The Essence of the Circular
Circular 2023/1 applies to banks, individuals, security firms and financial institutions/groups/conglomerates. It is based on the principle of separation of functions, risk management, and internal control as outlined in the Banking Ordinance and the Ordinance on Financial Institutions. It also draws on the Basel Committee's principles for systematic operational risk management and operational resilience.
It outlines principles that form a coherent framework with interdependencies among various components. The guiding principles include proportionality (based on the institution's size, complexity, and risk profile), holistic operational risk management, IT risk management, cyber risk management, critical data management, Business Continuity Management (BCM), and risk management related to cross-border activities.
Chapter V emphasises the duty to ensure operational resilience. The rest of the circular briefly addresses maintaining critical services during liquidation and the recovery of systemically important banks, as well as transitional provisions.
The Crucial Role of Critical Data and Governance
FINMA places a significant emphasis on critical data, describing it as "important for the successful and sustainable provisions of the institution's services for regulatory purposes." This data is related to the bank's key functions, processes, and operational risks. This concept includes the responsibility to ensure the confidentiality, integrity, and availability of the data. We have observed that few regulatory authorities worldwide have been as explicit on this topic. This seems highly relevant given that banks are dealing with an increasing amount of intangible digital data and assets, both internal and external.
In practice, while assisting our clients, we have noted the pivotal role of critical data, as well as the complexity of identifying and uniformly selecting them across a bank's various functions and processes. This complexity arises from the need to grasp and integrate the new concept consistently within the institution, and establish a "screening" method to avoid generating an excessive volume of data. Beyond identification, it is necessary to manage the entire lifecycle of critical data in alignment with risk management (categorisation, classification and monitoring) by integrating them into the broader data governance. The implications of this new imperative are profound and must extend to the bank's information system and cybersecurity systems.
Another challenge is effectively leveraging established data dynamics to serve business interests, harmonising compliance efforts with data requirements expressed by different bank departments.
Key Success Factors
First and foremost, the success of such an initiative relies on strong, high-level sponsorship that can steer progress and mobilise various departments and resources within tight deadlines. The steering committee must also possess decision-making capabilities to address issues, particularly organisational ones that span across bank departments.
Secondly, it is crucial not to underestimate the phase of team acculturation involved in the initiative to ensure a clear understanding of the new challenges and enable them to acquire the fundamentals, particularly data governance. This takes time at the outset but accelerates progress afterward. If this is neglected, then it is often a factor in failure.
Finally, it is important to deploy frameworks that maintain strong coherence between different blocks (e.g., critical data, risks and security) while retaining agility. Through our various missions for Swiss banks, we have capitalised on these experiences and produced tools and methodologies that ensure this. As a result, this allows for flexible guidance of the initiative, adapting to the specific context of the bank.
The scope of FINMA Circular 2023/1 will not end on January 1, 2024. It will extend over the coming years (according to the circular's timelines in 2025 and 2026), with banks needing to maintain a progressively more refined governance of their information assets related to critical data. This will be a significant lever to help them address current and future challenges with the colossal transformations they are implementing.
Contact Persons:
Nicolas CAMBOLIN – Partner, Global Director Data Intelligence
Yann LEBLEVEC – Director Data Intelligence Consulting EMEA
Patrice FERRAGUT – Data Intelligence CH Pratice Lead