Risk Factors Dashboard
Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.
View risk factors by ticker
Search filings by term
Risk Factors - AXP
-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing
ITEM 1A. RISK FACTORS
While we do not believe that our business strategy, results of operations or financial condition have been materially adversely affected by any cybersecurity incidents, cybersecurity threats are pervasive and, similar to other global financial institutions, we, as well as our customers, colleagues, regulators, service providers and other third parties, have experienced a significant increase in information security and cybersecurity risk in recent years and will likely continue to be the target of cyberattacks. We continue to assess the risks and changes in the cyber environment, invest in enhancements to our cybersecurity capabilities, and engage in industry and government forums to promote advancements in our cybersecurity capabilities, as well as the broader financial services cybersecurity ecosystem. For more information on risks to us from cybersecurity threats, see “A major information or cybersecurity incident could lead to reputational damage to our brand and material legal, regulatory and financial exposure, and could reduce the use and acceptance of our products and services.” under “Risk Factors.”
Under our cybersecurity governance framework, our Board and Risk Committee are primarily responsible for overseeing and governing the development, implementation and maintenance of our TRIS program, with our Board designating our Risk Committee to provide oversight and governance of technology and cybersecurity risks. Our Board receives an update on cybersecurity at least once a year from our CISO or their designee. Our Risk Committee receives reports on cybersecurity at least twice a year, including in at least one joint meeting with our Audit and Compliance Committee, and our Board and these committees all receive ad hoc updates as needed. In addition, our Risk Committee annually approves our TRIS program. Our CISO leads the strategy, engineering and operations of cybersecurity across the Company and is responsible for providing annual updates to our Board, the ERMC and the TDRRC on our TRIS program, as well as ad hoc updates on information security and cybersecurity matters. Our current CISO has held a series of roles in telecommunications, networking and information security at American Express, including promotion to the CISO role in 2013, and is also responsible for technology risk management. Prior to joining American Express, our current CISO served in a variety of technology leadership roles at a public pharmaceutical and biotechnology company for 14 years. Our CISO reports to the Chief Information Officer, information about whom is included in “Information About Our Executive Officers” under “Business.”
This section highlights certain risks that could affect us and our businesses, broadly categorized in accordance with the risk types identified in our risk governance framework: “Strategic and Reputational Risks,” “Operational and Compliance Risks” and “Credit, Market and Liquidity Risks.” You should carefully consider each of the following risks and all of the other information set forth in this Annual Report on Form 10-K, including in “Risk Management” under “MD&A,” which describes our approach to identifying, monitoring and managing the risks we assume in conducting our businesses and provides certain quantitative and qualitative disclosures about market risks. Although we have devoted and continue to devote significant resources to develop and strengthen our risk management capabilities and control environment, we may not be successful in meeting regulatory expectations and managing the risks to which we are exposed. Although we have devoted significant resources to develop our risk management policies and procedures and expect to continue to do so in the future, these policies and procedures, as well as our risk management techniques, may not be fully effective in managing the risks to which we are exposed.
The risks and uncertainties we face are not limited to those described below. Additional risks and uncertainties not presently known to us or that we currently believe to be immaterial may also adversely affect our business.
Strategic and Reputational Risks
Macroeconomic conditions are a major driver of our results of operations and changes in the business and economic environment may materially adversely affect our business.
We offer a broad array of products and services to consumers, small businesses, mid-sized companies and large corporations and thus are very dependent upon the level of consumer and business activity and the demand for payment and financing products. Slow economic growth, economic contraction, persistent inflationary pressures or shifts in broader consumer and business trends can significantly impact customer behaviors, including spending on our cards, the ability and willingness of Card Members to borrow and pay amounts owed to us, demand for fee-based products and services and levels of customers’ deposits with us. Slow economic growth, economic contraction or shifts in broader consumer and business trends significantly impact customer behaviors, including spending on our cards, the ability and willingness of Card Members to borrow and pay amounts owed to us, demand for fee-based products and services and levels of customers’ deposits with us.
Factors such as consumer spending and confidence, household income and housing prices, levels of unemployment and underemployment, business investment and inventory levels, bankruptcies, geopolitical instability, public policy decisions and uncertainty, government spending and debt, international trade relationships, tariffs, interest rates, taxes, inflation and deflation (including the effects of related governmental responses), impacts of new technologies, energy costs and availability of capital and credit all affect the economic environment and, ultimately, our profitability.Factors such as consumer spending and confidence, household income and housing prices, unemployment rates, business investment and inventory levels, bankruptcies, geopolitical instability, public policy decisions, government spending, international trade relationships, tariffs, interest rates, taxes, inflation and deflation (including the effects of related governmental responses), energy costs and availability of capital and credit all affect the economic environment and, ultimately, our profitability. Additionally, sustained periods of high inflation may, among other things, increase certain of our expenses and erode consumer purchasing power, confidence and spending. An economic downturn or recession may result in higher unemployment and lower household income, consumer spending, corporate earnings and business investment, which may negatively impact spending on our cards and demand for our products, and increase delinquencies and write-off rates.
Spending by our premium consumer Card Members, for example, is sensitive to personal discretionary spending levels and tends to decline during general economic downturns. Likewise, spending by small business and corporate clients, which comprised approximately 41 percent of our worldwide billed business during 2025, depends in part on the economic environment and a favorable climate for continued business investment and new business formation. The consequences of negative circumstances impacting us or the economic environment generally can be sudden and severe and can impact customer types and geographies in which we operate in very different ways.
Our business is subject to the effects of geopolitical conditions, weather, natural disasters and other catastrophic events.
Geopolitical conditions, terrorist attacks, military conflicts, supply chain issues, natural disasters, severe weather, widespread health emergencies or pandemics, information or cybersecurity incidents (including intrusion into or degradation or unavailability of systems or technology by cyberattacks), operational incidents and other catastrophic events can have a material adverse effect on our business. Political and social conditions, including geopolitical instability (such as from tensions involving China and the United States), fiscal and monetary policies (including developments related to the U.S. federal deficit, debt ceiling, government shutdowns and other budgetary issues), trade wars and tariffs, labor shortages, regional or domestic hostilities, economic sanctions and the prospect or occurrence of more widespread conflicts could also negatively affect our business, operations and partners, consumer and business spending, including travel patterns and business investment, and demand for credit. Pandemics and other health emergencies can have widespread and unpredictable impacts on global society, economic conditions and consumer and business behavior. Pandemics and other health emergencies can have widespread and unpredictable impacts on global society, economic conditions and consumer and business behavior, which may reoccur or occur over an extended duration, such as the macroeconomic and behavioral impacts during the COVID-19 pandemic. Because we derive a portion of our revenues from travel-related spending and many of our partners’ businesses relate to travel, our business is sensitive to impacts to travel and tourism, such as health and safety concerns and limitations on travel and mobility. In addition, disruptions in air travel and other forms of travel can result in the payment of claims under travel protection products we offer.
We are a multinational company that derives a substantial portion of its revenues from activities outside of the United States and many of our U.S. customers have an international presence or are otherwise affected by global developments. Accordingly, events that impact international relations and geopolitical stability may have a significant impact on our business. For example, several countries have implemented and are considering the further implementation of tariffs, trade barriers or restrictions and other retaliatory international or domestic policies, as well as other measures affecting cross-border commerce, migration and the flow of information. These actions have had and may likely continue to have broad consequences for the global economy and regional and country economies, as well as impacts to global supply chains and negative effects on our customers and partners, which may adversely affect our business.
There are multiple ongoing military conflicts around the world and geopolitical tensions may result in additional conflicts or escalate existing conflicts. Such conflicts have led to economic uncertainty and market disruptions. For example, as a result of the Russian invasion of Ukraine, we exited our business operations in Russia and Belarus. Geopolitical conditions may adversely affect macroeconomic conditions and our business in a number of ways, including potential retaliatory action against companies such as us and our clients and partners, further sanctions activity and export controls, heightened regulatory scrutiny, increased inflation, further increases or fluctuations in goods and energy prices, decreases in global travel, further disruptions to the global
22
supply chain and increased prevalence and sophistication of cyberattacks. If international political instability and geopolitical tensions continue or increase, our business and results of operations could be harmed.
Hurricanes, wildfires and other natural disasters have impacted, and may continue to impact, spending and credit performance in the areas affected. Disasters and catastrophic events, and the impact of such events on certain industries or the overall economy, could have a negative effect on our business, results of operations and infrastructure, including our technology and systems and those of our partners and suppliers. Climate-related risks may exacerbate certain of these threats, including the frequency and severity of weather-related events. Card Members in California, Florida, New York, Texas, Georgia and New Jersey account for a significant portion of U.S. consumer and small business billed business and Card Member loans, and our results of operations could be impacted by events or conditions that disproportionately or specifically affect one or more of those states.
Our operating results may materially suffer because of substantial and increasingly intense competition worldwide in the payments industry.
The payments industry is highly competitive, and we compete with networks, issuers, acquirers and other payment service providers and methods of payment, including paper-based transactions (e.g., cash and checks) and electronic transfers (e.g., wire transfers and ACH), as well as evolving and growing alternative mechanisms, systems and products (e.g., web- and mobile-based payment platforms). If we are not able to differentiate ourselves from our competitors, develop compelling value propositions for our customers and/or effectively use emerging technologies to grow in evolving areas such as digital payments and agentic commerce, we may not be able to compete effectively. If we are not able to differentiate ourselves from our competitors, develop compelling value propositions for our customers and/or effectively grow in areas such as digital payments and emerging technologies, we may not be able to compete effectively.
We believe Visa and Mastercard are larger than we are in most countries based on purchase volume. As a result, card issuers and acquirers on the Visa and Mastercard networks may be able to benefit from the dominant position, scale, resources, marketing and pricing of those networks. Our business may also be negatively affected if we are unable to continue increasing merchant acceptance (including by merchants that accept cards on the Visa and Mastercard networks) and perceptions of coverage, or if our Card Members do not experience welcome acceptance of our cards.
Some of our competitors have substantially greater scale and resources than we have and may offer richer value propositions or a wider range of programs and services than we offer or may use more effective strategies to acquire and retain more customers, capture a greater share of spending and borrowings, develop more attractive cobrand card and other partner programs, obtain more favorable terms with merchants and maintain greater merchant acceptance than we have. Competition may also intensify as participants in the payments industry merge or enter into joint ventures or other partnerships or business combinations, which may create advantages in competing with our products and services. Competition may also intensify as participants in the payments industry merge or enter into joint ventures or other business combinations that compete with our products and services. Government actions or initiatives may also provide competitors with increased opportunities to derive competitive advantages and may create new competitors, including in some cases a government entity. We may not be able to compete effectively against these threats or respond or adapt to changes in customer behavior, such as Card Member spending and borrowing or merchant acceptance, as effectively as our competitors. We may not be able to compete effectively against these threats or respond or adapt to changes in consumer spending and borrowing or merchant acceptance as effectively as our competitors. Costs such as Card Member rewards and Card Member services expenses could continue to increase as we evolve our value propositions, including in response to increased competition. Competitors may also use AI technologies more effectively than us or partner with companies that do so, which may increase the attractiveness and availability of their products and services and allow them to offer greater value propositions and realize greater operational efficiencies.We face continued intense competitive pressure that may materially impact the prices we charge for accepting our cards for payment, as well as the risk of losing merchant relationships, which could have a material adverse impact on our business and results of operations.
The payments industry is complex and continues to undergo changes in response to evolving technologies and customer preferences. Spending on our cards could continue to be impacted by increasing usage of credit and debit cards issued on other networks and real-time settlement transactions, such as bank transfers, as well as adoption of alternative payment mechanisms, systems and products, such as digital currencies.Spending on our cards could continue to be impacted by increasing usage of credit and debit cards issued on other networks and real-time settlement transactions, such as bank transfers, as well as adoption of alternative payment mechanisms, systems and products. The fragmentation of Card Member spending, such as to take advantage of different merchant or card incentives, for convenience with technological solutions or as a result of point-of-sale practices that impact merchant acceptance (e. The fragmentation of customer spending, such as to take advantage of different merchant or card incentives, as a result of point-of-sale practices that impact merchant acceptance (e. g., surcharging or differential acceptance), may continue to increase., surcharging or differential acceptance) or for convenience with technological solutions, may continue to increase. Revolving credit balances on our cards could also be impacted by alternative financing providers, such as point-of-sale lenders and buy now, pay later products. Regulatory and legislative changes may also significantly alter the competitive landscape, including by facilitating alternative payment or financing mechanisms, such as recent legislation in the U.S. establishing a regulatory framework for stablecoins, or by imposing constraints on payment or financing mechanisms, such as proposals to cap credit card interest rates. To the extent other payment and financing mechanisms, systems and products continue to successfully expand, our discount revenues earned from Card Member spending and our net interest income earned from Card Member borrowing could be negatively impacted. In addition, companies that control access to consumer and merchant payment method choices at the point of sale or through digital wallets, agentic or other commerce-related experiences, mobile applications or other technologies could choose not to accept, suppress use of, or degrade the experience of using our products or could restrict our access to our customers and transaction data. In addition, companies that control access to consumer and merchant payment method choices at the point of sale or through digital wallets, commerce-related experiences, mobile applications or other technologies could choose not to accept, suppress use of, or degrade the experience of using our products or could restrict our access to our customers and transaction data. Such companies could also require payments from us to participate in such digital wallets, experiences or applications or negotiate incentives or pricing concessions, impacting our profitability on transactions. As AI technologies are increasingly integrated into payments and related services, such as through the adoption of agentic commerce, these dynamics may accelerate and new dynamics that are difficult to predict may develop, any of which may disadvantage our business.
