Skip to content

Operationalizing FINMA AI Governance in Modulos

This is the rollout playbook for FINMA Guidance 08/2024 in Modulos. It assumes you are already oriented on the framework — the seven assessment areas, proportionality, and the structure (see the framework overview).

FINMA Guidance 08/2024 is a supervisory publication, not a new law. In the Modulos catalogue the templates carry the Guidance label, which reflects the instrument type. The guidance reads FINMA's existing effective-governance and risk-management framework onto AI and creates no new obligations; institutions remain fully responsible for their own legal and regulatory compliance.

Most rollouts use the following structure:

  • One organisation project with the OFF-22 framework template attached. This holds the institution-level governance and risk-management set once and reused across every AI use: the proportionate governance framework, roles and accountabilities, documentation and competence standards, outsourcing and third-party oversight, the risk-classified AI inventory and classification criteria, data-quality directives, and the independent-review function.
  • One AI-application project per in-scope AI use case with the MFF-22 framework template attached. Each application project holds the per-use-case execution evidence: the application's risk classification, testing and ongoing monitoring, documentation for material applications, explainability, independent review for material applications, and third-party assurance where the use case depends on external AI.

OFF-22 carries 8 requirements (ORF-439ORF-446); MFF-22 carries 6 requirements (MRF-407MRF-412) — 14 in total. The framework adds only 4 FINMA-exclusive controls and reuses 30 shared controls. The two templates operate together — the app-side risk classification, third-party assurance, and independent review each reference their org-side companion rather than restating it.

Primary source

FINMA, FINMA Guidance 08/2024: Governance and risk management when using artificial intelligence, 18 December 2024, Swiss Financial Market Supervisory Authority. Official PDF.

The 14 requirements mapped to assessment areas

Assessment areaOrg requirements (OFF-22)App requirements (MFF-22)
Governance (§2.1)ORF-439 (governance framework), ORF-440 (roles and accountabilities), ORF-442 (competence and training), ORF-443 (outsourcing and third-party AI, conditional)MRF-412 (third-party AI assurance, conditional)
Inventory and risk classification (§2.2)ORF-444 (inventory, scope, classification criteria)MRF-407 (per-use-case risk classification)
Data quality (§2.3)ORF-445 (data-quality directives)
Tests and ongoing monitoring (§2.4)MRF-408 (testing and ongoing monitoring)
Documentation (§2.5)ORF-441 (documentation standards)MRF-409 (documentation of material applications, conditional)
Explainability (§2.6)MRF-410 (explainability)
Independent review (§2.7)ORF-446 (independent-review function)MRF-411 (independent review of material applications, conditional)

Four requirements carry an explicit Applicability section: MRF-409 and MRF-411 apply to material applications only; ORF-443 and MRF-412 apply where the institution or use case depends on externally provided AI. In each case the scoping evidence is named in the requirement text — the risk-classification record for materiality, and the AI inventory and outsourcing reliance assessment for third-party dependency.

Where in Modulos (requirements, controls, evidence, comments)

SurfaceUse
Project dashboard Add FrameworkAttach OFF-22 to the organisation project; attach MFF-22 to each in-scope AI-use-case project
Project → Settings → FrameworksManage attached frameworks — list, freeze, and update
Project → RequirementsTrack the OFF-22 / MFF-22 requirements; status Not fulfilledFulfilled, with Out of scope for conditional duties that do not apply (for example MRF-411 for a non-material application)
Project → ControlsDocument implemented measures — the governance framework, inventory and classification methodology, data-quality directives, testing and monitoring, documentation, explainability artefacts, and independent-review records — and map them to requirements; control status changes are routed through review requests
Project → EvidenceStore supporting artefacts (the AI inventory and per-application classifications, data-quality directives, test plans and results, drift and override analyses, model documentation, explainability records, and independent-review reports) and link them to controls
Comments and logs on each requirementCapture the rationale for fulfilment attestation, conditional-scoping (material / non-material, internal / outsourced) decisions, and residual-risk acceptance

The control library: 4 exclusive, 30 reused

The framework was built reuse-first: FINMA's seven areas map almost entirely onto controls the platform already carries, and only four genuinely new controls were minted.

FINMA-exclusive controls. The four controls that carry the FINMA-specific expectations:

ControlNameScopeAnchored requirementWhy not reused
OCF-356AI risk classification methodologyOrganisationORF-444OCF-14 records inventory existence only; MCF-16 classifies a single application. Neither sets the org-wide methodology.
OCF-357Set data quality directives for AIOrganisationORF-445OCF-105 documents data; it does not set institution-wide directives.
OCF-358Independently review the AI model development processOrganisationORF-446OCF-140 is generic audit objectivity, not model-development-specific.
MCF-643Analyze overridden and ignored AI outputsProjectMRF-408The nearest control targets agentic-oversight metrics, not general manual-override analysis.

