Capital One Financial (COF) Risk Analysis

We operate in a highly competitive environment across all of our lines of business, whether in making loans, attracting deposits or in the global payments industry, and we expect competitive conditions to continue to intensify with respect to most of our products, particularly in our card, payment network and consumer banking businesses. We compete on the basis of the rates we pay on deposits and the rates and other terms we charge on the loans we originate or purchase, as well as the quality and range of our customer service, products, innovation and experience, and, with respect to our payment network businesses, the strength, reach, pricing and capabilities of our network offerings to merchants, acquirers and issuers. This competitive environment is a result of changes in technology, product delivery systems and regulation, as well as the emergence of new or significantly larger financial services providers, all of which may affect our customers' expectations and demands. In addition to offering competitive products and services, we invest in and conduct marketing campaigns to attract and inform customers. If our marketing campaigns are unsuccessful, it may adversely impact our ability to attract new customers and grow our business. Some of our competitors, including new and emerging competitors in the digital and mobile payments space and other financial technology providers and payment networks, are not subject to the same regulatory requirements or scrutiny to which we are subject, which also could place us at a competitive disadvantage, in particular in the development of new technology platforms or the ability to rapidly innovate. We compete with many forms of payments offered by both bank and non-bank providers, including a variety of new and evolving alternative payment mechanisms, systems and products, such as aggregators and web-based and wireless payment platforms or technologies, digital currencies or cryptocurrencies (including stablecoins and tokenized deposits), prepaid systems and payment services targeting users of social networks, communications platforms and online gaming. If we are unable to continue to keep pace with innovation and fail to reflect such technology in our payments offerings, do not effectively market our products and services, are unable to deliver them effectively and securely to our customers or are prohibited from or unwilling to enter emerging areas of competition, our business and results of operations could be adversely affected. Also, our competitors or other third parties may incorporate emerging technologies, such as AI, into their products or services more quickly or more successfully than we do, which could impair our ability to compete effectively. For example, our competitors may be more timely or successful in developing or integrating AI technologies to increase their productivity and reduce their costs or to provide better transaction execution or improved products or services to clients. In addition, government actions or initiatives by the federal and state governmental authorities, including the Federal Banking Agencies, may also provide competitors with increased opportunities to derive competitive advantages and may create new competitors. These actions or initiatives may include more accommodative positions on the processing and approval of traditional bank charters and deposit insurance, expanded access to the banking and payments systems through the approval of competitors, including competitors with novel business models, to hold specialized charters, or more accommodative positions on novel activities performed by banks or non-banks. For example, the Guiding and Establishing National Innovation for U.S. Stablecoins Act of 2025 (GENIUS Act) provides a legal framework for stablecoins to be issued in the United States, which may allow new and existing competitors to compete for funds that may have otherwise been deposited with banks, such as the Bank. Some of our competitors are substantially larger than we are, which may give those competitors advantages, including a more diversified product and customer base, the ability to reach more customers and potential customers, operational efficiencies, broad-based local distribution capabilities, lower-cost funding and larger existing branch networks. Many of our competitors are also focusing on cross-selling their products and developing new products or technologies, which could affect our ability to maintain or grow existing customer relationships or require us to offer lower interest rates or fees on our lending products or higher interest rates on deposits. Competition for loans could result in origination of fewer loans, earning less on our loans or an increase in loans that perform below expectations. We face strong and increasing competition in the direct banking market. Aggressive pricing throughout the industry may adversely affect the retention of existing balances and the cost-efficient acquisition of new deposit funds and may affect our growth and profitability. Customers could also close their online accounts or reduce balances or deposits in favor of products and services offered by competitors for other reasons. These shifts, which could be rapid, could result from general dissatisfaction with our products or services, including concerns over pricing, online security or our reputation. The potential consequences of this competitive environment are exacerbated by the flexibility of direct banking and the financial and technological sophistication of our online customer base. The increased pressure on transaction fees associated with card payments due to competition could create additional risk to growth for both our card issuing businesses and the Global Payment Network. This, in turn, could adversely affect the revenue for our network and card issuing businesses, as well as our ability to attract and retain Network Partners who may seek alternatives from both traditional and non-traditional payment service providers, which may limit our ability to maintain or grow revenues from the Global Payment Network. In addition, competitors' settlements with merchants and related actions, including pricing pressures and/or surcharging, could negatively impact our business practices. Competitor actions related to the structure of merchant and acquirer fees and merchant and acquirer transaction routing strategies may adversely affect our recently acquired PULSE Network's business practices, network transaction volume, revenue and prospects for future growth and entry into new product markets. Additionally, in our credit card business, competition for rewards customers may result in higher rewards expenses, or we may fail to attract new customers or retain existing rewards customers due to increasing competition for these consumers. The market for key business partners, especially in the credit card business, is very competitive, and we may not be able to grow or maintain these partner relationships or assure that these relationships will be profitable or valued by our customers. Additionally, partners themselves may face changes in their business, including market factors and ownership changes, that could impact the partnership, or they may make changes to the products and services they offer, which may lower the value of our products, such as the co-branded cards we issue to our customers. We face the risk that we could lose partner relationships, even after we have invested significant resources into acquiring and developing the relationships. The loss of any key business partner could