Fifth Third Bancorp (FITB) Risk Analysis

Severe weather events may adversely affect Fifth Third's operations and financial performance. Fifth Third's footprint stretches from the upper Midwestern to lower Southeastern regions of the U.S., and it has offices in many other areas of the country. Some of these regions have experienced hurricanes, tornadoes, wildfires and other natural disasters. The frequency and severity of these events are unpredictable, and large-scale occurrences could damage properties securing loans, impair borrowers' ability to repay, disrupt its physical operations including closures and infrastructure damage, and may interfere with Fifth Third's ability to carry out business and serve clients and customers.

Fifth Third develops for itself, and licenses from others, intellectual property for use in conducting its business. This intellectual property has been, and may be, subject to misappropriation or infringement by third parties as well as claims that Fifth Third's use of certain technology or other intellectual property infringes on rights owned by others. Fifth Third has been, and may be, subject to disputes and/or litigation concerning these claims and could be held responsible for significant damages covering past activities and substantial fees to continue to engage in these activities in the future. Fifth Third may also be unable to acquire rights to use certain intellectual property that is important for its business and may be unable to effectively engage in critical business activities. If Fifth Third is unable to protect or acquire rights to use intellectual property it owns or licenses, it may lose certain competitive advantages, incur expenses and/or lose revenue and may suffer harm to its business results and financial condition.

Fifth Third's business is conducted primarily via digital and information technology systems. This includes the use of digital applications, cloud computing and third- and fourth-party providers that host and store customer, employee and operational information. Failures, service interruptions, breaches or attempted breaches in the security of these environments occur frequently across the financial services industry including at Fifth Third and its third- and fourth-party providers. If a material event of this nature occurred at Fifth Third or one of its third- or fourth-party providers, it could result in disruptions to Fifth Third's accounting, deposit, lending and other systems, and adversely affect its customer relationships. Fifth Third invests in information security, technical resiliency, business continuity and disaster recovery planning, and has policies and procedures designed to detect, limit, and prevent the impact of these possible events, and requires its third-party service providers to maintain similar controls. Despite this, there can be no assurance that any cyber-attacks, security breaches or system failures or interruptions will not occur or, if any do occur, that it can be remediated in such a way to eliminate the risk. Financial institutions are the targets of frequent efforts to breach systems, including through denial of service attacks, social engineering such as phishing and smishing, placement of insider threats, and ransomware, among others. Moreover, because the techniques used to cause such security breaches change frequently, may not be recognized until launched against a target and may originate from remote and less regulated areas around the world, Fifth Third may be unable to proactively address these techniques or to implement adequate preventative measures. The increasing interdependence and complexity of financial institutions and infrastructure also means a disruption, compromise or failure that affects one segment of the financial services industry could also impact Fifth Third. The prospect that AI may be used to conduct attacks may make them more difficult to detect. Additionally, the growing sophistication of AI increases the risk of cyber-attacks. Despite Fifth Third's efforts to prevent a cyber-attack, a successful cyber-attack could persist for an extended period before being detected and, following detection, it could take considerable time for Fifth Third to obtain full and reliable information about the cybersecurity incident and the extent, amount and type of information compromised. During an investigation, Fifth Third may not necessarily know the full effects of the incident or how to remediate it, and actions and decisions that are taken or made in an effort to mitigate risk may further increase the costs and other negative consequences of the incident. Additionally, Fifth Third uses third- and fourth-party providers to host data, products, services, systems or platforms for Fifth Third, or in some cases to provide services to Fifth Third domestically and internationally. Fifth Third has a third-party risk program to oversee third- and fourth-party providers. This does not eliminate all risk and its failure to do so could result in customer losses, operational issues, litigation, regulatory actions and reputational damage. Even with reasonable investment and diligence by Fifth Third, Fifth Third's ability to prevent cyber-attacks, security breaches or system failures or interruptions impacting its third- and fourth-party service providers may be limited. Financial services industry trends demonstrate a shift towards the use of cloud providers, Software as a Service partners and hosted platforms rather than traditional software services that can be operated from within a company's firewall and data centers. The risks relating to security and availability of Fifth Third's systems are further heightened through the increasing use of near real-time money movement solutions such as Zelle, and increase the difficulty to detect, prevent and recover fraudulent transactions. While controls are robust, the speed and automation of these systems introduce a risk of erroneous transactions that could result in financial loss. These additional risks are increasing the costs of Fifth Third's investment in technology and cybersecurity and require further investment in cyber-related and data loss event insurance which Fifth Third has in place. Though Fifth Third has insurance against some cybersecurity risks and attacks, it may not be sufficient to offset the impact of a material loss event; and, Fifth Third cannot guarantee that cybersecurity insurance policies will not deny coverage, or that existing insurance coverage will continue to be available on acceptable terms. Future investment in these areas could have higher than expected costs and/or result in operating inefficiencies, which could increase the costs associated with the implementation as well as ongoing operations. Further, clients and customers use their own devices to utilize mobile banking and online services. Not all of Fifth Third's clients, customers or counterparties have appropriate controls in place to protect information exchanged between them and Fifth Third. This may create new security risks and increase the likelihood of security incidents impacting customers' information. Customers' information may not always be protected by third-party applications or other third-party technology used in connection with such services. This can result and has resulted in fraud. A security breach impacting systems operated by or on behalf of Fifth Third, or the loss or corruption of confidential information such as customer data, business results, and transaction records could adversely impact Fifth Third in numerous material ways, including by requiring public notification about the incident, causing financial losses, impacting Fifth Third's ability to provide timely and accurate financial information in compliance with legal and regulatory requirements, all of which could result in regulatory sanctions, litigation, reputational harm, monetary loss and the loss of customer confidence in Fifth Third. Additionally, security breaches involving the loss, mishandling, theft or corruption of customer or client information could result in adverse consequences including financial losses to Fifth Third's customers, litigation, regulatory sanctions, lost customers and revenue, increased costs and reputational harm. For more detail on Fifth Third's cybersecurity governance structure and practices, see Item 1C of this Annual Report.

