Electronic processing of customer data: the Swiss banking market’s maturity in terms of FINMA (Swiss Financial Market Supervisory Authority) requirements

Eighteen months after the formal entry into force of the FINMA 2008/21 “Operational Risks – Banks” Circular, how mature are Swiss banks with regard to processing electronic customer data? Today we offer you a benchmark detailing the market’s maturity level in terms of the requirements of Annex 3.

On the whole, while large banks mainly have robust processes for maintaining the confidentiality of electronic customer data, the processes used by small banks generally show some weaknesses. However, we note many disparities between the various banks and between the levels of compliance with each of the nine principles set out in Annex 3.

To find out more about the results of our study, for both large and small banks, and to see our recommendations for maintaining an adequate security level for electronic customer data over time, please click here.

If you would like to find out more or you have any questions, please contact one of our experts:

Yan Borboën, Partner, +41 58 792 8459, Avenue C.-F. Ramuz 45, 1001 Lausanne

Robert Metcalf, Director, +41 58 792 9242, Birchstrasse 160, 8050 Zurich

Marco Schurtenberger, Manager, +41 58 792 2233, Birchstrasse 160, 8050 Zurich

Tech breakthroughs megatrend: how to prepare for its impact

With an ever-growing number of technological breakthroughs disrupting businesses of all kinds, PwC understands that companies need help developing their emerging technology strategies to get ahead of the changes. In our new report, Tech breakthroughs megatrend: how to prepare for its impact, we evaluated more than 150 technologies globally and developed a methodology for identifying those which are most pertinent to individual companies and whole industries.


We are sharing this guide to the “Essential Eight” technologies, which PwC believes will be the most influential on businesses worldwide in the very near future: artificial intelligence, augmented reality, blockchain, drones, the Internet of Things, robots, virtual reality and 3D printing. While not all of these technologies will have the same impact on your business, it’s important to consider the range of technologies together, because they will inevitably drive business models in both beneficial and quite challenging ways.

Download the full report here.

If you have any further questions please contact us:
Holger Greif, Digital Transformation Leader
Reto Häni, Cybersecurity Leader
Axel Timm, Technology Leader
Christian Westermann, Data Analytics Leader

On Passion and Robots

My overall ambition is to help people and organizations to reach their full potential. I believe that technology is an important aspect of that, and I am passionate about security and privacy and how they play a crucial role in determining if and how we can take advantage of the seemingly endless potential of technology. But I also ask myself what the consequences of this technology are. It is already visible today that in the near future we will face a massive change in society. Entire job categories will disappear, and robots (mostly software-based) will take over many of today’s jobs. Take the transportation industry, for example. While Tesla’s “autopilot” clearly still has its challenges, in a couple of years cars, trucks and buses will be able to drive autonomously. What happens then to all the cab and truck drivers who are on our streets on a daily basis? And that is only the beginning. More and more sophisticated tasks will be done by artificial intelligence (AI).

What does that mean for people who are studying or thinking about what kind of job should be in their future, or where they should develop professionally? Is it physics, chemistry, sport, or rather social studies, or… How does one choose a field today so that the chances are good that robots won’t replace you shortly after university? It is an important subject, as not everything that technology brings will be good for everybody. The answer to this question is not easy, as our understanding today of what impact AI and robots will have on our lives is very limited. But some aspects are, in my view, clearer than others and might be a start.

The first point where we can differentiate ourselves from bots is morals, values and ethics. Our personalities can make a difference, and I see that as a clear advantage over machines, or for that matter over other people, as we will not just be competing against bots but against a relatively larger workforce for fewer jobs. While we can program behaviour rules, I don’t believe (or maybe hope) that we will succeed in developing a moral artificial intelligence.

Second, what differentiates us are emotions: being able and willing to show and feel passion and feeling for other people. Think about it as mentally or physically giving somebody a hug. Not everything happens at an intellectual level, and looking ahead I believe that compassion will again become more important, especially as in many places it seems to have been lost.

The third element is creativity. Bots already write short stories today, but creativity is something that I believe (or again maybe hope) is beyond programming. Being able to tell a story will be something that stays human for a long time still.

The fourth aspect is solving new and hard challenges. I don’t believe that robots will be able to solve the really hard questions in the foreseeable future: to systematically and, more importantly, intuitively draw conclusions, to listen to a feeling or intuition and follow it up to find the solution to a hard problem, to have a dream and suddenly see things fall into place in a way that one had not foreseen. Running through a massive number of permutations is what computers do best, but seeing connections that are not clearly visible and having the courage to try out and find new paths is where humans shine.

