FINMA ISAE 3000 Type 2 Report
Overview
Amazon Web Services (AWS) has completed the FINMA ISAE 3000 Type 2 Report. The International Standard on Assurance Engagements (ISAE) 3000 is a standard applied for audits of internal controls, sustainability, and compliance with laws and regulations. Completion of the ISAE 3000 Type 2 Report verifies that AWS’s control environment is appropriately designed and implemented to align with certain Swiss Financial Market Supervisory Authority (FINMA) requirements applicable to regulated financial services customers. AWS’s alignment with FINMA requirements demonstrates our continuous commitment to meeting the heightened expectations for cloud service providers set by Swiss financial services regulators and customers.
The FINMA ISAE 3000 Type 2 Report, conducted by an independent third party audit firm, provides Swiss financial industry customers with the assurance that AWS’s control environment is appropriately designed and implemented to address key operational risks and risks related to outsourcing and business continuity management. Additionally, the report provides customers with important guidance on complementary user entity controls (CUECs), which they should consider implementing as part of AWS’s Shared Responsibility Model to help them comply with FINMA’s control objectives. The report covers the five core FINMA circulars that are applicable to Swiss financial services institutions in the context of outsourcing arrangements to the cloud. These FINMA circulars are intended to assist regulated financial institutions in understanding approaches to due diligence, third party management, and key technical and organizational controls that should be implemented in cloud outsourcing arrangements, particularly for material workloads. The scope covers the requirements of the following FINMA circulars:
- 2023/01 “Operational risks and resilience – banks” (07.12.2022);
- 2018/03 FINMA Circular “Outsourcing – banks and insurers” (31.10.2019);
- 2008/21 FINMA Circular “Operational Risks – Banks” (31.10.2019) – Principle 4 Technology Infrastructure;
- 2008/21 FINMA Circular “Operational Risks – Banks” (31.10.2019) – Appendix 3 Handling of electronic Client Identifying Data;
- 2013/03 “Auditing” (04.11.2020) - Information Technology (21.04.2020);
- Business Continuity Management (BCM) minimum standards proposed by the Swiss Insurance Association (01.06.2015) and Swiss Bankers Association (29.08.2013)
FAQs
- What is FINMA?
The Swiss Financial Market Supervisory Authority (FINMA) is Switzerland’s independent financial-markets regulator. Its mandate is to supervise banks, insurance companies, financial institutions, collective investment schemes, and their asset managers and fund management companies. It also regulates insurance intermediaries. It is charged with protecting creditors, investors, and policyholders. FINMA is responsible for ensuring that Switzerland’s financial markets function effectively.
FINMA has published several requirements and guidelines for regulated financial services institutions in Switzerland when engaging with outsourced services providers.
- What services are covered by the FINMA attestation?
The AWS services that are in scope of the FINMA attestation can be found within AWS Services in Scope by Compliance Program.
- What does this mean to me as a customer?
The FINMA ISAE 3000 Type 2 Report, conducted by an independent third party audit firm, provides Swiss financial industry customers with the assurance that the AWS control environment is appropriately designed and implemented to address key operational risks and risks related to outsourcing and business continuity management. Additionally, the report provides customers with important guidance on complementary user entity controls (CUECs), which they should consider implementing as part of AWS’s Shared Responsibility Model to help them comply with FINMA’s control objectives.
- Can I get a copy of the FINMA ISAE 3000 Type 2 Report?
Yes. The audit report can be downloaded via AWS Artifact.
- Is AWS FINMA regulated?
AWS is not a FINMA-regulated entity; however, AWS financial services customers in Switzerland may be regulated by FINMA. More information about the role of FINMA and its regulations is available on the FINMA website.