F.N.B. (FNB) Risk Analysis

We are subject to legislative tax rate changes that could increase our effective tax rates. Depending on enactment dates, these law changes may be retroactive to previous periods which could negatively affect our current and future financial performance. Our future effective tax rates could be affected by additional changes in the federal tax rates and in tax rates in jurisdictions where our income is earned, by changes in or our interpretation of tax rules and regulations in the jurisdictions in which we do business, by unexpected negative changes in business and market conditions that could reduce certain tax benefits, or by changes in the valuation of our DTAs and DTLs. Changes in statutory tax rates or DTAs and DTLs may adversely affect our profitability and results of operations in future periods.

The economy of the markets in our footprint is affected, from time to time, by adverse weather events and other disruptions, including as a result of public health issues. We cannot predict whether, or to what extent, damage caused by future weather conditions or other disruptions will affect our operations, customers or the economies in our markets. Weather events could cause a disruption in our day-to-day business activities in branches within our markets, a decline in loan originations, destruction or decline in the value of properties securing our loans, or an increase in the risks of delinquencies, foreclosures, and loan losses. Even if a weather event does not cause any physical damage in our markets, it could affect the market value of property within our footprint.

The banking and financial services industry continually undergoes technological changes, with frequent introductions of new technology-driven products and services, including recent and rapid developments in AI. The effective use of technology increases efficiency and enables financial institutions to better compete for and serve customers and reduce costs. Our future success will depend, in part, on our ability to conveniently address customer needs by using secure technology to provide products and services that will satisfy customer demands, as well as create additional efficiencies in our operations. Many of our larger competitors have greater resources to invest in technological improvements, and we may not effectively implement new technology-driven products and services or do so as quickly as our competitors. Failure to successfully keep pace with technological change affecting the banking and financial services industry could negatively affect our revenue and profitability. In addition, transactions utilizing digital assets, including cryptocurrencies, stablecoins and other similar assets, have increased over the course of the last several years. Certain characteristics of digital asset transactions, including their speed and anonymity are appealing to certain consumers notwithstanding the various risks posed by such transactions. Accordingly, digital asset service providers - which, at present are not subject to the same extensive regulation as banking organizations and other financial institutions - have become active competitors for our customers' banking business. The process of eliminating banks as intermediaries, known as "disintermediation," could result in the loss of fee income, as well as the loss of customer deposits and the related income generated from those deposits. On July 18, 2025, the Guiding and Establishing National Innovation for U.S. Stablecoins Act, or the "GENIUS Act," was signed into U.S. law, establishing a federal licensing and supervisory framework for payment stablecoins and their issuers. Compliance with these requirements involves maintaining adequate asset reserves, extensive reporting obligations, independent audits, and increased supervisory oversight. The GENIUS Act may accelerate and increase the competition that non-traditional financial institutions pose to banks' payment services, but may also create opportunities for banks to hold stablecoin reserve assets, custody stablecoins, or issue stablecoins. Any potential involvement in issuing or supporting payment stablecoins could expose us to regulatory compliance risks, increased operational costs, and evolving legal uncertainties.

As part of our business, we collect, process and retain sensitive and confidential client and customer information in both paper and electronic form and rely heavily on communications and information systems for these functions. This information includes non-public, personally-identifiable information that is protected under applicable federal and state laws and regulations. Additionally, certain of these data processing functions are not handled by us directly, but are outsourced to third-party providers. We have experienced cyber-attacks in the past, none of which have had a material impact on our business or operations, and expect to continue to be the target of cyber-attacks. Our current facilities and systems, as well as those of our third-party service providers, may be vulnerable to security breaches, acts of vandalism and other physical security threats, computer viruses or compromises, ransomware attacks, social engineering attacks, misplaced or lost data, programming and/or human errors or other similar events, any of which could be enhanced or facilitated by AI. While we have policies, procedures and practices designed to prevent or limit the effect of the failure, interruption, or security breach of our communications and information systems, we cannot ensure that any such failures, interruptions, or security breaches will not occur or, if they do occur, that they will be adequately addressed. Any security breach involving the misappropriation, loss or other unauthorized disclosure of our confidential business, employee or customer information, whether originating with us, our vendors or retail businesses, could severely damage our reputation, expose us to the risks of civil litigation and liability, require the payment of regulatory fines or penalties or undertaking of costly remediation efforts with respect to third parties affected by a security breach, disrupt our operations, and have a material adverse effect on our business, financial condition and results of operations. The cost of our day-to-day cybersecurity monitoring and protection systems and controls may increase over time. We may also need to expend substantial resources to comply with the data security breach notification requirements adopted by banking regulators and the states, which have varying levels of individual, consumer, regulatory or law enforcement notification and remediation requirements in certain circumstances in the event of a security breach. Cybersecurity risks continue to grow and, as a result, the cyber-resilience of banking organizations is of increased importance to federal and state banking agencies and other regulators. New or revised laws and regulations may significantly impact our current and planned privacy, data protection and information security-related practices, the collection, use, sharing, retention and safeguarding of consumer and employee information, and current or planned business activities. Compliance with current, proposed, or future privacy, data protection and information security laws to which we are subject could result in higher compliance and technology costs and could restrict our ability to provide certain products and services, which could materially and adversely affect our profitability. As technology advances, the ability and speed to initiate transactions and access data has also become more widely distributed among mobile devices, personal computers, automated teller machines, remote deposit capture sites and similar access points, some of which are not controlled or secured by us. It is possible that we could have exposure to liability and suffer losses as a result of a security breach or cyber-attack that occurred through systems that are not controlled by us. Although we maintain specific "cyber" insurance coverage, the amount or form of coverage may not be adequate in any particular case. As cyber threats continue to evolve and increase, we may be required to spend significant additional resources to continue to modify or enhance our protective and preventative measures or to investigate and remediate any information security vulnerabilities.

Our continued success and future growth depend heavily on our ability to attract and retain highly skilled and motivated banking professionals. We compete against many institutions with greater financial resources both within our industry and in other industries to attract these qualified individuals. Our failure to recruit and retain adequate talent could reduce our ability to compete successfully and adversely affect our business and profitability.

The losses incurred by the DIF in connection with the resolution of large bank failures are required by law to be recovered through one or more special assessments on depository institutions and, potentially, their holding companies if the FDIC determines such action to be appropriate and the Secretary of the UST concurs with the FDIC's determination. For example, special assessments were imposed in connection with the failures of SIVB and SBNY. FNBPA recognized and expensed an initial special assessment of $29.9 million and $5.2 million in 2023 and 2024, respectively. On December 16, 2025, the FDIC indicated that the special assessment would be fully recovered in the eighth assessment quarter and issued an interim final rule amending the special assessment to reduce the special assessment rate for the eighth and final collection quarter, resulting in a $5.6 million reduction to the FDIC special assessment for FNBPA in 2025. Any additional increase in our assessment fees could have a materially adverse effect on our results of operations and financial condition.

Our brand and our reputation are our key assets. Our ability to attract and retain banking, insurance, wealth management and corporate clients and employees is highly dependent upon external perceptions of our culture, level of service, security, trustworthiness, business practices and financial condition. Negative perceptions or publicity regarding these matters could damage our reputation among existing customers and corporate clients and employees, which could make it difficult for us to attract new clients and employees and retain existing ones. Adverse developments with respect to our financial services activities, the financial services industry or sociopolitical events and circumstances may also, by association, negatively impact our reputation, or result in greater regulatory or legislative scrutiny or litigation against us. Although we monitor developments for areas of potential risk to our reputation and brand, negative perceptions or publicity could materially and adversely affect our revenues and profitability.