SWIFT Customer Security Programme – mandatory specifications to protect your local SWIFT infrastructures

The growing number of cyber-attacks, including those on the local infrastructures of SWIFT participants, has prompted SWIFT to create a security programme for its participants in order to fight together against cyber threats.

SWIFT published its Customer Security Programme in April 2017. It defines specific requirements to be met by all connected participants. The programme aims to improve the exchange of information within the SWIFT community, to ensure a high level of security for the local SWIFT infrastructure of participants, and to put in place an assurance framework to counter the ever growing number of cyber threats and strengthen the ability of SWIFT participants to combat cyber-attacks.

SWIFT Customer Security Programme

The programme calls upon all SWIFT participants to implement a control and assurance framework. The control framework consists of a set of 16 mandatory and 11 advisory security controls. The controls are based on existing SWIFT security guidelines, and are in line with good practice standards such as NIST, ISO/IEC 27002 and PCI-DSS. The mandatory controls establish a security baseline for the entire SWIFT community. SWIFT also recommends implementing the advisory controls to provide optimal protection for local SWIFT infrastructures.

Demands placed on SWIFT participants

The SWIFT Customer Security Programme will come into force on 1 January 2018. As well as applying to financial service providers, it is also valid for all companies that participate in the SWIFT network. Before the introduction of the programme, each SWIFT participant must conduct a self-assessment and notify SWIFT of its status regarding compliance with the controls (by the end of 2017). From 2018, all participants must confirm their compliance with controls on an annual basis. This confirmation can be provided via a self-assessment (self-attestation), internal audit (self-inspection) or external audit (third-party inspection). Participants are free to choose the type of confirmation they wish to submit. SWIFT will however also carry out regular spot checks of confirmations via internal or external audits for quality assurance purposes.

SWIFT participants must consider the following points in particular:

  • Should only the mandatory controls be implemented, or also the advisory ones?
  • How should the assurance framework be structured? Is self-assessment sufficient, or should an internal or external audit be conducted on a regular basis?
  • Should the status regarding compliance with controls be made public to other SWIFT participants?
  • How can it be ensured that controls continue to be adhered to in the future?

The support we offer you

SWIFT Readiness Assessment

We can help make sure you comply with the SWIFT requirements by 1 January 2018 by assessing your current status and highlighting any gaps.

SWIFT control support

We can provide support for the implementation of controls by means of a post-implementation review.

SWIFT compliance confirmation

We can assist you with your annual confirmation of compliance with SWIFT requirements.

Please feel free to contact our experts if you are interested in the topic.


Contacts

Jens Probst
Director, Systems & Process Assurance
+41 58 792 29 59
jens.probst@ch.pwc.com

Claudia Hösli
Senior Manager, Specialist Cyber Security
+41 58 792 14 85
claudia.hoesli@ch.pwc.com

Marco Schurtenberger
Senior Manager, Specialist Cyber Security
+41 58 792 22 33
marco.schurtenberger@ch.pwc.com

Switzerland: New social security treaty between Switzerland and China

A social security treaty between Switzerland and the People’s Republic of China (China) will enter into force on 19 June 2017. The maximum posting period is 72 months. For the duration of the posting, employees (regardless of their nationality) are exempt from the compulsory insurance obligations of the country of occupation which are covered in the social security treaty. As from 19 June 2017 it will be possible to obtain a Certificate of Coverage.

 


 

Contact

Véronique Schaller
+41 58 792 5036
veronique.schaller-wiesli@ch.pwc.com

Natalia Graf
+41 58 792 4324
natalia.graf@ch.pwc.com

 

Webinar: How US tax reform impacts Switzerland

Wednesday, 3 May 2017, 4–5pm CET

US tax reform is one of the key topics in the US under the Trump administration. Various proposals are being discussed and prepared − notably measures with the common goal of making the US corporate tax system more competitive. Given the potential magnitude of the proposed changes and the short timeframe within which legal changes are usually implemented in the US, it’s time to consider what US tax reform could mean for Switzerland and Swiss-based companies that do business in the US.

