Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

Since the onset of the financial crisis in 2007, Switzerland has seen many cases of organisational governance, risk and compliance failures, such as certain banks turning a blind eye to competition law or client tax law issues, disregarding conflicts of interest or ignoring anti-money laundering compliance, or manufacturers doing business in a manner that distorts the level playing field. These cases have triggered an endless stream of new regulations in Switzerland over the past decade. Many new regulations address integrity, governance, risk or compliance management challenges, directly or indirectly. And, of course, Switzerland, with its small domestic market surrounded by the European Union, must align its legislation with EU rules and international standards that have also become broader and more detailed. As a result of these national and international legal developments, guaranteeing that an organisation meets its compliance obligations has become a challenging task for which responsibility ultimately lies with the board of directors.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

Generally, Switzerland’s legislation does not specifically address corporate risk and compliance management in a technical sense. However, many provisions in various Swiss laws require diligent and compliant business management at all levels. The most important statute in this respect is article 716a of the Swiss Code of Obligations (CO), which lists the non-transferable and inalienable duties of the members of the board of directors of a limited stock company. This provision emphasises the board’s responsibility for compliance with the law throughout the entire company. In addition, article 102 of the Swiss Criminal Code (SCC) requires corporations to take all necessary and reasonable organisational (compliance) measures to prevent criminal conduct by their employees. With regard to certain industries, the financial market laws, such as the Swiss Banking Act (BankA), the Swiss Banking Ordinance (BankO) and the Anti-Money Laundering Act, together with their related ordinances, stipulate a range of obligations with regard to the risk and compliance management of financial intermediaries. Companies must also abide by competition law, the most important statute in this respect being the Federal Act on Cartels (CartA).

The Swiss government’s Financial Market Supervisory Authority (FINMA) regularly publishes non-binding circulars. For instance, in connection with risk and compliance management measures, FINMA explained corporate governance for banks and insurance companies and how banks should manage liquidity risks. The latter circular clarifies what the Liquidity Ordinance states regarding the minimum qualitative requirements for the way banks handle liquidity risk.

Other legally non-binding recommendations concerning internal controls, risk and compliance management were issued in 2014 by economiesuisse, the Swiss Business Federation, in its policy paper ‘Fundamentals of effective compliance management’. This is the reference document on the Swiss Code of Best Practice for Corporate Governance. The Swiss Code is intended as a list of recommendations based on the ‘comply or explain’ principle for Swiss public limited companies. Non-listed, economically significant companies or organisations (including those with legal forms other than a public limited company) in practice follow the guidance given by the Swiss Code.

In October 2016, the Corporate Responsibility Initiative was handed in to the Federal Chancellery. The initiative, a request for a direct democracy vote by citizens, aims to ensure that companies with registered offices, headquarters or a main place of business in Switzerland, and their boards, are held accountable for any violation of human rights and environmental standards in Switzerland or abroad. The initiative is encountering criticism from multinationals, but ultimately Swiss voters will decide whether it is adopted.

Technological developments have also led to new compliance requirements, for instance for initial coin offerings and the issuing of cryptocurrencies. FINMA has taken a first step and in February 2018 it published a regulatory framework for initial coin offerings.

Types of undertaking

Which are the primary types of undertakings targeted by the rules related to risk and compliance management?

Compliance and risk management obligations must be fulfilled by all legal entities regardless of their size or business activity. However, larger companies (in terms of revenues, balance sheet and number of employees) are in general subject to stricter statutory compliance and control or audit regulations. The legal entities targeted by statutory risk and compliance obligations are (in order of importance in practice): public limited (stock) companies, private limited companies and foundations (in particular in the area of statutory professional insurance). Listed companies and, in general, companies in the financial sector, are subject to overall stricter risk and compliance management obligations.

Regulatory and enforcement bodies

Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?

The principal regulatory and enforcement bodies for the private sector are FINMA, the Office of the Attorney General (OAG), and the Competition Commission (COMCO). For the public sector, the main controlling body is the Federal Audit Office.

