Supplier Shield logo vendor risk management solution

The Importance of third-party risk management in Switzerland's strict regulatory framework

the-importance-of-third-party-risk-management-in-switzerlands-strict-regulatory-framework

As you partner with more vendors and suppliers to increase your capabilities and gain a competitive advantage, your reputational and regulatory risks also increase. 

Forrester predicted that in 2022, 60% of all security incidents will result from third-party issues, highlighting the importance of third party relationship management. 

In a highly regulated environment like Switzerland, ensuring new and existing vendors and partners do not significantly threaten your operations and reputation is paramount. 

In this article, we explore the importance of third-party risk management (TPRM) in relation to the regulatory landscape in Switzerland. We’ll examine some key regulations in Switzerland, such as the Federal Act on Data Protection (FADP), Circular 2018/3, and the Anti-Money Laundering Act (AMLA), and explore their implications for managing third-party relationships.

Switzerland's regulatory framework

Switzerland’s approach to its regulatory framework emphasizes self-regulation (particularly in the banking sector) in parts, and flexibility and cooperation between government agencies and private businesses. 

This approach ensures regulations are tailored to specific risks unique to each industry, allowing flexibility while maintaining high regulatory standards without stifling innovation. 

Key regulations affecting third-party relationships include the Federal Act on Data Protection (FADP), which mandates stringent data handling and sharing requirements, particularly when engaging with external service providers. 

The Circular 2018/3 issued by the Swiss Financial Market Supervisory Authority (FINMA) outlines specific guidelines for outsourcing business functions for the Swiss financial sector.

The recent updates to the Anti-Money Laundering Act (AMLA) reflect the country’s commitment to combating financial crime, like money laundering and terrorism funding. 

Additionally, the Ordinance on Due Diligence and Transparency in relation to Minerals and Metals from Conflict-Affected Areas and Child Labour underlines the country’s commitment ethical supply chains and human rights.   

Below, we examine these regulations and highlight essential requirements focused on third-party relationships. 

Data protection and cybersecurity

Data protection and cybersecurity

The Federal Act on Data Protection (FADP) is the primary regulation guiding the processing and transfer of personal data in Switzerland to protect the data privacy act of legal entities. 

In addition to the law mentioned above, the Federal Data Protection and Information Commissioner (FDPIC) has released ordinances, particularly the Ordinance on Data Protection (ODP) and the Ordinance on Data Protection Certification, to clarify and concretize some of the stipulations in the FADP. 

The FADP applies to data processing that “have an effect in Switzerland, even if they were initiated abroad.” The law covers collecting, storing, altering, disclosing to third parties, archiving, or other personal data uses.

Here are the significant features of the FADP and ordinances, mainly as they concern third-party relationships:

Leverage Supplier Shield’s suite of cybersecurity and data privacy tools to keep user personal data safe and secure per Swiss regulations. 

Technology procurement or outsourcing

Technology procurement or outsourcing

Although Switzerland does not have a general law regarding procuring technology products and services for private businesses, industry-specific regulations guide outsourcing material business functions to third-party service providers. 

The Circular 2018/3 by the Swiss Financial Market Supervisory Authority (FINMA) provides the regulatory requirements financial market participants, including banks, insurance companies, and securities dealers, must meet while varying secrecy obligations bind industries like telecommunications and healthcare. 

Some of the highlights of Circular 2018/3 include:

Switzerland’s anti-money laundering framework

Switzerland’s anti-money laundering framework

The Anti-Money Laundering Act (AMLA) and the Anti-Money Laundering Ordinance (AMLO) are the bedrock of the anti-money laundering (AML) landscape for financial intermediaries in Switzerland. 

AMLA passed in 1997 and has undergone multiple modifications over the years. One of its most recent updates was in 2021, with changes specific to third-party relationships. 

The new update required Swiss banks and businesses like casinos to verify the ultimate beneficial ownership (UBO) of all organizations they work with. 

The UBO refers to “the natural person(s) who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted.” 

Swiss financial institutions must also meet other requirements, such as implementing necessary organizational measures to curb money laundering. 

There’s been much more scrutiny of the banking sector, with the Swiss National Bank and FINMA working together to create more stringent financial market laws in the wake of the Credit Suisse crisis. 

Supply chain due diligence

Companies exposed to potential child labor and conflict minerals must disclose these risks. 

Businesses that import or process tin, tantalum, tungsten, or gold coming from conflict areas are subject to the “Ordinance on Due Diligence and Transparency in relation to Minerals and Metals from Conflict-Affected Areas and Child Labour” if the total imports meet a specified threshold. 

More importantly, Swiss businesses with supply chain operations or partners in jurisdictions with a high risk of child labor are equally subject to due diligence and reporting obligations. Per the ordinance, high-risk countries have Enhanced or Heightened classification in the Children’s Rights in the Workplace Index report. 

There have also been mooted new regulations targeted at current non-financial reporting obligations, set to be modeled after the Corporate Sustainability Reporting Directive (CSRD) by the European Union. 

Importance of TPRM for Swiss companies

Importance of TPRM for Swiss companies

According to a survey by Gartner, 84% of respondents reported operational disruptions due to actions, activities, and incidents from a third-party provider. 

Furthermore, 64% and 60% reported adverse financial impact and increased regulatory scrutiny due to third-party incidents beyond their control. 

These survey responses underscore the increasing inherent risks associated with third-party vendors, suppliers, and service providers. While these partnerships undoubtedly bring operational value and competitive advantage, they also exacerbate existing risks and introduce new and significant ones.

Effective third-party risk management (TPRM) is crucial to mitigate these risks and unlock the benefits of third-party relationships.