have a negative impact on our results of operations, including lower returns, excess operating expense and excess funding capacity. We depend on our partners to effectively promote our co-brand and private label credit card products and integrate the use of our credit cards into their retail operations. The failure by our partners to effectively promote and support our products, as well as changes they may make in their business models, could adversely affect card usage and our ability to achieve the growth and profitability objectives of our partnerships. In addition, if our partners do not adhere to the terms of our program agreements and standards, or otherwise diminish the value of our brand, we may suffer reputational damage and customers may be less likely to use our products. Some of our competitors have developed, or may develop, substantially greater financial and other resources than we have, may offer richer value propositions or a wider range of programs and services than we offer, or may use more effective advertising, marketing or cross-selling strategies to acquire and retain more customers, capture a greater share of spending and borrowings, attain and develop more attractive co-brand card programs, obtain more favorable terms with merchants and maintain greater merchant acceptance than we have. Competition may also intensify as participants in the payments industry merge or enter into joint ventures or other business combinations that compete with our products and services. We may not be able to compete effectively against these threats or respond or adapt to changes in consumer spending habits as effectively as our competitors. In such a competitive environment, we may lose entire accounts or may lose account balances to competing firms, or we may find it more costly to maintain our existing customer base. Customer attrition from any or all of our lending products, together with any lowering of interest rates or fees that we might implement to retain customers, could reduce our revenues and therefore our earnings. Similarly, unexpected customer attrition from our deposit products, in addition to an increase in rates or services that we may offer to retain deposits, may increase our expenses and therefore reduce our earnings.

As a result of our recent acquisition of the Global Payment Network, we now face substantial and increasingly intense competition in the payments industry, both from traditional players and new, emerging alternative payment providers. For example, we now compete with other payment networks to attract Network Partners to issue credit and debit cards and other card products on the Global Payment Network. In addition, increased competition with certain network operators, such as Visa and Mastercard, could affect our existing partnerships and business relationships with these networks, which have historically played a significant role in facilitating our card-issuing and transaction processing services. Competition with other operators of payment networks is generally based on issuer fees, fees paid to networks (including switch fees), merchant acceptance and functionality, technological capabilities and other economic terms. Competition is also based on customer perception of service quality, merchant acceptance, brand image, reputation and market share. Further, we are now facing ongoing competition from emerging alternative payment providers who may create innovative networks or other arrangements with our primary competitors, large merchants or other industry participants, or provide stablecoins, other digital currencies or tokenized deposits, which could adversely impact our costs, transaction volume and ability to grow our business. In addition, we, along with our competitors, clients, network participants and others, are developing or participating in alternative payment systems or products such as mobile and ecommerce payment services, P2P payment services, real-time and faster payment initiatives, and payment services that could reduce our role in, or otherwise disintermediate us from, transaction processing or the value-added services we provide to support such processing. Many of our payment network and alternative payment provider competitors are well established and have significant financial resources and scale. These competitors have provided financial incentives to card issuers, such as large cash signing bonuses for new programs and funding for, and sponsorship of, marketing programs and other bonuses. We cannot be certain that we will be able to continue to increase international merchant acceptance, as well as the perception of merchant acceptance of the Global Payment Network, and we cannot be certain that we will achieve global market parity with Visa or Mastercard. In addition, Visa and Mastercard have entered into long-term arrangements with financial institutions, some of which are exclusive, or nearly exclusive, which has the effect of limiting our ability to conduct material amounts of business with these institutions. Moreover, American Express is also a strong competitor with international merchant acceptance, competitive transaction fees and an upscale brand image. Internationally, American Express competes in the same market segments as Diners Club. We may face challenges in increasing international merchant acceptance on our networks, particularly if third parties that we rely on to issue Diners Club cards, increase card acceptance and market our brands, do not perform to our expectations. In such a competitive environment, any disruption to our existing relationships with Visa or Mastercard or our ability to grow the Global Payment Network could affect our ability to remain competitive by adjusting issuer fees and incentives, and we may be unable to offer adequate pricing to Network Partners while maintaining sufficient net revenues. In addition, if we are unable to maintain sufficient network functionality to be competitive with other networks, or if our competitors develop better data security solutions or more innovative products and services than we do, our ability to retain and attract Network Partners and maintain or increase the revenues generated by the Global Payment Network or our proprietary card-issuing businesses could be materially and adversely affected. Our competitive position could also be affected if we are unable to deploy, in a cost-effective and competitive manner, technology such as generative AI. Additionally, competitors may develop ancillary products, which as a consequence of the competitors' size and scale, we may be forced to use. Such developments could adversely affect our business, as those competitors may be better positioned to absorb the costs of such data security solutions over higher volumes or a larger customer base. Our recently acquired network business depends upon relationships with card issuers, merchant acquirers, alternative payment providers and licensees, many of whom are financial institutions. The economic and regulatory environment and increased competition and innovation in the payments space could decrease our opportunities for new business and may result in the termination of existing business relationships. In addition, if as a result of this environment, financial institutions have decreased interest in engaging in new card issuance opportunities or expanding existing card issuance relationships, that would inhibit our ability to grow our network business. We will face substantial and intense competition in the payments industry, which may impact our revenue margins, transaction volume and business strategies.

