Switzerland: New Regulatory Guidelines On Corporate Governance For Banks, Securities Dealers And Financial Groups/Conglomerates (FINMA Circular 2017/1)

Reference: CapLaw-2017-17

On 1 November 2016, FINMA published its new circular 2017/1 on "Corporate governance – banks" streamlining the regulatory framework on corporate governance for banks, securities dealers, financial groups and conglomerates by defining partially revised minimum requirements and underlying principles. The new circular consolidates and replaces three former FINMA circulars and addresses the experiences made in the financial crisis as well as the revised international standards. The most significant changes pertain to i) FINMA's commitment to a more principle based approach and consistent application of the principle of proportionality, ii) the introduction of provisions for the audit and risk committee of the governing body as well as iii) the possibility to delegate the internal audit function to another unregulated group company, provided such group company fulfils certain minimum requirements regarding capabilities and resources. The new circular will enter into force on 1 July 2017.

1) Introduction

On 1 November 2016, FINMA published its new Circular 2017/1 "Corporate governance – banks" (Circular 17/1) streamlining the regulatory framework on corporate governance for banks, securities dealers, financial groups and (bank or securities dealer dominated) conglomerates (collectively referred to as Banks) by i) consolidating the currently applicable guidelines outlined in various circulars and FAQs and ii) partially revising the minimum requirements as well as the underlying principles. Circular 17/1 will enter into force on 1 July 2017. Concurrently, FINMA also revised its circulars 2008/21 on "Operational risks – banks" and 2010/1 on "Remuneration schemes", which will both enter into force on 1 July 2017 as well (summary discussion on these to follow in a separate CapLaw publication).

Circular 17/1 remains to a large extent in line with the currently applicable FINMA guidance (and the draft circular published on 1 March 2016), except for a number of important changes in specific areas, which will be the focus of this article.

2) Circular 17/1 on Corporate Governance for Banks

a) Overview

Circular 17/1 consolidates the supervisory law requirements relating to corporate governance, internal control systems and risk management for Banks that were previously scattered between two FINMA circulars: i) circular 2008/24 "Supervision and internal control – banks" and ii) circular 2008/21 "Operational risks – banks" as well as the FAQ on the Governing Body (Oberleitungsorgan).

Circular 17/1 will supersede circular 2008/24 and the FAQ which currently regulates corporate governance aspects for banks and securities dealers. Circular 2008/24 has not been materially amended since its implementation in 2006. Therefore, the circular does not yet reflect lessons learned from the financial crisis. Furthermore, international standard setters such as the Basel Committee on Banking Supervision (BCBS) adjusted their guidelines in the meantime to implement a standard for a modern corporate governance and efficient risk management (e.g. the BCBS Guidelines on Corporate governance principles for banks dated July 2015 available under http://www.bis.org/bcbs). In addition, the International Monetary Fund (IMF) issued recommendations on capitalization and corporate governance in its Financial Sector Assessment Program of 2014 (see https://www.imf.org). In Circular 17/1, FINMA addresses these developments, completing it with additional risk management aspects demonstrating FINMA's increased focus on a modern corporate governance as well as an adequate and efficient internal control system. Apart from international developments, this strengthened focus on risk management results from FINMA's recent supervisory practice showing that operational risks in banking have become more diverse.

At its core, Circular 17/1 includes provisions relating to various corporate governance aspects such as governing and management bodies, risk management, the internal control system and internal audit. The circular consistently reflects the concept of principle-based regulation. However, FINMA explicitly acknowledged that corporate governance and risk management are regulatory topics that may not be adequately addressed by a "one size fits all"-approach (explanatory report dated 1 March 2016, p. 9). Consequently, the new circular aims to leave room for institutions to implement the requirements on a case-by-case basis, i.e. considering their different business models and the risks associated therewith (consultation report dated 22 September 2016, key point no. 2). Furthermore, FINMA expressly reserves the possibility to grant reliefs or be more restrictive in the individual case (note 8 of Circular 17/1).

