Financial Services

2025 Horizon scanning for assurance functions

  • Publication
  • 16 minute read
  • 04/12/24

In today’s swiftly evolving business landscape, organisations are facing an array of unprecedented risks and challenges. Technical advances, shifting customer expectations, macroeconomic and geopolitical instability, and climate change demand strategic agility and robust risk management. While these risks are not new, the way they are interconnected – combined with the speed of change – is confronting businesses with fresh challenges.

Our 27th Annual Global CEO Survey tells us that, in 2024, CEOs are increasingly concerned about the long-term viability of their organisations, with many taking steps to refine or reinvent their business models.

Assurance functions’ role in helping businesses to navigate these risks, find opportunities and provide real value to stakeholders has never been more important. Foresight is key, and assurance functions need to be able to identify the future risks that matter in order to help businesses navigate this complex risk universe. Having the right people with the right skills will foster a more strategic focus. However, to be truly successful, assurance functions will need to go beyond having the right skills, people and tools, and establish a culture that encourages an innovative growth mindset in their entire team.

Alongside this, the supervisory and regulatory agenda is very busy as policy-makers respond to a range of macro-trends. With all these changes, assurance functions will need to be agile and ready to challenge organisations on their capacity to anticipate, prepare for, respond to and recover from a variety of events.


Hot spots

We dive deep into eight hot spots that are having an impact on financial services and are at the forefront of boardroom discussions. While these hot spots are mostly consistent with the previous year, we have included new topics under each of the hot spots and in some cases expanded on existing issues.

  1. Key developments for boards:
    While there were no significant new developments during the year 2024 relating specifically to corporate governance in the financial industry, many of the existing and new developments continue to have a profound impact on the role of boards and how they function. Some of the key developments are highlighted below.
  2. Base Erosion and Profit Shifting Project (BEPS):
    OECD’s Base Erosion and Profit Shifting (BEPS) pillar two project will have a significant impact on boards’ roles over the next few years.
  3. Senior Manager Regime – CH:
    The Senior Managers Regime (SMR) has come into force in the banking and insurance industries in several jurisdictions, notably the UK (advanced), with a similar or different nomenclature. The SMR aims to increase personal responsibility by placing responsibility on individuals to demonstrate that appropriate steps have been taken in decision-making and its consequences, accountability and governance. In its CS Lessons Learnt communication, FINMA has demonstrated affirmation for something similar for Switzerland. There are also parallels between the Capital Requirements Directive (CRD, EU) and Senior Managers Regime (SMR, UK) Art. 23, 1d, CRD, which have a profound impact on Swiss organisations.
  4. Retail investment strategy:
    Following the 2020 capital markets union (CMU) action plan, the European Commission (EC) issued a Roadmap for Retail Investment Strategy (RIS). The objective of the strategy is to ensure a coherent regulatory framework that empowers consumers to take financial decisions and benefit from the internal market. The Retail Investment Strategy will result in significant changes of existing regimes and will have an impact on the entire retail investment journey.
  1. Basel III – update:
    The upcoming adoption of the final Basel III framework in January 2025 will have a broad impact on all Swiss banks. The rules cover all risk types, regardless of the size and business model of the institution, with the exception of banks in the Small Bank Regime. Due to the extensive and complex nature of the reform package, banks face compliance risks. However, this also presents opportunities for them to enhance their capital ratios and risk management.
  2. Counterparty credit risk management:
    The last couple of years have brought a series of counterparty, market and political events, which have fundamentally challenged the way counterparty credit risk is handled from both a risk modelling and a risk management standpoint. As a response to these challenges, the Basel Committee issued a consultation on guidelines in April 2024, which outlines planned adjustments to the overall counterparty credit risk framework from a regulatory perspective.
  3. Model risk management – validation of AI models:
    The introduction of large language models (LLMs) such as ChatGPT has fundamentally changed model validation and model governance requirements. Banks need to adapt their model management practices to keep up with the rapid developments in artificial intelligence (AI) and the growing use of LLM-based AI solutions.

ESG regulation is constantly maturing, with new initiatives emerging. Firms must have a clearly defined strategy for managing risks and opportunities that arise from these market and regulatory pressures. Second and third lines are proactively engaging with ESG topics – particularly in larger organisations which are already subject to a range of regulatory requirements and may have made public sustainability commitments.

