Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

Since the onset of the financial crisis in 2007, Switzerland has seen many cases of organisational governance, risk and compliance failures, such as certain banks turning a blind eye to competition law or client tax law issues, disregarding conflicts of interest or ignoring anti-money laundering compliance, or manufacturers doing business in a manner that distorts the level playing field. These cases have triggered an endless stream of new regulations in Switzerland over the past decade. Many new regulations address integrity, governance, risk or compliance management challenges, directly or indirectly. And, of course, Switzerland, with its small domestic market surrounded by the European Union, must align its legislation with EU rules and international standards that have also become broader and more detailed. As a result of these national and international legal developments, guaranteeing that an organisation meets its compliance obligations has become a challenging task for which responsibility ultimately lies with the board of directors.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

Generally, Switzerland’s legislation does not specifically address corporate risk and compliance management in a technical sense. However, many provisions in various Swiss laws require diligent and compliant business management at all levels. The most important statute in this respect is article 716a of the Swiss Code of Obligations (CO), which lists the non-transferable and inalienable duties of the members of the board of directors of a limited stock company. This provision emphasises the board’s responsibility for compliance with the law throughout the entire company. In addition, article 102 of the Swiss Criminal Code (SCC) requires corporations to take all necessary and reasonable organisational (compliance) measures to prevent criminal conduct by their employees. With regard to certain industries, the financial market laws, such as the Swiss Banking Act (BankA), the Swiss Banking Ordinance (BankO) and the Anti-Money Laundering Act, together with their related ordinances, stipulate a range of obligations with regard to the risk and compliance management of financial intermediaries. Companies must also abide by competition law - the most important statute in this respect being the Federal Act on Cartels (CartA).

The Swiss Financial Market Supervisory Authority (FINMA) regularly publishes circulars that are not formally binding but set out its supervisory practice. In connection with risk and compliance management, for instance, FINMA has issued circulars on corporate governance for banks and for insurance companies, and on how banks should manage liquidity risk. The latter circular clarifies the minimum qualitative requirements that the Liquidity Ordinance imposes on the way banks handle liquidity risk.

Other legally non-binding recommendations concerning internal controls, risk and compliance management were issued in 2014 by economiesuisse, the Swiss Business Federation, in its policy paper ‘Fundamentals of effective compliance management’. That paper serves as the reference document accompanying the Swiss Code of Best Practice for Corporate Governance. The Swiss Code is intended as a list of recommendations for Swiss public limited companies, applied on a ‘comply or explain’ basis. In practice, non-listed but economically significant companies and organisations (including those with legal forms other than a public limited company) also follow the guidance given by the Swiss Code.

In October 2016, the Corporate Responsibility Initiative was handed in to the Federal Chancellery. The initiative, a request for a direct democracy vote by citizens, aims to ensure that companies with registered offices, headquarters or a main place of business in Switzerland, and their boards, are held accountable for any violation of human rights and environmental standards in Switzerland or abroad. The initiative is encountering criticism from multinationals, but ultimately Swiss voters will decide whether it is adopted.

Technological developments have also led to new compliance requirements, for instance for initial coin offerings and the issuing of cryptocurrencies. FINMA took a first step in February 2018 by publishing a regulatory framework for initial coin offerings.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

Risk and compliance management processes are outlined in non-binding soft-law international standards such as ISO Standard 31000 - Risk management and ISO Standard 19600 - Compliance management systems. Some (mainly larger international) corporations also follow the soft-law COSO (Committee of Sponsoring Organizations of the Treadway Commission) enterprise risk management framework or the IIA (Institute of Internal Auditors) three lines of defence position paper (which is a basic risk governance concept rather than a soft-law standard).

ISO Standard 31000 provides senior management with a framework for designing and implementing an effective risk management system that fosters risk identification, risk analysis and risk evaluation (which, taken together, constitute the risk assessment process) and risk treatment. ISO Standard 19600 sets out the compliance responsibilities at all levels of an organisation, together with the procedure for planning, implementing and monitoring, measuring and continually improving a compliance management system with its governance, organisation and processes.


Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

Yes, businesses domiciled or operating in Switzerland are subject to statutory risk and compliance governance obligations. For instance, article 102 SCC (the corporate criminal offence of failing to employ all necessary and reasonable compliance measures to prevent bribery, money laundering, etc) applies to all businesses domiciled in Switzerland as well as to any businesses operating in Switzerland if they have legal or compliance employees located in Switzerland. In both cases, the company is liable for its global business conduct.

Swiss law also sets out the duties that are specific to the board and inalienable. Under article 716a CO, the board’s inalienable duties are the ultimate leadership and oversight of the company, including compliance with applicable laws.

What are the key risk and compliance management obligations of undertakings?

Under article 102 SCC (the corporate criminal offence of failing to prevent), if a felony or a misdemeanour is committed within the company in the exercise of its business and in accordance with its purpose, and the act cannot be attributed to any specific natural person because of the company’s inadequate (compliance) organisation, the felony or misdemeanour is attributed to the company itself. For certain serious offences (such as bribery), the company is criminally liable irrespective of the liability of any natural person if it has failed to take all necessary and reasonable organisational measures required to prevent such an offence.

In the banking sector, articles 3f and 3g BankA and article 12 BankO explicitly require banks to implement an effective internal control system with an independent internal audit function and proper risk management to identify, treat and monitor all material risks.