22 December 2025 | 5 min

GRC Regulation 2026: New Laws and Key Dates in the DACH Region

The turn of the year traditionally marks the starting point for new regulatory requirements in the field of Governance, Risk, and Compliance. While 2025 was heavily characterized by the final implementation of major EU frameworks such as DORA and NIS 2, the year 2026 is defined by expansion and technological deepening. For companies in the DACH region (Germany, Austria, Switzerland), January 1, 2026, specifically means: Grace periods are over, new reporting standards in the crypto sector take effect, and sustainability reporting reaches the next escalation level regarding the breadth of affected companies.

  • In Switzerland, the automatic exchange of information on crypto-assets (CARF) enters into force on January 1, 2026.
  • The CSRD reporting obligation expands to large, non-capital-market-oriented companies starting with the 2026 financial year.
  • For DORA and NIS 2, the implementation phase ends; from 2026 onwards, supervisory authorities will focus on auditing and sanctioning.
  • The EU AI Act approaches decisive deadlines, making 2026 the central year for AI governance implementation.

Switzerland: Transparency Push via CARF and Expanded AEOI

A central focus at the start of 2026 lies on Switzerland. On January 1, 2026, the Federal Council enacts the Crypto-Asset Reporting Framework (CARF) as well as amendments to the Common Reporting Standard (AIA/AEOI). This is a decisive step for tax transparency in the realm of digital assets.

The CARF framework obliges Swiss crypto service providers to record their clients' transaction data and information on the crypto-assets they hold. This data must be reported to the Federal Tax Administration (FTA), which in turn exchanges it with partner states. The goal is to close tax loopholes that existed because crypto-assets were not recorded under the classic AEOI. For GRC managers at Swiss financial institutions and crypto service providers, this means that due diligence processes and KYC (Know Your Customer) procedures must be fully adapted to the new asset classes and reporting standards by the January 2026 deadline.

In parallel, amendments to the AEOI Act come into force, implementing recommendations of the Global Forum on Transparency and Exchange of Information for Tax Purposes. This affects, among other things, more precise due diligence obligations for Non-Reporting Financial Institutions.

CSRD: The Second Wave Rolls In

At the European level, January 1, 2026, is a crucial date for the Corporate Sustainability Reporting Directive (CSRD). While previously primarily capital-market-oriented companies were subject to reporting obligations, the obligation for large limited liability companies that are not capital-market-oriented begins with the 2026 financial year.

Companies fall under this second wave if they exceed at least two of the three following criteria: more than 250 employees, more than 50 million euros in net turnover, or more than 25 million euros in balance sheet total (taking into account inflation-related threshold adjustments). For compliance departments in these companies, the start of the 2026 financial year means that data collection for the report to be published in 2027 must now be operational. The time for preparation is over; from now on, ESG data must be recorded in an audit-proof manner. This requires functioning Internal Control Systems (ICS) for sustainability information.

DORA and NIS 2: From Project Mode to Regular Operations

Both the Digital Operational Resilience Act (DORA) and the NIS 2 Directive formally entered into force before 2026. Nevertheless, January 2026 marks a watershed moment. The phase of “Day 1 Compliance,” which was often still characterized by transitional solutions, is over.

From 2026 onwards, it is expected that national supervisory authorities – such as BaFin in Germany or FMA in Austria – will intensify their auditing activities. For DORA, this means that ICT third-party risk management must not only exist on paper, but contractual adjustments with IT service providers must be concluded. Registers of information relationships must be current and complete. GRC experts should use the year 2026 to test the processes implemented in the previous year for their operational effectiveness (e.g., through TLPT – Threat Led Penetration Testing), as real sanctions now loom.

Outlook: Supply Chain Acts and CSDDD

In Germany, the Supply Chain Due Diligence Act (LkSG) remains relevant, but the focus is increasingly shifting towards harmonization with the European Corporate Sustainability Due Diligence Directive (CSDDD). Although the national implementation laws of the CSDDD will only fully enter into force later, companies must strategically align their risk analyses with the more far-reaching requirements of the EU Directive from 2026 onwards to avoid double work. In particular, the climate transition plans, which are part of the CSDDD, require a lead time that should begin in January 2026.

FAQ

Who does the new CARF law in Switzerland affect starting January 2026?

It primarily affects Crypto-Asset Service Providers (CASPs/VASPs) resident in Switzerland. They must record client data and transactions and report them to the tax authorities.

Does my company have to create a CSRD report starting in 2026?

If your company is not capital-market-oriented but meets two of the three criteria (Balance sheet > 25m EUR, Turnover > 50m EUR, > 250 employees), the duty to collect data begins for the financial year 2026. The report itself will then appear in 2027.

What changes in 2026 regarding DORA?

From a regulatory standpoint, nothing new is introduced, but the grace period is over. From 2026, the first in-depth audits by supervisory authorities are expected to take place, and processes must be “lived and tested.”

What role does the EU AI Act play in January 2026?

The AI Act is already in force, but many obligations for high-risk AI systems only become strictly effective in mid-2026. January 2026 is therefore the starting signal for the final implementation phase of these requirements.

Related posts

11 December 2025 | 6 min

Holiday gifts for business partners in the DACH region

During the Christmas season, many companies take the opportunity to thank their business partners with small gifts. These gestures strengthen relationships, show appreciation and are often part of a company’s culture. At the same time, tax rules, compliance requirements and internal guidelines must be respected – and these differ between Germany, Austria and Switzerland.

