FINMA AI Guidance: Governance and Risk Expectations for Swiss Financial Institutions
In December 2024, FINMA published Guidance 08/2024, setting out governance and risk-management expectations for the use of artificial intelligence in the Swiss financial sector. The document identifies five categories of AI-related risk and observes that many Swiss financial institutions are still in the early stages of AI governance. As of July 2026, the guidance remains non-binding but shapes how FINMA supervisors assess an institution's readiness.
What FINMA Guidance 08/2024 Covers
FINMA issued Guidance 08/2024 in December 2024 in response to the growing use of AI in banking, insurance, and financial services. The document does not introduce new binding regulations; it records supervisory observations and states what FINMA expects from boards and senior management when AI is deployed.
A central finding is that AI governance remains at an early stage in many Swiss institutions. Formal governance structures for AI are still being established in many institutions.
Five Risk Categories FINMA Has Identified
FINMA names five categories of AI-related risk that supervised institutions must actively manage:
Model risk. AI systems may produce inaccurate or unreliable outputs because of insufficient robustness, poor explainability, or algorithmic bias. A credit-scoring model containing undetected bias, for instance, can generate incorrect decisions and expose an institution to regulatory sanctions.
Data quality and security. AI relies on large volumes of data. Insufficient data quality, gaps in availability, or inadequate data protection can distort outputs and create privacy compliance failures.
IT and cyber risk. AI is deeply integrated into IT infrastructure, which can introduce new security vulnerabilities or make AI systems a target for cyber attack.
Third-party dependence. Many AI solutions rely on external cloud platforms, AI providers, or data sources. High dependence on third parties concentrates operational risk. FINMA recommends thorough due diligence and contingency plans for supplier disruptions.
Legal and reputational risk. AI-driven decisions may create legal liability and reputational damage.
What This Means in Practice
FINMA expects boards and management to engage directly with the AI systems deployed in their institutions, not to treat AI governance as a task for IT departments alone.
Two practical expectations stand out. First, institutions should maintain a central AI inventory: a register documenting every AI model or tool in use, its purpose, data inputs, and outputs. This ensures oversight is maintained as AI use grows. Second, responsibility for AI-supported decisions cannot be transferred to the AI system itself or to external providers. Human accountability is preserved regardless of how automated the process becomes.
Ongoing testing and monitoring of AI risks also forms part of FINMA's expectations.
Scope and Where This Applies
FINMA Guidance 08/2024 applies to FINMA-supervised institutions: banks, insurers, and other regulated financial intermediaries. It sits within the broader framework of Swiss financial regulation. Firms active in the crypto sector should note that AI-driven compliance tools are increasingly common there, making the guidance relevant to any supervised institution handling digital assets.
The official guidance document is available on the FINMA guidance documentation page.
Frequently asked questions.
01Is FINMA Guidance 08/2024 legally binding for Swiss banks?
02What is an AI inventory and why does FINMA expect one?
03Which organisations are subject to FINMA's AI guidance?
Send us your enquiry
Describe your situation in a line or two. A partner replies within one business day, in English, German, French, Spanish or Italian. The first conversation is free and carries no obligation.