Capitol Federal Financial (CFFN) Risk Factors

Information systems are essential to the conduct of our business, as we use such systems to manage our customer relationships, our general ledger, our deposits and our loans. In the normal course of our business, we collect, process, retain and transmit (by email and other electronic means) sensitive and confidential information regarding our customers, employees and others. We also outsource certain aspects of our data processing, data processing operations, remote network monitoring, engineering and managed security services to third-party service providers. In addition to confidential information regarding our customers, employees and others, we, and in some cases a third party, compile, process, transmit and store proprietary, non-public information concerning our business, operations, plans and strategies. Information security risks for financial institutions continue to increase in part because of evolving technologies, the use of the internet and telecommunications technologies (including mobile devices) to conduct financial and other business transactions and the increased sophistication and activities of organized crime, perpetrators of fraud, hackers, terrorists and others. Cyber criminals use a variety of tactics, such as ransomware, denial of service, and theft of sensitive business and customer information to extort payment or other concessions from victims. In some cases, these attacks have caused significant impacts on other businesses' access to data and ability to provide services. We are not able to anticipate or implement effective preventive measures against all incidents of these types, especially because the techniques used change frequently and because attacks can originate from a wide variety of sources, including attacks on third-party vendors and their applications and products used by the Bank. We use a variety of physical, procedural and technological safeguards to prevent or limit the impact of system failures, interruptions and security breaches and to protect confidential information from mishandling, misuse or loss, including detection and response mechanisms designed to contain and mitigate security incidents. However, there can be no assurance that such events will not occur or that they will be promptly detected and adequately addressed if they do, and early detection of security breaches may be thwarted by sophisticated attacks and malware designed to avoid detection. If there is a failure in or breach of our information systems, or those of a third-party service provider, the confidential and other information processed and stored in, and transmitted through, such information systems could be jeopardized, or could otherwise cause interruptions or malfunctions in our operations or the operations of our customers, employees, or others. Our business and operations depend on the secure processing, storage and transmission of confidential and other information in our information systems and those of our third-party service providers. Although we devote significant resources and management focus to ensuring the integrity of our information systems through information security measures, risk management practices, relationships with threat intelligence providers and business continuity planning, our facilities, computer systems, software and networks, and those of our third-party service providers, may be vulnerable to external or internal security breaches, acts of vandalism, unauthorized access, misuse, computer viruses or other malicious code and cyberattacks that could have a security impact. In addition, breaches of security may occur through intentional or unintentional acts by those having authorized or unauthorized access to our confidential or other information or the confidential or other information of our customers, employees or others. While we regularly conduct security and risk assessments on our systems and those of our third-party service providers, there can be no assurance that their information security protocols are sufficient to withstand a cyberattack or other security breach. Across our industry, the cost of minimizing these risks and investigating incidents has continued to increase with the frequency and sophistication of these threats. The occurrence of any of the foregoing could subject us to litigation or regulatory scrutiny, cause us significant reputational damage or erode confidence in the security of our information systems, products and services, cause us to lose customers or have greater difficulty in attracting new customers, have an adverse effect on the value of our common stock or subject us to financial losses that may not be covered by insurance, any of which could have an adverse effect on our business, financial condition and results of operations. As information security risks and cyber threats continue to evolve, we may be required to expend significant additional resources to further enhance or modify our information security measures and/or to investigate and remediate any information security vulnerabilities or other exposures arising from operational and security risks. Furthermore, there continues to be heightened legislative and regulatory focus on privacy, data protection and information security. New or revised laws and regulations may significantly impact our current and planned privacy, data protection and information security-related practices, the collection, use, sharing, retention and safeguarding of consumer and employee information, and current or planned business activities. Compliance with current or future privacy, data protection and information security laws could result in higher compliance and technology costs and could restrict our ability to provide certain products and services, which could have an adverse effect on our business, financial condition and results of operations. Our customers are also targets of cyberattacks and identity theft. There continues to be instances involving financial services and consumer-based companies reporting the unauthorized disclosure of client or customer information or the destruction or theft of corporate data. Large scale identity theft could result in customers' accounts being compromised and fraudulent activities being performed in their names. We have implemented certain safeguards against these types of activities, but they may not fully protect us from financial losses. The occurrence of a security breach involving our customers' information, regardless of its origin, could damage our reputation and result in a loss of customers and business, subject us to additional regulatory scrutiny, and expose us to litigation and possible financial liability. Any of these events could have an adverse effect on our business, financial condition and results of operations. See "Part I, Item 1C. Cybersecurity" for additional discussion related to cybersecurity.

