Ethics and compliance
As a responsible banking institution, BCF does more than respond to legal and regulatory requirements; it also commits to implementing its own sustainable development directives.
In 2025, the Bank developed its Sustainability policy addressing in detail business ethics, customer protection, data and information protection, access to financing and the environmental impact of financing.
BCF also adopted a Code of conduct and ethics in 2025, which defines the principles and rules guiding staff conduct with regard to integrity, transparency, loyalty and respect.
Compliance with legal standards
BCF recognises international human rights standards and is fully committed to the values and aspirations they embody. Protecting the integrity of its employees is a key priority. The Personnel Guidelines prohibit all forms of discrimination, whether direct or indirect. Line managers are responsible for ensuring that, within their area of responsibility, the working environment is healthy, conducive to work and free from any form of harassment.
A confidential and secure communication channel (platform dedicated to whistleblowing) has been available to employees for several years to report any violations of personal rights or irregularities, such as infringements of laws, regulations or guidelines. Persons using this communication channel are protected.
The Personnel Regulations and Personnel Guidelines are an integral part of the employment contract. They include rules of conduct to be followed in the fight against corruption and money laundering. Each employee is required to confirm in writing that they are aware of these policies and undertake to comply with them. These issues are also discussed during the induction day for new employees and as part of ongoing training.
More generally, BCF invests considerable resources to effectively combat money laundering and terrorist financing. It also complies with tax requirements. Customers are responsible for complying with the legal and regulatory provisions applicable to them, in particular those relating to the obligation to file tax returns and pay taxes. Customers release the Bank from any liability in this regard.
Ensuring compliance
Compliance and respect for ethical rules are fundamental values at BCF. As a responsible bank, BCF places loyalty, integrity and professional ethics at the heart of its stakeholder relationships. Acting in compliance means ensuring that all the Bank’s actions are strictly in compliance with the provisions applicable to banking and financial activities. This includes applicable laws and regulations, professional and ethical standards and internal policies. Strict application of these principles is both a duty to customers and an essential foundation of BCF’s reputation and reliability.
All customer complaints are centralised within the Legal, Risk, and Compliance Division. This division is responsible for handling them and reporting them to the appropriate bodies, depending on their nature and severity: the Executive Board, the Board of Directors.
In the event of specific questions or complaints concerning banking and financial transactions by the Bank, customers can contact a neutral mediator: the Swiss Banking Ombudsman. The Swiss Banking Ombudsman acts as an information and mediation body, without any legal authority to impose decisions, for customers of SBA member institutions. Further information can be found at: https://bankingombudsman.ch/en/.
Combating tax fraud
BCF applies the various regulations relating to the automatic exchange of tax information to combat tax fraud. These include, in particular, the OECD Automatic Exchange of Information (AEOI) standard and the FATCA (Foreign Account Tax Compliance Act) agreement between Switzerland and the United States.
These initiatives enable the tax authorities of partner countries to obtain financial information on the accounts and assets held abroad by their taxpayers. There are two main legal bases for their implementation in Switzerland: the Swiss Federal Act on the International Automatic Exchange of Information on Tax Matters (AEIA) and the FATCA Act.
These obligations apply to both individuals and legal entities. Customer data, including information on their assets, will only be transferred if Switzerland has signed a bilateral agreement with the country in question.
The updated list of partner countries with which Switzerland applies the AEOI can be found on the BCF website (in French and German) at www.bcf.ch/fr/la-bcf/propos-de-nous/informations-juridiques/fiscalite and on the website of the State Secretariat for International Finance (SIF), which also provides detailed information on the terms and conditions of the automatic exchange of information.
Combating corruption and money laundering
BCF has implemented strict measures to prevent any form of corruption within the Bank. To this end, its internal regulations formally prohibit the acceptance of money, gifts or any other direct or indirect advantage in connection with its professional activities. Only customary gifts of modest commercial value, as defined by the internal regulations, are permitted.
BCF is subject to the supervision of the Swiss Financial Market Supervisory Authority (FINMA) and thus meets all the requirements of the financial sector. It has a Legal, Risk and Compliance division whose remit falls within the scope of FINMA Circular 2017/1, “Corporate Governance – Banks”, particularly the responsibilities under the second line of defence. This framework ensures the separation of control functions and independence in decision-making. The division is made up of five structural units, including the Compliance unit, which is responsible for ensuring compliance with legal, regulatory and internal requirements and adherence to the ethical standards and rules applicable in the market in question.
