6 July 2026 | Guide

FinTech Laws and Regulations 2026 –
Switzerland: Regulatory Developments and
Legal Framework

6 July 2026 | Guide
FinTech Laws and Regulations 2026 –
Switzerland: Regulatory Developments and
Legal Framework
Switzerland continues to be one of the leading jurisdictions for fintech innovation, offering a stable legal framework, a sophisticated financial market and a technology-neutral regulatory approach. This publication provides an overview of the key Swiss laws and regulations relevant to fintech businesses in 2026, including licensing requirements, digital assets, blockchain and DLT, payments, artificial intelligence, anti-money laundering, data protection and financial market supervision.

The chapter is intended for fintech companies, financial institutions, investors and other market participants seeking practical guidance on the Swiss regulatory landscape and recent legal developments.


The Fintech Landscape

Please describe the types of fintech businesses that are active in your jurisdiction and the state of the development of the market. Are there any notable fintech innovation trends of the past year within particular sub-sectors (e.g. payments, asset management, peer-to-peer lending or investment, and insurance) including those relating to cryptoassets, tokenisation and artificial intelligence?

Switzerland offers a friendly environment for companies in the fintech sector. According to a market study, a total of 483 fintech companies were active in Switzerland by the end of 2024, the same number as in 2023 and a 10.5% increase from 2022. The number of companies active in the field of blockchain/distributed ledger technology (“DLT”) increased to 175 companies in 2023 vs. 135 in 2022 before declining slightly to 173 in 2024 in Switzerland and Liechtenstein (all data: IFZ Fintech Study 2025, An Overview of Swiss and Liechtenstein FinTech, pp 6 ff.). Overall, the Swiss fintech industry is very broadly diversified, and the distinction between fintech and traditional financial services continues to be blurred. Swiss regulation, in principle, takes a technology-neutral, principle-based approach, which has so far enabled the jurisdiction to deal with many innovations in the financial sector without major revisions of laws and regulations. It remains to be seen whether major developments such as the use of large language models and artificial intelligence (“AI”) in fintech or financial services more generally will require amendments to the legal framework in the future.

The fintech sector has faced multiple challenges. E.g. FlowBank, an online bank/trading platform based in Geneva, was declared bankrupt by the Swiss Financial Market Supervisory Authority (“FINMA”) in 2024 because it no longer had the minimum own funds required, although privileged client deposits are expected to be recovered in full (FINMA media release of 13 June 2024, see also https://www.flowbank-liquidato...). SWISS4.0 SA, a micro start-up licensed under the Swiss fintech regime, was also declared bankrupt by FINMA on 4 March 2025. The measure followed ongoing concerns of over-indebtedness and serious liquidity problems (FINMA media release of 4 March 2025). Furthermore, a number of Swiss fintech businesses were affected by the FTX scandal in 2022 and its enduring effects on the sector. However, the Swiss fintech market also benefits from Switzerland’s reputation as a stable and reliable jurisdiction.

Swiss-based fintech businesses are active in areas such as payments, investment and asset management services, exchange services, crowdfunding and crowdlending, insurance-related services (insurtech), regulation/compliance-related services (regtech) as well as in various platform services, e.g. for the purposes of fundraising and/or distribution of financial instruments. Many businesses with a focus on DLT are based in the so-called “Crypto Valley” in the Canton of Zug, Switzerland, which initially became known as a hub for initial coin offerings (“ICOs”). While cryptocurrencies and related services such as staking remain an active topic, security tokens and their issuance and trading infrastructures have in the more recent past received increasing attention. In November 2021, the Swiss stock exchange SIX (“SIX”) launched a separate, fully regulated digital platform under the name SIX Digital Exchange, which provides a fully integrated end-to-end trading, settlement and custody service for digital assets.

In recent years, the market’s focus has included decentralised finance (“DeFi”), which uses smart contracts to minimise the need for financial intermediaries. Although there are many open questions as to the legal and regulatory treatment of DeFi, it has been a rapidly growing sector (FINMA Risk Monitor 2022, p. 19). Further, FINMA has – similarly to the European standard-setter European Securities and Markets Authority (“ESMA”) – addressed the topic of AI, recognising that while most institutions are still experimenting with AI, many companies have advanced AI applications that require corresponding risk management processes. Key challenges identified by FINMA in the use of AI include governance and responsibility, robustness and reliability, transparency and explainability as well as non-discrimination (FINMA Risk Monitor 2023, p. 24; see also ESMA’s Public Statement – On the use of Artificial Intelligence (AI) in the provision of retail investment services of 30 May 2024, no. 5).

In March 2025, FINMA granted the first licence for a DLT trading facility to BX Digital AG, a subsidiary of BX Swiss, an authorised Swiss stock exchange. The platform enables regulated institutions to trade and settle DLT securities on Ethereum, with fiat settlement integrated via the Swiss Interbank Clearing system. In September 2025, the Swiss Bankers Association (“SBA”), together with UBS, PostFinance and Sygnum, completed a proof of concept for blockchain-based interbank payments. The project showed that tokenised deposits can be transferred between banks on a shared blockchain in compliance with Swiss financial regulation. The tokens were treated as digital payment instructions under Swiss contract law, rather than as cryptoassets, thereby confirming both the technical and legal feasibility of cross-bank programmable payments.

Generally speaking, the fintech market continues to see more mature projects, many of which are backed or launched by established financial institutions and technology companies. These well-funded start-ups more readily accept and embrace regulation, with several projects aiming to become licensed and supervised by FINMA.

Are there any types of fintech business that are at present prohibited or restricted in your jurisdiction (for example cryptoasset-based businesses)?

