Citigroup (C) Risk Analysis

Citi's regulators have broad powers and discretion under their prudential and supervisory authority, and have pursued active inspection and investigatory oversight. At any given time, Citi is a party to a significant number of legal and regulatory proceedings and is subject to numerous governmental and regulatory examinations. Additionally, Citi remains subject to governmental and regulatory investigations, consent orders (see discussion below) and related compliance efforts, and other inquiries. Citi could also be subject to enforcement proceedings and negative regulatory evaluation or examination findings not only because of violations of laws and regulations, but also due to failures, as determined by its regulators, to have adequate policies and procedures, or to remedy deficiencies on a timely basis (see also the capital return and resolution plan risk factors above). Citi could face further scrutiny and consequences from regulators for failing to timely resolve open regulatory issues or having repeat regulatory issues. As previously disclosed, the 2020 FRB Consent Order and the 2020 OCC Consent Order require Citigroup and Citibank, respectively, to implement extensive targeted action plans and submit quarterly progress reports on a timely and sufficient basis detailing the results and status of improvements relating principally to various aspects of enterprise-wide risk management, compliance, data quality management related to governance, and internal controls. These improvements will result in continued significant investments by Citi during 2025 and beyond, as an essential part of Citi's broader transformation efforts to enhance its risk, controls, data and finance infrastructure and compliance (see the transformation, simplification and other priorities-related risk factor above). Additionally, on July 10, 2024, the FRB entered into a Civil Money Penalty Consent Order with Citigroup, and the OCC entered into a Civil Money Penalty Consent Order with Citibank. The OCC and Citibank also entered into an Amendment to the OCC's 2020 Consent Order (the Amendment). The FRB found that Citigroup had ongoing deficiencies related to its data quality management program and had inadequate measures for managing and controlling its data quality risks. The OCC found that Citibank had failed to make sufficient and sustainable progress toward achieving compliance with its 2020 Consent Order. The Amendment requires Citibank to formalize a process to determine whether sufficient resources are being appropriately allocated toward achieving timely and sustainable compliance with the OCC's 2020 Consent Order, including any requirements on which Citibank is not making sufficient and sustainable progress (such process, the Resource Review Plan). There can be no assurance that the Resource Review Plan and other efforts by Citi to address the deficiencies and resolve the OCC and FRB Consent Orders will occur in a manner satisfactory, in both timing and sufficiency, to the FRB and OCC. (For additional information, see "Citi's Multiyear Transformation" above.)Although there are no restrictions on Citi's ability to serve its clients, the OCC Consent Order requires Citibank to obtain prior approval of any significant new acquisition, including any portfolio or business acquisition, excluding ordinary course transactions.Moreover, the OCC Consent Order provides that the OCC has the right to assess future civil money penalties or take other supervisory and/or enforcement actions. Such actions by the OCC could include imposing business restrictions, including possible additional limitations on the declaration or payment of dividends by Citibank and changes in directors and/or senior executive officers. More generally, the OCC and/or the FRB could again take enforcement or other actions if the regulatory agency believes that Citi has not met regulatory expectations regarding compliance with the consent orders. The global judicial, regulatory and political environment has generally been challenging for large financial institutions, which have been subject to increased regulatory scrutiny. The complexity of the federal and state regulatory and enforcement regimes in the U.S., coupled with the global scope of Citi's operations, also means that a single event or issue may give rise to a large number of overlapping investigations and regulatory proceedings, either by multiple federal and state agencies and authorities in the U.S. or by multiple regulators and other governmental entities in foreign jurisdictions, as well as multiple civil litigation claims in multiple jurisdictions. Violations of law by other financial institutions may also result in regulatory scrutiny of Citi. Responding to regulatory inquiries and proceedings can be time consuming and costly, and divert management attention from Citi's businesses. U.S. and non-U.S. regulators have been increasingly focused on the culture of financial services firms, including Citi, as well as "conduct risk," a term used to describe the risks associated with behavior by employees and agents, including third parties, that could harm clients, customers, employees or the integrity of the markets, such as improperly creating, selling, marketing or managing products and services or improper incentive compensation programs with respect thereto, failures to safeguard a party's personal information or failures to identify and manage conflicts of interest. In addition to the greater focus on conduct risk, the general heightened scrutiny and expectations from regulators could lead to investigations and other inquiries, as well as remediation requirements, regulatory restrictions, structural changes, more regulatory or other enforcement proceedings, civil litigation and higher compliance and other risks and costs. For additional information, see the capital return and heightened regulatory scrutiny and ongoing interpretation of regulatory changes risk factors above. Further, while Citi takes numerous steps to prevent and detect conduct by employees and agents that could potentially harm clients, customers, employees or the integrity of the markets, such behavior may not always be deterred or prevented. Review Plan and other efforts by Citi to address the deficiencies and resolve the OCC and FRB Consent Orders will occur in a manner satisfactory, in both timing and sufficiency, to the FRB and OCC. (For additional information, see "Citi's Multiyear Transformation" above.) Although there are no restrictions on Citi's ability to serve its clients, the OCC Consent Order requires Citibank to obtain prior approval of any significant new acquisition, including any portfolio or business acquisition, excluding ordinary course transactions. Moreover, the OCC Consent Order provides that the OCC has the right to assess future civil money penalties or take other supervisory and/or enforcement actions. Such actions by the OCC could include imposing business restrictions, including possible additional limitations on the declaration or payment of dividends by Citibank and changes in directors and/or senior executive officers. More generally, the OCC and/or the FRB could again take enforcement or other actions if the regulatory agency believes that Citi has not met regulatory expectations regarding compliance with the consent orders. The global judicial, regulatory and political environment has generally been challenging for large financial institutions, which have been subject to increased regulatory scrutiny. The complexity of the federal and state regulatory and enforcement regimes in the U.S., coupled with the global scope of Citi's operations, also means that a single event or issue may give rise to a large number of overlapping investigations and regulatory proceedings, either by multiple federal and state agencies and authorities in the U.S. or by multiple regulators and other governmental entities in foreign jurisdictions, as well as multiple civil litigation claims in multiple jurisdictions. Violations of law by other financial institutions may also result in regulatory scrutiny of Citi. Responding to regulatory inquiries and proceedings can be time consuming and costly, and divert management attention from Citi's businesses. U.S. and non-U.S. regulators have been increasingly focused on the culture of financial services firms, including Citi, as well as "conduct risk," a term used to describe the risks associated with behavior by employees and agents, including third parties, that could harm clients, customers, employees or the integrity of the markets, such as improperly creating, selling, marketing or managing products and services or improper incentive compensation programs with respect thereto, failures to safeguard a party's personal information or failures to identify and manage conflicts of interest. In addition to the greater focus on conduct risk, the general heightened scrutiny and expectations from regulators could lead to investigations and other inquiries, as well as remediation requirements, regulatory restrictions, structural changes, more regulatory or other enforcement proceedings, civil litigation and higher compliance and other risks and costs. For additional information, see the capital return and heightened regulatory scrutiny and ongoing interpretation of regulatory changes risk factors above. Further, while Citi takes numerous steps to prevent and detect conduct by employees and agents that could potentially harm clients, customers, employees or the integrity of the markets, such behavior may not always be deterred or prevented. Moreover, the severity of the remedies sought in legal and regulatory proceedings to which Citi is subject has remained elevated. For example, U.S. and certain non-U.S. governmental entities have increasingly brought criminal actions against, or have sought and obtained criminal guilty pleas or deferred prosecution agreements from, financial institutions and individual employees. These types of actions by U.S. and other governments may, in the future, have significant collateral consequences for Citi, including loss of customers and business, operational loss and the inability to offer certain products or services and/or operate certain businesses. Citi may be required to accept or be subject to similar types of criminal remedies, consent orders, sanctions, substantial fines and penalties, remediation and other financial costs or other requirements in the future, including for matters or practices not yet known to Citi, any of which could materially and negatively affect Citi's businesses, business practices, financial condition or results of operations, require material changes in Citi's operations or cause Citi substantial reputational harm. Additionally, many large claims-both private civil and regulatory-asserted against Citi are highly complex, slow to develop and may involve novel or untested legal theories. The outcome of such proceedings is difficult to predict