Financial Services

2024 Horizon scanning for assurance functions

  • Insight
  • 14 minute read
  • 27/02/24

There is no doubt that we are living through extraordinary times, with five broad megatrends – climate change, technological disruption, demographic shifts, a fracturing world and social instability – reshaping the risk landscape in which we operate.

Although none of these forces are new, their scope, speed, impact and interdependence are growing, creating a risk complexity that has arguably never been seen before. This is forcing companies to rethink their strategies and to accelerate change, creating even more layers of risk and complexity. Now more than ever, assurance functions need to be close to their organisation’s strategic priorities, building a deep understanding of what could go wrong, but also of what must go right.

Alongside this, the supervisory and regulatory agenda is very busy, as regulators and other policymakers respond to a range of macrotrends. In view of all these changes, assurance functions need to be agile and ready to challenge organisations on their capacity and capability to anticipate, prepare, respond and recover from a variety of events.

Download the paper


Hot spots

In our paper, we highlight the six hot topics affecting financial services companies that are most discussed in Switzerland’s boardrooms.

On 6 January 2023, economiesuisse published the Swiss Code of Best Practice for Corporate Governance. According to the publication, “The 2022 revised version takes account, firstly, of the international developments in corporate governance and, secondly, of the changes that have arisen at the Swiss level in particular, due to the revision of the company law dated 19 June 2020 and as a result of the developments in sustainability (particularly environment, social and governance, or ESG for short).”

OECD’s base erosion and profit shifting (BEPS) and art. 725ff OR regulations related to taxation and solvency governance respectively will have a significant impact on board roles for the next few years.

  1. Basel III finalisation and other key risk topics:
    The implementation of the Basel III finalisation framework (aka Basel IV in EU and Basel IV Endgame in the US) is expected to be adopted in the Swiss banking industry by January 2025. The amendments to the Capital Ordinance, as well as the new ordinances replacing the current FINMA circulars, are currently under review by the national working group and will soon be sent to the Swiss lawmaker for approval. We highlight the regulatory focus areas for banks in 2024, based on our mandates and interactions with FINMA and other regulators.
  2. Interest rate risk management:
    In its 2019/2 circular entitled IRR – Banks, the Swiss financial market supervisory authority (FINMA) stipulates the minimum standards for measuring, managing, monitoring and controlling IR risks. These minimum requirements should be understood in the context of the current IR environment and in view of recent developments in the banking industry. Forward guidance on key topics for 2024 from international supervisory authorities such as the EBA should also be considered.

The ESG regulatory environment is constantly maturing, with new initiatives emerging. Financial services firms need to have a clear strategy for managing risks and opportunities that arise from these market and regulatory pressures. Second and third lines are proactively engaging with ESG topics – particularly in larger organisations, which are already subject to a range of regulatory requirements and may have made public sustainability commitments.

  1. Swiss Sustainability Disclosures – RBI update:
    Within a year of implementing non-financial reporting provisions, Switzerland has already acknowledged the need to align its legislation with global regulatory reporting standards.
  2. EU Corporate Sustainability Reporting Directive – first insights:
    The CSRD is one of the most comprehensive regulatory ESG frameworks to date – and companies are well advised to embark on their ESG reporting journey as early as possible.
  3. Climate reporting for financial and non-financial corporations – TCFD implementation/transition plans:
    Climate reporting and transition plans are key instruments that Switzerland has implemented within national law to achieve the transition to net zero.
  4. Climate transition planning:
    Climate reporting and transition plans are key instruments that Switzerland has implemented within national law to achieve the transition to net zero.
  5. Regulations affecting asset owners – Swiss Stewardship Code and Climate Innovation Act:
    Switzerland is moving forward in many areas of sustainable finance, which is also having an effect on asset owners at a different level.
  6. Potential Swiss regulation on greenwashing – updates to monitor:
    Switzerland is moving forward in many areas of sustainable finance, predominantly via industry self-regulation. However, the Federal Council is eager to combat greenwashing.

 

 

  1. Business continuity management (BCM):
    The Swiss financial services sector is focusing on being more resilient – and BCM is playing an incremental role in achieving this. For good reason, institutions are taking the opportunity to revise their BCM frameworks.
  2. Operational resilience for banks (FINMA Circular 2023/01) and Operational resilience (DORA):
    The revised FINMA Operational Risk Circular for Banking enters into force in January 2024, with an additional two-year, staggered grace period for operational resilience requirements. Banks will be required to be resilient by January 2026.