Fifth Third's ability to deliver strong financial performance and returns on investment to shareholders will depend in part on its ability to expand the scope of available financial services to meet the needs and demands of its customers. In addition to the challenge of competing against other banks in attracting and retaining customers for traditional banking services, Fifth Third's competitors also include securities dealers, brokers, mortgage bankers, investment advisors, specialty finance, private credit, financial technology and insurance companies as well as large retailers who seek to offer one-stop financial services in addition to other products and services desired by consumers that may include services that banks have not been able or allowed to offer to their customers in the past or may not be currently able or allowed to offer. These other firms may be significantly different than Fifth Third. For example, they may be larger and have access to customers and financial resources that are beyond Fifth Third's capability or they may be non-regulated allowing them to be more agile. Fifth Third competes with these firms with respect to capital, access to capital, revenue generation, products, services, transaction execution, innovation,reputation, talent and price. For example, as a result of the GENIUS Act, passed in 2025 to provide a regulatory framework for stablecoins in the U.S., increased competition may emerge from issuers of stablecoins and providers of related technology. Fifth Third may make strategic investments and may expand an existing line of business or enter into new lines of business to remain competitive. If Fifth Third's chosen strategies are not successful or effective, Fifth Third's business and results may suffer. Additionally, these strategies may bring with them unforeseeable or unforeseen risks and may not generate the expected results or returns, which could adversely affect Fifth Third's results of operations or future growth prospects and cause Fifth Third to fail to meet its stated goals and expectations.

With the launch of real-time payments networks, such as RTP from The Clearing House and FedNow from the Federal Reserve, instantaneous cash settlement capabilities are available 24 hours a day and 7 days a week. The implications of the new settlement capabilities are far reaching and have not yet significantly affected the banking industry. As market adoption increases, Fifth Third may be required to hold more liquidity reserves in cash to facilitate cash settlement activity outside of traditional business hours. Additionally, instantaneous settlement will likely reduce float benefits associated with providing deposit and banking services, as well as pose incremental fraud risk due to a reduced ability to reverse fraudulent transactions due to the speed of money movement.

Fifth Third's actual or alleged conduct in activities, such as certain sales and lending practices, data security, operational resiliency, governance, acquisitions, employee misconduct, service quality, or associations with certain customers, business partners, investments or vendors, as well as developments from any of the other risks described above, may damage Fifth Third's reputation and generate negative public opinion. Since Fifth Third conducts most of its operations under the Fifth Third brand, reputational damage in one area can affect others. Regulatory actions, activist campaigns and community responses may also damage Fifth Third's reputation. While traditional media once dominated public perception, social media now facilitates the rapid dissemination of information or misinformation. Though Fifth Third monitors social media channels, harmful content can still circulate widely that could damage Fifth Third's reputation. Negative perception may adversely affect Fifth Third's ability to attract and keep customers, increase litigation and regulatory action and raise the chance of accelerated deposits withdrawals.

Fifth Third's success depends, in large part, on its ability to attract and retain key individuals. Competition for qualified candidates is intense, which may increase Fifth Third's expenses and may result in Fifth Third not being able to hire candidates or retain them. If Fifth Third is not able to hire qualified candidates or retain its key personnel, Fifth Third may be unable to execute its business strategies and may suffer adverse consequences to its business, financial condition and results of operations. Compensation paid by financial institutions such as Fifth Third is heavily regulated, particularly under Dodd-Frank, which affects the amount and form of compensation Fifth Third pays to hire and retain talented employees. If Fifth Third is unable to attract and retain qualified employees, or do so at rates necessary to maintain its competitive position, or if compensation costs required to attract and retain employees become more expensive, Fifth Third's performance, including its competitive position, could be materially adversely affected.

The DIF is funded by fees assessed on insured depository institutions including the Bank. Future deposit premiums paid by the Bank depend on FDIC rules, which are subject to change, the level of the DIF and the magnitude and cost of future bank failures. The FDIC may further increase the assessment rates or impose additional special assessments in the future, which may require the Bank to pay significantly higher FDIC premiums.