Compliance
Our independent certifications make us the trusted partner for FSI.
Certification Coverage Matrix
| Controls | SOC 2 Type 2 | ISO 27001 | ISO 9001 | ISO 42001 | 🇪🇺 GDPR |
|---|---|---|---|---|---|
| Data Security Controls | ✅ Strong | ✅ Strong | 🔷 Complementary | 🔷 Complementary | ✅ Strong |
| AI Model Governance | 🔷 Complementary | 🔷 Complementary | 🔷 Complementary | ✅ Strong | ⚪️ n/a |
| Business Continuity & Disaster Recovery | ✅ Strong | ✅ Strong | 🔷 Complementary | ⚪️ n/a | 🔷 Complementary |
| Financial Data Privacy | ✅ Strong | ✅ Strong | ⚪️ n/a | ⚪️ n/a | ✅ Strong |
| Risk Assessment | ✅ Strong | ✅ Strong | 🔷 Complementary | ⚪️ n/a | ✅ Strong |
| Third-Party Risk Mgmt | ✅ Strong | ✅ Strong | 🔷 Complementary | 🔷 Complementary | ✅ Strong |
| Access Controls | ✅ Strong | ✅ Strong | 🔷 Complementary | 🔷 Complementary | ✅ Strong |
| Audit Trails & Logging | ✅ Strong | ✅ Strong | 🔷 Complementary | 🔷 Complementary | ✅ Strong |
| Change Management | ✅ Strong | ✅ Strong | ✅ Strong | 🔷 Complementary | 🔷 Complementary |
| AI Explainability | ⚪️ n/a | ⚪️ n/a | ⚪️ n/a | ✅ Strong | ⚪️ n/a |
| Data Retention & Disposal | 🔷 Complementary | ✅ Strong | 🔷 Complementary | ⚪️ n/a | ✅ Strong |
| Incident Response & Breach Notification | ✅ Strong | ✅ Strong | ⚪️ n/a | ⚪️ n/a | ✅ Strong |
| Data Classification | ✅ Strong | ✅ Strong | 🔷 Complementary | 🔷 Complementary | ✅ Strong |
| Asset Management | ✅ Strong | ✅ Strong | 🔷 Complementary | 🔷 Complementary | ✅ Strong |
Country Specific Requirements
While Unique operates as a technology provider rather than a regulated financial institution, we've intentionally designed our compliance framework to align with the regulatory requirements our financial services clients face. Although we don't fall directly under the authority of most financial regulators (such as the SEC, FCA, MAS, or FINMA), we've built our security standards, data protection protocols, and AI governance systems to meet or exceed these regulatory expectations. This proactive approach ensures that working with Unique presents minimal regulatory friction for banks and other financial institutions. Our comprehensive certifications (ISO 27001, ISO 9001, ISO 42001, and SOC 2 Type 2) serve as independent validation that our controls satisfy or even exceed the requirements financial regulators impose on our clients. The following matrices map our existing compliance frameworks to specific regulatory considerations in each of our key markets, to demonstrate how our purpose-built approach enables smooth collaboration with heavily regulated financial institutions worldwide.
🇺🇸 United States
| Regulatory Focus | Primary Certification | Explanation |
|---|---|---|
| | ISO 42001 | Focuses on transparency and risk controls. |
| | SOC 2 Type 2 | Banking regulator requirements for managing technology vendor risks and ensuring proper due diligence. |
| | ISO 42001 | Federal Reserve guidelines for model validation, requiring testing and documentation of AI models. |
| | SOC 2 Type 2 | Requires banks to notify regulators about service providers; Unique supports their compliance obligations. |
| | | Financial privacy law requiring protection of customer financial information and privacy notices. |
| | | New York's cybersecurity law requiring robust security programs and specific breach notifications. |
| | ISO 27001 + SOC 2 | Allows US authorities to request data stored on US servers, even if for non-US customers. |
🇬🇧 United Kingdom
| Regulatory Focus | Primary Certification | Explanation |
|---|---|---|
| | | The primary legislation for financial services regulation in the UK; FS must ensure technology solutions comply with their obligations under this Act. |
| | SOC 2 Type 2 | FCA rules governing how financial firms outsource critical functions to vendors like Unique. It focuses on operational resilience. |
| UK GDPR | | UK version of GDPR with specific implications for handling financial customer data and ensuring proper consent. |
| | ISO 42001 | FCA expectations for transparency in AI decision-making. |
| | | Bank of England's Prudential Regulation Authority requirements for resilience of outsourced services. |
| | | Rules for prudential regulation of banks and insurers; impacts the operational resilience and third-party risk management requirements of FS. |
🇸🇬 Singapore
| Regulatory Focus | Primary Certification | Explanation |
|---|---|---|
| Monetary Authority of Singapore (MAS) Technology Risk Management Guidelines | | MAS's expectations for technology risk management; includes AI systems used by financial institutions. |
| MAS Fairness, Ethics, Accountability & Transparency (FEAT) Principles | ISO 42001 | MAS guidelines specifically for AI and data analytics in financial services; focuses on responsible AI use. |
| | | Requirements for financial institutions when outsourcing technology services to third parties like us. |
| | SOC 2 Type 2 | Requires banks to manage risks from technology service providers. |
| | | National voluntary framework for responsible AI development; demonstrates ethical AI practices. |
| | | Singapore's data protection framework governing the collection, use, and disclosure of personal data; less stringent than GDPR but similar principles. |
Compliance
We are fully compliant with all major regulatory bodies in Switzerland, EU, UK, US, and Singapore.
Unique was built on the principles of Privacy by Design and Privacy by Default. Both principles are grounded in the new Federal Act on Data Protection (nFADP), in force since 1 September 2023. The first requires developers to integrate the protection of and respect for users' privacy into the very structure of the products or services that collect personal data. The second ensures the highest level of security from the moment a product or service is released, by activating protective settings by default: all software, hardware, and services must be configured to protect data and respect the privacy of users (Art. 7 para. 1 FADP).
Read more about our Compliance Layer: Compliance Layer 3.0
FINMA
As Unique operates in the banking sector, we comply with relevant FINMA Circulars at all times. We have established verifiable internal controls, organisational and technical measures to protect data against unauthorised processing, and dedicated policies covering segregation of duties, risk management, and internal controls — ensuring data accessibility, confidentiality, safety, availability, and integrity. For all FINMA-relevant outsourced functions, a full inventory is maintained including the provider, any sub-contractors, the recipient, and the responsible party.
Read the circulars: