Appearance
Governance, Inventory and Risk Classification, and Data Quality
This page covers the three foundational areas FINMA looks at before execution: governance (§2.1), inventory and risk classification (§2.2), and data quality (§2.3). Together they establish the org-level footing on which per-application testing, documentation, explainability, and review then rest. It maps the org requirements ORF-439, ORF-440, ORF-442, ORF-443, ORF-444, and ORF-445, plus the two app requirements that belong to these areas — the per-use-case risk classification MRF-407 and the third-party assurance MRF-412.
FINMA published what it assessed, not new rules — a supervisory-readiness lens on its existing governance and risk-management framework, scaled by proportionality.
Primary source
FINMA, FINMA Guidance 08/2024: Governance and risk management when using artificial intelligence, 18 December 2024. This page draws on §2.1 (Governance), §2.2 (Inventory and risk classification), and §2.3 (Data quality), with the proportionality principle from §1 carried throughout. Official PDF.
The foundation at a glance
| Requirement | Area | What FINMA assessed | Exclusive control |
|---|---|---|---|
ORF-439 | Governance (§2.1) | Whether institutions with many or significant applications maintain a proportionate AI governance framework, including institution-wide model-testing and system-control requirements | — (reuses OCF-1, OCF-32) |
ORF-440 | Governance (§2.1) | Whether accountable ownership across development, implementation, monitoring, and use is defined and communicated, with top management owning oversight and reporting | — (reuses OCF-154, OCF-93) |
ORF-442 | Governance (§2.1) | Whether staff and others who develop, implement, monitor, or use AI have the necessary skills, via role-tiered training with tracked participation | — (reuses OCF-44) |
ORF-443 | Governance (§2.1) | Whether externally provided AI is identified and governed with additional tests, controls, contract clauses, and supplier-competence assurance | — (reuses OCF-131) |
ORF-444 | Inventory and classification (§2.2) | Whether a complete, centrally managed inventory on a broad AI definition exists, with consistent materiality and probability classification criteria | OCF-356 |
ORF-445 | Data quality (§2.3) | Whether internal rules keep AI data complete, correct, of integrity, with secured availability and access | OCF-357 |
MRF-407 | Inventory and classification (§2.2) | Whether each application is classified by materiality and probability against the institution's criteria, with rationale and re-classification on material change | — (reuses MCF-16) |
MRF-412 | Governance / outsourcing (§2.1) | Whether use cases dependent on outsourced AI apply additional tests and controls, allocate responsibilities and liability, and confirm supplier skills | — (reuses MCF-232, MCF-233) |
Governance (§2.1)
FINMA observed that institutions often focused on data-protection risk more than on model risk — robustness, correctness, bias, stability, explainability — and that AI development is frequently decentralised, which complicates consistent standards and clear role assignment. It also found that purchased AI or AI-enabled services sometimes left institutions unable to tell whether AI was involved at all, or which data and methods it used.
Against that, FINMA assessed whether institutions with many or significant applications maintain an AI governance framework. Modulos carries this across four org requirements.
ORF-439 — a proportionate AI governance framework. The institution actively considers AI's effect on its risk profile and aligns its governance, risk, and control systems, and — where it has many or significant applications — maintains an AI governance framework that includes institution-wide model-testing and system-control requirements.
ORF-440 — roles, responsibilities, and accountabilities. Accountable ownership is defined and communicated across development, implementation, monitoring, and use — including third-party activity — with matching authority. Top management explicitly owns oversight of the AI-management system and its reporting.
ORF-442 — competence and training. Staff and others who develop, implement, monitor, or use AI have the necessary skills, delivered through broad, role-tiered training with tracked participation and refreshed content.
ORF-443 — outsourcing and third-party AI governance. For externally provided AI applications and services, the institution establishes whether AI is included and which data and methods are used, applies additional tests, controls, and contract clauses on responsibility and liability, confirms provider skills and experience, and monitors performance on an ongoing basis. This requirement carries an explicit Applicability section: it applies where the organisation obtains any in-scope AI from an external provider, and is out of scope where all in-scope AI is developed and operated internally. ORF-443 is the org-level counterpart of the app-side MRF-412; the scoping evidence is the AI inventory, the external-provisions register, and the outsourcing reliance assessment.
Inventory and risk classification (§2.2)
FINMA found that some institutions defined AI narrowly, keeping only "larger or new" risks in scope, and that completeness was hard given how widely AI development is spread and how accessible generative AI has become. Not all institutions had consistent classification criteria.