or estimate until late in the proceedings. Although Citi establishes accruals for its legal and regulatory matters according to accounting requirements, Citi's estimates of, and changes to, these accruals involve significant judgment and may be subject to significant uncertainty, and the amount of loss ultimately incurred in relation to those matters may be substantially higher than the amounts accrued (see the incorrect assumptions or estimates risk factor above). In addition, certain settlements are subject to court approval and may not be approved. Furthermore, regulators may be more likely to pursue investigations or proceedings against financial institutions, such as Citi, that have previously been the subject of other regulatory actions.For further information on Citi's legal and regulatory proceedings, see Note 30.OTHER RISKSCiti's Emerging Markets Presence Subjects It to Various Risks as well as Increased Compliance and Regulatory Risks and Costs.Citi's presence in the emerging markets subjects it to various risks. During 2024, emerging markets revenues accounted for approximately 28% of Citi's total revenues (based, beginning in 2024, on the IMF and FFIEC classifications, which resulted in the exclusion of certain countries that Citi previously classified as emerging markets). Emerging market risks include, among others, limitations or unavailability of hedges on foreign investments; foreign currency volatility, including devaluations and strength in the U.S. dollar; central bank interest rate and other monetary policies, including the impact of sustained high interest rates in the U.S.; unemployment, recessions or weak or slowing economic growth; elevated inflation and hyperinflation; foreign exchange controls, including an inability to access indirect foreign exchange mechanisms; macroeconomic, Moreover, the severity of the remedies sought in legal and regulatory proceedings to which Citi is subject has remained elevated. For example, U.S. and certain non-U.S. governmental entities have increasingly brought criminal actions against, or have sought and obtained criminal guilty pleas or deferred prosecution agreements from, financial institutions and individual employees. These types of actions by U.S. and other governments may, in the future, have significant collateral consequences for Citi, including loss of customers and business, operational loss and the inability to offer certain products or services and/or operate certain businesses. Citi may be required to accept or be subject to similar types of criminal remedies, consent orders, sanctions, substantial fines and penalties, remediation and other financial costs or other requirements in the future, including for matters or practices not yet known to Citi, any of which could materially and negatively affect Citi's businesses, business practices, financial condition or results of operations, require material changes in Citi's operations or cause Citi substantial reputational harm. Additionally, many large claims-both private civil and regulatory-asserted against Citi are highly complex, slow to develop and may involve novel or untested legal theories. The outcome of such proceedings is difficult to predict or estimate until late in the proceedings. Although Citi establishes accruals for its legal and regulatory matters according to accounting requirements, Citi's estimates of, and changes to, these accruals involve significant judgment and may be subject to significant uncertainty, and the amount of loss ultimately incurred in relation to those matters may be substantially higher than the amounts accrued (see the incorrect assumptions or estimates risk factor above). In addition, certain settlements are subject to court approval and may not be approved. Furthermore, regulators may be more likely to pursue investigations or proceedings against financial institutions, such as Citi, that have previously been the subject of other regulatory actions. For further information on Citi's legal and regulatory proceedings, see Note 30.

Citi has experienced, and could experience in the future, negative impacts to its businesses, results of operations and financial condition as a result of various macroeconomic, geopolitical and other challenges, uncertainties and volatility. These include, among other things, any resurgence in inflation; government fiscal and monetary actions or expected actions, including changes in interest rate policy, reductions in central bank balance sheets or other monetary policies; and increases in unemployment rates, recessions or weak or slowing economic growth in the U.S., Europe and other regions or countries. These impacts could adversely affect Citi's consumer and institutional clients, businesses, cost of credit and overall results of operations. For example, inflation could resurge if the FRB were to reduce interest rates prematurely and/or at too accelerated a pace, or if certain policies were further pursued in the U.S., including those related to trade, tariffs and immigration. Interest rates on loans Citi makes are typically based off or set at a spread over a benchmark interest rate and would likely decline or rise as benchmark rates decline or rise, respectively. A decline in interest rates would generally be expected to result in lower overall net interest income for Citi, although Corporate Treasury has various tools to manage Citi's total interest rate risk position (see "Managing Global Risk- Market Risk-Market Risk of Non-Trading Portfolios" below). In addition, Citi's net interest income could be adversely affected due to a flattening (a lower spread between shorter-term versus longer-term interest rates) or inversion (shorter-term interest rates exceeding longer-term interest rates) of the interest rate yield curve, as Citi typically pays interest on deposits based on shorter-term interest rates and earns money on loans based on longer-term interest rates. For additional information on Citi's interest rate risk, see "Managing Global Risk-Market Risk-Banking Book Interest Rate Risk" below. Additional areas of uncertainty include, among others, geopolitical challenges, tensions and conflicts, including those related to the Russia–Ukraine war (see below) and conflicts in the Middle East; potential policies and priorities resulting from the new U.S. administration; economic and geopolitical challenges related to China, including weak economic growth, related policy actions, challenges in the Chinese real estate sector, banking and credit markets, trade restrictions, and tensions or conflicts between China and Taiwan and/or China and the U.S.; high and rising government debt levels in the U.S. and other countries; significant volatility and disruptions in financial markets, including foreign currency volatility and devaluations; natural disasters; and pandemics. For example, the Russia–Ukraine war could have further negative impacts on regional and global energy and other commodities and financial markets and macroeconomic conditions, adversely impacting jurisdictions where Citi operates and its customers, clients or employees. In addition, Citi's remaining operations in Russia subject Citi to various other risks, including foreign currency volatility, such as appreciations or devaluations; restrictions arising from retaliatory Russian laws and regulations on the conduct of Citi's remaining businesses, including, without limitation, its provision of certain securities services to customers; sanctions or asset freezes; and other deconsolidation events. For additional information about these Russia-related risks, see the operational processes and systems, cybersecurity and emerging markets risk factors and "Managing Global Risk-Other Risks-Country Risk-Russia" below.STRATEGIC RISKSCiti's Ability to Return Capital to Common Shareholders Substantially Depends on Regulatory Capital Requirements, Including the Results of the CCAR Process and Dodd-Frank Act Regulatory Stress Tests, and Other Factors.Citi's ability to return capital to its common shareholders consistent with its capital planning efforts and targets, whether through its common stock dividend or through share repurchases, substantially depends, among other things, on its regulatory capital requirements, including the annual recalibration of the Stress Capital Buffer (SCB), which is based upon the results of the CCAR process required by the FRB, and recalibration of the GSIB surcharge, as well as the supervisory expectations and assessments regarding individual institutions.The FRB's annual stress testing requirements are integrated into ongoing regulatory capital requirements. Citi's SCB equals the maximum projected decline in its CET1 Capital ratio under the supervisory severely adverse scenario over a nine-quarter CCAR measurement period, plus four quarters of planned common stock dividends as a percentage of Citi's risk-weighted assets, subject to a minimum requirement of 2.5%. The SCB is calculated by the FRB using its proprietary data and modeling of each firm's results. Accordingly, Citi's SCB may go up, based on the supervisory stress test results, thus potentially resulting in an increase in Citi's required regulatory CET1 Capital ratio under the "Managing Global Risk-Market Risk-Banking Book Interest Rate Risk" below. Additional areas of uncertainty include, among others, geopolitical challenges, tensions and conflicts, including those related to the Russia–Ukraine war (see below) and conflicts in the Middle East; potential policies and priorities resulting from the new U.S. administration; economic and geopolitical challenges related to China, including weak economic growth, related policy actions, challenges in the Chinese real estate sector, banking and credit markets, trade restrictions, and tensions or conflicts between China and Taiwan and/or China and the U.S.; high and rising government debt levels in the U.S. and other countries; significant volatility and disruptions in financial markets, including foreign currency volatility and devaluations; natural disasters; and pandemics. For example, the Russia–Ukraine war could have further negative impacts on regional and global energy and other commodities and financial markets and macroeconomic conditions, adversely impacting jurisdictions where Citi operates and its customers, clients or employees. In addition, Citi's remaining operations in Russia subject Citi to various other risks, including foreign currency volatility, such as appreciations or devaluations; restrictions arising from retaliatory Russian laws and regulations on the conduct of Citi's remaining businesses, including, without limitation, its provision of certain securities services to customers; sanctions or asset freezes; and other deconsolidation events. For additional information about these Russia-related risks, see the operational processes and systems, cybersecurity and emerging markets risk factors and "Managing Global Risk-Other Risks-Country Risk-Russia" below.

