Risk Factors Dashboard
Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.
View risk factors by ticker
Search filings by term
Risk Factors - BPOP
-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing
ITEM 1A. RISK FACTORS A significant portion of our business involves lending money, which exposes us to credit risk and risk of loss if borrowers We rely primarily on bank deposits as a low cost and stable source of funding for our lending and investment activities and As cyber threats continue to evolve, we also expect to expend significant additional resources to continue to modify or Under the MSA, we are able to terminate services for convenience with 180 days’ prior notice. We expect to exercise The Enterprise Risk Management Committee (the “ERM Committee”), chaired by the Chief Risk Officer, oversees and The Information Technology and Cyber Risk Committee (“ITCRC”), chaired by the Chief Security Officer and the Chief The Operational Risk Committee (“ORCO”), chaired by the Chief Risk Officer, oversees and monitors operational risk The Board in turn also receives briefings on cybersecurity matters and risks, including an annual presentation from the Chief To identify, assess and manage risks from cybersecurity threats, the Corporation has established a three lines of defense framework. The first line of defense is composed of business line management that identifies and manages the risks associated with business activities, including cybersecurity risk. The second line of defense is made up of members of the Corporation’s Corporate Risk Management Group and the Corporate Security and Operations Group (the “CSOG”) who, among other things, measure and report on the Corporation’s risk activities. In such line of defense, the FORM Division, within the Corporate Risk Management Group, is responsible for (i) establishing baseline metrics that measure, monitor, limit and manage the framework that identifies and manages multiple and cross-enterprise risks, including cybersecurity risks; and (ii) articulating the RAS and supporting metrics, including those related to operational risk, business continuity, disaster recovery and third-party management oversight processes. Meanwhile, Popular’s Corporate Information Security and Privacy Division (the “CISP”), which is headed by the CISO and reports to the CSOG, is responsible for the development of strategies, policies and programs to assess and mitigate cybersecurity and privacy risks. Members of the CISP (including the CISO) and FORM Division report on and escalate cybersecurity, IT and privacy risks to management committees, such as the ITCRC, ORCO and ERM Committees, and, if appropriate, to the RMC, TC, and the Board of Directors, as required under relevant policies and procedures. Lastly, the third line of defense consists of the Corporate Auditing Division, which independently provides assurance regarding the effectiveness of the risk framework and reports directly to the Audit Committee of the Board. Popular monitors various vectors of threats and utilizes open-source intelligence forums and communities such as the Financial Services Information Sharing and Analysis Center and the Cybersecurity and Infrastructure Security Agency, among others, to receive threat intelligence feeds which are reviewed by the CISP. As cybersecurity threats are identified, they are evaluated to assess the level of exposure and the potential risk to Popular. The ITCRC and the ERM Committee discuss and track the threats identified in internal assessments and scans or in third-party reports. Depending on the evolution and materiality of the threat, these are escalated to the RMC as appropriate. Conduct tabletop exercises that simulate cybersecurity incidents to raise awareness and enhance Popular’s responsive Assess how business and corporate strategies, new products, technology deployments, external events and the evolution of Discuss cybersecurity risks with law enforcement, peer groups, industry forums and trade associations; Provide training to all Popular employees upon hiring and annually thereafter on cybersecurity and customer data handling Offer training and awareness campaigns to customers and employees based on their role; Conduct phishing simulations for employees, with escalation protocols for employees that fail such tests to enhance Offer learning and development opportunities to employees who handle and manage cybersecurity matters; Carry cyber insurance to provide protection against potential losses arising from cybersecurity incidents; and Monitor emerging legal and regulatory requirements and implement changes to our processes, policies and statements, as Popular engages third parties to assist in certain cybersecurity matters. Popular engages third parties to assist in certain cybersecurity matters. In particular, Popular uses the expertise of third parties to perform specialized assessments to test its systems, such as periodic penetration testing, that provide insights into the effectiveness of its controls. Popular also engages third parties to provide computer forensics and investigations services as needed to assess and address actual or potential cybersecurity incidents. In addition, Popular hires third parties to provide the first level security monitoring of Popular’s external and internal networks. To date, previous cybersecurity incidents have not materially affected our results of operations or financial condition. 
We, like other financial institutions, face risks inherent to our business, financial condition, liquidity, results of operations
and capital position. These risks could cause our actual results to differ materially from our historical results or the results
contemplated by the forward-looking statements contained in this report.
