BaFin publishes its 2026 Risks in Focus

Written by

Dr. Michael Huertas

RegCORE Client Alert | German Regulatory Developments

QuickTake

On 28 January 2026, Germany’s national competent authority (NCA), the Federal Financial Supervisory Authority (BaFin), published its 2026 edition of BaFin’s “Risks in Focus” (RiF), available in English and German, identifying the key challenges for the German financial sector in the coming year.

The publication reflects the impacts of geopolitical upheavals, ongoing digitalisation and the growing importance of sustainability and consumer protection. At its core are nine priority risks that affect both the stability of the financial market and the safety and interests of consumers. BaFin places particular emphasis on cybersecurity, market stability and the further development of regulatory measures. Additionally, the 2026 RiF expressly incorporates consumer risks alongside prudential risks, reflecting BaFin’s integrated supervisory model and indicating enhanced oversight of product governance, disclosure and distribution conduct in retail‑facing segments.

This Client Alert assesses the implications of the 2026 RiF, how it compares to the 2025 edition and the key considerations for regulated firms. Readers of this Client Alert may wish to consult thought leadership publications from our Risk & Regulatory colleagues.

How the 2026 RiF compares to the 2025 edition

What stays constant from 2025 to 2026

BaFin’s prudential focus on six core risks is largely unchanged: significant corrections in international financial markets; defaults in corporate lending; vulnerabilities in real estate (with emphasis on commercial real estate (CRE)); severe cyber incidents; deficiencies in anti-money laundering and countering the financing of terrorism (AML/CFT); and concentration risks in outsourced information and communication technology (ICT) services. These were already foregrounded in 2025 and remain central in 2026. BaFin continues to frame these against three structural trends: digitalisation, sustainability and geopolitical upheavals.

  • International markets: Fragility due to high valuations, rates and geopolitical tensions.
  • Corporate credit: Weak German macro, rising insolvencies and non-performing loans (NPLs) and tighter lending standards; spillovers via private debt exposures affecting banks and insurers.
  • Real estate: CRE remains fragile with significant refinancing risks.
  • Cyber and ICT: High cyber threat level; frequent ICT incidents often due to changes/updates; heavy reliance on a few ICT providers creates systemic third-party risk.
  • AML/CFT: Elevated market exposure and growing risks from new payment methods.
  • Structural trends: Digitalisation, sustainability and geopolitics remain cross-cutting themes.

What changes in 2026

  • Scope expansion to consumer risks: For the first time, BaFin formally integrates consumer risks with dedicated chapters, reflecting an integrated prudential-consumer supervisory approach. New focus areas include consumer credit financing, crypto-asset investment (influenced by social media) and costs of life insurance policies.
  • The implementation of the Digital Operational Resilience Act (DORA) matures, with BaFin functioning as the central incident reporting hub from 17 January 2025. This has led to notably higher reporting volumes than under the second Payment Services Directive (PSD2) and covers a broader set of in-scope entities. BaFin is also operationalising coordination with the EU Supervisory Coordination and Information Forum (EU-SCICF), which facilitates cooperation among EU financial supervisors, and follow-up on threat-led penetration testing (TLPT).
  • New oversight of critical ICT third parties: In a major development, the European Supervisory Authorities (ESAs – collectively the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA)) have designated critical ICT third party providers under DORA and BaFin will now contribute to their EU-level supervision via Joint Examination Teams (JETs).
  • New liquidity tools and buffer adjustments: A new requirement for investment fund managers (in Germany, Kapitalverwaltungsgesellschaften, or KVGs) to implement liquidity management tools (LMTs) by April 2026 is a key change. BaFin is also preparing for upcoming insurer liquidity risk plan requirements.
  • Sharper focus on private debt and non-bank financial intermediary (NBFI) linkages: BaFin is escalating its analysis of bank and insurer exposures to the fast-growing private debt market, indicating a deeper level of scrutiny than in prior years.
  • Intensified CRE scrutiny: Supervisory focus on CRE is intensifying through targeted special examinations and deeper analysis of valuations and refinancing risk.
  • New AML/CFT enforcement priorities: For 2026, BaFin announced specific enforcement priorities, including a plan for at least 75 special examinations and a focus on the implementation of the 'Travel Rule' (requiring crypto-asset service providers (CASPs) to transmit certain originator and beneficiary information alongside transactions) for CASPs.
  • Preparing for new digital asset and AI rules: Reflecting market growth, BaFin flags the rapid expansion of stablecoins and is preparing for its new role as a market surveillance authority for certain high-risk AI systems under the EU AI Act.
  • Deeper sustainability supervision: While sustainability is not a new theme, BaFin's supervisory approach is evolving with deeper reviews of climate risk modelling, proactive anti-greenwashing actions and preparations for oversight under the Corporate Sustainability Reporting Directive (CSRD).
  • Internalising geopolitics in stress testing: A new expectation for 2026 is that firms must explicitly incorporate geopolitical risk channels into their scenario and stress test analyses.