Climate change presents both immediate and long-term risks to Citi and its customers and clients, with the risks expected to increase over time. Climate risks can arise from both physical risks (those risks related to the physical effects of climate change) and transition risks (risks related to regulatory, market, technological, stakeholder and legal changes from a transition to a low-carbon economy). Physical and transition risks can manifest themselves differently across Citi's risk categories in the short, medium and long terms. Physical risks from climate change include acute risks, such as wildfires, hurricanes, floods and droughts, as well as consequences of chronic changes in climate, such as rising sea levels, prolonged droughts and systemic changes to geographies and any resulting population migration. For example, physical risks could have adverse financial, operational and other impacts on Citi, both directly on its business and operations, and indirectly as a result of impacts to Citi's clients, customers, vendors and other counterparties. These impacts can include destruction, damage or impairment of owned or leased properties and other assets, destruction or deterioration of the value of collateral, such as real estate, disruptions to business operations and supply chains, and reduced availability or increase in the cost of insurance. Physical risks can also impact Citi's credit risk exposures, for example, in its mortgage and commercial real estate lending businesses. Transition risks may arise from changes in regulations or market preferences toward low-carbon industries or sectors, which in turn could have negative impacts on asset values, results of operations or the reputations of Citi and its customers and clients. For example, Citi's corporate credit exposures include oil and gas, power and other industries that may experience reduced demand for carbon-intensive products due to the transition to a low-carbon economy. Failure to adequately consider transition risk in developing and executing on its business strategy could lead to a loss of market share, lower revenues and higher credit costs. Transition risks also include potential increased operational, compliance and energy costs driven by government policies to promote decarbonization. Moreover, increasing legislative and regulatory changes and uncertainties regarding climate-related risk management and disclosures may result in increased regulatory, compliance, credit, reputational and other risks and costs for Citi. In addition, Citi could face increased regulatory scrutiny and reputation and litigation risks as a result of its climate risk, sustainability and other environmental and social commitments, disclosures, marketing and positioning. For example, any actual or perceived overstatement of the environmental benefits of Citi's actions may result in legal or regulatory actions and/or reputational harm. Even as some regulators seek to mandate additional disclosure of climate-related information, Citi's ability to comply with such requirements and conduct more robust climate-related risk analyses may be hampered by lack of information and reliable data. Data on climate-related risks is limited in availability, often based on estimated or unverified figures, collected and reported on a time-lag, and variable in quality. Modeling capabilities to analyze climate-related risks and interconnections continue to evolve.Additionally, if Citi is unable to achieve its objectives or commitments relating to climate change, its businesses, reputation, attractiveness to certain investors and efforts to recruit and retain employees may suffer. For example, Citi's approach to supporting client decarbonization in a gradual and orderly way, while promoting energy security, may lead to both continued exposure to carbon-intensive activity and increased reputation risks from stakeholders with divergent points of view. Citi may also face challenges and scrutiny from stakeholders with varied views on climate change that may impact its ability to conduct certain business.For information on Citi's climate and other sustainability initiatives, see "Net Zero and Sustainability" below. For additional information on Citi's management of climate risk, see "Managing Global Risk-Strategic Risk-Climate Risk" below.Citi's Ability to Utilize Its DTAs, and Thus Reduce the Negative Impact of the DTAs on Citi's Regulatory Capital, Will Be Driven by Its Ability to Generate U.S. Taxable Income.At December 31, 2024, Citi's net DTAs were $29.8 billion, net of a valuation allowance of $4.3 billion, of which $12.8 billion was deducted from Citi's CET1 Capital under the U.S. Basel III rules. Of this deducted amount, $11.6 billion related to net operating losses, foreign tax credit and general business credit carry-forwards, with $3.0 billion related to temporary differences in excess of the 10%/15% regulatory limitations, reduced by $1.8 billion of deferred tax liabilities, primarily associated with goodwill and certain other intangible assets that were separately deducted from capital.Citi's overall ability to realize its DTAs will primarily be dependent upon Citi's ability to generate U.S. taxable income in the relevant reversal periods. Failure to realize any portion of the net DTAs would have a corresponding negative impact on Citi's net income and financial returns.The accounting treatment for realization of DTAs is complex and requires significant judgment and estimates regarding future taxable earnings in the jurisdictions in which the DTAs arise and available tax planning strategies. Forecasts Moreover, increasing legislative and regulatory changes and uncertainties regarding climate-related risk management and disclosures may result in increased regulatory, compliance, credit, reputational and other risks and costs for Citi. In addition, Citi could face increased regulatory scrutiny and reputation and litigation risks as a result of its climate risk, sustainability and other environmental and social commitments, disclosures, marketing and positioning. For example, any actual or perceived overstatement of the environmental benefits of Citi's actions may result in legal or regulatory actions and/or reputational harm. Even as some regulators seek to mandate additional disclosure of climate-related information, Citi's ability to comply with such requirements and conduct more robust climate-related risk analyses may be hampered by lack of information and reliable data. Data on climate-related risks is limited in availability, often based on estimated or unverified figures, collected and reported on a time-lag, and variable in quality. Modeling capabilities to analyze climate-related risks and interconnections continue to evolve. Additionally, if Citi is unable to achieve its objectives or commitments relating to climate change, its businesses, reputation, attractiveness to certain investors and efforts to recruit and retain employees may suffer. For example, Citi's approach to supporting client decarbonization in a gradual and orderly way, while promoting energy security, may lead to both continued exposure to carbon-intensive activity and increased reputation risks from stakeholders with divergent points of view. Citi may also face challenges and scrutiny from stakeholders with varied views on climate change that may impact its ability to conduct certain business. For information on Citi's climate and other sustainability initiatives, see "Net Zero and Sustainability" below. For additional information on Citi's management of climate risk, see "Managing Global Risk-Strategic Risk-Climate Risk" below.

