FINMA 2025 Supervision Report: What It Means for Crypto Custody and DLT Trading
Switzerland's Financial Market Supervisory Authority has published its 2025 annual supervision report, and the findings carry direct implications for any institution touching digital assets. FINMA licensed the country's first DLT trading facility during the year, while simultaneously putting crypto custody risk, outsourcing deficiencies, and cyber resilience at the centre of its enforcement agenda. For accounting firms, auditors, and CFOs advising Swiss-regulated entities, the report is a blueprint for where supervisory pressure is heading next.
Supervision Intensity: By the Numbers
On-site inspections and stress tests
FINMA conducted 113 on-site inspections at banks in 2025, with 42 of those directed at UBS alone. A further 43 inspections covered insurance companies, and 20 targeted asset managers. Critically, the authority ran liquidity stress tests at Swiss investment funds for the first time, acting on unsatisfactory results where they arose. Capital planning dialogues were tailored to each institution's size and risk profile, and systemically important banks had to demonstrate credible capital mitigation strategies under specified stress scenarios.
Enforcement outcomes
Where inspections uncovered serious deficiencies, FINMA moved quickly. It imposed institution-specific capital add-ons in 14 cases and applied business activity restrictions combined with acquisition bans in 7 cases. Enforcement proceedings were opened in 15 cases, and the authority concluded 55 proceedings across all supervisory areas during the year. Separately, FINMA opened roughly 450 investigations into suspected unauthorised financial market activity, drawing on tips from the public, other authorities, and its own supervisory intelligence.
Crypto and DLT: Licensing, Custody Risk, and Client Protection
Switzerland's first DLT trading facility
The licensing of the country's first DLT trading facility marks a concrete step in Switzerland's positioning as a regulated digital asset hub. FINMA's willingness to issue this licence reflects its stated openness to financial innovation, but the regulator was equally explicit that innovation does not come with a reduced compliance burden. Any institution holding or facilitating the transfer of crypto-based assets must identify and mitigate the operational risks that come with it.
Custody risk as a supervisory priority
FINMA's report singles out the custody of crypto-based assets as a specific area where supervised institutions must demonstrate adequate risk controls. This is not merely a technical observation. From a stablecoin accounting and digital asset accounting software perspective, the implication is clear: custody arrangements must be fully documented, the underlying assets properly classified on the balance sheet, and associated operational risks captured in risk management frameworks. Institutions relying on third-party custodians face a harder question, discussed below under outsourcing.
Supporting legislative reform for creditor and investor protection
FINMA also signalled its support for an amendment to Swiss law designed to strengthen protections for crypto creditors and investors. The regulator has not published the draft text as part of this report, but its public backing indicates that tighter statutory rules around crypto client protection are a near-term legislative priority. Firms involved in stablecoin accounting or broader crypto bookkeeping should track this legislative process closely, as any new obligations will feed directly into compliance workflows and client disclosures.
Outsourcing and Cyber Risk: The Supply Chain Problem
Third-party exposure and documentation failures
One of the more striking findings in the 2025 report is the concentration of cyber incidents at service providers and outsourcing partners. In nearly half of all cyberattacks reported to FINMA by supervised institutions, the initial point of compromise was an external provider rather than the supervised institution itself. FINMA found that some institutions were not adequately capturing, documenting, or monitoring outsourced functions, which is precisely the gap that attackers exploit.
For firms advising institutions that outsource elements of their crypto operations, whether custody, transaction monitoring, or digital asset accounting software provision, this finding has direct relevance. Outsourcing arrangements must be mapped, governed by clear contractual obligations, and subject to ongoing monitoring. FINMA went further than reviewing institutions in isolation: it conducted targeted on-site inspections at outsourcing partners themselves to assess supply chain management practices. Understanding what strong due diligence on blockchain analytics data quality looks like at the third-party level is therefore part of the operational risk picture, not an optional extra.
ICT crisis scenarios
FINMA requires supervised institutions to maintain robust crisis scenarios for information and communications technology. The 2025 report makes clear this expectation extends to cyber defences capable of withstanding supply chain attacks. Institutions that have not stress-tested their ICT crisis plans against third-party failure scenarios are likely to attract supervisory attention in the coming year.
Asset Management, Greenwashing, and Conduct Obligations
Intensified portfolio manager oversight
A growing number of portfolio managers were placed under intensive supervision in 2025, with deficiencies frequently related to compliance with conduct rules on suitability. This trend is relevant for any asset manager with digital asset allocations: the same suitability obligations that apply to traditional portfolios apply to crypto holdings, and FINMA has demonstrated it will act where those obligations are not met.
Greenwashing enforcement
FINMA's anti-greenwashing work continued through 2025, with the authority focused on ensuring investors are not misled by sustainability claims. While the report does not specify crypto-linked ESG products, the supervisory principle applies equally: if a product is marketed with sustainability characteristics, those claims must be substantiated and documented.
What Accounting Firms and CFOs Should Do Now
Audit and advisory priorities
The FINMA 2025 report gives accounting firms and CFOs a clear read on supervisory intent. Several action areas stand out. First, institutions offering crypto custody or crypto-based services need documented operational risk frameworks that cover both internal controls and third-party dependencies. Second, where stablecoin accounting or USDC accounting sits inside a supervised institution's balance sheet, the classification methodology must be defensible under Swiss accounting rules and consistent with any applicable FINMA guidance. Third, outsourcing registers need to be current and complete: FINMA's willingness to inspect outsourcing partners directly means that gaps in documentation will not stay hidden.
The enforcement landscape around stablecoin AML risk and illicit marketplaces, already shaping supervisory thinking globally, adds a further layer: stablecoin positions held by Swiss institutions need to be assessed not just for accounting treatment but for the counterparty and transaction risk they carry. Separately, firms should ensure their crypto bookkeeping software or digital asset accounting software produces audit-ready records that can support an on-site review without delay.
Source: FINMA
FAQ
FINMA highlighted the operational risks associated with the custody of crypto-based assets and the purchase, trading, and transfer of cryptocurrencies. It required supervised institutions offering these services to have adequate controls in place, and it supported legislative reform to strengthen creditor and investor protections in the crypto sector.
The licence demonstrates that FINMA will authorise DLT-based trading infrastructure where applicants meet regulatory requirements. It does not reduce the compliance burden. Licensed DLT trading facilities remain subject to the full range of FINMA supervisory expectations, including conduct rules, AML obligations, and operational risk management.
FINMA expects supervised institutions to fully capture, document, and monitor all outsourced functions, including those involving crypto custody or transaction processing. In 2025 the authority conducted on-site inspections at outsourcing partners directly. Institutions with undocumented or poorly governed third-party arrangements face a heightened risk of supervisory intervention.
While the report does not prescribe specific stablecoin accounting rules, it reinforces the expectation that institutions must identify and mitigate operational risks tied to crypto-based assets, including stablecoins. That means balance sheet classifications must be defensible, custody arrangements documented, and any associated AML or counterparty risks assessed and recorded.
FINMA opened enforcement proceedings in 15 cases arising from serious rule breaches identified during supervision, and it concluded 55 enforcement proceedings in total across all supervisory areas and institution categories during the year. It also opened approximately 450 investigations into suspected unauthorised financial market activities.
