FINMA Circular 2023/1 represents the most significant update to operational risk requirements for Swiss financial institutions in over a decade. For FinTech startups and digital wealth managers, understanding and implementing these requirements is not optional — it is a prerequisite for licensing, ongoing supervision, and client trust. This guide explains what Circular 2023/1 requires, who it applies to, and how to build a compliant operational risk framework.
What Is FINMA Circular 2023/1?
FINMA Circular 2023/1 "Operational risks and resilience — banks" came into force on 1 January 2024 and replaces Circular 2008/21 "Operational risks — banks" together with the earlier supplementary guidance on operational risk management (ORM). Although its addressees are banks and securities firms, FINMA uses its principles as the reference point for other prudentially supervised institutions and for FinTech licence holders, applied in proportion to their size and risk profile. The circular establishes a principles-based framework covering governance, risk identification, incident management, ICT and cyber risk, business continuity, and third-party dependencies.
The circular aligns Swiss requirements with international standards including Basel Committee principles on operational resilience. FINMA expects institutions to treat operational risk as a first-class risk category alongside credit, market, and liquidity risk — not as an IT or compliance afterthought.
Who Must Comply?
Circular 2023/1 applies directly to:
- Licensed banks and securities firms (all supervisory categories, with simplified requirements for smaller institutions under FINMA's proportionality rules)
- FinTech licence holders under Art. 1b of the Banking Act (accepting public deposits of up to CHF 100 million without investing them or paying interest)
- Asset managers and portfolio managers subject to FINMA prudential requirements, by analogy
- Insurance-linked and payment service providers where operational resilience is material to their licence
Even firms supervised by a Self-Regulatory Organisation (SRO) for AML purposes only should adopt ORM principles proportionate to their size and risk profile. SRO audits increasingly probe operational resilience, and FINMA expects the same evidence at the point of any future licence application.
Core Requirements Under Circular 2023/1
1. Governance and Accountability
The board of directors (or equivalent governing body) bears ultimate responsibility for operational risk. Management must implement a documented ORM framework with clear roles: a Chief Risk Officer or designated risk owner, business line accountability, and independent control functions. FinTech startups often struggle here because flat hierarchies blur accountability — FINMA expects explicit assignment regardless of company size.
2. Risk Identification and Assessment
Institutions must maintain a comprehensive operational risk inventory covering internal processes, people, systems, and external events. Risk assessments should be updated at least annually and after material changes — new product launches, outsourcing arrangements, or technology migrations all trigger reassessment. Quantitative and qualitative approaches are both acceptable; what matters is that risks are ranked, owned, and mitigated.
3. Incident Reporting and Management
Significant operational incidents must be reported to FINMA without delay under Art. 29 para. 2 FINMASA. For cyber attacks, FINMA Guidance 05/2020 sets the timeline the circular relies on: an initial notification within 24 hours of the attack being assessed as material, followed by a full report within 72 hours. Materiality is judged on client impact, financial loss, regulatory breach, and reputational damage, so the institution needs a classification rule that applies those criteria consistently. Internal incident management processes must include root cause analysis, remediation tracking, and lessons learned. Many FinTech firms lack formal incident classification — this is a common audit finding.
4. Business Continuity and Operational Resilience
Institutions must identify critical business services and set impact tolerances for disruption. Business continuity plans (BCP) and disaster recovery (DR) must be tested regularly — FINMA expects evidence of testing, not just documented plans. Cloud-native FinTech companies should pay particular attention to multi-region failover, vendor concentration risk, and recovery time objectives (RTO) for payment and trading systems.
5. Third-Party and Outsourcing Risk
Outsourcing critical functions — cloud infrastructure, KYC providers, payment processors — requires due diligence, contractual safeguards, and ongoing monitoring. Circular 2023/1 references FINMA Circular 2018/3 on outsourcing, requiring institutions to maintain oversight even when functions are delegated. RegTech and cloud providers must be assessed as part of the operational risk framework, not separately.
Implementing Circular 2023/1 in a FinTech Context
FinTech firms face unique operational risk profiles: rapid product iteration, reliance on APIs, lean teams, and cloud-first architectures. A proportionate implementation approach includes:
- Map critical services — Identify which systems and processes, if disrupted, would harm clients or breach regulations within 24 hours.
- Document the ORM framework — For smaller firms a concise policy can satisfy the documentation requirement, provided it covers governance and roles, risk appetite, the incident classification and reporting process, and BCP/DR, and is approved by the board.
- Integrate with existing controls — Link ORM to your AML/KYC monitoring, FADP data protection, and cyber security programmes rather than building silos.
- Automate monitoring — Use RegTech tools for real-time control testing, incident logging, and regulatory reporting to reduce manual overhead.
- Prepare for AI-related risks — If you deploy machine learning models, extend your ORM framework to cover model risk per FINMA Guidance 08/2024.
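The business continuity requirements above (critical services, impact tolerances, RTO, tested DR with retained evidence, vendor concentration) and the first implementation step (mapping which services cause harm within a fixed window) become auditable only when the inventory is a structured record that can be checked mechanically. The following Python script is an added illustration, not part of the circular or of any FINMA template: the service names, providers, tolerances and test dates are constructed, the 365-day evidence window mirrors the checklist's "tested within the last 12 months", and the concentration threshold of two services is an assumed policy value rather than a regulatory figure.

```python
"""Check a critical-service inventory against impact tolerances, DR-test evidence
and sole-provider concentration. Added example with constructed data; the
thresholds below are illustrative policy choices, not FINMA-prescribed values."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class CriticalService:
    """One critical business service from the operational risk inventory."""
    name: str
    impact_tolerance_h: float                 # max outage before clients are harmed or a rule is breached
    dependencies: dict[str, tuple[str, ...]]  # role -> providers able to fulfil it (one entry = no fallback)
    last_dr_test: date | None                 # date of the last evidenced failover / DR test
    measured_rto_h: float | None              # recovery time actually achieved in that test


@dataclass
class Finding:
    code: str      # NO_DR_EVIDENCE | STALE_DR_EVIDENCE | TOLERANCE_BREACH | CONCENTRATION
    subject: str   # service name, or provider name for CONCENTRATION
    detail: str


def review_inventory(services: list[CriticalService], as_of: date,
                     max_evidence_age_days: int = 365,
                     concentration_min_services: int = 2) -> list[Finding]:
    """Return the findings an auditor would raise against this inventory."""
    findings: list[Finding] = []
    sole_provider_for: dict[str, set[str]] = {}  # provider -> services with no alternative to it

    for s in services:
        if s.last_dr_test is None:
            findings.append(Finding("NO_DR_EVIDENCE", s.name, "no failover/DR test on record"))
        else:
            age_days = (as_of - s.last_dr_test).days
            if age_days > max_evidence_age_days:
                findings.append(Finding("STALE_DR_EVIDENCE", s.name,
                                        f"last test {age_days} days ago (limit {max_evidence_age_days})"))
            if s.measured_rto_h is not None and s.measured_rto_h > s.impact_tolerance_h:
                findings.append(Finding("TOLERANCE_BREACH", s.name,
                                        f"RTO {s.measured_rto_h}h exceeds tolerance {s.impact_tolerance_h}h"))
        # A dependency role with a single provider is a single point of failure for this service.
        for providers in s.dependencies.values():
            if len(providers) == 1:
                sole_provider_for.setdefault(providers[0], set()).add(s.name)

    # Concentration risk: one provider is the only option for several critical services at once.
    for provider, names in sorted(sole_provider_for.items()):
        if len(names) >= concentration_min_services:
            findings.append(Finding("CONCENTRATION", provider,
                                    f"sole provider for {len(names)} critical services: "
                                    + ", ".join(sorted(names))))
    return findings


# Constructed sample inventory (hypothetical FinTech; provider names are placeholders).
AS_OF = date(2025, 6, 30)
SAMPLE_SERVICES = [
    CriticalService("Client payments", 4.0,
                    {"hosting": ("cloud-a",), "payment rail": ("rail-x",)},
                    date(2025, 4, 14), 2.5),
    CriticalService("Order execution", 2.0,
                    {"hosting": ("cloud-a",), "market data": ("feed-1", "feed-2")},
                    date(2025, 2, 3), 3.0),                     # RTO exceeds tolerance
    CriticalService("KYC onboarding", 24.0,
                    {"hosting": ("cloud-a",), "identity verification": ("kyc-k",)},
                    None, None),                                 # never tested
    CriticalService("Client portal", 8.0,
                    {"hosting": ("cloud-a",)},
                    date(2024, 3, 20), 1.0),                     # evidence older than 12 months
]


def run_sample() -> list[Finding]:
    return review_inventory(SAMPLE_SERVICES, AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.code:<18} {f.subject:<18} {f.detail}")
```

Running the script on the sample data reports one tolerance breach, one service with no test evidence, one with stale evidence, and a concentration finding against the single hosting provider. The same structure doubles as the testing evidence FINMA asks for: each DR exercise updates `last_dr_test` and `measured_rto_h`, and the review can be re-run before every board risk report.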
Common Pitfalls and How to Avoid Them
- Treating ORM as an IT exercise — Operational risk spans people, process, and technology. Assign business owners, not just the CTO.
- Static risk registers — A risk inventory created at licensing and never updated fails FINMA's ongoing supervision test.
- Untested BCP/DR plans — Document-only continuity plans are insufficient. FINMA expects at least annual testing with retained evidence; scheduling tabletop exercises and technical failover tests quarterly is a sound practice for cloud-native firms, not a regulatory minimum.
- Delayed incident reporting — Establish clear escalation criteria and train staff. Late or incomplete incident notifications breach the reporting duty under Art. 29 para. 2 FINMASA and can trigger supervisory measures or enforcement proceedings.
- Ignoring concentration risk — Single cloud provider, single payment rail, or single KYC vendor creates unacceptable dependency without mitigation.
Compliance Checklist
- Board-approved operational risk policy and appetite statement in place
- Named risk owner with reporting line to senior management
- Operational risk inventory with annual review cycle documented
- Incident classification matrix and FINMA reporting procedure defined
- Critical business services identified with impact tolerances
- BCP and DR plans tested within the last 12 months with evidence retained
- Third-party risk assessments completed for all critical outsourcing arrangements
- ORM integrated with cyber security, AML, and data protection programmes
- Staff training on incident reporting and business continuity completed
- Regulatory reporting calendar includes ORM-related submissions
FINMA Circular 2023/1 is not a one-time project — it requires embedding operational resilience into daily operations. Firms that treat compliance as continuous improvement rather than a checkbox exercise are best positioned for sustainable growth in the Swiss financial market.