FINMA AI Guidelines — Swiss Financial Regulation for Artificial Intelligence
The Swiss Financial Market Supervisory Authority (FINMA) oversees the use of artificial intelligence in banking, insurance, and financial markets through a principles-based regulatory approach. Rather than issuing prescriptive AI-specific rules, FINMA integrates AI oversight into its existing supervisory framework — requiring institutions to apply established principles of risk management, governance, and consumer protection to their use of AI systems. This guide provides a comprehensive analysis of FINMA's approach and its practical implications for financial institutions operating in Zürich and across Switzerland.
1. FINMA's Regulatory Philosophy on AI
FINMA's approach to AI regulation reflects Switzerland's broader regulatory philosophy: technology-neutral, principles-based, and proportionate. Rather than creating a standalone AI regulation — as the European Union has done with the EU AI Act — FINMA applies its existing regulatory toolkit to AI-related risks. This approach is consistent with the Swiss sector-specific approach to AI regulation, which avoids overarching horizontal AI legislation in favor of addressing AI risks through existing sectoral authorities.
The core of FINMA's position is that AI is a tool, and the regulatory requirements that apply to the outcomes produced by that tool are the same regardless of whether the outcome was generated by a human, a traditional algorithm, or an AI model. If a bank uses an AI system to make credit decisions, the credit decision must comply with the same regulatory standards as a human-made credit decision — including fairness, accuracy, documentation, and explainability requirements.
This does not mean that FINMA ignores the distinctive risks of AI. On the contrary, FINMA has been increasingly explicit about its expectation that supervised institutions must have robust model risk management frameworks that specifically address the risks introduced by machine learning and other AI techniques. These include model opacity (the "black box" problem), data quality and bias, model drift, adversarial robustness, and the concentration risks that arise from reliance on third-party AI providers.
2. Key Supervisory Expectations
FINMA's supervisory expectations for AI use in financial services can be organized into seven core areas. While these expectations have evolved through supervisory guidance, circular letters, and direct supervisory interactions rather than through a single comprehensive AI regulation, they form a coherent framework that institutions must address.
Principle 1: Governance and Accountability
FINMA expects institutions to establish clear governance structures for AI deployment. This includes designated accountability at the board and senior management level for AI strategy and risk, defined roles and responsibilities for AI model development, validation, and deployment, and formal approval processes for AI models that affect material business decisions. The institution's board of directors must understand the AI capabilities and risks within the organization and must be able to challenge management on AI-related matters.
Principle 2: Model Risk Management
AI models used in regulated activities must be subject to rigorous model risk management. FINMA expects this to include independent model validation (separation of model development and validation functions), ongoing monitoring of model performance and stability, documented model inventories with risk classifications, defined model lifecycle management procedures (development, testing, deployment, monitoring, retirement), and escalation procedures for model failures or unexpected behaviors. For large institutions such as UBS and Zurich Insurance Group, FINMA expects a dedicated model risk management function with sufficient independence and authority.
Principle 3: Explainability and Transparency
FINMA requires that institutions be able to explain the decisions made by their AI systems, particularly when those decisions affect customers. The level of explainability required is proportionate to the impact of the decision. A credit denial based on an AI model requires a higher degree of explainability than an AI-generated marketing recommendation. Institutions must be able to provide meaningful explanations to both supervisors and affected customers, and they must document the rationale for choosing specific AI approaches over more interpretable alternatives.
Principle 4: Data Quality and Bias Management
FINMA expects institutions to ensure that the data used to train, validate, and operate AI models is accurate, complete, representative, and free from discriminatory bias. This expectation extends to third-party data sources. Institutions must have processes to identify, measure, and mitigate bias in AI models, particularly in areas such as credit underwriting, insurance pricing, and customer risk profiling. The expectation of non-discrimination is grounded in Swiss law and in FINMA's mandate to protect financial consumers.
Principle 5: Operational Resilience
AI systems used in critical financial processes must meet FINMA's operational resilience requirements. This includes business continuity planning for AI system failures, fallback procedures that allow business processes to continue if AI systems become unavailable, cybersecurity measures to protect AI models and data from adversarial attacks, and testing of AI systems under stress conditions. FINMA's expectations in this area are informed by its broader operational risk framework, including FINMA Circular 2023/1 on Operational Risks and Resilience.
Principle 6: Outsourcing and Third-Party Risk
Many financial institutions rely on third-party AI services, including cloud-based ML platforms (AWS, Azure, GCP), foundation model providers (OpenAI, Anthropic, Google), and specialized AI vendors. FINMA's outsourcing requirements (FINMA Circular 2018/3) apply to AI services provided by third parties. Institutions must ensure that outsourced AI activities are subject to the same governance, risk management, and audit standards as internally developed AI. This includes contractual provisions for audit rights, data protection, and service continuity.
