FINMA Digital Fraud Guidance: What Swiss Banks Must Do Now
Switzerland's financial regulator has put digital fraud squarely at the top of its supervisory agenda. On 9 April 2026, FINMA published formal guidance following a survey of 19 banks, identifying significant gaps in operational risk management and anti-money laundering controls. For compliance officers, auditors, and the accounting firms that serve Swiss financial institutions, this is a clear signal: the regulator has done its diagnostic work and is now raising the bar on what it expects to see.
What Prompted the Guidance
A surge in digital fraud cases since 2022
Digital banking adoption accelerated sharply during the COVID period. FINMA's own supervisory data shows that fraud cases at banks have been climbing since 2022, tracking that growth in digital service delivery. The regulator conducted its survey at the end of 2025, covering banks across multiple supervisory categories, to understand how institutions are actually responding to this trend.
The picture that emerged was mixed. Banks are exposed to digital fraud on two distinct fronts: clients who become victims of fraud schemes, and bank accounts that are subsequently used to move and launder the proceeds. Both pathways carry regulatory consequences, and FINMA's guidance addresses both directly.
Core Supervisory Expectations
Risk management must cover the full business perimeter
FINMA's guidance is explicit that an adequate risk management framework is not optional for banks and persons falling under Article 1 of the Banking Act. That framework must span all business activities, not just those that have already produced incidents. Specifically, institutions are expected to identify, assess, manage, and monitor all material risks, with the guidance calling out two scenarios as priority areas:
- Digital client onboarding, where establishing a relationship online creates fraud and identity-verification risks that differ from in-branch processes.
- Unauthorised account access, where compromised credentials or social engineering can result in direct financial loss and subsequent money laundering exposure.
AML controls tied to fraud typologies
The guidance makes an important conceptual link that practitioners should take note of: digital fraud is not just an operational risk problem. When fraud proceeds flow through bank accounts, those institutions face AML exposure as well. FINMA is signalling that it expects banks to connect their fraud detection and AML monitoring functions, rather than treating them as separate compliance silos. For firms advising Swiss banks on their control frameworks, that integration challenge is now a supervisory expectation, not merely a best-practice aspiration.
Understanding how blockchain analytics data quality underpins AML controls is increasingly relevant here, particularly where digital asset flows intersect with traditional banking infrastructure.
Implications for Compliance Teams and Advisers
Gap analysis against the FINMA framework
The guidance is directed at banks and Article 1 Banking Act persons, but the practical work of assessing and closing gaps often falls to internal audit teams, external auditors, and the accounting or advisory firms embedded in those engagements. Three immediate questions are worth working through:
- Does the institution's current risk appetite statement explicitly address digital fraud as a named risk category, with defined tolerances?
- Are fraud risk controls documented at the business-line level, or are they handled through a generic operational risk register that may not reflect digital-channel specifics?
- Is there a documented process for escalating fraud-related suspicious activity to the AML function, and is that process tested?
Technology and recordkeeping considerations
Firms using digital asset accounting software or crypto bookkeeping software in a Swiss banking context should also consider how their systems capture and retain evidence of identity verification steps during onboarding. FINMA's emphasis on online client relationship establishment means that the audit trail for digital KYC decisions carries heightened supervisory relevance. Crypto accounting software that integrates with broader compliance workflows will be better positioned to support the kind of end-to-end documentation FINMA is now signalling it expects.
This connects to a broader pattern across Swiss regulatory activity. FINMA's recent sanctions obligations for Swiss financial intermediaries, covering Hamas and PIJ designations, showed the same integrated approach: a single supervisory action touching AML, sanctions, and operational controls together. Digital fraud guidance follows that same logic.
What the Survey Methodology Tells You
Nineteen banks, multiple categories, a sector-wide signal
The fact that FINMA surveyed institutions across different supervisory categories matters. It means the findings, and the resulting guidance, are not targeted only at large universal banks or only at smaller niche players. The expectation is sector-wide. Any bank operating digital channels in Switzerland should treat this guidance as directly applicable, regardless of size or business model.
FINMA has been explicit that its aim is both to raise awareness and to help institutions implement existing regulatory requirements more effectively. That framing is important: this is not new law, but it is a concrete statement from the regulator about where current implementation is falling short and what a robust system of protection looks like in practice.
Action Points for Accounting and Audit Firms
For accounting firms and auditors with Swiss bank clients, the guidance creates a timely hook for several conversations:
- Scope any upcoming regulatory review or internal audit cycle to include a specific digital fraud risk component, referencing FINMA's published framework.
- Review whether the institution's three lines of defence operate in a way that assigns clear ownership of digital fraud controls, separate from but connected to AML obligations.
- Consider whether digital asset accounting software in use across the institution produces records that would satisfy a FINMA examiner reviewing online onboarding decisions or account access monitoring.
- Engage clients early on documentation: if FINMA follows its survey with on-site reviews, institutions that cannot produce clear evidence of their risk management framework will face the most scrutiny.
The broader compliance landscape across Europe is moving in the same direction. Sweden's Finansinspektionen has expanded periodic AML reporting requirements for 2026, and the FCA in the UK has finalised its crypto regulatory framework with similar integration of fraud and AML expectations. Swiss institutions operating cross-border need to track these parallel developments, not just FINMA's guidance in isolation.
Frequently Asked Questions
Who does FINMA's digital fraud guidance apply to?
The guidance applies to banks and persons defined under Article 1 of the Swiss Banking Act. FINMA's survey covered institutions across multiple supervisory categories, so the expectations are broadly applicable across the Swiss banking sector, not limited to any single size or type of institution.
Is this guidance legally binding?
FINMA guidance clarifies how existing regulatory requirements should be implemented in practice. It does not create new law, but it does set out what the regulator considers adequate compliance with obligations that are already in force. Falling short of the standards described carries supervisory risk.
What specific fraud scenarios does FINMA flag as priority risks?
FINMA identifies two priority scenarios: fraud risks arising during digital client onboarding, and risks from unauthorised access to existing accounts. Both are treated as having AML implications, not just operational risk consequences.
How should firms connect fraud detection and AML monitoring?
FINMA's guidance implies that institutions should not treat these as separate silos. In practice, that means ensuring that suspicious activity identified by fraud teams is systematically reviewed for AML reporting obligations, and that AML transaction monitoring rules are calibrated to pick up patterns associated with fraud-proceeds flows, not just traditional money laundering typologies.
What does this mean for digital asset accounting software used within a Swiss bank?
Any digital asset accounting software or crypto bookkeeping software operating within a Swiss bank's infrastructure should be able to produce an auditable record of onboarding decisions and account access events. FINMA's focus on online client relationship establishment means that the documentation produced at those touchpoints carries direct supervisory relevance. Firms should verify that their systems generate and retain that evidence in a format examiners can review.
Source: FINMA
