KeyCorp (KEY) Risk Factors

We are subject to, and may in the future be subject to, claims or legal actions taken against us by customers, vendors, shareholders, or other parties. Further, KeyCorp and certain of its directors and officers are currently named, and have in the past been named and may be named in the future, as defendants in various class actions and other litigation relating to our business and activities. We maintain reserves for certain claims when deemed appropriate based upon our assessment that a loss is probable, estimable, and consistent with applicable accounting guidance. At any given time, we have a variety of legal actions asserted against us in various stages of litigation. Resolution of a legal action can often take years. Whether any particular claims and legal actions are founded or unfounded, if such claims and legal actions are not resolved in our favor, they may result in significant financial liability and adversely affect how the market perceives us and our products and services as well as impact customer demand for those products and services. We are also involved, from time to time, in other information-gathering requests, reviews, investigations, and proceedings (both formal and informal) by governmental and self-regulatory agencies regarding our business,including, among other things, accounting, compliance, and operational matters, which may result in adverse judgments, settlements, fines, penalties, injunctions, or other relief which, if significant, could adversely affect our business, results of operations and/or financial condition. Enforcement authorities may also seek admissions of wrongdoing and, in some cases, criminal pleas as part of the resolutions of matters and any such resolution of a matter involving Key could lead to increased exposure to private litigation, could adversely affect Key's reputation, and could result in limitations on our ability to do business in certain jurisdictions. Further, enforcement matters could impact our supervisory and CRA ratings, which may in turn restrict or limit our activities. In recent years, there has been an increase in the number of investigations and proceedings in the financial services industry. A violation of law or regulation by another financial institution may give rise to an inquiry or investigation by regulators or other authorities of the same or similar practices by Key. For example, on February 9, 2024, affiliates of Key entered into a settlement agreement with the SEC's Division of Enforcement to resolve an investigation of the affiliates' compliance with records preservation requirements related to business communications sent over off-channel electronic messaging platforms. The settlement resulted in payment of a $10 million penalty to the SEC along with other prospective relief. The SEC has conducted similar investigations of other financial institutions as part of a widely publicized industry sweep that has included publicly announced settlements with multiple firms. The outcome of regulatory matters as well as the timing of ultimate resolution are inherently difficult to predict, and the uncertain regulatory enforcement environment makes it difficult to estimate probable losses, which can lead to substantial disparities between legal reserves and actual settlements or penalties.

Natural disasters, including wildfires, tornadoes, severe storms, and hurricanes, have seemingly become more frequent and severe due to climate change. The timing and effects of these natural disasters are difficult to accurately predict, and the potential impact of such disasters on our operations, employees, and customers could have a material adverse effect on our business, financial position, and results of operations. Given our broad regional focus, we are exposed to a wide range of weather-related risk across different geographical areas. Severe weather events can directly affect our operations by interrupting systems, damaging facilities, disrupting our supply chain, and hindering our ability to conduct business as usual. Additionally, these events can indirectly impact us by damaging or destroying customer businesses, impairing their ability to repay loans, or causing damage to properties pledged as collateral for loans made by Key. Although preventative measures may help to mitigate damage, such measures could be costly, and any disaster could adversely affect our ability to conduct our business as usual. In addition, the insurance we maintain may not be adequate to cover our losses resulting from any business interruption resulting from a natural disaster or other severe weather events, and recurring extreme weather events could reduce the availability or increase the cost of insurance. Our failure to comply with evolving regulatory requirements related to natural disaster risk management may also result in legal and financial consequences.

?We are subject to a variety of operational risks. ?We and third parties on which we rely (including their downstream service providers) may experience a cyberattack, technology failure, information system or security breach or interruption. ?We rely on third parties to perform significant operational services for us. ?We are, and may in the future be, subject to claims, litigation, investigations, and governmental proceedings, which could result in significant financial liability and/or reputational harm. ?Our controls and procedures may fail or be circumvented, and our methods of reducing risk exposure may not be effective. ?Our operations and financial performance could be adversely affected by severe weather and natural disasters exacerbated by climate change. ?Societal and governmental responses to climate change could adversely affect Key's business and performance, including indirectly through impacts on Key's customers. ?The increased use of remote work infrastructure has expanded potential attack vectors and resulted in increased operational risks.

