At present, monitorships – as traditionally understood – do not have a legal basis under Swiss Criminal Law, and thus Switzerland does not have an extensive history or experience of locally appointed monitors. However, similar mechanisms are available to the Swiss Financial Market Supervisory Authority (FINMA) for the investigation and the monitoring of financial institutions. Furthermore, we have seen a recent trend of voluntary monitorships becoming an element of penal orders in cases of corporate criminal liability investigated by the Swiss Office of the Attorney General (OAG).
Monitoring of FINMA-supervised financial institutions
Unlike Swiss criminal law, Swiss administrative financial market law has included the use of monitors for some time. The Federal Act on the Swiss Financial Market Supervisory Authority (FINMASA) permits FINMA to appoint third-party auditors or investigating agents (referred to by FINMA as mandataries) based, respectively, on Articles 24a and 36 of FINMASA to ‘implement supervisory measures that it has ordered’.
In the course of their appointment, the mandataries will review, investigate and evaluate facts relating to supervisory actions. They may be tasked with auditing the institution as instructed by FINMA in the context of FINMA’s supervisory activities and may be deployed as part of a FINMA-ordered enforcement audit, including a review of the implementation of compliance remediation measures ordered by FINMA.
A number of multinational financial institutions with subsidiaries or branches in Switzerland have been subjected to investigation monitoring by FINMA, as discussed below.
Following investigations into 1MDB, FINMA finalised enforcement proceedings in 2017 and 2018 against Coutts & Co SA, JPMorgan (Suisse) SA and Rothschild Bank SA.
Coutts & Co SA was investigated in 2017 for money laundering offences resulting in FINMA’s order to disgorge profits in the amount of 6.5 million Swiss francs. However, FINMA refrained from imposing organisational measures since Coutts had already decided to sell its business to Union Bancaire Privée, UBP SA, but reserved the right to pursue enforcement proceedings against the employees involved.
FINMA identified serious shortcomings at JPMorgan (Suisse) SA relating to its anti-money laundering controls. In this case, FINMA chose to conduct an in-depth review of the bank’s anti-money laundering system and appointed a mandatary to carry out an on-site review. FINMA also informed the Office of the Comptroller of the Currency, the US regulator responsible for the parent of the Swiss bank.
FINMA cited Rothschild Bank SA and one of its subsidiaries for lack of due diligence, reporting and documentation that led to breaches of their anti-money laundering obligations in the wake of the 1MDB scandal. As a result of the steps already implemented by the bank, FINMA appointed a monitor only to review remediation measures already undertaken.
With the conclusion of the enforcement proceedings against Rothschild Bank SA, the current investigations relating to the 1MDB scandal have been concluded.
In January 2018, FINMA completed its investigation against Gazprombank (Switzerland) Ltd in connection with Panama Papers. FINMA identified serious deficiencies in Gazprombank’s due diligence, compliance and risk management systems, leading to a ban on the bank’s expansion into further private client business and the appointment of an external monitor to closely supervise its remediation measures and efforts to improve its risk and control functions.
According to FINMA’s findings, PKB Privatbank SA, Lugano, committed serious breaches of money laundering regulations by failing to carry out adequate background checks into business relationships and transactions linked to the petroleum company Petrobras and the Brazilian construction group Odebrecht. FINMA ordered the disgorgement of profits in the amount of 1.3 million Swiss francs and the appointment of an external auditor to monitor the implementation of remediation measures and the effectiveness of the same. PKB Privatbank SA is also subject to investigation by the OAG for suspected organisational failure to prevent money laundering.
Raiffeisen Switzerland SA
FINMA determined that the board of directors of Raiffeisen Switzerland failed to adequately supervise its former chief executive officer, who is under criminal investigation for mismanagement. FINMA requested remediation of the bank’s corporate governance framework, including an evaluation of the transformation from a cooperative to a limited company, and the appointment of an auditor to assess the progress and implementation of the FINMA recommendations.
During the course of their appointment, the monitors, whose activities are covered by official secrecy, report directly to FINMA. FINMA will only appoint accredited representatives without input from the supervised institution, which cannot oppose the engagement. A current list of accredited mandataries can be accessed on the FINMA website.
Credit Suisse SA
In late 2018, enforcement proceedings were concluded against Credit Suisse SA. FINMA identified deficiencies in the bank’s adherence to anti-money laundering in relation to suspected corruption relating to the International Federation of Association Football (FIFA), Petrobras and the Venezuelan oil corporation Petróleos de Venezuela, SA. In addition, FINMA identified deficiencies in the anti-money laundering process relating to a ‘politically exposed person’ and shortcomings in the bank’s control mechanisms and risk management. Credit Suisse is now required to remediate its control systems and processes to detect, categorise, monitor and document higher-risk relationships adequately. To that end, FINMA will mandate a monitor to review the implementation of these measures.
