At present, monitorships – as traditionally understood – do not have a legal basis under Swiss criminal law, and thus Switzerland does not have an extensive history and experience with locally appointed monitors. However, similar mechanisms are available to the Swiss Financial Market Supervisory Authority (FINMA) for the investigation and monitoring of financial institutions. Further, we have seen the recent trend of voluntary monitorships becoming an element of penal orders in cases of corporate criminal liability investigated by the Swiss Office of the Attorney General (OAG). Although monitorships do not currently exist under Swiss criminal law, this chapter addresses similar mechanisms in financial market law and considerations for foreign monitorships operating in Switzerland. This chapter also addresses a recent proposal to include monitorships in the context of deferred prosecution agreements (DPAs), which has been submitted to the Swiss parliament for consideration later this year.
Monitoring of FINMA-supervised financial institutions
Unlike Swiss criminal law, Swiss administrative financial market law has included the use of monitors for some time. The Swiss Federal Financial Market Supervision Act (FINMASA) permits FINMA to appoint 'mandataries', corresponding to FINMA's term for third-party representatives of this kind,2 based on Articles 24a and 36 FINMASA to 'implement supervisory measures ordered by it'.3
In the course of their appointment, the mandataries will review, investigate and evaluate facts related to supervisory actions. They may be tasked with auditing the institution as instructed by FINMA in the context of FINMA's supervisory activities and may be deployed as part of FINMA-ordered enforcement audits, including the review of the implementation of compliance remediation measures ordered by FINMA.
Most recently, a number of multinational companies with subsidiaries in Switzerland have been subject to monitoring by FINMA.
Following the investigations into 1MDB, FINMA finalised enforcement proceedings in 2017 and 2018 against Coutts & Co SA, JP Morgan (Suisse) SA and Rothschild Bank SA.
Coutts & Co SA was investigated in 2017 for money laundering offences, resulting in FINMA's order to disgorge profits in the amount of 6.5 million Swiss francs. However, FINMA refrained from imposing organisational measures since Coutts had already decided to sell its business to Union Bancaire Privée, UBP SA, but reserved the right to pursue enforcement proceedings against the employees involved.4
FINMA also identified serious shortcomings at JP Morgan (Suisse) SA related to its anti-money laundering controls. In this case, FINMA chose to conduct an in-depth review of the bank's anti-money laundering system and appointed a mandatary to carry out an on-site review. FINMA also informed the Office of the Comptroller of the Currency, the US regulator responsible for the parent of the Swiss bank.5
FINMA also cited Rothschild Bank SA and one of its subsidiaries for lack of due diligence, reporting and documentation that led to breaches of their anti-money laundering obligations in the wake of the 1MDB scandal. Owing to the steps already implemented by the bank, FINMA only appointed a monitor to review remediation measures already undertaken.6
With the conclusion of the enforcement proceedings against Rothschild Bank SA, the current investigations related to the 1MDB scandal have been concluded.
In January 2018, FINMA completed its investigation against Gazprombank (Switzerland) Ltd in connection with the Panama Papers. FINMA identified serious deficiencies in Gazprombank's due diligence, compliance and risk management systems, leading to a ban on the bank's expansion into further private client business and the appointment of an external monitor to closely supervise its remediation measures and efforts to improve its risk and control functions.7
According to the findings of FINMA, PKB Privatbank SA committed serious breaches of money laundering regulations by failing to carry out adequate background checks into business relationships and transactions linked to the petroleum company Petrobras and the Brazilian construction group Odebrecht. FINMA ordered the disgorgement of profits in the amount of 1.3 million Swiss francs and the appointment of an external auditor to monitor the implementation of remediation measures and the effectiveness of the same.8
Raiffeisen Switzerland SA
Most recently, FINMA determined that the board of Raiffeisen Switzerland SA failed to adequately supervise its former chief executive officer, who is under criminal investigation for mismanagement. FINMA requested remediation of the bank's corporate governance framework, including the evaluation of the transformation from a cooperative to a limited company, and the appointment of an auditor to assess the progress and implementation of the FINMA recommendations.9
During the course of their appointment, the monitors, whose activities are covered by official secrecy, report directly to FINMA. FINMA will only appoint accredited representatives without input from the supervised institution, which cannot oppose the engagement. A current list of accredited mandataries can be accessed on the FINMA website.10
Credit Suisse SA
