Citigroup (C) Risk Factors

Dividends, Changes to Directors and/or Officers and Collateral Consequences Arising from Such Outcomes.At any given time, Citi is a party to a significant number of legal and regulatory proceedings and is subject to numerous governmental and regulatory examinations. Additionally, Citi remains subject to governmental and regulatory investigations, consent orders (see discussion below) and related compliance efforts, and other inquiries. Citi could also be subject to enforcement proceedings and negative regulatory evaluationor examination findings not only because of violations of laws and regulations, but also due to failures, as determined by its regulators, to have adequate policies and procedures, or to remedy deficiencies on a timely basis (see also the capital return and resolution plan risk factors above). Citi's regulators have broad powers and discretion under their prudential and supervisory authority, and have pursued active inspection and investigatory oversight.As previously disclosed, the October 2020 FRB and OCC consent orders require Citigroup and Citibank to implement extensive targeted action plans and submit quarterly progress reports on a timely and sufficient basis detailing the results and status of improvements relating principally to various aspects of enterprise-wide risk management, compliance, data quality management and governance, and internal controls. These improvements will result in continued significant investments by Citi during 2024 and beyond, as an essential part of Citi's broader transformation efforts to enhance its risk, controls, data and finance infrastructure and compliance. There can be no assurance that such improvements will be implemented in a manner satisfactory, in both timing and sufficiency, to the FRB and OCC. Although there are no restrictions on Citi's ability to serve its clients, the OCC consent order requires Citibank to obtain prior approval of any significant new acquisition, including any portfolio or business acquisition, excluding ordinary course transactions. Moreover, the OCC consent order provides that the OCC has the right to assess future civil money penalties or take other supervisory and/or enforcement actions. Such actions by the OCC could include imposing business restrictions, including possible limitations on the declaration or payment of dividends and changes in directors and/or senior executive officers. More generally, the OCC and/or the FRB could take additional enforcement or other actions if the regulatory agency believes that Citi has not met regulatory expectations regarding compliance with the consent orders. For additional information regarding the consent orders, see "Citi's Consent Order Compliance" above.The global judicial, regulatory and political environment has generally been challenging for large financial institutions, which have been subject to increased regulatory scrutiny. The complexity of the federal and state regulatory and enforcement regimes in the U.S., coupled with the global scope of Citi's operations, also means that a single event or issue may give rise to a large number of overlapping investigations and regulatory proceedings, either by multiple federal and state agencies and authorities in the U.S. or by multiple regulators and other governmental entities in foreign jurisdictions, as well as multiple civil litigation claims in multiple jurisdictions. Violations of law by other financial institutions may also result in regulatory scrutiny of Citi. Responding to regulatory

Citi has experienced, and could experience in the future, negative impacts to its businesses, results of operations and financial condition as a result of various macroeconomic, geopolitical and other challenges, uncertainties and volatility. These include, among other things, government fiscal and monetary actions or expected actions, including continued high interest rates, reductions in central bank balance sheets, or other restrictive interest rate or other monetary policies; potential recessions in the U.S., Europe and other regions or countries; and elevated levels of inflation. For example, in 2023, the U.S., the U.K., the EU and other economies continued to experience elevated levels of inflation. As a result, the Federal Reserve Board (FRB) and other central banks substantially raised interest rates, reduced the size of their balance sheets and took other actions in an aggressive effort to curb inflation. These actions may continue to adversely impact certain sectors sensitive to interest rates and consumer discretionary spending. They may also slow economic growth, increase the risk of recession and increase the unemployment rate in the U.S. and other countries, all of which would likely adversely affect Citi's consumer and institutional clients, businesses and results of operations. In addition, inflation may continue to result in higher labor and other costs, thus putting further pressure on Citi's expenses. More recently, the FRB has signaled that it expects to reduce the benchmark U.S. interest rate in 2024. If the FRB were to reduce interest rates prematurely, inflation could resurge. Interest rates on loans Citi makes are typically based off or set at a spread over a benchmark interest rate and would likely decline or rise as benchmark rates decline or rise, respectively. For example, while a decline in interest rates would generally be expected to result in lower overall net interest income, it could improve Citi's funding costs. Although higher interest rates would generally be expected to increase overall net interest income, higher rates could adversely affect funding costs, levels of deposits in its consumer and institutional businesses and certain business or product revenues. In addition, Citi's net interest income could be adversely affected due to a flattening (a lower spread between shorter-term versus longer-term interest rates) or longer lasting or more severe inversion (shorter-term interest rates exceeding longer-term interest rates) of the interest rate yield curve, as Citi typically pays interest on deposits based on shorter-term interest rates and earns money on loans based on longer-term interest rates. For additional information on Citi's interest rate risk, see "Managing Global Risk-Market Risk-Banking Book Interest Rate Risk" below. Additionally, Citi's balance sheet includes interest-rate sensitive fixed-rate assets such as U.S. Treasuries, U.S. agency securities and residential mortgages, among others, whose valuation would be adversely impacted in a higher-rate environment and/or whose hedging costs may increase. Additional areas of uncertainty include, among others, geopolitical challenges, tensions and conflicts, including those related to Russia's war in Ukraine (see discussion below), as well as a persistent and/or escalating conflict in the Middle East, particularly if the conflict were to widen to involve additional combatants, countries or regions; economic and other geopolitical challenges related to China, including weak economic growth, related policy actions, challenges in the Chinese real estate sector, banking and credit markets, and tensions or conflicts between China and Taiwan and/or China and the U.S.; significant disruptions and volatility in financial markets, including foreign currency volatility and devaluations and continued strength in the U.S. dollar; protracted or widespread trade tensions; natural disasters; new pandemics, including new COVID-19 variants; and political polarization, election outcomes and the effects of divided government, such as with respect to any extended government shutdown in the U.S. For example, Citi's market-making businesses can suffer losses resulting from the widening of credit spreads due to unanticipated changes in financial markets. Moreover, adverse developments or downturns in one or more of the world's larger economies would likely have a significant impact on the global economy or the economies of other countries because of global financial and economic linkages.Russia's war in Ukraine has caused supply shocks in energy, food and other commodities markets, worsened inflation, increased cybersecurity risks, increased the risk of recession in Europe