The competitive value of our data and demand for our products and services may also be diminished as traditional and non-traditional competitors use other, new data sources and technologies, including generative AI, to derive similar insights and by certain regulations. Open banking initiatives, including those promoted by governments and regulators, may result in a number of challenges to our business model, such as disintermediating us from our customers, steering customers away from our products and services or decreasing our attractiveness to partners. Open banking initiatives that are increasingly being promoted by governments and regulators may result in a number of challenges to our business model, such as disintermediating us from our customers, steering customers away from our products and services or decreasing our attractiveness to partners. Competitors have also sought to create their own integrated payments platforms and may have competitive advantages in doing so as compared to our business.
To the extent we expand into, or further grow in, new business areas, such as new products and services that complement our card products, and new geographic regions, we will face competitors with more experience and more established relationships with relevant customers, regulators and industry participants, which could adversely affect our ability to compete. Laws and business practices that favor local competitors, require card transactions to be routed over domestic networks or prohibit or limit foreign ownership of certain businesses could limit our growth in international regions.
23
We may face additional compliance and regulatory risks to the extent that we expand into new business areas, and we may need to dedicate more expense, time and resources to comply with regulatory requirements than our competitors, particularly those that are not regulated financial institutions.
Many of our competitors are subject to different, and in some cases, less stringent, legislative and regulatory regimes, and some may have lower cost structures and more agile business models and systems.24Table of ContentsMany of our competitors are subject to different, and in some cases, less stringent, legislative and regulatory regimes, and some may have lower cost structures and more agile business models and systems. For example, banking regulators are increasingly open to issuing limited-purpose licenses to allow companies to conduct certain banking activities under more limited regulatory requirements. More restrictive laws and regulations that do not apply to all of our competitors can put us at a disadvantage, including prohibiting us from engaging in certain transactions, regulating our business practices or adversely affecting our cost structure.
We face intense competition for partner relationships, which could result in a loss or renegotiation of these arrangements that could have a material adverse impact on our business and results of operations.
In the ordinary course of our business we enter into different types of contractual arrangements with business partners in a variety of industries. For example, we work with partners such as Delta, Marriott, British Airways and Hilton to offer cobranded cards for consumers and small businesses, and with partners in many industries, including Delta, to offer benefits and rewards to Card Members. Other aspects of our customer value propositions also increasingly rely on our ability to co-create and co-fund value with partners, such as statement credits for purchases with partners and travel and dining benefits.We face intense competition for partner relationships, which could result in a loss or renegotiation of these arrangements that could have a material adverse impact on our business and results of operations. See “Partners and Relationships” under “Business” for additional information on our business partnerships, including with Delta.
Competition for relationships with key business partners is very intense and there can be no assurance we will be able to grow or maintain these partner relationships or that they will remain as profitable or valued by our customers. Establishing and retaining attractive cobrand card partnerships is particularly competitive among card issuers and networks as these partnerships typically appeal to high-spending loyal customers. All of our cobrand portfolios in the aggregate accounted for approximately 26 percent of our worldwide billed business for the year ended December 31, 2025. Card Member loans related to our cobrand portfolios accounted for approximately 36 percent of our worldwide Card Member loans as of December 31, 2025.
Cobrand and other partner arrangements are generally entered into for a fixed period and will terminate in accordance with their terms, including at the end of the fixed period unless extended or renewed at the option of the parties, or upon early termination as a result of an event of default or otherwise. We face the risk that we could lose partner relationships, even after we have invested significant resources in the relationships. Additionally, partners may make changes to the products and services they offer or otherwise become less desirable to our customers, which may lower the value of our products, such as cards with embedded partner value and the cobranded cards we issue to our customers. Additionally, partners may make changes to the products and services they offer or otherwise become less desirable to our customers, which may lower the value of our products, such as the cobranded cards we issue to our customers. We also may not renew certain relationships, such as our Amazon and Lowe’s small business cobrand portfolios, which, as previously disclosed, have been reclassified to held for sale on our Consolidated Balance Sheets. Billed business could decline and Card Member attrition could increase, in each case, significantly as a result of the termination of one or more partnership relationships. In addition, some of our cobrand arrangements provide that, upon expiration or termination, the cobrand partner may purchase or designate a third party to purchase the loans generated with respect to such cobranded card portfolio, which could result in the loss of the card accounts and a significant decline in our Card Member loans outstanding.
We regularly seek to extend or renew cobrand and other partner arrangements in advance of the end of the contract term and face the risk that existing relationships will be renegotiated with less favorable terms for us or that we may be unable to renegotiate on terms that are acceptable to us, as competition for such relationships continues to increase.We regularly seek to extend or renew cobrand arrangements in advance of the end of the contract term and face the risk that existing relationships will be renegotiated with less favorable terms for us or that we may be unable to renegotiate on terms that are acceptable to us, as competition for such relationships continues to increase. We make payments to our cobrand partners, which can be significant, based primarily on the amount of Card Member spending and corresponding rewards earned on such spending and, under certain arrangements, on the number of accounts acquired and retained. The amount we pay to our cobrand partners has increased, particularly in the United States, and may continue to increase as arrangements are renegotiated due to increasingly intense competition for cobrand partners among card issuers and networks.
The loss of exclusivity arrangements with business partners, the loss of the partner relationship altogether (whether by non-renewal at the end of the contract period, such as the end of our relationship with Costco in the United States in 2016, or as the result of a merger, legal or regulatory action or otherwise) or the renegotiation of existing partnerships with terms that are significantly worse for us could have a material adverse impact on our business and results of operations. See “Our business is subject to evolving and comprehensive government regulation and supervision, which could materially adversely affect our results of operations and financial condition” above for information on the uncertainty regarding our cobrand and agent relationships in the EU. In addition, any publicity associated with the loss of any of our key business partners could harm our reputation, making it more difficult to attract and retain Card Members and merchants, and could weaken our negotiating position with our remaining and prospective business partners.
Arrangements with our business partners represent a significant portion of our business. We are exposed to risks associated with our business partners, including reputational issues, business slowdowns, bankruptcies, liquidations, restructurings, consolidations and outages, and the possible obligation to make payments to our partners.
Our success is, in many ways, dependent on the success of our partners. From customer acquisition to cobranding arrangements, from providing rewards and benefits to customers to facilitating B2B supplier payments for our corporate clients, we rely on our business partners across many aspects of our company and our arrangements with business partners represent a significant portion of our business. From customer acquisition to cobranding arrangements, from participation in our rewards programs to facilitating B2B supplier payments for our corporate clients, we rely on our business partners across many aspects of our company and our arrangements with business partners represent a significant portion of our business. For example, our two largest redemption partners are Amazon and Delta. Some of our partners manage certain aspects of our customer relationships, such as our OptBlue program participants. To the extent any of our partners fail to effectively promote and support our products, experience a slowdown in their business, operational disruptions, reputational issues or loss of consumer confidence, or are otherwise unable to meet our expectations or those of their other stakeholders, our business may be materially negatively impacted. We also face the risk that existing relationships will be renegotiated with less favorable terms for us or that we may be unable to renegotiate on terms that are acceptable to us. In addition, we may be obligated to make or accelerate payments to certain business partners such as cobrand partners upon the occurrence of certain triggering events such as a
24
shortfall in certain performance and revenue levels. If we are not able to effectively manage these triggering events, we could unexpectedly have to make payments to these partners, which could have a negative effect on our financial condition and results of operations. See Note 12 to the “Consolidated Financial Statements” for additional information on financial commitments related to agreements with certain cobrand partners.
Similarly, we are exposed to risk from bankruptcies, liquidations, insolvencies, financial distress, restructurings, structural shifts in the economy, consolidations, operational outages, cybersecurity incidents and other similar events that may occur in any industry representing a significant portion of our billed business or with respect to any of our important business partners (such as those with whom we co-create and co-fund value for customers), which could negatively impact particular card products and services (and volumes generally) and our financial condition and results of operations. Such disruptions or other events could interrupt or compromise the quality of our services to customers, impact the confidentiality, integrity, availability and security of our data, lead to fraudulent transactions on our cards or other products, impact our business, cause brand or reputational damage, and lead to costs associated with responding to such a disruption, including notification and remediation costs, costs to switch service providers or move operations in house, regulatory investigations and fines and increased regulatory oversight and litigation. We have previously and may in the future pre-purchase loyalty points from certain of our cobrand partners, the value of which may diminish to the extent such partners cease operations or such points become less desirable to our customers. We could also be materially impacted if we were obligated or elected to reimburse Card Members for products and services purchased from merchants that have ceased operations or stopped accepting our cards. For example, we are exposed to credit risk in the airline industry to the extent we protect Card Members against non-delivery of purchases, such as where we have remitted payment to an airline for a Card Member purchase of tickets that have not yet been used or “flown.” If we are unable to collect the amount from the airline, we may bear the loss for the amount credited to the Card Member. Spending at airline merchants accounted for approximately 6 percent of our worldwide billed business for the year ended December 31, 2025.
For additional information relating to operational risks of our business partners, see “We rely on third-party providers for acquiring and servicing customers, technology, platforms and other services integral to the operations of our businesses. These third parties may act in ways or experience issues that could materially harm our business” below.
We face continued intense competitive pressure that may materially impact the prices we charge for accepting our cards for payment, as well as the risk of losing merchant relationships, which could have a material adverse impact on our business and results of operations.
We face pressure from competitors that primarily rely on sources of revenue other than discount revenue or have lower costs that can make their pricing for card acceptance more attractive. Merchants, business partners and third-party merchant acquirers, processors and payment facilitators are also able to negotiate incentives, pricing concessions and other favorable contractual provisions from us as a condition to accepting our cards, being cobrand partners, offering benefits to our Card Members or signing merchants to accept American Express cards. Merchants, business partners and third-party merchant acquirers, aggregators and processors are also able to negotiate incentives, pricing concessions and other favorable contractual provisions from us as a condition to accepting our cards, being cobrand partners, offering benefits to our Card Members or signing merchants to accept American Express cards. As these parties become even larger (such as the largest tech companies) or as evolving technologies and customer preferences alter the payments landscape, we may have to increase the amount of incentives and/or concessions we provide to them. As these parties become even larger (such as the largest tech companies), we may have to increase the amount of incentives and/or concessions we provide to them. We also face the risk of losing relationships with these parties or that they limit acceptance of our cards, which could materially adversely affect spending on our cards and our ability to retain current Card Members and attract new Card Members and therefore, our business and results of operations.
Our merchant discount rates have been impacted by regulatory changes affecting competitor pricing in certain international countries and U.S. states, as well as litigation related to pricing, and may in the future be impacted by pricing regulation and litigation. We have also experienced erosion of our merchant discount rates as we increase merchant acceptance. We may not be successful in significantly expanding merchant acceptance or offsetting rate erosion with volumes at new merchants. In addition, the regulatory environment and differentiated payment models and technologies from non-traditional players in the alternative payments space could pose challenges to our payment model and adversely impact our merchant discount rates. Some merchants, including large tech companies and other large merchants, continue to invest in their own payment and financing solutions, such as proprietary-branded digital wallets, using both traditional and new technology platforms. If merchants are able to drive broad consumer adoption and usage, it could adversely impact our merchant discount rates and network and loan volumes.
A continuing priority of ours is to drive greater and differentiated value to our merchants that, if not successful, could negatively impact our discount revenue and financial results. We may not succeed in maintaining merchant discount rates or offsetting the impact of declining merchant discount rates, for the reasons discussed above and others, which could materially and adversely affect our revenues and profitability, and therefore our ability to invest in innovation and in value-added services for merchants, business partners and Card Members.
Surcharging, steering or other differential acceptance practices by merchants could materially adversely affect our business and results of operations.
In certain countries, such as Australia (where surcharging is currently under reconsideration), Canada (other than in the Province of Quebec) and certain Member States in the EU, and in certain states in the United States, merchants are permitted by law to engage in surcharging, steering or other differential acceptance practices for certain card purchases and certain merchants and merchant organizations continue to push for these practices in other jurisdictions.In certain countries, such as Australia, Canada (other than in the Province of Quebec) and certain Member States in the EU, and in certain states in the United States, merchants are permitted by law to engage in surcharging, steering or other differential acceptance practices for certain card purchases and certain merchants and merchant organizations continue to push for these practices in other jurisdictions. In jurisdictions where surcharging is not prohibited, we have seen an increase in merchant surcharging on American Express cards, particularly in certain merchant categories, and in some cases, either the surcharge is greater than that applied to cards issued on competing networks or cards issued on competing networks are not surcharged at all (practices that are known as differential surcharging), even though there are many cards issued on competing networks that have an equal or greater cost of acceptance for the merchant. In jurisdictions allowing surcharging, we have seen an increase in merchant surcharging on American Express cards, particularly in certain merchant categories, and in some cases, either the surcharge is greater than that applied to Visa and Mastercard cards or Visa and Mastercard cards are not surcharged at all (practices that are known as differential surcharging), even though there are many cards issued on competing networks that have an equal or greater cost of acceptance for the merchant. In addition to surcharging, we also encounter merchants that accept our cards, but tell their customers that they prefer to accept another type of payment or otherwise seek to suppress use of our cards or certain of our cards, such as limiting the use of our cards for certain transactions.We also encounter merchants that accept our cards, but tell their customers that they prefer to accept another type of payment or otherwise seek to suppress use of our cards or certain of our cards, such as limiting the use of our cards for certain transactions.
