First Citizens BancShares (FCNCA) Risk Analysis

We are subject to litigation and other legal liability risks in the ordinary course of our business. Claims and legal actions, including supervisory actions by our regulators, that have been or may be initiated against us (including against entities that we acquire) or that involve matters for which we have indemnification obligations or other retained liabilities from time to time could involve large monetary sums and significant defense costs. During the last credit crisis, we saw the number of cases and our expenses related to those cases increase and we expect to see the same in future credit crises. The outcomes of such cases are always uncertain until finally adjudicated or resolved. In the course of our business, we may foreclose on and take title to real estate that contains or was used in the manufacture or processing of hazardous materials or that is subject to other environmental risks. In addition, we may lease equipment to our customers that is used to mine, develop, and process hazardous materials, and our railcars may be used to transport hazardous materials. As a result, we could be subject to environmental liabilities or claims for negligence, property damage or personal injury with respect to these properties or equipment. We may be held liable to a governmental entity or to third parties for property damage, personal injury, investigation and clean-up costs incurred by these parties in connection with environmental contamination, accidents or other hazardous risks, or may be required to investigate or clean up hazardous or toxic substances or chemical releases at a property. The costs associated with investigation or remediation activities could be substantial. In addition, if we are the owner or former owner of a contaminated site or equipment involved in a hazardous incident, we may be subject to common law claims by third parties based on damages and costs resulting from environmental contamination, property damage, personal injury or other hazardous risks emanating from the property or related to the equipment. We establish reserves for legal claims when payments associated with the claims become probable and our liability can be reasonably estimated. We may still incur legal costs for a matter even if we have not established a reserve. In addition, the actual amount paid in resolution of a legal claim may be substantially higher than any amounts reserved for the matter. The ultimate resolution of a legal proceeding, depending on the remedy sought and any relief granted, could materially adversely affect our results of operations and financial condition. Substantial legal claims or significant regulatory action against us or that involve matters for which we have indemnification obligations or other retained liabilities could have material adverse financial effects or cause significant reputational harm to us, which in turn could seriously harm our business prospects. We may be exposed to substantial uninsured legal liabilities and regulatory actions which could adversely affect our results of operations and financial condition. For additional information, refer to the Notes to the Consolidated Financial Statements contained in Item 8. Financial Statements and Supplementary Data, Note 23-Commitments and Contingencies.

Corporate tax rates affect our profitability and capital levels. We are subject to the income tax laws of the United States, its states and their municipalities and to those of the foreign jurisdictions in which we do business. These tax laws are complex and may be subject to different interpretations. We must make judgments and interpretations about the application of these tax laws when determining our provision for income taxes, our deferred tax assets and liabilities and our valuation allowance. Changes to the tax laws, administrative rulings or court decisions could increase our provision for income taxes and reduce our net income. The United States corporate tax code may be reformed by the U.S. Congress and additional guidance may be issued by the U.S. Treasury. Further changes in tax laws and regulations, and income tax rates in particular, could have an adverse impact on our financial condition and results of operations. These changes could also affect our Regulatory Capital Ratios as calculated in accordance with the Basel III standards as implemented.

