PNC Financial (PNC) Risk Factors

In some cases, we develop internally the intellectual property embedded in the technology we use. In others, we or our vendors license the use of intellectual property from others. Where we rely on access to third-party intellectual property, it may not be available to us on commercially reasonably terms or at all. Regardless of the source of the intellectual property, if another person or entity were deemed to own intellectual property rights infringed by our activities, we could be responsible for significant damages covering past activities and substantial fees to continue to engage in these types of activities. It also is possible that we could be prevented from using technology important to our business for at least some period of time. In such circumstances, there may be no alternative technology for us to use or an appropriate alternative technology might be expensive to obtain. Protections offered by those from whom we license technology against these risks may be inadequate to cover any losses in full. Over time, there have been and continue to be instances where technology used by PNC has been alleged to have infringed patents held by others, and, in some cases, we have suffered related losses.

Most corporate and commercial financial transactions are now handled electronically, and our commercial and retail customers increasingly use online access as well as mobile and cloud technologies to bank with us. The ability to conduct business with us in this manner depends on the transmission and storage of confidential information in electronic form. As a result, in the ordinary course of business, we maintain and process vast amounts of digital information about us, our customers and our employees. This information tends to be confidential or proprietary and much of it is highly sensitive. Such highly sensitive information includes information sufficient to support identity theft and personal health information, as well as information regarding business plans and financial performance that has not been made public. As a result, efforts by bad actors to engage in various types of cyber attacks pose serious risks to our business and reputation. We are faced with ongoing, nearly continual, efforts by others to breach data security at financial institutions or with respect to financial transactions. These efforts may be to obtain access to confidential or proprietary information, often with the intent of stealing from or defrauding us or our customers, or to disrupt our ability to conduct our business, including by destroying or impairing access to information maintained by us. Some of these involve efforts to enter our systems directly by going through or around our security protections. Others involve the use of social engineering schemes to gain access to confidential information from our employees, customers or vendors. Our risk and exposure to data security breaches is heightened because of our expanded digital products and services, geographic footprint and continued remote work environment, which results in more access points to our network. The same risks are presented by attacks potentially affecting information held by third parties on our behalf or accessed by third parties, including those offering financial applications, on behalf of our customers. These risks also arise to the extent that third parties with whom we do business, or their vendors or other entities with whom they do business, are themselves subject to breaches and attacks, which may impact our systems or operations. Our ability to protect confidential or proprietary information is even more limited with respect to information held by these parties. For example, we are likely to be limited in our ability to identify and quickly resolve breaches and attacks that may impact our business the further removed an entity is from our business, such as when a breach or attack occurs at vendors of our vendors. We may suffer reputational damage or legal liability for unauthorized access to customer information held by other parties, even if we were not responsible for preventing such access and had no reasonable way of preventing it. Our customers often use their own devices, such as computers, smartphones and tablets, to do business with us and may provide their PNC customer information (including passwords) to a third party in connection with obtaining services from that third party, including those offering financial applications. Although we take steps to provide safety and security for our customers' transactions with us and their customer information, to the extent they utilize their own devices or provide third parties access to their accounts, our ability to assure such safety and security is necessarily limited. These risks are heightened as we and others continue to expand mobile applications, cloud solutions, and other internet-based financial product offerings. For example, a number of our customers choose to use financial applications that allow them to view, access and aggregate banking and other financial account information, often held at different financial institutions, on a single platform, to monitor the performance of their investments, to compare financial and investment products, to make payments or transfer funds, and otherwise to help manage their finances and investments. Financial applications often ask users to provide their secure banking log-in information and credentials so the applications can link to users' accounts at financial institutions. Companies offering these applications frequently use third-party data aggregators, which are behind-the-scenes technology companies that serve as data-gathering service providers, to deliver customer financial data that is then used by the financial applications. To do this, data aggregators frequently are provided with customers' log-in information and credentials, which allow the aggregators to access the customers' online accounts and "scrape" the customers' data, often on a daily or even more frequent basis. That same information has the potential to facilitate fraud if it is not properly protected. This has resulted in incidences of fraud, including automated clearing house fraud, credit card fraud, and wire fraud, enabled through the use of