By Lynn Räbsamen, CFA | COO, Global Swiss Learning | Advisory Board Member, CFA Institute | Author, Artificial Stupelligence
The Pilot Looks Impressive. The Audit File Does Not.
The demo always goes well. The relationship manager types a question, the model produces a fluent paragraph about a structured product, the innovation committee nods, and a press release follows shortly afterwards. Somewhere in Bern, a FINMA supervisor pours another coffee.
By spring 2026, generative AI is no longer a curiosity in Swiss private banking. FINMA’s April 2025 survey found that around half of supervised institutions already use AI, and 91% of those institutions use generative AI such as chatbots. On average, respondents had five applications in production and nine in development. The direction is set. The question is whether what is being built will survive contact with a supervisory review.
In most cases, it will not.
The uncomfortable truth is that most pilots are designed to impress an innovation committee, not to satisfy an examiner.
What FINMA Actually Scrutinizes
The regulator has been unusually explicit. FINMA Guidance 08/2024, published on December 18, 2024, does not create new substantive law. It operationalizes existing governance, risk management, and outsourcing duties for AI-driven processes. There is no horizontal Swiss AI Act, and there will not be one soon. The regime is principle-based and technology-neutral. That is not laxity. It is leverage.
Read Guidance 08/2024 the way a supervisor reads it, and seven topics jump off the page: governance, inventory and risk classification, data quality, testing and ongoing monitoring, documentation, explainability, and independent review. Each of these has been a source of supervisory findings during on-site reviews. None of them are technical curiosities. All of them are where pilots tend to be weakest.
Governance: Who Actually Owns the Model?
FINMA has observed that AI development inside supervised institutions is often decentralized, making it hard to assign clear responsibilities or apply consistent standards. With externally purchased tools, banks often cannot say with confidence whether AI is even included, what data is used, or whether due diligence is sufficient.
The translation: a Microsoft Copilot deployment scattered across three business units, two procurement contracts, and one enthusiastic head of digital is not governance. It is an org chart with a chatbot bolted on. FINMA has made clear that responsibility for decisions cannot be delegated to AI or third parties. Someone has to own the model. By name. With a signature.
“A Microsoft Copilot deployment scattered across three business units and two procurement contracts is not governance. It’s an org chart with a chatbot bolted on.”
Inventory: The Trap of Narrow Definitions
Some institutions have defined AI narrowly in order to focus on supposedly larger or newer risks. This is the regulatory equivalent of losing weight before the doctor’s appointment. FINMA expects a sufficiently broad definition, since traditional applications can present the same risks and must be addressed in the same way.
Your inventory should include the RM-assistance plug-in nobody flagged because it lives inside an existing CRM. Especially that one.
Data Quality and Explainability: The Heart of the Matter
FINMA has observed that results often cannot be understood, explained, or reproduced — and therefore cannot be critically assessed. Where decisions need to be justified to investors, clients, employees, the supervisory authority, or the audit firm, FINMA assesses explainability in detail.
This is the clause that should haunt every head of wealth management currently piloting an LLM-assisted advisory tool. A private banking relationship is built on suitability and traceability. If a model recommends a structured note to a Swiss-resident retail client, the bank must be able to reconstruct, with documentation, why that recommendation was made, on what data, under which assumptions, and within which limitations.
“Most generative AI pilots cannot explain their recommendations. Not because the technology cannot — but because the project never asked.”
Outsourcing: The Cloud Problem the Board Forgot About
Almost every meaningful generative AI deployment in Swiss private banking is, in regulatory terms, an outsourcing arrangement. FINMA has flagged that smaller institutions often rely exclusively on externally developed applications, and outsourcing risk features prominently in the 2024 Risk Monitor.
The relevant text remains FINMA Circular 2018/3, which sets out supervisory requirements covering monitoring, due diligence, audit rights, security, business continuity, sub-outsourcing, cross-border arrangements, and the right to issue instructions. Add Circular 2023/1 on operational risks and resilience, layer in the revised FADP, and the picture becomes clear. A frontier-model API call sending client-identifying data to a server in Virginia is not a procurement decision. It is a regulatory event.
The 2026 Problem Nobody Is Pricing In
From January 1, 2026, every supervised institution — regardless of size or category — must demonstrate the ability to withstand and recover from disruptions to critical functions. FINMA’s review of 267 institutions found significant gaps in how critical functions, disruption tolerances, and resilience frameworks are defined and integrated.
If a generative AI tool becomes embedded in client-facing workflows, the question becomes uncomfortable: is it a critical function? And if it is, what is the disruption tolerance, the recovery point, the fallback mechanism the moment the API returns a 503 error?
What FINMA-Ready Actually Looks Like
Practitioners do not need a ninety-page framework. They need a short checklist that survives a Friday afternoon supervisory meeting.
First, narrow the use case before broadening it. Pilots that promise to “transform the client experience” fail. Pilots that draft suitability rationales, summarize research, or pre-fill account opening documentation succeed. Materiality is everything.
Second, build the inventory before the use case. Every AI-touched workflow, including the ones embedded in vendor tools, belongs in a central register with a risk classification. FINMA expects institutions to systematically identify, assess, and manage these risks — not to discover them during the review.
Third, document as if the file will leave the building. Purpose, data sources, model selection, performance measures, assumptions, limitations, testing, fallback. FINMA assesses whether supervised institutions address all of these for material applications. If the file would embarrass the institution in front of the audit firm, it is not ready.
Fourth, separate the builder from the reviewer. Independent review of the model development process is still rare, and FINMA has noticed. The same team cannot ship and audit.
Fifth, treat the cloud contract as a regulatory artifact. Audit rights, sub-processor lists, jurisdictional clauses, exit terms. The contract is the control.
A Closing Observation
The institutions that will absorb the next supervisory cycle without drama are not the ones with the most ambitious AI strategies. They are the ones whose pilots were boring enough to document, narrow enough to govern, and modest enough to explain. In private banking, as in compliance, the right kind of dullness is a competitive advantage.
The innovation committee will get over it.
For more insights about what AI can or cannot do, check out my book “Artificial Stupelligence: The Hilarious Truth About AI”.