This article provides a current and balanced overview of the legal and practical framework for holiday gifts in all three DACH countries. It explains what companies should consider in order to give appropriately, avoid risks and maintain trust.

  • In all three countries, the same core principles apply: gifts must be business related, appropriate and transparent.
  • Germany has a tax threshold of 50 euros per recipient and calendar year for business gifts.
  • Austria and Switzerland do not use a single statutory value limit, but focus on appropriateness, business purpose and documentation.
  • Clear internal guidelines and consistent documentation are recommended throughout the DACH region.
  • Gifts to people in the public sector or highly regulated industries require particular caution.

Why clear rules are important in all three countries

Regardless of whether a company is based in Austria, Switzerland or Germany, gifts must never give the impression that they are intended to influence business decisions improperly. Compliance standards, anti-corruption rules and tax legislation are designed to ensure clean business relationships.

Companies should therefore apply clear and comprehensible principles in every country in which they operate. This prevents misunderstandings, reduces legal and tax risks and creates a uniform standard for all employees.

Current regulations at a glance

Germany

Germany is the only DACH country with a clearly defined tax limit for gifts to business partners. Business gifts are tax deductible up to 50 euros per recipient and calendar year if they are business related and properly documented.

For gifts that exceed this amount, the tax deduction may be denied unless the gift is clearly and exclusively usable for business purposes.

Austria

Austria does not work with a uniform fixed value limit. Instead, the following aspects are crucial:

  • the gift must serve a clear business purpose
  • the value must be reasonable in relation to the relationship and the occasion
  • the gift must be documented in a comprehensible way

As in the other DACH countries, gifts must not be used to gain improper advantages. Particular care is required in the public sector and in strongly regulated industries.

Switzerland

Switzerland also has no statutory standard limit for gifts to business partners. The focus is on:

  • usual appropriateness according to Swiss business practice
  • transparency and traceability
  • compliance with internal rules and industry-specific regulations

Swiss business culture tends to favour modest, high-quality but unobtrusive gifts rather than expensive luxury items.

Common basic principles for the entire DACH region

Despite the legal differences, companies in Germany, Austria and Switzerland can follow a common set of basic rules.

Appropriateness

The gift should match the business relationship, the role of the recipient and the occasion. Very expensive or flashy gifts can quickly appear inappropriate.

Business purpose

Holiday gifts should always serve a legitimate business purpose, such as maintaining a good relationship or thanking partners for successful cooperation. They must not be used to steer decisions or promises of business.

Documentation

For every gift, companies should record at least the following:

  • name of the recipient and company
  • occasion
  • date
  • value
  • business purpose

This documentation helps during tax audits and internal or external compliance checks.

Caution with public sector recipients

For employees of authorities, public hospitals, universities, municipalities and similar organisations, stricter requirements usually apply in all three countries. Often only very small tokens are permitted, and in some cases gifts are completely prohibited. When in doubt, it is better to ask in advance or avoid gifts altogether.

Recommendations for companies in the DACH region

  1. Create a clear, written gifting policy that applies in all locations.
  2. Define maximum values for gifts per person and per year.
  3. Ensure consistent documentation of all gifts to business partners.
  4. Pay special attention to sensitive sectors such as the public sector, healthcare or regulated industries.
  5. Plan gifts early and avoid borderline cases in terms of value or type of gift.
  6. Consider alternatives such as charitable donations in the name of a business partner instead of material gifts.

Why restraint is often the best strategy

No matter in which of the three countries a company operates, gifts that are too expensive or too personal can send the wrong signal. They may be perceived as an attempt to influence decisions and can trigger tax or compliance issues.

Modest, tasteful gifts or a personal handwritten card are often more effective and credible than high-value items. What counts in the long term is trust and partnership – not the material value of a present.

FAQ – Frequently asked questions in the DACH region

Is there a single value limit that applies to the whole DACH region?

No. Germany has a defined tax threshold of 50 euros per recipient and calendar year for business gifts. Austria and Switzerland use the principles of appropriateness, business purpose and documentation instead of fixed legal limits.

May I give expensive gifts in Austria or Switzerland if they seem appropriate?

In principle this is possible, but it is usually not advisable. High-value gifts increase the risk of compliance concerns, negative perceptions and disputes during audits. In practice, modest gifts are safer and more in line with expectations.

How should a business gift be documented correctly?

For each gift you should record who received it, for which company the person works, the date, the occasion, the value and the business reason. This information should be stored centrally, for example in a simple gifts register.

Are gifts to employees treated in the same way as gifts to business partners?

No. Gifts to employees are subject to different tax and payroll regulations in all three countries. Companies should therefore treat gifts to staff separately from gifts to external business partners and observe the respective rules.

How should I handle gifts to governmental bodies or public organisations?

With particular caution. In all DACH countries there are strict rules for the public sector, and many organisations either prohibit gifts completely or limit them to very small amounts. If you are unsure, ask for written guidance or refrain from giving a gift.

