Risk Management · FINMA
May 2026

FINMA Risk Monitor: focusing on sustainable bank operations

FINMA publishes its Risk Monitor annually, setting the supervisory agenda for the year ahead. For boards and management teams of Swiss private banks, this document is not background reading — it is a direct communication from the regulator about where supervisory scrutiny will fall. This article offers a practitioner's reading: what FINMA is signalling, what it means in practice, and what institutions should be doing in response.

Reading the Risk Monitor as a practitioner

The FINMA Risk Monitor is one of the most consequential documents a Swiss bank's board and senior management will encounter in any given year. Yet in many institutions it is treated as a compliance communications exercise — noted, circulated to the risk function, and filed. This is a significant misreading of the document's purpose and consequences.

The Risk Monitor is FINMA's public statement of supervisory intent. It tells supervised institutions, in plain terms, where the regulator sees risk accumulating in the Swiss financial system, which risk categories will receive intensified supervisory attention in the coming period, and — by implication — where institutions that have not adequately addressed these risks will face direct supervisory engagement. Boards that have not read and discussed the Risk Monitor are not exercising adequate oversight. Management teams that have not mapped their institution's position against the Monitor's risk categories are not managing risk effectively.

The document's language is measured and technical, as befits a regulatory publication. But behind the measured language, the Risk Monitor makes specific supervisory commitments. When FINMA identifies a risk category as a priority, on-site inspections, supervisory letters, and thematic reviews will follow. The institutions that are best prepared are those that have treated the Risk Monitor as an action document — not a reading document.

What the Risk Monitor is and is not

The FINMA Risk Monitor is a public document published annually, typically in the fourth quarter. It identifies the principal risks FINMA observes in the Swiss financial sector and sets out the regulator's supervisory priorities for the year ahead. It is not a list of FINMA's current enforcement actions, nor a comprehensive survey of all risks facing Swiss banks. It is a selective, forward-looking communication — and the risks it identifies for emphasis are exactly the risks that will receive disproportionate supervisory attention.

The principal risk categories: what FINMA is watching

While the specific content of the Risk Monitor evolves from year to year, several risk themes have been consistent supervisory priorities for Swiss private banks over recent years and remain at the core of FINMA's risk assessment. Understanding these not as a static list but as a dynamic and evolving set of concerns is the starting point for an intelligent institutional response.

Risk 01 · Interest rate & credit risk · Elevated priority
The interest rate normalisation of recent years has exposed significant valuation and duration mismatches in bank balance sheets. FINMA monitors whether institutions have adequately stress-tested their interest rate risk in the banking book (IRRBB) and adjusted their risk appetite accordingly.

Risk 02 · Cyber & operational risk · Elevated priority
Cyber risk has become a top-tier supervisory concern. FINMA expects institutions to have mature cyber risk governance, tested incident response capabilities, and robust third-party ICT risk management — requirements that DORA now formalises for EU-connected institutions.

Risk 03 · AML & financial crime · Elevated priority
Switzerland's position as a global wealth management centre makes AML compliance a perennial FINMA priority. The regulator has intensified scrutiny of correspondent banking relationships, PEP management, and the quality of suspicious activity reporting — particularly in private banking and cross-border wealth management.

Risk 04 · Real estate & concentration risk · Ongoing monitoring
Real estate lending remains a concentration risk concern for Swiss banks, particularly in the context of rising interest rates and valuation corrections. FINMA monitors sectoral concentration limits, collateral quality, and the adequacy of stress-testing assumptions for real estate portfolios.

Risk 05 · Climate & ESG risk · Growing emphasis
FINMA has moved climate-related financial risk from an emerging concern to an active supervisory priority. Institutions are expected to have governance processes for identifying and managing climate-related risks, with disclosure expectations increasing in line with EU and TCFD frameworks.

Risk 06 · Liquidity & funding risk · Under close watch
The Credit Suisse episode demonstrated that liquidity risk can materialise rapidly and with systemic consequences. FINMA's scrutiny of liquidity risk management frameworks — particularly at institutions with significant cross-border operations — has intensified significantly.