Our ability to attract and retain customers is highly dependent upon the perceptions of consumer and commercial borrowers and deposit holders and other external perceptions of our products, services, business practices, workplace culture, compliance practices or our financial health. Capital One's brands, including Discover, PULSE and Diners Club, are some of our most important assets. Maintaining and enhancing our brands depends largely on our ability to continue to provide high-quality products and services. Adverse perceptions regarding our reputation in the consumer, commercial and funding markets could lead to difficulties in generating, maintaining and financing accounts. In particular, negative public perceptions regarding our reputation, including negative perceptions regarding our ability to maintain the security of our technology systems and protect customer data, could lead to decreases in the levels of deposits that current and potential consumer and commercial customers choose to maintain with us. In addition, we operate across a number of different businesses, and negative publicity with respect to one business could have negative consequences across all of our businesses. Negative perceptions may also significantly increase the costs of attracting and retaining customers, increase susceptibility to litigation and enforcement actions or other adverse effects on our business, results of operations and financial condition. Negative public opinion or damage to our brand could also result from actual or alleged conduct in any number of activities or circumstances, including lending and payment network practices, regulatory compliance, cyber-attacks or other security incidents, accounting issues, corporate governance and sales and marketing, and from actions taken by regulators or other persons in response to such conduct. Such conduct could fall short of our customers' and the public's heightened expectations of companies of our size with rigorous privacy, data protection, data security and compliance practices, and could further harm our reputation. We strategically license our trademarks to business partners and network participants, some of whom have contractual obligations to promote and develop our brands. In addition, our co-brand and private label credit card partners or other third parties with whom we have important relationships may take actions over which we have limited control that could negatively impact perceptions about us or the financial services industry. The proliferation of social media and its rapid and broad dissemination of information (or misinformation and disinformation) may increase the likelihood that negative public opinion from any of the actual or alleged events discussed above may trigger a loss of trust or confidence on the part of clients, counterparties, shareholders, investors, debt holders, market analysts or other relevant parties, including regulators, and could impact our reputation and business. In addition, a variety of economic or social factors may cause changes in borrowing activity, including credit card use, payment patterns and the rate of defaults by account holders and borrowers domestically and internationally. These economic and social factors include changes in consumer confidence levels, the public's perception regarding the banking industry and consumer debt, including credit card use, and changing attitudes about the stigma of bankruptcy. If consumers develop or maintain negative attitudes about incurring debt, or consumption trends decline or if we fail to maintain and enhance our brand, or we incur significant expenses to do so, our reputation and business and financial results could be materially and negatively affected. Environmental, social and corporate governance policies may create competing stakeholder, legislative and regulatory scrutiny that may impact our reputation or operations. As a result, we may not be able to meet the full range of expectations and demands of all our stakeholders. Any failure to meet our stakeholders full range of expectations and demands could result in reputational damage, a loss of customer and investor confidence, increased legal and operational risks and other adverse effects on our results of operations and prospects. For example, as part of our acquisition of Discover, we have committed to a $265 billion Community Benefits Plan ("CBP") over five years. Failure to adequately deliver on, or material revisions to, this commitment, whether due to financial constraints, operational inefficiencies or external economic factors, may lead to public criticism, which may expose us to significant reputational risks. Also, some stakeholders may object to the scope or nature of the CBP initiative, which could give rise to negative responses by governmental actors (e.g., litigation, retaliatory legislation) or by customers and advocates (e.g., boycotts) that could adversely affect our brand value.