The Compliance department is also responsible for the annual assessment of compliance risks, particularly with regard to combating money laundering and the financing of terrorism. On this basis, it draws up a risk-based action plan. It implements policies that aim to define the organisational rules and rules of conduct necessary to ensure effective prevention.
A specific policy, applicable to all employees, sets out best practice and the rules for preventing money laundering risks within the Bank. Upon joining the Bank, all employees receive mandatory training on the regulations in force to prevent and combat money laundering and terrorist financing. Online training is regularly organised to keep knowledge up to date. If money laundering is suspected, the Bank, in accordance with applicable regulations, informs the Money Laundering Reporting Office Switzerland (MROS). The MROS is Switzerland’s central Financial Intelligence Unit (FIU), attached to the Federal Office of Police (fedpol). It receives and analyses reports of money laundering or terrorism financing, then passes on the relevant cases to the criminal authorities, acting as an essential filter.
The Board of Directors, Executive Board and all Bank staff are informed of internal anti-corruption and anti-money laundering policies. There have been no proven incidents of corruption or money laundering, and no employees have been sanctioned or dismissed for engaging in such activity.
In addition, the Bank is audited annually to ensure that its processes are in line with the legal and regulatory framework.
Public policies
As an institution under public law engaged in responsible governance, BCF recognises that its practices in support of democracy may influence the perception of independence and transparency of its relations with political players in the canton. The Bank makes a contribution earmarked for the cantonal electoral process, shared between the parties in proportion to their representation in the Cantonal Parliament. This support is only provided in the event of cantonal or federal elections. As there was no such election in 2025, no contribution was made.
By means of this approach, BCF promotes democratic fairness and supports the smooth running of elections, applying an objective and checkable criterion that avoids any political preference or intervention by the Executive Board. No party benefits from any support based on partisan affinities. Strict internal rules enforcing neutrality and transparency uphold this practice to prevent any risk of conflicts of interest and to guarantee an approach consistent with the Bank’s principles of responsible governance.
Physical security measures
BCF works with companies specialising in physical security, especially Certas for alarm management and handling and Securitas for onsite service, in support of the cantonal police. These companies are trained to the high standards required in Switzerland with regard to respect for basic rights and proportionate management of security situations. All personnel present on Bank premises have been trained in policies and procedures with regard to human rights and their specific application in the context of their work. Training requirements apply in full to staff provided by this external service provider. This approach guarantees that security interventions performed in the BCF environment systematically uphold the principles of due diligence, risk prevention and personal protection, in keeping with the commitments made by the Bank with respect to responsible governance and human rights.
General Terms and Conditions
BCF customers have online access to the Bank’s General Terms and Conditions, and to various useful documents and information, in particular:
- the brochure published by the Swiss Bankers Association (SBA) “Risks involved in trading financial instruments” providing general information on the main financial services and the risks involved in trading in financial instruments;
- a description of the financial services offered by BCF and the measures taken to protect investors;
- an information notice concerning the policy for managing conflicts of interest at BCF;
- an information notice concerning commissions and retrocessions, explaining the scope of Article 31 of the General Terms and Conditions of Banque Cantonale de Fribourg.
Data confidentiality and cybersecurity
Personal data protection is essential at BCF. The Bank undertakes to rigorously apply the Swiss Federal Act on Data Protection (FADP) which, in conjunction with banking secrecy, protects customers against all unauthorised access to their personal data. It has implemented governance principles as well as technical, organisational and infrastructure-related measures to ensure a high level of data security.
Protecting personal data
The Bank processes the data of its customers and business partners to fulfil its contractual, legal and regulatory obligations, and to pursue its legitimate interests, such as the development and consolidation of business relationships.
In order to meet the above obligations, BCF may outsource certain services to third parties, particularly in the areas of IT and administration. These third parties are contractually bound to protect data confidentiality and security. In addition, the Bank takes all reasonable measures necessary to secure data transfers to third parties. These third parties may only use subcontractors with the Bank’s prior consent.
In particular, the customer has the following rights, subject to applicable legal restrictions:
- Right of access to personal data, and to information about how the Bank processes said data;
- Right to rectify inaccurate or incomplete data;
- Right to withdraw consent at any time;
- Right to portability, i.e. the right to request, within the limits provided for by law, the return of data provided to the Bank or its transfer to a third party;
- Right to restrict the processing of personal data, in particular by opposing its use for marketing purposes;
- Right to erasure when the data is no longer necessary for the purposes for which it was collected or processed, subject to the applicable retention periods.
