Biometric Access Override in Fiduciary Systems in Switzerland

1. Conceptual Framework

In Switzerland, fiduciary systems (trust companies, asset managers, banks, and wealth administration entities) are governed by a strict combination of:

  • Swiss Code of Obligations (fiduciary duty, mandate law)
  • Swiss Financial Institutions Act (FINIA)
  • Swiss Banking Act (BankG)
  • Federal Data Protection Act (FADP)
  • Criminal Code (unauthorised access, fraud, data misuse)

A biometric access override system refers to a security mechanism where:

  • Fingerprint, face ID, iris scan, or voice authentication controls access to fiduciary systems, AND
  • An override function exists allowing:
    • Emergency administrative access
    • Compliance access (regulators, auditors)
    • Disaster recovery access
    • Multi-factor supervisory override (dual control)

In Switzerland, the legal tension arises between:

  • Security necessity (fiduciary duty of care)
    versus
  • Data protection and proportionality requirements

2. Legal Position in Switzerland

Swiss law does NOT explicitly regulate “biometric override systems” in fiduciary systems, but their legality is derived from:

(A) Data Protection Law (FADP)

Biometric data is treated as sensitive personal data requiring strict proportionality and necessity principles.

Key requirements:

  • Must be strictly necessary
  • Must follow data minimisation
  • Must ensure high technical protection
  • Prefer decentralised storage (avoid central biometric databases)

(B) Fiduciary Duty Standards

Fiduciaries must:

  • Prevent unauthorised access
  • Ensure operational continuity
  • Maintain audit trails for override access

(C) Banking Secrecy + Criminal Law

Unauthorised override or access can trigger:

  • Breach of banking secrecy
  • Unauthorised access offences (Art. 143bis SCC)

3. How Biometric Override is Treated in Practice

Swiss fiduciary institutions typically allow biometric override only under:

  • Dual authorization (2-person rule)
  • Hardware security modules (HSM)
  • Audit logging with immutable records
  • Emergency regulator access protocols
  • No centralised raw biometric storage (hash-based templates only)

4. Case Law (6 Key Swiss Decisions & Related Jurisprudence)

Below are relevant Swiss Federal Supreme Court (FSC/BGer) and regulatory decisions that shape how biometric override and fiduciary access control systems are interpreted.

CASE 1 — ATF 146 III 121 (2019)

Fraudulent banking orders & system responsibility

  • Court developed a three-step liability test
  • Determines when losses caused by unauthorised access are borne by the bank and when by the client
  • Establishes strict expectations for secure authentication systems

Relevance to biometric override:

  • Banks must ensure authentication systems (including biometrics) are sufficiently secure
  • Weak override mechanisms may shift liability to the institution

CASE 2 — BGer 4A_610/2023 (2025 ruling)

Unauthorised digital transactions via compromised credentials

  • Reinforced that security design failures can constitute contractual breach
  • Institutions must anticipate modern identity fraud (including biometric spoofing risk)

Relevance:

  • Biometric override systems must be resistant to spoofing and insider misuse

CASE 3 — BGer 1B_249/2015

Banking secrecy vs disclosure in criminal investigations

  • Court held banking secrecy does not automatically block access to financial records

Relevance:

  • Supports regulated “override access” by authorities in fiduciary systems
  • Biometric override cannot block lawful investigative access

CASE 4 — BGer 1B_85/2016

Limits of banking confidentiality

  • Expanded prosecutorial access to bank documents under judicial supervision

Relevance:

  • Override systems must include legally compliant emergency access pathways

CASE 5 — Cantonal Court of Vaud CREP 29 December 2023/692

Access to IT systems with authorised credentials

  • No hacking offence when access credentials were voluntarily provided

Relevance:

  • Highlights importance of credential governance
  • Biometric override systems must ensure credentials are revocable and auditable

CASE 6 — BGer BGE 145 IV 185

Password misuse and unlawful system access

  • Accessing protected systems without valid authorisation constitutes a criminal offence

Relevance:

  • Biometric override misuse (even by insiders) qualifies as unlawful access if outside authorization scope

CASE 7 (Regulatory Decision) — Swiss DPA / PostFinance Case (2025)

Voice biometrics authentication ruling

  • Voice biometrics considered sensitive data
  • Requires explicit consent and strict necessity justification

Relevance:

  • Any biometric override system must meet strict consent and necessity thresholds

CASE 8 — Swiss Federal Administrative Court IT Security Framework (FAC practice)

  • Multi-factor authentication and layered IT security required in judicial systems
  • Strong emphasis on controlled administrative override access with audit logs

Relevance:

  • Establishes governance model used in fiduciary-grade systems

5. Key Legal Principles Derived

From the above jurisprudence, Swiss law forms a clear doctrine for biometric override in fiduciary systems:

(1) Necessity Principle

Biometric authentication is permitted only where no less intrusive method would suffice.

(2) Proportional Override Rule

Override access must be:

  • Limited in scope
  • Time-bound
  • Fully logged

(3) Dual Control Requirement

No single individual should be able to override biometric authentication alone.

(4) Auditability Requirement

Every override action must be:

  • Traceable
  • Immutable
  • Reviewable by regulators

(5) Criminal Liability Risk

Unauthorised override may constitute a criminal hacking offence or a breach of banking secrecy.

(6) Data Minimisation Rule

Biometric templates must not be centrally stored in raw form.

6. Practical Interpretation in Swiss Fiduciary Systems

In real Swiss banking and fiduciary environments, a “biometric access override system” is legally acceptable ONLY if:

  • Override is restricted to compliance officers or regulators
  • Emergency access is pre-approved or cryptographically governed
  • Biometric data is stored in encrypted, non-reversible form
  • Independent audit authority can review all override actions
  • No unilateral override is possible (four-eyes principle)
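As an added illustration (not part of the original article, and not any institution's code), the following Python model implements the governance rules above: an override is granted only after approval by two distinct authorised officers, never the requester (four-eyes principle), the grant is limited to one action and one time window, and every decision lands in an append-only hash-chained audit log that an auditor can verify. The class and field names are assumptions for illustration; the clock is injected so the time-bound rule can be exercised.

```python
import hashlib, json
from dataclasses import dataclass, field

@dataclass
class OverrideRequest:
    request_id: str
    scope: str                 # the single action the override may be used for
    requested_by: str
    ttl_seconds: int           # override lifetime (time-bound rule)
    approvals: set = field(default_factory=set)

class OverrideGovernor:
    def __init__(self, approvers, clock):   # clock is injectable, e.g. time.time
        self.approvers = set(approvers)     # compliance officers allowed to approve
        self.clock = clock
        self.log = []                       # append-only; each entry hashes its predecessor
        self.grants = {}                    # request_id -> (scope, expiry timestamp)

    def _record(self, event, **fields):
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        entry = {"ts": self.clock(), "event": event, "prev": prev, **fields}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.log.append(entry)

    def approve(self, req, approver):  # four-eyes: two distinct approvers, never the requester
        if approver not in self.approvers or approver == req.requested_by:
            self._record("approval_rejected", request=req.request_id, approver=approver)
            return False
        req.approvals.add(approver)         # a set, so the same person cannot count twice
        self._record("approval", request=req.request_id, approver=approver)
        if len(req.approvals) >= 2 and req.request_id not in self.grants:
            self.grants[req.request_id] = (req.scope, self.clock() + req.ttl_seconds)
            self._record("override_granted", request=req.request_id, scope=req.scope)
        return True

    def check_access(self, request_id, action):  # limited in scope and time-bound
        grant = self.grants.get(request_id)
        allowed = grant is not None and grant[0] == action and self.clock() <= grant[1]
        self._record("access_check", request=request_id, action=action, allowed=allowed)
        return allowed

    def verify_log(self):  # auditor check: an edited or removed entry breaks the chain
        prev = "0" * 64
        for e in self.log:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != hashlib.sha256(
                    json.dumps(body, sort_keys=True).encode()).hexdigest():
                return False
            prev = e["hash"]
        return True
```

In a production deployment the chain head would be anchored in an HSM or a write-once store, as section 3 describes, so that the log itself cannot be rewritten together with its hashes.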

7. Conclusion

Switzerland does not explicitly regulate “biometric override systems,” but through case law + data protection + banking secrecy jurisprudence, it imposes a strict compliance architecture:

  • Biometric authentication is permitted but heavily restricted
  • Override mechanisms are lawful only under controlled, auditable, and proportional governance
  • Courts consistently prioritise system integrity + accountability over convenience
