Yes, the following laws must be observed:
- Federal Act on Data Protection (SR 235.1) and the Ordinance to the Federal Act on Data Protection
- Banking Act (SR 235.11)
- Federal Act on Financial Institutions (SR 954.1 "FinIA")
- Insurance Supervision Act (SR 961.01)

The Swiss Financial Market Supervisory Authority (FINMA) has set out the rules regarding outsourcing in the two circulars below:
- Circular 2018/3 Outsourcing — banks, insurance companies and selected financial institutions under FinIA
- Circular 2008/21 Operational risks at banks (This circular is currently being revised and replaced by the new FINMA Circular 2023/1 Operational risks and resilience — banks, scheduled to enter into force on 1 January 2024).

Draft Circular 2023/1, Operational risks and resilience — banks, focuses on the supervisory practice with regard to the management of operational risks in connection with information and communication technology, including the handling of critical data and cyber risks.