Banking's evolving risk landscape: The case for smart internal controls
In a financial environment shaped by rapid technological advancements and increasing regulatory demands, robust Internal Control Systems (ICS) are more critical than ever. In this blog, we explore the regulatory landscape for ICS in banking, examine real-world consequences of control failures, and present Deloitte's Smart Controls Framework. This blog provides actionable insights for financial institutions to strengthen their control frameworks, ensuring resilience and positioning for long-term success.
Why internal controls are more critical than ever
In today’s rapidly evolving financial environment, a robust Internal Control System (ICS) is increasingly important. Banks are exposed to operational risks arising from advances in technology, expanding regulatory requirements, and growing complexity in business operations.
A well-designed ICS framework helps banks mitigate these risks and ensures that their operations are resilient, compliant, and efficient. According to Deloitte's Future of Controls benchmark [1], which included over 500 global organisations, companies with ‘high’ or ‘very high’ controls maturity experienced an average 50% improvement in share price over five years, while those with ‘low’ or ‘medium’ maturity saw only a 5% improvement. This indicates that investing in effective internal controls not only safeguards operations but also delivers long-term financial benefits.
In this blog, we will explore the regulatory landscape for ICS in banking, give examples of the consequences of control failures, and present Deloitte's Smart Controls Framework including real-world use cases to illustrate the benefit for banks. We also discuss how advances in (Gen)AI and automation provide the basis for the next generation control frameworks, enabling banks to improve efficiency and accuracy in risk management.
What are the main regulatory requirements banks must follow?
Banks operate in a highly regulated environment, with internal control systems being a core focus of global regulators. Swiss banks with international booking centres face the added challenge of adhering to both local and international regulations, requiring robust compliance across jurisdictions (Figure 1).
Figure 1: Non-exhaustive selection of regulations impacting ICS in Swiss banks
Basel III Pillar 2: Supervisory review process [2]
Basel III Pillar 2 requires banks to go beyond minimum capital standards by assessing and maintaining adequate capital based on their specific risk profiles. It mandates controls that cover unique exposures, regular stress tests, and a robust supervisory review process. Effective from January 2025 in Switzerland, the regulation emphasises strong governance, with senior management ensuring that risk assessments are strategically embedded in decision-making processes.
Guidelines on internal governance (2021/5) [3]
The guidelines outline 7 core elements (and 218 requirements) for internal governance and controls, including clear roles for management bodies, risk culture and business conduct. They promote accountability and ethical conduct, helping banks strengthen resilience and uphold regulatory standards through structured oversight and effective risk controls.
Operational risk and resilience circular (2023/1) [4]
This circular mandates banks to embed internal controls deeply into their risk management frameworks, ensuring that control processes are continuously monitored and assessed across all business areas, supported by clear governance structures and real-time risk oversight. Banks must implement controls that not only mitigate known risks but also anticipate and adapt to emerging threats, with direct reporting lines to senior management. For further insights on FINMA’s circular 2023/1, see our Deloitte blog series.
Looking ahead, FINMA's strategic goals for 2025–2028 [5] and FINMA’s Risk Monitor [6] emphasise a stronger focus on governance, resilience, and effective risk culture within Swiss banks. This vision includes setting clearer risk tolerance levels and reinforces the responsibility of banks to adapt control frameworks proactively in response to evolving risks. Given the extensive regulatory pipeline, with several regulations planned for the next 2 years, banks can expect more detailed supervision and increased regulatory scrutiny from FINMA.
Despite increasing regulation, controls fail, and consequences can be severe
Even with strict regulatory frameworks, many financial institutions continue to face ongoing challenges, and the impact of economic and geopolitical uncertainty only increases these vulnerabilities. Despite all-time highs in several markets, many economists are adopting a cautious outlook for 2025, anticipating potential headwinds that could further strain banks struggling with internal control issues and put them at greater risk.
A number of cases have been reported where weaknesses in internal controls have led to serious consequences. For instance, a Canadian G-SIB’s insufficient AML controls allowed criminals to move over USD 670 million in illicit funds undetected, resulting in a record USD 3 billion fine for the bank in 2024 [7]. In 2021, Credit Suisse suffered massive financial losses totalling USD 10 billion due to a lack of oversight and ineffective risk aggregation systems [8]. This left the bank dangerously exposed to high-risk loans associated with Greensill Capital, and eventually contributed to its forced merger with UBS in 2023. Another example is a Swiss Cantonal Bank where, between 2013 and 2021, a lack of proper fraud detection controls allowed a bank employee to conduct unauthorised foreign exchange transactions, resulting in an estimated loss of CHF 10 million for the bank [9].
These cases illustrate how critical internal controls are in the banking sector, from global institutions to smaller cantonal banks, and how their ineffectiveness can lead to severe outcomes. But with the stakes so high, how can banks build a control environment resilient enough to prevent such failures?
Deloitte’s Smart Controls Framework to mitigate these risks
To manage the end-to-end controls lifecycle effectively, we identified 5 dimensions that together support robust internal controls (Figure 2). Each dimension aligns risk management practices with strategic business goals while helping organisations optimise the cost of controls.
