Capital One Financial (COF) Risk Factors

Our industry is subject to rapid and significant technological changes and our ability to meet our customers' needs and expectations is key to our ability to grow revenue and earnings. We expect digital technologies to continue to have a significant impact on banking over time. Consumers expect robust digital experiences from their financial services providers. The ability for customers to access their accounts and conduct financial transactions using digital technology, including mobile applications, is an important aspect of the financial services industry and financial institutions are rapidly introducing new digital and other technology-driven products and services that aim to offer a better customer experience and to reduce costs. We continue to invest in digital technology designed to attract new customers, facilitate the ability of existing customers to conduct financial transactions and enhance the customer experience related to our products and services. Our continued success depends, in part, upon our ability to assess and address the needs of our customers by using digital technology to provide products and services that meet their expectations. The development and launch of new digital products and services depends in large part on our ability to invest in and build the technology platforms that can enable them, in a cost effective and timely manner. We expect that new technologies in the payments industry will continue to emerge, and these new technologies may be superior to our existing technology. See "We face intense competition in all of our markets" and "We face risks related to our operational, technological and organizational infrastructure." Some of our competitors are substantially larger than we are, which may allow those competitors to invest more money into their technology infrastructure and digital innovation than we do. In addition, smaller competitors may experience lower cost structures and different regulatory requirements and scrutiny than we do, which may allow them to innovate more rapidly than we can. See "We face intense competition in all of our markets." Further, our success depends on our ability to attract and retain strong digital and technology leaders, engineers and other specialized personnel. The competition is intense and the compensation costs continue to increase for such talent. If we are unable to attract and retain digital and technology talent, our ability to offer digital products and services and build the necessary technology infrastructure could be negatively affected, which could negatively impact our business and financial results. A failure to maintain or enhance our competitive position with respect to digital products and services, whether because we fail to anticipate customer expectations or because our technological developments fail to perform as desired or are not implemented in a timely or successful manner, could negatively impact our business and financial results.

We rely on a variety of measures to protect and enhance our intellectual property, including copyrights, trademarks, trade secrets, patents and certain restrictions on disclosure, solicitation and competition. We also undertake other measures to control access to and distribution of our other proprietary and confidential information. These measures may not prevent misappropriation of our proprietary or confidential information or infringement, misappropriation or other violations of our intellectual property rights and a resulting loss of competitive advantage. In addition, our competitors or other third parties may obtain patents for innovations that are used in our industry or allege that our systems, processes or technologies infringe, misappropriate or violate their intellectual property rights. Given the complex, rapidly changing and competitive technological and business environments in which we operate, if our competitors or other third parties are successful in obtaining such patents or prevail in intellectual property-related litigation against us, we could lose significant revenues, incur significant license, royalty, technology development or other expenses, or pay significant damages.

Our ability to provide our products and services and communicate with our customers, depends upon the management and safeguarding of information systems and infrastructure, networks, software, data, technology, methodologies and business secrets, including those of our service providers. Our products and services involve the collection, authentication, management, usage, storage, transmission and destruction of sensitive and confidential information, including personal information, regarding our customers and their accounts, our employees, our partners and other third parties with which we do business. We also have arrangements in place with third-party business partners through which we share and receive information about their customers who are or may become our customers. The financial services industry, including Capital One, is particularly at risk because of the increased use of and reliance on digital banking products and other digital services, including mobile banking products, such as mobile payments, and other internet- and cloud-based products and