Natural or man-made disasters (including, but not limited to, earthquakes, hurricanes, tornadoes, floods, tsunamis, fires, pollution, and explosions), global pandemics, acts of war, terrorist activities, climate change or other adverse external events, as well as government actions or other restrictions in connection with such events, could hurt our financial performance (i) directly through damage to our facilities or other impacts to our ability to conduct business in the ordinary course, and (ii) indirectly through such damage or impacts to our customers, suppliers or other counterparties. In particular, a significant amount of our business is concentrated in North Carolina, South Carolina, California, Texas, New York, Massachusetts and Florida, including areas where our facilities and retail and commercial customers have been and, in the future, could be impacted by hurricanes and flooding, earthquakes, wildfires, and rising sea levels. We also do business in Georgia, Virginia, Nebraska, Arizona, New Jersey, Hawaii, Nevada, as well as in Canada and other international locations our clients are domiciled, all of which also include areas significantly exposed to the foregoing risks. We could also suffer adverse results to the extent that disasters, wars, terrorist activities, riots or civil unrest affect the broader markets or economy or our operations specifically. Our ability to minimize the consequences of such events is in significant measure reliant on the quality of our disaster recovery planning and our ability, if any, to forecast the events, and such quality and ability may be inadequate. There has been increasing regulatory, political and social attention to the issue of climate change and related environmental sustainability matters. Federal and state legislators and regulatory agencies have issued, proposed, and continue to advance numerous legislative and regulatory initiatives seeking to mitigate the negative effects of climate change. Refer to Item 1. Business-Regulatory Considerations-Climate for additional information. We would expect to experience increased compliance costs and other compliance-related risks associated with complying with all such laws and regulations, and guidance applicable to our operations. Moreover, this could result in increased management time and attention to ensure we are compliant with the regulations and expectations. Such climate change-related measures may also result in the imposition of taxes and fees, the required purchase of emission credits or the implementation of significant operational changes, each of which may require us to expend significant capital and incur compliance, operating, maintenance and remediation costs. Additionally, many of our suppliers and business partners may be subject to similar requirements, which may augment or create additional risks. As a banking organization, the physical effects of climate change may present certain unique risks to us, our customers, collateral, or third parties on which we rely. For example, an increase in the frequency or magnitude of natural disasters, shifts in local climates and other disruptions related to climate change may adversely affect the value of real properties securing our loans, which could diminish the value of our loan portfolio. Such events have in the past and may in the future cause reductions in regional and local economic activity that have had and in the future may have an adverse effect on our customers. Consumers and businesses in communities that we serve may change their behavior and preferences because of these issues and new climate change laws and regulations aimed at mitigating climate change. The impact on our customers will likely vary depending on their geographic location, specific attributes, including their reliance on or role in carbon intensive activities and therefore, we could experience a drop in demand for our products and services, particularly in certain sectors. We may also be subject to adverse action and scrutiny from our regulators or other third parties, such as environmental advocacy organizations or state governments, in relation to how our business relates to, has addressed or failed to address, or disclosed climate change-related risks. Each of these outcomes, in addition to other risks posed by climate change, could have a material adverse effect on our financial condition and results of operations and may require that additional expenses and resources be incurred as we evolve our strategy and internal policies with respect to these matters.

The Trump administration has signaled the potential imposition of tariffs and retaliatory tariffs against U.S. trading partners. During his campaign, President Trump indicated that he would seek to impose a 25% tariff against all goods imported from Canada and Mexico, a 60% tariff on goods from China and a blank tariff of 10% to 20% on other imports to the U.S. On February 1, 2025, President Trump issued an Executive Order imposing tariffs on imports from Canada, Mexico, and China in response to a declared national emergency to address the "extraordinary threat posed by illegal aliens and drugs." The newly imposed tariffs have resulted in immediate threats of retaliatory tariffs against U.S. goods and negotiations which have delayed the tariffs on Canada and Mexico for 30 days, and may result in other negotiated agreements with one or more of the countries affected. These and other potential tariffs and trade restrictions may cause the prices of our customers' products to increase, which could reduce demand for such products, or reduce our customers' margins, and adversely impact their revenues, financial results, and ability to service debt. This, in turn, could adversely affect our financial condition and results of operations. At this time, it remains unclear what the U.S. government or foreign governments will or will not do with respect to additional tariffs that may be imposed or international trade agreements and policies.

Third party vendors provide key components of our business infrastructure, including certain data processing and information services. Their services could be difficult to quickly replace in the event of failure or other interruption in service. Failures of certain vendors to provide services could adversely affect our ability to deliver products and services to our customers leading to non-compliance with regulatory requirements. Third party vendors also present information security risks to us, both directly and indirectly through our customers. While we monitor significant vendor risks, including the financial stability of critical vendors, our monitoring may be inadequate and incomplete. The failure of a critical third-party vendor to provide key components of our business infrastructure could substantially disrupt our business and cause us to incur significant expense while harming our relationships with our customers.

