Banco Santander SA (SAN) Risk Analysis

As a financial institution, we are subject to extensive regulation, which materially affects our businesses. In Spain and the other jurisdictions where we operate, there is continuing political, competitive and regulatory scrutiny of the banking industry. Political involvement in the regulatory process, in the behaviour and governance of the banking sector and in the major financial institutions in which the local governments have a direct financial interest, and in their products and services and the prices and other terms they apply to them, is likely to continue. Therefore, the statutes, regulations and policies to which we are subject may be therefore changed at any time. In addition, the interpretation and the application by regulators of the laws and regulations to which we are subject may also change from time to time. Extensive legislation and implementing regulation affecting the financial services industry has been adopted in regions that directly or indirectly affect our business, including Spain, the United States, the EU, the UK, Latin America and other jurisdictions, and further regulations are in the process of being implemented. The manner in which those laws and related regulations are applied to the operations of financial institutions is still evolving. Moreover, to the extent these regulations are implemented inconsistently in the various jurisdictions in which we operate, we may face higher compliance costs. Any legislative or regulatory actions and any required changes to our business operations resulting from such legislation and regulations, as well as any deficiencies in our compliance with such legislation and regulation, could result in significant loss of revenue, limit our ability to pursue business opportunities in which we might otherwise consider engaging and provide certain products and services, affect the value of assets that we hold, require us to increase our prices and therefore reduce demand for our products, impose additional compliance and other costs on us or otherwise adversely affect our businesses. In particular, legislative or regulatory actions resulting in enhanced prudential standards, in particular with respect to capital and liquidity, could impose a significant regulatory burden on us or on our subsidiaries and could limit the bank subsidiaries’ ability to distribute capital and liquidity to us, thereby negatively impacting us. Future liquidity standards could require us to maintain a greater proportion of assets in highly-liquid but lower-yielding financial instruments, which would negatively affect our net interest margin. Moreover, our regulatory and supervisory authorities, periodically review our allowance for loan losses. Such regulators may recommend us to increase our allowance for loan losses or to recognize further losses. Any such additional provisions for loan losses, as recommended by these regulatory agencies, whose views may differ from those of our management, could have an adverse effect on our earnings and financial condition. Accordingly, there can be no assurance that future changes in regulations or in their interpretation or application will not adversely affect us. The wide range of regulations, actions and proposals which most significantly affect us, or which could most significantly affect us in the future, relate to capital requirements, funding and liquidity and development of a fiscal and banking union in the EU, which are discussed in further detail below. Moreover, there is uncertainty regarding the future of financial reforms in the United States and the impact that potential financial reform changes to the U.S. banking system may have on ongoing international regulatory proposals. In general, regulatory reforms adopted or proposed in the wake of the financial crisis have increased and may continue to materially increase the Group's operating costs and negatively impact the Group's business model. Furthermore, regulatory authorities have substantial discretion in how to regulate banks, and this discretion, and the means available to the regulators, have been increasing during recent years. Regulation may be imposed on an ad hoc basis by governments and regulators in response to a crisis, and these may especially affect financial institutions such as us that are deemed to be a global systemically important institution (G-SII). The main regulations and regulatory and governmental oversight that can adversely impact us include but are not limited to the items below. See more details in 'Supplemental Information. Section10. Supervision and Regulation'. Capital requirements, liquidity, funding and structural reform Increasingly onerous capital requirements constitute one of our main regulatory challenges. Increasing capital requirements may adversely affect our profitability and create regulatory risk associated with the possibility of failure to maintain required capital levels. As a Spanish financial institution, we are subject to the Capital Requirements Regulation (Regulation (EU) No 575/2013) (CRR) and the Capital Requirements Directive (Directive 2013/36/EU) (CRD IV), through which the EU began implementing the Basel III capital reforms from 1 January 2014. While the CRD IV required national transposition, the CRR was directly applicable in all the EU member states. This regulation is complemented by several binding technical standards and guidelines issued by the European Banking Authority (EBA), directly applicable in all EU member states, without the need for national implementation measures either. The implementation of the CRD IV into Spanish law took place through Royal Decree Law 14/2013 and Law 10/2014, Royal Decree 84/2015, of 13 February, implementing Law 10/2014 (Royal Decree 84/2015), Bank of Spain Circular 2/2014 and Bank of Spain Circular 2/2016. On 27 June 2019, a comprehensive package of reforms amending CRR, CRD IV as well as the European Bank Recovery and Resolution Directive (Directive 2014/59/EU) (BRRD) and Regulation (EU) No 1093/2010 (SRM Regulation) came into force: (i) Directive (EU) 2019/878 of the European Parliament and of the Council of 20 May 2019 amending CRDIV as regards exempted entities, financial holding companies, mixed financial holding companies, remuneration, supervisory measures and powers and capital conservation measures (CRD V); (ii) Directive (EU) 2019/879 of the European Parliament and of the Council of 20 May 2019 amending BRRD as regards loss-absorbing and recapitalisation capacity of credit institutions and investment firms and Directive 98/26/EC (BRRD II); (iii) Regulation (EU) 2019/876 of the European Parliament and of the Council of 20 May 2019 amending CRR as regards the leverage ratio, the net stable funding ratio, requirements for own funds and eligible liabilities, counterparty credit risk, market risk, exposures to central counterparties, exposures to collective investment undertakings, large exposures, reporting and disclosure requirements, and Regulation (EU) 648/2012 (CRR II); and (iv) Regulation (EU) 2019/877 of the European Parliament and of the Council of 20 May 2019 amending the SRM Regulation as regards the loss-absorbing and recapitalisation capacity of credit institutions and investment firms (SRMR II, and together with CRD V, BRRD II and CRR II, the EU Banking Reforms). The EU Banking Reforms cover multiple areas, including the Pillar 2 framework, the leverage ratio, mandatory restrictions on distributions, permission for reducing own funds and eligible liabilities, macroprudential tools, a new category of "non-preferred" senior debt that should only be bailed-in after junior ranking instruments but before other senior liabilities, changes to the definitions of Tier 2 and Additional Tier 1 instruments, the MREL framework and the integration of the TLAC standard into EU legislation as mentioned above. With regards to the European Commission's proposal to create a new asset class of "non-preferred" senior debt, on 27 December 2017, Directive 2017/2399 amending Directive 2014/59/EU as regards the ranking of unsecured debt instruments in insolvency hierarchy was published in the Official Journal of the European Union and sets forth a harmonised national insolvency ranking of unsecured debt instruments to facilitate the issuance by credit institutions of senior "non-preferred" instruments. Before that, Royal Decree-Law 11/2017, of 23 June, approving urgent measures on financial matters created in Spain the new asset class of senior "non-preferred" debt. Most of the provisions of the EU Banking Reforms have started to apply. CRD V Directive and BRRD II have been partially implemented into Spanish law through Royal Decree-Law 7/2021, of 27 April, (RDL 7/2021) which has amended, amongst others, Law 10/2014 and Law 11/2015, of 18 June, on the Recovery and Resolution of Credit Institutions and Investment Firms (Law 11/2015). Despite the fact that RDL 7/2021 is generally enforceable since 29 April 2021, the Spanish Parliament decided on 19 May 2021 to process it as a Law and so RDL 7/2021 provisions may be subject to changes. Furthermore, Royal Decree 970/2021, of 8 November, amended Royal Decree 84/2015, and Circular 5/2021 of the Bank of Spain, of 22 December, amended Circular 2/2016, and continued the implementation into Spanish law of CRDV. In addition, Royal Decree 1041/2021, of 23 November, amended Royal Decree 1012/2015, of 6 November, which implemented Law 11/2015 (Royal Decree 1012/2015) and completed the implementation of CRD V and BRRD II. Of note, however, is the uncertainty regarding how the EU Banking Reforms will be applied by the relevant authorities. As further explained below, CRR and CRR II were modified by Regulation 2020/873 of the European Parliament and of the Council of 24 June 2020 amending CRR and CRR II regarding certain temporary or permanent adjustments in response to the covid-19 pandemic (CRR 2.5 or Quick Fix), applicable from 27 June 2020. On 27 October 2021, the European Commission published legislative proposals to amend CRR and the CRD IV, as well as a separate legislative proposal to amend CRR and BRRD in the area of resolution. Moreover, these legislative proposals include the following: (i) a directive of the European Parliament and of the Council amending CRD IV with respect to supervisory powers, sanctions, third-country branches, and environmental, social and governance risks, and amending BRRD; (ii) a regulation of the European Parliament and of the Council and its annex amending CRR with respect to requirements for credit risk, credit valuation adjustment risk, operational risk, market risk and the output floor; and (iii) a regulation of the European Parliament and of the Council amending CRR and BRRD with respect to the prudential treatment of global systemically important institutions with a multiple point of entry resolution strategy and a methodology for the indirect subscription of instruments eligible for meeting the minimum requirement for own funds and eligible liabilities. These legislative proposals will need to follow the ordinary legislative procedure to become binding EU law. The timing for the final implementation of these legislative proposals is unclear as of the date of this annual report on Form 20-F. The final package of new legislation may not include all elements currently set out in the proposal and new or amended elements may be introduced through the course of the legislative process. Credit institutions, such as the Bank, are required, on a standalone and consolidated basis, to hold a minimum amount of regulatory capital of 8% of risk weighted assets (of which at least 4.5% must be Common Equity Tier 1 (CET1) capital and at least 6% must be Tier 1 capital). In addition to the minimum regulatory capital requirements, the CRD IV also introduced five capital buffer requirements that must be met with CET1 capital: (1) the capital conservation buffer for unexpected losses, requiring additional CET1 of up to 2.5% of total risk weighted assets; (2) the institution-specific