applications, and the development of additional remote connectivity solutions, which increase cybersecurity risks and exposure. In addition, global events and geopolitical instability (including, without limitation, the war between Israel and Hamas, the war between Ukraine and Russia and the related sanctions imposed by the U.S. and other countries, and increased geopolitical tensions between the U.S. and China) may lead to increased nation state targeting of financial institutions in the U.S. and abroad. Technologies, systems, networks and other devices of Capital One, as well as those of our employees, service providers, partners and other third parties with whom we interact, have been and may continue to be the subject of cyber-attacks and other security incidents, including computer viruses, hacking, malware, ransomware, supply chain attacks, vulnerabilities, credential stuffing, account takeovers, insider threats, business email compromise scams or phishing or other forms of social engineering. Such cyber-attacks and other security incidents are designed to lead to various harmful outcomes, such as unauthorized transactions in Capital One accounts, unauthorized or unintended access to or release, gathering, monitoring, disclosure, loss, destruction, corruption, disablement, encryption, misuse, modification or other processing of confidential or sensitive information (including personal information), intellectual property, software, methodologies or business secrets, disruption, sabotage or degradation of service, systems or networks, an attempt to extort Capital One, its third-party service providers or its business partners or other damage. Cyber-attacks and other security incidents that occur in the supply chain of third parties with which we interact could also negatively impact Capital One. These threats may derive from, among other things, error, fraud or malice on the part of our employees, insiders, or third parties or may result from accidental technological failure or design flaws. Any of these parties may also attempt to fraudulently induce employees, service providers, customers, partners or other third-party users of our systems or networks to disclose confidential or sensitive information (including personal information) in order to gain access to our systems, networks or data or that of our customers, partners, or third parties with whom we interact, or to unlawfully obtain monetary benefit through misdirected or otherwise improper payment. For instance, any party that obtains our confidential or sensitive information (including personal information) through a cyber-attack or other security incident may use this information for ransom, to be paid by us or a third party, as part of a fraudulent activity that is part of a broader criminal activity, or for other illicit purposes. Additionally, the failure of our employees, third-party service providers or business partners, or their respective supply chains, to exercise sound judgment and vigilance when targeted with social engineering or other cyber-attacks may increase our vulnerability. For example, on July 29, 2019, we announced that on March 22 and 23, 2019 an outside individual gained unauthorized access to our systems (the "2019 Cybersecurity Incident"). This individual obtained certain types of personal information relating to people who had applied for our credit card products and to our credit card customers. While the 2019 Cybersecurity Incident has been remediated, it resulted in fines, litigation, consent orders, settlements, government investigations and other regulatory enforcement inquiries. Cyber and information security risks for large financial institutions like us continue to increase due to the proliferation of new technologies, the industry-wide shift to reliance upon the internet to conduct financial transactions, the increased sophistication and activities of malicious actors, organized crime, perpetrators of fraud, hackers, terrorists, activists, extremist parties, formal and informal instrumentalities of foreign governments, state-sponsored or nation-state actors and other external parties and the growing use of AI by threat actors. In addition, our customers access our products and services using personal devices that are necessarily external to our security control systems. There has also been a significant proliferation of consumer information available on the internet resulting from breaches of third-party entities, including personal information, log-in credentials and authentication data. These third-party breach events could create a threat for our customers if their Capital One log-in credentials are the same as or similar to the credentials that have been compromised on other internet sites. This threat could include the risk of unauthorized account access, data loss and fraud. The use of AI, "bots" or other automation software can increase the velocity and efficacy of these types of attacks. As our employees are operating under our hybrid work model, our remote interaction with employees, service providers, partners and other third parties on systems, networks and environments over which we have less control (such as through employees' personal devices) increases our cybersecurity risk exposure. We will likely face an increasing