Our Card Members value the ability to use their cards where and when they want to, and we, therefore, take steps to meet our Card Members’ expectations and to protect the American Express brand by prohibiting discrimination through provisions in our merchant contracts, including non-discrimination and honor-all-cards provisions, subject to local legal requirements. We generally do not prohibit surcharging in our agreements with merchants so long as it is permitted by law and a merchant does not discriminate against American Express cards by engaging in differential surcharging.
25
American Express cards could become less desirable to consumers and businesses generally due to surcharging, steering or other forms of discrimination, which could result in a decrease in cards-in-force, coverage and transaction volumes, including as a result of related actions we may take to enforce our merchant contractual provisions such as terminating merchant contracts. The impact could vary depending on such factors as: the industry or manner in which a surcharge is levied; how Card Members are surcharged or steered to other card products or payment forms at the point of sale; the ease and speed of implementation for merchants, merchant acquirers, processors, payment facilitators or other merchant service providers, including as a result of new or emerging technologies such as AI and agentic commerce; the size and recurrence of the underlying charges; and whether and to what extent these actions are applied to other forms of payment, including whether it varies depending on the type of card (e. The impact could vary depending on such factors as: the industry or manner in which a surcharge is levied; how Card Members are surcharged or steered to other card products or payment forms at the point of sale; the ease and speed of implementation for merchants, merchant acquirers, aggregators, processors or other merchant service providers, including as a result of new or emerging technologies; the size and recurrence of the underlying charges; and whether and to what extent these actions are applied to other forms of payment, including whether it varies depending on the type of card (e. g., credit or debit), product, network, acquirer or issuer. We also increasingly rely on merchant acquirers, processors and payment facilitators to manage certain aspects of our merchant relationships and promote and support the acceptance and usage of our cards, but they may have business interests, strategies or goals that are inconsistent with ours. Discrimination against American Express cards could have a material adverse effect on our business, financial condition and results of operations, particularly where it only or disproportionately impacts credit card usage or card usage generally, our Card Members or our business.
We may not be successful in our efforts to promote card usage or attract new customers, including through marketing and promotion, merchant acceptance and Card Member rewards and services, or to effectively control the costs of such investments, all of which may materially impact our profitability.We may not be successful in our efforts to promote card usage or attract new Card Members, including through marketing and promotion, merchant acceptance and Card Member rewards and services, or to effectively control the costs of such investments, all of which may materially impact our profitability.
Revenue growth is dependent on increasing consumer and business spending on our cards, growing loan balances and increasing fee revenue. We have been investing in a number of growth initiatives, including to attract new Card Members, retain existing Card Members, grow merchant acceptance and capture a greater share of customers’ total spending and borrowings. We have been investing in a number of growth initiatives, including to attract new Card Members, retain existing Card Members and capture a greater share of customers’ total spending and borrowings. We have also introduced complementary products, such as travel and dining platforms, checking accounts, debit cards and expense management tools. There can be no assurance that our investments will continue to be effective, particularly as consumer and business behaviors continue to change and competition in the payments industry remains intense. There can be no assurance that our investments will continue to be effective, particularly as consumer and business behaviors continue to change. Increasing spending on our cards also depends on our continued expansion of merchant acceptance of our cards. If we are unable to continue growing merchant acceptance and perceptions of coverage, or if merchants decide to no longer accept American Express cards or more greatly engage in surcharging, steering or other differential acceptance practices, our business could suffer. As the payments industry continues to evolve, we may expand our product and service offerings, which could include offering new payment mechanisms or additional complementary products, or shift the focus of our investments. We may also add customer acquisition channels and form new partnerships or renew current partnerships. Any of these initiatives could have higher costs than our current arrangements, fail to resonate with customers, adversely impact our merchant discount rates and existing product and service offerings or dilute our brand.
Another way we invest in customer value is through a range of Card Member rewards and benefits, including our Membership Rewards program.Another way we invest in customer value is through our Membership Rewards program, as well as other Card Member benefits. We rely on third parties for certain Membership Rewards redemption options, statement credits, Card Member offers, travel- and dining-related benefits and other rewards and benefits, and we may modify or not be able to continue to offer such rewards and benefits in the future, which could diminish the value of our cards. We rely on third parties for certain redemption options, Card Member offers and other rewards and benefits, and we may modify or not be able to continue to offer such rewards and benefits in the future, which could diminish the value of the program for our Card Members. Many credit card issuers and certain other companies have developed rewards and cobrand programs and other benefits and services that are similar to ours and may be more attractive. In addition, many credit card issuers and certain other companies have instituted rewards and cobrand programs and other benefits and services that are similar to ours and may be more attractive. An inability to differentiate our products and services could materially adversely affect us.
We may not be able to cost-effectively manage and expand Card Member benefits, including containing the growth of marketing, promotion, rewards and Card Member services expenses in the future, and our ability to do so will depend in part on our ability to attract value from partners. In addition, to the extent our products or offers attract customers looking for short-term incentives and fail to incentivize long-term loyalty, costs and Card Member attrition could increase. In addition, to the extent our products or offers attract customers looking for short-term incentives rather than incentivize long-term loyalty, Card Member attrition and costs could increase. Any significant change in, or failure by management to reasonably estimate, usage of Card Member services, redemptions of Membership Rewards points and statement credit offers and associated costs could adversely affect our profitability. Any significant change in, or failure by management to reasonably estimate, actual redemptions of Membership Rewards points and associated redemption costs could adversely affect our profitability. If our expenses significantly increase beyond our expectations, we may be unable to offset the financial impact by decreasing investments in other areas of the business or operating expenses or increasing revenues such as fee-based revenues, or both, particularly in the current regulatory and competitive environment.
Our brand and reputation are key assets of our Company, and our business may be materially affected by how we are perceived in the marketplace.
Our brand and its attributes are key assets, and we believe our continued success depends on our ability to preserve, grow and realize the benefits of the value of our brand. Our ability to attract and retain consumer and small business Card Members and corporate clients is highly dependent upon the external perceptions of our level of service, trustworthiness, business practices, fraud prevention, privacy and data protection, management, workplace culture, merchant acceptance, financial condition, response to political and social issues or catastrophic events and other subjective qualities. Our ability to attract and retain consumer and small business Card Members and corporate clients is highly dependent upon the external perceptions of our level of service, trustworthiness, business practices, privacy and data protection, management, workplace culture, merchant acceptance, financial condition, response to political and social issues or catastrophic events and other subjective qualities. Negative perceptions or publicity regarding these matters—even if related to seemingly isolated incidents and whether or not factually correct—could erode trust and confidence and damage our reputation among existing and potential Card Members, corporate clients, merchants and partners, which could make it difficult for us to attract new customers and maintain existing ones, and could subject us to heightened legal and regulatory scrutiny. Negative perceptions or publicity regarding these matters — even if related to seemingly isolated incidents and whether or not factually correct—could erode trust and confidence and damage our reputation among existing and potential Card Members, corporate clients, merchants and partners, which could make it difficult for us to attract new customers and maintain existing ones, and could subject us to heightened legal and regulatory scrutiny. Negative public opinion could result from actual or alleged conduct in any number of activities or circumstances, including card practices, regulatory compliance, the use and protection of customer information, conduct by our colleagues and policy engagement and charitable giving, including activities of the American Express Company Political Action Committee and the American Express Foundation, and from actions taken by regulators or others in response thereto. Negative public opinion could result from actual or alleged conduct in any number of activities or circumstances, including card practices, regulatory compliance, the use and protection of customer information, conduct by our colleagues and policy engagement, including activities of the American Express Company Political Action Committee, and from actions taken by regulators or others in response thereto. Moreover, the speed with which information spreads through social media and other news sources, the increased prevalence of campaigns by activists and others targeting corporate practices (including those advancing certain political or social agendas), and the ease with which customers can switch to competing products may amplify the onset and negative effects from such perceptions.
Our brand and reputation may also be harmed by actions taken by third parties that are outside our control. For example, any shortcoming of, or controversy related to, a third-party service provider, business partner, merchant acquirer or network partner may be attributed by Card Members and merchants to us, thus damaging our reputation and brand value. For example, any shortcoming of or controversy related to a third-party service provider, business partner, merchant acquirer or network partner may be attributed by Card Members and merchants to us, thus damaging our reputation and brand value. Our brand may also be
26
negatively impacted by perceptions about our Card Member base, ability or inability of certain individuals or companies to become customers and their usage of our cards and other products and services, and acceptance of American Express cards by merchants in certain industries, when American Express cards are used for payment for legal, but controversial, products and services, or any government inquiries or legislative scrutiny related to customer acquisition practices or card acceptance or usage. The lack of acceptance, suppression of card usage or surcharging by merchants can also negatively impact perceptions of our brand and our products, lower overall transaction volume and increase the attractiveness of other payment products or systems. Adverse developments with respect to our industry may also negatively impact our reputation, or result in greater regulatory or legislative scrutiny or litigation against us. Furthermore, as a corporation with headquarters and operations located in the United States and a brand name referring to the United States, a negative perception of the United States arising from its political or other positions could harm the perception of our company and our brand. Furthermore, as a corporation with headquarters and operations located in the United States and a brand name 27Table of Contentsreferring to the United States, a negative perception of the United States arising from its political or other positions could harm the perception of our company and our brand. These risks to our brand and reputation, as well as other risks described herein, are heightened by the increasing sophistication and availability of AI technology, including by assisting with the creation of deepfakes, increasing the velocity of distribution of disinformation and potentially altering the payments landscape in ways that disintermediate or create a negative perception of us. These risks to our brand and reputation, as well as other risks described in this Risk Factors section, are heightened by the increasing sophistication and availability of artificial intelligence technology, including by assisting with the creation of deepfakes and increasing the velocity of distribution of disinformation. Although we monitor developments for areas of potential risk to our reputation and brand, negative perceptions or publicity could materially and adversely affect our business volumes, revenues, liquidity and profitability.
We face increased scrutiny from stakeholders who have diverging views related to business practices and company activities, which could result in reputational harm, litigation, enforcement actions and other adverse consequences. In addition, we are subject to increasing regulatory requirements and legal risks related to corporate sustainability topics, such as those arising from new disclosure requirements in certain jurisdictions. In addition, we are subject to increasing regulatory requirements and legal risks related to environmental, social and governance topics, such as those arising from new disclosure requirements in certain jurisdictions. Inaccurate perceptions or mischaracterizations of disclosures on these topics, or our goals and initiatives, while outside of our control, could impact our reputation, colleague hiring and retention, and demand for our products and services.
If we are not able to successfully invest in, and compete with respect to, technological developments and new products and services across all our businesses, our revenue and profitability could be materially adversely affected.
Our industry is subject to rapid and significant technological changes. In order to compete in our industry, we need to continue to invest in technology across all areas of our business, including in transaction processing, data management and analytics, AI & ML (including agentic commerce), customer interactions and communications, open banking and alternative payment and financing mechanisms (including related to digital currencies and blockchain technologies), authentication technologies and digital identification, tokenization, real-time settlement and risk management and compliance systems. Incorporating new technologies into our products and services, including developing the appropriate governance and controls consistent with regulatory expectations, requires substantial expenditures and takes considerable time, and may have unintended consequences or ultimately be unsuccessful. We expect that new technologies in the payments industry will continue to emerge, and these new technologies may be superior to, or render obsolete, our existing technology.
The process of developing new products and services, enhancing existing products and services and adapting to technological changes and evolving industry standards is complex, costly and uncertain, and any failure by us to accurately anticipate and respond to customers’ changing needs and emerging technological trends could significantly impede our ability to compete effectively.The process of developing new products and services, enhancing existing products and services and adapting to technological changes and evolving industry standards is complex, costly and uncertain, and any failure by us to anticipate customers’ changing needs and emerging technological trends accurately could significantly impede our ability to compete effectively. Our competitors may develop, or partner with companies that develop, products, platforms or technologies that become more widely adopted by consumers, merchants or service providers than ours, including as a result of increased involvement by technology companies in the payments industry and our competitors’ greater scale or ability to pursue and adopt new technologies. Our competitors may develop products, platforms or technologies that become more widely adopted by consumers, merchants or service providers than ours, including as a result of increased involvement by technology companies in the payments industry and our competitors’ greater scale or ability to pursue and adopt new technologies. In addition, we may underestimate the resources needed and overestimate our ability to develop new products and services and customer demand for such products and services, particularly beyond our traditional card products and travel-related services. In addition, we may underestimate the resources needed and overestimate our ability to develop new products and services, particularly beyond our traditional card products and travel-related services.
The use of AI & ML technologies, including generative AI and agentic commerce, has increased rapidly and may be transformative to the payments industry, heightening the risks described herein and others in ways that may be unpredictable and disadvantageous to us. Our and our partners’ use of AI & ML is subject to various and evolving risks, including flaws in models or datasets that may result in biased or inaccurate results, especially as generative AI has been known to produce false or “hallucinatory” inferences or outputs. The use of AI may also result in unintended or unexpected outcomes, present significant ethical challenges and heighten risks related to information security, the infringement of intellectual property rights and exposure of proprietary or personal information. We may also face challenges in our ability to safely deploy AI systems and implement appropriate governance and controls, which may not be as burdensome to our competitors, and which may impair our implementation or impose additional risks. The complexity of these technologies can make it difficult to assess proper operation, reduce error, or understand and explain their outputs. Adverse consequences of AI & ML remain uncertain but could include flaws in the decisions, predictions, outputs or analysis such technologies produce, subjecting us to competitive harm, legal liability, heightened regulatory scrutiny, greater prevalence of surcharging or other negative point-of-sale practices and brand or reputational harm, as well as decreased demand for our products and services or increased costs.