The risks described in this report are not the only risks we face. Additional risks and uncertainties not currently known by
us or that we currently deem to be immaterial, or that are generally applicable to all financial institutions, may also materially
adversely affect our business, financial condition, liquidity, results of operations or capital position.
ECONOMIC AND MARKET RISKS
Weakness in the economy, particularly in Puerto Rico, where a significant portion of our business is concentrated, has
adversely impacted us in the past and may adversely impact us in the future.
We have been, and will continue to be, impacted by global and local economic and market conditions, including weakness
in the economy, disruptions and volatility in the financial markets, inflation, monetary, trade and fiscal policies, public policy,
geopolitical conflicts, business and consumer sentiment and unemployment. A significant portion of our business is concentrated in
Puerto Rico, which accounted for 77% of our assets and 79% of our deposits as of December 31, 2025 and 80% of our revenues for
the year ended December 31, 2025. As a result, our financial condition and results of operations are highly dependent on the
general trends of the Puerto Rico economy and other conditions affecting Puerto Rico consumers and businesses. The
concentration of our operations in Puerto Rico exposes us to greater risks than other banking companies with a wider geographic
base.
Puerto Rico has faced significant economic and fiscal challenges in the past, including a severe recession that began in
2007 and persisted for over a decade and an acute fiscal crisis that led the Puerto Rico government to file for a form of federal
bankruptcy protection in 2017. Puerto Rico’s fiscal and economic challenges have in the past adversely affected our customers,
resulting in higher delinquencies, charge-offs and increased losses for us. While Puerto Rico’s economy has been gradually
recovering and the Puerto Rico government emerged from bankruptcy in 2022, Puerto Rico still faces significant economic and
fiscal challenges.
Puerto Rico’s economy is closely tied to the U.S. economy, as well as highly reliant on U.S. public policy and funding
decisions. Puerto Rico has historically received significant federal support for a wide range of government programs and services,
including healthcare, education, infrastructure and social assistance programs. More recently, Puerto Rico has received significant
federal stimulus, disaster relief and reconstruction funding, which has served as a major driver of economic activity. Reductions in
federal funding to programs that have benefited the Puerto Rico economy or delays in disbursements could significantly impact
Puerto Rico’s economy and hinder reconstruction efforts, including the restoration and improvement of critical infrastructure. In
addition, given that Puerto Rico’s Medicaid program is funded through federal block grants, absent federal legislative action, annual
24
Medicaid funding for Puerto Rico is projected to drop significantly during the 2027-2028 fiscal year, which would require the Puerto
Rico government to cover substantial program costs and potentially place significant strain on its finances. Beyond direct funding,
broader shifts in U.S. policy, such as changes to tax or trade policies, and shifts in policies of other governments in response, could
also adversely impact the Puerto Rico economy. A weakening of the Puerto Rico economy or other adverse economic conditions
affecting Puerto Rico consumers and businesses could result in decreased demand for our products or services, deterioration in the
credit quality of our customers, higher delinquencies, charge-offs or increased losses, all of which could adversely affect our
business, financial condition, liquidity, results of operations or capital position.
We are also exposed to risks related to the state of the local economies of the other markets in which we do business,
such as New York and Florida, as well as to the state of the global and U.S. economy and financial markets. Evolving geopolitical
tensions, the introduction or escalation of tariffs, inflationary pressures and other political or economic shifts may lead to increased
market volatility and disruption. These factors could, in turn, adversely impact our business, financial condition, liquidity, results of
operations or capital position.
Changes in interest rates and credit spreads can adversely impact our financial condition, including our investment
portfolio, since a significant portion of our business involves borrowing and lending money, and investing in financial
instruments.
Our business and financial performance are impacted by market interest rates and movements in those rates. Since a
high percentage of our assets and liabilities are interest bearing or otherwise sensitive in value to changes in interest rates, changes
in interest rates, in the shape of the yield curve or in spreads between different types of rates, have had and could in the future have
a material impact on our results of operations and the values of our assets and liabilities, including our investment portfolio. Interest
rates are highly sensitive to many factors over which we have no control and which we may not be able to anticipate adequately,
including general economic conditions and the monetary and tax policies of various governmental bodies, particularly the Federal
Reserve Board. Changes in these policies, including changes in interest rates, impact various aspects of our business, including
loan originations, the speed of prepayments, loan delinquencies, the value of our investments, the rates we receive on our loans
and investment securities, our ability to maintain and generate deposits and the rates we pay on our deposits and other funding
sources. The effects of these changes may be amplified if we are unable to effectively manage the sensitivity of our assets and
liabilities to market interest rate changes.