28 November 2025 | 4 min

FINMA Risk Monitor 2025: The Key Risks for Swiss Financial Institutions

FINMA has released its Risk Monitor 2025, offering a comprehensive overview of the most critical risks facing the Swiss financial sector over the next three years. Banks, insurers, asset managers and other financial institutions must contend with a mix of traditional financial risks and newly emerging challenges linked to digitalisation, geopolitics and increasingly complex value chains.

The report makes one thing clear: institutions need stronger governance, more effective risk oversight and a more mature compliance culture to remain resilient in a rapidly evolving landscape.

  • The FINMA Risk Monitor 2025 outlines nine major risks that will be crucial for the Swiss financial industry in the coming years.
  • Particularly important are real estate and mortgage risks, credit and market risks, cyber and ICT risks, money laundering threats and outsourcing dependencies.
  • Many risks remain at elevated levels or are increasing.
  • FINMA formulates concrete supervisory expectations, especially around risk culture, technical resilience, monitoring, outsourcing controls and crisis preparedness.

Why the Risk Monitor 2025 Matters

The Swiss financial centre is highly international, strongly digitalised and significantly exposed in areas such as mortgage financing. Rising interest rates, geopolitical tensions, technological dependencies and new business models increase the pressure on institutions to identify, assess and manage risks proactively.

The Risk Monitor acts as an early warning system. It highlights where vulnerabilities are emerging, where systemic threats may arise and which areas FINMA will scrutinise more closely. For GRC functions, the report provides a clear roadmap of the areas requiring the highest priority.

The Most Important Risks at a Glance

The Risk Monitor 2025 describes several major risk categories. The most relevant include:

Real Estate and Mortgage Risks

The Swiss property market remains tight, with high prices and persistent demand. At the same time, interest rates and leverage ratios have risen, while household debt levels remain high. FINMA expects institutions to apply strict lending standards, conduct realistic stress tests and closely monitor their exposures.

Credit and Market Risks

Volatile markets, geopolitical uncertainties and higher credit spreads increase pressure on institutions. The report emphasises the need for risk-based credit management, adequate value adjustments and close monitoring of concentrated exposures.

Money Laundering and Sanctions Risks

International business models, cross-border activities and new digital financial products increase exposure to financial crime. Institutions must enhance customer risk assessments, strengthen monitoring systems and ensure consistent reporting. A strong risk culture and adequate compliance resources are essential.

Cyber and ICT Risks

With digitalisation accelerating, cyber and ICT risks continue to rise. Attacks on financial infrastructure, failures of IT providers or vulnerabilities in third-party software can have severe consequences. FINMA expects robust systems, effective incident response plans and stringent ICT governance.

Outsourcing and Third-Party Risks

Many institutions rely heavily on outsourced or cloud-based services. This reduces costs but increases vulnerability. FINMA demands clear governance over outsourcing arrangements, monitoring of service providers and the ability to maintain critical functions even during disruptions.

Liquidity and Funding Risks

Even though liquidity conditions appear stable, market stress can quickly lead to funding pressure. Institutions should monitor risk indicators, run scenario analyses and ensure they remain capable of acting in adverse conditions.

What GRC Teams Should Do Now

The Risk Monitor’s message is clear: strong governance, rigorous risk management and consistent compliance are essential for financial stability. Institutions should:

  • update their enterprise-wide risk assessments based on the FINMA risk categories
  • strengthen risk culture through clear responsibilities and open communication
  • conduct regular scenario analyses and stress tests
  • improve cyber and ICT resilience, including incident and recovery planning
  • map and monitor all outsourcing arrangements and third-party dependencies
  • enhance AML/KYC processes and reassess monitoring systems
  • define transparent reporting and escalation channels
  • modernise technological infrastructure to detect risks earlier

Conclusion

The FINMA Risk Monitor 2025 shows that the Swiss financial sector faces a demanding and highly dynamic risk environment. Many risks remain elevated and require active, forward-looking management. For GRC leaders, this means strengthening governance structures, improving risk transparency and promoting a culture in which risk awareness is embedded across the organisation.

Institutions that act early will not only meet regulatory expectations but also build long-term resilience and trust.

FAQ

What is the FINMA Risk Monitor?
An annual report identifying the most important risks to the Swiss financial market and outlining the supervisory expectations associated with them.

Which risks are highlighted in 2025?
Real estate and mortgage risks, credit and market risks, cyber and ICT risks, money laundering risks, outsourcing risks and liquidity risks.

Why are cyber risks so prominent?
Because cyberattacks and ICT failures have increased significantly in frequency and impact, and can cause rapid, widespread disruption.

What does risk culture mean?
A mindset where all employees actively identify, report and manage risks, not only the compliance or risk department.

What should institutions do now?
Reassess risks, strengthen ICT resilience, improve governance and monitoring, ensure transparent reporting and oversee outsourcing arrangements more rigorously.

16 September 2025 | 3 min

Switzerland Plans Cyber Resilience Law: A Key Step in GRC

Switzerland is responding to growing threats in cyberspace. On August 20, 2025, the Federal Council decided to draft legislation on the cyber resilience of digital products. The Federal Office for Cybersecurity (BACS), together with the Federal Office of Communications (BAKOM) and the State Secretariat for Economic Affairs (SECO), has been tasked with preparing a consultation draft by fall 2026. The goal is to establish binding security requirements for products with digital elements and strengthen market surveillance for such products.