This webinar addresses questions such as:

  • How is the US tax system unique?
  • What’s involved in the process of transforming tax reform into US law?
  • What are the options for tax reform, and how do they compare and contrast (Camp plan, Trump proposal, Republican blueprint)?
  • What are the consequences for Swiss companies doing business in the US (e.g. interest deductibility, treatment of intangibles, state taxes and border adjustment tax)?
  • What impact will US tax reform have on the Swiss tax reform?

To register for the online event, please click on the link below.

WEBEX LINK

Once you have registered, you will receive the WebEx access details. The WebEx will be recorded and you will receive a link to the recording via e-mail after the event using the same details. There will be time for questions and answers with your speakers during the WebEx. Questions can also be sent in advance of the WebEx session to the following email address: rolf.j.roellin@us.pwc.com.

We do hope that you will join us online!

If you have questions, please contact your usual PwC contact person or one of our US tax experts named below.

Martina M. Walt
Partner
Swiss Tax Desk
PwC New York / Switzerland
martina.m.walt@us.pwc.com

Bernard Moens
Principal
PwC US
bernard.e.moens@us.pwc.com

 

Event series − VAT in ERP systems: how does it challenge IT, the Tax Administration and tax experts?

Register online for our upcoming series of events on VAT in ERP systems: how does it challenge IT, the Tax Administration and tax experts?

ERP systems are often not equipped to handle the complex requirements of VAT correctly, flexibly and efficiently without extra work or manual intervention.

The legal requirements are constantly changing, and on the basis of the OECD guidelines many countries are exchanging data or demanding ever more detailed information from taxpayers. Organisations are well on the way to transparency.

At these events we’ll be discussing the views of our clients, looking at the different needs of the IT and tax functions, and finally sharing some insights from the Tax Administration.

The aim of the events is to talk about experiences and needs, learn from each other, and build ‘best practice’ together. If required, this dialogue can be continued afterwards within our “ITX ERP Support Community”. Our discussions will revolve around the issues that organisations face and creating a common language enabling the tax and IT functions to work together.

Have we piqued your interest? We look forward to welcoming you to one of our discussions.

The dates are planned as follows:

Zurich

  • Wednesday, 31 May 2017, 4.30 pm registration / welcome drink
  • 5.00 pm start, 6.00 pm end, followed by an apéro and individual discussions and questions
  • PricewaterhouseCoopers AG, Birchstrasse 160, 8050 Zurich

Berne

  • Tuesday, 6 June 2017, 4.30 pm registration / welcome drink
  • 5.00 pm start, 6.00 pm end, followed by an apéro and individual discussions and questions
  • PricewaterhouseCoopers AG, Bahnhofplatz 10, 3001 Berne

Geneva

  • Thursday, 15 June 2017, 4.30 pm registration / welcome drink
  • 5.00 pm start, 6.00 pm end, followed by an apéro and individual discussions and questions
  • PricewaterhouseCoopers AG, Avenue Giuseppe-Motta 50, 1211 Geneva
  • This event takes place in English. To discuss your questions, local PwC colleagues will be at your disposal

Basel

  • Thursday, 22 June 2017, 4.30 pm registration / welcome drink
  • 5.00 pm start, 6.00 pm end, followed by an apéro and individual discussions and questions
  • PricewaterhouseCoopers AG, St.Jakobs-Strasse 25, 4002 Basel

The detailed programme has been published on our website www.pwc.ch/vat-erp. We are looking forward to your registration.

If you have any questions, please get in touch with your usual PwC contact person or one of the experts below.