Our success depends on our ability to attract, retain, motivate, and develop a talented and diverse workforce. Competition for talent in our business is strong and requires us to make investments to provide compensation and benefits at market levels. Rising wages, as well as inflation, may cause us to increase these investments. Such investments cause compensation and benefits to represent our greatest expense. Additionally, we increasingly compete for talent outside of the core financial services industry. Non-financial institutions may be subject to different pay and hiring expectations than us, which may make it more difficult for us to attract qualified teammates. For example, we are required to deliver a substantial portion of the variable compensation of certain teammates in the form of awards tied to our financial performance. The decline in our share price we experienced in 2023 could impact our ability to retain those individuals. Similarly, our pay practices are subject to scrutiny by our regulators who may identify deficiencies in the structure of, or issue additional guidance on our compensation practices, causing us to make changes that may affect our ability to offer competitive pay to these individuals or that place us at a disadvantage to non-financial service industry competitors. Finally, while remote work opportunities allow us to hire outside of our traditional footprint, it also increases competition. These factors individually, or collectively, may constrain our ability to hire or retain a sufficient number of qualified employees, which could impact our ability to serve our customers and clients.

Third parties perform significant operational services on our behalf. Additionally, some of our third parties outsource aspects of their operations to downstream service providers. These parties are subject to similar risks as Key relating to cybersecurity and breakdowns or failures of their own systems, internal processes and controls, or employees. One or more of these third parties or their downstream service providers may experience a cybersecurity event or operational disruption and, if any such event does occur, it may not be adequately addressed, either operationally or financially, by such third party. Certain of these third parties may have limited indemnification obligations or may not have the financial capacity to satisfy their indemnification obligations. Financial or operational difficulties of a third party could also impair our operations if those difficulties interfere with such third party's ability to serve us. Any unanticipated interruption, delay, or degradation in the performance and delivery of our services could negatively impact our customer relationships. Additionally, some of our outsourcing arrangements are located overseas and, therefore, are subject to risks unique to the regions in which they operate. If a critical third party is unable to meet our needs in a timely manner or if the services or products provided by such third party are terminated or otherwise delayed and if we are not able to identify or develop alternative sources for these services and products quickly and cost-effectively, it could have a material adverse effect on our business. Additionally, regulatory guidance adopted by federal banking regulators related to how banks select, contract with,evaluate, engage with, and manage their third parties, including such third parties' use of subcontractors, affects the circumstances and conditions under which we work with third parties and their subcontractors and the cost of managing such relationships.

We face substantial competition in all areas of our operations from a variety of competitors, some of which are larger and may have more financial resources than us. Our competitors primarily include national and super-regional banks as well as smaller community banks within the various geographic regions in which we operate. We also face competition from many other types of financial institutions, including, without limitation, savings associations, credit unions, mortgage banking companies, finance companies, mutual funds, insurance companies, investment management firms, investment banking firms, broker-dealers and other local, regional, national, and global financial services firms. In addition, technology has lowered barriers to entry and made it possible for nonbanks, including large technology companies, to offer products and services traditionally provided by banks. We expect the competitive landscape of the financial services industry to become even more intense as a result of legislative, regulatory, structural, customer preference, and technological changes. Our ability to compete successfully depends on a number of factors, including: our ability to develop and execute strategic plans and initiatives; our ability to develop, maintain, and build long-term customer relationships based on quality service and competitive prices; our ability to develop competitive products and technologies demanded by our customers, while maintaining our high ethical standards and an effective compliance program and keeping our assets safe and sound; our ability to attract, retain, and develop a highly competent employee workforce; and industry and general economic trends. Increased competition in the financial services industry, or our failure to perform in any of these areas, could significantly weaken our competitive position, which could adversely affect our growth and profitability. Strategic risk may also be realized due to events or issues that materialize in other risk factor areas. For example, significant deficiencies in end-to-end operational execution and/or product delivery or failure to comply with applicable laws and regulations may result in unmet client expectations or harm and impact our competitive standing in the industry.

