Swiss FINMA Circular 2023/1 Compliance
Swiss FINMA Circular 2023/1 outlines enhanced regulatory requirements for financial institutions to combat money laundering and terrorist financing, focusing on risk-based due diligence, transparency, and reporting obligations.
The Swiss financial sector, renowned for its stability and discretion, operates under a robust regulatory framework designed to safeguard its integrity. A cornerstone of this framework is the Swiss Financial Market Supervisory Authority (FINMA). In December 2022, FINMA published a significant update to its regulatory guidance: FINMA Circular 2023/1 "Operational Risks and Resilience - Banks", which came into force on January 1, 2024, with a two-year transition period for full operational resilience compliance until January 2026.
This circular represents a comprehensive overhaul of its predecessor, Circular 2008/21, and introduces heightened requirements for managing operational risks, particularly those related to information and communication technology (ICT), critical data, and cyber risks, while also emphasizing operational resilience.
Overview of Swiss FINMA Circular 2023/1
FINMA Circular 2023/1 aims to adapt the supervisory practice to technological advancements and global regulatory developments, including principles from the Basel Committee on Banking Supervision. It is designed to be principle-based and technology-neutral, allowing for proportionality based on an institution's size, complexity, structure, and risk profile.
The circular focuses on several key areas:
- Operational Risk Management: Refining the identification, assessment, mitigation, and monitoring of operational risks across all business activities.
- ICT Governance: Establishing clear responsibilities and robust governance frameworks for information and communication technology.
- Cyber Risks: Strengthening measures to identify, protect against, detect, respond to, and recover from cyber threats.
- Critical Data Management: Expanding the definition and protection requirements for critical data, encompassing confidentiality, integrity, and availability.
- Operational Resilience: Introducing the concept of "operational resilience," requiring institutions to identify critical functions, define disruption tolerances, and ensure the ability to deliver minimum business services even in severe but plausible scenarios.
- Outsourcing: Reinforcing requirements for managing risks associated with outsourcing significant functions to third-party service providers.
Key Aspects of Swiss FINMA Circular 2023/1 Compliance
Compliance with FINMA Circular 2023/1 demands a multifaceted approach, addressing several technical and organizational aspects:
- Identification and Classification of Critical Functions and Data: Institutions must thoroughly identify their critical business functions and the underlying ICT assets and data that support them. This includes classifying data based on its criticality (confidentiality, integrity, availability) and maintaining a comprehensive, up-to-date inventory.
- Defining Disruption Tolerances: For each critical function, institutions must define "tolerances for disruption," specifying the maximum acceptable outage duration and data loss. These tolerances need board approval and regular review.
- Robust ICT Governance: This includes establishing clear roles and responsibilities for ICT, implementing sound change management processes, maintaining inventories of ICT assets, and developing comprehensive business continuity and disaster recovery plans.
- Enhanced Cyber Risk Management: Implementing a robust cyber defense strategy covering threat identification, protection measures (e.g., strong authentication, DLP, encryption), real-time detection (e.g., SIEM integration), incident response, and continuous monitoring.
- Secure Data Handling Across Lifecycle: Ensuring the security of critical data throughout its entire lifecycle, from creation and acquisition to processing, storage, sharing, retention, and purging. This includes strict access controls, continuous monitoring, and secure management of critical data in test environments.
- Third-Party Risk Management: Exercising heightened due diligence, ongoing monitoring, and contractual controls over outsourced functions and external service providers, especially regarding data protection and cross-border operations.
- Incident Management and Reporting: Establishing clear procedures for detecting, evaluating, and reporting security incidents, especially cyberattacks and data breaches, to FINMA within specified timelines (e.g., 24 hours for significant cyber incidents, 72 hours for detailed reports).
- Regular Assessments and Testing: Conducting regular risk and control assessments, including scenario analyses and stress testing, to evaluate the effectiveness of implemented measures and the institution's operational resilience.
- Board Oversight: The board of directors has a significantly expanded role, requiring them to approve critical functions, disruption tolerances, and the overall approach to operational resilience, and to regularly monitor compliance.
Why Is Swiss FINMA Circular 2023/1 Compliance Important?
Compliance with FINMA Circular 2023/1 is paramount for Swiss financial institutions for several critical reasons:
- Maintaining Financial Stability: The circular directly addresses operational risks that could disrupt an institution's stability and potentially spill over to the broader financial system. By enhancing resilience, it contributes to overall financial stability.
- Protecting Customer Data: With an increased focus on critical data management, the circular aims to safeguard sensitive customer information from breaches, loss, and unauthorized access, thus maintaining trust and reputation.
- Mitigating Reputational and Financial Risks: Non-compliance can lead to severe reputational damage, significant financial penalties, and even the loss of operating licenses.