counter-cyclical capital buffer (consisting of the weighted average of the counter-cyclical capital buffer rates that apply in the jurisdictions where the relevant credit exposures are located), which may require as much as additional CET1 capital of 2.5% of total risk weighted assets or higher pursuant to the requirements set by the competent authority; (3) the G-SIIs buffer requiring additional CET1 which shall be not less than 1% of risk weighted assets; (4) the other systemically important institutions buffer, which may be as much as 2% of risk weighted assets; and (5) the CET1 systemic risk buffer to prevent systemic or macroprudential risks of at least 1% of risk weighted assets (to be set by the competent authority). Entities are required to comply with the 'combined buffer requirement' (broadly, the combination of the capital conservation buffer, the institution-specific counter-cyclical buffer and the higher of (depending on the institution) the systemic risk buffer, the G-SIIs buffer and the other systemically important institutions (O-SII) buffer, in each case as applicable to the institution). In addition, under the current framework, institutions must also comply with an additional capital requirement (Pillar 2) which is annually set for each institution on an individual basis. Under the CRD V, where an institution is subject to a systemic risk buffer, that buffer will be cumulative with the applicable G-SIIs buffer or the other systemically important institution buffer. While the capital conservation buffer and the G-SII buffer are mandatory, the Bank of Spain has greater discretion in relation to the counter-cyclical capital buffer, the O-SII buffer and the systemic risks buffer. The ECB also has the ability to provide certain recommendations in this respect. As of the date of this report, we are required to maintain a conservation buffer of additional CET1 capital of 2.5% of risk weighted assets, a G-SII buffer of additional CET1 capital of 1% of risk weighted assets and a counter-cyclical capital buffer of additional CET1 capital of 0.01% of risk weighted assets. Bank of Spain agreed on 27 December 2021 to maintain the countercyclical buffer applicable to credit exposures in Spain at 0% for the first quarter of 2022 (while percentages are to be revised each quarter, the Bank of Spain anticipated also the non-activation of the countercyclical capital buffer over a prolonged period, at least until the main economic and financial effects arising from the covid-19 outbreak have been dispelled). Moreover, article 104 of the CRD IV, as implemented by Article 68 of Law 10/2014, and similarly Article 16 of Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the ECB concerning policies relating to the prudential supervision of credit institutions (the SSM Regulation), also contemplate that in addition to the minimum Pillar 1 capital requirements and any applicable capital buffer, supervisory authorities may impose further Pillar 2 capital requirements to cover other risks, including those risks incurred by the individual institutions due to their activities not considered to be fully captured by the minimum capital requirements under the CRD IV and CRR. This may result in the imposition of additional capital requirements on us and/or the Group pursuant to this Pillar 2 framework. Any failure by us and/or the Group to maintain its Pillar 1 minimum regulatory capital ratios and any Pillar 2 additional capital requirements or TLAC/MREL Requirements (as defined below) could result in administrative actions or sanctions (including restrictions on discretionary payments), which, in turn, may have a material adverse impact on our results of operations. The European Central Bank clarified in its 'Frequently asked questions on the 2016 EU-wide stress test' (July 2016) and in accordance with articles 104a and b of the CRD V, as implemented in Spain by article 69 and 69bis of Law 10/2014, that the institutions specific Pillar 2 capital shall consist of two parts: Pillar 2 requirement and Pillar 2 guidance. Pillar 2 requirements are binding, and breaches can have direct legal consequences for banks, while Pillar 2 guidance is not directly binding and a failure to meet Pillar 2 guidance does not automatically trigger legal action, even though the ECB expects banks to meet Pillar 2 guidance. Failure to comply with the Pillar 2 guidance is not relevant for the purposes of triggering the automatic restriction of the distribution and calculation of the 'Maximum Distributable Amount' but, in addition to certain other measures, competent authorities are entitled to impose further Pillar 2 capital requirements where an institution repeatedly fails to follow the Pillar 2 capital guidance previously imposed. The ECB is required to carry out, at least on an annual basis, assessments under the CRD IV of the additional Pillar 2 capital requirements that may be imposed for each of the European banking institutions subject to the Single Supervisory Mechanism (the SSM) and accordingly requirements may change from year to year. Any additional capital requirement that may be imposed on us and/or the Group by the ECB pursuant to these assessments may require us and/or the Group to hold capital levels similar to, or higher than, those required under the full application of the CRD IV. There can be no assurance that the Group will be able to continue to maintain such capital ratios. In addition to the above, the EBA published on 19 December 2014 its final guidelines for common procedures and methodologies in respect of its supervisory review and evaluation process (SREP and the SREP EBA Guidelines). Included in this were the EBA's proposed guidelines for a common approach to determining the amount and composition of additional Pillar 2 capital requirements implemented on 1 January 2016. Under these guidelines, national supervisors must set a composition requirement for the Pillar 2 additional capital requirements to cover certain specified risks of at least 56% CET1 capital and at least 75% Tier 1 capital. In June 2021, the EBA launched a public consultation on its revised SREP EBA Guidelines which ran until 28 September 2021, and as a result, the SREP EBA Guidelines will be updated, with publication of the final text expected in March 2022. Under Article 104(a) of CRD V (implemented into Spanish law by Article 94.6 of Royal Decree 84/2015), EU banks are now allowed to meet Pillar 2 requirements with these minimum proportions of CET1 capital and tier 1 capital. In addition to the statements on using flexibility within accounting and prudential rules, such as those made by the Basel Committee, the EBA and the ECB, amongst others, the Quick Fix sets out exceptional temporary measures to alleviate the immediate impact of covid-19-related developments, by adapting the timeline of the application of international accounting standards on banks' capital, by treating more favourably public guarantees granted during this crisis, by postponing the date of application of the leverage ratio buffer, by setting a temporary prudential filter to mitigate the considerable negative impact of the volatility in central government debt markets during the covid-19 pandemic on institutions, by modifying the way of excluding certain exposures from the calculation of the leverage ratio, by advancing the date of application of several agreed measures that incentivise banks to finance employees, SMEs and infrastructure projects and by aligning the minimum coverage requirements for NPLs that benefit from public guarantees with those that benefit from guarantees granted by official export credit agencies. The SREP EBA Guidelines also contemplate that national supervisors should not set additional capital requirements in respect of risks which are already covered by capital buffer requirements and/or additional macroprudential requirements; and, accordingly, the above 'combined buffer requirement' is in addition to the minimum Pillar 1 capital requirement and to the additional Pillar 2 capital requirement. Therefore capital buffers would be the first layer of capital to be eroded pursuant to the applicable stacking order, as set out in the 'Opinion of the EBA on the interaction of Pillar 1, Pillar 2 and combined buffer requirements and restrictions on distributions' published on 16 December 2015. In this regard, under Article 141 of the CRD IV, Member States of the EU must require that an institution that fails to meet the 'combined buffer requirement' or the Pillar 2 capital requirements described above, be prohibited from paying any 'discretionary payments' (which are defined broadly by the CRD IV as payments relating to CET1, variable remuneration and discretionary pension benefits and distributions relating to Additional Tier 1 capital instruments), until it calculates its applicable restrictions and communicates them to the regulator. Thereafter, any such discretionary payments shall subject to such restrictions. The restrictions shall be scaled according to the extent of the breach of the 'combined buffer requirement' and calculated as a percentage of the profits of the institution since the last distribution of profits or 'discretionary payment'. Such calculation shall result in a Maximum Distributable Amount in each relevant period. As an example, the scaling is such that in the bottom quartile of the 'combined buffer requirement', no 'discretionary distributions' will be permitted to be paid. Articles 43 to 49 of Law 10/2014 and Chapter II of Title II of Royal Decree 84/2015 implement the above provisions in Spain. In particular, Article 48 of Law 10/2014 and Articles 73 and 74 of Royal Decree 84/2014 deal with restrictions on distributions. Furthermore, pursuant to the EU Banking Reforms, the calculation of the Maximum Distributable Amount, as well as consequences of, and pending, such calculation could also take place as a result of the breach of MREL (as defined below) and a breach of the leverage ratio buffer. CRD V further clarifies that Pillar 2 requirements should be positioned in the relevant stacking order of own funds requirements above the Pillar 1 capital requirements and below the "combined buffer requirement" or the leverage ratio buffer requirement, as applicable. In addition, CRD V also clarifies that Pillar 2 requirements should be set in relation to the specific situation of an institution excluding macroprudential or systemic risks, but including the risks incurred by individual institutions due to their activities (including those reflecting the impact of certain economic and market developments on the risk profile of an individual institution). We announced on 3 February 2022 that we received the ECB's decision regarding prudential minimum capital requirements effective as of 1 March 2022, following the results of SREP. The ECB decision required us to maintain a CET1 ratio of at least 8.85% on a consolidated basis. This 8.85% capital requirement includes: the minimum Pillar 1 requirement (4.5%); the Pillar 2 requirement (0.84%); the capital conservation buffer (2.5%); the requirement deriving from its consideration of us as a G-SII (1.0%) and the counter-cyclical buffer (0.01%). The ECB decision also requires that we maintain a CET1 capital ratio of at least 7.85% on an individual basis. As of 31 December 2021, on a consolidated basis, our total capital ratio was 16.81% while our CET1 ratio was 12.51%. If we do not apply the transitory IFRS 9 provisions, nor the subsequent amendments introduced by Regulation 2020/873 of the European Union, the fully-loaded CET1 ratio was 12.12%. In addition to the above, the CRR also contains a binding 3% Tier 1 leverage ratio (LR) requirement, and which institutions must meet in addition and separately to their risk-based requirements. The ECB announced on 18 June 2021 that institutions under its supervision may continue to exclude certain central bank exposures from the leverage ratio, as exceptional macroeconomic circumstances due to the covid-19 pandemic continue. The move extends