In late 2018, FINMA concluded enforcement proceedings against Credit Suisse SA. FINMA identified deficiencies in the bank's adherence to anti-money laundering in relation to suspected corruption related to the International Federation of Association Football, Petrobras and the Venezuelan oil corporation Petróleos de Venezuela SA. In addition, FINMA also identified deficiencies in the anti-money laundering process related to a 'politically exposed person' and shortcomings in the bank's control mechanisms and risk management. Credit Suisse is now required to remediate its control systems and processes to detect, categorise, monitor and document higher-risk relationships adequately. To that end, FINMA will mandate a monitor to review the implementation of these measures.11
Foreign monitors in Switzerland
Swiss companies or foreign companies with Swiss subsidiaries may find themselves subject to monitors appointed by supervisory authorities from other countries, primarily from the United States. Recent examples include monitors appointed to oversee Swiss banks who settled with US federal and state supervisory agencies. For instance, in 2014, Credit Suisse agreed to the appointment of a US monitor as part of its consent agreement with the New York State Department of Financial Services (DFS). The same year, Bank Leumi USA and Bank Leumi Le-Israel entered into a consent order with the DFS and agreed on a US monitor, which also investigated Bank Leumi (Switzerland) Ltd. Following the settlement with the DFS, Bank Leumi sold its Swiss private client business to Bank Julius Bär and is now in the process of liquidation.
In the course of their engagement in Switzerland, foreign monitors and the monitored entity must comply with Swiss law and should coordinate their activities closely with Swiss regulators. Monitors are often granted unlimited access to confidential information related to the company, in particular to personal data of employees and clients, and business secrets. This access to confidential data raises several legal questions concerning data protection, employment law, and potential banking secrecy and criminal law aspects, in particular regarding the offences of unlawful activities on behalf of foreign states and industrial espionage, according to Articles 271 and 273 of the Swiss Criminal Code (SCC).
Unlawful activities on behalf of foreign states
According to Article 271(1) SCC, it is a criminal offence to carry out activities on behalf of a foreign state on Swiss territory without permission, where these activities are entrusted to a public authority or public official, or to entice, aid or abet these activities.
Article 271(1) SCC is derived from the principle of Swiss sovereignty over Swiss territory. It also aims to prevent the circumvention of the rules on international judicial assistance in criminal, administrative or civil matters. Article 271(1) SCC is often referred to as a 'blocking statute' as it prevents individuals in Switzerland from certain forms of collaboration with foreign authorities in the context of proceedings abroad.
Offences under Article 271(1) SCC are prosecuted ex officio by the Federal Office of the Attorney General.12 Since the offence under Article 271(1) SCC qualifies as a 'political offence' according to Title 13 SCC, prosecution of the same by the OAG is subject to prior authorisation by the Swiss federal government.13
Perpetrators of Article 271(1) SCC can be subject to imprisonment of up to three years or a monetary penalty of up to 540,000 Swiss francs. Case law considering Article 271(1) SCC is relatively limited because the Swiss criminal system allows prosecutors, except for serious infringements, to sanction defendants by way of penal orders, which are in most cases not published by the OAG (but are made public on demand). However, Swiss criminal prosecutorial authorities take offences under Article 271 SCC seriously. Recent cases have resulted in lengthy and costly proceedings that have been heard before the Swiss Supreme Court.
To fall under Article 271(1) SCC, the offender must act on behalf or on account – although not necessarily at the express request – of a foreign state. The determining factor is whether the offender acts in the interest (i.e., for the benefit of the foreign state). According to case law, it is irrelevant whether the act in question is carried out by a foreign official or a private person. Foreign monitors acting on Swiss soil are subject to Article 271(1) SCC and before engaging in any activity in Switzerland require permission from the Federal Council. The same also applies to a company subject to a monitorship and its directors and senior management. Permission pursuant to Article 271 SCC is required since foreign monitors are appointed by and report to a foreign authority and typically act with some degree of sovereign authority.
The Swiss government has previously granted permits under Article 271(1) SCC in the context of the US Swiss Bank Tax Compliance Program to foreign and Swiss independent examiners to investigate and supervise financial institutions in Switzerland and allowed Swiss banks to provide sensitive data to the United States outside of the traditional legal and mutual legal assistance procedures.14 However, these permits were criticised by scholars as overly accommodating and being in violation of Swiss law, in particular regarding Swiss data protection and employment laws. Thus, it remains uncertain to what extent Article 271 SCC permits will be granted in future. Previous authorisations included extensive obligations on the monitors to comply with Swiss law, in particular data protection, employment and banking secrecy laws.