The FDIC maintains the DIF to protect insured depositors in the event of bank failures. The DIF is funded by insurance premiums assessed on IDIs including FCB. Future insurance premiums paid by banks, including FCB, will depend on FDIC rules, which are subject to change, the level of the DIF and the magnitude and cost of future bank failures. For example, the FDIC began collecting a special assessment to recover the loss to the DIF associated with the bank failures in spring of 2023, beginning with the first quarterly assessment period of 2024. Refer to Item 1. Business-Regulatory Considerations-FDIC Insurance for additional information on insurance premiums, as well as payment of the special assessment. We may be required to pay significantly higher insurance premiums if market developments change such that the DIF balance is reduced or the FDIC changes its rules to require higher premiums.

Our businesses are highly dependent on the security and efficacy of our infrastructure, computer and data management systems, as well as those of third parties with whom we interact or on whom we rely. Our businesses rely on the secure processing, transmission, storage and retrieval of confidential, proprietary and other information in our computer and data management systems and networks, and in the computer and data management systems and networks of third parties. In addition, to access our network, products and services, our customers and other third parties may use personal mobile devices or computing devices that are outside of our network environment and are subject to their own cybersecurity risks, which may provide a point of entry for adverse effects on our own network environment. We, as well as our customers, regulators, third-party service providers, and other third parties with whom we do business, have been subject to, and are likely to continue to be the target of, cyberattacks. These cyberattacks include computer viruses, malicious or destructive code, ransomware, phishing attacks, denial of service or other security breaches that could result in the unauthorized release, gathering, monitoring, misuse, loss or destruction of confidential, proprietary or personal data. As cyber threats continue to evolve, we have been and will continue to be required to expend significant resources to continuously enhance our protective measures and may be required to expend significant resources to investigate and remediate any information security vulnerabilities or incidents. We could continue to experience cyberattacks, and we acknowledge that we cannot implement guaranteed preventive measures against all security threats. Additionally, a security breach may be difficult to detect, even after it occurs, which may compound the issue related to such breach. Continued geopolitical and geographical turmoil, including the ongoing conflicts in Ukraine and the Middle East, as well as increasing tensions in the South China Sea, has heightened the risk of cyberattacks and has created new risks for cybersecurity. For example, the U.S. government has warned that sanctions imposed against Russia by the United States in response to its conflict with Ukraine could motivate Russia to engage in malicious cyber activities against the United States. In addition, the U.S. government has warned that Iran may pose an increased cyber threat to U.S. critical infrastructure, such as the financial services sector, as the conflicts in the Middle East continue. If such cyberattacks occur, it could result in severe costs and disruptions to governmental entities and companies and their operations. The impact of the conflict and retaliatory measures is continually evolving and cannot be predicted with certainty. FCB has a higher risk of being impacted by geopolitical events due to FCB's expanded geographic footprint and increased prominence. Our Enterprise Cyber Security Office ("ECSO") continues in its efforts to closely monitor changes in the threat landscape. Cybersecurity risks for large banking institutions, such as FCB, have significantly increased in recent years in part because of the proliferation of new technologies, including generative AI, the use of the internet and mobile banking to conduct financial transactions, and the increased sophistication of criminal activities. In March 2024, the U.S. Treasury cautioned financial institutions with respect to AI vulnerabilities and threat-actor capabilities, and in September 2024, the DOJ updated guidance to prosecutors in their investigations of corporations, including an expectation of corporations having conducted risk assessments regarding use of new technologies like AI. Refer to Item 1. Business-Regulatory Considerations-Artificial Intelligence for additional information. Cyberattacks involving LFIs, including distributed denial of service attacks designed to disrupt external customer-facing services, nation state cyberattacks and ransomware attacks designed to deny organizations access to key internal resources or systems or other critical data, as well as targeted social engineering and phishing email and text message attacks designed to allow unauthorized persons to obtain access to an institution's information systems and data or that of its customers, are becoming more common and increasingly sophisticated. In particular, there has been an observed increase in the number of distributed denial of service attacks against the financial sector in recent years, which increase is believed to be partially attributable to politically motivated attacks as well as financial demands coupled with extortion. These risks are expected to continue and further intensify in the future. Even the most advanced control environment may be vulnerable to compromise given the possibility of employee error, failures to follow security procedures or malfeasance. Additionally, the increase of supply chain attacks, including potential attacks on third parties with access to our data or those providing critical services to us, remain an operational risk. As cyber threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our layers of defense or to investigate and remediate any information security vulnerabilities. Furthermore, past and future business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities' systems and technologies. We also face indirect technology, cybersecurity and operational risks relating to customers and other third parties with whom we do business or upon whom we rely to facilitate or enable our business activities, including financial counterparties; financial intermediaries such as clearing agents, exchanges and clearing houses; vendors and other external dependencies; regulators; and providers of critical infrastructure such as internet access and electrical power. As a result of increasing consolidation, interdependence and complexity of financial entities and technology systems, an event that materially degrades, or disrupts systems of one or more financial entities could have a material impact on counterparties or other market participants, including us. This consolidation interconnectivity and complexity increases the risk of operational failure, for both individual and industry-wide bases, as disparate systems need to be integrated, often on an accelerated basis. Any third-party technology failure, cyberattack or other information or security breach, termination or constraint could, among other things, adversely affect our ability to effect transactions, service our customers, manage our exposure to risk or expand our businesses. Cyberattacks or other information or security breaches, whether directed at us or third parties, may result in a material loss or have material consequences. Furthermore, the public perception that a cyberattack on our systems has been successful, correct or not, may damage our reputation with customers and third parties. A successful penetration or circumvention of system security could cause us negative consequences, including loss of customers and business opportunities, disruption to our operations and business, misappropriation or destruction of our confidential information and that of our customers, or damage to our customers' and third parties' computers or systems. In addition, such penetration or circumvention could result in a violation of applicable data privacy and protection laws and other laws, litigation exposure, regulatory fines, penalties or intervention, loss of confidence in our security measures, reputational damage, reimbursement or other compensatory costs and additional compliance costs. The consequences and results of any such penetration or circumvention could adversely impact our results of operations, liquidity and financial condition. Although to date we are not aware of any material losses or other material consequences relating to technology failure, cyberattacks or other information or security breaches, whether directed at us or third parties, we may suffer such losses or other consequences in the future. Additionally, insurance coverage may not be available for such losses or, where available, such losses may exceed insurance limits.