Foreign monitors in Switzerland
Swiss companies or foreign companies with Swiss subsidiaries may find themselves subject to monitors appointed by supervisory authorities from other countries, primarily from the United States. Recent examples include monitors appointed to oversee Swiss banks that settled with US federal and state supervisory agencies. For instance, in 2014, Credit Suisse agreed to the appointment of a US monitor as part of its consent agreement with the New York State Department of Financial Services (NY DFS). The same year, Bank Leumi USA and Bank Leumi Le-Israel entered into a consent order with the NY DFS and agreed on a US monitor, which also investigated Bank Leumi (Switzerland) Ltd. Following the settlement with the NY DFS, Bank Leumi sold its Swiss private client business to Bank Julius Bär and is now in the process of liquidation.
In the course of their engagement in Switzerland, foreign monitors and the monitored entity must comply with Swiss law and should coordinate their activities closely with Swiss regulators. Monitors are often granted unlimited access to confidential information relating to the company, in particular to personal data of employees and clients, and business secrets. This access to confidential data raises several legal questions concerning data protection and employment law, in addition to potential banking secrecy and criminal law aspects, in particular regarding the offences of unlawful activities on behalf of foreign states and industrial espionage under Articles 271 and 273 of the Swiss Criminal Code (SCC).
Unlawful activities on behalf of foreign states
According to Article 271(1) of the SCC, it is a criminal offence to carry out activities on behalf of a foreign state on Swiss territory without permission, when those activities are entrusted to a public authority or public official, or to entice, aid or abet those activities.
Article 271(1) of the SCC is derived from the principle of Swiss sovereignty over Swiss territory. It also aims to prevent the circumvention of the rules on international judicial assistance in criminal, administrative or civil matters. Article 271(1) of the SCC is often referred to as a ‘blocking statute’ as it prevents individuals in Switzerland from certain forms of collaboration with foreign authorities in the context of proceedings abroad.
Offences under Article 271(1) of the SCC are prosecuted ex officio by the Federal Office of the Attorney General. Since the offence under Article 271(1) of the SCC qualifies as a ‘political offence’ under Title 13 of the SCC, prosecution of the same by the OAG is subject to prior authorisation by the Swiss federal government.
Perpetrators of an offence Article 271(1) SCC can be liable to imprisonment for up to three years or a monetary penalty of up to 540,000 Swiss francs. Case law considering Article 271(1) of the SCC is relatively limited because the Swiss criminal system allows prosecutors, except for serious infringements, to sanction defendants by way of penal orders, most of which are not published by the OAG (but are made public on demand). However, Swiss criminal prosecutorial authorities take offences under Article 271 of the SCC seriously and regularly prosecute suspected offences.
In a 2018 case, the Swiss Federal Criminal Court ruled against the chairman of a wealth management firm who transferred client data to the United States Department of Justice. Following an internal audit, the firm’s board of directors ordered an examination of certain client accounts that possibly were not compliant with US tax obligations. After the US Department of Justice renounced requesting the data through mutual legal assistance, the company obtained a second legal opinion, confirming an earlier opinion, concluding that Article 271 would not be applicable in the circumstances. The arguments were based on the voluntary nature of the submission of personal data, specifically the emergency situation of the bank. Based on these opinions, the chairman voluntarily provided a USB drive holding personal data of potentially non-compliant US clients to facilitate and quickly conclude negotiations for a non-prosecution agreement with the US Department of Justice.
The Swiss Federal Criminal Court found that, by transferring documents containing the data of third parties to a foreign authority in this context, the chairman violated Article 271(1) of the SCC by circumventing the mutual legal assistance procedure without permission. This decision is now final.
To fall under Article 271(1) of the SCC, an offender must act on behalf or on account – although not necessarily at the express request – of a foreign state. The determining factor is whether the offender acts in the interests, that is for the benefit, of the foreign state. According to case law, it is irrelevant whether the act in question is carried out by a foreign official or a private person. Foreign monitors acting on Swiss soil are subject to Article 271(1) of the SCC and require permission from the Federal Council before engaging in any sovereign activity in Switzerland. The same also applies to a company subject to a monitorship and its directors and senior management. Permission pursuant to Article 271 of the SCC is required since foreign monitors are appointed by and report to a foreign authority and typically act with a degree of sovereign authority.
