New Regulatory Guidelines on Operational Risks and Remuneration Schemes for Banks, Securities Dealers and Financial Groups/Conglomerates

On 1 November 2016, FINMA published the revised circulars 2008/21 on “Operational risks – banks” and 2010/1 on “Remuneration schemes”, both of which have been revised in the context of the new FINMA circular 2017/1 “Corporate governance – banks”. The most significant changes pertain to i) the adoption of minimum requirements for the regulation of IT and cyber risks in the revised circular 2008/21 as well as ii) a narrowed scope of application and the prohibition of hedge transactions in the revised circular 2010/1. Both revised circulars will enter into force on 1 July 2017.

By Peter Ch. Hsu / Sandro Fehlmann (Reference: CapLaw-2017-26)

On 1 November 2016, FINMA published the revised circulars 2008/21 on “Operational risks – banks” (Revised Circular 08/21) and 2010/1 on “Remuneration schemes” (Revised Circular 10/1). Both apply to banks, securities dealers, financial groups and (bank or securities dealer dominated) conglomerates (collectively referred to as Banks). They have been revised in the context of the new FINMA circular 2017/1 “Corporate governance – banks” (see our article in the 2/2017 edition of CapLaw) and will enter into force on 1 July 2017.

The two revised circulars remain to a large extent in line with the currently applicable FINMA guidance (and the draft circulars published on 1 March 2016), except for a number of important changes in specific areas, which will be the focus of this article.

1) The Partially Revised Circular 2008/21 on “Operational risks – banks”

a) Introduction

FINMA considered a partial revision of the circular 2008/21 on “Operational risks – banks” to be required because supervisory practice has shown that operational risks have become more diverse in banking. For example, the risk management principles regarding technological infrastructure in the Revised Circular 08/21 now specifically regulate the management of IT and cyber risks. In addition, it incorporates the principles set out in the FINMA position paper “Legal and reputational risks in cross-border financial services”. Furthermore, several provisions on corporate governance were transferred from the current version of the circular 2008/21 to circular 2017/1.

b) Further Implementation of the Principle of Proportionality

The partial revision of the Revised Circular 08/21 mainly relates to chapter IV referring to the qualitative requirements on the handling of operational risks. The principle of proportionality already applies to this chapter under the current regime, but the definition of small banks which are exempt from certain duties has been revised: Under the Revised Circular 08/21, banks of the supervisory categories 4 and 5 are deemed to be small banks (note 118 of the Revised Circular 08/21). In contrast, under the current regime, small banks are defined as banks of the supervisory category 5 and securities dealers of the supervisory categories 4 and 5. However, to decide whether certain requirements must be fulfilled by a specific institution, FINMA may still apply an institution-specific assessment of a Bank on the basis of its type, scope, complexity and risks associated with its business activities, as already implemented under the current regime for a Bank in the supervisory category 4.

c) Introduction of New Guidelines on Managing IT and Cyber Risks

Principle no. 5 of the current circular 2008/21 contains basic requirements on the technology infrastructure. As a result of the increasing awareness of IT and cyber risks, FINMA decided to devote particular attention to a broader regulation of such risks. Under the Revised Circular 08/21, Banks will be required to implement a concept of minimum requirements addressing IT and cyber risks (note 135 of the Revised Circular 08/21). However, compared with the draft version, the requirements on the IT and cyber risk concepts in the Revised Circular 08/21 have been softened.

In this context, the Revised Circular 08/21, in principle, requires the management body to develop a concept addressing IT risks that fulfils certain minimum standards, such as an overview of the IT network environment, systematic processes for the identification and assessment of IT risks, and appropriate monitoring and risk mitigation measures (notes 135.1-135.5 of the Revised Circular 08/21). However, FINMA explicitly acknowledges that the concrete implementation will be determined on an institution-specific basis in light of the specific technology infrastructure.

The Revised Circular 08/21 further requires Banks to implement a concept addressing cyber risks that particularly ensures the identification of potential risks of cyber-attacks, the protection of its operating processes and technology infrastructure, the prompt reaction to cyber-attacks and the continuation of the Bank’s ordinary business operations in the event of a cyber-attack (notes 135.6-135.12 of the Revised Circular 08/21).

d) Provisions on Recovery and Resolution Planning

For systemically relevant banks, the Revised Circular 08/21 provides for a requirement to (i) identify the bank’s systemically important functions and (ii) design its contingency planning in such a way that it can be implemented immediately and ensures the continuation of the bank’s systemically important functions in the event of impending insolvency (note 136.1 of the Revised Circular 08/21). This duty for systemically relevant banks specifies the general requirements for such banks set forth in article 9 (2) (d) Banking Act.

