US Bancorp (USB) Risk Factors

The Company faces significant legal risks in its businesses, and the volume of claims and amount of damages and penalties claimed in litigation and governmental proceedings against it and other financial institutions are substantial. Customers, clients and other counterparties are making claims for substantial or indeterminate amounts of damages, while banking regulators and certain other governmental authorities have focused on enforcement. The Company is named as a defendant or is otherwise involved in many legal proceedings, including class actions and other litigation. As a participant in the financial services industry, it is likely that the Company will continue to experience a high level of litigation related to its businesses and operations in the future. Substantial legal liability or significant governmental action against the Company could materially impact the Company’s financial condition and results of operations (including because such matters may be resolved for amounts that exceed established accruals for a particular period) or cause significant reputational harm to the Company. Since 2020, many financial institutions, including the Company, have received regulatory and governmental inquiries regarding participation directly or on behalf of customers and clients in United States government programs designed to support individuals, households and businesses impacted by the economic disruptions caused by the COVID-19 pandemic. The Company’s participation in these and other programs used in response to the COVID-19 pandemic may lead to additional government and regulatory inquiries and litigation in the future, any of which could negatively impact the Company’s business, reputation, financial condition and results of operations.

The Company is subject to complex and evolving laws and regulations, both inside and outside the United States, governing the privacy and protection of personal information. Individuals whose personal information may be protected by law can include the Company’s customers (and in some cases its customers’ customers), prospective customers, job applicants, employees, and the employees of the Company’s suppliers, and third parties. Complying with laws and regulations applicable to the Company’s collection, use, transfer and storage of personal information can increase operating costs, impact the development and marketing of new products or services, and reduce operational efficiency. Any mishandling or misuse of personal information by the Company or a third party affiliated with the Company could expose the Company to litigation or regulatory fines, penalties or other sanctions. In the United States, several states have recently enacted consumer privacy laws that impose compliance obligations with respect to personal information. In particular, the California Consumer Privacy Act (the “CCPA”) and its implementing regulations impose significant requirements on covered companies with respect to consumer data privacy rights. In November 2020, voters in the State of California approved the California Privacy Rights Act (“CPRA”), a ballot measure that amends and supplements the CCPA by, among other things, expanding certain rights relating to personal information and its use, collection, deletion, and disclosure by covered businesses. Compliance with the CCPA, the CPRA after it becomes effective, and other state statutes, common law, or regulations designed to protect consumer, employee, or job applicant personal information could potentially require substantive technology infrastructure and process changes across many of the Company’s businesses. Non-compliance with the CCPA, CPRA, or similar laws and regulations could lead to substantial regulatory fines and penalties, damages from private causes of action, and/or reputational harm. The Company cannot predict whether any pending or future state or federal legislation will be adopted, or the substance and impact of any legislation on the Company. Future legislation could result in substantial costs to the Company and could have an adverse effect on its business, financial condition and results of operations. In addition, standards for personal data transfers from outside the United States are constantly changing, including the revisions made by the European Economic Area and Switzerland in 2021. Compliance with these changes and any future changes to data transfer or privacy requirements could potentially require the Company to make significant technological and operational changes, any of which could result in substantial costs to the Company, and failure to comply with applicable data protection and privacy laws could subject the Company to fines or regulatory oversight. Additional risks could arise from the failure of the Company or third parties to provide adequate disclosure or transparency to the Company’s customers about the personal information collected from them and the use of such information; to receive, document, and honor the privacy preferences expressed by the Company’s customers; to protect personal information from unauthorized disclosure; or to maintain proper training on privacy practices for all employees or third parties who have access to personal information. Concerns regarding the effectiveness of the Company’s measures to safeguard personal information and abide by privacy preferences, or even the perception that those measures are inadequate, could cause the Company to lose existing or potential customers and thereby reduce its revenues. In addition, any failure or perceived failure by the Company to comply with applicable privacy or data protection laws and regulations could result in requirements to modify or cease certain operations or practices, and/or in material liabilities or regulatory fines, penalties, or other sanctions. Refer to “Supervision and Regulation” in the Company’s Annual Report on Form 10-K for additional information regarding data privacy laws and regulations. Any of these outcomes could damage the Company’s reputation and otherwise adversely affect its business.