Principle 7: Consumer Protection
FINMA places particular emphasis on consumer protection in the context of AI-driven financial services. Institutions must ensure that AI systems do not disadvantage customers through unfair discrimination, opaque decision-making, or inadequate data protection. Customers must be informed when AI is used in decisions that materially affect them, and they must have access to recourse mechanisms if they believe an AI-driven decision was incorrect or unfair.
3. AI in Banking — FINMA's Supervisory Focus
FINMA's supervision of AI in banking focuses on several high-risk application areas where AI models directly affect financial outcomes and customer welfare.
3.1 Credit Decisioning and Underwriting
AI-based credit scoring and lending decisions represent the highest-risk AI application in banking from a regulatory perspective. FINMA expects banks to demonstrate that their AI credit models do not discriminate on prohibited grounds (gender, nationality, ethnicity, religion), produce consistent and reproducible outcomes, can be explained to customers who are denied credit, are validated against independent test datasets, and are subject to ongoing performance monitoring with defined triggers for model review or replacement.
UBS and other major Swiss banks have invested significantly in developing explainable AI approaches for credit decisioning, including the use of SHAP (SHapley Additive exPlanations) values and LIME (Local Interpretable Model-agnostic Explanations) to provide post-hoc explanations for individual credit decisions. These investments are driven both by FINMA expectations and by the practical need to maintain customer trust.
3.2 Anti-Money Laundering (AML) and Fraud Detection
AI is widely used in Swiss banking for transaction monitoring, sanctions screening, and suspicious activity detection. FINMA generally views AI as beneficial in this area, as ML models can detect complex patterns that rule-based systems miss. However, FINMA also expects that AI-based AML systems are regularly tested for effectiveness, false positive and false negative rates are monitored and reported, model updates do not inadvertently create compliance gaps, and human review remains part of the escalation process for suspicious transactions.
The Swiss Anti-Money Laundering Act (AMLA) and FINMA's Anti-Money Laundering Ordinance (AMLO-FINMA) do not prescribe specific technologies for compliance, but they establish outcome-based requirements that AI systems must meet. Financial institutions in Zürich have been at the forefront of developing AI-powered AML systems, with several startups — including NetGuardians and Imtf — offering Swiss-developed AI solutions for financial crime detection.
3.3 Trading and Market Risk
AI-driven trading algorithms and market risk models are subject to FINMA's market conduct rules and capital adequacy requirements. FINMA expects that algorithmic trading systems incorporating AI have pre-trade risk controls and position limits, human oversight mechanisms (kill switches), regular stress testing under extreme market conditions, and documentation of model logic sufficient for supervisory review.
The use of AI in trading has grown substantially at Swiss banks, particularly at UBS, where ML models are used for execution optimization, market making, and risk hedging. FINMA monitors these activities through its market supervision function and through on-site inspections of trading operations.
3.4 Wealth Management and Advisory
AI-powered wealth management tools — including robo-advisors, portfolio optimization algorithms, and client recommendation engines — are subject to FINMA's suitability and appropriateness requirements. When an AI system recommends an investment to a client, the recommendation must meet the same suitability standards as a recommendation made by a human advisor. This includes consideration of the client's risk profile, investment objectives, financial situation, and investment knowledge.
4. AI in Insurance — FINMA's Supervisory Focus
FINMA's insurance supervision has increasingly focused on AI applications in pricing, claims, underwriting, and customer interaction. The insurance sector in Zürich — dominated by Zurich Insurance Group and Swiss Re — has been an early and aggressive adopter of AI technologies, making regulatory oversight particularly important.
4.1 AI-Driven Pricing
The use of AI for insurance pricing raises specific regulatory concerns that FINMA monitors closely. These include the potential for unfair discrimination (using correlated proxies for protected characteristics), the opacity of complex pricing models that makes it difficult for customers to understand how their premiums are determined, and the risk of market-wide pricing correlations if insurers rely on similar AI models or data sources.
FINMA expects insurers to be able to explain the key factors driving individual pricing decisions and to demonstrate that their pricing models do not discriminate on prohibited grounds. The Swiss Insurance Supervision Act (ISA) gives FINMA the authority to review and, if necessary, prohibit pricing practices that are unfair to policyholders.
4.2 Claims Automation
AI-based claims processing — including automated claims triage, damage assessment using computer vision, and fraud detection — is widely deployed by Swiss insurers. FINMA's expectations center on ensuring that automated claims decisions are fair, accurate, and subject to human review when customers dispute the outcome. Insurers must maintain clear escalation paths from automated to human decision-making, and they must monitor automated claims outcomes for bias or systematic errors.