FINMA assessed whether a sufficiently broad AI definition was used — benchmarked to the OECD definition of an AI system — and then assessed inventory existence and completeness and the risk classification applied. The guidance is explicit that AI is not high-risk per se: risk depends on complexity, adaptivity, autonomy, area of application, and process integration.
ORF-444 — inventory, scope, and risk classification (org). The institution maintains a centrally managed, complete inventory built on a broad AI definition, and defines consistent institution-wide materiality and probability classification criteria. This is the one place in the framework that needs a FINMA-exclusive control: OCF-356 ("AI risk classification methodology") documents the org-wide criteria — the materiality and probability factors, the tiers and thresholds, and the "AI not high-risk per se" stance. It is not reused, because the inventory-existence control OCF-14 records that the inventory exists and the project-scope MCF-16 classifies a single application; neither sets the org-wide methodology.
MRF-407 — per-use-case risk classification (app). Each application is classified by materiality and probability against the institution's own criteria, recording its tier, the rationale, and the decision-makers, and is re-classified on material change. It reuses MCF-16. The two sides connect at the classification seam: ORF-444 sets the criteria; MRF-407 applies them per application.
The guidance names the factors each classification weighs, non-exhaustively:
| Axis | Factors (§1, footnote 2) |
|---|---|
| Materiality | significance for compliance with financial-market legislation; financial impact; legal and reputational risk; relevance of the product for the company; number and type of clients or investors affected; importance of the product for them; consequences of errors or failure |
| Probability of risk | complexity (explainability, predictability); type and amount of data (unstructured data, integrity, appropriateness, personal data); unsuitable development or monitoring processes; degree of autonomy and process integration; dynamics (short calibration cycles); linkage of several models; potential for attacks or failures (raised by outsourcing) |
Data quality (§2.3)
Some institutions had defined no data-quality requirements or controls at all. FINMA's point is direct: because AI often learns automatically from data, data quality frequently matters more than the choice of model. Data can be incorrect, inconsistent, incomplete, unrepresentative, or outdated; historical bias can carry forward; purchased solutions obscure the underlying data; and unstructured data such as text and images is harder to quality-check.
FINMA assessed whether institutions had defined requirements — in internal rules and directives — for the completeness, correctness, and integrity of the data used by AI, and for secured availability of and access to it.
ORF-445 — data-quality standards for AI. The institution maintains internal rules and directives keeping AI data complete, correct, of integrity, and with secured availability and access, covering representativeness and historical bias, purchased-data blind spots, and unstructured-data quality. This carries the FINMA-exclusive control OCF-357 ("Set data quality directives for AI"), which sets institution-wide directives — distinct from controls such as OCF-105 that document data but do not establish the directives.
Cross-framework mapping (preview)
Preview
The foundational areas sit adjacent to frameworks Swiss institutions commonly run, at a high level only:
- ISO/IEC 42001 — the AI governance framework, roles, and life-cycle responsibilities correspond to the management-system leadership and planning clauses; the inventory and classification align with context-of-organisation and operational-planning clauses (clause 8).
- EU AI Act — the materiality-and-probability classification maps onto the Act's risk-classification spine, though FINMA's is institution-defined rather than a fixed statutory tiering.
- NIST AI RMF — governance, inventory, and data quality align with the Govern and Map functions.
These are framework-level adjacencies; cross-framework reuse is realised at the control layer, not as clause-by-clause equivalence.
Related pages
FINMA AI Governance overview
Framework structure, scope, proportionality, and the OFF-22 / MFF-22 split
Testing, monitoring, documentation, and review
The four evidentiary and operational areas that build on this foundation — ORF-441/446, MRF-408–411
Operationalizing in Modulos
The OFF-22 / MFF-22 rollout sequence, control split, and evidence model
Source attribution
The authoritative source is FINMA Guidance 08/2024, Governance and risk management when using artificial intelligence, published 18 December 2024 by the Swiss Financial Market Supervisory Authority. This page draws on §2.1 (Governance), §2.2 (Inventory and risk classification), and §2.3 (Data quality), with the proportionality principle from §1. The OECD definition of an AI system (OECD, Explanatory Memorandum on the Updated OECD Definition of an AI System, March 2024) is the inventory-breadth benchmark FINMA cites. Requirement and control codes are Modulos template identifiers, not FINMA references.
Disclaimer
This page is for general informational purposes and does not constitute legal advice. FINMA Guidance 08/2024 applies FINMA's existing supervisory framework to AI and creates no new obligations; institutions remain fully responsible for their own compliance. Verify against the current published edition and consult qualified advisers.