With Negative Rates, Homeowners In Europe Are Paid To Borrow

ISBON—Paula Cristina Santos has a dream mortgage: The bank pays her.

Her interest rate fluctuates, but right now it is around minus 0.25%. So every month, Ms. Santos’s lender, Banco BPI SA, deposits in her account interest on the 320,000-euro mortgage, equivalent to roughly $380,000, she took out in 2008. In March, she received around $45. She is still paying principal on the loan.

Ms. Santos’s upside-down relationship with her lender started years ago when the European Central Bank cut interest rates to below zero to reignite the continent’s frail economy in the midst of a sovereign-debt crisis. The negative rates helped everyone get cheap financing, from governments to small companies. It gave an incentive to households to borrow and spend. And it broke the basic rule of credit, allowing banks to owe money to borrowers.

Ms. Santos’s case was supposed to be rare and mostly over by now. After the ECB cut interest rates to below zero in 2014, economies in the eurozone improved and expectations were that rates would rise in a few years. But the coronavirus pandemic changed all that.

As economic pain in Europe drags on, the negative rates remain—and they are getting lower. As a result, more borrowers in Portugal as well as in Denmark, where interest rates turned negative in 2012, are finding themselves in the unusual position of receiving interest on their loans.

“When I took the mortgage, I never imagined this scenario, and neither did the bank,” said Ms. Santos, a 44-year-old business consultant.

Deco, a Lisbon-based consumer-rights group that in 2019 estimated that rates had turned negative on more than 30,000 mortgage contracts in Portugal, said the figure has likely more than doubled since then.

Many European borrowers have variable-rate mortgages tied to interest-rate benchmarks. Like most in Portugal, Ms. Santos’s is tied to Euribor, which is based on how much it costs European banks to borrow from each other. She pays a fixed 0.29% on top of the three-month Euribor rate. When she took out the mortgage in 2008, three-month Euribor was close to 5%. It has been falling in recent months and is now near a record low, at minus 0.54%.

Portugal’s state-owned Caixa Geral de Depósitos SA said about 12% of its mortgage contracts currently carry negative rates. The number of such contracts rose by 50% last year, according to a person familiar with the situation. Ms. Santos’s bank, BPI, said it has so far paid €1 million in interest on mortgage contracts to an undisclosed number of customers.

Spain, where most mortgages are also linked to Euribor, faced a similar situation. But the country passed a law that prevents rates from going below zero. Portugal did the opposite, passing a bill in 2018 that requires banks to reflect negative rates.

“In the event that the decline in interest rates exceeds the mortgage spread, the client would not pay interest, but in no case [would the bank] pay in favour of the borrower,” said a spokesman for Banco Bilbao Vizcaya Argentaria SA, one of Spain’s largest lenders.

There are no official figures available on how many mortgages are currently carrying a zero interest rate in Spain. Banks have declined to disclose their numbers.

In Denmark, more borrowers have seen their rates turn negative, although in most cases they are still paying their banks because of an administration fee charge.

There, mortgages aren’t directly financed by the banks, which don’t set their terms. Instead, they serve as a type of intermediary, selling bonds to investors at a specific rate, lending the same amount to the borrower for the same rate.

Nykredit, Denmark’s biggest mortgage lender, said more than 50% of its loans with an interest period of up to 10 years have a negative interest rate before the fee. That proportion is rising because mortgages tend to have their rates adjusted every few years.

That is the case for Claus Johansen, 41, who works in Nykredit’s mortgage department. In 2016, he took on a five-year adjustable-rate mortgage for 1.2 million Danish kroner, equivalent to roughly $190,000, to buy a house north of Copenhagen. His interest repayments for the first five years were set at 0.06%. In January of this year, the rate was revised to minus 0.26%, which is subtracted from a 0.6% administration fee he has to pay the bank.

“It’s odd, but negative rates have been around for so many years, we just got used to it,” Mr. Johansen said.

A flip side to borrowers receiving interest from their lenders is that banks in Denmark and elsewhere have started charging customers for their deposits, saying they can no longer absorb the negative rates their central bank charges them. Mr. Johansen said he keeps his account balance under the threshold at which his bank would start charging him.

In Lisbon, Ms. Santos said that while it is great to receive interest from her bank, her situation overall isn’t better off because BPI has sharply cut the interest it offered on her business deposit account in recent years, to close to zero, from around 3%. Her plans to buy a new house are on hold because BPI is now charging a much higher spread on new mortgages, to avoid falling into the negative-rates trap again.

“We wanted to move out of the city centre, but it is hard to leave such a good mortgage deal behind,” Ms. Santos said.

As tech leaders race to bring Windows systems back online after Friday’s software update by cybersecurity company CrowdStrike crashed around 8.5 million machines worldwide, experts share with CIO Journal their takeaways for preparing for the next major information technology outage.

Be familiar with how vendors develop, test and release their software

IT leaders should hold vendors deeply integrated within IT systems, such as CrowdStrike , to a “very high standard” of development, release quality and assurance, said Neil MacDonald , a Gartner vice president.

“Any security vendor has a responsibility to do extensive regression testing on all versions of Windows before an update is rolled out,” he said.

That involves asking existing vendors to explain how they write software, what testing they do and whether customers may choose how quickly to roll out an update.

“Incidents like this remind all of us in the CIO community of the importance of ensuring availability, reliability and security by prioritizing guardrails such as deployment and testing procedures and practices,” said Amy Farrow, chief information officer of IT automation and security company Infoblox.

Re-evaluate how your firm accepts software updates from ‘trusted’ vendors

While automatically accepting software updates has become the norm—and a recommended security practice—the CrowdStrike outage is a reminder to take a pause, some CIOs said.

“We still should be doing the full testing of packages and upgrades and new features,” said Paul Davis, a field chief information security officer at software development platform maker JFrog . undefined undefined Though it’s not feasible to test every update, especially for as many as hundreds of software vendors, Davis said he makes it a priority to test software patches according to their potential severity and size.

Automation, and maybe even artificial intelligence-based IT tools, can help.

“Humans are not very good at catching errors in thousands of lines of code,” said Jack Hidary, chief executive of AI and quantum company SandboxAQ. “We need AI trained to look for the interdependence of new software updates with the existing stack of software.”

Develop a disaster recovery plan

An incident rendering Windows computers unusable is similar to a natural disaster with systems knocked offline, said Gartner’s MacDonald. That’s why businesses should consider natural disaster recovery plans for maintaining the resiliency of their operations.

One way to do that is to set up a “clean room,” or an environment isolated from other systems, to use to bring critical systems back online, according to Chirag Mehta, a cybersecurity analyst at Constellation Research.

Businesses should also hold tabletop exercises to simulate risk scenarios, including IT outages and potential cyber threats, Mehta said.

Companies that back up data regularly were likely less impacted by the CrowdStrike outage, according to Victor Zyamzin, chief business officer of security company Qrator Labs. “Another suggestion for companies, and we’ve been saying that again and again for decades, is that you should have some backup procedure applied, running and regularly tested,” he said.

Review vendor and insurance contracts

For any vendor with a significant impact on company operations , MacDonald said companies can review their contracts and look for clauses indicating the vendors must provide reliable and stable software.

“That’s where you may have an advantage to say, if an update causes an outage, is there a clause in the contract that would cover that?” he said.

If it doesn’t, tech leaders can aim to negotiate a discount serving as a form of compensation at renewal time, MacDonald added.

The outage also highlights the importance of insurance in providing companies with bottom-line protection against cyber risks, said Peter Halprin, a partner with law firm Haynes Boone focused on cyber insurance.

This coverage can include protection against business income losses, such as those associated with an outage, whether caused by the insured company or a service provider, Halprin said.

Weigh the advantages and disadvantages of the various platforms

The CrowdStrike update affected only devices running Microsoft Windows-based systems , prompting fresh questions over whether enterprises should rely on Windows computers.

CrowdStrike runs on Windows devices through access to the kernel, the part of an operating system containing a computer’s core functions. That’s not the same for Apple ’s Mac operating system and Linux, which don’t allow the same level of access, said Mehta.

Some businesses have converted to Chromebooks , simple laptops developed by Alphabet -owned Google that run on the Chrome operating system . “Not all of them require deeper access to things,” Mehta said. “What are you doing on your laptop that actually requires Windows?”