Compliance programmes

Programme requirements

What requirements exist concerning the nature and content of compliance and supervisory programmes for each type of regulated entity?

The main requirements relating to the structure and content of compliance programmes are set out in Circular 2017/1 of the Swiss Financial Market Supervisory Authority (FINMA) on corporate governance, risk management and internal controls at banks (FINMA Circular 17/1). Although FINMA Circular 17/1 applies as such only to banks and securities firms, it constitutes a market standard for all regulated entities.

FINMA Circular 17/1 consistently applies the principle of proportionality, leaving institutions free to implement its requirements in a way that takes account of their differing business models and the particular risks associated with them. It thereby accommodates the differences in the business operations of the licensees that must comply with its provisions.

The duties and responsibilities of the compliance function include the following activities.

  • Conducting an annual assessment of the compliance risk of the institution’s business activities and developing a risk-oriented activity plan for approval by the executive board. The activity plan must also be made available to internal audit.
  • Reporting promptly to the executive board on any major changes in the compliance risk assessment.
  • Reporting annually to the board of directors on the assessment of compliance risk and the activities of the compliance functions. A copy of the relevant reports must be provided to internal audit and the regulatory audit firm.
  • Reporting serious compliance breaches and matters with far-reaching implications in a timely manner to the executive board and the board of directors, and supporting the executive board in the choice of appropriate instructions and measures. Internal audit must be informed accordingly.



How important are gatekeepers in the regulatory structure?

The function of chief compliance officer is crucial in the regulatory structure and, as such, must provide the guarantee of irreproachable business conduct. This particularly means that the person acting as a chief compliance officer within a financial services firm is subject to enhanced administrative supervision by FINMA.

According to FINMA Circular 17/1, banks and securities firms shall appoint an internal auditor. If it is inappropriate to appoint an internal auditor because of the size of the regulated entity, the relevant duties and responsibilities can be delegated to the internal auditor of another company of the same group, to a second audit firm that is independent of the regulatory audit firm, or to an independent third party.

The internal auditor shall report directly to the board of directors or its audit committee, and fulfil the auditing and monitoring responsibilities assigned to it in an independent fashion. This means in particular that it has an unlimited right of inspection, information and audit within the regulated entity.

The main roles of the internal auditor are to deliver independent audits and assessments of the appropriateness and effectiveness of the regulated entity’s organisation and business processes, particularly with regard to the risk management and internal control system, and to ensure that the executive board, the board of directors or its audit committee and the regulatory audit firm are informed about the risk assessment and audit objectives. Furthermore, the internal auditor defines the audit objectives and planning for the next audit period and submits them and any necessary changes to the board of directors or its audit committee for approval.

With regard to entities authorised by virtue of the Financial Services Act (FinSA) and Collective Investment Schemes Act (CISA), FINMA may require that an internal audit be performed if the scope and nature of their activities demand it.

Special rules apply to portfolio managers and trustees under the Financial Institutions Act (FinIA). Under the FinIA, a risk-based approach is used with respect to separate internal audit and risk management functions. Small portfolio managers and trustees are thus not required to have an independent internal audit and risk management function.

Directors' duties and liability

What are the duties of directors, and what standard of care applies to the boards of directors of financial services firms?

The board of directors of a Swiss company is responsible for the ultimate management and oversight of the company. As such, the board of directors is also responsible for the oversight of compliance matters. FINMA has issued regulatory guidance with respect to corporate governance that further specifies the board of directors’ corporate governance-related obligations. According to the guidance, the board of directors is responsible for ensuring an adequate organisation, and appropriate and effective internal control systems. The board of directors is also responsible for appointing the head of the internal audit and, where required by FINMA regulations, the chief risk officer. Senior managers are typically responsible for the day-to-day management of the company.

When are directors typically held individually accountable for the activities of financial services firms?

Traditionally, FINMA enforcement actions have focused on institutions rather than on individual members of management. More recently, FINMA has also started to focus on individual decision-makers as part of its enforcement actions. From a regulatory perspective, directors and other members of senior management of financial institutions are held responsible where they have breached their duties and the breaches were of a significant nature. In such cases, FINMA has, in the past, ordered bans on professional activity in the regulated sector. Generally, FINMA will open enforcement proceedings against an individual where it has reason to believe that the individual no longer guarantees proper business conduct.

Private rights of action

Do private rights of action apply to violations of national financial services authority rules and regulations?

Traditionally, Swiss law does not provide for private rights of action to enforce financial market rules. Rather, enforcement of such rules is seen as a task for regulators and prosecutors. As a rule, clients of financial institutions may sue financial services providers for individual breaches of contract (ie, breaches of the contractual relationship between the financial services provider and its client); in such a civil suit, non-compliance by the financial services provider with regulatory rules of conduct (or similar) would be taken into account when assessing the alleged breach of contractual obligations. In the cases where Swiss law does provide a civil right of action for breaches of financial services regulation (eg, under the CISA, the relevant provisions having since been carried over on a cross-sector basis into the FinSA), a plaintiff would still have to show individual damage for such a suit to succeed.

Standard of care for customers

What is the standard of care that applies to each type of financial services firm and authorised person when dealing with retail customers?

Financial services firms and authorised persons have to comply with the following rules of conduct at the point of sale when dealing with retail customers: a duty to provide information, an obligation to verify the appropriateness and suitability of financial instruments and services (as regards investment advice or asset management, but not for execution-only transactions or the mere receipt and transmission of client orders), and a documentation and reporting duty, as well as a duty of transparency and of care. In addition, the requirement of appropriate and proper business conduct obliges all types of financial services firms and their agents to act with loyalty and diligence and to provide all necessary information to their customers.

As regards collective investment schemes, the rules of conduct set out in the CISA at the level of the fund and the product are recognised as minimum standards by FINMA. These rules are specified in the Code of Conduct of the Asset Management Association Switzerland, which clarifies the duties with which persons administering, holding or representing collective investment schemes, as well as their agents, must comply when dealing with customers, as follows.

  • Duty of loyalty: they act independently and exclusively in the interests of the investors and avoid any conflict of interests.
  • Due diligence: they implement the organisational measures that are necessary for proper management and ensure the best execution of the clients’ orders.
  • Duty to provide information: they ensure the provision of transparent financial statements and provide appropriate information about their activity; they disclose all charges and fees incurred directly or indirectly by the investors and their appropriation; and inform them in particular about the risks related to a given type of transaction.


Does the standard of care differ based on the sophistication of the customer or counterparty?

Financial services providers have to classify their clients as retail clients, professional clients or institutional clients. The FinSA provides opting-in and opting-out possibilities for professional and institutional clients. As a matter of principle, financial services providers must comply with the FinSA rules of conduct. However, no rules of conduct apply in relation to institutional clients, and professional clients may partially waive specific rules of conduct by means of an express declaration. It is noteworthy that the organisational requirements under the FinSA (except the obligation to affiliate with an ombudsman service) apply in all cases, irrespective of the customers' sophistication.


How are rules that affect the financial services industry adopted? Is there a consultation process?

New legislation in Switzerland, including legislation relating to the financial services industry, is adopted only after a consultation process. Consultation procedures are available at all levels of the legislative process, with consultation periods typically being longer for parliamentary acts than for implementing ordinances or regulations issued by the Swiss regulator. The consultation process is generally open to all interested parties. In addition, the relevant industry organisations (such as the Swiss Bankers Association, the Asset Management Association Switzerland and the self-regulatory organisations) regularly participate in the consultation process to ensure that the industry's points of view are taken into account early in the legislative process.