The Importance of Third-Party Risk Management in Switzerland's Strict Regulatory Framework

As you partner with more vendors and suppliers to increase your capabilities and gain a competitive advantage, your reputational and regulatory risks also increase.

Forrester predicted that in 2022, 60% of all security incidents will result from third-party issues, highlighting the importance of third party relationship management.

In a highly regulated environment like Switzerland, ensuring new and existing vendors and partners do not significantly threaten your operations and reputation is paramount.

In this article, we explore the importance of third-party risk management (TPRM) in relation to the regulatory landscape in Switzerland. We’ll examine some key regulations in Switzerland, such as the Federal Act on Data Protection (FADP), Circular 2018/3, and the Anti-Money Laundering Act (AMLA), and explore their implications for managing third-party relationships.

Switzerland's regulatory framework

Switzerland’s approach to its regulatory framework emphasizes self-regulation (particularly in the banking sector) in parts, and flexibility and cooperation between government agencies and private businesses.

This approach ensures regulations are tailored to specific risks unique to each industry, allowing flexibility while maintaining high regulatory standards without stifling innovation.

Key regulations affecting third-party relationships include the Federal Act on Data Protection (FADP), which mandates stringent data handling and sharing requirements, particularly when engaging with external service providers.

The Circular 2018/3 issued by the Swiss Financial Market Supervisory Authority (FINMA) outlines specific guidelines for outsourcing business functions for the Swiss financial sector.

The recent updates to the Anti-Money Laundering Act (AMLA) reflect the country’s commitment to combating financial crime, like money laundering and terrorism funding.

Additionally, the Ordinance on Due Diligence and Transparency in relation to Minerals and Metals from Conflict-Affected Areas and Child Labour underlines the country’s commitment ethical supply chains and human rights.

Below, we examine these regulations and highlight essential requirements focused on third-party relationships.

Data protection and cybersecurity

The Federal Act on Data Protection (FADP) is the primary regulation guiding the processing and transfer of personal data in Switzerland to protect the data privacy act of legal entities.

In addition to the law mentioned above, the Federal Data Protection and Information Commissioner (FDPIC) has released ordinances, particularly the Ordinance on Data Protection (ODP) and the Ordinance on Data Protection Certification, to clarify and concretize some of the stipulations in the FADP.

The FADP applies to data processing that “have an effect in Switzerland, even if they were initiated abroad.” The law covers collecting, storing, altering, disclosing to third parties, archiving, or other personal data uses.

Here are the significant features of the FADP and ordinances, mainly as they concern third-party relationships:

Businesses do not need any legal basis to collect and process personal data. However, the FADP provides conditions under which companies may require user consent.
The consent must be freely given and specific to the exact processing activities the business intends to perform with the data.
Swiss businesses must also ensure that the personal data they receive from other companies conforms to the purposes communicated to the data owners during data collection.
Businesses require user consent to disclose “sensitive personal data” to third parties.
Organizations must inform users about third parties that will receive their personal data. This includes both Swiss-based and recipients outside of Switzerland.
The above disclosure must also include safeguards to protect the user’s personal data.
The FADP obligates businesses and third parties to ensure user data is safe and secure by protecting the integrity, confidentiality, and availability of the collected data.
In line with this requirement, both parties must assess potential risks to users and ensure they have the appropriate IT infrastructure and security measures.
The FADP allows data transfer abroad to jurisdictions with adequate protections and those without. The Federal Council provides a list of jurisdictions with adequate protections in Annex 1 of the Ordinance.
Transferring data to countries without adequate data protections requires businesses to set up appropriate safeguards such as standard contractual clauses (SCC), Binding Corporate Rules (BCRs), and contractual clauses in business-to-third-party agreements.
Swiss companies and third parties must maintain a log of all processing activities. This stipulation does not apply to businesses with over 250 employees, provided there’s negligible risk that users’ rights will be infringed.
Businesses must conduct a data protection impact assessment (DPIA), especially when data processing requires large-scale sensitive personal data.
Organizations are obligated to inform the FDIC of data breaches that pose high user risks. While no specific timeline was stated in the FADP, businesses are urged to do so “as quickly as possible.”
The report must include details such as the nature of the breach, its timeline, categories, and number of personal data and users affected, the impact of the breach and potential risks to the data subjects, and the measures taken to mitigate the possible effects on data subjects.
Under the FADP, Swiss businesses must erase or adequately render anonymous personal data when they no longer need it for the purpose for which they collected it.
Businesses and third parties must enter an agreement establishing two control objectives for Swiss organizations.
Firstly, the agreement must bind the third party to the processing functions the business can perform. Secondly, the agreement must ensure that the third-party processor provides state-of-the-art data security.

Leverage Supplier Shield’s suite of cybersecurity and data privacy tools to keep user personal data safe and secure per Swiss regulations.