number of attempted cyber-attacks as we expand our mobile and other internet-based products and services, as well as our usage of mobile and cloud technologies and as we provide more of these services to a greater number of retail banking customers. The methods and techniques employed by malicious actors develop and evolve rapidly, including from emerging technologies, such as advanced forms of AI and quantum computing, are increasingly sophisticated and often are not fully recognized or understood until after they have occurred, and some techniques could occur and persist for an extended period of time before being detected and remediated. For example, although we immediately fixed the configuration vulnerability that was exploited in the 2019 Cybersecurity Incident once we discovered the unauthorized access, a period of time elapsed between the occurrence of the unauthorized access and the time when we discovered it. In other circumstances, we and our service providers and other third parties with which we interact may be unable to anticipate or identify certain attack methods or techniques in order to implement effective preventative or detective measures or mitigate or remediate the damages caused in a timely manner. We may also be unable to hire, develop and retain talent that keeps pace with the rapidly changing cyber threat landscape, and which are capable of preventing, detecting, mitigating or remediating these risks. Although we seek to maintain a robust suite of authentication and layered information security controls, any one or combination of these controls could fail to prevent, detect, mitigate, remediate or recover from these risks in a timely manner. An actual, suspected, threatened or alleged disruption or breach, including as a result of a cyber-attack such as the 2019 Cybersecurity Incident, or media (including social media) reports of alleged or perceived security vulnerabilities or incidents at Capital One or at our service providers, could result in significant legal and financial exposure, regulatory intervention, litigation, enforcement actions, remediation costs, card reissuance, supervisory liability, damage to our reputation or loss of confidence in the security of our systems, products and services that could adversely affect our business. Moreover, new regulations may require us to publicly disclose certain information about certain cybersecurity incidents before they have been resolved or fully investigated. There can be no assurance that unauthorized access or cyber incidents similar to the 2019 Cybersecurity Incident will not occur or that we will not suffer material losses in the future. If future attacks are successful or if customers are unable to access their accounts online for other reasons, it could adversely impact our ability to service customer accounts or loans, complete financial transactions for our customers or otherwise operate any of our businesses or services. In addition, a breach or attack affecting one of our service providers or other third parties with which we interact could harm our business even if we do not control the service that is attacked. Further, our ability to monitor our service providers' and other business partners' cybersecurity practices is inherently limited. Although the agreements that we have in place with our service providers (and other business partners) generally include requirements relating to privacy, data protection and data security, we cannot guarantee that such agreements will prevent a cyber incident impacting our systems or information or enable us to obtain adequate or any reimbursement from our service providers or other business partners in the event we should suffer any such incidents. However, due to applicable laws and regulations or contractual obligations, we may be held responsible for cyber incidents attributed to our service providers and other business partners as they relate to the information we share with them. In addition, we continue to incur increased costs with respect to preventing, detecting, investigating, mitigating, remediating, and recovering from cybersecurity risks, as well as any related attempted fraud. In order to address ongoing and future risks, we must expend significant resources to support protective security measures, investigate and remediate any vulnerabilities of our information systems and infrastructure and invest in new technology designed to mitigate security risks. Further, high profile cyber incidents at Capital One or other large financial institutions could undermine our competitive advantage and divert management attention and resources, lead to a general loss of customer confidence in financial institutions that could negatively affect us, including harming the market perception of the effectiveness of our security measures or the global financial system in general, which could result in reduced use of our financial products. We have insurance against some cyber risks and attacks; nonetheless, our insurance coverage may not be sufficient to offset the impact of a material loss event (including if our insurer denies coverage as to any particular claim in the future), and such insurance may increase in cost or cease to be available on commercially reasonable terms, or at all, in the future.

