Compliance, Financial Services
Managing Director ASC Schweiz AG
Stefan A. Bütler is Managing Director of ASC Switzerland AG, a subsidiary of the globally active ASC Technologies AG. For many years, he has been developing compliance recording solutions for financial centers in Switzerland and the Principality of Liechtenstein to enable them to meet the requirements of the respective legal regulations. In this function, he directly advises and supports partner enterprises of ASC Switzerland as well as financial institutions within the economic area of Switzerland and the Principality of Liechtenstein.
Financial Market Supervisory Authority FINMA: Framework, Tasks and Objectives of Federal Regulation
The Swiss banking sector enjoys a first-class reputation and is one of the most important in the world. However, even in Switzerland, the financial sector is one of the most heavily regulated areas of the economy. Accordingly, banking and financial market regulation, and in this context in particular the secure recording and archiving of financial communications, are of great importance. Regulation forms an important basis for the corporate governance of institutions and strengthens the confidence of creditors and investors.
The regulation of banks, insurers and asset managers serves primarily to protect customers and ensure the security and stability of the financial system. While the basic principles are laid down in legislation (e.g. the Banking Act, the Financial Market Supervision Act), the details are specified in ordinances issued by the Federal Council (e.g. the Banking Ordinance). The Financial Services Act (FinSA) specifies these objectives and regulates the provision of financial services. The Swiss Financial Market Supervisory Authority FINMA, based in Bern, sets out its supervisory practices in circulars, among other things. Investors and insured persons are also protected by self-regulation (guidelines, recommendations) within the financial sector itself.
Banks are monitored on FINMA's behalf by auditing companies acting as auditors in accordance with the Banking Act (dual supervisory system). In order to combat money laundering, insider agreements or deliberate misinformation in consultations, the provability of orders, consultations and decisions has been strengthened by regulation. A central compliance recording solution supports institutions in implementing these requirements efficiently and in an audit-proof manner.
FINMA Recording Obligation: Communication, Storage and Evidence
Retention periods and security of evidence according to GeBüV
This FINMA regulation includes an electronic recording requirement that applies not only to internal and external landline calls, but also to mobile phone calls, electronic correspondence, multimedia communication channels (SMS, chat) and the associated connection information. The FINMA recording requirement for landline, mobile and electronic correspondence is anchored in FINMA's supervisory practice and circulars.
The recordings must be kept unchanged for at least two years for FINMA's purposes. Many institutions extend their retention periods significantly beyond this in order to cover civil and supervisory requirements. The use of means of communication that cannot guarantee recording is not permitted.
In order for these recordings to serve as evidence in the event of a dispute, the requirements of the Ordinance on Business Records (GeBüV) must be taken into account. In addition to the recording obligation, additional requirements from the internal control system (ICS), internal compliance, data protection, protection of personal rights and the areas of education and training must be observed. With an omnichannel compliance recording solution (e.g. for voice, video, chat and email), these FINMA recording obligations can be implemented centrally.
- Compliance with regulatory and legal requirements
- Increased legal certainty and protection against unjustified claims
- Proof of a professional approach and comprehensive fulfilment of the duty to provide information and clarification
- Two-stage order processing through confirmation of the protocol or explicit consent by the customer
- Optimization of communication and business processes
- Demonstration of responsible corporate governance
Data Protection: nFADP and Its Impact on Records
The revised Data Protection Act (nFADP) strengthens information obligations (transparency), anchors privacy by design & default, and requires data protection impact assessments (DPIA/DSFA) in cases of high risk. In practice: Customers must be informed about recordings; systems must be designed in such a way that data protection is maintained by default.
- Information obligation: Provide clear and comprehensible information before/after starting the recording (also for remote/mobile calls).
- Privacy by Design/Default: Minimization, deletion concepts, access roles, logging.
- DPIA/DSFA: For recording/analytics setups with potentially high risk (e.g. voice/AI analysis).
With an AI-based analysis platform and an AI policy engine, data protection and governance requirements can be mapped in a structured manner.
