Bank of America (BAC) Risk Analysis

A number of our products expose us to credit risk, including loans, letters of credit, derivatives, debt securities, trading account assets and assets held-for-sale. Deterioration in the financial condition of our consumer and commercial borrowers, counterparties or underlying collateral could adversely affect our results of operations and financial condition. Our credit portfolios may be impacted by U.S. and global macroeconomic and market conditions, events and disruptions, including declines in GDP, consumer spending or property values, asset price corrections, increasing consumer and corporate leverage, increases in corporate bond spreads, government shutdowns or policies such as tax changes, changes in international trade policy including tariff rates, rising or elevated unemployment levels, elevated inflation or cost of living expenses, fluctuations in foreign exchange or interest rates, as well as the emergence of widespread health emergencies or pandemics, extreme weather events and the impacts of climate change, including acute and/or chronic extreme weather events and efforts to transition to a low-carbon economy. Significant economic or market stresses and disruptions typically have a negative impact on the business environment and financial markets, which could impact the underlying credit quality of our borrowers, counterparties and assets. Property value declines or asset price corrections could increase the risk of borrowers or counterparties defaulting or becoming delinquent in their obligations to us, and could decrease the value of the collateral we hold, which could increase credit losses. Credit risk could also be magnified by lending to leveraged borrowers or declining asset prices, including property or collateral values, unrelated to macroeconomic stress. Simultaneous drawdowns on lines of credit and/or an increase in a borrower’s leverage in a weakening economic environment, or otherwise, could result in deterioration in our credit portfolio, should borrowers be unable to fulfill competing financial obligations. Increased delinquency and default rates could adversely affect our credit portfolios and increase charge-offs and provisions for credit losses. A recessionary environment and/or a rise in unemployment could adversely impact the ability of our consumer and/or commercial borrowers or counterparties to meet their financial obligations and negatively impact our credit portfolio. Consumers have been and may continue to be negatively impacted by inflation and/or a higher cost of living, resulting in drawdowns of savings or increases in household debt. Elevated interest rates, which have increased debt servicing costs for some businesses and households, may adversely impact credit quality, particularly in a recessionary environment. Certain sectors also remain at risk (e.g., commercial real estate, particularly office) as a result of shifts in demand and tight financial and credit conditions. Globally, conditions of slow growth or recession could further contribute to weaker credit conditions. If the macroeconomic environment or certain sectors worsen, our credit portfolio, net charge-offs, provision and allowance for credit losses could be adversely impacted. We establish an allowance for credit losses, which includes the allowance for loan and lease losses and the reserve for unfunded lending commitments, based on management's best estimate of lifetime expected credit losses (ECL) inherent in our relevant financial assets. The process to determine the allowance for credit losses uses models and assumptions that require us to make difficult and complex judgments that are often interrelated, including forecasting how borrowers or counterparties may perform in changing economic conditions. The ability of our borrowers or counterparties to repay their obligations may be impacted by changes in future economic conditions, which in turn could impact the accuracy of our loss forecasts and allowance estimates. There is also the possibility that we have failed or will fail to accurately identify the appropriate economic indicators or accurately estimate their impacts to our borrowers or counterparties, which could impact the accuracy of our loss forecasts and allowance estimates. If the models, estimates and assumptions we use to establish reserves or the judgments we make in extending credit to our borrowers or counterparties, which are more sensitive due to the current uncertain macroeconomic and geopolitical environment, prove inaccurate in predicting future events, we may suffer losses in excess of our ECL. In addition, changes to external factors can negatively impact our recognition of credit losses in our portfolios and allowance for credit losses. The allowance for credit losses is our best estimate of ECL, but there is no guarantee that it will be sufficient to address credit losses, particularly if the economic outlook deteriorates significantly, quickly or unexpectedly. As circumstances change, we may increase our allowance, which would reduce earnings. If economic conditions worsen, impacting our consumer and commercial borrowers, counterparties or underlying collateral, and credit losses are unexpectedly worse, we may increase our provision for credit losses, which could adversely affect our results of operations and financial condition.

