Appearance
Operationalizing FINMA AI Governance in Modulos
This is the rollout playbook for FINMA Guidance 08/2024 in Modulos. It assumes you are already oriented on the framework — the seven assessment areas, proportionality, and the structure (see the framework overview).
FINMA Guidance 08/2024 is a supervisory publication, not a new law. In the Modulos catalogue the templates carry the Guidance label, which reflects the instrument type. The guidance reads FINMA's existing effective-governance and risk-management framework onto AI and creates no new obligations; institutions remain fully responsible for their own legal and regulatory compliance.
Recommended project structure
Most rollouts use the following structure:
- One organisation project with the
OFF-22framework template attached. This holds the institution-level governance and risk-management set once and reused across every AI use: the proportionate governance framework, roles and accountabilities, documentation and competence standards, outsourcing and third-party oversight, the risk-classified AI inventory and classification criteria, data-quality directives, and the independent-review function. - One AI-application project per in-scope AI use case with the
MFF-22framework template attached. Each application project holds the per-use-case execution evidence: the application's risk classification, testing and ongoing monitoring, documentation for material applications, explainability, independent review for material applications, and third-party assurance where the use case depends on external AI.
OFF-22 carries 8 requirements (ORF-439–ORF-446); MFF-22 carries 6 requirements (MRF-407–MRF-412) — 14 in total. The framework adds only 4 FINMA-exclusive controls and reuses 30 shared controls. The two templates operate together — the app-side risk classification, third-party assurance, and independent review each reference their org-side companion rather than restating it.
Primary source
FINMA, FINMA Guidance 08/2024: Governance and risk management when using artificial intelligence, 18 December 2024, Swiss Financial Market Supervisory Authority. Official PDF.
The 14 requirements mapped to assessment areas
| Assessment area | Org requirements (OFF-22) | App requirements (MFF-22) |
|---|---|---|
| Governance (§2.1) | ORF-439 (governance framework), ORF-440 (roles and accountabilities), ORF-442 (competence and training), ORF-443 (outsourcing and third-party AI, conditional) | MRF-412 (third-party AI assurance, conditional) |
| Inventory and risk classification (§2.2) | ORF-444 (inventory, scope, classification criteria) | MRF-407 (per-use-case risk classification) |
| Data quality (§2.3) | ORF-445 (data-quality directives) | — |
| Tests and ongoing monitoring (§2.4) | — | MRF-408 (testing and ongoing monitoring) |
| Documentation (§2.5) | ORF-441 (documentation standards) | MRF-409 (documentation of material applications, conditional) |
| Explainability (§2.6) | — | MRF-410 (explainability) |
| Independent review (§2.7) | ORF-446 (independent-review function) | MRF-411 (independent review of material applications, conditional) |
Four requirements carry an explicit Applicability section: MRF-409 and MRF-411 apply to material applications only; ORF-443 and MRF-412 apply where the institution or use case depends on externally provided AI. In each case the scoping evidence is named in the requirement text — the risk-classification record for materiality, and the AI inventory and outsourcing reliance assessment for third-party dependency.
Where in Modulos (requirements, controls, evidence, comments)
| Surface | Use |
|---|---|
Project dashboard Add Framework | Attach OFF-22 to the organisation project; attach MFF-22 to each in-scope AI-use-case project |
Project → Settings → Frameworks | Manage attached frameworks — list, freeze, and update |
Project → Requirements | Track the OFF-22 / MFF-22 requirements; status Not fulfilled → Fulfilled, with Out of scope for conditional duties that do not apply (for example MRF-411 for a non-material application) |
Project → Controls | Document implemented measures — the governance framework, inventory and classification methodology, data-quality directives, testing and monitoring, documentation, explainability artefacts, and independent-review records — and map them to requirements; control status changes are routed through review requests |
Project → Evidence | Store supporting artefacts (the AI inventory and per-application classifications, data-quality directives, test plans and results, drift and override analyses, model documentation, explainability records, and independent-review reports) and link them to controls |
| Comments and logs on each requirement | Capture the rationale for fulfilment attestation, conditional-scoping (material / non-material, internal / outsourced) decisions, and residual-risk acceptance |
The control library: 4 exclusive, 30 reused
The framework was built reuse-first: FINMA's seven areas map almost entirely onto controls the platform already carries, and only four genuinely new controls were minted.
FINMA-exclusive controls. The four controls that carry the FINMA-specific expectations:
| Control | Name | Scope | Anchored requirement | Why not reused |
|---|---|---|---|---|
OCF-356 | AI risk classification methodology | Organisation | ORF-444 | OCF-14 records inventory existence only; MCF-16 classifies a single application. Neither sets the org-wide methodology. |
OCF-357 | Set data quality directives for AI | Organisation | ORF-445 | OCF-105 documents data; it does not set institution-wide directives. |
OCF-358 | Independently review the AI model development process | Organisation | ORF-446 | OCF-140 is generic audit objectivity, not model-development-specific. |
MCF-643 | Analyze overridden and ignored AI outputs | Project | MRF-408 | The nearest control targets agentic-oversight metrics, not general manual-override analysis. |
Reused shared controls. The 30 controls pulled from the platform's ISO 42001, EU AI Act, NIST AI RMF, and MAS FEAT estates, carrying no FINMA-specific text:
| Requirement | Reused controls |
|---|---|
ORF-439 | OCF-1, OCF-32 |
ORF-440 | OCF-154 (ISO 42001 Annex A.3.2-derived), OCF-93 |
ORF-441 | OCF-47 |
ORF-442 | OCF-44 |
ORF-443 | OCF-131 (ISO 27001/27701/42001 clause 8.1-derived) |
ORF-444 | OCF-14 |
ORF-445 | OCF-105 |
ORF-446 | OCF-140 |
MRF-407 | MCF-16 |
MRF-408 | MCF-215, MCF-55, MCF-58, MCF-49, MCF-65, MCF-67 |
MRF-409 | MCF-53, MCF-24, MCF-30, MCF-38, MCF-39, MCF-142, MCF-28, MCF-16 |
MRF-410 | MCF-40, MCF-41 |
MRF-411 | MCF-237, MCF-61 |
MRF-412 | MCF-232, MCF-233 (ISO 42001 Annex A.10.2/A.10.3-derived) |
This reuse is realised at the control layer, not as any assertion of clause-level equivalence.