As a large, global financial institution, adequate liquidity and sources of funding are essential to Citi's businesses. Citi's liquidity, sources of funding and costs of funding can be significantly and negatively impacted by factors it cannot control, such as general disruptions in the financial markets; changes in fiscal and monetary policies; regulatory requirements, including changes in regulations; negative investor or counterparty perceptions of Citi's creditworthiness; deposit outflows or unfavorable changes in deposit mix; unexpected increases in cash or collateral requirements; credit ratings; and the consequent inability to monetize available liquidity resources. In addition, Citi competes with other banks and financial institutions for both institutional and consumer deposits, which represent Citi's most stable and lowest cost source of long-term funding. The competition for deposits has continued to increase in recent years, including as a result of quantitative tightening by central banks and fixed income alternatives for customer funds.Citi's costs to obtain and access wholesale funding are directly related to changes in interest and currency exchange rates and its credit spreads. Changes in Citi's credit spreads are driven by both external market factors and factors specific to Citi, such as negative views by investors of the financial services industry or Citi's financial prospects, and can be highly volatile. For additional information on Citi's primary sources of funding, see "Managing Global Risk-Liquidity Risk" below. Citi's ability to obtain funding may be impaired and its cost of funding could also increase if other market participants are seeking to access the markets at the same time or to a greater extent than expected, or if market appetite for corporate debt securities declines, as is likely to occur in a liquidity stress event or other market crisis. In such circumstances, Citi's ability to sell assets may also be impaired if other market participants are seeking to sell similar assets at the same time or a liquid market does not exist for such assets. Additionally, unexpected changes in client needs due to idiosyncratic events or market conditions could result in greater than expected drawdowns from off-balance sheet committed facilities. A sudden drop in market liquidity could also cause a temporary or protracted dislocation of capital markets activity. In addition, clearing organizations, central banks, clients and financial institutions with which Citi interacts may exercise the right to require additional collateral during challenging market conditions, which could further impair Citi's liquidity. If Citi fails to effectively manage its liquidity, its businesses, results of operations and financial condition could be negatively impacted.Limitations on the payments that Citigroup Inc. receives from its subsidiaries could also impact its liquidity. As a holding company, Citigroup Inc. relies on interest, dividends, distributions and other payments from its subsidiaries to fund dividends as well as to satisfy its debt and other obligations. Several of Citi's U.S. and non-U.S. subsidiaries are or may be subject to capital adequacy or other liquidity, regulatory or contractual restrictions on their ability to provide such payments, including any local regulatory stress test requirements and inter-affiliate arrangements entered into in connection with Citigroup Inc.'s resolution plan. Citigroup Inc.'s broker-dealer and bank subsidiaries are subject to restrictions on their ability to lend or transact with affiliates, as well as restrictions on their ability to use funds deposited with them in brokerage or bank accounts to fund their businesses. A bank holding company is also required by law to act as a source of financial and managerial strength for its subsidiary banks. As a result, the FRB may require Citigroup Inc. to commit resources to its subsidiary banks even if doing so is not otherwise in the interests of Citigroup Inc. or its shareholders or creditors, reducing the amount of funds available to meet its obligations. and financial institutions for both institutional and consumer deposits, which represent Citi's most stable and lowest cost source of long-term funding. The competition for deposits has continued to increase in recent years, including as a result of quantitative tightening by central banks and fixed income alternatives for customer funds. Citi's costs to obtain and access wholesale funding are directly related to changes in interest and currency exchange rates and its credit spreads. Changes in Citi's credit spreads are driven by both external market factors and factors specific to Citi, such as negative views by investors of the financial services industry or Citi's financial prospects, and can be highly volatile. For additional information on Citi's primary sources of funding, see "Managing Global Risk-Liquidity Risk" below. Citi's ability to obtain funding may be impaired and its cost of funding could also increase if other market participants are seeking to access the markets at the same time or to a greater extent than expected, or if market appetite for corporate debt securities declines, as is likely to occur in a liquidity stress event or other market crisis. In such circumstances, Citi's ability to sell assets may also be impaired if other market participants are seeking to sell similar assets at the same time or a liquid market does not exist for such assets. Additionally, unexpected changes in client needs due to idiosyncratic events or market conditions could result in greater than expected drawdowns from off-balance sheet committed facilities. A sudden drop in market liquidity could also cause a temporary or protracted dislocation of capital markets activity. In addition, clearing organizations, central banks, clients and financial institutions with which Citi interacts may exercise the right to require additional collateral during challenging market conditions, which could further impair Citi's liquidity. If Citi fails to effectively manage its liquidity, its businesses, results of operations and financial condition could be negatively impacted. Limitations on the payments that Citigroup Inc. receives from its subsidiaries could also impact its liquidity. As a holding company, Citigroup Inc. relies on interest, dividends, distributions and other payments from its subsidiaries to fund dividends as well as to satisfy its debt and other obligations. Several of Citi's U.S. and non-U.S. subsidiaries are or may be subject to capital adequacy or other liquidity, regulatory or contractual restrictions on their ability to provide such payments, including any local regulatory stress test requirements and inter-affiliate arrangements entered into in connection with Citigroup Inc.'s resolution plan. Citigroup Inc.'s broker-dealer and bank subsidiaries are subject to restrictions on their ability to lend or transact with affiliates, as well as restrictions on their ability to use funds deposited with them in brokerage or bank accounts to fund their businesses. A bank holding company is also required by law to act as a source of financial and managerial strength for its subsidiary banks. As a result, the FRB may require Citigroup Inc. to commit resources to its subsidiary banks even if doing so is not otherwise in the interests of Citigroup Inc. or its shareholders or creditors, reducing the amount of funds available to meet its obligations. A Ratings Downgrade Could Adversely Impact Citi's Funding and Liquidity.The credit rating agencies, such as Fitch Ratings, Moody's Ratings and S&P Global Ratings, continuously evaluate Citi and certain of its subsidiaries. Their ratings of Citi and its rated subsidiaries' long-term debt and short-term obligations are based on firm-specific factors, including the financial strength of Citi and such subsidiaries, as well as factors that are not entirely within the control of Citi and its subsidiaries, such as the agencies' proprietary rating methodologies and assumptions, potential impact from negative actions on U.S. sovereign ratings and conditions affecting the financial services industry and markets generally.A ratings downgrade could result from, among other factors, delays or missteps in Citi's transformation efforts, including risk management and internal controls improvements, public statements by Citi's management or regulators, operational risk charges, control failures, substantial failure to meet cost targets, deterioration in Citi's funding structure or liquidity, declines in profitability, significant increases in risk appetite or material reductions in regulatory capitalization levels. Citi and its subsidiaries may not be able to maintain their current respective ratings and outlooks. Ratings downgrades could negatively impact Citi and its rated subsidiaries' ability to access the capital markets and other sources of funds as well as increase credit spreads and the costs of those funds. A ratings downgrade could also have a negative impact on Citi and its rated subsidiaries' ability to obtain funding and liquidity due to reduced funding capacity and the impact from derivative triggers, which could require Citi and its rated subsidiaries to meet cash obligations and collateral requirements or permit counterparties to terminate certain contracts. In addition, a ratings downgrade could have a negative impact on other funding sources such as secured financing and other margined transactions for which there may be no explicit triggers. Furthermore, a credit ratings downgrade could have impacts that may not be currently known to Citi or are not possible to quantify. Some of Citi's counterparties and clients could have ratings limitations on their permissible counterparties, of which Citi may or may not be aware. Certain of Citi's corporate customers and trading counterparties, among other clients, could re-evaluate their business relationships with Citi and limit the trading of certain market instruments, and limit or withdraw deposits placed with Citi in response to ratings downgrades. Changes in customer and counterparty behavior could impact not only Citi's funding and liquidity but also the results of operations of certain Citi businesses. For additional information on the potential impact of a reduction in Citi's or Citibank's credit ratings, see "Managing Global Risk-Liquidity Risk-Potential Impacts of Ratings Downgrades" below.