Our businesses are subject to increased litigation, government investigations and other regulatory enforcement risks as a result of a number of factors and from various sources, including the highly regulated nature of the financial services industry, the focus of state and federal prosecutors on banks and the financial services industry and the structure of the credit card industry. Given the inherent uncertainties involved in litigation, government investigations and regulatory enforcement decisions, and the very large or indeterminate damages sought in some matters asserted against us, there can be significant uncertainty as to the ultimate liability we may incur from these kinds of matters. The finding, or even the assertion, of substantial legal liability against us could have a material adverse effect on our business and financial condition and could cause significant reputational harm to us, which could seriously harm our business. For example, the 2019 Cybersecurity Incident has resulted in litigation, consent orders, settlements, government investigations and other regulatory enforcement inquiries. In addition, financial institutions, such as ourselves, face significant regulatory scrutiny, which can lead to public enforcement actions or nonpublic supervisory actions. We and our subsidiaries are subject to comprehensive regulation and periodic examination by, among other regulatory bodies, the Federal Banking Agencies, SEC, CFTC and CFPB. We have been subject to enforcement actions by many of these and other regulators and may continue to be involved in such actions, including governmental inquiries, investigations and enforcement proceedings, including by the OCC, Department of Justice, the FinCEN and state Attorneys General. Over the last several years, federal and state regulators have focused on risk management, compliance with anti-money laundering ("AML") and sanctions laws, privacy, data protection and data security, use of service providers, fair lending and other consumer protection issues and innovative activities, such as those that utilize new technology. In August 2020, we entered into consent orders with the Federal Reserve and the OCC resulting from regulatory reviews of the 2019 Cybersecurity Incident and relating to ongoing enhancements of our cybersecurity and operational risk management processes, and we paid a civil monetary penalty as part of the OCC agreement. The OCC and the Federal Reserve have since terminated their consent orders. In January 2021, we also paid a civil monetary penalty assessed by FinCEN against the Bank in connection with AML violations alleged to have occurred between 2008 and 2014. Regulatory scrutiny is expected to continue in these areas, including as a result of implementation of the AML Act of 2020. We expect that regulators and governmental enforcement bodies will continue taking public enforcement actions against financial institutions in addition to addressing supervisory concerns through nonpublic supervisory actions or findings, which could involve restrictions on our activities, or our ability to make acquisitions or otherwise expand our business, among other limitations that could adversely affect our business. In addition, a violation of law or regulation by another financial institution is likely to give rise to an investigation by regulators and other governmental agencies of the same or similar practices by us. Furthermore, a single event may give rise to numerous and overlapping investigations and proceedings. These and other initiatives from governmental authorities and officials may subject us to further judgments, settlements, fines or penalties, or cause us to restructure our operations and activities or to cease offering certain products or services, all of which could harm our reputation or lead to higher operational costs. Litigation, government investigations and other regulatory actions could generally subject us to significant fines, increased expenses, restrictions on our activities and damage to our reputation and our brand, and could adversely affect our business, financial condition and results of operations. For additional information regarding legal and regulatory proceedings to which we are subject, see "Part II-Item 8. Financial Statements and Supplementary Data-Note 18-Commitments, Contingencies, Guarantees and Others."

We are subject to a variety of continuously evolving and developing laws and regulations in the United States at the federal, state and local level regarding privacy, data protection and data security, including those related to the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information. For example, at the federal level, we are subject to the GLBA and the FCRA, among other laws and regulations. Moreover, legislative changes have been proposed in the U.S. Congress for more comprehensive privacy, data protection and data security legislation, to which we may be subject if passed. The enactment of CIRCIA, once rulemaking is complete, will require, among other things, certain companies to report significant cyber incidents to the CISA within 72 hours from the time the company reasonably believes the incident occurred. At the state level, California has enacted the CPRA, and various other states also have enacted or are in the process of enacting state-level privacy, data protection and/or data security laws and regulations, with which we may be required to comply. Additionally, the Federal Banking Agencies, as well as the SEC and related self-regulatory organizations, regularly issue guidance regarding cybersecurity that is intended to enhance cyber risk management among financial institutions. We also are, or may become, subject to continuously evolving and developing laws and regulations in other jurisdictions regarding privacy, data protection and data security. For example, in Canada we are subject to the Personal