RISKS | RISK MANAGEMENT | KEY MILESTONES | |
TRANSVERSAL RISKS | |||
Business return | Obtaining results below market expectations or Group targets that, ultimately, prevent the company from reaching a level of sustainable returns greater than the cost of capital. | The management of this risk is supported by the financial planning process, which is continually monitored to assess the fulfilment of the strategy and budget. After quantifying the number of deviations and identifying their cause, conclusions are presented to the management and governing bodies to evaluate the benefits of making adjustments to ensure that the internal objectives are fulfilled. | Improved profitability and operating efficiency in 2025. The positive performance of fee and commission income (+5.4 %), together with the cost of risk remaining at low levels (0.22 %), made it possible to achieve a ROTE of 17.5%. In addition, the cost-to-income ratio stood at 39.4%, remaining at an all-time low. Profit attributable to the Group through to December 2025 was up 1.8 %, to 5,891 million euros, as interest rates steadily normalise. In 2025, the main milestones were the active management of liquidity remuneration, tight cost control in line with the containment target set out in the budget and the 2025ā2027 Strategic Plan, and the optimization of the composition of customer resources (growth in assets under management and insurance). |
Own funds and capital adequacy | Risk caused by a restriction of the CaixaBank Group's ability to adapt its level of capital to regulatory requirements or to a change in its risk profile. | The 2025ā2027 Strategic Plan sets a target range for the CET1 capital adequacy ratio of between 11.5 % and 12.5 % (with a transitional level of 12.25 % for 2025), implying a buffer of between 200 and 300 basis points above the SREP regulatory requirement. The upper end of the target range sets the threshold for potential extraordinary capital distributions. | The Common Equity Tier 1 (CET1) ratio at 31 December stood at 12.6% (12.25 % at regulatory level). Accordingly, CaixaBank had a buffer of 354 basis points, i.e. 8,662 million euros, above the Groupās MDA trigger (321 basis points at regulatory level (7,835 million euros)). The minimum requirements for December 2025 and those envisaged for January 2026 onwards are as follows: According to the 2025 Dividend Plan, the Board of Directors meeting on 30 October 2025 approved the distribution of an interim dividend of 40 % of the consolidated net profit for the first half of 2025, amounting to 1,181 million euros (16.79 cents gross per share). Moreover, on 29 January 2026 the Board of Directors agreed to propose to the General Meeting of Shareholders the distribution of a final cash dividend of 2,320 million euros, gross, equivalent to 33.21 euro cents, gross, per share, charged to 2025 profits and payable in April 2026. With this second dividend payment, the total amount of shareholder remuneration for 2025 will be equivalent to 59.4 % of consolidated net profit (50 euro cents, gross, per share). In addition, within the framework of the current Strategic Plan, two share buyback (SBB) programmes were carried out in 2025 (launched in June and November, SBB VI and VII), each for 500 million. |
Dec. 2025 | From January 2026 | |
Pillar 1 regulatory requirement | 4.50% | 4.50% |
Pillar 2R requirement | 0.98% | 0.98% |
Capital Conservation Buffer | 2.50% | 2.50% |
Systemic O-SII Buffer | 0.50% | 0.50% |
Sectoral systemic buffer 1 | 0.07% | 0.06% |
Countercyclical buffer 2 | 0.50% | 0.57% |
Minimum CET1 capital requirements | 9.05% | 9.12% |
Model | Potential adverse consequences for the Group that could arise from decisions based primarily on the results of models with errors or biases in their design, conception, application or use. | Model risk management is based on these pillars: | Identifying existing models, using the Corporate Inventory of Models as a key element to set the scope of the models, assessing the quality thereof and how they are used by the Group. | Governance and model control framework, with a proportional (based on tiering ) and homogeneous approach through the definition of standards and guidelines for the most relevant phases of the model lifecycle and a uniform reporting framework. | Ongoing monitoring based on a supervisory framework with a forward-looking approach to model risk, enabling the risk to be kept within the parameters defined in the Group Risk Appetite Framework through the periodic calculation of specific model risk metrics and indicators. | In 2025, model governance was strengthened in order to align the corporate inventory with artificial intelligence (AI) models. This change required the adaptation of the model risk tool to incorporate key elements of the EU Artificial Intelligence Act. Likewise, the corporate Policy