and heightened geopolitical tensions. Actions by Russia, and any further measures taken by the U.S. or its allies, could continue to have negative impacts on regional and global energy and other commodities and financial markets and macroeconomic conditions, adversely impacting jurisdictions where Citi operates and has customers, clients or employees. Citi's remaining operations in Russia subject Citi to various other risks, among which are foreign currency volatility, including appreciations or devaluations; restrictions arising from retaliatory Russian laws and regulations on the conduct of its remaining businesses, including, without limitation, its provision to its customers of certain securities services; sanctions or asset freezes; and other deconsolidation events. In the event of a loss of control of AO Citibank, Citi would be required to write off its net investment increase overall net interest income, higher rates could adversely affect funding costs, levels of deposits in its consumer and institutional businesses and certain business or product revenues. In addition, Citi's net interest income could be adversely affected due to a flattening (a lower spread between shorter-term versus longer-term interest rates) or longer lasting or more severe inversion (shorter-term interest rates exceeding longer-term interest rates) of the interest rate yield curve, as Citi typically pays interest on deposits based on shorter-term interest rates and earns money on loans based on longer-term interest rates. For additional information on Citi's interest rate risk, see "Managing Global Risk-Market Risk-Banking Book Interest Rate Risk" below. Additionally, Citi's balance sheet includes interest-rate sensitive fixed-rate assets such as U.S. Treasuries, U.S. agency securities and residential mortgages, among others, whose valuation would be adversely impacted in a higher-rate environment and/or whose hedging costs may increase. Additional areas of uncertainty include, among others, geopolitical challenges, tensions and conflicts, including those related to Russia's war in Ukraine (see discussion below), as well as a persistent and/or escalating conflict in the Middle East, particularly if the conflict were to widen to involve additional combatants, countries or regions; economic and other geopolitical challenges related to China, including weak economic growth, related policy actions, challenges in the Chinese real estate sector, banking and credit markets, and tensions or conflicts between China and Taiwan and/or China and the U.S.; significant disruptions and volatility in financial markets, including foreign currency volatility and devaluations and continued strength in the U.S. dollar; protracted or widespread trade tensions; natural disasters; new pandemics, including new COVID-19 variants; and political polarization, election outcomes and the effects of divided government, such as with respect to any extended government shutdown in the U.S. For example, Citi's market-making businesses can suffer losses resulting from the widening of credit spreads due to unanticipated changes in financial markets. Moreover, adverse developments or downturns in one or more of the world's larger economies would likely have a significant impact on the global economy or the economies of other countries because of global financial and economic linkages. Russia's war in Ukraine has caused supply shocks in energy, food and other commodities markets, worsened inflation, increased cybersecurity risks, increased the risk of recession in Europe and heightened geopolitical tensions. Actions by Russia, and any further measures taken by the U.S. or its allies, could continue to have negative impacts on regional and global energy and other commodities and financial markets and macroeconomic conditions, adversely impacting jurisdictions where Citi operates and has customers, clients or employees. Citi's remaining operations in Russia subject Citi to various other risks, among which are foreign currency volatility, including appreciations or devaluations; restrictions arising from retaliatory Russian laws and regulations on the conduct of its remaining businesses, including, without limitation, its provision to its customers of certain securities services; sanctions or asset freezes; and other deconsolidation events. In the event of a loss of control of AO Citibank, Citi would be required to write off its net investment in the entity, recognize a CTA loss through earnings and recognize a loss on intercompany liabilities owed by AO Citibank to other Citi entities outside of Russia. In the sole event of a substantial liquidation, as opposed to a loss of control, Citi would be required to recognize the CTA loss through earnings and would evaluate its remaining net investment as circumstances evolve. For additional information about these risks, see the operational processes and systems, cybersecurity and emerging markets risk factors and "Managing Global Risk-Other Risks-Country Risk-Russia" below.STRATEGIC RISKSCiti's Ability to Return Capital to Common Shareholders Substantially Depends on Regulatory Capital Requirements, Including the Results of the CCAR Process and Dodd-Frank Act Regulatory Stress Tests, and Other Factors.Citi's ability to return capital to its common shareholders consistent with its capital planning efforts and targets, whether through its common stock dividend or through a share repurchase program, substantially depends, among other things, on its regulatory capital requirements, including the annual recalibration of the Stress Capital Buffer (SCB), which is based upon the results of the CCAR process required by the FRB, and recalibration of the GSIB surcharge,as well as thesupervisory expectations and assessments regarding individualinstitutions.The FRB's annual stress testing requirements are integrated into ongoing regulatory capital requirements. Citi's SCB equals the maximum projected decline in its CET1 Capital ratio under the supervisory severely adverse scenario over a nine-quarter CCAR measurement period, plus four quarters of planned common stock dividends as a percentage of Citi's risk-weighted assets, subject to a minimum requirement of 2.5%. The SCB is calculated by the FRB using its proprietary data and modeling of each firm's results. Accordingly, Citi's SCB may change annually, based on the supervisory stress test results, thus potentially resulting in variability in the calculation of Citi's required regulatory CET1 Capital ratio under the Standardized Approach. On October 1, 2023, Citi's required regulatory CET1 Capital ratio increased to 12.3% from 12% under the Standardized Approach, reflecting the increase in the SCB requirement to 4.3% from 4.0%. In addition, a breach of the SCB and other regulatory capital buffers may result in gradual limitations on capital distributions and discretionary bonus payments to executive officers. For additional information on the SCB, see "Capital Resources-Regulatory Capital Buffers" above.Moreover, changes in regulatory capital rules, requirements or interpretations could materially increase Citi's required regulatory capital. For example, the U.S. banking regulators have proposed a number of changes to the U.S. regulatory capital framework, including, but not limited to, significant revisions to the U.S. Basel III rules, known as the Basel III Endgame (capital proposal); changes to the method for calculating the GSIB surcharge; and changes to aspects of the total loss-absorbing capacity (TLAC) requirements. The capital proposal would replace the Advanced Approaches with a new Expanded Risk-based Approach for calculating risk-in the entity, recognize a CTA loss through earnings and recognize a loss on intercompany liabilities owed by AO Citibank to other Citi entities outside of Russia. In the sole event of a substantial liquidation, as opposed to a loss of control, Citi would be required to recognize the CTA loss through earnings and would evaluate its remaining net investment as circumstances evolve. For additional information about these risks, see the operational processes and systems, cybersecurity and emerging markets risk factors and "Managing Global Risk-Other Risks-Country Risk-Russia" below.

