FINMA published Guidance 08/2024 in December 2024 on governance and risk management when supervised institutions use artificial intelligence. AI governance is no longer optional; it is a supervisory expectation. For compliance departments in banks, insurers, and asset managers, this means new obligations, new documentation, new processes.
This article explains what FINMA concretely requires, where most institutions stand today, and which steps should take priority now.
What FINMA Guidance 08/2024 Requires
The guidance does not create new laws. It specifies existing supervisory obligations in the context of AI systems. The core requirements:
1. Create an AI Inventory
Every supervised institution must know which AI systems it uses. Not just the obvious ones (chatbots, fraud detection), but every system that makes or prepares automated decisions. A CRM with integrated lead scoring is an AI system. So is an automatic document classifier.
FINMA expects a complete inventory with: system name, purpose, data inputs, decision outputs, provider, area of deployment, and risk assessment.
2. Conduct Risk Classification
Every inventoried AI system must be assessed by risk. FINMA does not prescribe a rigid classification matrix, but it expects a traceable methodology. Relevant risk dimensions: impact on customer decisions, data sensitivity, explainability, bias potential.
An internal chatbot supporting staff with HR queries is lower risk. A credit scoring model that co-determines mortgage approvals is high risk. The classification determines the depth of governance requirements.
3. Document the Governance Framework
For medium and high risks, FINMA requires a documented governance framework. This encompasses: clear responsibilities (who decides on AI deployment?), approval processes (how is a new AI system authorised?), ongoing monitoring (how is model quality reviewed?), and incident management (what happens when an AI system produces erroneous results?).
4. Accountability to the Board of Directors
The guidance makes clear that the board of directors bears overall responsibility for AI risks. This means: the board must be informed about which AI systems the institution uses, what risks exist, and how they are mitigated. An annual AI risk report to the board is the minimum expectation.
Where Most Institutions Stand Today
The reality in most mid-sized Swiss financial institutions looks like this:
- No complete AI inventory exists. Individual departments use AI tools (often ChatGPT Enterprise) without the compliance department knowing.
- Risk classification is missing because nobody has defined what “AI” precisely encompasses in the institutional context.
- Governance frameworks exist for IT risks generally, but not specifically for AI.
- The board has the topic on its radar, but has not received structured reporting.
This is not an accusation. It is the starting point. The guidance is recent, the requirements are new, and most institutions are acting in good faith. But FINMA will ask at the next examination. And the documentation must be in place by then.
Five Steps That Should Take Priority Now
Step 1: Create the AI Inventory (Effort: 2-4 Weeks)
Survey every department: “Which software tools do you use that generate automated recommendations, assessments, or decisions?” Capture everything in a structured list. Including third-party tools. Including ChatGPT usage on company devices.
Step 2: Conduct Risk Assessment (Effort: 1-2 Weeks)
Define a risk matrix with at least three levels (low, medium, high). Assess each system. Document the rationale. The methodology must be traceable, not perfect.
Step 3: Draft Governance Policies (Effort: 2-4 Weeks)
For high-risk systems: who approves deployment? Who monitors model quality? What escalation paths exist? For all systems: who is the internal AI officer?
Step 4: Prepare a Board Report (Effort: 1 Week)
A structured report: number of AI systems, risk distribution, governance status, identified gaps, action plan. The board needs overview, not detail.
Step 5: Establish Ongoing Monitoring (Effort: Ongoing)
Regulatory changes in the AI space arrive continuously. FINMA will develop the guidance further. Those who do not systematically monitor these changes will fall behind.
The Connection to the EU AI Act
Swiss financial institutions serving clients in the EU must also observe the EU AI Act alongside the FINMA Guidance. Full enforcement begins on 2 August 2026. The requirements partially overlap (risk assessment, documentation, human oversight), but in some areas go further (CE marking, EU database registration, conformity assessment).
An integrated compliance strategy covering both regulatory frameworks saves time and avoids duplication of effort.
What Mont Virtua Does
We are building a platform that monitors FINMA circulars, guidelines, and regulatory changes in real time. 27 FINMA tables are already structured and searchable. Every answer references the official source. Hosted in Switzerland; not subject to the US CLOUD Act.
Additionally, we offer a structured EU AI Act compliance assessment: risk classification, documentation gap analysis, and action plan. Not an open-ended consulting fee, but a clearly defined fixed price.
Further information: montvirtua.com
This article is for general information purposes and does not constitute legal advice.