Bankenaufsicht Deep Dive
Drei aufgefächerte FINMA-Aufsichtsmitteilungen und ein Inspektionsklemmbrett auf einem dunklen Aufsichtspult in Bern

FINMA Annual Press Conference 2026: Those Who Read the Press Release Miss the Inspection Agenda

The FINMA annual press conference of 21 April 2026 consolidates supervisory notices 05/2025, 01/2026 and 02/2026 into a single inspection axis for the current supervisory year. What reads in the balance-sheet section as a backward look is in fact the playbook for the next on-site inspection.

Dr. iur. Servatius von Tatzenberg

On 21 April 2026, FINMA stepped up to the microphone for its annual press conference. In places, the 2025 annual report reads like a self-reassurance about resilience achieved. For the legal department of a supervised institution, it is something else entirely: the agenda for the next on-site inspection.

Three axes emerge from the document as immediate inspection items, not programmatic intentions: operational resilience under supervisory notice 05/2025, digital fraud under 02/2026, and crypto-based asset segregation under 01/2026. Anyone who files 21 April away as a communications date misses the point: each of these three supervisory notices hands examiners a reference date, a verifiable obligation, and an inspection path already rehearsed.

Operational Resilience: 1 January Is Not Done and Dusted

Supervisory notice 05/2025 of 10 November 2025 set 1 January 2026 as the implementation deadline for the resilience package under FINMA Circular 2023/1 “Operational Risks and Resilience – Banks”. Four building blocks: identify critical functions, set recovery time tolerances for disruptions, test effectiveness, and integrate third parties. FINMA treats these four requirements as binding under supervisory law; they are directly testable at the next on-site inspection.

FINMA measured the state of implementation before the deadline. Its survey, according to AM 05/2025, covered 267 banks, securities dealers, financial groups, and market infrastructures, with a reference date of 31 December 2024. The average number of identified critical functions stood at 3.5. In supervisory categories 1 to 3, 85% of institutions had not yet conducted any tests. Only 12 to 15% had a coherently integrated framework covering BCM, ICT, third-party management, and crisis organisation.

The 113 bank inspections conducted in 2025 — 42 of them at UBS alone — were not a random distribution. FINMA notes that service providers and outsourcing partners were themselves the target of nearly half of the cyberattacks reported in 2025 — with direct consequences for the supervised institutions — and responded with targeted on-site inspections at those third parties. Institutions that set up their outsourcing perimeter under Circular 2023/1 on paper but never tested it will be caught at the next inspection precisely where the 2025 Risk Monitor survey already identified gaps back in November 2025.

Supervisory notice 05/2025 does not say “expected”: it lists the findings that an inspection will record if implementation is missing — undocumented dependencies on the ICT provider, absent tabletop exercises under realistic stress durations, critical functions with no tolerance threshold expressed in hours. This chain of findings was applied systematically across the 42 UBS inspections in 2025; it is likely to reach the ongoing supervisory programme for categories 2 and 3 once the UBS inspection round concludes.

Eine Lupe schwebt über dem aufgeschlagenen Notizbuch eines FINMA-Inspektors mit drei handschriftlichen Befunden — kritische Funktionen unklar, Tabletop-Test fehlt, Drittparteivertrag ohne Reporting — daneben ein Laptop mit FINMA-Siegel

Fraud Is Operational Risk, Not an Anti-Money-Laundering Precursor

Supervisory notice 02/2026 of 9 April 2026 locates digital fraud operationally: Art. 12 BankV, not Art. 9 GwG — a shift we covered on 19 May here. Art. 9 GwG obliges institutions to report suspicion of money laundering — reactively, tied to customer transactions. Art. 12 BankV requires the institution actively to limit operational risks through adequate internal controls; digital fraud is treated there as a distinct risk type, not as a money-laundering predicate offence. Institutions that assess fraud indicators solely within their anti-money-laundering process have neither the required operational monitoring in place nor the prescribed reports to the audit committee.

Crypto Custody: The Key Counts, Not the Ledger Entry

Supervisory notice 01/2026 grounds the segregation of crypto-based assets in an operational finding: who holds the private key, who controls the wallet in practice. Its connection to the annual press conference lies not in the statistics but in the grant of authorisation to the first DLT trading infrastructure of the reporting year. FINMA’s signal is clear: even a new technical architecture leaves the old private-law anchor unchanged. Operationally, this means that a client claim cannot be segregated under Art. 37d BankG upon the opening of insolvency proceedings against the institution if the service provider controls the private key — even if the accounts show segregation. Sound practice requires a technical architecture that demonstrably keeps that power of disposal with the institution: multi-sig setups or custody agreements that amount to more than commercial SLAs.

Three Steps for the Coming Days

First: review your institution’s inventory of critical functions against Circular 2023/1, not against the BCM practices established in-house. FINMA’s survey makes clear that the two diverge. Second: review outsourcing agreements for verifiable reporting obligations on the part of the third party, with FINMA’s question in mind — what can you actually know about the state of your service provider? Third: extract the digital fraud dossier from the anti-money-laundering track and feed it in parallel into the operational risk report to the audit committee.

What Remains Open

What remains open is how the Bundesrat’s dispatch on the BankG revision of 22 April 2026 — which reshapes individual accountability for senior management — will interact with the operational resilience regime. FINMA speaks at the annual press conference of a strengthening of its powers; parliamentary deliberation will determine whether this produces an enforceable senior manager regime or an extension of the existing organisational supervision framework. The next parliamentary clarification point is likely to be the Council of States’ debate on whether to enter deliberations.

FINMA closed a total of 55 enforcement proceedings in 2025. In the large majority of those cases, the statutory conditions for public disclosure of outcomes under Art. 22 FINMAG were not met — the inspection agenda is active, but largely silent to the outside world. Institutions that actively document their own implementation status are better placed than those waiting for the next public signal.

Read the three reference dates — 1 January 2026 (Circular 2023/1), AM 02/2026 of 9 April, AM 01/2026 — as an inspection programme, and you are one step ahead of the examiner. File them away as communications events, and you are one step behind.