Switzerland has no specific prohibitions or restrictions in place with respect to fintech businesses or cryptoasset-related activities, but general Swiss laws and regulations for the financial sector apply. With few exceptions, Swiss financial regulation is technology-neutral and principle-based, which has so far allowed the market and the competent authorities to cope well with technological innovation. Depending on the nature and scope of their business activities, fintech operators may be subject to regulation and supervision by FINMA or by self-regulatory organisations. In accordance with the principle of “same business, same risks, same rules”, FINMA takes an economic approach when assessing the relevance and application of Swiss laws on cryptocurrency-focused businesses such as DeFi projects, e.g. to determine whether compliance with regulation on financial services, anti-money laundering (“AML”), collective investment schemes, financial market infrastructures, banks, insurance companies, securities firms and/or data protection is required (FINMA Risk Monitor 2022, p. 19). Therefore, each case needs to be assessed individually (see question 3.1). With regard to ICOs, stablecoins and cryptocurrencies in particular, FINMA published several guidance papers in which it emphasised the concept of an individual review of each business case regarding the regulatory impact. It is therefore prudent for fintech start-ups to seek clearance from the regulator before launching their project on the market.

Funding For Fintech

Broadly, what types of funding are available for new and growing businesses in your jurisdiction (covering both equity and debt)?

Switzerland has an active start-up scene and various funding opportunities are available for companies at every stage of development. There are seed and venture capital firms for early funding as well as mature debt and equity capital markets for companies at a later stage. In addition, there are many financial institutions that have a potential interest in buying an equity stake in fintech companies or in a full integration, e.g. to ensure new distribution channels. Foreign investment is also common and not specifically restricted.

Crowdfunding and crowdlending as alternative sources of funding had shown rapid growth rates in Switzerland in the last years, further driven by the COVID-19 pandemic (according to the 2021 Crowdfunding Monitor Study of the University of Lucerne, 14,984 projects were crowdfunded via crowdsupporting/crowddonating at a total amount of CHF 44.6 million in the course of 2020), both in terms of the number of platforms and the funds raised; however, since then, crowdfunding has decreased in 2021 and 2022. At the end of April 2025, 38 platforms were maintaining an active physical presence in Switzerland (compared to only four in 2014 and 35 in 2023) and several non-domestic platforms were active on the market on a cross-border basis (HSLU, Crowdfunding Monitor Schweiz 2025). The legislator has facilitated crowdfunding and crowdlending platforms by way of the introduction of fintech regulation in Switzerland as follows: (a) on 1 August 2017, the maximum holding period during which the acceptance of funds for the purpose of settlement of customer transactions does not yet qualify as taking deposits from the public (and therefore does not count towards a potential banking or fintech licence requirement) was extended from seven to 60 days; and (b) a so-called “regulatory sandbox” was introduced in the Banking Ordinance, according to which more than 20 deposits from the public can be accepted on a permanent basis without triggering a banking licence requirement, as long as (i) the deposits accepted do not exceed CHF 1 million, (ii) no interest margin business is conducted, and (iii) depositors are informed, before making the deposit, that the person accepting the deposits is not supervised by FINMA and that the deposits are not covered by the Swiss depositor protection scheme (see question 3.2 for further details). Furthermore, on 1 January 2019, a regulatory licence type geared towards fintech operators with a need to hold deposits from the public in limited amounts was introduced in the Banking Act (“BankA”).

Switzerland hosts a range of incubator and accelerator programmes for both Swiss-based and international fintech companies, either exclusively fintech-related (such as the association F10 or Thomson Reuters Labs – The Incubator) or focused on digital innovation in general including fintech (such as Kickstart Accelerator) or blockchain (CV Labs Blockchain Incubator). In addition, there are organised challenges aiming to support mainly fintech companies that generally involve a prize (such as the Swiss Innovation Challenge).

Are there any special incentive schemes for investment in tech/fintech businesses, or in small/medium-sized businesses more generally, in your jurisdiction, e.g. tax incentive schemes for enterprise investment or venture capital investment?

There are no specific tax or other incentives for the benefit of the tech or fintech industry only. However, depending on the tax domicile of the company and the residence of the shareholders, there are a variety of general tax benefits for start-up companies and tax schemes granting some relief to investors.

Generally speaking, depending on the tax domicile of the company, the ordinary profit tax rate in Switzerland can be as low as 11.09% (tax rates vary between the different Swiss cantons and municipalities). The canton of Zug (in the heart of the “Crypto Valley”) offers a low corporate income tax rate of 11.82% (municipality with lowest tax rate in the canton).

Further, there are various general special regimes for corporate income tax purposes available in Switzerland. Under the patent box regime, cantons tax profits from qualifying patents and comparable rights at a reduced rate for corporate income tax purposes. Cantons can also provide for special R&D “super deductions” from corporate income tax and/or exempt a part of the equity (to the extent attributed to qualifying participations, patents and loans to group companies) from the annual capital tax. Cantons with a statutory cantonal and communal tax rate of at least 13.5% at the cantonal capital may also provide for a notional interest deduction on so-called “security capital”. Only the Canton of Zurich introduced the deduction for equity financing. Certain cantons provide grants for sustainability-related projects and experimental research and innovation, e.g. the canton of Zug with a total budget of maximum CHF 150 million annually for such grants between 2026 and 2028.

Start-ups may benefit from a tax holiday on the cantonal and federal level if their tax domicile is located in defined regions of Switzerland. Furthermore, if a company sells a stake of at least 10% of the capital held in another company that has been held for at least one year prior to the sale, a participation deduction can be applied to the realised profit. In addition, Swiss resident individuals are not taxed on capital gains realised on privately held assets. Dividend payments to companies that hold a participation of at least 10% or with a fair market value of at least CHF 1 million in the dividend paying company also benefit from the participation deduction. Dividend payments to Swiss resident individuals on substantial participations of at least 10% are taxed at a reduced rate.

Switzerland levies annual wealth taxes. To lessen the tax burden for start-up investors, start-up companies are often valued at their substance value for wealth tax purposes (e.g. in the Canton of Zurich).

In terms of management/employee incentives, Switzerland offers attractive ways to structure participation schemes. If structured as an equity participation, such schemes generally aim to obtain a tax-exempt capital gain (instead of taxable salary) for the Swiss resident managers upon an exit. However, in case of an acquisition of employee shares for which a fair market value was unavailable or not accepted at the time of acquisition, part of the capital gain at exit might be taxed in case of a sale within five years after the acquisition. In any case, founder shares will not be regarded as employee shares and will as such generally provide for a tax-exempt capital gain.