Liquidity is essential to our businesses. We fund our assets primarily with globally sourced deposits in our bank entities, as well as secured and unsecured liabilities transacted in the capital markets. We rely on certain secured funding sources, such as repo markets, which are typically short-term and credit-sensitive. We also engage in asset securitization transactions, including with the government-sponsored enterprises (GSEs), to help fund a portion of our consumer lending activities. Our liquidity could be adversely affected by any inability to access the capital markets, illiquidity or volatility in the capital markets, the decrease in value of eligible collateral or increased collateral requirements (including as a result of credit concerns for short-term borrowing), changes to our relationships with our funding providers based on real or perceived changes in our risk profile, prolonged federal government shutdowns, or uncertainties regarding the impact of GSE privatization, should it occur. Also, our liquidity or cost of funds may be negatively impacted by the unwillingness or inability of the Federal Reserve to act as lender of last resort, unexpected simultaneous draws on lines of credit or deposits, slower client payment rates, restricted access to the assets of prime brokerage clients, the withdrawal of or failure to attract client deposits or invested funds (e.g., from attrition driven by clients seeking higher yielding deposits or securities products, desiring to utilize an alternative financial institution perceived to be safer, changing spending behavior due to inflation, decline in the economy or other drivers resulting in an increased need for cash), increased regulatory liquidity, capital and margin requirements for our U.S. or international banks and their nonbank subsidiaries, which could result in the inability to transfer liquidity internally, changes in patterns of intraday liquidity usage resulting from a counterparty or technology failure or other idiosyncratic event or failure, the default by a significant market participant or third party (including clearing agents, custodians, central banks or central counterparty clearinghouses (CCPs)) or the inability to sell assets due to illiquid markets (e.g., no market exists or market saturation). These factors may increase our borrowing costs and negatively impact our liquidity. Several of these factors may arise due to circumstances beyond our control, such as general market volatility, disruption, shock or stress, stress in sovereign debt markets, the emergence of widespread health emergencies or pandemics and geopolitical events and/or turmoil (including military conflicts, such as the Russia/Ukraine conflict and the conflicts in the Middle East, or any potential escalation of such conflicts). Federal Reserve policy decisions (including fluctuations in interest rates or Federal Reserve balance sheet composition), negative views or loss of confidence about us or the financial services industry generally or due to a specific news event (e.g., regional bank failures), changes in the regulatory environment or governmental fiscal or monetary policies, actions by credit rating agencies or an operational problem that affects third parties or us. The impact of these potentially sudden events, whether within our control or not, could include an inability to sell assets or redeem investments, unforeseen outflows of cash, the need to draw on liquidity facilities, the reduction of financing balances and the loss of equity secured funding, debt repurchases to support the secondary market or meet client requests, the need for additional funding for commitments and contingencies and unexpected collateral calls, among other things, the result of which could be increased costs, a liquidity shortfall and/or impact on our liquidity coverage ratio. Our liquidity and cost of funds may be impacted by our reputation risk, investor behavior and confidence, debt market disruption, firm specific concerns or prevailing market conditions, including changes in interest and currency exchange rates, significant fluctuations in equity and futures prices, lower trading volumes and prices of securitized products and our credit spreads. Increases in interest rates and our credit spreads can increase the cost of our funding and result in mark-to-market or credit valuation adjustment exposures. Changes in our credit spreads are market driven and may be influenced by market perceptions of our creditworthiness, including changes in our credit ratings or changes in broader financial market and macroeconomic conditions. Changes to interest rates and our credit spreads occur continuously and may be unpredictable and highly volatile. We may also experience net interest margin compression from offering higher than expected deposit rates in order to attract and maintain deposits. Concentrations within our funding profile, such as maturities, currencies or counterparties, can also reduce our funding efficiency.