    The Digital Operational Resilience Act (DORA) is a new European framework that focuses on embedding a more robust and resilient approach to delivering digital capabilities in financial markets.
  3. Cyber:
    Cybersecurity is consistently recognised as one of the top risks faced by the financial sector. The cyber threat landscape is evolving in tandem with the continuing geopolitical turmoil worldwide, leading to increased risk from nation state threat actors. This context is coupled with the rapid pace of change in business and technology, aimed at improving business processes at the same time as the industry is facing pressure and focusing on costs. This has led to organisations becoming more vulnerable to cyber risk, which is why it remains a top risk for the sector.
  4. Digital transformation:
    While cloud offers more agility, resilience and – if governed well – greater sustainability, it has brought new challenges. An increasing number of companies have experienced security breaches, driving a shift towards investing in effective detection and response capabilities in and on the cloud, in addition to prevention.

    In PwC’s 2023 Cloud Business Survey, 78% of respondents said that their company had adopted the cloud in most or all parts of their business. But more than half failed to realise the desired outcomes – such as cutting costs, improving resilience and driving new revenue. Why is tangible value elusive for so many?

    Whilst the adoption of cloud in the Financial Services industry is increasing, organisations are still facing challenges in evidencing the resilience of cloud technology to regulators and are also struggling to modernise their IT processes and controls to work in automated environments.
  5. Artificial intelligence:
    In the broadest sense, AI is the use of advanced statistical techniques combined with large computational and data needs. AI applications generally achieve complex goals commonly associated with intelligent beings, while exhibiting characteristics such as learning, reasoning, problem-solving, perception or using language.

    While there is currently no globally consistent approach, the regulatory focus is generally characterised by a number of key themes and risk areas. These include bias and fairness, transparency and explicability, data protection, security, governance, accountability and third party management. Global standard-setters will continue to support delivery of a globally consistent regulatory approach to AI.

    The potential offered by AI is exciting, but with it comes risk. If you are implementing an AI solution, you need to trust what it produces. The only way to mitigate AI risks is to establish a dedicated Responsible AI (RAI) practice that will bear responsibility for promoting risk management along all lines of defence and enforcing responsible AI standards.

    Applying existing AI Risk Management frameworks (RMFs) to GenAI involves several challenges, largely due to the unique characteristics and complexities of new technologies.
  6. Markets in Crypto Assets regulation (MiCA):
    The Markets in Crypto Assets Regulation (MiCA) entered into force in June 2023 (read: Countdown to MiCA) and includes level 2 and level 3 measures that must be developed prior to the implementation deadline (12–18 months). ESMA is working with other organisations to consult on technical standards, and will be publishing draft level 2 and 3 measures that incorporate feedback received. The measures will be implemented only once they have been approved by the European Parliament and the Council of the EU.

  1. FINMA Supervisory Notice regarding AML risk analysis:
    Embracing the power of an AML risk analysis for effective risk mitigation measures.
  2. Periodic review of “all” client files introduced by revised AML Act:
    The revised AML Act entered into force in January 2023. One of the key regulatory developments it contains is the duty of a financial intermediary to review client files/KYCs periodically to ensure that they are current and update them as necessary.

  1. The importance of data management incl. critical data (FINMA Circular 2023/01):
    Data is critical in all aspects of an organisation. Without strong data management, organisations are susceptible to a number of risks, as seen in a number of recent developments.
  2. Revised Swiss Federal Act on Data Protection (revFADP):
    The revised FADP, along with its implementing Ordinance and the Guidelines on Data Protection Certification, entered into force on 1 September 2023.

We hope that this paper acts as a useful reference for you. Should you wish to discuss any aspect further, please do not hesitate to contact us or one of our colleagues, whose details you will find at the end of this paper.

Contact us

Alexandra Burns

Partner, Leader Financial Services Risk Consulting & Internal Audit, PwC Switzerland

+41 58 792 46 28

Corina Ruchti

Director, Financial Services Risk Consulting & Internal Audit, PwC Switzerland

+41 58 792 46 76