As part of its multiyear transformation, Citi continues to make significant investments and undertake substantial actions across the Company to improve its risk and controls environment, modernize its data and technology infrastructure and further enhance safety and soundness (see "Executive Summary" and "Citi's Multiyear Transformation" above and the legal and regulatory proceedings risk factor below). Citi has also been pursuing overall simplification initiatives that have included management and operating model changes and actions to enhance focus on clients and reduce expenses. Citi's simplification actions also include completing its remaining divestitures, including the planned IPO of Mexico Consumer/SBMM. These simplification initiatives involve various execution challenges, may take longer than expected and may result in higher than expected expenses, CTA and other losses or other negative financial or strategic impacts, which could be material, and litigation and regulatory scrutiny (for information about potential CTA impacts, see the capital return risk factor above and the incorrect assumptions or estimates and emerging markets risk factors below). Additionally, Citi continues to make business-led investments, as part of the execution of its strategic priorities. For example, Citi has been making investments across the Company, including hiring front office employees in key strategic markets and businesses; enhancing product capabilities and platforms to grow key businesses, improve client digital experiences and add scalability; and implementing new capabilities and partnerships. These business-led investments are designed to reduce expenses and grow revenues as well as result in retention and efficiency improvements. Citi's transformation, as well as its simplification and business investment initiatives, involve significant complexities and uncertainties. In addition, there is inherent risk that these initiatives will not be as productive or effective as Citi expects, or at all. Conversely, failure to adequately invest in and upgrade Citi's technology and processes or properly implement its enterprise-wide simplification could result in Citi's inability to meet regulatory expectations, be sufficiently competitive, serve clients effectively and avoid disruptions to its businesses and operational errors (see the operational processes and systems and legal and regulatory proceedings risk factors below). Citi's ability to achieve its expected returns, including expense savings and revenue growth objectives, and operational improvements from these priorities depends, in part, on factors that it cannot control, including, among others, macroeconomic challenges and uncertainties; customer, client and competitor actions; and ongoing regulatory requirements or changes.Moreover, Citi's transformation, simplification and other priorities may continue to evolve as its business strategies, the market environment and regulatory expectations change, which could make the initiatives more costly and more challenging to implement, and limit their effectiveness. Climate Change Presents Various Financial and Non-Financial Risks to Citi and Its Customers and Clients.Climate change presents both immediate and long-term risks to Citi and its customers and clients, with the risks expected to increase over time. Climate risks can arise from both physical risks (those risks related to the physical effects of climate change) and transition risks (risks related to regulatory, market, technological, stakeholder and legal changes from a transition to a low-carbon economy). Physical and transition risks can manifest themselves differently across Citi's risk categories in the short, medium and long terms. Physical risks from climate change include acute risks, such as wildfires, hurricanes, floods and droughts, as well as consequences of chronic changes in climate, such as rising sea levels, prolonged droughts and systemic changes to geographies and any resulting population migration. For example, physical risks could have adverse financial, operational and other impacts on Citi, both directly on its business and operations, and indirectly as a result of impacts to Citi's clients, customers, vendors and other counterparties. These impacts can include destruction, damage or impairment of owned or leased properties and other assets, destruction or deterioration of the value of collateral, such as real estate, disruptions to business operations and supply chains, and reduced availability or increase in the cost of insurance. Physical risks can also impact Citi's credit risk exposures, for example, in its mortgage and commercial real estate lending businesses.Transition risks may arise from changes in regulations or market preferences toward low-carbon industries or sectors, which in turn could have negative impacts on asset values, results of operations or the reputations of Citi and its customers and clients. For example, Citi's corporate credit exposures include oil and gas, power and other industries that may experience reduced demand for carbon-intensive products due to the transition to a low-carbon economy. Failure to adequately consider transition risk in developing and executing on its business strategy could lead to a loss of market share, lower revenues and higher credit costs. Transition risks also include potential increased operational, compliance and energy costs driven by government policies to promote decarbonization. sufficiently competitive, serve clients effectively and avoid disruptions to its businesses and operational errors (see the operational processes and systems and legal and regulatory proceedings risk factors below). Citi's ability to achieve its expected returns, including expense savings and revenue growth objectives, and operational improvements from these priorities depends, in part, on factors that it cannot control, including, among others, macroeconomic challenges and uncertainties; customer, client and competitor actions; and ongoing regulatory requirements or changes. Moreover, Citi's transformation, simplification and other priorities may continue to evolve as its business strategies, the market environment and regulatory expectations change, which could make the initiatives more costly and more challenging to implement, and limit their effectiveness.

Citi's computer systems, software and networks are subject to ongoing attempted cyberattacks, such as unauthorized access, loss or destruction of data (including confidential client information), account takeovers, disruptions of service, phishing, malware, ransomware, computer viruses or other malicious code and other similar events. These threats can arise from external parties, including cyber criminals, cyber terrorists, hacktivists (individuals or groups using cyberattacks to promote a political or social agenda) and nation-state actors, as well as insiders who knowingly or unknowingly engage in or enable malicious cyber activities. For example, nation-state actors have recently targeted critical U.S. infrastructure with cyberattacks. Citi develops its own software and relies on third-party applications and software, which are susceptible to vulnerability exploitations. Software leveraged in financial services and other industries continues to be impacted by an increasing number of zero-day vulnerabilities, thus increasing inherent cyber risk to Citi. The increasing use of mobile and other digital banking platforms and services, cloud technologies, new and emerging technologies (such as AI) and connectivity solutions to facilitate remote working for Citi's employees all increase Citi's exposure to cybersecurity risks. Citi is also susceptible to cyberattacks given, among other things, its size and scale, high-profile brand, global footprint and prominent role in the financial system, as well as the ongoing wind-down of its businesses in Russia (see the emerging markets risk factor and "Managing Global Risk-Other Risks-Country Risk-Russia" below). Additionally, Citi continues to operate in multiple jurisdictions in the midst of geopolitical unrest or uncertainties, including the Russia–Ukraine war and the conflicts in the Middle East, which could expose Citi to heightened risk of insider threat, cyber threats from nation-state actors, hacktivism or other cyber incidents. Citi continues to experience increased exposure to cyberattacks through third parties, in part because financial institutions are becoming increasingly interconnected with central agents, exchanges and clearing houses. Third parties with which Citi does business, as well as retailers and other third parties with which Citi's customers do business, and any such third parties' downstream service providers, also pose cybersecurity risks, particularly where activities of customers are beyond Citi's security and control systems. For example, Citi outsources certain functions, such as processing customer credit card transactions, uploading content on customer-facing websites and developing software for new products and services. These relationships allow for the storage and processing of customer information by third-party hosting of, or access to, Citi websites. This could lead to compromise or the potential to introduce vulnerable or malicious code, resulting in security breaches or business disruptions impacting Citi customers, employees or operations. While many of Citi's agreements with third parties include indemnification provisions, Citi may not be able to recover sufficiently under these provisions, or at all, to adequately offset any losses and other adverse impacts Citi may incur from third-party cyber incidents. Citi and some of its third-party partners have been subjected to attempted and sometimes successful cyberattacks over the last several years, including (i) denial of service attacks, which attempt to interrupt service to clients and customers; (ii) hacking and malicious software installations intended to gain unauthorized access to information systems or to disrupt those systems and/or impact availability or privacy of confidential data, with objectives including, but not limited to, extortion payments or causing reputational damage; (iii) data breaches due to unauthorized access to customer account or other data; and (iv) malicious software attacks on client systems, in attempts to gain unauthorized access to Citi systems or client data under the guise of normal client transactions. While Citi's monitoring