Our profitability depends on our ability to compete successfully. We operate in a highly competitive industry, and we expect competition to intensify. We compete with other banks and specialized financial services providers in our market areas for customers, sources of revenue, capital, services, qualified employees and other essential business resources. Our primary competitors include local, regional and national banks; credit unions; commercial finance companies; leasing companies; various wealth management providers; private equity firms; hedge funds; independent and captive insurance agencies; mortgage companies; and other non-bank providers of financial services. Some of our larger competitors, including certain banks with a significant presence in our market areas, have the capacity to offer products and services we do not offer, which may enable them to be more aggressive than us in competing for loans and deposits. Some of our non-bank competitors operate in less stringent regulatory environments, and certain competitors are not subject to federal or state income taxes. The fierce competitive pressures that we face adversely affect pricing and other terms for many of our products and services, and we could lose business to competitors or be forced to price products and services on less advantageous terms to retain or attract clients, either of which would adversely affect our profitability. We also compete with banks and other financial services companies for deposits. If competitors raise the rates they pay on deposits, our funding costs may increase, either because we raise rates to avoid losing deposits or because we lose deposits and must rely on more expensive sources of funding. In addition, checking and savings account balances and other forms of customer deposits may decrease when customers perceive alternative investments, such as the stock market, as providing a better risk/return trade-off. Our bank customers could take their money out of FCB and put it in alternative investments, causing us to lose a lower-cost source of funding. Additionally, technology and other changes are allowing parties to complete financial transactions that historically have involved banks through alternative methods without involving banks. For example, consumers can now maintain funds that would have historically been held as bank deposits in brokerage accounts, mutual funds or virtual accounts. Consumers can also complete transactions, such as paying bills or transferring funds directly without the assistance of banks. Transactions utilizing digital assets, including cryptocurrencies, stablecoins and other similar assets, have increased substantially. Certain characteristics of digital asset transactions, such as the speed with which such transactions can be conducted, the ability to transact without the involvement of regulated intermediaries, the ability to engage in transactions across multiple jurisdictions, and the anonymous nature of the transactions, are appealing to certain consumers. Accordingly, digital asset service providers, which, at present, are not subject to as extensive regulation as banking organizations and other financial institutions, have become active competitors for our customers' banking business and may have greater flexibility in competing for business. A recent Executive Order issued by President Trump states that the policy of the Administration will be to support the responsible growth of digital assets, blockchain technology and related technologies across the U.S. economy. The Executive Order includes a prohibition on the creation of a central bank digital currency and states a policy of promoting the development of dollar denominated stablecoins. Further, new leadership of the SEC and FDIC has indicated that each agency will pursue initiatives to promote innovation and technology adoption by institutions under their supervision, including by establishing a more transparent supervisory framework for digital assets and digital asset-related activities. The process of eliminating banks as intermediaries, known as "disintermediation," could result in the loss of fee income, as well as the loss of customer deposits and the related income generated from those deposits. Further, the CFPB's Open Banking rule is designed to facilitate the transfer of customer information at the direction of the customer to other financial institutions as further detailed in Item 1. Business-Regulatory Considerations-Privacy, Data Protection, and Cybersecurity, which could lead to greater competition for products and services among banks and nonbanks. The loss of these revenue streams and the lower cost deposits as a source of funds could have a material adverse effect on our financial condition and results of operations. Our financial performance is subject to risks associated with the loss of customer confidence and demand. A fragile, weakening or changing economy, or ambiguity surrounding the economic future, may lessen the demand for our products and services. Our performance may also be negatively impacted if we fail to attract and retain customers because we are not able to successfully anticipate, develop and market products and services that satisfy market demands. Such events could impact our performance through fewer loans, reduced fee income and fewer deposits, each of which could result in reduced net income.

