Popular (BPOP) Risk Analysis

Our businesses are highly regulated, and the laws and regulations that apply to us have a significant impact on our

investigations. As a federally regulated financial institution, we must comply with regulations and economic and trade sanctions and embargo programs administered by the Office of Foreign Assets Control ("OFAC") of the U.S. Treasury, as well as anti-money laundering laws and regulations, including those under the Bank Secrecy Act. Economic and trade sanctions regulations and programs administered by OFAC prohibit U.S.-based entities from entering into or facilitating unlicensed transactions with, for the benefit of, or in some cases involving the property and property interests of,persons, governments or countries designated by the U.S. government under one or more sanctions regimes, and also prohibit transactions that provide a benefit that is received in a country designated under one or more sanctions regimes. We are also subject to a variety of reporting and other requirements under the Bank Secrecy Act, including the requirement to file suspicious activity and currency transaction reports, that are designed to assist in the detection and prevention of money laundering, terrorist financing and other criminal activities. In addition, as a financial institution we are required to, among other things, identify our customers, adopt formal and comprehensive anti-money laundering programs, scrutinize or altogether prohibit certain transactions of special concern, and be prepared to respond to inquiries from U.S. law enforcement agencies concerning our customers and their transactions. Failure by the Corporation, its subsidiaries, affiliates or third-party service providers to comply with these laws and regulations could have serious legal and reputational consequences for the Corporation, including the possibility of regulatory enforcement or other legal action, including significant civil and criminal penalties. We also incur higher costs and face greater compliance risks in structuring and operating our businesses to comply with these requirements. The markets in which we operate heighten these costs and risks. We have established risk-based policies and procedures and employed software designed to assist us and our personnel in complying with these applicable laws and regulations. Even if the appropriate controls are in place, there can be no assurance that our policies and procedures will prevent us from blocking and rejecting all applicable transactions of our customers or our customers' customers that may involve a sanctioned person, government or country. Any failure to detect and prevent any such transaction could result in a violation of applicable laws and regulations and adversely affect our reputation, business, financial condition and results of operations. From time to time we have identified and voluntarily self-disclosed to OFAC transactions that were not timely identified,blocked or rejected by our policies, controls and procedures for screening transactions that might violate the regulations and economic and trade sanctions programs administered by OFAC. For example, during the second quarter of 2022, BPPR entered into a settlement agreement with OFAC with respect to certain transactions processed on behalf of two employees of the Government of Venezuela, in apparent violation of U.S. sanctions against Venezuela. Popular agreed to pay $256,000 to settle the apparent violations, which had been self-disclosed to OFAC. There can be no assurances that any failure to comply with U.S. sanctions and embargoes, or with anti-money laundering laws and regulations, will not result in material fines, sanctions or other penalties being imposed on us. Furthermore, if the policies, controls, and procedures of one of the Corporation's third-party service providers, together with our third-party oversight of such providers, do not prevent it from violating applicable laws and regulations in transactions in which it engages, such violations could adversely affect its ability to provide services to us.

operational risks that could have a material adverse effect on us. Third parties provide key components of our business operations, such as data processing, information security, recording and monitoring transactions, online banking interfaces and services, Internet connections and network access. The most important of these third-party service providers for us is Evertec due in large part to its role as a service provider to BPPR, our principal banking subsidiary. We are dependent on Evertec for the provision of essential services to our business, including certain of BPPR's core financial transaction processing and information technology and security services. As a result, we are particularly exposed to the operational risks of Evertec, including those related to its security architecture and potential breakdowns or failures of Evertec's systems or internal controls environment. Over the course of our relationship with Evertec, we have experienced interruptions and delays in key services provided by Evertec, as well as cyber events, as a result of system breakdowns, their exposure to zero-day vulnerabilities, misconfigurations,human error, application obsolescence and dependency on shared infrastructure components and shared environments, which have in certain cases also led to exposure of Popular information and BPPR customer information. In particular, the current level of obsolescence in the hardware and software used by Evertec to service us exposes us to heightened operational and cybersecurity risks, including system outages. Our ability to cure legacy obsolescence in the hardware and software we procure from Evertec, to expand our oversight over security services being provided by Evertec, as well as to effect the segregation of our shared infrastructure, is expected to be lengthy and complex, which exacerbates our exposure to resulting operational, including cybersecurity, risks. See "The transition to new financial services technology providers, and the replacement of services currently provided to us by Evertec, will be lengthy and complex" in the Operational Risks section of Item 1A in this Form 10-K below. While we select third-party vendors carefully and have increased our oversight of these relationships, our oversight is constrained by the level of our ongoing visibility into our vendor's systems and operations, and we do not have direct control over their actions, assets or services. Any problems caused by these vendors, including those resulting from disruptions in the services provided, vulnerabilities in or breaches of the vendor's systems or environments, failure of the vendor to handle current or higher volumes, failure of the vendor to provide services for any reason or poor performance of services, failure of the vendor to notify us of a reportable event in a timely manner, or our vendors' misuse of artificial intelligence and other automatic decision making technologies, could adversely affect our ability to deliver products and services to our customers and otherwise conduct our business, disrupt our operations, result in potential liability to customers and counterparties, result in the imposition of fines,penalties or judgments by our regulators, lead to exposure of our information or that of our customers or harm to our reputation, any of which could materially and adversely affect us. The inability of our third-party service providers to timely address cybersecurity threats may further exacerbate these risks. Financial or operational difficulties of a third-party vendor could also hurt our operations if those difficulties interfere with the vendor's ability to serve us. Replacing these third-party vendors, when possible, could also create significant delay and expense. Accordingly, the use of third parties creates an unavoidable inherent risk to our business operations.

