FINMA critical data risk management in 2026


What has changed, what it means, and who it affects

FINMA’s November 2025 Risk Monitor places operational resilience, data integrity and cyber exposure firmly among the supervisory priorities for the coming year. The emphasis is sharper than in previous editions. Data is no longer framed only as an operational dependency. It is treated as a source of concentration risk, reputational exposure and supervisory escalation. 

This shift does not create new principles. It tightens supervisory expectations around existing ones. 

What is new following the FINMA Risk Monitor 2025

The FINMA Risk Monitor 2025 report highlights three developments relevant to critical data risk management: 

  1. Increased concern around interconnected systems and outsourcing dependencies. FINMA signals that weaknesses in data governance can amplify broader operational shocks.

  2. Heightened attention to data integrity in automated and digital processes. Errors are no longer viewed solely as process failures. They are seen as governance failures if underlying data controls are weak.

  3. Stronger emphasis on board accountability for operational and ICT risks. Supervisory dialogue is moving upward. 

These themes align directly with FINMA Circular 2023/1 and are operationalised through the 2025 audit programme for Critical Data Risk Management. In 2026, institutions should expect supervisors and audit firms to apply these testing procedures more systematically. 

The change lies in supervisory intensity and in how evidence is evaluated. 

What this means for 2026

The audit programme defines detailed procedures around governance, inventory, access management, cross-border data exposure and incident handling. The direction for 2026 is clear. 

Supervision will focus on operational effectiveness supported by traceable documentation. Sample-based testing of inventories and controls is explicitly embedded in the audit framework. Institutions should assume that auditors will select data elements, privileged accounts and incident records for validation. 

Board oversight will also attract attention. Approval of risk tolerance and data strategy is expected to be documented and periodically reviewed. 

The practical implication is that institutions must demonstrate:

  • Clear ownership of critical data across its lifecycle 

  • Accurate and complete data inventories 

  • Controlled and reviewed privileged access 

  • Mitigation of risks where data is stored or accessed from abroad 

  • Tested incident identification and reporting processes

Distinguishing between institution types 

Supervisory intensity varies across categories, although expectations remain aligned in substance. 

Larger banks and systemically relevant institutions 

For larger banks, especially those in higher supervisory categories, expectations around formal governance and documentation are broader. Risk tolerance frameworks are expected to be integrated into enterprise risk management. Data inventories must reflect complex system landscapes and outsourcing chains. Cross-border access and concentration risks are likely to receive particular scrutiny. 

Sample-based testing may be more extensive, and internal audit reliance will be examined closely. 

Smaller banks 

Smaller banks remain subject to Circular 2023/1 and the same audit programme. Proportionality applies to implementation depth rather than to principle. 

For these institutions, supervisors are likely to focus on clarity and coherence. Inventories must be accurate. Access controls must be demonstrable. Board oversight must be visible. Simplicity is acceptable where it reflects the operating model. Informality is not. 

Weaknesses often arise where smaller banks rely heavily on external IT providers without maintaining sufficient internal understanding of data ownership and risk tolerance. 

Fund management companies and managers of collective assets 

Fund management companies and managers of collective assets are supervised under FinIA and CISA and assessed through a dedicated cyber risk audit programme. Circular 2023/1 does not formally apply to them, yet supervisory expectations regarding data governance and resilience are aligned in practice. 

For smaller fund managers, the key areas of scrutiny in 2026 are likely to include: 

  • ICT asset inventories and completeness testing 

  • Protection of sensitive portfolio and investor data 

  • Oversight of outsourced administrators and cloud providers 

  • Incident reporting and recovery testing 

Complexity is usually lower than in banks. Outsourcing concentration is often higher. Supervisors will examine how well management understands that trade-off. 

The supervisory direction 

The FINMA Risk Monitor 2025 signals a supervisory stance grounded in data integrity, resilience and governance accountability. The 2025 audit programmes define how this stance is translated into testing procedures. 

In 2026, the distinction will not lie in whether policies exist. It will lie in whether institutions can evidence that critical data risks are identified, owned and controlled in line with their size, structure and supervisory category. 

FINMA has set the framework. The coming year will test its application. 

Peter Philp

Senior Consultant, IT Governance and Operational Resilience, Penta

Peter Philp is a senior consultant with Penta IT Services, specialising in IT governance, service management, and operational resilience for regulated institutions. A former head of Penta’s service delivery operations, he brings over two decades of leadership experience connecting technology, governance, and human factors in the delivery of secure, compliant digital infrastructure. 