And the final thought, but maybe the most important, is passion in what you do and challenging, enabling and inspiring others. If you truly want to make a difference, then finding out what you do with passion is the best way to show that you are making a difference. There are people who are lucky enough to know from very early on where their passion lies and what they want to do, and then there is the majority for whom it takes longer to find out. Too many, though, give up in that process and focus on doing what gets them through the day. But will that be enough in the future? I fear not. And inspiring and enabling others brings the possibility of acting as a multiplier for all the aspects above, and with that of truly solving the important problems together.

So if you make a choice about what to do and in what direction to evolve, wherever you are in your career – take into account the rapidly changing technology and that robots are advancing. Focus on the things that are hard and that not everybody can do, be passionate about them, and don’t forget about empathy and caring about people. Then I am convinced that you will be successful even in a world where robots are everywhere.

If you have any questions or you want to know more, please do not hesitate to contact me.

Cybersecurity: new EU directive published

New European directive

The EU’s directive “concerning measures for a high common level of security of network and information systems across the Union” (also known as the “Cybersecurity directive” or “NIS directive”) was published in the Official Journal of the EU on 19 July 2016.

What does this mean?

EU member states have to adopt and publish their country-specific laws and regulations to comply with the directive by 9 May 2018 at the latest. From the next day – 10 May 2018 – these country-specific laws and regulations are fully applicable, and compliance with the cybersecurity regulation is mandatory for “operators of essential services” and “digital service providers”.

Moreover, member states are obliged to introduce a national strategy that defines the objectives for achieving a high level of security, including a governance framework. They also have to designate a competent national authority and a single point of contact on the security of network and information systems. These authorities monitor the application of the directive and therefore have the required powers and means to assess compliance. Furthermore, member states have to designate Computer Security Incident Response Teams (CSIRTs) and define the cooperation between the different parties involved.

Who is affected and what has to be fulfilled?

“Operators of essential services”

Member states are obliged to identify their operators of essential services by 9 November 2018. The operators have to be identified in the following sectors: energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure. The regulation lists in particular IXPs, DNS service providers, and TLD name registrars as digital infrastructure operators.

These identified operators are obliged to:

  • take appropriate and proportionate technical and organisational measures to manage the security risks;
  • take appropriate measures to prevent and minimise the impact of security incidents;
  • notify, without undue delay, the authorities or CSIRT about significant incidents on the provision of the essential service.

Authorities have the powers and means with respect to these operators to:

  • request information to assess the security;
  • request evidence of effective implementation such as results of a security audit carried out by the competent authority or a qualified auditor;
  • issue binding instructions based on the assessment results.

“Digital service providers”

Digital service providers are providers of online marketplaces, search engines or cloud computing services that provide their services within the EU, regardless of whether they are established in the EU or outside it. In the latter case, they have to designate a representative in the EU. Micro and small enterprises are exempt from the following requirements:

  • identify and take appropriate and proportionate technical and organisational measures to manage the security risks;
  • take appropriate measures to prevent and minimise the impact of security incidents;
  • notify, without undue delay, the authorities or CSIRT about significant incidents on the provision of the essential service.

Authorities have the following powers and means to take action at these digital service providers:

  • request information to assess the security;
  • remedy any failure to meet requirements.

However, these actions can only be taken if the authorities have been provided with evidence that the digital service provider does not meet the requirements (“ex post supervisory” approach).

Voluntary notifications

On a voluntary basis, entities outside the scope of this regulation can notify the authorities of significant incidents affecting the services they provide.

Are Swiss entities affected?

Yes, Swiss entities are in scope of the regulation if they offer digital services within the EU or if member states have identified them as operators of essential services within the EU.


The Cybersecurity directive demands an appropriate framework to protect the offered services, preparedness to respond to and recover from significant security incidents in a timely manner, and timely notification of the authorities. These requirements are mandatory for the entities in scope. However, these minimal requirements are key for any entity that wants to be ready for potential cybersecurity incidents, and they can also be used by any Swiss entity as a reference and minimal standard.

We at PwC help our clients to get ready to prevent and counter cybersecurity threats, and also to test and assess an entity’s cybersecurity framework.

See also our previous blog entries on the Cybersecurity directive.


Reto Häni, Partner and Leader Cybersecurity, PwC Digital Services, reto.haeni@ch.pwc.com, +41 58 792 75 12

Robert Metcalf, Director Cybersecurity, robert.metcalf@ch.pwc.com, +41 58 792 92 42

Marco Schurtenberger, Specialist Cybersecurity & IT Compliance, marco.schurtenberger@ch.pwc.com, +41 58 792 22 33


Data Protection: EU Data Protection Law Has Changed

In May 2016 the official texts of the General Data Protection Regulation (“GDPR”) were published in the EU Official Journal in all the official languages. The GDPR entered into force on 24 May 2016 and applies from 25 May 2018.