The Company’s business activities and earnings are affected by general business conditions in the United States and abroad, including factors such as the level and volatility of short-term and long-term interest rates, inflation, home prices, unemployment and under-employment levels, bankruptcies, household income, consumer spending, fluctuations in both debt and equity capital markets, liquidity of the global financial markets, the availability and cost of capital and credit, investor sentiment and confidence in the financial markets, and the strength of the domestic and global economies in which the Company operates. Changes in these conditions caused by the COVID-19 pandemic adversely affected the Company’s consumer and commercial businesses and securities portfolios, its level of charge-offs and provision for credit losses, and its results of operations during 2020 and 2021, and other future changes in these conditions, whether related to the COVID-19 pandemic or otherwise, could have additional adverse effects on the Company and its businesses. Given the high percentage of the Company’s assets represented directly or indirectly by loans, and the importance of lending to its overall business, weak economic conditions caused by COVID-19 negatively affected the Company’s business and results of operations, including new loan origination activity, existing loan utilization rates and delinquencies, defaults and the ability of customers to meet obligations under the loans. Although the effects of COVID-19 were mitigated in part by governmental programs, availability of vaccines and the Company’s measures to assist its borrowers, there can be no assurances that such measures will continue to be effective or that there will be future governmental programs. In addition, future deterioration in economic conditions, whether caused by COVID-19 or other events, could have adverse effects on loan origination activity, loan utilization rates and delinquencies, defaults and the ability of customers to meet loan obligations. The value to the Company of other assets such as investment securities, most of which are debt securities or other financial instruments supported by loans, similarly have been, and would be, negatively impacted by widespread decreases in credit quality resulting from a weakening of the economy. In addition, volatility and uncertainty related to inflation and its effects, which could potentially contribute to poor economic conditions, may contribute to or enhance some of the risks described herein. For example, higher inflation could reduce demand for the Company’s products, adversely affect the creditworthiness of its borrowers or result in lower values for its interest-earning assets and investment securities. Any of these effects, or others that the Company is not able to predict, could adversely affect its financial condition or results of operations. Any deterioration in global economic conditions could damage the domestic economy or negatively impact the Company’s borrowers or other counterparties that have direct or indirect exposure to these regions. Such global disruptions, including disruptions in supply chains or geopolitical risk, can undermine investor confidence, cause a contraction of available credit, or create market volatility, any of which could have material adverse effects on the Company’s businesses, results of operations, financial condition and liquidity, even if the Company’s direct exposure to the affected region is limited. Global political trends toward nationalism and isolationism, could increase the probability of a deterioration in global economic conditions.