There are certain cantons that offer additional tax benefits to investors in innovative start-ups (e.g. a separate taxation at 1% tax rate on the amount invested in the canton of Ticino) and innovative start-ups (e.g. gift tax exemption for donations to start-ups and/or reduced capital tax at 0.01‰ in the canton of Ticino). It is worth reviewing applicable relevant provisions for each relevant canton.

In Switzerland, it is common to discuss the tax consequences of an envisioned structure with the competent tax administration and there is an uncomplicated process of obtaining advance tax rulings.

In brief, what conditions need to be satisfied for a business to IPO in your jurisdiction?

The requirements for a listing on the SIX Swiss Exchange (the main Swiss stock exchange) are laid down in its Listing Rules (as revised on 1 September 2024). Essential listing prerequisites include, e.g., (i) that the issuer has existed as a company for at least three years (however, exemptions exist) and has a reported equity capital of at least CHF 25 million. Furthermore, (ii) the securities must meet the minimum free float requirements (at least 20% of all of the issuer’s outstanding securities in the same category have to be held in public ownership, and the capitalisation of those securities in public ownership has to amount to at least CHF 25 million).

The listing requirements of the BX Swiss (the second regulated Swiss stock exchange) are structured in a similar way as those of the SIX Swiss Exchange but are in some areas slightly less stringent, e.g. the issuer must only have existed as a company for at least one year and the share capital and the reported equity must only amount to at least CHF 2 million.

Have there been any notable exits (sale of business or IPO) by the founders of fintech businesses in your jurisdiction?

There have not been any recent IPOs in Switzerland in the area of fintech and IPO activity was generally low and exits equally subdued (Swiss VC Report 2026, p. 38 ff.). The following acquisition transactions in 2025 might be noteworthy: Elysium Lab, a digital asset company founded 2021 in Lugano, was acquired by Canadian blockchain and digital asset infrastructure company Blockstream; and ZWEI Wealth, a wealth management platform offering solutions from banks as well as asset and wealth managers, was acquired by Swiss Life. At the end of 2024, the Swiss Fintech Association and the Swiss Finance + Technology Association merged in an effort to enhance their services and collaboration with regulators and policy-makers.

Fintech Regulation

Please briefly describe the regulatory framework(s) for fintech businesses operating in your jurisdiction, and the type of fintech activities that are regulated.

Broadly speaking, the Swiss financial regulatory regime does not specifically address fintech. In fact, the recent new regulations addressing certain requirements for fintech companies in Switzerland have been designed according to the principle of technology-neutrality, meaning that business activities with substantially similar characteristics are subject to the same regulatory requirements irrespective of whether they are provided using advanced technology or in a more traditional format or irrespective of how they are labelled (notwithstanding, there is a regulatory licence type that is colloquially referred to as “fintech licence”; see further below and see also question 3.4). The intention is to provide a level playing field among innovators and traditional providers engaging in similar businesses with similar risks.

The Swiss legal and regulatory framework governing financial services consists of a number of federal acts and implementing ordinances as well as circulars and other guidance papers issued by FINMA. Fintech business models have to be assessed within this set of rules on a case-by-case basis (see question 1.2).

Specifically, based on their (intended) activities, fintech businesses may, in particular, fall within the scope of the BankA (if engaging in activities involving the professional acceptance of deposits from the public or the public solicitation of deposit-taking or engaging in collective custody of cryptocurrencies; see question 3.2), the Anti-Money Laundering Act (“AMLA”) (if active as a so-called “financial intermediary”, e.g. in connection with payment instruments, payment systems, individual portfolio management or lending activities; see question 4.5), the Collective Investment Schemes Act (if issuing or managing investment funds or engaging in other activities relating to collective investment schemes), the Financial Market Infrastructure Act (“FinMIA”) (if acting as a financial market infrastructure, e.g. a multilateral trading facility, or operating a DLT trading facility), the Financial Institutions Act (“FinIA”) (if acting as a securities firm, as an asset manager or trustee, see further below), the Financial Services Act (“FinSA”) (if engaging in so-called “financial services for clients”, e.g. investment advisory services) or the Insurance Supervision Act (“ISA”) (if acting as an insurer or insurance intermediary). Moreover, inter alia, the Consumer Credit Act, the Data Protection Act (“FADP”) as well as the National Bank Act may apply, as well as self-regulatory provisions or guidance papers by industry bodies (e.g. in the area of structured products with crypto underlyings).

Depending on the specific business model, regulatory requirements may include licence or registration requirements as well as ongoing compliance and reporting obligations, in particular relating to organisation, capital adequacy, liquidity and documentation, as well as general fit-and-proper requirements for key individuals, shareholders and the business itself. Certain types of regulated businesses are prudentially supervised by FINMA on an ongoing basis in a two-tier approach, whereby an audit firm (regulatory auditor) appointed by the supervised entity carries out regulatory audits that will be an important basis for the supervision by FINMA. The individual financial market laws provide for de minimis and other exemptions that can potentially be relevant for fintech businesses depending on the type and scale of their activities.

FINMA is the integrated supervisory authority for the Swiss financial market, ensuring a consistent approach to the qualification and regulatory treatment of fintech businesses and other financial institutions. Furthermore, Switzerland has an established system of industry self-regulation by private organisations such as the SBA, the Asset Management Association Switzerland as well as numerous professional self-regulatory and supervisory organisations for financial intermediaries, asset managers and trustees. Some of the regulations issued by self-regulatory organisations have been recognised by FINMA as minimum standards (e.g. in the area of money laundering prevention).

Are financial regulators and policy-makers in your jurisdiction receptive to fintech innovation and technology-driven new entrants to regulated financial services markets, and if so how is this manifested? Are there any regulatory ‘sandbox’ options for fintechs in your jurisdiction?