The GDPR will replace the still applicable EU data protection directive 95/46/EC and imposes a much tougher data protection regulatory framework across the EU on the processing of personal data.

Please see our short flyer on the GDPR essentials, which outlines the most important changes and innovations of the new regulation.

Who is affected?

The GDPR affects many different entities on the basis of its defined scope – even entities outside the EU territory. In fact, the GDPR applies to

  • all controllers or processors (companies, organisations, etc.) in the EU that process personal data, and
  • all controllers or processors based outside the EU that target, offer or sell goods or services to persons in the EU. It also applies to controllers/processors that monitor the behaviour of persons within the EU.

Thus, based on the second point above, organisations based in Switzerland will also have to comply with the GDPR provisions.


We recommend assessing early whether and how you are affected by the upcoming GDPR. If the territorial scope applies to your company, initiate an analysis of your data flows and data types, processing purposes and processing operations, and take a risk-based approach to closing gaps appropriately in order to become compliant with the GDPR.

PwC can support you in the different stages of your “GDPR Compliance Journey”. For example, PwC has developed a Readiness Assessment Tool (“R.A.T.” for short), which consists of approximately 60 key questions with pre-populated answers linked to a maturity matrix. In a R.A.T. session we guide you and the relevant key stakeholders (e.g. Legal, Compliance, IT, Data Protection Officer, etc.) through the questionnaire. Through the interview we obtain an understanding of your current level of readiness to comply with the new GDPR requirements. The result is a risk-weighted report on your GDPR maturity. See also our flyer on R.A.T.


Susanne Hofmann, Legal Compliance Leader Switzerland, susanne.hofmann@ch.pwc.com, +41 58 792 17 12

Marco Schurtenberger, Specialist Cyber security & IT compliance, marco.schurtenberger@ch.pwc.com, +41 58 792 22 33

DDoS mitigation

The recent spate of distributed denial of service (DDoS) attacks on Swiss organisations has highlighted the severe impact that such attacks can have on business, with many businesses reporting losses running into the millions.

DDoS attacks are nothing new; however, successful mitigation measures to protect against serious attacks of the scale we have seen recently can be very expensive, and many firms don’t have such measures in place. Even organisations with no online service vital to their business are threatened by DDoS attacks, because these attacks are often only a prelude to, or a distraction from, other more advanced attacks. So it is crucial for organisations to make preparations to minimise the time to detect and respond to any potential attack.

Bear in mind that the source of a DDoS attack is hidden by the method of distribution (e.g. via a botnet), whereas DoS attacks, which are not covert, are usually a more violent statement by someone prepared to reveal the source of the attack. We use the term DDoS here because the protections work the same way. Attacks against you are also – sadly – incredibly cheap to generate and simple to launch.

What can you do?

Here are some strategies organisations can follow to protect themselves against DDoS attacks. The right combination of strategies will depend on the nature of your online business, and should start with a thorough assessment of the risks and the potential financial impact of attacks of various levels of intensity and duration.

Advanced Threat and Vulnerability Management

Cyber-attacks are serious everyday threats for all organisations that are connected to the internet and rely on IT to facilitate their business. The security of those businesses depends on their understanding of the threats and vulnerabilities that could lead to a breach in their defences and allow access to information systems and data. Due to the high complexity of IT networks, organisations often struggle to effectively detect dangerous vulnerabilities in time, or to understand the potential impact of those vulnerabilities being exploited.

As highlighted in this statement by the CIO of a large financial services organisation, the sheer number of vulnerabilities that organisations have to manage often represents a huge challenge.

“We have approximately 6,000 vulnerabilities in our applications. Every year we fix about 1,000 and we find another 1,000. The question is: are we finding and fixing the right ones?”

How can organisations prioritise their limited resources to identify and address the most urgent vulnerabilities and threats to their crown jewel assets?

PwC’s Threat and Vulnerability Management (TVM) Framework

PwC provides an innovative, cost-effective and business-focused Threat and Vulnerability Management (TVM) service, allowing our clients to focus on the key risks to their business operations and to the information assets that matter. Based on our profound knowledge and experience, and supported by our global threat intelligence services, we support organisations in effectively prioritising and managing their threats and vulnerabilities.

If you are interested in learning more about our market-leading TVM service and the joint business relationship that provides our clients with access to the innovative continuous web security monitoring platform ImmuniWeb® from our business partner High-Tech Bridge, please find more details here.