Inevitably, foreign monitors will collect and process personal data in the course of their investigations, and therefore must comply with the Swiss Federal Data Protection Act (FDPA). Personal data includes all information relating to an identified or identifiable person. Data subjects are natural persons or legal entities whose data is processed.15 Cross-border transfers of personal data must comply with the requirements of the FDPA, including that the data be transferred only to countries with adequate data protection laws.16 Article 6 FDPA sets forth limited circumstances under which personal data may be disclosed outside Switzerland, such as by waiver from the data subject or for an overriding public interest. For a waiver to be considered valid, it must be in writing, given voluntarily and on the basis of adequate information and, as a rule, before the data is processed.
In recent cases, the Swiss Federal Supreme Court prohibited Swiss banks from disclosing information on bank employees and related third parties to US authorities in the context of ongoing tax investigations. The Federal Supreme Court argued that the predominant interest of the bank to transfer the personal data of bank employees and related third parties must be carefully assessed and should not be presumed.17 Even if a bank enters into a DPA with the US Department of Justice, the obligation to protect personal data according to Swiss law remains in place. Thus, monitors reporting to foreign authorities will inevitably be forced to balance the intended transfer of personal data with Swiss data protection considerations.
The FDPA is currently being revised to align it with the EU General Data Protection Regulation (GDPR), and the amended FDPA is expected to enter into force later in 2019. For foreign monitors acting in Switzerland, a well-drafted, up-to-date process to protect the data of individuals and legal entities is, therefore, crucial to ensure compliance with the FDPA.
Unlike data protection, which has grown in importance over the past several years, Switzerland has gradually reduced the protection of bank secrecy as a result of the increased automatic exchange of information between tax authorities and waivers granted to financial institutions by federal government. Nevertheless, Article 47 of the Swiss Federal Banking Act (SBA) remains unchanged. The provision prohibits corporate bodies, employees and representatives (such as, arguably, a monitor) from disclosing any information related to the clients of banks and, therefore, equally applies to (foreign) monitors of Swiss entities. Breaches of Article 47 SBA are subject to the imprisonment for a period up to five years or a fine.
In any case, foreign monitors of Swiss financial institutions must take proper measures to ensure that client data is not disclosed to third parties, including foreign supervisory authorities without legal justification. Thus, the monitors must either redact or otherwise anonymise client data or obtain waivers from those clients or individuals before transferring any data covered by Article 47 SBA to third parties or abroad.
A recent trend in Switzerland is voluntary monitorships, where companies under investigation commit to engage independent external compliance counsel to remediate compliance shortcomings. This development is certainly a result of the increased enforcement of the corporate criminal offence of failure to prevent bribery and money laundering, which requires companies to take all necessary and appropriate compliance measures to prevent such offences by their employees.18 Companies violating this law face fines of up to 5 million Swiss francs and the disgorgement of profits resulting from the corporate criminal offence. In recent cases, disgorgement of profits has involved amounts up to 200 million Swiss francs. Further, criminal and civil liability for managers has become an important topic in practice and in the media in the context of corporate governance and compliance scandals at Swiss state-owned enterprises, multinational companies and Swiss banks.
In these cases, the best practice would be for the board to appoint an independent monitor who reports to the board. The monitor is typically commissioned to independently assess the maturity of the compliance management system and make recommendations for remediation and improvement. The most common benchmark for the assessment of compliance management systems is ISO Standard 19600 Compliance Management Systems, which is also available in the official languages of German and French and as a Swiss Standard.19 Meanwhile, the ISO Standard has been introduced by a number of companies, some of which are independently certified under the Standard. Currently, several companies listed on the SIX Swiss Exchange are seeking certification under the Standard. The ISO Standard has proven to be easy to implement, particularly as many Swiss companies are already familiar with a number of ISO management system standards.20 In line with ISO 19600, monitors typically focus on good compliance governance, leadership, values, culture and remuneration or promotion processes and criteria. Also, communication, measurement of effectiveness, reporting and escalation mechanisms (including reporting mechanisms) are at the core of these verifications.