Information Protection and Electronic Documents Act ("PIPEDA") and may become subject to additional privacy, data protection and data security laws and regulations in Canada, including those which may differ from PIPEDA, if passed. In addition, subject to limited exceptions, the EU General Data Protection Regulation ("EU GDPR") applies EU data protection laws to certain companies processing personal data of individuals in the EU, regardless of the company's location. We also are subject to the U.K. General Data Protection Regulation ("U.K. GDPR"), which is how the EU GDPR has been implemented into U.K. law. These laws and regulations, and similar laws and regulations in other jurisdictions, impose strict requirements regarding the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information, which may have adverse consequences, including significant compliance costs and severe monetary penalties for non-compliance. Significant uncertainty exists as privacy, data protection, and data security laws may be interpreted and applied differently from country to country and may create inconsistent or conflicting requirements. Further, we make public statements about our use, collection, disclosure and other processing of personal information through our privacy policies, information provided on our website and press statements. Although we endeavor to comply with our public statements and documentation, we may at times fail to do so or be alleged to have failed to do so. The publication of our privacy policies and other statements that provide promises and assurances about privacy, data protection and data security can subject us to potential government or legal action if they are found to be deceptive, unfair or misrepresentative of our actual practices. Additional risks could arise in connection with any failure or perceived failure by us, our service providers or other third parties with which we do business to provide adequate disclosure or transparency to individuals, including our customers, about the personal information collected from them and its use, to receive, document or honor the privacy preferences expressed by individuals, to protect personal information from unauthorized disclosure, or to maintain proper training on privacy practices for all employees or third parties who have access to personal information in our possession or control. Our efforts to comply with GLBA, FCRA, CPRA, PIPEDA, EU GDPR, U.K. GDPR and other privacy, data protection and data security laws and regulations, as well as our posted privacy policies, and related contractual obligations to third parties, entail substantial expenses, may divert resources from other initiatives and projects, and could limit the services we are able to offer. Furthermore, enforcement actions and investigations by regulatory authorities related to data security incidents and privacy, data protection and data security violations continue to increase. The enactment of more restrictive laws or regulations, or future enforcement actions, litigation or investigations, could impact us through increased costs or restrictions on our business, and any noncompliance or perceived noncompliance could result in monetary or other penalties, harm to our reputation, distraction to our management and technical personnel and significant legal liability.

We operate in a highly competitive environment across all of our lines of business, whether in making loans, attracting deposits or in the global payments industry, and we expect competitive conditions to continue to intensify with respect to most of our products particularly in our credit card and consumer banking businesses. We compete on the basis of the rates we pay on deposits and the rates and other terms we charge on the loans we originate or purchase, as well as the quality and range of our customer service, products, innovation and experience. This competitive environment is primarily a result of changes in technology, product delivery systems and regulation, as well as the emergence of new or significantly larger financial services providers, all of which may affect our customers' expectations and demands. In addition to offering competitive products and services, we invest in and conduct marketing campaigns to attract and inform customers. If our marketing campaigns are unsuccessful, it may adversely impact our ability to attract new customers and grow market share. Some of our competitors, including new and emerging competitors in the digital and mobile payments space and other financial technology providers, are not subject to the same regulatory requirements or scrutiny to which we are subject, which also could place us at a competitive disadvantage, in particular in the development of new technology platforms or the ability to rapidly innovate. We compete with many forms of payments offered by both bank and non-bank providers, including a variety of new and evolving alternative payment mechanisms, systems and products, such as aggregators and web-based and wireless payment platforms or technologies, digital or cryptocurrencies, prepaid systems and payment services targeting users of social networks, communications platforms and online gaming. If we are unable to continue to keep pace with innovation, do not effectively market our products and services or are prohibited from or unwilling to enter emerging areas of competition, our business and results of operations could be adversely affected. In addition, government actions or initiatives may also provide competitors with increased opportunities to derive competitive advantages and may create new competitors. For example, the CFPB has proposed a rule that would require certain financial institutions, including the Company, to share certain financial information with third parties upon a customer's request, which could enable those third parties to offer competing financial