Monitorships: The Swiss Perspective
This is an Insight article, written by a selected partner as part of GIR's co-published content.
Monitorships – as traditionally understood and used by US regulators – do not yet have a proper legal basis under Swiss Criminal Law, and thus Switzerland does not have an extensive history or experience of locally appointed monitors. However, similar mechanisms are available to the Swiss Financial Market Supervisory Authority (FINMA) for the investigation and the monitoring of financial institutions. Furthermore, voluntary monitorships are an instrument regularly employed by companies in the context of internal or external investigations. In the case of monitorships imposed abroad and operating in Switzerland, foreign monitors must consider the Swiss legal framework.
Monitoring of FINMA-supervised financial institutions
Unlike Swiss criminal law, Swiss administrative financial market law has included the use of monitors for some time. The Federal Act on the Swiss Financial Market Supervisory Authority (FINMASA) permits FINMA to appoint third-party auditors or investigating agents (referred to by FINMA as mandataries) based, respectively, on Articles 24a and 36 of FINMASA to ‘implement supervisory measures that it has ordered’.
In the course of their appointment, the mandataries will review, investigate and evaluate facts relating to supervisory actions. They may be tasked with auditing the institution as instructed by FINMA in the context of FINMA’s supervisory activities and may be deployed as part of a FINMA-ordered enforcement audit, including a review of the implementation of compliance remediation measures ordered by FINMA.
During the course of their tenure, the monitors, whose activities are covered by official secrecy, report directly to FINMA. FINMA will only appoint independent accredited auditors. The supervised institution has no formal right of refusal and can only oppose the engagement in the case of a lack of independence. A current list of accredited mandataries can be accessed on the FINMA website.
A number of multinational financial institutions with subsidiaries or branches in Switzerland have been subject to investigation and monitoring by FINMA, as discussed in the following paragraphs.
In January 2018, FINMA completed its investigation against Gazprombank (Switzerland) Ltd in connection with the Panama Papers. FINMA identified serious deficiencies in Gazprombank’s due diligence, compliance and risk management systems, leading to a ban on the bank’s expansion into further private client business and the appointment of an external monitor to closely supervise its remediation measures and efforts to improve its risk and control functions.
According to FINMA’s findings, PKB Privatbank SA, in Lugano, committed serious breaches of money laundering regulations by failing to carry out adequate background checks into business relationships and transactions linked to the petroleum company Petrobras and the Brazilian construction group Odebrecht. FINMA ordered the disgorgement of profits in the amount of 1.3 million Swiss francs and the appointment of an external auditor to monitor the implementation of remediation measures and the effectiveness of the same. PKB Privatbank SA is also subject to investigation by the Office of the Attorney General (OAG) for suspected organisational failure to prevent money laundering.
Raiffeisen Switzerland SA
FINMA determined that the board of directors of Raiffeisen Switzerland failed to adequately supervise its former chief executive officer, who, at the time of writing, is on trial for mismanagement. FINMA requested remediation of the bank’s corporate governance framework, including an evaluation of the transformation from a cooperative to a limited company, and the appointment of an auditor to assess the progress and implementation of the FINMA recommendations.
Credit Suisse SA
In late 2018, enforcement proceedings were concluded against Credit Suisse SA. FINMA identified deficiencies in the bank’s adherence to anti-money laundering rules in relation to suspected corruption concerning the International Federation of Association Football (FIFA), Petrobras and the Venezuelan oil corporation Petróleos de Venezuela, SA. In addition, FINMA identified deficiencies in the anti-money laundering process regarding a ‘politically exposed person’ and shortcomings in the bank’s control mechanisms, risk management and corporate governance. Credit Suisse was required to remediate its control systems and processes to detect, categorise, monitor and document higher-risk relationships adequately. To that end, FINMA mandated a monitor to review the implementation of these measures.
FINMA concluded its investigation in October 2021. In addition to the remediation adopted by the bank, the Swiss supervisory authority recommended additional measures, including the adoption of a new internal reporting system and timely, documented reporting on governance topics to top-level management. Furthermore, FINMA issued written reprimands and opened enforcement proceedings against individuals involved in the matter.
