Appearance
FINMA AI Governance — Guidance 08/2024 on Governance and Risk Management When Using AI
FINMA Guidance 08/2024, Governance and risk management when using artificial intelligence, is the supervisory publication this framework operationalizes. It was issued by the Swiss Financial Market Supervisory Authority (FINMA) on 18 December 2024. It reports what FINMA found across its supervised institutions and lays out the seven areas it assessed in supervisory reviews and on-site inspections — governance; inventory and risk classification; data quality; tests and ongoing monitoring; documentation; explainability; and independent review.
Switzerland has no AI-specific financial-market legislation; FINMA reads its existing technology-neutral, principle-based supervisory framework onto the use of AI, scaled to each institution and application. Modulos models the guidance as two paired templates: OFF-22 for institution-level governance and risk management, and MFF-22 for per-use-case execution.
Quick decision — is this framework for you?
- You are a FINMA-supervised institution — bank, insurer, asset manager, or fintech — using or planning AI → this is your framework. Start with Governance, inventory, and data quality to stand up the foundation FINMA assesses first.
- You already run ISO/IEC 42001, an EU AI Act, or a NIST AI RMF programme → treat FINMA AI Governance as a supervisory-readiness overlay. Thirty of its 34 mapped controls are ones you may already operate; only four are new. The operationalizing playbook is the fastest route in.
- You need to classify applications before scaling effort → proportionality drives everything here. Classify first (ORF-444 / MRF-407), then scale testing, documentation, and review to materiality — see Testing, monitoring, documentation, and review.
- You have no structured AI governance yet →
OFF-22/MFF-22can be your first structured AI programme in Modulos, deliberately compact at 14 requirements.
Primary source
FINMA, FINMA Guidance 08/2024: Governance and risk management when using artificial intelligence, published 18 December 2024, Swiss Financial Market Supervisory Authority. Official PDF and FINMA Guidance overview. Always verify claims against the current published edition.
Key facts
Publisher
FINMA (Swiss Financial Market Supervisory Authority)
Published
18 December 2024
Type
Supervisory guidance — technology-neutral existing framework applied to AI
Scope
FINMA-supervised institutions (banks, insurers, asset managers, fintechs) using AI
Structure
7 assessment areas, 7 source pages
Modulos templates
OFF-22 (org) + MFF-22 (app) — 14 requirements, 4 exclusive + 30 shared controls
What the guidance is
FINMA published Guidance 08/2024 to state, in one place, what it observed about AI use across its supervised population and what it assessed in supervisory reviews and on-site inspections. It is not a new law and not a new rulebook. Switzerland has no AI-specific financial-market legislation, so FINMA applies its existing, technology-neutral supervisory framework — effective governance and effective risk management — to the use of AI. The Outlook section states the direction plainly: FINMA "strives for a technology-neutral, proportional and standardised approach across all sectors, taking into account significant differences between the sectors and international standards."
The proportionality principle carries through every area. As the guidance puts it: "FINMA expects supervised institutions that use AI to actively consider the impact of this use on their risk profile and to align their governance, risk management and control systems accordingly." Depth scales along two axes — the institution's size, complexity, structure and risk profile, and each application's materiality and the probability that its risks materialise. AI is not treated as high-risk per se; risk depends on complexity, adaptivity, autonomy, area of application, and process integration.
What counts as in scope
FINMA supervises banks, insurers, asset managers, and fintechs among others, and the guidance reaches AI use across all of them. There is no separate scoping questionnaire; the proportionality principle sets how much each institution and application attracts.
| Boundary | In scope | Out of scope |
|---|---|---|
| Institution | FINMA-supervised financial institutions of any sector using AI | Entities not supervised by FINMA |
| AI definition | A sufficiently broad definition, benchmarked to the OECD definition of an AI system, so that not only "larger or new" uses are captured | Nothing is descoped by narrowing the AI definition — the guidance flags narrow definitions as a supervisory weakness |
| Depth of expectation | Scaled by proportionality — institution profile and per-application materiality and probability of risk | A blanket, one-size-fits-all bar; AI is not high-risk per se |
How the framework is structured in Modulos
Modulos splits the guidance into institution-level governance and risk management (OFF-22) and per-use-case execution (MFF-22).