Like most financial institutions, the Bank significantly depends on technology to deliver its products and services and to otherwise conduct business. To remain technologically competitive and operationally efficient, the Bank invests in system upgrades, new technological solutions, and other technology initiatives. Many of these solutions and initiatives have a significant duration, are tied to critical information systems, and require substantial resources. Although the Bank takes steps to mitigate the risks and uncertainties associated with these solutions and initiatives, there is no guarantee that they will be implemented on time, within budget, or without negative operational or customer impact. The Bank also may not succeed in anticipating its future technology needs, the technology demands of its customers, or the competitive landscape for technology. If the Bank were to falter in any of these areas, it could have an adverse effect on our business, financial condition and results of operations.

We are subject to extensive regulation, supervision, and examination by the OCC, the FRB, and the FDIC. These regulatory authorities exercise broad discretion in connection with their supervisory and enforcement activities, including the ability to impose restrictions on a bank's operations, reclassify assets, determine the adequacy of a bank's ACL, and determine the level of deposit insurance premiums assessed. The CFPB has broad powers to supervise and enforce consumer protection laws, including a wide range of consumer protection laws that apply to all banks and savings institutions, like the authority to prohibit unfair, deceptive or abusive acts and practices. The CFPB also has examination and enforcement authority over all banks with regulatory assets exceeding $10 billion at four consecutive quarter-ends. There are increased direct costs, additional regulatory burdens with indirect costs, and lost revenue, mainly related to interchange fees, associated with the Bank being over $10 billion in regulatory assets at certain points in time and for four consecutive quarter-ends. As long as the Bank does not exceed $10 billion in regulatory assets for four consecutive quarter ends, it will continue to be examined for compliance with consumer protection laws and the regulations of the CFPB by the Bank's primary bank regulator, the OCC. The Dodd-Frank Act also weakens the federal preemption rules that have been applicable for national banks and federal savings associations and gives state attorneys general the ability to enforce federal consumer protection laws. Any change in such regulation and oversight, whether in the form of regulatory policy, regulations, legislation, interpretation or application, could have an adverse impact on our operations. Moreover, bank regulatory agencies have been active in responding to concerns and trends identified in examinations and have issued formal enforcement orders requiring capital ratios in excess of regulatory requirements and/or assessing monetary penalties. Bank regulatory agencies, such as the OCC, the FRB and the FDIC, govern the activities in which we may engage, primarily for the protection of depositors' funds, the DIF and the safety and soundness of the banking system as a whole, and not for the protection or benefit of investors. The CFPB enforces consumer protection laws and regulations for the benefit of consumers and not the protection or benefit of investors. In addition, new laws and regulations, including those related to environmental, social, and governance initiatives, may continue to increase our costs of regulatory compliance and of doing business, and otherwise affect our operations. New laws and regulations may significantly affect the markets in which we do business, the markets for and value of our loans and securities, the products we offer, the fees we can charge and our ongoing operations, costs, and profitability. The Company is also directly subject to the requirements of entities that set and interpret accounting standards such as the Financial Accounting Standards Board, and indirectly subject to the actions and interpretations of the Public Company Accounting Oversight Board, which establishes auditing and related professional practice standards for registered public accounting firms and inspects registered firms to assess their compliance with certain laws, rules, and professional standards in public company audits. These regulations, along with existing tax, accounting, securities, and monetary laws, regulations, rules, standards, policies and interpretations, control the methods by which financial institutions and their holding companies conduct business, engage in strategic and tax planning, implement strategic initiatives, and govern financial reporting. The Company's failure to comply with laws, regulations or policies could result in civil or criminal sanctions and money penalties by state and federal agencies, and/or reputational damage, which could have an adverse effect on the Company's business, financial condition and results of operations. See "Part I, Item 1. Business - Regulation and Supervision" for more information about the regulations to which the Company is subject.

