Skip to content

FINMA AI Governance — Guidance 08/2024 on Governance and Risk Management When Using AI

FINMA AI Governance illustration

FINMA Guidance 08/2024, Governance and risk management when using artificial intelligence, is the supervisory publication this framework operationalizes. It was issued by the Swiss Financial Market Supervisory Authority (FINMA) on 18 December 2024. It reports what FINMA found across its supervised institutions and lays out the seven areas it assessed in supervisory reviews and on-site inspections — governance; inventory and risk classification; data quality; tests and ongoing monitoring; documentation; explainability; and independent review.

Switzerland has no AI-specific financial-market legislation; FINMA reads its existing technology-neutral, principle-based supervisory framework onto the use of AI, scaled to each institution and application. Modulos models the guidance as two paired templates: OFF-22 for institution-level governance and risk management, and MFF-22 for per-use-case execution.

Quick decision — is this framework for you?

  • You are a FINMA-supervised institution — bank, insurer, asset manager, or fintech — using or planning AI → this is your framework. Start with Governance, inventory, and data quality to stand up the foundation FINMA assesses first.
  • You already run ISO/IEC 42001, an EU AI Act, or a NIST AI RMF programme → treat FINMA AI Governance as a supervisory-readiness overlay. Thirty of its 34 mapped controls are ones you may already operate; only four are new. The operationalizing playbook is the fastest route in.
  • You need to classify applications before scaling effort → proportionality drives everything here. Classify first (ORF-444 / MRF-407), then scale testing, documentation, and review to materiality — see Testing, monitoring, documentation, and review.
  • You have no structured AI governance yet → OFF-22 / MFF-22 can be your first structured AI programme in Modulos, deliberately compact at 14 requirements.

Primary source

FINMA, FINMA Guidance 08/2024: Governance and risk management when using artificial intelligence, published 18 December 2024, Swiss Financial Market Supervisory Authority. Official PDF and FINMA Guidance overview. Always verify claims against the current published edition.

Key facts
Publisher
FINMA (Swiss Financial Market Supervisory Authority)
Published
18 December 2024
Type
Supervisory guidance — technology-neutral existing framework applied to AI
Scope
FINMA-supervised institutions (banks, insurers, asset managers, fintechs) using AI
Structure
7 assessment areas, 7 source pages
Modulos templates
OFF-22 (org) + MFF-22 (app) — 14 requirements, 4 exclusive + 30 shared controls

What the guidance is

FINMA published Guidance 08/2024 to state, in one place, what it observed about AI use across its supervised population and what it assessed in supervisory reviews and on-site inspections. It is not a new law and not a new rulebook. Switzerland has no AI-specific financial-market legislation, so FINMA applies its existing, technology-neutral supervisory framework — effective governance and effective risk management — to the use of AI. The Outlook section states the direction plainly: FINMA "strives for a technology-neutral, proportional and standardised approach across all sectors, taking into account significant differences between the sectors and international standards."

The proportionality principle carries through every area. As the guidance puts it: "FINMA expects supervised institutions that use AI to actively consider the impact of this use on their risk profile and to align their governance, risk management and control systems accordingly." Depth scales along two axes — the institution's size, complexity, structure and risk profile, and each application's materiality and the probability that its risks materialise. AI is not treated as high-risk per se; risk depends on complexity, adaptivity, autonomy, area of application, and process integration.

What counts as in scope

FINMA supervises banks, insurers, asset managers, and fintechs among others, and the guidance reaches AI use across all of them. There is no separate scoping questionnaire; the proportionality principle sets how much each institution and application attracts.

BoundaryIn scopeOut of scope
InstitutionFINMA-supervised financial institutions of any sector using AIEntities not supervised by FINMA
AI definitionA sufficiently broad definition, benchmarked to the OECD definition of an AI system, so that not only "larger or new" uses are capturedNothing is descoped by narrowing the AI definition — the guidance flags narrow definitions as a supervisory weakness
Depth of expectationScaled by proportionality — institution profile and per-application materiality and probability of riskA blanket, one-size-fits-all bar; AI is not high-risk per se

How the framework is structured in Modulos

Modulos splits the guidance into institution-level governance and risk management (OFF-22) and per-use-case execution (MFF-22).

TemplateProject typeHoldsRequirements
OFF-22 — FINMA AI Governance (org)OrganisationA proportionate AI governance framework, roles and accountabilities, documentation and competence standards, outsourcing and third-party oversight, a risk-classified AI inventory, data-quality standards, and an independent review function8 (ORF-439ORF-446)
MFF-22 — FINMA AI Governance (app)AI applicationPer-use-case risk classification, testing and ongoing monitoring, documentation of material applications, explainability, independent review of material applications, and third-party AI assurance6 (MRF-407MRF-412)

The 14 requirements cover the seven assessment areas. Three expectations are homed on both an org and an app requirement at the natural seam between setting policy and applying it — risk classification (ORF-444 / MRF-407), third-party AI (ORF-443 / MRF-412), and independent review (ORF-446 / MRF-411).

The seven assessment areas

Modulos groups the seven areas onto two topic pages.

