Associated Banc-Corp (ASB) Risk Analysis

As a result of the 2024 Presidential and Congressional elections, Republicans are currently able to set the policy agenda both legislatively and in the regulatory agencies that have rulemaking and supervisory authority over the financial services industry generally and the Bank specifically. However, the Republican Party holds slim majorities in each of the Senate and the House of Representatives. Accordingly, the prospects for the enactment of major banking reform legislation under the new Congress are unclear at this time. The recent turnover of the Presidential Administration will result in certain changes in the leadership and senior staffs of the OCC, the FDIC, the CFPB, the SEC and the Treasury Department. These changes are expected to impact the rulemaking, supervision, examination and enforcement priorities and policies of the agencies, including the possible reversal of a number of final and proposed rules and policy statements promulgated under the Biden Administration. The potential impact of any changes in agency personnel, policies and priorities on the financial services sector, including the Bank, cannot be predicted at this time.

The SEC's Regulation Best Interest establishes a new standard of conduct for a broker-dealer to act in the best interest of a retail customer when making a recommendation of any securities transaction or investment strategy involving securities to such customer. The regulation required us to review and modify our compliance activities, including our policies, procedures, and controls, which caused us to incur additional costs. In addition, state laws that impose a fiduciary duty also may require monitoring, as well as require that we undertake additional compliance measures. In addition, the Bank's insurance agency subsidiary is also subject to regulation and supervision in the various states in which it operates. The administration by the SEC of Regulation Best Interest, as well as any new state laws that impose a fiduciary duty, may negatively impact our results of operation, as well as increase costs associated with legal, compliance, operations, and information technology.

The CFPB has broad rulemaking authority to administer and carry out the provisions of the Dodd-Frank Act with respect to financial institutions that offer covered financial products and services to consumers. As an independent bureau within the Federal Reserve System, the CFPB may impose requirements more severe than the previous bank regulatory agencies. The CFPB has also been directed to write rules identifying practices or acts that are unfair, deceptive or abusive in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service. The CFPB has initiated enforcement actions against a variety of bank and non-bank market participants with respect to a number of consumer financial products and services that have resulted in those participants expending significant time, money and resources to adjust to the initiatives being pursued by the CFPB. The CFPB pursued a more aggressive enforcement policy with respect to a range of regulatory compliance matters under the Biden Administration, specifically including fair lending, credit reporting, loan servicing, financial institution sales and marketing practices, and financial institution consumer fee and account management practices. CFPB enforcement actions may serve as precedent for how the CFPB interprets and enforces consumer protection laws, including practices or acts that are deemed to be unfair, deceptive or abusive, with respect to all supervised institutions, which may result in the imposition of higher standards of compliance with such laws. In addition, with the recent change in Administration, there have been, and likely will continue to be, corresponding changes in the leadership and senior staff of the CFPB. This turnover could lead to changes in agency policies, tactics and interpretations. In addition, the new Administration and Congress may seek to limit the scope and reach of the CFPB's authority. The extent and timing of any such changes and any resulting impact on our business and financial results cannot be predicted at this time.