  1. Enhanced self-regulation landscape to prevent greenwashing in the financial sector:
    Following the Federal Council’s position on preventing greenwashing in the financial sector, the Swiss financial sector has enhanced and tightened the self-regulatory provisions regarding sustainable financial products and services.
  2. Consultation on FINMA circular on nature-related financial risks:
    In line with international standard-setters’ recommendations, FINMA has launched consultations on a circular intended to take the existing climate-related financial risk obligations further to encompass a holistic, nature-related perspective.
  3. Swiss sustainability reporting – RBI-CP update:
    The Federal Council has opened the consultation process on the next steps to align the Swiss sustainability reporting obligations with the EU CSRD.
  1. Reforming payment services and open finance:
    Implementation of the Third Payment Services Directive (PSD3), the EU Payment Services Regulation (PSR) and the Financial Data Access Regulation (FIDAR) aims to modernise the payments and financial services sector, fostering innovation and competition while ensuring a consistent regulatory environment across the EU. With the move from PSD2 and the Second Electronic Money Directive (EMD2) to PSD3 and PSR, payment services providers (PSPs) will need to step up their compliance with the new rules and take advantage of new ways of doing business, while at the same time meeting stricter supervisory expectations.
  2. Updates to SWIFT messaging:
    SWIFT is now moving to the new International Organisation for Standardisation (ISO) 20022 standard using the Financial Information Network (FIN protocol), which defines MX messaging and is designed to provide an open, common international language for payments.

The Digital Operational Resilience Act (DORA) is a new European framework that focuses on embedding a more robust and resilient approach to delivering digital capabilities in financial markets.