b) Scope of Application of Circular 17/1

A significant change in Circular 17/1 vs. the current regulation is the shift from a "comply or explain" approach as currently applied in several areas to a consistently applied principle of proportionality. This allows FINMA to consider on a case-by-case basis the characteristics of each Bank in terms of size, complexity, structure and risk profile (note 8 of Circular 17/1). The principle of proportionality has mainly been implemented by differentiating between the different supervisory categories of Banks. Accordingly, more stringent requirements apply in certain areas for Banks in the supervisory categories 1-3 or for systemically relevant banks, whereas Banks in the supervisory categories 4 and 5 "only" have to fulfill the baseline requirements (see e.g. notes 31, 59 and 70 of Circular 17/1).

The reason for this shift is that the "comply or explain" approach, which is an established concept in self-regulatory regimes (i.e. institutions explaining non-compliance with certain requirements in their annual reports), is rare in the regulated space and has in practice rendered a timely supervision by FINMA difficult. FINMA also highlighted that it will consider granting exceptions in the future should it not be possible to meet the requirements of Circular 17/1 in a specific individual case for convincing reasons (explanatory report dated 1 March 2016, p. 10).

The provisions of Circular 17/1 on group structure have been aligned with international guidelines. Accordingly, the principles and provisions of Circular 17/1 for individual institutions will apply to financial groups and conglomerates by analogy, which largely aligns with current FINMA practice (note 98 of Circular 17/1). In particular, financial groups and conglomerates must implement rules on the tasks and responsibilities of the various bodies being responsible for the group management.

c) Modifications relating to the Responsibilities and Requirements for the Governing Body

Circular 17/1 uses the more general term "governing body" (Oberleitungsorgan) that, in principle, applies to all types of legal entities including e.g. companies limited by shares (AG) and cooperatives (Genossenschaften) as opposed to the term "board of directors" as referred to in circular 2008/24 that mainly refers to companies limited by shares in the meaning of article 620 et seq. CO.

The governing body must play an active role in strategic matters of a Bank (see as well the corporate law provisions on the non-transferable and unalienable competences of the board of directors in article 716a CO). Accordingly, Circular 17/1 contains a list of minimum required tasks and responsibilities for a Bank's governing body, including the approval of the business strategy and risk policies. In this context, the governing body is responsible for the approval of the risk framework as well as the regulation, implementation and monitoring of an appropriate risk management and overall risk steering (note 10 of Circular 17/1). Besides such controlling aspects, Circular 17/1 will implement principles and structures for the governing body relating to the management of the Bank (so-called "checks and balances"), particularly in the areas of organization, accounting and the selection of candidates in key positions (notes 11-14 of Circular 17/1). The rather generic description of such activities corresponds with international standards (see e.g. principle no. 1 of the BCBS Corporate Governance Principles) and remains to a large extent in line with the current FINMA FAQ on the Governing Body. Finally, the governing body has to decide on important changes of the entity (and group) structure and investments of a strategic importance (note 15 of Circular 17/1). Interestingly, under the provisions of the draft circular 2016/xx "Corporate Governance – banks" published on 1 March 2016 (Draft Circular 17/1) the governing body had a general responsibility to decide on changes to the entity (and group) structure (note 17 of Draft Circular 17/1). In contrast, under Circular 17/1, the governing body only has to decide on important changes of the entity (and group) structure. This sensible adjustment allows for more flexibility in delegating tasks.

The provisions of Circular 17/1 on the composition of the governing body are largely similar to the current rules of the FAQ on the Governing Body and the provisions of the circular 2008/24. E.g. the requirement that at least one third of the board members must be independent will continue to apply. However, FINMA may in justified exceptional cases grant exceptions (note 17 of Circular 17/1). This might in particular be relevant in financial groups. Similarly to the current regime, a member of the governing body is deemed to be independent if he/she cumulatively fulfills at least the following criteria (notes 18-22 of Circular 17/1):

  • is not engaging in any other function in the institution or has not been engaged in such function in the last 2 years;
  • has not been employed as the responsible lead auditor of the financial institution's audit company within the last 2 years;
  • does not maintain a business relationship with the financial institution of a type or scope which may lead to a conflict of interests; and
  • is not a qualified shareholder in the meaning of article 3 (2) (cbis) Banking Act and article 10 (2) (d) Stock Exchange Act and also does not represent such a person.