| Template | Project type | Holds | Requirements |
|---|---|---|---|
OFF-22 — FINMA AI Governance (org) | Organisation | A proportionate AI governance framework, roles and accountabilities, documentation and competence standards, outsourcing and third-party oversight, a risk-classified AI inventory, data-quality standards, and an independent review function | 8 (ORF-439–ORF-446) |
MFF-22 — FINMA AI Governance (app) | AI application | Per-use-case risk classification, testing and ongoing monitoring, documentation of material applications, explainability, independent review of material applications, and third-party AI assurance | 6 (MRF-407–MRF-412) |
The 14 requirements cover the seven assessment areas. Three expectations are homed on both an org and an app requirement at the natural seam between setting policy and applying it — risk classification (ORF-444 / MRF-407), third-party AI (ORF-443 / MRF-412), and independent review (ORF-446 / MRF-411).
The seven assessment areas
Modulos groups the seven areas onto two topic pages.
Foundational areas — Governance, inventory, and data quality:
- Governance (§2.1). Whether institutions with many or significant applications maintain an AI governance framework — a centrally managed risk-classified inventory, defined life-cycle responsibilities, model-testing and system-control requirements, documentation standards, and training, plus additional tests, controls, contract clauses, and supplier-competence assurance for outsourcing. Requirements:
ORF-439,ORF-440,ORF-442,ORF-443, and the app-side third-party assuranceMRF-412. - Inventory and risk classification (§2.2). Whether a sufficiently broad AI definition is used (OECD benchmark) and a complete, centrally managed inventory exists, with consistent institution-wide materiality and probability classification. Requirements:
ORF-444(org) andMRF-407(per-application). - Data quality (§2.3). Whether internal rules define completeness, correctness, and integrity of AI data, and secured availability of and access to it. Requirement:
ORF-445.
Evidentiary and operational areas — Testing, monitoring, documentation, and review:
- Tests and ongoing monitoring (§2.4). Whether tests for data quality and functionality are scheduled, experts set expectations and indicators in advance, thresholds are defined, drift is monitored, and overridden or ignored outputs are analysed. Requirement:
MRF-408. - Documentation (§2.5). Whether institution-wide documentation standards exist and, for material applications, documentation covers purpose, data, model, testing, and fallback. Requirements:
ORF-441(org standards) andMRF-409(material applications). - Explainability (§2.6). Whether results can be understood, explained, and reproduced — with depth rising where decisions must be justified to investors, clients, employees, the supervisor, or the audit firm. Requirement:
MRF-410. - Independent review (§2.7). Whether development and independent review are structurally separate and, for material applications, a qualified reviewer gives an objective, informed, unbiased opinion fed back into development. Requirements:
ORF-446(org function) andMRF-411(material applications).
How FINMA AI Governance compares to other frameworks
Cross-framework mapping (preview)
Thirty of the 34 mapped controls are shared with frameworks institutions commonly run:
- ISO/IEC 42001 — the AI management-system standard. FINMA's governance, inventory, and life-cycle expectations correspond to the management-system leadership and operational-control clauses; the third-party AI controls
MCF-232/MCF-233are Annex A.10.2/A.10.3-derived. See ISO 42001. - EU AI Act — product-safety-style obligations with a risk-classification spine that maps onto FINMA's materiality and probability classification. See EU AI Act.
- NIST AI RMF — the govern/map/measure/manage functions align with FINMA's governance, inventory, testing, and monitoring areas. See NIST AI RMF.
- MAS FEAT — the Monetary Authority of Singapore's fairness, ethics, accountability, and transparency principles for financial-sector AI; several of the shared controls are already used there. See MAS FEAT.