Key representatives of FINMA have repeatedly expressed their openness in principle to innovation in financial services. At the organisational level, FINMA, inter alia, established a dedicated fintech desk to interact with fintech start-ups, and revised several of its circulars, which specify the practice of the regulator under the current legislation, to render them technology-neutral (e.g. by refraining from physical written form requirements relating to certain documentations or by enabling video and online identification for client onboarding purposes). In the context of AML, FINMA has also revised its respective ordinance, introducing simplified organisational requirements for small fintech companies (see question 4.5).

In order to make it easier for fintech start-ups to set up shop and to ease regulatory hurdles, a three-pillar legal reform programme was initiated by Swiss policy-makers (including the Federal Council) back in 2016, with the first two pillars (see first and second bullets below) taking effect on 1 August 2017. The third pillar of the legislative reform package refers to the introduction of a fintech licence category to the Swiss framework for financial market supervision and became effective on 1 January 2019 (see third bullet below).

  • Maximum holding period for settlement accounts: The revision of the framework for banking legislation extended the time period for which third-party monies accepted on interest-free accounts for the purpose of settlement of customer transactions do not qualify as “deposits from the public” (and therefore do not count towards a potential banking licence requirement) to a maximum of 60 days (instead of only seven days). Crowdfunding platforms in particular, but also payment service providers, the business model of which typically requires holding third-party funds for a certain period of time, benefit from this broadened exemption. It must be noted that settlement accounts of foreign exchange dealers generally do not fall within the scope of the exception for settlement accounts. In the context of fintech, this may in particular affect cryptocurrency traders, which are subject to the same limitation if their business is conducted in a manner comparable to a traditional foreign exchange dealer.
  • Regulatory sandbox: The Swiss regulatory sandbox provides an innovation space for fintech but also for other emerging businesses and other undertakings to test their business models. It allows any person, without the prior approval or review by the regulator (i.e. no licence requirement), to accept deposits from the public or engage in collective custody of cryptocurrencies in an amount or value of up to CHF 1 million, regardless of the number of depositors. This exemption is, however, available only if the deposits are neither interest-bearing nor invested (or alternatively used for the purpose of financing a primarily commercial or industrial activity). As a mitigating measure, the deposit-taker must inform the depositors – before accepting any of their monies – that it is not supervised by FINMA and that the deposits are not covered by the depositor protection regime. On 1 April 2019, new rules entered into force explicitly prohibiting the interest margin business while at the same time enabling deposits received under the sandbox to be used for private purposes (i.e. not for commercial or industrial purposes).
  • Fintech licence: Under this licence category (sometimes also referred to as “banking licence light”), FINMA may authorise companies that do not carry out traditional banking activities to accept deposits from the public up to a maximum threshold of CHF 100 million as long as the deposits are not invested and no interest is paid on them. Hence, companies that merely accept and hold public deposits up to the threshold amount and do not engage in the commercial banking business with maturity transformation are eligible for the fintech licence. Compared to a fully-fledged banking licence, the fintech licence is subject to less onerous requirements in the areas of minimum capital, capital adequacy and liquidity, governance, risk management, compliance, depositor protection as well as accounting and auditing. Irrespective of the reliefs granted, AML regulation continues to apply to fintech firms if they qualify as financial intermediaries (the same applies to data protection law (see question 4.5)). We note that currently only four companies are holding a fintech licence as the application scope of the fintech licence is, in practice, limited to certain business models. By way of the Federal Act on the Adaptation of Federal Law to Developments in the Technology of Distributed Electronic Registers (“DLT Act”), in 2021, the licence was expanded to, and is therefore required for, the business of collective custody of cryptocurrencies. Ongoing legislative initiatives aim to modernise the regulatory regime and, inter alia, replace the fintech licence (see below and question 3.4).

In addition, the DLT Act established a separate regulatory licence type under the FinMIA for the operation of a DLT trading facility, defined as a professionally operated venue for the multilateral trading of DLT securities. According to Swiss law, DLT securities (from a regulatory point of view) include (a) register value rights in the meaning of art. 973d of the Swiss Code of Obligations, and (b) other value rights that are held on electronic registers and enable the creditors, but not the debtor, to dispose over their rights using technological processes.

Building on the existing fintech and DLT framework, the Swiss Federal Council launched a public consultation on 22 October 2025 on proposed amendments to the FinIA aimed at modernising the regulatory regime for stablecoins and crypto-related services, and aligning Swiss regulation with evolving international standards. The draft bill proposes two new licence categories: (i) so-called “payment instrument institutions”, intended to replace the existing fintech licence under the BankA and to allow the issuance of value-stable, crypto-based payment instruments (i.e. stablecoins) subject to enhanced prudential safeguards; and (ii) so-called “crypto institutions”, designed for service providers that safeguard or trade cryptoassets falling outside the scope of traditional financial instruments (see question 3.4).

In the insurance sector, the recently revised ISA, which entered into force in 2024, provides for a competence of FINMA to exempt small insurance undertakings with innovative business models under certain conditions from insurance supervision if this serves the sustainability of the Swiss financial market and the interests of the insured are safeguarded (regulatory sandbox in the insurance/insurtech sector).

What, if any, regulatory hurdles must fintech businesses (or financial services businesses offering fintech products and services) which are established outside your jurisdiction overcome in order to access new customers in your jurisdiction?

The introduction of the fintech legislation (see question 3.2) reduced certain regulatory hurdles for fintech businesses in Switzerland. In general, it can also be said that the Swiss inbound cross-border regulatory regime for financial services is fairly liberal in comparison to international regulation. Many Swiss financial market regulatory laws do not apply to fintech (and other) businesses that are domiciled abroad and serve customers in Switzerland on a pure cross-border basis, i.e. without employing persons permanently on the ground in Switzerland or by frequent travel to Switzerland. Notably, the BankA, FinIA and AMLA apply only to foreign operators that have established a relevant physical presence in Switzerland, e.g. a branch or representative office. That said, cross-border operators that are not regulated in Switzerland should refrain from creating an (inaccurate) appearance of “Swissness”, e.g. by using a “.ch” domain or referring to Swiss contact numbers or addresses (or such factors in combination). However, the Swiss financial services regulation pursuant to the FinSA also captures foreign financial service providers that service clients in Switzerland from abroad on a pure cross-border basis; a significant departure from the otherwise liberal regulatory inbound regime, albeit limited to certain defined types of financial services such as investment advice, investment management, the receipt and transmission of orders and the purchase and sale of financial instruments, as well as specific lending activities in this context. Separately, it must be noted that some areas of Swiss financial regulation are more restrictive with regard to cross-border activities, notably the regulation of collective investment schemes as well as insurance regulation and consumer credit regulation.