FINMA supervises and regulates the financial industry: banks, insurance companies, brokers, etc, though as yet not asset managers. It has extensive powers, which it exercises itself or through independent examiners (accredited law firms, auditors and forensic experts) by supervising, monitoring, auditing, investigating and sanctioning financial intermediaries and senior management. Financial intermediaries are required to self-report all major legal risks to FINMA. FINMA issues ordinances and circulars and regularly publishes decisions and guidance on legal requirements for financial institutions, in particular the standard of professional diligence and best practice risk and compliance management.

The OAG, cantonal prosecutors and criminal courts enforce article 102 SCC, under which a company may be held criminally liable for failing to take all necessary and reasonable organisational (compliance) measures to prevent certain key crimes, such as bribery and money laundering. It is important to bear in mind that under the SCC a company may be fined up to 5 million Swiss francs, and have illicit profits confiscated. The cantonal and federal prosecutors play an increasingly significant role as enforcers of adequate corporate compliance. With its landmark case against Alstom in November 2011, the OAG developed its practice of effectively prosecuting companies that violate article 102 SCC for corruption and money laundering. In the Alstom case, the Swiss subsidiary of Alstom Group (FR) was fined for lack of adequate compliance to avoid bribery of foreign officials and, in addition to a fine of 2.5 million Swiss francs, was obliged to disgorge profits of 36.4 million Swiss francs.

On 1 January 2016, a memorandum of understanding on cooperation between FINMA and the OAG came into force, based on article 38 of the Federal Act on the Swiss Financial Market Supervisory Authority (FINMASA). This memorandum highlights the growing importance for Swiss enforcement agencies to exchange information and cooperate to combat corruption. FINMA’s main task is the prudential supervision of institutions it has authorised to engage in financial market activities. The OAG, on the other hand, is the federal agency competent for prosecuting criminal acts with an inter-cantonal or cross-border dimension.

The federal and cantonal prosecutors are responsible for conducting criminal investigations and bringing charges for money laundering. Financial intermediaries and traders that suspect assets stem from a felony or misdemeanour or belong to a criminal organisation must notify the money laundering reporting office which may, in turn, notify the criminal prosecutor, which actually happens in about 70 per cent of cases. The OAG has recently opened a number of criminal investigations against Swiss banks for violating anti-money laundering and anti-bribery statutes.

With regard to COMCO, businesses are sanctioned (under administrative law) if they engage in cartels or illicit vertical restraints, abuse a dominant market position, or ‘gun jump’ to bypass merger control regulations. For example, one of COMCO’s most recent high-profile probes concerned around 20 international banks for fixing the LIBOR, TIBOR and EURIBOR interest rates, with the banks ultimately fined a total of approximately 100 million Swiss francs in December 2016. Other recent COMCO activities include fining one of Switzerland’s largest telecommunications companies, Swisscom, in connection with live sports broadcasting on pay TV, and the prohibition of anticompetitive contract clauses by hotel-booking platforms such as Booking.com, Expedia and HRS.

Definitions

Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?

Risk management and compliance management are not explicitly defined in Swiss legislation. However, international standards are increasingly being accepted as soft law benchmarks for generally accepted best practice. For instance, COMCO, in its public presentations, refers to ISO Standard 19600 - Compliance management systems as one of its benchmarks should a company raise the compliance defence against a sanction.

Processes

Are risk and compliance management processes set out in laws and regulations?

Swiss legislation does not describe risk and compliance management processes specifically. There are, however, certain provisions that stipulate the precautions to be taken in that regard. For instance, article 728a CO states that the external auditor must examine whether an internal control system exists and must take it into account when determining the scope of the audit and during the audit procedure. Furthermore, the external auditor must ensure that the internal control system includes an adequate risk management system.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

Risk and compliance management processes are outlined in non-binding soft-law international standards such as ISO Standard 31000 - Risk management and ISO Standard 19600 - Compliance management systems. Some (mainly larger international) corporations also follow the soft-law COSO (Committee of Sponsoring Organizations of the Treadway Commission) enterprise risk management framework or the IIA (Institute of Internal Auditors) three lines of defence position paper (which is a basic risk governance concept rather than a soft-law standard).