4.3 Underwriting Models
AI-powered underwriting models that assess risk and determine coverage terms are subject to FINMA's oversight of technical provisions and solvency. FINMA expects that AI underwriting models are calibrated against historical loss data, stress-tested under adverse scenarios, and validated by actuarial professionals with appropriate independence from the model development team. The interaction between AI underwriting models and the Swiss Solvency Test (SST) is an area of active supervisory attention, as AI models may introduce risks that are not fully captured by standard SST risk categories.
5. FINMA Circulars and Guidance Relevant to AI
While FINMA has not issued a dedicated AI circular, several existing circulars and guidance documents are directly relevant to AI use in financial services.
| FINMA Document | Relevance to AI | Key Requirements |
|---|---|---|
| Circular 2023/1 — Operational Risks and Resilience | Operational risk management for AI systems | Business continuity, cyber resilience, incident management for technology-dependent processes including AI |
| Circular 2018/3 — Outsourcing | Third-party AI services (cloud ML, foundation models) | Due diligence, contractual requirements, audit rights, data protection for outsourced AI activities |
| Circular 2017/1 — Corporate Governance | Board-level AI governance | Board responsibility for material risks including AI risks; internal control framework covering AI processes |
| Circular 2008/21 — Operational Risks (Banks) | Operational risk from AI failures | Risk identification, assessment, and mitigation for technology-related operational risks |
| Insurance Supervision Ordinance (AVO) | AI in insurance pricing, underwriting, claims | Fair pricing practices, adequate technical provisions, consumer protection |
| FINMA Guidance 05/2024 — AI and Data Analytics | Direct AI supervisory guidance | Expectations for governance, transparency, bias management, and model risk management for AI |
6. Practical Compliance Framework
For financial institutions in Zürich and across Switzerland seeking to align their AI practices with FINMA expectations, the following compliance framework provides a practical roadmap.
6.1 AI Model Inventory
Maintain a comprehensive inventory of all AI models used in regulated activities. Each model entry should include the model name and version, business application and purpose, data inputs and sources, model type and methodology, risk classification (critical, high, medium, low), development and validation dates, responsible owner and validation team, and current performance metrics.
6.2 Risk Classification
Classify AI models by risk level based on the materiality of the decisions they influence, the number of customers affected, the complexity and opacity of the model, and the availability of human oversight and override capability. Risk classification should drive the intensity of governance, validation, and monitoring activities. Critical models (those affecting material financial decisions for large numbers of customers) require the most rigorous oversight.
6.3 Validation Framework
Establish an independent model validation function with the following capabilities: conceptual soundness review (assessing whether the model methodology is appropriate for the intended use), empirical testing (evaluating model performance against out-of-sample data), bias testing (assessing model outputs for discriminatory patterns), stress testing (evaluating model behavior under extreme conditions), and ongoing monitoring (tracking model performance metrics over time and triggering reviews when performance degrades).
6.4 Explainability Standards
Define explainability requirements for each model based on its risk classification and use case. For customer-facing decisions (credit, pricing, claims), institutions should be able to provide individual-level explanations of why a specific decision was made. For internal risk management purposes, global model explanations (understanding the overall behavior and key drivers of the model) may be sufficient. Document the explainability approach for each model and ensure that it is reviewed during model validation.
6.5 Documentation Requirements
FINMA expects comprehensive documentation of AI model development, validation, and deployment. Documentation should include model development rationale and methodology, training data description and quality assessment, model performance metrics and validation results, known limitations and failure modes, deployment procedures and monitoring plans, and change management procedures. Documentation must be sufficient for FINMA supervisors to understand the model's purpose, methodology, risks, and controls during on-site inspections.
7. FINMA vs. EU AI Act — Key Differences
Swiss financial institutions that operate in EU markets (which includes most major Swiss banks and insurers) must navigate both FINMA's principles-based approach and the EU AI Act's prescriptive requirements. The key differences between these frameworks have practical implications for compliance strategies.
| Dimension | FINMA Approach | EU AI Act |
|---|---|---|
| Regulatory Style | Principles-based; integrated into existing financial regulation | Prescriptive; standalone AI-specific legislation |
| Scope | Financial services only (banking, insurance, securities) | All sectors; cross-cutting horizontal regulation |
| Risk Classification | Proportionality-based; institution defines risk levels | Defined risk categories (unacceptable, high, limited, minimal) |
| Conformity Assessment | No formal conformity assessment; supervisory review | Formal conformity assessment required for high-risk AI |
| Penalties | Supervisory measures (conditions, restrictions, license revocation) | Fines up to 7% of global turnover or EUR 35 million |
| Transparency | Proportionate to decision impact; no general disclosure | Mandatory transparency for certain AI categories |
| Third-Party Obligations | Outsourcing framework applies to AI providers | Specific obligations for AI providers, deployers, importers |
For Swiss financial institutions with EU operations, the practical approach is to build compliance frameworks that meet the more prescriptive EU AI Act requirements while also satisfying FINMA's principles-based expectations. This typically means adopting the EU AI Act's risk classification methodology as a baseline and supplementing it with FINMA-specific requirements around model risk management, governance, and supervisory reporting. For a broader analysis of Switzerland's regulatory approach, see our Swiss AI Regulation guide.