  • The Federal Council intends to enshrine cyber resilience of digital products in law
  • BACS, BAKOM, and SECO will draft a consultation template by fall 2026
  • Security obligations for the development and marketing of digital products will be defined, including import and sales bans on unsafe devices
  • Market surveillance will be enhanced to ensure vulnerabilities are identified and addressed quickly
  • Switzerland is aligning itself with EU regulations such as the Cyber Resilience Act and the NIS-2 Directive

Why This Matters

Digital products have become part of every aspect of life – from smart devices to IoT, software, and connected hardware. If vulnerabilities exist in such products, the consequences can be severe for users, businesses, and critical infrastructure. To date, Switzerland has had very few binding regulations on cyber resilience of digital products. With the new initiative, this regulatory gap will finally be closed.

What Will the New Legislation Cover?

The law is expected to include:

  • Security requirements for the development and marketing of digital products
  • Market surveillance rules to prevent unsafe products from being sold or imported
  • Minimum standards for updates, patches, security testing, and disclosure of vulnerabilities
  • Enforcement mechanisms and sanctions for non-compliance

Comparison to EU Initiatives

Initiative | Focus | Scope | Link to Switzerland
Cyber Resilience Act (CRA) | Security requirements for products with digital elements, lifecycle, updates, reporting obligations | Mandatory across the EU from 2027 | Switzerland aims to adopt similar standards
NIS-2 Directive | Protection of critical infrastructure and services against cyberattacks; reporting and preparedness obligations | Applicable in all EU member states | Switzerland aligns its framework with EU norms
EU Cybersecurity Act, CER, DORA | Broader regulations on cybersecurity, resilience, and financial services | EU-wide frameworks | Serve as benchmarks for Switzerland

Benefits and Challenges for Switzerland

Potential Benefits

  • Stronger protection for consumers and businesses
  • Increased trust in digital products and providers
  • Legal certainty for manufacturers and importers
  • Reduced costs from security incidents through preventive measures

Challenges

  • Overly strict requirements may hinder innovation
  • Smaller manufacturers may struggle with compliance costs
  • Effective enforcement and market surveillance require significant resources
  • Harmonization with international supply chains is essential

Conclusion

The planned Swiss cyber resilience law marks an important step toward modern cybersecurity policy. It closes an existing regulatory gap, establishes binding requirements for digital products, and aligns with proven EU initiatives. For companies, now is the time to proactively integrate compliance, governance, and risk processes to avoid costly adjustments later.


FAQ

What is cyber resilience of digital products?
It refers to the ability of hardware and software with digital elements to remain secure, resist attacks, and quickly fix vulnerabilities.

Why is Switzerland introducing this law?
Because there are currently no binding national rules, despite rising risks from insecure digital products.

When will the draft be ready?
A consultation draft is expected by fall 2026.

What requirements are likely to apply?
Security by design, mandatory updates, vulnerability disclosure, and bans on unsafe devices.

How does this compare to EU laws?
Many elements mirror the Cyber Resilience Act and NIS-2 Directive, which also focus on minimum requirements, reporting duties, and market supervision.

What should companies do now?
Review product portfolios, implement security processes, adjust governance structures, and align with EU standards early.

25 March 2025 | 3 min

The Mozambique Affair of Credit Suisse: A Cautionary Tale of Compliance Failure and the Need for Robust GRC

What is the Mozambique Affair?

The so-called Mozambique Affair involving Credit Suisse is one of the most serious financial scandals in recent years. At its core are hidden loans worth billions of dollars, dubious offshore transactions, and extensive allegations of corruption. This scandal vividly demonstrates how inadequate compliance and governance structures can not only bring banks to their knees but also cause devastating economic and political consequences for an entire country.

The Scandal in Detail: Hidden Loans and Opaque Financing

Between 2013 and 2016, Credit Suisse, together with other financial institutions, arranged loans amounting to approximately USD 2 billion for Mozambique. These funds were officially intended for maritime security projects and the development of the tuna fishing industry. However, large portions of the funds were misappropriated or vanished into opaque channels.

The critical issue: The loans were not recorded in Mozambique’s state budget and were therefore kept secret. Key institutions such as the parliament, the International Monetary Fund (IMF), and donor countries were deliberately kept in the dark. When these “hidden debts” became public, confidence in Mozambique’s government collapsed, plunging the country into a severe debt crisis.

Compliance Failures on Multiple Levels

The Mozambique Affair highlights significant weaknesses in Credit Suisse’s compliance structures. Key compliance failures included:

  • Inadequate due diligence: The vetting of loan recipients and verification of loan utilization were insufficient. Politically exposed persons (PEPs) were involved without adequate risk assessments.
  • Poor risk management: Despite obvious red flags, the loans were approved. Internal warning signals were ignored or not systematically pursued.
  • Failure of internal control systems: Mechanisms designed to scrutinize transactions for legality and transparency either failed or were bypassed.
  • Conflicts of interest and lack of independence: Compliance departments lacked sufficient independence from commercial divisions, contributing to a culture of turning a blind eye.

Consequences for Credit Suisse

Credit Suisse faced fines from multiple regulatory bodies and had to settle for millions in penalties. The bank’s reputation suffered significantly. The scandal was a key factor in the erosion of trust in the bank’s leadership and contributed to its eventual acquisition by UBS.