Our ability to adopt new technologies may be inhibited by the emergence of industry-wide standards, a changing legislative and regulatory environment, an inability to develop appropriate governance and controls, a lack of internal product and engineering expertise, resistance to change from Card Members, merchants or service providers, lack of appropriate change management processes or the complexity of our systems. In addition, our adoption of new technologies and our introduction of new products and services may increase operational complexity and risk, and expose us to new or enhanced risks, particularly in areas where we have less experience or our existing governance and control systems may be insufficient, which could require us to make substantial expenditures or subject us to legal liability, heightened regulatory scrutiny and brand or reputational harm.
We may not be successful in realizing the benefits associated with our acquisitions, strategic alliances, joint ventures and investment activity, and our business and reputation could be materially adversely affected.
We have acquired a number of businesses and have made a number of strategic investments, and continue to evaluate potential transactions. There is no assurance that we will be able to successfully identify suitable candidates, value potential investment or acquisition opportunities accurately, detect potential risks and liabilities related to those opportunities, negotiate acceptable terms
27
for those opportunities, or complete proposed acquisitions and investments. The process of integrating an acquired company, business or technology could create unforeseen operating difficulties and expenditures, including in integrating systems, customers and personnel or further developing the acquired business or technology, result in unanticipated liabilities, including legal claims, violations of laws, commercial disputes and information security vulnerabilities or breaches (including from not integrating the acquired company, business or technology quickly or appropriately, from activities that occurred prior to the acquisition, from inadequate systems or controls of the acquired company, and from exposure to third party relationships of the acquired company or business or new laws and regulations), and may divert company time and resources or harm our business generally. The process of integrating an acquired company, business or technology could create unforeseen operating difficulties and expenditures, including in integrating systems and personnel or further developing the acquired business or technology, result in unanticipated liabilities, including legal claims, violations of laws, commercial disputes and information security vulnerabilities or breaches (including from not integrating the acquired company, business or technology quickly or appropriately, from activities that occurred prior to the acquisition, from inadequate systems or controls of the acquired company, and from exposure to third party relationships of the acquired company or business or new laws and regulations), and harm our business generally. For example, legal claims have arisen relating to the structure and consideration paid in certain of our acquisitions. Expanding to new businesses, geographies or customer types through acquisitions may subject us to new risks and we may not have the relevant expertise or business structure to achieve desired results. It may take us longer than expected to fully realize the anticipated benefits of these transactions, and those benefits may ultimately be smaller than anticipated, not realized at all or fully offset by other costs, which could materially adversely affect our business and operating results, including as a result of write-downs of goodwill and other intangible assets. It may take us longer than expected to fully realize the anticipated benefits of these transactions, and those benefits may ultimately be smaller than anticipated or may not be realized at all, which could materially adversely affect our business and operating results, including as a result of write-downs of goodwill and other intangible assets.
Joint ventures, such as those through which we operate in certain foreign jurisdictions, and minority investments in companies, such as GBTG, inherently involve a lesser degree of control over business operations, thereby potentially increasing the financial, legal, operational and/or compliance risks associated with the joint venture or minority investment, including as a result of being subject to different laws or regulations.28Table of ContentsJoint ventures, including our joint ventures in China, the Middle East and Switzerland, and minority investments in companies such as GBTG inherently involve a lesser degree of control over business operations, thereby potentially increasing the financial, legal, operational and/or compliance risks associated with the joint venture or minority investment, including as a result of being subject to different laws or regulations. Joint ventures and other partnerships or minority investments operating in foreign jurisdictions may also face risks from adverse regulatory actions, which could adversely affect their operations or our investment. In addition, we may be dependent on joint venture partners, controlling shareholders or management who may have business interests, strategies or goals that are inconsistent with ours and we have been and may in the future be involved in litigation with our joint venture partners and other shareholders and parties related to the joint ventures and investments. We have commercial arrangements with GBTG, including, among other things, a long-term trademark license agreement pursuant to which GBTG uses select American Express marks. GBTG also supports certain of our strategic partnerships and our Commercial Services business. Business decisions or other actions or omissions of a joint venture partner, other shareholders or management of our joint ventures and companies in which we have minority investments may adversely affect the value of our investment or any commercial benefit to us from the relationship, result in litigation or regulatory action against us and otherwise damage our reputation and brand. In addition, trade secrets and other proprietary information we may provide to a joint venture may become available to third parties beyond our control. The ability to enforce intellectual property and contractual rights to prevent disclosure of our trade secrets and other proprietary information may be limited in certain jurisdictions.
Additionally, from time to time we may decide to divest certain businesses or assets. These divestitures may involve significant uncertainty and execution complexity, which may cause us not to achieve our strategic objectives, realize expected cost savings or obtain other benefits from the divestiture and may result in unexpected losses of colleagues or harm to our brand, customers or other partners. Further, during the pendency of a divestiture, we may be subject to risks such as that the transaction may not close or the business to be divested may decline, and if a divestiture is not completed, we may not be able to find another acquiror on similar terms.
Operational and Compliance Risks
We may not be able to effectively manage the operational and compliance risks to which we are exposed.
We consider operational risk as the risk to our current or projected financial condition and resilience arising from inadequate or failed processes, human error or adverse external events. Operational risk includes, among others, the risk that error or misconduct could result in a material financial misstatement, a failure to monitor a third party’s compliance with regulatory or legal requirements, a failure to adequately monitor and control access to, or use of, data in our systems we grant to third parties or a failure to satisfy our obligations to our customers with respect to our products and services. For example, as previously disclosed, we have identified issues related to our rewards and benefits programs and have taken actions to remediate the issues and enhance our related procedures and controls. As processes or organizations are changed or become more complex, we grow in size or acquire businesses, new products and services are introduced, such as new lending features, banking products, dining capabilities and digital collectibles, or we become subject to more stringent or complicated regulatory requirements, we may not identify or address new operational risks. As processes or organizations are changed or become more complex, we grow in size, new products and services are introduced, such as new lending features, banking products, dining capabilities and digital collectibles, or we become subject to more stringent or complicated regulatory requirements, we may not identify or address new operational risks. Through human error, fraud or malfeasance, conduct risk can result in harm to customers, legal liability, fines, sanctions, customer remediation and brand damage. Although we maintain systems and controls to help mitigate conduct risk, they may not be effective, and misconduct by one or more colleagues or partners, particularly those with access to key systems or information, could have wide-reaching consequences.
Compliance risk arises from violations of, or failure to conform or comply with, laws and/or regulations, internal policies and procedures and related practices, or ethical standards.Compliance risk arises from violations of, or failure to conform or comply with, laws, rules, regulations, internal policies and procedures and ethical standards. We need to continually update and enhance our control environment to address operational and compliance risks, and our control environment and related systems have in certain instances not sufficiently detected, and may in the future not sufficiently detect, errors or omissions. Operational and compliance failures, deficiencies in our control environment or an inability to maintain high standards of business conduct can expose us to reputational and legal risks as well as fines, civil money penalties or payment of damages and can lead to diminished business opportunities and diminished ability to expand key operations.
A major information or cybersecurity incident could lead to reputational damage to our brand and material legal, regulatory and financial exposure, and could reduce the use and acceptance of our products and services.A major information or cybersecurity incident or an increase in fraudulent activity could lead to reputational damage to our brand and material legal, regulatory and financial exposure, and could reduce the use and acceptance of our products and services.
We and third parties collect, process, transfer, host, store, analyze, retain, provide access to and dispose of account information, payment transaction information, sensitive business information and certain types of personally identifiable and other information pertaining to our customers, partners and colleagues in connection with our cards and other products and in the normal course of our business.We and third parties collect, process, transfer, host, store, analyze, retain, provide access to and dispose of account information, payment transaction information, and certain types of personally identifiable and other information pertaining to our customers and colleagues in connection with our cards and other products and in the normal course of our business.
28
Global financial institutions like us, as well as our customers, colleagues, regulators, service providers and other third parties, have experienced a significant increase in information security and cybersecurity risk in recent years and will likely continue to be the target of increasingly sophisticated cyberattacks, including computer viruses, malicious or destructive code, ransomware, social engineering attacks (including phishing, impersonation and identity takeover attempts), AI-assisted deepfake attacks and disinformation campaigns, corporate espionage, hacking, website defacement, denial-of-service attacks, exploitation of vulnerabilities and other attacks and similar disruptions from the misconfiguration or unauthorized use of or access to computer systems and company accounts. These threats have arisen from external parties, including state-sponsored and nation state actors, as well as insiders who knowingly or unknowingly engage in or enable malicious cyber activities. These threats have arisen from external parties, as well as insiders who knowingly or unknowingly engage in or enable malicious cyber activities. There are a number of motivations for cyber threat actors, including criminal activities such as fraud, identity theft and ransom, corporate or nation-state espionage, political agendas, public embarrassment with the intent to cause financial or reputational harm, intent to disrupt information technology systems and supply chains, and to expose and exploit potential security and privacy vulnerabilities in corporate systems and websites. Cyber threat actors have rapidly evolved their techniques and increasingly utilize advanced capabilities, including the exploitation of unknown security flaws in software and hardware and the integration of advanced forms of AI and other new technology, which can increase the efficacy, severity, frequency and ease of execution of cyberattacks. Cyber threat actors, including state-sponsored and nation state actors, have rapidly evolved their techniques and increasingly utilize advanced capabilities, including the integration of advanced forms of artificial intelligence and other new technology, which can increase the efficacy, severity, frequency and ease of execution of cyberattacks. In addition, new computing technologies, such as quantum computing, may enable threat actors to compromise data encryption and other protective measures.
Our and our partners’ networks and systems are subject to constant attempts to disrupt business operations and capture, destroy, manipulate or expose various types of information relating to corporate trade secrets, customer information (including Card Member, travel, dining and loyalty program data), colleague information and other sensitive business information (including acquisition activity, non-public financial results and intellectual property).29Table of ContentsOur and our partners’ networks and systems are subject to constant attempts to disrupt business operations and capture, destroy, manipulate or expose various types of information relating to corporate trade secrets, customer information (including Card Member, travel and loyalty program data), colleague information and other sensitive business information (including acquisition activity, non-public financial results and intellectual property). For example, we and other U.S. financial services providers have been the target of attacks, such as denial-of-service attacks, social engineering and the impersonation of current or prospective employees and contractors, in some cases conducted by nation state-affiliated actors. We develop and maintain systems and processes aimed at detecting and preventing information security and cybersecurity incidents and fraudulent activity, including our cyber crisis response procedures, which require significant investment, maintenance and ongoing monitoring and updating as technologies and regulatory requirements change, new vulnerabilities and exploits are discovered and as efforts to overcome security measures become more sophisticated. In addition, our own usage of generative AI and other emerging technologies may increase our vulnerabilities or limit our ability to detect intrusion.
Despite our efforts and the efforts of third parties that process, transmit or store our data and data of our customers and colleagues or support our operations, such as service providers, merchants and regulators, the possibility of information, operational and cybersecurity incidents, malicious social engineering, password mismanagement, corporate espionage, fraudulent or other malicious activities and human error or malfeasance cannot be eliminated entirely and will evolve as new and emerging technologies are deployed by threat actors, including the potential use of advanced forms of AI and quantum computing, and we increasingly use platforms that are outside of our network and control environments. For example, we are aware that certain of our third-party service providers and joint ventures have been the victims of ransomware and other cyberattacks, in some instances that affected our data or services provided to us. Furthermore, recently introduced products and services, such as checking accounts and non-card lending, may lead to an increase in the number or types of cyberattacks and our exposure to fraud and other malfeasance. In addition, recently introduced products and services, such as checking accounts and non-card lending, may lead to an increase in the number or types of cyberattacks and our exposure to fraud and other malfeasance. Risks associated with such incidents and activities include theft of funds and other monetary loss, disruption of our operations and the unauthorized disclosure, release, gathering, monitoring, misuse, modification, loss or destruction of confidential, proprietary, trade secret or other information (including account data information). An incident may not be detected until well after it occurs and the severity and potential impact may not be fully known for a substantial period of time after it has been discovered. We are subject to varied cybersecurity regulations and incident reporting requirements, which could require us to disclose incidents that may not have been resolved or fully investigated at the time of disclosure, leading to customer confusion, regulatory scrutiny and negative publicity and exacerbating risks related to the incident itself. Our ability to address incidents may also depend on the timing and nature of assistance that may be provided by relevant governmental or law enforcement agencies.
Information, operational or cybersecurity incidents and other actual or perceived failures to maintain confidentiality, integrity, availability of services and data, privacy and/or security has led to regulatory investigations and increased regulatory scrutiny and may lead to regulatory intervention (such as mandatory card reissuance), consent decrees, increased litigation (including class action litigation), response costs (including notification and remediation costs), fines, negative assessments of us and our subsidiaries by banking regulators and rating agencies, reputational and financial damage to our brand, negative impacts to our partner relationships, and reduced usage of our products and services, all of which could have a material adverse impact on our business.Information, operational or cybersecurity incidents, fraudulent activity and other actual or perceived failures to maintain confidentiality, integrity, availability of services and data, privacy and/or security has led to increased regulatory scrutiny and may lead to regulatory investigations and intervention (such as mandatory card reissuance), consent decrees, increased litigation (including class action litigation), response costs (including notification and remediation costs), fines, negative assessments of us and our subsidiaries by banking regulators and rating agencies, reputational and financial damage to our brand, negative impacts to our partner relationships, and reduced usage of our products and services, all of which could have a material adverse impact on our business. The disclosure of sensitive company information could also undermine our competitive advantage and divert management attention and resources.