How is your regulator approaching the challenge of regulating the traditional financial sector alongside the regulation of big tech players entering the fintech space?

On 22 October 2025, the Swiss Federal Council launched a public consultation on proposed amendments to the FinIA (“revFinIA”), aimed at strengthening the framework for innovative financial technologies, enhancing the attractiveness and competitiveness of the Swiss financial centre, and aligning Swiss regulation with evolving international standards. The proposal builds on the existing fintech licence under the BankA and the DLT reforms implemented in 2021 and introduces two new licence categories for (i) payment instrument institutions (Zahlungsmittelinstitute), and (ii) crypto institutions (Krypto-Institute):

  • Payment instrument institutions: The proposed payment instrument institution licence under the revFinIA is intended to replace the fintech licence (art. 1b BankA) (see questions 3.2 and 3.3). It allows the holding, but not the interest payment on or onwards lending, of client funds, which must remain segregated in bank deposits or high-quality liquid assets. A key novelty is that licensed payment instrument institutions may issue currency-pegged stablecoins (“value-stable crypto-based payment instruments”). Issuers are required to publish an appropriate whitepaper, notify FINMA and ensure redemption at nominal value at any time. Reserves must be fully covered, diversified and denominated in the currency of the redemption claim. In the event of insolvency, the relevant assets are segregated for the benefit of clients and token holders and do not form part of the bankruptcy estate. The Swiss National Bank may designate systemically important payment instrument institutions as “significant payment instrument institutions”, triggering additional regulatory requirements.
  • Crypto institutions: The proposed crypto institution licence under the revFinIA applies to entities that custody or trade cryptoassets. Licensed crypto institutions may, in particular, custody stablecoins and other cryptoassets, execute trades for clients or on own account, and offer staking services. They are subject to capital, liquidity, segregation and record-keeping requirements and must enter into written agreements with clients and provide specific risk disclosures in relation to staking. The regulatory framework broadly follows the model applicable to securities firms, albeit in a more limited form, as crypto institutions do not deal in “financial instruments” within the meaning of the FinSA. Nonetheless, certain conduct and organisational obligations under the FinSA will still apply.

According to the explanatory report, the reform aims to implement Financial Stability Board and Financial Action Task Force standards, and align Switzerland with the EU Markets in Cryptoassets Regulation.

Other Regulatory Regimes / Non-Financial Regulation

Does your jurisdiction regulate the collection/use/transmission of personal data, and if yes, what is the legal basis for such regulation and how does this apply to fintech businesses operating in your jurisdiction?

For the processing of personal data (i.e. any information directly or indirectly identifying an individual) by private persons, Swiss data protection law is set forth in the FADP and the implementing Data Protection Ordinance (“DPO”). The revised FADP and DPO entered into force on 1 September 2023. The main goal of the revision was to adapt Swiss data protection legislation to the changed technological and social conditions and, in particular, to improve the transparency of data processing and strengthen the rights and self-determination of data subjects. Furthermore, the revision served to align Swiss data protection legislation with the requirements of the General Data Protection Regulation (EU) 2016/679 of the EU (“GDPR”), as this was a key element to ensure continued EU recognition of Switzerland as a third country with an adequate level of data protection in order to allow cross-border data transfers to continue without further protective measures. Fintech firms are subject to the FADP if they process personal data of natural persons in Switzerland. In this context, the mere storage of personal data on a server in Switzerland is sufficient to trigger the applicability of the FADP. In addition, the FADP applies, by virtue of its extraterritorial scope (which is broader than that of the GDPR) where there is a sufficient nexus to Switzerland – for example, if the processed personal data relates to data subjects in Switzerland or if a data breach could affect data subjects in Switzerland. Recently and following the expansion of AI-supported data processing, the Federal Data Protection and Information Commissioner (“Commissioner”) stated that the FADP is also directly applicable to its use (Commissioner, Current data protection legislation is directly applicable to AI, 9 November 2023). In March 2025, Switzerland ratified the Council of Europe’s AI Convention and is currently working on drawing up a bill on AI regulation to be submitted for consultation, expected by the end of 2026.

A fintech firm (as with other businesses) processing personal data in Switzerland must do so in accordance with the following data processing principles: good faith; proportionality; purpose limitation; transparency; accuracy; data security; and lawfulness. This means personal data may only be processed for a specified and legitimate purpose (it is not permitted to collect personal data for unknown future purposes in bulk), the purposes, controller and recipients of the data must be transparent upon collection of the personal data (under the revised FADP, companies have a duty to inform data subjects of all processing activities; the FADP sets out the minimum information that must be provided) and only the personal data necessary to achieve the purpose may be processed. The personal data should only be accessed on a strict need-to-know basis and deleted once it is no longer required for the purpose for which it was collected (subject to statutory retention duties). The revised FADP introduces additional duties that impact fintech firms processing personal data in Switzerland, similar to the duties under the GDPR. Fintech firms (as with other businesses) have to (i) maintain a register of all data processing activities (with certain exemptions), (ii) report certain data breaches to the Commissioner and, in certain cases, the affected data subjects, (iii) inform all data subjects of all data processing activities (i.e. through a detailed privacy policy) and, in certain circumstances, and (iv) conduct a so-called “data protection impact assessment” (i.e. a risk assessment) for high-risk processing activities (e.g. in the case of large-sale processing of sensitive data). Furthermore, the processing of personal data by third-party service providers (as a processor) on behalf of a fintech firm (as a controller) is subject to the conclusion of a data processing agreement (“DPA”). The DPA should, in particular, ensure that the third-party service provider may only process the personal data for the same purposes as the fintech firm and that the third-party service provider ensures at least the same level of data security (by implementation of appropriate technical and organisational data security measures). The parties should also ensure strict confidentiality, where possible and necessary. In particular, a fintech firm must ensure that consent of the affected customers is obtained if the fintech firm is subject to statutory or contractual duties of confidentiality that would otherwise prevent the engagement of third-party service providers. Under the FADP, third-party services providers are, furthermore, required to obtain the fintech firm’s prior consent if the third-party service provider wants to engage sub-processors for the processing activities it is carrying out on behalf of the respective fintech firm (this is typically addressed in the DPA, which also usually includes a list of approved sub-processors). For the requirements regarding cross-border data transfers, see question 4.2 below.