Recent Federal Reserve monetary policy, including shrinkage of its balance sheet and incremental increases in target interest rates early in 2023 followed by a sustained period of relatively high target interest rates throughout the latter part of 2023, continue to impact the commercial and residential real estate markets. Capitalization rates are rising, and property value appreciation has slowed or is now declining. In many markets within Key's footprint,property values have begun to decrease. Industrial and retail properties continue to remain stable, but multifamily,office, hospitality, and single family detached properties are beginning to show signs of deterioration. Development and construction continue, but at muted levels, and deliveries of additional units into the market have been supported. Oversupply of multifamily housing is a concern in certain urban and gateway markets. However, our exposures in those markets are limited (for example, approximately 5% of our multifamily portfolio is located in New York City, Chicago, Los Angeles, and San Francisco; we also have no exposure to rent controlled properties in New York City). The most severely impacted commercial real estate segments have been in office. Key's non-owner occupied office exposures are 5% of our total commercial real estate exposure. Substantial deterioration in property market fundamentals could negatively impact our portfolio, with a large portion of our clients active in real estate but in the comparatively better performing multifamily space over the cycle. A correction in the real estate markets could impact the ability of borrowers to make debt service payments on loans or to refinance the loans at maturity. A relatively small portion of our commercial real estate loans are construction loans. New construction and value-add or rehabilitation construction projects may not be fully leased at loan origination. These properties typically require additional leasing through the life of the loan to provide cash flow to support debt service payments. If property market fundamentals deteriorate sharply, performance under existing leases could deteriorate and the execution of new leases could slow, compromising the borrower's ability to cover debt service payments.

The continuous, widespread adoption of new technologies requires us to evaluate our product and service offerings to ensure they remain competitive. Our success depends, in part, on our ability to adapt our products and services,as well as our distribution of them, to evolving industry standards and consumer preferences. New technologies have altered consumer behavior by allowing consumers to complete transactions such as paying bills or transferring funds directly without the assistance of banks. New products allow consumers to maintain funds in brokerage accounts or mutual funds that would have historically been held as bank deposits. The process of eliminating banks as intermediaries, known as "disintermediation," could result in the loss of fee income, as well as the loss of customer loans and deposits and related income generated from those products. The increasing pressure from our competitors, both bank and nonbank, to keep pace and adopt new technologies and products and services requires us to incur substantial expense. We may be unsuccessful in developing or introducing new products and services, modifying our existing products and services, adapting to changing consumer preferences and spending and saving habits, achieving market acceptance or regulatory approval, sufficiently developing or maintaining a loyal customer base, or offering products and services at prices equal to or lower than the prices offered by our competitors. These risks may affect our ability to achieve growth in our market share and could reduce both our revenue streams from certain products and services and our revenues from our net interest income.

