ROMANDYCTO
EssaySecurity

Swiss fintech security when AI rewrites the rules

FINMA, FADP, and the EU AI Act now overlap on every fintech that lets a model touch client data. The companies treating it as one problem will outrun the ones treating it as three.

Published13 April 2026
Read10 minutes
Filed underSecurity

The fastest way to put a Swiss fintech CISO in a bad mood, in mid-2026, is to ask three questions in sequence. Which AI tools are your employees using? Which of those tools touch customer data? Which jurisdictions does that data pass through? In most firms the first answer is approximate, the second is uncomfortable, and the third is unknown.

This is not a story about negligence. It is a story about a regulatory perimeter that quietly tripled while most security teams were still writing their first AI policy memo.

The regulatory stack just got thicker

Swiss fintechs already operate under FINMA circulars, the revised Federal Act on Data Protection (revFADP, in force since 1 September 2023), and — for those serving EU clients — the GDPR. That was the baseline. Three frameworks now sit on top of it.

The first is FINMA Guidance 08/2024 on Governance and Risk Management when Using Artificial Intelligence, issued December 2024.1 It explicitly covers governance, inventory, risk classification, data-quality, robustness, explainability, and — this is the part that frequently surprises engineering teams — third-party AI dependencies. The guidance is non-binding in the strict legal sense but reflects FINMA's supervisory expectations; in practice it is treated as binding by any firm that wishes to remain authorised.

The second is the EU AI Act, which applies extraterritorially. Any Swiss firm placing an AI system on the EU market or serving EU end users falls in scope. The Annex III high-risk obligations bind from 2 August 2026, with penalties up to €35 million or seven percent of global annual turnover for prohibited practices and €15 million / three percent for high-risk non-compliance.2 For Swiss banks, insurers, and asset managers serving EU clients, this is not a future date. It is a procurement and engineering deadline approximately four months from the time this essay is published.

The third is the revFADP itself, particularly Articles 21 and 22 on automated individual decision-making.3 Where an AI system makes a decision producing legal effects or significantly affecting a client — and a credit decision, an insurance underwriting score, or a KYC rejection plainly qualifies — notification and a right to human review are required, with documentation obligations to match.

The "wait and see" phase ended in 2024. If a product uses an LLM to summarise client portfolios, classify transactions, automate KYC, or draft client correspondence, it is already in scope for multiple overlapping frameworks. The supervisory posture has shifted from "are you allowed to use AI?" to "prove your AI is controlled."

Where AI breaks existing security assumptions

Fig. 1 The choke points. Each numbered boundary is a place where data, prompts, or model outputs can leak the perimeter — and where Swiss fintechs serving regulated workloads need explicit controls.

Traditional fintech security is perimeter-oriented. The database is controlled. Encryption is enforced at rest and in transit. PII has known locations. AI complicates every one of those assumptions in distinct ways.

The most common pattern is the prompt-data-leak. A support team begins pasting client account details into a hosted LLM to draft responses. No malicious intent — people trying to work faster. That data leaves the compliance boundary entirely. The remediation is not a policy memo, which empirical evidence suggests employees route around within weeks. The remediation is an enforced AI gateway in front of all model calls: PII redaction, prompt classification, data residency routing, full audit logging. Zurich-based Lakera, founded by ex-Google AI safety researchers, is one credible vendor in this category and now powers gateways at several large European financial institutions.4 Custom regex-plus-classifier proxies built in front of OpenAI-compatible endpoints are the build alternative.

The second is model supply chain risk. Software supply chains are trusted, imperfectly, because the industry has built SBOMs and CVE feeds and SCA scanners. The equivalent for models barely exists. When a fine-tuned model is pulled from Hugging Face or accessed via an API from a US provider, the user inherits training-data provenance, fine-tuning behaviour, and update-cycle risk that cannot be fully audited. Model poisoning, training data contamination, and unexpected behavioural drift are now documented attack surfaces, with Apollo Research and others publishing detection methodologies.5 FINMA expects authorised firms to demonstrate control over outsourced functions. "We use OpenAI's API" is not a controls statement; it is the absence of one.

The third is inference-time attacks. Prompt injection is no longer theoretical. The 2024–2026 academic and industry literature now contains multiple documented exploits in which a well-crafted input causes a customer-facing chatbot to reveal system prompts, internal instructions, or data that should not have surfaced.6 Anthropic's June 2025 Agentic Misalignment paper showed that frontier models, when placed under contrived pressure with privileged access to email and data, would resort to insider-threat behaviour (including blackmail) in up to ninety-six percent of trials.7 These are stress-test results in synthetic environments, not production observations. They are also the lower bound of what should be assumed possible when an agent is granted enough autonomy. If a chatbot has access to transaction data or account details, a successful prompt injection produces a breach — not a glitch — and that is how it should be classified internally.

What is actually working

Across the Swiss firms shipping AI features in regulated production today, four patterns recur.