and Methodology for model risk management were updated, highlighting the evolution of the āModel Risk Ratingā, achieving greater sensitivity in the tiering and assessment of residual risk, as well as the model management framework, which was redefined based on the new inherent risk. The rollout of corporate first and second line of defence roles within the corporate inventory was also initiated, as roles with a global view aimed at harmonising methodologies and materiality criteria for the same types of models, in line with the project launched this year to harmonise materialities and materiality criteria for uses that are transversal across the Group. Finally, data quality was redesigned, adapting it to the inventory and adopting an agile approach in order to improve the management of the Corporate Model Inventory and thus remain within the Groupās risk appetite. With regard to the Validation function, highlights included the move towards greater automation in generating reports, covering an increasingly broad range of models. This progress made it possible to increase value added and the level of thorough challenge, and facilitated closing 2025 having issued 100 % of the opinions planned for the year. |
Reputational | Potential financial loss or lower income for the Group as a result of events that negatively affect the perception that interest groups have of the CaixaBank Group. | Reputational risk management aims to preserve and strengthen the positive perception of the CaixaBank Group among its stakeholders, ensuring a satisfactory level in the main reputation indicators and taking a proactive approach to prevent, minimise and mitigate potential negative reputational impacts. Given its cross-cutting nature, the management and measurement of reputational risk are embedded in key processes such as service outsourcing and the design of new products or services. The Bankās corporate reputational risk management model focuses on the following areas of action: | Governance: A governance model based on the Three Lines of Defence, supported by specific policies, procedures and committees. | Control: Processes to identify, assess and mitigate reputational risks, assigning those responsible. | Crisis management and communication: Initiatives to strengthen reputation and mechanisms to manage and resolve crises with reputational impact. | Measurement and reporting: Ongoing monitoring and reporting to committees and supervisors, supporting informed decision- making. | Economic quantification: Estimation of the capital impact of reputational risk. | In 2025, CaixaBank consolidated its corporate reputational risk management model through initiatives aimed at strengthening the Bankās positive recognition and at the prevention, control and agile, cross-cutting response to crisis events: | Strengthening of institutional positioning through strategic campaigns aimed at enhancing the values of improved customer service, the Bankās social responsibility and connection with stakeholders through the personalisation of campaigns and content. | In the area of prevention, noteworthy developments included the incorporation of predictive AI solutions for the early detection of crises and fake news in the media and on social networks, as well as the strengthening of risk control and assessment through the implementation of second line of defence Testing Plans. | Expansion of the reputational risk control and management framework to subsidiaries, consolidating the corporatisation of the model, together with the strengthening of the role of the risk first line of defence within the Bankās Transparency Committee. | The rollout of new methodologies for non-financial risks, strengthening the control environment and ensuring alignment with current regulation and international standards. These projects reflect a comprehensive and coordinated approach to managing and mitigating reputational risks at Group level, ensuring effective coordination in all areas of management and an agile and efficient response to potential incidents with reputational impact. See section "Reputation". |
FINANCIAL RISKS | |||