until March 2022 the leverage ratio relief granted in September 2020, which was set to expire on 27 June 2021. Moreover, the EU Banking Reforms include a LR buffer for G-SIIs to be met with Tier 1 capital and set at 50% of the applicable risk weighted G-SIIs buffer. Pursuant to new Article 141b of the CRD V and Article 48ter of Law 10/2014, G-SIIs shall also be obliged to determine their Maximum Distributable Amount and restrict discretionary payments where they do not meet the leverage ratio buffer under Article 92.1a of CRR. Due to the postponement of the application of the leverage ratio buffer by the Quick Fix restrictions on discretionary payments due to failure to meet the leverage ratio buffer will apply from 1 January 2023. On 9 November 2015, the Financial Stability Board (the FSB) published its final principles and term sheet containing an international standard to enhance the loss absorbing capacity of G-SIIs such as us. The final standard consists of an elaboration of the principles on loss absorbing and recapitalization capacity of G-SIIs in resolution and a term sheet setting out a proposal for the implementation of these proposals in the form of an internationally agreed standard on total loss absorbing capacity (TLAC) for G-SIIs. Once implemented in the relevant jurisdictions, these principles and terms will form a new minimum TLAC standard for G-SIIs, and in the case of G-SIIs with more than one resolution group, each resolution group within the G-SII. As of 2 July 2019, the FSB published its review of the technical implementation of the TLAC principles and term sheet concluding that, although further efforts are needed to implement the TLAC standard fully and effectively and to determine the appropriate group-internal distribution of TLAC resources across home and host jurisdictions, it sees no need to modify the TLAC standard at this time. The TLAC principles and term sheet established a minimum TLAC requirement to be determined individually for each G-SII at the greater of (a) 18% as of 1 January 2022, and (b) 6.75% of the Basel III Tier 1 LR exposure measure as of 1 January 2022. Under the FSB TLAC standard, capital buffers stack on top of TLAC. Furthermore, Article 45 of the BRRD provides that Member States shall ensure that institutions meet, at all times, a minimum requirement for own funds and eligible liabilities (MREL). On 14 December 2016, the EBA published its final report on the implementation and design of the MREL framework where it stated that, although there was no need to change the key principles underlying the MREL regulations, certain changes would be necessary with a view to improve the technical soundness of the MREL framework and implement the TLAC standard as an integral component of the MREL framework. One of the main objectives of the EU Banking Reforms was to implement the TLAC standard and to integrate the TLAC requirement into the general MREL rules (the TLAC/MREL Requirements) thereby avoiding duplication from the application of two parallel requirements. As mentioned above, although TLAC and MREL pursue the same regulatory objective, there are, nevertheless, some differences between them in the way they are constructed. The EU Banking Reforms integrate the TLAC standard into the existing MREL rules and to ensure that both requirements are met with largely similar instruments, with the exception of the subordination requirement, which will be partially institution-specific and determined by the resolution authority. Under the EU Banking Reforms, institutions such as the Bank would continue to be subject to an institution-specific MREL requirement, which may be higher than the Pillar 1 TLAC/MREL Requirements for G-SIIs contained in the EU Banking Reforms. According to new article 16.a) of the BRRD, any failure by an institution to meet the 'combined buffer requirement' when considered in addition to the applicable minimum TLAC/MREL Requirements is intended to be treated in a similar manner as a failure to meet the 'combined buffer requirement' on top of its minimum regulatory capital requirements, i.e. a resolution authority will have the power to impose restrictions or prohibitions on discretionary payments by the Bank. The referred article 16.a) of BRRD includes a potential nine month grace period, whereby the resolution authority will assess on a monthly basis whether to exercise its powers, after such nine-month period the resolution authority is compelled to exercise its power to restrict discretionary payments (subject to certain limited exceptions). These restrictions have been implemented in Spain by means of article 16bis of Law 11/2015. We announced on 14 December 2021 that we had received formal notification from the Bank of Spain of our binding minimum MREL requirement, both total and subordinated, for the resolution group of Banco Santander at a sub-consolidated level, as determined by the SRB. The requirement became effective on 1 January 2022 and replaced the previously applicable one. The total MREL requirement was set at 31.89% for 2024 and at 29.85% as intermediate target for 2022 of the resolution group’s total risk weighted assets. The subordination requirement was set at 9.04%. As of [31 December 2021] the structure of own funds and eligible liabilities of the resolution group of Banco Santander meets the intermediate target of the requirement determined by the SRB effective 1 January 2022, and our funding plan has been built to further strengthen MREL ration and to comply with the final requirement determined by the SRB. Future requirements are subject to ongoing review by the resolution authority. Additionally, the Basel Committee is currently in the process of reviewing and issuing recommendations in relation to risk asset weightings which may lead to increased regulatory scrutiny of risk asset weightings in the jurisdictions who are members of the Basel Committee. On 7 December 2017, the Basel Committee’s oversight body, the Group of Central Bank Governors and Heads of Supervision (GHOS) published the finalization of the Basel III post-crisis regulatory reform agenda. This review of the regulatory framework covers credit, operational and credit valuation adjustment (CVA) risks, introduces a floor to the consumption of capital by internal ratings-based methods (IRB) and the revision of the calculation of the LR. The main features of the reform are: (i) a revised standard method for credit risk, which will improve the soundness and sensitivity to risk of the current method; (ii) modifications to the IRB methods for credit risk, including input floors to ensure a minimum level of conservatism in model parameters and limitations to its use for portfolios with low levels of non-compliance; (iii) regarding the CVA risk, and in connection with the above, the removal of any internally modelled method and the inclusion of a standardized and basic method; (iv) regarding the operations risk, the revision of the standard method, which will replace the current standard methods and the advanced measurement approaches (AMA); (v) the introduction of a LR buffer for G-SIIs; and (vi) regarding capital consumption, it establishes a minimum limit on the aggregate results (output floor), which prevents the risk-weighted assets of the banks generated by internal models from being lower than the 72.5% of the risk-weighted assets that are calculated with the standard methods of the Basel III framework. In August 2019, the EBA advised the European Commission on the introduction of the output floor and concluded that the revised framework should be implemented by using the floored risk weighted assets as a basis for all the capital layers, including the systemic risk buffer and the Pillar 2 capital requirement. A draft proposal from the European Commission was issued during the fourth quarter of 2021. The GHOS have extended the implementation of the revised minimum capital requirements for market risk until January 2022, to coincide with the implementation of the reviews of credit, operational and CVA risks. More recently, on 27 March 2020, the GHOS informed that a set of measures to provide additional operational capacity for banks and supervisors to respond to the immediate financial stability priorities resulting from the impact of the coronavirus disease (Covid-19) on the global banking system have been endorsed. Among such measures, the implementation date of the revised market risk framework was deferred by one year to 1 January 2023. In addition to the above, the Group shall also comply with the liquidity coverage ratio (LCR) and the net stable funding ratio (NSFR) requirements provided in CRR. According to article 460.2 of CRR, the LCR was progressively introduced since 2015 with the following phasing-in: (a) 60% of the LCR in 2015; (b) 70% as of 1 January 2016; (c) 80% as of 1 January 2017; and (d) 100% as of 1 January 2018. As of 31 December 2021, the Group’s LCR was 163%, above the 100% minimum requirement. In relation to the NSFR, the institutions shall maintain from 28 June 2021 an NSFR (calculated in accordance with Title IV of the CRR) of at least 100%. As of 31 December 2021, the Group's NSFR was 126%, above the 100% minimum requirement. In this regard, there can be no assurance that the application of the existing regulatory requirements, standards or recommendations will not require us to issue additional securities that qualify as own funds or eligible liabilities, to maintain a greater proportion of its assets in highly-liquid but lower-yielding financial instruments, to liquidate assets, to curtail business or to take any other actions, any of which may have a material adverse effect on the Group's business, results of operations and/or financial position. EU fiscal and banking union The project of achieving a European banking union was launched in the summer of 2012. Its main goal is to resume progress towards the European single market for financial services by restoring confidence in the European banking sector and ensuring the proper functioning of monetary policy in the eurozone. The banking union is expected to be achieved through new harmonized banking rules (the single rulebook) and a new institutional framework with stronger systems for both banking supervision and resolution that will be managed at the European level. Its two main pillars are the SSM and the Single Resolution Mechanism (SRM). The SSM (comprised by both the ECB and the national competent authorities) is designed to assist in making the banking sector more transparent, unified and safer. In accordance with the SSM Regulation, the ECB fully assumed its new supervisory responsibilities within the SSM, in particular direct supervision of the largest European banks (including us), on 4 November 2014. The SSM represented a significant change in the approach to bank supervision at a European and global level, and resulted in the direct supervision by the ECB of the largest financial institutions, including us, and indirect supervision of around 3,500 financial institutions and is now one of the largest in the world in terms of assets under supervision. In the coming years, the SSM is expected to continue working on the establishment of a new supervisory culture importing best practices from the 19 national competent authorities that are part of the SSM and promoting a level playing field across participating Member States. Several steps have already been taken in this regard such as the publication of the Supervisory Guidelines; the approval of the Regulation (EU) No 468/2014 of the ECB of 16 April 2014, establishing the framework for cooperation within the SSM between the ECB and national competent authorities and with national designated authorities (the SSM Framework Regulation); the approval of a Regulation (Regulation (EU) 2016/445 of the European Central Bank of 14 March 2016 on the exercise of options and discretions available in Union law) and a set of guidelines on the application of CRR's national options and discretions, etc. In addition, the SSM represents