
Portrait of Mark Branson, President of BaFin. © BaFin/Matthias Sandmann

Published: 26.01.2024

Where does BaFin see the greatest risks?

Statement by BaFin President Mark Branson at the press conference on 23 January 2024

Check against delivery

Ladies and Gentlemen,

Happy New Year and welcome to our press briefing!

We see it every day: our world is moving faster, becoming more digital, more interconnected. At the same time, it is becoming increasingly vulnerable to disruptions.

Last February, thousands of passengers at Frankfurt airport experienced precisely that. Their flights were cancelled and they were stranded for hours. Why? Because fibre optic cables had been damaged during engineering works on a railway line several kilometres away.

The fact that such an accident underground could disrupt travel thousands of metres in the air is an example of how dependent we are on digital infrastructure. And how interconnected we are. Everything is interrelated, whether or not the connections are visible and regardless of physical proximity. It is therefore no longer possible to understand in advance the knock-on effects of an incident.

In the world of finance, operational interdependencies are growing with remarkable speed. The financial world has a highly complex nervous system, and countless new synapses have been formed in recent years.
This has also made it more vulnerable. Cyberattacks or the breakdown of internal IT systems can have severe consequences that reach far beyond the affected company.

Such technical disruptions pose risks even if they do not occur at banks or insurers themselves: sudden problems at third-party service providers can also compromise the system.

But technical interdependencies are not the only threat to financial stability. Growing political tensions are creating an increasingly unpredictable environment, particularly for export-driven companies. This also affects their banks and insurers. I will go into more detail here later.

For years now, companies have been fragmenting their value chains by outsourcing tasks and processes to third-party service providers. This is possible because many services and processes are based on IT applications. Data can be transferred quickly and easily. Banks are also entrusting numerous processes, such as account opening tasks, to third parties. This allows them to make use of economies of scale, reduce costs and increase profitability. A further advantage lies in the fact that IT service providers are able to perform many services more efficiently and sometimes more securely than would be possible within the outsourcing company.

But this fragmentation has also resulted in dependency and market concentration. The potential consequences of this have been included among the top risks in BaFin’s focus for this year.

In some sectors in Germany, a small number of specialised IT service providers serve a large proportion of banks. The situation is similar in the insurance industry. Disruptions at one of these multi-client service providers can immediately spark anxiety in the financial system. Numerous institutions could lose access to services at the same time. This could be especially problematic if it were to affect critical processes on which banks and insurers are heavily reliant, such as payment processing.

And it is made even more complex by the involvement of subcontractors that carry out tasks for the IT service providers. Disruptions at a subcontractor can impact the entire value chain. Such interdependencies and risks are particularly difficult to predict – making them all the more difficult to control.

Just think of the attack by the cybercriminal group Clop last summer: the attackers exploited weaknesses in the data transfer program MOVEit. Around the world, thousands of companies and their customers were affected by data leaks. These include a large number of German financial institutions and insurance companies that work with third-party customer service providers that use this program.

At BaFin, we are monitoring this issue with increasing intensity. We are trying to understand outsourcing arrangements and their associated risks as comprehensively as possible. Only then can we take appropriate action to mitigate the risks. This analysis is aided by our outsourcing database, which we have been filling with data for a little over a year now. So far, around 1,900 companies in the financial sector have reported around 20,000 outsourcing arrangements. That’s an average of 10 outsourcing arrangements per company. Although there is considerable variation: some companies have reported over 100 outsourcing arrangements.

We want to ascertain which service providers are operating on the German financial market, and who they are working for. We have been closely monitoring certain critical service providers for several years.

The Digital Operational Resilience Act (DORA) provides an important opportunity. Thanks to DORA, supervisory authorities in Europe will be much better placed to identify interconnections and market concentrations at service providers.

But above all, companies themselves also have a role to play: they should have a Plan B to keep their processes running even if their service providers are down. They need to ask themselves whether, in a worst-case scenario, it would be possible to perform the outsourced processes internally. For a significant number of banks and insurers the honest answer would be no. Our database shows that for around half of the outsourcing arrangements reported, companies believe it would be difficult or impossible to reintegrate the outsourced processes into their own systems.

Would it be possible to transfer these processes to another third party at short notice? Many companies in the financial sector would have to answer no to this question too. Other providers would likely not have sufficient capacity to take on new customers. And even if they did, switching provider can often take a very long time. Particularly when it comes to cloud services.