Finally, companies must ensure that they have implemented processes to allow data subjects to exercise their rights in accordance with the FADP (in particular, the right to information/access, the right to correction of inaccurate/wrong personal data and the right to deletion of inaccurate/wrong personal data). The revised FADP introduces the right to data portability, similar to the GDPR.

Do your data privacy laws apply to organisations established outside of your jurisdiction? Do your data privacy laws restrict international transfers of data?

Swiss data privacy laws apply to any natural or legal person who processes personal data of natural persons, if the processing takes effect in Switzerland or impacts individuals in Switzerland, respectively (e.g. if personal data is collected or stored in Switzerland or the fintech firm offers products or services to data subjects in Switzerland). Therefore, the activity of processing of personal data on equipment located in Switzerland is, in principle, within the scope of the FADP (see question 4.1). This is particularly relevant for foreign fintech firms that are processing personal data in Switzerland through branch offices or third-party service providers.

The FADP prohibits cross-border disclosure of personal data if such a disclosure could seriously endanger the privacy of the data subjects concerned. This could be the case particularly if personal data is disclosed to a country where the local legislation does not guarantee an adequate level of data protection, e.g. India, China or the U.S. (for the U.S. only in case of non-certified companies under the U.S.-Swiss Data Privacy Framework). The Swiss Federal Council is the competent authority to issue binding decisions on the adequacy of a foreign country’s data protection laws. The Federal Council has published a binding list of countries that provide an adequate level of data protection in annex 1 of the DPO. In particular, all EU Member States are deemed to meet the requirement of adequate data protection rules for the processing of personal data of individuals. If personal data is disclosed to a company in a country that does not provide an adequate level of data protection, other guarantees must be implemented to justify such a disclosure.

After the revision of the FADP, in January 2024, the EU confirmed that Switzerland offers an adequate level of data protection, meaning that personal data will continue to be transferred from the EU and the EEA to Switzerland without further need for guarantees. Similarly, later in August 2024, the Swiss-U.S. Data Privacy Framework was approved by the Federal Council. Consequently, Switzerland can disclose personal data to self-certified U.S.-based companies without any additional guarantees.

An important guarantee to secure adequate protection for transfers to third countries is the use of standard contractual clauses (“SCCs”) issued by the European Commission, adapted to Swiss law requirements as required by the Commissioner, or other contractual clauses explicitly recognised by the Commissioner. In June 2021, the European Commission published the revised SCCs, which were recognised by the Commissioner for Switzerland some weeks later. Before signing these new SCCs, Swiss companies need to implement the requirements published by the Commissioner (e.g. in a Swiss appendix) and they need to assess on a case-by-case basis whether the SCCs are actually suitable for ensuring appropriate protection of the transferred personal data or whether supplementary measures need to be in place in addition to the SCCs (a so-called “data transfer impact assessment”). In particular, Swiss companies exporting data need to evaluate on a case-by-case basis whether the laws in the receiving country relating to lawful data access by foreign public authorities (e.g. for national security or criminal investigation purposes) and data subject rights are compatible with Swiss data protection law and Swiss constitutional principles. Furthermore, cross-border disclosure of personal data between entities of the same group are permitted if so-called “binding corporate rules” have been adopted by the entities and approved by the Commissioner. Under the FADP, the Commissioner must be notified of the use of model contracts (except if SCCs are used) for cross-border disclosure and binding corporate rules need to be approved by the Commissioner or another competent authority domiciled in a country that provides an adequate level of data protection prior to any disclosure. Another option is to obtain explicit consent for the disclosure from the data subject whose data is being disclosed for individual cases. Companies are also permitted to disclose personal data abroad if it is necessary, for the respective company to establish, exercise or enforce legal claims before a foreign court or authority in a specific case, or if the disclosure is directly connected to the conclusion or performance of a contract. The direct collection of personal data from a data subject in Switzerland by a fintech company based outside of Switzerland is not considered a cross-border disclosure of personal data, as there is no Swiss data exporter.

Please briefly describe the sanctions that apply for failing to comply with your data privacy laws.

The sanctions pursuant to the old FADP were moderate but have since been extended significantly pursuant to the revision of the FADP in 2023:

  • Civil law sanctions: As under the old FADP, if the personality of a data subject has been violated (e.g. if personal data is not processed in compliance with the general data protection principles, personal data is disclosed to a third party without consent, a legal basis or an overriding interest, or if personal data is processed despite the data subject’s objection), then the data subject can lodge a civil claim. A data subject can file a request for an interim injunction against unlawful data processing. It is, inter alia, also possible to lodge a claim for correction or deletion of data or a prohibition on the disclosure of data to third parties. In addition, a data subject is entitled to compensation for actual damages caused by unlawful processing or other breaches of the FADP.
  • Criminal law sanctions: Under the revised FADP, the catalogue of criminal offences that can lead to a fine in case of wilful conduct has been extended (e.g. non-compliance with the requirements to engage a data processor or cross-border disclosure, intentionally providing wrong or incomplete information, failure to comply with the minimum data security standards defined in the DPO, or if a company does not comply with the minimum standards of data security defined by the Federal Council) and the fines that can be imposed have been increased to up to CHF 250,000 (previously CHF 10,000). Unlike the GDPR, the FADP provides for criminal fines imposed personally on the company’s members of the board of directors or senior management. The Commissioner will still not have the competence to issue such fines but will be entitled to file a criminal complaint. The cantonal criminal law enforcement agencies are competent for issuing fines and they typically become active in case they receive a complaint (e.g. by the Commissioner or a data subject). In practice, the publicly available cases of criminal investigations and fines imposed to date concern criminal investigations and fines imposed in instances of systematic violations of data subject access requests. The fines in Switzerland disclosed so far do not exceed CHF 1,000.