services to consumers. Some of our competitors are substantially larger than we are, which may give those competitors advantages, including a more diversified product and customer base, the ability to reach more customers and potential customers, operational efficiencies, broad-based local distribution capabilities, lower-cost funding and larger existing branch networks. Many of our competitors are also focusing on cross-selling their products and developing new products or technologies, which could affect our ability to maintain or grow existing customer relationships or require us to offer lower interest rates or fees on our lending products or higher interest rates on deposits. Competition for loans could result in origination of fewer loans, earning less on our loans or an increase in loans that perform below expectations. We operate as an online direct bank in the United States. While direct banking provides a significant opportunity to attract new customers that value greater and more flexible access to banking services at reduced costs, we face strong and increasing competition in the direct banking market. Aggressive pricing throughout the industry may adversely affect the retention of existing balances and the cost-efficient acquisition of new deposit funds and may affect our growth and profitability. Customers could also close their online accounts or reduce balances or deposits in favor of products and services offered by competitors for other reasons. These shifts, which could be rapid, could result from general dissatisfaction with our products or services, including concerns over pricing, online security or our reputation. The potential consequences of this competitive environment are exacerbated by the flexibility of direct banking and the financial and technological sophistication of our online customer base. In our credit card business, competition for rewards customers may result in higher rewards expenses, or we may fail to attract new customers or retain existing rewards customers due to increasing competition for these consumers. As of December 31, 2023, we have a number of large partnerships in our credit card loan portfolio. The market for key business partners, especially in the credit card business, is very competitive, and we may not be able to grow or maintain these partner relationships or assure that these relationships will be profitable or valued by our customers. Additionally, partners themselves may face changes in their business, including market factors and ownership changes, that could impact the partnership. We face the risk that we could lose partner relationships, even after we have invested significant resources into acquiring and developing the relationships. The loss of any key business partner could have a negative impact on our results of operations, including lower returns, excess operating expense and excess funding capacity. We depend on our partners to effectively promote our co-brand and private label products and integrate the use of our credit cards into their retail operations. The failure by our partners to effectively promote and support our products as well as changes they may make in their business models could adversely affect card usage and our ability to achieve the growth and profitability objectives of our partnerships. In addition, if our partners do not adhere to the terms of our program agreements and standards, or otherwise diminish the value of our brand, we may suffer reputational damage and customers may be less likely to use our products. Some of our competitors have developed, or may develop, substantially greater financial and other resources than we have, may offer richer value propositions or a wider range of programs and services than we offer, or may use more effective advertising, marketing or cross-selling strategies to acquire and retain more customers, capture a greater share of spending and borrowings, attain and develop more attractive co-brand card programs and maintain greater merchant acceptance than we have. We may not be able to compete effectively against these threats or respond or adapt to changes in consumer spending habits as effectively as our competitors. In such a competitive environment, we may lose entire accounts or may lose account balances to competing firms, or we may find it more costly to maintain our existing customer base. Customer attrition from any or all of our lending products, together with any lowering of interest rates or fees that we might implement to retain customers, could reduce our revenues and therefore our earnings. Similarly, unexpected customer attrition from our deposit products, in addition to an increase in rates or services that we may offer to retain deposits, may increase our expenses and therefore reduce our earnings.

Our ability to attract and retain customers is highly dependent upon the perceptions of consumer and commercial borrowers and deposit holders and other external perceptions of our products, services, trustworthiness, business practices, workplace culture, compliance practices or our financial health. Capital One's brand is one of our most important assets. Maintaining and enhancing our brand depends largely on our ability to continue to provide high-quality products and services. Adverse perceptions regarding our reputation in the consumer, commercial, and funding markets could lead to difficulties in generating, maintaining and financing accounts. In particular, negative public perceptions regarding our reputation, including negative perceptions regarding our ability to maintain the security of our technology systems and protect customer data, could lead to decreases in the levels of deposits that current and potential consumer and commercial customers choose to maintain with us. Negative perceptions may also significantly increase the costs of attracting and retaining customers. In