Framework mapping
Four layers, one reusable spine.
Frameworks
EU AI Act
ISO 42001
Requirements
Art. 9.1Risk management
Art. 10.2Data governance
6.1.1Risk assessment
Components
Risk identification
Impact analysis
Evidence
Risk register
Test results
Controls
The reusable spine
One control satisfies many requirements across many frameworks, and groups the components and evidence beneath them.
Risk assessment process
Data validation checks
Edge from any layer card crosses into the Controls spine — the same control may serve a regulatory article, a standards clause, a downstream component, and the evidence that closes it.
Rollout sequence (proportionality first)
The order follows the framework's own logic: classify first, then scale everything else to materiality.
- Set the AI definition and inventory (org). Adopt a sufficiently broad AI definition (OECD benchmark), stand up the centrally managed inventory, and define institution-wide materiality and probability classification criteria (
ORF-444, controlOCF-356). - Classify each application (app). Classify every in-scope application against those criteria, recording tier, rationale, and decision-makers (
MRF-407). This record justifies the depth of every downstream duty. - Establish org governance (org). Fulfil the governance framework, roles and accountabilities, competence and training, documentation standards, and data-quality directives (
ORF-439,ORF-440,ORF-442,ORF-441,ORF-445). - Stand up the review and outsourcing functions (org). Fulfil the independent-review function (
ORF-446) and, where the institution obtains external AI, outsourcing and third-party AI governance (ORF-443). - Run per-application execution (app), scaled to materiality. For each application, fulfil testing and ongoing monitoring (
MRF-408) and explainability (MRF-410); for material applications, add documentation (MRF-409) and independent review (MRF-411) at the depth their classification warrants. - Apply the conditional third-party duties where relevant. Where a use case depends on outsourced or externally provided AI, fulfil third-party assurance (
MRF-412); mark it out of scope with rationale for fully in-house use cases.
Each step is fulfilled through controls plus evidence plus a readiness signal plus owner-attested fulfilment.
Evidencing requirements: readiness signal + owner-attested fulfilment
Requirements in Modulos use a two-step pattern, not a review:
- when all linked controls reach a final state, the requirement becomes ready for review — a signal to the requirement owner;
- the requirement owner attests fulfilment by marking the requirement
Fulfilled, with rationale captured in the requirement's comments and logs.
Review requests in Modulos apply to control status changes (and other reviewable objects), not to the requirements themselves. A conditional requirement can be marked Out of scope with rationale — MRF-411 for a non-material application, or MRF-412 for a fully in-house use case, are the canonical examples.
A defensible FINMA AI Governance evidence package usually includes: the AI inventory and each application's classification with rationale; the governance framework, roles, and training records; the data-quality directives; test plans, results, and drift and override analyses; model documentation for material applications; explainability records scaled to the audience owed justification; and independent-review reports showing separation from development and feedback into it.
Common pitfalls
- Skipping the classification step. Proportionality only works if applications are classified first. Without
ORF-444/MRF-407, there is no defensible basis for scaling testing, documentation, and review — and the material-application gates onMRF-409andMRF-411cannot be applied. - Over-scoping low-materiality use cases. Non-material applications do not need the full documentation and independent-review treatment; forcing it wastes effort and misreads proportionality. Mark the material-application requirements out of scope with rationale.
Related pages
FINMA AI Governance overview
Framework structure, scope, proportionality, and the OFF-22 / MFF-22 split
Governance, inventory, and data quality
The three foundational areas — ORF-439/440/442/443/444/445, MRF-407/412
Testing, monitoring, documentation, and review
The four evidentiary and operational areas — ORF-441/446, MRF-408–411
Governance operating model
How projects, requirements, controls, and evidence fit together
Source attribution
The authoritative source is FINMA Guidance 08/2024, Governance and risk management when using artificial intelligence, published 18 December 2024 by the Swiss Financial Market Supervisory Authority. This page describes how Modulos maps the guidance's seven assessment areas to platform surfaces through the OFF-22 and MFF-22 framework templates; the expectations themselves are in the FINMA publication. Requirement and control codes are Modulos template identifiers, not FINMA references.
Disclaimer
This page is for general informational purposes and does not constitute legal advice. FINMA Guidance 08/2024 reads FINMA's existing technology-neutral supervisory framework onto AI and creates no new obligations; the Guidance label on the Modulos templates reflects the instrument type. Institutions remain fully responsible for their own legal and regulatory compliance. Verify against the current published edition and consult qualified advisers.