PNC Financial (PNC) Risk Analysis

In some cases, we develop internally the intellectual property embedded in the technology we use. In others, we or our vendors license the use of intellectual property from others. Where we rely on access to third-party intellectual property, whether now or in the future, it may not be available to us on commercially reasonable terms or at all. If we fail to comply with any applicable obligations under our license agreements, or another person or entity were deemed to own intellectual property rights infringed, misappropriated or otherwise violated by our activities, we could be responsible for significant damages covering past activities and substantial fees to continue to engage in these types of activities. Our third-party licensors may also have the right to terminate the license, which may cause us to lose valuable rights, and could disrupt our operations. It also is possible that we could be prevented from using technology important to our business for at least some period of time. In such circumstances, there may be no alternative technology for us to use or it might be expensive to obtain. We could also suffer significant reputational damage in these circumstances. Protections offered by those from whom we license technology against these risks may be inadequate to cover any losses in full, and the measures we take to obtain, enforce and defend our intellectual property rights may not be successful in every jurisdiction or prevent infringement, misappropriation or other violation of our intellectual property rights. Over time, there have been and continue to be instances where technology used by PNC has been alleged to have infringed, misappropriated or otherwise violated intellectual property rights held by others, and, in some cases, we have suffered related losses. In certain situations, we may be compelled to engage in intellectual property-related litigation to enforce or defend our intellectual property rights, which may incur significant expenses and may be perceived negatively by customers or industry peers.

Most corporate and commercial financial transactions are now handled electronically, and our customers increasingly use online access as well as mobile and cloud technologies to access our products and services. The ability to conduct business with us in this manner depends on the gathering, maintenance, use, transmission and other processing of vast amounts of digital information in electronic form. As a result, in the ordinary course of business, we gather, maintain, use, transmit and otherwise process vast amounts of digital information about us, our customers and our employees. This information tends to be confidential or proprietary and much of it is highly sensitive and personal. Such confidential, proprietary, sensitive and personal information includes information sufficient to support identity theft and includes personal health information, as well as information regarding business plans and financial performance that has not been made public. As a result, efforts by bad actors to engage in various types of cyber attacks and breaches, including by way of computer viruses, hacking, ransomware and other malware, denial of service attacks, credential staffing, phishing, social engineering, account takeovers, insider threats and supply chain attacks pose serious risks to our business and reputation. We are faced with ongoing, nearly continual, efforts by others to breach data security at financial institutions or with respect to financial transactions. The effectiveness of these efforts may be enhanced using AI. These efforts may be to obtain access to confidential information, often with the intent of stealing from or defrauding us or our customers, or to disrupt our ability to conduct our business, including by destroying or impairing access to information gathered, maintained, used, transmitted or otherwise processed by us. Some of these involve efforts to enter our technology directly by going through or around our security protections. Others involve the use of social engineering schemes to gain access to confidential information from our employees, customers or vendors. The modernization of the payment systems, including near real-time movement solutions, increases the complexity of preventing and detecting these attacks and recovering fraudulent transactions. Our risk and exposure to cyber attacks and breaches is heightened because of our expanded digital products and services, geographic footprint and dispersed workforce, which results in more access points to our network. The same risks are presented by attacks potentially affecting information held by third parties on our behalf or accessed by third parties, including those offering financial applications, on behalf of our customers. These risks also arise when third parties with whom we do business, or their vendors or other entities with whom they do business, are themselves subject to cyber attacks and breaches, which has impacted our business and may do so in the future. Our ability to protect confidential information is even more limited with respect to such information gathered, maintained, used, transmitted or otherwise processed by these parties. For example, we are likely to be limited in our ability to identify and quickly resolve cyber attacks and breaches that may impact our business the further removed an entity is from our business, such as when a cyber attack or other data security breach occurs at vendors of our vendors. We may suffer reputational damage or legal liability for unauthorized access to customer information gathered, maintained, used, transmitted or otherwise processed by other parties, even if we were not responsible for preventing such access and had no reasonable way of preventing it. Our customers often