addition, negative perceptions regarding certain industries, partners or clients could also prompt us to cease business activities associated with those entities in order to manage reputational risk. Negative public opinion or damage to our brand could also result from actual or alleged conduct in any number of activities or circumstances, including lending practices, regulatory compliance, cyber-attacks or other security incidents, corporate governance and sales and marketing, and from actions taken by regulators or other persons in response to such conduct. Such conduct could fall short of our customers' and the public's heightened expectations of companies of our size with rigorous privacy, data protection, data security and compliance practices, and could further harm our reputation. In addition, our co-brand and private label credit card partners or other third parties with whom we have important relationships may take actions over which we have limited control that could negatively impact perceptions about us or the financial services industry. The proliferation of social media may increase the likelihood that negative public opinion from any of the actual or alleged events discussed above could impact our reputation and business. In addition, a variety of economic or social factors may cause changes in borrowing activity, including credit card use, payment patterns and the rate of defaults by account holders and borrowers domestically and internationally. These economic and social factors include changes in consumer confidence levels, the public's perception regarding the banking industry and consumer debt, including credit card use, and changing attitudes about the stigma of bankruptcy. If consumers develop or maintain negative attitudes about incurring debt, or consumption trends decline or if we fail to maintain and enhance our brand, or we incur significant expenses to do so, our reputation and business and financial results could be materially and negatively affected. There has also been an increased focus by investor advocacy groups, investment funds and shareholder activists, among others, on topics related to environmental, social and corporate governance policies, and our policies, practices and disclosure in these areas, including those related to climate change. Reputation risk related to corporate policies and practices on environmental, social and corporate governance topics is increasingly complex. Divergent ideological and social views may create competing stakeholder, legislative, and regulatory scrutiny that may impact our reputation. Furthermore, responding to environmental, social and corporate governance considerations and implementing our related goals and initiatives involve risk and uncertainties, require investments and depend in part on third-party performance or data that is outside of our control. There can be no assurance that we will achieve these goals and initiatives or that any such achievements will have the desired results. Our failure to achieve progress in these areas on a timely basis, if at all, could impact our reputation and public perceptions of our business.

Changes and instability in the macroeconomic environment may lead to changes in payment patterns, increases or fluctuations in delinquencies and default rates and decrease consumer spending. Because we offer a broad array of financial products and services to consumers, small businesses and commercial clients, our financial results are impacted by the level of consumer and business activity and the demand for our products and services. A prolonged period of economic weakness, volatility, slow growth, or a significant deterioration in economic conditions, in the U.S., Canada or the U.K., could have a material adverse effect on our financial condition and results of operations as customers or commercial clients default on their loans, maintain lower deposit levels or, in the case of credit card accounts, carry lower balances and reduce credit card purchase activity. Some of the factors that could disrupt capital markets, reduce consumer and business activity, and weaken the labor market include the following: - Monetary policy actions, such as changes to interest rates, taken by the Federal Reserve and other central banks, such as the central banks in the United Kingdom and Canada;- Geopolitical conflicts or instabilities, such as the war between Ukraine and Russia and the war between Israel and Hamas, and increased geopolitical tensions between the U.S. and China;- Trade wars, tariffs, labor shortages and disruptions of global supply chains;- The effects of divided government in the U.S., including government shutdowns whether recurring, prolonged or otherwise, and developments related to the U.S. federal debt ceiling;- Inflation and deflation, including the effects of related governmental responses;- Concerns over a potential recession, which may lead to adjustments in spending patterns;- Lower demand for credit and shifts in consumer behavior, including shifts away from using credit cards, changes in deposit practices, and changes in and payment patterns; and - Ongoing changes in usage of commercial real estate, which may have a sustained negative impact on utilization rates and values. Decreases in overall business activity and changes in customer behavior may lead to increases in our charge-off rate caused by bankruptcies and may reduce our ability to recover debt that we have previously charged-off. Such changes may also decrease the reliability of our internal processes and models, including those we use to estimate our allowance for credit losses, particularly if unexpected variations in key inputs and assumptions cause actual losses to diverge from the projections of our models and our estimates become increasingly subject to management's judgment. See "We face risks resulting from the extensive use of models, AI, and data."

