Security & Compliance

CivicBond is built on a foundation of trust. Swiss municipalities, pension funds, and insurance companies rely on us to handle sensitive financial data and transactions with the highest standards of security and regulatory compliance.

  • Swiss data residency guaranteed
  • ISO 27001-certified infrastructure
  • FINMA-aligned regulatory framework

1. Regulatory Status & Compliance Framework

CivicBond AG is headquartered in St. Gallen, Switzerland and operates within the Swiss financial market regulatory framework.

Area | CivicBond Status
--- | ---
SRO Affiliation | Affiliated with a Swiss Self-Regulatory Organisation
FINMA Sandbox | Actively engaging with FINMA's regulatory sandbox programme
Banking Licence | Not a licensed bank — no deposits accepted
Securities Dealer | Not a licensed securities dealer — instruments structured by licensed partners
AML / KYC | Full AML and KYC procedures applied to all platform participants
CISA (Qualified Investors) | Platform restricted to FINMA-classified Qualified Investors on the demand side
Swiss nDSG | Full compliance with the Swiss Federal Act on Data Protection (nDSG, 2023)
GDPR | GDPR-aligned practices applied for EEA-connected participants

All instruments facilitated through the CivicBond platform are structured and settled by licensed complementor partners. CivicBond acts as the neutral platform orchestrator, not as a financial intermediary.

2. The 10/20 Non-Bank Rule — Resolved

Swiss withholding tax law (Art. 13 VStG) triggers a 35% withholding tax when more than 10 non-bank entities participate in a single debt instrument. CivicBond resolves this automatically by converting the loan into a registered security before auction.

Without CivicBond

  • Direct multi-party lending
  • 35% withholding tax triggered
  • Pension funds excluded at scale
  • Municipalities forced into bilateral bank relationships

With CivicBond

  • Loan converted to registered security
  • Exempt from the 10/20 rule
  • Any number of Qualified Investors can participate
  • Full tax compliance, automatic, on every deal

3. Data Security

Encryption

  • All data encrypted in transit using TLS 1.3.
  • All data encrypted at rest using AES-256.
  • End-to-end encryption for deal-specific financial data.

Infrastructure

  • ISO 27001-certified cloud infrastructure.
  • All servers located in Switzerland — Swiss data residency guaranteed.
  • No data transferred outside Switzerland without explicit legal basis.
  • Regular third-party penetration testing.

Access Controls

  • Role-based access control — principle of least privilege.
  • Multi-factor authentication required for all platform users.
  • Audit logs maintained for all platform activity.
  • Strict data separation between issuer, investor, and complementor accounts.

Incident Response

  • Documented incident response plan in place.
  • Breach notification aligned with nDSG Art. 24 requirements.
  • FDPIC notification within 72 hours for qualifying incidents.
  • Affected participants notified without undue delay.

4. Participant Verification & KYC

Participant Type | Verification Requirements | Ongoing Obligations
--- | --- | ---
Municipalities (Issuers) | Identity verification, public register check, minimum credit rating | Annual financial disclosure, rating renewal per deal
Institutional Investors | FINMA Qualified Investor classification, AML/KYC screening, signed platform agreement | Ongoing eligibility confirmation, investment mandate disclosure
Complementor Partners | Professional licence verification, professional indemnity insurance, signed participation agreement | Annual compliance attestation, audit rights granted to CivicBond

5. Instrument Security & Settlement

  • All instruments are structured as registered securities under Swiss financial market law before listing.
  • Instruments are held in custody by a licensed Swiss custodian bank — not by CivicBond AG.
  • Settlement processed through the custodian bank's regulated payment infrastructure.
  • Full audit trail maintained from credit rating through to final coupon repayment.
  • Smart contract-based documentation produced by our legal-tech partner for each deal.
  • In the event of a platform failure, instruments and custody arrangements remain legally intact and independent of CivicBond AG's operational continuity.

6. Governance & Rulebook

CivicBond operates under a documented governance rulebook reviewed annually by a multi-stakeholder governance board.

  • Neutral ownership structure — no single bank controls the rulebook.
  • All auctions follow a standardised Dutch auction protocol — no bilateral side-deals permitted.
  • Dispute resolution via independent arbitration panel.
  • Default and recovery procedures pre-agreed with custodian bank partners before any deal is listed.
  • Complementors are contractually bound to quality and compliance standards via Participation Agreements.

7. Responsible Disclosure

If you discover a security vulnerability, please report it responsibly before public disclosure. Report to: security@civicbond.ch. We acknowledge all reports within 2 business days and provide an initial assessment within 5 business days.

8. Compliance Contact

Compliance & Regulatory Enquiries

Email: compliance@civicbond.ch

Data protection: privacy@civicbond.ch

Security disclosures: security@civicbond.ch

Address: CivicBond AG, St. Gallen 9000, Switzerland