- Adapting to Evolving Threats: The financial landscape is constantly exposed to new and sophisticated cyber threats. The circular ensures that institutions have up-to-date defenses and response capabilities.
- Meeting International Standards: By aligning with international principles on operational resilience, FINMA Circular 2023/1 ensures Swiss financial institutions remain competitive and compliant with global best practices.
- Ensuring Business Continuity: The emphasis on operational resilience ensures that institutions can continue to deliver essential services even in the face of major disruptions, minimizing the impact on customers and the market.
Who Needs to Comply with Swiss FINMA Circular 2023/1?
FINMA Circular 2023/1 primarily applies to banks, securities dealers, financial groups, and conglomerates supervised by FINMA. While the core requirements apply to all, the circular explicitly incorporates the principle of proportionality, meaning that smaller or less complex institutions may benefit from certain alleviations, while larger, systemically important institutions face more stringent requirements.
The board of directors and executive management bear significant responsibility for ensuring compliance and establishing robust governance frameworks.
Swiss FINMA Circular 2023/1 vs. GDPR Comparison
While both FINMA Circular 2023/1 and the General Data Protection Regulation (GDPR) aim to protect data, they operate with different scopes and focuses:
| Feature | Swiss FINMA Circular 2023/1 | GDPR (General Data Protection Regulation) |
|---|---|---|
| Scope | Operational risks, resilience, and data management for FINMA-supervised financial institutions. Focus on critical data (confidentiality, integrity, availability). | Protection of personal data for individuals within the EU/EEA. Focus on personal data and individual rights. |
| Primary Goal | Ensure the operational stability and resilience of financial institutions, including the security and availability of critical data. | Safeguard the privacy and fundamental rights of individuals regarding their personal data. |
| Data Definition | Broader concept of "critical data" includes data crucial for business operations, regulatory reporting, and decision-making, in addition to confidential data. | Strictly defines "personal data" as any information relating to an identified or identifiable natural person. |
| Emphasis | Operational continuity, cyber resilience, and the robustness of IT systems and processes. | Data privacy principles (e.g., lawful processing, data minimization, accuracy), data subject rights (e.g., right to access, erasure), and accountability. |
| Enforcement | FINMA, through supervisory actions, fines, and potential license withdrawal. | Data Protection Authorities (DPAs) in EU member states, with significant administrative fines (up to 4% of global annual revenue or €20 million). |
| Cross-Border | Specific requirements for cross-border operations and data transfers, emphasizing risk assessment and adherence to Swiss confidentiality. | Strict rules for international data transfers, requiring adequacy decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs). |
| Overlap | While FINMA Circular 2023/1 is broader, any critical data that also constitutes personal data will naturally fall under the scope of Switzerland's revised Federal Act on Data Protection (FADP), which aligns more closely with GDPR. Institutions must ensure compliance with both. | Financial institutions processing personal data of EU/EEA residents must comply with GDPR in addition to FINMA Circular 2023/1 and FADP. |
How to Ensure Swiss FINMA Circular 2023/1 Compliance?
Ensuring compliance with FINMA Circular 2023/1 requires a structured and continuous effort:
- Conduct a Comprehensive Gap Analysis: Assess current operational risk management, ICT governance, cyber security, and data management practices against the circular's requirements.
- Define Critical Functions and Data: Meticulously identify all critical business functions and the data elements crucial for their operation. Classify data based on its criticality (Confidentiality, Integrity, Availability).
- Establish Disruption Tolerances: For each critical function, set clear and measurable disruption tolerances, approved by the board of directors.
- Implement Robust ICT Controls: Strengthen IT governance, access controls, change management, incident response plans, and business continuity measures.
- Enhance Cyber Security Posture: Implement a multi-layered cyber defense strategy, including threat intelligence, vulnerability management, security monitoring, and regular penetration testing.
- Strengthen Data Protection Measures: Implement measures to protect critical data throughout its lifecycle, including encryption, data loss prevention (DLP), and robust access management.
- Review and Enhance Outsourcing Frameworks: Ensure third-party service providers meet FINMA's requirements, including robust due diligence, contractual agreements, and ongoing monitoring.
- Develop and Test Resilience Plans: Create and regularly test comprehensive operational resilience plans, including scenarios that involve severe but plausible disruptions.
- Train and Raise Awareness: Educate employees on their roles and responsibilities concerning operational risks, data protection, and cyber security.
- Establish Reporting Mechanisms: Implement clear and timely reporting lines for operational risks, incidents, and compliance status to senior management and the board.
- Apply Proportionality: Tailor the implementation to the institution's size, complexity, and risk profile.
Consequences of Non-Compliance with Swiss FINMA Circular 2023/1
Non-compliance with FINMA Circular 2023/1 can lead to severe consequences for supervised institutions:
- Regulatory Enforcement Actions: FINMA can impose a range of administrative measures, including warnings, reprimands, activity restrictions, and ultimately, withdrawal of the operating license.
