The Bank Secrecy Act and the Patriot Act contain anti-money laundering and financial transparency provisions intended to detect and prevent the use of the U.S. financial system for money laundering and terrorist financing activities. The Bank Secrecy Act, as amended by the Patriot Act, requires depository institutions and their holding companies to undertake activities including maintaining an anti-money laundering program, verifying the identity of clients, monitoring for and reporting suspicious transactions, reporting on cash transactions exceeding specified thresholds, and responding to requests for information by regulatory authorities and law enforcement agencies. FinCEN, a unit of the Treasury Department that administers the Bank Secrecy Act, is authorized to impose significant civil money penalties for violations of those requirements and has recently engaged in coordinated enforcement efforts with the federal bank regulatory agencies, as well as the United States Department of Justice, Drug Enforcement Administration, and IRS. There is also increased scrutiny of compliance with the rules enforced by the OFAC. If our policies, procedures, and systems are deemed deficient or the policies, procedures, and systems of the financial institutions that we have already acquired or may acquire in the future are deficient, we would be subject to liability, including fines and regulatory actions such as restrictions on our ability to pay dividends and the necessity to obtain regulatory approvals to proceed with certain planned business activities, including acquisition plans, which would negatively impact our business, financial condition, and results of operations. Failure to maintain and implement adequate programs to combat money laundering and terrorist financing could also have serious reputational consequences for us. For more information regarding the Bank Secrecy Act, Patriot Act, anti-money laundering requirements and OFAC-administered sanctions, refer to Item 1: Business - “Regulatory Matters”.

There is an increasing concern over the risks of climate change and related environmental sustainability matters. The physical risks of climate change include discrete events, such as flooding and wildfires, and longer-term shifts in climate patterns, such as extreme heat, sea level rise, and more frequent and prolonged drought. Under medium or longer-term scenarios, such events, if uninterrupted or unaddressed, could disrupt our operations or those of our customers or third parties on which we rely, including through direct damage to assets and indirect impacts from supply chain disruption and market volatility. Additionally, transitioning to a low-carbon economy may entail extensive policy, legal, technology and market initiatives. Transition risks, including changes in consumer preferences and additional regulatory requirements or supervisory expectations or taxes, could increase our expenses and undermine our strategies. In addition, our reputation and client relationships may be damaged as a result of our practices related to climate change, including our involvement, or our customers’ involvement, in certain industries or projects, in the absence of mitigation and/or transition measures, associated with causing or exacerbating climate change, as well as any decisions we make to continue to conduct or change our activities in response to considerations relating to climate change. As climate risk is interconnected with all key risk types, we have developed and continue to enhance processes to embed climate risk considerations into our risk management strategies established for risks such as market, credit and operational risks; however, because the timing and severity of climate change may not be predictable, our risk management strategies may not be effective in mitigating climate risk exposure.

We are subject to intense competition from both other financial institutions and from non-bank entities, including FinTech companies. Technology has lowered the barriers to entry, with customers having a growing variety of traditional and nontraditional alternatives, including crowdfunding, digital wallets and money transfer services. The continuous widespread adoption of new technologies, including internet services and mobile applications, and advanced ATM functionality, is influencing how individuals and firms conduct their financial affairs and is changing the delivery channels for financial services. Our “People-First, Digitally-Powered” strategic plan considers the implications of these changes in technology. Additionally, these changes require us to adapt our product and services, as well as our distribution of them, to evolving industry standards and customer preferences. Failure to address competitive pressures could make it more difficult for us to attract and retain customers across our businesses. Our success depends, in part, on our ability to successfully implement our strategic plan as well as adapt existing products and services and develop competitive new products and services demanded by our customers. The widespread adoption of technologies will continue to require substantial investments to modify or adapt existing products and services and to develop new product or services. Additionally, we may not be successful in executing our strategic plan, introducing new products or services, achieving market acceptance of new product or services, anticipating or reacting to customers changing preferences or attracting and retaining loyal customers.