During 2023, emerging markets revenues accounted for approximately 40% of Citi's total revenues (Citi generally defines emerging markets as countries in Latin America, Asia (other than Japan, Australia and New Zealand), and central and Eastern Europe, the Middle East and Africa). Citi's presence in the emerging markets subjects it to various risks. Emerging market risks include, among others, limitations or unavailability of hedges on foreign investments; foreign currency volatility, including devaluations and strength in the U.S. dollar; sustained elevated interest rates and quantitative tightening; elevated inflation and hyperinflation; foreign exchange controls, including an inability to access indirect foreign exchange mechanisms; macroeconomic, geopolitical and domestic political challenges, uncertainties and volatility, including with respect to Russia (see the macroeconomic and geopolitical risk factor above and "Managing Global Risk-Other Risks-Country Risk-Russia" and "-Ukraine" below); cyberattacks; restrictions arising from retaliatory laws and regulations; sanctions or asset freezes; sovereign debt volatility; fluctuations in commodity prices; election outcomes; regulatory changes, including potential conflicts among regulations with other jurisdictions where Citi does business; limitations on foreign investment; sociopolitical instability; civil unrest; crime, corruption and fraud; nationalization or loss of licenses; potential criminal charges; closure of branches or subsidiaries; and confiscation of assets; and these risks can be exacerbated in the event of a deterioration in the relationship between the U.S. and an emerging market country. For example, Citi operates in several countries that have, or have had in the past, strict capital controls, currency controls and/or sanctions, such as Argentina and Russia, that limit its ability to convert local currency into U.S. dollars and/or transfer funds outside of those countries. For instance, Citi may need to record additional translation losses due to currency controls in Argentina (see "Managing Global Risk-Other Risks-Country Risk-Argentina" below). Moreover, Citi may need to record additional reserves for expected losses for its credit exposures based on the transfer risk associated with exposures outside the U.S., driven by safety and soundness considerations under U.S. banking law (see "Managing Global Risk-Other Risks-Country Risk-Argentina" and "-Russia" and "Significant Accounting Policies and Significant Estimates" below). In addition, political turmoil and instability; geopolitical challenges, tensions and conflicts (including those related to Russia's war in Ukraine as well as a persistent and/or escalating conflict in the Middle East); terrorism; and other instabilities have occurred in various regions and emerging market countries across the globe, which impact Citi's businesses, results of operations and financial conditions in affected countries and have required, and may continue to require, management time and attention and other resources, such as managing the impact of sanctions and their effect on Citi's operations in certain emerging market countries. For additional information, see the macroeconomic challenges and uncertainties risk factor above. CLIMATE CHANGE AND NET ZEROIntroduction This section summarizes Citi's Operational Footprint goals and Net Zero commitment. Citi's annual ESG Report provides information on a broad set of ESG-related efforts. The upcoming Citi Climate Report, formerly named the Task Force on Climate-Related Financial Disclosures (TCFD) Report, provides information on Citi's continued progress to manage climate risk and its Net Zero plan, including information on financed emissions and 2030 interim emissions reduction targets. For information regarding Citi's management of climate risk, see "Managing Global Risk-Strategic Risk-Climate Risk" below. ESG and Climate-Related GovernanceCiti's Board of Directors (Board) provides oversight of Citi's management activities (see "Managing Global Risk-Risk Governance" below). - The Nomination, Governance and Public Affairs Committee of the Board provides oversight and receives updates on Citi's environmental and social policies and commitments.- The Risk Management Committee of the Board provides oversight of Citi's Risk Management Framework and risk culture and reviews Citi's key risk policies and frameworks, including receiving climate risk-related updates.- The Audit Committee of the Board provides oversight of controls and procedures pertaining to the ESG-related metrics and related disclosures in Citi's SEC filed reports and group-level voluntary ESG reporting, as well as management's evaluation of the effectiveness of Citi's disclosure controls and procedures for group-level ESG reporting.Additionally, Citi's ESG Council consists of senior members of the management team and certain subject matter experts who provide oversight of Citi's ESG goals and activities.Sustainable FinanceCiti's Sustainable Finance Goal, as previously disclosed, supports a combination of environmental and social finance activities. Delivering on the sustainable finance goal is an integrated effort across the organization with products and service offerings across multiple lines of business. additional information, see the macroeconomic challenges and uncertainties risk factor above.

Climate change presents both immediate and long-term risks to Citi and its customers and clients, with the risks expected to increase over time. Climate risks can arise from both physical risks (those risks related to the physical effects of climate change) and transition risks (risks related to regulatory, market, technological, stakeholder and legal changes from a transition to a low-carbon economy). Physical and transition risks can manifest themselves differently across Citi's risk categories in the short, medium and long terms. Physical risks from climate change include acute risks, such as hurricanes, floods and droughts, as well as consequences of chronic changes in climate, such as rising sea levels, prolonged droughts and systemic changes to geographies and any resulting population migration. For example, physical risks could have adverse financial, operational and other impacts on Citi, both directly on its business and operations, and indirectly as a result of impacts to Citi's clients, customers, vendors and other counterparties. These impacts can include destruction, damage or impairment of owned or leased properties and other assets, destruction or deterioration of the value of collateral, such as real estate, disruptions to business operations and supply chains and reduced availability or increase in the cost of insurance. Physical risks can also impact Citi's credit risk exposures, for example, in its mortgage and commercial real estate lending businesses. Transition risks may arise from changes in regulations or market preferences toward low-carbon industries or sectors, which in turn could have negative impacts on asset values, results of operations or the reputations of Citi and its customers and clients. For example, Citi's corporate credit exposures include oil and gas, power and other industries that may experience reduced demand for carbon-intensive products due to the transition to a low-carbon economy. Failure to adequately consider transition risk in developing and executing on its business strategy could lead to a loss of market share, lower revenues and higher credit costs. Transition risks also include potential increased operational, compliance and energy costs driven by government policies to promote decarbonization. Moreover, increasing legislative and regulatory changes and uncertainties regarding climate-related risk management and disclosures are likely to result in increased regulatory, compliance, credit, reputational and other risks and costs for Citi. New regulations have been enacted and/or are expected in several jurisdictions, including the EU's Corporate Sustainability Reporting Directive (CSRD), the SEC climate-related disclosures that could require disclosure of climate-related information and the State of California's legislation enacted in October 2023 requiring broad disclosure of greenhouse gas emissions and other climate-related information largely beginning in 2026. In addition, Citi could face increased regulatory scrutiny and reputation and litigation risks as a result of its climate risk, sustainability and other ESG-related commitments and disclosures. Even as some regulators seek to mandate additional disclosure of climate-related information, Citi's ability to comply with such requirements and conduct more robust climate-related risk analyses may be hampered by lack of information and reliable data. Data on climate-related risks is limited in availability, often based on estimated or unverified figures, collected and reported on a time-lag, and variable in quality. Modeling capabilities to analyze climate-related risks and interconnections are improving, but remain incomplete. U.S. and non-U.S. banking regulators and others are increasingly focusing on the issue of climate risk at financial institutions, both directly and with respect to their clients. For example, in October 2023, the FRB, FDIC and OCC jointly released principles that provide a high-level framework for the safe and sound management of exposures to climate-related financial risks, including physical and transition risks, for financial institutions with more than $100 billion in assets. Additionally, if Citi's response to climate change is perceived to be ineffective or insufficient or Citi is unable to achieve its objectives or commitments relating to climate change, its businesses, reputation, attractiveness to certain investors and efforts to recruit and retain employees may suffer. For example, Citi's approach to supporting client decarbonization in a gradual and orderly way, while promoting energy security, may lead to both continued exposure to carbon-intensive activity and increased reputation risks from stakeholders with divergent points of view. Citi also faces anti-ESG challenges from certain U.S. state and other governments that may impact its ability to conduct certain business within those jurisdictions.For information on Citi's climate and other sustainability initiatives, see "Climate Change and Net Zero" below. For additional information on Citi's management of climate risk, see "Managing Global Risk-Strategic Risk-Climate Risk" below. due to the transition to a low-carbon economy. Failure to adequately consider transition risk in developing and executing on its business strategy could lead to a loss of market share, lower revenues and higher credit costs. Transition risks also include potential increased operational, compliance and energy costs driven by government policies to promote decarbonization. Moreover, increasing legislative and regulatory changes and uncertainties regarding climate-related risk management and disclosures are likely to result in increased regulatory, compliance, credit, reputational and other risks and costs for Citi. New regulations have been enacted and/or are expected in several jurisdictions, including the EU's Corporate Sustainability Reporting Directive (CSRD), the SEC climate-related disclosures that could require disclosure of climate-related information and the State of California's legislation enacted in October 2023 requiring broad disclosure of greenhouse gas emissions and other climate-related information largely beginning in 2026. In addition, Citi could face increased regulatory scrutiny and reputation and litigation risks as a result of its climate risk, sustainability and other ESG-related commitments and disclosures. Even as some regulators seek to mandate additional disclosure of climate-related information, Citi's ability to comply with such requirements and conduct more robust climate-related risk analyses may be hampered by lack of information and reliable data. Data on climate-related risks is limited in availability, often based on estimated or unverified figures, collected and reported on a time-lag, and variable in quality. Modeling capabilities to analyze climate-related risks and interconnections are improving, but remain incomplete. U.S. and non-U.S. banking regulators and others are increasingly focusing on the issue of climate risk at financial institutions, both directly and with respect to their clients. For example, in October 2023, the FRB, FDIC and OCC jointly released principles that provide a high-level framework for the safe and sound management of exposures to climate-related financial risks, including physical and transition risks, for financial institutions with more than $100 billion in assets. Additionally, if Citi's response to climate change is perceived to be ineffective or insufficient or Citi is unable to achieve its objectives or commitments relating to climate change, its businesses, reputation, attractiveness to certain investors and efforts to recruit and retain employees may suffer. For example, Citi's approach to supporting client decarbonization in a gradual and orderly way, while promoting energy security, may lead to both continued exposure to carbon-intensive activity and increased reputation risks from stakeholders with divergent points of view. Citi also faces anti-ESG challenges from certain U.S. state and other governments that may impact its ability to conduct certain business within those jurisdictions. For information on Citi's climate and other sustainability initiatives, see "Climate Change and Net Zero" below. For additional information on Citi's management of climate risk, see "Managing Global Risk-Strategic Risk-Climate Risk" below. Citi's Ability to Utilize Its DTAs, and Thus Reduce the Negative Impact of the DTAs on Citi's Regulatory Capital, Will Be Driven by Its Ability to Generate U.S. Taxable Income.At December 31, 2023, Citi's net DTAs were $29.6 billion, net of a valuation allowance of $3.6 billion, of which $12.8 billion was deducted from Citi's CET1 Capital under the U.S. Basel III rules. Of this deducted amount, $12.1 billion related to net operating losses, foreign tax credit and general business credit carry-forwards, with $2.3 billion related to temporary differences in excess of the 10%/15% regulatory limitations, reduced by $1.6 billion of deferred tax liabilities, primarily associated with goodwill and certain other intangible assets that were separately deducted from capital.Citi's overall ability to realize its DTAs will primarily be dependent upon Citi's ability to generate U.S. taxable income in the relevant reversal periods. Failure to realize any portion of the net DTAs would have a corresponding negative impact on Citi's net income and financial returns.The accounting treatment for realization of DTAs is complex and requires significant judgment and estimates regarding future taxable earnings in the jurisdictions in which the DTAs arise and available tax planning strategies. Forecasts of future taxable earnings will depend upon various factors, including, among others, macroeconomic conditions. In addition, any future increase in U.S. corporate tax rates could result in an increase in Citi's DTAs, which may subject more of Citi's DTAs to exclusion from regulatory capital. Citi has not been and does not expect to be subject to the base erosion anti-abuse tax (BEAT), which, if applicable to Citi in any given year, would have a significantly adverse effect on both Citi's net income and regulatory capital. For additional information on Citi's DTAs, including FTCs, see "Significant Accounting Policies and Significant Estimates-Income Taxes" below and Notes 1 and 10.Citi's Interpretation or Application of the Complex Tax Laws to Which It Is Subject Could Differ from Those of Governmental Authorities, Which Could Result in Litigation or Examinations and the Payment of Additional Taxes, Penalties or Interest.Citi is subject to various income-based tax laws of the U.S. and its states and municipalities, as well as the numerous non-U.S. jurisdictions in which it operates. These tax laws are inherently complex, and Citi must make judgments and interpretations about the application of these laws to its entities, operations and businesses. For example, the Organization for Economic Cooperation and Development (OECD) Pillar 2 initiative contemplates a 15% global minimum tax with respect to earnings in each country. EU member states were required to adopt the OECD Pillar 2 rules in 2023, with an effective date of January 1, 2024 (unless an exception applied), and other non-U.S. countries have similarly adopted or are expected to adopt the rules. Under these rules, Citi will be required to pay a "top-up" tax to the extent that Citi's effective tax rate in any given country is below 15%. Beginning in 2024, countries that adopted the OECD Pillar 2 rules in 2023 can collect the top-up tax only with respect to earnings of entities in their jurisdiction or subsidiaries of such entities. Beginning in 2025, all countries

As a large, global financial institution, adequate liquidity and sources of funding are essential to Citi's businesses. Citi's liquidity, sources of funding and costs of funding can be significantly and negatively impacted by factors it cannot control, such as general disruptions in the financial markets (e.g., the failure of regional banks and other banking stresses in the first half of 2023); changes in fiscal and monetary policies and regulatory requirements; negative investor perceptions of Citi's creditworthiness; deposit outflows or unfavorable changes in deposit mix; unexpected increases in cash or collateral requirements; credit ratings; and the consequent inability to monetize available liquidity resources. In addition, Citi competes with other banks and financial institutions for both institutional and consumer deposits, which represent Citi's most stable and lowest cost source of long-term funding. The competition for deposits has continued to increase, including as a result of quantitative tightening by central banks, the current higher interest rate environment and fixed income alternatives for customer funds. Further, Citi's costs to obtain and access wholesale funding are directly related to changes in interest and currency exchange rates and its credit spreads. Changes in Citi's credit spreads are driven by both external market factors and factors specific to Citi, such as negative views by investors of the financial services industry or Citi's financial prospects, and can be highly volatile. For additional information on Citi's primary sources of funding, see "Managing Global Risk-Liquidity Risk" below. Citi's ability to obtain funding may be impaired and its cost of funding could also increase if other market participants are seeking to access the markets at the same time or to a greater extent than expected, or if market appetite for corporate debt securities declines, as is likely to occur in a