ISO Standard 31000 provides senior management with a framework for designing and implementing an effective risk management system that fosters risk identification, risk analysis and risk evaluation (which, taken together, constitute the risk assessment process) and risk treatment. ISO Standard 19600 sets out the compliance responsibilities at all levels of an organisation, together with the procedure for planning, implementing and monitoring, measuring and continually improving a compliance management system with its governance, organisation and processes.

Obligations

Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

Yes, businesses domiciled or operating in Switzerland are subject to statutory risk and compliance governance obligations. For instance, article 102 SCC (the corporate criminal offence of failing to employ all necessary and reasonable compliance measures to prevent bribery, money laundering, etc) applies to all businesses domiciled in Switzerland as well as to any businesses operating in Switzerland if they have legal or compliance employees located in Switzerland. In both cases, the company is liable for its global business conduct.

Swiss law also sets out the duties that are specific to the board and inalienable. Under article 716a CO, the board’s inalienable duties are the ultimate leadership and oversight of the company, including compliance with applicable laws.

What are the key risk and compliance management obligations of undertakings?

Under article 102 SCC (the corporate criminal offence of failing to prevent), if a felony or a misdemeanour is committed in the company in the exercise of its business and in accordance with its purpose, the felony or misdemeanour is attributed to the company if it is not possible to attribute this act to any specific natural person as a result of inadequate (compliance) organisation by the company. In case of serious felonies (such as bribery), the company is criminally liable irrespective of the liability of any natural person, if the company has failed to take all necessary and reasonable organisational measures required to prevent such an offence.

In the banking sector, articles 3f and 3g BankA and article 12 BankO explicitly require banks to implement an effective internal control system with an independent internal audit function and proper risk management to identify, treat and monitor all material risks.

Liability

Liability of undertakings

What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

Article 716a CO lists the non-transferable and inalienable duties of the members of the board of directors, highlighting their responsibility for the overall management, organisation and (global) compliance of the company. On this statutory basis, the external auditors must provide the board of directors with a comprehensive report on the financial statements and the internal control system of the company (article 728b CO).

Under articles 717 and 754 CO, the members of the board of directors and the members of the executive board are required to manage the company with diligence, the members of the board of directors being held to an increased degree of diligence. This standard requires the members of the board of directors and of the executive board to implement effective risk and compliance management systems.

Do undertakings face civil liability for risk and compliance management deficiencies?

Yes. On an extracontractual basis, third parties are entitled to claim civil damages from companies if the damage has been caused by employees or other auxiliaries who were not diligently selected, instructed and supervised or if the company does not prove that the employer took all necessary precautions to prevent the harmful conduct (article 55 CO). A similar provision exists regarding causal contractual liability (article 101 CO).

Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?

One example of administrative consequences for risk and compliance management deficiencies is the sanctions set out in article 49a of the CartA. In case of infringements against the CartA, companies can raise the compliance defence, in other words they can produce evidence that the infringement occurred despite the company’s best practice risk and compliance management. COMCO refers to a number of international standards and best practice guidelines as a benchmark for state-of-the-art compliance management (eg, ISO 19600 and the guidelines of the Organisation for Economic Co-operation and Development (OECD) and the International Chamber of Commerce (ICC)). If a company successfully raises the compliance defence, it will not suffer sanctions.

Institutions that are subject to FINMA’s regulatory financial market supervision may face specific regulatory consequences in case of risk and compliance management deficiencies. FINMA has a broad range of tools to enforce its regulations:

  • precautionary measures;
  • orders to restore compliance with the law;
  • declaratory rulings;
  • directors’ disqualification;
  • cease-and-desist orders and bans on trading;
  • publication of decisions;
  • confiscation of profits; and
  • revoking of licences and compulsory liquidation.

In the application of these regulatory enforcement measures, FINMA is guided by the aims of Swiss financial market laws, namely the purposes of protecting creditors and investors, ensuring fair market conduct, and maintaining the good standing and stability of the (Swiss) financial system.

Do undertakings face criminal liability for risk and compliance management deficiencies?