BCF retains personal data for as long as necessary to fulfil its legal and contractual obligations. As a general rule, documents are destroyed ten years after the end of the business relationship or after the completion of the transaction.
Detailed information on the processing of personal data and customer rights can be found in the “Personal data protection statement” available on the Bank’s website. Customers are also informed of the data protection provisions in the BCF General Terms and Conditions, the terms and conditions of use of the website, the terms and conditions of use of Mobile Banking, the terms and conditions of use of One, the terms and conditions of use of the financial assistant and the terms and conditions of use of Twint.
Internally, the obligation to maintain confidentiality, and in particular banking secrecy, is formally enshrined in employment contracts, the Personnel Regulations and various internal policies. The Bank’s employees are regularly made aware of the importance of following these rules, particularly through internal training.
Ensuring data security
All personal and sensitive data is protected by a multi-level security system. Consequently, all of the Bank’s non-public areas are protected by an access control system, and only duly authorised persons have access.
Similarly, access to BCF’s IT systems is only possible with a personal login and password specific to each employee. Each individual computer is protected by a personal password.
Access to data is restricted to employees of the Bank or duly authorised persons on a need-to-know basis.
Raising employee awareness is key to ensuring data security. Training on this subject has been available for several years. In 2025, new training was provided by the head of the Bank’s security team. In a banking environment where confidence is based on security and confidentiality, protection of critical data is an absolute priority. This training has strengthened the security culture within the Bank by raising awareness of the risks connected to handling sensitive data, with the dual goal of:
- Cultivating good habits to prevent leaks, losses and unauthorised access;
- Making each employee responsible as a party involved in information security.
Through specific cases, role plays and practical advice, this training has allowed for:
- Identification of critical data in everyday activities;
- Recognition of threats (phishing, human errors, non-secure access);
- Adoption of simple yet efficient behaviours.
The Bank’s aim with these awareness-building tools is to:
- Take upstream action to limit fraud risks by disseminating clear, accessible and targeted messages;
- Reinforce collective vigilance against fraud by developing employee skills, sharing feedback on specific experiences and favouring a culture of collaboration;
- Reinforce the capacity for rapid and coordinated intervention in the event of attempted fraud through effective tools and agile processes.
There were no substantiated complaints about violations of client data confidentiality or lost client data, nor were there any cases of data leakage, theft or loss.
Cybersecurity
With regard to cybersecurity in particular, the robustness of the system is assessed regularly, and tests are conducted to verify its resilience to cyberthreats. BCF has a detailed business continuity plan designed to ensure that when an event occurs leading to business interruption or having a significant impact on the Bank, all the required contact persons are informed and that appropriate measures have been identified and will be implemented. IT failures and cyberattacks are among the scenarios outlined in this plan.
BCF regularly conducts business continuity exercises:
- A business continuity and disaster recovery test is performed annually;
- A crisis management scenario is simulated every year to train the staff involved in this type of exercise and thus improve operational procedures. A test of the crisis cell performed in 2025 showed the maturity of the crisis management processes within BCF as well as staff’s ability to act in a rapid, structured and collaborative way. It has also implemented advanced practices in terms of anticipation, proactive communication and coordination among the different actors.
BCF’s IT infrastructure is mainly outsourced to Swisscom (Switzerland) Ltd, which applies its own security standard, ITSLB (IT Security Level Basic). This standard is based on recognised best practices in the technical, organisational and infrastructure fields. Swisscom’s security approach covers all the IT layers used by BCF: applications, databases, services, storage, workstations, networks and servers. At each level, Swisscom ensures optimal security through rigorous management of configurations, protection systems, identities, access and control and reporting processes.
In cases where hosting is not organised at Swisscom, the Bank’s IT and security teams apply strict rules when selecting suppliers. The suppliers must always conform to strict specifications. The Bank takes account of recognised security certifications (e.g. ISO 27001) or any other certificates from a third party considered to be reliable (e.g. SOC 2). The Bank applies the recommendations of the SBA (Swiss Bankers Association – Swiss Banking) in this field, especially the recommendations outlined in the “Guide Cloud” and its annexes.
Preparation also involves raising awareness. Communications and regular reminders on preventing data leakage are sent to employees to ensure their vigilance against cyber risks. Moreover, as sending malicious e-mails is one of cybercriminals’ favourite means of attack, BCF is continually reinforcing its preventive campaigns among its staff, by:
- continually testing the vigilance of message recipients with the help of social engineering (sending simulated test messages);
- organising extra training for those who were fooled.
The aim of the Bank is to be able to take upstream action to limit risks by disseminating clear, accessible and targeted messages.