an extra cost for the financial institutions that funds it through payment of supervisory fees. The other main pillar of the EU banking union is the SRM, the main purpose of which is to ensure a prompt and coherent resolution of failing banks in Europe at minimum cost for the taxpayers and the real economy. The SRM Regulation establishes uniform rules and a uniform procedure for the resolution of credit institutions and certain investment firms in the framework of the SRM and a Single Resolution Fund (SRF). Under the intergovernmental agreement (IGA) signed by 26 EU member states on 21 May 2014, contributions by banks raised at national level were transferred to the SRF. The new Single Resolution Board (SRB), which is the central decision-making body of the SRM, started operating on 1 January 2015 and has fully assumed its resolution powers on 1 January 2016. The SRB is responsible for managing the SRF and its mission is to ensure that credit institutions and other entities under its remit, which face serious difficulties, are resolved effectively with minimal costs to taxpayers and the real economy. From that date onwards, the SRF is also in place, funded by contributions from European banks in accordance with the methodology approved by the Council of the EU. The SRF is intended to reach a total amount of EUR 55 billion by 2024 and to be used as a separate backstop only after an 8% bail-in of a bank's liabilities has been applied to cover capital shortfalls (in line with the BRRD). In order to complete such banking union, a single deposit guarantee scheme is still needed, which may require a change to the existing European treaties. This is the subject of continued negotiation by European leaders to ensure further progress is made in European fiscal, economic and political integration. Regulations adopted towards achieving a banking and/or fiscal union in the EU and decisions adopted by the ECB in its capacity as our main supervisory authority may have a material impact on our business, financial condition and results of operations. Moreover, regulations adopted on structural measures to improve the resilience of EU credit institutions may have a material impact on our business, financial condition, results of operations and prospects. These regulations, if adopted, may also cause us to invest significant management attention and resources to make any necessary changes. Global Minimum Tax On 22 December 2021, the European Commission proposed a Directive ensuring a minimum effective tax rate for the global activities of large multinational groups. The proposal follows closely the OECD/G20 Inclusive Framework on Base Erosion and Profit Shifting and sets out how the principles of the 15% effective tax rate – agreed by 137 countries – will be applied in practice within the EU. It includes a common set of rules (GloBe - Global Anti-Base Erosion - Rules) on how to calculate this effective tax rate, so that it is properly and consistently applied across the EU. If the Directive proposal is finally approved at the EU level, it is expected that the inclusion rule will be applicable in the Member States from 1 January 2023 Banking Reform in the UK In accordance with the provisions of the Financial Services (Banking Reform) Act 2013, UK banking groups that hold significant retail deposits, including Santander UK, were required to separate or ‘ring-fence’ their retail banking activities from their wholesale banking activities by 1 January 2019. However, given the complexity of the ringfencing regulatory regime and the material impact on the way Santander UK conducts its business operations in the UK, there is a risk that Santander UK may be found to be in breach of one or more ring-fencing requirements. This might occur, for example, if prohibited business activities are found to be taking place within the ring-fence, mandated retail banking activities are found being carried on in a UK entity outside the ring-fenced part of the group or Santander UK breached a PRA ring-fencing rule. If Santander UK were found to be in breach of any of the ring-fencing requirements placed upon it under the ring-fencing regime, it could be subject to supervisory or enforcement action by the PRA, the consequences of which might include substantial financial penalties, imposition of a suspension or restriction on Santander UK’s UK activities or, in the most serious of cases, forced restructuring of the UK group, entitling the PRA (subject to the consent of the UK government) to require the sale of a Santander ring-fenced bank or other parts of the UK group. United States significant regulation The financial services industry continues to experience significant financial regulatory reform in the United States, including from capital, leverage, funding, liquidity, and tax regulation, fiscal and monetary policies established by central banks and financial regulators, changes to global trade policies, and other legal and regulatory actions. Many of these reforms significantly affected and continue to affect our revenues, costs and organizational structure in the United States and the scope of our permitted activities. We continue to monitor the changing political, tax and regulatory environment in the United States. We believe that it is likely that there will be further material changes in the way major financial institutions like us are regulated in the United States. The scope of regulation and the intensity of supervision will likely remain higher under the Biden Administration, including increased scrutiny and supervision by our regulators. Although it remains difficult to predict the exact impact these changes will have on our business, financial condition, results of operations and cash flows for a particular future period, further reforms could result in loss of revenue, higher compliance costs, additional limits on our activities, constraints on our ability to enter into new businesses and other adverse effects on our businesses. The full spectrum of risks that result from pending or future U.S. financial services legislation or regulations cannot be fully known; however, such risks could be material and we could be materially and adversely affected by them. See “Supplemental Information. Section 10. Supervision and Regulation” for a summary of certain significant U.S. financial regulations applicable to our business. Enhanced prudential standards As a large foreign banking organization ('FBO') with significant U.S. operations, we are subject to enhanced prudential standards that required Banco Santander to, among other things, establish or designate a U.S. intermediate holding company (an 'IHC') and to hold its entire ownership interest in substantially all of its U.S. subsidiaries under such IHC. The Bank designated its wholly-owned subsidiary, Santander Holdings USA, as its U.S. IHC. As a U.S. IHC, Santander Holdings USA is subject to an enhanced supervision framework that includes enhanced risk-based and leverage capital requirements, liquidity requirements, risk management and governance requirements, stress-testing and capital planning requirements, and resolution planning requirements. Collectively, the enhanced prudential standards impose a significant regulatory burden on Santander Holdings USA, in particular with respect to capital and liquidity, which could limit its ability to distribute capital and liquidity to the Bank, thereby negatively affecting the Bank. Banco Santander is classified as a Category IV FBO, and Santander Holdings USA is classified as a Category IV IHC, though this categorization may change depending on the scope and composition of our activities. Category IV institutions are subject to the least exacting level of enhanced prudential standards. Both Banco Santander and Santander Holdings USA are now generally subject to less restrictive enhanced prudential standards and capital and liquidity requirements than under previously applicable regulations, as described in more detail in the relevant sections below. Resolution planning We are required to prepare and submit periodically to the Federal Reserve Board and the Federal Deposit Insurance Corporation ('FDIC') a plan, commonly called a living will (the '165(d) plan'), for the orderly resolution of our subsidiaries and operations that are domiciled in the United States in the event of future material financial distress or failure. We, on behalf of our insured depository institution ('IDI') subsidiary, Santander Bank, N.A. (“Santander Bank”), must also submit a separate IDI resolution plan ('IDI plan') to the FDIC. The 165(d) plan and the IDI plan require substantial effort, time and cost to prepare and are subject to review by the Federal Reserve Board and the FDIC, in the case of the 165(d) plan, and by the FDIC only, in the case of the IDI plan. If, after reviewing our 165(d) plan and any related re-submissions, the Federal Reserve Board and the FDIC jointly determine that we failed to cure identified deficiencies, they may jointly impose on our U.S. operations more stringent capital, leverage or liquidity requirements, or restrictions on our growth, activities or operations, or even divestitures, which could have an adverse effect on our business. Banco Santander filed its most recent 165(d) plan on 19 December 2018, and its most recent IDI plan on 28 June 2018. As a result of the Economic Growth, Regulatory Relief, and Consumer Protection Act and following changes to applicable regulations, Banco Santander is now a triennial reduced filer that is required to submit its next 165(d) plan in the form of a reduced resolution plan by July 1, 2022. With respect to our IDI plan, the FDIC announced in November 2018 that the agency planned to revise the IDI plan rule and that the next IDI plan submissions would not be required until the rulemaking process was complete. While the FDIC lifted this moratorium for IDIs with $100 billion or more in assets under the IDI rule, the moratorium remains in place for covered IDIs below this asset threshold, such as Santander Bank. OTC derivatives regulation Title VII of the Dodd-Frank Act amended the U.S. Commodity Exchange Act and the Securities Exchange Act of 1934, among other statutes, to establish an extensive framework for the regulation of over-the-counter ('OTC') derivatives, including mandatory clearing of certain standardized OTC derivatives and the trading of such instruments through regulated trading venues, subject to exceptions, and transaction reporting. In addition, Title VII requires the registration of swap dealers and major swap participants with the Commodity Futures Trading Commission ('CFTC') and of security-based swap dealers and major security-based swap participants with the SEC, and requires the CFTC and SEC to adopt regulations imposing capital, margin, business conduct, record keeping and other requirements on such entities. The CFTC and the SEC have completed the majority of their regulations in this area, most of which are in effect. Banco Santander is provisionally registered as a non-U.S. swap dealer with the CFTC and expects to be conditionally registered as a non-U.S. security-based swap dealer with the SEC by the end of March 2022. These rules, and similar rules being considered by regulators in other jurisdictions that may also apply to us, and the potential conflicts and inconsistencies between them, increase our costs for engaging in swaps and other derivatives activities and present compliance challenges. Volcker Rule Section 13 of Bank Holding Company Act and its implementing rules (collectively, the 'Volcker Rule') prohibits 'banking entities' from engaging in certain forms of proprietary trading or from sponsoring, or investing in 'covered funds,' in each case subject to certain exceptions. The Volcker Rule also limits the ability of banking entities and their affiliates to enter into certain transactions with covered funds with which they or their affiliates have certain relationships. Banking entities such as Banco Santander were required to bring their activities and