Reported instances of fraud and related financial crimes are rising nationwide. Like all financial institutions, the Company is vulnerable to increasing fraud losses as fraud schemes perpetrated against the Company and its customers continue to evolve and become more sophisticated. While the Company has procedures and systems in place to detect, prevent, and mitigate fraud losses, fraud losses may still occur and could be material to the Company's results of operations.

The Company's success depends, in large part, on its ability to attract and retain key people. Competition for the best people can be intense, and the Company spends considerable time and resources attracting and hiring qualified people for its operations. The unexpected loss of the services of one or more of the Company's key personnel could have an adverse impact on the Company's business because of their skills, knowledge of the Company's market, and years of industry experience, as well as the difficulty of promptly finding qualified replacement personnel.

Third-party vendors are sources of operational and information security risk to the Company, including risks associated with operations errors, information system interruptions or breaches, and unauthorized disclosures of sensitive or confidential customer information. The Company requires third-party vendors to maintain certain levels of information security; however, vendors may remain vulnerable to breaches, unauthorized access, misuse, computer viruses, and/or other malicious attacks that could ultimately compromise sensitive information. We have developed procedures and processes for selecting and monitoring third-party vendors, but ultimately are dependent on these third-party vendors to secure their information. If these vendors encounter any of these types of issues, or if we have difficulty communicating with them, we could be exposed to disruption of operations, loss of service or connectivity to customers, reputational damage, and litigation risk that could have an adverse effect on our business, financial condition and results of operations. The failure of an external vendor to perform in accordance with the contracted arrangements under service level agreements, because of changes in the vendor's organizational structure, financial condition, support for existing products and services or strategic focus or for any other reason, could be disruptive to our operations, which could have an adverse effect on our business and, in turn, our financial condition and results of operations. Additionally, replacing certain third-party vendors could also entail significant delay and expense.

While we are one of the largest mortgage loan originators in the state of Kansas, we compete in the same market areas as local, regional, and national banks, savings institutions, credit unions, mortgage brokerage firms, investment banking and brokerage firms, mortgage bankers and online competitors. We also compete with online investment and mortgage brokerages and online banks that are not confined to any specific market area.  Many of these competitors operate on a national or regional level, are a conglomerate of various financial services providers housed under one corporation, or otherwise have substantially greater financial or technological resources than the Bank. We compete primarily on the basis of the interest rates offered to depositors, the terms of loans offered to borrowers, and the benefits afforded to customers as a local institution and portfolio lender. Should we face competitive pressure to increase deposit rates or decrease loan rates, our net interest income could be adversely affected. Additionally, our competitors may offer products and services that we do not or cannot provide, as certain deposit and loan products fall outside of our accepted level of risk.  Our profitability depends upon our ability to compete in our local market areas.

As we have grown our commercial real estate lending portfolio, we have continued to maintain relationships not only in our local markets but in geographically diverse markets. As a result, we are particularly exposed to downturns in regional housing and commercial real estate markets and, to a lesser extent, housing and commercial real estate markets nationwide, along with changes in the levels of unemployment or underemployment. We monitor the current status and trends of local and national employment levels and trends and current conditions in the real estate and housing markets, as well as commercial real estate markets, in our local market areas and certain areas where we have commercial real estate loans and correspondent loans. Decreases in local real estate values could adversely affect the value of the property used as collateral for our loans, which could cause us to realize a loss in the event of a foreclosure. Additionally, if insurance obtained by our borrowers is insufficient to cover any losses sustained to the collateral, the decreases in the value of collateral securing our loans as a result of natural disasters or other related events could adversely impact our financial condition and results of operations. If insurance coverage is unavailable to our borrowers due to the reluctance of insurance companies to renew policies covering the collateral or due to other factors, the resulting increase in cost of home ownership could affect the ability of borrowers to repay loans. In addition, a decline in commercial real estate values would likewise adversely affect the value of collateral securing commercial real estate loans. Adverse conditions in our local economies and in certain areas where we have commercial real estate loans and correspondent loans, such as inflation, unemployment, supply chain disruptions, recession, natural disasters or pandemics, or other factors beyond our control, could adversely impact the ability of our borrowers to repay their loans. Declines in collateral values and adverse economic conditions could result in increased delinquencies, non-performing assets, loan losses, and future loan loss provisions.