In Modulos this reuse is realised at the control layer: the same control objects behind OFF-22 / MFF-22 are reused by other framework templates, so evidence recorded once can serve multiple frameworks. This preview does not assert clause-by-clause equivalence to any instrument.
Full side-by-side: AI governance frameworks comparison.
How Modulos operationalizes FINMA AI Governance
The two templates run together: OFF-22 sets institution-level policy and posture once, and each MFF-22 project produces the per-use-case execution evidence that shows the policy is met for a given AI application.
Each requirement is evidenced through a readiness signal plus owner-attested fulfilment — not through reviews, which are reserved for control status changes. All FINMA-specific language is anchored in the requirement text; the reused shared controls carry no FINMA-specific wording.
Framework mapping
Four layers, one reusable spine.
Frameworks
EU AI Act
ISO 42001
Requirements
Art. 9.1Risk management
Art. 10.2Data governance
6.1.1Risk assessment
Components
Risk identification
Impact analysis
Evidence
Risk register
Test results
Controls
The reusable spine
One control satisfies many requirements across many frameworks, and groups the components and evidence beneath them.
Risk assessment process
Data validation checks
Edge from any layer card crosses into the Controls spine — the same control may serve a regulatory article, a standards clause, a downstream component, and the evidence that closes it.
→ Full rollout: Operationalizing FINMA AI Governance in Modulos — project structure, the requirement-to-area mapping, the control-library split, the proportionality-ordered rollout sequence, and the evidence model.
Getting started
Governance, inventory, and data quality
The three foundational areas — governance, the risk-classified inventory, and data-quality standards. ORF-439/440/442/443/444/445, MRF-407/412
Testing, monitoring, documentation, and review
The four evidentiary and operational areas — testing and monitoring, documentation, explainability, and independent review. ORF-441/446, MRF-408–411
Operationalizing in Modulos
The OFF-22 / MFF-22 rollout: project structure, mapping, control split, sequence, and evidence
Frequently asked questions about FINMA AI Governance
Is the guidance mandatory, and does it create new obligations?
The guidance creates no new obligations — Switzerland has no AI-specific financial-market law, so FINMA reads its existing effective-governance and risk-management expectations onto the use of AI. What it does is make those supervisory expectations explicit: FINMA published what it assessed whether institutions do. For a FINMA-supervised institution the practical bar is therefore higher than a purely voluntary framework, because the expectations trace back to existing obligations under Swiss financial-market law; in the Modulos catalogue the templates carry the Guidance label, which reflects the instrument type.
How does FINMA AI Governance relate to an ISO 42001 or EU AI Act programme already in place?
It reuses most of what those programmes already produce. Thirty of the 34 mapped controls are shared with ISO/IEC 42001, the EU AI Act, NIST AI RMF, or MAS FEAT, so an institution running one of those largely evidences FINMA AI Governance from artefacts it already holds; only the four FINMA-exclusive controls are new. Cross-framework reuse in Modulos happens at the control layer, not as any assertion of clause-level equivalence.
Source attribution
This page summarises FINMA Guidance 08/2024, Governance and risk management when using artificial intelligence, published 18 December 2024 by the Swiss Financial Market Supervisory Authority (official PDF). The guidance applies FINMA's existing technology-neutral supervisory framework; the operational-risk provisions of the Capital Adequacy Ordinance (Art. 89 CAO), which FINMA cites, provide the legal backdrop and are not themselves requirement sources. The guidance itself references no FINMA circular. Requirement and control codes (OFF-22, MFF-22, ORF-, MRF-, OCF-, MCF-) are Modulos template identifiers, not FINMA references.
Disclaimer
This page is for general informational purposes and does not constitute legal advice. FINMA Guidance 08/2024 supplements — it does not replace — applicable Swiss law and FINMA requirements, and it creates no new obligations; the Guidance label on the Modulos templates reflects the instrument type. Institutions remain fully responsible for their own legal and regulatory compliance. Always verify against the current published edition and consult qualified advisers.