FINMA has not adopted in the Revised Circular 08/21 general provisions on recovery and resolution planning for banks in all supervisory categories (e.g., an inventory of the most critical services and operations). Such provisions were initially suggested in the draft of the revised circular 2008/21 but were criticized in the consultation procedure with regard to the legal basis for imposing them on smaller banks and on cost-benefit grounds.

e) Incorporation of Principles relating to Risks arising from Cross-border Financial Services

The Revised Circular 08/21 adopts the principles relating to FINMA’s expectations regarding the management of risks arising from the provision of cross-border financial services, as currently set out in the FINMA position paper “Legal and reputational risks in cross-border financial services” (notes 136.2-136.5 of the Revised Circular 08/21). FINMA points out that the new rules in the revised circular are principle-based and reflect the current FINMA practice without material amendments.

External asset managers are considered as “partners” in the Revised Circular 08/21, and Banks are required to “consider the risks generated by external asset managers and adopt a careful approach in the selection and instruction of such partners” (note 136.4 of the Revised Circular 08/21). In the draft of the Revised Circular 2008/21, external asset managers were referred to as “agents” of the Banks, which was criticized by several participants in the consultation procedure (e.g. by Swiss Banking).

2) The Partially Revised Circular 2010/1 on “Remuneration schemes”

a) Modification of the Scope of Application

The revised Circular 2010/1 on “Remuneration schemes” mandatorily applies to Banks of the supervisory category 1 (i.e. to the financial groups of UBS and Credit Suisse) and the two largest insurance groups, being Zurich and Swiss Re (notes 6 and 7 of the Revised Circular 10/1; explanatory report dated 1 March 2016, p. 21). In contrast, the circular does not apply to financial groups or conglomerates that are not subject to consolidated supervision by FINMA but are, e.g., subject to the supervision of a foreign regulatory authority. Under the current regime, the provisions mandatorily apply to all Banks of the supervisory categories 1 and 2 as well as the two largest insurance groups. This narrowed scope of application aims to relieve smaller institutions from the more stringent requirements that are appropriate for larger institutions.

However, the circular remains a key guideline for best practice in relation to remuneration schemes for all financial institutions and groups or conglomerates supervised by FINMA.

In addition, FINMA may still require financial institutions other than UBS, Credit Suisse and the two largest insurance groups to mandatorily implement the provisions set out in the circular in full or in part if appropriate in the light of the circumstances (note 9 of the Revised Circular 10/1).

Under the Revised Circular 10/1, a financial institution that is part of a financial group or conglomerate is not required on the entity level to i) adopt remuneration regulations, ii) appoint a remuneration committee or iii) prepare a remuneration report if the financial group/conglomerate as a whole is within the scope of the circular (note 4 of the Revised Circular 10/1). The current circular 2010/1 requires Banks of a group/conglomerate also to implement the provisions on a single entity level if such Bank falls within the circular’s scope of application. Accordingly, this is a sensible limitation and clarification of the scope of application of the circular for subsidiaries of financial groups.

b) Minor Modifications on Organizational Requirements

The Revised Circular 10/1 contains a few minor, but still interesting, modifications on the organizational requirements: the board of directors now has to approve the remuneration of the senior management and of the heads of the control functions, as well as the total remuneration pool of the firm, on a yearly basis (note 20 of the Revised Circular 10/1). Under the current regime, the board of directors does not need to approve the remuneration of the heads of the control functions. Interestingly, the term “board of directors” is still being used in the Revised Circular 10/1, in contrast to other new circulars such as the circular 2017/1 on Corporate Governance, which introduced the more general term “governing body”.

Furthermore, the board shall establish a remuneration committee irrespective of the size and structure of the financial institution or the complexity of the remuneration system (note 21 of the Revised Circular 10/1). Currently, the establishment of a remuneration committee is dependent on the size and structure of the financial institution or the complexity of its remuneration system.

c) Further Modifications

Content-wise, the Revised Circular 10/1 now explicitly prohibits hedge transactions that run counter to the effectiveness of the elements of the remuneration system (note 24 of the Revised Circular 10/1). This new provision is intended to further improve the effectiveness of remuneration systems in the financial industry.

In the Revised Circular 10/1, FINMA has not introduced a requirement of a clawback clause to ensure that remuneration paid may be reclaimed from an employee in case of a retrospective discovery of severe misconduct (e.g. by agreement on respective provisions in employment contracts). The draft of the Revised Circular 2010/1 initially suggested such a clawback requirement for variable remuneration. However, FINMA abstained from such a clawback clause requirement in response to the concerns about potential legal unenforceability and unclear tax treatment raised by the industry in the consultation procedure (see consultation report dated 22 September 2016, p. 30).

Peter Ch. Hsu (peter.hsu@baerkarrer.ch)
Sandro Fehlmann (sandro.fehlmann@baerkarrer.ch)