
FINMA publishes a risk monitor every year. It serves as an overview of the highest risks for the supervised institutions. It also presents developments that could have a lasting impact on the Swiss financial market. Below is a brief overview of the risks in the areas of cyber attacks, outsourcing and money laundering.

FINMA is mandated by law to protect creditors, investors, insured persons and the proper functioning of the financial markets. FINMA’s main function is to supervise the financial sector and consequently to assess the risk of supervised institutions.

The core risks of last year remain unchanged:

  • Interest rate risks
  • Credit risks for mortgages
  • Credit risks for other loans
  • Risks of higher yield spreads
  • Risks of cyber attacks
  • Risks in the fight against money laundering
  • Risks due to more difficult cross-border market access

This year, however, liquidity and refinancing risks and outsourcing risks are also listed separately:

Cyber risks

The risk of an institution being breached by a cyber attack remains one of the greatest operational risks and requires that the current threat situation be kept under constant review and that the institution’s own infrastructure be monitored and tested for vulnerabilities.

Distributed denial-of-service attacks (DDoS attacks) are frequently carried out on the federal administration, authorities or financial institutions, where the system is overloaded by a high number of requests. Over the last twelve months, these DDoS attacks have accounted for a total of 20% of the cyber reports received by FINMA. This type of cyberattack is therefore the third most common type of attack. Unauthorised access is the most common type, accounting for 43% of the reports received by FINMA. This is followed by malware as the second most common type of attack.

The trend shows that, in addition to asset managers and insurance companies, small institutions are also increasingly threatened by cyberattacks. Such cyberattacks not only target customer data; they can also affect other company data, such as business secrets, employee data and investment strategies. The most common attack vector for such attacks is the exploitation of software vulnerabilities, followed by web-based attacks. The third most common attack vector is via an external service provider (outsourcing).

Outsourcing

Outsourcing means that financial institutions are increasingly dependent on external service providers. Despite the many advantages that outsourcing brings, it also harbours significant risks. As the number and scope of outsourcing arrangements increase, so does the complexity of the supply chain. The fact that one in three cyberattacks on financial institutions is carried out via a third party (outsourcing) emphasises the high risks involved.

As responsibility for the proper conduct of business cannot be delegated, monitoring also extends to third-party providers and the associated risks.

According to FINMA, there is a particular need to catch up when it comes to identifying the entire supply chain and the associated risks. Furthermore, the risks associated with significant outsourcing are often not adequately identified, monitored and managed. As a result, institutions must build up the necessary expertise to monitor third-party providers and initiate measures if necessary.

Money laundering and sanctions

As the Swiss financial centre manages the assets of private clients across borders, it is exposed to significant money laundering risks, which can have legal consequences.

A high risk of money laundering can arise from complex structures of business relationships because the economic purpose can no longer be recognised transparently and the origin of funds can be concealed as a result. New customers who carry out financial transactions from emerging countries with a high risk of corruption and embezzlement are also exposed to risk.

In addition to conventional money laundering risks, there are now increasing risks in the crypto sector. The risk of money laundering and terrorist financing is accentuated by the anonymity and speed of transactions in the crypto sector. In addition, cryptocurrencies are often used as a means of payment for illegal trading or cyberattacks.

Reports received by the Money Laundering Reporting Office Switzerland (MROS) show an increase of 28 per cent within a year. The increase in MROS reports over the last few years may indicate a change in culture and better control systems. On the other hand, it may also indicate that high risks continue to exist.

To combat this, a financial institution must adapt its compliance measures and ensure that risks are limited by means of control mechanisms. The supervised financial institutions must therefore adequately identify, limit and monitor all risks, including legal and reputational risks, and set up an effective internal control system. This in turn requires careful risk management.

Longer-term trends and risks

FINMA also identifies trends such as artificial intelligence (AI) as part of its risk monitoring. The importance of AI in the financial market is steadily increasing and, in addition to bringing various changes, will also entail risks.

FINMA sees particular challenges in the use of AI, for example in the areas of governance and accountability. Even if decisions are increasingly based on the results of AI applications, responsibility for decisions cannot be delegated to AI. Clear responsibilities and risk management processes must therefore be defined. This also includes critically scrutinising the results of AI and checking their reliability. In addition, those involved must have sufficient expertise in AI.

According to FINMA, a further risk associated with the use of AI lies in the transparency and explainability of such AI decisions. Due to the large number of parameters and complex models, the influence of individual parameters on the result can often no longer be understood in AI applications. Without a corresponding understanding of how the results are achieved, there is therefore a risk that decisions can no longer be understood or verified. However, the explainability of the results and the transparency of their use must be ensured depending on the recipient, relevance and process integration.