We are highly regulated and subject to evolving and comprehensive regulation under federal and state laws in the U.S. and the laws of the various foreign jurisdictions in which we operate. These laws and regulations significantly affect and have the potential to increase our compliance costs, restrict the scope of our existing businesses, require changes to our employment practices, business strategies and controls and procedures, limit our ability to pursue certain business opportunities, including the products and services we offer, reduce certain fees and rates and/or make our products and services more expensive for our clients. We are also required to file various financial and nonfinancial regulatory reports to comply with LRRs in the jurisdictions in which we operate, which results in additional compliance and operational risk. We continue to adjust our business and operations, legal entity structure, systems, disclosure, policies, procedures, processes, controls and governance, including with regard to capital and liquidity management, risk management and data management, in an effort to comply with LRRs, and evolving expectations, guidance and interpretation by regulatory authorities, including the Department of Treasury (including the Internal Revenue Service (IRS) and OFAC), Financial Crimes Enforcement Network, Federal Reserve, OCC, CFPB, Financial Stability Oversight Council, FDIC, Department of Labor, SEC and CFTC in the U.S., foreign regulators, other government authorities and self-regulatory organizations. Further, we expect to become subject to future LRRs, including beyond those currently proposed, adopted or contemplated in the U.S. or abroad, and evolving interpretations of existing and future LRRs, which may include policies and rulemaking related to FDIC assessments, loss allocations between financial institutions and clients regarding the use of our products and services, including electronic payments, emerging technologies, such as the development and use of AI (including machine learning and generative AI), cybersecurity and data, employment practices and further climate and environmental risk management and sustainability reporting and disclosure, including emissions. The cumulative effect of all of the current and possible future legislation and regulations, as well as related interpretations, on our litigation and regulatory exposure, businesses, operations, including our ability to compete, and profitability remains uncertain and necessitates that we make certain assumptions with respect to the scope and requirements of existing, prospective and proposed LRRs in our business planning and strategies. If these assumptions prove incorrect, we could be subject to increased regulatory, legal and compliance risks and costs, and potential reputational harm. Also, regulatory initiatives in the U.S. and abroad may overlap, and non-U.S. regulations and initiatives may be inconsistent or conflict with current or proposed U.S. regulations or with each other, which could lead to compliance risks and higher costs. Our regulators’ prudential and supervisory authority gives them broad power and discretion to direct our actions, and they have assumed an active oversight, inspection and investigatory role across the financial services industry. Regulatory focus is not limited to LRRs applicable to the financial services industry, but includes other significant LRRs that apply across industries and jurisdictions, including those related to anti-money laundering, anti-bribery, anti-corruption know-your-customer requirements, embargo programs and economic sanctions. We are also subject to LRRs in the U.S. and abroad, including the GDPR and CCPA, and a number of additional jurisdictions enacting or considering similar laws or amendments to existing laws, regarding privacy and the disclosure, collection, use, sharing and safeguarding of personally identifiable information, including our employees, clients, suppliers, counterparties and other third parties, the violation of which could result in litigation, regulatory fines, enforcement actions and operational loss. Also, we are and will continue to be subject to new and evolving data privacy laws in the U.S. and abroad, which could result in additional costs of compliance, litigation, regulatory fines and enforcement actions. There remains complexity and uncertainty, including potential suspension or prohibition, regarding data transfer because of concerns over compliance with LRRs for cross-border flows and transfers of personal data from the European Economic Area (EEA) to the U.S. and other jurisdictions outside of the EEA, resulting from judicial and regulatory guidance. Other jurisdictions, including China and India, have commenced consultation efforts or enacted new legislation or regulations to establish standards for personal data transfers. If cross-border personal data transfers are suspended or restricted or we are required to implement distinct processes for each jurisdiction’s standards, this could result in operational disruptions to our businesses, additional costs, increased enforcement activity, new contract negotiations with third parties, and/or modification of such data management. As part of their enforcement authority, our regulators and other government authorities have the authority to, among other things, conduct investigations and assess significant civil or criminal monetary fines, penalties or restitution, issue cease and desist orders, suspend or withdraw licenses and authorizations, initiate injunctive action, apply regulatory sanctions or cause us to enter into consent orders. The amounts paid by us and other financial institutions to settle proceedings or investigations have, in some instances, been substantial and may increase. In some cases, governmental authorities have required criminal pleas or other extraordinary terms as part of such resolutions, which could have significant consequences, including reputational harm, loss of clients, restrictions on the ability to access capital markets, and the inability to operate certain businesses or offer certain products. Our responses to regulators and other government authorities have been and may continue to be time-consuming and expensive and divert management attention from our business. The outcome of any matter, which may last years, may be difficult to predict or estimate. The terms of settlements, orders and agreements that we have entered into with government entities and regulatory authorities have also imposed, or could impose, significant operational and compliance costs on us with respect to enhancements to our procedures and controls, losses with respect to fraudulent transactions perpetrated against our clients, expansion of our risk and control functions within our lines of business, investment in technology and the