New Federal Act on Data Protection (nFADP) – What changes for financial intermediaries?
From 1 September 2023, banks and other financial intermediaries will have to comply with the requirements of the new FADP and its ordinances. What is the specific impact on financial institutions, and how can compliance be coordinated with the legal requirements that already apply to the financial sector?
The new Federal Act on Data Protection (nFADP) strengthens the rules governing the processing of personal data and grants new rights to Swiss citizens. This important legislative change is accompanied by a number of new obligations for businesses and a tightening of existing requirements.
The completely revised Data Protection Act and the implementing provisions of the new Data Protection Ordinance (DPO) and Data Protection Certification Ordinance (DPCO) will enter into force on 1 September 2023.
What is the impact on the financial sector?
Since the first Federal Act on Data Protection in 1992, fundamental societal changes in terms of digitalization and personal data management have occurred with the daily use of the Internet, smartphones, social networks and the Cloud.
Banks and the financial sector have widely adopted these new technologies in their service offerings, with personalization and accessibility as an essential added value. Moreover, along with banking secrecy, data protection has been part of the industry's DNA for many years. Therefore, this sector has a unique position: on the one hand, it has a clear lead over other companies in terms of data protection; on the other hand, it also has to cope with higher expectations from the public and regulators.
Some institutions have already anticipated many of the new requirements of the nFADP by voluntarily implementing a compliance system aligned with the European General Data Protection Regulation (GDPR). Other institutions, by contrast, have chosen to wait for the Swiss requirements. In both cases, however, it is from 1 September 2023 that the robustness of internal control systems will be truly tested in practice.
What are the main changes for the financial sector?
The new data protection law introduces several major changes. The following will particularly impact companies in the financial sector:
- Introduction of the principles of "Privacy by Design" and "Privacy by Default". The principle of "Privacy by Design" implies integrating data protection and the protection of users' privacy into the very design of the financial product or service that collects personal data. The principle of "Privacy by Default" requires that the measures necessary to protect data and limit their use be activated by default, without user intervention, as soon as the product or service is made available. Particular attention should be paid to these requirements when proposing new financial services, especially if they are based on digital solutions.
- Impact analyses must be carried out where there is a high risk to the personality or the fundamental rights of the persons concerned. The question will arise in particular when implementing a new service or an organizational change that significantly affects the processing of customer data, especially in the event of an IT migration to a cloud.
- Keeping a record of processing activities is required as a matter of principle and will in practice often be unavoidable for banks, as well as for many companies in the financial sector. Indeed, only SMEs whose data processing presents a limited risk of infringement of personality are exempt. In addition, establishing the record of processing activities is generally a necessary step in any project to implement the nFADP, since it makes it possible to clearly define the scope of the processes that generate personal data and to analyze them in an orderly manner. Finally, this approach should ideally be coordinated with the data governance systems foreseen by the new FINMA Circular on Operational Risks and Resilience.
- Setting up processes for rapid notification of the Federal Data Protection and Information Commissioner (FDPIC) in the event of a data breach is a requirement. For banks, these notifications will naturally have to be coordinated with those to be made to FINMA.
- The notion of profiling, i.e. the automated processing of personal data, is now defined in the law. Financial sector institutions could be affected because of their use of sophisticated automated processes, in particular in the context of monitoring client transactions with regard to their AMLA profile.
How can Deloitte help?
Deloitte has a team of lawyers and legal experts in data protection matters. Through its consulting and auditing practice in the financial sector, Deloitte has a thorough knowledge of the business and regulatory context in which banks and financial intermediaries operate. This enables us to address the requirements of the new Federal Act on Data Protection (nFADP) in coordination with the regulatory context, while integrating proven industry solutions. Deloitte is also a global leader in the digitalization and integration of Cloud solutions, which have an increasingly decisive impact on the management of personal data. We offer the following approaches, which can naturally be customized:
- Healthcheck nFADP – Together, we review your plan and the progress of the measures taken to implement the nFADP. Deloitte identifies possible gaps and offers practical measures to be ready for 1 September 2023.
- nFADP Support Package – We offer you comprehensive support to implement nFADP in your institution, with an action plan, guidelines, and model documents to speed up the process.
- Swiss finish nFADP – For institutions that have already implemented the European GDPR, we offer a limited review and a pragmatic adaptation of certain key points.
- nFADP Consulting and Regulatory – Our data protection experts are of course also available to review documents or resolve specific issues from the point of view of the nFADP and ensure their consistency with the banking and financial regulatory framework.