Press Conference “Risks in BaFin’s Focus”, 28 January 2025
A warm welcome from me too!
The environment facing the German financial sector in 2025 will be challenging.
At the moment, there is no single key risk. The situation is multifaceted and complex. Companies are having to deal with a diverse range of risks. Risks that are sometimes closely interconnected. Many of these risks can have immediate impacts, while some will only materialise in the long term. This situation is described in the fourth edition of our "Risks in BaFin’s Focus”, which we are publishing today. The picture is also very dynamic. While some risks remain consistently high – for example the strained situation on the commercial real estate markets – the risk situation in market-driven areas can change rapidly. Since going to press, we have seen a kind of party mood develop in certain parts of the financial markets. And as we all know: the bigger the party, the bigger the hangover.
Over the next few minutes, I would like to discuss three topics. These three topics are very different, but they all make one thing clear: some of the challenges we are facing today are the result of new risk drivers. In other words, they are the result of developments that cannot be precisely gauged – in part because we lack relevant historical experience. This makes risk management more difficult. For the supervised entities, but also for us. The trend arrows for the risks I will address today are pointing in the wrong direction, symbolising a growing risk.
The first topic I would like to address today is sustainability. Or, to be more precise: the physical risks of climate change. Still fresh in all our minds are the images of the devastating fires around Los Angeles. A tragic disaster with thousands of destroyed buildings, tens of thousands of people evacuated and more than two dozen fatalities. It is estimated that the potential property damage and economic losses could be as high as 150 billion US dollars. This will of course have an impact on the financial sector, especially on insurers’ loss amounts. Rating agencies estimate that in Europe, too, more than 30 percent of reinsurers annual loss budget for natural disasters could already be used up – and that within the first few days of the year.
For disasters of this kind to occur, many factors have to come together. While regional weather patterns undoubtedly play a role, experts tell us that climate change is increasingly creating the conditions for these kinds of catastrophic fires. Conditions such as long periods of drought.
Companies in the financial sector must therefore continue to address the physical risks of climate change – and they need to address these risks more intensively. That is to say, the specific effects of global warming, such as extreme weather events like droughts and flooding. Of course, the transition risks posed by the journey to a sustainable, low-carbon economy will also remain relevant.
But I would say that in comparison, regulation and supervision have not paid sufficient attention to physical risks up to now. At BaFin, we will be putting a particular focus on these risks in 2025 – climate change is forging ahead. According to Copernicus, the EU’s Earth observation programme, the global average temperature in 2024 was more than 1.5 degrees above pre-industrial levels for the first time. Physical risks, which will have an impact on banks’ loan portfolios or insurers’ loss amounts, are continuing to rise. Think of the Spanish region of Valencia, where severe flooding last autumn caused extensive damage. According to estimates, the ratios of non-performing loans in Spanish banks’ portfolios will rise in the coming quarters.
We are therefore taking a close look at how physical risks are addressed at the companies we supervise – such as banks and insurers that are particularly at risk due to extreme weather, supply chain dependency or concentrated credit and market risks. We have found that the companies have generally made progress in managing their sustainability risks, but there is still room for improvement.
For example, when it comes to integrating and processing data on physical climate risks. This is important for banks and insurers to be able to assess individual natural hazards. And that means they need to draw on several sources of information. We have found that many companies lack important data. In the case of banks, this is often customer-related location data – combined with an allocation of the physical risks to an exact address, such as possible flooding due to heavy rain. Insurers have gaps in their data, for example, in terms of public flood protection measures or the building regulations of the respective cities and municipalities. It is our impression that banks, in particular, are still in the early stages in this regard. They are currently focusing on building up their data basis.
This is very important work. Supervised companies need to manage the increasing physical risks of climate change. Take regional banks, for example. If an extreme weather event were to occur in their home region, many of their customers could be affected at the same time. Not to mention numerous employees. This geographical concentration can be problematic. It can also particularly affect insurers and banks with specialised business models, for example in agriculture and forestry. The situation is made even more difficult by the sometimes very close links between banks and insurers through risk transfers. Just think of real estate loans and the protection of properties against natural disasters. These risks in particular are becoming increasingly difficult to assess: how likely are they to occur? How severe could potential damage be? And: will the property even be insurable for a reasonable price in future? In several areas of some US states, such as Florida or California, this is no longer a possibility . Climate change is one reason for this. Such insurance gaps not only raise political and social questions, but also questions about the financial viability and recoverability of real estate loans.