use their own devices, such as computers, smartphones and tablets, to do business with us and may provide their customer information (including passwords and other confidential information) to a third party in connection with obtaining services from that third party, including those offering financial applications. Although we take steps to provide safety and security for our customers' transactions with us and their customer information, to the extent they utilize their own devices or provide third parties access to their accounts, our ability to assure such safety and security is necessarily limited. These risks are heightened as we and others continue to expand mobile applications, cloud solutions and other internet-based financial product offerings. For example, a number of our customers use financial applications to help manage their finances and investments, including through the aggregation of banking or other financial information that may require our customer to provide their secure banking credentials or account-identifying information to the financial application to aggregate this financial data. In some instances, third-party data aggregators are used by the financial application to access customers' accounts and obtain the customers' data and may be obtaining secure banking credentials or account-identifying information from our customers which has the potential to facilitate fraud if it is not properly protected. This has resulted in incidences of fraud, including automated clearing house fraud, credit card fraud and wire fraud, enabled through the use of synthetic identities and through account takeovers via these platforms. In addition, transactions by customers on financial applications that facilitate payments and fund transfers have also been fraudulently induced. These transactions occur when a customer authorizes payment to a recipient that fraudulently induced the customer into transferring a payment to such recipient. PNC has and may continue to face increased financial exposure due to activity associated with the increased use of these applications and data aggregators. Even where PNC does not have financial exposure for losses, PNC and the third parties with whom we do business could suffer increased reputational harm or regulatory scrutiny when such losses occur. As our customers regularly use PNC-issued credit and debit cards to pay for transactions with retailers and other businesses, there is also the risk of cyber attacks and other data security breaches at those other businesses covering PNC account information. When our customers use PNC-issued cards to make purchases from those businesses, card account information often is provided to such businesses. If a business's systems that gather, maintain, use, transmit and otherwise process card account information are subject to a cyber attack or other data security breach, holders of our cards who have made purchases from that business may experience fraud on their card accounts. We can be responsible for reimbursing our customers for such fraudulent transactions on customers' card accounts, as well as for other costs related to cyber attacks and breaches, such as replacing cards associated with compromised card accounts. In addition, we provide card transaction processing services to some merchant customers under agreements we have with payment networks such as Visa and Mastercard. Under these agreements, we may be responsible for certain losses and penalties if one of our merchant customers suffers a cyber attack or other data security breach. Moreover, to the extent more confidential information becomes available to bad actors through the cumulative effect of cyber attacks breaches at companies generally, bad actors may find it easier to use such information to gain access to our customer accounts. Other cyber attacks and data security breaches are not focused on gaining access to credit card or user credential information, but instead seek access to a range of other types of confidential information, such as internal emails and other forms of customer financial information, and this information may be used to support a ransomware attack. Ransomware attacks have sought to deny access to data and possibly shut down systems and devices maintained by target companies. In a ransomware attack, system data is encrypted, stolen or extorted, or access is otherwise denied, accompanied by a demand for ransom to restore access to the data or to prevent public disclosure of confidential information. Cyber attacks and data security breaches have also been conducted through business email compromise scams that involve using social engineering to cause employees to wire funds to the perpetrators in the mistaken belief that the requests were made by a company executive or established vendor. These types of phishing attacks have increased over time, and they have evolved to include other types of attacks like vishing (through voice messages) and smishing (through SMS text). Other cyber attacks and data security breaches have included distributed denial of service attacks, in which individuals or organizations flood commercial websites with extraordinarily high volumes of traffic with the goal of disrupting the ability of commercial enterprises to process transactions and possibly making their websites unavailable to customers for extended periods of time. Similarly, cyber attacks and breaches have been conducted through application program interfaces where bad actors seek to exploit the interfaces between mobile or web applications. We (as well as other financial services companies) have been subject to such cyber attacks and breaches. Recent cyber attacks and breaches have also included the insertion of malware into software updates and the infection of software while it is under assembly, known