On 9 April 2026, the Swiss Financial Market Supervisory Authority FINMA (FINMA) published Guidance 02/2026 on digital fraud risks for banks and “Fintech” institutions. The Guidance reports a continuous increase in digital fraud at banks since 2022, and addresses technological developments and the regulator's supervisory law expectations, particularly regarding money laundering and operational risks.
Legal ground
Given the current trend towards the use of artificial intelligence tools and the automation of account administration and payment processing, FINMA states that institutions must establish an appropriate framework to comply not only with the organisational requirements set out in the Banking Act and Banking Ordinance, but also with FINMA Circular 2023/1 on operational risks and resilience, which applies to banks, financial groups and conglomerates, Fintech institutions and securities firms.
Concept of digital fraud
Due to the many forms that digital fraud can take, FINMA is hard pressed to give an exhaustive and universally accepted definition and recommends a functional approach to the problem.
Digital fraud is generally defined by the exploitation of digital technologies, information systems, or electronic means of communication for deceptive purposes that may result in financial loss. FINMA lists several typical examples of this, including identity theft, identity fraud, schemes whereby malicious actors induce third parties to open online bank accounts for fraudulent purposes, and the theft of login credentials or the opening of accounts using forged identity documents.
Operational risk management
According to FINMA, many institutions have lacked clearly established governance structures to manage digital-fraud risks. While many institutions surveyed by FINMA have staff assigned to this task, the delineation of tasks and responsibilities is often not formalised, particularly in dedicated guidelines. Fraud-risk responses and processes are scattered, with little harmonisation between the various procedures and guidelines. Furthermore, only around half of the institutions surveyed regularly include digital fraud indicators in their reports to the executive committee.
The FINMA survey also revealed that most institutions have not defined response times for reporting digital fraud. Finally, fraud handling is generally not subject to a dedicated reporting channel, and staff training tends not to consider the specific roles of individual staff members or clients at particular risk. Regarding online accounts, FINMA states that additional security mechanisms are particularly important given the increased risks associated with opening such accounts. FINMA expects institutions to use technical means to identify deepfakes and manipulated videos.
In addition to governance, FINMA’s Guidance stresses the need for institutions to implement a proactive, rapid and systematic detection mechanism to anticipate and combat digital fraud. Delayed identification or response only increases the risk of further losses and hinders the effective blocking of money laundering operations.
Combating money laundering
The FINMA investigation highlighted the limited use of data derived from know-your-customer (KYC) procedures, which is used for specific plausibility checks rather than for transaction monitoring.
The thresholds for identifying high-risk transactions for private clients presenting a low or normal risk often range from CHF 100,000 to 200,000, reflecting the low sophistication of control and monitoring systems, which rely on fixed thresholds rather than analytical scenarios. The use of a rigid and high threshold, particularly for retail transactions, may facilitate digital fraud and the use of money mules, which frequently involve real-time phishing or online scams enabling fraudsters to route funds through third-party accounts, often by exploiting manipulated individuals.
Outlook
This Guidance and the expectations expressed by FINMA send a clear signal to banks, fintech firms and, by extension, securities firms. These entities should set about establishing an appropriate framework, both formally and technically, to combat digital fraud.
"Neobanks" and other institutions offering online accounts are of primary concern. Furthermore, all financial intermediaries, particularly those operating within the blockchain/crypto ecosystem, should consider the expectations and conclusions drawn, bearing in mind not only current rules, but also potential regulatory changes.