Date: 2026-03-10

Peter Ruggle is the founder of Ruggle Partner, a boutique law firm with offices in Zürich and Luzern. With over three decades of legal experience, he advises national and international clients on corporate and commercial law, M&A transactions, banking and capital markets, FinTech, and dispute resolution. A graduate of the University of St. Gallen with additional qualifications in FinTech (Oxford) and an MBA (Singapore), Peter began his career as a judge at the District Court of Meilen before joining private practice. He is a qualified mediator and publishes regularly in the fields of commercial law, financial services, and civil procedure. Peter is fluent in German, English, French, and Italian, enabling him to serve clients across multiple jurisdictions with a practical, solution-oriented approach.

Executive Overview

Open Banking and Open Finance have fundamentally reshaped regulatory and competitive dynamics across major financial markets. The European Union introduced a mandatory access-to-account regime under PSD2, while the United Kingdom developed a centralized Open Banking entity model. Switzerland, by contrast, has deliberately refrained from imposing a statutory API-access obligation on banks.

This regulatory restraint does not, however, equate to legal simplicity. Swiss Open Finance initiatives operate within a dense matrix of banking secrecy, data protection, outsourcing regulation, supervisory expectations and competition law. The absence of prescriptive legislation shifts complexity from statutory compliance to contractual structuring and meticulous risk allocation.

The following analysis examines the Swiss framework in depth and evaluates whether the market-led model constitutes a sustainable competitive advantage or reveals a latent regulatory gap.

Conceptual and Structural Foundations

Open Banking, in its narrower sense, refers to structured access to payment account data and payment initiation functionalities through standardized application programming interfaces (APIs). Open Finance broadens this logic beyond payment accounts to encompass mortgages, securities accounts, pension assets, insurance data and wider financial information ecosystems.

Unlike the EU framework, Switzerland has not introduced a statutory third-party provider licensing category specific to account access services. Market participants must therefore be assessed under existing regulatory categories. This gives rise to important classification questions: Does a third party qualify as a financial service provider under the Financial Services Act (FinSA)? As a financial institution under the Financial Institutions Act (FinIA)? As a mere technology service provider? Or as an outsourcing partner subject to FINMA supervisory expectations?

These categorization issues lie at the heart of determining supervisory oversight, conduct duties and prudential requirements.

Banking Secrecy and Data Transfer Constraints

Article 47 of the Swiss Banking Act codifies banking secrecy as a criminally protected obligation. Disclosure of client information to third parties is prohibited unless a valid legal basis exists. In the Open Finance context, this legal basis typically rests on explicit client consent.

Consent, however, must be sufficiently informed and specific. Blanket or overly abstract consent clauses may not withstand scrutiny, particularly where data flows dynamically through APIs over extended periods. Financial institutions must ensure that clients understand the identity of the third-party provider, the categories of data shared, the purpose and duration of access, and the risks associated with onward transfers.

The technological ease of data sharing in no way diminishes the criminal law sensitivity of unauthorized disclosure. Consent management systems must accordingly be robust, traceable and readily revocable.

Data Protection under the Revised Federal Act on Data Protection

The revised Federal Act on Data Protection (revDSG), now fully in force, significantly increases accountability obligations for data controllers. Open Finance ecosystems trigger multiple compliance layers that deserve careful attention.

Transparency and information duties require institutions to provide clear privacy notices explaining API-based data transfers. Where profiling or automated decision-making is involved, additional disclosure obligations arise. The principle of purpose limitation and data minimization demands that APIs refrain from granting unrestricted access where limited data fields would suffice. Technical architecture must reflect the principle of proportionality throughout.
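The requirements set out above for consent (a named third party, defined data categories, purpose and duration, revocability, traceability) and for data minimisation (APIs releasing only the fields a given purpose needs) can be expressed directly in the design of a consent registry. The following is an added illustration, not code from the author or from any Swiss institution; the client record, the scope names and the provider identifiers are constructed for the example, and the scope-to-field mapping is an assumption about how an institution might model data categories.

```python
"""Consent-scoped release of account data (constructed illustration).

A consent names the provider, the data categories, the purpose and an
expiry; every grant, release, denial and revocation is written to an
audit log; and the release step returns only the fields that the
requested category covers, never the whole client record.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample client record; the IBAN is a placeholder, not a real account.
CLIENT_RECORD = {
    "iban": "CH00 0000 0000 0000 0000 0",
    "balance": 12345.67,
    "transactions": [{"date": "2026-03-01", "amount": -42.10, "text": "grocery"}],
    "name": "A. Muster",
    "address": "Musterstrasse 1, 8000 Zürich",
    "mortgage": {"principal": 500000, "rate": 0.018},
}

# Assumed data categories, each mapped to the concrete fields it unlocks.
# Fields not listed for a category (name, address, mortgage) are never released under it.
SCOPE_FIELDS = {
    "account:balance": {"iban", "balance"},
    "account:transactions": {"iban", "transactions"},
    "mortgage:summary": {"mortgage"},
}


@dataclass
class Consent:
    client_id: str
    provider_id: str            # identity of the third-party provider
    scopes: frozenset           # categories of data the client agreed to share
    purpose: str
    granted_at: datetime
    expires_at: datetime        # duration of access is bounded at grant time
    revoked_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        return self.revoked_at is None and self.granted_at <= now < self.expires_at


@dataclass
class ConsentRegistry:
    consents: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # (time, event, consent_id, detail)

    def grant(self, client_id, provider_id, scopes, purpose, now, duration_days):
        unknown = set(scopes) - set(SCOPE_FIELDS)
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        consent_id = f"{client_id}:{provider_id}"
        self.consents[consent_id] = Consent(
            client_id, provider_id, frozenset(scopes), purpose,
            now, now + timedelta(days=duration_days),
        )
        self.audit_log.append((now, "grant", consent_id, sorted(scopes)))
        return consent_id

    def revoke(self, consent_id, now):
        self.consents[consent_id].revoked_at = now
        self.audit_log.append((now, "revoke", consent_id, None))

    def release(self, consent_id, provider_id, requested_scope, now, record):
        """Return only the fields covered by an active consent, or None if denied."""
        c = self.consents.get(consent_id)
        permitted = (
            c is not None
            and c.provider_id == provider_id      # the named provider, no one else
            and c.is_active(now)                  # within duration, not revoked
            and requested_scope in c.scopes       # only the agreed categories
        )
        if not permitted:
            self.audit_log.append((now, "deny", consent_id, requested_scope))
            return None
        self.audit_log.append((now, "release", consent_id, requested_scope))
        allowed = SCOPE_FIELDS[requested_scope]
        return {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    reg = ConsentRegistry()
    t0 = datetime(2026, 3, 10)
    cid = reg.grant("client-1", "tpp-A", {"account:balance"}, "budgeting", t0, 90)
    print(reg.release(cid, "tpp-A", "account:balance", t0 + timedelta(days=1), CLIENT_RECORD))
    print(reg.release(cid, "tpp-A", "account:transactions", t0, CLIENT_RECORD))
    reg.revoke(cid, t0 + timedelta(days=2))
    print(reg.release(cid, "tpp-A", "account:balance", t0 + timedelta(days=3), CLIENT_RECORD))
    for entry in reg.audit_log:
        print(entry)
```

The design point is that the release decision and the field filter are enforced in one place on the institution's side, so that a provider with a valid consent for balances cannot obtain transactions, name or address through the same channel, and so that the audit log reconstructs for any later inquiry who received which category, when, and under which consent.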

Where a third party qualifies as a processor rather than an independent controller, a compliant data processing agreement is mandatory. Distinguishing between controller-to-controller and controller-to-processor relationships is both legally consequential and highly fact-dependent. Moreover, many fintech models rely on cloud providers or analytics tools located abroad, raising questions around adequacy decisions, standard contractual clauses and supplementary safeguards for cross-border data transfers.

The interplay between the revDSG and banking secrecy produces a dual compliance threshold: even where data protection law permits processing, banking secrecy may impose stricter constraints.

Supervisory Law: FinSA, FinIA and Licensing

Open Finance activities may trigger licensing obligations depending on the specific business model adopted. If a third-party provider merely aggregates data without furnishing individualized investment advice, it may fall outside FinSA licensing requirements but could nonetheless qualify as a financial service provider subject to conduct rules. Where portfolio management functionalities are integrated, FinIA authorization may become necessary.

Swiss banks integrating fintech solutions must further assess whether the arrangement constitutes outsourcing of essential functions under FINMA Circular 2018/3. Where critical services are outsourced, institutions retain full responsibility for compliance and risk management. Due diligence, audit rights and business continuity safeguards remain indispensable.

The absence of a PSD2-style passporting regime means that foreign Open Banking providers cannot rely on an EU license for Swiss market access. Each case requires an independent Swiss regulatory analysis.

Contractual Architecture and Liability Allocation

Under PSD2, the European Union provides statutory liability allocation rules for unauthorized transactions and payment fraud. Switzerland lacks equivalent codified risk allocation mechanisms in the Open Banking context. Contractual drafting therefore assumes central importance.

Agreements between banks and third-party providers must comprehensively address the scope and technical specifications of API access, authentication standards, incident reporting obligations, indemnification clauses, limitation of liability, and termination rights including data deletion procedures.

Particular attention should be devoted to cascading liability. Where a third-party provider relies on sub-processors or cloud infrastructure, liability chains must be clearly delineated. In the absence of statutory fallback rules, litigation risk increases considerably in cases of cyber incidents or financial loss attributable to multi-party data flows.

Operational Risk and Cybersecurity

Open APIs inherently expand the technological attack surface of financial institutions. Swiss supervisory expectations require banks to maintain robust ICT governance, intrusion detection systems and effective third-party risk monitoring frameworks.

Operational resilience is not merely a technical challenge but also a governance imperative. Boards of directors retain ultimate responsibility for risk oversight, and failure to supervise API-related risks adequately could trigger supervisory measures or enforcement proceedings.

Multi-factor authentication, state-of-the-art encryption standards and regular penetration testing should be embedded into API design from inception. Security-by-design and privacy-by-design principles are no longer optional compliance enhancements but have become core regulatory expectations.

Competition Law and Market Access

The voluntary Swiss model raises a structural competition law question of considerable significance: may dominant banks refuse API access without infringing refusal-to-deal principles?

Under the Swiss Cartel Act, abusive conduct by dominant undertakings may encompass unjustified refusal to supply. Should API access become economically indispensable for fintech participation in financial markets, a denial of such access could potentially attract scrutiny under competition law.

Although no precedent directly addresses API access as essential infrastructure, the analytical framework is well established. Market power assessments, indispensability criteria and proportionality analysis would determine the legality of any such refusal. The mere absence of a statutory obligation does not immunize conduct from competition review.

Comparative Regulatory Dynamics

The European Union is currently transitioning from PSD2 toward PSD3 and the broader Financial Data Access (FIDA) framework, aiming to extend Open Finance well beyond payments. The United Kingdom continues to refine its centralized governance structures for data sharing in financial services.

Should international standards converge around mandatory interoperability and harmonized API specifications, Switzerland may face indirect regulatory pressure. Swiss institutions operating across borders will need to ensure compatibility with evolving foreign regulatory expectations.

Conversely, Switzerland's inherent flexibility may enable faster adaptation once global standards stabilize. By avoiding premature codification, the Swiss legislature preserves valuable regulatory optionality.

Strategic Implications for the Swiss Financial Centre

Switzerland's approach reflects a broader regulatory philosophy rooted in proportionality and a commitment to innovation. The absence of prescriptive rules reduces immediate compliance burdens and creates space for experimentation.

Innovation, however, thrives not only on flexibility but equally on legal certainty. Fintech investors frequently prefer clearly defined liability and licensing frameworks. Regulatory ambiguity can elevate transaction costs and complicate due diligence, potentially deterring investment in the Swiss fintech ecosystem.

Switzerland's competitive positioning may therefore depend on whether industry self-regulation achieves sufficient standardization to deliver both scalability and investor confidence.

Outlook

Several issues are likely to shape the next phase of Open Finance in Switzerland. These include the possible introduction of minimum interoperability standards, increased supervisory scrutiny of cyber resilience within financial institutions, the clarification of controller versus processor roles within complex data ecosystems, and the expansion of artificial intelligence-driven financial analytics relying on shared datasets.

Legislative intervention remains a distinct possibility should voluntary adoption stagnate or competitive distortions emerge.

Conclusion

Switzerland's Open Banking and Open Finance landscape is characterized by regulatory restraint coupled with considerable legal density. The framework relies on existing banking, data protection, supervisory and competition laws rather than a purpose-built access regime.

This model offers flexibility and preserves contractual freedom. It simultaneously places substantial responsibility on market participants to design legally sound, operationally secure and commercially balanced ecosystems.

Whether Switzerland's distinctive path proves to be a lasting strategic advantage or ultimately necessitates regulatory harmonization will depend on the pace of market adoption, the depth of cross-border integration and the trajectory of supervisory evolution.

Key Takeaways

Switzerland does not impose a mandatory Open Banking API regime; participation remains voluntary and contract-based.

Banking secrecy under Article 47 of the Banking Act and the revised Data Protection Act constitute the central legal constraints governing any data-sharing model.

Licensing analysis under FinSA and FinIA must be conducted on a case-by-case basis, with particular regard to the specific services rendered by each third-party provider.

Liability allocation is primarily contractual; meticulous drafting of API access and outsourcing agreements is critical to managing risk.

Cybersecurity and operational resilience obligations remain fully with FINMA-supervised institutions, irrespective of outsourcing arrangements.

Competition law risks may arise where dominant institutions deny access that is economically indispensable for fintech market participation.

Cross-border interoperability pressures and evolving international standards may influence the direction of future Swiss regulatory developments.

