Compliance programmes

Programme requirements

What requirements exist concerning the nature and content of compliance and supervisory programmes for each type of regulated entity?

The main requirements relating to the structure and content of compliance programmes are enshrined in FINMA Circular 2017/1 on corporate governance, risk management and internal controls at banks (FINMA Circular 17/1). Even if FINMA Circular 17/1 applies per se to banks and securities dealers, it constitutes a market standard for all regulated entities.

FINMA Circular 17/1 consistently implements the principle of proportionality, leaving institutions free to implement the requirements in a way that takes account of their differing business models and of the particular risks associated with them. It therefore takes into account the differences in the business operations of the licensees that must comply with its provisions.

The duties and responsibilities of the compliance function include at least the following activities:

  • Conducting an annual assessment of the compliance risk of the institution’s business activities and developing a risk-oriented activity plan for approval by the executive board. The activity plan must also be made available to internal audit.
  • Reporting promptly to the executive board on any major changes in the compliance risk assessment.
  • Reporting annually to the board of directors on the assessment of compliance risk and the activities of the compliance functions. A copy of the relevant reports must be provided to internal audit and the regulatory audit firm.
  • Reporting serious compliance breaches and matters with far-reaching implications in a timely manner to the executive board and the board of directors, as well as supporting the executive board in the choice of appropriate instructions and measures. Internal audit must be informed accordingly.

How important are gatekeepers in the regulatory structure?

The function of chief compliance officer is crucial in the regulatory structure and, as such, must provide the guarantee of irreproachable business conduct. This particularly means that the person acting as a chief compliance officer within a financial services firm is subject to enhanced administrative supervision by FINMA.

According to FINMA Circular 17/1, banks and securities dealers shall establish an internal auditor. If it seems inappropriate to establish an internal auditor because of the size of the regulated entity, the relevant duties and responsibilities can be delegated to an internal auditor of another company of the same group, a second audit firm that is independent of the regulatory audit firm or an independent third party.

The internal auditor shall report directly to the board of directors or its audit committee, and fulfil the auditing and monitoring responsibilities assigned to it in an independent fashion. This means in particular that it has an unlimited right of inspection, information and audit within the regulated entity.

The main roles of the internal auditor are to deliver independent audits and assessments of the appropriateness and effectiveness of the regulated entity’s organisation and business processes, particularly with regard to the risk management and internal control system, and ensure that the executive board, the board of directors or its audit committee and the regulatory audit firm are informed about the risk assessment and audit objectives. Furthermore, the internal auditor defines the audit objectives and planning for the next audit period and submits them and any necessary changes to the board of directors or its audit committee for approval.

With regard to all entities authorised by virtue of CISA, FINMA may require that an internal audit be performed if the scope and nature of their activities demands it.

Directors' duties and liability

What are the duties of directors, and what standard of care applies to the boards of directors of financial services firms?

The board of directors of a Swiss company is responsible for the ultimate management and oversight of the company. As such, the board of directors is also responsible for the oversight of compliance matters. FINMA has issued regulatory guidance with respect to corporate governance that further specifies the board of directors’ corporate governance related obligations. According to the guidance, the board of directors is responsible for ensuring an adequate organisation, and appropriate and effective internal control systems. The board of directors is also responsible for appointing the head of the internal audit and, where required by FINMA regulations, the chief risk officer.

When are directors typically held individually accountable for the activities of financial services firms?

Traditionally, FINMA enforcement actions have focused on the institutions rather than individual members of the management. More recently, FINMA has also started to focus on individual decision-makers as part of its enforcement actions. From a regulatory perspective, directors (and other members of the senior management of financial institutions) are held responsible where they have breached their duties (see question 15) and where such breaches were of a significant nature. In such cases, FINMA has, in the past, ordered bans of a professional activity in the regulated sector. Generally speaking, FINMA will open enforcement proceedings against individuals, where it has reason to believe that the individual no longer guarantees proper business conduct.

Private rights of action

Do private rights of action apply to violations of national financial services authority rules and regulations?

Traditionally, Swiss law does not provide for private rights of action to enforce violations of financial market rules. Rather, enforcement of such rules is seen as a task that should fall within the scope of activity of regulators and prosecutors. As a rule, clients of financial institutions may sue financial services providers for individual breaches of contract (ie, breaches of the contractual relationship between the financial services provider and its client); in such a civil suit, non-compliance by a financial services provider with regulatory rules of conduct (or similar) would be taken into account when assessing an alleged breach of contractual obligations. In cases where Swiss law provides for a civil law right of action for breaches of financial services regulations (eg, in the context of the Collective Investment Schemes Act, such provisions being transferred on a cross-sector level into the new FinSA), a plaintiff would still have to show individual damages in order for such a suit to be successful.

Standard of care for customers

What is the standard of care that applies to each type of financial services firm and authorised person when dealing with retail customers?

From a regulatory point of view, the standard of care does not differ based on the sophistication of the customer or counterparty, except in the funds industry. In the current state of the legislation, appropriate and proper business conduct requires all types of financial services firms and their agents to act with loyalty and diligence and to provide all necessary information to their customers.

The codes of conduct enshrined in the CISA and the Stock Exchanges and Securities Trading Act are recognised as minimum standards by FINMA. In addition to the administrative nature of these rules, they also impact the contractual relationship between the financial service firm and its customer under private law. These codes of conduct provide clarifications as to the duties with which the financial services firm shall comply when dealing with customers:

  • duty of loyalty: they act independently and exclusively in the interests of the investors and avoid all conflicts of interest;
  • due diligence: they implement the organisational measures that are necessary for proper management and ensure the best execution of the clients’ orders; and
  • duty to provide information: they ensure the provision of transparent financial statements and provide appropriate information about their activity; they disclose all charges and fees incurred directly or indirectly by the investors and their appropriation and inform them in particular about the risks related to a given type of transaction.

As of the entry into force of the FinSA (see also ‘Update and trends’), all financial services firms and authorised persons will need to comply with the following rules of conduct when dealing with retail customers: duty to provide information; assessment of the appropriateness and suitability; documentation and rendering of accounts; and transparency and care in client orders.

Does the standard of care differ based on the sophistication of the customer or counterparty?

As mentioned in question 18, the standard of care does not differ based on the sophistication of the customer or counterparty, except in the funds industry. Indeed, CISA distinguishes three types of customer: regulated qualified investors; non-regulated qualified investors; and retail investors. CISA allows the switch from one category to another and to benefit from a higher or lower level of protection under certain conditions. For instance, high net worth retail clients may declare that they wish to be treated as non-regulated qualified investors (opting out).

In the new FinSA, financial service providers will have to distinguish retail customers from professional customers. This second category will include a subgroup comprising institutional clients. By contrast with retail customers, the FinSA provides that no rules of conduct will apply to institutional clients. With respect to professional clients, they may waive the application of certain rules of conduct, such as the duty to provide information and the documentation and rendering of accounts, by express declaration to the financial service provider.

Rule making

How are rules that affect the financial services industry adopted? Is there a consultation process?

New legislation in Switzerland, including that which relates to the financial services industry, is adopted only after a consultation process. These consultation procedures are available at all levels of the legislative process, with consultation periods typically being longer for parliamentary acts as opposed to implementing ordinances or regulations issued by the Swiss regulator. The consultation process is generally open to all interested parties. In addition, the relevant industry organisations (such as the SBA, SFAMA and the SROs) regularly participate in the consultation process in order to ensure that the industry points of view are taken into account early on in the legislative process.