and data governance
Discretion, confidentiality and data protection are and will remain core competencies of Swiss banking. Here is an overview of the relevant legal provisions in Switzerland as well as current developments.
Developments in data protection
The Federal Act on Data Protection (FADP) has been updated to take account of advances in technology and societal changes. The Federal Council decided on a total revision of the existing Act and submitted a dispatch to this effect in September 2017. Following a lengthy parliamentary process, the new Act was adopted on 25 September 2020 (nFADP). It is expected to come into force in 2022.
In the parliamentary deliberations, much attention was devoted to ensuring that Switzerland does not add a Swiss finish by introducing or implementing any rules that are stricter than necessary, and that the revised Data Protection Act does not become a carbon copy of the EU’s General Data Protection Regulation (GDPR) but instead retains specifically Swiss features and leaves sufficient scope for them. Additional changes involved making the information requirements and data protection impact assessment more practicable for companies. The new Data Protection Act allows for a significant extension of the information requirement with regard to data protection officers and offers a legal definition of the concept of profiling. It also extends the list of criminal provisions and increases the fines that can be imposed. Professional confidentiality has been extended to all professions, in addition to the sectors that were already regulated, such as banks and lawyers. Overall, the new Act constitutes a long-overdue response to digital challenges, both national and international.
The SBA worked closely with economiesuisse to monitor the revision of the FADP.
The GDPR has been directly applicable since 25 May 2018. It reinforces the rights of natural persons in terms of control over their personal data. The Regulation is binding for all member states of the European Union, some of which have already passed transposition laws to this end. However, the GDPR also has an extraterritorial impact. In practice, this means that a large number of companies in Switzerland have to adhere to both the provisions of the Swiss Federal Data Protection Act and those of the GDPR. New rules routinely give rise to legal uncertainties. The Federal Data Protection and Information Commissioner (FDPIC) and law firm Homburger, among others, have published analyses regarding the ramifications of the GDPR for Switzerland, though these are not exhaustive.
The FinSA, which entered into force on 1 January 2020, also contains specific requirements relating to data protection; these apply in addition to the FADP and can overlap with the provisions under the FADP. For example, the entitlement of customers to receive a copy of all documents that the financial services provider has prepared within the context of their business relationship that is set out in Art. 72 FinSA essentially corresponds to Art. 8 FADP (Art. 25 nFADP), which governs the right to information and therefore also the duty to provide information with regard to personal data.
The protection of privacy is a fundamental right. According to Art. 13 of the Swiss Federal Constitution, every person therefore has the right to privacy in their private and family life and in their home, and in relation to their mail and telecommunications and – in the broader sense – the right to be protected against the misuse of their personal data.
In a world increasingly shaped by digitalisation, data influence our lives, at all times and everywhere. Once saved, data remain on the internet for a very long time and can therefore potentially also be used for purposes that do not correspond to the wishes of the user. Consequently, both companies and private individuals have a strong interest in the protection of their data being respected and ensured. Banks, which have a long tradition of discretion and confidentiality, are acutely aware that detailed information about a person’s financial situation is among the most sensitive forms of personal data.
Data Protection Act
In Switzerland, the Federal Act on Data Protection (FADP) protects the privacy and the fundamental rights of natural and legal persons when their data are processed. It sets out the requirements for permissible data processing in accordance with the rule of law and therefore protects against possible abuses. It lays down the principle that no more personal information than is required may be collected (principle of proportionality and data minimisation).
Data protection serves to protect the right to informational self-determination: the concept that every citizen should be able to define for themselves how their own data are disclosed and used. Data protection law therefore gives citizens various ways to exercise their privacy rights.
Any person may request information from the controller of a data file as to whether and which data concerning them are being processed. The provision of information can only be refused or restricted if a formal enactment so provides or it is in the overriding interests of third parties.
If sensitive personal data and personality profiles are collected, the natural persons affected must be actively informed of this by the controller of the data file. This includes the purpose of the processing and, in the event of disclosure, the data recipient.
In the age of mobile banking and payment apps, countless bank customers use their computer or smartphone daily to access their account or credit card information. Dealing with security vulnerabilities therefore represents a particular challenge. Banks make targeted efforts to identify new risks and attempt to limit them. The boards of directors and executive boards of banks are also increasingly discussing and taking action on the data security aspect of data protection.
Bank-client confidentiality (Art. 47 of the Banking Act) is a professional duty of confidentiality comparable to that imposed on doctors or lawyers. It aims to protect financial privacy and covers all conclusions of fact, value judgements and other information (including personal evaluation results) that can be attributed to a bank customer. Bank-client confidentiality therefore goes further than data protection law. Contrary to a widely held belief, however, it does not apply without limitation. Criminals in particular are not protected by bank-client confidentiality, which dates back to 1934. Since then, banks have been required to disclose information about customers
- in civil proceedings (for example pertaining to inheritances or divorces),
- in debt recovery and compulsory liquidation proceedings,
- in criminal proceedings (especially where tax fraud is involved),
- in proceedings by the financial market supervisory authority, and
- in proceedings relating to the cross-border exchange of information.
Nevertheless, bank-client confidentiality has been fundamentally transformed in recent years, particularly as it relates to tax matters. Developments at the international level have also prompted Switzerland to accord greater importance to transparency vis-à-vis tax and supervisory authorities.
Automatic exchange of information (AEOI)
Since 1 January 2017, Swiss banks have been implementing automatic exchange of information (AEOI) with countries abroad. AEOI governs how the tax authorities of participating countries share data regarding taxpayers’ accounts and safekeeping accounts. Switzerland is particularly impacted by AEOI, as the country manages over a quarter of global cross-border assets. The Swiss government and the banks have therefore argued strongly within the OECD for the AEOI standard to be made as practicable and fair as possible, and have insisted on the need for adequate data protection.
Foreign Account Tax Compliance Act (FATCA)
Increased transparency requirements also apply vis-à-vis the US. FATCA is a unilateral US tax law with extraterritorial effect, which is designed to curb potential tax evasion that is detrimental to the US. It is aimed at financial institutions around the world, and requires them to periodically provide the US tax authorities with information about what are termed “US accounts”. Like many other countries, Switzerland has concluded an intergovernmental agreement (FATCA Agreement) allowing for the facilitated implementation of FATCA. A Swiss FATCA Act adopted on the basis of that agreement has been in force since 30 June 2014.