How Effective GRC Can Prevent Such Scandals

Governance, Risk & Compliance (GRC) is not a bureaucratic formality—it is a core component of modern corporate management. An effective GRC framework could have prevented many of the issues exposed by the Mozambique Affair. Key success factors include:

  • Strong governance structures: A clearly defined control environment with transparent responsibilities helps prevent abuse of power and lack of transparency.
  • Risk-based compliance programs: Integrating risk assessments into decision-making ensures that transactions with high reputational or financial risks are identified early.
  • Independent and empowered compliance functions: Compliance teams must operate independently and have direct access to senior management.
  • Transparent reporting and communication channels: Internal and external stakeholders must be informed about critical business activities. Whistleblower systems should be protected and actively encouraged.
  • Ongoing training and awareness programs: Employees must receive regular training on ethics, integrity, and regulatory requirements.

Conclusion: Lessons from the Mozambique Affair

The Mozambique Affair is a stark reminder of the devastating effects of weak compliance and poor governance. It underscores the importance of viewing GRC not as a checkbox exercise but as a strategic success factor. Only with robust structures, transparent processes, and a true culture of integrity can such scandals be prevented in the future.

A functioning GRC framework not only protects against regulatory penalties—it protects the organization from itself.

18 March 2025 | 5 min

The impact of geopolitical risks on Swiss finance

1. Why Geopolitical Risk Is Crucial for Swiss Banks

Geopolitical risks have become a decisive factor in the financial sector over the past few years. Whether it’s the Russia–Ukraine conflict, tensions in East Asia, or potential shifts in U.S. monetary policy, these developments carry significant implications for Swiss banks. Traditionally, Swiss financial institutions enjoy a reputation as a “safe haven,” yet new risk areas—such as sanctions, deglobalization, and technological disruption (e.g., generative AI)—are reshaping even the most stable structures.

The study conducted by zeb and the Swiss Bankers Association (SBA) underscores the need for banking strategies that integrate geopolitical considerations more closely than ever before, in order to maintain long-term stability and competitiveness.


2. Overview of the 34 Identified Geopolitical Risk Factors

The study evaluated 34 geopolitical risk factors, including:

  • International Conflicts: Russia–Ukraine, China–Taiwan, U.S.–China, and Middle Eastern disputes.
  • Deglobalization and a New World Order: Increasing friendshoring and rising trade barriers.
  • Switzerland-Specific Factors: Neutrality debates and intensifying scrutiny around sanctions.
  • Technological Developments: The impact of (generative) AI, digital innovation, and related regulations.
  • Global Economic Shifts: A possible U.S. debt crisis, commodity price volatility, and competition from Asian tax havens.

These factors were analyzed in terms of connectivity (network analysis) and relevance (e.g., central risk factors such as sanctions) for Swiss banking.


3. Key Risk Factors: Sanctions as the Pivotal Element

Among the most prominent risk factors, sanctions stand out. While Switzerland has traditionally upheld a stance of neutrality, international pressure to align with global sanctions regimes is increasing. This development affects:

  • Compliance Requirements: More complex due diligence processes and stricter controls lead to higher costs.
  • Reputational Risks: An inadequate response to sanctions could undermine international client trust.
  • Competitiveness: Being too strict or too lenient with sanctions policies can influence market access and perceptions of Swiss banks.

According to the study, “positioning toward sanctions” is the most central risk factor, demanding urgent attention in strategic planning.


4. Effects on Different Banking Segments

The study distinguishes six core segments in Swiss banking and assesses the potential effects on risk, revenue, and costs:

  1. Large Corporate Banking – International
    • High risk due to international conflicts and sanctions, as large corporate clients may operate in crisis regions.
    • Rising costs from more complex compliance obligations.
    • Revenue could decline if global investment flows shift or contract.
  2. Corporate/SME Banking – National
    • Less exposure abroad, but sanctions can still affect small and medium-sized enterprises (SMEs).
    • The study indicates a moderate impact on revenue and costs, with heightened risk awareness.
  3. National Wealth Management
    • Experts see a potential advantage here, as wealth owners still perceive Switzerland as a “safe haven” during turbulent times.
    • Costs remain manageable, while revenue often benefits from international investors seeking safety.
  4. International Wealth Management
    • Mixed effects: Global tensions can spur capital inflows to Switzerland yet complicate access to key growth markets.
    • Compliance and sanctions issues are particularly pronounced in this segment.
  5. Asset Management
    • Higher risk exposure given global capital flows and volatile markets.
    • Costs for risk management and regulation could rise; revenue may suffer from margin pressure.
  6. Retail Banking
    • Primarily focused on the domestic market.
    • The study projects stable risk levels and steady revenues, though the broader economic context can eventually influence demand.

5. Historical and Predictive Analyses: Resilience but No Guarantee

According to the study, the Swiss banking sector has historically shown strong resilience. Even during times of elevated global uncertainty—measured by the World Uncertainty Index (WUI)—the Return on Equity (RoE) among Swiss banks has remained relatively stable.

Key Note: This resilience stems from Switzerland’s robust economy, the high level of professionalism in its financial sector, and its global reputation. However, future stability is not guaranteed. Emerging factors such as rapid technological innovation (e.g., AI) and geopolitical realignments (a shift from bipolar to multi-polar power structures) will create complex risk scenarios that demand proactive solutions.