Successful cyberattacks, data breaches, disruptions or other incidents related to the actual or perceived failures to maintain confidentiality, integrity, availability of services and data, privacy and/or security at other large financial institutions, large retailers, travel and hospitality companies, government agencies or other market participants, whether or not we are impacted, could lead to a general loss of customer confidence that could negatively affect us, including harming the market perception of the effectiveness of our security measures or harming the reputation of the financial system in general, which could result in reduced use of our products and services. Such events could also result in legislation and additional regulatory requirements. Although we maintain cyber insurance, there can be no assurance that liabilities or losses we may incur will be covered under such policies or that the amount of insurance will be adequate.
The uninterrupted operation of our information systems is critical to our success and a significant disruption could have a material adverse effect on our business and results of operations.
We rely extensively on our information technology systems and those of our third parties, including our transaction authorization, clearing and settlement systems, data centers and cloud data storage and processing services, which have experienced and may continue to experience service disruptions or degradation that may result from technology malfunction, sudden increases in
29
processing or other volumes, natural disasters and weather events, fires, accidents, technology change management issues, power outages, internet outages, telecommunications failures, fraud, denial-of-service, ransomware and other cyberattacks, inadequate infrastructure in lesser-developed markets, technology capacity management issues, terrorism, computer viruses, vulnerabilities or failures in hardware or software, physical or electronic break-ins, or other operational issues or similar events. Due to the interconnectivity and complexity of information systems and their reliance on common systems, software and vendors (e. Due to the interconnectivity and complexity of information systems and their reliance on common systems, software and vendors, disruptions or degradations have had, and will likely continue to have, wide-reaching consequences, including the potential to disrupt the overall financial system and other key systems in the global economy. g., large technology and cloud-service providers), disruptions or degradations have had, and will likely continue to have, wide-reaching consequences, including the potential to disrupt the overall financial system and other key systems in the global economy. Service disruptions or degradations impacting us or our partners can prevent access to online services and account information, compromise or limit access to company or customer data, impede or prevent transaction processing, communications to customers and financial reporting, disrupt ordinary business operations, result in contractual penalties or obligations, trigger regulatory reporting obligations, and lead to regulatory investigations and fines, increased regulatory oversight, and litigation (including class action litigation). Any such service disruption or degradation could adversely affect the perception of the reliability of our products and services and materially adversely affect our overall business, reputation and results of operations.
Fraudulent activity associated with our products and services could have a material adverse effect on our business and results of operations.
We face risks from fraudulent activity associated with Card Members, merchants and others, including through bad actors obtaining access to our customer accounts and information and frauds committed by our customers against us. Large financial services firms such as American Express and our customers are regularly targeted by a range of fraudulent activity, including fraud on our card and banking products, false disputes, account takeovers, identity theft and electronic-transaction related crimes, with sophisticated perpetrators increasingly utilizing a range of advanced techniques and multiple parties acting in concert. New or emerging technologies, such as generative AI capabilities, have increased these fraud risks. For example, we have seen our customers targeted by elaborate and voluminous social engineering attacks, which may utilize advanced methods of deception, such as synthetic voice and conversation generation. For example, we and other US financial services providers have been the target of attacks, such as denial of service attacks, social engineering and the impersonation of current or prospective employees and contractors. Information and cybersecurity breaches and other operational incidents that we or third parties experience also increase our fraud risk. Information security and cybersecurity risk is an operational risk that is measured and managed as part of our operational risk framework. Additionally, our introduction of new products and services, expansion into new jurisdictions or usage of new partners or vendors may create new fraud risks or heighten existing risks. While we have policies and procedures designed to address fraud risks, such as customer authentication controls and fraud detection systems, they may be insufficient to accurately predict, prevent or detect fraud.
Increased fraudulent activity associated with our products and services could materially adversely affect our financial condition and results of operations, including as a result of credit losses and other expenses. Furthermore, fraudulent activity could harm our brand and reputation, negatively impact the use or acceptance of our products and services and lead to regulatory intervention or other actions (such as mandatory card reissuance).
Our business is subject to evolving and comprehensive government regulation and supervision, which could materially adversely affect our results of operations and financial condition.
We face heightened and evolving regulatory expectations and scrutiny in the U.S. and globally, which significantly affects our business and requires continual enhancement of our compliance efforts. Supervision efforts and the enforcement of existing laws and regulations impact the scope and profitability of our existing business activities, limit our ability to pursue certain business opportunities and adopt new technologies, compromise our competitive position (particularly where we may be treated differently from our competitors), and affect our relationships with Card Members, partners, merchants, service providers and other third parties. Supervision efforts and the enforcement of existing laws 30Table of Contentsand regulations impact the scope and profitability of our existing business activities, limit our ability to pursue certain business opportunities and adopt new technologies, compromise our competitive position, and affect our relationships with Card Members, partners, merchants, service providers and other third parties. New laws or regulations could similarly affect our business, increase the costs and complexity of doing business, impact what we are able to charge for, or offer in connection with, our products and services, impose conflicting obligations, and require us to change certain of our business practices and invest significant management attention and resources, all of which could adversely affect our results of operations and financial condition. Political developments, including those relating to recent shifts in trade policy and heightened geopolitical tensions, have resulted in and may further result in an increase in the number, complexity and scope of laws and regulations, heightened legislative and regulatory uncertainty, changes to supervisory and enforcement priorities, and increased risk of fragmentation in global financial regulation. In addition, legislators and regulators around the world are aware of each other’s approaches to the regulation of the financial services industry, so a development in one jurisdiction may influence regulatory approaches in another. In addition, legislators and regulators around the world are aware of each other’s approaches to the regulation of the financial services industry.
If we fail to satisfy regulatory requirements and expectations or maintain our financial holding company status or other applicable licenses and charters, our financial condition and results of operations could be adversely affected, and we may be restricted in our ability to take certain capital actions (such as declaring dividends or repurchasing outstanding shares) or engage in certain business activities or acquisitions, which could compromise our competitive position.If we fail to satisfy regulatory requirements or maintain our financial holding company status, our financial condition and results of operations could be adversely affected, and we may be restricted in our ability to take certain capital actions (such as declaring dividends or repurchasing outstanding shares) or engage in certain business activities or acquisitions, which could compromise our competitive position. Additionally, our banking regulators have wide discretion in the examination and the enforcement of applicable banking statutes and regulations and may restrict our ability to engage in certain business activities or acquisitions or require us to maintain more capital. We are currently a Category III firm for purposes of the U.S. federal bank regulatory agencies’ tailoring framework, which subjects us to heightened regulatory expectations and more stringent regulatory requirements. As we continue to grow, these expectations and requirements may further increase, such as if we become a Category II firm, which may increase our compliance costs and adversely affect our business.
Legislators and regulators continue to focus on the operation of card networks, including interchange fees paid to card issuers in payment networks such as Visa and Mastercard, network routing practices and the fees merchants are charged to accept cards. While in some cases our business is subject to exemptions related to certain of these regulations, there is no guarantee that such exemptions will continue to be available and even where we are not directly regulated, regulation of bankcard fees significantly negatively impacts the discount revenue derived from our business, including as a result of downward pressure on our discount rate from decreases in competitor pricing in connection with caps on interchange fees. In some cases, regulations also extend, or may extend, to certain aspects of our business, such as network and cobrand arrangements, new products or services we may offer, or the terms of card acceptance for merchants, including terms relating to non-discrimination and honor-all-cards. For example, we have exited our network licensing businesses in the EU and Australia as a result of regulation in those jurisdictions. In addition,
30
there is uncertainty as to when or how interchange fee caps and other provisions of payments legislation might apply when we work with cobrand partners and agents in the EU. See “Supervision and Regulation — Payments Regulation” under “Business” for more information. Given differing interpretations by regulators and participants in cobrand arrangements, we are subject to regulatory action, penalties and the possibility we will not be able to maintain our existing cobrand and agent relationships in the EU. In addition, a number of federal and state laws to regulate various aspects of network operations are being considered or have passed, including regarding information associated with electronic transactions (such as the use of specific merchant categories codes or limitations on the use of transaction data) and pricing of electronic transactions (such as interchange fees on sales tax or gratuities).
Legislators and regulators also continue to focus on consumer protection, including product design and pricing constructs, account management and security, creditworthiness assessments, credit bureau reporting, disclosure rules, marketing, forbearance measures and debt collection practices.Legislators and regulators also continue to focus on consumer protection, including product design and pricing constructs, account management and security, credit bureau reporting, disclosure rules, marketing and debt collection practices. This focus has included fees, interest rates and rewards associated with card and banking products, such as recent proposals to cap credit card interest rates. In addition, government agencies are reviewing financial institutions’ policies and practices for providing, maintaining or discontinuing financial products or services to certain clients or potential clients. Any new requirements or increased enforcement of existing requirements could materially and adversely impact our revenue growth and profitability, including, as a result of increased scrutiny of our pricing, underwriting and account management practices; the imposition of fines and customer remediation; higher compliance costs; reputational harm; impacts to our ability to issue cards or extend credit to current and prospective Card Members, appropriately price for the value of our products or work with certain business partners; and changes to our business practices generally. Any new requirements or increased enforcement of existing requirements could materially and adversely impact our revenue growth and profitability, including, as a result of increased scrutiny of our pricing, underwriting and account management practices; the imposition of fines and customer remediation; higher compliance costs; reputational harm; restrictions on our ability to issue cards, appropriately price for the value of our products or work with certain business partners; and changes to our business practices generally.
We are subject to significant supervision and regulation with respect to compliance with AML/CFT laws, sanctions regimes and anti-corruption laws in numerous jurisdictions. As regulators increase their focus with respect to these financial crimes laws, new technologies such as digital currencies develop, near real-time money movement solutions are adopted, we introduce new products and geopolitical tensions increase, we face increased costs related to oversight, supervision and potential fines. As regulators increase their focus in these areas, new technologies such as digital currencies develop, near real-time money movement solutions are adopted, we introduce new products like checking accounts and geopolitical tensions increase, we face increased costs related to oversight, supervision and potential fines. We have been engaging with our federal regulators in relation to certain aspects of our financial crimes compliance program and we are working to enhance our existing programs, policies and procedures and identify and remediate deficiencies to strengthen our program and address regulatory feedback. From time to time, we identify transactions or accounts relating to certain sanctioned parties that we terminate, block and report to our regulators, as applicable. Errors, failures or delays in complying with financial crimes laws, deficiencies in our related compliance programs or association of our business with money laundering, terrorist financing, tax fraud or other illicit activities or sanctioned persons, entities, governments or countries could give rise to significant supervisory, criminal and civil proceedings and lawsuits, which could result in significant penalties and forfeiture of assets, loss of licenses or restrictions on business activities, or other enforcement actions, and our reputation may suffer due to our customers’ association with certain countries, persons or entities or the existence of any such transactions.” Errors, failures or delays in complying with AML/CFT, sanctions and anti-corruption laws, deficiencies in our related compliance programs or association of our business with money laundering, terrorist financing, tax fraud or other illicit activities or sanctioned persons, entities, governments or countries can give rise to significant supervisory, criminal and civil proceedings and lawsuits, which could result in significant penalties and forfeiture of assets, loss of licenses or restrictions on business activities, or other enforcement actions, and our reputation may suffer due to our customers’ association with certain countries, persons or entities or the existence of any such transactions. Additionally, our financial crimes compliance programs may limit our ability to pursue certain business opportunities or affect our relationships with certain partners, service providers and other third parties. Additionally, our AML/CFT, sanctions and anti-corruption compliance programs may limit our ability to pursue certain business opportunities or affect our relationships with certain partners, service providers and other third parties.
See “Supervision and Regulation” under “Business” for more information about certain laws and regulations to which we are subject and their impact on us.
Litigation and regulatory actions could subject us to significant fines, penalties, judgments and/or requirements resulting in significantly increased expenses, damage to our reputation and/or a material adverse effect on our business and results of operations.31Table of ContentsLitigation and regulatory actions could subject us to significant fines, penalties, judgments and/or requirements resulting in significantly increased expenses, damage to our reputation and/or a material adverse effect on our business and results of operations.
At any given time, we are involved in a number of legal proceedings, including class action lawsuits, mass arbitrations and similar actions. Many of these actions include claims for substantial compensatory or punitive damages and require us to incur significant costs for legal representation, arbitration fees or other legal or related services. While we have historically relied on our arbitration clause in agreements with customers to limit our exposure to class action litigation, there can be no assurance that we will be able to continue to maintain our arbitration provisions in the future or be successful in enforcing them, including as a result of legal challenges to, and new regulations affecting, our arbitration provisions, and claims of the type we previously arbitrated could be subject to the complexities, risks and costs associated with class action cases. While we have historically relied on our arbitration clause in agreements with customers to limit our exposure to class action litigation, there can be no assurance that we will continue to be successful in enforcing our arbitration clause in the future, including as a result of legal challenges to, and new regulations affecting, our arbitration provisions, and claims of the type we previously arbitrated could be subject to the complexities, risks and costs associated with class action cases. The continued focus of merchants and other parties on issues relating to the acceptance of various forms of payment may lead to additional litigation and other legal actions. The continued focus of merchants on issues relating to the acceptance of various forms of payment may lead to additional litigation and other legal actions. Given the inherent uncertainties involved in litigation, and the very large or indeterminate damages and broad injunctive relief sought in some matters asserted against us, there is significant uncertainty as to the ultimate liability we may incur, and changes to our business practices we may be required to make, due to litigation. Given the inherent uncertainties involved in litigation, and the very large or indeterminate damages sought in some matters asserted against us, there is significant uncertainty as to the ultimate liability we may incur from litigation.
