Check against delivery

Ladies and Gentlemen,

Ernest Hemingway is reputed to have said that “I never knew of a morning in Africa when I woke that I was not happy.”¹ And I certainly felt the same this morning, as I pushed aside the curtains in my hotel room. I would have loved to take a tour to Table Mountain or drunk a coffee on Llandudno Beach. But of course I know that I have an equally pleasurable meeting here with you today. The beauties of this wonderful city and this diverse country will have to wait.

Back home in Germany, we usually start the year by taking a look at the challenges facing us in the coming years. And I am sure most of you will do the same. This isn’t always easy when it comes to the financial markets. Often they’re too unpredictable, and again and again we find ourselves blindsided by unexpected new developments. Take 2007/2008, for example. Even most insiders and experts didn’t foresee the major crisis that befell almost the entire financial sector. And the few economists who did forecast what would happen more or less accurately were either laughed out of court or written off as notorious pessimists. Back then, after years of growth, hardly anyone could imagine that banks would fall over like dominoes. We are all wiser now. At the latest we learned our lesson on 15 September 2008, when the collapse of investment bank Lehman Brothers triggered dramatic turbulence on the global financial markets.

The regulatory response wasn’t long in coming: as early as November 2008, the G20 heads of state and government formulated a new regulatory framework. This was designed to help us supervisors better protect the public good of financial stability and mitigate the destructive power of crises. All financial markets, all products and all market participants should be regulated but – and this is the decisive point – as appropriate. Why? Because appropriate regulation leaves room for freedom and makes the play of economic forces and prosperity possible in the first place. The goal was for the new regulations to be efficient but not to stifle innovation.

Ten years have now passed since the last crisis – time enough for the reforms to take effect. No new major crises have occurred since then and it would be tempting to say post-crisis regulation was a complete success, and that we can lean back and leave the financial markets to look after themselves.

However, what we should actually be saying is that the financial markets have become safer – gaps in financial regulation have been closed and more powerful supervisors are now checking that laws and regulations are actually observed. Nevertheless, it would be fatal to let the markets off the leash again. It was precisely this laissez-faire attitude that was partly responsible for a financial crisis of such proportions arising back in 2007. And this is why we must avoid returning to such lax regulation at all costs. Nobody and nothing – neither the financial sector nor its clients nor financial stability as a public good – would be served by dismantling the regulatory and supervisory framework that we have so laboriously constructed. Otherwise, we will find ourselves right back in the regulatory hog cycle in which deregulation is followed by a crisis, which is followed by a new wave of re-regulation.

That having been said, it is perfectly acceptable and indeed necessary to continue reviewing and adapting regulatory and supervisory activities. In such a dynamically changing world, regulation is a never-ending process and adjustments have to be made all the time. This is true in particular in the field of substantive law – for example, following the financial crisis a large number of major frameworks were enhanced or developed to reflect the changes in market conditions. Key reform packages here include Basel III for banks and Solvency II for insurers. Increased equity ratios and liquidity requirements, and improved risk management are some of the key elements needed to ensure financial market security. They provide fundamental insights into the current situation at, and stability of, institutions. In addition to these prudential and balance sheet indicators, there has also been an increasing focus on the behaviour of financial market participants. Both these approaches are important, because psychological phenomena such as greed and ignorance were also partly responsible for the financial crisis; the crisis also showed a need to better protect consumer interest. This area of supervisory activity – conduct regulation – is just as important as solvency-based activities and is growing in significance as new rules and regulations come into force.

Codes of conduct, transparency and documentation requirements, and rules for product development and distribution are all needed to ensure fair conditions on the financial markets and to better protect investors and consumers. Recent examples in Europe include the Markets in Financial Instruments Directive, MiFID II, and the Markets in Financial Instruments Regulation, MiFIR.

It is right in principle to strengthen conduct supervision: particular attention should be paid to consumers since they are at a structural disadvantage in comparison to providers and professional investors. To put it another way: If you want to work with customers’ money, you have to earn the trust of individual consumers first. They do not have the same knowledge, nor do they have their own legal departments to help them make sense of the small print and assess promised returns. For example, a failure by providers to adopt a customer-centric approach to their products and services quickly reveals their management attitude. We can see this directly in our conduct supervision. It is also possible to spot trends thanks to our product governance activities, for example. This refers to the supervisory tasks we perform during the product design phase. For example, we consider the purpose and target customers for a financial product. Customer complaints are another source of insights. Customers generally react extremely sensitively to irregularities in business operations. Safeguarding consumer interests is therefore one of the key motives for conduct supervision.