The Corporation is subject to a variety of risks arising from ESG/DEI matters, which include, among other things, climate change, human capital, and human rights. Risks arising from such matters may adversely affect, among other things, our reputation and the market price of our securities. While we engage in various initiatives to help manage our ESG profile and respond to stakeholder expectations, which continue to evolve, such initiatives can be costly and may not have the desired effect. For example, many of these initiatives leverage methodologies, standards, and data that continue to evolve. As with other companies, our approach to such matters also evolves, and we cannot guarantee that our approach will align with the expectations or preferences of any particular stakeholder. Moreover, stakeholder expectations are not uniform, and both opponents and proponents of various ESG-related matters have increasingly resulted in a range of activism to advocate for their positions. For example, in the last several years, certain state attorneys general, treasurers, and legislators have taken various actions to impact the extent to which ESG principles are considered by financial institutions, including to require or prohibit the consideration of various ESG matters in certain contexts. In addition to the potential for broader "anti-ESG/DEI" policies and laws, on January 21, 2025, President Trump issued an Executive Order requiring all federal agencies to terminate any policies, programs, mandates, guidance, regulations, and other actions and orders establishing DEI-based preferences, and to enforce federal civil rights laws to combat such preferences, mandates, policies, programs and activities of entities operating in the private sector. Further, the Executive Order directs federal agencies to take appropriate action to discourage private sector DEI-based initiatives. To this end, federal agencies are required to submit recommendations to the Trump Administration identifying, among other things, (i) proposed plans or measures to deter DEI-based programs in the private sector, (ii) publicly-traded corporations and other private sector entities that could be considered for civil compliance investigations, (iii) appropriate sources of litigation, and (iv) potential regulatory action or guidance. While the enforceability of the Executive Order and the steps that various federal agencies may take in response to it are uncertain at this time, the Executive Order signals a material shift in federal DEI policy that reasonably can be expected to have implications for the private sector, including the banking industry. In this regard, any scrutiny by federal government authorities of the Corporation's human capital and strategic businesses practices, or those of the banking sector generally, may have a material adverse effect on us. Please refer to Item 1 – Business – Human Capital Matters. Additionally, certain disclosure rules that had been advanced or were under consideration by the SEC in the last few years (e.g., disclosure rules regarding climate risk, human capital management, and board diversity) may be abandoned by new leadership at the SEC, new regulations might be implemented that limit ESG shareholder proposals that may be considered, and Congress may continue to conduct investigations into corporations' ESG initiatives and priorities. In response to potential "anti-ESG/DEI" regulations, investigations, and sentiment, it is possible that proponents of ESG/DEI measures will become galvanized and increase their efforts to compel or pressure corporations to advance such initiatives both at the state level and the private investor level. For example, states may enact laws requiring enhanced ESG/DEI disclosures, and there may be a rise in pro-ESG/DEI shareholder activism or public relations campaigns aimed at influencing corporations to adopt ESG/DEI initiatives. Navigating varying expectations of policymakers and other stakeholders has inherent costs, and any failure to successfully navigate such expectations may expose the Corporation to negative publicity, shareholder activism, and litigation or other engagement from pro- and anti-ESG/DEI stakeholders, as well as the potential for civil investigations and enforcement by federal governmental authorities. The Corporation could be required to incur significant costs responding to any such activity and the Corporation's relationships and reputation with its existing and prospective customers and third parties with which we do business could be affected as well. This, in turn, could have an adverse effect on our ability to attract and retain customers and employees and could have a negative impact on the market price for the Corporation's securities. Certain of our customers, suppliers, or other stakeholders are also subject to such expectations and risks, which may result in additional or augmented risks to us.

Our business increasingly relies on AI, machine learning and automated decision making to improve our services and our customer's experience. The regulatory framework around the development and use of these emerging technologies is rapidly evolving, and many federal, state and foreign government bodies and agencies have introduced and/or are currently considering additional laws and regulations. For example, in July 2024, the federal banking agencies, including the OCC and the FDIC, issued a final rule that requires, among other things, financial institutions to ensure that their automated valuation models for property valuation follow certain quality control standards, including a requirement that such valuation models comply with nondiscrimination laws. The implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, and we cannot yet determine the impact future laws, regulations, standards, or perception of their requirements may have on our business. Any of the foregoing, together with developing guidance and/or decisions in this area, may affect our use of AI and our ability to provide and improve our services, require additional compliance measures and changes to our operations and processes, and result in increased compliance costs and potential increases in civil claims against us. Any actual or perceived failure to comply with evolving regulatory frameworks around the development and use of AI, machine learning and automated decision making could adversely affect our business, results of operations, and financial condition.

We may be involved from time to time in a variety of litigation arising out of our business. Our insurance may not cover all claims that may be asserted against us, and any claims asserted against us, regardless of merit or eventual outcome, may harm our reputation. Should the ultimate judgments or settlements in any litigation exceed our insurance coverage, they could have a material adverse effect on our financial condition and results of operation for any period. In addition, we may not be able to obtain appropriate types or levels of insurance in the future, nor may we be able to obtain adequate replacement policies with acceptable terms, if at all.

We are subject to changes in tax law that could increase our effective tax rates. These law changes may be retroactive to previous periods and as a result could negatively affect our current and future financial performance. For example, legislation enacted in 2017 resulted in a reduction in our federal corporate tax rate from 35% in 2017 to 21% in 2018, which had a favorable impact on our earnings and capital generation abilities. However, this legislation also enacted limitations on certain deductions, such as the deduction of FDIC deposit insurance premiums, which partially offset the anticipated increase in net earnings from the lower tax rate. The current Administration may further reduce the federal corporate tax rate, but the extent and timing of any tax reform, as well as any corresponding effect on our business and financial results, are uncertain at this time. On the other hand, any increase in the corporate tax rate or surcharges that may be adopted by Congress would adversely affect our results of operations in future periods. In addition, the Bank's customers experienced and likely will continue to experience varying effects from both the individual and business tax provisions of the Tax Act. The new Administration and Congress are expected to pursue extensions of many of the temporary provisions of the Tax Act, which are scheduled to expire at the end of 2025. Future changes in tax law and such effects, whether positive or negative, may have a corresponding impact on our business and the economy as a whole.

