBA, observes international developments, participates in law-making projects at the federal level and specifies the AML/CFT regulation within their area of responsibility as delegated by the law. As part of these tasks, FINMA regularly updates financial institutions on generic financial crime risks as well as regulatory developments at the national and international level, also with regard to sanctions and embargoes. However, information on particular criminal cases is provided to banks by law enforcement agencies and not by FINMA.
Assessment of Principle 29	Compliant
Comments