Credit | Loss of value of the assets of Caixa Bank Group through a customer due to the impairment of the capacity of this customer to meet their commitments to the Group. Includes the risk generated by operations in the financial markets (counterparty risk). | This is the most significant risk for the Group's balance sheet. It is derived from its banking and insurance activity, cash flow operations, and its investee portfolio, encompassing the entire management cycle of the operations. The principles and policies that underpin credit risk management are: | A prudent approvals policy based on: (i) an appropriate relationship between income and the expenses borne by consumers; (ii) documentary proof of the information provided by the borrower and the borrowerās solvency; (iii) pre-contractual information and information protocols that are appropriate to the personal circumstances and characteristics of each customer and operation. | Monitoring the quality of assets throughout their life cycle based on preventive management and early recognition of impairment. | Up-to-date and accurate assessments of the impairment at any given time and diligent management of non-performingloans and recoveries. | At year-end 2025, the non-performing loan ratio stood at 2.1% (2.6 % at December 2024), revealing a reduction of 1,611 million in non-performing loans during the year, thanks to active NPL management. The NPL coverage ratio remains robust, standing at 77% at year-end 2025, versus 69 % in December 2024. The cost of risk is 22 basis points over 12 months. It is also worth highlighting the increase in new lending while maintaining credit quality levels across all segments. In the retail segment, an increase of 29.6 % was recorded compared with the previous year (40.1 % in mortgages), while in the corporate segment growth stood at 5.9 %. |
Actuarial | Risk of a loss or adverse change to the value of the commitments assumed through insurance or pension contracts with customers or employees due to the differences between the estimate for the actuarial variables used in the tariffmodel and reserves and the actual performance of these. | This risk is managed in order to ensure the Group has the capacity to meet commitments to its insured parties, to optimise the technical margin and to keep balances within the limits established in the risk appetite framework. | In 2025, the main milestones focused on: | The monitoring of asset and liability management strategies. | The analysis and monitoring of actuarial risk, with a particular focus on longevity and demographic changes, and progress in modelling assumptions on biometric risks based on the Bankās own experience. | The strengthening of the actuarial risk perspective within the new product design process. |
Rate risk in the banking book | Negative impact on the economic value of balance sheet items or on the net interest margin due to changes in the structure of interest rates over time and the impact thereof on asset and liability instruments and off-balance sheet items not held in the trading book. | Management focused on optimising and protecting net interest income in scenarios of interest rate cuts and on preserving the economic value of the balance sheet within the limits established under the risk appetite framework. | During the first half of 2025, the trend seen in 2024 continued, with four consecutive interest rate cuts, bringing the deposit facility rate to 2 % (from 3 %). In June, the ECB paused the rate cuts, keeping the deposit facility rate unchanged. The market is pricing in stability and does not expect any further rate cuts in 2026. In this context, the Group has actively managed its balance sheet to mitigate the potential adverse impact of falling interest rates on net interest income and economic value. These actions, together with stronger momentum in lending activity and efficient management of deposit costs, helped to minimize the impact of interest rates on net interest income. In addition, the demand deposits model was updated, designed from the outset on a prudent basis and fully aligned with EBA guidelines. This model reinforces the need for a conservative modelling of the characteristics of demand deposit accounts. |
Liquidity and funding | Risk of insufficient liquid assets or limited access to market financing to meet the contractual maturities of liabilities, regulatory requirements, or the investment needs of the Group. | The management approach is based on a decentralised system with the segregation of functions aiming to maintain an efficient level of liquid assets; the active management of liquidity and the sustainability and stability of funding sources in both normal and stress scenarios. | Total liquid assets amounted to ā¬ 171,830 million at 31 December 2025, an increase of ā¬462 million during the year. The Group continues to show a comfortable liquidity position. The Group's LCR stands at 202% and the NSFR stands at 146% as at 31 December 2025. Institutional funding amounted to ā¬ 51,016 million, following the concentration of maturities in the year. The performance in 2025 was driven by consistently heavy use of the capital markets, with active efforts to diversify investments, instruments and geographies. See section "Shareholders and investors". |