The Company experiences numerous attacks on its computer systems, software, networks and other technology assets daily, and the number of attacks is increasing. Although the Company devotes significant resources to maintain and regularly upgrade its systems and processes that are designed to protect the security of the Company’s computer systems, software, networks and other technology assets, as well as its intellectual property, and to protect the confidentiality, integrity and availability of information belonging to the Company and its customers, the Company’s security measures may not be effective. Adversaries continue to develop more sophisticated cyber attacks that could impact the Company. Many banking institutions, retailers and other companies engaged in data processing, including software and information technology service providers, have reported breaches in the security of their websites or other systems, some of which have involved sophisticated and targeted attacks intended to obtain unauthorized access to confidential information, destroy data, disable or degrade service, or sabotage systems, often through the introduction of computer viruses or malware, cyber attacks and other means. Attacks on financial or other institutions important to the overall functioning of the financial system could also adversely affect, directly or indirectly, aspects of the Company’s businesses. The increasing consolidation, interdependence and complexity of financial entities and technology systems increases the risk of operational failure, both for the Company and on an industry-wide basis, and means that a technology failure, cyber attack, or other information or security breach that significantly degrades, deletes or compromises the systems or data of one or more financial entities could materially affect counterparties or other market participants, including the Company. Third parties that facilitate the Company’s business activities, including exchanges, clearinghouses, payment and ATM networks, financial intermediaries or vendors that provide services or technology solutions for the Company’s operations, could also be sources of operational and security risks to the Company, including with respect to breakdowns or failures of their systems, misconduct by their employees or cyber attacks that could affect their ability to deliver a product or service to the Company or result in lost or compromised information of the Company or its customers. The Company’s ability to implement back-up systems or other safeguards with respect to third-party systems is limited. Furthermore, an attack on or failure of a third-party system may not be revealed to the Company in a timely manner, which could compromise the Company’s ability to respond effectively. Some of these third parties may engage vendors of their own, which introduces the risk that these “fourth parties” could be the source of operational and security failures. In addition, if a third party or fourth party obtains access to the customer account data on the Company’s systems, and that party experiences a breach or misappropriates such data, the Company and its customers could suffer material harm, including heightened risk of fraudulent transactions, losses from fraudulent transactions, increased operational costs to remediate any security breach and reputational harm. These risks are expected to continue to increase as the Company expands its interconnectivity with its customers and other third parties. During the past several years a number of retailers and hospitality companies have disclosed substantial cyber security breaches affecting debit and credit card accounts of their customers, some of whom were the Company’s cardholders and who may experience fraud on their card accounts as a result of a breach. The Company might suffer losses associated with reimbursing its customers for such fraudulent transactions, as well as for other costs related to data security compromise events, such as replacing cards associated with compromised card accounts. These attacks involving Company cards are likely to continue and could, individually or in the aggregate, have a material adverse effect on the Company’s financial condition or results of operations. It is possible that the Company may not be able to anticipate or to implement effective preventive measures against all security breaches of these types, because the techniques used change frequently, generally increase in sophistication, often are not recognized until launched, sometimes go undetected even when successful, and originate from a wide variety of sources, including organized crime, hackers, terrorists, activists, hostile foreign governments and other external parties. Those parties may also attempt to fraudulently induce employees, customers or other users of the Company’s systems to disclose sensitive information to gain access to the Company’s data or that of its customers or clients, such as through “phishing” and other “social engineering” schemes. Other types of attacks may include computer viruses, malicious or destructive code, denial-of-service attacks, ransomware or ransom demands. During the COVID-19 pandemic, the Company has experienced increased information security risks, primarily as a result of the increase in work-from-home arrangements. These risks may increase in the future as the Company continues to increase its mobile and internet-based product offerings and expands its internal usage of web-based products and applications, which is expected to remain elevated at least as long as the COVID-19 pandemic continues. In addition, the Company’s customers often use their own devices, such as computers, smart phones and tablet computers, to make payments and manage their accounts, and are subject to “phishing” and other attempts from cyber criminals to compromise or deny access to their accounts. The Company has limited ability to assure the safety and security of its customers’ transactions with the Company to the extent they are using their own devices, which have been, and likely will continue to be, subject to such threats. In the event that the Company’s physical or cyber security systems are penetrated or circumvented, or an authorized user intentionally or unintentionally removes, loses or destroys operations data, serious negative consequences for the Company can follow, including significant disruption of the Company’s operations, misappropriation of confidential Company and/or customer information, or damage to the Company’s or customers’ or counterparties’ computers or systems. These consequences could result in violations of applicable privacy and other laws; financial loss to the Company or to its customers; loss of confidence in the Company’s security measures; customer dissatisfaction; significant litigation exposure; regulatory fines, penalties or intervention; reimbursement or other compensatory costs (including the costs of credit monitoring services); additional compliance costs; and harm to the Company’s reputation, all of which could adversely affect the Company. Because the investigation of any information security breach is inherently unpredictable and would require substantial time to complete, the Company may not be able to quickly remediate the consequences of any breach, which may increase the costs, and enhance the negative consequences associated with a breach. In addition, to the extent the Company’s insurance covers aspects of any breach, such insurance may not be sufficient to cover all of the Company’s losses.

The Company engages in leasing activities and is subject to the risk that the residual value of the property under lease will be less than the Company’s recorded asset value. Adverse changes in the residual value of leased assets can have a negative impact on the Company’s financial results. The risk of changes in the realized value of the leased assets compared to recorded residual values depends on many factors outside of the Company’s control, including supply and demand for the assets, condition of the assets at the end of the lease term, and other economic factors.