We rely heavily on communications, information systems (both internal and provided by third parties), and the internet to conduct our business. Our business is dependent on our ability to process and monitor large numbers of daily transactions in compliance with legal, regulatory, and internal standards and specifications. In addition, a significant portion of our operations relies heavily on the secure processing, storage, and transmission of personal and confidential information, such as the personal information of our employees, customers, and clients. These risks may increase in the future as we continue to increase mobile payments and other internet-based product offerings, expand our internal usage of web/cloud-based products and applications, and maintain and develop new relationships with third-party providers, including their downstream service providers. In addition, our ability to extend protections to customers' information to individual customer devices is limited, especially if the customers willingly provide third parties access to their devices or information. In the event of a failure, interruption, or breach of our information systems, or that of a third party that provides services to us or our customers, we may be unable to avoid impact to our customers. For example, we may experience operational disruptions or interruptions as a result of a cyber incident, including disruption caused by protective containment measures taken by us, such as taking certain first- or third-party systems off-line for a prolonged period. Such a failure, interruption, or breach could result in legal liability, remediation costs, regulatory action, or reputational harm. U.S. financial service institutions and companies have reported breaches in the security of their websites or other systems and several financial institutions, including Key, have had third parties on which they rely experience such breaches. In addition, several financial institutions, including Key, have experienced significant distributed denial-of-service attacks, some of which involved sophisticated and targeted attacks intended to disrupt, disable, or degrade services, or sabotage systems or data. Other attacks have attempted to obtain unauthorized access to confidential, proprietary, or personal information or intellectual property, to extort money through the use of "ransomware" or other extortion tactics, or to alter or destroy data or systems, often through various attack vectors and methods, including the introduction of computer viruses or malicious code (commonly referred to as "malware"), phishing, cyberattacks, account takeovers, credential stuffing, and other means. To the extent that we use third parties to provide services to our clients, we cannot control all of the risks at these third parties or third parties' downstream service providers. Hardware, software, or applications developed by Key or received from third parties may contain exploitable vulnerabilities, bugs, or defects in design, maintenance or manufacture or other issues that could unpredictably compromise information and cybersecurity. We depend on third party service providers and their downstream service providers to implement adequate controls and safeguards to protect against and report cyber incidents. If such parties fail to deter, detect, or report cyber incidents in a timely manner, we may suffer from financial and other harm, including to our information, operations, performance, employees, and reputation. In addition, should an adverse event affecting another company's systems occur, we may not have indemnification or other protection from the other company sufficient to fully compensate us or otherwise protect us or our clients from the consequences. To date, our losses and costs related to these breaches have not been material, but other similar events in the future could have a material impact on our business strategy, results of operations, or financial condition. In addition, our customers routinely use Key-issued credit and debit cards to pay for transactions conducted with businesses in person and over the internet. If the business's systems that process or store debit or credit card information experience a security breach, our card holders may experience fraud on their card accounts. We may suffer losses associated with such fraudulent transactions, as well as for other costs, such as replacing impacted cards. Key also provides card transaction processing services to some merchant customers under agreements we have with payment networks such as Mastercard. Under these agreements, we may be responsible for certain losses and penalties if one of our merchant customers suffers a data breach. We also face risks related to the increasing interdependence and interconnectivity of financial entities and technology systems. A technology failure, cyberattack or other security breach that significantly compromises the systems of one or more financial parties or service providers in the financial system could have a material impact on counterparties or market participants, including us. Any third-party technology failure, cyberattack, or security breach could adversely affect our ability to effect transactions, service clients, or otherwise operate our business and could result in legal liability, remediation costs, regulatory action, or reputational harm. Additionally, the increasing use of third-party financial data aggregators and emerging technologies, including the use of automation,artificial intelligence and robotics, introduces new information security risks and exposure for us and for our third party service providers; such technologies could also result in increasingly sophisticated cyberattacks. Such security attacks can originate from a wide variety of sources/malicious actors, including, but not limited to,persons who constitute an insider threat, who are involved with organized crime, or who may be linked to terrorist organizations or hostile foreign governments. Those same parties may also attempt to fraudulently induce employees, customers, or other users of our systems to disclose sensitive information in order to gain access to our data or that of our customers or clients through social engineering, phishing, mobile phone malware and SIM card swapping, and other methods. Our security systems, and those of the third-party service providers on which we rely,may not be able to protect our information systems or data from similar attacks due to the rapid evolution and creation of sophisticated cyberattacks. We are also subject to the risk that a malicious actor or our employees may intercept and/or transmit or otherwise misuse unauthorized personal, confidential, or proprietary information or intellectual property. An interception, misuse, or mishandling of personal, confidential, or proprietary information or intellectual property being sent to or received from a customer or third party could result in legal liability, remediation costs, regulatory action, and reputational harm. We have incurred and will continue to incur significant expense in an effort to improve the reliability and resilience of our systems and their security against internal and external threats. Nonetheless, we cannot guarantee our measures will be effective or sufficient to prevent a cyber incident, and there remains the risk that one or more adverse events might occur. If one does occur, it could go undetected and persist for an extended period of time and/or we may be unable to remediate the event or its consequences timely or adequately. While we do maintain cyber information security and business interruption insurance, losses from a major interruption may exceed our coverage and there can be no assurance that liabilities or losses we may incur will be covered under such policies, that such insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim.

The increase in remote work over the past several years has resulted in an expanded potential attack surface and heightened operational risks and may negatively impact our ability, and the ability of our third-party service providers (including their downstream service providers), to perform services efficiently, securely, and without interruptions. In addition to some of our workforce working remotely periodically or on a full-time basis, our third-party service providers (including their downstream service providers) may utilize personnel who work remotely. Increased levels of remote access create additional cybersecurity risk and opportunities for cybercriminals to exploit vulnerabilities. For example, cybercriminals have become increasingly sophisticated in their attempts to compromise business emails, including by targeting employees through an increase of phishing attempts and fraudulent calls, including through the use of artificial intelligence. These fraudulent activities have resulted in increased fraud losses to us and the financial services industry generally. In addition to enhanced cybersecurity risk, employees and other personnel performing services for us who work remotely may experience disruptions to their home internet or phone connections, decreased efficiency due to delayed network speeds or other interruptions, and/or delays in the dissemination and exchange of information, any of which could negatively impact our operations. We have experienced, and may continue to experience, disruption related to remote work, which disruptions could adversely impact our business, and could result in legal liability, regulatory penalties, litigation expenses, remediation costs, or reputational harm.