- Financial Penalties: While the circular itself doesn't specify direct fines like GDPR, violations can lead to financial penalties, especially if they are linked to breaches of other laws (e.g., data protection laws, banking secrecy).
- Reputational Damage: Breaches of security or operational failures due to non-compliance can severely damage an institution's reputation and client trust.
- Civil Liability: Institutions may face civil claims from affected clients or other parties due to data loss, service disruptions, or other damages caused by operational failures.
- Criminal Liability: In certain cases, particularly involving violations of banking secrecy or unauthorized disclosure of sensitive data (e.g., under Articles 271 or 273 of the Swiss Criminal Code), individuals within the institution could face criminal charges.
- Increased Scrutiny: Non-compliant institutions may face heightened scrutiny from FINMA, leading to more frequent audits and supervisory interventions.
How ImmuniWeb Helps Comply with Swiss FINMA Circular 2023/1
ImmuniWeb, with its AI-powered Application Security and Attack Surface Management platform, can significantly assist Swiss financial institutions in achieving and maintaining compliance with FINMA Circular 2023/1:
- ImmuniWeb conducts deep API penetration testing, uncovering vulnerabilities like insecure endpoints, broken authentication, and data leaks, ensuring compliance with OWASP API Security Top 10.
- Automated AI-driven scans detect misconfigurations, excessive permissions, and weak encryption in REST, SOAP, and GraphQL APIs, providing actionable remediation insights.
- ImmuniWeb provides Application Penetration Testing services with our award-winning ImmuniWeb® On-Demand product.
- The award-winning ImmuniWeb® AI Platform for Application Security Posture Management (ASPM) helps aggressively and continuously discover an organization's entire digital footprint, including hidden, unknown, and forgotten web applications, APIs, and mobile applications.
- ImmuniWeb continuously discovers and monitors exposed IT assets (web apps, APIs, cloud services), reducing blind spots and preventing breaches via real-time risk scoring.
- ImmuniWeb provides Automated Penetration Testing services with our award-winning ImmuniWeb® Continuous product.
- Simulates advanced attacks on AWS, Azure, and GCP environments to identify misconfigurations, insecure IAM roles, and exposed storage, aligning with CIS benchmarks.
- Automates detection of cloud misconfigurations, compliance gaps (e.g., PCI DSS, HIPAA), and shadow IT, offering remediation guidance for a resilient cloud infrastructure.
- Combines AI-powered attack simulations with human expertise to test defenses 24/7, mimicking real-world adversaries without disrupting operations.
- Runs automated attack scenarios to validate security controls, exposing weaknesses in networks, apps, and endpoints before attackers exploit them.
- Provides ongoing, AI-augmented pentesting to identify new vulnerabilities post-deployment, ensuring proactive risk mitigation beyond one-time audits.
- Prioritizes and remediates risks in real time by correlating threat intelligence with asset vulnerabilities, minimizing exploit windows.
- Monitors dark web, paste sites, and hacker forums for stolen credentials, leaked data, and targeted threats, enabling preemptive action.
- The award-winning ImmuniWeb® AI Platform for Data Security Posture Management helps continuously discover and monitor an organization's internet-facing digital assets, including web applications, APIs, cloud storage, and network services.
- Scans underground markets for compromised employee/customer data, intellectual property, and fraud schemes, alerting organizations to breaches.
- Tests iOS/Android apps for insecure data storage, reverse engineering risks, and API flaws, following OWASP Mobile Top 10 guidelines.
- Automates static (SAST) and dynamic (DAST) analysis of mobile apps to detect vulnerabilities like hardcoded secrets or weak TLS configurations.
- Identifies misconfigured firewalls, open ports, and weak protocols across on-premises and hybrid networks, hardening defenses.
- Delivers scalable, subscription-based pentesting with detailed reporting and remediation tracking for agile security workflows.
- Detects and expedites takedowns of phishing sites impersonating your brand, minimizing reputational damage and fraud losses.
- Assesses vendors' security posture (e.g., exposed APIs, outdated software) to prevent supply chain attacks and ensure compliance.
- Simulates advanced persistent threats (APTs) tailored to your industry, testing detection/response capabilities against realistic attack chains.
- Manual and automated tests uncover SQLi, XSS, and business logic flaws in web apps, aligned with OWASP Top 10 and regulatory standards.
- Performs continuous DAST scans to detect vulnerabilities in real time, integrating with CI/CD pipelines for DevSecOps efficiency.
By leveraging ImmuniWeb's comprehensive solutions, Swiss financial institutions can strengthen their operational resilience, enhance their cyber security posture, and demonstrate robust compliance with the technical and organizational demands of FINMA Circular 2023/1, ultimately safeguarding their operations and protecting their clients.