FINMA does not issue governance guidance for observation. It issues governance guidance to establish the standard against which supervised institutions will be examined. The April 2026 comprehensive AI governance guidelines, described as the most significant regulatory intervention in AI across the Swiss financial sector to date, state explicitly that board-level AI governance will be assessed as part of regular supervisory review processes. The April 2026 Guidance 02/2026 on digital fraud found that 42% of surveyed institutions had no dedicated digital fraud policy, and concluded with an explicit warning that FINMA may impose temporary service restrictions on institutions that cannot manage digital fraud adequately. This is not a description of where the regulator is heading. It is a description of where the regulator already is.
Switzerland has no dedicated AI Act. FINMA’s approach is principle-based and proportionate, with obligations that scale to the complexity and risk of AI applications rather than imposing prescriptive requirements uniformly. That flexibility is sometimes read as meaning governance requirements are less urgent than in the EU or ANZ. The reading is wrong. Principle-based supervision is not lighter supervision. It is supervision that examines whether the institution’s governance is genuinely appropriate to its risk profile, rather than whether it has ticked a defined checklist. A board that cannot describe its AI fraud system’s decision logic, its human oversight mechanism, or its monitoring process has a harder problem in a principle-based supervisory conversation than in a checklist exercise. There is no minimum compliance threshold to hide behind.
What Swiss banking’s regulatory stack actually requires
The binding layer of AI governance requirements for Swiss banks is broader than FINMA’s guidance alone. It combines three frameworks whose requirements are individually significant and collectively comprehensive.
The new Federal Act on Data Protection, nFADP, which has been in force since September 2023, is Switzerland’s GDPR equivalent and contains binding automated decision-making provisions. AI systems that make or significantly influence decisions with legal or similarly significant effects on individuals require specific safeguards: the right to request human review, transparency about the logic of the automated decision, and the ability to contest the outcome. For AI credit decisioning and AI-influenced customer outcomes at Swiss retail banks, nFADP creates obligations that are operational today, not aspirational. A bank with an AI credit model that cannot produce a specific and meaningful explanation of an adverse decision is not only building below FINMA’s governance expectations. It is potentially non-compliant with existing law.
FINMA Guidance 08/2024 adds the AI-specific governance layer. Institutions must maintain comprehensive inventories of all AI systems in use, conduct rigorous risk assessments, document AI governance frameworks, implement explainability across AI-driven decisions, and conduct independent reviews of AI systems where applicable. FINMA’s April 2025 survey found that many institutions concentrate governance attention on data protection rather than model risks, specifically bias, lack of robustness, and lack of explainability. That finding is the gap between what nFADP requires and what FINMA observed institutions actually doing. Closing it is the minimum standard before FINMA’s comprehensive April 2026 guidelines raised the bar further.
For Swiss banks with EU branches or EU clients, the EU AI Act’s extraterritorial reach creates a third layer. Credit scoring AI systems used within the EU, or producing outputs affecting EU residents, fall within the EU AI Act’s Annex III high-risk classification regardless of where the institution is headquartered. Switzerland signed the Council of Europe’s AI Convention in March 2025 and the Swiss Federal Council is developing domestic AI regulation compatible with the EU framework, with non-binding measures planned by end of 2026. Swiss banks that build governance infrastructure aligned with FINMA’s current requirements are simultaneously building toward EU AI Act compliance for their EU-facing activities and ahead of whatever domestic Swiss AI legislation follows.
The compliance view and the advantage view produce different institutions
The framing that produces poor outcomes is familiar in Switzerland as in every other market in this series. Governance is box-ticking. Documentation is a cost. Explainability constrains development. Audit trails are a legal requirement. Human oversight is a policy, not a capability. Banks operating with this framing build AI systems that achieve their technical targets and then discover, at the point of FINMA supervisory examination, that they cannot produce the AI inventory, the risk assessment, the explainability documentation, or the independent review evidence that Guidance 08/2024 describes as expected. They build the governance retrospectively, under examination conditions, at the cost premium that every market in this series has documented: typically three to five times what proactive investment would have cost.
