CMS Expert Guide To Mandatory Reporting Of Criminal Offences For Companies And Their Responsible Persons in Switzerland

In Switzerland, there is no general legal obligation for companies to report criminal offences. Also, Swiss law does not contain a catalogue of offences requiring mandatory reporting when committed within or against a company.

For financial intermediaries, there is an obligation to report suspicious activities under the Anti-Money Laundering Act (AMLA). In this respect, specific suspected offences must be reported. Other reporting obligations have a strong connection to criminally relevant conduct, but the fact that a criminal offence might have occured is not in principle the direct reason for the obligation to report.

In light of the above, the following provides a brief overview of the reporting obligations applicable to companies, their executives or their employees that may arise in connection with criminal offences:

Obligation of financial intermediaries to report suspected money laundering:

Financial intermediaries (such as banks, portfolio managers, trustees, fund management companies, insurance institutions, etc.) as well as dealers (natural persons and legal entities that deal in goods commercially and in doing so accept cash) must file a report with the Money Laundering Reporting Office Switzerland (MROS) if they know or have reasonable grounds to suspect that, among others, assets involved in the business relationship respectively cash payments in the course of a commercial transaction (a) are connected to participation or supporting of a criminal or terrorist organisation or money laundering; (b) are the proceeds of a felony or an aggravated tax misdemeanour; (c) are subject to the power of disposal of a criminal or terrorist organisation; (d) or serve the financing of terrorism (art. 9 AMLA).

Obligation to report cyber-attacks:

Since April 2025, various entities being part of the critical infrastructure, for instance companies active in the areas of energy supply, energy trading, energy measurement and energy control, companies that are subject to banking, insurance or financial market infrastructure regulations, or companies that supply the population with essential everyday goods and whose failure or impairment would lead to significant supply bottlenecks, must report cyber-attacks to the Cyber Security Centre (NCSC) within 24 hours of their discovery (art. 74a-e Information Security Act [ISA]). Accordingly, a cyber-attack must be reported to the NCSC if it (a) jeopardises the functionality of the critical infrastructure affected, (b) has let to a manipulation or outflow of information, (c) remained undetected for a prolonged period of time, in particular if there are indications that it was carried out in preparation for further cyber-attacks, or (d) is associated with blackmail, threats or coercion (art. 74d ISA).

Companies active in the financial sector that are not considered critical infrastructures under the ISA may also be required to report cyber-attacks to the Financial Market Supervisory Authority (FINMA) (art. 29 para. 2 Financial Market Supervision Act [FINMASA]).

Obligation to report personal data security breaches:

Companies must notify the Federal Data Protection and Information Commissioner (FDPIC) of any breach of data security that is likely to lead to a high risk to the data subject's personality or fundamental rights as quickly as possible (art. 24 Data Protection Act [DPA]). The company shall also inform the data subject if this is required for their protection or if the FDPIC so requests.

Obligation to report to the Financial Market Supervisory Authority:

Persons and entities supervised by FINMA and audit companies conducting audits of them must immediately report to FINMA any incident that is of substantial importance to the supervision. The duty to report may concern, inter alia, criminal proceedings against the supervised entity or members of its board of directors or of its executive management but also holders of qualified participations (art. 29 para. 2 FINMASA).

Obligation to report on non-financial matters:

Larger companies (cf. art. 964a Swiss Code of Obligation [CO]) must report on certain non-financial matters each year, including the main risks related to combatting corruption and how the company is dealing with these risks (art. 964a, 964b, and 964l CO).

A distinction must be made between an internal reporting obligation and the obligation to report to the competent external authority.

Internally, a company's employees must report criminal offences committed within or against the company to the company's competent internal authority in accordance with their duty of loyalty under employment law (art. 321a para. 1 CO). However, employees are not required to make a report if doing so would expose them to the risk of criminal prosecution or civil liability. In addition, the external auditor of the company must report to the board of directors, infringements of the law (art. 728c para. 1 CO). In the event of significant violations of the law, or if the board of directors fails to act despite being notified in accordance with art. 728c para. 1 CO, it must inform the general meeting of the company (art. 728c para. 2 CO).

Externally, the responsibility to report to the authorities according to the reporting obligations mentioned above in question number 1 mostly depends on the internal organisation of the company. While, in principle, the board of directors represents the company externally, the authority to act on behalf of the company is often delegated to one or more of its members, to managing directors or other employees of the company.

From a regulatory perspective, when the relevant company is subject to the supervision of FINMA or in case of reporting under the AMLA, the responsibility to report, even if delegated to third parties, must be assumed vis-à-vis of the authorities by the delegating company and its directors or managers.

The report must be submitted to the competent authority mentioned above in question number 1. There may be overlaps between the reporting obligations, in particular to FINMA, NCSC, and FDPIC. In this case, separate reports must be submitted to the relevant authorities.

The risks are not addressed by a general criminal statute, but by specific provisions within individual laws. This section is an outline of some of the key risks commonly encountered in practice.

Any board member, managing director or employee of a financial intermediary who fails to comply with the obligation to report suspected cases of money laundering in terms of art. 9 AMLA shall be liable to a fine not exceeding CHF 500,000 (art. 37 para. 1 AMLA). Negligent violations are punishable by a fine of up to CHF 150,000 (art. 37 para. 2 AMLA).