Our industry is subject to rapid and significant technological changes, including due to the increasing development and use of AI, and our ability to meet our customers' needs and expectations is key to our ability to grow revenue and earnings. We expect digital technologies to continue to have a significant impact on banking over time. Consumers expect robust digital experiences from their financial services providers. The ability for customers to access their accounts and conduct financial transactions using digital technology, including mobile applications, is an important aspect of the financial services industry, and financial institutions are rapidly introducing new digital and other technology-driven products and services that aim to offer a better customer experience and to reduce costs. We continue to invest in digital technology designed to attract new customers, facilitate the ability of existing customers to conduct financial transactions and enhance the customer experience related to our products and services. Our continued success depends, in part, upon our ability to assess and address the needs of our customers by using digital technology to provide products and services that meet their expectations. The development and launch of new digital products and services depends in large part on our ability to invest in and build the technology platforms that can enable them, in a cost-effective and timely manner. We expect that new technologies in the payments industry will continue to emerge, and these new technologies may be superior to our existing technology. See "We face intense competition in all of our markets, which could have a material adverse effect on our business and results of operations" and "We face risks related to our operational, technological and organizational infrastructure." Furthermore, any new technology could have a significant impact on the effectiveness of the Company's system of internal controls. Failure to successfully manage these risks in the development and implementation of new lines of business, new products or services and/or new technologies could have a material adverse effect on our business, financial condition and results of operations. Some of our competitors are substantially larger than we are, which may allow those competitors to invest more money into their technology infrastructure and digital innovation than we do. In addition, smaller competitors may experience lower cost structures and different regulatory requirements and scrutiny than we do, which may allow them to innovate more rapidly than we can. See "We face intense competition in all of our markets, which could have a material adverse effect on our business and results of operations." Further, our success depends on our ability to attract and retain strong digital and technology leaders, engineers and other specialized personnel. The competition is intense, and the compensation costs continue to increase for such talent. If we are unable to attract and retain digital and technology talent, our ability to offer digital products and services and build the necessary technology infrastructure could be negatively affected, which could negatively impact our business and financial results. A failure to maintain or enhance our competitive position with respect to digital products and services, whether because we fail to anticipate customer expectations or because our technological developments fail to perform as desired or are not implemented in a timely or successful manner, could negatively impact our business and financial results.

We rely on a variety of measures to protect and enhance our intellectual property rights, including copyrights, trademarks, trade secrets, patents, licenses and certain restrictions on disclosure, solicitation and competition. We also undertake other measures to control access to and distribution of our other proprietary and confidential information. These measures may not be successful in protecting or enforcing our rights in every jurisdiction or preventing infringement or misappropriation of our proprietary or confidential information, resulting in loss of competitive advantage. In certain situations, we may be compelled to engage in intellectual property-related litigation to enforce our intellectual property rights, which may incur significant expense and may be perceived negatively by customers or industry partners, thus potentially resulting in reputational harm and may adversely impact our business, financial position and results of operations. In addition, our competitors or other third parties may obtain patents for innovations that are used in our industry, or allege that our operations, marketing, trademarks, systems, processes or technologies infringe, misappropriate or violate their intellectual property rights. Given the complex,rapidly changing and competitive technological and business environments in which we operate, if our competitors or other third parties are successful in obtaining such patents or prevail in intellectual property-related litigation or demands against us, we could lose significant revenues, incur significant license, royalty, technology development or other expenses, or pay significant damages. Furthermore, given intellectual property ownership and license rights surrounding AI, such as generative AI, are currently not fully addressed by courts or regulators, any output created by us using AI may not be subject to copyright or other intellectual property protection, which may adversely affect our intellectual property or other proprietary rights in, or ability to commercialize or use, any such output, and our use or adoption of AI may result in exposure to claims by third parties. We license certain intellectual property and technology that are important to our business, and in the future, we may enter into additional agreements that provide us with licenses to valuable intellectual property or technology. If we fail to comply with any of these obligations under our license agreements, we may be required to pay damages and the licensor may have the right to terminate the license. Termination by the licensor (or other applicable counterparty) may cause us to lose valuable rights, and could disrupt our operations and harm our reputation. In the future, we may identify additional third-party intellectual property and technology we need, including to develop and offer new products and services. However, such licenses may not be available on acceptable terms or at all. While we believe that we have all the necessary licenses from third parties for any intellectual property, including technology and software, that we use in the operations of our business but do not own, a third party could nonetheless allege that we are infringing its rights, which may deter our ability to obtain licenses on commercially reasonable terms from the third party, if at all, or cause the third party to commence litigation against us. Our failure to obtain necessary licenses or other rights, or litigation or claims arising out of intellectual property matters, may adversely impact our business, financial position and results of operations.