The Swiss government has granted permits under Article 271(1) of the SCC in the context of the US Swiss Bank Tax Compliance Programme to foreign and Swiss independent examiners to investigate and supervise financial institutions in Switzerland and allowed Swiss banks to provide sensitive data to the United States outside the traditional legal and mutual legal assistance procedures. However, these permits were criticised by scholars as being overly accommodating and in violation of Swiss law (data protection and employment laws in particular). Thus, it is still uncertain to what extent permits under Article 271(1) of the SCC will be granted in future. Previous authorisations included extensive obligations on the monitors to comply with Swiss law, in particular data protection, employment and banking secrecy laws.
Inevitably, foreign monitors will collect and process personal data in the course of their investigations, and therefore must comply with the Swiss Federal Data Protection Act (FDPA). Personal data includes all information relating to an identified or identifiable person. Data subjects are natural persons or legal entities whose data is processed. Cross-border transfers of personal data must comply with the requirements of the FDPA, including that the data be transferred only to countries with adequate data protection laws. Article 6 of the FDPA sets forth limited circumstances under which personal data may be disclosed outside Switzerland, such as by waiver from the data subject or for an overriding public interest. For a waiver to be considered valid, it must be in writing, given voluntarily and on the basis of adequate information and, as a rule, before the data is processed.
The Swiss Federal Supreme Court has previously prohibited Swiss banks from disclosing information about bank employees and related third parties to US authorities in the context of current tax investigations. The Federal Supreme Court argued that the predominant interest of the bank to transfer the personal data of bank employees and related third parties must be carefully assessed and should not be presumed. Even if a bank enters into a deferred prosecution agreement (DPA) with the US Department of Justice, the obligation to protect personal data according to Swiss law remains in place. Thus, monitors reporting to foreign authorities must balance the transfer of personal data and Swiss data protection requirements.
The FDPA is currently being revised to align it with the European Union General Data Protection Regulation and the amended FDPA is expected to enter into force in 2021. For foreign monitors acting in Switzerland, a well-drafted, up-to-date process to protect the data of individuals and legal entities is therefore crucial to ensure compliance with the FDPA.
Unlike data protection, which has been growing in importance for several years, Switzerland has gradually reduced the protection of bank secrecy as a result of the increased automatic exchange of information between tax authorities and waivers granted to financial institutions by federal government. Nevertheless, Article 47 of the Swiss Federal Banking Act (SBA) remains unchanged to date. The provision prohibits corporate bodies, employees and representatives (such as, arguably, a monitor) from disclosing any information relating to the clients of banks and therefore equally applies to (foreign) monitors of Swiss entities. Breaches of Article 47 of the SBA are subject to imprisonment for up to five years or a fine.
In any case, foreign monitors of Swiss financial institutions must take proper measures to ensure that client data is not disclosed to third parties, including foreign supervisory authorities, without legal justification. Thus, monitors must either redact or otherwise anonymise client data or obtain waivers from those clients or individuals before transferring any data covered by Article 47 of the SBA to third parties or abroad.
A recent trend in Switzerland is voluntary monitorships, in which companies under investigation commit to engage independent external compliance counsel to remediate compliance shortcomings. This development is certainly a result of the increased enforcement of the corporate criminal offence of failure to prevent bribery and money laundering, which requires companies to take all necessary and appropriate compliance measures to prevent such offences by their employees. Companies violating this law face fines of up to 5 million Swiss francs and the disgorgement of profits resulting from the corporate criminal offence. In the most recent cases, disgorgement of profits has involved amounts up to 200 million Swiss francs. Furthermore, criminal and civil liability for managers has become an important topic in practice and in the media in the context of corporate governance and compliance scandals at Swiss state-owned enterprises, multinational companies and Swiss banks.
In these types of cases, the best practice would be for the board of directors to appoint an independent monitor who reports to the board. The monitor is typically commissioned to independently assess the maturity of the compliance management system and make recommendations for remediation and improvement. The most common benchmark for the assessment of compliance management systems is ISO Standard 19600 on compliance management systems. The ISO Standard has been introduced by a number of companies, some of which are independently certified under the Standard. Currently, several companies listed on Switzerland’s principal stock exchange, SIX, are seeking certification under the Standard.
The ISO Standard has proven to be easy to implement, particularly as many Swiss companies are already familiar with many ISO management system standards. In line with ISO 19600, monitors typically focus on good compliance governance, leadership, values, culture, and remuneration and promotion processes and criteria. Also, communication, measurement of effectiveness, reporting and escalation mechanisms (including reporting mechanisms) are at the core of these verifications.
