
Resource ID: w-010-8058

Bank Secrecy Laws (Switzerland)


ALEXANDER HOFMANN, LAUX LAWYERS AG, WITH PRACTICAL LAW DATA PRIVACY ADVISOR

Search the Resource ID numbers in blue on Westlaw for more.

© 2019 Thomson Reuters. All rights reserved.

A Practice Note discussing the laws, regulations, and guidance governing bank secrecy in Switzerland including the Swiss Federal Act on Banks and Savings Banks and guidance issued by Switzerland’s financial regulator, the Swiss Financial Market Supervisory Authority. This Note provides guidance for banking institutions handling customer data in Switzerland on complying with bank secrecy obligations, the circumstances in which they can disclose customer data to third parties, and required steps to permit disclosure. This Note also discusses the Federal Act on Data Protection, the Ordinance to the Federal Act on Data Protection, and how banks should address data protection obligations when handling customers’ personal data.

Bank secrecy laws generally prohibit banking institutions, and their officers and employees, from disclosing customer data to third parties. However, banks commonly need to disclose customer data for routine business purposes including:
- Providing products and services to customers.
- Making inter-company transfers.
- Outsourcing to third-party service providers.
- Responding to litigation and regulatory inquiries.

Global banks operating in jurisdictions with bank secrecy laws must find practical solutions to perform business functions or face sanctions. Potential sanctions include fines, regulatory actions, and in severe cases, criminal penalties for disclosing customer data in violation of bank secrecy laws.

This Note discusses the laws and regulations governing bank secrecy in Switzerland. It provides guidance for banking institutions handling customer data in Switzerland on complying with bank secrecy obligations, the circumstances in which banks can disclose customer data to third parties, and required steps to permit disclosure. This Note also discusses the Swiss data protection law and how banks should address data protection obligations when handling customers’ personal data.

For information on global bank secrecy laws, see Practice Note, Global Bank Secrecy Laws: Overview and Global Bank Secrecy Toolkit (W-002-8052).

CUSTOMER DATA DISCLOSURE LAWS

Article 47 of the Swiss Federal Act on Banks and Savings Banks (in Swiss) (Banking Act) is the primary law governing bank secrecy in Switzerland. Those disclosing customer data in violation of this provision face criminal penalties (see Enforcement and Penalties (W-010-8058)).

Similar criminal provisions exist in other Swiss financial market laws including:
- Article 43 of the Swiss Federal Act on Stock Exchanges and Securities Trading (in Swiss). This imposes secrecy obligations on certain individuals and entities handling data received in connection with a stock exchange or securities dealer.
- Article 147 of the Swiss Federal Act on Financial Market Infrastructures and Market Conduct in Securities and Derivatives Trading (in Swiss). This imposes professional secrecy obligations on directors, officers, employees, agents, and liquidators of financial market infrastructures. Financial market infrastructures include stock exchanges, multilateral trading facilities, central counterparties, central securities depositories, trade repositories, and payments systems.


- Article 148 of the Swiss Federal Act on Collective Investment Schemes (in Swiss). This imposes secrecy obligations on members of an executive or governing body, employees, agents, or liquidators of fund management companies.

Swiss banks also have a civil obligation to respect the confidentiality of customer data which arises out of:
- The civil right to personal privacy. Article 28 of the Swiss Civil Code recognizes individuals’ and companies’ right to privacy, including economic privacy and information on their banking relationships and the assets concerned.
- The contractual relationship between the customer and the bank. Under Article 398 of the Swiss Code of Obligations an agent is liable to the principal for the diligent and faithful performance of the business entrusted to him. This obligates a bank to keep customer data entrusted to it confidential.

This Note focuses primarily on a bank’s obligations under the Banking Act. Other criminal and civil laws are outside the scope of this Note.

COVERED PERSONS AND ENTITIES

Banks Covered

The banking secrecy provisions in Article 47 apply to the following entities:
- Banks licensed in Switzerland.
- Established branches or representative offices of foreign banks in Switzerland.
- Private banks in Switzerland (banks in the legal form of individual proprietorships or general and limited partnerships).
- Savings banks in Switzerland.
(Articles 1(1) and 2(1), Banking Act.)

Article 1a of the Banking Act defines banks as companies active mainly in the financial sector that perform any of the following:
- Accept deposits from the public.
- Finance own accounts or the accounts of third parties with loans from banks that do not own any significant holdings in them.

The Banking Act does not apply to:
- Stockbrokers and trading houses dealing only in securities and directly related transactions if they do not conduct the banking activities described above.
- Private investment managers, public notaries, and business agents who limit their activities to managing their clients’ assets without conducting the above banking activity.
(Article 1(3), Banking Act.)

The Banking Act does not extend to banks located overseas that handle Swiss residents’ customer data.

Individuals Covered

Article 47 of the Banking Act broadly prohibits any individuals from disclosing customer data entrusted to them or observed in their capacity as:
- A member of an executive or supervisory body of the bank.
- An employee or representative of the bank.
- A liquidator of a bank.
- A member of a body or employee of an audit firm.
(Article 47(1)(a), Banking Act.)

Bank secrecy obligations exist even after revocation of a bank license or termination of an individual’s official responsibilities (Article 47(4), Banking Act). Criminal penalties may apply for Article 47 bank secrecy violations when data is disclosed in Switzerland or abroad (Article 8(1), Swiss Criminal Code) (amended January 2017) (stating that a crime takes place where the offender acts and where the consequences occurred).

PROTECTED CUSTOMER DATA

Article 47 of the Banking Act does not specify the scope of customer data protected from disclosure and broadly precludes the disclosure of confidential information entrusted to covered persons and entities. This language covers all data stemming from the business relationship between the bank and customer including:
- Information on the customer as a private individual.
- Deposits and withdrawals.
- Loan information.
- Value of investments.
- Information in banking agreements.
- Information requests and offerings for further financial services.
- Information given by customers about their financial circumstances.
- The customer’s relationship with other banks, if any.
- The bank’s own transactions, if disclosure would harm a customer.
- Transactions between different banks (which then become customers vis-à-vis each other).
- Information about third-party customers the bank received in the course of its business activities.

The Swiss Financial Market Supervisory Authority (FINMA) provided guidance on the scope of customer data when discussing confidentiality and security requirements in FINMA Circular 2008/21 (amended September 22, 2016) (in Swiss) (FINMA Circular). The FINMA Circular states that customer identifying data includes direct and indirect customer identification data such as:
- Name (first name, second name, and family name).
- Passport number.
- A combination of indirect customer identification data that together may identify a specific customer (for example, a combination of birth, profession, and nationality data).
(Annex 3, FINMA Circular 2008/21.)

The Banking Act only protects information related to an identified or identifiable customer. A bank can therefore disclose customer data by, for example, anonymizing the customer name, account number, online identifier, or other identifying information, or by aggregating customer data. FINMA Circular 2008/21 states that when anonymizing customer personal data, the bank should remove or permanently change (through, for example, deletion or aggregation) all elements that could allow identification of a person (Annex 3, FINMA Circular 2008/21, at 35).
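The anonymization and aggregation guidance above, and the FINMA principle discussed later in this Note of protecting customer data accessible from outside Switzerland through anonymization, encryption, or pseudonymization, can be shown on a small data set. The following Python example is added here for illustration; it is not code from the Practice Note, FINMA, or any bank. Every record, name, account reference, the bank-held key, the function names (pseudonymize, generalize, anonymize, aggregate, leaks_direct_identifier) and the threshold of three customers per group are constructed assumptions. It removes the direct identifiers the Circular names (name, passport number, account number), keeps only a keyed pseudonym of the account reference so the bank can still link records, coarsens the indirect identifiers (birth year, profession, nationality), and holds back any record whose combination of indirect identifiers is rare enough to single out one customer, which is the risk the Circular flags.

```python
"""Anonymizing a customer extract before release (added example, not from
the Practice Note or FINMA). Direct identifiers are removed, the account
reference is pseudonymized under a bank-held key, indirect identifiers are
generalized, and a record is released only when its combination of indirect
identifiers is shared by at least k customers."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records: every name, number and value below is invented.
CUSTOMERS = [
    {"name": "Anna Muster", "passport": "X1234567", "account": "ACCT-0001",
     "birth_year": 1984, "profession": "physician", "nationality": "CH", "balance_chf": 120_500},
    {"name": "Beat Beispiel", "passport": "X2345678", "account": "ACCT-0002",
     "birth_year": 1986, "profession": "physician", "nationality": "CH", "balance_chf": 98_000},
    {"name": "Carla Esempio", "passport": "X3456789", "account": "ACCT-0003",
     "birth_year": 1981, "profession": "physician", "nationality": "CH", "balance_chf": 143_250},
    {"name": "Dieter Probe", "passport": "X4567890", "account": "ACCT-0004",
     "birth_year": 1959, "profession": "astronaut", "nationality": "LI", "balance_chf": 2_100_000},
]

DIRECT_IDENTIFIERS = ("name", "passport", "account")      # removed before release
INDIRECT_IDENTIFIERS = ("birth_band", "profession", "nationality")  # generalized, then counted

# Hypothetical bank-held secret. In practice it would sit in a key store inside
# Switzerland, so a recipient abroad cannot recompute the pseudonym.
PSEUDONYM_KEY = b"bank-internal-key-placeholder"


def pseudonymize(value, key=PSEUDONYM_KEY):
    """Keyed HMAC: the key holder can link records to customers, nobody else can."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def generalize(record):
    """Drop direct identifiers, coarsen the birth year to a decade band, and keep
    only a pseudonymous account reference for the bank's own linkage."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k != "birth_year"}
    out["birth_band"] = f"{record['birth_year'] // 10 * 10}s"
    out["account_ref"] = pseudonymize(record["account"])
    return out


def indirect_key(record):
    """The combination of indirect identifiers that together may identify someone."""
    return tuple(record[f] for f in INDIRECT_IDENTIFIERS)


def anonymize(records, k=3):
    """Return (released, suppressed). A record is released only if at least k
    records share its indirect-identifier combination; otherwise that
    combination could single out one customer and the record is held back."""
    generalized = [generalize(r) for r in records]
    counts = Counter(indirect_key(g) for g in generalized)
    released, suppressed = [], []
    for g in generalized:
        (released if counts[indirect_key(g)] >= k else suppressed).append(g)
    return released, suppressed


def aggregate(released):
    """Aggregated view per indirect-identifier group: customer count and mean balance."""
    groups = {}
    for r in released:
        groups.setdefault(indirect_key(r), []).append(r["balance_chf"])
    return {key: {"customers": len(v), "mean_balance_chf": sum(v) / len(v)}
            for key, v in groups.items()}


def leaks_direct_identifier(released):
    """Release gate: True if any direct identifier survived generalization."""
    return any(f in r for r in released for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    released, suppressed = anonymize(CUSTOMERS, k=3)
    print(f"released {len(released)} record(s), suppressed {len(suppressed)}")
    print("direct identifier leak:", leaks_direct_identifier(released))
    print(aggregate(released))
```

With the constructed data, the three physicians born in the 1980s share one combination and are released, while the single 1950s-born astronaut is suppressed even though his name, passport and account were already stripped: the combination alone would identify him. Lowering k to 1 releases all four records, which is exactly the mistake the Circular's warning about combined indirect data is meant to prevent.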


PRINCIPLES FOR MANAGING CUSTOMER DATA

Banks covered by the Banking Act must comply with FINMA’s guidance for securing and handling customer data. FINMA Circular 2008/21 sets out principles on the proper management of risks related to electronic customer data. The principles include:
- Governance risks. Banks must systematically identify, mitigate, and monitor risks in connection with customer data. An independent unit must exercise control over the function of creating a security framework.
- Data classification. Banks must categorize customer data according to confidentiality levels and the protection required. Units responsible for customer data must monitor the entire life cycle of customer data, including access right approvals and deletion and disposal of backup and operational systems.
- Data localization. Banks must maintain an inventory of:
  - where they store customer data;
  - the applications and IT systems used for processing; and
  - which national and international locations can access data (including outsourced services and external firms).
- Banks must adequately protect customer data stored or accessible from outside of Switzerland through, for example, anonymization, encryption, or pseudonymization.
- Data security. Banks should implement security standards for infrastructure and technology used to protect the confidentiality of customer data. The bank should compare the security standards to market practice on a regular basis to identify security gaps. Banks should consider independent reviews and audit reports when developing security standards.
- Employee training. Banks must train and monitor employees and third parties with access to customer data regularly (see Outsourcing Considerations (W-010-8058)). The bank should maintain a list of all internal and external information technology (IT) users that have access to mass customer data (key employees only).
- Risk identification and control. The bank unit responsible for data security and confidentiality must identify and evaluate inherent risks regarding customer data confidentiality using a structured process. The bank must involve the business, IT, and control functions in the process.
- Risk mitigation. Banks must monitor and minimize risks pertaining to data processing activities when they modify or migrate large quantities of customer data.
- Incidents related to confidentiality of customer data. Banks should introduce predefined processes to react swiftly to confidentiality incidents, including a clear strategy on how to communicate serious incidents. Banks must monitor, analyze, and share with executive management exceptions, incidents, and audit results.
- Outsourcing services. Banks must conduct due diligence on whether a third-party service provider can adequately protect customer data (see Outsourcing Considerations (W-010-8058)).
(Annex 3, FINMA Circular 2008/21.)

BANKING ACT EXCEPTIONS PERMITTING DISCLOSURE

Several Banking Act exceptions allow banks to disclose otherwise protected customer data. Permissible disclosures include those banks make:
- When requested under a Swiss statute requiring disclosure of information to a government authority (Article 47(5), Banking Act).
- To a parent company that is supervised by a banking or financial market supervisory authority if the disclosure is necessary for consolidated supervision purposes provided that:
  - the information is used exclusively for internal control or direct supervision of banks or other financial intermediaries that are subject to a license;
  - official secrecy or professional confidentiality obligations bind the parent company and supervisory authority responsible for consolidated supervision; and
  - the information is not transmitted to third parties without the prior permission of the bank or based on the blanket permission previously defined in a state treaty.
  (Article 4quinquies, Banking Act.)
- In cases of an overriding private or public interest (see, for example, Article 17, Swiss Criminal Code and Article 2830(2), Swiss Civil Code, which permit banks to disclose protected data when there is an overriding interest). Overriding private interests include, for example:
  - disclosure to debt collection companies; and
  - solvency checks and credit assessments.
  (See also, for example, Swiss Federal Court Judgment No 137 II 431 (15 July 2011) (court discussed overriding public interest as a legal basis to disclose customer data to US regulators).)
- To comply with a bank’s reporting obligations under Swiss law including laws that require banks to:
  - provide FINMA with all information and documents that it requires to carry out its tasks (Article 29, Federal Act on the Swiss Financial Market Supervisory Authority (June 22, 2007) (FINMASA));
  - immediately report to FINMA any incident of substantial importance to the bank’s supervision (Article 29, FINMASA); and
  - report to the Money Laundering Reporting Office when it has knowledge or reasonable suspicion that assets involved in the business relationship with a bank customer are the proceeds of a crime or serve the financing of terrorism (Article 9, Swiss Federal Act on Combating Money Laundering and Terrorist Financing).
- To comply with agreements Switzerland has entered into with other countries including:
  - the OECD Model Tax Convention, which permits the exchange of bank customer data between competent authorities of the contracting countries if requested in cases of tax fraud and tax evasion;
  - the Agreement on the Automatic Exchange of Information (AEOI), which permits the automatic exchange of bank data on foreign customers between countries that are signatories to the agreement to help fight tax evasion; and


  - the Agreement between the US and Switzerland for Cooperation to Facilitate the Implementation of FATCA (Foreign Account Tax Compliance Act) and the respective Swiss implementation law. This requires Swiss banks to provide US tax authorities with requested account information, either with the affected customer’s consent, or on an anonymous and aggregated basis.

The exceptions permitting disclosure of customer data under the Banking Act are narrow and do not include many disclosures that banks typically need to make. Article 47 of the Banking Act does not specifically permit disclosure with customer consent, but banks commonly obtain customer consent for needed disclosures not permitted under the Banking Act (see Customer Consent for Disclosures (W-010-8058)).

DISCLOSURE IN LITIGATION AND DISCOVERY

In Swiss civil proceedings, parties to the proceeding and third parties generally have a duty to cooperate in the evidentiary process. However, persons and entities bound by bank secrecy obligations may refuse to cooperate if they demonstrate that the bank secrecy interests outweigh the interest in establishing the truth (Articles 163(2) and 166(2), Swiss Civil Procedure Code). For civil proceedings abroad, the Hague Convention on the Taking of Evidence Abroad applies and, on request, a Swiss court may take the requested evidence.

In Swiss criminal proceedings, persons bound by bank secrecy must provide requested information or testify. The person responsible for directing the criminal proceeding may relieve them of the duty to testify if they establish that the interest in preserving confidentiality outweighs the interest in establishing the truth (Article 173(2), Swiss Criminal Procedure Code).

For criminal proceedings abroad, mutual assistance may be rendered to foreign states based on international treaties as well as under the Swiss Federal Act on International Mutual Assistance in Criminal Matters. Swiss authorities will not lift bank customer secrecy for a foreign investigation unless the conduct being investigated also qualifies as a criminal offense under Swiss law.

CUSTOMER CONSENT FOR DISCLOSURES

Unlike most countries’ bank secrecy laws, the Banking Act does not explicitly allow for the disclosure of customer data with customer consent. However, the legal effect of customer consent to disclose data is that an unlawful disclosure of customer data becomes lawful (see, for example, Article 2830(2), Swiss Civil Code) (“An infringement is unlawful unless it is justified by the consent of the person whose rights are infringed or by an overriding private or public interest or by law”).

Banks commonly obtain consent when the customer opens an account by requiring the customer to agree to the bank’s standard terms and conditions and privacy policy. To ensure the customer understands the scope of disclosure, banks should:
- Place the consent clause in a clearly visible and prominent place.
- Clearly define the scope of consent.
- Provide the customer with sufficient information about the potential impact of consent.

A universal, general waiver of bank secrecy obligations violates the Swiss Civil Code (Article 27(2), Swiss Civil Code) (stating that “[n]o person may surrender his or her freedom or restrict the use of it to a degree which violates the law or public morals”).

For more information on obtaining customer consent to disclose data under bank secrecy laws, see Standard Clause, Customer Terms and Conditions for Data Disclosure Under Bank Secrecy Laws (W-008-8111).

Before obtaining customer consent, banks should document all disclosures the bank makes, or anticipates making, to third parties and compare this list to the exceptions provided in the Banking Act and under Swiss law. If the Banking Act or Swiss law permits the disclosure, banks do not need customer consent to disclose the data.

DATA PROTECTION LAW

The Federal Act on Data Protection (19 June 1992) (FADP) governs personal data processing and cross-border personal data transfers in Switzerland. The Swiss Federal Council also issued implementing legislation under the FADP, known as the Ordinance to the Federal Act on Data Protection (14 June 1993) (Ordinance), which provides details and guidance on some of the FADP’s provisions.

APPLICABILITY AND JURISDICTIONAL SCOPE

The FADP applies to any personal data processing that occurs within Switzerland pertaining to natural and legal persons (data subjects) by either:
- Natural or legal persons.
- Federal bodies.
(Article 2(1), FADP.)

In Google Street View (A-7040/2009), the Federal Administrative Court stated the FADP may further apply where a data processing operation is primarily connected with Switzerland, even if the personal data is saved on servers abroad (for example, through cloud computing) or published from abroad.

The FADP does not apply to certain types of data processing including, for example, data processing in the context of:
- Pending civil proceedings.
- Criminal proceedings.
- International mutual assistance proceedings.
- Proceedings under constitutional or under administrative law, except for first instance administrative proceedings (this means the lowest or first of several governmental authority proceedings).
(Article 2(2), FADP.)

Banks should review the FADP for exempt data processing activities to determine applicability.

CATEGORIES OF PERSONAL DATA

The FADP defines personal data as all information relating to an identified or identifiable natural or legal person (Article 3(a), FADP). Sensitive personal data is data relating to:
- Religious, ideological, political, or trade union-related views or activities.


- Health.
- Racial origin.
- Social security measures.
- Administrative or criminal proceedings and sanctions.
(Article 3(c), FADP.)

The FADP is currently under revision to adapt to developments in the EU, in particular the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and the Data Protection Convention of the Council of Europe (ETS 108). A draft version of the new Swiss data protection law was released on September 15, 2017 and the law is expected to come into force not earlier than 2020.

PRINCIPLES

The FADP imposes the following data protection principles on banks handling personal data:
- Banks must process personal data lawfully, in good faith, and proportionately, meaning the bank should limit the personal data processing to what is necessary for it to achieve the purpose of processing.
- Banks may only process personal data for the purposes:
  - indicated at the time of collection;
  - evident from the circumstances; or
  - provided for by applicable law.
- The collection of personal data and in particular the purpose of its processing must be evident to the data subject.
(Article 4, FADP.)

In addition, the FADP provides that:
- Anyone who processes personal data must ensure that it is correct (Article 5, FADP).
- Anyone who processes personal data must protect it against unauthorized processing through adequate technical and organizational measures (Article 7, FADP).
- Any person may request information from the organization responsible for personal data processing (data controller) about the personal data processing activities pertaining to that individual. The data controller must then notify the data subject about those processing activities and provide the information specified in Article 8 of the FADP (Article 8, FADP).

Non-compliance with the above principles constitutes a violation of the data subject’s privacy unless the processing is justified by:
- The data subject’s consent (see Consent Under the Data Protection Law).
- A provision of Swiss law requiring or permitting the processing including, for example, an obligation to disclose information under the Banking Act (see Banking Act Exceptions Permitting Disclosure (W-010-8058)).
- An overriding private or public interest (see Overriding Private or Public Interest (W-010-8058)).
(Article 13(1), FADP.)

Disclosure of personal data to third parties is generally lawful if the bank satisfies the FADP principles or an Article 13 legal basis. However, for disclosure of sensitive personal data to third parties, organizations must have a justification under Article 13, even if the organization discloses personal data in compliance with the general principles (Article 12(2)(c), FADP).

Overriding Private or Public Interest

The FADP permits personal data processing if justified by an overriding private or public interest. This means the person processing personal data:
- Processes personal data of a contractual party in direct connection with the conclusion or the performance of a contract.
- Is or intends to be in commercial competition with another and for this purpose processes personal data without disclosing the data to third parties.
- Processes personal data that is neither sensitive personal data nor a personality profile (a collection of personal data that permits an assessment of essential characteristics of the personality of a natural person) to verify the creditworthiness of another, and discloses that data to third parties only if the data is required for the conclusion or the performance of a contract with the affected individual or entity.
- Processes personal data on a professional basis exclusively for publication in the edited section of a periodically published medium.
- Processes personal data for purposes not relating to a specific person, in particular for the purposes of research, planning, and statistics, and publishes the results in a manner that the data subjects may not be identified.
- Collects data on a person of public interest, provided the data relates to the public activities of that person.
(Article 13(2), FADP.)

For more information on Switzerland’s data protection rules and principles, see Country Q&A, Data protection in Switzerland: overview (9-502-5369).

CONSENT UNDER THE DATA PROTECTION LAW

If a bank complies with the general data processing principles set out in the FADP (see Principles), the customer does not need to consent to the personal data processing. However, if a bank relies on customer consent to process personal data, the consent is valid only if the customer:
- Consents voluntarily.
- Consents in advance of the personal data processing.
- Receives adequate and clear information about the personal data processing.
(Article 4(5), FADP.)

The FADP does not require customer consent in writing. Therefore, consent given orally or via electronic means (for example, by mouse click) is generally deemed sufficient. However, the bank bears the burden of proving consent, so consent in an explicit and recordable format is recommended for evidentiary purposes.

Implicit consent is sufficient for personal data processing except when seeking consent to process sensitive personal data or personality profiles (Article 4(5), FADP). The FADP requires express consent for processing of sensitive personal data or personality


profiles (a collection of personal data that permits an assessment of essential characteristics of the personality of a natural person).

A customer has the right to withdraw consent at any time, although such withdrawal will not usually be applied retrospectively.

CROSS-BORDER TRANSFER RESTRICTIONS

The FADP restricts the transfer of personal data outside of Switzerland to countries that do not guarantee an adequate level of data protection (Article 6(1), FADP). The Swiss Federal Data Protection and Information Commissioner (FDPIC) has published a list of jurisdictions that it considers as providing adequate protection. In cases of transfers to the US, the data recipient can also receive personal data if it is certified under the Swiss-US Privacy Shield Framework.

For more information on certifying under the Swiss-US Privacy Shield Framework, see Privacy Shield Self-Certification Checklist (W-002-7961).

In the absence of legislation that guarantees adequate protection, banks can only transfer customer personal data outside of Switzerland if:
- The customer consents to the transfer.
- The bank establishes measures to ensure that it adequately protects personal data, by:
  - sufficient contractual guarantees; or
  - Binding Corporate Rules if the transfer is between legal entities under common control.
- The processing is directly connected with the conclusion or the performance of a contract and the personal data concerns the customer.
- Disclosure is essential to either safeguard an overriding public interest or for the establishment, exercise, or enforcement of legal claims before the courts.
- Disclosure is required to protect the customer’s life or the physical integrity of the data subject.
- The customer has made the personal data generally accessible and has not expressly prohibited its processing.
(Articles 6(1) and 6(2), FADP.)

Banks that use measures set out in the second bullet above to transfer personal data must inform the FDPIC of those measures (Article 6(3), FADP). However, if the bank transfers personal data based on FDPIC pre-approved safeguards (for example, model data transfer agreements issued by the FDPIC on its website), banks only need to inform the FDPIC that they are using these arrangements to transfer personal data (Article 6(3), Ordinance).

MANAGING COMPLIANCE WITH BANK SECRECY AND DATA PROTECTION LAWS

CUSTOMER DATA COVERED BY THE FADP AND THE BANKING ACT

Banks must conduct separate analyses of their customer data handling and compliance obligations under the Banking Act and FADP because these laws:
- Protect different categories of data.
- Apply in different circumstances.

For example:
- The FADP protects privacy in all areas and sectors and applies to any information identifying a natural or legal person, while the Banking Act protects a more limited set of data that includes customer account information when associated with a particular customer.
- The FADP broadly applies to the collection, processing, and cross-border transfer of broadly defined personal data while the Banking Act protects the disclosure of a bank’s customer data.

IDENTIFYING POTENTIAL CONFLICTS BETWEEN THE BANK SECRECY AND DATA PROTECTION LAWS

The Banking Act and the FADP serve the same purpose of protecting data from access by unauthorized third parties. However, the Banking Act permits or requires banks to disclose data under certain circumstances (see Banking Act Exceptions Permitting Disclosure). In those circumstances, the FADP permits the processing and disclosure of personal data because the disclosure is authorized under another Swiss law (Article 13(1), FADP).

Banks may face a conflict between the Banking Act and the FADP where one law allows for disclosure of information and the other does not. For example, the FADP generally allows disclosure of customer personal data in accordance with the general principles (see Principles) while the Banking Act as a principle prohibits disclosure.

Organizations should work with counsel to ensure that they comply with both the Banking Act and FADP requirements prior to disclosing customer data.

OUTSOURCING CONSIDERATIONS

BANK SECRECY ACT COMPLIANCE IN OUTSOURCING ARRANGEMENTS

Outsourcing to a service provider is not considered an unlawful disclosure under Article 47 of the Banking Act if the bank obligates the outsourcing provider and its employees to comply with bank secrecy rules. The outsourcing provider and its employees may then be considered bank representatives under Article 47 and functionally integrated into the bank’s organization. However, banks outsourcing services to a third-party service provider remain accountable to FINMA in the same way as if performing the services themselves.

FINMA Circular 2018/3 (effective April 1, 2018) sets out requirements for banks outsourcing services to third parties. Circular 2018/3 requirements include:
- Banks must maintain an inventory of the outsourced functions including a description of the outsourcing, the service provider, and the unit responsible for services within the outsourcing company.
- Banks must conduct a risk analysis prior to retaining a third-party service provider and assign a responsible person within the bank to monitor and control the service provider.
- Banks must specify the internal approval procedures for outsourcing projects and the responsibilities for signing outsourcing agreements.
- Banks must enter into a written agreement with the service provider that:
  - grants the bank the right to instruct and control the service provider;


  ◦ obligates the service provider to ensure that it can continue to perform in the event of an emergency;
  ◦ requires the service provider to provide FINMA with all documentation on the outsourced function if the service provider is not supervised by FINMA;
  ◦ grants the bank, its audit firm, and FINMA the right to inspect and audit information relating to the outsourced function at all times; and
  ◦ requires the service provider to obtain approval to retain subcontractors and to bind them to the obligations in Circular 2018/3.
• When outsourcing abroad, the bank must demonstrate that its external auditor under bank and stock-exchange laws and FINMA can assume and legally enforce their auditing rights.

Banks outsourcing services will also need to fully comply with Article 47 of the Banking Act, the FADP, and the requirements in Annex 3 to FINMA Circular 2008/21 (see Principles for Managing Customer Data).

FADP

Under the FADP, the processing of personal data may be assigned to third parties by agreement or by law if:
• The third-party service provider only processes the data in the manner allowed for by the instructing party.
• A statutory or contractual duty of confidentiality does not prohibit the assignment.
• The instructing party ensures that the third party guarantees data security.
(Article 10a, FADP.)

The bank continues to be responsible for complying with the FADP even when it retains a third-party service provider to process data. The bank should therefore select and instruct the service provider carefully and monitor the outsourcing relationship. The third-party service provider must not use the data for its own purposes. If the provider is located outside of Switzerland, the bank must also comply with the FADP's cross-border transfer requirements (see Cross-Border Transfer Restrictions (W-010-8058)).

ENFORCEMENT AND PENALTIES

BANK SECRECY

Persons or entities disclosing customer data in violation of the Banking Act face:
• Criminal penalties (see Criminal Penalties (W-010-8058)).
• Administrative and civil measures (see Administrative and Civil Measures (W-010-8058)).
• Private lawsuits (see Private Lawsuits (W-010-8058)).

Criminal Penalties

Persons and entities intentionally violating Article 47 of the Banking Act face:
• Imprisonment of up to three years (Article 47(1), Banking Act).
• Imprisonment of up to five years if the violator enriches himself or others through the disclosure (Article 47(1bis), Banking Act).
• A monetary penalty under the Swiss Criminal Code based on a maximum of 360 daily penalty units. The court decides on the number of daily penalty units considering the culpability of the offender. A daily penalty unit amounts to a maximum of 3,000 Swiss Francs. The court sets the value of the daily penalty unit according to the personal and financial circumstances of the offender at the time of conviction (Article 47(1), Banking Act and Article 34, Swiss Criminal Code).

For negligent violations of Article 47 of the Banking Act, violators face a criminal monetary penalty of up to 250,000 Swiss Francs (Article 47(4), Banking Act).

There are only a few convictions annually under Article 47 of the Banking Act.

Administrative and Civil Measures

Violation of the bank secrecy obligation is a breach of financial markets law and can lead to administrative measures under the Federal Act on the Swiss Financial Market Supervisory Authority of June 22, 2007 (FINMASA), including, but not limited to:
• Withdrawal of the bank's license in the case of a serious breach of a legal obligation (Article 37, FINMASA).
• Prohibiting the person responsible from acting in a management capacity at any entity subject to FINMA's supervision (Article 33, FINMASA).
• Issuance of a declaratory ruling when there is no longer a need to order measures to restore compliance with the law (Article 32, FINMASA).
• Publication in electronic or printed form of FINMA's final ruling (Article 34, FINMASA).
• Confiscation of any profit that a supervised person or entity, or a responsible person in a management position, made through the violation (Article 35, FINMASA).

Private Lawsuits

If the bank violates its contractual bank secrecy obligations owed to customers, it may be liable for damages under the general principles of Swiss contract law. The customer must prove the extent of the financial damage suffered from the bank's infringement of its contractual bank secrecy obligations. The bank has the burden of proving that it was not at fault (Article 97, Swiss Code of Obligations).

FADP

Persons and entities violating the FADP face the following penalties:
• Criminal sanctions. Under Article 35 of the FADP:
  ◦ anyone who, without authorization, willfully discloses confidential, sensitive personal data or personality profiles received in the course of their professional activities is, on complaint, liable to a fine; and
  ◦ the same penalty applies to anyone who, without authorization, willfully discloses confidential, sensitive personal data or personality profiles obtained from a person bound by professional confidentiality.
• The unauthorized disclosure of confidential, sensitive personal data or personality profiles remains an offense after termination of such professional activities or training.
• Administrative proceedings. The FDPIC can initiate investigations against persons and entities violating the FADP and issue non-binding recommendations. If a person or entity does not comply with or rejects a recommendation, the FDPIC may refer the matter to the Federal Administrative Court for decision.
• Data subject lawsuits. Data subjects can request that:
  ◦ data processing be stopped;
  ◦ no data be disclosed to third parties; or
  ◦ the personal data be corrected or destroyed.
(Article 15, FADP and Articles 28, 28a, and 28l, Swiss Civil Code.)


11-19
© 2019 Thomson Reuters. All rights reserved. Use of Practical Law websites and services is subject to the
Terms of Use (http://static.legalsolutions.thomsonreuters.com/static/agreement/westlaw-additional-terms.pdf)
and Privacy Policy (https://a.next.westlaw.com/Privacy).