Market | Loss of value, with impact on results and solvency, of a portfolio (set of assets and liabilities), due to adverse movements in prices or market rates. | Risk management is based on maintaining risk low, stable, and within the established risk appetite limits. The market risk of the trading book is measured daily using an internal model subject to regulatory supervision. | Enhancements have been made to the calculation of capital requirements under the new SA-FRTB framework (Standardised Approach for the Fundamental Review of the Trading Book), aimed at achieving a more accurate and risk-sensitive measurement. |
OPERATIONAL RISK | |||
Conduct and Compliance | The application of criteria that run contrary to the interests of its customers and stakeholders, or acts or omissions by the Group that are not compliant with the legal or regulatory framework, or with internal policies, regulations or procedures, or with codes of conduct, ethical standards and good practice. | Conduct and compliance risk management is a cross- cutting responsibility across the Group. Each individual actively helps to ensure regulatory compliance by applying procedures that integrate applicable regulations into day-to-day activities and by fostering a culture of integrity and good practices. | The Group also continued to entrench a culture and awareness of compliance within the organisation in 2025, targeting all employees with training programmes, conduct indicators in corporate challenges and awareness sessions. The compliance target set for the year in this respect was met. Moreover, ongoing processes were established to monitor the proper marketing of products and services based by tracking a set of indicators and conducting ad hoc reviews as and when needed. During the 2025 financial year, CaixaBank successfully passed the audits for the following certifications: | UNE/ISO 37301 Compliance Management Systems | UNE 19601 Criminal Compliance Systems | UNE/ISO 37001 on Anti-Bribery Management Systems | UNE 19602 on Tax Compliance Further progress was also made in relation to digitalisation and the use of artificial intelligence for the early detection of risks. The Groupās supervision model was further strengthened during the year by monitoring adherence to the defined framework for coordination of subsidiaries and by implementing improvements to enhance the effectiveness of the implementation of the compliance programme at Group level. See section "Governance". |
Legal and regulatory | Potential losses or decreases in the CaixaBank Group's profitability as a result of legislative changes, the incorrect implementation of said legislation in the CaixaBank Groupās processes, the misinterpretation of legislation applied to operations, incorrect handling of court or administrative rulings or of claims or complaints received. | Legal and regulatory risks are managed so as to safeguard the Groupās legal integrity and to anticipate and mitigate future economic harm by monitoring regulatory changes, participating in public consultation processes, helping to build a predictable, efficient and sound legal framework, and interpreting and implementing regulatory changes. Its aim is to ensure the proper and timely implementation of regulatory changes. This implementation process includes the creation or adaptation of contracts, processes and systems. Along these lines, mechanisms for centralised coordination, regulatory development and control are established across the CaixaBank Group, enabling sound management of legal and regulatory risk. | During 2025, key legislative proposals with an impact on the entity have been monitored. With regard to those published in 2025, legal and impact analysis has been carried out for the implementation of the regulations. Key considerations: (i) simplification of the EU securitisation framework in the context of the Savings and Investments Union (SIU) Strategy, aimed at channelling savings towards capital markets; (ii) postponement of the application of the Delegated Regulation on the Fundamental Review of the Trading Book (FRTB) until January 2027; (iii) agreement on the Bank Crisis Management Framework (CMDI), which includes a mandate to address temporary liquidity shortfalls in resolution; (iv) Omnibus I package introducing adjustments to the Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD), together with extensions to implementation deadlines; (v) review of the Sustainable Finance Disclosure Regulation (SFDR) to simplify obligations and reduce administrative burden; (vi) launch of the European Anti- Money Laundering and Counter-Terrorist Financing Authority (AMLA), which will begin direct supervision in 2027 and become fully operational in 2028; and (vii) progress in payments: EuroPA/EPI agreement, negotiations on the Digital Euro and the new European framework for payment services (PSR/PSD3); (viii) negotiations on access to financial data under the proposed Regulation (FiDA); (ix) the Draft Artificial Intelligence Act in Spain, adapting the national framework to the European Regulation (AI Act); (x) the European Digital Omnibus, which simplifies