8. Enforcement and Supervisory Practices
FINMA enforces its AI expectations through its established supervisory toolkit rather than through dedicated AI enforcement actions. The primary mechanisms include:
- On-site inspections — FINMA conducts regular on-site inspections of supervised institutions, during which AI governance, model risk management, and specific AI models may be reviewed. Inspections may be triggered by routine supervisory planning or by specific concerns.
- Supervisory reviews by external auditors — FINMA relies on external auditors (Prüfgesellschaften) to conduct regulatory audits of supervised institutions. AI-related topics are increasingly included in audit scope, particularly model risk management and IT governance.
- Supervisory dialogue — FINMA maintains ongoing dialogue with supervised institutions through regular meetings with senior management and the board. AI strategy, risks, and governance are topics that FINMA may raise in these discussions.
- Supervisory measures — If FINMA identifies deficiencies in an institution's AI practices, it can impose conditions, restrictions, or requirements through formal supervisory orders. In severe cases, FINMA can restrict an institution from using specific AI applications until compliance is demonstrated.
FINMA has not publicly disclosed specific enforcement actions related to AI as of early 2026. However, industry sources indicate that FINMA has raised AI governance and model risk management concerns in supervisory interactions with several large institutions, leading to remediation programs. The supervisory focus is expected to intensify as AI adoption accelerates across the Swiss financial sector.
9. Emerging Regulatory Trends
9.1 Generative AI in Financial Services
The rapid adoption of generative AI (large language models, generative image models) by financial institutions has created new regulatory questions that FINMA is actively considering. Key concerns include the use of LLMs in customer-facing interactions (chatbots, virtual assistants) where generated content may contain inaccuracies or misleading information, the use of generative AI to produce regulatory reports, risk assessments, or compliance documentation, intellectual property and data protection risks associated with sending proprietary financial data to third-party LLM providers, and the potential for generative AI to facilitate sophisticated fraud, social engineering, or market manipulation.
FINMA's evolving position appears to favor a cautious but permissive approach: generative AI may be used in financial services, but institutions must apply the same governance, risk management, and consumer protection standards as for other AI applications. The use of generative AI in critical decision-making processes (credit, trading, compliance) requires particularly robust human oversight.
9.2 AI and the Swiss Solvency Test (SST)
For insurance companies, the interaction between AI models and the SST regulatory capital framework is an area of growing importance. FINMA is considering how AI-driven risks — including model risk, data quality risk, and operational dependency on AI systems — should be reflected in SST capital requirements. This could lead to additional capital charges for insurers with material AI dependencies, creating a financial incentive for robust AI governance.
9.3 International Coordination
FINMA participates in international regulatory coordination on AI through the Financial Stability Board (FSB), the Basel Committee on Banking Supervision (BCBS), the International Association of Insurance Supervisors (IAIS), and bilateral cooperation with other national regulators. These international forums are developing common principles for AI regulation in financial services that will influence FINMA's future guidance.
10. Practical Recommendations for AI Teams
Building a FINMA-Ready AI Practice
For AI teams at financial institutions in Zürich and across Switzerland, the following practical recommendations will help ensure alignment with FINMA expectations:
- Engage compliance early — Involve your institution's compliance and legal teams at the design stage of AI projects, not after deployment. Regulatory requirements should be treated as design constraints, not post-hoc checks.
- Document everything — FINMA expects comprehensive documentation. Establish documentation standards for model development, data sources, validation results, and deployment decisions from the beginning of every AI project.
- Build explainability into the design — Choose model architectures and techniques that support explainability. Where complex models (deep neural networks, ensemble methods) are necessary, implement post-hoc explainability tools (SHAP, LIME, counterfactual explanations) as a standard part of the model pipeline.
- Test for bias systematically — Implement bias testing as a mandatory step in model validation. Use statistical tests to evaluate model outputs across protected characteristics and document the results.
- Maintain human oversight — Ensure that AI-driven decisions, particularly customer-facing decisions, have defined human oversight mechanisms. Automated decisions should be subject to sampling-based human review, and customers should have access to human decision-makers when they dispute AI-generated outcomes.
- Monitor continuously — Deploy model monitoring systems that track performance metrics, detect drift, and generate alerts when model behavior deviates from expected parameters. Define clear thresholds and escalation procedures.