Christine Lagarde: Macroprudential policy in Europe – the future depends on what we do today

Welcome speech by Christine Lagarde, President of the ECB and President of the European Systemic Risk Board, on the occasion of the fifth annual conference of the ESRB

Frankfurt am Main, December 8, 2021

I am pleased to welcome you to the fifth annual conference of the European Systemic Risk Board (ESRB).

Today’s conference marks the first decade of the ESRB – although the pandemic has delayed our celebration for a year.

This decade has been one of the significant achievements. In particular, the macroprudential policy of banks has gone from idea to reality. But this morning I would like to look ahead and ask: how can we prepare for the next decade?

There are known threats to financial stability that have always been on the ESRB’s radar, such as unbridled risk-taking, strained asset valuations, and excessive credit growth. But today we also face new kinds of threats that could profoundly affect financial stability.

Two of these threats stand out: climate change and cyber incidents. And the two have common models. Both are global phenomena that do not stop at borders. Both are cross-sectoral, potentially affecting banks, insurers, investment funds and the markets that connect them. And both are complex, depending on many factors and actors.

Tackling these threats is a challenge, but as Steve Jobs said, “if you define the problem right, you almost have the solution.” So, in my remarks today, I would like to explore the nature of these threats, the kind of responses we need to tackle them and where the ESRB can add value in the coming decade.

Threats of climate change

Climate change has become the major challenge of our generation. Meeting this challenge requires a collective effort in which the financial sector has a key role to play. We need the sector to channel resources to finance the transition to a more sustainable economy.

However, in order to play this role, the financial system must be resilient. And climate change itself threatens this resilience in two main ways.[1]

The first is the physical risks. Environmental disasters such as floods, droughts and heat stress can cause direct and indirect losses to financial institutions – and the intensity and likelihood of these disasters are clearly linked to climate change.[2] The catastrophic flooding this summer is estimated to have caused financial damage in excess of € 29 billion in Germany alone.[3]

The second threat to resilience is the risk of transition. A disorderly transition to a greener economy could also spell losses for the financial sector, as the business models of polluting industries become unsustainable and their assets end up stranded. If assets lose value before their expected economic lifespan and are revised abruptly, it could lead to systemic upheavals.

Such points of no return in financial markets are far from unrealistic. The ESRB analysis reveals that financial markets do not yet significantly differentiate their prices on the basis of climate risks.[4] Since physical and transition risks are clustered in individual banks, the effects of reaching a tipping point would be concentrated and could have larger effects than would otherwise be the case. This in turn could spill over into the financial system more broadly.

For example, 70% of the banking system’s credit exposures to companies subject to high or increasing physical risks are concentrated in the portfolios of only 25 banks in the euro area. For seven of these banks, these exposures represent more than 10% of their total assets.

However, the impact of climate change on financial stability is highly trajectory dependent: it depends on whether we avoid the most extreme climate scenarios and whether we are able to make an orderly transition. The path we are following is, for the moment, still in our hands.

If we are to contain the worst effects, the first line of defense requires governments to adapt their climate policies to the scale of the challenge. Effective climate policies would also benefit the financial sector.

But macroprudential decision-makers also have a role to play in identifying and mitigating the financial aspects of climate-related risks. We must not fall into the false logic of trade-offs, believing that policies that make the financial system more resilient will prevent it from financing the transformation of our economies. The strongest banks are the banks that lend more.[5]

Threats of cyber incidents

Now let me turn to the second threat: cyber incidents.

The financial sector relies on strong information and communications technologies. People’s trust in the industry in turn depends on the confidentiality, integrity and availability of the data and systems it uses. However, cyber incidents can corrupt information and destroy trust. They therefore present a systemic risk.

To date, we have not seen a systemic cyber incident affecting the financial system. But cyber attacks on hospitals in Europe during the COVID-19 crisis[6] and the attack on the Colonial Pipeline in the United States[7] gave us a taste of what might happen in the future. Such an attack is probably now a matter of when, not if. There are three reasons why.

First, digitization means that individual businesses have become more prone to cyber attacks – and COVID-19 has only accelerated this trend. Financial institutions have had to adapt their technological infrastructure to a sudden increase in remote working and remote client relationships, which increases efficiency but also vulnerability.

Second, the interconnection of information systems allows cyber incidents to spread rapidly. There are around 22,000 financial entities in the EU[8], and digitization has deepened the links between them and with third-party infrastructure and service providers. As a result, a cyber incident can quickly turn from an operational disruption to a systemic event.[9]

Third, cyber incidents are becoming more frequent and sophisticated. For example, between 2019 and 2020, the number of cyber incidents reported to the ECB increased by 54%, and many of them were malicious.[10] The SolarWinds incident, which affected Microsoft mail servers around the world, highlights the sophistication with which attackers can now exploit operational vulnerabilities.[11]

Collectively, we must be prepared to deal with the financial stability consequences of a major cyber incident. If such an event does occur, a coordinated and rapid response will be essential to preserve confidence and restore reliable information. This may require new forms and mechanisms of cooperation and communication. Financial authorities must adapt to this new environment, as the cyber threat landscape is also constantly evolving.

The role of the ESRB

So where can ESRB add value?

When threats are global, cross-sectoral and complex, no single institution can understand and tackle them alone. We need to see the big picture, connect the data and diverse perspectives.

This is where the ESRB comes in. It comprises around 80 member institutions, including the ECB and all of the EU’s national central banks. It includes banking, insurance and market supervisors, as well as the three European supervisory authorities and the European Commission. And it benefits from the expertise of the academic world through its Scientific Advisory Committee.

This diversity of perspectives helps to find solutions to complex problems – and this is already the case with climate change and cyber threats.

Five years ago, the ESRB Scientific Advisory Board provided a conceptual framework for addressing systemic risks associated with climate change. This required increased collection and disclosure of information, as well as weather resistance testing.[12] Since then, the ESRB has strived to develop the analytical toolbox needed for evidence-based policy making.

Using this toolkit, the ESRB can map the impact of climate risk on millions of companies and what this means for the exposures of our most important financial institutions. It can also assess the system-wide impacts of the different pathways that climate change or transition could take.[13] Based on this evidence, we now need to work on policy options.

For cyber incidents, the ESRB will soon present the stages of a framework ensuring a coordinated and rapid response from the public financial authorities. Such a framework is already provided for in the European Commission’s proposal on digital operational resilience for the financial sector.[14] The ESRB wants to ensure that it is fully operational and ready for use in the near future.

In particular, the ESRB seeks to create communication channels and classification of cyber incidents to ensure situational awareness and rapid response from the authorities. This includes the coordination of impact assessments and the exchange of information on planning and implementation.

We know the threats of climate change and cyber incidents will materialize. This means that we have to prepare now. As Mahatma Gandhi said: “The future depends on what you do today.

With this in mind, I now open the fifth ESRB conference.

Mary I. Bruner