Potential for criminal law monitorships in Switzerland
Following recent cases of self-reporting of criminal offences by companies, the OAG has proposed the introduction of a new Article 318 bis to the Swiss Criminal Procedure Code to establish DPAs for cooperating companies. This proposal included the mandatory imposition of monitors. Article 318 bis, Paragraph 1 would have allowed the prosecutor to suspend an indictment against a company and conclude an agreement similar to a DPA concluded in common law countries such as the United States.
However, in a dispatch released on 28 August 2019, the Federal Council decided not to pursue the OAG’s proposal at this time. The Federal Council considered the proposal as contradictory to the fundamental principles of Swiss criminal law, which requires the punishment of wrongdoing and verification of the decision by a court.
Thus, the integration of monitorships into Swiss criminal procedural law seems unlikely, at least in the near future.
In summary, monitorships in Switzerland lack the long tradition and explicit legal basis as in the United States. Nevertheless, as a result of increased enforcement, international cooperation and higher risks of liability, both mandatory and voluntary monitorships are broadly acknowledged and have established their place in practice as an important and effective tool for compliance management and – where necessary – remediation.
1 Simone Nadelhofer and Daniel Lucien Bühr are partners at LALIVE SA. The authors offer their thanks to Katja Böttcher and Jonathon E Boroski for their contributions to this chapter.
4 FINMA, ‘FINMA sanctions Coutts for 1MDB breaches’, 2 February 2017, at https://www.finma.ch/en/news/2017/02/20170202-mm-coutts/.
5 FINMA, ‘Update on 1MDB proceedings against J.P. Morgan’, 21 December 2017, at https://www.finma.ch/en/news/2017/12/20171221-mm-jpm/.
6 FINMA, ‘FINMA concludes final 1MDB proceedings’, 20 July 2018, at https://www.finma.ch/en/news/2018/07/20180720-mm-rothschild/.
7 FINMA, ‘FINMA concludes Panama Papers proceedings against Gazprombank Switzerland’, 1 February 2018, at https://www.finma.ch/en/news/2018/02/20180201-mm-gazprombank-schweiz/.
8 FINMA, ‘Money laundering prevention: FINMA concludes proceedings against PKB’, 1 February 2018, at https://www.finma.ch/en/news/2018/02/20180201-mm-pkb/.
9 Bruppacher, Balz, ‘Geldwäscherei: Nach Korruptionsskandal: Bundesanwaltschaft nimmt Banken ins Visier’, Luzerner Zeitung, 1 February 2018, at https://www.luzernerzeitung.ch/wirtschaft/geldwaescherei-nach-korruptionsskandal-bundesanwaltschaft-nimmt-banken-ins-visier-ld.84874.
10 FINMA, ‘Raiffeisen: major corporate governance failings’, 14 June 2018, at https://www.finma.ch/en/news/2018/06/20180614-mm-raiffeisen.
12 FINMA, ‘FINMA finds deficiencies in anti-money laundering processes at Credit Suisse’, 17 September 2018, at https://www.finma.ch/en/news/2018/09/20180917-mm-gwg-cs/.
13 Swiss Code of Criminal Procedure, Article 23(1)(h).
14 Swiss Act on the Organisation of the Federal Criminal Authorities, Article 66.
15 Decision of the Federal Supreme Court, 4 December 2018, 6B_804/2018 and Federal Criminal Court, 9 May 2018, SK.2017.64.
16 Decision of the Federal Criminal Court, 5 December 2019, CA 2019.6.
17 For further information about the US Programme, see the explanation provided on the website of the Swiss State Secretariat for International Finance, at https://www.sif.admin.ch/sif/en/home/bilateral/amerika/vereinigen-staaten-von-amerika-usa/bankenprogramm.html.
18 Swiss Federal Data Protection Act, Article 3.
19 A list of the countries deemed to have adequate data protection laws is published (in French) on the website of the Swiss Federal Data Protection and Information Commissioner, at https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html.
20 Decisions of the Federal Supreme Court, 26 July 2017, BGE 4A_73/2017 and 20 June 2018, BGE 4A_294/2018.
21 Swiss Criminal Code, Article 102.
22 Also available in German and French as a Swiss Standard (SN ISO 19600).
23 Such as ISO 9001 on quality management, ISO 27000 on IT security management systems, ISO 14001 on environmental management systems, ISO 31000 on risk management and ISO 37001 on anti-bribery management systems.
24 The proposed draft of Article 318 bis of the Swiss Criminal Procedure Code can be found (in German) on the Swiss Federal Council website, at https://www.admin.ch/ch/d/gg/pc/documents/2914/Organisationen_Teil_1.pdf, page 42.
25 Available (in German) at https://www.admin.ch/opc/de/federal-gazette/2019/6697.pdf, page 6722.