The rapid rise in interest rates in 2022 resulted in $2.5 billion in unrealized mark-to-market losses on available-for-sale
securities held in our investment securities portfolio. In October 2022, we transferred U.S. Treasury securities with a fair value of
$6.5 billion (par value of $7.4 billion), and with accumulated unrealized losses of $873 million, from our available-for-sale portfolio to
our held-to-maturity portfolio. While the size of our unrealized mark-to-market losses on available-for-sale securities had been
reduced to $0.9 billion as of December 31, 2025, if interest rates were to again rise rapidly or for a prolonged period, we may
accumulate significant additional mark-to-market losses on investment securities in our available-for-sale portfolio, which may
adversely affect our tangible capital and impact our ability to return capital to our stockholders.
For a discussion of the Corporation’s interest rate sensitivity, please refer to the “Risk Management” section of the MD&A
in this Form 10-K.
BUSINESS RISKS
Negative changes in the financial condition of our clients have adversely impacted us in the past and may adversely
impact us in the future.
do not repay their loans, leases, credit cards or other credit obligations. The performance of these credit portfolios significantly
affects our financial condition and results of operations. We have in the past been adversely affected by negative changes in the
financial condition of our clients due to weakness in the Puerto Rico and U.S. economy. If the current economic environment were to
deteriorate, more customers may have difficulty in repaying their credit obligations, which may result in higher levels of credit losses
and reserves for credit losses.
We are exposed to increased credit risks and credit losses to the extent our clients are concentrated by industry segment
or type of client.
Our credit risk and credit losses can increase to the extent our loans are concentrated in borrowers engaged in the same
or similar activities or in borrowers who as a group may be uniquely or disproportionately affected by certain economic or market
conditions. We have significant exposure to borrowers in certain economic sectors, such as residential and commercial real estate,
25
hospitality and healthcare. Challenging economic or market conditions that affect the industries or types of clients to which we have
significant exposure could result in higher credit losses and adversely affect our business, financial condition, liquidity, results of
operations or capital position.
We also have direct lending and investment exposure to Puerto Rico government entities, which have faced significant
fiscal challenges. At December 31, 2025, our exposure to the Puerto Rico government consisted of $391 million in direct lending
exposure to Puerto Rico municipalities and $209 million in loans insured or securities issued by Puerto Rico governmental entities
but for which the principal source of repayment is non-governmental. We also have indirect lending exposure to the Puerto Rico
government in the form of loans to private borrowers who are service providers, lessors, suppliers or have other relationships with
the Puerto Rico government. While the overall fiscal situation of the Puerto Rico government has improved in recent years, including
as a result of the government and certain of its instrumentalities having restructured their debt obligations, some Puerto Rico
government entities, including certain municipalities, still face significant fiscal challenges. A deterioration in the fiscal situation of the
Puerto Rico government and its instrumentalities, and in particular the fiscal situation of the Puerto Rico municipalities to which we
have direct lending exposure, could result in higher credit losses and reserves for credit losses. For a discussion of risks related to
the Corporation’s credit exposure to the Puerto Rico and USVI governments, see the Geographic and Government Risk section in
the MD&A section of this Form 10-K.
Deterioration in the values of real properties securing our commercial, mortgage loan and construction portfolios have in
the past resulted, and may in the future result, in increased credit losses and harm our results of operations.
As of December 31, 2025, 55% of our loan portfolio consisted of loans secured by real estate collateral (comprised of
29% in commercial loans, 22% in residential mortgage loans and 4% in construction loans). The value of the collateral securing
such loans is dependent upon economic conditions in the area in which the collateral is located. Weakness in the economy of some
of the markets we serve has in the past resulted in significant declines in the value of the real properties securing our loan portfolio,
leading to increased credit losses. If the value of the real estate properties securing our loan portfolio declines again in the future,
we may be required to increase our provisions for loan losses and allowance for loan losses. Any such increase could have an
adverse effect on our financial condition and results of operations. For more information on the credit quality of our construction,
commercial and mortgage portfolio, see the Credit Risk section of the MD&A included in this Form 10-K.
Defective and repurchased loans may harm our business and financial condition.