Deterioration in the values of real properties securing our commercial, mortgage loan and construction portfolios have in

goals of the transformation project, the inability to maintain expenses related to our transformation program within current

cyber-attacks could cause substantial harm and have an adverse effect on our business and results of operations. Cybersecurity risks for large financial institutions such as Popular have increased significantly in recent years in part because of the proliferation of new technologies, such as mobile banking, cloud hosting, artificial intelligence and the ability to conduct instant financial transactions anywhere globally, as well as due to geopolitical conflicts and the increased sophistication and activities of organized crime, hackers, terrorists, nation-states, hacktivists and other parties. Cybersecurity threats are constantly evolving, especially given the advances in, and the rise of the use of, artificial intelligence and quantum computing, thereby increasing the difficulty of preventing, detecting and successfully defending against them. In the ordinary course of business, we rely on electronic communications and information systems to conduct our operations and to transmit and store sensitive data. Notwithstanding our defensive measures and the significant resources we devote to protecting the security of our systems, there is no assurance that all of our security measures will be effective at all times,especially as the threats from cyber-attacks are continuous and severe. The risk of a security breach due to a cyber-attack is expected to increase as we continue to expand our digital capabilities, mobile banking and other internet-based product offerings,the use of the cloud for system development and hosting and internal use of internet-based products and applications. We continue to detect and identify attacks that are becoming more sophisticated and increasing in volume, as well as attackers that respond rapidly to changes in defensive countermeasures. The most significant cyber-attack risks that we or our critical service providers may face include, but are not limited to, e-fraud, denial-of-service (DDoS), ransomware, computer intrusion and the exploitation of software zero-day vulnerabilities that might result in disruption of services, in the exposure or loss of customer or proprietary data, and significant financial loss. These types of cyber-attacks have in the past resulted and may continue to result in the compromise of sensitive customer data, such as account numbers, credit cards and social security numbers, and could present significant reputational, legal and regulatory costs to Popular if successful. Our customer-facing platforms are also routinely targeted by threat actors aiming to gain unauthorized access to our clients' accounts. Although we have implemented defensive measures designed to protect against such attacks, there is no assurance that these defensive measures will keep pace with threats that are continuous and growing in severity. For example, in 2022, certain customers were affected by brute force attacks on one of our platforms, which resulted in certain of our customers log-in credentials and information being exposed, resulting in fraudulent transfers or withdrawals. Popular customers have also been impacted by card skimming events in our ATM terminals. As a result, we have notified, and conducted additional remediation for,customers identified as affected by these incidents. Cyber-security risks have also been exacerbated by the discovery of zero-day vulnerabilities in widely distributed third party software, which have in the past affected and in the future could affect Popular's or any of its service provider's systems, as further detailed below. The increased use of remote access and third-party video conferencing solutions to enable work-from-home arrangements for employees has also increased our exposure to cyber-attacks, including through the use of deep fakes and brand impersonation. We expect the rise and use of artificial intelligence to exacerbate this risk. In addition, a third party could misappropriate confidential information obtained by intercepting signals or communications from mobile devices used by Popular's customers or employees. Recent geopolitical conflicts have also exacerbated the risks related to supply-chain compromises and de-stabilizing activities of nation-state sponsored actors. A material compromise or circumvention of the security of our systems could have serious negative consequences for us,including significant disruption of our operations and those of our clients, customers and counterparties, misappropriation of confidential information of Popular or that of our clients, customers, counterparties or employees, or damage to computers or systems used by us or by our clients, customers and counterparties, and could result in violations of applicable privacy and other laws, financial loss to us or to our customers, increased regulatory scrutiny and enforcement actions, customer dissatisfaction,significant litigation exposure and harm to our reputation, all of which could have a material adverse effect on us. Banking regulators increasingly scrutinize third-party relationships supporting critical activities. If our regulators determine that our oversight, contractual protections, or the performance and controls of our third-party providers (including critical providers) are inadequate, we could be required to implement enhanced controls, conduct independent reviews, restrict or terminate relationships, or undertake costly remediation or conversion activities, any of which could disrupt operations, increase expenses, or adversely affect our reputation and results of operations. The extent of a particular cyber-attack and the steps that we may need to take to investigate the attack may not be immediately clear, and it may take a significant amount of time before such an investigation