Operational risks and resilience
General trends
Operational resilience remains a key vulnerability for the banking sector, and the relevance and scope of operational risks have continued to increase. They are elevated not least because of heightened geopolitical risks. Risks to operational resilience have become increasingly complex and include a range of aspects. While digitalisation and technological advances, with the related cyber risk, continue to be the key driver of operational risk, financial institutions and supervisors also closely monitor the risk of fraud, reputational challenges and the risk of financial crime, including AML risk, and further conduct-related and legal risks they are exposed to.
Risks to operational resilience have become increasingly systemic. Capital requirements for operational risk are the second most important component of banks’ risk weight after credit risk. They have increased to 10.5% of total capital requirements (10.2% in December 2023), with a rather low dispersion across jurisdictions. The scope and importance of operational risk are not least driven by digitalisation and technological advances, which highlight the necessity of ensuring operational resilience.
Geopolitical tensions impact operational risk
Geopolitical risks not only amplify or in some cases cause operational risk, for example through state-sponsored malicious cyber activity against the banking sector, but they can also indirectly affect the banking sector through increased risks of malicious behaviour, such as acts of sabotage potentially affecting the financial infrastructure. Cyber and digital risks are not contained by jurisdictional borders, and geopolitical tensions have increased risks significantly. A high dependency on ICT service providers, for example cloud service providers, and other financial service providers, for example payment systems, domiciled in third countries outside the EU/EEA might pose additional risks. Heightened geopolitical tensions are also contributing to AML risks, fraud risk and sanctions compliance risk, and require close attention by financial institutions and supervisors.
The International Monetary Fund (IMF) in April pointed out that an increased risk of cyber-attacks can challenge the operational resilience of financial institutions[54]. Various European and international institutions have also continued to point this out. This is partly reflected in RAQ responses, according to which cyber risks and data security are considered the highest of the operational risks (82% agreement). Risk of ICT failures, as a related risk, also remains high. Fraud risk has grown sharply in the last two years and is now considered the second most relevant contributor to operational risk, at 52% agreement, ahead of conduct and legal risks (45% agreement), which had been the second most relevant operational risk in previous RAQ iterations.
Outsourcing risks, AML and terrorist financing risk, and risk of non-compliance with sanctions, as further operational risks for banks, have decreased in banks’ perceptions. Risk related to organisational change has increased (13% agreement), after a steady decrease in previous RAQ iterations. This might partly reflect the growing impact digital transformation has on the organisation of banks.
Source: EBA Risk Assessment Questionnaire
[*] Agreement to up to three options was possible for respondents.
Fraud risk and payment fraud have become key operational risks
Fraud risk has grown sharply in the last two years, from 33% agreement in the March 2023 RAQ to 52% in March 2025, and is now considered the second most relevant operational risk, according to the RAQ. Risks related to further digitalisation and technical innovation, but also to financial crime, have contributed to a continuously growing risk of fraud. Theft or breach of customer credentials and social engineering are the main drivers of increased fraud risk (60% agreement), followed by online and cyber-fraudulent activities and payment fraud (each with 53% agreement). Growing usage of artificial intelligence (AI) in financial crime may have facilitated technology-driven fraudulent activities. A stocktake conducted by the EBA among NCAs, consumer associations and financial industry associations concluded that payment fraud is the topical issue most frequently mentioned as having affected consumers in 2024/2025[56]. The stocktake suggests that fraudsters have adopted more sophisticated techniques in response to the prevention of conventional attack vectors as a result of legislative initiatives and industry measures. Phishing appears to be the technique most frequently used by fraudsters, while social engineering was most frequently mentioned as a new fraud type[57]. New types of fraud also include Authorised Push Payment (APP) fraud, where the payer is manipulated into making a payment to the fraudster.
