AI Regulation Tracker / Supervisory guidance
FINMA Tells Swiss Financial Institutions to Govern and Manage Their AI Risk
In FINMA Guidance 08/2024, published December 18, 2024, Switzerland's financial regulator set out what it expects of supervised institutions using artificial intelligence: identify the risks, assign accountability, and manage and monitor AI the way you manage any other operational risk. Originally published December 18, 2024; this is non-binding supervisory guidance applying existing Swiss financial-sector principles, not a Swiss AI statute. It remains in force and under active supervision.
Switzerland does not have a dedicated AI law for the financial sector, and FINMA has been clear that it does not intend to write one for its own sake. Swiss financial regulation is principle-based and technology-neutral, which means the existing requirements on governance, operational risk, and outsourcing already apply when an institution uses AI. Guidance 08/2024 takes that starting point and spells out what FINMA expects in practice.
The framing in the release is plain. In FINMA's words, "FINMA is drawing the supervised institutions' attention to the need for appropriate identification, assessment, management and monitoring of the risks resulting from the adoption of AI." The stated purpose is not box-ticking. As FINMA puts it, the aim is "to strengthen the reputation of the financial centre and help institutions to sustainably protect their business models against risks."
What FINMA actually expects
The guidance groups the AI risks FINMA is watching into familiar operational buckets: model risk, including lack of robustness, correctness, and explainability and the risk of bias; data risk, covering quality, availability, and security; IT and cyber risk; growing dependence on third parties; and legal and reputational risk. None of that is exotic. It is the risk map any senior operator would draw if you asked where a model could hurt the firm.
From there, the expectations run in a straight line. Institutions should know where AI is used across the organization and be able to classify those uses by risk, rather than letting tools spread through the business unseen. Governance should assign clear responsibility and accountability for developing, implementing, and using AI, so that a named function owns each material application instead of the model being nobody's job. Institutions should test and monitor AI on an ongoing basis, checking the quality and reliability of outputs rather than trusting them once and walking away. And they should document the processes and findings, with independent review where the application is material enough to warrant a second set of eyes separate from the people who built it.
FINMA has paired the guidance with supervision rather than leaving it on paper. Between late 2024 and early 2025 it surveyed around 400 licensed institutions on their AI use, and on April 24, 2025 it reported that roughly half already use AI or have applications in development, with a large majority of those users also using generative AI. That survey is how a principle-based regulator keeps a non-binding document live: it looks, it asks, and it forms a view of who is meeting the expectation and who is not.
What this is, and what it is not
I want to be exact about the status, because it is easy to inflate a regulator's guidance into a rule it is not.
This is guidance. FINMA guidance describes the authority's expectations and observations. It is non-binding in form and does not, on its own, create a new legal obligation the way a statute or a binding circular would. FINMA itself notes that Switzerland has no specific AI law and that it is applying existing, technology-neutral requirements to AI.
That said, non-binding is not the same as optional. When your supervisor writes down how it will read the existing rules and then surveys the market to see who is following, the practical distance between guidance and expectation is short. A supervised institution that ignores Guidance 08/2024 is not breaking a dedicated AI law. It is inviting questions about whether it is meeting the governance and operational-risk duties it already owes. That is the correct way to hold this: a clear statement of supervisory expectation under rules that already bind, not a new rulebook.
Why a US firm should care
FINMA is not your regulator if you are a US registered investment adviser, broker-dealer, or wealth manager. This guidance carries no direct authority over a US firm or a US filing. The reason it lands on your desk is the plumbing of cross-border wealth management.
If you custody client assets with a Swiss bank, run private-bank relationships in Zurich or Geneva, or rely on a Swiss counterparty for booking, execution, or reporting, then your counterparty is FINMA-supervised and is being measured against exactly these expectations. When they deploy AI in onboarding, screening, portfolio tooling, or reporting that touches your clients, FINMA expects them to have the governance, testing, and documentation described here. In a cross-border relationship, their AI risk becomes part of your third-party and vendor risk. The sensible move is to ask your Swiss counterparties how they meet Guidance 08/2024, the same way you would ask about their cyber or business-continuity posture, and to keep that answer on file.
There is a second reason to read it. The FINMA approach, principle-based, technology-neutral, and built on inventory, accountability, testing, and documentation, is the same shape US regulators and standard-setters have been describing for AI. It is a useful benchmark for your own governance even where it does not bind you, because the questions it forces are the ones that turn into findings when they go unanswered: where is AI used, who owns it, who checked the output, and can you show it.
What to do now
Treat this as a supervisory expectation, not a statute, and calibrate accordingly. If you deal with Swiss counterparties, add a line to your vendor due diligence asking how they align with FINMA Guidance 08/2024 on AI governance and risk management, and get it in writing. Map where AI touches any Swiss-booked relationship you hold, and make sure a named person owns each material use. Keep the documentation FINMA points to, on data, testing, monitoring, and review, because a counterparty that cannot produce it is a risk you inherit. And do not overstate the instrument in your own compliance file: it is non-binding guidance applying existing Swiss rules, and any change you make to your controls should rest on your own applicable US obligations and your counsel's advice.
Questions professionals are asking
Is FINMA Guidance 08/2024 a binding AI law?
No. It is non-binding supervisory guidance published December 18, 2024. Switzerland has no dedicated AI law for finance. FINMA applies existing principle-based, technology-neutral rules to AI and, in this guidance, describes what it expects on AI governance and risk management. It creates no new statutory duty on its own.
What does FINMA expect supervised institutions to do?
Identify, assess, manage, and monitor the risks of AI use. In practice that means knowing where AI is used and classifying it by risk, assigning clear accountability, testing and monitoring output quality on an ongoing basis, documenting the processes and findings, and arranging independent review for material applications.
Does this apply to US RIAs, broker-dealers, or wealth managers?
Not directly. FINMA has no authority over US firms or US filings. It matters because your Swiss custodian or private-bank counterparty is FINMA-supervised and is measured against this guidance. Their AI governance becomes part of your third-party and vendor risk in any cross-border relationship.
Is the guidance still current if it dates from December 2024?
Yes. It remains in force and under active supervision. FINMA surveyed around 400 institutions on AI use and reported findings on April 24, 2025, which is how a principle-based regulator keeps a non-binding expectation live. It is evergreen supervisory guidance, not a one-off announcement.
Should we change our controls because of this guidance?
Only on your own terms. Use it to benchmark and to sharpen vendor due diligence on Swiss counterparties. Any change to your own controls or disclosures should rest on your applicable US obligations and your counsel's advice, not on a Swiss supervisory guidance that does not bind you.
RELATED BRIEFINGS
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal, accounting, or audit advice. Confirm how any standard or requirement applies to your situation with qualified professionals in the relevant jurisdiction.