6. Opportunities and Challenges for Swiss Banks

Despite numerous risks, the study also highlights positive aspects:

  • “Safe Haven” Advantage: During periods of crisis, Swiss banks benefit from their internationally recognized stability.
  • Growth Through Technology: Generative AI and other digital innovations can streamline processes, reduce costs, and create new business models.
  • Diversification: Global client bases allow Swiss banks to tap multiple markets and buffer against regional fluctuations.

However, challenges include navigating heightened regulatory pressures and actively adapting to shifting geopolitical landscapes.


7. Recommendations for Financial Institutions

To maintain their leading position, Swiss banks should heed the study’s explicit recommendations:

  1. Proactive Sanctions Policy: Collaborate closely with authorities and international bodies to establish clear guidelines and uphold integrity.
  2. Geopolitical Risk Management: Build structured frameworks to continuously monitor geopolitical trends and conduct scenario analyses.
  3. Competitiveness Through Technology: Invest in AI, digitization, and upskilling to secure competitive advantages.
  4. Communication Strategy: Maintain transparent outreach to the public and clients to safeguard trust, even amid contentious political developments.
  5. Strengthen Neutrality: Craft a clear stance on international conflicts without undermining the core values that define the Swiss financial sector.

8. Conclusion: Stability Through Foresight and Adaptability

“The Impact of Geopolitical Risks on Swiss Banking” demonstrates that Swiss banks stand to benefit from global turmoil due to their enduring appeal as a financial safe haven. Nonetheless, they must respond proactively to emerging geopolitical realities. The issue of sanctions proves to be a central pivot that will ultimately shape competitiveness, reputation, and regulatory alignment.

While the overall outlook is positive, sustained success hinges on a firm commitment to evolving alongside the geopolitical risk landscape. Whether through technological innovation, refined regulatory strategies, or robust communication efforts, Swiss banks must continually enhance their resilience to navigate the uncertain terrain ahead.

28 August 2023 | 3 min

Switzerland’s new climate law

On 18 June 2023, the majority of Swiss voters voted in favor of the climate and innovation bill (Federal law on the goals of climate protection, innovation, and the strengthening of energy security (KIG)). It is a remarkable milestone for Switzerland as this requires Switzerland to become carbon neutral by the year 2050.

Effects of Climate Change in Switzerland

Melting glaciers, drought, less snow, deluges, and other associated events have been the major concern for Switzerland with regard to its vulnerability to the climate crisis over the years. A study shows that the average temperature in Switzerland has risen by 2.5 °C over the past 150 years, double the global average. It is believed that this legislation will help Switzerland combat these challenges.

The major focal areas of this legislation are to reduce greenhouse gas emissions and make use of negative emission technologies, to adapt to and safeguard against the effects of climate change, and to direct financial flows towards low-emission and climate-resilient development.

Rhone glacier river retreated in Switzerland from 1850 to 2010 (VAW-ETHZ, 2010)

The Climate Law

With the objective of Switzerland becoming a carbon-neutral country by 2050, this legislation mandates the federal government to ensure that greenhouse gas emissions are reduced by at least 75 percent by 2040 compared to 1990 levels. The federal government, together with the cantonal authorities, is also required to take all necessary steps and to set an example by achieving net-zero emissions by 2040. The legislation also specifies benchmarks for reducing greenhouse gas emissions in individual sectors, namely the building, transport, and industry sectors. The building, transport, and industry sectors must reduce their greenhouse gas emissions by at least 82 percent, 57 percent, and 50 percent respectively by 2040; by 2050, the building and transport sectors must reduce their emissions by 100 percent, and the industry sector by 90 percent.

The Swiss financial sector is also required by this legislation to make an effective contribution to low-emission and climate-resilient development, by taking measures to reduce the climate impact of national and international financial flows and by focusing more on the climate-friendly orientation of those flows.

The explicit mention of the promotion of new technologies and processes in the legislation is timely. It will help businesses understand the importance of adopting different technologies and technological services in order to reach net-zero emissions by 2050.

With a profound understanding of the significance and gravity of the new climate and innovation law, we confidently offer our software equipped with a range of ESG features. We firmly believe that these features will aid businesses to successfully achieve the targets set forth by this ground-breaking legislation.

16 August 2023 | 9 min

Revised Swiss Data Protection Act (revDSG)

The entry into force of the revised Data Protection Act (revDSG) on September 1, 2023, will result in new requirements for Swiss companies and their data protection measures. The updated DPA has been adapted in particular to technical progress and is intended to improve the protection of personal data in the future. The new law strengthens self-determination and increases transparency in the procurement of personal data. The revised law tightens the regulations for companies and forces them to adapt their existing data protection guidelines and concepts. We have summarized the most important changes here.

Changes affecting individuals

Only data from natural persons

The revised DPA only applies to data of natural persons; legal entities are no longer protected by the DPA. Swiss companies and international organizations that process the personal data of Swiss residents and conduct cross-border transactions must apply the revised DPA. In this respect, the scope of application of the revised DPA is the same as that of the GDPR, which also focuses only on the protection of the privacy of natural persons with respect to their personal data.