As regards the total value of fraudulent transactions, credit transfer is the most affected payment service. Card-based transactions are impacted most in terms of volume of fraudulent transactions. The EBA stocktake also indicated an emerging trend of the use of AI to enable personalised scams to lure consumers into making payment transactions. To address payment fraud, the EBA supports the implementation of requirements of the new Payment Services and Electronic Money Services Directive (PSD3) and of the new Payment Services Regulation (PSR).
The number of loss events is growing, while materialised losses have reduced
At approximately 3.1 million events according to EBA supervisory reporting data, the total number of loss events EU banks reported in 2024 continued on an increasing trend, rising by 3.7% compared to 2023 (Figure 65). The impact of losses related to operational risk has nevertheless decreased. Total materialised losses from new operational risk loss events and loss adjustments relating to previous periods reached EUR 15.9 bn in 2024 and decreased by approximately 9% compared to 2023. The decreasing volume of new operational risk losses amid an increasing number of loss events might indicate a lesser direct financial impact from rising operational risk. The amount of total losses from new operational risk loss events and loss adjustments relating to previous reporting periods as a share of CET1 capital decreased to 1.0% in 2024, from 1.1% in 2023 (Figure 65). The decrease in the ratio was largely driven by lower operational risk loss amounts reported in 2024 than in 2023.
Source: EBA Supervisory Reporting data
[*] Gross loss amount from new events and loss adjustments relating to previous reporting periods.
Going forward, increased fraud risks, high cyber risk and continued high conduct risk may lead to additional materialising losses. Further future losses might arise and could add in the coming year to losses that have already been recognised. These might, for example, relate to ICT failures or successful cyber-attacks. A possible materialisation of an increasing fraud risk might further add to losses. The increasing number of operational risk events should therefore remain an issue of concern for the banking sector.
Digitalisation and ICT-related risks
Cyber and ICT-related risk as well as data security are by far the most prominent driver of operational risk for banks as the digital transformation advances further. Reliance on digital and ICT solutions amid a constantly evolving cybersecurity threat landscape, with further increasing sophistication of threats, is resulting in a high risk exposure for banks, including vulnerability to sophisticated cyber-attacks. As a related risk, 38% of respondents in the RAQ also point to ICT failures as a main driver of operational risk. Reflecting ICT risk, supervisory reporting points to strongly increasing losses at banks in new IT risk events in 2024. Losses increased to approximately EUR 6.5 bn in 2024, compared to approximately EUR 2.8 bn in 2023. Reported losses in new IT risk events are at their highest level since 2020 (approximately EUR 6.7 bn), when risks were heightened in the pandemic.
Banks are a key target of cyber threats
The European Union Agency for Cybersecurity (ENISA) observes a notable escalation in cyber threats and attacks for the financial sector in the latter part of 2023 and the first half of 2024, during a time of rising geopolitical tensions. ENISA considers ongoing regional conflicts globally as a significant factor shaping the cybersecurity landscape. Banks were most frequently affected by publicly reported cyber incidents affecting the finance sector in Europe[59]. The financial sector saw peaks in distributed denial-of-service (DDoS) activity linked to geopolitical events, particularly Russia’s aggression against Ukraine. ‘Hacktivists’ targeted banks (58% of publicly reported incidents), notably causing operational disruptions[60]. Data breaches and leaks remained prominent issues, and threat actors exploited vulnerabilities for financial gain through fraud, supply chain attacks, and social engineering. European banks were the primary targets (39% of publicly reported incidents), with incidents leading to financial losses and reputational damage.
Regulators have responded to cyber risks with initiatives such as the Digital Operational Resilience Act (DORA) which started applying from January 2025, enhancing and harmonising requirements on operational resilience for financial entities. Within DORA, the effective management of ICT-related incidents is an essential component, as it can help identify threats and address vulnerabilities. Supervisors report the major ICT-incidents received by financial entities to the EBA and the other European Supervisory Authorities (ESAs), which assess them and then share them with authorities of other Member States in case the incident has a cross-border impact. During the first four months of reporting in 2025, the EBA received reports on more than 1 200 incidents, affecting mostly IT systems, payment services and online banking. The EBA and the other ESAs have also established a pan-European Systemic Cyber Incident Coordination Framework (EU-SCICF), as an operational framework set up to facilitate communication and coordination among EU authorities and to liaise with other key stakeholders at EU/international level, in case of cyber incidents posing a risk to financial stability.