and protection services have historically generally succeeded in detecting, thwarting and/or responding to attacks targeting its systems before they become significant, certain past incidents resulted in limited losses, as well as increases in expenditures to monitor against the threat of similar future cyber incidents. There can be no assurance that such cyber incidents will not occur again, and they could occur more frequently, via novel tactics, including leveraging of tools made possible by emerging technologies, and on a more significant scale. Despite the significant resources Citi allocates to implement, maintain, monitor and regularly upgrade its systems and networks with measures such as intrusion detection and prevention systems and firewalls to safeguard critical business applications, there is no guarantee that these businesses in Russia (see the emerging markets risk factor and "Managing Global Risk-Other Risks-Country Risk-Russia" below). Additionally, Citi continues to operate in multiple jurisdictions in the midst of geopolitical unrest or uncertainties, including the Russia–Ukraine war and the conflicts in the Middle East, which could expose Citi to heightened risk of insider threat, cyber threats from nation-state actors, hacktivism or other cyber incidents. Citi continues to experience increased exposure to cyberattacks through third parties, in part because financial institutions are becoming increasingly interconnected with central agents, exchanges and clearing houses. Third parties with which Citi does business, as well as retailers and other third parties with which Citi's customers do business, and any such third parties' downstream service providers, also pose cybersecurity risks, particularly where activities of customers are beyond Citi's security and control systems. For example, Citi outsources certain functions, such as processing customer credit card transactions, uploading content on customer-facing websites and developing software for new products and services. These relationships allow for the storage and processing of customer information by third-party hosting of, or access to, Citi websites. This could lead to compromise or the potential to introduce vulnerable or malicious code, resulting in security breaches or business disruptions impacting Citi customers, employees or operations. While many of Citi's agreements with third parties include indemnification provisions, Citi may not be able to recover sufficiently under these provisions, or at all, to adequately offset any losses and other adverse impacts Citi may incur from third-party cyber incidents. Citi and some of its third-party partners have been subjected to attempted and sometimes successful cyberattacks over the last several years, including (i) denial of service attacks, which attempt to interrupt service to clients and customers; (ii) hacking and malicious software installations intended to gain unauthorized access to information systems or to disrupt those systems and/or impact availability or privacy of confidential data, with objectives including, but not limited to, extortion payments or causing reputational damage; (iii) data breaches due to unauthorized access to customer account or other data; and (iv) malicious software attacks on client systems, in attempts to gain unauthorized access to Citi systems or client data under the guise of normal client transactions. While Citi's monitoring and protection services have historically generally succeeded in detecting, thwarting and/or responding to attacks targeting its systems before they become significant, certain past incidents resulted in limited losses, as well as increases in expenditures to monitor against the threat of similar future cyber incidents. There can be no assurance that such cyber incidents will not occur again, and they could occur more frequently, via novel tactics, including leveraging of tools made possible by emerging technologies, and on a more significant scale. Despite the significant resources Citi allocates to implement, maintain, monitor and regularly upgrade its systems and networks with measures such as intrusion detection and prevention systems and firewalls to safeguard critical business applications, there is no guarantee that these measures or any other measures can provide sufficient security. Because the techniques used to initiate cyberattacks change frequently or, in some cases, are not recognized until launched or even later, Citi may be unable to implement effective preventive measures or otherwise proactively address these methods. In addition, cyber threats and cyberattack techniques change, develop and evolve rapidly, including from emerging technologies such as AI, cloud computing and quantum computing. Given the frequency and sophistication of cyberattacks, the determination of the severity and potential impact of a cyber incident may not become apparent for a substantial period of time following detection of the incident. Also, while Citi strives to implement measures to reduce the exposure resulting from outsourcing risks, such as performing security control assessments of third-party vendors and limiting third-party access to the least privileged level necessary to perform job functions, these measures cannot prevent all third-party-related cyberattacks or data breaches. In addition, the risk of insider threats may continue to be elevated in the near term due to Citi's recent overall simplification initiatives, including streamlining its global staff functions. Cyber incidents can result in the disclosure of personal, confidential or proprietary customer, client or employee information; damage to Citi's reputation with its clients, other counterparties and the market; customer dissatisfaction; and additional costs to Citi, including expenses such as repairing or replacing systems, replacing customer payment cards, credit monitoring or adding new personnel or protection technologies. Cyber incidents can also result in regulatory penalties, loss of revenues, deposit flight, exposure to litigation and regulatory action and other financial losses, including loss of funds to both Citi and its clients and customers, and disruption to Citi's operational systems (see the operational processes and systems risk factor above). Moreover, the increasing risk of cyber incidents has resulted in increased legislative and regulatory action on cybersecurity, including, among other things, scrutiny of firms' cybersecurity protection processes and services, laws and regulations to enhance protection of consumers' personal data and mandated disclosure on cybersecurity matters.While Citi maintains insurance coverage that may, subject to policy terms and conditions including significant self-insured deductibles, cover certain aspects of cyber risks, such insurance coverage may be insufficient to cover all losses and may not take into account reputational harm, the costs of which are impossible to quantify. For additional information about Citi's management of cybersecurity risk, see "Managing Global Risk-Operational Risk-Cybersecurity Risk" below. Changes or Errors in Accounting Assumptions, Judgments or Estimates, or the Application of Certain Accounting Principles, Could Result in Significant Losses or Other Adverse Impacts.U.S. GAAP requires Citi to use certain assumptions, judgments and estimates in preparing its financial statements, including, among other items, the estimate of the ACL; reserves related to litigation, regulatory and tax matters; valuation of DTAs; the fair values of certain assets and liabilities; and the assessment of goodwill and other assets for measures or any other measures can provide sufficient security. Because the techniques used to initiate cyberattacks change frequently or, in some cases, are not recognized until launched or even later, Citi may be unable to implement effective preventive measures or otherwise proactively address these methods. In addition, cyber threats and cyberattack techniques change, develop and evolve rapidly, including from emerging technologies such as AI, cloud computing and quantum computing. Given the frequency and sophistication of cyberattacks, the determination of the severity and potential impact of a cyber incident may not become apparent for a substantial period of time following detection of the incident. Also, while Citi strives to implement measures to reduce the exposure resulting from outsourcing risks, such as performing security control assessments of third-party vendors and limiting third-party access to the least privileged level necessary to perform job functions, these measures cannot prevent all third-party-related cyberattacks or data breaches. In addition, the risk of insider threats may continue to be elevated in the near term due to Citi's recent overall simplification initiatives, including streamlining its global staff functions. Cyber incidents can result in the disclosure of personal, confidential or proprietary customer, client or employee information; damage to Citi's reputation with its clients, other counterparties and the market; customer dissatisfaction; and additional costs to Citi, including expenses such as repairing or replacing systems, replacing customer payment cards, credit monitoring or adding new personnel or protection technologies. Cyber incidents can also result in regulatory penalties, loss of revenues, deposit flight, exposure to litigation and regulatory action and other financial losses, including loss of funds to both Citi and its clients and customers, and disruption to Citi's operational systems (see the operational processes and systems risk factor above). Moreover, the increasing risk of cyber incidents has resulted in increased legislative and regulatory action on cybersecurity, including, among other things, scrutiny of firms' cybersecurity protection processes and services, laws and regulations to enhance protection of consumers' personal data and mandated disclosure on cybersecurity matters. While Citi maintains insurance coverage that may, subject to policy terms and conditions including significant self-insured deductibles, cover certain aspects of cyber risks, such insurance coverage may be insufficient to cover all losses and may not take into account reputational harm, the costs of which are impossible to quantify. For additional information about Citi's management of cybersecurity risk, see "Managing Global Risk-Operational Risk-Cybersecurity Risk" below.