In January 2020, FINMA identified serious deficiencies at Julius Baer with regard to both compliance with the bank’s obligations under Swiss money laundering law and the requirements for appropriate risk management. The resulting investigations examined corruption in relation to Petróleos de Venezuela, SA and FIFA. Julius Baer was ordered to implement processes to identify portfolios with a high risk of money laundering, change its remuneration policy, establish a board committee focusing on conduct and compliance issues, and refrain from transactions carrying significant operating risks. As part of the bank’s mandated remediation, FINMA appointed an independent auditor to ensure that the measures are implemented.
The appointment of third-party auditors or investigating agents remains an efficient instrument for FINMA in strengthening banks’ governance, risk management and compliance management, in particular regarding the effectiveness of combating money laundering.
Foreign monitors in Switzerland
Swiss companies or foreign companies with Swiss subsidiaries may find themselves subject to oversight by monitors appointed by supervisory authorities from other countries, primarily from the United States. Recent examples include monitors appointed to oversee Swiss banks that settled with US federal and state supervisory agencies. For instance, in 2014, Credit Suisse agreed to the appointment of a US monitor as part of its consent agreement with the New York State Department of Financial Services (NY DFS). The same year, Bank Leumi USA and Bank Leumi Le-Israel entered into a consent order with the NY DFS and agreed on a US monitor, which also investigated Bank Leumi (Switzerland) Ltd. Following the settlement with the NY DFS, Bank Leumi sold its Swiss private client business to Bank Julius Baer and is now in the process of liquidation.
In the course of their engagement in Switzerland, foreign monitors and the monitored entity must comply with Swiss law and must coordinate their activities closely with Swiss regulators. Monitors are granted unlimited access to confidential information relating to the company, in particular to personal data of employees and clients, and business secrets. This access to confidential data raises several legal questions concerning data protection and employment law, in addition to potential banking secrecy and criminal law aspects, in particular regarding the offences of unlawful sovereign activities on behalf of foreign states and industrial espionage under Articles 271 and 273 of the Swiss Criminal Code (SCC).
Unlawful activities on behalf of foreign states
According to Article 271(1) of the SCC, it is a criminal offence to carry out sovereign activities on behalf of a foreign state on Swiss territory without permission, when those activities are entrusted to a public authority or public official, or to entice, aid or abet those activities.
Article 271(1) of the SCC is derived from the principle of Swiss sovereignty over Swiss territory. It also aims to prevent the circumvention of the rules on international judicial assistance in criminal, administrative or civil matters. Article 271(1) of the SCC is often referred to as a ‘blocking statute’ as it prevents individuals in Switzerland from certain forms of collaboration with foreign authorities in the context of proceedings abroad.
Offences under Article 271(1) of the SCC are prosecuted ex officio by the Federal Office of the Attorney General. Since the offence under Article 271(1) of the SCC qualifies as a ‘state offence’ under Title 13 of the SCC, prosecution of the same by the OAG is subject to prior authorisation by the Swiss federal government.
Perpetrators of an offence under Article 271(1) of the SCC can be liable to imprisonment for up to three years or a monetary penalty of up to 540,000 Swiss francs. Case law considering Article 271(1) is relatively limited because the Swiss criminal system allows prosecutors, except for serious infringements, to sanction defendants by way of penal orders, most of which are not published by the OAG (although they are made public on demand). However, Swiss criminal prosecutorial authorities take offences under Article 271 of the SCC seriously and regularly prosecute suspected offences.
In a 2018 case, the Swiss Federal Criminal Court ruled against the chairman of a wealth management firm who transferred client data to the United States Department of Justice (US DOJ). Following an internal audit, the firm’s board of directors ordered an examination of certain client accounts that possibly were not compliant with US tax obligations. After the US DOJ chose not to request the data through mutual legal assistance, the company obtained a second legal opinion, confirming an earlier one, concluding that Article 271 of the SCC would most likely not be applicable in the circumstances. The arguments were based on the voluntary nature of the submission of personal data, specifically the emergency situation of the bank. Based on these opinions, the chairman voluntarily provided a USB drive holding personal data of potentially non-compliant US clients to facilitate and quickly conclude negotiations for a non-prosecution agreement with the US DOJ.