Figure 2: 5 key dimensions based on Deloitte’s Smart Control Framework
I. Define
To create a resilient control environment, banks must start by defining their risk strategy and risk appetite. This dimension focuses on:
- Risk appetite and control strategy: Develop a clearly documented risk appetite that informs control design, ensuring that all roles and responsibilities are defined and aligned with international regulations, and establish design principles that foster integration and efficiency across the organisation. 52% of the respondents to Deloitte’s Future of Controls benchmark linked internal controls with the company’s strategy [1].
- Integrated risk assessment: Use a data-driven approach, including a structured Risk and Control Self-Assessment (RCSA) process, to evaluate inherent risks across multiple domains, accounting for emerging threats such as fraud and systemic vulnerabilities. Collaborate with business units to prioritise risks and design controls that span multiple risk domains, such as financial reporting, ESG, operational and compliance risks.
- Optimised and digitised framework: Establish a balanced, standardised, and transparent set of controls that combine preventive and detective measures based on the organisation’s risk appetite. Controls should leverage automation to minimise manual effort while maintaining effectiveness where full automation isn’t feasible.
Deloitte use case insights – Circular 2023/1 compliance for a Swiss Cantonal Bank
A Swiss cantonal bank conducted a compliance assessment against FINMA’s Circular 2023/1. Through targeted workshops and in-depth documentation analysis, gaps were identified and a roadmap was developed with prioritised, actionable recommendations. This initiative established a comprehensive risk framework (including critical data handling), enhanced Business Process Model (BPM) and RCSA methodologies, and created an internal controls asset inventory, significantly strengthening the bank's resilience and regulatory readiness. The assessment also highlighted the need for a centralised GRC tool to serve as the golden source of risk management data, and the bank is currently preparing for its implementation.
II. Operate
Controls should be effectively implemented and owned throughout the organisation. This dimension focuses on:
- Ownership and capability: Define roles and responsibilities, supported by a digitised delegation of authority. Enhance control operator capability through tailored training programmes and embed controls seamlessly into business operations, including change initiatives.
- Policies and procedures: Develop an exhaustive, integrated set of user-friendly policies and procedures linked to identified risks and controls, and use digital platforms to keep governance processes efficient and policies up to date. 78% of the respondents to Deloitte’s Future of Controls benchmark have documented risk and control standards, guidance, and templates to support activity owners [1].
- Smart evidencing: Automate the capture of control evidence, incorporating configured authorisation matrices and ensuring audit traceability, and use centralised data platforms to make evidence accessible to all relevant stakeholders, enabling a “one-stop-shop” concept.
Deloitte use case insights – Controls rationalisation for a Swiss Private Bank
A globally operating Swiss private bank addressed inefficiencies in control activities by shifting from manual and detective to automated and preventive controls, with integrated smart evidencing. This transformation clarified control roles across regions, streamlined control documentation, and empowered the first line of defence to manage risks proactively. As a result, the bank rationalised controls across 15 key client lifecycle and transaction management processes, such as AML/KYC, account opening and credit granting, management, and monitoring, leading to a 30% reduction in FTEs globally.
III. Monitor
Monitoring control performance and anticipating potential issues are key to maintaining agility. This dimension focuses on:
- Solve and enhance: Leverage data-driven insights to address issues beyond risk and control inefficiencies, and create specialised teams to handle real-time control enhancements and remediation.
- MI and dashboarding: Implement automated and dynamic reporting to provide a clear view of risks and control effectiveness. Make data accessible enterprise-wide and focus on both qualitative and quantitative impact assessments.
- Event monitoring: Use predictive analytics and key risk indicators to provide insights and determine when new or enhanced controls are needed. Continuous monitoring ensures the organisation can adapt quickly to risk elevations.
Deloitte use case insights – Design and implementation of RCSA framework for a Swiss Private Bank
The RCSA framework of a Swiss private bank facing critical gaps in risk management was strengthened through the creation of a greenfield business process model and executive reporting, using a top-down, risk-based approach. As part of the RCSA assessment, a comprehensive compliance comparison against all major FINMA Regulatory Standards (RS) was conducted to identify control gaps. Over 150 processes and 1,800 controls were analysed, and a tactical tool compatible with the bank's GRC system was implemented, enhancing user experience and facilitating data-driven reporting. This initiative resulted in a 38% reduction in the total number of controls and established a robust foundation for the bank’s RCSA practices.
IV. Assure
The fourth dimension focuses on building trust in the control framework through integrated assurance mechanisms:
- Assurance strategy: Develop a comprehensive assurance programme that spans all three lines of defence, and use a data-driven approach to define testing strategies and plans, integrating these across the organisation. 76% of the respondents to Deloitte’s Future of Controls benchmark stated an increased level of controls assurance effort in the last 12 months [1].
- Controls testing: Digitise the entire controls testing lifecycle, incorporating automation and advanced technologies such as (Gen)AI or RPA. Focus on testing the full population of data, or use risk-based sampling for targeted evaluations.
- Reporting and remediation: Provide dynamic reporting that identifies control weaknesses and drives action, and establish remediation teams to address root causes efficiently and ensure that issues are resolved with a focus on long-term resilience. 82% of the respondents to Deloitte’s Future of Controls benchmark stated that external audit relies on their internal control environment to support their opinion [1].