Vulnerability to cyber-attacks is high
Observations of further increasing cyber threats in 2024 are highlighted by RAQ responses. 58% of banks noted that they had been victim of at least one cyber-attack in the second half of 2024, compared to 55% in the first half of 2024. While the share of banks having been victim to up to ten cyber-attacks slightly increased since 2023, to 48% now, the share of banks falling victim to more than 10 cyber-attacks has further increased to 10% in the second half of 2024 (from 8% in the first half), and confirms escalating cyber threats ENISA has observed.
RAQ responses also suggest that, amid a growing volume and frequency of cyber-attacks, the share of responding banks having faced at least one successful attack which resulted in an actual major ICT-related incident strongly increased (Figure 66). One third of banks faced at least one successful cyber-attack in the second half of 2024, compared to 24% in the first half. 3% of banks faced a high number of at least six successful attacks (2% in the first half of 2024). The share of banks which did not experience a successful attack also decreased from 75% in the first half of 2024 to 65% in the second half.
Source: EBA Risk Assessment Questionnaire
[*] This relates to an ICT-related incident with a potentially high adverse impact on the network and information systems that support critical functions of the financial entity (Article 3(7) DORA).
These figures confirm that the scope, sophistication and impact of successful cyber-attacks across the banking system have increased further. Information on cyber-attacks might moreover not yet be fully reported to the competent authorities concerned and may not reflect the full scope of threats. A shortage of adequate resources and skills at banks and supervisors to address cybersecurity challenges adds to vulnerabilities and is not least driven by a more general shortage of such skilled resources on the labour market. Further investments in ICT, ICT security, and in related skills – including to increase the attractiveness of related positions at banks – are very important while vulnerability to cyber-attacks remains high. Levels of sophistication of threats are expected to increase further, not least driven by growing use of AI. At the same time, however, AI could also be a tool to address, for instance, cyber threats.
Financial crime risk
The high number of cases of money laundering (ML) and terrorist financing (TF) involving European banks in the past caused reputational and financial damage to the banking sector and affected the integrity of the EU/EEA financial system. In response to these cases, and following the adoption of a comprehensive legislative package aimed at strengthening the EU’s legal and institutional framework on AML and counter terrorist financing (CTF), financial institutions and competent authorities have stepped up their efforts to identify and address ML/TF-related weaknesses, and to apply appropriate supervisory measures[62]. This progress may be reflected in the slightly lower significance that banks attribute to ML/TF risks when asked about key operational risks, with 11% agreement in spring 2025, compared to 16% two years ago. The number of reported serious deficiencies with regard to AML/CFT weaknesses is nevertheless high (Figure 67).
Risks related to the implementation of restrictive measures and sanctions continue to be a priority for banks. According to the RAQ, risks related to customers’ transactions received from, or sent to, jurisdictions that are subject to international sanctions remain the most relevant financial crime risks for 32% of banks, although with a decreasing trend. Also, risks related to customers’ transactions received from, or sent to, jurisdictions where groups committing terrorist offences are known to be sources of terrorist financing have strongly increased, with 29% agreement compared to 13% in autumn 2024. Risks related to customers whose activities or leadership are publicly known to be associated with extremism or terrorism have strongly increased, too.