liquidity stress event or other market crisis. Citi's ability to sell assets may also be impaired if other market participants are seeking to sell similar assets at the same time or a liquid market does not exist for such assets. Additionally, unexpected changes in client needs due to idiosyncratic events or market conditions could result in greater than expected drawdowns from off-balance sheet committed facilities. A sudden drop in market liquidity could also cause a temporary or protracted dislocation of capital markets activity. In addition, clearing organizations, central banks, clients and financial institutions with which Citi interacts may exercise the right to require additional collateral during challenging market conditions, which could further impair Citi's liquidity. If Citi fails to effectively manage its liquidity, its businesses, results of operations and financial condition could be negatively impacted.Limitations on the payments that Citigroup Inc. receives from its subsidiaries could also impact its liquidity. As a holding company, Citigroup Inc. relies on interest, dividends, distributions and other payments from its subsidiaries to fund dividends as well as to satisfy its debt and other obligations. Several of Citi's U.S. and non-U.S. subsidiaries are or may be subject to capital adequacy or other liquidity, regulatory or contractual restrictions on their ability to provide such payments, including any local regulatory stress test requirements and inter-affiliate arrangements entered into in connection with Citigroup Inc.'s resolution plan. Citigroup Inc.'s broker-dealer and bank subsidiaries are subject to restrictions on their ability to lend or transact with affiliates, as well as restrictions on their ability to use funds deposited with them in brokerage or bank accounts to fund their businesses. A bank holding company is also required by law to act as a source of financial and managerial strength for its subsidiary banks. As a result, the FRB may require Citigroup Inc. to commit resources to its subsidiary banks even if doing so is not otherwise in the interests of Citigroup Inc. or its shareholders or creditors, reducing the amount of funds available to meet its obligations. In addition, Citi competes with other banks and financial institutions for both institutional and consumer deposits, which represent Citi's most stable and lowest cost source of long-term funding. The competition for deposits has continued to increase, including as a result of quantitative tightening by central banks, the current higher interest rate environment and fixed income alternatives for customer funds. Further, Citi's costs to obtain and access wholesale funding are directly related to changes in interest and currency exchange rates and its credit spreads. Changes in Citi's credit spreads are driven by both external market factors and factors specific to Citi, such as negative views by investors of the financial services industry or Citi's financial prospects, and can be highly volatile. For additional information on Citi's primary sources of funding, see "Managing Global Risk-Liquidity Risk" below. Citi's ability to obtain funding may be impaired and its cost of funding could also increase if other market participants are seeking to access the markets at the same time or to a greater extent than expected, or if market appetite for corporate debt securities declines, as is likely to occur in a liquidity stress event or other market crisis. Citi's ability to sell assets may also be impaired if other market participants are seeking to sell similar assets at the same time or a liquid market does not exist for such assets. Additionally, unexpected changes in client needs due to idiosyncratic events or market conditions could result in greater than expected drawdowns from off-balance sheet committed facilities. A sudden drop in market liquidity could also cause a temporary or protracted dislocation of capital markets activity. In addition, clearing organizations, central banks, clients and financial institutions with which Citi interacts may exercise the right to require additional collateral during challenging market conditions, which could further impair Citi's liquidity. If Citi fails to effectively manage its liquidity, its businesses, results of operations and financial condition could be negatively impacted. Limitations on the payments that Citigroup Inc. receives from its subsidiaries could also impact its liquidity. As a holding company, Citigroup Inc. relies on interest, dividends, distributions and other payments from its subsidiaries to fund dividends as well as to satisfy its debt and other obligations. Several of Citi's U.S. and non-U.S. subsidiaries are or may be subject to capital adequacy or other liquidity, regulatory or contractual restrictions on their ability to provide such payments, including any local regulatory stress test requirements and inter-affiliate arrangements entered into in connection with Citigroup Inc.'s resolution plan. Citigroup Inc.'s broker-dealer and bank subsidiaries are subject to restrictions on their ability to lend or transact with affiliates, as well as restrictions on their ability to use funds deposited with them in brokerage or bank accounts to fund their businesses. A bank holding company is also required by law to act as a source of financial and managerial strength for its subsidiary banks. As a result, the FRB may require Citigroup Inc. to commit resources to its subsidiary banks even if doing so is not otherwise in the interests of Citigroup Inc. or its shareholders or creditors, reducing the amount of funds available to meet its obligations. A Ratings Downgrade Could Adversely Impact Citi's Funding and Liquidity.The credit rating agencies, such as Fitch Ratings, Moody's Investors Service and S&P Global Ratings, continuously evaluate Citi and certain of its subsidiaries. Their ratings of Citi and its rated subsidiaries' long-term debt and short-term obligations are based on firm-specific factors, including the financial strength of Citi and such subsidiaries, as well as factors that are not entirely within the control of Citi and its subsidiaries, such as the agencies' proprietary rating methodologies and assumptions, potential impact from negative actions on U.S. sovereign ratings and conditions affecting the financial services industry and markets generally.Citi and its subsidiaries may not be able to maintain their current respective ratings and outlooks. Rating downgrades could negatively impact Citi and its rated subsidiaries' ability to access the capital markets and other sources of funds as well as increase credit spreads and the costs of those funds. A ratings downgrade could also have a negative impact on Citi and its rated subsidiaries' ability to obtain funding and liquidity due to reduced funding capacity and the impact from derivative triggers, which could require Citi and its rated subsidiaries to meet cash obligations and collateral requirements or permit counterparties to terminate certain contracts. In addition, a ratings downgrade could have a negative impact on other funding sources such as secured financing and other margined transactions for which there may be no explicit triggers. Furthermore, a credit ratings downgrade could have impacts that may not be currently known to Citi or are not possible to quantify. Some of Citi's counterparties and clients could have ratings limitations on their permissible counterparties, of which Citi may or may not be aware. Certain of Citi's corporate customers and trading counterparties, among other clients, could re-evaluate their business relationships with Citi and limit the trading of certain market instruments, and limit or withdraw deposits placed with Citi in response to ratings downgrades. Changes in customer and counterparty behavior could impact not only Citi's funding and liquidity but also the results of operations of certain Citi businesses. For additional information on the potential impact of a reduction in Citi's or Citibank's credit ratings, see "Managing Global Risk-Liquidity Risk" below.COMPLIANCE RISKSSignificantly Heightened Regulatory Expectations and Scrutiny in the U.S. and Globally and Ongoing Interpretation and Implementation of Regulatory and Legislative Requirements and Changes Have Increased Citi's Compliance, Regulatory and Other Risks and Costs.Large financial institutions, such as Citi, face significantly heightened regulatory expectations and scrutiny in the U.S. and globally, including with respect to, among other things, governance, infrastructure, data and risk management practices and controls. These regulatory expectations extend to their employees and agents and also include, among other things, those related to customer and client protection, market practices, anti-money laundering, increasingly complex sanctions and disclosure regimes and various regulatory

This section summarizes Citi's Operational Footprint goals and Net Zero commitment. Citi's annual ESG Report provides information on a broad set of ESG-related efforts. The upcoming Citi Climate Report, formerly named the Task Force on Climate-Related Financial Disclosures (TCFD) Report, provides information on Citi's continued progress to manage climate risk and its Net Zero plan, including information on financed emissions and 2030 interim emissions reduction targets. For information regarding Citi's management of climate risk, see "Managing Global Risk-Strategic Risk-Climate Risk" below.