as a "supply chain attack." Cyber attacks and breaches affecting our customers may put these relationships at risk, particularly if customers' ability to continue operations is impaired due to the losses suffered. The techniques used in cyber attacks and breaches change rapidly and are increasingly sophisticated, including through the use of generative AI and deepfakes, and we expect in the future through the use of quantum computing, and we may not be able to anticipate cyber attacks or other data security breaches. Additionally, cyber attacks and breaches in some cases appear to be supported by foreign governments or other well-financed entities and often originate from less regulated and remote areas of the world. We have seen a higher volume and complexity of attacks during times of increased geopolitical tensions. In addition to threats from external sources, insider threats represent a significant risk to us. Insiders, including those having legitimate access to our information, communications systems and other technology and the information contained therein, have the easiest opportunity to make inappropriate use of their access. Addressing that risk requires understanding not only how to protect us from unauthorized use and disclosure of data, but also how to engage behavioral analytics and other tools to identify potential internal threats before any damage is done. As more work is conducted outside of PNC's facilities, the risk of improper access to PNC's network or confidential information has increased, including for reasons such as a failure by an employee or contractor to secure a device with PNC access. Cyber attacks and breaches often are not recognized until launched against a target and may go undetected for a period of time (or remain undetected), with the adverse consequences likely greater the longer it takes to discover the problem. As a result, we may be unable to implement adequate preventative measures to address these methods in advance of such cyber attacks and breaches. We have been and expect to continue to be the target of some of these types of cyber attacks and breaches. To date, none of these types of cyber attacks or other data security breaches has had a material impact on us. Nonetheless, we cannot entirely block efforts by bad actors to harm us, and there can be no assurance that future cyber attacks or other data security breaches will not be material. Attacks on others, some of which have led to serious adverse consequences, demonstrate the risks posed by new and evolving types of cyber attacks and breaches.

Many aspects of our business involve substantial risk of legal liability. We have been named or threatened to be named as defendants in various lawsuits arising from our business activities. In addition, we are regularly the subject of governmental investigations and other forms of regulatory inquiry. We also are at risk when we have agreed to indemnify others for losses related to legal proceedings they face, such as in connection with the sale of a business or assets by us. The results of these legal proceedings could lead to significant monetary damages or penalties, restrictions on the way in which we conduct our business or reputational harm. Although we establish accruals for legal proceedings when information related to the loss contingencies represented by those matters indicates both that a loss is probable and that the amount of loss can be reasonably estimated, we do not have accruals for all legal proceedings where we face a risk of loss. In addition, due to the inherent subjectivity of the assessments and unpredictability of the outcome of legal proceedings, amounts accrued often do not represent the ultimate loss to us from the legal proceedings in question. Thus, our ultimate future losses may be higher, and possibly significantly so, than the amounts accrued for legal loss contingencies. We discuss further the unpredictability of legal proceedings and describe certain of our pending legal proceedings in Note 20 Legal Proceedings.

Legislative and regulatory efforts to protect the privacy and enhance the portability of personal data have evolved over time. Individuals whose personal information may be protected by law may include our customers, prospective customers, job applicants, employees and third parties. These initiatives, among other things, limit how companies can gather, maintain, use, transmit and otherwise process personal data and impose obligations on companies in their management of such data, including requiring companies like PNC to make available to consumers and authorized third parties certain data relating to transactions and accounts and establishing obligations for accessing such data. Financial services companies such as PNC necessarily gather, maintain, use, transmit and otherwise process a significant amount of personal data. These types of initiatives increase compliance complexity and related costs, may result in significant financial penalties for compliance failures, and may limit our ability to develop new products or respond to technological changes. This is particularly true as we expand our business and operations into new markets. Also, we are, or may become, subject to evolving and developing data privacy and security laws and regulations in other jurisdictions, including foreign jurisdictions even where our presence in such jurisdictions is minimal. Such legal and regulatory requirements also could heighten the reputational impact of actual or perceived misuses of personal data by us, our vendors or others who gain unauthorized access to our personal data. Other jurisdictions may adopt similar requirements that impose different and potentially inconsistent compliance burdens. The impacts will be greater to the extent requirements vary across jurisdictions.