These changes and continuing trends culminate in BaFin's nine priority risks for the year, which are outlined below.

Key takeaways from the 2026 RiF

BaFin’s RiF in 2026 identifies the following focus risks for the supervisory year ahead. The trend arrows indicate BaFin’s expected development of the respective risks and thus the supervisory scrutiny it may choose to apply:

  1. Significant corrections in international financial markets (↑)
  2. Default risks in corporate lending (→)
  3. Risks from commercial real estate markets (→)
  4. Cyber incidents with severe impacts (→)
  5. Concentration risks in the outsourcing of ICT services (↑)
  6. Inadequate prevention of money laundering and terrorist financing (→)
  7. Consumer credit financing (↑)
  8. Investments in crypto-assets and the influence of social media on investment behaviour (↑)
  9. Costs of capital-forming life insurance policies (→)

These nine specific risk areas are then complemented by two cross-cutting themes of supervisory relevance, namely:

  10. Sustainability (→)
  11. Geopolitics (↑)

The nine risk areas in detail – supervisory signals and EU context

1) Significant corrections in international financial markets

Despite headline market strength, BaFin identifies significant fragility in financial markets. Key drivers include high sovereign debt, stretched equity valuations (particularly in the US tech sector) and geopolitical tensions such as trade frictions, creating the potential for sharp market corrections.

This vulnerability is amplified by the sovereign-bank nexus and opaque interlinkages between banks and non-bank financial intermediaries (NBFIs), which could act as systemic transmission channels during stress events. In response, BaFin will continue targeted monitoring of capital market risks, including sovereign bond exposures, NBFI connections and sensitivity to US Dollar funding stress.

For firms, this signals a need for robust stress testing of USD liquidity and sovereign shock scenarios, while asset managers must ensure calibrated liquidity management tools (LMTs) are fully implemented by April 2026. Insurers should also prepare for new liquidity risk management plan requirements under the Solvency II amendments, effective January 2027.

2) Default risks in corporate lending

In the corporate lending sector, BaFin highlights elevated default risks driven by a weak macroeconomic environment and rising corporate insolvencies. While institutions are responding with increased provisioning and tighter underwriting, earnings pressure remains a concern.

The CRE market is a particular focal point, remaining fragile. Vulnerabilities are heightened by loan structures like non-recourse loans (where the borrower is not personally liable for the debt beyond the collateral) and bullet loans (where the entire principal amount is repaid at maturity, not amortised over the loan term), while open-ended real estate funds face liquidity pressures from outflows. BaFin will maintain the 0.75% countercyclical capital buffer (a macroprudential tool designed to ensure banks build up capital buffers during periods of excessive credit growth) and intensify scrutiny through cross‑sectional reviews and special audits.

Firms should anticipate close examination of sectoral concentrations, risk appetite and provisioning. It is critical to validate early warning indicators, ensure frequent and conservative collateral re-valuations and align the Internal Capital Adequacy Assessment Process (ICAAP) with stressed default scenarios. Asset managers must ensure their LMT governance can withstand outflow stress.

3) Risks from commercial real estate markets

The CRE market remains fragile. Rising non-performing loans (Q3 2025: Less Significant Institutions (LSIs) 4.4%, Significant Institutions (SIs) 6.4%), weak demand, valuation pressures and significant refinancing risk are key concerns. Vulnerabilities are further heightened by loan structures like non‑recourse and bullet loans.

Open‑ended real estate funds are experiencing significant outflows, leading some to suspend redemptions despite the availability of statutory LMTs. BaFin is closely monitoring the liquidity situation across these funds.