BaFin has therefore been monitoring the resilience of large cloud service providers for some time now. DORA will make it easier for us to influence cloud service providers in future – in spite of their considerable market power.

This applies to all service providers that perform essential services and that cannot easily be substituted. They must get used to very close monitoring. Which means they must be open, transparent and cooperative towards supervisors. In the recent past, supervisory authorities haven't always had the best experiences in this regard. This has to change under DORA.

Disruptions at IT service providers are often caused by internal IT glitches. But that is not always the case. Cyberattacks are also a serious threat. The number of incidents has been increasing for years. According to the Federal Office for Information Security, the threat has never been so great in Germany.

We take this very seriously. In future, we intend to create a regular overview of cyberrisks specifically for the financial sector. And we are organising crisis and contingency planning exercises and simulations. We want to know precisely what cyber threats the financial industry is facing. And where the companies under our supervision, alongside their IT service providers, are most vulnerable.

We also want to make greater use of penetration tests: these tests simulate hacker attacks on companies’ critical systems and reveal possible weak points.

Companies must have their IT risks under control. In the past year alone, we carried out inspections to take a closer look at the IT systems of around 20 financial institutions, including insurers.

When our inspection team identifies shortcomings in a company’s IT security, we don’t hesitate to take action: for example, we impose capital add-ons until the problems are solved and institutions are able to better manage their risks.

Companies must also be aware that their geographical reach can – sometimes very suddenly – turn into a risk. This doesn’t only apply to cyberrisks and outsourcing.
It can also affect foreign subsidiaries and branches where a number of critical activities are concentrated, including underlying IT processes.

Some such companies and branches were in the past located in Russia. After the Russian invasion of Ukraine and due to the sanctions subsequently imposed, these companies were unable to continue their operations and had to relocate them.

Of course, the risks of sanctions for the financial system extend far beyond the IT infrastructures of individual institutions. They almost always target companies in the financial sector of the relevant countries – and therefore also impact the German subsidiaries of these companies. We have seen the possible effects of this at VTB Bank Europe. Sanctions were imposed on the bank’s Russian parent company immediately following the outbreak of the war.

At that point, the bank held deposits of around five billion euros, primarily from German retail customers. We isolated the bank from its Russian parent company and wound down its business step by step. Through this orderly process we were able to avert financial losses for depositors and avoid burdening the protection schemes.

Alongside armed conflicts, other political tensions are also increasing. Many governments now divide the world into two camps. In one camp are countries assumed to share their values. They want to work more closely with these countries and strengthen their ties. In contrast, they are cutting back or entirely eliminating trade relations with countries from the other camp. These divisions can change very quickly: friends can quickly become enemies – and vice versa.

This is a problem in particular for German companies, which have a strong international focus. Sales markets with a lot of promise can become unattractive from one day to the next. And supply chains once deemed stable have proven vulnerable.

This can also impact German financial institutions, for example when borrowers operate in an industry that is closely connected to a particular country. What happens when that country is suddenly no longer in our camp?

Companies in the financial sector cannot protect themselves entirely against events of this kind, or against other unforeseen developments. But they must manage their risks.

They should focus on identifying and mitigating their geopolitical concentration risks. It is not sufficient to simply include country risk in their loan or trading books. They should go further, thinking in terms of possible scenarios and taking account of second and third-round effects. And they must also have a Plan B at hand for operational risks. This comes at a cost.

But it is the only way to increase their resilience.

And the time to do that is now.

Many institutions in the financial industry are currently reporting strong to very strong profits. They are benefitting from a kind of temporary boom. Their interest income has increased, and at the same time not all negative effects of the interest rate increase have been felt yet. They should make use of this momentum.

These profits should not only benefit shareholders. They should also be used to build reserves for more difficult years. Institutions shouldn’t underestimate risk provisioning needs, and, more than ever, companies should be investing in their operational security and stability. The money is there.

But more difficult times lie ahead. Increasing financing costs and the weak economy are placing a strain on many companies, and on consumers. The effects of this will become clearer in the near future.

We have to expect that insolvencies will rise again and that real estate markets will not recover quickly.

Conditions will become more difficult for institutions than in 2023. It is therefore all the more important that they continue to strengthen their resilience.

And now I look forward to your questions.