investments into compliance with the requirements of the Volcker Rule by the end of the conformance period applicable to each requirement. Banco Santander has assessed how the Volcker Rule affects its businesses and subsidiaries, and has brought its activities into compliance. Banco Santander has adopted processes to establish, maintain, enforce, review and test the compliance program designed to achieve and maintain compliance with the Volcker Rule. The Volcker Rule contains exclusions and certain exemptions for market-making, hedging, underwriting, trading in U.S. government and agency obligations and certain foreign government obligations, and trading solely outside the United States, and also permits certain ownership interests in certain types of funds to be retained. In June 2019, the five regulatory agencies charged with implementing the Volcker Rule finalized amendments that primarily affect the proprietary trading aspects of the Volcker Rule. These amendments tailor the Volcker Rule’s compliance requirements to the amount of a firm’s trading activity, revise the definition of trading account, clarify certain key provisions in the Volcker Rule, and modify the information companies are required to provide to the federal agencies. Under the revised rule, firms that do not have significant trading activities, such as Banco Santander, have simplified and streamlined compliance requirements. In June 2020, the five federal agencies finalized additional amendments to the Volcker Rule, related to the restrictions on ownership interests in, sponsorship of and relationships with covered funds. Banco Santander will continue to monitor Volcker Rule-related developments and assess their impact on its operations, as necessary. United States Capital, Liquidity and Related Requirements and Supervisory Actions As a U.S. IHC and bank holding company, Santander Holdings USA is subject to the U.S. Basel III capital rules, which implement in the United States the capital components of the Basel Committee’s international capital and liquidity standards known as Basel III. Under the Tailoring Rules, Santander Holdings USA is not subject to the liquidity coverage ratio (“LCR”) or the net stable funding ratio (“NSFR”) requirements, since it is a Category IV IHC with less than $50 billion in weighted short-term wholesale funding. Total Loss-Absorbing Capacity and Long-Term Debt requirements In addition to the above mentioned capital and liquidity requirements, Santander Holdings USA is subject to the Federal Reserve Board’s final rule implementing the FSB’s international Total Loss Absorbing Capital ('TLAC') standard, which establishes certain TLAC, long-term debt ('LTD') and clean holding company requirements for U.S. IHCs of non-U.S. G-SIIs, including Santander Holdings USA. Santander Holdings USA is compliant with all applicable requirements under the final rule as of 31 December 2019. Compliance with the final TLAC rule has resulted in increased funding expenses for Santander Holdings USA and, indirectly, the Bank. Stress testing and capital planning Certain of our U.S. subsidiaries, including Santander Holdings USA, are subject to supervisory stress testing and capital planning requirements in the United States. The Federal Reserve Board expects companies subject to stress testing and capital planning processes, such as Santander Holdings USA, to have sufficient capital to withstand a highly adverse operating environment and to be able to continue operations, maintain ready access to funding, meet obligations to creditors and counterparties, and serve as credit intermediaries. In addition, the Federal Reserve Board evaluates the planned capital actions of these bank holding companies, including planned capital distributions such as dividend payments or stock repurchases. In October 2019, the Federal Reserve Board finalized the Tailoring Rules for stress testing and capital actions that a company is required to perform based on the company’s asset size, cross-jurisdictional activity, reliance on short-term wholesale funding, non-bank assets, and off-balance sheet exposure. As a Category IV IHC under the Tailoring Rules, Santander Holding USA is required to submit a capital plan to the Federal Reserve on an annual basis. Santander Holding USA is also subject to supervisory stress testing on a two-year cycle. Santander continues to evaluate planned capital actions in its annual capital plan and on an ongoing basis. The Federal Reserve Board has the authority to limit the capital distributions of bank holding companies, including Santander Holding USA. For example, in June 2020, the Federal Reserve Board announced that it would bar share repurchases and limit common stock dividend payments in the third quarter of 2020 for all large bank holding companies, and subsequently extended the restrictions into the first half of 2021 with certain modifications to permit resumptions of share repurchases. Although the temporary capital action supervisory restrictions previously applicable to Santander Holdings USA ended on June 30, 2021, it is possible that the Federal Reserve Board could impose similar restrictions in the future. In March 2020, the Federal Reserve Board finalized the Stress Capital Buffer (“SCB”) rule. Under the SCB rule, the Federal Reserve Board uses the results of its supervisory stress test to establish the size of a firm’s SCB requirement, subject to a floor of 2.5 percent. Beginning 1 October 2020, the SCB replaced the previously effective 2.5 percent capital conservation buffer. Santander Holdings USA must maintain capital ratios above the sum of the minimum capital requirements and any applicable capital buffers, including the SCB, in order to avoid restrictions on the distribution of capital, including in the form of dividends or share repurchases. As a Category IV IHC, Santander Holdings USA was not subject to the supervisory stress testing processes for the 2021 cycle. Santander Holdings USA’s current SCB, calibrated based on the results of the 2020 supervisory stress tests, is 2.5 percent, although this amount could increase in future years based on the results of the Federal Reserve Board’s periodic supervisory stress tests and capital planning requirements applicable to Santander Holdings USA. Single counterparty credit limits The U.S. operations of the Bank are subject to single counterparty credit limits, which impose percentage limitations on net credit exposures to individual counterparties (aggregated based on affiliation), generally as a percentage of tier 1 capital. Under the amendments to the U.S. single counterparty credit limits rule made by the Tailoring Rules, Santander Holdings USA is not subject to the single counterparty credit limits rule at the IHC level. In addition, although the Bank remains subject to the U.S. single counterparty credit limit rules with respect to its U.S. operations, it has elected to use substituted compliance by certifying that it complies with its home-country single counterparty credit limits, instead of separately complying with the Federal Reserve Board's implementation of these requirements. Other supervisory actions and restrictions on U.S. activities In addition to the foregoing, U.S. bank regulatory agencies from time to time take supervisory actions under certain circumstances that restrict or limit a financial institution’s activities. In some instances, we are subject to significant legal restrictions on our ability to publicly disclose these actions or the full details of these actions. Furthermore, as part of the regular examination process, U.S. banking regulators may advise our U.S. banking subsidiaries to operate under various restrictions as a prudential matter. Currently, under the U.S. Bank Holding Company Act, we and our U.S. banking and bank holding company subsidiaries may not be able to engage in certain categories of new activities in the U.S. or acquire shares or control of other companies in the U.S. Any such actions or restrictions, if and in whatever manner imposed, could adversely affect our costs and revenues. Moreover, efforts to comply with non-public supervisory actions or restrictions could require material investments in additional resources and systems, as well as a significant commitment of managerial time and attention. As a result, such supervisory actions or restrictions could have a material adverse effect on our business and results of operations; and we may be subject to significant legal restrictions on our ability to publicly disclose these matters or the full details of these actions. In addition to such confidential actions and restrictions, we may from time to time be subject to public supervisory actions in the United States. For example, in March 2017, Santander Holdings USA and SCUSA entered into a written agreement with the Federal Reserve Bank of Boston (“FRB Boston”) pursuant to which Santander Holdings USA and SCUSA agreed to submit written plans acceptable to the FRB Boston to strengthen board oversight of the management and operations of SCUSA and to strengthen board and senior management oversight of SCUSA’s risk management program, SCUSA agreed to submit a written revised compliance risk management program acceptable to the FRB Boston and Santander Holdings USA agreed to submit written revisions to its firm-wide internal audit program of SCUSA’s compliance risk management program. The written agreement between Santander Holdings USA, SCUSA and the FRB Boston dated 21 March 2017 was terminated on 4 February 2021. Anti-Money Laundering and economic sanctions A major focus of U.S. governmental policy relating to financial institutions is aimed at preventing money laundering and terrorist financing. The Bank Secrecy Act, as amended by the USA PATRIOT Act of 2001 and the Anti-Money Laundering Act of 2021, contains provisions intended to detect and prevent the use of the U.S. financial system for money laundering and terrorist financing activities. Under the Bank Secrecy Act, U.S. financial institutions, including U.S. branches and subsidiaries of non-U.S. banks, are required to, among other things, maintain an anti-money laundering ('AML') program, verify the identity of clients, identify and verify the beneficial owners of certain legal entity clients, conduct ongoing customer due diligence, monitor for and report suspicious transactions, report on cash transactions exceeding specified thresholds, and respond to requests for information by regulatory authorities and law enforcement agencies. The Financial Crimes Enforcement Network of the U.S. Department of the Treasury and U.S. federal and state bank regulatory agencies, as well as the U.S. Department of Justice, have the authority to impose significant civil money penalties for violations of those requirements. There is also scrutiny of compliance with applicable U.S. economic sanctions administered by the Office of Foreign Assets Control ('OFAC') of the U.S. Department of the Treasury against certain foreign countries, governments, individuals and entities to counter threats to U.S. national security, foreign policy, or the economy. OFAC-administered sanctions take many different forms. For example, sanctions may include: (1) restrictions on U.S. persons’ trade with or investment in a sanctioned country, including prohibitions against direct or indirect imports from and exports to a sanctioned country and prohibitions on U.S. persons engaging in financial transactions relating to, making investments in, or providing investment-related advice or assistance to, a sanctioned country; and (2) blocking of assets of targeted governments or 'specially designated nationals,' by prohibiting transfers of property subject to U.S. jurisdiction, including property in the possession or control of U.S. persons. Blocked assets, such as property and bank deposits, cannot be paid out, withdrawn, set off or transferred in any manner without a license from OFAC. In addition, non-U.S. persons can be liable for “causing” a sanctions violation by a U.S. person or can violate