FINMA Circular 2023/1 - What does it mean for your data strategy and data management?

What changes for data management?

Chapter IV, letter D – ‘Critical data risk management’ of the FINMA Circular 2023/1 expands the previous focus on confidentiality of Client Identification Data (CID) to include the dimensions integrity and availability of critical data. Critical data is defined as data considered to be significant for the successful and sustainable provision of services or data required for regulatory purposes.

Key action items

To ensure compliance with the requirements regarding critical data risk management of FINMA Circular 2023/1, organisations need to specifically address the following topics:

• Establish a data strategy which needs to be linked to the overarching business strategy of the institution, as well as other relevant strategies, e.g. IT strategy, and needs to be approved by the Board of Directors (BoD).
• Define and implement data governance structures – based on our experience, the definition of clear tasks, competencies and responsibilities for dealing with critical data is a challenging topic, as it is very often also a political discussion.
• Define a structured methodology to identify and categorise critical data regarding confidentiality, integrity and availability.
• Define appropriate processes, procedures and controls for dealing with critical data along the entire data lifecycle.

Please do not hesitate to contact us if you are interested in an exchange on how we can support you in becoming compliant with the FINMA Circular 2023/1 or require assistance for any other topic related to data management.