We expect that financial institutions, such as American Express, will continue to face significant regulatory scrutiny, with regulators taking formal enforcement actions against financial institutions in addition to addressing supervisory concerns through non-public supervisory actions or findings, which could involve restrictions on our activities, among other limitations, that could adversely affect our business.We expect that financial institutions, such as us, will continue to face significant regulatory scrutiny, with regulators taking formal enforcement actions against financial institutions in addition to addressing supervisory concerns through non-public supervisory actions or findings, which could involve restrictions on our activities, among other limitations, that could adversely affect our business. In addition, a violation of law or regulation by another financial institution could give rise to an investigation by regulators and other governmental agencies of the same or similar practices by us. Further, a single event may give rise to numerous and overlapping investigations and proceedings. External publicity concerning investigations can increase the scope and scale of investigations and lead to further regulatory inquiries.
We are also involved at any given time with governmental and regulatory inquiries, investigations and proceedings. Regulatory scrutiny has continued to increase in a number of areas, and regulatory action could subject us to significant fines, penalties or other requirements resulting in Card Member reimbursements, increased expenses, limitations or conditions on our business activities, and damage to our reputation and our brand, all of which could materially adversely affect our business and results of operations. For example, as previously disclosed, in 2025 we entered into agreements to resolve governmental investigations related to historical sales practices for certain U.S. small business customers.
Legal proceedings regarding provisions in our merchant contracts, including non-discrimination and honor-all-cards provisions, could have a material adverse effect on our business and result in additional litigation and/or arbitrations, changes to our merchant agreements and/or business practices, substantial monetary damages and damage to our reputation and brand.
31
We are, and have been in the past, a defendant in a number of actions, including legal proceedings, arbitrations and proposed class actions, challenging certain provisions of our card acceptance agreements. See Note 12 to the “Consolidated Financial Statements” for a description of certain outstanding legal proceedings.
An adverse outcome in these proceedings could have a material adverse effect on our business and results of operations, require us to change our merchant agreements in a way that could expose our cards to increased merchant surcharging, steering and other forms of discrimination that could impair the Card Member experience, result in additional litigation and/or arbitrations, impose substantial monetary damages and damage our reputation and brand.An adverse outcome in these proceedings could have a material adverse effect on our business and results of operations, require us to change our merchant agreements in a way that could expose our cards to increased merchant steering and other forms of discrimination that could impair the Card Member experience, result in additional litigation and/or arbitrations, impose substantial monetary damages and damage our reputation and brand. Even if we were not required to change our merchant agreements, changes in Visa’s and Mastercard’s policies or practices as a result of legal proceedings, lawsuit settlements or regulatory actions pending against them could result in changes to our business practices and materially and adversely impact our profitability. For example, in November 2025 Visa and Mastercard proposed a lawsuit settlement agreement that would, among other things, require reductions and caps on interchange fees, provide merchants greater options to impose a surcharge on credit transactions, and allow merchants to choose not to accept certain categories of credit cards. If the settlement agreement is approved by the court, or Visa and Mastercard otherwise agree to make similar changes, it may result in greater surcharging generally, decreased acceptance by merchants of certain types of cards, such as premium cards, or downward pressure on our merchant discount rates from decreases in competitor pricing in connection with reductions and caps on interchange fees. While the settlement agreement was not approved by the court, Visa and Mastercard may ultimately agree or be subject to changes in policies or practices that result in greater surcharging generally or downward pressure on our merchant discount rates from decreases in competitor pricing in connection with reductions and caps on interchange fees.
We rely on third-party providers for acquiring and servicing customers, technology, platforms and other services integral to the operations of our businesses. These third parties may act in ways or experience issues that could materially harm our business. These third parties may act in ways that could materially harm our business.
We rely on third-party service providers, cobrand partners, merchants, dining partners, affiliate marketing firms, merchant acquirers, processors, payment facilitators, network partners and other third parties for services that are integral to our operations and are subject to the risk that activities of such third parties may adversely affect our business.We rely on third-party service providers, cobrand partners, merchants, affiliate marketing firms, processors, aggregators, network partners and other third parties for services that are integral to our operations and are subject to the risk that activities of such third parties may adversely affect our business. As outsourcing, specialization of functions, third-party digital services and technology innovation within the payments industry and related service functions increase (including with respect to mobile technologies, tokenization, big data, AI and cloud-based solutions), more third parties are involved in processing payment transactions, handling our data and supporting our operations and we may require significantly greater scale from these third parties. As outsourcing, specialization of functions, third-party digital services and technology innovation within the payments industry increase (including with respect to mobile technologies, tokenization, big data, artificial intelligence and cloud-based solutions), more third parties are involved in processing card transactions, handling our data and supporting our operations. For example, we rely on third parties for the timely transmission of accurate information across our global network, card acquisition and provision of services to our customers.
We have experienced in certain limited circumstances and may continue to experience disruptions, operational issues or other events with respect to our third parties or our third parties’ service providers, including their failure to fulfill their obligations, contractual breaches and the information, cybersecurity and operational incidents described above, and we also have identified weaknesses in certain third parties’ processes and controls. Such disruptions, operational issues, control and process weaknesses or other events could interrupt or compromise the quality of our services to customers, impact the confidentiality, integrity, availability and security of our data, lead to fraudulent transactions on our cards or other products, impact our business, cause brand or reputational damage, and lead to costs associated with responding to a disruption, including notification and remediation costs, costs to switch service providers or move operations in house, regulatory investigations and fines and increased regulatory oversight and litigation. Such disruptions or other events could interrupt or compromise the quality of our services to customers, impact the confidentiality, integrity, availability and security of our data, lead to fraudulent transactions on our cards or other products, impact our business, cause brand or reputational damage, and lead to costs associated with responding to such a disruption, including notification and remediation costs, costs to switch service providers or move operations in house, regulatory investigations and fines and increased regulatory oversight and litigation. Third parties may face similar or greater risks than we do, including as a result of their relationship with us; however, they may be less prepared to mitigate those risks and may be targeted by bad actors as a result, which can result in greater disruptions and other risk events. Third parties may face similar or greater risks as us, including as a result of their relationship with us; however, they may be less prepared to mitigate those risks and may be 32Table of Contentstargeted by bad actors as a result, which can result in greater disruptions and other risk events. Third parties may also act in other ways that are inconsistent with our interests or contrary to our strategic or technological initiatives, such as ceasing to provide data to us or using our data in a way that was not authorized or diminishes the value of the transaction data we receive through our integrated payments platform.
The management and oversight of an increasing number of third parties increases our operational complexity and governance challenges and decreases our control. A failure to exercise adequate oversight over third parties, including compliance with service level agreements or regulatory or legal requirements, could result in regulatory actions, fines, litigation, sanctions or economic and reputational harm to us. In addition, we may not be able to effectively monitor or mitigate operational risks relating to our third-party providers’ service providers. We are also exposed to the risk that a service disruption at a service provider common to our third parties could impede their ability to provide services to us. Notwithstanding any attempts to diversify our reliance on third parties, in certain cases there may be limited alternatives or high costs for diversification, and we also may not be able to effectively mitigate operational risks relating to the service providers of our third-party providers.
Our use of models, including the data that underlie them, to manage risk and make business decisions may not be effective.
We use models and automation throughout our business, including to inform and support decision making, manage risks, estimate financial values and forecast liquidity and funding needs.We use models and automation throughout our business, including to inform and support decision making, manage risks and estimate financial values. Although we have a governance framework for model development and independent model validation, the modeling methodology or key assumptions could be erroneous or the models could be misused. In addition, issues with completeness, accuracy and timeliness of data inputs, the quality or effectiveness of our data aggregation and validation procedures, and the quality and integrity of formulas and algorithms, could result in ineffective or inaccurate model outputs and reports. Disruptions, uncertainty or volatility across the financial markets, as well as adverse developments affecting our competitors and the financial industry generally, could negatively impact market liquidity and limit our access to funding required to operate our business. Models based on historical data sets might not be accurate predictors of future outcomes, such as when we lack recent precedent or recent precedent deviates from current circumstances because of changes in customer behavior, the credit or demographic profiles of our Card Members, the geopolitical or macroeconomic environment or otherwise. We periodically review our models, and updates that we make may result in significantly different outputs. Additionally, we increasingly use models that leverage AI, which are subject to additional risks such as biased or inaccurate results or lowered interpretability. Additionally, we increasingly use models that leverage artificial intelligence, which are subject to additional risks such as biased or inaccurate results or lowered interpretability. The complexity of these models and our limited transparency into the AI may make it difficult to understand certain outputs or identify errors. The complexity of these technologies can make it difficult to assess proper operation, reduce error, or understand and explain their outputs. Certain models, such as models used to estimate reserves for credit losses under Current Expected Credit Loss (CECL) and Membership Rewards liability, require us to make difficult, subjective and complex judgments, and utilize forward-looking information and information provided by third parties over which we have limited oversight or control. If our business decisions, risk management practices or financial estimates and forecasts are based on incorrect or misused models and assumptions or we fail to manage data inputs effectively and to aggregate or analyze data in an accurate and timely manner, our results of operations and financial condition may be materially adversely affected. If our business decisions or financial estimates are based on incorrect or misused models and assumptions or we fail to manage data inputs effectively and to aggregate or analyze data in an accurate and timely manner, our results of operations and financial condition may be materially adversely affected.
32
Our success is dependent on maintaining a culture that adheres to our values and upon our executive officers and other key personnel, and misconduct by or loss of personnel could materially adversely affect our business.
We rely upon our colleagues not only for business success, but also to adhere to our Blue Box Values, which include acting with integrity, promoting a culture of respect and operating with a mindset of controls and risk management. To the extent our colleagues behave in a manner that does not comport with our company’s values, including acting in ways that harm customers, colleagues or others, the consequences to our brand, reputation and compliance and risk management efforts could be severe and could negatively affect our financial condition and results of operations. To the extent our colleagues behave in a manner that does not comport with our company’s values, the consequences to our brand and reputation could be severe and could negatively affect our financial condition and results of operations.
The market for qualified, highly motivated individuals with a range of perspectives is highly competitive and we may not be able to attract and retain such individuals.The market for qualified, highly motivated individuals with diverse perspectives is highly competitive and we may not be able to attract and retain such individuals. Advances in technology such as AI may increase competition for individuals with expertise in key skills and require our colleagues to adapt to new skills and methods of working. The unexpected loss of key personnel or our inability to effectively execute succession planning for such personnel could disrupt our business and have an adverse impact on our future performance.Our success is dependent on maintaining a culture of integrity and respect and upon our executive officers and other key personnel, and misconduct by or loss of personnel could materially adversely affect our business. Changes in immigration and work permit laws and regulations or the administration or enforcement of such laws or regulations or other changes in the legal or regulatory environment can also impair our ability to attract and retain qualified personnel, or to employ colleagues in the location(s) of our choice. Our compensation practices are subject to regulatory review and oversight, which could further affect our ability to attract and retain our executive officers and other key personnel. Our inability to attract, develop and retain highly skilled and motivated personnel with a range of perspectives could materially adversely affect our business and our culture. Our inability to attract, develop and retain highly skilled, motivated and diverse personnel could materially adversely affect our business and our culture.
Regulation in the areas of privacy, data protection, data management, resiliency, data transfer, third party oversight, account access, AI & ML and information security and cybersecurity could increase our costs and affect or limit our business opportunities and how we collect, use and/or retain personal information.
Legislators and regulators in the United States and other countries in which we operate are increasingly adopting or revising privacy, data protection, data management, resiliency, data transfer, third party oversight, account access, AI & ML and information security and cybersecurity laws, including data localization, authentication and notification laws. As such laws are interpreted and applied (in some cases with significant differences or conflicting requirements across jurisdictions), compliance and technology costs will continue to increase. Additionally, automated decision making and AI & ML technologies, including the adoption of agentic commerce, present novel and complex legal risks, often with limited established guidance and significant uncertainty. New laws and regulations related to these technologies, as well as the application of existing laws and regulations, may restrict or impose burdensome and costly requirements on our ability to use them or impact other aspects of our business, particularly as the legal landscape related to these technologies remains fragmented with potentially inconsistent requirements.
