BRP TOPICS
DATA PROTECTION
Data protection and confidentiality are core principles of Swiss banking
Banks and individuals have a strong interest in the protection of data. Information about the financial situation of a person is a sensitive form of personal data
Financial institutions need to implement a pragmatic, yet compliant program to respect both the Federal Data Protection Act and the banking legislation. Regular training of employees, careful review of internal processes and transparency of processing can lower the risks of misuse of valuable information

WHAT ARE YOUR QUESTIONS?
BRP SA is here to assist you in managing data protection matters related to the banking industry
NEW FEDERAL ACT ON DATA PROTECTION
The new Federal Act on Data Protection (Art. 14) requires companies located abroad to appoint a Swiss Data Protection Representative
Financial institutions can also decide to voluntarily appoint a Data Protection Representative to offer their clients a first point of contact in Switzerland
SWISS REPRESENTATIVE
- Do you have clients in Switzerland while your company is based abroad?
- Do you process their personal data?
- Do you have no registered office in Switzerland?

- We act as the local, accessible point of contact for Swiss data subjects and for the FDPIC
- We offer our local language skills
- We register with the FDPIC
- We provide our deep knowledge of Swiss legislation
- We maintain your records of processing activities
Find out from us whether you need this solution to comply with Swiss legislation
Want to know more about Data Protection and Privacy?
Talk to our BRP experts
ESG
International ESG regulation and the regulatory landscape are evolving at an incredible pace. The regulatory approaches followed in the various regions are still very heterogeneous and do not (yet) always focus on the same subjects or aspects, which makes them difficult to understand and implement
The possible diversity of ESG and the high level of complexity of the issues make the subject difficult to address in a relevant way from a regulatory point of view. Sustainable finance faces a huge challenge for its evolution: the absence (yet) of commonly recognised international standards

ESG INVOLVEMENT
LISTED COMPANIES & FINANCIAL INTERMEDIARIES
Climate change
Emissions
Biodiversity
Energy efficiency
Resource depletion
FINANCIAL SERVICES & PRODUCTS
Human rights
Health and safety
Diversity, equity and inclusion (DEI)
Conflict zones and conflict minerals
Community engagement
GOVERNANCE
Executive independence and structure
Conflicts of interest
Anti-money laundering and corruption
Responsible tax strategy
Stakeholder engagement
GLOBAL STANDARD
Recently (on 26 June 2023), the ISSB, an independent board established by the International Financial Reporting Standards (IFRS) Foundation, released its first global sustainability disclosure standards. The ISSB standards are built on the concepts that underpin the IFRS Accounting Standards, which are used by more than 140 jurisdictions
EXAMPLES OF STRATEGIC CHALLENGES FOR ESG IMPLEMENTATION
- For both listed companies and financial intermediaries, particular emphasis is placed on the need for greater transparency on sustainable criteria with regard to the public and investors
- Financial services and products need to incorporate ESG (environmental, social and governance) criteria into their business and investment decisions
- Financial service providers need to integrate ESG preferences and ESG risks into investment advice and portfolio management
- Among the key areas to be considered are the question of specific resources and their integration into management processes, information for target customers and employee training
- An effort is needed to make the offers, processes and measures understandable for customers and regulators, to avoid greenwashing
Want to know more about ESG?
Talk to our BRP experts

WHY CRYPTOS?
In recent years, the sector of crypto-assets has experienced significant expansion, with tokens becoming increasingly integrated into global economies. The variety of crypto-assets is vast, ranging from well-known entities such as Bitcoin and Ethereum to a plethora of tokens that are being developed daily
Recent significant events, including the bankruptcy of FTX, have underscored the need for regulatory oversight in this rapidly growing sector. Recognizing the magnitude of this phenomenon, regulators and supervisors worldwide have begun to implement laws and regulations pertaining to the issuance and registration of crypto-assets. A prime example of this regulatory response is the European Union’s Markets in Crypto-Assets (MiCA) regulation
Consequently, businesses operating in this sector must familiarize themselves with the specific regulations of the countries in which they intend to offer their services and products. Furthermore, they must ensure they have the necessary resources to maintain compliance with these regulations
RELEVANT ISSUES
Classification of crypto-assets
Qualify a crypto-asset in the correct class(es):
- PAYMENT TOKENS
- SECURITY TOKENS
- UTILITY TOKENS
- STABLECOINS
- NFT

DISTRIBUTION
Determine whether the crypto-asset itself must be registered in order to be distributed to the public

LICENSE
Determine whether a crypto-service is subject to a licence and under which conditions:
- ADVERTISING
- PROSPECTING
- TRADING / EXCHANGE PLATFORM
- CUSTODY SERVICES
- STAKING
- ADVISORY AGREEMENT
- DISCRETIONARY ASSET MANAGEMENT

EXCEPTIONS TO LICENSE AND REGISTRATION
What current banking and investment practices are recognized (or tolerated) by the authorities?
- Reverse solicitation
- Private placement rules
Want to know more about Cryptos?
Talk to our BRP experts
Confidential data or sensitive data
Data is subject to different levels of protection. According to the Swiss Data Protection Act, personal data can be used to identify a specific individual. Sensitive personal data is granted a higher level of protection due to its special (intimate) nature (health-related data, biometric information, religious or political beliefs, etc.)
(art. 5ss FDPA)
Confidential data processed by the bank may not be personal: e.g. when personal data is anonymised or when the data does not refer to an individual but to business secrets. Bank secrecy hence covers a larger scope of data
I can’t handle it, so I delegate?
Transmission of data is strictly regulated. Personal data can only be shared with third parties, or even with subsidiaries if abroad, under certain conditions. The given processing must be subject to obligations and must be secure, and the data subject must have been informed of it or have consented to it. The requirements also depend on the country to which the data is to be transmitted
I have to communicate about the processing, but what do I say?
Individuals can exercise control over their personal data if they are aware that data about them is being processed. They will be able to exercise their rights if they are informed of the processing practices. It is therefore compulsory for banks to provide information on data processing, and they must ensure that this information is provided at the time of collection, in a clear and comprehensible format, and that the rights of individuals are clearly set out
Is “access to data” applicable to access by the employees or for the benefit of the data subjects?
The law grants a right of access to the data collected. The data controller is required to provide not only the categories of data processed, but also the sources, the length of time it is kept for, the recipients of the data and any international transfer
Based on the principles of data security, bank employees will be granted limited access to databases processing personal data. The principle is based on “need-to-know” and these measures must be regularly re-evaluated
(art. 8 FDPA)
Is consent always necessary?
There are several legal grounds for collecting personal data. Consent is one of them, and defines the individual’s explicit agreement to share his or her data. In the banking sector, institutions are often required by law to collect personal data. There is thus no need to obtain consent for this information
In order to ensure data security, the bank may also rely on its legitimate interest to process data. This, for example, enables the bank to monitor the use of tools. The legitimate interest is justified if the measures remain proportionate
Keeping personal data in case it may be needed?
Personal data is always linked to a purpose: managing an account, taking a decision on guarantees of irreproachable activity, assessing a credit application. When the purpose is no longer relevant, and there is no specific law requiring the data to be kept for an additional period of time, the data shall be deleted