We are subject to intense competition both from other financial institutions and from non-bank entities, including financial technology companies (often referred to as "fintech"). In many cases, non-bank entities can engage in many activities similar to ours or offer products and services desirable to our customers without being subject to the same types of regulation, supervision and restrictions that are applicable to banks, which could place us at a competitive disadvantage. Developments in the regulatory landscape relating to emerging financial technologies, including with respect to payment services and systems, lending, digital wallets, non-fungible tokens and digital currencies and cryptocurrencies (including stablecoins), may affect our customers' needs and expectations for products and services. New technologies have required and could require us to spend more to modify or adapt our products and services to attract and retain customers or to match products and services offered by competitors, including fintech companies. The failure of PNC to develop and market products and services that meet evolving customer needs or demands, or deliver them effectively and securely to our customers, or a decision not to offer a particular product or service because we deem it to be speculative or risky, could affect PNC's ability to attract or retain customers. Any such impact could, in turn, reduce PNC's revenues. The competition we face is described in Item 1 of this Report under "Competition." Consolidation in our industry, including among smaller banks combining to form more competitive larger ones and between banks and non-bank entities, could result in PNC facing more intense competition, particularly in impacted regions or with respect to particular products. As we expand into new markets, we may face competitors with more experience and established relationships in these markets, which could adversely affect our ability to compete. A failure to adequately address the competitive pressures we face could make it harder for us to attract and retain customers across our businesses. On the other hand, meeting these competitive pressures could require us to incur significant additional expense or to accept risk beyond what we would otherwise view as desirable under the circumstances. In addition, in our interest rate sensitive businesses, competitive pressures to increase rates on deposits or decrease rates on loans could reduce our net interest margin, negatively impacting our net interest income.

Our ability to compete effectively, to attract and retain customers and employees, and to grow our business is dependent on maintaining our reputation and having the trust of our customers, employees, the communities that we serve and other stakeholders. Many types of developments, if publicized, can negatively impact a company's reputation with adverse consequences to its business. Financial services companies are highly vulnerable to reputational damage when they are found to have harmed customers, particularly retail customers, through conduct that is seen as illegal, unfair, deceptive, abusive, manipulative or otherwise wrongful. There also may be reputational damage from human error or systems failures viewed as having harmed customers without involving misconduct, including service disruptions or negative perceptions regarding our ability to maintain the security of our technology systems and protect client data. For example, we may suffer reputational harm to the extent that we are unable to successfully detect, prevent and remedy fraud that harms our clients. Our reputation may also be harmed by failing to deliver products and services of the quality expected by our customers and support the communities that we serve. Significant acquisitions by large banks also often attract public scrutiny, which may result in negative publicity that adversely affects our reputation if we engage in such transactions. We are also subject to the risk of reputational harm resulting from conduct of persons identified as our employees but acting outside of the scope of their employment, including through their misconduct, unethical behavior, or activities on personal social media. The reputational impact is likely greater to the extent that the bad conduct, errors or failures are pervasive, long-standing or affect a significant number of customers, particularly retail consumers. The negative impact of such reputational damage on our business may be disproportionate to the actual harm caused to customers. It may be severe even if we fully remediate any harm suffered by our customers. Furthermore, because we conduct most of our businesses under the "PNC" brand, negative public opinion about one business could also affect our other businesses. In addition, we could suffer reputational harm and a loss of customer trust as a result of the conduct of others in our industry even if we have not engaged in such conduct. We use third parties to help in many aspects of our business, with the risk that their conduct can affect our reputation regardless of the degree to which we are responsible for it. The speed with which information spreads through social media and other news sources on the internet means that negative information about PNC can rapidly have a broadly adverse impact on our reputation. This applies regardless of whether or not the information is accurate. False information can also be spread from unaffiliated or parody social media accounts pretending to be official company communications channels. Once information has gone viral, it can be difficult to counter it effectively, either by correcting inaccuracies or communicating remedial steps taken for actual issues. The potential impact of negative information going viral means that material reputational harm can result from a single discrete or isolated incident. To an increasing extent, financial services companies, including PNC, are facing criticism with accompanying reputational risk from activists, investors and stakeholders who believe companies should be focusing more or less on environmental, social and governance matters. Companies in our industry are targeted for engaging in business with specific customers or with customers in particular industries, where the customers' activities, even if legal, are perceived as having harmful impacts on matters such as the environment, consumer health and safety, or society at large. At the same time, financial services firms are also facing criticism and reputational harm if they are perceived as declining to provide, ceasing to provide, or otherwise restricting, banking and other services to businesses engaged in lawful activities or individuals due to their political or social viewpoints. These matters can incur legal and regulatory risk, which is discussed further in the Risk Factor headed "We are at risk for the impact of adverse results in legal proceedings." In addition, some stakeholders are seeking increased transparency and action from financial services companies with respect to environmental, social and governance activities, political activities and activities that are or may be perceived to be politically partisan in nature. Criticism has come in many forms, including protests at PNC facilities and social media campaigns. In some circumstances, our stakeholders have held and continue to hold conflicting views on the role PNC and other financial services companies should play in continuing to or refraining from financing certain sectors. In some cases, we are subject to potentially conflicting proposed and enacted state and local laws affecting our industry that regulate the manner in which or whether we may finance or service certain clients, industries or sectors. The potential for conflict may increase in instances where federal law is silent or is found not to preempt state law. Many of these issues are divisive without broad agreement as to the appropriate steps a company such as PNC should take. As a result, however we respond to such criticism, we expose ourselves to the risks that current or potential customers decline to do business with us (or encourage others to do so) or current or potential employees refuse to work for us. This can be true regardless of whether we are perceived by some as not having done enough to address these concerns or by others as having inappropriately yielded to these pressures. These pressures can also be a factor in decisions as to which business opportunities and customers we pursue, potentially resulting in foregone profit opportunities.