Furthermore, the Commissioner now has the competence to issue binding orders against companies processing personal data in breach of the revised FADP. The Commissioner will, inter alia, have the power to restrict, suspend or terminate processing activities or to require companies to comply with their duties under the revised FADP. If companies do not comply with such binding orders, they can face a fine of up to CHF 250,000.

Does your jurisdiction have cyber security laws or regulations that may apply to fintech businesses operating in your jurisdiction?

Switzerland does not provide for comprehensive cyber security legislation. However, specific objects and specific industries are regulated with regard to cyber security by way of a number of provisions in different acts and initiatives, inter alia:

  • Under the revised FADP, the Federal Council has issued minimum standards of data security in the revised DPO that companies processing personal data will at least have to meet. Furthermore, the revised FADP provides for an obligation to notify the Commissioner and, where necessary, the affected data subjects of certain personal data breaches.
  • Fintech firms subject to the supervision of FINMA also have a duty to report certain cyber security incidents to FINMA in accordance with art. 29 para. 2 of the Financial Market Supervision Act (see also FINMA guidance paper 05/2020). Further, on 7 June 2024, FINMA published guidance paper 03/2024 regarding findings from FINMA’s cyber risk supervision, clarification of FINMA guidance paper 05/2020 and scenario-based cyber risk exercises.
  • The Criminal Code provides for statutory offences, which protect IT infrastructure against cyber crime (i.e. against the unauthorised obtaining of data, unauthorised access to a data processing system, data corruption, etc.).
  • The National Cyber Security Centre (“NCSC”) is Switzerland’s competence centre for cyber security and thus the first contact point for businesses, public administrations, educational institutions and the general public for cyber issues. It is responsible for the coordinated implementation of the National Cyberstrategy (https://www.ncsc.admin.ch/ncsc...), which was adopted by the Federal Council on 5 April 2023.
  • The Federal Department of Defence, Civil Protection and Sport established a Cyber Defence Campus that commenced operations in January 2019, focusing on early detection and observation of current developments in the cyber world and on the development of action strategies in this respect.
  • On 5 April 2022, the Swiss Financial Sector Cybersecurity Center was founded. It aims to enhance the financial sector’s ability to withstand cyber security risks – its cyber resilience – and promote a partnership between financial institutions and authorities on strategic and operational issues. The 55 founding members include banks, insurers and industry associations.
  • The Federal Act on Information Security (“ISG”) “Bundesgesetz über die Informationssicherheit beim Bund”) was adopted on 18 December 2020 and entered into force on 1 January 2024. The ISG requires federal authorities subject to the ISG to report security incidents to the competent authority (“Fachstelle BS”). As of 1 April 2025, operators for critical infrastructures (including companies in the financial sector such as banks and other regulated financial service providers falling within the scope of the relevant financial market legislation) are obliged to report cyber attacks to the NCSC within 24 hours of discovery.
  • In 2011, Switzerland ratified the Budapest Convention (Council of Europe Convention on Cybercrime of 2001), which fosters increased and rapid international cooperation in the fight against cyber crime.

Please describe any AML and other financial crime requirements that may apply to fintech businesses in your jurisdiction.

The Swiss rules on prevention of money laundering and terrorist financing are set forth in the AMLA, the Anti-Money Laundering Ordinance, ordinances and circulars of FINMA as well as the rulebooks of recognised self-regulatory organisations. Generally speaking, AML regulation applies to so-called “financial intermediaries” (and partially to merchants if they accept large sums in cash, i.e. more than CHF 100,000, as payment in commercial transactions). On the one hand, certain prudentially regulated entities, such as banks, securities firms, fund management companies, life insurance undertakings and, with the introduction of the DLT Act, DLT trading systems, qualify as financial intermediaries based on their regulatory status (per se financial intermediaries). On the other hand, any otherwise unregulated person or entity can qualify as a financial intermediary by virtue of its professional activities. In general, this refers to any person that, on a professional basis, accepts or holds on deposit third-party assets or that assists in the investment or transfer of such assets (e.g. money transmitters or crypto exchanges, but also, depending on the particulars of the case, issuers of cryptocurrencies). The DLT Act also closed potential loopholes in the area of money laundering.

Many fintech business models include elements that lead to their operators qualifying as financial intermediaries in the meaning of the AMLA. If this is the case and no exemptions are available, the fintech firm is required to join a recognised Swiss AML self-regulatory organisation. In this context, the firm is required to comply with certain duties on an ongoing basis, in particular the duty to verify the identity of customers and the beneficial ownership in the relevant assets as well as documentation, reporting and audit requirements. In a push to eliminate barriers for technology-based business models, FINMA introduced a circular that enables onboarding of customers via digital channels, e.g. by means of video transmission and other forms of online identification. This model has also been replicated in the rulebooks of recognised AML self-regulatory organisations.

The AMLA includes specific criminal provisions sanctioning the violation of duties under AML regulation. In addition, certain offences in the area of corruption and money laundering are set forth in general criminal law, meaning that they apply to fintech (and other) firms regardless of their qualification as a financial intermediary.

Are there any other regulatory regimes that may apply to fintech businesses operating in your jurisdiction (for example, AI)?

Aside from financial regulation in various areas (see questions 3.1 et seqq.) and the data protection regime (see questions 4.1 et seqq.), fintech firms have to comply with general corporate and civil law provisions as well as with Swiss competition law on the basis of the Unfair Competition Act (“UCA”). Furthermore, depending on the specific business model, the Telecommunications Act may apply.