Our ability to provide our products and services and communicate with our customers and network participants depends upon the management and safeguarding of information systems and infrastructure, networks, software, data, technology, methodologies and business secrets, including those of our service providers. Our products and services involve the collection, authentication, management, usage, storage, transmission and destruction of sensitive and confidential information, including personal information, regarding our customers and their accounts, our employees, our partners and other third parties with which we do business. We also have arrangements in place with third-party business partners through which we share and receive information about their customers who are or may become our customers. The financial services industry, including Capital One, is particularly at risk because of the increased use of and reliance on digital banking products and other digital services, including mobile banking products, such as mobile payments, and other internet- and cloud-based products and applications, and the development of additional remote connectivity solutions, which increase cybersecurity risks and exposure. In addition, global events and geopolitical instability may lead to increased nation-state targeting us and other financial institutions in the U.S. and abroad, particularly given our expanded global footprint. Technologies, systems, networks and other devices of Capital One, as well as those of our employees, service providers, insiders, customers, partners, network participants, including merchants, and other third parties with whom we interact, have been and may continue to be the subject of cyber-attacks and other security incidents, including computer viruses, hacking,malware, ransomware, denial of service attacks, supply chain attacks, exploitation of vulnerabilities, credential stuffing, account takeovers, insider threats, business email compromise scams or the use of phishing, vishing (through voice messages), smishing (through SMS text), "deep fakes," or other forms of social engineering. Such cyber-attacks and other security incidents are designed to lead to various harmful outcomes, such as unauthorized transactions in Capital One accounts, unauthorized or unintended access to or release, gathering, monitoring, disclosure, loss, destruction, corruption, disablement, encryption, misuse, modification or other processing of confidential or sensitive information (including personal information), intellectual property, software, methodologies or business secrets, disruption, sabotage or degradation of service, systems or networks, an attempt to extort Capital One, its third-party service providers or its business partners or other damage. Cyber-attacks and other security incidents that occur in the supply chain of third parties with which we interact could also negatively impact Capital One. These threats may derive from, among other things, error, fraud or malice on the part of our employees, service providers, insiders, customers, partners, network participants, including merchants, or other third parties with whom we interact or may result from accidental technological failure or design flaws. Any of these parties may attempt to fraudulently induce employees, service providers, insiders, customers, partners, network participants, including merchants, or other third-party users of our systems or networks to disclose confidential or sensitive information (including personal information) in order to gain access to our systems, networks or data or that of our customers, partners, network participants, including merchants, or other third parties with whom we interact, or to unlawfully obtain monetary benefit through misdirected or otherwise improper payment. For instance, any party that obtains our confidential or sensitive information (including personal information) through a cyber-attack or other security incident may use this information for ransom, to be paid by us or a third party, as part of a fraudulent activity that is part of a broader criminal activity, or for other illicit purposes. Additionally, the failure of our employees, service providers, insiders, customers, partners, network participants, including merchants, or other third parties with whom we interact, or their respective supply chains, to exercise sound judgment and vigilance when targeted with social engineering or other cyber-attacks may increase our vulnerability. For example, on July 29, 2019, we announced that on March 22 and 23, 2019 an outside individual gained unauthorized access to our systems (the "2019 Cybersecurity Incident"). This individual obtained certain types of personal information relating to people who had applied for our credit card products and to our credit card customers. While the 2019 Cybersecurity Incident has been remediated, it resulted in fines, litigation, consent orders, settlements, government investigations and other regulatory enforcement inquiries. Cyber and information security risks for large financial institutions like us continue to increase due to the proliferation of new technologies, the industry-wide shift to reliance upon the internet to conduct financial transactions, the increased sophistication and activities of malicious actors, organized crime, perpetrators of fraud, hackers, terrorists, activists, extremist parties, formal and informal instrumentalities of foreign governments, state-sponsored or nation-state actors and other external parties and the growing use of AI by threat actors. In addition, our customers access our products and services using personal devices that are necessarily external to our security control systems. There has also been a significant proliferation of consumer information available on the internet resulting from breaches of third-party entities, including personal information, log-in credentials and authentication data. These third-party breach events could create a threat for our customers if their Capital One log-in credentials are the same as or similar to the credentials that have been compromised on other internet sites. This threat could include the risk of unauthorized account access, data loss and fraud. The use of AI, "bots" or other automation software can increase the velocity and efficacy of these types of attacks and such use by companies has resulted in, and may continue to result in, cyber-attacks and other security incidents that implicate the sensitive and confidential information, including personal information, of AI users. As our employees and contractors are operating under our hybrid work model, our remote interaction with employees, service providers, partners and other third parties on systems, networks and environments over which we have less control (such as through employees' personal devices) increases our cybersecurity risk exposure. We will likely face an increasing number of attempted cyber-attacks as we expand our mobile and other internet-based products and services, expand our usage of mobile, cloud and other internet-based technologies, increase international