Citi's computer systems, software and networks are subject to ongoing attempted cyberattacks, such as unauthorized access, loss or destruction of data (including confidential client information), account takeovers, disruptions of service, phishing, malware, ransomware, computer viruses or other malicious code and other similar events. These threats can arise from external parties, including cyber criminals, cyber terrorists, hacktivists (individuals or groups using cyberattacks to promote a political or social agenda) and nation-state actors, as well as insiders who knowingly or unknowingly engage in or enable malicious cyber activities. Citi develops its own software and relies on third-party applications and software, which are susceptible to vulnerability exploitations. Software leveraged in financial services and other industries continues to be impacted by an increasing number of zero-day vulnerabilities, thus increasing inherent cyber risk to Citi. The increasing use of mobile and other digital banking platforms and services, cloud technologies and connectivity solutions to facilitate remote working for Citi's employees all increase Citi's exposure to cybersecurity risks. Citi is also susceptible to cyberattacks given, among other things, its size and scale, high-profile brand, global footprint and prominent role in the financial system, as well as the ongoing wind-down of its businesses in Russia (see the macroeconomic and geopolitical risk factor above and "Managing Global Risk-Other Risks-Country Risk-Russia" below). Additionally, Citi continues to operate in multiple jurisdictions in the midst of geopolitical unrest, including active conflicts in Ukraine and the Middle East, which could expose Citi to heightened risk of insider threat, politically motivated hacktivism or other cyber threats. Citi continues to experience increased exposure to cyberattacks through third parties, in part because financial institutions are becoming increasingly interconnected with central agents, exchanges and clearing houses. Third parties with which Citi does business, as well as retailers and other third parties with which Citi's customers do business, and any such third parties' downstream service providers, also pose cybersecurity risks, particularly where activities of customers are beyond Citi's security and control systems. For example, Citi outsources certain functions, such as processing customer credit card transactions, uploading content on customer-facing websites and developing software for new products and services. These relationships allow for the storage and processing of customer information by third-party hosting of, or access to, Citi websites. This could lead to compromise or the potential to introduce vulnerable or malicious code, resulting in security breaches or business disruptions impacting Citi customers, employees or operations. While many of Citi's agreements with third parties include indemnification provisions, Citi may not be able to recover sufficiently, or at all, under these provisions to adequately offset any losses and other adverse impacts Citi may incur from third-party cyber incidents. Citi and some of its third-party partners have been subjected to attempted and sometimes successful cyberattacks over the last several years, including (i) denial of service attacks, which attempt to interrupt service to clients and customers; (ii) hacking and malicious software installations intended to gain unauthorized access to information systems or to disrupt those systems and/or impact availability or privacy of confidential data, with objectives including, but not limited to, extortion payments or causing reputational damage; (iii) data breaches due to unauthorized access to customer account or other data; and (iv) malicious software attacks on client systems, in attempts to gain unauthorized access to Citi systems or client data under the guise of normal client transactions. While Citi's monitoring and protection services have historically generally succeeded in detecting, thwarting and/or responding to attacks targeting its systems before they become significant, certain past incidents resulted in limited losses, as well as increases in expenditures to monitor against the threat of similar future cyber incidents. There can be no assurance that such cyber incidents will not occur again, and they could occur more frequently, via novel tactics, including leveraging of tools made possible by emerging technologies, and on a more significant scale. Despite the significant resources Citi allocates to implement, maintain, monitor and regularly upgrade its systems and networks with measures such as intrusion detection and prevention systems and firewalls to safeguard critical business applications, there is no guarantee that these measures or any other measures can provide sufficient security. Because the techniques used to initiate cyberattacks change frequently or, in some cases, are not recognized until launched or even later, Citi may be unable to implement effective preventive measures or otherwise proactively address these methods. In addition, cyber threats and cyberattack techniques change, develop and evolve rapidly, including from emerging technologies such as artificial intelligence, cloud computing and quantum Citi continues to experience increased exposure to cyberattacks through third parties, in part because financial institutions are becoming increasingly interconnected with central agents, exchanges and clearing houses. Third parties with which Citi does business, as well as retailers and other third parties with which Citi's customers do business, and any such third parties' downstream service providers, also pose cybersecurity risks, particularly where activities of customers are beyond Citi's security and control systems. For example, Citi outsources certain functions, such as processing customer credit card transactions, uploading content on customer-facing websites and developing software for new products and services. These relationships allow for the storage and processing of customer information by third-party hosting of, or access to, Citi websites. This could lead to compromise or the potential to introduce vulnerable or malicious code, resulting in security breaches or business disruptions impacting Citi customers, employees or operations. While many of Citi's agreements with third parties include indemnification provisions, Citi may not be able to recover sufficiently, or at all, under these provisions to adequately offset any losses and other adverse impacts Citi may incur from third-party cyber incidents. Citi and some of its third-party partners have been subjected to attempted and sometimes successful cyberattacks over the last several years, including (i) denial of service attacks, which attempt to interrupt service to clients and customers; (ii) hacking and malicious software installations intended to gain unauthorized access to information systems or to disrupt those systems and/or impact availability or privacy of confidential data, with objectives including, but not limited to, extortion payments or causing reputational damage; (iii) data breaches due to unauthorized access to customer account or other data; and (iv) malicious software attacks on client systems, in attempts to gain unauthorized access to Citi systems or client data under the guise of normal client transactions. While Citi's monitoring and protection services have historically generally succeeded in detecting, thwarting and/or responding to attacks targeting its systems before they become significant, certain past incidents resulted in limited losses, as well as increases in expenditures to monitor against the threat of similar future cyber incidents. There can be no assurance that such cyber incidents will not occur again, and they could occur more frequently, via novel tactics, including leveraging of tools made possible by emerging technologies, and on a more significant scale. Despite the significant resources Citi allocates to implement, maintain, monitor and regularly upgrade its systems and networks with measures such as intrusion detection and prevention systems and firewalls to safeguard critical business applications, there is no guarantee that these measures or any other measures can provide sufficient security. Because the techniques used to initiate cyberattacks change frequently or, in some cases, are not recognized until launched or even later, Citi may be unable to implement effective preventive measures or otherwise proactively address these methods. In addition, cyber threats and cyberattack techniques change, develop and evolve rapidly, including from emerging technologies such as artificial intelligence, cloud computing and quantum computing. Given the frequency and sophistication of cyberattacks, the determination of the severity and potential impact of a cyber incident may not become apparent for a substantial period of time following detection of the incident. Also, while Citi strives to implement measures to reduce the exposure resulting from outsourcing risks, such as performing security control assessments of third-party vendors and limiting third-party access to the least privileged level necessary to perform job functions, these measures cannot prevent all third-party