Future criminal law monitorships in Switzerland
A recent important development is the proposal by the OAG to introduce a new Article 318 bis to the CPC to establish DPAs for companies.21 This proposal also includes the mandatory imposition of monitors. Article 318 bis, Paragraph 1 would allow the prosecutor to suspend an indictment against a company and conclude an agreement similar to a DPA concluded in common law countries such as the United States. To be considered for a DPA, the company must fully cooperate with the prosecutor at all stages of the investigation. A key and compulsory element of such an agreement would be the appointment of an independent monitor tasked with the review and reporting to the prosecutor on the basis of the terms of the agreement. These regular reports would be submitted to the OAG over the course of monitorship, which could last from two to five years. Should the company violate the terms of the agreement, the company would be afforded the opportunity to remedy the weaknesses. Once the company has met the conditions set forth in the agreement, the OAG would conclude the proceedings against the company without indictment. If the company fails to remedy the issues cited in the DPA, it would face indictment.
To date, it is unclear whether the proposal of the OAG to include a 'Swiss DPA' in the revision of the CPC will be adopted by the Swiss parliament. At present, the response from the legislature is expected in the coming months.
In summary, monitorships do not yet have a long tradition and do not currently have an explicit and refined legal basis in Switzerland. Nevertheless, as a result of increased enforcement, international cooperation and higher risks of liability, both mandatory and voluntary monitorships have been acknowledged and established their place in practice as an important and effective tool for sustainable and effective compliance remediation and improvement.
1 Simone Nadelhofer and Daniel Lucien Bühr are partners at LALIVE SA. The authors would like to thank Katja Böttcher and Jonathon E Boroski for their contributions to this chapter.
4 Swiss Financial Market Supervisory Authority, 'FINMA sanctions Coutts for 1MDB breaches', 2 February 2017, https://www.finma.ch/en/news/2017/02/20170202-mm-coutts/.
5 Swiss Financial Market Supervisory Authority, 'Update on 1MDB proceedings against J.P. Morgan', 21 December 2017, https://www.finma.ch/en/news/2017/12/20171221-mm-jpm/.
6 Swiss Financial Market Supervisory Authority, 'FINMA concludes final 1MDB proceedings', 20 July 2018, https://www.finma.ch/en/news/2018/07/20180720-mm-rothschild/.
7 Swiss Financial Market Supervisory Authority, 'FINMA concludes Panama Papers proceedings against Gazprombank Switzerland', 1 February 2018, https://www.finma.ch/en/news/2018/02/20180201-
8 Swiss Financial Market Supervisory Authority, 'Money laundering prevention: FINMA concludes proceedings against PKB', 1 February 2018, https://www.finma.ch/en/news/2018/02/20180201-mm-pkb/.
9 Swiss Financial Market Supervisory Authority, 'Raiffeisen: major corporate governance failings', 14 June 2018, https://www.finma.ch/en/news/2018/06/20180614-mm-raiffeisen.
11 Swiss Financial Market Supervisory Authority, 'FINMA finds deficiencies in anti-money laundering processes at Credit Suisse', 17 September 2018, https://www.finma.ch/en/news/2018/09/20180917-mm-gwg-cs/.
12 Article 23(1)(h) of the Swiss Code of Criminal Procedure.
13 Article 66 of the Swiss Act on the Organization of the Federal Criminal Authorities.
14 For further information on the US programme, please see the explanation provided on the website of the Swiss State Secretariat for Internal Finance: https://www.sif.admin.ch/sif/en/home/bilateral/amerika/vereinigen-staaten-von-amerika-usa/bankenprogramm.html.
15 Article 3 FDPA.
16 A list of the countries deemed to have adequate data protection laws can be found on the website of the Swiss Federal Data Protection and Information Commissioner: https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html.
17 Decision of the Federal Supreme Court, 26 July 2017, BGE 4A_73/2017 and 20 June 2018, BGE 4A_294/2018.
18 Article 102 SCC.
19 SN ISO 19600.
20 e.g., ISO 9001 Quality Management; ISO 27000 IT Security Management Systems; ISO 14001 Environmental Management Systems; ISO 31000 Risk Management; and ISO 37001 Anti-Bribery Management Systems.
21 The proposed draft of Article 318 bis can be found (in German) on the Swiss Federal Council website at: https://www.admin.ch/ch/d/gg/pc/documents/2914/Organisationen_Teil_1.pdf, page 42.