The Swiss Federal Criminal Court found that, by transferring documents containing the data of third parties to a foreign authority in this context, the chairman violated Article 271(1) of the SCC by circumventing the mutual legal assistance procedure without permission. This decision is now final.
To fall under Article 271(1) of the SCC, an offender must act on behalf or on account – although not necessarily at the express request – of a foreign state. The determining factor is whether the offender acts in the interests, that is for the benefit, of the foreign state. According to case law, it is irrelevant whether the act in question is carried out by a foreign official or a private person. Foreign monitors acting on Swiss soil are subject to Article 271(1) of the SCC and require permission from the Federal Council before engaging in any sovereign activity in Switzerland. The same also applies to a company subject to a monitorship and its directors and senior management. Permission pursuant to Article 271 of the SCC is required since foreign monitors are appointed by and report to a foreign authority and typically act with a degree of sovereign authority.
The Swiss government has granted permits under Article 271(1) of the SCC in the context of the US Swiss Bank Tax Compliance Programme to foreign and Swiss independent examiners to investigate and supervise financial institutions in Switzerland and allowed Swiss banks to provide sensitive data to the United States outside the traditional legal and mutual legal assistance procedures. However, these permits were criticised by scholars as being overly accommodating and in violation of Swiss law (data protection and employment laws in particular). Thus, it is still uncertain to what extent permits under Article 271(1) of the SCC will be granted in future. Previous authorisations included extensive obligations on monitors to comply with Swiss law, in particular data protection, employment and banking secrecy laws.
Inevitably, foreign monitors will collect and process personal data in the course of their investigations, and therefore must comply with the Swiss Federal Data Protection Act (FDPA). The Swiss Parliament adopted a revised FDPA on 25 September 2020, which aligns Swiss data protection law with Regulation (EU) 2016/679 (the General Data Protection Regulation). The revised FDPA is expected to enter into force in the second half of 2022. Although Switzerland has always maintained strict data protection regulations, the revised FDPA strengthens existing data protection by introducing more transparency with regard to data processing, the personal responsibility of data processors and the position of the Federal Data Protection Commissioner, and implementing penal provisions should these protections be violated.
Under the FDPA, personal data includes all information relating to an identified or identifiable person. Data subjects are natural persons or legal entities whose data is processed; legal entities are no longer considered data subjects under the revised FDPA. Cross-border transfers of personal data must comply with the requirements of the FDPA, including that the data be transferred only to countries with adequate data protection laws. Article 17 of the revised FDPA sets forth limited circumstances under which personal data may be disclosed outside Switzerland, such as by explicit consent or waiver from the data subject, to protect an overriding public interest or for the establishment, exercise or enforcement of legal claims before a court or competent foreign authority. For a waiver to be considered valid, it must be in writing, given voluntarily and on the basis of adequate information and, as a rule, before the data is processed.
The Swiss Federal Supreme Court has previously prohibited Swiss banks from disclosing information about bank employees and related third parties to US authorities in the context of current tax investigations. The Federal Supreme Court argued that the predominant interest of the bank to transfer the personal data of bank employees and related third parties must be carefully assessed and should not be presumed. Even if a bank enters into a deferred prosecution agreement (DPA) with the US DOJ, the obligation to protect personal data according to Swiss law remains in place. Thus, monitors reporting to foreign authorities must balance the transfer of personal data and Swiss data protection requirements.
For foreign monitors acting in Switzerland, a well-drafted, up-to-date process to protect the data of individuals and legal entities is therefore crucial to ensure compliance with the (revised) FDPA.
Unlike data protection, which has been growing in importance for several years, Switzerland has gradually reduced the protection of bank secrecy as a result of the increased automatic exchange of information between tax authorities and waivers granted to financial institutions by the federal government. Nevertheless, Article 47 of the Swiss Federal Banking Act (SBA) remains unchanged to date. The provision prohibits corporate bodies, employees and representatives (such as, arguably, a monitor) from disclosing any information relating to the clients of banks and, therefore, applies equally to (foreign) monitors of Swiss entities. Breaches of Article 47 of the SBA are subject to imprisonment for up to five years or a fine.