The high cost of neglecting TPRM

The consequences of not having or having an inadequate TPRM can be catastrophic. 

Data breaches, cyberattacks, and operational failures within a third party can result in direct financial losses due to remediation costs, legal expenses, and lost revenue. 

The recent outage due to Crowdstrike’s software glitch is a case in point, with the outage costing Fortune 500 companies over $5 billion in direct losses alone. Delta’s CEO claims the company lost over $500 million due to the IT outage. The same outage led to disruptions at many Swiss airports

While it may be challenging to eliminate outages or disruptions like the above totally, a solid TPRM framework ensures you’ve conducted a comprehensive risk assessment and prepared a contingency plan for mitigating the identified risks. 

Aside from revenue loss, other potential issues arising from poor TPRM include:

Reputational damage 

A third-party incident can severely damage an organization’s brand and customer trust. This can lead to customer churn, decreased market share, and difficulty attracting new business.   

Glencore was recently fined CHF 2 million for failing “to take the required and reasonable organizational measures with regard to the bribery of foreign public officials by a business partner.”

Because of its soiled reputation, the Switzerland Department of Foreign Affairs ended its sponsorship agreement with Glencore. 

Reduce exposure to vendors and suppliers that can damage your hard-earned reputation with Supplier Shield, the leading TPRM solution designed for speed and precision. 

Regulatory penalties 

Non-compliance with data privacy, security, or industry-specific regulations due to third-party failures can result in hefty fines, legal repercussions, and an inability to operate in certain jurisdictions.

In Switzerland, companies and third-party processors may face fines of up to CHF 250,000 ($280,000) if they are found to have intentionally violated data protection laws.

Business disruption 

Operational disruptions caused by third-party issues can impact supply chains, customer service, and overall business continuity. 

Just recently, in August 2024, Swiss company Schlatter Group couldn’t access parts of its IT network after a ransomware attack. 

The benefits of adopting TPRM 

The benefits of adopting TPRM 

A well-thought-out TPRM can mitigate the above risks and deliver substantial benefits like: 

Improved efficiency

By centralizing and automating many aspects of the TPRM process, you can streamline vendor assessment, onboarding, and monitoring, freeing up resources and allowing more proactiveness.

Additionally, third-party monitoring is both tedious and continuous, and having the ability to automate such a process increases your efficiency. 

Enhanced regulatory compliance

With many complex and interwoven regulations and laws both domestically and internationally, it is pretty easy for things to slip through the cracks. 

A robust TPRM program helps you stay ahead of current and evolving regulatory requirements by ensuring that third parties meet the necessary standards.

When respondents in a survey by EY were asked to what extent TPRM has improved their ability to meet regulatory requirements, 44% of respondents chose “some,” 29% chose “moderately,” and 8% chose “high.” Only 2% of respondents chose “not at all,” emphasizing how TPRM helps with regulatory compliance.  

Resilience and adaptability to an ever-changing regulatory Environment

A proactive approach to TPRM empowers you to identify potential disruptions early and develop contingency plans, enhancing your ability to withstand the threats posed by these risks.  

Building contingency plans for critical business processes ensures you suffer little to no disruptions even when third parties suffer the same. 

Additionally, new laws and regulations are emerging regularly. If you’re operating in multiple jurisdictions, keeping up with these changes adds another complicated layer to an already complex challenge. 

Third-party risk management provides the tools and processes needed to navigate this complex environment effectively. When asked how much TPRM has improved their resiliency, 41% of respondents answered “moderately” or “very high.” 

Ability to do business with entities in other countries

An effective TPRM program can facilitate business expansion by enabling you to confidently partner with new vendors, including those in regulated markets like the EU. 

The Digital Operational Resilience Act (DORA), for example, emphasizes the importance of third-party risk management for financial institutions operating in the EU.

Ensuring you and your partners comply with regulations like DORA, GDPR, and NIS2 enables you to engage with European entities, providing returns on your TPRM investments.

About 77% of respondents reported gaining at least “some” return on their TPRM investments. 

Supplier Shield ensures your vendors or suppliers comply with DORA, GDPR, and NIS2 regulations. 

Cost savings

Implementing a TPRM framework and technology can reduce the costs associated with third-party incidents, regulatory fines, and reputational damage.

Beyond avoiding direct financial loss from fines and business disruptions, effective TPRM can also lower operational costs by streamlining vendor management processes and ensuring that third-party relationships are managed more efficiently.

Additionally, safeguarding your company’s reputation through continuous risk management can help you avoid the long-term financial repercussions of lost business and diminished customer trust. 

Leveraging technology for effective TPRM

Leveraging technology for effective TPRM like Supplier Shield

Technology plays an integral role in facilitating an effective TPRM. Advanced platforms and tools like Supplier Shield can automate time-consuming tasks, improve data accuracy, and provide real-time insights into third-party risk.

Key benefits of TPRM technology include:

Takeaway: Protecting your business through effective third-party risk management

Switzerland's complex regulatory landscape and businesses' increasing reliance on third parties underscores the critical importance of having a robust TPRM for your business.

A well-structured TPRM strategy and framework, coupled with advanced technology, is essential for navigating the challenges posed by third-party relationships. 

Investing in a comprehensive approach and technology can build resilience, enhance operational efficiency, jealously guard your reputation, and streamline the vendor assessment and onboarding process.

Take control of your vendor relationships today. Start your journey with Supplier Shield and ensure your business stays compliant, secure, and ahead of risks. Sign up now for a free trial and experience simplified Third-Party Risk Management.

If you want to simplify your Third Party Risk Management, click here for a free consultation.

Book Now
window.lintrk('track', { conversion_id: 18991738 });