Deloitte use case insights – Control framework review for a Swiss G-SIB
A control framework review within a Swiss G-SIB included, from a top-down perspective, benchmarking the control framework against Swiss banking peers, analysing the Key Performance Controls (KPCs) portfolio for automation opportunities, and assessing the risk coverage of core end-to-end processes (e.g., mortgages, onboarding, or payments) to identify gaps and areas where the bank was exposed to risk. One key finding from the top-down review was the potential to increase preventive controls from 30% to 80% of the total number of controls. In parallel, from a bottom-up perspective, a design effectiveness testing exercise was performed for over 80 KPCs, and the findings were consolidated into actionable recommendations.
V. Technology and data
As banks undergo larger technology transformations, implementing GRC tools and technologies such as (Gen)AI must be considered to align with broader strategic, regulatory and digitalisation goals, ensuring institutions maintain a competitive edge. For further insights on tech-enabled transformations in banking, see our Deloitte blog series focused on this topic.
GRC tools form the foundational technological backbone of a bank's risk and control strategy, centralising risk management and providing a single source of truth for all risk and control data. A well-configured GRC platform enables consistent risk assessments (e.g., RCSA), as well as automated control testing, streamlined reporting, and smart evidencing through automatic capture and documentation of control evidence.
Building on this foundation, (Gen)AI brings an additional level of maturity by automating and enhancing complex control processes. The technology enables analysis of vast data sets to identify patterns, anomalies, and risks that would be difficult or impossible for humans to detect. For instance, Deutsche Bank is using GenAI to streamline compliance and audit functions, where AI automatically drafts audit reports and control documentation based on regulatory standards, ensuring consistency and reducing the manual workload for compliance teams [10]. Citibank employs AI-driven anomaly detection systems to monitor financial reporting, identifying unusual variances in real time and ensuring swift corrective action [11]. Mastercard uses GenAI to detect and block fraudulent transactions in real time by analysing patterns and anomalies across large datasets [12]. ING uses AI to automate the generation of loan documentation, embedding legal and regulatory requirements to minimise the risk of errors and streamline compliance processes [13]. These use cases illustrate how (Gen)AI strengthens internal controls by improving precision, automating evidence collection, and enabling proactive risk management, ultimately reducing manual effort and increasing reliability.
Deloitte use case insights – AI program governance for an Italian G-SIB
Intesa Sanpaolo enhanced the governance and operational model of its AI programme, focusing on a scalable and sustainable strategy aligned with broader digital transformation goals [14]. The approach included designing an AI target operating model adaptable to various business units, managing key stakeholders to accelerate AI use case adoption, and establishing robust mechanisms for monitoring results. A significant achievement was the implementation of the AI tool Lisa (Linguistic Intelligence for Supervisory Awareness), which automates the processing of thousands of regulatory publications, strengthening the bank’s GRC framework by supporting proactive risk management and regulatory compliance.
Strengthening internal controls is a strategic imperative
The consequences of inadequate internal controls can be severe, impacting a bank’s stability, efficiency, and reputation. However, financial and non-financial risks can be managed by adopting an end-to-end control framework that is resilient, proactive, and well-aligned with strategic objectives, turning risk management into a driver of value, not just a compliance measure.
A strong internal controls framework enables financial institutions to address emerging risks while building a solid foundation for future growth. At a time of increasing regulatory scrutiny and rapid technological advancements, banks that invest in robust internal controls will not only safeguard their operations but position themselves for lasting success.
References
[1] https://www.deloitte.com/global/en/services/risk-advisory/research/becoming-control-intelligent-through-future-of-controls.html
[2] https://www.bis.org/fsi/fsisummaries/pillar2.htm
[3] https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-internal-governance
[4] https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf
[5] https://www.finma.ch/en/finma/supervisory-objectives/strategy/
[6] https://www.finma.ch/en/news/2024/11/20241118-mm-finma-risikomonitor-24/
[7] https://stories.td.com/us/en/article/td-bank-group-announces-resolution-of-aml-investigations
[8] https://www.finma.ch/en/news/2023/02/20230228-mm-greensill/
[9] https://www.rtn.ch/rtn/Actualite/Region/20220608-Escroquerie-de-10-millions-de-francs-a-la-BCN.html
[10] https://corporates.db.com/files/documents/in-focus/focus-topics/artificial-intelligence/Deutsche-Bank-AG-Corporate-Bank-Artificial-Intelligence-Jan-2024.pdf
[11] https://www.citigroup.com/global/news/press-release/2019/citireg-payment-outlier-detection-launches-in-90-countries
[12] https://www.mastercard.com/news/press/2024/may/mastercard-accelerates-card-fraud-detection-with-generative-ai-technology/
[13] https://www.ingwb.com/en/insights/innovation/orange-blog/how-artificial-intelligence-is-influencing-the-banking-of-the-future
[14] https://group.intesasanpaolo.com/en/newsroom/press-releases/2023/10/intesa-sanpaolo-first-european-bank-to-use-artificial-intelligen#