By Andrea Briganti
On September 1st, 2023, the new Swiss data protection law, known as nFADP, came into force. This law has far-reaching implications for Swiss banks, adding an extra layer of complexity to the already stringent GDPR regulations that apply to EU residents.
Dual Regulatory Oversight:
One of the immediate challenges facing Swiss banks is the dual regulatory oversight imposed by the nFADP law. Banks now find themselves under the watchful eyes of two regulatory bodies: the Financial Market Supervisory Authority (FINMA) and the Federal Data Protection and Information Commissioner (FDPIC). This dual supervision underscores the importance of compliance with the new regulations and the importance of data management and protection, which is also a topic at the core of the new FINMA Circular 2023/1 on Operational risks and resilience – banks.
The Challenge of Data Identification:
Compliance with the nFADP law can be divided into two main categories. The first challenge is identifying relevant data. Swiss banks have always been obligated to retain client data for various purposes, including transaction monitoring, Anti-Money Laundering (AML), and Know Your Customer (KYC) procedures. With the introduction of nFADP, the challenge now extends to discerning what data falls into the category of "nice to have" data, which may be subject to certain nFADP measures, requiring deletion or specific treatment.
Internal Data Access and Control:
The second aspect of compliance revolves around internal data access and control. Some departments in banks may need to retain certain types of data, such as the Central File, for specific purposes. However, ensuring that this data remains inaccessible to other departments may be essential to meet nFADP requirements. Striking this balance may represent a daunting task for institutions.
Adding to the complexity is the absence of clear, detailed guidelines for banks on how to navigate the intricacies of nFADP compliance across various departments, leaving room for interpretation. While the law outlines the obligations, it does not provide a step-by-step roadmap, leaving banks grappling with uncertainty and seeking best practices.
The Imperative of Staff Training:
In light of these challenges, what is clear is that staff training is essential. From the reception desk to the boardroom, every staff member must be well-versed in the nuances of the new law to ensure compliance with FINMA’s requirement of proper and good diligence.
Indigita: Your Partner in Compliance
In these challenging times, financial institutions in Switzerland can turn to Indigita for support. Indigita offers a foundation course on nFADP designed to equip banks with the knowledge and skills necessary for compliance with the new law. Moreover, in the coming months, a suite of specialised courses tailored to the unique needs of different bank departments will be made available.
Conclusion:
The implementation of Switzerland's new nFADP law signifies a significant shift in data protection regulations for the banking sector. While the challenges are undeniable, they also present an opportunity for financial institutions to enhance their data handling practices and reinforce customer trust. As the regulatory landscape continues to evolve, staying informed and prepared is imperative. Indigita is here to guide Swiss banks on their journey towards nFADP compliance with its e-Learning courses, and ensure they navigate these changes successfully.
To learn more on our e-Learning offering, please contact us at info@indigita.ch