Data protection officer

Private companies have the option of appointing a data protection officer, who can be either an employee or an external party. Unlike under the European General Data Protection Regulation, private companies are not legally required to appoint a data protection advisor; only federal agencies are required to do so. The data protection officer must provide independent advice on data protection issues and must not be influenced by other company activities. It is recommended that privacy advice be kept separate from other legal advice and representation. Where disagreements arise, the data protection officer should have the opportunity to raise his or her concerns with company management.

Expanded handling of important information

Extension of the duty to inform

The revised DPA also extends the obligation to provide information. Data subjects must now be informed in advance whenever personal data is collected, whereas the old law provided for a duty to inform only when particularly sensitive personal data was collected. At a minimum, the identity and contact details of the controller, the purpose of the processing, and the categories of recipients must be provided. If data is disclosed abroad, this fact must also be communicated, together with the other information the data protection regulation requires.

Particularly sensitive personal data

An important change concerns the list of so-called sensitive data, which in the future will include genetic and biometric data. Genetic data, which can be obtained from biological samples, provide information about a person’s genetic characteristics, such as their health. Examples include DNA analysis and similar tests. Biometric data enable people to be uniquely identified. Examples include facial images or fingerprints.

The term profiling, i.e. the automated evaluation of personal data, was also newly included in the law. If unique characteristics of a person can be identified in a profile, this is high-risk profiling. The express consent of the data subject must always be obtained in advance for this.

New documentation requirements

Directory of data processing activities

As far as documentation requirements are concerned, a comprehensive register of processing activities is now also mandatory, with the exception of small and medium-sized enterprises with fewer than 250 employees. Another exception applies to companies whose data processing poses a low risk of personal data breaches. The register is an inventory of all data processing activities, which contributes to transparency and helps determine whether data processing was lawful. The nature and scope of the personal data processed and their recipients must also be indicated.

Data protection impact assessment

Another important addition is the data protection impact assessment. This becomes relevant as soon as there is a high risk to the personality or fundamental rights of the data subjects. A data protection impact assessment involves an evaluation of the potential damage that could result from a lack of data security. The aim is to provide those processes that are at high risk with additional protective measures to reduce the potential damage.

Exceptions for the data protection impact assessment

Adherence to an audited code of conduct

The new DPA encourages professional, trade, and business associations to formulate their own codes of conduct and submit them to the Federal Data Protection and Information Commissioner (FDPIC) for review. The opinions of the FDPIC on these codes are then published and may include objections or recommendations for amendments or clarifications. Organizations that receive a favorable opinion from the FDPIC may assume that the conduct set forth in their code complies with data protection law. However, codes that are too general do not absolve organizations from any risks that are not described in detail. By adhering to a code of conduct, association members can avoid developing their own assistance and guidelines for compliance with the new DPA. Such self-regulation has the advantage that data controllers do not have to conduct their own data protection impact assessment if they adhere to a code of conduct that is based on a previous data protection impact assessment, remains valid, contains measures to protect privacy and fundamental rights, and has been approved by the FDPIC.

Obtain certifications

The new DPA now permits certification not only of management systems and products but also of services and processes. This certification serves as proof to companies that they comply with the privacy-by-default principle and have an appropriate data protection management system in place. By using a certified system, product, or service, data controllers are exempted from having to prepare a data protection impact assessment. The Federal Council has introduced additional regulations on the certification process and seals of approval with an ordinance known as the Data Protection Certification Ordinance.

Additional rights for data subjects

Right to information

Another important innovation is the right to request information about the personal data processed. The new amendment contains a minimum list of information that the data controller must provide, e.g. how long the personal data is stored. In general, data subjects must receive the information as transparently and comprehensively as possible in order to exercise their rights. As before, the data controller has the right to refuse, restrict or withhold information in certain circumstances. This may be the case, for example, if the request is manifestly unfounded and excessive. However, the reasons for a refusal must then also be communicated.

Right to data portability

Data subjects now have the right to request their personal data from a private controller in a commonly used and machine-readable format, or to have it transferred to a third party. This right applies where the controller processes the data by automated means and the processing is based on the data subject’s consent or is directly related to a contract. Exercising the right is free of charge unless disclosure or transfer requires a disproportionate effort or cost. An example of such effort is communications data, where triage is required to separate the data subject’s statements from those of third parties, which can be time-consuming.

Added communication obligations

Obligation to report data security breaches

In addition, a data breach must now be reported immediately to the Federal Data Protection and Information Commissioner (FDPIC). The notification requirement applies to any data breach and requires not only notification of the Data Protection Commissioner but also of the affected individuals whose data is no longer secure. However, data subjects only have to be notified if their personality or fundamental rights are affected as a result of the breach.

Expansion of preventive protection requirements

Cross-border disclosure of personal data

Of particular relevance to companies operating abroad is another article in the revised FADP, which provides that data may only be disclosed abroad if the Federal Council confirms that the legislation of the foreign state ensures adequate protection. The previous list published by the FDPIC is publicly available on the FDPIC’s website. If the destination country is not on the Federal Council’s list, the data may be transferred there as under previous law, provided that adequate protection is guaranteed by other means. Examples of such means are international treaties, data protection clauses notified to the FDPIC, or binding corporate rules. Standard contractual clauses approved by the European Commission under GDPR are also recognized by the FDPIC.

