Germany’s next financial-AI test is not only in banks. It is in insurance claims desks, underwriting teams and pricing models, where BaFin is telling firms that artificial intelligence can speed up service only if the control file is ready first.
That was the practical message in a 21 May speech by Julia Wiens, BaFin’s executive director for insurance and pension funds supervision, at InsureNXT in Cologne. BaFin’s headline was deliberately consumer-facing: AI needs the trust of customers. But the substance was supervisory. Insurers are being encouraged to use AI, while being told that the material use cases are underwriting, pricing and automated claims handling, not harmless back-office experiments.
The distinction matters for international readers because Germany is building the AI Act into an already dense financial-supervision stack. BaFin said in the same speech that the current German legislative draft would give it market-surveillance responsibility for certain financial-market AI applications, likely covering prohibited practices, high-risk AI applications and transparency duties. That makes insurance AI a first-order compliance topic, even before every EU AI Act deadline has settled.
BaFin’s tone was not anti-innovation. Wiens described near-real-time claims settlement, AI-assisted customer service and fraud prevention as plausible benefits for insurers and policyholders. She also said many insurers already use AI across the value chain, mostly to cut costs and accelerate processes, while more sensitive use in pricing and risk assessment remains less common for now. Her warning was that this is unlikely to stay marginal: agentic systems and large language models are moving from answer engines toward tools that can plan and execute tasks across interfaces.
For insurers, that changes the compliance question from “are we using AI?” to “which AI systems touch core insurance decisions, who owns the risks, and how quickly can we prove that?” BaFin explicitly pointed to the need for clear rules and procedures for AI use, regular governance updates and a categorised view of use cases. It also said bundling those details in an AI register would help management, and that concrete supervisory requirements on this point would follow in the coming months.
The risk list is familiar but sharper in insurance. BaFin cited unjustified discrimination, limited explainability, unreliable outputs, bias and hallucination. Those issues are not abstract in a sector where automated tools may influence access to cover, price a risk or recommend a claims outcome. A model that excludes under-represented groups from its training data can turn a technical weakness into a customer-access problem. A model that cannot explain its result can make it harder for a firm to detect discrimination or operational fragility before the supervisor asks.
The cyber angle is equally important. BaFin linked AI adoption to AI-assisted attackers, including more advanced phishing, malware and faster vulnerability discovery. It also highlighted concentration risk from dependence on hyperscalers for infrastructure and models. That maps directly onto the broader German supervisory agenda. In the national supervisory programme for 2026-28, BaFin and the Bundesbank identify IT security as a 2026 priority for nationally supervised banks, with attention to cyber and IT risk, third-party concentration, cloud providers and DORA implementation. The programme is bank-focused, but the supervisory logic is the same: digital resilience is now part of the financial-sector control perimeter.
The BSI has also drawn a clean boundary between DORA and the wider NIS-2 regime. In a DORA and NIS-2 explainer, the agency says DORA regulates digital operational resilience in the financial sector and applies from 17 January 2025, with BaFin as the supervisory authority for affected financial entities. For German insurers, that means AI governance is not separate from operational resilience. If AI depends on a cloud provider, a model vendor or a critical data pipeline, the evidence file belongs in the same risk conversation as outsourcing, incident response and cyber hygiene.
There is also a timing trap. BaFin noted that the European Commission’s Digital Omnibus proposal would push full application of parts of the AI Act, especially for high-risk AI, toward December 2027. But Wiens’ message was not to wait. BaFin expects firms to implement the AI Act “vorausschauend” (with foresight), as far as possible today, and to use any extra time to prepare pragmatic definitions and workable implementation. The practical reading is that a delayed legal date does not delay supervisory questioning about governance, data quality or customer fairness.
That is why the German insurance angle is more interesting than a generic AI Act update. BaFin is not only waiting for an EU compliance calendar. It is translating AI into familiar supervisory controls: model purpose, data basis, explainability, outsourcing concentration, board visibility and customer fairness. Firms that treat AI as a technology programme alone will have to retrofit the control layer later.
For Germany’s insurers, the competitive prize is obvious: faster claims, better fraud detection and more personalised service. The supervisory price is also becoming clearer. AI can move fast in German insurance, but BaFin wants it to stay auditable, resilient and fair while it does.