Reused shared controls. The 30 controls pulled from the platform's ISO 42001, EU AI Act, NIST AI RMF, and MAS FEAT estates, carrying no FINMA-specific text:

RequirementReused controls
ORF-439OCF-1, OCF-32
ORF-440OCF-154 (ISO 42001 Annex A.3.2-derived), OCF-93
ORF-441OCF-47
ORF-442OCF-44
ORF-443OCF-131 (ISO 27001/27701/42001 clause 8.1-derived)
ORF-444OCF-14
ORF-445OCF-105
ORF-446OCF-140
MRF-407MCF-16
MRF-408MCF-215, MCF-55, MCF-58, MCF-49, MCF-65, MCF-67
MRF-409MCF-53, MCF-24, MCF-30, MCF-38, MCF-39, MCF-142, MCF-28, MCF-16
MRF-410MCF-40, MCF-41
MRF-411MCF-237, MCF-61
MRF-412MCF-232, MCF-233 (ISO 42001 Annex A.10.2/A.10.3-derived)

This reuse is realised at the control layer, not as any assertion of clause-level equivalence.

Rollout sequence (proportionality first)

The order follows the framework's own logic: classify first, then scale everything else to materiality.

  1. Set the AI definition and inventory (org). Adopt a sufficiently broad AI definition (OECD benchmark), stand up the centrally managed inventory, and define institution-wide materiality and probability classification criteria (ORF-444, control OCF-356).
  2. Classify each application (app). Classify every in-scope application against those criteria, recording tier, rationale, and decision-makers (MRF-407). This record justifies the depth of every downstream duty.
  3. Establish org governance (org). Fulfil the governance framework, roles and accountabilities, competence and training, documentation standards, and data-quality directives (ORF-439, ORF-440, ORF-442, ORF-441, ORF-445).
  4. Stand up the review and outsourcing functions (org). Fulfil the independent-review function (ORF-446) and, where the institution obtains external AI, outsourcing and third-party AI governance (ORF-443).
  5. Run per-application execution (app), scaled to materiality. For each application, fulfil testing and ongoing monitoring (MRF-408) and explainability (MRF-410); for material applications, add documentation (MRF-409) and independent review (MRF-411) at the depth their classification warrants.
  6. Apply the conditional third-party duties where relevant. Where a use case depends on outsourced or externally provided AI, fulfil third-party assurance (MRF-412); mark it out of scope with rationale for fully in-house use cases.

Each step is fulfilled through controls plus evidence plus a readiness signal plus owner-attested fulfilment.

Evidencing requirements: readiness signal + owner-attested fulfilment

Requirements in Modulos use a two-step pattern, not a review:

  • when all linked controls reach a final state, the requirement becomes ready for review — a signal to the requirement owner;
  • the requirement owner attests fulfilment by marking the requirement Fulfilled, with rationale captured in the requirement's comments and logs.

Review requests in Modulos apply to control status changes (and other reviewable objects), not to the requirements themselves. A conditional requirement can be marked Out of scope with rationale — MRF-411 for a non-material application, or MRF-412 for a fully in-house use case, are the canonical examples.

A defensible FINMA AI Governance evidence package usually includes: the AI inventory and each application's classification with rationale; the governance framework, roles, and training records; the data-quality directives; test plans, results, and drift and override analyses; model documentation for material applications; explainability records scaled to the audience owed justification; and independent-review reports showing separation from development and feedback into it.

Common pitfalls

  • Skipping the classification step. Proportionality only works if applications are classified first. Without ORF-444 / MRF-407, there is no defensible basis for scaling testing, documentation, and review — and the material-application gates on MRF-409 and MRF-411 cannot be applied.
  • Over-scoping low-materiality use cases. Non-material applications do not need the full documentation and independent-review treatment; forcing it wastes effort and misreads proportionality. Mark the material-application requirements out of scope with rationale.

Source attribution

The authoritative source is FINMA Guidance 08/2024, Governance and risk management when using artificial intelligence, published 18 December 2024 by the Swiss Financial Market Supervisory Authority. This page describes how Modulos maps the guidance's seven assessment areas to platform surfaces through the OFF-22 and MFF-22 framework templates; the expectations themselves are in the FINMA publication. Requirement and control codes are Modulos template identifiers, not FINMA references.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. FINMA Guidance 08/2024 reads FINMA's existing technology-neutral supervisory framework onto AI and creates no new obligations; the Guidance label on the Modulos templates reflects the instrument type. Institutions remain fully responsible for their own legal and regulatory compliance. Verify against the current published edition and consult qualified advisers.