FINMA Circular 2018/3 — Outsourcing for Swiss Banks and VDRs

FINMA Circular 2018/3 "Outsourcing — banks and insurers" sets the supervisory expectations for outsourcing arrangements by FINMA-regulated banks, securities firms, and insurers. A virtual data room used to handle regulated client data falls within scope as an outsourcing arrangement.

The Circular's distinctive feature is the third-party beneficiary audit-rights structure: the contract must allow the institution, FINMA, the institution's external auditor, and (where applicable) other group financial institutions to exercise audit rights. Swiss banking secrecy under Article 47 of the Banking Act adds a layer of criminal-law confidentiality that pushes Swiss banks toward Sealed Cloud architectures or Switzerland-only hosting.

FINMA Guidance 02/2026 (April 2026) addresses digital fraud risks for banks and Article 1b FinTech licensees; while focused on customer-facing channels, it has knock-on effects for outsourced platforms.

Last updated: May 2026.


When Does Circular 2018/3 Apply?

The Circular applies when an institution outsources a service that materially supports its regulated business activities. A VDR used for due diligence on a regulated client portfolio, an internal audit, or an NPL sale qualifies as an outsourcing arrangement.


Core Contractual Requirements

  • Audit rights. Third-party beneficiary rights for the institution, FINMA, the external auditor, and group entities that share the cloud service.
  • Country of storage and sub-outsourcing. Specified in the contract; changes notified.
  • Continuity, exit, termination assistance. Documented.
  • Data scope and criticality assessment. Recorded in the outsourcing register.
  • Confidentiality and banking secrecy. Article 47 obligations flow through to the provider.

Banking Secrecy Under Article 47

Article 47 of the Banking Act criminalizes unauthorized disclosure of bank-client identity by bank employees and external service providers. A VDR provider that has access to plaintext client identity data is therefore bound by Article 47. Sealed Cloud architectures (idgard) and self-hosted deployments on Swiss IaaS are common ways to avoid the provider holding plaintext client data.


Providers Aligned with FINMA Expectations

  • [Drooms](/providers/drooms) — Zug data centres for Switzerland-resident hosting.
  • [Sherpany](/providers/sherpany) — Zurich; Swiss hosting; FINMA-aligned controls.
  • [idgard](/providers/idgard) — Sealed Cloud; provider-inaccessible architecture.
  • [Papermark](/providers/papermark) — open-source self-hosting on Swiss IaaS gives the cleanest banking-secrecy posture.

Frequently Asked Questions

Does FINMA Circular 2018/3 require Switzerland-only hosting?

No, but combined with banking secrecy and the audit-rights framework, Swiss hosting, or EU hosting with a Sealed Cloud architecture, is the typical practice.

Are EU-hosted VDRs acceptable for Swiss banks?

For non-banking-secrecy data, often yes. For Article 47-protected data, Swiss residency or a Sealed Cloud architecture is preferred.