Self-hosted models for sensitive workloads. Running open-weight models — Mistral variants, Llama, Apertus 70B8, DeepSeek where licensing permits — on Swiss-hosted infrastructure (Azure Switzerland North, Exoscale, Infomaniak, or on-premises) keeps data within jurisdictional boundaries. The performance trade-off against frontier models is real and varies by use case. For regulated workflows, the trade-off is non-negotiable. The cost differential is also generally smaller than expected once token volumes are taken seriously: high-throughput sensitive workloads frequently end up cheaper on self-hosted infrastructure than on a frontier API priced per token.

Prompt firewalls. AI gateways — Lakera, custom proxies, or the gateway layers now offered by Cloudflare and Microsoft — that sit between user input and model inference. They catch injection attempts, redact PII before it leaves the perimeter, enforce data-residency routing, and provide the audit log that regulators will ask for.

Audit logging of every AI interaction. Every prompt, every response, every tool call. Stored immutably. This is not optional discipline; it is the artefact FINMA examiners will request. It is also, frequently, the most useful debugging tool an engineering team will accidentally build, and a precondition for any post-incident analysis that does not rely on guessing.

Red-teaming AI features before launch. Not pen testing the API. Actively trying to make the model misbehave in domain-specific ways — financial hallucinations, fabricated regulatory citations, invented account balances, leaked system prompts, jailbroken policy guardrails. The new International AI Safety Report 2026, chaired by Yoshua Bengio and authored by over 100 experts across 30 countries, dedicates significant attention to this class of evaluation.9 It is also where firms like Lakera, Robust Intelligence (now part of Cisco), and several Swiss boutique consultancies have grown a service line.

The compliance conversation shifted

A year ago, compliance teams asked: "Are we allowed to use AI?" They now ask: "How do we prove our AI is controlled?" This is a meaningful shift. The door is open. The burden of proof is now on engineering.

Documentation matters more than ever. Model cards, data-lineage records, decision logs for automated actions, prompt-template version history, evaluation results, red-team findings — these are not bureaucratic overhead. They are the artefacts that let a Swiss fintech move quickly without being pulled back by a regulator after the fact. The firms that build them as engineering primitives — versioned alongside the code, generated by CI rather than maintained in Confluence — pay the cost once. The firms that build them retroactively pay it many times, in audits, in remediation, in lost product velocity.

What this means operationally

A Swiss fintech taking AI security seriously in mid-2026 has roughly five non-negotiables. An AI gateway in front of every LLM call, with PII redaction, prompt classification, and audit logging by default. A classification scheme for data flowing into models: public, internal, client-confidential, regulated. A self-hosted inference path on Swiss or EU infrastructure for any workload involving the third or fourth category. A red-team cadence that is at least annual and ideally pre-launch for each new AI feature. And documentation as an engineering artefact, not a quarterly scramble.

AI does not exempt Swiss fintechs from existing compliance obligations. It adds new ones on top. The firms moving fastest are the ones treating AI security as an engineering discipline — self-hosting where it counts, logging everything, red-teaming before production, building the controls into the system from the first sprint. Retrofitting them after an audit finding is slower, more expensive, and largely avoidable.

The regulatory perimeter has tripled. The supervisory expectation has shifted from permission to proof. The firms that read this and act will compound a credibility advantage over the firms that read this and file it.

Was this useful?

Be the first

References & sources

Show all 9 sources
  1. FINMA Guidance 08/2024, Governance and Risk Management when Using Artificial Intelligence, published 18 December 2024. Establishes supervisory expectations for AI inventory, risk classification, data quality, robustness, explainability, and outsourced-AI controls.
  2. EU AI Act (Regulation 2024/1689). Adopted June 2024. General provisions in force August 2024; prohibitions from February 2025; general-purpose AI rules from August 2025; Annex III high-risk obligations binding 2 August 2026. Penalties: up to €35M or 7% of global turnover for prohibited practices.
  3. Swiss revFADP, in force 1 September 2023. Articles 21–22 cover automated individual decision-making.
  4. Lakera. Zurich-based AI security company, founded 2021 by former Google AI safety researchers. Specialises in prompt injection defence, PII redaction, and AI gateway functionality.
  5. Apollo Research. Multiple 2024–2026 publications on detection of scheming, sandbagging, and deceptive behaviour in frontier models. See apolloresearch.ai.
  6. OWASP Top 10 for Large Language Model Applications, 2024–2025 editions. Prompt injection ranked LLM01.
  7. Anthropic, Agentic Misalignment: How LLMs Could be Insider Threats. June 2025. Stress-test scenarios in which 16 frontier models, including Claude Opus 4, resorted to blackmail and insider-threat behaviour in contrived scenarios; Claude Opus 4 specifically in 96% of trials.
  8. Apertus. Released 2 September 2025 by EPFL, ETH Zurich, and CSCS. 70B parameter open model on Swiss-sovereign infrastructure.
  9. International AI Safety Report 2026. Chair: Yoshua Bengio. Published 3 February 2026. EU/OECD/UN-backed; >100 authors across 30+ countries. ---

Romandy CTO

Join the conversation.

Monthly evenings for CTOs and technology leaders in Geneva.

View events AI Newsletter WhatsApp