Your contacts

Ilona Paakkala
Director
ITX Technology Leader
Tel. +41 58 792 42 58
paakkala.ilona@ch.pwc.com

Sandra Wirz
Senior Manager
ITX ERP Support Responsible
Tel. +41 58 792 25 32
sandra.wirz@ch.pwc.com

Adapt your SAP authorisation concept to S/4HANA

S/4HANA is SAP’s next-generation business suite that is built on SAP’s proprietary operational database system and in-memory computing platform called SAP HANA. S/4HANA is intended to be easier to use and administer while helping to solve more complex problems and handle vastly larger amounts of data than its predecessors. S/4HANA is available in on-premises, cloud and hybrid deployment models.

With the release of S/4HANA SAP consolidates the integration and harmonisation of functionalities and processes and further reduces barriers between SAP modules facilitating system integration. New technologies, such as Fiori, enhance the user interface for both desktop and mobile devices. The in-memory HANA database lets you collect, store, and process high volumes of operational and transactional data in real time.

Implementation of S/4HANA will affect your current environment, and not just technology-wise, because processes are also subject to change. Both the new technology and the change in processes will result in new requirements for your current authorisation concept. Whereas parts of your existing authorisation concept can be easily transformed and implemented 1:1 in the SAP S/4HANA system, other parts need to be changed and adapted to meet the new requirements.

PwC has a proven track record in Switzerland and globally in implementing and transforming SAP authorisation models in the SAP S/4HANA environment. Our GRC Technology Team in Switzerland led and executed the authorisation implementation part of the ninth S/4HANA implementation worldwide, from the authorisation concept to implementation and operation. Our experts have the required skill-set, tools, techniques and experience to discuss your challenges with you, and to actively support you throughout the whole project.


Please contact our team for more details:

Dominik Götz
Senior Manager
dominik.goetz@ch.pwc.com
+41 58 792 28 93

Erik Trouillet
Manager
erik.trouillet@ch.pwc.com
+41 58 792 23 64

The IDD implementation taking a clearer shape: latest EIOPA publications

The Insurance Distribution Directive was published in the Official Journal of the European Union in February 2016.

It will be transposed into law of the EU Member states by 23 February 2018.
The IDD applies to a wide group of insurance and reinsurance distributors and introduces a set of extended and new requirements around the oversight, governance and distribution of insurance products.
Affected firms will need to be compliant with the requirements from that date.


Please do not hesitate to contact us.

Philip Kirkpatrick
Insurance Risk and Regulatory Leader
+41 58 792 23 61
philip.d.kirkpatrick@ch.pwc.com

Nadejda Groubnik
Insurance Regulatory & Compliance Services
+41 58 792 24 52
nadejda.groubnik@ch.pwc.com

Robert Borja
Insurance Risk Assurance Leader
+41 58 792 29 56
robert.borja@ch.pwc.com

Zurich Treasury Conference 2017

The 18th edition of our annual Zurich Treasury Conference.

We are pleased to send you the invitation for our annual Zurich Treasury Conference on the 4th of April 2017 at the Swissôtel. We are delighted to provide you with the full programme and an excellent line-up of speakers.

We have covered many themes over the years, and our 2017 programme will again live up to this diversity of topics. We will open the afternoon with the impact of banking regulation on corporations and cover two corporate case studies on treasury integration and transformation. Following our PwC Global Treasury Survey highlighting this as a key topic, we will have a presentation on liquidity forecasting, and we will also cover the challenges of the low interest rate environment. Finally we will have a corporate treasurers panel to discuss challenges of midsized treasuries. Of course the event is also an important moment to connect amongst peers, for which there will be ample time provided.

PwC’s Treasury Solutions Group looks forward to welcoming you at the 18th edition of this event.

Date:
Tuesday, 4 April 2017, 13:00 to 18:00, followed by an apéro

Venue:
Swissôtel, Schulstrasse 44, 8050 Zurich

Participation fee:

The price will be CHF 350 per participant (VAT, documentation and refreshments included).

Register by clicking here

Swiss-US Privacy Shield: New Framework for the Transfer of Data to the USA

The so-called Swiss-US Privacy Shield replaces the Safe Harbor Agreement between Switzerland and the USA. The agreement establishes a new regulatory framework for the transmission of personal data from Switzerland to certified companies domiciled in the US. The same standards will apply for Swiss transfers of personal data to the USA as for data transfers from the EU.