Compliance with current or future laws in the aforementioned areas could significantly impact our business operations, including our collection, use, sharing, retention and safeguarding of consumer, partner and/or colleague information and could restrict our ability to fully maximize our integrated payments platform or provide certain products and services or work with certain service providers, which could materially and adversely affect our profitability.Compliance with current or future laws in the aforementioned areas could significantly impact our business operations, including our collection, use, sharing, retention and safeguarding of consumer and/or colleague information and could restrict our ability to fully maximize our integrated payments platform or provide certain products and services or work with certain service providers, which could materially and adversely affect our profitability. Our failure to comply with such laws, including as a result of process breakdowns, human error or technical issues, or to maintain sufficient governance and control structures could result in potentially significant regulatory and/or governmental investigations and/or actions, litigation, fines, sanctions, ongoing regulatory monitoring, customer attrition, decreases in the use or acceptance of our cards and damage to our reputation and our brand. Our failure to comply with such laws or to maintain sufficient governance and control structures could result in potentially significant regulatory and/or governmental investigations and/or actions, litigation, fines, sanctions, ongoing regulatory monitoring, customer attrition, decreases in the use or acceptance of our cards and damage to our reputation and our brand. In recent years, there has been increasing regulatory enforcement and litigation activity in the areas of privacy, data protection, data management, AI & ML and information security and cybersecurity in the United States, the EU and various other countries in which we operate and our data protection and governance programs have become the subject of heightened scrutiny.
For more information on regulatory and legislative activity in this area, see “Supervision and Regulation — Privacy, Data Protection, Data Management, AI, Resiliency, Information Security and Cybersecurity” under “Business.For more information on regulatory and legislative activity in this area, see “Supervision and Regulation — Privacy, Data Protection, Data Management, Artificial Intelligence, Resiliency, Information Security and Cybersecurity” under “Business. ”
If we are not able to protect our intellectual property rights, or successfully defend against any infringement or misappropriation assertions brought against us, our revenue and profitability could be negatively affected.
We rely on a variety of measures to protect our intellectual property rights and control access to, and distribution of, our trade secrets and other proprietary information.We rely on a variety of measures to protect our intellectual property and control access to, and distribution of, our trade secrets and other proprietary information. These measures may not prevent infringement of our intellectual property rights or misappropriation of our proprietary information and a resulting loss of competitive advantage. Our ability to detect infringements of our intellectual property, enforce intellectual property rights and prevent disclosure of our trade secrets and other proprietary information may be limited and such efforts may be costly. In addition, competitors or other third parties may allege that our products, systems, processes or technologies infringe on their intellectual property rights. Given the complex, rapidly changing and competitive technological and business environments in which we operate, and the potential risks and uncertainties of intellectual property-related litigation, a future assertion of an infringement or misappropriation claim against us could cause us to lose significant revenues, incur significant defense, license, royalty or technology development expenses, and/or pay significant monetary damages. Given the complex, rapidly changing and competitive technological and business environments in which we operate, and the potential risks and uncertainties of intellectual property-related litigation, a future assertion of an infringement or 33Table of Contentsmisappropriation claim against us could cause us to lose significant revenues, incur significant defense, license, royalty or technology development expenses, and/or pay significant monetary damages. Furthermore, given intellectual property ownership and license rights surrounding AI, such as generative AI, are currently not fully addressed by courts or regulators, we may not be able to protect our intellectual property rights against infringing use and our use or adoption of AI may result in exposure to claims by third parties. Furthermore, given intellectual property ownership and license rights surrounding artificial intelligence, such as generative artificial intelligence, are currently not fully addressed by courts or regulators, we may not be able to protect our intellectual property against infringing use and our use or adoption of artificial intelligence may result in exposure to claims by third parties.
Tax legislative initiatives or assessments could adversely affect our results of operations and financial condition.
We are subject to income and other taxes in the United States and in various foreign jurisdictions. The laws and regulations related to tax matters are extremely complex, require significant judgment and are subject to varying interpretations. Although management believes our positions are reasonable, they are subject to challenge by the Internal Revenue Service in the United States and by tax authorities in other jurisdictions in which we conduct business operations, which could have an adverse impact on our tax liabilities. Refer to Note 19 to the “Consolidated Financial Statements” for information on the U.S. federal income tax audit of transfer pricing arrangements between our U.S. and foreign subsidiaries.
We are being challenged in a number of countries regarding our application of value-added taxes (VAT) to certain transactions. While we believe we comply with all applicable VAT and other tax laws, rules and regulations in the relevant jurisdictions, the tax
33
authorities may determine that we owe additional taxes or apply existing laws and regulations more broadly, which could result in a significant increase in liabilities for taxes and interest in excess of accrued liabilities.
Legislative action or inaction in the jurisdictions in which we have operations could increase our effective tax rate.Legislative action or inaction in the countries in which we have operations could increase our effective tax rate. For example, guidelines issued by the Organization for Economic Cooperation and Development introduced a global minimum tax of 15 percent on the global profits of multinational enterprises, such as us. The global minimum tax increased our tax liability in 2025 as it came into effect in various jurisdictions where we operate and we expect the global minimum tax will continue to increase our tax liability in 2026 if it continues to be in effect in its current form.
Jurisdictions may also make changes related to the tax treatment of card transactions, such as imposing taxes on Card Member rewards or prohibiting interchange fees on sales tax, which could decrease the value we provide to customers and adversely impact our business.
Our operations, business, customers and partners could be adversely affected by climate-related risks. Our operations, business, customers and partners could be adversely affected by climate-related risks.
We may face physical risks related to climate, including rising average global temperatures, rising sea levels and an increase in the frequency and severity of extreme weather events and natural disasters. We face physical risks related to climate, including rising average global temperatures, rising sea levels and an increase in the frequency and severity of extreme weather events and natural disasters. Such events and disasters could disrupt our operations or the operations of customers or third parties on which we rely and could result in market volatility or negatively impact our customers’ spending behaviors or ability to pay outstanding loans. We also may face risks related to the transition to a low-carbon economy, such as changes in consumer preferences, travel patterns and legal requirements, which could impact our revenues or expenses or otherwise adversely affect our business, our customers and partners.
We may not be able to effectively identify, measure or control our exposure to climate-related risks, particularly given that the timing, nature and severity of the impacts of these risks may not be predictable. We could be criticized for the timing, scope or nature of our climate-related initiatives and goals. There can be no assurance that we will achieve these goals, which depend in part on third-party performance, data that is outside of our control and methodologies that may evolve over time. We could be required to change our business, management practices and partnerships, incur expenses from changes to our technology, operations, products and services and experience reputational harm as a result of negative public sentiment, regulatory scrutiny and reduced stakeholder confidence, due to our response or perceived lack of response to climate and environmental issues.
Credit, Market and Liquidity Risks
We are exposed to credit risk and trends that affect Card Member spending and the ability of customers and partners to pay us, which could have a material adverse effect on our results of operations and financial condition.
We are exposed to both individual credit risk, principally from consumer and small business Card Member loans and receivables, and institutional credit risk, principally from corporate Card Member loans and receivables, merchants, network partners, loyalty coalition partners and treasury and investment counterparties. Third parties may default on their obligations to us due to bankruptcy, lack of liquidity, operational failure or other reasons. General economic factors, such as recession or slow economic growth, unemployment, inflation, structural changes in the economy and interest rates, may result in greater delinquencies that lead to greater credit losses. General economic factors, such as recession, unemployment, inflation and interest rates, may result in greater delinquencies that lead to greater credit losses. A customer’s ability and willingness to repay us can be negatively impacted not only by economic, market, political and social conditions but also by a customer’s other payment obligations (with these factors sometimes influencing one another, such as the end of the moratorium on student loan repayments), and increasing leverage can result in a higher risk that customers will default or become delinquent in their obligations to us. A customer’s ability and willingness to repay us can be negatively impacted not only by economic, market, political and social conditions but also by a customer’s other payment obligations, and increasing leverage can result in a higher risk that customers will default or become delinquent in their obligations to us.
We rely principally on the customer’s creditworthiness for repayment of loans or receivables and therefore often have no other recourse for collection. Our ability to assess creditworthiness may be impaired as a result of changes in our underwriting practices or if the criteria or models we use to manage our credit risk prove inaccurate in predicting future losses, which could have a negative impact on our results of operations. This may be exacerbated to the extent information we have historically relied upon to make credit decisions does not accurately portray a customer’s creditworthiness, including as a result of the current interest rate and economic conditions. Further, our pricing strategies, particularly for new lending features and non-card lending products, may not offset the negative impact on profitability caused by increases in delinquencies and losses; thus any material increases in delinquencies and losses beyond our current estimates could have a material adverse impact on us. Although we make estimates to provide for credit losses in our outstanding portfolio of loans and receivables, these estimates may not be accurate. In addition, the information we use in managing our credit risk may be inaccurate or incomplete.
Rising indicators of credit losses, both with respect to our customers, such as delinquencies, and with respect to broader macroeconomic factors, such as current or future levels of unemployment, gross domestic product (GDP) and bankruptcies, may require us to increase our reserve for credit losses and result in future write-offs. Higher write-off rates and increases in our reserves for credit losses adversely affect our profitability and the performance of our securitizations, and may increase our cost of funds. Higher write-off rates and the resulting increase in our reserves for credit losses adversely affect our profitability and the performance of our securitizations, and may increase our cost of funds.
Although we regularly review our credit exposure to specific clients and counterparties and to specific industries, countries and regions that we believe may present credit concerns, default risk may arise from events or circumstances that are difficult to foresee or detect, such as fraud. In addition, our ability to manage credit risk or collect amounts owed to us may be adversely affected by legal or regulatory changes (such as restrictions on collections or changes in bankruptcy laws, minimum payment regulations and re-age guidance), changes in customer behavior (such as the increased use of debt settlement companies) or decreases in the effectiveness of our collections operations. In addition, our ability to manage credit risk or collect amounts owed to us may be adversely affected by legal or regulatory changes (such as restrictions on collections or changes in bankruptcy laws, minimum payment regulations and re-age guidance) or changes in customer behavior (such as the increased use of debt settlement companies). Increased credit risk, whether resulting from underestimating the credit losses inherent in our portfolio of loans and receivables, deteriorating economic or political conditions (particularly in the United States, as U.S. Card Members were responsible for approximately 79 percent of our total Card Member loans and receivables outstanding as of December 31, 2025), increases in the level of loan and receivable balances, changes in our mix of business or otherwise, could require us to increase our provisions for losses and could have a material adverse effect on our results of operations and financial condition.
34
Interest rate changes could materially adversely affect our earnings.
We had net interest income of approximately $17.4 billion for the year ended December 31, 2025. Changes in interest rates could adversely affect our net interest yield, and consequently our net interest income and results of operations, including if our borrowing costs and the interest we pay on deposits increase at a greater magnitude than the rate of interest we earn on our loans.We had net interest income of approximately $15.5 billion for the year ended December 31, 2024. If the rate of interest we pay on our borrowings increases more or decreases less than the rate of interest we earn on our loans, our net interest yield, and consequently our net interest income, could decrease. In addition, interest rate changes or prolonged periods of elevated or depressed rates may affect customer behavior, such as by impacting the balances Card Members carry on their cards or their ability to make payments to us, general spending and economic activity, or the demand for deposit accounts. In addition, interest rate changes may affect customer behavior, such as impacting the loan balances Card Members carry on their credit cards or their ability to make payments as higher interest rates lead to higher payment requirements, further impacting our results of operations. While we take actions to mitigate interest risk, such as employing hedging strategies and changing the rates we pay on deposits, these actions may not be effective and we may be limited in our ability to maintain the spread between our borrowing costs and our interest income, whether as a result of changes in benchmark rates, regulation, the competitive environment, customer behavior or otherwise. For a further discussion of our interest rate risk, see “Risk Management ― Market Risk Management Process” under “MD&A.”
We are subject to capital adequacy and liquidity rules, and if we fail to meet our capital and liquidity requirements, our business would be materially adversely affected.
As a financial institution, we are subject to extensive and complex capital and liquidity requirements. Our failure to meet current or future requirements, whether as a result of adverse business developments or changes in the applicable requirements, could compromise our competitive position and result in restrictions imposed by the Federal Reserve, or the OCC with respect to AENB, including limiting our ability to pay dividends, repurchase our capital stock, invest in our business, expand our business or engage in acquisitions. Some elements of the capital and liquidity regimes are not yet final and certain developments could significantly impact the requirements applicable to financial institutions. For example, if the U.S. federal bank regulatory agencies adopt the 2017 Basel Committee standards revisions to the standardized approach for credit risk and operational capital requirements, it could result in significantly higher regulatory capital requirements. In addition, it may be necessary for us to hold additional capital because of an increase in the SCB requirement based on results from a supervisory stress test.
Compliance with capital adequacy and liquidity rules requires a material investment of resources and may be affected by unforeseen events impacting our business or general economic conditions.Compliance with capital adequacy and liquidity rules requires a material investment of resources. An inability to meet regulatory expectations regarding our compliance with applicable capital adequacy and liquidity rules or supervisory expectations regarding capital and liquidity risk management capabilities and practices may also negatively impact the assessment of us and AENB by federal banking regulators. Additionally, as a Category III firm, we are subject to more stringent capital and liquidity requirements, which may further increase if we grow to become a Category II firm. Additionally, we are subject to more stringent capital and liquidity requirements as a result of becoming a Category III firm, which may further increase if we grow to become a Category II firm.
For more information on capital adequacy requirements, see “Supervision and Regulation — Capital and Liquidity Regulation” under “Business.”
We are subject to restrictions that limit our ability to pay dividends and repurchase our capital stock. Our subsidiaries are also subject to restrictions that limit their ability to pay dividends to us, which may adversely affect our liquidity.
We are limited in our ability to pay dividends and repurchase capital stock by our regulators, who have broad authority to prohibit any action that would be considered an unsafe or unsound banking practice. We are subject to a requirement to submit capital plans to the Federal Reserve for review that include, among other things, projected dividend payments and repurchases of capital stock. As part of the capital planning and stress testing process, our proposed capital actions are assessed against our ability to satisfy applicable capital requirements in the event of a stressed market environment. If we fail to satisfy applicable capital requirements, including the stress capital buffer, our ability to undertake capital actions may be restricted.