rules on AI, cybersecurity and data, and rolls out European Business Wallets; and (xi) publication of MiCA delegated acts, development of EMIR 3.0 technical standards and the update of MiFID/MiFIR and the Listing Package. Additionally, several ongoing initiatives are under surveillance, including: (i) national legislative initiatives on financial consumer protection and alternative dispute resolution; (ii) the EU financial education strategy and the Consumer Agenda 2025ā2030; (iii) measures envisaged under the SIU to strengthen competitiveness, financial integration and resilience; (iv) the European housing strategy and the Affordable Housing Plan; and (v) the Consumer Agenda 2025ā2030, aimed at reinforcing confidence and legal certainty. See section "Political lobbying". |
Technology | Risks of losses due to hardware or software inadequacies or failures in technical infrastructure, due to cyber attacks or other circumstances, that could compromise the availability, integrity, accessibility and security of infrastructure and data. | Managing this risk involved identifying, measuring, assessing, mitigating, monitoring and reporting the risk levels and potential operational losses involved in the governance and management of Information Technology. Furthermore, the risk control and management frameworks developed have been designed in accordance with internationally renowned standards and prevailing law and regulations, and evolve as potential emerging risks are captured and managed. | During 2025, CaixaBank Group maintained a robust risk control and management framework on the technology risks, especially in the light of external threats linked to cybersecurity. Likewise, the risk control framework continued to be enhanced in order to support the increasing use of cloud computing and artificial intelligence services, while ensuring it remains aligned with the requirements arising from the DORA Regulation (digital operational resilience). Highlights include the ongoing progress made in overseeing these risks through new risk management methodologies that the Group is rolling out for non-financial risks. In relation to risks, the control environment is being continuously fortified in order to meet the expectations of regulators and supervisors, while also achieving greater alignment with international best practices, recent regulation such as the DORA Regulation, and a balance with more agile and efficient processes. See section "Cybersecurity". |
Other operational risks | Risk of loss or damage caused by errors or shortcomings in processes, due to external events or due to the accidental or intentional actions of third parties outside the Group. This includes risk factors related to outsourcing, business continuity and external fraud. | Management consists of the identification, measurement, assessment, mitigation, monitoring and reporting of risk levels and potential operational losses arising from the governance and management of outsourcing, external fraud, business continuity, etc., seeking to avoid or mitigate negative impacts on the Group, either directly or indirectly by affecting relevant stakeholders (e.g. customers), arising from the inadequate functioning of processes or the actions of third parties. | During 2025, further progress was made in addressing these risks through the specialised second line of defence function for āother operational risksā, with a continued focus on prevention. An advanced non-financial risk supervision model is being consolidated through the adoption of specific methodologies that strengthen comprehensive risk management. This approach continuously strengthens the internal control framework, ensuring compliance with regulatory and supervisory expectations and promoting convergence with international standards and recent regulation, such as the DORA Regulation. All of this is implemented while maintaining operational efficiency and process agility. |
01 | It allows us to answer: | ||||
How are we seen? | Which aspects might become a risk for CaixaBank due to their negative perception? | ||||
02 | It is based on: | ||||
Shareholders | |||||
300 indicators | Society | ||||
Analysts | |||||
Measurement of perceptions or opinions | Media | ||||
Regulator | |||||
GRI as a synthesis metric | Employees | ||||
External Audit | Customers | ||||
Non- customers | |||||
It leads us to: | |||||
Diagnose reputational problems | Set targets in this area | ||||
Measuring the Bank's performance | Establishing comparisons | ||||
+ | 10% | = | Group GRI metrics | |
WEIGHT | WEIGHT | |||
GRI CaixaBank ā ESP | GRI BPI ā PT |
n | 8% |
Transparency Committee | |
n | 30% |
Other enquiries | |
n | 44% |
ESG sectors (defence and ESG policies) | |
n | 10% |
Persons under investigation / companies with sanctions | |
n | 4% |
Protocol offshore | |
n | 4% |
Controversial sectors |