Financial supervision examines insurer IT – economy

The neighbor works for an insurance company. Although he has nothing to do with his acquaintances’ contracts, he knows how much damage was incurred from the car accident and what policies they have. The financial regulator BaFin believes that such a situation should not exist. The reality is different. The IT systems of many insurers are outdated and have defects. Some programs make mistakes when customers receive their life insurance benefits, sometimes to the customer’s disadvantage and sometimes to their benefit. Others provide incorrect values in the contribution calculations.

In the eyes of the financial regulator BaFin, a main problem is so-called “authorization management”, i.e. determining who has access to which data and whether employees can access documents that are not their concern. Frank Grund, head of insurance supervision at BaFin, called for action early on. “We have found that there is still room for improvement among insurers when it comes to IT security, especially in the areas of information risk and information security management,” he explained in June 2022.

BaFin is taking action

Nothing has fundamentally changed since then. Insurers have to replace old and very old systems, which were often self-programmed, with more modern software. That takes years rather than months. “The result is sobering,” said Grund when he drew a conclusion after checking the IT systems in February 2023. Grund himself is retiring at the end of this month, but not without first increasing the pressure on insurers’ IT.

Since the beginning of the year, his authority has responded very concretely to the ongoing problems. It sets capital surcharges for companies that have additional risks due to IT deficiencies. The target is around five percent of the required solvency capital. This can range from double-digit millions to billions, depending on the size of the company. Above all, the supervisory authority has announced that it will name the insurers affected, a first for BaFin. This bothers companies even more than the capital surcharge.

At the beginning of the year, the authority targeted three insurers: Axa Krankenversicherung, Allianz SE and Signal Iduna. The supervisory authority has already set a surcharge for Axa health insurance. “The reason was deficiencies in the business organization,” the authority announced in May 2023. This was revealed by an IT audit. “The company must correct the deficiencies in a timely manner.” It is not yet known how high the capital surcharge required by BaFin is. At the beginning of 2024, Axa must publish this information itself.

At Allianz SE, the parent company of the largest German insurance group, there were two main problems. The first was identity and rights management, i.e. the question of who has access to which data. The second problem for the BaFin auditors was the IT business organization, which did not have a uniform management.

Allianz avoids capital surcharge for the time being, Signal Iduna still hopes

Allianz SE’s IT department is headed by board member Barbara Karuth-Zelle. But for a long time there was another IT department at a division called Allianz Re. Allianz Re is responsible for Allianz’s reinsurance business and is managed as a separate company, but it is not a subsidiary financially or legally; rather, it is part of Allianz SE. This division had its own IT with 55 employees who did not report to Karuth-Zelle, but to board member Christopher Townsend, whose area of responsibility includes Allianz Re. So within the SE there were two IT departments with different board members in charge. According to BaFin, this could have caused problems with management and control. Allianz has now changed that, and the 55 employees now belong to the Karuth-Zelle department.

In addition, after long delays and another clear warning from the financial regulator, Allianz has committed to very quickly resolving the problems in identity and rights management. BaFin will therefore not set a capital surcharge for Allianz SE for the time being, according to company circles. This is good news for the group and its boss Oliver Bäte. After the Structured Alpha scandal in the USA, another billion-dollar burden due to higher risk capital requirements would not have been well received by investors.

According to SZ information, the Dortmund insurer Signal Iduna still has to fear that BaFin will impose a capital surcharge. The authority has informed the insurer of this. The insurer is contesting it, and the proceedings are not yet completed. So far there is no “final order”, as it is called in regulatory German.

The insurer briefly confirmed the process. A spokesman said: “There was a VAIT audit at the Signal Iduna Group. There are findings from the audit that have already largely been processed, for example on authorization management.” VAIT stands for “Insurance Supervisory Requirements for IT”. Signal Iduna now hopes that the supervisory authority will be as lenient as it was with Allianz if it deals with the problems quickly.

The fact that the BaFin announcements about possible capital surcharges affected precisely these three companies is not because everything is fine with the other insurers.

In fact, it has more to do with the lack of testing capacity. But screening IT systems is now high on BaFin’s priority list. Therefore, other insurers must expect sanctions from BaFin.