Reporting of AML/CFT weaknesses through EuReCA
From 1 April 2024 to 31 March 2025, 36 national competent authorities and the ECB reported to EuReCA, the EU’s central database for AML/CFT, 1 279 serious deficiencies, or ‘material weaknesses’, that they had detected in credit and financial institutions exposing them to ML/TF risks[63]. Most reports concerned credit institutions, followed by an increase in deficiencies detected in payment institutions and e-money institutions. The most relevant types of material weakness reported during the 12-month period ending in March 2025 were related to institutions’ approaches to customer due diligence (CDD), followed by situations related to systems and controls, and by suspicious transaction reporting. The most common measures in response to material weaknesses reported by competent authorities were orders to correct the deficiencies, followed by fines and administrative pecuniary sanctions (Figure 67).
Figure 67: Financial crime risks, April 2024–March 2025
Source: European reporting system for material CFT/AML weaknesses (EuReCA)
Further legal and reputational risk
Conduct and legal risk beyond risks related to ML/TF and to non-compliance with sanctions is the third most relevant operational risk to RAQ respondents. 45% of RAQ respondents consider it as the main operational risk, a slightly decreasing share in the past two years (51% in spring 2023). Legal and reputational risks go beyond those related to digitalisation and ICT-related risks, and include, for example, unethical business practices and mis-selling of financial products. Going forward, litigation as well as reputational risks may also affect banks in breach of climate-related targets as agreed with competent authorities and as banks integrate ESG factors in their business. For example, litigation risks related to greenwashing and to financing of ‘brown’ fossil sectors have increased. Looking ahead, concerns about potentially continuing unidentified misconduct persist. Misconduct costs come in addition to other operational risks and associated costs banks are facing and can indirectly affect banks’ ability to extend lending. At a systemic level, misconduct can, moreover, undermine trust in the banking system and the proper functioning of the financial system.
Increasing provisions for legal and conduct risk
Data indicate that banks continued to substantially increase their provisions for legal and conduct risk in 2024. Net changes in provisions due to pending legal issues and litigation measured as a share of total assets were at approximately 3.3 bps in December 2024, substantially higher than in December 2023 and December 2022 (at close to 1.9 bps and 1.3 bps, respectively). Considering the relevance of conduct and legal risk, such higher net changes in provisions due to pending legal issues and litigation appear adequate and may point to expectations of further arising redress costs (Figure 68).
Source: EBA supervisory reporting data
Source: EBA Supervisory Reporting data
Box 5: Links between EU/EEA banks and digital assets
In recent periods, the cryptocurrency markets have undergone a rapid evolution. Concurrent with this development, the underlying technology has emerged as a potential opportunity for financial institutions to facilitate transactions through distributed ledger technology (DLT), offer tokenised products, or provide services related to these assets. EU/EEA banks have made advancements with regard to their engagement with digital assets, which at the same time requires a proper reflection in their risk management going forward. Different banks have formulated various strategies for incorporating these assets into their business models as well as service and product offerings. This encompasses the potential to offer a variety of services and to provide traditional banking clients – institutional and retail – with access to the emerging landscape of digital assets. Some types of digital assets fall in scope of long-standing EU financial services regulation. For instance, activities involving tokenised financial assets continue to be regulated by MiFID and associated regulatory measures applicable to the securities markets sector. Other types of digital assets are more novel, and relevant activities, such as issuance and service provision, are now regulated pursuant to the Markets in Crypto-Assets Regulation (MiCA). These include so-called stablecoins in the form of electronic money tokens (EMTs) and asset-referenced tokens (ARTs). EMTs are crypto assets that are designed to maintain a stable value by referencing a single official currency. A number of EU/EEA banks have already begun offering their own EMTs. Other banks are exploring options to internally develop or utilise tokens to facilitate settlement of wholesale payments between institutional clients on private, enterprise-focused blockchain platforms[64].
