Artificial intelligence is transforming Swiss financial services — from robo-advisory and credit scoring to fraud detection and compliance automation. FINMA recognised the opportunities and risks by publishing Guidance 08/2024 on artificial intelligence, setting expectations for governance, transparency, and risk management. For FinTech companies deploying AI, this guidance is the regulatory baseline. This article explains what FINMA requires and how to build a compliant AI governance framework.
What Is FINMA Guidance 08/2024?
Published in late 2024, FINMA Guidance 08/2024 addresses the use of artificial intelligence in supervised institutions. Rather than creating new rules, it clarifies how existing requirements — operational risk management, conduct rules, data protection, and outsourcing — apply to AI systems. The guidance applies to all FINMA-supervised entities and serves as best practice for SRO-supervised FinTech firms.
FINMA defines AI broadly: systems that generate outputs such as predictions, recommendations, or decisions based on data inputs, using machine learning, deep learning, natural language processing, or similar techniques. This covers everything from simple scoring models to generative AI chatbots serving clients.
Core Principles of AI Governance
1. Accountability and Governance Structure
Management and the board bear responsibility for AI-related risks. Firms must establish clear governance including an AI inventory, defined roles (model owner, validator, risk reviewer), and escalation paths for AI incidents. FinTech startups often deploy AI without formal governance — FINMA expects proportionate but documented oversight regardless of company size.
2. Risk-Based Approach
Not all AI applications carry equal risk. FINMA expects firms to classify AI use cases by potential impact on clients, financial stability, and regulatory compliance. High-risk applications — credit decisions, investment recommendations, AML scoring — require enhanced controls including independent validation, ongoing monitoring, and human oversight.
3. Transparency and Explainability
Institutions must be able to explain how AI systems reach their outputs, particularly when decisions affect clients. Black-box models are not prohibited, but firms must implement compensating controls: model documentation, feature importance analysis, and human review for consequential decisions. Client-facing AI (chatbots, advisory tools) requires clear disclosure that AI is involved.
4. Data Quality and Integrity
AI outputs are only as reliable as training and input data. Firms must ensure data quality, address bias in training datasets, and monitor for data drift that degrades model performance over time. Personal data used in AI must comply with the revised Federal Act on Data Protection (FADP), including privacy impact assessments for profiling activities.
5. Model Validation and Monitoring
Before deployment and periodically thereafter, AI models must be validated for accuracy, robustness, fairness, and stability. Validation should be independent of the development team where possible. Production monitoring must detect performance degradation, concept drift, and anomalous outputs with automated alerting.
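The data-drift and production-monitoring expectations in points 4 and 5 can be met with a Population Stability Index (PSI) check over each model input, compared against the distribution the model was validated on. The following is an added example, not code from the article or from FINMA; the feature name, the sample data and the warn/alert cut-offs (0.10 and 0.25, common industry heuristics rather than FINMA figures) are assumptions.

```python
import bisect
import math
import random

def bin_shares(values, edges):
    """Share of values in each bin; bisect_left gives the first edge >= value."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        counts[bisect.bisect_left(edges, v)] += 1
    return [c / len(values) for c in counts]

def psi(reference, production, bins=10, eps=1e-4):
    """Population Stability Index: sum over bins of (a - e) * ln(a / e), with e and a
    the reference and production bin shares. Bin edges are reference quantiles, so
    each bin holds roughly equal validation-time mass; eps avoids log(0)."""
    xs = sorted(reference)
    edges = [xs[min(len(xs) - 1, len(xs) * k // bins)] for k in range(1, bins)]
    expected = bin_shares(reference, edges)
    actual = bin_shares(production, edges)
    return sum((a - e) * math.log((a + eps) / (e + eps)) for e, a in zip(expected, actual))

def drift_status(value, warn=0.10, alert=0.25):
    """Widely used heuristic cut-offs (assumed here, not FINMA figures): below 0.10
    stable, 0.10 to 0.25 moderate shift, above 0.25 significant shift needing action."""
    return "ALERT" if value >= alert else "WARN" if value >= warn else "OK"

def monitor_features(reference_by_feature, production_by_feature):
    """One row per feature; rows that are not OK are what the alerting pipeline
    routes to the model owner and logs as an operational-risk event."""
    rows = []
    for name, ref in reference_by_feature.items():
        value = psi(ref, production_by_feature[name])
        rows.append({"feature": name, "psi": round(value, 4), "status": drift_status(value)})
    return rows

def sample_batches(seed=7, n=5000):
    """Constructed data: a credit model input at validation time, an unchanged
    production batch, and a batch whose applicant population has shifted."""
    rng = random.Random(seed)
    reference = [rng.gauss(0.0, 1.0) for _ in range(n)]
    stable = [rng.gauss(0.0, 1.0) for _ in range(n)]
    shifted = [rng.gauss(0.8, 1.2) for _ in range(n)]
    return reference, stable, shifted

if __name__ == "__main__":
    reference, stable, shifted = sample_batches()
    for batch in (stable, shifted):
        print(monitor_features({"debt_to_income": reference}, {"debt_to_income": batch}))
```

Run per scoring batch; the stable batch stays OK while the shifted one raises ALERT, which is the trigger for revalidation rather than a one-time sign-off.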
AI Within the Operational Risk Framework
FINMA explicitly links AI governance to operational risk management under Circular 2023/1. AI failures — biased credit decisions, hallucinating chatbot advice, AML false negatives — are operational risk events. Your operational risk management (ORM) framework should include:
- AI systems in the operational risk inventory
- AI-specific incident classification and reporting criteria
- Business continuity plans covering AI-dependent processes
- Third-party risk assessment for AI vendors and cloud ML platforms
Generative AI Considerations
Generative AI (large language models, image generation) introduces unique risks for financial services:
- Hallucination — Fabricated information presented as factual in client communications.
- Confidentiality — Sensitive client data inadvertently included in prompts sent to external LLM APIs.
- Copyright and IP — Generated content may infringe third-party intellectual property.
- Regulatory advice — AI providing guidance that constitutes regulated financial advice without proper licensing.
FINMA expects firms using generative AI to implement usage policies, restrict access to approved tools, prevent client data leakage, and maintain human review of AI-generated client-facing content.
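One concrete data-leakage-prevention control for the confidentiality risk above is a pre-flight gate that screens every prompt for Swiss client identifiers before it leaves the institution for an external LLM API, redacting only checksum-valid hits and recording what was redacted for the audit trail. This is an added example, not the article's or FINMA's code; the sample prompt is constructed and the identifiers in it are the publicly documented format examples (IBAN mod-97 check per ISO 13616, AHVN13 check digit per the EAN-13 scheme), not real clients.

```python
import re

# Candidate patterns; the checksum validators below decide whether a match is real.
IBAN_RE = re.compile(r"\bCH\d{2}(?:\s?[0-9A-Z]{4}){4}\s?[0-9A-Z]\b")
AHV_RE = re.compile(r"\b756\.?\d{4}\.?\d{4}\.?\d{2}\b")

def iban_is_valid(iban):
    """ISO 13616 mod-97 check: move the first four characters to the end, replace
    letters by 10..35 and require the resulting integer to be 1 modulo 97."""
    s = re.sub(r"\s", "", iban).upper()
    if len(s) != 21 or not s.startswith("CH"):  # Swiss IBANs are 21 characters
        return False
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(ch, 36)) for ch in rearranged)) % 97 == 1

def ahv_is_valid(ahvn13):
    """AHVN13 check digit follows EAN-13: weights 1,3,1,3,... over the first twelve
    digits, check = (10 - sum mod 10) mod 10."""
    d = ahvn13.replace(".", "")
    if len(d) != 13 or not d.isdigit() or not d.startswith("756"):
        return False
    total = sum(int(c) * (1 if i % 2 == 0 else 3) for i, c in enumerate(d[:12]))
    return (10 - total % 10) % 10 == int(d[12])

def screen_prompt(text):
    """Return (redacted_text, findings). Only checksum-valid identifiers are replaced,
    so an unrelated 13-digit reference number in a document is left untouched."""
    findings = []
    def redactor(kind, is_valid):
        def sub(match):
            token = match.group(0)
            if not is_valid(token):
                return token
            findings.append((kind, token))
            return f"[REDACTED-{kind}]"
        return sub
    text = IBAN_RE.sub(redactor("IBAN", iban_is_valid), text)
    text = AHV_RE.sub(redactor("AHVN13", ahv_is_valid), text)
    return text, findings

# Constructed sample prompt; the identifiers are the public format examples, not real clients.
SAMPLE_PROMPT = ("Summarise the complaint from the client with AHV 756.1234.5678.97 "
                 "and account CH93 0076 2011 6238 5295 7. Ticket 756.9999.9999.99 is a "
                 "case reference, not an AHV number.")

if __name__ == "__main__":
    cleaned, found = screen_prompt(SAMPLE_PROMPT)
    print(cleaned)  # what may be forwarded to the external LLM API
    print(found)    # what the audit trail records
```

The findings list, not the raw identifiers, is what goes into the usage log, so the control itself does not become a second copy of client data.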
Automating Compliance with RegTech
Ironically, AI itself powers many compliance functions — transaction monitoring, document analysis, regulatory change detection. Firms deploying AI for compliance must apply the same governance standards to these internal tools. RegTech platforms with built-in model documentation, audit trails, and validation workflows can accelerate compliant AI deployment.
Common Pitfalls
- No AI inventory — Shadow AI deployments by individual teams bypass governance entirely.
- Validation as a one-time exercise — Models degrade; continuous monitoring is mandatory.
- Ignoring bias — Training data reflecting historical discrimination produces discriminatory outputs.
- Undisclosed AI to clients — Transparency failures violate conduct rules and erode trust.
- Outsourcing AI without oversight — Vendor models remain the institution's regulatory responsibility.
AI Governance Compliance Checklist
- AI inventory documenting all models and use cases with risk classification
- AI governance policy approved by senior management
- Named AI risk owner with defined responsibilities
- Model development standards including documentation requirements
- Independent validation process for high-risk AI applications
- Production monitoring with automated alerting for model drift
- Client disclosure procedures for AI-influenced decisions and communications
- Generative AI usage policy with data leakage prevention controls
- FADP privacy impact assessments for AI profiling activities
- AI incidents integrated into operational risk reporting framework
AI governance is not about preventing innovation — it is about deploying AI responsibly within Switzerland's regulatory framework. FinTech firms that establish governance early gain a competitive advantage as FINMA supervision of AI intensifies.