We rely on computer systems, hardware, software, technology infrastructure and online sites and networks for both internal and external operations that are critical to our business. Operational risk related to cyber-attacks is increasing as cyber-attacks evolve and have a greater and more pervasive economic impact. In addition to cyber-attacks or other security breaches involving the theft of sensitive and confidential information, hackers have engaged in attacks against large financial institutions, designed to disrupt key business services, such as customer-facing web sites. Critical infrastructure sectors, including financial services, increasingly have been the targets of cyber-attacks, including attacks emanating from foreign countries. Cyber-attacks involving large financial institutions, including distributed denial of service attacks designed to disrupt external customer-facing services, nation state cyber-attacks and ransomware attacks designed to deny organizations access to key internal resources or systems or other critical data, as well as targeted social engineering and phishing email and text message attacks designed to allow unauthorized persons to obtain access to an institution's information systems and data or that of its customers, are becoming more common and increasingly sophisticated. Cyber-attacks continue to evolve and become more pervasive throughout the financial services sector. In particular, there has been an observed increase in the number of distributed denial of service and ransomware attacks against the financial sector, for which the increase is believed to be partially attributable to politically motivated attacks as well as financial demands coupled with extortion. Further, threat actors continue to exploit publicly known software vulnerabilities and weak authentication controls used by large numbers of banking organizations in order to conduct malicious cyber activities. These types of attacks have resulted in increased supply chain and third-party risk. Because the methods of cyber-attacks change frequently or, in some cases, are not recognized until launch, we are not able to anticipate or implement effective preventive measures against all possible security breaches and the probability of a successful attack cannot be predicted. Although we employ detection and response mechanisms designed to contain and mitigate security incidents, early detection may be thwarted by persistent sophisticated attacks and malware designed to avoid detection. We also face risks related to cyber-attacks and other security breaches in connection with card transactions that typically involve the transmission of sensitive information regarding our customers through various third parties. Some of these parties have in the past been the target of security breaches and cyber-attacks, and because the transactions involve third parties and environments that we do not control or secure, future security breaches or cyber-attacks affecting any of these third parties could impact us, and in some cases we may have exposure and suffer losses for breaches or attacks relating to them. We also rely on numerous other third-party service providers to conduct other aspects of our business operations and face similar risks relating to them. We cannot be sure that such third-party information security protocols are sufficient to withstand a cyber-attack or other security breach. Cybersecurity risks for financial institutions also have evolved as a result of the increased interconnectedness of operating environments and the use of new technologies, devices and delivery channels to transmit data and conduct financial transactions. The adoption of new products, services and delivery channels contribute to a more complex operating environment, which enhances operational risk and presents the potential for additional structural vulnerabilities. As such, a single cyber-attack is now able to compromise hundreds of organizations and affect a significant number of consumers. In addition, the adoption of hybrid and remote work environments following the COVID-19 pandemic presents institutions with additional cybersecurity vulnerabilities and risks. The Corporation regularly evaluates its systems and controls and implements upgrades as necessary. The additional cost to the Corporation of our cybersecurity monitoring and protection systems and controls includes the cost of hardware and software, third party technology providers, consulting and forensic testing firms, insurance premium costs and legal fees, in addition to the incremental cost of our personnel who focus a substantial portion of their responsibilities on cybersecurity. Any successful cyber-attack or other security breach involving the misappropriation, loss, leak or other unauthorized disclosure of sensitive or confidential customer information, confidential and proprietary information relating to our bank and operations, unauthorized access to our information systems or that of our third-party service providers, or unauthorized access to other data that compromises our ability to function could severely damage our reputation, erode confidence in the security of our systems, products and services, expose us to the risk of litigation and liability, disrupt our operations and have a material adverse effect on our business. Any successful cyber-attack may also subject the Corporation to regulatory investigations, litigation (including class action litigation) or enforcement, or require the payment of regulatory fines or penalties or undertaking costly remediation efforts with respect to third parties affected by a cybersecurity incident, all or any of which could adversely affect the Corporation's business, financial condition or results of operations and damage its reputation. Finally, we cannot guarantee that any costs and liabilities incurred in relation to an attack or incident will be covered by our existing insurance policies or that applicable insurance will be available to us in the future on economically reasonable terms or at all.

A significant portion of our loan portfolio is secured by real property. During the ordinary course of business, we may foreclose on and take title to properties securing certain loans. In doing so, there is a risk that hazardous or toxic substances could be found on these properties. If hazardous or toxic substances are found, we may be liable for remediation costs, as well as for personal injury and property damage. Environmental laws may require us to incur substantial expenses which may materially reduce the affected property's value or limit our ability to use or sell the affected property. In addition, future laws or more stringent interpretations or enforcement policies with respect to existing laws may increase our exposure to environmental liability. Although we have policies and procedures to perform an environmental review before lending against or initiating any foreclosure action on real property, these reviews may not be sufficient to detect all potential environmental hazards. The remediation costs and any other financial liabilities associated with an environmental hazard could have a material adverse effect on our financial condition and results of operations.