AI Governance in the Financial Sector: FINMA Expectations and the EU AI Act
Artificial intelligence (AI) is increasingly finding its way into the financial world, for example in the transcription of advisory meetings, compliance analyses or risk management. In its Supervisory Notice 2024, FINMA has for the first time formulated clear expectations regarding the use of AI. In future, institutions will be required to maintain a central inventory of all AI systems used, classify them according to risk and clearly assign responsibilities. The supervisory authority also demands high standards of data quality. Completeness, correctness and stability are just as important as dealing with possible bias. In addition, there is ongoing monitoring, testing for model and data drift, and defined fallback mechanisms in the event of system failures. Particular emphasis is also placed on explainability: black box models are considered critical, and results must be traceable. Finally, FINMA expects independent verification, for example through the second line of defence in risk management or through external reviews.
Stefan A. Bütler:
“The topic of AI in relation to regulations is also very central. The use of AI is growing rapidly, but strict compliance with legal requirements is essential. Anyone who uses AI must always be one step ahead in terms of regulation.”
These requirements are particularly relevant in the area of recording and archiving: many institutions already use AI-supported solutions for speech and pattern recognition or automated transcription. In future, such systems will clearly fall under FINMA's governance requirements: transparency, traceability and documented controls are crucial here.
Parallel to these developments in Switzerland, regulation is also progressing in Europe. With the EU AI Act, which has been in force since August 2024 and will be implemented in stages until 2027, the EU is creating a comprehensive legal framework for the use of AI for the first time. The first obligations have been in force since February 2025, with stricter requirements for so-called ‘high-risk systems’ to follow in the coming years. Anyone operating across borders should keep an eye on these developments. You can find an in-depth overview in our blog post ‘The EU AI Act – what does it mean for Switzerland?’.
“Thanks to our global experience and in-depth expertise, we develop solutions that are both regulatory and technologically leading. We know what markets and regulators expect.”
FIDLEG 2025: Switzerland's Response to MiFID II and MiFID III
Voice recording in the banking sector is not unique to Switzerland: in May 2014, the European Parliament passed a tightening of the Markets in Financial Instruments Directive (MiFID II) to protect bank customers. With this highly complex set of rules, the EU aims, among other things, to better protect small investors and eliminate conflicts of interest. It is intended to make the financial system safer, more transparent and more responsible. Since the beginning of 2017, relevant telephone calls and consultations must be recorded in all EU and EEA countries – on both landline and mobile networks.
The EU regulations are also having an impact outside the Union. Although Switzerland is not a member of the EU, local financial institutions that have customers in the EU or do business there, and that do not want to give up business with EU customers, have no choice but to implement the directive.
For this reason, Swiss legislators have introduced a national version of MiFID II in the form of the Financial Services Act (FinSA), which is to be implemented as a leaner regulation recognised by the EU as equivalent. Under this version, financial institutions from third countries will only be admitted to the EU market if the supervisory and conduct of business rules in their country are equivalent to those in the EU.
With the Financial Services Act (FinSA) and the Financial Services Ordinance (FinSO), Switzerland has had its own set of rules for investor protection, information, appropriateness/suitability, documentation and accountability since 2020. FINMA further clarified this practice in Circular 2025/02 ‘Conduct obligations under FinSA/FinSO’ as of 1 January 2025: How is transparency achieved towards clients? The circular creates legal certainty and a comparable level of protection among supervised entities.
On the EU side, MiFID II remains the central directive, but it was comprehensively reformed in 2024. Many are therefore already talking about ‘MiFID III’. At the core of the changes are greater transparency, stricter reporting requirements and the creation of a more uniform database for trading and monitoring. The new rules will come into force gradually over the coming years. For Swiss institutions with EU clients, this means that those operating across borders should adapt their reporting and protocol standards at an early stage in order to remain compliant without any problems.
One key difference remains: MiFID II expressly requires the recording of telephone and electronic communications that lead or may lead to transactions, with storage for at least five years (up to seven years if ordered by the supervisory authority). In addition, institutions must prevent employees from using non-recordable private devices for such conversations. In Switzerland, this obligation is not enshrined in the FinSA; however, FINMA's supervisory practice has regulated recordings very clearly for years. For this reason, many institutions effectively align themselves with the EU level of protection in order to strengthen evidence gathering and customer protection and to remain compliant across borders.
Our customers, such as Swiss financial institutions, must now comply not only with national requirements, but also with EU and global regulations such as the EU AI Act, MiFID II/III and international data protection standards. Compliance has long since become global and requires solutions that can cope with this complexity.
Please note
We do not provide legal advice and this information cannot replace legal review or consultation.