related cyberattacks or data breaches. In addition, the risk of insider threat may be elevated in the near term due to Citi's overall simplification initiatives, including streamlining its global staff functions. Cyber incidents can result in the disclosure of personal, confidential or proprietary customer, client or employee information; damage to Citi's reputation with its clients, other counterparties and the market; customer dissatisfaction; and additional costs to Citi, including expenses such as repairing or replacing systems, replacing customer payment cards, credit monitoring or adding new personnel or protection technologies. Cyber incidents can also result in regulatory penalties, loss of revenues, deposit flight, exposure to litigation and other financial losses, including loss of funds to both Citi and its clients and customers, and disruption to Citi's operational systems (see the operational processes and systems risk factor above). Moreover, the increasing risk of cyber incidents has resulted in increased legislative and regulatory action on cybersecurity, including, among other things, scrutiny of firms' cybersecurity protection services, laws and regulations to enhance protection of consumers' personal data and mandated disclosure on cybersecurity matters. For example, in July 2023, the SEC finalized new rules requiring timely disclosure of material cybersecurity incidents as well as other annual cyber-related disclosures (see "Managing Global Risk-Operational Risk-Cybersecurity Risk" below). While Citi maintains insurance coverage that may, subject to policy terms and conditions including significant self-insured deductibles, cover certain aspects of cyber risks, such insurance coverage may be insufficient to cover all losses and may not take into account reputational harm, the costs of which are impossible to quantify. For additional information about Citi's management of cybersecurity risk, see "Managing Global Risk-Operational Risk-Cybersecurity Risk" below. Changes or Errors in Accounting Assumptions, Judgments or Estimates, or the Application of Certain Accounting Principles, Could Result in Significant Losses or Other Adverse Impacts.U.S. GAAP requires Citi to use certain assumptions, judgments and estimates in preparing its financial statements, including, among other items, the estimate of the ACL; reserves related to litigation, regulatory and tax matters; valuation of DTAs; the fair values of certain assets and liabilities; and the assessment of goodwill and other assets for impairment. These assumptions, judgments and estimates are inherently limited because they involve techniques, including the use of historical data in many circumstances, that cannot anticipate every economic and financial outcome in the markets in which Citi operates, nor can they anticipate the computing. Given the frequency and sophistication of cyberattacks, the determination of the severity and potential impact of a cyber incident may not become apparent for a substantial period of time following detection of the incident. Also, while Citi strives to implement measures to reduce the exposure resulting from outsourcing risks, such as performing security control assessments of third-party vendors and limiting third-party access to the least privileged level necessary to perform job functions, these measures cannot prevent all third-party related cyberattacks or data breaches. In addition, the risk of insider threat may be elevated in the near term due to Citi's overall simplification initiatives, including streamlining its global staff functions. Cyber incidents can result in the disclosure of personal, confidential or proprietary customer, client or employee information; damage to Citi's reputation with its clients, other counterparties and the market; customer dissatisfaction; and additional costs to Citi, including expenses such as repairing or replacing systems, replacing customer payment cards, credit monitoring or adding new personnel or protection technologies. Cyber incidents can also result in regulatory penalties, loss of revenues, deposit flight, exposure to litigation and other financial losses, including loss of funds to both Citi and its clients and customers, and disruption to Citi's operational systems (see the operational processes and systems risk factor above). Moreover, the increasing risk of cyber incidents has resulted in increased legislative and regulatory action on cybersecurity, including, among other things, scrutiny of firms' cybersecurity protection services, laws and regulations to enhance protection of consumers' personal data and mandated disclosure on cybersecurity matters. For example, in July 2023, the SEC finalized new rules requiring timely disclosure of material cybersecurity incidents as well as other annual cyber-related disclosures (see "Managing Global Risk-Operational Risk-Cybersecurity Risk" below). While Citi maintains insurance coverage that may, subject to policy terms and conditions including significant self-insured deductibles, cover certain aspects of cyber risks, such insurance coverage may be insufficient to cover all losses and may not take into account reputational harm, the costs of which are impossible to quantify. For additional information about Citi's management of cybersecurity risk, see "Managing Global Risk-Operational Risk-Cybersecurity Risk" below.

Citi operates in an increasingly evolving and competitive business environment, which includes both financial and non-financial services firms, such as traditional banks, online banks, private credit and financial technology companies and others. These companies compete on the basis of, among other factors, size, reach, quality and type of products and services offered, price, technology and reputation. Certain competitors may be subject to different and, in some cases, less stringent legal and regulatory requirements, whether due to size, jurisdiction, entity type or other factors, placing Citi at a competitive disadvantage. For example, Citi competes with other financial services companies in the U.S. and globally that have grown rapidly over the last several years or have developed and introduced new products and services. Potential mergers and acquisitions involving traditional financial services companies such as regional banks or credit card issuers, as well as networks and merchant acquirers, may also increase competition and impact Citi's ability to offer competitive pricing and rewards. Non-traditional financial services firms, such as private credit and financial technology companies, are less regulated and continue to expand their offerings of services traditionally provided by financial institutions. The growth of certain of these competitors has increased market and counterparty credit risks, particularly in a more challenging macroeconomic environment (see the risk factor on credit and concentrations of risk below). In addition, emerging technologies have the potential to intensify competition and accelerate disruption in the financial services industry. For example, despite difficulties and turmoil faced by the digital asset market in recent years, clients and investors have exhibited a sustained interest in digital assets. Financial services firms and other market participants have begun to offer services related to those assets. Citi may not be able to provide the same or similar services for legal or regulatory reasons, which may be exacerbated by rapidly evolving and conflicting regulatory requirements, and due to increased compliance and other risks. Further, changes in the payments space (e.g., instant and 24x7 payments) are accelerating, and, as a result, certain of Citi's products and services could become less competitive. Increased competition and emerging technologies have required and could require Citi to change or adapt its products and services, as well as invest in and develop related infrastructure, to attract and retain customers or clients or to compete more effectively with competitors, including new market entrants. Simultaneously, as Citi develops new products and services leveraging emerging technologies, new risks may emerge that, if not designed and governed adequately, may result in control gaps and in Citi operating outside of its risk appetite. For example, failure to strategically embrace the potential of artificial intelligence (AI) may result in a competitive disadvantage to Citi. At the same time, as a new technology, use of AI without sufficient controls, governance and risk management may result in increased risks across all of Citi's risk categories. As another example, instant and 24x7 payments products could be accompanied by challenges to forecasting and managing liquidity, as well as increased operational and compliance risks. Moreover, Citi relies on third parties to support certain of its product and service offerings, which may put Citi at a disadvantage to competitors who may directly offer a broader array of products and services. Also, Citi's businesses, results of operations and reputation may suffer if any third party is unable to provide adequate support for such product and service offerings, whether due to operational incidents or otherwise (see the operational processes and systems, cybersecurity and emerging markets risk factors