The Draft Circular 17/1 envisaged that a significant part of the members of the governing body could not be (or represent) a qualified shareholder of the financial institution. In Circular 17/1, however, this requirement has been eased to the extent that it only has to be fulfilled by at least one third of the board members.

Under Circular 17/1, Banks in the supervisory categories 1-3 are required to establish an audit and a risk committee, irrespective of the total number of members of the governing board (note 31 of Circular 17/1). Under former FINMA practice, a Bank was only allowed to create a committee if the governing body consisted in total of at least five members (see Susan Emmenegger/Hansueli Geiger, Bank-Aktiengesellschaft – Statuten und Reglemente mit Mustern, Zurich/Basel/Geneva 2004, N 145).

The tasks and responsibilities of the committees correspond to a large extent to international standards, in particular principle no. 3 of the BCBS Corporate Governance Principles. Consequently, the responsibilities of the audit committee mainly relate to monitoring and evaluation tasks, e.g. regarding the financial reporting, the internal control and compliance functions, the risk control as well as the independence and effectiveness of the external auditor (notes 34-39 of Circular 17/1). The tasks of the risk committee, in contrast, refer to the framework concept for the entity (or group) wide risk management, the evaluation of the capital and liquidity planning as well as the general control over an appropriate risk management and risk strategy (notes 40-46 of Circular 17/1). Under Draft Circular 17/1, it was envisaged that Banks in the supervisory categories 1-3 had to create separately an audit committee and a risk committee (note 36 of Draft Circular 17/1). In contrast, the finalized Circular 17/1 requires this only for Banks in the supervisory categories 1 and 2 (note 31 of Circular 17/1). Accordingly, Banks in the supervisory category 3 may have a combined audit and risk committee. The majority of the members of the audit and the risk committee have to be independent in the meaning set forth above, but not mandatorily independent from the nomination committee as previously proposed in Draft Circular 17/1 (note 33 of Circular 17/1 and note 38 of Draft Circular 17/1).

d) Modifications relating to the Responsibilities and Requirements on the Management Body

Circular 17/1 defines minimum tasks and responsibilities of the management body and minimum requirements for its members which are largely in line with international standards, in particular the BCBS Corporate Governance Principles. Besides the operation of the daily business, the management body is responsible for the implementation of adequate internal systems such as the management information system (MIS), the internal control system and a suitable technology infrastructure (notes 47-50 of Circular 17/1). These management responsibilities have been adopted from circular 2008/24 (notes 80 et seq.) and circular 2008/21 (notes 122-123).

Although not expressly mentioned in Circular 17/1 (other than in the Draft Circular 17/1), the management body is, in our understanding, responsible for the monitoring of the compatibility of the business activities with the law and internal rules.

e) Modifications relating to the Risk Concept

Circular 17/1 provides for a duty to implement and manage a framework concept for the entity (and group) wide risk management which has been adopted from the circular 2008/21. Newly, FINMA explicitly requires such framework concept to be prepared by the management body and approved by the governing body (whereas before circular 2008/21 only referred to the requirement of approval by the governing body). Such framework concept has to include certain minimum standards addressing risk policy, risk appetite and risk limits of the respective institution (notes 53 et seq. of Circular 17/1).