Federal budget deficit concerns and the potential for political conflict over legislation to fund U.S. government operations and raise the U.S. government's debt limit may increase the possibility of a default by the U.S. government on its debt obligations, related credit-rating downgrades, or an economic recession in the United States. Many of our investment securities are issued by the U.S. government and government agencies and sponsored entities. As a result of uncertain domestic political conditions,including potential future federal government shutdowns, the possibility of the federal government defaulting on its obligations for a period of time due to debt ceiling limitations or other unresolved political issues, investments in financial instruments issued or guaranteed by the federal government pose liquidity risks. In connection with prior political disputes over U.S. fiscal and budgetary issues leading to the U.S. government shutdown in 2011, S&P lowered its long term sovereign credit rating on the U.S. from AAA to AA+. In 2023, Congress narrowly averted two separate government shutdowns by passing continuing resolutions. Again in 2024, Congress averted two more government shutdowns at the last minute. In part due to repeated debt-limit political standoffs and last-minute resolutions, in 2023 Fitch downgraded the U.S. long-term foreign-currency issuer default rating to AA+ from AAA, and the rating remained unchanged as of December 31, 2024. A further downgrade, or a downgrade by other rating agencies, as well as sovereign debt issues facing the governments of other countries, could have a material adverse impact on financial markets and economic conditions in the U.S. and worldwide.

Our success depends on the general economic conditions of the specific local markets in which we operate, particularly Wisconsin, Illinois and Minnesota. Local economic conditions have a significant impact on the demand for our products and services, as well as the ability of our customers to repay loans, on the value of the collateral securing loans, and the stability of our deposit funding sources. A significant decline in general local economic conditions caused by inflation, recession, unemployment, changes in securities markets, changes in housing market prices, or other factors could have a material adverse effect on our financial condition and results of operations.

Our operations and profitability are impacted by general business and economic conditions in the United States and abroad. These conditions include short-term and long-term interest rates, inflation, money supply, political issues, ramifications of conflicts including the Russia-Ukraine conflict, Israeli-Palestinian conflict, the recent coup in Syria and other conflicts and government turmoil in the Middle East and Europe, legislative and regulatory changes, fluctuations in both debt and equity capital markets, broad trends in industry and finance, the strength of the United States economy, and uncertainty in financial markets globally, all of which are beyond our control. A deterioration in economic conditions, including those arising from government shutdowns, defaults, anticipated defaults or rating agency downgrades of sovereign debt (including debt of the U.S.), or increases in unemployment, could result in an increase in loan delinquencies and NPAs, decreases in loan collateral values, and a decrease in demand for our products and services, among other things, any of which could have a material adverse impact on our financial condition and results of operations.

The Trump Administration has commenced efforts to implement significant changes to the size and scope of the federal government and reform its operations to achieve stated goals that include reducing the federal budget deficit and national debt, improving the efficiency of government operations, and promoting innovation and economic growth. To date, these efforts have been carried out through a mix of executive actions aimed at eliminating or modifying federal agency and federal program funding, reducing the size of the federal workforce, reducing or altering the scope of activities conducted by, and possibly eliminating, various federal agencies and bureaus, and encouraging the use of AI and other advanced technologies within the public and private sectors. These changes, if implemented and taken as a whole, may have varied effects on the economy that are difficult to predict. For instance, the delivery of government services and the distribution of federal program funds and benefits may be disrupted or, in some cases, eliminated as a result of funding cuts or recasting of federal agency mandates. Further, a substantial reduction of the federal workforce could adversely affect regional and local economies, both directly and indirectly, in geographies with significant concentrations of federal employees and contractors. It is possible that such comprehensive changes to the federal government may be materially adverse to the regional and local economies where we conduct business and to our customers, which, in turn, could be materially adverse to our business, financial condition and results of operations.

From time to time, we may implement new lines of business or offer new products and services within existing lines of business. There are substantial risks and uncertainties associated with these efforts, particularly in instances where the markets are not fully developed. In developing and marketing new lines of business and/or new products and services, we may invest significant time and resources. Initial timetables for the introduction and development of new lines of business and/or new products or services may not be achieved and price and profitability targets may not prove feasible. External factors, such as competitive alternatives and shifting market preferences, may also impact the successful implementation of a new line of business and/or a new product or service. Furthermore, strategic planning remains important as we adopt innovative products, services, and processes in response to the evolving demands for financial services and the entrance of new competitors, such as out-of-market banks and financial technology firms. Any new line of business and/or new product or service could have a significant impact on the effectiveness of our system of internal controls, so we must responsibly innovate in a manner that is consistent with sound risk management and is aligned with the Bank's overall business strategies. Failure to successfully manage these risks in the development and implementation of new lines of business and/or new products or services could have a material adverse effect on our business, results of operations and financial condition.