Foundational areas — Governance, inventory, and data quality:

  • Governance (§2.1). Whether institutions with many or significant applications maintain an AI governance framework — a centrally managed risk-classified inventory, defined life-cycle responsibilities, model-testing and system-control requirements, documentation standards, and training, plus additional tests, controls, contract clauses, and supplier-competence assurance for outsourcing. Requirements: ORF-439, ORF-440, ORF-442, ORF-443, and the app-side third-party assurance MRF-412.
  • Inventory and risk classification (§2.2). Whether a sufficiently broad AI definition is used (OECD benchmark) and a complete, centrally managed inventory exists, with consistent institution-wide materiality and probability classification. Requirements: ORF-444 (org) and MRF-407 (per-application).
  • Data quality (§2.3). Whether internal rules define completeness, correctness, and integrity of AI data, and secured availability of and access to it. Requirement: ORF-445.

Evidentiary and operational areas — Testing, monitoring, documentation, and review:

  • Tests and ongoing monitoring (§2.4). Whether tests for data quality and functionality are scheduled, experts set expectations and indicators in advance, thresholds are defined, drift is monitored, and overridden or ignored outputs are analysed. Requirement: MRF-408.
  • Documentation (§2.5). Whether institution-wide documentation standards exist and, for material applications, documentation covers purpose, data, model, testing, and fallback. Requirements: ORF-441 (org standards) and MRF-409 (material applications).
  • Explainability (§2.6). Whether results can be understood, explained, and reproduced — with depth rising where decisions must be justified to investors, clients, employees, the supervisor, or the audit firm. Requirement: MRF-410.
  • Independent review (§2.7). Whether development and independent review are structurally separate and, for material applications, a qualified reviewer gives an objective, informed, unbiased opinion fed back into development. Requirements: ORF-446 (org function) and MRF-411 (material applications).

How FINMA AI Governance compares to other frameworks

Cross-framework mapping (preview)

Thirty of the 34 mapped controls are shared with frameworks institutions commonly run:

  • ISO/IEC 42001 — the AI management-system standard. FINMA's governance, inventory, and life-cycle expectations correspond to the management-system leadership and operational-control clauses; the third-party AI controls MCF-232/MCF-233 are Annex A.10.2/A.10.3-derived. See ISO 42001.
  • EU AI Act — product-safety-style obligations with a risk-classification spine that maps onto FINMA's materiality and probability classification. See EU AI Act.
  • NIST AI RMF — the govern/map/measure/manage functions align with FINMA's governance, inventory, testing, and monitoring areas. See NIST AI RMF.
  • MAS FEAT — the Monetary Authority of Singapore's fairness, ethics, accountability, and transparency principles for financial-sector AI; several of the shared controls are already used there. See MAS FEAT.

In Modulos this reuse is realised at the control layer: the same control objects behind OFF-22 / MFF-22 are reused by other framework templates, so evidence recorded once can serve multiple frameworks. This preview does not assert clause-by-clause equivalence to any instrument.

Full side-by-side: AI governance frameworks comparison.

How Modulos operationalizes FINMA AI Governance

The two templates run together: OFF-22 sets institution-level policy and posture once, and each MFF-22 project produces the per-use-case execution evidence that shows the policy is met for a given AI application.

Each requirement is evidenced through a readiness signal plus owner-attested fulfilment — not through reviews, which are reserved for control status changes. All FINMA-specific language is anchored in the requirement text; the reused shared controls carry no FINMA-specific wording.

→ Full rollout: Operationalizing FINMA AI Governance in Modulos — project structure, the requirement-to-area mapping, the control-library split, the proportionality-ordered rollout sequence, and the evidence model.

Getting started

Frequently asked questions about FINMA AI Governance

Is the guidance mandatory, and does it create new obligations?

The guidance creates no new obligations — Switzerland has no AI-specific financial-market law, so FINMA reads its existing effective-governance and risk-management expectations onto the use of AI. What it does is make those supervisory expectations explicit: FINMA published what it assessed whether institutions do. For a FINMA-supervised institution the practical bar is therefore higher than a purely voluntary framework, because the expectations trace back to existing obligations under Swiss financial-market law; in the Modulos catalogue the templates carry the Guidance label, which reflects the instrument type.

How does FINMA AI Governance relate to an ISO 42001 or EU AI Act programme already in place?

It reuses most of what those programmes already produce. Thirty of the 34 mapped controls are shared with ISO/IEC 42001, the EU AI Act, NIST AI RMF, or MAS FEAT, so an institution running one of those largely evidences FINMA AI Governance from artefacts it already holds; only the four FINMA-exclusive controls are new. Cross-framework reuse in Modulos happens at the control layer, not as any assertion of clause-level equivalence.

Source attribution

This page summarises FINMA Guidance 08/2024, Governance and risk management when using artificial intelligence, published 18 December 2024 by the Swiss Financial Market Supervisory Authority (official PDF). The guidance applies FINMA's existing technology-neutral supervisory framework; the operational-risk provisions of the Capital Adequacy Ordinance (Art. 89 CAO), which FINMA cites, provide the legal backdrop and are not themselves requirement sources. The guidance itself references no FINMA circular. Requirement and control codes (OFF-22, MFF-22, ORF-, MRF-, OCF-, MCF-) are Modulos template identifiers, not FINMA references.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. FINMA Guidance 08/2024 supplements — it does not replace — applicable Swiss law and FINMA requirements, and it creates no new obligations; the Guidance label on the Modulos templates reflects the instrument type. Institutions remain fully responsible for their own legal and regulatory compliance. Always verify against the current published edition and consult qualified advisers.