It is important to realise that historical data is only of limited value – the risk situation is changing rapidly. Depending on the scenario one takes , one neighbouring country might be almost completely under water by the end of the century. It also seems plausible to me that climate change could become a driver of another highly charged geopolitical issue: migration.
For BaFin, one thing is certain: supervised companies must continue to address in detail the physical risks of climate change and, especially, integrate these risks into all areas of their risk management. We should not wait for the next disaster. A forward-looking approach will not only protect the solvency of insurers and banks, but also be able to drive prevention measures forward. If risks are properly priced, it is more likely that they will be mitigated. The more trouble we have getting climate change under control, the more we will have to accept that physical risks are increasing and that prevention and risk avoidance are becoming more and more essential.
The second topic I would like to address today is the risk arising from the profound technological change taking place in the financial industry. Here, too, historical experience is not particularly helpful. New technologies – such as generative artificial intelligence or, in future, quantum computing – are driving the transformation of the industry forward. These technologies have tremendous potential. For companies. And for customers. But they also entail very significant risks.
At the top of the list are potential cyber incidents or major IT failures. Large banks, insurers and clearing houses play an extremely important role and have highly sensitive and therefore valuable data. This makes them particularly susceptible to cyber incidents. Data presented by the International Monetary Fund (IMF) also confirms this. According to the IMF report, almost a fifth of all global cyber incidents over the past 20 years affected companies in the financial sector. The damage amounts to almost 12 billion US dollars.
The threat of cyber incidents is globally very high. And it is continuing to rise. This is also due to the tense geopolitical situation. Many companies in the financial sector and their key service providers form part of the critical infrastructure. They are thus an attractive target for state-initiated attacks. But the threat is also rising due to the many new technological possibilities.
For example, through generative AI. More and more companies in the financial sector are using generative AI or testing its use. And of course, criminals are also using such technologies – to develop new attack methods or malicious code, for example. High quality phishing messages can be created quickly using AI, which makes it much more difficult to identify fraudulent messages.
Many companies are aware of all these risks and have invested in their IT security. That’s good news. But we cannot become complacent. It is important to us that companies continuously monitor current developments and threats. That they adapt their security measures. And that they prepare for crisis situations. They are currently well positioned to do so: the financial institutions reported strong earnings in 2024. They should use these earnings to invest further in their IT security. This is what we expect of them. It is also what their customers expect of them.
It goes without saying that our work as a supervisory authority is increasingly being defined by the risks arising from technological change. Just to give one example: in the first three quarters of 2024, we received 258 reports of IT incidents in payment services. This is a significant increase compared to previous years. In two out of three incidents, the cause was not at a supervised financial institution, but at one of its service providers.
We are also continuing to identify numerous serious IT shortcomings in our IT inspections at supervised companies.
This is why the topics of IT security, cybersecurity and outsourcing remain high on our agenda. This year, we are planning more than 30 IT inspections, including follow-up inspections and inspections focusing on IT security.
We will also be more closely monitoring multi-client service providers that offer services to a significant extent in the European financial market, service providers that this market also relies on. In addition, we are preparing to participate in joint examination teams led by the European Supervisory Authorities; these teams monitor critical IT service providers. Among others, the focus here will be on cloud hyperscalers.
We need strong and effective supervision in the IT sector. At the same time, we need to keep an eye on emerging technologies. Technologies that are not yet available today, but which we know could have a very significant impact on the future of the financial sector. One such technology is quantum computing.
Some people might argue that there aren’t yet any mass-produced quantum computers. Maybe so. There are still a few technological hurdles to overcome. But research and development are making rapid progress. You may remember that a few weeks ago, in December, Google presented a new quantum chip. In less than five minutes, this chip performed a calculation that would take one of today’s fastest supercomputers 10 quadrillion years. That is a one with 25 zeros. An unimaginable number that far exceeds the age of the universe.
We don’t yet know when powerful quantum computers will be widely available. But there is much to suggest that we will see a breakthrough happen.
Companies in the financial sector need to get ready for this development. They need to get ready today.
Why do I emphasise this so strongly? Because quantum computers will be able to overcome conventional encryption technologies. Current cryptography methods such as RSA1 , which form the basis of IT security in the financial sector today, will no longer be an obstacle for quantum computers. This will pose a massive threat to data security in the financial industry. The cryptography currently used for the largest cryptoassets is probably not quantum-resistant either. Now, please be aware that this is not only some future scenario we are talking about. This risk is already relevant today. Data can already be stolen and stored today, to be decrypted later.
