Banking going to the Cloud – Main Swiss regulations to consider - Banking blog


The cloud is not the future or an emerging trend any more: it is the present and is a critical tool for financial institutions if they are to stay competitive in today’s challenging business environment. In our recent published global paper “Getting Cloud Right – How can banks stay ahead of the curve?” we explained the key components of a successful ‘cloud journey’ and the major steps that need to be undertaken.

In this blog we give some deeper insights into Swiss banking-related regulations on banking secrecy and the supervision of outsourcing.

Clound2Swiss banking secrecy

The diligence of Swiss banks with regard to the privacy of customers is one of the most renowned features of the Swiss economy. Violation of banking secrecy is a crime in Switzerland; therefore Swiss banks must consider carefully potential threats to secrecy from the use of cloud services.

The most relevant regulations outlining a bank’s duties in the area of banking secrecy are:

  1. 47 of the Banking Act, which states in principle that the disclosure of a secret by directors, employees or other entrusted persons is a crime;
  2. 398 para 1 in connection with Art. 321a para 4 of the Code of Obligations, which requires banks in a contractual relationship with a customer to treat any secrets as confidential;
  3. 7 of the Data Protection Act, setting the standards for the protection of personal data;
  4. Annex 3 to FINMA Circular 2008/21 outlining FINMA’s expectations regarding the protection of customer identification data by Swiss banks.

The essence of these regulations is that the use of cloud services by a bank can comply with Swiss banking secrecy, provided that the bank assesses carefully the technical, organisational and contractual framework put in place before using cloud services for the storage and processing of customer data. In particular, as explained in detail by the SBA Cloud Guidelines, there is no need to ask the client for a waiver of the banking secrecy rules as these will be maintained – in some cases possibly even more so than before – when a bank sets up an appropriate security framework for the use of cloud services.

Cloud3Supervision of outsourcing

According to the FINMA Outsourcing Circular (in particular Notes 24 and 25) a bank must continuously monitor and assess the services of an outsourcing provider, and for this purpose must establish contractual terms for the necessary inspection, instruction and control rights.

Considering the size and complexity of a hyper-scale cloud provider, a typical Swiss bank cannot perform this duty of supervision without professional support from a trusted third party that has the global presence, expert skills and capacity to perform such a task. In order to establish an economically feasible assurance framework, a trusted third party will itself rely largely on assurance work that has been performed by equally-qualified independent advisers of the outsourcing service providerThe SBA Cloud Guidelines support this approach of ‘pool audits’ or ‘indirect audits’ and express the view that the need for on-site audits performed by the bank itself is limited to the inspection of physical security measures.

Providers of hyper-scale cloud services are fully aware of the  expectations of clients with a (Swiss) banking licence and will offer proactive support to a prospective client in establishing such a regulatory compliant framework. The same applies to assurance providers with the necessary global scale and experience to offer trusted third-party services to banks.

Clound blog 1

The rightful concerns of Swiss banks that face the challenge of putting appropriate supervision in place when outsourcing their business processes to global hyper-scale cloud providers can therefore be mitigated by relying on a qualified trusted third party that has the skills and capacity to provide the necessary level of assurance.

From a legal perspective a transfer of banking activities to the cloud is generally acceptable. In order to launch your ‘cloud journey’, however, it is advisable to consider further aspects. In our next blog we shall provide  insights into the two globally-driven regulatory aspects of GDPR and the US Cloud Act.



Ralph Wyss - Partner, Audit & Assurance

Ralph is a Swiss attorney at law and PhD (law) with more than 25 years of professional experience in the Swiss financial services industry and other industries. He is a well-known AML and compliance expert in the Swiss marketplace.

At Deloitte, he leads our Risk and Regulatory Assurance services. In addition he supports our Restructuring Services in the area of restructuring and liquidation of banks.



Jan Seffinga - Partner, Head Cloud Engineering

Jan is a partner at Deloitte in Financial Services Consulting in Switzerland. For over 20 years he has advised financial services institutions around the world. His focus is on projects for transformation and innovation in the banking sector for Swiss and global banks. Jan’s expertise encompasses the successful planning, management and execution of major transformation projects, the implementation of regulatory requirements and the definition and realisation of strategies for digitalisation.

In addition to his consulting work for financial services institutions, he leads the Cloud Engineering team, and manages and coordinates the blockchain activities of Deloitte Switzerland.



Alexander Eppenberger - Manager, Cloud Engineering

Alexander’s consulting experience is based on digital, regulatory and tax-driven initiatives in the financial industry within varied roles, as business project manager, business analyst, process engineer, and test and launch control manager.

With his in-depth knowledge in ecosystems, cloud services, banking and disruptive technology, Alexander advises leading financial institutions in transforming their business operating model.



Luigi Bruno - Senior Consultant, Cyber Risk

Luigi is a Senior Consultant in the Deloitte’s Cyber Risk practice within the Risk Advisory group.

He focuses on advising clients from various sectors in the areas of data protection, privacy, digital and cyber regulation, networks and information security, critical infrastructure protection, distributed ledger technologies and IT, where his legal background and pragmatic experience in data and technology management drive a hands-on approach to delivering exceptional results for Swiss organisations.



Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.