Like other financial institutions, our business is sensitive to interest rate movements and the performance of the capital markets. We rely on access to the capital markets to fund our operations and to grow our business. Our ability to borrow from other financial institutions or to engage in funding transactions on favorable terms or at all could be adversely affected by disruptions, uncertainty or volatility in the capital markets. Additionally, increased charge-offs, rising interest rates, increased refinancing activity and other events may cause our securitization transactions to amortize earlier than scheduled or reduce the value of the securities that we hold for liquidity purposes, which could accelerate our need for additional funding from other sources. We could also experience impairments of other financial assets and other negative impacts on our financial position, including possible constraints on liquidity and capital, as well as higher costs of capital. Additionally, changes in interest rates could adversely affect the results of our operations and financial condition. For example, if inflation were to remain elevated or begin to increase, interest rates could increase further. Higher interest rates increase our borrowing costs and may require us to increase the interest we pay on funds deposited with us and may reduce the market value of our securities holdings. If interest rates continue to increase or if higher interest rates persist for an extended period of time, our expenses may increase further. If the rate of economic growth decreased sharply, causing the Federal Reserve to lower interest rates, our net income could be adversely affected. Additionally, a shrinking yield premium between short-term and long-term market interest rates could adversely impact the rates that we pay on our liabilities and the rates that we earn on our assets and thus affect our profitability. We assess our interest rate risk by estimating the effect on our earnings, economic value and capital under various scenarios that differ based on assumptions about the direction and the magnitude of interest rate changes. We take risk mitigation actions based on those assessments. We face the risk that changes in interest rates could materially reduce our net interest income and our earnings, especially if actual conditions turn out to be materially different than those we assumed. Furthermore, interest rate fluctuations and competitor responses to those changes may have a material adverse effect on our financial condition and results of operations, as customers or commercial clients default on their loans, maintain lower deposit levels or, in the case of credit card accounts, reduce demand for credit or (for existing customers) the level of borrowing or purchase activity. For example, increases in interest rates increase debt service requirements for some of our borrowers, which may adversely affect those borrowers' ability to pay as contractually obligated. This could result in additional or fluctuating delinquencies or charge-offs and negatively impact our results of operations. These changes could reduce the overall yield on our interest-earning asset portfolio. An inability to attract or maintain deposits could materially affect our ability to fund our business and our liquidity position. Many other financial institutions have increased their reliance on deposit funding and, as such, we expect continued competition in the deposit markets. We cannot predict how this competition will affect our costs. If we are required to offer higher interest rates to attract or maintain deposits, our funding costs will be adversely impacted. Changes in valuations in the debt and equity markets could have a negative impact on the assets we hold in our investment portfolio. Such market changes could also have a negative impact on the valuation of assets for which we provide servicing. See "Part II-Item 7. MD&A-Market Risk Profile" and "We face intense competition in all of our markets" for additional information.

Our success depends, in large part, on our ability to retain key senior leaders and to attract, develop and retain skilled employees, particularly employees with advanced expertise in credit, risk, digital and technology skills. We depend on our senior leaders and skilled employees to oversee simultaneous, transformative initiatives across the enterprise and execute on our business plans in an efficient and effective manner. Competition for such senior leaders and employees, and the costs associated with attracting, developing and retaining them, is high and competitive. While we engage in robust succession planning, our key senior leaders have deep and broad industry experience and could be difficult to replace without some degree of disruption. Our ability to attract, develop and retain qualified employees also is affected by perceptions of our culture and management, including our position on remote and hybrid work arrangements, our profile in the regions where we have offices and the professional opportunities we offer. In addition, an increase in remote working arrangements by other companies may create more job opportunities for employees and make it more difficult for us to attract and retain key talent. Regulation or regulatory guidance restricting executive compensation, as well as evolving investor expectations, may limit the types of compensation arrangements that we may enter into with our most senior leaders and could have a negative impact on our ability to attract, retain and motivate such leaders in support of our long-term strategy. These laws and regulations may not apply in the same manner to all financial institutions and technology companies, which therefore may subject us to more restrictions than other institutions and companies with which we compete for talent and may also hinder our ability to compete for talent with other industries. We rely upon our senior leaders not only for business success, but also to lead with integrity. To the extent our senior leaders behave in a manner that does not comport with our values, the consequences to our brand and reputation could be severe and could adversely affect our financial condition and results of operations. If we are unable to attract, develop and retain talented senior leadership and employees, or to implement appropriate succession plans for our senior leadership, our business could be negatively affected.