synthetic identities and through account takeovers via these platforms. In addition, transactions by customers on financial applications that facilitate payments and fund transfers have also been fraudulently induced. These transactions occur when a customer authorizes payment to a recipient that fraudulently induced the customer into transferring a payment to such recipient. PNC has and may continue to face increased financial exposure due to activity associated with the increased use of these applications and data aggregators. Even where PNC does not have financial exposure for losses, PNC could suffer increased reputational harm when such losses occur. As our customers regularly use PNC-issued credit and debit cards to pay for transactions with retailers and other businesses, there is also the risk of data security breaches at those other businesses covering PNC account information. When our customers use PNC-issued cards to make purchases from those businesses, card account information often is provided to such businesses. If a business's systems that process or store card account information are subject to a data security breach, holders of our cards who have made purchases from that business may experience fraud on their card accounts. We can be responsible for reimbursing our customers for such fraudulent transactions on customers' card accounts, as well as for other costs related to data security compromise events, such as replacing cards associated with compromised card accounts. In addition, we provide card transaction processing services to some merchant customers under agreements we have with payment networks such as Visa and Mastercard. Under these agreements, we may be responsible for certain losses and penalties if one of our merchant customers suffers a data security breach. Moreover, to the extent more consumer confidential information becomes available to bad actors through the cumulative effect of data breaches at companies generally, bad actors may find it easier to use such information to gain access to our customer accounts. Other cyber attacks are not focused on gaining access to credit card or user credential information, but instead seek access to a range of other types of confidential information, such as internal emails and other forms of customer financial information, and this information may be used to support a ransomware attack. Ransomware attacks have sought to deny access to data and possibly shut down systems and devices maintained by target companies. In a ransomware attack, system data is encrypted, stolen or extorted, or access is otherwise denied, accompanied by a demand for ransom to restore access to the data or to prevent public disclosure of confidential information. Attacks have also been conducted through business email compromise scams that involve using social engineering to cause employees to wire funds to the perpetrators in the mistaken belief that the requests were made by a company executive or established vendor. These types of phishing attacks have increased over time, and they have evolved to include other types of attacks like vishing (through voice messages) and smishing (through SMS text). Other attacks have included distributed denial of service cyber attacks, in which individuals or organizations flood commercial websites with extraordinarily high volumes of traffic with the goal of disrupting the ability of commercial enterprises to process transactions and possibly making their websites unavailable to customers for extended periods of time. Similarly, attacks have been conducted through application program interfaces where cyber attackers seek to exploit the interfaces between mobile or web applications. We (as well as other financial services companies) have been subject to such attacks. Recent cyber attacks have also included the insertion of malware into software updates and the infection of software while it is under assembly, known as a "supply chain attack." Attacks on our customers may put these relationships at risk, particularly if customers' ability to continue operations is impaired due to the losses suffered. The techniques used in cyber attacks change rapidly and are increasingly sophisticated, including through the use of generative artificial intelligence and deepfakes, and we expect in the future through the use of quantum computing, and we may not be able to anticipate cyber attacks or data security breaches. In addition to threats from external sources, insider threats represent a significant risk to us. Insiders, including those having legitimate access to our systems and the information contained in them, have the easiest opportunity to make inappropriate use of the systems and information. Addressing that risk requires understanding not only how to protect us from unauthorized use and disclosure of data, but also how to engage behavioral analytics and other tools to identify potential internal threats before any damage is done. In addition, due to the increase in the number of employees who work remotely, the opportunity for insiders to grant access to third parties or to disclose confidential information of PNC or its customers has increased. As more work is conducted outside of PNC's facilities, the risk of improper access to PNC's network or confidential information has increased, including for reasons such as a failure by an employee or contractor to secure a device with PNC access. We have been and expect to continue to be the target of some of these types of cyber attacks. To date, none of these types of cyber attacks has had a material impact on us. Nonetheless, we cannot entirely block efforts by bad actors to harm us, and there can be no assurance that future cyber attacks will not be material. While we maintain insurance coverage that may cover certain aspects of cyber risks, such insurance coverage may be insufficient to cover all losses. As a result, we could suffer material financial and reputational losses in the future from any of these or other types of attacks or the public perception that such an attack on our systems has been successful, whether or not this perception is correct. Attacks on others, some of which have led to serious adverse consequences, demonstrate the risks posed by new and evolving types of cyber attacks.