Our computer systems and network infrastructure and those of third parties, on which we are highly dependent, are subject to security risks and could be susceptible to cyber-attacks, such as denial of service attacks, hacking, terrorist activities, or identity theft. Our business relies on the secure processing, transmission, storage, and retrieval of confidential, proprietary, and other information in our computer and data management systems and networks, and in the computer and data management systems and networks of third parties. In addition, to access our network, products, and services, our customers and other third parties may use personal mobile devices or computing devices that are outside of our network environment and are subject to their own cybersecurity risks. We, our customers, regulators, and other third parties, including other financial services institutions and companies engaged in data processing, have been subject to, and are likely to continue to be the target of, cyber-attacks. These cyber-attacks include computer viruses, malicious or destructive code, phishing attacks, denial of service or information, ransomware, improper access by employees or vendors, attacks on personal email of employees, ransom demands to not expose security vulnerabilities in our systems or the systems of third parties or other security breaches that could result in the unauthorized release, gathering, monitoring, misuse, loss, or destruction of confidential, proprietary, and other information of ours, our employees, our customers, or of third parties, damage our systems or otherwise materially disrupt our or our customers’ or other third parties’ network access or business operations. As cyber-threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities or incidents. Despite efforts to ensure the integrity of our systems and implement controls, processes, policies, and other protective measures, we may not be able to anticipate all security breaches, nor may we be able to implement sufficient preventive measures against such security breaches, which may result in material losses or consequences for us. Cybersecurity risks for banking organizations have significantly increased in recent years in part because of the proliferation of new technologies, and the use of the internet and telecommunications technologies to conduct financial transactions. For example, cybersecurity risks may increase in the future as we continue to increase our mobile-payment and other internet-based product offerings and expand our internal usage of web-based products and applications. In addition, cybersecurity risks have significantly increased in recent years in part due to the increased sophistication and activities of organized crime affiliates, terrorist organizations, hostile foreign governments, disgruntled employees or vendors, activists, and other external parties, including those involved in corporate espionage. Even the most advanced internal control environment may be vulnerable to compromise. Due to increasing geopolitical tensions, nation state cyber-attacks and ransomware are both increasing in sophistication and prevalence. Targeted social engineering and email attacks (i.e. “spear phishing” attacks) are becoming more sophisticated and are extremely difficult to prevent. In such an attack, an attacker will attempt to fraudulently induce colleagues, customers, or other users of our systems to disclose sensitive information in order to gain access to our data or that of our clients. Persistent attackers may succeed in penetrating defenses given enough resources, time, and motive. The techniques used by cyber criminals change frequently, may not be recognized until launched, and may not be recognized until well after a breach has occurred. The speed at which new vulnerabilities are discovered and exploited often before security patches are published continues to rise. Remote work further increases the risk that we may experience cyber incidents as a result of our employees, vendors, and other third parties with which we interact working remotely on less secure systems and environments. The risk of a security breach caused by a cyber-attack at a vendor or by unauthorized vendor access has also increased in recent years. Additionally, the existence of cyber-attacks or security breaches at third-party vendors with access to our data may not be disclosed to us in a timely manner. Further, our ability to monitor our vendors’ cybersecurity practices is limited. Although we generally have agreements relating to cybersecurity and data privacy in place with our vendors, we cannot guarantee that such agreements will prevent a cyber-incident impacting our systems or information or enable us to obtain adequate or any reimbursement from our service providers in the event we should suffer any such incidents. Due to applicable laws and regulations or contractual obligations, we may be held responsible for cyber-incidents attributed to our vendors as they relate to the information we share with them. We also face indirect technology, cybersecurity, and operational risks relating to the customers, clients, and other third parties with whom we do business or upon whom we rely to facilitate or enable our business activities, including, for example, financial counterparties, regulators, and providers of critical infrastructure such as internet access and electrical power. As a result of increasing consolidation, interdependence, and complexity of financial entities and technology systems, a technology failure, cyber-attack, or other information or security breach that significantly degrades, deletes, or compromises the systems or data of one or more financial entities could have a material impact on counterparties or other market participants, including us. This consolidation, interconnectivity, and complexity increases the risk of operational failure. Any third-party technology failure, cyber-attack, or other information or security breach, termination, or constraint could, among other things, adversely affect our ability to effect transactions, service our clients, manage our exposure to risk, or expand our business. Cyber-attacks or other information or security breaches, whether directed at us or third parties, may result in a material loss or have material consequences. Furthermore, the public perception that a cyber-attack on our systems has been successful, whether or not this perception is correct, may damage our reputation with customers and third parties with whom we do business. Hacking of personal information and identity theft risks, in particular, could cause serious reputational harm. A successful penetration or circumvention of system security could cause us serious negative consequences, including our loss of customers and business opportunities, costs associated with maintaining business relationships after an attack or breach; significant business disruption to our operations and business, misappropriation, exposure, or destruction of our confidential information, intellectual property, funds, and/or those of our customers; or damage to our or our customers’ and/or third parties’ computers or systems, and could result in a violation of applicable privacy laws and other laws, litigation exposure, regulatory fines, penalties or intervention, loss of confidence in our security measures, reputational damage, reimbursement or other compensatory costs, additional compliance costs, and could adversely impact our results of operations, liquidity and financial condition. In addition, we may not have adequate insurance coverage to compensate for losses from a cybersecurity event.