Confidentiality

Obligations

Describe the private banking confidentiality obligations.

Banks incorporated in Switzerland, as well as Swiss branches and representative offices of foreign banks, are bound by a statutory duty of confidentiality towards their clients (ie, banking secrecy). The disclosure of client information to third parties, including parent and affiliated companies, is prohibited in this context.

Banking secrecy is, however, not absolute and may be waived or does not apply under certain exceptional circumstances. In recent years, the importance and scope of Swiss banking secrecy has been subject to intense discussion following pressure from other countries. The situation has, however, changed as regards tax matters with the implementation of the automatic exchange of information (see question 31).

In principle, clients of independent asset managers do not benefit from the protection of the banking secrecy that applies to relationships entered into with banks and securities dealers within the meaning of the BA and SESTA. As a result, specific confidentiality provisions are usually incorporated in the contractual documentation in this respect. However, when FinIA and FinSA are expected to enter into force on 1 January 2020, wealth managers newly subject to supervision will have to comply with a statutory duty of confidentiality (similar to banking secrecy (see above)) towards their clients.

Moreover, clients’ data is also protected by the provisions of the Data Protection Act (DPA), which is generally in line with EU legislation on data protection. Currently, the DPA is under revision in order - at least in theory - to harmonise it with the new data protection standards adopted by the European Union (ie, Regulation (EU) No. 2016/679 (repealing Directive 95/46/EC on General Data Protection (GDPR)) and Directive 2016/680/EU). At the time of writing, the Swiss legislator has not yet published a timeframe for this reform, which will allow Switzerland to uphold its status as a country providing for an equivalent level of data protection and to be recognised as such by EU member states.

Scope

What information and documents are within the scope of confidentiality?

Swiss banking secrecy encompasses all information and documents that pertain to the contractual relationship between the bank and its clients. That said, Swiss case law and scholars make it clear that purely internal notes and instructions of a bank (ie, not specifically relating to a client or containing client-identifying information) pertain to the bank’s own private sphere and are not covered by banking secrecy.

Likewise, the contractual confidentiality provisions within asset management agreements usually cover a similar scope of information.

For the purposes of data protection, the term ‘personal data’ comprises any information relating to an identified or identifiable person (ie, the data subject), it being understood that Swiss law adopts a ‘relative’ approach to the identification, in the sense that the ability to identify a data subject from the data is assessed relative to the person processing the data, by reference to legal means to access other data that may be correlated to the dataset under review, and not merely based on the theoretical ability of any person to reverse engineer a dataset.

Expectations and limitations

What are the exceptions and limitations to the duty of confidentiality?

As mentioned in question 42, Swiss banking secrecy does not apply in certain exceptional situations. This is the case when a bank is under a disclosure of information duty to Swiss public or judicial authorities, in accordance with relevant Swiss procedural regulations. Further, communication of information for the purposes of consolidated supervision over a banking group to which a Swiss bank belongs (provided that such communication is necessary and fulfils further conditions) may be allowed despite banking secrecy. Finally, banks are authorised to disclose client-related data provided the client has given his or her consent. To be valid, the banking secrecy waiver is to be expressly given in writing and the client is to be specifically informed on the consequences of such a waiver. Further, its scope is to be clearly defined.

The exceptions and limitations to the contractual confidentiality duty in asset management agreements with independent asset managers depend on the terms of the contractual provisions. In any event, such confidentiality duty would not apply if the independent asset manager is under a disclosure obligation to a Swiss public or judicial authority, as per the relevant procedural regulations.

In terms of data protection, the exceptions and limitations in relation to the processing or communication of personal data generally rely on the data subject’s consent, a legal obligation or a prevailing public or private interest. Certain limitations also apply in the event of a transmission of data abroad, namely, in the event that the foreign country to which the data is transmitted does not offer an adequate level of data protection.

Breach

What is the liability for breach of confidentiality?

Under Swiss law, a breach of banking secrecy is considered as a breach of the client-bank relationship, and may give rise to criminal and civil liability.

The potential sanction for an intentional breach of banking secrecy is a fine of up to 540,000 Swiss francs or a prison sentence of up to three years for the individuals involved. In cases where a pecuniary advantage was obtained for the individual involved or a third party through the breach, the potential prison sentence is up to five years or a fine. In case of negligence, the sanction is a fine of up to 250,000 Swiss francs. Further, an intentional breach may be considered as an activity contrary to proper banking practice (article 3, paragraph 2(c) of the BA). In practice, the Swiss bank and its management would run a risk of sanctions and may ultimately lead to the withdrawal of the Swiss banking licence, as well as personal bans from exercising any managerial roles in regulated entities for the individuals.

Finally, the Swiss bank would also incur a civil liability based on breach of contract towards its clients for any financial prejudice suffered by them as a result of the disclosure information. The extent of liability for breach of contract will depend on the terms of the contractual agreement, in particular any indemnification or limitation of liability provisions.

As regards the confidentiality duty provided contractually with independent asset managers, in addition to civil liability as described above, the latter may incur criminal liability. Article 162 of the SCC provides that any person who discloses a manufacturing or business secret which that person was legally or contractually bound to maintain commits a criminal offence. This offence is punishable by imprisonment for up to three years or a fine capped at 540,000 Swiss francs. As indicated in question 41, wealth managers subject to FinIA will be, as of January 2020, under a statutory duty of confidentiality. The potential sanctions for an intentional breach will be the same as for a breach of banking secrecy (see above).

For the rest, the potential sanctions in case of intentional breach of certain provisions of the DPA is a fine capped at 10,000 Swiss francs.