Many aspects of our business involve substantial risk of legal liability. We have been named or threatened to be named as defendants in various lawsuits arising from our business activities. In addition, we are regularly the subject of governmental investigations and other forms of regulatory inquiry. We also are at risk when we have agreed to indemnify others for losses related to legal proceedings they face, such as in connection with the sale of a business or assets by us. The results of these legal proceedings could lead to significant monetary damages or penalties, restrictions on the way in which we conduct our business or reputational harm. Although we establish accruals for legal proceedings when information related to the loss contingencies represented by those matters indicates both that a loss is probable and that the amount of loss can be reasonably estimated, we do not have accruals for all legal proceedings where we face a risk of loss. In addition, due to the inherent subjectivity of the assessments and unpredictability of the outcome of legal proceedings, amounts accrued often do not represent the ultimate loss to us from the legal proceedings in question. Thus, our ultimate future losses may be higher, and possibly significantly so, than the amounts accrued for legal loss contingencies. We discuss further the unpredictability of legal proceedings and describe certain of our pending legal proceedings in Note 20 Legal Proceedings.

Over time, there has been an increase in legislative and regulatory efforts to protect the privacy and enhance the portability of personal data, including enhanced data privacy laws regulating the use of health and biometric data. Individuals whose personal information may be protected by law may include our customers, prospective customers, job applicants, employees and third parties. These initiatives, among other things, limit how companies can use personal data and impose obligations on companies in their management of such data, including requiring companies like PNC to make available to consumers and authorized third parties certain data relating to transactions and accounts and establishing obligations for accessing such data. Financial services companies such as PNC necessarily gather, maintain and use a significant amount of personal data. These types of initiatives increase compliance complexity and related costs, may result in significant financial penalties for compliance failures, and may limit our ability to develop new products or respond to technological changes. This is particularly true as we continue to expand our business into new markets. We are, or may become, subject to regularly evolving and developing data privacy and data security laws and regulations in other jurisdictions, including certain foreign jurisdictions even where our presence in such jurisdictions is minimal. Such legal requirements also could heighten the reputational impact of perceived misuses of personal data by us, our vendors or others who gain unauthorized access to our personal data. Other jurisdictions may adopt similar requirements that impose different and potentially inconsistent compliance burdens. The impacts will be greater to the extent requirements vary across jurisdictions.

We are subject to intense competition both from other financial institutions and from non-bank entities, including financial technology companies (often referred to as "FinTech"). In many cases, non-bank entities can engage in many activities similar to ours or offer products and services desirable to our customers without being subject to the same types of regulation, supervision and restrictions that are applicable to banks, which could place us at a competitive disadvantage. Emerging financial technologies, including with respect to payment services and systems, lending, digital wallets, non-fungible tokens and digital currencies and cryptocurrencies, may affect our customers' needs and expectations for products and services. We may fail to attract or retain customers if we are unable to develop and market products and services that meet evolving customer needs or demands or if we are unable to deliver them effectively and securely to our customers. We may also fail to attract or retain customers if we are unwilling to provide products or services that we deem to be speculative or risky. The competition we face is described in Item 1 of this Report under "Competition." Consolidation in our industry, including among smaller banks combining to form more competitive larger ones and between banks and non-bank entities, could result in PNC facing more intense competition, particularly in impacted regions or with respect to particular products. As we expand into new markets, we may face competitors with more experience and established relationships in these markets, which could adversely affect our ability to compete. A failure to adequately address the competitive pressures we face could make it harder for us to attract and retain customers across our businesses. On the other hand, meeting these competitive pressures could require us to incur significant additional expense or to accept risk beyond what we would otherwise view as desirable under the circumstances. In addition, in our interest rate sensitive businesses, competitive pressures to increase rates on deposits or decrease rates on loans could reduce our net interest margin, negatively impacting our net interest income.