Pursuant to article 102 SCC, businesses face corporate criminal liability for organisational weaknesses (the failure to prevent criminal conduct by employees). Under paragraph 1, if a felony or a misdemeanour is committed by employees in the exercise of the company’s business in accordance with its purpose, the felony or misdemeanour is attributed to the company if it is not possible to attribute the offence to a specific employee as a result of inadequate organisation by the company. In the case of paragraph 1, the business is liable to a fine not exceeding 5 million Swiss francs (see question 4).

In addition, the company can be convicted under paragraph 2 if the offence committed falls under a list of serious criminal offences, such as bribery and money laundering. If a predicate offence is established and if the company failed to employ all necessary and adequate measures to prevent it, it is criminally liable for its organisational failure. Fines can amount to a maximum of 5 million Swiss francs and the company is obliged to disgorge illicit profits.

Liability of governing bodies and senior management

Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

Under article 754 CO, the members of the board of directors, senior management and all persons engaged in the liquidation of a limited company face civil liability towards the company, the shareholders and creditors for any loss or damage arising from any intentional or negligent breach of their duties of diligence. One of their key statutory responsibilities is to ensure compliance with the law by all employees. It is important to note that it is not only the members of the company’s formal governing bodies (ie, the members of the board of directors and the members of the executive board) that can be held liable, but also factual members of governing bodies who have not been formally appointed, yet exercise significant influence over the company’s management.

Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

Senior members of management only face administrative or regulatory consequences for such breaches in regulated industries, such as the financial industry. Senior members of management at financial institutions regulated by FINMA can face administrative and regulatory consequences should they fail in their duty of diligence. FINMA can take administrative or regulatory measures against managers, such as disqualifying a director, adding a manager to a watchlist and issuing a business conduct letter. FINMA can enter an individual’s information in a database known as the watchlist if the individual’s business conduct is questionable or does not meet the legal requirements. The watchlist is used for assessing relevant information for compliance prerequisites, namely personal details; excerpts from commercial, debt enforcement and bankruptcy registers; criminal, civil and administrative court decisions; and reports by auditors and third parties appointed by FINMA. Furthermore, under specific circumstances, FINMA can send a business conduct letter to those registered in the watchlist. A business conduct letter does not qualify as a decision; it merely states that FINMA reserves the right to review compliance with the diligence requirements should the manager change position. In the event of a disqualification, FINMA may ban individual directors responsible for serious violations of supervisory law from acting in a senior function at a supervised institution for up to five years.

Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

Individuals are criminally liable if they fail to implement effective risk and compliance management and turn a blind eye to mismanagement (article 158 SCC), embezzlement (article 138 SCC), money laundering (article 305-bis SCC) or bribery (article 322-ter et seq SCC), and so on. Failure to prevent serious criminal offences, such as bribery, is a corporate crime (see questions 9 and 13).

Corporate compliance

Corporate compliance defence

Is there a corporate compliance defence? What are the requirements?

Under article 102(2) SCC, a company is criminally liable for certain felonies committed by its employees if it has not implemented the necessary and adequate (compliance) measures to prevent them. The burden of proof for the inadequacy of the compliance measures rests with the prosecutor or court. Nevertheless, the defendant company will want to establish that it has implemented all necessary and adequate compliance measures. To do this, the company will need to submit evidence regarding its compliance policy, its good compliance governance, the overall compliance management system, the procedures involved in the compliance management system, the measurement of the system’s effectiveness, regular reporting to senior management, and continual improvement.

In competition law cases, COMCO, when determining a sanction, also takes the company’s (competition) compliance management into account. The burden of proof rests with the company.

Recent cases

Discuss the most recent leading cases regarding corporate risk and compliance management failures.

In August 2015, the OAG opened criminal proceedings against two former officials at 1MDB and against unknown persons based on the suspicion of bribing foreign public officials (article 322-septies SCC), misconduct in public office (article 314 SCC), money laundering (article 305-bis SCC) and criminal mismanagement (article 158 SCC). In April 2016, the investigation was extended to two former officials who had been in charge of Abu Dhabi sovereign funds. They are suspected of fraud (article 146 SCC), criminal mismanagement (article 158 SCC), misconduct in public office (article 314 SCC), document forgery (article 251 SCC), bribery of foreign public officials (article 322-septies SCC) and money laundering (article 305-bis SCC).