can be completed. While such an investigation is ongoing, Popular may not necessarily know the full extent of the harm caused by the cyber-attack, and that damage may continue to spread. These factors may inhibit our ability to provide rapid, full and reliable information about the cyber-attack to our clients, customers, counterparties and regulators, as well as the public. Moreover, we may be required under SEC rules or bank regulations to disclose information about a cybersecurity event before it has been resolved or fully investigated. Furthermore, it may not be clear how best to contain and remediate the potential harm caused by the cyber-attack, and certain errors or actions could be repeated or compounded before they are discovered and remediated. Cyber-attacks could also cause interruptions in our operations and result in the incurrence of significant costs, including those related to forensic analysis and legal counsel. We also rely on third parties for the performance of a significant portion of our information technology functions and the provision of information security, technology and business process services. As a result, a successful compromise or circumvention of the security of the systems of these third-party service providers could have serious negative consequences for us, including compromise of our systems, misappropriation of our confidential information or that of our clients, customers, counterparties or employees, or other negative implications identified above with respect to a cyber-attack on our systems. The most important of these third-party service providers for us is Evertec. As a result, we depend on Evertec to identify and remediate certain of our cybersecurity vulnerabilities. Cyber-attacks at third-party service providers are also becoming increasingly common, and, as a result,cybersecurity risks relating to our vendors, including Evertec have increased. Certain risks particular to Evertec and our dependence on third parties are discussed under "We rely on other companies to provide key components of our business infrastructure,including certain of our core financial transaction processing and information technology and security services, which exposes us to a number of operational risks that could have a material adverse effect on us" in the Operational Risks section of Item 1A in this Form 10-K. During 2023, personal information of Popular customers' data was compromised in a data breach incident that impacted MOVEit, the third-party file transfer platform used by one of our service providers. Popular notified, as required or otherwise deemed appropriate, customers identified as affected by the incident. Furthermore, during 2024, threat actors exploited a zero-day vulnerability in the Fortinet enterprise management server software used by Evertec, which migrated to one of Popular's domain controllers due to a shared network environment. While Evertec eventually determined that no BPPR customer information was exfiltrated as a result of this incident, the event underscores the risks inherent in Popular's dependency on Evertec. Although these incidents did not have a material effect on Popular, including its business strategy, results of operations or financial condition, and our third-party service providers agreed to cover external remediation costs associated therewith, a compromise of Popular information or the personal information of our customers maintained by third party vendors could result in significant regulatory consequences, reputational damage and financial loss to us. The success of our business depends in part on the continuing ability of these (and other) third parties to perform these functions and services in a timely and satisfactory manner, which performance could be disrupted or otherwise adversely affected due to failures or other information security events originating at the third parties or at the third parties' suppliers or vendors (so-called "fourth party risk"). We may not be able to effectively directly monitor or mitigate fourth-party risk, in particular as it relates to the use of common suppliers or vendors by the third parties that perform functions and services for us. As cyber threats continue to evolve, we also expect to expend significant additional resources to continue to modify or enhance our layers of defense or to investigate and remediate additional information security vulnerabilities or incidents. The obsolescence in our hardware or software limits our ability to mitigate vulnerabilities. System enhancements and updates also create risks associated with implementing new systems and integrating them with existing ones, including risks associated with supply chain compromises and the software development lifecycle of the systems used by us and our service providers. In addition,addressing certain information security vulnerabilities, such as hardware-based vulnerabilities, may affect the performance of our information technology systems. The ability of our hardware and software providers to deliver patches and updates to mitigate vulnerabilities in a timely manner can introduce additional risks, particularly when a vulnerability is being actively exploited by threat actors. Moreover, our efforts to timely mitigate vulnerabilities and manage such risks, given the rise in number and urgency of required patches and third-party software, as well as the obsolescence in some of our hardware and software, may impact our day-to-day operations, the availability of our systems and delay the deployment of technology enhancements and innovation. If Popular's operational systems, or those of external parties on which Popular's businesses depend, are unable to meet the requirements of our businesses and operations or the standards of our regulators or other applicable data protection and privacy laws, or if they fail, have other significant shortcomings or are impacted by cyber-attacks, Popular could be materially and adversely affected.