Our ability to compete effectively, to attract and retain customers and employees, and to grow our business is dependent on maintaining our reputation and having the trust of our customers, employees, the communities that we serve and other stakeholders. Many types of developments, if publicized, can negatively impact a company's reputation with adverse consequences to its business. Financial services companies are highly vulnerable to reputational damage when they are found to have harmed customers, particularly retail customers, through conduct that is seen as illegal, unfair, deceptive, abusive, manipulative or otherwise wrongful. There also may be reputational damage from human error or systems failures viewed as having harmed customers without involving misconduct, including service disruptions or negative perceptions regarding our ability to maintain the security of our technology systems and protect client data. For example, we may suffer reputational harm to the extent that we are unable to successfully detect, prevent and remedy fraud that harms our clients. Our reputation may also be harmed by failing to deliver products and services of the quality expected by our customers and support the communities that we serve. In addition, our reputation may be harmed as a result of our participation in certain programs, such as those supporting diversity and inclusion, that may expose us to increased scrutiny and criticism. Significant acquisitions by large banks also often attract public scrutiny, which may result in negative publicity that adversely affects our reputation if we engage in such a transaction. We are also subject to the risk of reputational harm resulting from conduct of persons identified as our employees but acting outside of the scope of their employment, including through their misconduct, unethical behavior, or activities on personal social media. The reputational impact is likely greater to the extent that the bad conduct, errors or failures are pervasive, long-standing or affect a significant number of customers, particularly retail consumers. The negative impact of such reputational damage on our business may be disproportionate to the actual harm caused to customers. It may be severe even if we fully remediate any harm suffered by our customers. Furthermore, because we conduct most of our businesses under the "PNC" brand, negative public opinion about one business could also affect our other businesses. In addition, we could suffer reputational harm and a loss of customer trust as a result of the conduct of others in our industry even if we have not engaged in such conduct. We use third parties to help in many aspects of our business, with the risk that their conduct can affect our reputation regardless of the degree to which we are responsible for it. To an increasing extent, financial services companies, including PNC, are facing criticism with accompanying reputational risk from activists, investors and stakeholders who believe companies should be focusing more or less on environmental, social and governance matters. Companies in our industry, including PNC, are targeted for engaging in business with specific customers or with customers in particular industries, where the customers' activities, even if legal, are perceived as having harmful impacts on matters such as the environment, consumer health and safety, or society at large. In addition, some activists, investors and other stakeholders are seeking increased transparency and action from financial services companies with respect to environmental, social and governance activities, political activities and activities that are or may be perceived to be politically partisan in nature. Criticism has come in many forms, including protests at PNC facilities and social media campaigns. In some circumstances, our stakeholders have held and continue to hold conflicting views on the role PNC and other financial services companies should play in continuing to or refraining from financing certain sectors. In some cases, we are subject to potentially conflicting proposed and enacted state and local laws affecting our industry that regulate the manner in which or whether we may finance or service certain clients, industries or sectors. Many of these issues are divisive without broad agreement as to the appropriate steps a company such as PNC should take. As a result, however we respond to such criticism, we expose ourselves to the risks that current or potential customers decline to do business with us or current or potential employees refuse to work for us. This can be true regardless of whether we are perceived by some as not having done enough to address these concerns or by others as having inappropriately yielded to these pressures. These pressures can also be a factor in decisions as to which business opportunities and customers we pursue, potentially resulting in foregone profit opportunities. The speed with which information moves through social media and other news sources on the internet means that negative information about PNC can rapidly have a broadly adverse impact on our reputation. This is true whether or not the information is accurate. False information can also be spread from unaffiliated or parody social media accounts pretending to be official company communications channels. Once information has gone viral, it can be difficult to counter it effectively, either by correcting inaccuracies or communicating remedial steps taken for actual issues. The potential impact of negative information going viral means that material reputational harm can result from a single discrete or isolated incident.