Further to the substantial number of Petrobras/Lava Jato-related investigations, the OAG convicted Brazilian company Odebrecht SA and its subsidiary Braskem in December 2016 for organisational failure to prevent the bribery of foreign officials and money laundering under article 102(2) SCC. The OAG stated that Odebrecht SA had created slush funds throughout the world to pay bribes to government officials, representatives and political parties in a bid to obtain business and projects from state-owned companies. As a result, Odebrecht SA was fined 4.5 million Swiss francs and was obliged to disgorge profits of more than 200 million Swiss francs. A number of banks have been affected by the Petrobras/Lava Jato investigations and filed suspicious-activity reports. This led to follow-up investigations in 2017 against individuals, such as a banker in Brazil.

The year 2017 saw the first settlement in a case of self-reporting to the OAG of suspected failure to prevent bribery of foreign officials. The reporting company was fined a symbolic amount of one Swiss franc in consideration of its timely self-reporting, full cooperation in the investigation and its substantial remediation. The OAG also set a compensatory claim of 35 million Swiss francs (disgorgement of illicit profits). The investigation took 13 months and illustrates the benefits of self-reporting.

Another notable example is the first conviction in the investigation into FIFA, world football’s governing body, in which a former Swiss banker was convicted of failing to file mandatory money-laundering reports, and the opening of a new FIFA-related bribery investigation against the former secretary-general of FIFA and the CEO of a media group in connection with the granting of World Cup media rights for events up to 2030.

Other key cases are the ongoing investigation of a pharmaceuticals company for alleged bribery in Greece, investigations into a major Swiss bank for its alleged involvement in a Venezuelan bribery scandal and its recruitment practices in Asia, and in October 2017 FINMA opened an investigation into the Raiffeisen Group and its former CEO for suspected corporate governance and conflict of interest issues.

Government obligations

Are there risk and compliance management obligations for government, government agencies and state-owned enterprises?

When it comes to corporate criminal liability, the SCC does not differentiate between private and public companies. Within the meaning of article 102(4) SCC, the German term Unternehmen includes entities under both private and public law. Swiss state-owned companies such as cantonal banks, hospitals, telecommunications providers, energy suppliers, railways, defence companies, certain insurance companies, airports, etc, must employ best practice risk and compliance management to meet their compliance obligations and avoid criminal liability in the event of employee misconduct.

The government and all government agencies are obliged to conduct themselves in accordance with the statutes under which they are established and governed. These statutes all require the government and government bodies to meet their compliance obligations.

Digital transformation

Framework covering digital transformation

What are the key statutory and regulatory differences between public sector and private sector risk and compliance management obligations?

The principle that all organisations must meet their compliance obligations is the same in both the private and public sector. All organisations must introduce and maintain best practice (legal) risk management systems and compliance management systems. The main difference between private sector and public sector obligations is the overall purpose, which for public sector organisations covers the smooth running of government and the maintenance of citizens’ trust, and for private sector companies covers such items as the protection of employees, shareholders and creditors.

Update and trends

Corporate Switzerland is facing a series of crises owing to increasing regulation and tighter controls by the authorities. A number of first-tier companies and public entities have recently been confronted with governance and compliance failures. By way of example, in February 2018, the public transport subsidiary of Swiss Post (PostAuto Schweiz AG) was accused of accounts and records violations from 2007 to 2015, with the intention of illegally obtaining at least 90 million Swiss francs in public subsidies for the operation of its regional transportation services.

The major investigative trend is that Swiss and foreign companies in all sectors are now more often targeted by criminal investigations on the basis of suspected organisational failure to prevent bribery and money laundering. In addition, employees at all levels who have either actively committed or passively turned a blind eye to fraud, mismanagement, corruption and money laundering are now systematically investigated. International cooperation has also been stepped up in 2017, notably with Brazil, France, Germany, Greece, Italy, the Netherlands, Spain and the United States.
