
Photo of BaFin’s President, Mark Branson © BaFin/Matthias Sandmann

Foreword by BaFin’s President

Overall, the financial system proved to be stable in 2024. In recent years, companies in the financial sector have had to deal with the challenges of a changing interest rate environment. For the most part, they have coped well with this. However, during this time, the economy weakened and geopolitical conflicts increased.

2025 could be even more challenging. Economic risks could place an even greater burden on banks' loan books and insurers' investment portfolios.

These challenges are compounded by growing political uncertainty and the increasingly digital nature of geopolitical tensions and conflicts. The number of government-initiated cyberattacks on critical infrastructure companies, which includes companies in the financial industry, is rising.

Such attacks can seriously jeopardise financial stability. This is in part because companies in the financial sector are increasingly outsourcing IT services – and are relying on only a small number of service providers. This results in risky dependencies and market concentration.

Companies must be prepared for these and other developments. BaFin is also preparing itself: it analyses the risks for all market participants and consumers on a continuous basis and reacts accordingly.

The present “Risks in BaFin’s Focus 2025” report is BaFin’s fourth annual compilation of the risks that are most capable of jeopardising the financial stability or the integrity of the financial markets in Germany. This year, we will be focusing our attention primarily on these risks.

In 2025, we will focus on six risks in particular:

For the first time, we are not including interest rate risks in this list. This is because an upward interest rate shock has become less likely due to the current interest rate level at the beginning of 2025 and the development of inflation. The increased interest rate risks of the past have largely been minimised.

The order of the risks does not reflect their prioritisation. The trend arrows indicate the future development (increasing, constant, decreasing) BaFin is anticipating.
The specific steps BaFin will take to mitigate these six major risks are detailed in the individual risk descriptions.

In addition to the six major risks, the way in which the companies under BaFin’s supervision deal with longer-term trends will also be significant. These include digitalisation, geopolitical upheavals and sustainability.

As in previous years, it should be noted that not all of the scenarios described in this “Risks in BaFin’s Focus 2025” report will materialise, and new risks may emerge. BaFin looks to identify such emerging risks at an early stage and react quickly.

More articles

Risks in BaFin's Focus 2025

Main Risks in BaFin’s Focus

1. Risks arising from corrections on the real estate markets
2. Risks arising from significant corrections on the international financial markets
3. Risks arising from corporate loan defaults
4. Risks arising from cyber incidents with serious consequences
5. Risks arising from inadequate money laundering prevention
6. Risks arising from market concentration due to the outsourcing of IT services

Trends

1. Digitalisation
2. Sustainability
3. Geopolitical turmoil







1. Risks arising from corrections on the real estate markets →

The commercial and residential real estate markets have been under pressure since mid-2022. Some commercial real estate risks have materialised. In some cases, this has resulted in considerable value adjustments and write-downs on exposures at certain banks and insurers.

The strained situation on the German commercial real estate market, which includes commercial residential real estate, persisted in 2024. This was increasingly evident in the rising numbers of non-performing loans (NPLs) at German banks, at both significant institutions (SIs) and less significant institutions (LSIs). From mid-2024, there were clear signs of a decline in risk on the residential real estate market.

Commercial real estate

Overall, the risks to financial stability posed by the commercial real estate market remain elevated. While these risks alone are not expected to jeopardise the functioning of the financial system, individual institutions can be heavily burdened by major loan defaults in their portfolios. The German and US real estate markets are particularly important for companies supervised by BaFin.

Banks that are focused on financing commercial real estate and that may be unable to compensate for losses in this segment through other business areas, as well as project developers, are therefore exposed to increased risk due to their specific business models.

Price declines halted for now, new business continues to falter

Commercial real estate loans are highly important for the German banking sector. In 2024, they accounted for over 9% of the aggregate total assets of German banks. Prices for office and retail real estate, as measured by the vdp Property Price Index, fell by around 17% between mid-2022 and the third quarter of 2024, while prices for commercial residential real estate decreased by around 8%.

Since the beginning of 2024, the price trend has recovered somewhat from a very low level. However, a stable trend is yet to be observed and the commercial real estate market remained fragile at the end of 2024 (see Figure 1).

Figure 1: Prices for commercial real estate in Germany by central property types

Source: BaFin diagram using data from the Association of German Pfandbrief Banks (Verband deutscher Pfandbriefbanken – vdp) e. V., as at 26 November 2024

Transaction volume and new lending business remain at a low level

In 2024, weak economic growth, high interest rates, high construction costs and persistently high core inflation placed a burden on the German commercial real estate market. In addition, the increase in working from home and the growth in online retail have been clouding the commercial real estate market for some time. These factors, which determine supply and demand on the commercial real estate market, alongside the low transaction volume, suggest that further price declines are possible.

In the US, prices on the commercial real estate market have fallen by around 19% since March 2022. Office real estate prices in particular are under pressure with an average vacancy rate of around 21%. The situation remains tense in particular as a result of persistently high core inflation and interest rates that – despite recent cuts – remain high.

These developments were also reflected in lending behaviour for commercial real estate. New lending business in the three central commercial real estate submarkets – office real estate, commercial residential real estate and retail real estate – had not yet recovered sustainably from the slump in the fourth quarter of 2022 and remained weak in 2024 by historical comparison (see Figure 2).

Figure 2: Development of new lending business for commercial real estate in Germany by central property types

Source: BaFin diagram using data from the Association of German Pfandbrief Banks (Verband deutscher Pfandbriefbanken – vdp) e. V., as at 26 November 2024

Further deterioration in credit quality

The main risks for banks are posed by a combination of loan defaults and decreases in the value of collateral. Since the end of 2022, the NPL ratio for loans collateralised by commercial real estate has risen noticeably, particularly among SIs due to their relatively high exposure to US commercial real estate. Within an 18-month period, the NPL ratio of all German institutions in this portfolio almost doubled from a low starting level. The rise in NPL ratios in the commercial real estate loan portfolios of all German banks continued: in the third quarter of 2024, the aggregate rate was 4.47%. In response to these developments, SIs and LSIs significantly increased risk provisioning for their commercial real estate loan portfolios, particularly towards the end of 2023. A slight increase was also observed in the first half of 2024.

Follow-up financing of (existing) loans poses a particular risk. More than half of the volume of current loans had interest rates below 3% at the end of 2024. In 2025 and 2026 alone, negotiations are pending for follow-up financing for commercial real estate loans totalling 100 billion euros. This accounts for around 10% of the total volume of commercial real estate loans.

Loans for project developers also harbour high risks for banks since project developers make their investments through advance payment. The factors weighing on the market, such as high interest rates, mean that properties are less in demand or that projects are not realised at all. This can result in lower returns or difficulties in the repayment of investment loans. As a result, lenders are exposed to a considerable credit default risk.

Even without taking collateral into account, the possible direct consequences of the Signa Group's insolvency are unlikely to lead to a breach of the “hard” capital requirements at any German bank.

The rise in non-performing loans reported and the higher risk provisioning show that risks in the commercial real estate market are increasingly materialising. The difficult market situation will continue to place a burden on banks’ earnings in this segment for some time to come.

Insurers and Pensionskassen

Insurers’ commercial real estate exposure has increased slightly in recent years – particularly in portfolios held indirectly via real estate funds. Insurers subject to Solvency II reported investments with a total commercial real estate exposure of just under 164 billion euros in the second quarter of 2024. Investments in commercial real estate thus accounted for around 8% of total capital invested. Pensionskassen were more heavily invested in commercial real estate with a share of around 12%.

A representative survey conducted by BaFin in 2024 on the investment behaviour of insurers and Pensionskassen showed that the companies surveyed negatively adjusted the value of their portfolios of (predominantly) commercially used real estate, above all office real estate, by around 7% as at 31 December 2023 compared to the year-end figure for 2022. In the financing of real estate (projects) the adjustment was 11.5%.

Even if risks materialise in individual cases, the overall risk appears to be manageable for the insurance industry. A key reason for this is the lesser significance, measured against total assets, of commercial property risk compared with other market risks, such as interest rate and spread risks for life insurers or underwriting risks for non-life insurers.

In the past, some insurers have invested directly or indirectly via funds in real estate project developers, including the insolvent Signa Group. Losses were incurred due to the insolvency of individual real estate companies. This experience showed that insurers need to adapt their risk management. More complex and riskier investments require risk management that is geared towards such investments, alongside adequate staffing.

Real estate funds

German asset managers (Kapitalverwaltungsgesellschaften) account for a large share – over 30% – of the European market for open-ended real estate funds. Retail funds have recorded sustained net liquidity outflows since the beginning of 2024. This could intensify the pressure to sell and thus further exacerbate the fall in prices for commercial real estate. To date, there have been no significant net liquidity outflows from special funds.

In 2024, there was sufficient liquidity for real estate funds in the market. It is not yet clear whether this will remain the case or whether individual funds will face liquidity bottlenecks. Where available for specific funds, German asset managers can use liquidity management tools such as redemption periods, redemption gates or minimum holding periods in order to better manage the liquidity of the open-ended investment funds for which they are responsible.

An annual BaFin survey on liquidity management tools as at 31 December 2023 revealed that around 80% of special real estate funds had rules regarding redemption periods and that the agreed redemption period was usually six months. For retail real estate funds there were statutory minimum holding periods (24 months) and redemption periods (12 months). The measures were intended to have a preventive effect before German asset managers were forced to completely suspend the redemption of unit certificates. However, by September of 2024 only three special funds had made use of this.

In order to compensate for the weak interest margin in the years of low interest rates, individual banks tapped into alternative sources of income, for example by significantly expanding their own investments in real estate. For savings banks (Sparkassen) and cooperatives (Genossenschaften), own investments in real estate accounted for over 3% of total assets in 2023. Real estate funds accounted for a significant proportion of institutions’ own investments: at the end of 2023, German banks held around 57 billion euros in real estate funds. In 2023, the ongoing downturn on the real estate markets in Germany and abroad increasingly led to value adjustments in real estate funds and the need for write-downs at the affected institutions.

Residential real estate

Prices on the residential real estate market have also been affected by rising interest rates and high inflation since 2022. This reduced some of the overvaluations that had arisen in previous years. Over the course of 2024, there were clear signs of a decline in risks on the residential real estate market.

Market stabilising, but there is still progress to be made

Following a relatively sharp drop in prices for owner-occupied residential real estate on a national average from 2022 onwards, the residential real estate market increasingly stabilised over the course of 2024. Prices have begun to rise slightly again (see Figure 3).

According to the vdp Property Price Index, this process was somewhat faster in the top seven cities – Berlin, Hamburg, Munich, Cologne, Frankfurt am Main, Stuttgart and Düsseldorf – compared to nationwide figures. Segment-specific data from the transaction platform Europace show a particularly positive trend for existing buildings. Although they had been particularly affected by price declines during the market downturn starting in 2022, existing buildings were overall around 3.9% more expensive in November 2024 than in January 2024 (market as a whole 2.9%). Prices for new builds remained stable. The more positive trend in existing buildings compared with new builds is partly due to the continuing rise in construction costs. This negatively impacted demand for new builds while existing buildings gradually became financially more attractive to buyers again.

Figure 3: Prices of residential real estate in Germany

1) Weighted by transactions. Calculations by the Deutsche Bundesbank on the basis of price data from bulwiengesa AG. Quarterly data.

Source: BaFin diagram based on calculations by the Deutsche Bundesbank, as at 30 September 2024

By the end of 2022, new lending had slumped by up to 50%. Since then, there has been an incremental recovery, although levels remain low. From January to November 2024, around 22% more residential housing loans were granted to private households than in the same period in 2023. The annual growth rate for portfolios of housing loans to private households, which had fallen in previous years, stabilised in 2024 and amounted to 0.9% in each of the first two quarters and 1.0% in the third quarter.

Figure 4: Growth rates of housing loans granted by domestic banks*

* Data adjusted for statistical changes. 1) Including self-employed and sole traders. 2) Excluding self-employed and sole traders.

Source: BaFin diagram based on calculations by the Deutsche Bundesbank, as at 30 September 2024

Slightly stricter credit guidelines, low loss rates

As shown in the Bank Lending Survey (BLS) for Germany, which was published by the Deutsche Bundesbank in October 2024, banks slightly tightened their lending standards for private residential property loans in the first three quarters of 2024 compared to the preceding quarters.

The loss rates – i.e. the ratio of losses from lending business to outstanding loans collateralised by residential property – remained at a low level. Levels remained constant in 2023 compared to the previous year, while the picture was different for commercial real estate. Lenders’ value adjustments for current loans also remained at a moderate level: in the third quarter of 2024, loan loss provisions for loans to private households collateralised by residential real estate amounted to 1.16% and were thus slightly higher than the average for the previous quarter. The loan loss provision ratio describes the ratio of loan loss provisions to the loan portfolio. One reason for the slight increase in the loan loss provision ratio was the higher interest and principal repayments, which can lead to problems with follow-up financing.

The positive trend on the residential real estate market is based on latent excess demand. Earlier price reductions, increases in real wages and the recent fall in mortgage interest rates have already made residential property somewhat more affordable. If this trend continues and the situation on the labour market also remains stable, it is possible that the palpable demand on the rental market will also be felt in the market for residential real estate, which could stabilise the market in the long term. However, if the economy continues to weaken and unemployment rises significantly as a result, there is a risk of setbacks and increasing loan defaults.

BaFin’s line of approach

  • The countercyclical capital buffer for all domestic exposures and a systemic risk buffer for private and commercial residential real estate loans, which were introduced by BaFin in 2022, have been effective since February 2023. The buffers are intended to make the banking system more resilient by strengthening institutions’ capital base in stress situations. BaFin is closely monitoring the risk situation on the real estate markets using the relevant data for macroprudential purposes and will react to changes in financial stability risks if necessary.
  • BaFin will continue to closely supervise in particular those credit institutions with comparatively large portfolios of commercial real estate loans. In 2025, BaFin will continue to conduct various cross-sectional analyses in order to better assess the risks arising from corrections on commercial real estate markets. As part of this, BaFin will monitor concentrations and defaults in this segment, in addition to (new) lending for commercial real estate financing.
  • BaFin will also continue to analyse whether credit institutions evaluate commercial real estate financing at sufficient intervals. To this end, BaFin is carrying out a higher number of impairment tests.
  • BaFin conducts special inspections of institutions that have high risks in commercial real estate loans and an increased need to write down properties in their own securities accounts (Depot A).
  • In 2024, BaFin investigated the investment behaviour of insurers and Pensionskassen. On this basis, it will carry out individual analyses in 2025 at specific companies showing indications of potential shortcomings. One aim is to examine the risk management of companies with a significant proportion of alternative investments. This also includes real estate exposures.
  • As part of its financial reporting enforcement in 2025, BaFin will focus random sampling examinations on the recoverability of financial and non-financial assets. This area of emphasis also extends to the recoverability of accounts receivable at banks. In addition, BaFin’s financial reporting enforcement examinations will pay close attention to the valuation of significant real estate portfolios of companies outside the banking industry.
  • BaFin will also continue to closely supervise retail funds with special liquidity situations.


2. Risks arising from significant corrections on the international financial markets →

While 2024 saw some volatile periods, the international financial markets proved stable overall. Various developments, especially if they arise in combination, could lead to corrections on the financial markets in 2025: rising geopolitical tensions and political uncertainties, the high sovereign debt ratios of many industrialised nations and the development of inflation and economic growth.

In view of falling inflation rates, the monetary policy of major central banks has been less restrictive since the second half of 2024. The European Central Bank (ECB) initiated its interest rate turnaround in the middle of the year, while the US Federal Reserve cut interest rates in September 2024. Market participants had expected the interest rate cuts; further interest rate adjustments have already been priced in. Depending on accounting methods, interest rate reductions will lead to valuation gains or to a reduction in hidden liabilities.

Slumps due to the unwinding of carry trades

At the beginning of August 2024, temporary slumps were observed on the global financial markets. This was triggered by a slight increase in key interest rates by the Bank of Japan in combination with labour market data from the US that was perceived as poor. These slumps were largely caused by the unwinding of carry trades.

In the low interest rate environment, yen borrowing at interest rates close to zero was attractive for international investors and foreign governments looking to invest in higher-yielding assets. As interest rates rose, investors increasingly liquidated their yen-denominated loans, causing the Japanese currency to appreciate. This led to sharp price drops in the asset classes in which investors had invested by means of carry trades.

Losses from these market movements were largely recouped within a short period of time. Nevertheless, this incident shows that the market is highly volatile, especially when high volumes are held and a herd instinct (even if irrational) sets in among investors. Although the available data is limited, the severity of the market turbulence that resulted from the unwinding of carry trades also suggests that some of the investments based on this investment structure are highly leveraged. This further increases volatility.

Risks due to high global sovereign debt

The high level of sovereign debt in many countries also harbours risks for the global financial system. Interest rate hikes in recent years have increased financing costs. For highly indebted countries in particular, this resulted in an increased default risk and reduced credit ratings. This was reflected on the markets in the rising risk premiums on government bonds from these countries. This also affected individual eurozone countries in 2024. In future, US government bonds could also come under pressure if doubts arise about their debt sustainability.

In a worst-case scenario, the high national debt of some countries could lead to considerable distortions on the bond and stock markets. The German financial system and the real economy could then potentially be affected by contagion effects, particularly due to the international interconnectedness of German banks and insurers.

Bond risks

The fair values of bonds stabilised at a low level in 2024 (see Figure 5). As a result of interest rate cuts and investors’ expectations of lower inflation, the prices of long-term bonds recovered slightly from the third quarter of 2024.

Figure 5: Development of market values of fixed-interest securities

Source: BaFin diagram using data from Refinitiv Datastream, as at 9 December 2024

Nevertheless, there are still price risks. Banks and Sparkassen hold significant bond positions. The 2024 stress test conducted by BaFin and the Deutsche Bundesbank at less significant institutions (LSIs) showed that losses in the market value of bonds would lead to capital depletion of almost 2.5 percentage points – based on a Common Equity Tier 1 capital ratio of 18.2% in 2023.

Insurers also have material exposures to corporate, bank and government bonds. For example, the proportion of bank bonds and bank deposits of German insurers that fall under Solvency II was around 16% in mid-2024. BBB-rated bonds accounted for around 8% of the total investments held by these insurers.

A slump on the stock markets can also directly affect banks and insurers

Stock market share prices rose across the board in the first half of 2024. In the third quarter, this movement levelled off to a sideways trend. In the fourth quarter, a positive development was recorded and the prevailing positive trend of 2024 continued. The German DAX benchmark index exceeded the 20,000-point mark for the first time, while in the US the S&P500 and Nasdaq 100 reached new all-time highs.

Significant corrections on the stock markets can pose a risk for insurers and banks. However, shares account for a relatively small portion of insurers’ investment portfolios. The industry average as at 30 June 2024 was around 4%.

In relation to their total assets, shares likewise account for a very small proportion of assets held by German banks in their own portfolios (Depot A). According to the 2024 LSI stress test, the volume of bonds held by German LSIs is almost 30 times higher than the volume of shares held. This can also be seen from the fact that, in the stress test, price slumps on the stock markets only had a minor impact on banks’ capitalisation.

Importance of non-bank financial intermediaries increasing further

Non-bank financial intermediaries (NBFIs), such as asset managers and investment companies, in addition to insurers and Pensionskassen, are becoming increasingly important compared to the banking sector. According to the Bundesbank’s Financial Stability Review 2024, NBFIs provide around 40% of financing for the real economy in the eurozone. They hold around half of the financial assets in the eurozone – this share has increased by 18 percentage points since the global financial crisis. In Germany, NBFIs hold around 40% of financial assets in the financial system, an increase of 15 percentage points since 2009.

At the same time, the risks associated with the NBFI sector remain relevant, particularly the risks arising from excessive debt and abrupt liquidity outflows, which can lead to fire sales. The level of debt in the NBFI sector is often opaque. Open-ended investment funds are particularly vulnerable, since the assets have significantly longer maturities than the liabilities. These maturity mismatches make fire sales more likely. There are holding and redemption periods for German open-ended property funds that mitigate this risk. Nonetheless, the redemption of fund units may be suspended, for example in the event of insufficient liquidity in the fund.

The strong interconnectedness between banks and the NBFI sector also brings the risk of mutual contagion effects. Moreover, the accelerated speed at which information is disseminated alongside the use of algorithms and artificial intelligence in trading increase the risk of unidirectional effects being amplified.

BaFin's line of approach

  • BaFin identifies supervised companies with high and risky exposures that are strongly dependent on financial markets. BaFin assesses the risk of such exposures and closely supervises the invested companies, if necessary.
  • Global and European supervisory bodies are discussing whether the macroprudential framework for the NBFI sector is appropriate. BaFin is involved in the various working groups. These include the Financial Stability Board (FSB), the International Organization of Securities Commissions (IOSCO) and the European Systemic Risk Board (ESRB).
  • BaFin will support German asset managers in the risk-appropriate continued implementation of liquidity management tools (LMTs). The amendment to the Alternative Investment Fund Managers Directive (AIFMD II) and to the European Undertakings for Collective Investment in Transferable Securities Directive (UCITS) requires fund managers to apply at least two tools. Money market funds are an exception and only have to apply one LMT.
  • BaFin will continue to develop the Solvency II component in its forecast calculation for life insurers. This should enable BaFin to assess how capital market changes during the year affect the solvency of life insurers.


3. Risks arising from corporate loan defaults ↑

In 2024, the economic situation in Germany remained challenging. Economic output had already fallen by 0.3% in 2023. In 2024, economic activity fell by 0.2%. The German Council of Economic Experts (Sachverständigenrat) is expecting slight economic growth of 0.4% in 2025.

In view of the weak economic situation, there is a danger that the share of non-performing loans will increase.

The stress test conducted by BaFin and the Deutsche Bundesbank on less significant institutions (LSIs) in Germany shows that they are generally well positioned. However, institutions with low equity ratios that have furnished too few loan loss provisions up until now would be particularly at risk. In the event of a significant economic downturn, a mid double-digit number of institutions would fall below the regulatory capital requirement.

Economic sentiment gloomy

In 2024, geopolitical conflicts repeatedly had an impact on supply chains. While the acute risk of an energy crisis has been averted, the high energy costs compared with other countries continued to put a strain on German companies. This affected energy-intensive sectors in particular, such as the chemical industry and paper and glass production. At the same time, the industry underwent a structural change, which was primarily due to the transformation towards a climate-neutral economy in addition to changes in international trade relations. This was particularly evident in the automotive industry. These developments are likely to also be relevant in 2025.

In 2024, increasingly protectionist and isolationist tendencies could be observed worldwide. Export-dependent companies suffered as a result of increasing trade barriers and geopolitical tensions. In particular, an intensification of the trade dispute between the US and China would have considerable direct and indirect consequences for the global economy, but especially for Europe. The import tariffs on German and EU goods announced by the incoming US government would likewise have a direct impact on the economy.

Default risks for banks on the increase

There was an increase in company insolvencies (see Figure 6). At the end of the third quarter of 2024, the number of regular insolvencies applied for was 13.7% higher than in the previous year. The social and healthcare sector, the property and housing sector and the manufacturing industry were most strongly affected.

Figure 6: Company insolvencies in Germany
Source: BaFin diagram using data from LSEG Datastream, as at December 2024

There is therefore an increased risk that companies will partially or completely default on their loans. Effectively, the result of this will be a revaluation of credit risks. Value adjustments in banks’ loan portfolios rose sharply in the fourth quarter of 2023. This increase was in large part due to commercial real estate loans (see Risks in BaFin’s Focus 2024). Since then, the ratio of non-performing loans (NPLs) has risen slightly. This trend continued in the third quarter of 2024.

Loan loss provisions at German banks continued to rise, albeit at a low level. There was a stronger rise among LSIs compared with SIs (see Figure 7). The aggregate loan loss provision ratio was 1.41% in the third quarter of 2024.

Figure 7: Development of loan loss provisions of German banks
Source: Joint calculation by the Deutsche Bundesbank and BaFin based on FINREP, as at 30 September 2024

From the third quarter of 2023 to the third quarter of 2024, the aggregate ratio of non-performing loans (NPLs) at German institutions rose from 1.38% to 1.76% (see Figure 8) but remained at a relatively low level, also by international comparison. This trend was observed for both SIs and LSIs. Due to the persistently weak economy and poor market situation for commercial real estate, a further increase in non-performing loans is expected.

Figure 8: Development of NPL ratios of German banks
Source: Joint calculation by the Deutsche Bundesbank and BaFin based on FINREP, as at 30 September 2024

According to the Eurosystem's Bank Lending Survey (BLS), the German SIs and LSIs surveyed slightly relaxed their lending standards for corporate loans in the third quarter of 2024 despite poor economic projections, while for private households they tightened their guidelines. According to the BLS, however, the banks are planning to raise lending standards for corporate loans again in the future. On the demand side, banks recorded slight growth in the third quarter of 2024. They expect this trend to continue.

Insurers also affected by credit risks

Insurers are equally affected by credit default risks since they grant corporate loans themselves and invest in private debt funds (see Risks in BaFin’s Focus 2024). The share of private debt investments increased slightly in 2023. As at 31 December 2023, such investments accounted for 4.2% of insurers’ total investments.

Private debt investments place high demands on insurers’ risk management. It is of particular importance that insurers have a clear understanding of the business models of the companies to which the private debt funds are granting debt capital.

BaFin’s line of approach

  • A countercyclical capital buffer has been in place for all domestic risk positions since February 2023. This was introduced by BaFin in 2022. The buffer is intended to make the banking system more resilient by strengthening institutions’ capital base in stress situations.
  • BaFin will provide close support to credit institutions with a strong exposure to sectors that could be particularly affected by a collapse in economic activity or by geopolitical tensions.
  • BaFin conducts targeted special inspections of lending business in addition to impairment tests, which focus on the general economic environment, among other things. These tests will be further intensified.
  • BaFin will continue to closely monitor the development of the private debt market and the investment behaviour of insurers. In 2025, it will also closely examine risk management for alternative investments. It will also analyse whether companies comply with the “prudent person” principle. This will be based on a BaFin survey carried out in 2024 on the investment behaviour of insurers and pension funds showing indications of potential shortcomings.

4. Risks arising from cyber incidents with serious consequences

The global threat of cyber incidents is very high and is continuing to rise. This is due to advancing digitalisation, which is increasing the attack surface, as well as geopolitical tensions that are increasingly spilling over into cyberspace and affecting critical infrastructures. The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) assessed the threat in cyberspace in spring 2024 as higher than ever before.

Almost a fifth of all global cyber incidents over the past twenty years affected companies in the financial sector. According to the International Monetary Fund (IMF), the damage has totalled almost 12 billion US dollars since 2004. The number of incidents, in particular cyberattacks, has risen steadily in recent years.

A cyber incident is an accidental or malicious incident that can have a negative impact on data confidentiality and the availability of IT systems or networks, or that violates security policies, security processes or terms of use. Such incidents can occur at the supervised entities themselves, but also at outsourcing providers.

Cyber incidents affecting companies in the financial market or infrastructures can significantly impair the functioning of the financial system and, in extreme cases, lead to systemic crises. This can occur in particular if, due to close links between companies in the financial sector and service providers, multiple companies are affected by an incident at the same time.

The inaccessibility of critical systems and functions, breaches of data confidentiality and high financial losses can damage trust and the reputation of the financial industry in the eyes of investors and consumers. Cyber incidents can trigger financial crises at the companies affected and undermine confidence in financial stability as a whole. This can lead to liquidity outflows, for example in the form of bank runs.

Cyberattacks have the potential to cause significant damage

Cyberattacks with serious consequences pose a risk with significant damage potential. However, the probability of successful cyberattacks is lower than for other IT incidents, such as system failures. Since they form part of the critical infrastructure, companies in the financial sector are an attractive target for cyberattacks. They provide an attack surface either directly or via their critical (IT) service providers. In particular, vulnerabilities in software applications or software updates represent a major risk and serve as a gateway for cyberattacks.

Companies in the financial sector can also be affected through their business relationships with companies in the real economy whose continued existence is threatened following a cyberattack. In such situations, there is a risk of loan defaults. According to a study published by the digital association Bitkom in August 2024, 65% of the companies surveyed now fear that cyberattacks could put them in a situation that threatens their continued existence. This figure was 52% in the previous year.

More risks through outsourcing and artificial intelligence

Outsourcing to (IT) service providers increases the attack surface in the financial sector. IT service providers and in particular cloud environments are increasingly being targeted by cyberattacks. The risk of effective cyberattacks with serious consequences is also increased by the use of generative artificial intelligence.

For one thing, more and more companies in the financial sector are using generative AI, providing attackers with new potential vulnerabilities that can be exploited. Added to that, cybercriminals are also using generative AI to develop new and highly efficient methods of attack and malicious code. For example, high quality phishing messages can be created quickly using AI. This makes it more difficult to identify fraudulent information and queries.
Deepfakes, in which image, audio and video recordings are manipulated with the help of AI, can also be used to gain the trust of victims and trick them into handing over data. Such forms of attack based on digital deception will increase as generative AI is further developed.

Quantum computing: protective measures needed now

The use of powerful quantum computers threatens IT security since they can break traditional encryption methods, such as the tried-and-tested Rivest-Shamir-Adleman (RSA) cryptosystem and elliptic curve cryptography (ECC). Such encryption methods are fundamental elements of IT security in the financial industry. The “harvest now, decrypt later” method reinforces this threat, since data that is encrypted today can be stored for later decryption by quantum computers.

However, many companies underestimate this threat: the BSI warned that operators of critical infrastructures, including banks, did not pay sufficient attention to these risks. Companies in the financial sector must take protective measures now to protect security-relevant data in the long term. Only then will they be equipped for the future. To achieve this, companies need to make sufficient investments now.

They should identify data at risk of being compromised through quantum computers and draw up a protection plan with a specific implementation timeframe. The protection plan should take into account existing technical possibilities and standards, such as the use of post-quantum cryptography. It must be designed in such a way that IT risk management can react flexibly to future developments and implement upcoming security recommendations and standards. In 2024, the US National Institute of Standards and Technology (NIST) set out for the first time clear post-quantum cryptography standards for the protection of organisations against quantum hacking. The G7 Cyber Expert Group also highlights the risks of quantum computing and refers to the NIST standards.

DDoS, ransomware and phishing still widespread

Distributed Denial of Service (DDoS) attacks are the most common form of attack: they overload data networks with a flood of data requests. Attackers have repeatedly succeeded in disrupting the availability of online services through DDoS attacks on companies in the financial sector.

However, the biggest threat to companies in the real economy and the financial sector comes from ransomware attacks. Companies in the financial sector have fallen victim to several successful ransomware attacks in recent years. In some cases, the attackers not only succeeded in encrypting and accessing data; through their attacks, criminals were also able to considerably disrupt the business operations of affected companies.

Customers also remain a target

Phishing and social engineering attacks are also still a common method of accessing sensitive data and login information. In June 2024, the addresses, account and tax data of tens of thousands of customers were stolen in a cyberattack on the subsidiary of a major German bank.

In a new variant of such attacks, criminals send fake letters with QR codes and use the links they contain to gain access to accounts. A major German bank warned its customers about this in September 2024.

Cyberattacks economically or politically motivated

Attacks can be economically or politically motivated. Government-initiated attacks are becoming more prominent. As part of critical infrastructure, companies in the financial sector are also increasingly the focus of such attacks.

According to a UN report, around 3.6 billion US dollars were stolen by cyberattackers, including a state hacker group, in attacks on crypto companies over the past seven years. At the end of 2023, 147.5 million US dollars were stolen from a cryptocurrency exchange in a single attack.

Operational incidents far more common

Operational IT incidents at financial companies or their service providers are still far more common than successful cyberattacks. These incidents are usually caused by unintentional errors, for example in software or processes. The causes often lie in faulty updates or in companies’ change processes, for example when configuration errors occur during system customisations.

Operational IT incidents can also significantly impair the availability of services and thus jeopardise the financial market. This is especially critical when incidents affect major payment or IT service providers with a large number of customers in the financial sector.

Last year, problems at IT and payment service providers repeatedly led to disruptions in cashless payment transactions. Customers of affected companies were temporarily unable to make payments by card. The most prominent IT incident of last year affected the US company CrowdStrike in July and was due to a faulty update to an IT security tool.

Data from incident reporting under PSD2

Up until 17 January 2025, only payment service providers, i.e. banks and payment processors, had to report payment incidents to BaFin in accordance with the second Payment Services Directive (PSD2). Payment incidents are IT incidents that affect payment services. This enabled BaFin to identify and monitor payment security risks.

In the first three quarters of 2024, around 258 payment incidents were reported to BaFin (see Figure 9). This represents a significant increase in the number of reports compared to previous years, which is primarily attributable to numerous incidents at IT service providers and payment service providers. In several cases, these incidents affected multiple financial companies, which led to a large number of reports to BaFin from various institutions.

Figure 9: Total number of reports on payment incidents
*The figures for 2024 include incident reports from the first three quarters of 2024.
Source: BaFin diagram, as at 30 September 2024

The incidents mainly resulted from system and process errors alongside human error. The large number of such incidents shows how important it is for companies to have resilient systems and processes in place.

The incidents reported also highlight the significance of outsourcing providers for the operational resilience of the financial sector. In around 67% of the reports in the first three quarters of 2024, the cause was not the bank itself, but one of its service providers. This shows that financial companies also need resilient service providers in order to achieve a high level of operational resilience.

The reported incidents mostly related to transaction processing and online and mobile banking. Most of the reports came from significant institutions (SIs) and multi-client IT service providers.

Around 2.3% of reports in the first three quarters of 2024 related to security incidents, including cyberattacks. As in previous years, security incidents thus only accounted for a small proportion of the reports. There are various possible explanations for this: for example, it might be that the institutions were able to successfully defend themselves against attacks, that the attacks did not have any effect on payment-related services, or that the effects did not cross the thresholds for submitting a report to BaFin. The low number of security incidents does not mean that there were not many attacks in 2024, or that the risk of being the victim of a cyberattack was low. On the contrary, the risk remains high.

New reporting obligation for ICT incidents under DORA

The Digital Operational Resilience Act (DORA) has been in force since 17 January 2025. DORA harmonises the reporting system for serious information and communication technology (ICT) incidents for all financial companies. In addition to banks and payment service providers, insurers and investment firms alongside all other financial companies falling within the scope of DORA must also report ICT-related incidents.

The new reporting obligation has a much stronger focus on cyberattacks. BaFin is therefore likely to register a higher number of security incidents. This will enable BaFin to obtain a more comprehensive picture of the cybersecurity situation in the financial sector and to better respond to developments and risks.

Risk awareness of companies in the financial sector

Companies in the financial sector largely take the risk of IT incidents into account in their risk management. Most of them have invested in IT security. However, they must continuously monitor current developments and threats, adapt their security measures and ensure they are prepared for crisis scenarios. BaFin believes that the favourable earnings situation of credit institutions in 2024 will provide a good basis for increased investment in IT security.

DORA imposes specific requirements on companies. The aim is to strengthen the resilience of the financial market against IT failures and cyberattacks and to improve companies’ ability to continue their operations following an IT incident. Companies should also establish standardised templates and communication channels for rapidly sharing information on attacks and threats with all relevant stakeholders.

BaFin’s line of approach

  • As set out in DORA, BaFin has been established as the reporting hub for ICT-related incidents for the German financial sector. BaFin will consolidate the information it receives and create an overview of cyber risks for the financial sector. This overview will serve to highlight the cyber threats facing the financial industry, expose the vulnerability of the supervised companies and their IT service providers and record any (successful) cyberattacks that have taken place.
  • From 2025 onwards, BaFin will gradually implement the Systemic Cyber Incident Coordination Framework (EU-SCICF) together with the other European national supervisory authorities and the European supervisory authorities EBA, ESMA and EIOPA. This framework is intended to facilitate communication and coordination between authorities in the event of cyber incidents that pose a risk to financial stability.
  • BaFin established a cyber roundtable in 2024 to provide a familiar setting in which it can quickly exchange information on threats and current developments with companies in the financial sector in the event of a crisis. It will intensify this dialogue in 2025. This means that medium-sized companies will also be included and the dialogue will no longer be limited to crisis situations.
  • Together with the supervised companies, BaFin conducts cross-sector crisis management and emergency exercises with simulated cyberattacks. It also checks whether the companies that are obliged to do so carry out threat-led penetration tests. All of these measures serve to prevent cyberattacks, but also to ensure they are handled adequately should they occur. The measures are intended to ensure that all parties involved react quickly and in a coordinated manner in the event of a crisis so that the stability of the financial system is not jeopardised.
  • BaFin actively participates in the National Cyber Response Centre (Nationales Cyber-Abwehrzentrum) and is cooperating closely with other national and international authorities. Through this, BaFin aims to ensure it is informed of incidents and hazards at an early stage so that it can pass this information on to other authorities or supervised companies.
  • Companies are increasingly taking out insurance for cyber risks. BaFin will survey insurers on the development of the cyber insurance business segment in order to gain a better overview of this business. This will also prepare companies for future regulatory reporting.

5. Risks arising from inadequate money laundering prevention

The risk of financial market players being misused for money laundering and terrorist financing purposes is still high, also due to the geopolitical environment. Greater vigilance is required to prevent money laundering and terrorist financing. BaFin supervises over 9,400 entities in the German financial sector (see Table 1). They are obliged to take measures to prevent money laundering and to take appropriate and effective action against money laundering (see Risks in BaFin’s Focus 2024).

Table 1: Number of entities supervised by BaFin, by groups of obliged entities

Credit institutions: 1,312
Financial services institutions (leasing and factoring institutions deemed to be institutions under section 1a of the KWG): 378
Investment institutions: 714
Payment institutions (payment and e-money institutions and cryptoasset service providers): 152
Agents (including distributors): 5,500
Insurance undertakings: 202
Asset management companies: 678
Exempted institutions: 267
European branches (82 credit institutions, 40 investment firms, 20 ZAG institutions, 79 German asset managers): 229
Total: 9,432

Source: BaFin, as at November 2024

If there is suspicion of money laundering, obliged entities must inform the Financial Intelligence Unit (FIU). In 2023, the FIU received 310,956 such suspicious transaction reports from the financial sector (previous year: 326,123). A total of 322,590 suspected violations were reported to the FIU in 2023 from the financial and non-financial sectors and by other obliged entities (previous year: 337,186). This means that reports from the financial sector account for 96.39% of suspicious transaction reports. The percentage thus remains high.

Terrorist financing and illegal financial transfers

The risk of terrorist financing has again increased amid the world’s current crises. A major challenge in the prevention of terrorist financing is that funds often originate from legal sources and then flow into criminal networks. Obliged entities must take specific precautions to prevent this from happening. In these preventive measures, such as risk analysis and transaction monitoring, they must clearly differentiate between money laundering and terrorist financing.

In practice, it has been shown that companies that fail to differentiate in this respect either do not take the risks of terrorist financing into account at all or do not address them adequately. Among other things, it is important to carefully scrutinise transactions and the use of funds. Institutions should be particularly vigilant with regard to cash payments and if payments and transfers do not match the purpose of the account or the financial circumstances of the person making the payment.

Illegal financial transfers – the example of hawala banking

“Hawala” is an informal method of payment that has been used for many years. Its importance worldwide has increased in the wake of geopolitical conflicts. Hawala works on the basis of the “two-pot system” via intermediaries, called “hawaladars”, who operate without state authorisation or supervision (see Figure 10).

Figure 10: How hawala banking works
Source: BaFin diagram

The system does not involve any receipts, accounts or banks and is based on trust and confidentiality. The use of regulated money remitters is generally avoided, which makes it more difficult to expose the structures at work.
Hawaladars sometimes transfer large sums of money across national borders. For these reasons, hawala can easily be used to finance terrorists, human trafficking, illegal immigration networks and many other criminal activities.

Business models with particular vulnerabilities

There are also certain regulated business models that harbour a particularly high risk of money laundering and terrorist financing. One example of this is “loan fronting”, where a credit institution grants loans on behalf of third parties. In many cases, the money does not come from the bank itself, but from investors.

The risk of money laundering and terrorist financing is particularly high if the investors – and thus the origin of the funds or the origin of the loan collateral – are unknown.

Innovations with potential money laundering risks

Technological innovations in the financial market may increase the risk of money laundering. This is the case, for example, with cryptoassets: they are challenging to handle and can be structured in many ways, making transparency more difficult. As of 30 December 2024, obliged entities must meet specific obligations for cryptoasset transfers. These requirements are set out in the revised European Funds Transfer Regulation, which has replaced the German Crypto Asset Transfer Regulation (Kryptowertetransferverordnung).

Another factor that can make money laundering prevention more difficult is the intensified use of the virtual IBAN (vIBAN). In payment transactions with business customers, for example, it replaces the invoice number and payment reference and enables the automated processing of orders.

Depending on the business model, the use of vIBANs entails significant risk: vIBANs can make it more difficult to trace transactions because payment senders and recipients and their geographical location are more difficult to identify. For credit institutions that issue the vIBAN or for intermediary payment service providers, this can hinder the fulfilment of customer due diligence obligations and transaction monitoring.

It is also possible for a vIBAN to be given a country code different from the code that should actually be linked to the respective payment account. This would wrongly give the impression that the account is managed domestically and is therefore subject to the respective national regulation and control. As a consequence, customers could be misled.

BaFin’s line of approach

  • BaFin will continue working to ensure that obliged entities improve their transaction monitoring and data analysis. It will maintain the high intensity of its supervisory and inspection activities in the banking and non-banking sectors: in 2025, it will conduct at least 75 special audits in the banking and non-banking sectors, focusing on different topics.
  • BaFin will be analysing banks and payment institutions in particular to determine the extent of their risk of being misused for terrorist financing and how they can mitigate this risk.
  • BaFin is making preparations for the future European supervisory regime in which the Anti-Money Laundering Authority (AMLA) will assume direct and indirect supervisory responsibilities in cooperation with national authorities.
  • In a field analysis, BaFin will determine how often vIBANs are used in Germany and for what purposes, with the aim of identifying business models that have a high risk of money laundering. BaFin will develop targeted supervisory measures based on the results.
  • BaFin will conduct an analysis regarding the management of business models that are particularly critical in terms of money laundering, focusing in particular on the topic of payment methods. BaFin will examine whether these business models require authorisation.

6. Risks arising from market concentration due to the outsourcing of IT services

Companies within the financial sector are outsourcing more and more IT services to specialised providers. Outsourcing to cloud service providers in particular has become increasingly relevant. Outsourcing offers many advantages: companies that outsource activities and processes benefit from lower costs and can better concentrate on their core business. A further advantage lies in the fact that service providers, as specialists in their field, perform many services more efficiently and in some cases more securely than the outsourcing companies would be able to do themselves.

However, outsourcing gives rise to increasing interconnectedness and thus to concentration risks, which can make the financial sector more vulnerable. This is particularly true when a small number of specialised IT service providers offer their services to a large number of companies in the financial sector. The problem may become more critical when these service providers themselves outsource activities and processes to a chain of other service providers.

Impact on a large number of companies

Due to this concentration on a small number of providers, even individual disruptions can have a serious impact on the financial sector. This would be especially problematic if it were to affect critical processes on which the companies of the financial sector depend, as it would restrict their ability to operate. A disruption occurring at a service provider may have a significant impact on a large number of supervised entities – regardless of the cause.
This can go so far as to render companies in the financial sector temporarily or permanently unable to use these services. It is often not possible to replace a service provider at short notice, particularly because the products offered by highly specialised IT service providers are not identical. Consequently, even if it is technically possible to switch service providers, it still takes some time to implement the change. Many companies are therefore effectively tied to their specialised IT service providers, especially if they use these providers’ software. Once dependencies have been created, it is difficult to dismantle them (see Risks in BaFin’s Focus 2024).

In addition, concentration risks can arise when service providers subcontract outsourced activities and processes to a chain of further service providers (sub-delegation). The outsourcing companies of the financial sector are often unaware of the dependencies and risks that result from sub-delegation. They are therefore hardly able to take any countermeasures.

Half of all outsourced activities cannot be reintegrated

These dependencies can also be seen in BaFin’s outsourcing database. Among other things, more than half of the companies subject to the notification requirement stated that they would not be able to provide their outsourced IT services themselves again.

More than two thirds of the companies that provided this information also stated that they would not be able to transfer the IT service to another IT service provider at all or would have great difficulty doing so. In general, financial entities draw on a range of services when they use IT service providers. The most common of these IT services are data storage, application services and services relating to software development (see Figure 11).

Figure 11: Categories of the most commonly used IT services (Source: BaFin diagram, as at 1 December 2024)

Disruptions at CrowdStrike reveal vulnerabilities

In July 2024, the case of CrowdStrike showed the consequences that dependencies on IT service providers can have: a faulty update of an IT security tool at CrowdStrike, a US manufacturer of information security and cybersecurity technology, resulted in a worldwide IT disruption. The security tool was being used for numerous other IT services, such as Microsoft Windows, and led to crashes in these services.

Due to the global distribution of the tool, the incident affected many users, companies and systems and in some instances severely impaired business operations. Critical infrastructure such as airports, hospitals and energy companies were also affected; the German financial sector, on the other hand, was hardly affected at all.

The situation normalised within a few days, and the incident currently poses no risk to the financial market. In principle, however, such incidents can have serious consequences. For BaFin to be able to assess the extent of an incident, therefore, there must be transparency about the interconnectedness on the financial market.

Geopolitical risks exacerbate problems

The financial market for IT outsourcing in particular is dominated by a small number of providers, some of which are based outside Europe. If market-leading service providers concentrate their activities on particular industries or regions, this gives rise to additional risks. This can be the case, for example, if sanctions are imposed against a country, protectionist measures are taken by a country or there is political unrest in a region. All the companies that use services provided from there would be affected. The switch to an alternative provider, which would be difficult anyway, would not be possible. This could have negative consequences for the entire financial market.

The issue of data sovereignty is becoming increasingly important. In recent years, large cloud hyperscalers have started to offer financial entities the option of storing and processing data within certain geographical boundaries by means of the “sovereign cloud”. The objective is to achieve a stronger separation from parent companies based in third countries in terms of location, systems and staffing. This approach does not offer comprehensive protection against geopolitical risks in most cases, however.

Monitoring of systemically important IT service providers at national level

It is essential for BaFin to have an overall understanding of the interconnectedness in the outsourcing landscape of the German financial sector in order to strengthen the operational resilience of the financial market’s digital systems. Since the end of 2022, therefore, BaFin has been requesting information on (material) outsourcings from financial entities – regardless of the outsourced processes or products. Since then, approximately 2,200 supervised entities have notified BaFin of around 24,000 (material) outsourcings. This equates to about 11 material outsourcings per company. On average, one in every four or five cases involves IT outsourcing.

Figure 12: Average number of outsourcings reported to BaFin (Source: BaFin diagram, as at 1 December 2024)

BaFin uses the data from the outsourcing database for cross-sectoral analyses – in particular to identify concentrations among individual service providers. Among other things, these analyses enable BaFin to visualise the relationships between financial entities and service providers on the German financial market. The resulting transparency makes irregularities visible. Moreover, BaFin can then focus on one individual service provider or one single financial entity and analyse its outsourcing activities.

BaFin analyses the outsourcing relationships with regard to certain aspects of risk. Such aspects include the replaceability of the outsourcing provider, the duration of the outsourcing, the processing of personal data and the use of outsourcing for time-critical processes in the financial entity (see Figure 14). BaFin’s overarching aim is to strengthen the operational stability and security of the entities it supervises and particularly their technology platforms – and thus also the entire financial market.

Figure 13 shows a network graph: here, the nodes and dots represent the supervised entities and the service providers. The edges connecting the nodes represent business relationships between these companies.

Figure 13: Analysis of interconnections in terms of risk

On the basis of the outsourcing notifications, BaFin has used a risk model to determine average risk categories for the business relationships. These categories are reflected in the colours of the edges: red indicates higher risk and green indicates lower risk. (Source: BaFin diagram, as at 1 December 2024)

Figure 13 shows, for example, that cooperative banks and savings banks are closely linked to the service providers in their respective networks. German asset managers, on the other hand, are closely interconnected; they outsourced processes and services to a relatively large number of different service providers.

However, BaFin can also focus on an individual service provider or financial institution and analyse its outsourcing activities.

Figure 14: Outsourcing relationships of individual companies in the financial sector

This diagram depicts not only supervised entities and service providers, but also subcontractors. Since the data reported does not allow an assessment of the risk of the business relationships between service providers and subcontractors, the affected edges are shown here in grey. (Source: BaFin diagram, as at 1 December 2024)
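The interconnection analysis described above (supervised entities, service providers and subcontractors as nodes, outsourcing relationships as edges) can be sketched in a few lines. This is an added illustration, not BaFin's risk model or code: all company names and records are constructed, and measuring concentration as the share of entities that reach a provider directly or through sub-delegation is an assumption made for the example.

```python
"""Concentration and sub-delegation analysis over a constructed outsourcing register."""
from collections import defaultdict, deque

# Constructed sample data (not BaFin data). Each row is one notified
# outsourcing: (financial entity, service provider, IT service category).
OUTSOURCINGS = [
    ("Bank A", "CloudCo", "data storage"),
    ("Bank B", "CloudCo", "application services"),
    ("Bank C", "CoreBankingCo", "application services"),
    ("Insurer D", "ClaimsSoft", "software development"),
    ("Insurer E", "CoreBankingCo", "application services"),
    ("Asset Manager F", "NicheHost", "data storage"),
]

# Constructed sub-delegation links: (service provider, subcontractor).
# DevShop -> ClaimsSoft closes a deliberate cycle to show that the
# traversal terminates on circular chains.
SUBDELEGATIONS = [
    ("CoreBankingCo", "CloudCo"),
    ("ClaimsSoft", "DevShop"),
    ("DevShop", "CloudCo"),
    ("DevShop", "ClaimsSoft"),
]


def build_graph(outsourcings, subdelegations):
    """Return (entity -> direct providers, provider -> subcontractors)."""
    direct, subs = defaultdict(set), defaultdict(set)
    for entity, provider, _service in outsourcings:
        direct[entity].add(provider)
    for provider, subcontractor in subdelegations:
        subs[provider].add(subcontractor)
    return direct, subs


def dependency_paths(entity, direct, subs):
    """Map every provider the entity depends on to the shortest chain reaching it."""
    paths = {}
    queue = deque((p, (p,)) for p in sorted(direct.get(entity, ())))
    while queue:  # breadth-first, so the first chain found is the shortest
        provider, chain = queue.popleft()
        if provider in paths:
            continue  # already reached, also breaks cycles
        paths[provider] = chain
        for sub in sorted(subs.get(provider, ())):
            if sub not in paths:
                queue.append((sub, chain + (sub,)))
    return paths


def exposure(direct, subs):
    """provider -> entities with a direct contract / entities reached only via sub-delegation."""
    result = defaultdict(lambda: {"direct": set(), "indirect": set()})
    for entity in direct:
        for provider, chain in dependency_paths(entity, direct, subs).items():
            kind = "direct" if len(chain) == 1 else "indirect"
            result[provider][kind].add(entity)
    return result


def concentration_report(direct, subs):
    """Rows of (provider, direct share, share incl. sub-delegation), most concentrated first."""
    total = len(direct)
    rows = []
    for provider, e in exposure(direct, subs).items():
        n_all = len(e["direct"] | e["indirect"])
        rows.append((provider, len(e["direct"]) / total, n_all / total))
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def affected_entities(provider, direct, subs):
    """Early-warning lookup: entities to notify after an incident at `provider`, with the chain."""
    hits = {}
    for entity in direct:
        chain = dependency_paths(entity, direct, subs).get(provider)
        if chain:
            hits[entity] = " -> ".join((entity,) + chain)
    return hits


if __name__ == "__main__":
    direct, subs = build_graph(OUTSOURCINGS, SUBDELEGATIONS)
    for provider, d, a in concentration_report(direct, subs):
        print(f"{provider:14s} direct {d:5.0%}   incl. sub-delegation {a:5.0%}")
    for _entity, chain in sorted(affected_entities("CloudCo", direct, subs).items()):
        print(chain)
```

In the constructed data, only two of six entities contract with CloudCo directly, but five depend on it once sub-delegation is followed, which is the hidden dependency the text describes.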

Good risk management is key

Companies in the financial sector are also focusing on concentration risks in their risk management (see Risks in BaFin’s Focus 2024). In particular, they are aware of the risks associated with IT outsourcing. Some companies, becoming more sensitised, are bringing their outsourced activities and processes back into their own organisations (insourcing). Others are considering a multi-vendor strategy.

All in all, however, the use of outsourcing – especially to IT multi-client service providers – is continuing to rise. This is understandable, given the numerous advantages of IT outsourcing in particular. However, it also means a rise in risks for the financial market. It will be crucial that financial entities protect themselves through targeted risk management and that they minimise risks as far as possible.

For this reason, the European Digital Operational Resilience Act (DORA) requires the assessment and monitoring of third-party risks arising from the use of information and communication technology (ICT) – over the entire life cycle of such use.

Financial entities intending to procure IT services from third parties are required to carry out a risk assessment before concluding a contract. In this risk assessment, they must consider for example the extent to which they are dependent on the respective ICT third-party service provider and the risks that could arise from the contractual relationship. To ensure that they can manage ICT third party risks in a structured manner, financial entities must enter their ICT contracts in a register of information.

BaFin's line of approach

  • BaFin will continue to analyse which activities and processes companies of the financial sector have outsourced and to which service providers these outsourcings have been made. These analyses are based on the sector-wide notifications of (material) outsourcings received on BaFin’s electronic reporting platform since the end of November 2022 as well as queries to selected companies about their overall outsourcings. BaFin will further improve the data quality in the outsourcing database and the forms that companies use to notify BaFin of their outsourcing arrangements.
  • In addition, BaFin will also use the financial entities’ registers of information regarding all ICT contracts for its analyses. DORA requires companies to keep such registers. The information includes all ICT services – regardless of whether they support critical or important functions within the financial entity. The registers of information serve in particular to ensure the transparency of interconnections and concentrations in ICT services across the entire value chain. On this basis, BaFin can purposefully order monitoring measures directly for particular service providers.
  • In 2025, based on its analyses of interconnections, BaFin will be implementing more monitoring measures for multi-client service providers operating across the sector. These monitoring measures will range from questionnaires on specific topics to monitoring interviews and inspections of the service provider lasting several weeks.
  • BaFin will continue to use the outsourcing database as an early warning system: if serious incidents occur at (multi-client) service providers, BaFin warns the companies of the financial sector which, according to the outsourcing database, are using this service provider.
  • For several years, BaFin has been monitoring large multi-client IT service providers working for companies in the financial market. It will continue with its monitoring measures for sector-wide multi-client IT service providers using a staggered monitoring concept.
  • At the European level, BaFin is taking part in joint examination teams to monitor critical ICT third-party service providers under DORA that are relevant to the German financial market. These teams are each led by one of the three European Supervisory Authorities – EBA, ESMA or EIOPA – depending on the particular sector in which the ICT third-party service provider primarily operates. The monitoring will focus on cloud hyperscalers, for example.
  • In addition, BaFin will continue to regularly engage in dialogue with cloud service providers about their technical developments and the associated supervisory expectations.
  • BaFin will also continue to monitor current political developments and analyse its outsourcing data; this will enable BaFin to assess the extent to which geopolitical conflicts could affect financial entities’ outsourcings to service providers based in third countries.


1. Digitalisation

Innovative business models and the use of new technologies in the financial sector offer promising opportunities, but also risks – for supervised entities and for consumers.

Artificial intelligence and machine learning

Companies in the financial sector are increasingly using artificial intelligence (AI), especially generative AI. This is true of the entire value chain. Many initiatives regarding the use of generative AI are still in the testing or pilot phase.

In actual practice, testing is focused in particular on large language models (LLMs). LLMs are used mainly as assistance systems. Common applications include GPT-based internal chatbots for employees, AI systems for the preparation of documents and AI assistance systems for developers (coding). Generative AI also offers potential in terms of customer contact. To date, however, its use in this area has been relatively limited.

Banks and insurers, on the other hand, are already using more traditional forms of AI and machine learning (ML) to detect money laundering and fraud as well as in back-office processes. One example is “dark processing”, which is used by insurers in claims processing. In risk management, AI and ML are increasingly being used to process data and validate risk models. In the highly automated securities industry, AI and ML are primarily used to improve processes in trading, advice, risk management and compliance.

Limits and risks in practice

The use of AI also has its risks: AI models are often not explainable and are difficult to verify. There is also a risk that AI models are based on data imbalances or prejudices. This can lead to a distortion of the results (bias) and may have unintended consequences, such as discrimination against customers. In addition to the damage they can cause to customers, discriminatory actions on the part of AI can result in liability and reputational risks for AI system providers and operators.

Risks to financial stability may arise from new dependencies on third parties, in particular on large cloud and AI model providers. The reason for this is a strong market concentration on a small number of providers. Furthermore, AI could give rise to herd behaviour. The risk is that general use of the same AI information processing and automated trading strategies will result in a very large number of market participants behaving in a similar way.

Quantum computing: early protective measures necessary

For there to be a breakthrough in powerful and stable quantum computers, technological hurdles still need to be overcome. There must be sufficient computing power available, for example, and the complex physical framework conditions necessary for state-of-the-art quantum computing (QC) must be met. Common quantum computer concepts require cooling at temperatures close to absolute zero, for example.
Various applications are already being researched in the financial services sector, in areas such as risk management and portfolio optimisation. In future, the industry will be dependent on the services of large technology providers for such applications.

A breakthrough in quantum computing will pose risks for the financial sector. Now is the time for companies in the financial sector to take appropriate IT security measures. One example of the urgency of this situation is the “harvest now, decrypt later” problem.

Cryptoassets: upward trend after scandals

Following scandals and the collapse of major providers in 2023, the crypto market had shrunk to a tenth of its 2021 trading volume. By the end of October 2024, total market capitalisation had doubled compared to the previous year (see Figure 15). This growth was largely due to the rise in the price of Bitcoin, which was spurred by the introduction of spot Bitcoin ETFs in the US in January 2024. Other cryptoassets also achieved significant price gains in the same period.

Following the presidential elections in the US, the crypto market has continued to grow and has since reached new all-time highs, most recently at the beginning of December at approximately 3.6 trillion euros (see Figure 15). Investors’ expectations that the legal framework for crypto trading in the US would be relaxed in future, which could lead to stronger demand, have had a significant impact on this price performance.

Bitcoin remains the dominant cryptoasset. At the end of 2024, the Bitcoin price reached a new record high of just under 103 thousand euros. This constitutes a 2.7-fold increase compared to the previous year. Among the key trends in the crypto market are the growth of liquid staking and the increasing tokenisation of both traditional financial instruments and real-world assets (RWAs). With liquid staking, users receive alternative derivative tokens in return for the tokens they have deposited. They can then use these alternative tokens and thus, for example, generate returns on their staked assets.

Figure 15: Market capitalisation (all cryptoassets) (Source: BaFin diagram using data from coingecko, as at 1 December 2024)

Cryptoassets can influence the traditional financial market if they are used as collateral for loans or if the reserves of stablecoins tie up significant portions of the available short-term money market instruments. Despite the high trading volume of cryptoassets, there was no systemic risk to the German financial market at the end of 2024 (see Figure 16).

Figure 16: Development of trading volumes in cryptoassets (Source: BaFin diagram using data from coingecko, as at 1 December 2024)

BaFin's line of approach

  • BaFin uses its forum “FinTech Dialogue” to discuss new technologies and business models with market participants, technology service providers and other stakeholders.
  • BaFin also organises “BaFin Pop-Up Embassies”. This event format offers start-ups information on various topics, particularly those related to authorisation. The aim is to provide companies that have innovative business models with more low-threshold information on current regulatory and supervisory issues. At the same time, BaFin will be using the format to communicate supervisory expectations on innovation topics at an early stage. The format is designed to further improve the exchange with fintechs.
  • BaFin will analyse the supervised entities’ current practices and plans for dealing with AI and ML. On this basis, it will communicate its updated expectations and assess the risks associated with the use of these technologies.
  • BaFin will also analyse developments in innovative payment methods and systems in order to identify supervisory implications in good time. It will be keeping an eye, for example, on the topics of tokenised commercial bank money, stablecoins and digital central bank money.


2. Sustainability

Environmental, social and governance (ESG) risks continued to be important for companies in the financial sector in 2024. This trend will continue in 2025. The challenges of implementing effective measures to limit climate change will play a key role here, as will the increase in physical risks. BaFin will therefore focus in particular on how supervised entities deal with physical risks.

Climate risks: impact via two channels

On the one hand, climate change is affecting the financial sector through physical risks. These risks arise from the specific impact of climatic changes, such as extreme weather events. Physical risks give rise to enormous financial losses and personal injuries and can have an impact on banks’ loan portfolios or insurers’ loss amounts, for example. There is an upward trend in physical risks due to factors such as unabated global warming. This was most recently demonstrated by the devastating rainfall and flooding in Spain in the autumn of 2024.

On the other hand, climate change has an impact by way of transition risks. Sudden market price corrections can result from changes in social requirements, climate policy decisions and technological innovations. A specific example of this is the new version of the German Building Energy Act (Gebäudeenergiegesetz), which sets out higher requirements for the energy performance of buildings. These requirements could potentially have consequences for the valuation of properties and therefore also for their value as collateral in the real estate loan business.

Various priorities at banks and insurers

According to the 2024 stress test conducted by BaFin and the Deutsche Bundesbank at less significant institutions (LSIs) and a BaFin survey conducted in 2024 on how LSIs and insurance companies were dealing with the financial consequences of climate risks, banks are already considering physical and transition ESG risks as risk drivers in their risk inventory. However, banks have not yet seen any material impact on the main types of risk.

In the same BaFin survey, insurers stated that their predominant focus was on physical risks. This is consistent with empirical evidence: claims incurred due to natural disasters have been on the rise for several years. Insurers also indicated that they considered transition risks to be particularly relevant in the context of capital investment. In contrast to banks, insurers’ self-assessments generally consider physical risks to have a material impact on the main types of risk.

BaFin gives more weight to physical risks in supervision

BaFin has intensively analysed physical risks on the German financial market (see Figure 17). For example, it has analysed selected banks and insurers that are particularly at risk due to extreme weather, supply chain dependency or concentrated credit and market risks. According to BaFin’s findings, supervised entities have generally made progress in managing their sustainability risks. However, there is still room for improvement.

Challenges include the integration and processing of more granular data on physical climate risks. Banks and insurers have to draw on several sources of information in order to assess individual natural hazards, for example. Banks in particular are still in the early stages in this regard and are currently focusing on building up their data basis. Some of the ESG scores they use when granting loans are of relatively little informative value.

Figure 17: Physical risks mean risks for the financial sector (Source: BaFin diagram, as at December 2024)

Banks and insurers are sometimes closely linked through risk transfers, particularly in the area of real estate loans and the protection of collateralised properties against natural disasters. It remains difficult to assess the probability of occurrence and potential losses as well as the future insurability of climate risks, since the risk situation is changing and historical data is only of limited value. To put this in context: banks often transfer risks to insurers and reinsurers. Insurers sometimes also pass on the risks to the capital market. In such cases, it is difficult to understand who ultimately bears the risks.
From BaFin’s perspective, supervised entities must deal extensively with the physical risks, since these can result in high costs in the short term, including for banks and insurers.

Greenwashing: information often not comprehensible

Greenwashing can damage trust in a functioning market. The risk of greenwashing is still high because there are as yet no clear definitions for sustainability characteristics. There is currently a heated debate about whether certain investments are suitable for sustainable products. This is the case, for example, with investments in military equipment. BaFin recommends clearly highlighting such investments in products that are advertised as sustainable. This would prevent misleading information from being passed on to consumers.

At present, the information published regarding the sustainability impact of products and services is not always easy enough to understand. This was reflected in a non-representative sample of disclosures made in accordance with the EU Sustainable Finance Disclosure Regulation (SFDR), which BaFin conducted in 2024: the supervised entities often formulated the pre-contractual information in general language and used unspecified terms to describe the sustainability characteristics.

They also frequently used ESG ratings to assess the suitability of the companies in which they invested. However, these ratings often assess a company’s financial climate risks – such as the extent to which climate change could harm the company itself. The question of whether such a company itself has a positive impact on sustainability aspects – i.e. whether it is itself making efforts to protect the climate, for example – sometimes plays no more than a subordinate role in the ratings.

Financial market participants should therefore give ESG ratings careful consideration before deciding to adopt them. They need to understand what these ratings represent and to what extent they are suitable for appropriately assessing the sustainability characteristics of a financial product.

BaFin's line of approach

  • BaFin will continue to deal with physical risks in greater depth in 2025. It will present the results of its survey of LSIs and insurers for discussion at venues such as the third Sustainable Finance Conference.
  • Furthermore, BaFin will analyse how selected supervised entities deal with physical and transition risks in their risk inventory. It will also analyse the role that adaptation to climate change and environmental risks play for companies. Environmental risks also include the loss of biodiversity.
  • As part of its ongoing supervision and by means of spot checks, BaFin will review how companies in the financial sector are fulfilling the requirements of the EU Sustainable Finance Disclosure Regulation (SFDR).
  • BaFin will be carrying out its new supervisory tasks under the EU Corporate Sustainability Reporting Directive (CSRD), which must still be transposed into national law.
  • BaFin will also examine how it can make even greater use of its powers under prospectus law to prevent greenwashing – for example by prohibiting the advertising for a securities issue if it contains false information regarding sustainability.
  • BaFin will be supporting national, European and international bodies in reducing the complexity of ESG-related regulation and in making it more consistent, for example with regard to transition plans. At the same time, BaFin will contribute ideas regarding practicable disclosure obligations for investors.
  • BaFin will conduct analyses of climate risks in the real estate sector.


3. Geopolitical turmoil

The current economic, political and military tensions are giving rise to significant economic costs, such as higher energy prices and supply chain problems due, for example, to sanctions. Geopolitical risks have again increased in recent years, as shown in the corresponding index (see Figure 18).

Figure 18: Index for geopolitical risks (100 = average from 1985 to 2019; 30-day moving average)

Geopolitical developments: drivers of known risks

Geopolitical upheavals can have far-reaching effects on the entire financial system. Although they are not an independent type of risk, they can influence and even exacerbate the risks relevant to supervision. For example, geopolitical upheavals are key risk drivers for the credit and liquidity risk of supervised entities.

The German financial system is highly vulnerable to geopolitical shocks. One reason for this is Germany’s strong international trade links – the export ratio was 43.4% in 2023. Another reason is that the financial sector itself is highly interconnected internationally.

In 2024, protectionist and isolationist tendencies could be observed worldwide. This trend may continue. An aggravation of the geopolitical situation could have a noticeably negative impact on the German economy and therefore also on the financial sector entities under BaFin’s supervision. This could happen, for example, in the event of a major trade dispute between leading economic powers or military conflict between countries that are important for global supply chains.

Growing geopolitical conflicts have also led to a further increase in the risk of terrorist financing.

Conflicts also shifting to the digital world

For some years now, geopolitical conflicts have been increasingly shifting to cyberspace, with a growing number of state-initiated attacks. The financial sector, other companies and critical infrastructure such as energy utilities were repeatedly targeted by cyberattacks worldwide in 2024. Other measures have also been aiming at unsettling and misinforming the population – by spreading false reports on social media, for example.

Another means of exerting pressure geopolitically would be for state players to increasingly assert influence over cloud infrastructure providers and payment service providers. There is a risk that these services would no longer be available if a conflict were to escalate. This would have a significant negative impact on the international transfer of data and funds.

Direct effects on the financial sector

Geopolitical upheavals can have a direct operational impact on companies in the financial sector – for example, if they become the target of state-initiated cyberattacks. This could involve the leaking of business secrets and customer data. Attacks on internet hubs or the power grid can also inflict damage on companies.

If sanctions are imposed on a particular country, companies are obliged to comply with them. This may also directly affect the activities and processes that supervised entities have outsourced to the respective countries. Geopolitical conflicts could also impact the liquidity situation of companies in the financial sector, for example if access to international financial markets were to be restricted by (de facto) capital controls.

In 2024, the risks for German banks due to the granting of loans to countries such as China, Taiwan and Russia were, in the aggregate, relatively low.

Indirect effects on the financial sector

Geopolitical turmoil can also have indirect effects on companies in the financial sector by causing the economic environment to deteriorate and volatility on the financial markets to increase.

There is also a risk that assets held by supervised entities could lose value as a result of geopolitical conflicts. This could be the case, for example, where loans and bonds are issued to companies that are encumbered by protective tariffs or import restrictions.

These indirect effects are more difficult to quantify and predict, but can have more dire consequences than the direct effects. It is therefore important that supervised entities have good risk management in place and conduct scenario analyses.

New risks due to structural adjustments

Geopolitical tensions often lead to structural adjustments in the economy, the financial system and political structures, resulting in de-risking and even decoupling. In economic terms, these measures are aimed at reducing dependencies and reorganising supply chains. Political measures include increasing defence spending, forming security alliances and stepping up the expansion of cybersecurity. In the medium term, this can reduce vulnerability to geopolitical shocks.

However, such adjustments will also give rise to new dependencies. If entire regions or business sectors become less attractive in terms of risk, trade and investment flows will shift – and concentrate on fewer countries. This may result in reduced risk diversification and elevate the risks to financial stability in the long term.

BaFin's line of approach

  • BaFin will continue to monitor the geopolitical situation and investigate the potential impacts on the German economy alongside the knock-on effects on supervised entities. For example, BaFin will assess whether the loans issued by certain supervised entities are concentrated in particular regions, companies or industries that are affected by difficult geopolitical circumstances – for example, by developments in regions affected by war and crises, terror events, sanctions or measures to limit market access or major disturbances in value chains.
