FINMA Outsourcing Circular 2023/01

The circular sets expectations for governance, ICT and cybersecurity, business continuity, incident management and testing, as well as the protection and handling of “Critical Data.” While Circular 2023/01 complements rather than replaces Circular 2018/3, its principles apply wherever operational risks arise, particularly in relation to third parties and outsourced services.

This document outlines how Unique AI maintains compliance with these requirements in the context of its Swiss operations.

Purpose

Who?

  • Financial Market Supervisory Authority / Finanzmarktaufsicht (FINMA)

What?

  • Unique is not regulated or controlled by FINMA.

  • Our clients are regulated, and we align to their compliance expectations.

Why?

  • We aim to demonstrate adherence to high compliance and IT security standards aligned with FINMA Circular 2023/01, especially for outsourced services involving Critical Data.

How Unique adheres to FINMA Circular 2023/01

Unique AI aligns Swiss operations to FINMA 2023/01 by hardwiring governance, cybersecurity, BCM, incident handling/testing, and “Critical Data” protections into our security framework. Our controls are audited and evidenced through the FINMA 2018/3 outsourcing assurance report (Reporting Year 2025), which underpins third‑party applicability and flow‑down.

  • Governance (AI Governance Framework)

    • Senior accountability for operational risk and resilience; controls embedded in contracts and our ICS. Audited outsourcing controls cover inventory, selection/monitoring, security, audit rights, and agreements.

  • Critical Data (Identity and Access Management (IAM), Audit Logs)

    • Personnel: Background checks, NDAs, secrecy training; monitored compliance for roles with Critical Data access.

    • Access: Only authorized, trained staff; privileged access via PIM; RBAC/least privilege, MFA, and periodic recertification enforced.

    • Traceability: Register of privileged users with ≥12 months of access timestamps; tamper‑resistant logs; on request, we deliver current privileged access lists and related logs without delay.

  • ICT/Cybersecurity (Certifications)

    • ISO 27001‑aligned ISMS, ISO 9001 for a risk-based approach, SOC 2 Type 2; encryption in transit/at rest; backups; configuration/version control; SOC 24/7 monitoring; supplier security oversight.

  • Incident and testing (Business Continuity Plan)

    • Formal incident lifecycle and regular control testing (privileged access, MFA, log integrity), with auditable evidence for clients and regulators.

  • BCM

    • Security framework ensuring continuation of outsourced functions in emergencies; redundancy and recoverability tested, with remediation tracking.

  • Third‑party flow‑down and transparency

    • Contracts bind sub‑processors to the same obligations (security, audit/inspection, continuity, information rights), with prior approval and visibility of involvement; audit rights enforceable, including abroad if applicable.

  • Data location

    • Swiss data residency by default for single‑tenant deployments; cross‑border transfers only if contractually approved and audit rights are enforceable. Other set-ups and configurations are possible and can be agreed during contract discussions.

  • Evidence on request

    • We provide privileged access registers, access logs, recertification results, incident summaries, and audited contract controls.