Overview
The Swiss Financial Market Supervisory Authority (FINMA) continuously adapts its regulatory framework to address emerging risks in the financial sector. The timeline below highlights key publications and their focus areas, illustrating FINMA's proactive approach to operational resilience, cybersecurity, data management, new technologies such as AI, and climate risk.
- **FINMA Circular 2018/3 "Outsourcing – Banks and Insurance Companies"**: updated regulatory requirements for outsourcing material business functions, including the higher risk attached to activities performed outside Switzerland. Effective April 1, 2018.
- **FINMA Guidance 05/2020 (cyber risks)**: initial guidance addressing the growing landscape of cyber threats facing supervised institutions.
- **FINMA Circular 2023/1 "Operational risks and resilience – banks"**: entered into force, clarifying supervisory practice for operational risks, particularly in connection with ICT, the handling of critical data and cyber risks; it replaced the previous BCM recommendations.
- **Cyberattacks and outsourcing concentration**: highlights the increasing complexity of cyberattacks (a 30% increase in reported attacks in 2024) and emphasizes concentration risk in outsourcing.
- **FINMA Guidance 03/2024 (cyber risks)**: sets out findings from supervisory work on cyber risks and provides further clarifications, supplementing Guidance 05/2020.
- **Nature-related financial risks**: introduced to address environmental degradation and biodiversity loss, requiring robust frameworks for managing nature-related financial risks.
- **AI survey**: surveyed around 400 licensed institutions on their use of AI, tracking development, governance and risk management.
- **AI guidance**: published guidance drawing attention to the risks of the rapid adoption of AI in finance, including model risks and data-related risks.
- **FINMA Circular 2025/3 "Liquidity – Insurers"**: came into force, outlining detailed requirements for liquidity management, planning and reserves for insurers.
Top 10 Pragmatic KRIs for Emerging Financial Institutions
These Key Risk Indicators (KRIs) provide early warning signals that enable proactive risk management, and each is mapped to the FINMA expectation and the risk management literature that support it.
| KRI | FINMA Reference(s) | Risk Management Literature Reference(s) |
|---|---|---|
| **1. Percentage of Employees Failing Phishing Simulations** | FINMA expects robust cyber risk management including appropriate training and exercises on cyber incidents, and raising staff awareness. Human error remains a common vulnerability. FINMA Guidance 03/2024 on Cyber Risks. | "Percent of users who fail a phishing exercise" is a forward-looking cybersecurity KRI. Employee training programs are crucial for combating cyber threats. Human behavior is often the weakest link in security.[1] |
| **2. System Uptime / Mean Time Between Failures (MTBF)** | FINMA Circular 2023/1 "Operational risks and resilience – banks" focuses on operational resilience and ICT risk management and expects IT systems to be available at all times. Operational resilience is the ability to restore critical functions during disruptions.[2, 3] | MTBF is an operational KRI measuring how frequently systems fail (time to restore is tracked by the companion metric, MTTR). IT system downtime is an example of an operational KRI. Business interruption and hardware/software system failures are operational risks. |
| **3. Rate of Compliance Training Completion** | FINMA expects robust cyber risk management including appropriate training, and stresses employee awareness and training against cyber threats. See also the AMLA and its implementing ordinances. | This KRI measures compliance risk exposure. Employee training plays a crucial role in compliance risk management.[4] Regular training ensures teams stay updated on evolving threats.[5] |
| **4. Vendor Security Posture Score (or Number of Critical Vendors with Low Scores)** | FINMA regards outsourcing of significant functions as one of the most important risks, citing increased attacks targeting external service providers (30% of reported cyberattacks in 2024) and a significant increase in outsourcing of IT infrastructure and critical data to the public cloud. FINMA Circular 2018/3 "Outsourcing – Banks and Insurance Companies". | Third-party relationships are a key operational risk, so continuous monitoring of vendor security performance is crucial. "Number of vendors with a low-risk score" is a leading indicator of third-party security issues. Vendor risk management is about reducing the risk vendors expose an organization to. |
| **5. Liquidity Ratio (e.g., Current Ratio or Quick Ratio)** | FINMA Circular 2025/3 "Liquidity – Insurers" outlines requirements for liquidity management, planning, and reserves. FINMA expects robust and forward-looking liquidity risk management and conducts industry-wide liquidity stress tests. Market volatility can affect liquidity flows. | Measures an organization's ability to meet short-term financial obligations. Low levels of cash reserves or high dependency on short-term funding indicate liquidity risk. |
| **6. Number of Regulatory Non-Compliance Incidents / Audit Findings** | FINMA enforces supervisory law, conducts proceedings, issues rulings, implements sanctions. Regulatory frameworks play a vital role in safeguarding the financial system, and regular audits and security assessments are essential to verify compliance. FINMA's Circular on rules of conduct under the Financial Services Act creates transparency and legal certainty. | Monitors instances of non-compliance with specific regulations or industry standards. Measures the results of internal or external audits. Non-compliance can result in hefty fines, legal sanctions, and damage to reputation. |
| **7. Employee Turnover Rate** | FINMA Circular 2023/1 "Operational risks and resilience – banks" covers overarching management of operational risks. High turnover can impact operational stability and institutional knowledge, which falls under general operational risk management and resilience. | Tracks the rate at which employees leave the organization. High employee turnover can signal operational instability, loss of institutional knowledge, and increased risk of human error or security vulnerabilities. Categorized as a people risk indicator. |
| **8. Loan Delinquency Rate / Non-Performing Loans (for lending institutions)** | FINMA's prudential supervision ensures the resilience of institutions. While primarily a credit risk, its impact on a financial institution's stability and ability to operate effectively falls under FINMA's broader supervisory mandate for resilience. | Strong indicators of increased credit risks. Elevated rates of loan defaults or diminished credit quality are possible KRIs. |
| **9. Number of Detected Malware / Botnet Infections** | FINMA intensified its supervisory work on cyber risks in 2024, when the number of reported cyberattacks increased by 30%. FINMA Circular 2023/1 "Operational risks and resilience – banks". FINMA Guidance 03/2024 sets out findings from supervisory work relating to cyber risks. | Indicates the presence of active cyber threats by measuring the number of machines affected by malware or botnets. Attempted cybersecurity breaches are operational risk KRIs. |
| **10. Volume/Value of Detected Fraudulent Transactions** | The AMLA and its ordinances govern combating money laundering and terrorist financing. Fraud and financial crimes are at the forefront of operational risks, and FINMA's focus on AML compliance is a strategic imperative. | A high incidence of fraud can indicate weaknesses in internal controls. Fraud and financial crimes remain at the forefront of operational risks faced by banks. Real-time fraud detection based on behavioral patterns is a preventive strategy.[5] |