The DPA goes further than the GDPR by requiring that data subjects be informed about the countries involved in the cross-border transfer of personal data, including storage on foreign systems (cloud), regardless of whether they provide adequate data protection. In addition, the disclosure must indicate which data protection guarantees (e.g., EU standard contractual clauses) or exemptions, if any, the controller makes use of. Here, too, the revDSG goes a step further than the EU General Data Protection Regulation.

Data protection through technology and default settings

In addition, the principles of privacy by design and privacy by default apply, requiring developers to build privacy into the structure of products and services from the outset. The principle of “privacy by design” ensures that the highest level of security is already in place when a product or service is launched. Software, hardware, and services must therefore be configured to protect data and safeguard user privacy.

Introduction of fines

Finally, the revised Data Protection Act provides for the adjustment of fines for natural persons responsible for processing activities. Specifically, this involves fines of up to 250,000 Swiss francs per violation if the duties to provide information and disclosure, as well as certain duties of care, are intentionally violated. The cantonal prosecution authorities are responsible for enforcing the criminal sanctions. Civil actions for removal, injunction, or damages are also possible.

Conclusion

In addition to the adjustments already known as of September 1, 2023, it is foreseeable that the DPA will continue to converge with the General Data Protection Regulation in the future, on the one hand to strengthen the rights of Swiss citizens and on the other to simplify economic exchange with the EU. In order to meet the medium- and long-term requirements, it makes sense to team up with a strong digital data protection partner. Such a partner knows how to implement and digitize the processes required by the new law, but also creates awareness of future regulatory changes and gives you the chance to complete the corresponding projects early and in a legally secure manner.

2 January 2023 | 4 min

Switzerland potential whistleblower legislation

The term ‘Whistleblowing’ refers to the reporting of any wrongdoing and/or misconduct that includes unethical behavior, fraud, corruption, mismanagement, cronyism, abuse, bribery, racism, intimidation, harassment, crime, etc. within organizations. These defects, which are also ubiquitous in our society, can devalue the reputation of an organization if left concealed and untreated. The notion and practice of combating wrongdoing and misconduct have been on the rise in business organizations. The employees are most likely to be the first ones to witness wrongdoing and/or misconduct in the organizations, hence it is very important for the organizations to have a ‘complaint management system’ in place and to make sure that the employees who want to lodge complaints against any wrongdoing and/or misconduct in the organizations have all the necessary support. It will not be wrong to say that it becomes a moral obligation for the employees to report any wrongdoing and/or misconduct in the organization that they have witnessed and/or become aware of.

Trends of Whistleblowing in Business

Whistleblowers are often found to be an invaluable part of the process of detecting crime and complying with relevant legislation. It was found in research conducted by PricewaterhouseCoopers, that “professional auditors only detected 19% of fraudulent activities at private corporations, while whistleblowers detected and exposed 43%.” This study also reveals that ‘whistleblowers saved their shareholders billions of dollars’. A study named ‘Who Blows the Whistle on Corporate Fraud’ by the University of Chicago Booth School of Business, unveils the same kind of outcome which states ‘‘employees clearly have the best access to information. Few, if any, fraud can be committed without the knowledge and often the support of several of them. Some might be accomplices…but most are not.’’

Although modern business organizations tend to have whistleblower policies, these policies may at times prove inadequate in supporting whistleblowers to the point where they would voluntarily lodge complaints against wrongdoing and/or misconduct in the organization. It is therefore very important to have an apt and robust legal framework for whistleblowers in place, one which obliges organizations to establish a practice of whistleblowing. Many jurisdictions have a sufficient legal basis for whistleblowers, while many others still lack one. As of 2020, ‘laws as regards whistleblower protection have been enacted in at least 59 countries’. The idea of legislating whistleblower laws is to ‘incentivize whistleblower disclosures and protect whistleblowers from retaliation’.

Whistleblowing Legislation in Switzerland

It is very disconcerting that whistleblowers in Switzerland are not protected by law. There are currently no legislative provisions in Switzerland that protect whistleblowers from retaliation. In fact, the existing laws are shaped in a way that discourages employees from raising their voices against wrongdoing and/or misconduct in the organization, as Article 321a Para 4 of the Swiss Code of Civil Obligations states that “For the duration of the employment relationship the employee must not exploit or reveal confidential information obtained while in the employer’s service, such as manufacturing or trade secrets; he remains bound by such duty of confidentiality even after the end of the employment relationship to the extent required to safeguard the employer’s legitimate interests”.

One might argue that this legal provision does not expressly say anything against raising one’s voice against wrongdoing and/or misconduct in the organization; the counterargument is that the wording of the law does not expressly protect whistleblowers either. One may reckon that the latter reading prevails, because there are no laws in Switzerland that shield whistleblowers against unwarranted consequences. There is, however, an interpretation of this Article which says that exceptions to it are “only allowed if the public interest in disclosing the information is deemed higher than the interest of the employer in keeping the information a secret”. It remains unclear, though, which particular disclosures would be deemed to serve the public interest. The absence of a legal framework for whistleblowers has reached a worrying point in Switzerland, as it has been ‘estimated that more than 95% of the cases of corruption are unreported’.

Although several attempts have been made to legislate a framework for whistleblowers in Switzerland, none of them has been successful. It is hoped that the Swiss Federal Assembly will recognize the significance of a legal framework for whistleblowers and legislate one in the near future.

2 February 2022 | 3 min

Update to Switzerland’s Corporate Legal Reforms