Citi operates in an increasingly evolving and competitive business environment, which includes both financial and non-financial services firms, such as traditional banks, online banks, private credit and financial technology companies and others. These companies compete on the basis of, among other factors, size, reach, quality and type of products and services offered, price, technology and reputation. Certain competitors may be subject to different and, in some cases, less stringent legal, regulatory and supervisory requirements, whether due to size, jurisdiction, entity type or other factors, placing Citi at a competitive disadvantage. Moreover, new or rapidly developing technologies with the potential to have significant economic or social effects (emerging technologies) also pose competitive challenges for Citi. For example, Citi competes with other financial services companies in the U.S. and globally that have grown rapidly over the last several years or have introduced new products and services. Potential mergers and acquisitions involving traditional financial services companies, such as regional banks or credit card issuers, as well as networks and merchant acquirers, may also increase competition and impact Citi's ability to offer competitive pricing and rewards. Non-traditional financial services firms, such as private credit, financial technology and digital asset companies, are less regulated and supervised and continue to expand their offerings of services traditionally provided by financial institutions. In addition, emerging technologies have the potential to intensify competition and accelerate disruption in the financial services industry. Clients and investors have shown increased interest in these technologies, prompting financial services firms and other market participants to develop related products and services. As blockchain and digital assets continue to evolve, customer demand for enhanced offerings may increase. Failure to strategically embrace the potential of emerging technologies may result in a competitive disadvantage to Citi. The new U.S. administration has stated its support for the growth and use of digital assets and blockchain technology, including a more favorable regulatory approach to crypto assets. Citi may not be able to provide the same or similar products and services for legal or regulatory reasons, which may be exacerbated by rapidly evolving and conflicting regulatory requirements, as well as increased compliance and other risks. Further, the introduction of mobile platforms and emerging technologies, such as artificial intelligence (AI) and digital assets, and changes in the payments space (e.g., instant and 24/7 payments) are accelerating, and, as a result, certain of Citi's products and services could become less competitive. Increased competition and emerging technologies have required and could require Citi to change or adapt its products and services, as well as invest in and develop related infrastructure, to attract and retain customers or clients or to compete more effectively with competitors, including new market entrants. Simultaneously, as Citi develops new products and services leveraging emerging technologies, new risks may emerge that, if not designed and governed adequately, may result in control gaps and in Citi operating outside of its risk appetite. For example, the use or development of emerging technologies, such as AI or digital assets, without sufficient controls, governance and risk management may result in increased risks across various risk categories (for additional information, see the operational processes and systems risk factor below).As another example, instant and 24/7 payments products could be accompanied by challenges to forecasting and managing liquidity, as well as increased operational and compliance risks. Additionally, the growth of certain competitors has increased market and counterparty credit risks, with such risks particularly heightened in the case of a challenging macroeconomic environment (see the risk factor on credit and concentrations of risk below).Moreover, Citi relies on third parties to support certain of its product and service offerings, which may put Citi at a disadvantage to competitors who may directly offer a broader array of products and services. Also, Citi's businesses, results of operations and reputation may suffer if any third party is unable to provide adequate support for such product and service offerings, whether due to operational incidents or otherwise (see the operational processes and systems, cybersecurity and emerging markets risk factors below).To the extent that Citi is not able to compete effectively with other financial services companies, including private credit and financial technology companies, and non-financial services firms, or adequately assess the competitive landscape, Citi could be placed at a competitive disadvantage, which could result in loss of customers and market share, and its businesses, results of operations and financial condition could suffer. For additional information on Citi's competitors, see the co-brand and private label cards and qualified employees risk factors above and "Supervision, Regulation and Other-Competition" below. blockchain technology, including a more favorable regulatory approach to crypto assets. Citi may not be able to provide the same or similar products and services for legal or regulatory reasons, which may be exacerbated by rapidly evolving and conflicting regulatory requirements, as well as increased compliance and other risks. Further, the introduction of mobile platforms and emerging technologies, such as artificial intelligence (AI) and digital assets, and changes in the payments space (e.g., instant and 24/7 payments) are accelerating, and, as a result, certain of Citi's products and services could become less competitive. Increased competition and emerging technologies have required and could require Citi to change or adapt its products and services, as well as invest in and develop related infrastructure, to attract and retain customers or clients or to compete more effectively with competitors, including new market entrants. Simultaneously, as Citi develops new products and services leveraging emerging technologies, new risks may emerge that, if not designed and governed adequately, may result in control gaps and in Citi operating outside of its risk appetite. For example, the use or development of emerging technologies, such as AI or digital assets, without sufficient controls, governance and risk management may result in increased risks across various risk categories (for additional information, see the operational processes and systems risk factor below). As another example, instant and 24/7 payments products could be accompanied by challenges to forecasting and managing liquidity, as well as increased operational and compliance risks. Additionally, the growth of certain competitors has increased market and counterparty credit risks, with such risks particularly heightened in the case of a challenging macroeconomic environment (see the risk factor on credit and concentrations of risk below). Moreover, Citi relies on third parties to support certain of its product and service offerings, which may put Citi at a disadvantage to competitors who may directly offer a broader array of products and services. Also, Citi's businesses, results of operations and reputation may suffer if any third party is unable to provide adequate support for such product and service offerings, whether due to operational incidents or otherwise (see the operational processes and systems, cybersecurity and emerging markets risk factors below). To the extent that Citi is not able to compete effectively with other financial services companies, including private credit and financial technology companies, and non-financial services firms, or adequately assess the competitive landscape, Citi could be placed at a competitive disadvantage, which could result in loss of customers and market share, and its businesses, results of operations and financial condition could suffer. For additional information on Citi's competitors, see the co-brand and private label cards and qualified employees risk factors above and "Supervision, Regulation and Other-Competition" below. OPERATIONAL RISKSA Failure or Disruption of Citi's Operational Processes or Systems Could Negatively Impact Its Reputation, Customers, Clients, Businesses or Results of Operations and Financial Condition.Citi's global operations rely heavily on its technology systems and infrastructure, including the accurate, complete, timely and secure processing, management, storage and transmission of data, including confidential transactions, and other information, as well as the monitoring of a substantial amount of data and complex transactions in real time. Citi obtains and stores an extensive amount of personal and client-specific information for its consumer and institutional customers and clients, and must accurately record and reflect their account transactions. Citi's operations must also comply with complex and evolving laws, regulations and heightened regulatory expectations in the jurisdictions in which it operates (see the implementation and interpretation of regulatory changes and legal proceedings risk factors below). With the proliferation of emerging technologies, including AI, and the use of the internet, mobile devices and cloud services to conduct financial transactions, and customers' and clients' increasing use of online banking and trading systems and other platforms, large global financial institutions such as Citi have been, and will continue to be, subject to an ever-increasing risk of operational loss, failure or disruption.Citi has been working with AI and machine learning for a period of time and has more recently begun using Generative AI, a type of artificial intelligence that uses generative models to create text and other content. Generative AI tools are available to employees within parts of the Company, and in the future Citi may more broadly use, develop and incorporate Generative AI within its technology platform and services, systems and its businesses and functions. While Citi has policies which govern the use of emerging technologies, ineffective, inadequate or faulty Generative AI development or deployment practices by Citi or third parties could result in unintended consequences, such as AI algorithms that produce inaccurate or incomplete output or output based on biased, incomplete and/or inaccurate datasets, or cause other issues, concerns or deficiencies. Moreover, the use of increasingly sophisticated AI technologies by malicious actors and others has increased the risk of fraud, including identity theft and bypassing of verification controls, and failure to effectively manage such risks could result in misappropriation of funds, unauthorized transactions, exposure of sensitive client or Company information, reputational harm and increased litigation and regulatory risk. In addition, compliance with new or changing laws, regulations or industry standards relating to AI may impose additional operational risks and costs.Although Citi has continued to upgrade its technology, including systems to automate processes and gain efficiencies, operational incidents are unpredictable and can arise from numerous sources, not all of which are fully within Citi's control. These include, among others, operational or execution failures or deficiencies by third parties and third parties that provide products or services to Citi (e.g., cloud service

Citi has co-branding and private label relationships with various retailers and merchants through its Branded Cards and Retail Services credit card businesses in USPB, whereby in the ordinary course of business Citi issues credit cards to consumers, including customers of the retailers or merchants. The five largest relationships across both businesses in USPB constituted an aggregate of approximately 12% of Citi's revenues in 2024 (see "U.S. Personal Banking" above). Citi's co-branding and private label agreements often provide for shared economics between the parties and generally have a fixed term. Competition among credit card issuers, including Citi, for these relationships is significant, and Citi may not be able to maintain such relationships on existing terms or at all. Citi's co-branding and private label relationships could also be negatively impacted by, among other things, the general economic environment, including the impacts stemming from potential increases in unemployment, inflation or interest rates or lower economic growth rates, as well as a risk of recession; changes in consumer sentiment, spending patterns and credit card usage behaviors; a decline in sales and revenues, partner store closures, any reduction in air and business travel, or other operational difficulties of the retailer or merchant; changes in partner business strategies, including changes in products and services offered; termination or non-renewal of partner agreements, including early termination due to a contractual breach or exercise of other early termination right; or other factors, including bankruptcies, liquidations, restructurings, consolidations or other similar events, whether due to a challenging macroeconomic environment or otherwise. These events, particularly early termination and bankruptcies or liquidations, could negatively impact the results of operations or financial condition of Branded Cards, Retail Services or Citi as a whole, including as a result of loss of revenues, increased expenses, higher cost of credit, impairment of purchased credit card relationships and contract-related intangibles or other losses (see Note 17 for information on Citi's credit card related intangibles generally). The Application of U.S. Resolution Plan Requirements May Pose a Greater Risk of Loss to Citi's Debt and Equity Securities Holders, and Citi's Inability in Its Resolution Plan Submissions to Address Any Shortcomings or Deficiencies or Guidance Could Subject Citi to More Stringent Capital, Leverage or Liquidity Requirements, or Restrictions on Its Growth, Activities or Operations, and Could Eventually Require Citi to Divest Assets or Operations.Title I of the Dodd-Frank Act requires Citi to prepare and submit a plan to the FRB and the FDIC for the orderly resolution of Citigroup (the bank holding company) and its significant legal entities under the U.S. Bankruptcy Code in the event of future material financial distress or failure. Under Citi's preferred "single point of entry" resolution plan strategy, only Citigroup, the parent holding company, would enter into bankruptcy, while Citigroup's material legal entities (as defined in the public section of its 2023 resolution plan, which can be found on the FRB's and FDIC's websites) would remain operational outside of any resolution or insolvency proceedings. As a result, Citigroup's losses and any losses incurred by its material legal entity subsidiaries would be imposed first on holders of Citigroup's equity securities and thereafter on its unsecured creditors, including holders of eligible long-term debt and other debt securities. In addition, a wholly owned, direct subsidiary of Citigroup serves as a resolution funding vehicle (the intermediate holding company, or IHC) to which Citigroup has transferred, and has agreed to transfer on an ongoing basis, certain assets. The obligations of Citigroup and of the IHC, respectively, under the amended and restated secured support agreement, are secured on a senior basis by the assets of Citigroup (other than shares in subsidiaries of the parent company and certain other assets), and the assets of the IHC, as applicable. As a result, claims of the operating material legal entities against the assets of Citigroup with respect to such secured assets are effectively senior to unsecured obligations of Citigroup. Citi's single point of entry resolution plan strategy and the obligations under the amended and restated secured support agreement may result in the recapitalization of and/or provision of liquidity to Citi's operating material legal entities, and the commencement of bankruptcy proceedings by Citigroup at an earlier stage of financial stress than might otherwise occur without such mechanisms in place.In line with the FRB's total loss-absorbing capacity (TLAC) rule, Citigroup's shareholders and unsecured creditors-including its unsecured long-term debt holders-would bear any losses resulting from Citigroup's bankruptcy. Accordingly, any value realized by holders of its unsecured long-term debt may not be sufficient to repay the amounts owed to such debt holders in the event of a bankruptcy or other resolution proceeding of Citigroup. For additional information on Citi's single point of entry resolution plan strategy and the IHC and secured support agreement, see "Managing Global Risk-Liquidity Risk" below.On November 22, 2022, the FRB and FDIC issued feedback on the resolution plans filed on July 1, 2021 by the eight U.S. GSIBs, including Citigroup. The FRB and FDIC jointly identified one shortcoming in Citigroup's 2021 resolution plan. The shortcoming related to data integrity and

Citi's performance and the performance of its individual businesses largely depend on the talents and efforts of its diverse and highly qualified employees. Specifically, Citi's continued ability to compete in each of its lines of business, to manage its businesses effectively and to execute its transformation, simplification and other priorities, including, for example, hiring employees to grow businesses or hiring employees to support Citi's priorities, depends on its ability to hire new employees and to retain and motivate its existing employees. If Citi is unable to continue to hire, retain and motivate highly qualified employees, Citi's performance, including its competitive position, the execution of its transformation, simplification and other priorities and its results of operations could be negatively impacted. Citi's ability to attract, retain and motivate employees depends on numerous factors, some of which are outside of Citi's control. For example, the competition for talent continues to be particularly intense due to various factors, such as changes in worker expectations, concerns and preferences, including demands for remote work options and other job flexibility. Also, the banking industry generally is subject to more comprehensive regulation of employee compensation than other industries, including deferral and clawback requirements for incentive compensation, which can make it unusually challenging for Citi to compete in labor markets against businesses, including, for example, technology companies, that are not subject to such regulation. In addition, Citi recently completed a significant organizational simplification initiative, which included reducing management layers and significant reductions in functional roles that could continue to impact its ability to attract and retain employees. Other factors that could impact Citi's ability to attract, retain and motivate employees include, among other things, Citi's presence in a particular market or region, the professional and development opportunities it offers, its reputation and its diversity. For information on Citi's employee and workforce management, see "Human Capital Resources and Management" below.Citi Faces Increased Competitive Challenges, Including from Financial Services and Other Companies and Emerging Technologies.Citi operates in an increasingly evolving and competitive business environment, which includes both financial and non-financial services firms, such as traditional banks, online banks, private credit and financial technology companies and others. These companies compete on the basis of, among other factors, size, reach, quality and type of products and services offered, price, technology and reputation. Certain competitors may be subject to different and, in some cases, less stringent legal, regulatory and supervisory requirements, whether due to size, jurisdiction, entity type or other factors, placing Citi at a competitive disadvantage. Moreover, new or rapidly developing technologies with the potential to have significant economic or social effects (emerging technologies) also pose competitive challenges for Citi.For example, Citi competes with other financial services companies in the U.S. and globally that have grown rapidly over the last several years or have introduced new products and services. Potential mergers and acquisitions involving traditional financial services companies, such as regional banks or credit card issuers, as well as networks and merchant acquirers, may also increase competition and impact Citi's ability to offer competitive pricing and rewards. Non-traditional financial services firms, such as private credit, financial technology and digital asset companies, are less regulated and supervised and continue to expand their offerings of services traditionally provided by financial institutions. In addition, emerging technologies have the potential to intensify competition and accelerate disruption in the financial services industry. Clients and investors have shown increased interest in these technologies, prompting financial services firms and other market participants to develop related products and services. As blockchain and digital assets continue to evolve, customer demand for enhanced offerings may increase. Failure to strategically embrace the potential of emerging technologies may result in a competitive disadvantage to Citi. The new U.S. administration has stated its support for the growth and use of digital assets and flexibility. Also, the banking industry generally is subject to more comprehensive regulation of employee compensation than other industries, including deferral and clawback requirements for incentive compensation, which can make it unusually challenging for Citi to compete in labor markets against businesses, including, for example, technology companies, that are not subject to such regulation. In addition, Citi recently completed a significant organizational simplification initiative, which included reducing management layers and significant reductions in functional roles that could continue to impact its ability to attract and retain employees. Other factors that could impact Citi's ability to attract, retain and motivate employees include, among other things, Citi's presence in a particular market or region, the professional and development opportunities it offers, its reputation and its diversity. For information on Citi's employee and workforce management, see "Human Capital Resources and Management" below.