Nevertheless, it is important that conduct supervision does not lead to so many and so complex regulations that they call the broad-based supply of financial products into question. That would not be a sensible regulatory objective. If offering certain forms of investment is no longer worth it or is associated with incalculable legal risks, then at some point supply of these products will dry up. This would definitely not be in consumers’ interests. Therefore, we should not stop walking the fine line of appropriateness in conduct regulation, either.

Incidentally, I am assuming that conduct regulation will become increasingly important in emerging markets, too, in the coming years – and not just because regulation will increase in general in these markets. Emerging markets are also pursuing the goal of financial inclusion, and this means that the conduct requirements to be met by financial services providers will play an increasingly important role here, as will supervision of compliance with rules of conduct. Not least because misconduct by market participants, which can happen in all markets, is increasing the significance of this issue.
Whether conduct supervision also takes on a more prominent role in the emerging markets, is, above all, a political decision. However, international standards setters such as the Basel Committee, the IAIS and IOSCO are key drivers and stakeholders of financial market regulation. In line with this, I warmly welcome the chance to regularly share information and views here as well.

Ladies and Gentlemen,

The recent crisis has led to supervisors revising their activities in another area as well: where micro- and macro-supervision meet. The goal here should be to allow us to assess risks well enough to avoid macroeconomic developments bringing nasty surprises on micro-supervisors again. The following questions needed answering, among others: what happens to bank loans if a property bubble bursts? What happens to banks’ and insurers’ own investments if stock or bond prices tank? What happens to maturity transformation in a low interest rate environment? What if political risks impact key focus markets?

We conducted a long search for suitable indicators, which we now use in the form of the countercyclical buffer (CCyB), the systemic risk buffer and other macroprudential tools. Many jurisdictions have already introduced a CCyB. In the EU, we can even use the systemic risk buffer for detailed sections of markets or product ranges. This corresponds to my philosophy of risk-based supervision.

Ladies and Gentlemen,

Allow me at this point to mention two megatrends that will continue to occupy us in 2020. One of these is climate change. The fact that its impact is not limited to global warming, but is also a potential threat to financial market stability, is now sufficiently well known. As supervisors – and this is where the link between macro and micro continues – we need to act here. After all, it is our job to guarantee the financial markets’ integrity, stability and ability to function. However, companies must also keep an eye on their sustainability risks, and manage them adequately.

Many companies are also ready to make capital available for sustainable, economically sensible projects. This is only right and proper, but should not blind them to the risks involved. Simply investing in something because it’s green most certainly does not automatically eliminate or reduce risk. After all, risks aren’t limited to brown investments – green ones have them, too. Risk must remain the decisive criterion for investments in all cases. If not, there is a danger not only of significant misallocations of capital, but also that we will be quietly sowing the seeds of the next financial crisis. Not only would that be negligent, it would also be the opposite of sustainable finance. As a result, I think that giving privileged status to green investments or loans – such as by relaxing capital requirements, as is being discussed in some places in Europe – is wrong, whereas including sustainability risks in banks’ risk management is highly advisable – actually it is necessary.

What I am also hearing time and again from European industry is the call for a coherent taxonomy, which would clarify what is to be regarded as “green” and what not. I can only second this demand. This is why, at the European level, the European Commission is systematically driving forward its work on such a taxonomy. What’s important to me is that we shouldn’t cast every last detail of any such taxonomy in stone. It is in the nature of this project that we shall have to make repeated changes in the future. A principles-based approach would be a good decision here.

It goes without saying that anyone talking about the challenges facing supervisors and the financial community also has to mention digitalization. This opens up promising opportunities for the financial sector and also offers access to financial services to people who previously had none. There are currently 1.8 billion people in the world with no access to banking services, many of them in Africa.