The implications for firms are significant. Banks should be prepared to evidence frequent and conservative collateral re‑valuations and demonstrate robust refinancing risk assessments. Asset managers must ensure their LMT governance and investor communication strategies can withstand severe outflow stress. Insurers should also carefully assess their indirect CRE exposures, particularly those held via investment funds.

4) Cyber incidents with severe impacts

The threat from severe cyber incidents remains high, exacerbated by geopolitical tensions and new AI-enabled attack vectors. Since DORA came into force on 17 January 2025, BaFin has acted as the central reporting hub, observing a marked increase in reported events. A related major concern is the concentration risk in ICT outsourcing, particularly the dependency on a small number of non-EU hyperscalers, which creates systemic risk and vendor lock-in. While the ESAs have designated critical ICT third-party providers for direct oversight, firms remain fully responsible for managing their end-to-end third-party risks.

5) Concentration risks in the outsourcing of ICT services

The increasing dependency on a small number of ICT service providers, particularly non-EU hyperscalers, is a key concern for BaFin. This concentration creates significant systemic risk, as demonstrated by recent outages that caused cross-sector disruptions. It also leads to vendor lock-in, limiting firms' flexibility and negotiating power.

While the ESAs have designated critical ICT third-party providers for direct oversight by JETs, BaFin emphasises that firms remain fully responsible for managing their end-to-end third-party risks and ensuring compliance with all regulatory requirements.

From 17 January 2025, BaFin acts as the national incident hub and contributes to the EU-SCICF and JETs; firms must complete the DORA build-out across governance, risk management, incident reporting, TLPT, ICT third-party risk management (TPRM) and registers of information. BaFin will leverage the register for system-wide analysis and continue oversight of multi-tenant providers in Germany’s financial groups and associations.

The implications for firms are significant. They must maintain a complete information register as required by DORA, conduct thorough pre-contract risk assessments and establish credible exit and portability strategies. Firms must also ensure that third-country providers meet all applicable EU entity requirements. BaFin is expected to use the data collected to perform system-wide analytics and may conduct deep-dive reviews into multi-tenant providers.

6) Inadequate prevention of money laundering and terrorist financing

Preventing money laundering and terrorist financing continues to pose a significant challenge, exacerbated by the fragmented nature of payment services and the growing prevalence of crypto-asset activities. BaFin highlights the need for distinct typologies and controls to identify lower-value transactions associated with terrorism financing. Due to persistent deficiencies identified at obliged entities, supervisory intensity will increase, particularly for high‑risk payment institutions and agents.

Firms are required to enhance their terrorism financing-specific risk assessments, bolster sanctions circumvention controls and refine typology libraries. This includes improving KYC/KYB processes and strengthening agent oversight frameworks, especially for payment institutions subject to the Payment Services Directive (PSD) and for e-money institutions (EMIs).

7) Consumer credit financing

BaFin explicitly elevates consumer risks as a core supervisory focus, reflecting its integrated model. This prioritisation addresses three key areas: escalating risks in consumer credit financing; retail investments in crypto-assets, particularly those influenced by social media 'finfluencers'; and concerns regarding the value and cost transparency of with-profits life insurance policies. The rise of crypto-assets also presents new market transmission channels, such as the potential de-pegging of dominant stablecoins. Firms operating in these sectors must reinforce product governance, enhance affordability assessments and improve value-for-money testing. For crypto-assets, this includes strengthened suitability and marketing oversight. Insurers are expected to provide evidence of fair value and ensure consistency between marketing materials and contract terms.

8) Investments in crypto-assets and the influence of social media on investment behaviour

The increasing retail exposure to crypto-assets, particularly those influenced by social media 'finfluencers' (individuals providing financial advice or content on social media platforms), elevates mis‑selling and fraud risks. The dominance of USD‑pegged stablecoins introduces potential de‑pegging and fire‑sale transmission channels into traditional markets. This is further complicated by large payment providers integrating blockchain rails outside the EU but with EU market impact and the growing retail penetration and market interlinkages illustrated by crypto-ETNs on Xetra.

Firms must enhance crypto appropriateness, suitability and marketing oversight (including on social media); monitor stablecoin liquidity interactions and treasury exposures; and calibrate market risk stress testing to de-peg scenarios.