Our use of third parties to support our business needs typically means that we do not directly control the activities we are having them perform. Any disruption in services provided by these third parties could adversely affect our ability to conduct our business. Replacing third parties could also entail significant delay and expense. Risks can arise through inadequate performance by a third party (including by its downstream service providers), specifically where that performance could affect us or our customers, and even when the result of factors or events are beyond such third party's control. Many of the kinds of risks presented by activities performed by third parties are described elsewhere in these Risk Factors. Enhanced regulatory and other standards for the oversight of our use of third-party vendors and other service providers can result in higher costs and other potential exposures. We are also vulnerable, including to regulatory penalties, if an outside company fails to comply with legal requirements relevant to its work on our behalf. We may in any such circumstance suffer financial losses, legal consequences and injury to our reputation. Even if the other company makes us whole for financial losses, which is not necessarily the case, it is unlikely that it would be able to restore any injury to our reputation. As a result, the use of third parties to assist in our business activities heightens the risks to us inherent in those activities.

Our business and overall financial performance are affected to a significant extent by economic conditions, primarily in the U.S. Declining or adverse economic conditions and adverse changes in investor, consumer and business sentiment generally result in reduced business activity, which may decrease the demand for our products and services or reduce the number of creditworthy borrowers. The ability of borrowers to repay loans is often weakened as a result of economic downturns, higher inflation and unemployment. In addition, adverse economic conditions may limit the availability of, or increase the costs of, capital and labor, erode customer purchasing power, confidence and spending and may also reduce our tolerance for extending credit. Increases in costs or expenses impacting our customers' operations and financial performance, such as the interest rates payable on their debt obligations, could increase our credit risk or decrease the demand for our products and services. We operate in an uncertain economic environment due to sustained inflationary pressures, including higher prices and lower housing affordability, and fluctuating trade policies (including tariffs), combined with geopolitical tensions. These conditions have led and may continue to lead to turmoil and volatility in financial markets, often with at least some financial asset categories losing value. Financial market volatility could also result from uncertainty about the timing and extent of rate cuts by the Federal Reserve. Any of these effects would likely have an adverse impact on our operations and financial performance, with the significance of the impact generally depending on the nature and severity of the adverse economic conditions. Even when economic conditions are relatively good or stable, specific economic factors can negatively affect our business and performance. This can be especially true when the factors relate to particular segments of the economy and impact our customers whose operations or financial conditions directly or indirectly depend on good or stable conditions in those segments. For example, underutilization of commercial real estate space, combined with higher interest rates, has harmed some customers' creditworthiness and ability to refinance maturing loans, and decreased the demand for financial services in that sector. Our foreign business activities and operations continue to be a relatively small part of our overall business. As a result, the direct impact on our business and financial performance from economic conditions outside the U.S. is not likely to be significant, although the impact would increase if we expanded our foreign business and operations more than nominally. We are, however, susceptible to the risk that foreign economic conditions, trade policies (including tariffs) and geopolitical tensions could negatively affect our business and financial performance. Primarily, this risk results from the possibility that poor economic conditions or financial market disruptions affecting other major economies would also affect the U.S.