merchant acceptance of credit cards issued on the Discover Network, acquire new business operations or outsource certain business operations and otherwise attempt to keep pace with rapid technological changes in the financial services industry. The methods and techniques employed by malicious actors continue to develop and evolve rapidly, including from emerging technologies, such as AI and quantum computing, are increasingly sophisticated and often are not fully recognized or understood until after they have occurred, and some techniques could occur and enable persistent access for an extended period of time before being detected and remediated, if at all. We and our service providers and other third parties with which we interact may be unable to anticipate or identify certain attack methods or techniques in order to implement effective preventative or detective measures or mitigate or remediate the damages caused in a timely manner. Similarly, any cyber-attack or other security incident, information or security breach or technology failure that significantly exposes, degrades, destroys or compromises our information systems or networks could adversely impact third parties and the critical infrastructure of the financial services industry, thereby creating additional risk for us. We may also be unable to hire, develop and retain talent that keeps pace with the rapidly changing cyber threat landscape, and which are capable of preventing, detecting, mitigating or remediating these risks. Although we seek to maintain a robust suite of authentication and layered information security controls, any one or combination of these controls could fail to prevent, detect, mitigate, remediate or recover from these risks in a timely manner. An actual, suspected, threatened or alleged disruption or breach, including as a result of a cyber-attack, or media (including social media) reports of alleged or perceived security vulnerabilities or incidents at Capital One or at our service providers, could result in significant legal and financial exposure, regulatory intervention, litigation, enforcement actions, remediation costs, card reissuance, inability to timely pay our debts (and consequently limit our access to future funding), operational disruptions, supervisory liability, damage to our reputation or loss of confidence in the security of our systems, products and services that could adversely affect our business. Moreover, we are subject to varied cybersecurity laws and regulations and incident reporting requirements, and may in the future be subject to new cybersecurity laws and regulations and incident reporting requirements, which could require us to publicly disclose certain information about certain cybersecurity incidents before they have been resolved or fully investigated, and any delays in receiving timely information from impacted service providers and business partners can affect our ability to fully meet applicable disclosure requirements for a given incident. There can be no assurance that unauthorized access or cyber incidents will not occur or that we will not suffer material losses in the future. If future attacks are successful or if customers are unable to access their accounts online for other reasons, it could adversely impact our ability to service customer accounts or loans, complete financial transactions for our customers or otherwise operate any of our businesses or services. In addition, a breach or attack affecting one of our service providers or other third parties with which we interact could harm our business even if we do not control the service that is attacked. Further, our ability to monitor our service providers' and other business partners' cybersecurity practices is inherently limited. Although the agreements that we have in place with our service providers and other business partners generally include requirements relating to privacy, data protection and data security, we cannot guarantee that such agreements will prevent a cyber incident impacting our systems or information or enable us to obtain adequate or any reimbursement from our service providers or other business partners in the event we should suffer any such incidents. However, due to applicable laws and regulations or contractual obligations, we may be held responsible for cyber incidents attributed to our service providers and other business partners as they relate to the information we share with them. In addition, we continue to incur increased costs with respect to preventing, detecting, investigating, mitigating, remediating and recovering from cybersecurity risks, as well as any related attempted fraud. In order to address ongoing and future risks, we must expend significant resources to support protective security measures, investigate and remediate any vulnerabilities of our information systems and infrastructure and invest in new technology designed to mitigate security risks. Further, high-profile cyber incidents at Capital One or other large financial institutions could undermine our competitive advantage and divert management attention and resources, lead to a general loss of customer confidence in financial institutions that could negatively affect us, including harming the market perception of the effectiveness of our security measures or the global financial system in general, which could result in reduced use of our financial products. We have insurance against some cyber risks and attacks; nonetheless, our insurance coverage may not be sufficient to offset the impact of a material loss event (including if our insurer denies coverage as to any particular claim in the future), and such insurance may increase in cost or cease to be available on commercially reasonable terms, or at all, in the future. In addition, in the case of any cyber-attack or other security incident, information or security breach or technology failure arising from third-party systems impacting us, any third-party indemnification may not be applicable or sufficient to address the impact of such incidents. Furthermore, the Transaction exposes us to additional cybersecurity risks, which we expect to continue until the integration of Discover is completed. These risks include the possibility of previously undetected cybersecurity threats in Discover's operations, systems and networks, as well as risks related to the cybersecurity posture of Discover and its third-party service providers. The materialization of such risks could lead to the degradation or disruption of our operations and services; unauthorized access; breach of confidentiality; and misuse or modification of systems, networks and data. Additionally, in connection with the integration of Discover, failures or difficulties in retaining new personnel, including those with access to our confidential or sensitive information (including personal information), and other difficulties in the organizational,technological and cultural integration process may heighten the risk of cyber-attacks and other security incidents, including as a result of human error, fraud or malice on the part of current or former employees.