Banks in the supervisory categories 1-3 have to include in their framework concept provisions referring to the risk data aggregation and reporting (Risikodatenaggregation und –berichterstattung), not only systemically relevant banks as it was initially envisaged in the Draft Circular 17/1. Systemically relevant banks are, however, required to include certain additional specifications in their risk data aggregation rules (note 59 of Circular 17/1). FINMA included transitional provisions for the implementation of the respective rules: Banks in the supervisory categories 1-3 have to implement such provisions on risk data within a one-year transitional period (note 103 of Circular 17/1). Systemically relevant banks, however, have to implement the additional requirements already at the time of the entry into force of the circular or within a three-year transitional period upon classification as systemically relevant bank (note 105 of Circular 17/1).

As widely criticised by the participants in the consultation procedure for the Draft Circular 17/1 (e.g. by Postfinance AG or the University of St. Gallen), the existing regulation lacked a proper definition of the term "risk management" and its distinction from "risk control". Unfortunately, Circular 17/1 neither defines the term nor otherwise brings more clarity in this regard.

f) Modifications relating to the Internal Control System and the Internal Audit

Circular 17/1 envisages a holistic concept of an internal control system (ICS) in line with international guidelines, such as the ISO 31000 rules on Risk management, comprising at least the performance-oriented business units and independent supervisory bodies (note 60 of Circular 17/1). Furthermore, Circular 17/1 requires Banks in the supervisory categories 1-3 to implement the role of an independent chief risk officer (CRO), who has to be a member of the management body if the Bank is systemically relevant. Such CRO may be responsible also for other independent control functions (e.g. for the compliance function) even in case of systemically relevant banks (notes 67 and 68 of Circular 17/1). In Draft Circular 17/1, a more restrictive approach was suggested as it required the CRO to be exclusively responsible for the risk control function.

Besides a semi-annual report to the management body and an annual report to the governing body, the risk control function has to inform the management in a timely manner of special developments and, more extensively than under the current regime in circular 2008/24, in important cases, also the governing body (notes 75 and 76 of Circular 17/1).

Circular 17/1 adopts the detailed provisions referring to the implementation of an internal audit function from the circular 2008/24 almost verbatim. However, under the current regime, FINMA may in exceptional cases exempt a Bank from the requirement to implement an internal audit function (note 55 of circular 2008/24). Under Circular 17/1, no such explicit exemption option is envisaged. Similar to the current regime, in circumstances where the establishment of an institution-specific internal audit function appears to be inadequate (e.g. because of the small size of the Bank), the Bank may delegate the internal audit duties to i) the internal audit function of its parent company or of another group company, if this company is also a bank, a securities dealer or another supervised financial institution (e.g. an insurance company), ii) a second audit firm which is independent from the institution's audit firm or iii) another group company or an independent third party, if the auditors confirm the professional capabilities and availability of appropriate technical and human resources (notes 83-86 of Circular 17/1). Extending the previous regime, Circular 17/1 in above iii) now also allows a delegation of the internal audit function to another (unregulated) group company, subject to the above confirmations by the auditors. This is particularly relevant if a Bank intends to outsource its internal audit function to e.g. an unregulated group internal service company. Considering the recent trend of financial institutions to implement a service company structure, this amendment is a sensible response to this trend.

Circular 17/1 provides for several minimum requirements on the remit of the internal audit. The requirement to prepare a multi-year plan for all risk relevant business activities which was contemplated in the Draft Circular 17/1 has not been adopted in Circular 17/1.

g) No Adoption of Provisions relating to Disclosure Duties

Draft Circular 17/1 envisaged to impose extended public disclosure obligations on Banks in the supervisory categories 1-3 similar to the corporate governance guidelines of the SIX. Such disclosure duties would have referred to information e.g. on the internal organization and functioning of the governing and the management body as well as vested interests of the members of the governing and the management body.

During the consultation period, the participants (such as UBS AG or the Verband Schweizerischer Kantonalbanken) questioned the legal basis for such disclosure duties and whether Circular 17/1 is the appropriate place for such disclosure rules. In response to this criticism, the entire chapter on disclosure requirements has not been included in Circular 17/1 but has been moved (in a reduced fashion) to the revised circular 2016/1 "disclosure – banks" which was published on 19 December 2016 and entered into force on 1 January 2017.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