Although there is currently no particular legislation concerning AI in place in Switzerland, the Swiss Federal Council has recognised the potential and risks of the technology and has commissioned an overview over possible regulatory approaches to AI based on current Swiss law, the EU’s AI Act and the Council of Europe’s AI Convention. In February 2025, the Federal Council published its approach to AI regulation, rejecting the adopting of a general cross-sector AI law (such as the EU AI Act) and instead opting for a sector-specific regulatory framework. In March 2025, Switzerland ratified the Council of Europe’s AI Convention and is currently working on drawing up a bill on AI regulation to be submitted for consultation, expected by the end of 2026. The bill will implement the Council of Europe’s AI Convention by specifying the necessary legal measures, particularly in relation to transparency, data protection, non-discrimination and supervision. At the supervisory level, FINMA, on 18 December 2024, published a guidance paper on governance and risk management for financial institutions using AI.

Technology

Please briefly describe how innovations and inventions are protected in your jurisdiction.

The IP protection afforded to fintech innovations depends on the subject matter and nature of the innovation in question.

If the innovation takes the form of a computer program, it may be eligible for copyright protection. For a program to qualify, it must exhibit individual character. A computer program lacks individuality if it is banal or trivial – for example, if it consists solely of material in the public domain or relies entirely on conventional, standardised programming practices. Note that, according to a widely held view in Switzerland, Application Programming Interfaces as such typically do not exhibit individual character. Where a computer program is protected by copyright, the protection extends to both the source code and the object code. The ideas and principles behind the computer program are, however, not subject to copyright protection. Where the requirements for protection are met, copyright arises automatically, without the need for any registration. Copyright protection for computer programs expires 50 years after the creator’s death.

Insofar as the design of a graphical user interface (“GUI”) possesses an individual character, such design is, in principle, also protected by copyright. Moreover, if the layout of the GUI is new and distinctive, it can, in principle, also be registered as a design. Registered designs are protected for a maximum period of 25 years.

Inventions underlying a fintech product or service are generally eligible for patent protection, provided they are of a technical nature, novel, involve an inventive step and are capable of industrial application. As a general rule, computer programs as such do not possess a technical character and, therefore, do not qualify for patent protection. However, under Swiss law, so-called “computer-implemented inventions” may be patented. Such inventions require the use of a computer, a computer network or another programmable device for their execution, and include at least one feature that is fully or partially realised through a computer program. Patent protection lasts for a maximum of 20 years from the date of the patent application.

Furthermore, innovations are indirectly protected to the extent that certain conduct, such as the slavish imitation of a competitor’s products or the unauthorised use of entrusted work results, is prohibited under unfair competition law, with a view to upholding fair market practices. Further protection is afforded to manufacturing or trade secrets under unfair competition law as well as under criminal law.

Please briefly describe how ownership of IP operates in your jurisdiction.

In the case of copyright, ownership automatically vests in the author of the protected work (so-called “Schöpferprinzip”). Such author is necessarily a natural person. Legal entities can only acquire ownership derivatively, through the assignment of the copyright. Where a work is created by multiple individuals according to a shared concept, the copyright in such work is jointly held by those individuals.

When a patent is granted for an innovation, the patent right originally vests in the person who applied for the patent. As a general rule, it is the inventor who is entitled to file for a patent. If multiple inventors have jointly made an invention, the right to the patent is held jointly. The same principles apply under design law. Thus, a design right is originally owned by the person who registered the design. In principle, the right to register a design belongs to the designer or the collective of designers involved in the creation of the design.

Special rules apply to innovations made within the scope of an employment relationship. Under statutory law, copyright pertaining to a computer program created by an employee in the course of their discharging professional duties and in fulfilment of contractual obligations vests in the employer. Similarly, inventions and designs produced by an employee in the course of their employment and in performance of their contractual duties belong to the employer. With regard to innovations made by an employee in the course of their employment but not in performance of their contractual obligations, such employee may agree to grant the employer a right to acquire the rights to the innovations. In the case of an invention or a design, such agreement must be made in writing.

In order to protect or enforce IP rights in your jurisdiction, do you need to own local/national rights or are you able to enforce other rights (for example, do any treaties or multi-jurisdictional rights apply)?

Where a Swiss court has jurisdiction in an IP dispute, it applies the law of the state for which protection of the IP right in question is sought. On this basis, it is therefore possible for an IP right existing under foreign law to be enforced before Swiss courts. Such cases typically concern alleged acts of infringement that took place abroad but which nonetheless fall within the jurisdiction of the Swiss courts – for example, by virtue of the defendant’s domicile in Switzerland.

How do you exploit/monetise IP in your jurisdiction and are there any particular rules or restrictions regarding such exploitation/monetisation?

IP rights may be exploited/monetised by means of assignment or licensing. Moreover, IP rights may be made subject of a pledge or a usufruct.

The assignment of patent and design rights must be effected in writing and signed by the assignor. Swiss law draws a distinction between the underlying obligation (so-called “Verpflichtungsgeschäft”), which constitutes the legal basis for the transfer (for example, the sale of an IP right), and the act of disposition (so-called “Verfügungsgeschäft”), which effects the actual transfer of title. The mentioned formalities apply only to the act of disposition. Registration of the assignment in the patent register or design register is possible but is not a prerequisite for the valid transfer of the respective IP right. No such formalities apply in the case of copyright assignment. It is, however, common for the parties to expressly require a written form. Where this is the case, execution in writing is generally a prerequisite for the validity of the transfer.

The conclusion of licence agreements is not subject to any statutory formal requirements. Nevertheless, it is common practice for the parties to agree that the contract be concluded in writing. Licence agreements concerning patents and design rights may be recorded in the respective register. Such registration, however, does not as such affect the validity or enforceability of the contract. The primary effect of the entry in the register is that, if the IP right is assigned by the licensor to a third party, the licensee’s interest in the continued subsistence of the licence is protected within certain limits.


International Comparative Legal Guides, Fintech Laws and Regulations: Switzerland 2026