The Company operates in a highly competitive industry that could become even more competitive as a result of legislative, regulatory and technological changes, as well as continued industry consolidation, which may increase in connection with current economic and market conditions. This consolidation may produce larger, better-capitalized and more geographically diverse companies that are capable of offering a wider array of financial products and services at more competitive prices. The Company competes with other commercial banks, savings and loan associations, mutual savings banks, finance companies, mortgage banking companies, credit unions, investment companies, credit card companies, and a variety of other financial services and advisory companies. Legislative or regulatory changes also could lead to increased competition in the financial services sector. For example, the Economic Growth Act and the Tailoring Rules have reduced the regulatory burden of large bank holding companies, including the Company and some of its competitors, and raised the asset thresholds at which more onerous requirements apply, which could cause certain large bank holding companies with less than $250 billion in total consolidated assets, which were previously subject to more stringent enhanced prudential standards, to become more competitive or to pursue expansion more aggressively. The adoption and rapid growth of new technologies, including cryptocurrencies and blockchain and other distributed ledger technologies, have required the Company to invest resources to adapt its systems, products and services, and it expects to continue to make similar investments. In addition, technology has lowered barriers to entry and made it possible for non-banks to offer products and services, such as loans and payment services, that traditionally were banking products, and made it possible for technology companies to compete with financial institutions in providing electronic, internet-based, and mobile phone–based financial solutions. Competition with non-banks, including technology companies, to provide financial products and services is intensifying. In particular, the activity of financial technology companies (“fintechs”) has grown significantly over recent years and is expected to continue to grow. Fintechs have and may continue to offer bank or bank-like products. For example, a number of fintechs have applied for bank or industrial loan charters, which, in some cases, have been granted. In addition, other fintechs have partnered with existing banks to allow them to offer deposit products or payment services to their customers. Many of these companies, including the Company’s competitors, have fewer regulatory constraints, and some have lower cost structures, in part due to lack of physical structures. Also, the potential need to adapt to industry changes in information technology systems, on which the Company and financial services industry are highly dependent, could present operational issues and require capital spending. The Company’s ability to compete successfully depends on a number of factors, including, among others, its ability to develop and execute strategic plans and initiatives; developing, maintaining and building long-term customer relationships based on quality service, competitive prices, high ethical standards and safe, sound assets; and industry and general economic trends. A failure to compete effectively could contribute to downward price pressure on the Company’s products or services or a loss of market share.

The Company’s success depends, in part, on its ability to adapt its products and services to evolving industry standards. There is increasing pressure to provide products and services at lower prices. Lower prices can reduce the Company’s net interest margin and revenues from its fee-based products and services. In addition, the adoption of new technologies or further developments in current technologies require the Company to make substantial expenditures to modify or adapt its existing products and services. Also, these and other capital investments in the Company’s businesses may not produce expected growth in earnings anticipated at the time of the expenditure. The Company might not be successful in developing or introducing new products and services, adapting to changing customer preferences and spending and saving habits (which may be altered significantly and with little warning, such as during the COVID-19 pandemic), achieving market acceptance of its products and services, or sufficiently developing and maintaining loyal customer relationships.

Reputation risk, or the risk to the Company’s business, earnings and capital from negative public opinion, is inherent in the Company’s business. Negative public opinion about the financial services industry generally or the Company specifically could adversely affect the Company’s ability to keep and attract customers, investors, and employees and could expose the Company to litigation and regulatory action. Negative public opinion can result from the Company’s actual or alleged conduct in any number of activities, including lending practices, cybersecurity breaches, failures to safeguard personal information, discriminating or harassing behavior of employees toward other employees or customers, mortgage servicing and foreclosure practices, compensation practices, sales practices, regulatory compliance, mergers and acquisitions, and actions taken by government regulators and community organizations in response to that conduct. In addition, failure to deliver against environmental, social and governance (“ESG”) goals and objectives could present reputational and financial harm to the Company. Many of the Company’s stakeholders, including investors, communities, customers, and employees, have increased expectations regarding how corporations are establishing and meeting ESG objectives when considering whether to conduct business with, invest in, or otherwise work with the Company. If the Company is unable to design or execute against business strategies that support ESG initiatives, reputational damage could result, leading to a loss of customers or negative investor sentiment. Although the Company takes steps to minimize reputation risk in dealing with customers and other constituencies, the Company, as a large diversified financial services company with a high industry profile, is inherently exposed to this risk.