What sustainability means in FINMA's supervisory language

The concept of sustainable bank operations has become increasingly central to FINMA's supervisory philosophy — and it is worth unpacking what this means in practice, because the term carries more specific regulatory content than its everyday usage suggests.

For FINMA, sustainability in banking operations refers to the capacity of an institution to maintain its regulatory compliance and risk management discipline across all phases of the business cycle — including periods of stress, market dislocation, and management change. An institution whose compliance programme functions adequately in normal conditions but degrades under pressure is not, in FINMA's assessment, operating sustainably. An institution that maintains adequate capital ratios in benign market conditions but has not stress-tested its position against severe but plausible scenarios is not managing risk sustainably.

This framing has direct implications for how FINMA evaluates the quality of compliance and risk management frameworks. The regulator is not satisfied by point-in-time compliance — it wants to see evidence that institutions have the governance structures, the risk culture, and the organisational resilience to maintain standards when conditions are difficult. This is a materially higher bar than many institutions have historically applied to their own self-assessment.

"FINMA is not asking whether your institution is compliant today. It is asking whether your institution is built to remain compliant when conditions make compliance difficult."

Translating the Risk Monitor into institutional action

The practical question for boards and senior management is how to convert the Risk Monitor from a document they have read into actions that genuinely reduce supervisory risk. The following framework offers a structured approach to this translation.

Five-step Risk Monitor response framework
1. Map institutional exposure to each priority risk
For each risk category identified in the Monitor, assess your institution's current exposure level, the maturity of your management framework, and any known gaps. This mapping should be conducted by the first and second lines jointly, with the output presented to the risk committee and board.

2. Prioritise remediation actions by supervisory risk
Not all gaps carry equal supervisory risk. Prioritise remediation actions based on the combination of gap severity and FINMA's stated supervisory emphasis. A moderate gap in a risk category FINMA has specifically highlighted warrants faster remediation than a larger gap in a lower-priority area.

3. Review board and risk committee reporting
Ensure that board and risk committee reporting gives adequate visibility into the risk categories the Monitor identifies as priorities. If the current management information pack does not give the board a clear view of the institution's position on cyber risk, AML quality, or IRRBB — restructure it. FINMA will look at board MI quality in any on-site review.

4. Update stress testing and scenario analysis
FINMA's risk priorities should inform the scenarios used in ICAAP and ILAAP stress testing. If the Monitor identifies climate risk or liquidity risk as elevated concerns, your stress testing programme should include scenarios that specifically test resilience against these risk categories — and the results should be presented to the board.

5. Document the institutional response
Maintain a documented record of how the institution has assessed and responded to the Risk Monitor. If FINMA conducts an on-site review and asks how the institution responded to a specific risk the Monitor identified, the ability to produce a clear, documented response is evidence of genuine governance engagement — and its absence is evidence of the opposite.

Risk-specific responses for Swiss private banks

The generic response framework above applies to all FINMA-supervised institutions. For Swiss private banks specifically, three risk categories from the Monitor warrant particular attention given the sector's structural characteristics.

AML and financial crime compliance

Swiss private banking's exposure to high-risk client categories — politically exposed persons, clients from elevated-risk jurisdictions, complex ownership structures and offshore vehicles — makes AML compliance a structural priority rather than a cyclical one. FINMA's supervisory expectations in this area have escalated materially over the past decade, and the enforcement track record demonstrates that the regulator will act decisively where it identifies systemic AML governance failures.

The most common deficiency FINMA identifies in private bank AML frameworks is not the absence of policies — most institutions have adequate written frameworks — but the gap between policy and practice. Transaction monitoring thresholds calibrated to past risk profiles rather than current client behaviour. Enhanced due diligence procedures that are applied inconsistently. Suspicious activity reporting that is delayed or qualified in ways that reduce its utility to FINMA and law enforcement. These operational deficiencies are the target of FINMA's AML supervisory programme, and they require operational remediation, not policy revision.