In connection with the sale and securitization of mortgage loans, we are required to make a variety of customary
representations and warranties regarding Popular and the loans being sold or securitized. Our obligations with respect to these
representations and warranties are generally outstanding for the life of the loan, and they relate to, among other things, compliance
with laws and regulations, underwriting standards, the accuracy of information in the loan documents and loan file and the
characteristics and enforceability of the loan. A loan that does not comply with the secondary market’s requirements may take
longer to sell, impact our ability to securitize the loans or pledge the loans as collateral for borrowings, or be unsalable or salable
only at a significant discount. Moreover, if any such loan is sold before we detect non-compliance, we may be obligated to
repurchase the loan and bear any associated loss directly, or we may be obligated to indemnify the purchaser against any loss. We
seek to minimize repurchases and losses from defective loans by correcting flaws, if possible, and selling or re-selling such loans.
However, if we were to suffer significant losses from defective and repurchased loans, our results of operations and financial
condition could be materially impacted.
If we are unable to maintain or grow our deposits, we may be subject to paying higher funding costs and our net interest
income may decrease.
the operation of our business. Therefore, our funding costs are largely dependent on our ability to maintain and grow our deposits.
As our competitors have raised the interest rates they pay on deposits, our funding costs have increased, as we have had to
increase the rates we pay to our depositors to avoid losing deposits and to procure new ones. Rising interest rates have also led
customers to move their funds to other financial institutions or to alternative investments that pay higher interest rates. Additionally,
periods of market stress or lack of market or customer confidence in financial institutions may result in a loss of customer deposits,
especially to the extent those deposits are in excess of the FDIC-insured limit of $250,000. As of December 31, 2025, we had $14
billion of total deposits (other than collateralized public funds, which represent public deposit balances from governmental entities in
the U.S. and its territories, including Puerto Rico and the United States Virgin Islands, that are collateralized based on such
jurisdictions’ applicable collateral requirements) in excess of the FDIC-insured limit. If deposits decrease, we may need to rely on
26
more expensive sources of funding, which would negatively impact our interest rate margin and net interest income. In addition, a
reduction in our deposits would decrease our earning assets, which would also negatively affect our net interest income.
We have a significant amount of deposits from the Puerto Rico government, its instrumentalities and municipalities ($19.4
billion, or 29% of our total deposits, as of December 31, 2025), and the amount of these deposits may fluctuate depending on the
financial condition and liquidity of these entities, as well as on our ability to maintain these customer relationships. Under the terms
of BPPR’s deposit pricing agreement with the Puerto Rico government, most public fund deposit rates are market linked with a lag
minus a specified spread. Therefore, as market rates rise, we are required to sequentially increase the rates we pay our public
deposits. If the mix of our deposits shifts towards a higher proportion of higher-cost deposits for any reason, our funding costs would
increase and our net interest income would be expected to decrease.
OPERATIONAL RISKS
We and our third-party providers have been, and expect in the future to continue to be, subject to cyber-attacks. Future
cyber-attacks could cause substantial harm and have an adverse effect on our business and results of operations.
Cybersecurity risks for large financial institutions such as Popular have increased significantly in recent years in part
because of the proliferation of new technologies, such as mobile banking, cloud hosting, artificial intelligence and the ability to
conduct instant financial transactions anywhere globally, as well as due to geopolitical conflicts and the increased sophistication and
activities of organized crime, hackers, terrorists, nation-states, hacktivists and other parties. Cybersecurity threats are constantly
evolving, especially given the advances in, and the rise of the use of, artificial intelligence and quantum computing, thereby
increasing the difficulty of preventing, detecting and successfully defending against them.
In the ordinary course of business, we rely on electronic communications and information systems to conduct our
operations and to transmit and store sensitive data. Notwithstanding our defensive measures and the significant resources we
devote to protecting the security of our systems, there is no assurance that all of our security measures will be effective at all times,
especially as the threats from cyber-attacks are continuous and severe. The risk of a security breach due to a cyber-attack is
expected to increase as we continue to expand our digital capabilities, mobile banking and other internet-based product offerings,
the use of the cloud for system development and hosting and internal use of internet-based products and applications.