below).To the extent that Citi is not able to compete effectively with financial services companies, including private credit and financial technology companies, and non-financial services firms, Citi could be placed at a competitive disadvantage, which could result in loss of customers and market share, and its businesses, results of operations and financial condition could suffer. For additional information on Citi's competitors, see the co-brand and private label cards and qualified colleagues risk factors above and "Supervision, Regulation and Other-Competition" below.OPERATIONAL RISKSA Failure or Disruption of Citi's Operational Processes or Systems Could Negatively Impact Its Reputation, Customers, Clients, Businesses or Results of Operations and Financial Condition.Citi's global operations rely heavily on its technology systems and infrastructure, including the accurate, timely and secure processing, management, storage and transmission of data, including confidential transactions, and other information, as well as the monitoring of a substantial amount of data and complex transactions in real time. Citi obtains and stores an extensive amount of personal and client-specific information for its consumer and institutional customers and clients, and must accurately record and reflect their account transactions. Citi's operations must also comply with complex and evolving laws, regulations and heightened regulatory expectations in the countries in which it operates (see the implementation and interpretation of regulatory changes and legal proceedings risk factors below). With the evolving proliferation of new technologies and the increasing use of the internet, mobile devices and cloud services to conduct financial transactions and customers' and clients' increasing use of online banking and trading systems and other platforms, large global financial institutions such as Citi have been, and will continue to be, subject to an ever-increasing risk of operational loss, failure or disruption. market entrants. Simultaneously, as Citi develops new products and services leveraging emerging technologies, new risks may emerge that, if not designed and governed adequately, may result in control gaps and in Citi operating outside of its risk appetite. For example, failure to strategically embrace the potential of artificial intelligence (AI) may result in a competitive disadvantage to Citi. At the same time, as a new technology, use of AI without sufficient controls, governance and risk management may result in increased risks across all of Citi's risk categories. As another example, instant and 24x7 payments products could be accompanied by challenges to forecasting and managing liquidity, as well as increased operational and compliance risks. Moreover, Citi relies on third parties to support certain of its product and service offerings, which may put Citi at a disadvantage to competitors who may directly offer a broader array of products and services. Also, Citi's businesses, results of operations and reputation may suffer if any third party is unable to provide adequate support for such product and service offerings, whether due to operational incidents or otherwise (see the operational processes and systems, cybersecurity and emerging markets risk factors below). To the extent that Citi is not able to compete effectively with financial services companies, including private credit and financial technology companies, and non-financial services firms, Citi could be placed at a competitive disadvantage, which could result in loss of customers and market share, and its businesses, results of operations and financial condition could suffer. For additional information on Citi's competitors, see the co-brand and private label cards and qualified colleagues risk factors above and "Supervision, Regulation and Other-Competition" below.

Citi has co-branding and private label relationships through its Branded Cards and Retail Services credit card businesses with various retailers and merchants, whereby in the ordinary course of business Citi issues credit cards to consumers, including customers of the retailers or merchants. The five largest relationships across both businesses in USPB constituted an aggregate of approximately 11% of Citi's revenues in 2023 (see "U.S. Personal Banking" above). Citi's co-branding and private label agreements often provide for shared economics between the parties and generally have a fixed term. Competition among card issuers, including Citi, for these relationships is significant, and Citi may not be able to maintain such relationships on existing terms or at all. Citi's co-branding and private label relationships could also be negatively impacted by, among other things, the general economic environment, including the impacts of continued elevated interest rates and inflation, and lower economic growth rates, as well as a continuing risk of recession; changes in consumer sentiment, spending patterns and credit card usage behaviors; a decline in sales and revenues, partner store closures, any reduction in air and business travel, or other operational difficulties of the retailer or merchant; early termination due to a contractual breach or exercise of other early termination right; or other factors, including bankruptcies, liquidations, restructurings, consolidations or other similar events, whether due to a challenging macroeconomic environment or otherwise. These events, particularly early termination and bankruptcies or liquidations, could negatively impact the results of operations or financial condition of Branded Cards, Retail Services or Citi as a whole, including as a result of loss of revenues, increased expenses, higher cost of credit, impairment of purchased credit card relationships and contract-related intangibles or other losses (see Note 17 for information on Citi's credit card related intangibles generally). The Application of U.S. Resolution Plan Requirements May Pose a Greater Risk of Loss to Citi's Debt and Equity Securities Holders, and Citi's Inability in Its Resolution Plan Submissions to Address Any Shortcomings or Deficiencies or Guidance Could Subject Citi to More Stringent Capital, Leverage or Liquidity Requirements, or Restrictions on Its Growth, Activities or Operations, and Could Eventually Require Citi to Divest Assets or Operations.Title I of the Dodd-Frank Act requires Citi to prepare and submit a plan to the FRB and the FDIC for the orderly resolution of Citigroup (the bank holding company) and its significant legal entities under the U.S. Bankruptcy Code in the event of future material financial distress or failure. Under Citi's preferred "single point of entry" resolution plan strategy, only Citigroup, the parent holding company, would enter into bankruptcy, while Citigroup's material legal entities (as defined in the public section of its 2023 resolution plan, which can be found on the FRB's and FDIC's websites) would remain operational outside of any resolution or insolvency proceedings. As a result, Citigroup's losses and any losses incurred by its material legal entity subsidiaries would be imposed first on holders of Citigroup's equity securities and thereafter on its unsecured creditors, including holders of eligible long-term debt and other debt securities. In addition, a wholly owned, direct subsidiary of Citigroup serves as a resolution funding vehicle (the IHC) to which Citigroup has transferred, and has agreed to transfer on an ongoing basis, certain assets. The obligations of Citigroup and of the IHC, respectively, under the amended and restated secured support agreement, are secured on a senior basis by the assets of Citigroup (other than shares in subsidiaries of the parent company and certain other assets), and the assets of the IHC, as applicable. As a result, claims of the operating material legal entities against the assets of Citigroup with respect to such secured assets are effectively senior to unsecured obligations of Citigroup. Citi's single point of entry resolution plan strategy and the obligations under the amended and restated secured support agreement may result in the recapitalization of and/or provision of liquidity to Citi's operating material legal entities, and the commencement of bankruptcy proceedings by Citigroup at an earlier stage of financial stress than might otherwise occur without such mechanisms in place.In line with the FRB's TLAC rule, Citigroup's shareholders and unsecured creditors-including its unsecured long-term debt holders-would bear any losses resulting from Citigroup's bankruptcy. Accordingly, any value realized by holders of its unsecured long-term debt may not be sufficient to repay the amounts owed to such debt holders in the event of a bankruptcy or other resolution proceeding of Citigroup. For additional information on Citi's single point of entry resolution plan strategy and the IHC and secured support agreement, see "Managing Global Risk-Liquidity Risk" below.On November 22, 2022, the FRB and FDIC issued feedback on the resolution plans filed on July 1, 2021 by the eight U.S. GSIBs, including Citi. The FRB and FDIC identified one shortcoming, but no deficiencies, in Citi's 2021 resolution plan. The shortcoming related to data integrity and data quality management issues, specifically, weaknesses in