On 1 March 2016, FINMA published a draft of its revised circular on the management of operational risks by banks1 .

This partial revision aims to:

  • Simplify the principles already in place regarding operational risks and which will apply now to all risk categories2 ;
  • Integrate the new principles regarding IT risks, cyber risks, the maintenance of critical services in cases of insolvency and the risks relating to cross-border financial activities.

We summarise the key changes of the draft circular 2008/21 below. 

Scope and principle of proportionality

From now on, ‘small banks’ (according to the circular) will comprise banks and securities dealers in the FINMA categories 4 and 5. Hence, it is no longer the bank itself nor its external auditor that decide if a category 4 bank is a ‘small bank’ or a ‘large bank’. In addition, FINMA reserves the right to impose lighter or stricter conditions depending on the circumstances.

Responsibilities of the governing bodies and framework

The requirements in terms of the responsibilities of the governing bodies and the framework for operational risk management are now integrated in the new circular 2016/XX ‘Corporate governance – banks’ and they apply to all risk categories (market risks, credit risks, liquidity risks, operational risks, etc.).

Management of IT risks and cyber risks

Banks must define an IT risk management concept, which shall include an overview of their information systems, in particular. They must implement an integrated and complete IT risk management system that corresponds to their individual strategies and risk appetites.

Further, they must define a concept for the management of cyber risks3 . This document aims to define a holistic approach along the following six dimensions:

  1. Strategy: Ability to regulate and manage cyber risks appropriately;
  2. Identification: Ability to identify and evaluate the threats of cyber attacks;
  3. Protection: Ability to protect key assets against cyber attacks;
  4. Detection: Ability to detect cyber attacks;
  5. Response: Ability to respond adequately to identified cyber attacks;
  6. Recovery: Ability to mitigate cyber attacks and their impact and to recover the initial status.

Note that the above dimensions correspond to the contents of the self-assessment4 performed by category 3 banks in early 2016.

Lastly, banks must ensure they conduct regular vulnerability assessments and penetration testing in order to identify and resolve any deficiencies in their systems.

Maintenance of critical services in case of insolvency

Systemically important banks must ensure that the services5 required for key operations are maintained in situations where there is a risk of insolvency.

Besides the restrictive rules for systemically important banks, certain provisions apply to all institutions. Thus, all banks must prepare an inventory of the services that they deem critical.

Management of risks relating to cross-border financial activities

Banks with cross-border operations must analyse the relevant foreign legislation in place (tax law, criminal law, anti-money laundering law, etc.) and identify the corresponding risks.

Based on their analysis, they must implement the strategic and organisational measures needed to minimise the identified risks.

Processing client identifying data (CID)

Appendix 3 of the circular on the management of client identifying data integrates details that emerged from the FAQ relating to the circular6 , concerning the following principles in particular:

  • Principle 3 (data storage and access location): The inventory of the applications and infrastructure involved in the processing of CID must be promptly updated after any structural changes. Less significant changes shall be accounted for by means of regular updates.
  • Principle 5 (selection, monitoring and training of employees who have access to CID): The tighter security requirements apply to users with access to large volumes of data or access to highly confidential subcategories of CID (e.g. numbered accounts). Moreover, measures must be implemented to enable the identification of such users (e.g. log files).
  • Principle 7 (mitigation of risks relating to CID confidentiality): Small banks that do not use anonymization, pseudo-anonymization or encryption during the development, transformation and migration of systems must apply appropriate procedures for processing large volumes of CID (e.g. four eyes principle or log files).

Hearing and entry into force

All interested parties may submit comments on the draft circular until 13 April 2016. The expected entry into force of the revised circular is 1 August 2016.