We continue to detect and identify attacks that are becoming more sophisticated and increasing in volume, as well as
attackers that respond rapidly to changes in defensive countermeasures. The most significant cyber-attack risks that we or our
critical service providers may face include, but are not limited to, e-fraud, denial-of-service (DDoS), ransomware, computer intrusion
and the exploitation of software zero-day vulnerabilities that might result in disruption of services, in the exposure or loss of
customer or proprietary data, and significant financial loss. These types of cyber-attacks have in the past resulted and may continue
to result in the compromise of sensitive customer data, such as account numbers, credit cards and social security numbers, and
could present significant reputational, legal and regulatory costs to Popular if successful.
Our customer-facing platforms are also routinely targeted by threat actors aiming to gain unauthorized access to our
clients’ accounts. Although we have implemented defensive measures designed to protect against such attacks, there is no
assurance that these defensive measures will keep pace with threats that are continuous and growing in severity. For example, in
2022, certain customers were affected by brute force attacks on one of our platforms, which resulted in certain of our customers log-
in credentials and information being exposed, resulting in fraudulent transfers or withdrawals. Popular customers have also been
impacted by card skimming events in our ATM terminals. As a result, we have notified, and conducted additional remediation for,
customers identified as affected by these incidents. Cyber-security risks have also been exacerbated by the discovery of zero-day
vulnerabilities in widely distributed third party software, which have in the past affected and in the future could affect Popular’s or
any of its service provider’s systems, as further detailed below.
The increased use of remote access and third-party video conferencing solutions to enable work-from-home
arrangements for employees has also increased our exposure to cyber-attacks, including through the use of deep fakes and brand
impersonation. We expect the rise and use of artificial intelligence to exacerbate this risk. In addition, a third party could
misappropriate confidential information obtained by intercepting signals or communications from mobile devices used by Popular’s
customers or employees. Recent geopolitical conflicts have also exacerbated the risks related to supply-chain compromises and de-
stabilizing activities of nation-state sponsored actors.
A material compromise or circumvention of the security of our systems could have serious negative consequences for us,
including significant disruption of our operations and those of our clients, customers and counterparties, misappropriation of
27
confidential information of Popular or that of our clients, customers, counterparties or employees, or damage to computers or
systems used by us or by our clients, customers and counterparties, and could result in violations of applicable privacy and other
laws, financial loss to us or to our customers, increased regulatory scrutiny and enforcement actions, customer dissatisfaction,
significant litigation exposure and harm to our reputation, all of which could have a material adverse effect on us. Banking regulators
increasingly scrutinize third-party relationships supporting critical activities. If our regulators determine that our oversight, contractual
protections, or the performance and controls of our third-party providers (including critical providers) are inadequate, we could be
required to implement enhanced controls, conduct independent reviews, restrict or terminate relationships, or undertake costly
remediation or conversion activities, any of which could disrupt operations, increase expenses, or adversely affect our reputation
and results of operations.
The extent of a particular cyber-attack and the steps that we may need to take to investigate the attack may not be
immediately clear, and it may take a significant amount of time before such an investigation can be completed. While such an
investigation is ongoing, Popular may not necessarily know the full extent of the harm caused by the cyber-attack, and that damage
may continue to spread. These factors may inhibit our ability to provide rapid, full and reliable information about the cyber-attack to
our clients, customers, counterparties and regulators, as well as the public. Moreover, we may be required under SEC rules or bank
regulations to disclose information about a cybersecurity event before it has been resolved or fully investigated. Furthermore, it may
not be clear how best to contain and remediate the potential harm caused by the cyber-attack, and certain errors or actions could be
repeated or compounded before they are discovered and remediated. Cyber-attacks could also cause interruptions in our operations
and result in the incurrence of significant costs, including those related to forensic analysis and legal counsel.