Technology procurement or outsourcing

Although Switzerland does not have a general law regarding procuring technology products and services for private businesses, industry-specific regulations guide outsourcing material business functions to third-party service providers.

The Circular 2018/3 by the Swiss Financial Market Supervisory Authority (FINMA) provides the regulatory requirements financial market participants, including banks, insurance companies, and securities dealers, must meet while varying secrecy obligations bind industries like telecommunications and healthcare.

Some of the highlights of Circular 2018/3 include:

Certain functions cannot be outsourced, such as those related to strategic decisions, risk management, and regulatory compliance tasks, “other than those which are operational in nature.”
Per the circular, businesses willing to outsource functions must maintain an inventory of all outsourced functions, clearly indicating the department(s) responsible for the outsourced functions. Such inventory must also highlight the service provider.
The above inventory must also include whether the outsourced function will involve the transfer of mass client-identifying data to a foreign service provider.

Businesses in the financial sector must perform risk analysis along the lines of economic and operational considerations before agreeing with a third party.
In particular, the financial institution must assess potential concentration risks if multiple functions are outsourced to the same provider.
Additionally, the business must assess the third party’s professional capabilities and financial and human resources to know if the service provider can offer such services permanently.
Outsourcing companies must contractually define the security requirements of the arrangement and lay out a contingency plan for continued execution of the outsourced function in case of an emergency.
Outsourcing to foreign third-parties is permitted as long as auditors and FINMA can perform their regulatory function at any time.

Switzerland’s anti-money laundering framework

The Anti-Money Laundering Act (AMLA) and the Anti-Money Laundering Ordinance (AMLO) are the bedrock of the anti-money laundering (AML) landscape for financial intermediaries in Switzerland.

AMLA passed in 1997 and has undergone multiple modifications over the years. One of its most recent updates was in 2021, with changes specific to third-party relationships.

The new update required Swiss banks and businesses like casinos to verify the ultimate beneficial ownership (UBO) of all organizations they work with.

The UBO refers to “the natural person(s) who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted.”

Swiss financial institutions must also meet other requirements, such as implementing necessary organizational measures to curb money laundering.

There’s been much more scrutiny of the banking sector, with the Swiss National Bank and FINMA working together to create more stringent financial market laws in the wake of the Credit Suisse crisis.

Supply chain due diligence

Companies exposed to potential child labor and conflict minerals must disclose these risks.

Businesses that import or process tin, tantalum, tungsten, or gold coming from conflict areas are subject to the “Ordinance on Due Diligence and Transparency in relation to Minerals and Metals from Conflict-Affected Areas and Child Labour” if the total imports meet a specified threshold.

More importantly, Swiss businesses with supply chain operations or partners in jurisdictions with a high risk of child labor are equally subject to due diligence and reporting obligations. Per the ordinance, high-risk countries have Enhanced or Heightened classification in the Children’s Rights in the Workplace Index report.

There have also been mooted new regulations targeted at current non-financial reporting obligations, set to be modeled after the Corporate Sustainability Reporting Directive (CSRD) by the European Union.

Importance of TPRM for Swiss companies

According to a survey by Gartner, 84% of respondents reported operational disruptions due to actions, activities, and incidents from a third-party provider.

Furthermore, 64% and 60% reported adverse financial impact and increased regulatory scrutiny due to third-party incidents beyond their control.

These survey responses underscore the increasing inherent risks associated with third-party vendors, suppliers, and service providers. While these partnerships undoubtedly bring operational value and competitive advantage, they also exacerbate existing risks and introduce new and significant ones.

Effective third-party risk management (TPRM) is crucial to mitigate these risks and unlock the benefits of third-party relationships.

The high cost of neglecting TPRM

The consequences of not having or having an inadequate TPRM can be catastrophic.

Data breaches, cyberattacks, and operational failures within a third party can result in direct financial losses due to remediation costs, legal expenses, and lost revenue.

The recent outage due to Crowdstrike’s software glitch is a case in point, with the outage costing Fortune 500 companies over $5 billion in direct losses alone. Delta’s CEO claims the company lost over $500 million due to the IT outage. The same outage led to disruptions at many Swiss airports.

While it may be challenging to eliminate outages or disruptions like the above totally, a solid TPRM framework ensures you’ve conducted a comprehensive risk assessment and prepared a contingency plan for mitigating the identified risks.

Aside from revenue loss, other potential issues arising from poor TPRM include:

Reputational damage

A third-party incident can severely damage an organization’s brand and customer trust. This can lead to customer churn, decreased market share, and difficulty attracting new business.

Glencore was recently fined CHF 2 million for failing “to take the required and reasonable organizational measures with regard to the bribery of foreign public officials by a business partner.”