Our ability to declare or pay dividends on, or to purchase, redeem or otherwise acquire, shares of our common stock will be prohibited, subject to certain exceptions, in the event that we do not declare and pay in full dividends for the last preceding dividend period of our preferred stock.
We rely on dividends from our subsidiaries for liquidity, and such dividends may be limited by law, regulation or supervisory policy. For example, AENB is subject to various statutory and regulatory limitations on its declaration and payment of dividends. These limitations may hinder our ability to access funds we may need to make payments on our obligations, make dividend payments or otherwise achieve strategic objectives. In addition, as a bank holding company, we may be required to commit capital and financial resources to support AENB, which could adversely affect our liquidity.
Any future reduction or elimination of our common stock dividend or share repurchase program could adversely affect the market price of our common stock and market perceptions of American Express. For more information on bank holding company and depository institution dividend restrictions, see “Supervision and Regulation — Stress Testing and Capital Planning” and “— Dividends and Other Capital Distributions” under “Business,” as well as “Consolidated Capital Resources and Liquidity — Dividends and Share Repurchases” under “MD&A” and Note 21 to the “Consolidated Financial Statements.”
Adverse market conditions may significantly affect our access to, and cost of, capital and ability to meet liquidity needs.
Our ability to obtain financing in the capital markets, such as from unsecured term debt issuances and asset securitizations, is dependent on financial market conditions.Our ability to obtain financing in the debt capital markets for unsecured term debt and asset securitizations is dependent on financial market conditions. Disruptions, uncertainty or volatility across the financial markets, as well as adverse developments affecting us, our competitors, the financial industry or the economy generally, could negatively impact market liquidity and limit our access to funding required to operate and grow our business and satisfy cash needs, maturing liabilities and regulatory capital requirements. Disruptions, uncertainty or volatility across the financial markets, as well as adverse developments affecting our competitors and the financial industry generally, could negatively impact market liquidity and limit our access to funding required to operate our business. In some circumstances, our business growth or funding needs may increase unexpectedly and/or we may incur an unattractive cost to raise capital, which could decrease profitability and significantly reduce financial flexibility. Additional factors affecting the extent to which we may securitize loans and receivables in the future include the overall credit quality of our loans and receivables, the costs of securitizing our loans and receivables, the demand for credit card asset-backed securities and the legal, regulatory, accounting or tax rules affecting securitization transactions and asset-backed securities, generally. Our liquidity and cost of funds would also be adversely affected by the occurrence of events that could result in the early
35
amortization of our existing securitization transactions. For a further discussion of our liquidity and funding needs, see “Consolidated Capital Resources and Liquidity” under “MD&A.”
Any reduction in our credit ratings could increase the cost of our funding from, and restrict our access to, the capital markets and have a material adverse effect on our results of operations and financial condition.
Ratings of our long-term and short-term debt and deposits are based on a number of factors, including our financial strength, as well as factors not within our control, including conditions affecting the financial services industry, the U.S. Government and the macroeconomic environment, as well as changes made by ratings agencies to their methodologies or assumptions. Our ratings could be downgraded at any time and without any notice by any of the rating agencies, which could, among other things, adversely limit our access to the capital markets and adversely affect the cost and other terms upon which we are able to obtain funding. Our ability to raise funding through the securitization market also depends, in part, on the credit ratings of the securities we issue from our securitization trusts. If we are not able to satisfy rating agency requirements to confirm the ratings of our asset-backed securities, it could limit our ability to access the securitization markets.
Adverse currency fluctuations and foreign exchange controls could decrease earnings we receive from our international operations.
During 2025, approximately 22 percent of our total revenues net of interest expense were generated from activities outside the United States. We are exposed to foreign exchange risk from our international operations, and accordingly the revenue we generate outside the United States is subject to unpredictable fluctuations if the values of other currencies change relative to the U.S. dollar, which could have a material adverse effect on our results of operations.
Political and economic conditions could continue to cause changes in the values of currencies and a further strengthening of the U.S. dollar will negatively impact our net revenues. Substantial and sudden devaluation of Card Members’ local currency can also affect their ability to make payment to us. Foreign exchange regulations or capital controls might restrict or prohibit the conversion of other currencies into U.S. dollars or our ability to transfer them and the availability of foreign exchange could further impact our results of operations.
An inability to attract or maintain deposits could materially adversely affect our liquidity position and our ability to fund our business. An inability to attract or maintain deposits in the future could materially adversely affect our ability to fund our business.
Our U.S. bank subsidiary, AENB, accepts deposits and uses the proceeds as a source of funding, with our direct retail deposits becoming a larger proportion of our funding over time. We continue to face strong competition with regard to deposits, and pricing and product changes may adversely affect our ability to attract and retain cost-effective deposit balances. To the extent we offer higher interest rates to attract or maintain deposits, our funding costs will be adversely impacted. Additionally, a decrease in confidence in the soundness of us or in the banking sector more broadly, such as following the occurrence of bank failures, or in the level of insurance available on deposits may cause rapid deposit withdrawals or an unwillingness to maintain deposits with us, which could materially adversely affect us and our ability to fund our business. The use of social media and similar channels has the potential to intensify and accelerate such a decrease in confidence in soundness.
Our ability to obtain deposit funding and offer competitive interest rates on deposits is also dependent on AENB’s capital levels. The FDIA’s brokered deposit provisions and related FDIC rules in certain circumstances prohibit banks from accepting or renewing brokered deposits and apply other restrictions, such as a cap on interest rates that can be paid. Additionally, our regulators can adjust applicable capital requirements at any time and have authority to place limitations on our deposit businesses. An inability to attract or maintain deposits in the future could materially adversely affect our ability to fund our business.
The value of our investments may be adversely impacted by economic, political or market conditions.
Market risk includes the loss in value of portfolios and financial instruments due to adverse changes in market variables, which could negatively impact our financial condition. We have experienced realized and unrealized losses in our Amex Ventures™ equity investments and may experience further losses in the future. As of December 31, 2025, we held approximately $1.0 billion of investment securities, primarily consisting of debt securities, and equity investments, including certain equity method investments, totaling approximately $2.4 billion. Negative market conditions, changes in valuations or increases in default rates or bankruptcies with respect to these investments, due to economic conditions, business performance or otherwise, could have a material adverse impact on the value of our investments, potentially resulting in impairment charges. Defaults, threats of defaults or economic disruptions, even in countries or territories in which we do not have material investment exposure, conduct business or have operations, could adversely affect us.
36
ITEM 1B. UNRESOLVED STAFF COMMENTS
Not applicable.
ITEM 1C. CYBERSECURITY
We maintain an information security and cybersecurity program and a cybersecurity governance framework that are designed to protect our information systems against operational risks related to cybersecurity.
Cybersecurity Risk Management and Strategy
We define information security and cybersecurity risk as the risk that the confidentiality, integrity or availability of our information and information systems are impacted by unauthorized or unintended access, use, disclosure, disruption, modification or destruction. Information security and cybersecurity risk is an operational risk under our enterprise risk taxonomy, which is measured and managed as part of our operational risk management framework. Operational risk is incorporated into our risk governance framework, which we use to identify, assess, control, measure & monitor and report & escalate risks. For more information on our risk governance framework, see “Risk Management” under “MD&A.”
Our Technology Risk and Information Security (TRIS) program, which is our enterprise information security and cybersecurity program incorporated in our risk governance framework and led by our Chief Information Security Officer (CISO), is designed to (i) ensure the security, confidentiality, integrity and availability of our information and information systems; (ii) protect against any anticipated threats or hazards to the security, confidentiality, integrity or availability of such information and information systems; and (iii) protect against unauthorized access to or use of such information or information systems that could result in substantial harm or inconvenience to us, our colleagues or our customers. The TRIS program is built upon a foundation of advanced security technology, employs a highly trained team of experts and is designed to operate in alignment with global regulatory requirements. The program deploys multiple layers of controls, including embedding security into our technology investments, which are designed to identify, protect, detect, respond to and recover from information security and cybersecurity incidents. The program deploys multiple layers of controls, including embedding security into our technology investments, designed to identify, protect, detect, respond to and recover from information security and cybersecurity incidents. Those controls are measured and monitored by a combination of subject matter experts and a security operations center with integrated cyber detection, response and recovery capabilities. The TRIS program includes our Enterprise Incident Response Program, which manages information security incidents involving compromises of sensitive information, and our Cyber Crisis Response Plan, which provides a documented framework for handling critical security incidents and facilitates coordination across multiple parts of the Company to manage response efforts. We also routinely perform simulations and drills at both a technical and management level, and our colleagues receive annual cybersecurity awareness training.
The TRIS program aligns with the standards developed by the Cyber Risk Institute Profile for the financial sector and global regulatory requirements and incorporates reviews and assessments by our independent Technical Risk Management Team (part of our second line of defense), our Internal Audit Group (our third line of defense) and external experts. In addition, we engage third parties to provide specialized services and capabilities, including vulnerability insights, operation of certain security controls and threat intelligence. We also collaborate with our peers in areas of threat intelligence, vulnerability management, incident response and drills, and are active participants in industry and government forums. We also invest in threat intelligence, collaborate with our peers in areas of threat intelligence, vulnerability management, incident response and drills, and are active participants in industry and government forums.
Cybersecurity risks related to third parties are managed as part of our Third Party Management Policy , which sets forth the procurement, risk management and contracting framework for managing third-party relationships commensurate with their risk and complexity. Our Third Party Lifecycle Management (TLM) program sets guidelines for identifying, measuring, monitoring, and reporting the risks associated with third parties through the life cycle of the relationships, which includes planning, due diligence and third-party selection, contracting, ongoing monitoring and termination. Our TLM program includes the identification of third parties with risks related to information security. Third parties that access, process, collect, share, create, store, transmit or destroy our information or have access to our systems may have additional security requirements depending on the levels of risk, such as enhanced risk assessments and monitoring, and additional contractual controls.
37
Cybersecurity Governance
We have multiple internal management committees that are responsible for the oversight of cybersecurity risk. Our Technology, Data, Resiliency Risk Committee (TDRRC), co-chaired by our Chief Information Officer and the Head of Technical Risk Management, provides oversight and governance for our information security risk management activities, including those related to cybersecurity. This includes efforts to identify, assess, control, measure & monitor and report & escalate information security risks associated with our information and information systems and potential impacts to the American Express brand. The TDRRC escalates risks to our Enterprise Risk Management Committee (ERMC), co-chaired by our Chief Executive Officer and our Chief Risk Officer, or our Board based on the escalation criteria provided in our enterprise-wide risk appetite framework. The ORMC escalates risks to our Enterprise Risk Management Committee (ERMC), chaired by our Chief Risk Officer, or our Board based on the escalation criteria provided in our enterprise-wide risk appetite framework. Members of management with cybersecurity oversight responsibilities are informed about cybersecurity risks and incidents through a number of channels, including periodic and annual reports, with the annual report on our TRIS program also provided to our Risk Committee, the TDRRC and ERMC.
For more information on our risk governance structure, see “Risk Management — Governance and Board Oversight” and “Risk Management —Operational Risk Management Process” under “MD&A.”
38
Recently Filed
Click on a ticker to see risk factors
| Ticker * | File Date |
|---|---|
| AAT | 7 hours ago |
| LVS | 7 hours ago |
| RTX | 7 hours ago |
| APTV | 7 hours ago |
| SYF | 7 hours ago |
| POWI | 7 hours ago |
| MAA | 7 hours ago |
| CHAC | 7 hours ago |
| VTR | 8 hours ago |
| ELV | 9 hours ago |
| MSCI | 9 hours ago |
| HNOI | 10 hours ago |
| HAL | 10 hours ago |
| AXP | 11 hours ago |
| RLEA | 12 hours ago |
| ATR | 12 hours ago |
| MTD | 12 hours ago |
| TXN | 13 hours ago |
| UNP | 14 hours ago |
| OMF | 15 hours ago |
| BIIB | 16 hours ago |
| PM | 17 hours ago |
| AMZN | 1 day, 5 hours ago |
| RDDT | 1 day, 6 hours ago |
| CCIX | 1 day, 6 hours ago |
| VRSN | 1 day, 7 hours ago |
| CUZ | 1 day, 7 hours ago |
| XPO | 1 day, 7 hours ago |
| PINE | 1 day, 7 hours ago |
| BYRN | 1 day, 7 hours ago |
| BKR | 1 day, 7 hours ago |
| OTIS | 1 day, 8 hours ago |
| APPF | 1 day, 8 hours ago |
| LUV | 1 day, 8 hours ago |
| BSET | 1 day, 8 hours ago |
| CFR | 1 day, 8 hours ago |
| HII | 1 day, 8 hours ago |
| CARR | 1 day, 8 hours ago |
| TT | 1 day, 8 hours ago |
| FAST | 1 day, 12 hours ago |
| SIRI | 1 day, 14 hours ago |
| IDCC | 1 day, 15 hours ago |
| ICE | 1 day, 15 hours ago |
| OCUL | 1 day, 16 hours ago |
| TW | 1 day, 17 hours ago |
| AMD | 3 days, 5 hours ago |
| PYPL | 3 days, 7 hours ago |
| KREF | 3 days, 7 hours ago |
| ISRG | 3 days, 7 hours ago |
| DOC | 3 days, 7 hours ago |