Our use of third parties to support our business needs typically means that we do not directly control the activities we are having them perform. Any disruption in services provided by these third parties could adversely affect our ability to conduct our business. Replacing third parties could also entail significant delay and expense. Risks can arise through inadequate performance by a third party (including by its downstream service providers), specifically where that performance could affect us or our customers, and even when the result of factors or events are beyond such third party's control. Many of the kinds of risks presented by activities performed by third parties are described elsewhere in these Risk Factors. Enhanced regulatory and other standards for the oversight of our use of third-party vendors and other service providers can result in higher costs and other potential exposures. We are also vulnerable, including to regulatory penalties, if an outside company fails to comply with legal requirements relevant to its work on our behalf. We may in any such circumstance suffer financial losses, legal consequences and injury to our reputation. Even if the other company makes us whole for financial losses, which is not necessarily the case, it is unlikely that it would be able to restore any injury to our reputation. As a result, the use of third parties to assist in our business activities heightens the risks to us inherent in those activities.

Given the nature of our business, our business and overall financial performance are affected to a significant extent by economic conditions, primarily in the U.S. Declining or adverse economic conditions and adverse changes in investor, consumer and business sentiment generally result in reduced business activity, which may decrease the demand for our products and services or reduce the number of creditworthy borrowers. The ability of borrowers to repay loans is often weakened as a result of economic downturns, higher inflation and unemployment. This may be further exacerbated by a deterioration in households' finances, particularly if consumers also continue to face high inflation. In addition, adverse economic conditions, including periods of inflation, may limit the availability of, or increase the costs of, capital and labor, erode consumer and customer purchasing power, confidence and spending and may also reduce our tolerance for extending credit. Increases in costs or expenses impacting our customers' operations and financial performance, such as the interest rates payable on their debt obligations, could increase our credit risk or decrease the demand for our products and services. We operate in an uncertain economic environment due to structural and secular changes triggered by the pandemic for certain sectors of the economy combined with increased interest rates, inflation and geopolitical tensions. These conditions may not abate in the near term, and their continuation could materially adversely affect our operations and financial performance. Such economic conditions also have led and may continue to lead to turmoil and volatility in financial markets, often with at least some financial asset categories losing value. Any of these effects would likely have an adverse impact on our operations and financial performance, with the significance of the impact generally depending on the nature and severity of the adverse economic conditions. Even when economic conditions are relatively good or stable, specific economic factors can negatively affect our business and performance. This can be especially true when the factors relate to particular segments of the economy. For example, as remote work continues to be a feasible alternative to pre-pandemic in-office work arrangements, notable portions of available commercial real estate space remain underutilized. This likely decreases demand for financial services in that sector and harms the creditworthiness of some of our office commercial real estate customers, as well as businesses whose customers have historically been office workers. Given the geographic scope of our business and operations, we are most exposed to issues within the U.S. economy and financial markets. Our foreign business activities continue to be a relatively small part of our overall business. As a result, the direct impact on our business and financial performance from economic conditions outside the U.S. is not likely to be significant, although the impact would increase if we expanded our foreign business more than nominally. We are, however, susceptible to the risk that foreign economic conditions and geopolitical tensions could negatively affect our business and financial performance. Primarily, this risk results from the possibility that poor economic conditions or financial market disruptions affecting other major economies would also affect the U.S. Throughout the remainder of this Risk Factors section, we address specific ways in which economic issues could create risk for us and result in adverse impacts on our business and financial performance.