In this article, we explore FINMA's latest operational resilience circular, with a focus on data risk management (refer to chapter IV, letter D of the Circular), delve into how institutions can achieve compliance, and introduce a pragmatic approach to addressing these challenges.
In December 2022, the Swiss Financial Market Supervisory Authority (FINMA) released an updated circular on operational risk and resilience, marking a significant shift in the regulatory landscape for banks. The regulation comes into effect on 1 January 2024, providing banks with a two-year transition period to align with the new requirements. Banks must demonstrate full compliance with the regulation by 2026, which means they need to be proactive in their approach to achieving operational resilience.
The new FINMA Circular 2023/1 titled Operational Risks and Resilience - Institutions introduces considerable requirements for financial institutions, focusing on critical data and ICT risk management, business continuity, and cyber risks.
The Circular also introduces new principles for operational resilience, emphasising two key aspects. Firstly, it advocates a strategic approach that prioritises critical business functions based on their strategic importance. Secondly, it promotes a proactive stance that involves targeted preventive measures, operational structure organisation, continuous learning, and enhancements to ensure the utmost resilience of these critical functions, aligning with the concept of "resilience by design".
Institutions are required to define their critical functions and assess their tolerance for disruption. Moreover, institutions must supervise these critical functions through the operational risk framework, with controls and responsibilities integrated into the existing lines of defence. Operational controls are assigned to the first line of defence, enabling it to manage daily activities and associated risks. The second line of defence oversees the implementation of these controls, ensuring they are well-designed, fit for purpose, and effectively executed to manage operational risks. The audit function serves as a third line, independently supervising and reviewing the operational risk control activities.
In addition, FINMA's regulation emphasises the handling of critical data elements (CDE) to support critical functions. This expanded focus on data reflects the growing importance of data protection in an increasingly data-driven environment.
While the circular’s requirements are the same for all, each institution should implement the framework and controls according to its business model, size, complexity, structure, and risk profile.
Compared to previous directives, the updated FINMA regulation expands the definition of critical data. It now includes not only confidential data but also the data required for operating critical business functions, which we call ‘vital data’. This data differs from one bank to another, depending on their business model, role in the financial system, and risk appetite (tolerance for disruption).
Identifying and protecting critical data is a fundamental part of achieving operational resilience. Critical data must be identified across the entire IT landscape and throughout its lifecycle, ensuring that no potential weaknesses remain. Once identified, critical data should be documented comprehensively in a regularly reviewed and updated inventory, enabling institutions to track their most valuable data assets.
The protection of critical data is expanded beyond its confidentiality; it must also maintain its integrity and availability within the established tolerances for disruption. This three-fold approach ensures that institutions can continue to function, even in the face of disruptions, thereby safeguarding the interests of their customers and preventing adverse effects on other players in the financial system.
To achieve these goals, institutions must establish a robust data governance framework, including a data strategy and an effective organisation with defined roles and responsibilities for data stewardship. Monitoring and control mechanisms must extend across the first and second lines of defence, ensuring that critical data remains secure and resilient at all times.
At Synpulse, we leverage the full potential of our technological and data expertise through our technology powerhouse, Synpulse8. Coupled with our strengths in business, risk, and regulatory domains, we drive comprehensive productivity across all sectors.
Benefiting from our Swiss heritage, we stand ready to provide unparalleled support in navigating evolving landscapes, particularly concerning the Swiss regulatory authority, FINMA. Our deep-rooted understanding of Swiss regulations ensures that you are well-prepared for the challenges ahead. Get in touch with us today to discover how Synpulse can empower your journey towards success.
FINMA Circ. 23/1 "Operational risks and resilience – banks" (7 December 2022)