Cyber and operational resilience

The intersection of cyber risk and FINMA's sustainability concept is particularly sharp. An institution that suffers a significant cyber incident and demonstrates that its incident response capability was inadequate, its board was not informed promptly, and its recovery planning was untested has demonstrated, in FINMA's assessment, a fundamental governance failure — not merely an operational one.

Private banks have historically been slower than universal banks to invest in cyber risk governance, partly because their technology infrastructure is less complex and partly because their client-facing systems are less exposed than those of retail banks. This relative position has narrowed significantly as private banks have digitalised their client journeys and increased their reliance on third-party technology providers. The cyber risk profile of a modern Swiss private bank is materially different from what it was a decade ago — and the governance framework needs to reflect this.

Climate and ESG risk

FINMA's escalating focus on climate-related financial risk is not primarily driven by ESG conviction — it is driven by the recognition that physical and transition climate risks represent material financial exposures that are not yet adequately reflected in most institutions' risk frameworks. For Swiss private banks, the most immediate practical implications relate to the climate risk profile of lending portfolios (particularly real estate and lombard lending collateral), the governance of ESG-linked investment products, and the growing disclosure obligations under Swiss and EU frameworks.

Institutions that have not yet conducted a structured climate risk assessment — mapping their exposures to physical and transition risks across asset classes — are behind the supervisory curve. FINMA's expectations will only increase in this area, and the gap between current practice and regulatory expectation is narrowing faster than many institutions' implementation timelines allow.

The board's role: from recipient to respondent

The FINMA Risk Monitor is addressed, in a meaningful sense, to the board. It is the board that bears ultimate accountability for the institution's risk management framework, and it is the board that FINMA will hold accountable if supervisory engagement reveals that priority risks were not adequately managed.

This accountability requires boards to move from being passive recipients of the Risk Monitor — receiving a management summary and noting it — to being active respondents. In practice, this means the board's risk committee should formally consider the Risk Monitor at the meeting following its publication, should receive a management assessment of the institution's position against each priority risk, should challenge that assessment where appropriate, and should satisfy itself that the institution's response is adequate.

The minutes of this discussion matter. FINMA's on-site examiners will review board and risk committee minutes as part of their governance assessment. Evidence that the board substantively engaged with the Risk Monitor is qualitative evidence of governance maturity. Its absence — a one-line note that the Monitor was circulated — is the opposite signal.

Supervisory intelligence

FINMA's on-site supervisory teams use the Risk Monitor as a reference framework when evaluating institutions' governance and risk management. Examiners will ask senior management how the institution assessed its position against the Monitor's priority risks, what actions were taken, and whether the board was engaged. Institutions that can demonstrate a structured, documented response to the Monitor are in a materially better position than those that treated it as background reading.

Sustainable operations as a competitive discipline

The concept of sustainable bank operations, as FINMA articulates it, is not only a regulatory concept. It is a competitive discipline. Institutions that maintain governance and risk management standards across all market conditions — that do not cut compliance investment when margins are under pressure, that do not expand risk appetite when business development targets are missed, that maintain consistent standards in their highest-risk client relationships — these institutions build the regulatory capital that matters most in the long run: FINMA's confidence.

That confidence translates directly into commercial value. An institution with a clean supervisory track record can pursue business opportunities — new client categories, new products, cross-border expansion — that an institution under FINMA's remediation focus cannot. It can attract senior talent that prefers working in a well-governed institution. It can develop relationships with correspondent banks and custodians that require demonstrated governance quality. The return on investment in sustainable operations is real — it is simply distributed across time horizons that are longer than many management incentive structures accommodate.

This is ultimately the message that boards of Swiss private banks need to internalise from the FINMA Risk Monitor: not merely that these are the risks FINMA is watching, but that managing them well — consistently, over time, through the discipline of genuine governance rather than the performance of compliance — is one of the most strategically valuable things an institution can do.

Stanislav Bogomolov
Governance & Compliance Leader · Swiss Private Banking & Wealth Management
Senior GRC professional with extensive experience in Swiss private banking and wealth management. Writing on governance, risk management, compliance, board leadership and digital transformation — for practitioners, board members and senior management navigating the Swiss and EU regulatory environment.