U.S. sanctions by exporting services from the United States to a sanctions target, for example by engaging in transactions with targets of U.S. sanctions denominated in U.S. dollars that clear through U.S. financial institutions (including through U.S. branches or subsidiaries of non-U.S. banks). In addition, the U.S. government has implemented various sanctions that target non-U.S. persons, including non-U.S. financial institutions that engage in certain activities undertaken outside the United States and without the involvement of any U.S. persons (“secondary sanctions”) that involve Hong Kong, Iran, North Korea, Russia, Syria, or Hezbollah. If a non-U.S. financial institution were determined to have engaged in activities targeted by certain secondary U.S. sanctions, it could lose its ability to open or maintain correspondent or similar accounts with U.S. financial institutions, among other potential consequences. Failures to comply with applicable U.S. AML laws or regulations or economic sanctions could have severe legal and reputational consequences, including significant civil and criminal penalties, and certain AML violations could result in a termination of U.S. banking licenses. The lack of certainty on possible requirements arising from any new AML laws or sanctions could pose risks given the possible penalties for financial crime compliance failings. If such penalties are incurred, then they could have a material adverse effect on our operations, financial condition and prospects. In addition, U.S. regulators have taken actions against non-U.S. bank holding companies requiring them to improve their oversight of their U.S. subsidiaries’ Bank Secrecy Act programs and compliance. Further, U.S. federal banking agencies are required, when reviewing bank and bank holding company acquisition or merger applications, to take into account the effectiveness of the AML compliance record of the applicant. See also “Supplemental Information. Section 10. Supervision and Regulation” Data privacy and cybersecurity We receive, maintain, transmit, store and otherwise process proprietary, sensitive and confidential data, including public and non-public personal information of our customers, employees, counterparties and other third parties, including, but not limited to, personally identifiable information and personal financial information. The collection, sharing, use, retention, disclosure, protection, transfer and other processing of this information is governed by stringent federal, state, local and foreign laws, rules and regulations, and the regulatory framework for data privacy and cybersecurity is in considerable flux and evolving rapidly. As data privacy and cybersecurity risks for banking organizations and the broader financial system have significantly increased in recent years, data privacy and cybersecurity issues have become the subject of increasing legislative and regulatory focus. Internationally, virtually every jurisdiction in which we operate has established its own data privacy and cybersecurity legal framework with which we must comply. For example, on 25 May 2018, the Regulation (EU) 2016/279 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the 'General Data Protection Regulation' or 'GDPR') became directly applicable in all member states of the EU. To align the Spanish legal regime with the GDPR, Spain enacted the Organic Law 3/2018, of 5 December, on Data Protection and the safeguarding of digital rights which repealed the Spanish Organic Law 15/1999, of 13 December, on data protection. Additionally, following the United Kingdom’s withdrawal from the EU, we also are subject to the U.K. General Data Protection Regulation ('U.K. GDPR') (i.e., a version of the GDPR as implemented into U.K. law). Although a number of basic existing principles have remained the same, the GDPR and U.K. GDPR introduced extensive new obligations on both data controllers and processors, as well as rights for data subjects. The GDPR and U.K. GDPR, together with national legislation, regulations and guidelines of the EU member states governing the processing of personal data, impose strict obligations and restrictions on the ability to collect, use, retain, protect, disclose, transfer and otherwise process personal data. In particular, the GDPR includes obligations and restrictions concerning the consent and rights of individuals to whom the personal data relates, the transfer of personal data out of the European Economic Area ('EEA'), security breach notifications and the security and confidentiality of personal data. The GDPR and U.K. GDPR also impose significant fines and penalties for non-compliance of up to the higher of 4% of annual worldwide turnover or EUR 20 million (or GBP 17.5 million under the U.K. GDPR), whichever is greater. The implementation of the GDPR, U.K. GDPR and other data protection regimes has required substantial amendments to our procedures and policies. The changes have impacted, and could further adversely impact, our business by increasing our operational and compliance costs. We expect the number of jurisdictions adopting their own data privacy and cybersecurity laws to increase, which will likely require us to devote additional significant operational resources for our compliance efforts and incur additional significant expenses. It is also likely to increase our exposure to risk of claims that we have not complied with all applicable data privacy and cybersecurity laws, rules and regulations. Recent legal developments in the EEA, including recent rulings from the Court of Justice of the European Union and from various EU member state data protection authorities, have created complexity and uncertainty regarding transfers of personal data from the EEA to the United States and other so-called third countries outside the EEA. Similar complexities and uncertainties also apply to transfers from the United Kingdom to third countries. While we have taken steps to mitigate the impact on us, such as implementing the supplementary measures applicable in accordance with the regulatory risk of the country of destination of the personal data, the efficacy and longevity of these mechanisms remains uncertain. In the United States, there are numerous federal, state and local data privacy and security laws, rules, and regulations governing the collection, sharing, use, retention, disclosure, protection, transfer and other processing of personal information, including federal and state data privacy laws, data breach notification laws, and data disposal laws. For example, at the federal level, among other laws, rules and regulations, we are subject to the Gramm-Leach-Bliley Act ('GLBA'), which requires financial institutions to, among other things, periodically disclose their privacy policies and practices relating to sharing non-public personal information and enables retail customers to opt out of our ability to share such personal information with unaffiliated third parties under certain circumstances. The GLBA also requires financial institutions to implement a comprehensive information security program that includes administrative, technical and physical safeguards to ensure the security and confidentiality of customer records and information. Like other lenders, Santander Bank and other of our U.S. subsidiaries also use credit bureau data in their underwriting activities, and the use of such data is regulated under the Fair Credit Reporting Act ('FCRA'). Santander Bank and our U.S. subsidiaries are also subject to the rules and regulations promulgated under the authority of the Federal Trade Commission, which regulates unfair or deceptive acts or practices, including with respect to data privacy and cybersecurity. Moreover, the United States Congress has recently considered, and is currently considering, various proposals for more comprehensive data privacy and cybersecurity legislation, to which we and our U.S. subsidiaries may be subject if passed. Data privacy and cybersecurity are also areas of increasing state legislative focus, and states are increasingly proposing or enacting legislation that relates to data privacy and cybersecurity. For example, the California Consumer Privacy Act ('CCPA'), which took effect on January 1, 2020, gives California residents the right to, among other things, request disclosure of information collected about them, and whether that information has been sold or shared with others, the right to request deletion of personal information (subject to certain exceptions), the right to opt out of the sale of their personal information, and the right not to be discriminated against for exercising their rights. Further, effective in most material respects starting on January 1, 2023, the California Privacy Rights Act ('CPRA') (which was passed via a ballot initiative as part of the November 2020 election) will significantly modify the CCPA, including by expanding California residents’ rights with respect to certain sensitive personal information. Other states where we do business, or may in the future do business, or from which we otherwise collect, or may in the future otherwise collect, personal information of residents have adopted or are considering adopting similar laws. For example, Virginia and Colorado have recently adopted comprehensive data privacy laws similar to the CCPA, which will go into effect in January and July of 2023, respectively. In addition, laws in all 50 U.S. states generally require businesses to provide notice under certain circumstances to consumers whose personal information has been disclosed as a result of a data breach, and we may be required to report events related to data privacy or cybersecurity issues, events where customer information may be compromised, unauthorized access to our systems and other security breaches, to affected individuals or the relevant regulatory authorities. Additionally, our New York branch is supervised by the New York State Department of Financial Services ('NYDFS'). The NYDFS issued Cybersecurity Requirements for Financial Services Companies, which took effect in 2017, and which require banks, insurance companies and other financial services institutions regulated by the NYDFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry. The cybersecurity regulation adds specific requirements for these institutions’ cybersecurity compliance programs and imposes an obligation to conduct ongoing, comprehensive risk assessments. Further, on an annual basis, each institution is required to submit a certification of compliance with these requirements. Data privacy and cybersecurity laws, rules and regulations continue to evolve and may result in ever-increasing public scrutiny and escalating levels of enforcement and sanctions. We may become subject to new legislation or regulations concerning data privacy or cybersecurity, which could require us to incur significant additional costs and expenses in an effort to comply. We could also be adversely affected if new legislation or regulations are adopted or if existing legislation or regulations are modified or interpreted such that we are required to alter our systems or require changes to our business practices, processes or privacy policies. If cybersecurity, data privacy, data protection, data transfer or data retention laws, rules or regulations are implemented, interpreted or applied in a manner inconsistent with our current practices or policies, or if we fail to comply (or are perceived to have failed to comply) with applicable laws, rules and regulations relating to data privacy and cybersecurity, we may be subject to substantial fines, civil or criminal penalties, costly litigation (including class actions), claims, proceedings, judgments, awards, penalties, sanctions, regulatory enforcement actions, government investigations or inquiries, or other adverse impacts, or be ordered to change our business practices, policies or systems in a manner that adversely impacts our operating results, any of which could have a material adverse effect on our business.

We are required to comply with applicable AML, anti-terrorism, anti-bribery and corruption, sanctions and other laws and regulations. These laws and regulations require us, among other things, to conduct full customer due diligence (including sanctions and politically-exposed person screening), keep our customer, account and transaction information up to date and have financial crime policies and procedures in place detailing what is required from those responsible. We are also required to conduct AML training for our employees and to report suspicious transactions and activity to appropriate law enforcement following full investigation by our local AML team. Financial crime continues to be the subject of enhanced regulatory scrutiny and supervision by regulators globally. AML, anti-bribery and corruption and sanctions laws and regulations are increasingly complex and detailed. Key standard-setting and regulatory bodies continue to provide guidelines to strengthen the interaction and cooperation between prudential and AML/CFT supervisors. Compliance with these laws and regulations requires automated systems, sophisticated monitoring and skilled compliance personnel. For example, Santander UK plc is cooperating with an FCA civil regulatory investigation which commenced in July 2017 regarding its compliance with the 2007 Money Laundering Regulations and potential breaches of FCA principles and rules relating to anti-money laundering and financial crime systems and controls. The FCA’s investigation focuses primarily on the period of 2012 to 2017 and includes consideration of high risk customers including Money Service Businesses. At this point, we are unable to predict any potential liability resulting from the investigation including any financial penalty. We maintain updated policies and procedures aimed at detecting and preventing the use of our banking network for money laundering and other financial crime related activities. However, emerging technologies, such as cryptocurrencies and innovative payment methods, could limit our ability to track the movement of funds. Our ability to comply with the legal requirements depends on our ability to improve detection and reporting capabilities and reduce variation in control processes and oversight accountability. These require implementation and embedding within our business effective controls and monitoring, which in turn requires on-going changes to systems and operational activities. Financial crime is continually evolving and, as noted, is subject to increasingly stringent regulatory oversight and focus. This requires proactive and adaptable responses from us so that we are able to deter threats and criminality effectively. As a global bank, we are particularly exposed to this risk. Even known threats can never be fully eliminated, and there will be instances where we may be used by other parties to engage in money laundering and other illegal or improper activities. In addition, we rely heavily on our employees to assist us by spotting such activities and reporting them, and our employees have varying degrees of experience in recognizing criminal tactics and understanding the level of sophistication of criminal organizations. Where we outsource any of our customer due diligence, customer screening or anti financial crime operations, we remain responsible and accountable for full compliance and any breaches. If we are unable to apply the necessary scrutiny and oversight of third parties to whom we outsource certain tasks and processes, there remains a risk of regulatory breach. If we are unable to comply fully with applicable laws, regulations and expectations, our regulators and relevant law enforcement agencies have the ability and authority to impose significant fines and other penalties on us, including requiring a complete review of our business systems, day-to-day supervision by external consultants and ultimately the revocation of our banking license. The reputational damage to our business and global brand would be severe if we were found to have breached AML, anti-bribery and corruption or sanctions requirements. Our reputation could also suffer if we are unable to protect our customers’ bank products and services from being used by criminals for illegal or improper purposes. The Brazilian Federal Public Prosecutor’s Office, or 'MPF' has charged one of our officers in connection with the alleged bribery of a Brazilian tax auditor to secure favourable decisions in tax cases resulting in a claimed R$83 million (approximately U.S.$15 million) benefit to us. On 23 October 2018, the officer was formally indicted and asked to present his defence. On 5 November 2018 the officer in question presented his defence. The proceedings is currently in course. We are not a party to these proceedings. We have voluntarily provided information to the Brazilian authorities and have relinquished the benefit of certain tax credits to which the allegations relate in order to show good faith. In addition, while we review our relevant counterparties’ internal policies and procedures with respect to such matters, we expect our relevant counterparties to maintain and properly apply their own appropriate compliance procedures and internal policies. Such measures, procedures and internal policies may not be completely effective in preventing third parties from using our (and our relevant counterparties’) services as a conduit for illicit purposes (including illegal cash operations) without our (and our relevant counterparties’) knowledge. If we are associated with, or even accused of being associated with, breaches of AML, anti-terrorism, or sanctions requirements our reputation could suffer and/or we could become subject to fines, sanctions and/or legal enforcement (including being added to ‘watch lists' that would prohibit certain parties from engaging in transactions with us), any one of which could have a material adverse effect on our operating results, financial condition and prospects. Any such risks could have a material adverse effect on our operating results, financial condition and prospects. See also risk factor '2.1.2 We are subject to extensive regulation and regulatory and governmental oversight which could adversely affect our business, operations and financial condition - United States Significant Regulation - Anti-Money Laundering and economic sanctions'.

The preparation of our tax returns requires the use of estimates and interpretations of complex tax laws and regulations and is subject to review by tax authorities. We are subject to the income tax laws of Spain and the other jurisdictions in which we operate. These tax laws are complex and subject to different interpretations by the taxpayer and relevant governmental tax authorities, which are sometimes subject to prolonged evaluation periods until a final resolution is reached. In establishing a provision for income tax expense and filing returns, we must make judgements and interpretations about the application of these inherently complex tax laws. If the judgement, estimates and assumptions we use in preparing our tax returns are subsequently found to be incorrect, there could be a material adverse effect on our results of operations. In some jurisdictions, the interpretations of the tax authorities are unpredictable and frequently involve litigation, which introduces further uncertainty and risk as to tax expense.

On 31 January 2020, the UK ceased to be a member of the EU, on withdrawal terms that established a transition period until 31 December 2020. During the transition period, the UK continued to be treated as an EU member state and applicable EU legislation continued to be in force. A trade deal was agreed between the UK and the EU prior to the end of the transition period and the new regulations came into force on 1 January 2021. The trade deal, however, did not include agreements on certain areas, such as financial services and data adequacy. As a result, Santander UK has, and will continue to have, a limited ability to provide cross-border services to EU customers and to trade with EU counterparties. The wider impact of Brexit on financial markets through market fragmentation, reduced access to finance and funding, and lack of access to certain financial market infrastructure, may affect our operations, financial condition and prospects and those of our customers. Uncertainty also remains around the effect of Brexit on the UK’s economic recovery from the covid-19 pandemic, as Brexit exacerbated global pandemic-related supply and labour market constraints and reduced economic output and exports as businesses attempt to adapt the new cross-border procedures and rules applicable in the UK and in the EU to their activities, products, customers and suppliers. While the longer term effects of the UK’s withdrawal from the EU are difficult to assess, there is ongoing political and economic uncertainty, such as: (i) increased friction with the EU and EU countries; (ii) the possibility of a second referendum on Scottish independence from the UK; and (iii) instability in Northern Ireland derived from the UK proposal to replace the current Northern Ireland protocol agreed with the EU, which could negatively affect Santander UK’s customers and counterparties and have a material adverse effect on our operations, financial condition and prospects. We considered these circumstances in our assessment of the recoverability of the cash-generating unit that supports Santander UK's goodwill, which was impaired during 2020 and 2019. In 2021, there was no impairment of Santander UK's goodwill. See note 17 to our consolidated financial statements included in Part 2 of this annual report on Form 20-F.