  1. Cyber:
    Cyber crime continues to be an agnostic and pervasive threat, affecting all countries and sectors through a variety of techniques to achieve the common goal of monetising access to firms and their data. Critical to the economic fabric of society, FS firms are a high-value target for cyberattacks, with their attack surface broadening as the sector increasingly innovates, digitises its operations, and embraces fintech.
  2. Digital Operational Resilience Act (DORA):
    “DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of Information and Communication Technology (ICT) related disruptions and threats.” – Council of the EU.
  3. Operational resilience for banks (FINMA circular 2023/1):
    Ensuring operational resilience continues to be a critical component for financial institutions to maintain stability and continuity in the face of disruptions, as outlined in FINMA circular 2023/1.
  4. The importance of data management, incl. critical data (FINMA circular 2023/01):
    Data is critical in all aspects of an organisation. Without strong data management, there are several risks to which organisations are susceptible, as observed in a number of recent incidents.
  5. Third-party risk management:
    Reliance on third-party service providers continues to grow as firms embrace digitisation and scale their operations while reducing costs. The scope of reliance on third parties has expanded significantly so that firms’ critical or important business processes and functions are often underpinned by at least one third party and, in many cases, subcontractors as well. The inherent complexity of the digital supply chain poses significant resilience challenges. Firms must adopt a ‘resilience by design’ approach, emphasising comprehensive understanding and proactive management of third-party dependencies for their own good, but also to comply with increasing regulatory expectations.
  6. Digital transformation – cloud risk:
    FS firms face unique challenges when it comes to unlocking the full potential of cloud technology, given the intense regulatory scrutiny of cloud adoption and the need to demonstrate that they are embedding resilience at the heart of their technology architecture. Successfully navigating these obstacles requires a holistic approach that addresses the regulatory, security, technical, operational and organisational aspects of cloud adoption.
  7. Artificial intelligence:
    Artificial intelligence offers a transformative strategic opportunity, enabling organisations to enhance efficiency, innovation and customer experience to produce a competitive advantage. However, AI also introduces unique and complex risks requiring proactive assurance and oversight. As AI becomes more sophisticated, assurance functions must adapt their capabilities to ensure appropriate controls and guardrails governing the development, deployment and performance of AI solutions. AI should also be used in line with firms’ strategic objectives, ethical principles, regulatory obligations and stakeholder expectations.
  1. Financial crime:
    “The Swiss financial centre is a leading global cross-border wealth management hub for private clients. This makes it particularly exposed to money-laundering risks. Breaches of due diligence and reporting obligations can result in legal consequences and reputational damage for financial institutions both in Switzerland and abroad. In the past year, money-laundering risk has remained high.” (FINMA Risk Monitor 2023)
  2. FinSA code of conduct:
    FINMA has identified inconsistencies in the implementation of the FinSA requirements and uses the circular to set out its supervisory practice on key questions of interpretation. Between 15 May and 15 July 2024, FINMA held a public consultation on a new circular regarding the code of conduct under FinSA (entry into force is expected in early 2025). This new circular is intended to increase transparency and legal certainty regarding FINMA’s supervisory practices on implementation. The draft was addressed to FINMA-supervised financial service providers and supervisory organisations.
  3. Fraud risk management:
    Financial institutions’ role at the centre of economic activity means that they are uniquely exposed to fraud risk. As well as managing typical corporate fraud risks (e.g. internal fraud, supplier fraud), they are exposed to risks of customer fraud and have regulatory and commercial imperatives to manage fraud threats affecting their customers.
  4. Market access in Europe for non-EU countries:
    In the fragmented regulatory landscape in the European Economic Area (EEA), the revised Capital Requirements Directive (CRD VI) seeks to harmonise the regulation of non-EEA banks’ operations in the region. Under the new requirements, third-country companies (e.g. Swiss banks) need to establish a branch and apply for authorisation in each EEA Member State, where services to clients and counterparties are provided.
  5. European Accessibility Act:
    The European Accessibility Act aims to improve the accessibility of products and services. It focuses on ensuring that people with disabilities have better access to essential products and services, which enhances their participation in society and the economy. Businesses operating within the EU need to be aware of these requirements and take steps to ensure compliance.
  1. ISO/ISA changes:
    Over time, it became evident that updates to the ISA were necessary, particularly concerning the provisions on restructuring, intermediary regulations and supervisory relief. Additionally, market dynamics and customer expectations have evolved significantly over the past 15 years. In response to these changes, the Federal Department of Finance (FDF) proposed a partial revision of the ISA in 2020. The primary objectives of this revision were to modernise the legal framework for insurance supervision, enhance the competitiveness of the Swiss insurance sector and improve protections for customers.
  2. Post-IFRS 17 – insurance finance transformation:
    Embracing IFRS 17: navigating compliance, unlocking insights and shaping the future of insurance reporting. The journey ahead involves not only ensuring adherence to the new standards but also capitalising on enhanced data transparency to inform decision-making and foster innovation in the insurance sector.
  3. Swiss retail pricing (dynamic pricing):
    The Swiss insurance market used to be rather static, with a low customer fluctuation rate, quite stable prices with slowly shrinking margins, and only slow shifts of market share between insurers. This has changed in the last two years due to the impact of inflation on low margins and new technical opportunities emerging from the AI revolution. The retail market is currently experiencing a dynamism hitherto unknown in Switzerland, resulting in opportunities and challenges for insurers.
  1. The IIA’s Global Internal Audit Standards™:
    The new Global Internal Audit Standards were released by the Institute of Internal Auditors in January 2024 and are expected to be implemented by all firms by 9 January 2025. They replace the existing international professional practice framework, including the standards, last revised in 2017. There is a very different structure to the new standards, which are centred on five domains, each one designed for a different group of users. Domain V, for example, is more likely to be used by the audit delivery teams in your function. More information on the domains can be seen on the following pages. Within the new domains and their 15 principles and 52 standards, there is a large degree of consistency with the previous International Professional Practices Framework (IPPF), with some more defined expectations.

We hope that this report will serve you as a useful reference and, should you wish to discuss any aspect further, please feel free to contact me or one of my colleagues, whose details can be found at the end of this paper.

Contact us

Alexandra Burns

Partner, Leader Financial Services Risk Consulting & Internal Audit, PwC Switzerland

+41 58 792 46 28

Selma Della Santina

Director, Forensic Services, PwC Switzerland

+41 58 792 21 76

Beate Fessler

Director, Risk Consulting, PwC Switzerland

+41 58 792 19 67

Jürgen Supersaxo

Director Internal Audit, Insurance, PwC Switzerland

+41 79 507 15 32

Luca Bonato

Director, Compliance & Regulation, PwC Switzerland

+41 58 792 46 69