Our businesses are subject to increased litigation, government investigations and other regulatory enforcement risks as a result of a number of factors and from various sources, including the highly regulated nature of the financial services industry, the focus of state and federal prosecutors on banks and the financial services industry and the structure of the credit card industry. Given the inherent uncertainties involved in litigation, government investigations and regulatory enforcement decisions, and the very large or indeterminate damages sought in some matters asserted against us, there can be significant uncertainty as to the ultimate liability we may incur from these kinds of matters. The finding, or even the assertion, of substantial legal liability against us could have a material adverse effect on our business and financial condition and could cause significant reputational harm to us, which could seriously harm our business. In addition, financial institutions, such as ourselves, face significant regulatory scrutiny, which can lead to public enforcement actions or nonpublic supervisory actions. We and our subsidiaries are subject to comprehensive regulation and periodic examination by, among other regulatory bodies, the Federal Banking Agencies, the SEC, the CFTC and the CFPB. We have been subject to enforcement actions by many of these and other regulators and may continue to be involved in such actions, including governmental inquiries, investigations and enforcement proceedings. In December 2025, the OCC issued a report of preliminary findings of its ongoing supervisory review, in accordance with Executive Order 14331 "Guaranteeing Fair Banking for All Americans," of the nine largest OCC-regulated banks, including the Bank, to determine whether those banks may have debanked or discriminated against customers or potential customers on the basis of their political or religious beliefs or lawful business activities. In the report, the OCC states that its review is ongoing and, once its supervisory review has concluded, it intends to hold the banks reviewed accountable for any unlawful debanking activities, including by making referrals to the Attorney General. Over the last several years, federal and state regulators have focused on risk management, compliance with anti-money laundering ("AML") and sanctions laws, privacy, data protection and data security, use of service providers, fair access and lending, unfair or deceptive practices, and other consumer protection issues and new technologies. Regulators have indicated the potential for escalating consequences for banks that do not timely resolve open issues or have repeat issues. Regulatory scrutiny is expected to continue in these areas, including as a result of implementation of the AML Act of 2020. We expect that regulators and governmental enforcement bodies will continue taking public enforcement actions against financial institutions in addition to addressing supervisory concerns through nonpublic supervisory actions or findings, which could involve restrictions on our activities, or our ability to make acquisitions or otherwise expand our business, among other limitations that could adversely affect our business. In addition, a violation of law or regulation by another financial institution is likely to give rise to supervisory review or an investigation by regulators and other governmental agencies of the same or similar practices by us. Furthermore, a single event may give rise to numerous and overlapping investigations and proceedings. These and other initiatives from governmental authorities and officials may subject us to further customer remuneration, judgments, settlements, fines or penalties, or cause us to restructure our operations and activities or to cease offering certain products or services, all of which could harm our reputation or lead to higher operational costs. Litigation, government investigations and other regulatory actions could generally subject us to significant fines, increased expenses, restrictions on our activities, including product offerings, and damage to our reputation and our brand, and could adversely affect our business, financial condition and results of operations. For additional information regarding legal and regulatory proceedings to which we are subject, see "Part II-Item 8. Financial Statements and Supplementary Data-Note 19-Commitments, Contingencies, Guarantees and Others." As a result of the Transaction, we have assumed the contingencies and liabilities of Discover, for which we have incurred and may continue to incur financial risk, compliance obligations, litigation risk, or reputational risk, including as a result of assuming ongoing litigation disputes, claims, government agency investigations and enforcement actions and other proceedings associated with Discover's actions prior to the Transaction. For additional information regarding legal and regulatory proceedings in connection with the Transaction, refer to "Part II-Item 8. Financial Statements and Supplementary Data-Note 19-Commitments, Contingencies, Guarantees and Others." We continue to face significant uncertainty regarding the contingencies and liabilities we have assumed from Discover, and any significant or unanticipated liability we may incur from these matters may adversely impact our business, financial condition and results of operations.