The advantage framing produces materially different outcomes in the Swiss context. Banks that build explainability into their AI credit and fraud models from the start satisfy nFADP’s automated decision-making requirements as a natural output of good programme design, not as a retrofit. Banks that treat audit trails as a data asset find that every logged SIC5 fraud decision is a labelled training example: the model improves continuously from its own production history, building the detection accuracy advantage that FINMA’s fraud guidance says Swiss banks currently lack. Banks that build AI inventory and governance documentation from the outset can respond to FINMA’s supervisory questions with evidence rather than having to construct it retrospectively. That is the difference between a cooperative supervisory relationship and an adversarial one. And banks that build governance-grade AI fraud detection as SIC5 volumes grow accumulate the outcome data advantage that will widen the gap between their fraud detection accuracy and that of institutions that build later.
FINMA’s Guidance 02/2026 makes one point that deserves particular attention. The regulator stated that in the event of a spate of fraud cases, institutions may face temporary restrictions on the provision of certain services. That consequence, a regulatory restriction on product offering for fraud control failures, has no equivalent in the guidance from FINMA’s AI governance documents, which focus on supervisory findings and required remediation. The digital fraud guidance is sharper. It connects inadequate fraud governance directly to potential service restrictions. Swiss banks that have built governance-grade AI fraud detection before that conversation arises are not exposed to it. Swiss banks that have not are.
Three paths, and the one that is now closing
The supervisory signal from FINMA is as clear as it has been at any point in Swiss banking’s recent history. FINMA has published two governance-focused documents in five months, surveyed the sector’s current state, documented specific gaps by name, assessed AI adoption levels directly, and stated that board-level AI governance will be part of every supervisory review. The direction of travel is not ambiguous. What remains open is timing, and timing in Switzerland determines whether the institution invests proactively or reactively.
The first path is to lead: build governance-grade AI for SIC5 real-time fraud scoring as the first production deployment, with explainability, audit trails, continuous monitoring, and board-level ownership built in from day one rather than deferred. Use the first deployment to establish the internal capability, the FINMA-defensible documentation, and the regulatory relationship that positions subsequent deployments as expansions of a proven programme rather than new compliance challenges. The institutions that move now accumulate outcome data on Switzerland’s specific fraud typologies, including AI-generated social engineering, SIC5 mule account networks, and CEO fraud executed at instant payment speed, before competitors are even ready to start. That outcome data is the input to the next model, which is better than the current one, which is better than the next competitor model for exactly as long as the head start persists.
The second path is to follow: wait for internal consensus and for FINMA’s examination activity to produce public findings that clarify expectations further. This path remains viable. Its costs are real: no first-mover advantage in model quality on the fraud vectors that are already growing, an examination cycle that will ask for documentation that is not yet built, and a talent market for AI governance expertise that is constrained. FINMA’s own survey noted that skills availability is a limiting factor for Swiss financial institutions. Following is not the same as failing. It means building under more pressure and at higher cost than leading, with a regulatory relationship that starts from a gap rather than from a demonstrated capability.
The third path, continuing with current rule-based and batch-scoring systems and deferring AI investment until external pressure forces action, is not a stable position in 2026. FINMA Guidance 02/2026 has already determined that 42% of Swiss banks are in that position, named the specific deficiencies, and stated the potential consequence. The structural fraud disadvantage of batch scoring on an irrevocable SIC5 rail compounds with every month that instant payment volumes grow. The regulatory gap widens with every examination cycle where the documentation is not available. The SBA’s recommendation for a network-level real-time risk scoring service, which will benefit institutions with their own AI fraud models more than those without, and will concentrate advantage at the institutions that have already invested.
FINMA has published its signal. The question for Swiss banks is not whether to respond. It is whether to do so on their own terms.
Part 3 of 3.
Sources
FINMA. Guidance 02/2026: Digital Fraud at Banks: Survey Findings and Supervisory Expectations. April 2026. FINMA. Comprehensive AI Governance Guidelines. April 2026. FINMA. Guidance 08/2024: Governance and Risk Management when using Artificial Intelligence. 18 December 2024. FINMA. Survey on AI Use in the Swiss Financial Sector. April 2025. Republic of Switzerland. Federal Act on Data Protection (nFADP). In force September 2023. Swiss National Bank / SIX. SIC5 Instant Payments. Launched 20 August 2024. Swiss Bankers Association. Collaborative Fraud Prevention Preliminary Study. March 2025. Council of Europe. AI Convention: Switzerland signature, 27 March 2025. Swiss Federal Council. AI Regulation Alignment with EU AI Act and Council of Europe Convention. Ongoing.