result of our continued dependence on Evertec, we may be unable to enhance our current services and introduce new

financial condition will be adversely affected. Under regulatory capital adequacy requirements, and other regulatory requirements, Popular and our banking subsidiaries must meet requirements that include quantitative measures of assets, liabilities and certain off-balance sheet items, subject to qualitative judgments by regulators regarding components, risk weightings and other factors. If we fail to meet these minimum capital requirements and other regulatory requirements, our business and financial condition will be materially and adversely affected. If a financial holding company fails to maintain well-capitalized status under the regulatory framework, or is deemed not well managed under regulatory exam procedures, or if it experiences certain regulatory violations, its status as a financial holding company and its related eligibility for a streamlined review process for acquisition proposals, and its ability to offer certain financial products, may be compromised and its financial condition and results of operations could be adversely affected. The failure of any depository institution subsidiary of a financial holding company to maintain well-capitalized or well-managed status could have similar consequences. See "Our businesses are highly regulated, and the laws and regulations that apply to us have a significant impact on our business and operations" in the Legal and Regulatory Risks section of Item 1A in this Form 10-K.

impact us in the future. A significant portion of our business involves lending money, which exposes us to credit risk and risk of loss if borrowers do not repay their loans, leases, credit cards or other credit obligations. The performance of these credit portfolios significantly affects our financial condition and results of operations. We have in the past been adversely affected by negative changes in the financial condition of our clients due to weakness in the Puerto Rico and U.S. economy. If the current economic environment were to deteriorate, more customers may have difficulty in repaying their credit obligations, which may result in higher levels of credit losses and reserves for credit losses.

the adoption of new technologies such as artificial intelligence which may put us at a competitive disadvantage. We operate in a highly competitive environment, in which we compete on the basis of a number of factors, including customer service, quality and variety of products and services, price, interest rates on loans and deposits, innovation, technology,ease of use, reputation, and transaction execution. While our main competition continues to come from other Puerto Rico banks and financial institutions, we face increased competition from non-Puerto Rico institutions, as emerging technologies and the growth of e-commerce have significantly reduced geographic barriers. These technologies have also made it easier for non-depositary institutions to offer products and services that were traditionally considered banking products and allowed non-traditional financial service providers and technology companies to provide electronic and internet-based financial solutions and services. In addition,nonbank firms may have a competitive advantage over traditional banks and bank holding companies such as Popular due to factors such as differences in regulation, funding models and tax treatment. We may also be unable to adopt or integrate new technologies that could reduce expenses and simplify our operations, including artificial intelligence, automation and algorithmic tools, at the pace of such competitors due to operational and compliance challenges and risks relating to data quality, internal controls, privacy and consumer protection, among others. Our failure to successfully adopt and integrate these new technologies in a timely and effective manner may impair our ability to compete effectively or to attract or retain business. Moreover, increased competition could create pressure to lower prices, fees, commissions or credit standards on our products and services, which could adversely affect our financial condition and results of operations. Increased competition could also create pressure to raise interest rates on deposits or increase deposit attrition, which could negatively impact our business, financial condition, liquidity results of operations or capital position.

or type of client. Our credit risk and credit losses can increase to the extent our loans are concentrated in borrowers engaged in the same or similar activities or in borrowers who as a group may be uniquely or disproportionately affected by certain economic or market conditions. We have significant exposure to borrowers in certain economic sectors, such as residential and commercial real estate,hospitality and healthcare. Challenging economic or market conditions that affect the industries or types of clients to which we have significant exposure could result in higher credit losses and adversely affect our business, financial condition, liquidity, results of operations or capital position. We also have direct lending and investment exposure to Puerto Rico government entities, which have faced significant fiscal challenges. At December 31, 2025, our exposure to the Puerto Rico government consisted of $391 million in direct lending exposure to Puerto Rico municipalities and $209 million in loans insured or securities issued by Puerto Rico governmental entities but for which the principal source of repayment is non-governmental. We also have indirect lending exposure to the Puerto Rico government in the form of loans to private borrowers who are service providers, lessors, suppliers or have other relationships with the Puerto Rico government. While the overall fiscal situation of the Puerto Rico government has improved in recent years, including as a result of the government and certain of its instrumentalities having restructured their debt obligations, some Puerto Rico government entities, including certain municipalities, still face significant fiscal challenges. A deterioration in the fiscal situation of the Puerto Rico government and its instrumentalities, and in particular the fiscal situation of the Puerto Rico municipalities to which we have direct lending exposure, could result in higher credit losses and reserves for credit losses. For a discussion of risks related to the Corporation's credit exposure to the Puerto Rico and USVI governments, see the Geographic and Government Risk section in the MD&A section of this Form 10-K.