FINMA Circular 23/1: What are the Changes on Management and Protection of Critical Data and What You Need to Do?


In December 2022, the Swiss Financial Market Supervisory Authority (FINMA) released an updated circular on operational risk and resilience, defining a new category of regulatory obligations for in-scope institutions (banks, securities dealers, and financial groups as defined by FINMA). The regulation comes into effect on 1 January 2024, providing institutions with a two-year transition period (till the start of 2026) to demonstrate full compliance - a proactive and time-boxed approach is needed to have everything in place.

In this article, we explore FINMA's latest operational resilience circular, with a focus on data risk management (refer to chapter IV, letter D of the Circular)[1] , delve into how institutions can achieve compliance, and introduce a pragmatic approach to addressing these challenges.

FINMA Circular 23/1 in a nutshell

The new FINMA Circular 2023/1 titled Operational Risks and Resilience - Institutions introduces considerable requirements for financial institutions, focusing on critical data and ICT risk management, business continuity, and cyber risks.

The Circular also introduces new principles for operational resilience, emphasising two key aspects:

  • Firstly, it advocates a strategic approach that prioritises critical business functions based on their strategic importance.
  • Secondly, it promotes a proactive stance that involves targeted preventive measures, operational structure organisation, continuous learning, and enhancements to ensure the utmost resilience of these critical functions, aligning with the concept of "resilience by design”.

Institutions are required to define their critical functions and assess their tolerance for disruption. Moreover, institutions must supervise these critical functions through the operational risk framework, with controls and responsibilities integrated into the existing lines of defence. Operational controls are assigned to the first line of defence, enabling them to manage daily activities and associated risks. The second line of defence oversees the implementation, ensuring they are well-designed, fit-for purpose, and effectively executed to manage operational risks. The audit function serves as a third line to independently supervise and review the operational risk control activities.

In addition, FINMA's regulation emphasises the handling of critical data elements (CDE) to support critical functions. This expanded focus on data reflects the growing importance of data protection in an increasingly data-driven environment.

While the circular’s requirements are the same for all, each institution should implement the framework and controls according to its business model, size, complexity, structure, and risk profile.

What's new in FINMA's Circular 23/1 on the management and protection of critical data?

Compared to previous directives, the updated FINMA regulation expands the definition of critical data. It now includes not only confidential data but also the data required for operating critical business functions, which we call ‘vital data’. This data differs from one bank to another, depending on their business model, role in the financial system, and risk appetite (tolerance for disruption).

Identifying and protecting critical data is a fundamental part of achieving operational resilience. Critical data must be identified across the entire IT landscape and throughout its lifecycle, ensuring that no potential weaknesses remain. Once identified, critical data should be documented comprehensively in a regularly reviewed and updated inventory, enabling institutions to track their most valuable data assets.

The protection of critical data is expanded beyond its confidentiality; it must also maintain its integrity and availability within the established tolerances for disruption. This three-fold approach ensures that institutions can continue to function, even in the face of disruptions, thereby safeguarding the interests of their customers and preventing adverse effects on other players in the financial system.

To achieve these goals, institutions must establish a robust data governance framework, including a data strategy and an effective organisation with defined roles and responsibilities for data stewardship. Monitoring and control mechanisms must extend across the first and second lines of defence, ensuring that critical data remains secure and resilient at all times.

Critical Data Figure
Figure 1. Four key updates in risk management of critical data

Unlock the full insights

What changes are in store for critical data management and protection? How can you effectively steer your institution toward compliance? The answers await in the full article.

Contact us to see how we can support you

At Synpulse, we leverage the full potential of our technological and data expertise through our technology powerhouse, Synpulse8. Coupled with our strengths in business, risk, and regulatory domains, we drive comprehensive productivity across all sectors.

Benefiting from our Swiss heritage, we stand ready to provide unparalleled support in navigating evolving landscapes, particularly concerning the Swiss regulator authority, FINMA. Our deep-rooted understanding of Swiss regulations ensures that you are well-prepared for the challenges ahead. Get in touch with us today to discover how Synpulse can empower your journey towards success.


Our experts in this topic