Swiss data protection legislation stipulates specific requirements for the transfer of personal data abroad. They protect the personality and the rights of the data subjects concerned. However, the US is not deemed to provide an adequate level of data protection in terms of Swiss law. Swiss companies therefore have to take specific measures to safeguard personal data when it is transferred to the US.

Until recently, Swiss companies could rely on the Swiss-US Safe Harbor Agreement. After the Court of Justice of the European Union declared the EU-US Safe Harbor Agreement invalid, the Swiss Federal Data Protection and Information Commissioner (FDPIC) called the Swiss-US Safe Harbor Agreement into question.

In August 2016, the EU and USA put into place a successor agreement, the EU-US Privacy Shield. Switzerland also entered into negotiations with the USA, which resulted in the Swiss-US Privacy Shield.

Enhancing the Application of Data Protection Principles, New Tasks for the FDPIC

The agreement is expected to substantially improve the position of those concerned by personal data transfers. The application of data protection principles by participant companies should be enhanced, as should the management and supervision of the framework by the US authorities. Cooperation between the US Department of Commerce (DOC) and the Federal Data Protection and Information Commissioner (FDPIC) should be intensified. The persons concerned are being given specific instruments to enable them to find out about data processing directly from certified US companies or the competent authorities, and to ensure that any required corrections or deletions are made. For example, the FDPIC will act as a point of contact for persons in Switzerland in the event of any problems in connection with the transfer of data.

Same Conditions as in the EU for the Transmission of Personal Data to the US

The new regulatory framework corresponds to the solution adopted by the USA and the EU and implemented within the European Economic Area (EEA) – the EU-US Privacy Shield. The similarity is highly significant, as it guarantees the same framework conditions for persons and businesses in Switzerland and the EU/EEA area in relation to transatlantic data flows. The same standards therefore apply for Swiss personal data transfers to the USA as for data transfers from the EU. This increases legal certainty in commercial transactions and reduces additional costs for the economy.

Need for Action for Companies

US companies can start the certification process with the DOC three months after the finalization of the agreement. Interested US companies are advised to obtain a Privacy Shield Certificate from the DOC. Swiss companies should make sure that their US partners possess such a certificate. These conditions are essential for Swiss companies to submit personal data to the US without requiring additional contractual guarantees. Furthermore, companies should review their current contractual basis for data transfers to the US and adapt it to the Swiss-US Privacy Shield where required.

SAP GRC Access Control upgrade & migration service


What is it about?

SAP GRC Access Control 5.3 is built on a technology which does not allow extensive customising, but this is possible again with versions 10.0 and 10.1. This means that we will adapt your SAP GRC Access Control System to your needs and requirements. It’s also important to realise that new functionality such as improved firefighting, reporting and user interfaces, and the integration of new technology such as HANA or Fiori, is only provided with the latest version (10.1).
Given that version 5.3 is based on a different technology than versions 10.0 and 10.1, a migration path is required. If you plan to move from version 10.0 to 10.1, only an upgrade is required. SAP provides standard tools supporting the migration. Nevertheless, further accelerators and a proven methodology are required for ensuring data consistency and auditability / traceability.

What you get from our service

The latest release provides a wide range of new functionalities and improvements, which PwC and Xiting will combine and adapt to your organisation’s requirements. What you can expect:


Our approach

Our approach is tailored to your needs and split into four phases, from assess & design to operate & support. We will implement the functionalities you have already been using in addition to new functionalities as defined in the business blueprint. You’ll enjoy a smooth transition to a new system tailored to your needs.