hiring of significant numbers of additional risk, control and compliance personnel. For example, in December 2024, the OCC issued a Consent Order against BANA relating to certain aspects of BANA’s BSA, anti-money laundering and economic sanctions compliance programs, and we continue to respond to requests for information about similar aspects of such programs from other regulators. If we fail to meet the requirements of the regulatory settlements, orders or agreements to which we are subject, or, more generally, fail to maintain risk and control procedures and processes that meet the heightened standards established by our regulators and other government authorities, we could be required to enter into further settlements, orders or agreements and pay additional fines, penalties or judgments, or accept material regulatory restrictions on our businesses. Improper actions, behaviors or practices by us, our employees or representatives that are illegal, unethical or contrary to our core values, including the handling of fiduciary obligations, conflicts of interest and the misuse of confidential information, could harm us, our shareholders or clients or damage the integrity of the financial markets, and are subject to increasing regulatory scrutiny across jurisdictions. The complexity of the regulatory and enforcement regimes in the U.S., coupled with the global scope of our operations and the regulatory environment worldwide, also means that a single event or practice or a series of related events or practices may give rise to a significant number of overlapping investigations and regulatory proceedings, either by multiple federal and state agencies in the U.S. or by multiple regulators and other governmental entities in different jurisdictions. Actions by other members of the financial services industry related to business activities in which we participate may result in investigations by regulators or other government authorities. While we believe that we have an appropriate approach to developing and implementing risk management and compliance programs, compliance risks will continue to exist, particularly as we anticipate and adapt to new and evolving LRRs and evolving interpretations, and potential misconduct by bad actors globally. We also rely upon third parties who may expose us to compliance and legal risk. Future legislative or regulatory actions, and any required changes to our business or operations or strategy, or those of third parties upon whom we rely, resulting from such developments and actions could result in a significant loss of revenue, impose additional compliance and other costs or otherwise reduce our profitability, limit the products and services that we offer or our ability to pursue certain businesses and business opportunities, require us to dispose of certain businesses or assets, affect the value of assets held, require changes in training, testing, governance, controls and procedures and compensation practices, require us to increase prices and therefore reduce demand for our products, or otherwise adversely affect our businesses.

Our business is highly dependent on the security, controls and efficacy of our information systems, and the information systems of our clients, third parties, the financial services industry and financial data aggregators with whom we interact, on whom we rely or who have access to our clients’ personal or account information. We rely on effective access management and the secure collection, processing, maintenance, use, transmission, storage, dissemination and disposition of information in our and our third parties’ information systems. Our cybersecurity risk and exposure remains heightened because of, among other things, our prominent size and scale, high-profile brand, geographic footprint and international presence and role in the financial services industry and the broader economy. The proliferation of third-party financial data aggregators and emerging technologies, including AI (such as machine learning and generative AI) and robotics, increases our cybersecurity risks and exposure, including by making fraud detection and authentication more difficult. We, our employees, customers, regulators and third parties are ongoing targets of an increasing number of cybersecurity threats and cyberattacks. The tactics, techniques and procedures used in cyberattacks are pervasive, sophisticated, evolving and designed to evade security measures, including computer viruses, malicious or destructive code (such as ransomware), social engineering (including phishing, vishing and smishing), real and virtual impersonation, denial of service or information or other security breach tactics that have and in the future are likely to result in disruptions to our businesses and operations and the loss of funds, including from attempts to defraud us and/or our customers, and impact the confidentiality, integrity or availability of our information, including intellectual property, or the personal and/or confidential information of our employees, clients and third parties. Cyberattacks are carried out on a worldwide scale and by a growing number of actors, including organized crime groups, hackers, terrorist organizations, extremist parties, hostile foreign governments and their proxies, state-sponsored actors, activists, disgruntled employees and other persons or entities, including for corporate espionage. Cybersecurity threats and the tactics, techniques and procedures used in cyberattacks change, develop and evolve rapidly and continuously, including from growth in third-party services that facilitate or carry out cyberattacks and from emerging technologies, such as AI (including machine learning and generative AI) and quantum computing, which may be used to enhance the tactics, techniques and procedures described above and facilitate new cyber threats. Despite substantial efforts to protect the integrity and resilience of our information systems and implement controls, processes, policies, employee training and other protective measures, we cannot anticipate and detect all cybersecurity threats and incidents and/or develop or implement effective preventive or defensive measures designed to prevent, respond to or mitigate all cybersecurity threats and incidents. Internal access management or other technology failures could impact the confidentiality, integrity or availability of data and information. Our vulnerability increases if employees fail to exercise sound judgment and vigilance when targeted with social engineering or other cyberattacks increases our vulnerability. Our risk from and exposure to cybersecurity threats and incidents, information and security breaches and technology failures continues to increase due to the acceptance and use of digital banking and other digital products and services, including mobile banking