In any case, foreign monitors of Swiss financial institutions must take proper measures to ensure that client data is not disclosed to third parties, including foreign supervisory authorities, without legal justification. Thus, monitors must either redact or otherwise anonymise client data or obtain waivers from those clients or individuals before transferring any data covered by Article 47 of the SBA to third parties or abroad.
A recent trend in Switzerland is the implementation of voluntary monitorships, in which companies under (proactive) internal or (reactive) external investigation commit to engage independent external compliance counsel to assess the maturity of the compliance management system and remediate possible compliance shortcomings. This development is certainly a result of the increased enforcement of the corporate criminal offence of failure to prevent bribery and money laundering, which requires companies to take all necessary and appropriate compliance measures to prevent their employees committing these offences. Companies violating this law face fines of up to 5 million Swiss francs and the disgorgement of profits resulting from the corporate criminal offence. In the most recent cases, disgorgement of profits has involved amounts up to 200 million Swiss francs. Furthermore, criminal and civil liability for managers has become an important topic in practice and in the media in the context of corporate governance and compliance scandals at Swiss state-owned enterprises, multinational companies and Swiss banks.
In these types of cases, the best practice would be for the board of directors to appoint an independent monitor who reports to the board. The monitor is typically commissioned to independently assess the maturity of the compliance management system and make recommendations for remediation and improvement. In the past few years, the most common benchmark for the assessment of compliance management systems was ISO Standard 19600, which was replaced in April 2021 by ISO Standard 37301 on Compliance Management Systems and is complemented by ISO 37000, the International Standard on Governance of Organizations. ISO Standard 19600 was introduced by a number of companies, some of which now seek certification under ISO 37301. Also, all federal companies and institutions (such as Swisscom and ETH, the Swiss Federal Institute of Technology) are mandated by the Swiss government to implement risk and compliance management systems in line with ISO standards and seek regular independent audit and certification.
The new ISO Standard 37000:2021 on Governance (which was published on 14 September 2021) sets out 11 core principles of good governance and the role of the members of governing bodies in defining and upholding standards relating to purpose, ethics and values, performance and social responsibility. As a result, companies now have the opportunity to demonstrate the implementation of effective governance.
With regard to state-of-the-art compliance management, the new ISO Standard 37301 does not materially differ from the previous requirements of ISO 19600. However, ISO 37301 is now a requirements standard and is the basis for independent certification (such as ISO 37001 – Anti-bribery management systems).
The ISO Standards have proven to be easy to implement, particularly as many Swiss companies are already familiar with many ISO management system standards. In line with ISO 37301, monitors typically focus on good compliance governance, leadership, values, culture, and remuneration and promotion processes and criteria. Furthermore, communication, measurement of effectiveness, reporting and escalation mechanisms (including reporting mechanisms) are at the core of these verifications.
Potential for criminal law monitorships in Switzerland
Following recent cases of self-reporting of criminal offences by companies, the OAG proposed the introduction of a new Article 318 bis to the Swiss Criminal Procedure Code in March 2018 to establish DPAs for cooperating companies. This proposal included the mandatory imposition of monitors. As proposed, Article 318 bis would have provided for the possibility of deferring charges in criminal investigations against companies under certain conditions, based on the legal institution of the DPA that exists in other countries, such as the United States and United Kingdom. However, in a dispatch released on 28 August 2019, the Federal Council rejected the OAG’s proposal to introduce a DPA-style agreement under Swiss criminal law. The Federal Council considered the proposal as contradictory to the fundamental principles of Swiss criminal law, which requires the punishment of wrongdoing and verification of the decision by a court. Thus, the integration of monitorships into Swiss criminal procedural law seems unlikely, at least in the near future.
Monitorships in Switzerland lack the long tradition and explicit legal basis as known in the United States and, more recently, in France. Nevertheless, as a result of increased enforcement, international cooperation and higher risks of liability, both mandatory and voluntary monitorships are broadly acknowledged and have established their place in practice as an important and effective tool for good control governance and – where necessary – remediation.
1 Simone Nadelhofer and Daniel Lucien Bühr are partners, Katja Böttcher is a legal project manager and Jonathon E Boroski is an associate at LALIVE SA.