We also rely on third parties for the performance of a significant portion of our information technology functions and the
provision of information security, technology and business process services. As a result, a successful compromise or circumvention
of the security of the systems of these third-party service providers could have serious negative consequences for us, including
compromise of our systems, misappropriation of our confidential information or that of our clients, customers, counterparties or
employees, or other negative implications identified above with respect to a cyber-attack on our systems. The most important of
these third-party service providers for us is Evertec. As a result, we depend on Evertec to identify and remediate certain of our
cybersecurity vulnerabilities. Cyber-attacks at third-party service providers are also becoming increasingly common, and, as a result,
cybersecurity risks relating to our vendors, including Evertec have increased. Certain risks particular to Evertec and our dependence
on third parties are discussed under “We rely on other companies to provide key components of our business infrastructure,
including certain of our core financial transaction processing and information technology and security services, which exposes us to
a number of operational risks that could have a material adverse effect on us” in the Operational Risks section of Item 1A in this
Form 10-K. During 2023, personal information of Popular customers’ data was compromised in a data breach incident that impacted
MOVEit, the third-party file transfer platform used by one of our service providers. Popular notified, as required or otherwise deemed
appropriate, customers identified as affected by the incident. Furthermore, during 2024, threat actors exploited a zero-day
vulnerability in the Fortinet enterprise management server software used by Evertec, which migrated to one of Popular's domain
controllers due to a shared network environment. While Evertec eventually determined that no BPPR customer information was
exfiltrated as a result of this incident, the event underscores the risks inherent in Popular’s dependency on Evertec. Although these
incidents did not have a material effect on Popular, including its business strategy, results of operations or financial condition, and
our third-party service providers agreed to cover external remediation costs associated therewith, a compromise of Popular
information or the personal information of our customers maintained by third party vendors could result in significant regulatory
consequences, reputational damage and financial loss to us. The success of our business depends in part on the continuing ability
of these (and other) third parties to perform these functions and services in a timely and satisfactory manner, which performance
could be disrupted or otherwise adversely affected due to failures or other information security events originating at the third parties
or at the third parties’ suppliers or vendors (so-called “fourth party risk”). We may not be able to effectively directly monitor or
mitigate fourth-party risk, in particular as it relates to the use of common suppliers or vendors by the third parties that perform
functions and services for us.
enhance our layers of defense or to investigate and remediate additional information security vulnerabilities or incidents. The
obsolescence in our hardware or software limits our ability to mitigate vulnerabilities. System enhancements and updates also
create risks associated with implementing new systems and integrating them with existing ones, including risks associated with
supply chain compromises and the software development lifecycle of the systems used by us and our service providers. In addition,
addressing certain information security vulnerabilities, such as hardware-based vulnerabilities, may affect the performance of our
information technology systems. The ability of our hardware and software providers to deliver patches and updates to mitigate
vulnerabilities in a timely manner can introduce additional risks, particularly when a vulnerability is being actively exploited by threat
28
actors. Moreover, our efforts to timely mitigate vulnerabilities and manage such risks, given the rise in number and urgency of
required patches and third-party software, as well as the obsolescence in some of our hardware and software, may impact our day-
to-day operations, the availability of our systems and delay the deployment of technology enhancements and innovation.
If Popular’s operational systems, or those of external parties on which Popular’s businesses depend, are unable to meet
the requirements of our businesses and operations or the standards of our regulators or other applicable data protection and privacy
laws, or if they fail, have other significant shortcomings or are impacted by cyber-attacks, Popular could be materially and adversely
affected.
We rely on other companies to provide key components of our business infrastructure, including certain of our core
financial transaction processing and information technology and security services, which exposes us to a number of
operational risks that could have a material adverse effect on us.
Third parties provide key components of our business operations, such as data processing, information security, recording
and monitoring transactions, online banking interfaces and services, Internet connections and network access. The most important
of these third-party service providers for us is Evertec due in large part to its role as a service provider to BPPR, our principal
banking subsidiary. We are dependent on Evertec for the provision of essential services to our business, including certain of BPPR’s
core financial transaction processing and information technology and security services. As a result, we are particularly exposed to
the operational risks of Evertec, including those related to its security architecture and potential breakdowns or failures of Evertec’s
systems or internal controls environment.
Over the course of our relationship with Evertec, we have experienced interruptions and delays in key services provided
by Evertec, as well as cyber events, as a result of system breakdowns, their exposure to zero-day vulnerabilities, misconfigurations,
human error, application obsolescence and dependency on shared infrastructure components and shared environments, which
have in certain cases also led to exposure of Popular information and BPPR customer information. In particular, the current level of
obsolescence in the hardware and software used by Evertec to service us exposes us to heightened operational and cybersecurity
risks, including system outages. Our ability to cure legacy obsolescence in the hardware and software we procure from Evertec, to
expand our oversight over security services being provided by Evertec, as well as to effect the segregation of our shared
infrastructure, is expected to be lengthy and complex, which exacerbates our exposure to resulting operational, including
cybersecurity, risks. See “The transition to new financial services technology providers, and the replacement of services currently
provided to us by Evertec, will be lengthy and complex” in the Operational Risks section of Item 1A in this Form 10-K below.
