
FINMA Guidance 02/2026: The New Supervisory Baseline for Digital Fraud, and What Swiss Banks Must Do Now


FINMA surveyed 19 banks, found that 42 percent lack a dedicated digital-fraud policy, and published the results as a guidance that sets the audit benchmark for every supervised institution offering digital onboarding or online transactions.

What the Notice Contains, and What It Really Means

On 9 April 2026, the Swiss Financial Market Supervisory Authority (FINMA, the country’s integrated financial regulator) published Guidance 02/2026, titled “Digital fraud risks for banks and persons under Article 1b of the Banking Act.” The notice addresses banks and securities dealers licensed in Switzerland, a category that also captures online brokers such as Swissquote and Dukascopy, which Swiss law requires to hold a banking licence. The trigger: a survey of 19 banks across supervisory categories, conducted in late 2025.

The comfortable reading in many compliance departments will be: “No new rules, so no action required.” That reading is wrong, and dangerously so. FINMA has not introduced new formal provisions. It has, however, formalised supervisory expectations backed by hard findings. Any institution that dismisses this document as non-binding guidance in the next prudential review or supervisory dialogue will discover that the examiners disagree. The notice establishes a baseline. Baselines have a defining property: you cannot slip below them without consequences.

The asymmetry between perception (“guidance, not a circular, therefore soft”) and supervisory reality (“documented expectation against which auditors will test”) is the single most important thing decision-makers in Swiss banking need to grasp about this publication.

The Numbers: Findings from 19 Institutions

FINMA did not name the 19 banks surveyed and did not disclose the exact breakdown by supervisory category. The findings are sharp enough to serve as an industry mirror regardless.

Of the 19 institutions, 8 (42 percent) had no dedicated policy for digital fraud. Three institutions lacked any steering committee for digital fraud risks. Seven institutions, more than a third, had no standardised response plan for fraud incidents. Roughly a quarter conducted no systematic horizon scanning, meaning no formalised process to identify emerging fraud scenarios such as AI-driven deepfake attacks or novel social-engineering variants.

The most explosive figure concerns suspicious-activity reports filed with the Money Laundering Reporting Office Switzerland (MROS). SAR rates for online fraud, identity theft, and money mules varied between surveyed institutions by a factor of up to 10. The share of internally escalated cases that led to a formal MROS filing ranged from 12 percent to 78 percent. That spread cannot be explained by differences in business model. It signals that some institutions systematically under-report, either because detection mechanisms are inadequate or because escalation thresholds are set too high.

FINMA further noted that KYC information at the surveyed institutions was “generally rather limited” and that most did not feed this data into their transaction-monitoring systems. Monitoring thresholds for retail-client transactions at the majority of institutions sat at CHF 100,000 or CHF 200,000, levels the regulator flagged as problematic because fraud transactions typically fall far below those marks.

The Swiss Banking Ombudsman reported fraud as the single most frequent reason for enquiries in its 2024 annual report, a source FINMA itself cites. Globally, digital fraud as a named risk in the EY/IIF Global Bank Risk Management Survey jumped to 59 percent, up from 23 percent the previous year. The trend is not Swiss-specific, but the control gaps are.

Regulatory Framing: Not an Isolated Paper

Guidance 02/2026 sits within a supervisory line FINMA has built consistently since 2023. Understanding the cross-references matters for implementation.

FINMA Circular 2023/1 “Operational Risks and Resilience, Banks” has been in force since 1 January 2024. It requires comprehensive management of operational risks, including ICT and cyber risks, critical-data risks, and business-continuity management. Guidance 02/2026 extends that framework explicitly to digitally enabled fraud. Any institution that built its operational-risk framework under Circular 2023/1 without treating fraud risk as a distinct category now has a documented gap.

In June 2024, FINMA sharpened the cyber-risk focus through Supervisory Notices 03/2024 and 04/2024. Guidance 02/2026 continues that trajectory but shifts emphasis from attacks on institutions to fraud committed against and through customers. The regulator expects transaction monitoring, money-mule detection, and the handling of suspicious activity to sit within the same overarching framework as fraud prevention, not as fragmented tools spread across departments.

FINMA Circular 2016/7 on video and online identification is under revision; the consultation closed on 27 February 2026. The revision directly addresses secure digital onboarding, a core concern of Guidance 02/2026. The guidance describes the money-mule pattern in detail: individuals open accounts with valid documents, pass every due-diligence step cleanly, then hand account access to criminal third parties. The fraud occurs after onboarding, which standard KYC alone cannot catch.

From summer 2026, the Swiss government’s electronic identity (swiyu) will begin rollout, offering citizens a free state-issued e-ID via a dedicated wallet app. Banks redesigning onboarding processes now should factor e-ID integration in from the start rather than retrofitting later.

Anti-Money Laundering Act (GwG) and FINMA AML Ordinance (GwV-FINMA) obligations apply directly. FINMA states that institutions’ AML rules and processes “must be sufficiently effective to detect cases of digital fraud and money muling as quickly as possible.” The guidance does not invent new AML duties; it clarifies that existing duties already cover digital fraud, and that the regulator will test accordingly.

What Banks Must Do Now

The action fields below follow a sequence that mirrors how FINMA examiners will approach the topic: governance basics first, then detection capability, then forward-looking controls.

Immediate: establish governance foundations. Forty-two percent without a digital-fraud policy means almost every other bank cannot produce a board-approved document that governs its approach to digital fraud. Such a policy must define accountabilities, name risk categories, set escalation paths, and carry sign-off from the board of directors or executive management. Institutions still lacking a steering committee for digital fraud risks must create one, modelled on the cyber committees that Circular 2023/1 already implies as standard. The three institutions found without such a committee are exposed in any upcoming review.

Immediate: standardise fraud incident-response plans. Seven of 19 banks without a standardised fraud-response plan is a finding that will generate pointed questions from auditors. A fraud-response plan is not the same as a cyber-incident-response plan. It must specifically address: detection and confirmation of a fraud event, immediate blocking of affected accounts, evidence preservation for law enforcement, MROS filing, customer communication, and (where the fraud involves a significant cyber component) reporting to the Federal Office of Cyber Security (BACS) under the Information Security Act (ISG). Banks that already maintain a cyber playbook can build on it, but the fraud-specific steps must be added explicitly.

Short-term: integrate KYC data into transaction monitoring and lower thresholds. FINMA has made clear that retail monitoring thresholds of CHF 100,000 or CHF 200,000 are too high to catch typical fraud patterns. Enriching transaction monitoring with KYC data (declared income, expected activity, onboarding device and location) restores the context needed to surface suspicious activity well below those marks. This requires technical integration between CRM, onboarding, and transaction-monitoring platforms: not a trivial project, but one with an unambiguous supervisory mandate behind it.

Short-term: analyse MROS filing rates and recalibrate escalation processes. A conversion rate of 12 percent between internally flagged cases and formal MROS filings is difficult to justify as conservative risk management. Every institution should know its own rate, benchmark it against the 12-to-78-percent range FINMA disclosed, and review the thresholds at which front-line staff escalate to compliance. If internal filters are set too tightly, reportable cases never reach the function responsible for filing.

Medium-term: formalise horizon scanning and strengthen post-onboarding monitoring. FINMA expects institutions to identify emerging fraud scenarios systematically, particularly AI-enabled attacks, deepfake-based identity deception, and new social-engineering variants. That requires a defined process with named sources, clear ownership, and a regular reporting cadence. For the money-mule problem specifically, banks need behavioural analytics that detect suspicious account-access patterns after onboarding: location changes, device changes, atypical transaction patterns in the first weeks after account opening.
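To make the short-term and medium-term points above concrete, here is an added example (not code from FINMA or from the guidance) that puts a KYC-enriched rule set beside the static CHF 100,000 threshold and runs both over constructed transactions for a newly opened account. The record layouts, the 30-day post-onboarding window and the 3x-income multiple are assumptions chosen for illustration.

```python
from collections import namedtuple
from datetime import date

STATIC_RETAIL_THRESHOLD = 100_000  # CHF; the retail level FINMA flagged as too high
NEW_ACCOUNT_WINDOW_DAYS = 30       # assumed post-onboarding monitoring window
INCOME_MULTIPLE = 3                # assumed: flag a transfer above 3x declared monthly income

# Constructed record layouts; the field names are assumptions for this example.
KycProfile = namedtuple("KycProfile", "opened monthly_income_chf onboarding_device onboarding_country")
Txn = namedtuple("Txn", "txn_id when amount_chf device country")  # amount > 0 credit, < 0 debit

def static_threshold_alerts(txns):
    """Legacy rule: only amounts above the CHF 100,000 mark are flagged."""
    return [t.txn_id for t in txns if abs(t.amount_chf) > STATIC_RETAIL_THRESHOLD]

def kyc_enriched_alerts(profile, txns):
    """KYC-aware and post-onboarding rules; returns {txn_id: [reasons]}."""
    alerts, recent_credits = {}, 0.0
    for t in sorted(txns, key=lambda t: t.when):
        reasons = []
        # 1. Amount out of line with declared income, even when far below CHF 100k
        if abs(t.amount_chf) > INCOME_MULTIPLE * profile.monthly_income_chf:
            reasons.append(f"amount exceeds {INCOME_MULTIPLE}x declared income")
        if (t.when - profile.opened).days <= NEW_ACCOUNT_WINDOW_DAYS:
            # 2. Access pattern changed shortly after onboarding (mule hand-over signal)
            if t.device != profile.onboarding_device:
                reasons.append("device differs from onboarding device")
            if t.country != profile.onboarding_country:
                reasons.append("country differs from onboarding country")
            # 3. Pass-through: most of the funds credited since opening leave again
            if t.amount_chf > 0:
                recent_credits += t.amount_chf
            elif recent_credits > 0 and -t.amount_chf >= 0.9 * recent_credits:
                reasons.append("outflow forwards most of recently received funds")
        if reasons:
            alerts[t.txn_id] = reasons
    return alerts

# Constructed sample: account opened 1 March 2026, declared income CHF 5,000 a month.
PROFILE = KycProfile(date(2026, 3, 1), 5_000, "dev-A", "CH")
TXNS = [
    Txn("t1", date(2026, 3, 2), 1_200, "dev-A", "CH"),     # ordinary credit
    Txn("t2", date(2026, 3, 10), 18_000, "dev-B", "DE"),   # large credit, new device and country
    Txn("t3", date(2026, 3, 11), -17_500, "dev-B", "DE"),  # forwarded out the next day
    Txn("t4", date(2026, 5, 20), -800, "dev-A", "CH"),     # after the window, unremarkable
]
```

The static rule raises nothing on this sample, while the enriched rules flag the credit-and-forward pair on t2 and t3 for three independent reasons each.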

Pitfalls and Misconceptions

“We were not among the 19, so this does not apply to us.” Wrong. FINMA deliberately did not restrict its findings to the surveyed sample. The guidance addresses every bank and every person under Article 1b of the Banking Act. If you offer digital onboarding or online transactions, you are in scope, whether or not a survey invitation reached your inbox.

“No deadlines, so no urgency.” The guidance contains no explicit implementation deadlines. That does not mean time is available. It means FINMA expects banks to act of their own accord. The next supervisory cycle is already being planned. Institutions that cannot demonstrate measures by the time examiners arrive will not be able to cite the absence of a deadline as a defence.

“This is a compliance matter.” Guidance 02/2026 explicitly demands institution-wide controls rather than fragmented point solutions. If fraud detection sits in compliance, transaction monitoring in operations, and cyber-incident response in IT, the common framework the regulator expects is missing. The notice requires these strands to converge, organisationally and technically.

“Our existing AML infrastructure covers it.” The findings say otherwise. KYC data disconnected from transaction monitoring, retail thresholds set above typical fraud amounts, and SAR conversion rates as low as 12 percent demonstrate that legacy AML systems are not calibrated for digital fraud. AML and fraud prevention overlap, but they are not identical.

What Supervisors Now Expect

FINMA Guidance 02/2026 is neither a circular nor an enforcement instrument. It is something more operationally potent: a documented expectation, anchored in concrete numbers that show where the industry stands and where it should stand. FINMA states that in the event of a “clustering of fraud cases,” institutions must “immediately review the effectiveness of their existing measures and, if necessary, supplement them with additional measures.” That is not a recommendation. It is an expectation whose non-fulfilment will surface in supervisory dialogues, audit reports, and, in serious cases, formal measures.

Any institution that treats Guidance 02/2026 as compliance housekeeping misreads the dynamics. Any institution that reads it for what it is, a test baseline for the coming audit cycles, and acts accordingly, builds an advantage that will count the next time a FINMA examiner opens the conversation.