9) Costs of capital-forming life insurance policies

BaFin has flagged consumer value concerns in capital-forming life insurance products. Scrutiny is expected to focus on cost transparency, performance net of fees and consistency between marketing materials and contract terms for insurance‑based investment products (IBIPs).

Insurers must be prepared to evidence fair value assessments, ensure consistency between prospectus and advertising materials and align product features with SFDR/SFAP claims where relevant.

Cross-Cutting Themes: Sustainability and Geopolitics

10) Sustainability

BaFin is deepening its reviews of physical climate risks (notably for non-life insurers and regionally concentrated banks), stepping up greenwashing controls and preparing to enforce sustainability reporting under the German CSRD implementation law. It may also update its Sustainability Risks Guidance.

Firms must strengthen physical risk data usage (geo-datasets, hazard maps) and modelling, ensure SFDR, fund names and MiFID II sustainability preference processes are consistent end-to-end and prepare for governance, controls and assurance pathways under the CSRD and its associated European Sustainability Reporting Standards (ESRS).

11) Geopolitics

In 2026, BaFin will intensify its supervisory activities across all identified risk areas. Market participants are called upon to continuously review their risk management systems and preventive measures, adapting them to this dynamic environment. BaFin will continue to rely on close cooperation with national and international authorities to strengthen the resilience of the financial sector and address new risks at an early stage.

These supervisory priorities translate into a range of practical implications for regulated firms, which are detailed in the following section.

Key considerations for regulated firms

BaFin’s supervisory priorities for 2026 will have distinct implications across different sectors of the financial industry. Regulated firms should anticipate targeted scrutiny in the following areas:

Banks

For banks, expect sustained intensity on credit risk (corporate and CRE), collateral valuation and provisioning adequacy, with a focus on ICAAP stress linkages, USD funding contingencies and sovereign rate shocks.

DORA readiness will be tested via incident trends, TLPT scoping and ICT third-party risk management, particularly concentration risk from hyperscalers. AML/CFT expectations will also intensify, focusing on terrorism financing typologies, sanctions evasion, agent oversight and crypto-related touch-points.

Insurers and pension institutions

For insurers and pension institutions, key priorities include preparing liquidity risk management plans, strengthening governance over alternative asset valuations (including indirect private debt) and enhancing physical climate risk modelling. Greenwashing controls will extend to all product documentation and marketing, while valuation uncertainty from geopolitical volatility must be reflected in risk appetite and the Own Risk and Solvency Assessment (ORSA), an internal assessment of overall solvency needs.

Asset managers and funds

For asset managers and funds, the mandatory implementation of LMTs by April 2026 and preparedness for real estate fund liquidity stress remain central. Crypto‑linked ETNs and associated marketing practices will face enhanced conduct scrutiny, while sustainability naming and disclosures must align with ESMA guidance and SFDR to avoid greenwashing.

Payments/e‑money and crypto-asset service providers

For payments, e-money and crypto service providers, there are heightened AML/CFT expectations regarding fragmented payment flows, agent networks and self‑hosted wallets. Operational resilience will be scrutinised due to incident trends and third-party dependencies. Firms with stablecoin exposure must conduct robust treasury, liquidity and redemption stress analysis.

Anticipating BaFin's supervisory approach

  • Special examinations and cross-sectional analyses: corporate credit, CRE, real estate funds, NBFI linkages, ICT multi-tenant providers and AML/CFT at higher-risk payment institutions.
  • Stress testing: SI/LSI supervisory stress tests emphasising default risk and CRE sensitivities, feeding into own funds guidance.
  • DORA execution: incident hub operations, the cyber “Lagebild” (situational picture), EU-SCICF participation and JET contributions on critical ICT providers; data-driven, system-wide analysis from the DORA register of information.
  • Sustainability and reporting enforcement: intensified physical risk reviews, greenwashing probes in funds/prospectuses/ads and CSRD/ESRS checks within accounting enforcement once implemented nationally.

