FINMA Tightens Oversight on VASPs: Elevates IT and Cybersecurity Standards in Latest Audit Forms

On 27 August 2024, the Swiss Financial Market Supervisory Authority (FINMA) published two new sets of audit forms, namely "GB-A Regulatory audit report investment companies with variable capital (SICAV) 2024" and "GB-A Regulatory audit report fund management companies 2024", to enhance oversight of Virtual Asset Service Providers (VASPs). Applicable to financial years beginning on or after 1 January 2024, these forms introduce rigorous reporting and compliance requirements for financial institutions engaged in virtual asset activities. This move is seen as a critical step in ensuring the security and transparency of Switzerland’s financial sector in the rapidly evolving digital asset landscape.

The newly issued audit forms for fund management companies and investment companies with variable capital (SICAV) are designed to include comprehensive evaluations of the involvement of VASPs. These forms mandate detailed disclosures and assessments related to anti-money laundering (AML) measures, the secure management of virtual asset transactions, and the integrity of internal control systems. By mandating such rigorous evaluations, FINMA aims to ensure that financial institutions are not only compliant with existing regulations but are also equipped to handle the unique risks associated with virtual assets. The focus on robust internal controls, particularly in IT and risk management processes, highlights FINMA’s commitment to preventing cyber risks and ensuring the secure handling of data related to virtual assets.

The new audit forms introduce stringent enhanced IT and cybersecurity requirements to ensure that financial institutions handling virtual assets have sufficient and secure IT infrastructures in place. Under the forms, auditors are now required to assess the adequacy of the IT structures, including the infrastructure (hardware and software), IT strategy, and IT organization. The forms emphasize the importance of IT security and Business Continuity Management (BCM), particularly in the context of virtual asset transactions.

Moreover, the audit forms specifically mandate evaluations of the processes and measures in place to detect, minimize, and report cyber risks and cyber attacks. This includes a thorough review of how institutions manage the security of their IT systems to protect sensitive client data and ensure the integrity of virtual asset operations.

By tightening oversight, FINMA is taking proactive steps to protect investors and maintain the integrity of the financial system. The detailed reporting obligations introduced in the new audit forms are viewed as essential for promoting transparency and accountability among financial institutions. It is reasonable to believe that these measures will strengthen Switzerland’s reputation as a secure and well-regulated financial center, particularly in the field of digital assets. The emphasis on compliance with legal frameworks and the proper execution of transactions is expected to instill greater confidence among investors and other stakeholders.

However, the introduction of these stringent requirements has also imposed significant operational and financial burdens on smaller financial institutions and VASPs. The detailed reporting obligations, while promoting transparency, may require substantial investments in compliance infrastructure and personnel. This raises concerns that these costs could be prohibitive for smaller firms, potentially stifling innovation and competition in the virtual asset space. Additionally, there are fears that the heightened scrutiny and regulatory demands could slow down the adoption of virtual assets in Switzerland, as institutions may become more cautious in their approach to this emerging sector. The balance between ensuring security and fostering innovation is a delicate one, and some critics believe that FINMA’s new audit forms may tip the scales too far towards caution. FINMA’s new audit forms are a decisive step towards strengthening the oversight of virtual assets in Switzerland.

(Source: https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/2ueberwachung/pruefwesen-kag/musterbericht-zur-aufsichtsrechtlichen-pruefung–fuer-fondsleitungen.pdf?sc_lang=en&hash=321DB0C4FFE6E3774725554F5D427ED8, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/2ueberwachung/pruefwesen-kag/musterbericht-zur-aufsichtsrechtlichen-pruefung-fuer-sicav.pdf?sc_lang=en&hash=4F358FBB327107D7B45455D935FA7353)