products, and reliance on remote access tools and other technology, which have increased our reliance on virtual or digital interactions and a growing number of access points to our information systems that must be secured, and results in greater amounts of information being available for access. Greater demand on our information systems and security tools and processes will likely continue. We also face significant third-party technology, cybersecurity and operational risks relating to the large number of clients and third parties with whom we do business, the financial services industry, upon whom we rely to facilitate or enable our business activities or upon whom our clients rely, including the secure collection, processing, maintenance, use, sharing, dissemination and disposition of client and other sensitive information, providers of products and services, financial counterparties, financial data aggregators, financial intermediaries, such as clearing agents, exchanges and clearing houses, regulators, federal and state governments, providers of outsourced software, services and infrastructure, such as internet access, cloud service providers and electrical power, and retailers for whom we process transactions. Such third-party information systems extend beyond our security and control systems, and such third parties have varying levels of security and cybersecurity resources, expertise, safeguards, controls and capabilities. Threat actors may actively seek to exploit third-party security and cybersecurity weaknesses, and the relationships of our third parties with us may increase the risk that they are targeted by the same threats we face, and such third parties may be less prepared for such threats. Also, we are at risk from critical third-party information security and open-source or proprietary software defects and vulnerabilities. We must rely on our third parties to adequately detect and promptly report cybersecurity incidents. Their failure could adversely affect our ability to report or respond to cybersecurity incidents effectively or timely. Due to increasing consolidation, interdependence and complexity of financial entities and technology and information systems, a cybersecurity threat or incident, information or security breach or technology failure that significantly exposes, degrades, destroys, renders unavailable or compromises the information systems or information of one or more financial entities or third parties could adversely impact us and increase the risk of operational failure and loss, as disparate information systems need to be integrated, often on an accelerated basis. Similarly, any cybersecurity threat or incident, information or security breach or technology failure that significantly exposes, degrades, destroys, renders unavailable or compromises our information systems or information could adversely impact third parties and the critical infrastructure of the financial services industry, thereby creating additional risk for us. Cybersecurity incidents or information or security breaches could persist for an extended period of time prior to detection, and it often takes additional time to determine the scope, extent, amount and type of impact, including the information altered, destroyed, accessed or otherwise compromised, following which the measures to recover and restore to a business-as-usual state may be difficult to assess and require notification to our clients, government officials and regulators. We have spent and expect to continue to spend significant resources to modify and enhance our protective measures and our capabilities to respond and recover, investigate and remediate software and network defects and vulnerabilities, and defend against, detect and respond to cybersecurity threats and incidents, whether to us, third parties, the industry or businesses generally. While we and our third parties have experienced cybersecurity incidents, information and security breaches and technology failures, as well as adverse impacts from such events, including as described in this risk factor, we have not experienced material losses or other material consequences relating to cybersecurity incidents, information or security breaches or technology failures, whether directed at us or our third parties. However, we expect to continue to experience such events and impacts ourself and at our third parties with increased frequency and severity due to the evolving threat environment, and there can be no assurance that future cybersecurity incidents, information and security breaches and technology failures, including as a result of cybersecurity incidents, information and security breaches and technology failures experienced by our third parties, will not have a material adverse impact on us, including our businesses, results of operations and financial condition. Future cybersecurity incidents, information or security breaches or technology failures suffered by us or our third parties could result in disruption to our day-to-day business activities and an inability to effect transactions, execute trades, service our clients, safeguard information, manage our exposure to risk, expand our businesses, detect and prevent fraudulent or unauthorized transactions, including transactions impacting our clients, maintain information systems access and business operations and client services, in the U.S. and/or globally. Also, we could experience the loss of clients and business opportunities, the withdrawal of client deposits, the misappropriation, alteration or destruction of our or our third parties’ intellectual property or confidential information, the unauthorized access to or temporary or permanent loss or theft of information, including of our employees and clients, significant lost revenue, increased risk of fraudulent transactions, losses and claims brought by third parties, violations of applicable privacy, cybersecurity and other LRRs, litigation exposure, economic sanctions, enforcement actions, government fines, penalties or intervention and other negative consequences. Although we maintain cyber insurance, there can be no assurance that liabilities or losses we may incur will be covered under such policies or that the amount of insurance will be adequate. In the case of any cybersecurity incident, information or security breach or technology failure arising from third-party systems impacting us, any third-party indemnification may not be applicable or sufficient to address the impact of such cybersecurity incidents, information or security breaches or technology failures, including monetary losses of the Corporation. The occurrence of any of the events described above could adversely impact our businesses, results of operations, liquidity and financial condition, and cause reputational harm, whether such events are actual or perceived.