Immediate action checklist for boards

  • Governance and risk appetite: Revalidate risk tolerances for market corrections, USD funding, sovereign rate shocks and CRE. Ensure scenario analyses integrate geopolitical and cyber escalation channels.
  • Credit and collateral: Tighten early warning triggers, refresh CRE valuations and refinancing risk reviews and align provisioning overlays with observed NPL dynamics.
  • DORA: Finalise incident taxonomies and reporting playbooks, map critical functions to ICT dependencies and harden exit strategies for hyperscaler concentration.
  • ICT TPRM: Maintain the register of information and evidence due diligence, portability and data location assessments, especially for third-country providers.
  • AML/CFT: Refresh enterprise-wide risk assessments for TF typologies and sanctions circumvention. Uplift monitoring for small-value patterns and crypto interfaces and remediate agent oversight gaps.
  • Conduct, products and sustainability: Reinforce suitability for crypto/thematic products and ensure marketing consistency with disclosures. Prepare for CSRD/ESRS assurance and align with SFDR and MiFID sustainability preference processes.

Reflecting the above in policy documentation and client-facing materials

To demonstrably manage the prudential and consumer risks identified by BaFin, regulated firms should prioritise targeted updates across their contractual documentation, internal policies, governance artefacts and controls. The following provides a structured checklist of key legal and documentation priorities:

  • ICT & Outsourcing Contracts: Update outsourcing and ICT templates to meet DORA minimums, including audit/access for authorities, subcontracting, exit strategies, support for threat-led penetration testing (TLPT) and incident reporting.
  • Cybersecurity & incident response: Align incident definitions and notification clauses with DORA and the Directive on measures for a high common level of cybersecurity across the Union (NIS2). Secure contractual rights for threat-led penetration testing.
  • Credit & lending documentation: Tighten lending/CRE terms for valuations, covenants, refinancing milestones and early warning triggers, aligning them with provisioning and collateral policies.
  • Liquidity management: Implement LMTs in fund documents and align depositary and distribution contracts to support their activation and related communications.
  • AML/CFT & sanctions: Refresh AML/CFT policies and agency/CASP agreements for the Travel Rule, TF typologies, sanctions controls and agent oversight.
  • Consumer protection & distribution: Re-paper influencer and distribution agreements with conduct, approval and takedown controls. Hard-wire product governance MI and fair value attestations.
  • Sustainability & disclosures: Align sustainability disclosures and marketing with SFDR, CSRD and MiFID sustainability preference processes. Strengthen greenwashing controls and data/vendor rights.
  • Data, AI & GDPR: Standardise data/AI clauses addressing residency, transfer, regulator access, security and AI Act-aligned responsibilities. Ensure GDPR compliance for data transfers.
  • Stress testing & geopolitics: Embed geopolitical and cyber channels into board-approved stress testing policies and link outcomes to contractual triggers with critical counterparties.
  • Governance & records: Mandate contractual MI deliverables from vendors to support regulatory reporting (e.g., DORA, AML). Maintain readiness packs for BaFin thematic reviews.

By prioritising contractual and policy enhancements, firms will be better placed to evidence that governance, risk management and disclosures are not only compliant on paper but effective under the stress profiles highlighted by BaFin for 2026.

Outlook and next steps

The 2026 RiF signals a significant supervisory pivot by BaFin, moving beyond a pure compliance-checking approach towards data-driven, cross-sectoral assessments of firms' practical resilience. The priorities are closely aligned with major EU-level initiatives such as DORA, the CSRD and the forthcoming anti-money laundering legislative package (which establishes the new Anti-Money Laundering Authority, or AMLA), but with a distinctly German focus on real economy credit risks, particularly in CRE and systemic ICT concentration risks. Firms must prepare for a more intrusive and evidence-based supervisory style, where the effectiveness of governance, risk management frameworks and disclosures will be rigorously tested against plausible stress scenarios.

In response, firms should move beyond siloed, project-based implementation of new regulations. The immediate priority is to embed these supervisory themes – from geopolitical risk scenario analysis to fair value assessments in consumer products – into board-level risk appetite, day-to-day controls and strategic planning. This requires a holistic approach, connecting the dots between DORA's operational resilience mandates, AML/CFT enhancements and sustainability disclosure obligations. Proactively demonstrating this integrated approach, backed by robust data and clear accountability, will be critical in navigating BaFin's intensified scrutiny in the year ahead.

About us

PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients navigate challenges and seize opportunities as well as to proactively engage with their market stakeholders and regulators.

Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 2,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.

Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures. This creates a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward- plus forward-looking timeline, so that changes in one policy are carried through to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.

The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award” and the “2025 Regulatory, Governance and Compliance Technology Award in 2025”.

If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.