Companies must not underestimate the risks that this poses. They must take protective measures – now. Especially for security-relevant data designed to have long-term validity. This is the only way they can protect this data in the long term.
This may remind some of you, at least the older ones among us, of the millennium bug. That was a major issue at the end of the 90s. And the situation is similar today. Only this time we don’t have a target date we can work towards.
So what exactly needs to be done? Companies must identify the data that could be jeopardised by quantum computing. And then develop a protection plan that takes existing technical possibilities and standards for post-quantum cryptography into account. A protection plan must of course be flexible by design. To ensure that IT risk management can react to future developments. And to ensure that it is in a position to implement future safety recommendations and standards.
The fact that quantum computing is jeopardising data security is nothing new. The BSI pointed this out a good five years ago. The German government has also addressed the topic in its cybersecurity strategy. So today, I would like to emphasise once again: the time to act is now. When the first powerful quantum computers are for sale, it will be too late.
Ladies and gentlemen,
In addition to the physical risks associated with climate change and the risks arising from technological changes in the financial sector, we also need to talk about the current economic situation – and the risks that this situation is giving rise to.
As you all know, the German economy is stagnating. Last year, GDP fell by 0.2%. For 2025, the German Council of Economic Experts (Sachverständigenrat) is expecting slight economic growth of 0.4%. This shows that the economic situation remains difficult.
Geopolitical risks are currently a key factor clouding the growth prospects of the German economy. This is because the German financial system is highly susceptible to geopolitical shocks. And the risk of such shocks is currently high. For example in the area of trade policy. We are seeing a global trend towards more protectionism. In particular, an intensification of the trade dispute between the US and China would have considerable consequences for the global economy, but especially for Europe. US import tariffs on German and European goods would also have direct impacts on the German economy.
The number of corporate insolvencies in Germany rose significantly in 2024 – by 16.8% compared to the previous year. As a consequence, the risk that companies will partially or completely default on their loans also rose. The ratio of non-performing loans at German banks rose sharply in the third quarter of 2023 and has continued to increase since then. The aggregate NPL ratio increased from 1.38% to 1.76% in the third quarter of 2024 compared with the same period in 2023. We have seen this trend in both large and less significant institutions. And we expect the proportion of problematic loans to continue rising – in part due to the weak economy. In all probability, the impact of higher value adjustments will also become evident in institutions’ earnings in the foreseeable future. Banks’ loan books are a reflection of the health of the economy.
Loan loss provisions at German banks likewise continued to rise, but have remained at a low level. In the third quarter of 2024, the loan loss provision ratio, i.e. the ratio of cumulative loan loss provisions to the loan portfolio, was 1.41%.
The increased credit default risks are not only relevant for banks. Insurers also have to deal with these risks. After all, insurers also grant loans to companies. And they invest in private debt funds.
BaFin will be taking a particularly close look at the risks arising from corporate loan defaults in 2025 – at banks and at insurance companies. In particular, we will be keeping a close eye on institutions that are heavily involved in sectors that could be significantly affected by an economic downturn or by geopolitical tensions. We will also be monitoring the investment behaviour of insurers, with a particular focus on the risk management of alternative investments such as private debt.
Macroprudential measures also remain important for the resilience of the German financial sector. These measures include instruments such as the countercyclical capital buffer, which currently stands at 0.75% of domestic risk exposure. In December 2024, the Financial Stability Committee assessed this level and once again deemed it appropriate.
Ladies and gentlemen,
As you can see, the financial sector is operating in a very challenging environment. This is in part because, for many risk drivers, we cannot draw on past experience. Physical climate risks, quantum computing, deglobalisation, geopolitical upheavals – the proverbial look in the rear-view mirror doesn’t help much when it comes to such developments. This makes it all the more important for companies in the financial sector to manage their risks wisely and to think in terms of scenarios. They must ask themselves: What can the risk situation mean for us? Where are we vulnerable? And how can we prepare for this? And, of course, they need to be highly resilient to potential shocks. More than anything else, this means keeping well-stocked capital and liquidity buffers. That is what we expect of them – and we will be paying particularly close attention to this over the course of the year.
Now I look forward to your questions!
1.1Rivest-Shamir-Adleman method
First, please LoginComment After ~