Because of its soiled reputation, the Switzerland Department of Foreign Affairs ended its sponsorship agreement with Glencore.

Reduce exposure to vendors and suppliers that can damage your hard-earned reputation with Supplier Shield, the leading TPRM solution designed for speed and precision.

Regulatory penalties

Non-compliance with data privacy, security, or industry-specific regulations due to third-party failures can result in hefty fines, legal repercussions, and an inability to operate in certain jurisdictions.

In Switzerland, companies and third-party processors may face fines of up to CHF 250,000 ($280,000) if they are found to have intentionally violated data protection laws.

Business disruption

Operational disruptions caused by third-party issues can impact supply chains, customer service, and overall business continuity.

Just recently, in August 2024, Swiss company Schlatter Group couldn’t access parts of its IT network after a ransomware attack.

The benefits of adopting TPRM

A well-thought-out TPRM can mitigate the above risks and deliver substantial benefits like:

Improved efficiency

By centralizing and automating many aspects of the TPRM process, you can streamline vendor assessment, onboarding, and monitoring, freeing up resources and allowing more proactiveness.

Additionally, third-party monitoring is both tedious and continuous, and having the ability to automate such a process increases your efficiency.

Enhanced regulatory compliance

With many complex and interwoven regulations and laws both domestically and internationally, it is pretty easy for things to slip through the cracks.

A robust TPRM program helps you stay ahead of current and evolving regulatory requirements by ensuring that third parties meet the necessary standards.

When respondents in a survey by EY were asked to what extent TPRM has improved their ability to meet regulatory requirements, 44% of respondents chose “some,” 29% chose “moderately,” and 8% chose “high.” Only 2% of respondents chose “not at all,” emphasizing how TPRM helps with regulatory compliance.

Resilience and adaptability to an ever-changing regulatory Environment

A proactive approach to TPRM empowers you to identify potential disruptions early and develop contingency plans, enhancing your ability to withstand the threats posed by these risks.

Building contingency plans for critical business processes ensures you suffer little to no disruptions even when third parties suffer the same.

Additionally, new laws and regulations are emerging regularly. If you’re operating in multiple jurisdictions, keeping up with these changes adds another complicated layer to an already complex challenge.

Third-party risk management provides the tools and processes needed to navigate this complex environment effectively. When asked how much TPRM has improved their resiliency, 41% of respondents answered “moderately” or “very high.”

Ability to do business with entities in other countries

An effective TPRM program can facilitate business expansion by enabling you to confidently partner with new vendors, including those in regulated markets like the EU.

The Digital Operational Resilience Act (DORA), for example, emphasizes the importance of third-party risk management for financial institutions operating in the EU.

Ensuring you and your partners comply with regulations like DORA, GDPR, and NIS2 enables you to engage with European entities, providing returns on your TPRM investments.

About 77% of respondents reported gaining at least “some” return on their TPRM investments.

Supplier Shield ensures your vendors or suppliers comply with DORA, GDPR, and NIS2 regulations.

Cost savings

Implementing a TPRM framework and technology can reduce the costs associated with third-party incidents, regulatory fines, and reputational damage.

Beyond avoiding direct financial loss from fines and business disruptions, effective TPRM can also lower operational costs by streamlining vendor management processes and ensuring that third-party relationships are managed more efficiently.

Additionally, safeguarding your company’s reputation through continuous risk management can help you avoid the long-term financial repercussions of lost business and diminished customer trust.

Leveraging technology for effective TPRM

Technology plays an integral role in facilitating an effective TPRM. Advanced platforms and tools like Supplier Shield can automate time-consuming tasks, improve data accuracy, and provide real-time insights into third-party risk.

Key benefits of TPRM technology include:

Centralized vendor information: A single source of truth for vendor data and documentation, making managing vendors and third parties more manageable.
Automated risk assessments: TPRM solutions streamline the risk assessment process, allowing you to evaluate vendors quickly and efficiently based on predefined criteria and potential red flags.
Continuous monitoring: Real-time monitoring dashboards of vendor performance and external threats enable you to address emerging risks proactively.
Reporting and analytics: Comprehensive reporting and analytics capabilities provide valuable insights into your third-party risk exposure and trends.

Takeaway: Protecting your business through effective third-party risk management

Switzerland's complex regulatory landscape and businesses' increasing reliance on third parties underscores the critical importance of having a robust TPRM for your business.

A well-structured TPRM strategy and framework, coupled with advanced technology, is essential for navigating the challenges posed by third-party relationships.

Investing in a comprehensive approach and technology can build resilience, enhance operational efficiency, jealously guard your reputation, and streamline the vendor assessment and onboarding process.

Take control of your vendor relationships today. Start your journey with Supplier Shield and ensure your business stays compliant, secure, and ahead of risks. Sign up now for a free trial and experience simplified Third-Party Risk Management.

‍