In the current financial landscape, some banks are also collaborating with digital enterprises to cultivate and disseminate specialised knowledge in the domains of cryptocurrency management, tokenised assets, and digital currencies. These collaborative endeavours encompass the facilitation of the issuance, custody, and redemption of tokens. Some banks have begun to offer consumer-facing services, such as custodian wallet provision and facilitating customer cryptocurrency trading. These applications have the potential to be widely utilised by retail customers. The EBA's 2025 spring edition of the RAQ shows that banks are prioritising more crypto-related services for their clients, with custody and administration topping the list, followed by receiving and executing trading orders on behalf of their clients, whereas issuance and placing of crypto assets tends to be of less relevance. Currently a de minimis number of banks are engaged in activities that result in direct exposure to digital assets, including in derivative format[65]. As the markets for crypto assets continue to expand, there is an increasing probability of greater interconnection with the traditional financial sector. As evidenced by the recent developments in the EU/EEA banking sector, traditional market participants are developing close relationships and new business lines with/in the digital assets market. Such new services and products also entail risks for banks, which vary depending on the type of digital asset, and type of activities involved. This could also bring potential implications for both individual and institutional investors as well as banks themselves, depending on their level of involvement. Two major risks related to these new services and products are market and operational risks. While EMTs and ARTs demonstrate stability, some digital assets prices exhibit volatility because their values are not backed by any underlying assets. 
Their values follow supply and demand dynamics, which can result in significant volatility. Data show that a period of heightened volatility ensued at the onset of 2020, with Ethereum surpassing Bitcoin, while from the second quarter of 2023 the volatility of both digital assets declined (Figure 69).
Figure 69a: Evolution of Bitcoin and Ethereum daily prices
Source: Reuters
Figure 69b: Bitcoin and Ethereum 10-day rolling volatility
Source: Reuters
On the operational risk side, both digital assets and their providers are, for instance, subject to infrastructure-related risk (unexpected blockchain failures, smart contract bugs) and to cybersecurity risk (hacks, data breaches, weaknesses in private key management). A recent major event, estimated to be the largest crypto loss in history, concerns a cryptocurrency exchange which reported in February unauthorised activity within one of its Ethereum wallets, resulting in a loss of over USD 1.4 bn worth of Ethereum[66]. If these or other operational incidents happen at banks, they can have a negative impact on their reputation, including clients’ and investors’ confidence. In conclusion, few European banks seem to be beyond the exploratory phase in terms of digital asset activities. However, it should be noted that this activity also entails certain risks. The overall impact on the risk of the EU/EEA banking system of any uptick in their engagement in digital assets will depend on the nature of the activities banks undertake and the nature of the digital assets to which institutions gain any direct or indirect exposure. Therefore, a diligent approach by banks and supervisors is needed to ensure that banks follow robust risk management practices.
[54] See IMF Global Financial Stability Report, April 2025, Chapter 2.
[56] See EBA Consumer Trends Report 2024/25, March 2025.
[57] Social engineering refers to techniques used by criminals to exploit a person’s trust in order to make payment service users authorise the payment orders issued.
[59] See ENISA Threat Landscape for the Finance Sector, March 2025.
[60] Hacktivists would, for instance, include individuals hacking or breaking into computer and data systems for politically or socially motivated purposes.
[62] Report on NCAs approaches to the supervision of banks with respect to AML/CFT, December 2024.
[63] See further explanations on the European reporting System for material CFT/AML weaknesses.
[64] A sample of selected references includes for instance, Banking Circle launches the first bank-backed MiCA-compliant stablecoin, EURI - Banking Circle, Standard Chartered granted licence in Luxembourg to offer digital asset custody services | Standard Chartered.
[65] Examples for instance include Taurus Blog - Deutsche Bank and Taurus Sign a Global Partnership, BBVA to explore the potential of tokenized money through Visa's new Tokenized Asset Platform, N26 launches new cryptocurrency trading product, N26 Crypto, in Germany, Switzerland, Belgium, Portugal, and Ireland, and Italy's Intesa 'tests' bitcoin with 1 mln euro investment | Reuters.