As of 1 October 2025, any board member, managing director or employee of an entity subject to the duty to report cyber-attacks under ISA who fails to comply with the reporting obligation, may face fines of up to CHF 100,000 after two deadlines set by NCSC have passed without result. If a fine not exceeding CHF 20,000 is envisaged, the law enforcement authority may refrain from prosecuting these persons and instead impose the fine directly on the company (Art. 74g-74h ISA).

Failure to immediately report a materially important incident to financial market supervision, as required by Art. 29 para. 2 FINMASA, does not lead to criminal liability. However, in serious cases, such failure may give rise to regulatory measures against the supervised entity and/or directors and/or the persons in charge of the management pursuant to art. 31 et seq. FINMASA (enforcement proceeding).

Failure to report a personal data security breach to the FDPIC according to art. 24 DPA does not lead to criminal liability. Yet, the FDPIC may initiate a formal investigation under Art. 49 et seq. DPA, in which it may utilise various procedural and criminal enforcement tools (Art. 50 para. 1 lit. a, and para. 3, and Art. 60 para. 2 DPA). Subsequently, failure to comply with an administrative measure of the FDPIC may result in a fine of up to CHF 250,000 for the employees of the company who are responsible for enforcing it (art. 63 DPA).

Art. 325^ter of the Swiss Criminal Code (SCC) imposes fines for intentionally or negligently making false statements or omitting information in non-financial reports required by art. 964a, 964b, and 964l CO or for failing to comply with the statutory obligation to retain and document the reports. Intentional violations are punishable by fines of up to CHF 100,000, while negligence can result in fines of up to CHF 50,000. The board of directors is responsible for these reports, making its members primarily liable under this article. If no report is filed, only this body is considered the perpetrator. However, if a report contains inaccuracies, individuals tasked with its preparation may also be held liable.  

Reporting obligations can conflict with the principle against self-incrimination. Of the above-mentioned reporting duties, only the DPA expressly addresses this conflict. Accordingly, a report made pursuant to art. 24 DPA may be used in criminal proceedings against the reporting person only with their consent.

A criminal investigation may be initiated if there is reasonable suspicion that a criminal offence has been committed. In this case, the company may be affected by investigative measures taken by law enforcement authorities, such as the obligation to produce documents, house searches, or the interrogation of employees, regardless of whether it is itself accused.

Reporting criminal offences or fulfilling the above-mentioned reporting obligations may also result in regulatory proceedings against the company, particularly in the area of financial market supervision. Thus, if a report concerning an incident that is of substantial importance to the supervision (art. 29 para. 2 FINMASA) provides evidence of violations of regulatory law, FINMA may initiate proceedings to ensure the restoration of compliance with the law (art. 31 para. 1 FINMASA). Such proceedings can be very time- and resource-intensive for the supervised company and may also pose significant reputational risks. Furthermore, during or after a regulatory investigation FINMA may file a report with the competent law enforcement authorities if it becomes aware of criminal acts or violations of financial market laws (art. 38 para. 3 FINMASA).

Moreover, Art. 305ter para. 2 SCC explicitly provides that financial intermediaries are entitled to report to the MROS any observations that indicate that assets originate from a felony or an aggravated tax misdemeanour. This also means that they are liable to prosecution for violation of banking secrecy pursuant to art. 47 Banking Act (to the extent they are bound by it) if they report facts that do not indicate such origination. However, the risk of criminal liability is not substantial, because the threshold for holding that there are relevant clues of such origination is low.

A company can be held criminally liable if its inadequate organisation prevents a felony or misdemeanour from being attributed to a specific natural person (art. 102 para. 1 SCC). In such cases, the company is not accused of committing the offence or failing to prevent it, but of inadequate organisation, which resulted in the offence not being traceable to any specific natural person.

Art. 102 para. 2 SCC establishes a direct liability of companies for those cases in which they failed to take appropriate measures which could have avoided the commission of the following crimes: organised crime (art. 260ter SCC), financing of terrorism (art. 260quinquies SCC), money laundering (art. 305bis SCC), active bribery of Swiss public officials (art. 322ter SCC), granting of an unfair advantage to Swiss public officials (art. 322quinquies SCC), active bribery of foreign public officials (art. 322septies para. 1 SCC) and active bribery in the private sector (art. 322octies SCC). This type of liability is cumulative with the liability of the natural person that committed the crime.

In case of criminal liability according to art. 102 SCC the company may face a fine of up to CHF 5 million.

Under certain conditions, it is possible for the competent prosecution authority to impose a fine exclusively on the company if it is subject to supervision by FINMA (art. 49 FINMASA). However, this option is not available if the planned fine exceeds CHF 50,000. Board members, managing directors and senior executives can be held criminally liable for offences committed within the company's operations if they are aware of the offences but fail to act (art. 11 SCC). The sentence is generally based on the main offence, but the court may reduce the sentence due to the offence being committed by omission (art. 11 para. 3 and 4 SCC).

A similar provision exists in administrative criminal law, which applies in particular to cases of non-compliance with the reporting obligation for suspected money laundering (art. 37 AMLA). Accordingly, board members, managing directors and senior executives who intentionally or negligently fail to prevent an offence committed by a subordinate employee, or to nullify its effects, can be held criminally liable (art. 6 para. 2 of the Administrative Criminal Law Act).

Finally, any individual who assists another to evade prosecution or the execution of a sentence is liable to a custodial sentence not exceeding three years or to a monetary penalty (Art. 305 para. 1 SCC).