While we select third-party vendors carefully and have increased our oversight of these relationships, our oversight is
constrained by the level of our ongoing visibility into our vendor’s systems and operations, and we do not have direct control over
their actions, assets or services. Any problems caused by these vendors, including those resulting from disruptions in the services
provided, vulnerabilities in or breaches of the vendor’s systems or environments, failure of the vendor to handle current or higher
volumes, failure of the vendor to provide services for any reason or poor performance of services, failure of the vendor to notify us of
a reportable event in a timely manner, or our vendors’ misuse of artificial intelligence and other automatic decision making
technologies, could adversely affect our ability to deliver products and services to our customers and otherwise conduct our
business, disrupt our operations, result in potential liability to customers and counterparties, result in the imposition of fines,
penalties or judgments by our regulators, lead to exposure of our information or that of our customers or harm to our reputation, any
of which could materially and adversely affect us. The inability of our third-party service providers to timely address cybersecurity
threats may further exacerbate these risks. Financial or operational difficulties of a third-party vendor could also hurt our operations
if those difficulties interfere with the vendor’s ability to serve us. Replacing these third-party vendors, when possible, could also
create significant delay and expense. Accordingly, the use of third parties creates an unavoidable inherent risk to our business
operations.
The transition to new financial services technology providers, and the replacement of services currently provided to us by
Evertec, will be lengthy and complex.
Switching from one vendor of core financial transaction processing and related technology and security services to one or
more new vendors is a complex process that carries business and financial risks. The implementation cycle for such a transition
would be lengthy and require significant financial and management resources from BPPR and Popular. Such a transition can also
increase costs (including conversion costs), impede or disrupt business or technological initiatives, and expose us and our clients to
business disruption, as well as operational and cybersecurity risks. As we transition all or a portion of the existing services provided
by Evertec to new financial services technology providers, either (i) at the end of the term of the Second Amended and Restated
Master Services Agreement (the “MSA”) and related agreements or (ii) earlier upon the termination of any service for convenience
29
under the MSA, these transition risks could result in an adverse effect on our business, financial condition and results of operations.
Although Evertec has agreed to provide certain transition assistance to us in connection with the termination of the MSA, we are
ultimately dependent on their ability to provide those services in a responsive and competent manner, as well as their ability to retain
experienced personnel to provide the services. A successful transition will also depend on our ability to retain personnel who have
relevant experience and expertise. Furthermore, we may require transition assistance from Evertec beyond the term of the MSA,
potentially delaying and lengthening any transition process away from Evertec while increasing related costs and risks of disruption
to us and our clients.
during the term of the MSA the right to terminate certain services for convenience and to transition such services to other service
providers prior to the expiration of the MSA, subject to complying with the revenue minimums contemplated in the MSA and certain
other conditions. In practice, in order to switch to a new provider for a particular service, we will have to commence procuring and
working on a transition process for such service significantly in advance of its termination and, in any case, much earlier than the
expiration date of the MSA, and such process may extend beyond the current term of the MSA. Furthermore, if we are unsuccessful
or decide not to complete the transition after expending significant funds and management resources, it could also result in an
adverse effect on our business, financial condition and results of operations.
Unforeseen or catastrophic events, including extreme weather events and other natural disasters, man-made disasters,
acts of violence or war, or the emergence of pandemics or epidemics, could cause a disruption in our operations or other
consequences that could have a material adverse effect on our financial condition and results of operations.
A significant portion of our operations are located in the Caribbean and Florida, a region susceptible to hurricanes,
earthquakes and other similar events. In 2017, Puerto Rico, USVI and BVI were severely impacted by Hurricanes Irma and María,
which resulted in significant disruption to our operations and adversely affected our clients in these markets, and in 2022, Hurricane
Fiona impacted the southwest area of Puerto Rico, adversely affecting our customers in that region. Other types of unforeseen or
catastrophic events, including pandemics, epidemics, man-made disasters, or acts of violence or war, or the fear that such events
could occur in the future, could also adversely impact our operations and financial results. For example, in 2020, the COVID-19
pandemic severely impacted global health, financial markets, consumer spending and global economic conditions, and caused
significant disruption to businesses worldwide, including our business and those of our customers, service providers and suppliers.