As technology continues to evolve, criminals are using increasingly more sophisticated techniques to commit fraud, hide fraudulent activity, and proliferate effective techniques through social media. Fraudulent activity that we have been and are likely to continue to be exposed to can come in many forms, including debit card/credit card fraud, check fraud, wire fraud, electronic scanning devices attached to automated teller machines, use of AI to facilitate the perpetration of social engineering and impersonation schemes and identity theft, peer-to-peer payment fraud, social engineering, digital fraud, malware, and phishing, smishing, or vishing attacks to obtain personal information and fraudulent impersonation of our customers through the use of falsified documents, fake identification, or stolen credentials. We expect that combating fraudulent activities as they evolve will require continued ongoing investments and attention in the future as significant fraud could cause us direct losses for which insurance coverage may not be available, or where available, that exceed insurance limits, result in potential legal actions as a result of operational deficiency or noncompliance with regulatory standards, or impair our customer relationships, among other potential consequences, adversely impacting our reputation or results of operation.

Maintaining our reputation is important to our business and our brand. We are subject to reputational risks that could harm our business and prospects and arise from numerous sources, including those discussed further in this Annual Report on Form 10-K. Sources of reputational risks have included and may in the future include, among others, cyberattacks, legal claims and regulatory action, fraudulent activities aimed at us or parties with whom we do business, inaccurate or incomplete data, insufficient operational infrastructure or oversight, employee misconduct, non-compliance with applicable law or regulatory policies by us or parties with whom we do business, any inability to provide reliable financial reports or maintain effective internal controls, failure of our environmental, social and governance ("ESG") practices to meet investor or stakeholder expectations, or public perceptions of our business practices, including our deposit pricing and acquisition activity. Our reputation may also be damaged by adverse publicity or negative information regarding us, whether or not true, that may be published or broadcast by the media or posted on social media, non-mainstream news services or other parts of the internet. This risk can be magnified by the speed and pervasiveness with which information is disseminated through those channels. Because we conduct most of our businesses under the "First Citizens" brand, negative public opinion about one business could affect our other businesses. Reputational harm may lead to, among other things, a decline in our deposit balances and an increased risk that we become subject to litigation and regulatory action. Such reputational harm could have a material adverse impact on our business, financial condition and results of operations.