We are subject to a variety of continuously evolving and developing laws and regulations in the United States at the federal, state and local level regarding privacy, data protection and data security, including those related to the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information. These laws and regulations, and similar laws and regulations in other jurisdictions, impose strict requirements regarding the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information, which may have adverse consequences, including significant compliance costs and severe monetary penalties for non-compliance. For further discussion of applicable privacy, data protection and data security laws and regulations, see "Part I-Item 1. Business-Supervision and Regulation" under the headings "Privacy, Data Protection and Data Security" and "Regulation by Authorities Outside the United States." Significant uncertainty exists as privacy, data protection and data security laws may be interpreted and applied differently from country to country and may create inconsistent or conflicting requirements. In connection with the integration of Discover, we expect to continue to integrate Discover data, including personal information, into our systems and networks, which may subject us to increased regulatory and compliance risks, including at the international level. Further, we make public statements about our use, collection, disclosure and other processing of personal information through our privacy policies, information provided on our website and press statements. Although we endeavor to comply with our public statements and documentation, we may at times fail to do so or be alleged to have failed to do so. The publication of our privacy policies and other statements that provide promises and assurances about privacy, data protection and data security can subject us to potential government or legal action if they are found to be deceptive, unfair or misrepresentative of our actual practices. We have been subject to these types of claims in the past, and there can be no assurance that we will not be subject to these types of claims in the future. Additional risks could arise in connection with any failure or perceived failure by us, our service providers or other third parties with which we do business to provide adequate disclosure or transparency to individuals, including our customers, about the personal information collected from them and its use, to receive, document or honor the privacy preferences expressed by individuals, to protect personal information from unauthorized disclosure, misuse or mishandling or to maintain proper training on privacy practices for all employees or third parties who have access to personal information in our possession or control. Furthermore, the increased risk of inadvertent disclosure of confidential information or personal data in connection with the utilization of AI technologies may result in stronger regulatory scrutiny, leading to legal and regulatory investigations and enforcement actions that may negatively affect our business, even if unfounded. Our efforts to comply with the GLBA, the FCRA, the CCPA, the PIPEDA and provincial privacy laws, EU GDPR, U.K. GDPR and other privacy, data protection and data security laws and regulations, as well as our posted privacy policies, and related contractual obligations to third parties, entail substantial expenses, may divert resources from other initiatives and projects, and could limit the services we are able to offer. Furthermore, enforcement actions and investigations by regulatory authorities related to data security incidents and privacy, data protection and data security violations continue to increase. The enactment of more restrictive laws or regulations, or future enforcement actions, litigation or investigations, could impact us through increased costs or restrictions on our business, and any noncompliance or perceived noncompliance could result in monetary or other penalties, harm to our reputation, distraction to our management and technical personnel and significant legal liability.

Changes or instability in the macroeconomic environment may impact payment patterns, consumer spending and credit losses. Because we offer a broad array of financial products and services to consumers, small businesses and commercial clients, our financial results are impacted by the level of consumer and business activity and the demand for our products and services. A prolonged period of economic weakness, volatility, slow growth or a significant deterioration in economic conditions, in the countries in which we operate, could have a material adverse effect on our financial condition and results of operations as customers or commercial clients default on their loans, maintain lower deposit levels or, in the case of credit card accounts, carry lower balances and reduce credit card purchase activity. Some of the factors that could disrupt capital markets, reduce consumer and business activity and weaken the labor market include the following: - Monetary policy actions, such as changes to interest rates, taken by the Federal Reserve and other central banks, such as the central banks in the U.K. and Canada, and a growing fiscal deficit and increase in the U.S. debt-to-gross domestic product ratio;- Fiscal policy actions, such as changes to applicable tax codes and programs supported by government funding (e.g., Medicaid, Medicare, Social Security);- Geopolitical conflicts or instabilities, such as the war in Ukraine, the ongoing conflict in the Middle East and the political instability in Venezuela and increased geopolitical tensions between the U.S. and China;- Trade wars, trade barriers, tariffs, economic sanctions, labor shortages and disruptions of global supply chains, including their impacts on the auto industry;- The effects of stalemates in the U.S. government, including government shutdowns whether recurring, prolonged or otherwise, developments related to the U.S. federal debt ceiling, default by the U.S. government on its debt obligations, or related credit-rating downgrades;- Inflation and deflation, including the effects of related governmental responses;- Concerns over a potential recession, which may lead to adjustments in spending patterns;- Technology-driven disruption of certain industries, such as those due to advances in AI, robotics and cryptocurrency;- Adverse developments impacting the U.S. or global banking industry, including bank failures, the failure of non-bank financial institutions and liquidity concerns and fluctuations or other significant changes in both debt and equity capital markets and currencies;- Changes in immigration policies and their impact to the labor market;- Lower demand for credit such as loans and shifts in consumer behavior, including shifts away from using credit cards or deposits, other changes in deposit practices and changes in payment patterns; and - Changes in usage of commercial real estate, which may have a sustained negative impact on utilization rates and values. Decreases in overall business activity and changes in customer behavior (such as the increased use of debt settlement companies) may lead to increases in our charge-off rate caused by bankruptcies and may reduce our ability to recover debt that we have previously charged off. Such changes may also decrease the reliability of our internal processes and models, including those we use to estimate our allowance for credit losses, particularly if unexpected variations in key inputs and assumptions cause actual losses to diverge from the projections of our models and our estimates become increasingly subject to management's judgment. See "We face risks resulting from the extensive use of models and data, as well as from our evolving use of AI." Additionally, we have and may in the future implement measures to tighten credit access in response to certain consumer and economic indicators that have or may in the future impact our financial performance, such as purchase volume and new accounts.