If I look at the African continent, the first thing that comes to mind is a digital financial technology that is already well established on the market and that has improved the lives of millions of people – Safaricom’s M-Pesa mobile payments system² is certainly an example. Launched in Kenya in 2007, M-Pesa is now active in many other African countries as well. I don’t have to explain to you how this electronic payments system works. But let me say that mobile phones and smartphones are the key to financial inclusion, as well as being the driver for further financial innovations in Africa. There's a well-known saying that Africa has “more phones than toothbrushes”. The potential offered by this and other technologies is far from exhausted. Africa is leapfrogging the first stage of digitalisation and is increasingly focused on the new mobile telecommunications standard, 5G. Fintechs and start-ups are both driving this new mobile telecommunications standard and profiting from it – for example from the exponential growth opportunities resulting from the enhanced scalability of digitalised business models and processes. As we all know, it's difficult to make predictions, especially about the future. Nevertheless, it's safe to assume that some of the fastest-growing future start-ups will come out of Africa.

Digitalisation brings many benefits – particularly financial inclusion for many people – but the downsides should also not be ignored. Even with the M-Pesa mobile payments system, criminals try again and again to hack into users’ phones and then siphon off their money illegally.

The dangers that can face financial institutions as a result of both internal IT problems and external cyberattacks are a real challenge. Not only for individual institutions but also, depending on their extent, for financial stability as a whole. Anyone – be they a mere criminal or a terrorist – who wants to damage an economy will have the banking sector firmly in their sights.

M-Pesa is only one example – and overall financial markets are becoming more and more attractive for cybercriminals due to their high level of digitalisation. Banks are exposed to the biggest cyber-risks. They can lose millions within minutes. A successful attack could raise serious questions for a bank and its customers alike – and can threaten overall financial stability.

One well-known example is the cyberattack on the central bank of Bangladesh in 2016, which ultimately led to losses of 81 million dollars. Although this particular amount did not pose an existential threat to the bank, it could have been much higher, which would have been very dangerous. In other successful attacks on European banks, the Bank of Valletta (Malta’s second-largest bank) had to go offline for several days, while a medium-sized northern German bank, the Oldenburgische Landesbank, lost 1.5 million euros in an attack by cybercriminals from Brazil.

The moral of the story for us as supervisors and regulators is that we should be prepared. And we have to accept that we are vulnerable. IT security will never be absolute; technical progress is much too rapid for that. But to conclude that we therefore shouldn’t do anything at all would be a grave mistake. Especially since such attacks normally do not stop at national boundaries. The more integrated and global the financial sector becomes, the greater the risks are that a potential cyberattack can pose.

This is all the more reason why we must address the issue at a global level as well. And I am glad that there is awareness of the problem at this international level. One good example is the cyber exercise conducted last summer by the G7 nations, which demonstrated impressively how important cross-sector, international cooperation in this area is. Well-functioning crisis management and crisis resolution processes are an absolute must when crises hit. Regular drills and tests should therefore be a matter of course – including at international level. Prevention is still the best form of defence.

In the case of the European financial market, the European Central Bank (ECB) has developed a dedicated framework for such cyber exercises: the TIBER-EU framework. This allows banks to test their cyber resilience under quasi-realistic conditions. It simulates cyberattacks on a company by ethically motivated hackers under controlled conditions.

In addition to prevention, supervisory requirements are another tool in our arsenal that we should use to improve our cybersecurity. And here, too, we should think beyond borders wherever possible. In Europe, we published guidelines at the end of 2019³ establishing information security and IT governance requirements for European banks that are as consistent as possible. In addition, in Germany BaFin published its Supervisory Requirements for IT in Financial Institutions (known in German for short as BAIT), plus equivalent versions for insurers and asset management companies known as VAIT and KAIT respectively. These are designed to raise awareness of the risks run as well as strengthening security standards in the enterprises concerned.

I also know that the Bank of Ghana published a Cyber & Information Security Directive for financial institutions in October 2018. This requires senior managers and boards of management to play an active role in enhancing cybersecurity. In addition, all banks in the country are required to appoint a cyber- and information security officer (CISO). The Central Bank of Nigeria (CBN) has also announced that it will be developing a risk-based cybersecurity framework for banks and financial institutions.

Ladies and Gentlemen,

I hope this little tour d’horizon has given you a good impression of the challenges facing us in 2020.

With many of the challenges we shall be dealing with, we should not lose sight of the fact that close cooperation across national borders is a key driving force for, and guarantee of, financial market stability. Bodies such as the BCBS-FSI are therefore a crucial platform for mastering financial market challenges in the future, too. Thank you very much.

Footnote: