Banking Supervision Deep Dive
Interior of a Swiss bank, in which the fraud files move from the abandoned AML desk to the staffed organisational workstation; in the background, FINMA supervisory communication 02/2026.

FINMA 02/2026: Fraud Prevention Belongs in Art. 12 BankV, Not Art. 9 GwG

FINMA supervisory communication 02/2026 of 9 April 2026 locates digital fraud within operational risk management under Art. 12 BankV and FINMA-RS 2023/1 — not under the suspicious activity reporting obligation in Art. 9 GwG. Banks that arrive at the next audit cycle armed with MROS statistics are answering the wrong question.

Dr. iur. Servatius von Tatzenberg

FINMA supervisory communication 02/2026 of 9 April 2026 reframes the diagnosis. Phishing, authorised push payments, account takeover, CEO fraud: what banks have until now treated as a downstream money-laundering problem, the regulator now places squarely within operational risk management under Art. 12 BankV and the comprehensively revised FINMA-RS 2023/1 “Operational Risks and Resilience — Banks”. Banks that arrive at the next audit cycle armed with their suspicious activity report statistics under Art. 9 GwG are answering the wrong question.

The communication draws on a survey conducted in late 2025 among 19 banks across different supervisory categories. Eight of the institutions surveyed had no dedicated digital fraud policy — 42 per cent of the sample. Seven had no standardised incident response plan, three had no steering committee, and roughly one quarter had no process for anticipating new fraud typologies. These are distribution figures from a routine supervisory sample.

Art. 12 BankV requires banks to embed risk management and segregation of functions in internal regulations and to identify, limit, and monitor operational risks. When supervisory communication 02/2026 calls for “appropriate risk management” against digital fraud risks, it anchors that requirement in this provision — not in Art. 9 GwG, which only operates once a suspicion already exists. The communication applies expressly to banks and persons under Art. 1b BankG. Fintech licence holders and payment service providers in that licence category are therefore equally in scope. FINMA-RS 2023/1, in force since 1 January 2024, extended the catalogue of obligations to cover ICT risks, critical data, and operational resilience; the supervisory communication now expressly maps phishing, account takeover, and CEO fraud onto those vectors.

Until now, an institution could consider the answer “we filed a report” sufficient. Art. 9 para. 1 GwG requires the financial intermediary to notify the reporting office when there are reasonable grounds to suspect money laundering or a predicate offence. That obligation kicks in once the damage has already passed through the system. The supervisory communication now requires banks to intervene earlier — at the point of digital customer onboarding, at the pattern of an account takeover, at the manipulated identity document. The regulator is no longer asking “did you report it?” but “why did you not detect it?”

The survey provides the empirical basis. The rate at which internal fraud suspicions were converted into formal MROS reports varied across institutions by a factor of ten — from 12 to 78 per cent. Most institutions were working with fixed transaction thresholds between CHF 100,000 and CHF 200,000 for retail customers with a low or standard risk classification, rather than scenario-based monitoring. FINMA found that KYC information at the surveyed institutions was generally kept lean and decoupled from transaction monitoring. That dispersion documents arbitrariness, and arbitrariness does not satisfy Art. 12 BankV.

One specific finding sharpens the shift. FINMA describes cases in which a customer relationship was opened using valid identity documents by a legitimate person, only for account access to be transferred to third parties afterwards — without FINMA treating accounts opened online as inherently more fraud-prone than those opened in person. This pattern defeats the standard KYC filter, because the filter operates precisely at the moment of formally correct identification. Manipulated videos and AI-generated identity documents make retrospective forensics laborious and push the detection point forward in time. FINMA-RS 2023/1 had already addressed such vectors under “ICT risks”; the supervisory communication now makes them explicit as fraud risks that Art. 12 BankV also covers.

A Swiss bank examiner sits at a document table reviewing the printed FINMA supervisory communication 02/2026, beside it the open FINMA-RS 2023/1 and a folder labelled "Organisational Regulations Art. 12 BankV"; on a sticky note the handwritten line "digital fraud = OpRisk, not GwG".

FINMA also sets out the escalation path: temporary restrictions on services where fraud cases are clustering. This is not a new power — Art. 31 FINMAG has permitted the restoration of proper order since the authority was established. What is new is the hook: the communication expressly ties this tool to an organisational deficiency within the meaning of Art. 12 BankV. A bank running digital onboarding without an anti-fraud layer risks, depending on the findings, a temporary suspension of digital onboarding (cf. supervisory communication, section on measures).

Three steps can be operationalised within a week. First, review the risk inventory under Art. 12 BankV to determine whether digital fraud is tracked as a standalone category or subsumed under “operational risk — other”. Second, document the MROS conversion rate by channel and branch: significant dispersion indicates that the institution is operating without a consistent detection methodology. Third, stress-test the onboarding procedure against the scenario FINMA describes in its findings and embed a two-stage verification step following formal account opening in the internal regulations.

Art. 12 BankV and FINMA-RS 2023/1 provide the framework. Supervisory communication 02/2026 sets out how FINMA applies that framework to digital fraud risks: as a material operational risk that must be managed before losses occur. Whether this reading survives a concrete supervisory measure will become clear in the 2026 audit cycle — the first internal audits conducted after 9 April are the material against which FINMA will calibrate its expectations. Until then, the question is simple: does the organisational regulations document include the sentence “digital fraud is an operational risk under Art. 12 BankV”, or is it still missing?