Read the press release here.

If you have any questions, please do not hesitate to contact us.

Video onboarding – why or why not to jump on the bandwagon

Everybody knows that the “traditional banking” industry not only faces challenges in parts of its business model; fintechs and technology companies are also trying to take on the big old economy in many ways. As if that were not enough, regulators constantly increase the burdens and make it even more difficult to extend margins.

However, the recent announcement lifting the regulatory restriction on “video verification” is a good example of a way to fight back, and it opens up opportunities to:

  • streamline processes and to reduce costs
  • improve customer experience
  • expand market share beyond traditional reach


Cost reduction

First of all, video onboarding gives the opportunity to review the existing KYC process and to reduce non-value-adding activities. The idea is to allocate the advisor’s time better to customer activities, such as sales. Moreover, the future outlook will be to rethink the traditional branch network. Hence, a scalable onboarding solution can help to shift efforts and reduce the impact of a branch network reorganisation on market share. On the other hand, costs to manage the additional video onboarding process will initially arise, e.g. for specific training, and it will also be necessary to scale up online onboarding to realise the benefits.

Customer experience

Traditional onboarding requires the client to appear in person during existing opening hours. An online process can help to create a positive response from users and can strengthen the perception of a bank as “digital savvy”. It saves time and fits an increasingly convenience-driven digital world. Additionally, responsiveness to a customer request might make the difference when a client decides on an offer. On the contrary, if the process is not thought through, it might create a negative experience and could lead to frustration of the user/prospect. Hence, one of the focus areas of such solutions should be the “digital journey”, and feedback on that journey should be incorporated via KPIs.

Expand market share

Furthermore, initial lessons learned can be applied down the line in areas such as mortgage advice. The current process of getting an appointment for mortgage advice can be painful, as resources are limited. Video onboarding might help here to scope discussions and balance the load while keeping the experience at the same level.

Cultural shift

The digitalisation of advisors is currently shaped by many trends, e.g. tablets, but only a few are able to really use the whole tool kit, as it is simply unknown what type of problems can be solved with technology. Hence, little things such as video onboarding can help raise awareness and open their minds and hearts to really understand the personal benefits of technology. However, change also creates resistance and a need for communication, which is nowadays a big hurdle for big organisations. Not many companies spend enough time and effort to take their employees on the journey of digitalisation, which can result in frustration and finally the exit of experienced and well-educated staff.

When to act

As previously highlighted, the introduction of video onboarding shows many benefits. It improves convenience for people who are not able to visit a branch during its opening hours. Nevertheless, it is not yet a fully digital experience, as a customer is still required to send physically signed paper documents to the branch. However, this might soon be replaced with e-signing. Hence, an early step-by-step introduction of parts of the process can ease implementation efforts and support a positive customer perception of the bank’s digital presence.

Competition/ first movers

Front runners such as UBS and LGT have already leveraged the opportunity to use online onboarding as a chance to test its potential benefits. On a global scale, banks such as Lloyds have already announced services that include video advice and are trying to think of it as a useful tool in the overall customer experience.

Integrate service (process and landscape)

Video onboarding can be integrated as SaaS (Software as a Service) or as a fully fledged managed service. The tricky bit is to integrate the solution not as a stand-alone system but rather into an ecosystem, in order to reduce manual effort.


In conclusion, the opportunities outweigh the risks and the effort needed to introduce such a solution, and it will soon become normal to verify an account via video onboarding. The earlier you adopt such incremental digital changes, the better you can outrun your competition and be on the sunny side of being digital!


Find more information here.


Digital client identification – your optimisation strategy

As you might have heard, FINMA recently announced that it will allow “Video Identification” for banks in Switzerland.

This change in regulatory restrictions is an opportunity to realise benefits in the digital onboarding process and reduce your costs by

  • Making a strategic choice about how digitalization will be part of the business model
  • Evaluating further cost reductions within the onboarding process
  • Achieving a better user experience and service to reduce the churn rate

Some industry players have already tapped into this opportunity to either drive early adoption or start to digitize and streamline part of the processes.

In a short presentation PwC will brief you on the situation, the opportunity and our tools to realise those benefits. We would like to offer meetings to discuss your specific situation and goals, reflecting the disruptive changes in the banking environment.

Let us jointly work out your solution.


Please contact our experts:

Holger Greif
Partner Digital
Phone: +41 58 792 13 86

Alexander Schultz-Wirth
Partner Business Technology Consulting
Phone: +41 58 792 47 97

Marc Achhammer
Phone: +41 58 792 21 04

Andrin Bernet
Partner Regulatory & Compliance
Phone: +41 58 792 24 44