There is an increasing concern over the risks of climate change and related environmental sustainability matters. Climate change may imply three primary drivers of financial risk that could adversely affect us: •Transition risks associated with the move to a low-carbon economy, both at idiosyncratic and systemic levels, such as through policy, regulatory and technological changes , which could increase our expenses and impact our strategies. •Physical risks related to discrete events, such as flooding and wildfires, and extreme weather impacts and longer term shifts in climate patters, such as extreme heat, sea level rise and more frequent and prolonged drought, which could result in financial losses that could impair asset values and the creditworthiness of our customers. Such events could disrupt our operations or those of our customers or third parties on which we rely and do business with, including through direct damage to assets and indirect impacts from supply chain disruption and market volatility. •Liability risks derived from parties who may suffer losses from the effects of climate change and may seek compensation from those they hold responsible such as state entities, regulators, investors and lenders. These primary drivers could materialize, among others, in the following financial risks: •Credit risks: Physical climate change could lead to increased credit exposure and companies with business models not aligned with the transition to a low-carbon economy may face a higher risk of reduced corporate earnings and business disruption due to new regulations or market shifts. •Market risks: Market changes in the most carbon-intensive sectors could affect energy and commodity prices, corporate bonds, equities and certain derivatives contracts. Increasing frequency of severe weather events could affect macroeconomic conditions, weakening fundamental factors such as economic growth, employment and inflation. •Operational risks: Severe weather events could directly impact business continuity and operations both of customers and ours. •Reputational risk: our reputation and client relationships may be damaged as a result of our practices and decisions related to climate change and the environment, or to the practices or involvement of our clients, in certain industries or projects associated with causing or exacerbating climate change. As climate risk is interconnected with all key risk types, we have developed and continue to enhance processes to embed climate risk considerations into our risk management strategies established for risks; however, because the timing and severity of climate change may not be predictable, our risk management strategies may not be effective in mitigating climate risk exposure. Any of the conditions described above could have a material adverse effect on our business, financial condition and results of operations.

Liquidity risk is the risk that we either do not have sufficient financial resources available to meet our obligations as they are due, or we can only secure them at excessive cost. This risk is inherent in any banking business and can be heightened by a number of enterprise-specific factors, including over-reliance on a particular source of funding, changes in credit ratings or market-wide phenomena such as market dislocation, including as a result of the covid-19 pandemic. While we have in place liquidity management processes to mitigate and control these risks, as well as an organizational model based on autonomous subsidiaries in terms of capital and liquidity which limits the possibility of contagion between them, systemic market factors make it difficult to eliminate these risks completely. Constraints in the supply of liquidity, including in inter-bank lending, could materially and adversely affect the cost of funding of our business, and extreme liquidity constraints may affect our current operations and our ability to fulfil regulatory liquidity requirements, as well as limit growth possibilities. Our cost of obtaining funding is directly related to prevailing interest rates and to our credit spreads. Increases in interest rates and/or in our credit spreads could significantly increase the cost of our funding. Credit spreads variations are market-driven and may be influenced by market perceptions of our creditworthiness. Changes to interest rates and our credit spreads may occur frequently and could be unpredictable and highly volatile. We rely, and will continue to rely, primarily on retail deposits to fund lending activities. The ongoing availability of this type of funding is sensitive to a variety of factors beyond our control, such as general economic conditions and the confidence of retail depositors in the economy and in the financial services industry, and the availability and extent of deposit guarantees, as well as competition for deposits between banks or with other products, such as mutual funds. Any of these factors could increase the amount of retail deposit withdrawals in a short period of time, thereby reducing our ability to access retail deposit funding on appropriate terms, or at all, in the future. If these circumstances were to arise, this could have a material adverse effect on our operating results, financial condition and prospects. Central banks took extraordinary measures to increase liquidity in the financial markets as a response to the financial crisis and the covid-19 crisis. If these facilities, which are starting to be progressively reduced, were to be rapidly removed, this could have an adverse effect on our ability to access liquidity and on our funding costs. Additionally, our activities could be adversely impacted by liquidity tensions arising from generalized drawdowns of committed credit lines to our customers. We cannot assure that in the event of a sudden or unexpected shortage of funds in the banking system, we will be able to maintain levels of funding without incurring high funding costs, a reduction in the term of funding instruments or the liquidation of certain assets. If this were to happen, we could be materially adversely affected. Finally, the implementation of internationally accepted liquidity ratios might require changes in business practices that affect our profitability. The LCR is a liquidity standard that measures if banks have sufficient high-quality liquid assets to cover expected net cash outflows over a 30-day liquidity stress period. At 31 December 2021, our LCR ratio was 163%, above the 100% minimum requirement. The NSFR provides a sustainable maturity structure of assets and liabilities such that banks maintain a stable funding profile in relation to their activities. At the end of 2021, this ratio stands at 126% for the Group and over 100% for all our main subsidiaries.

The success of our operations and our profitability depends, in part, on the success of new products and services we offer our clients and our ability to offer products and services that meet the customers’ needs during all their life cycle. However, our clients’ needs or desires may change over time, and such changes may render our products and services obsolete, outdated or unattractive and we may not be able to develop new products that meet our clients’ changing needs. Our success is also dependent on our ability to anticipate and leverage new and existing technologies that may have an impact on products and services in the banking industry. Technological changes may further intensify and complicate the competitive landscape and influence client behaviour. If we cannot respond in a timely fashion to the changing needs of our clients, we may lose clients, which could in turn materially and adversely affect us. In addition, the cost of developing products is likely to affect our results of operations. As we expand the range of our products and services, some of which may be at an early stage of development in the markets of certain regions where we operate, we will be exposed to new and potentially increasingly complex risks, such as the conduct risk in the relationship with customers, and development expenses. Our employees and risk management systems, as well as our experience and that of our partners may not be sufficient to enable us to properly manage such risks. Any or all of these factors, individually or collectively, could have a material adverse effect on us. While we have successfully increased our customer service levels in recent years, should these levels ever be perceived by the market to be materially below those of our competitor financial institutions, we could lose existing and potential business. If we are not successful in retaining and strengthening customer relationships, we may lose market share, incur losses on some or all of our activities or fail to attract new deposits or retain existing deposits, which could have a material adverse effect on our operating results, financial condition and prospects.

Our ability to remain competitive depends in part on our ability to upgrade our information technology in an effective, timely and cost-effective manner. We must continually make significant investments in, and improvements to, our information technology infrastructure and information management systems in order to meet the needs of our customers. We cannot guarantee that in the future we will be able to maintain the level of capital expenditures necessary to support the continuous improvement and upgrading of our information technology infrastructure and information management systems. To the extent we are dependent on any particular technology or technological solution, we may be harmed if such technology or technological solution becomes non-compliant with existing industry standards or applicable laws, rules or regulations, fails to meet or exceed the capabilities of our competitors’ equivalent technologies or technological solutions, becomes increasingly expensive to service, retain and update, becomes subject to third-party claims of intellectual property infringement, misappropriation or other violation, or malfunctions or functions in a way we did not anticipate. Additionally, new technologies and technological solutions are continually being released. As such, it is difficult to predict the problems we may encounter in improving our technologies’ functionality. There is no assurance that we will be able to successfully adopt new technology as critical systems and applications become obsolete and better ones become available. Any failure to effectively improve or upgrade our information technology infrastructure and information management systems in an effective, timely and cost-efficient manner could have a material adverse effect on us.

We provide retirement benefits for many of our former and current employees through a number of defined benefit pension plans. We calculate the amount of our defined benefit obligations using actuarial techniques and assumptions, including mortality rates, the rate of increase of salaries, discount rates, inflation, the expected rate of return on plan assets, and others. The accounting and disclosures are based on IFRS-IASB and on those other requirements defined by the local supervisors. Given the nature of these obligations, changes in the assumptions that support valuations, including market conditions, can result in actuarial losses which would in turn impact the financial condition of our pension funds. Because pension obligations are generally long term obligations, fluctuations in interest rates have a material impact on the projected costs of our defined benefit obligations and therefore on the amount of pension expense that we accrue. Any increase in the current size of the funding deficit in our defined benefit pension plans could result in our having to make increased contributions to reduce or satisfy the deficits, which would divert resources from use in other areas of our business. Any such increase may be due to certain factors over which we have no or limited control. Increases in our pension liabilities and obligations could have a material adverse effect on our business, financial condition and results of operations. At 31 December 2021, our provision for pensions and other obligations amounted to EUR 4,427 million. See more information in note 25.c) to our consolidated financial statements included in Part 2 of this annual report on Form 20-F.