Your journey with us

Upgrading your SAP Access Control system will not only give you immediate benefits now, but will prepare you for your future journey as well.
The upgrade path will give you the opportunity to extend the limits and functionality of your current SAP Access Control solution. The upgrade ensures integration with new SAP solutions like Fiori and HANA for a more intuitive interface and reporting capabilities, and lets you use extended functionality available only in version 10.1.
PwC and Xiting would be glad to accompany you on your journey. Thanks to our extensive network, you’ll always be up to date on the latest trends and best practices.

Financial Market Infrastructure Act (FMIA)

FINMA guidance on the postponement of certain transition periods, on equitable compliance under EMIR, and exchange of collateral

The transition periods set out in Article 129 Financial Market Infrastructure Ordinance (FMIO) and Article 58a of the Stock Exchange Ordinance (SESTO) regarding specific provisions relating to trading venues and organized trading facilities as well as the recording and reporting obligations were postponed on June 29, 2016 until January 1, 2018. FINMA has issued further guidance on the following points:

Equitable compliance: (Provisional) equivalence of EMIR for the fulfillment of the obligations under FMIA

FINMA recognizes that the main obligations to be fulfilled under FMIA can be fulfilled under EMIR on a provisional basis until the corresponding obligations under EMIR are final. This permits the counterparties which are subject to the clearing obligation (Article 97 para. 1 FMIA), reporting obligation (Art. 104 para. 1 FMIA) and risk mitigation obligations (Art. 107 para. 1 FMIA) to fulfill these obligations under EMIR from the date on which they come into force, provided that the relevant conditions are met. Affected financial market participants should however keep in mind that the reporting and clearing obligation must be fulfilled through a recognized or licensed financial market infrastructure (Art. 95 let. b FMIA).

Potential extension of the deadline for the exchange of collateral (initial and variation margins)

The deadlines for the exchange of collateral (initial and variation margins) (Art. 131 para. 4 and 5 FMIO) are aligned with the corresponding deadlines under EMIR, which are not yet final. In other words, the deadlines for the initial and variation margins under FMIA will be postponed accordingly if the initial and variation margin obligations under EMIR kick in later than the current deadlines set forth in the FMIO.

Organized trading facilities (OTF): Postponement of deadlines and new circular

Multiple obligations related to organized trading facilities (OTF) have been postponed until January 1, 2018. These are:

  • Pre-trade transparency of trading venues (Art. 27 FMIO);
  • Post-trade transparency of trading venues (Art. 28 para. 2 to 4 FMIO);
  • IT-systems to ensure an orderly and resilient trading activity (Art. 30 para. 2 and 3 FMIO);
  • Provisions of a trading venue related to algorithmic trading and high frequency trading (Art. 31 FMIO);
  • Guarantee of orderly trading activities (Art. 40 FMIO);
  • Algorithmic trading and high frequency trading, pre-trade transparency, and post-trade transparency for securities (Art. 41 to 43 FMIO).

FINMA also plans to issue a new circular outlining its practice on the operation of OTFs by the spring of 2017.

Record keeping and recording requirements (Journalführungspflicht) as well as the reporting requirements for securities and derivatives transactions (Meldepflicht): Postponement of deadline and new circular

The deadlines for meeting the new requirements under the record keeping and recording requirements as well as the reporting requirements for securities and derivatives transactions (Art. 129 FMIO and Art. 58a SESTO) have been postponed until January 1, 2018. FINMA will also issue a new version of the circular 2008/4 “Securities Journal” reflecting the changes.

No Trade Repository has yet been licensed or recognized

FINMA confirms that as of 7 July 2016 no trade repository has yet been licensed or recognized in Switzerland. At the current time, we expect the first trade repository to be licensed no later than during the third quarter of 2016.

No Central Counterparty under FMIA has yet been licensed or recognized

FINMA confirms that it plans to decide on the categories of derivatives subject to clearing during the recognition and licensing process of central counterparties. It has also confirmed that, as of July 7, 2016, it has not yet licensed or recognized a central counterparty under FMIA.

If you have any further questions, please feel free to contact Günther Dobrauz, Martin Liebi, Michael Taschner or Simon Schären.