Future unforeseen or catastrophic events, and actions taken by governmental authorities and other third parties in response to such
events, could adversely affect our operations, cause economic and market disruption, adversely impact the ability of borrowers to
timely repay their loans, or affect the value of any collateral held by us, any of which could have a material adverse effect on our
business, financial condition or results of operations. The frequency, severity and impact of future unforeseen or catastrophic events
is difficult to predict. While we maintain insurance against natural disasters and other unforeseen events, including coverage for
business interruption, the insurance may not be sufficient to cover all of the damage from any such event, and there is no insurance
against the disruption that a catastrophic event could produce to the markets that we serve and the potential negative impact to
economic activity.
Climate change could have a material adverse impact on our business operations and that of our clients and customers.
Our business and the activities and operations of our clients and customers may be disrupted by global climate change.
Potential physical risks from climate change include the increase in the frequency and severity of weather events, such as storms
and hurricanes, and long-term shifts in climate patterns, such as sustained higher and lower temperatures, sea level rise, heat
waves and droughts, among others. Our geographic concentration in localities, including Puerto Rico, the U.S.V.I., B.V.I. and
Florida, particularly susceptible to risks arising from climate change, including severe hurricanes and sea level rise, heighten the
threat we face from climate change. Additionally, the impact of climate change in the markets that we operate and in other global
markets may have the effect of increasing the costs or reducing the availability of insurance needed for our business operations.
Climate change may also create transitional risks resulting from a shift to a low-carbon economy. These transition risks may include
changes in the legal and regulatory landscape, technology, consumer sentiment and preferences, and market demands that seek to
mitigate the effects of climate change. Changes in the legal and regulatory landscape may additionally increase our compliance
costs. These climate-driven changes could have a material adverse impact on asset values and on our business and financial
performance and those of our clients and customers.
LEGAL AND REGULATORY RISKS
Our businesses are highly regulated, and the laws and regulations that apply to us have a significant impact on our
business and operations.
30
We are subject to extensive and evolving regulation under U.S. federal, state and Puerto Rico laws that govern almost all
aspects of our operations and limit the businesses in which we may be engaged, including regulation, supervision and examination
by federal, state and foreign banking authorities. These laws and regulations have expanded significantly over an extended period
of time and are primarily intended for the protection of consumers, borrowers and depositors. Compliance with these laws and
regulations has resulted, and will continue to result, in significant costs. Additionally, the current federal administration is pursuing a
policy and regulatory agenda significantly different from that of the previous administration, including the reversal of rules
promulgated under the past administration and shifts in rulemaking, supervision, examination and enforcement priorities. The
implementation of that agenda is happening rapidly and is constantly evolving. The potential impact of any such changes cannot be
predicted.
Additional laws and regulations may be enacted or adopted in the future, and the application, interpretation or
enforcement of laws and regulations may in the future be changed (including through executive orders), in ways that could
significantly affect our powers, authority and operations and which could have a material adverse effect on our financial condition
and results of operations. In particular, we could be adversely impacted by changes in laws and regulations, or changes in the
application, interpretation or enforcement of laws and regulations, that proscribe or institute more stringent restrictions on certain
financial services activities, impose monetary fines or other penalties on institutions that fail to comply with applicable laws and
regulations, or impose new requirements. In addition, new laws or regulations could require significant system and process changes
that require systems upgrades and could limit our ability to meet adoption timeframes or pursue our innovation roadmap. If we do
not appropriately comply with current or future laws or regulations, adapt to the changing interpretation of existing laws or
regulations, or if we fail to meet supervisory expectations, we may be subject to fines, penalties or judgements, or to material
regulatory restrictions on our business, which could also materially and adversely affect our business, financial condition, liquidity,
results of operations or capital position.
Our participation (or lack of participation) in certain governmental programs, such as the Paycheck Protection Program
(“PPP”) enacted in response to the COVID-19 pandemic, also exposes us to increased legal and regulatory risks. We have also
been and could continue to be exposed to adverse action for the violation of applicable legal requirements or the improper conduct
of our employees in connection with such loans. For example, on January 24, 2023, Popular Bank consented to the imposition of an
order from the Federal Reserve Board requiring it to pay a $2.3 million civil money penalty to settle certain findings arising from
Popular Bank’s approval of six Payment Protection Program loans.
In addition, due to divergent policies and stakeholder viewpoints regarding climate and sustainability matters, we are at
increased risk of being subject to conflicting legal and regulatory requirements and stakeholder expectations regarding climate and
sustainability matters. For example, certain states have enacted or proposed laws addressing climate change and other
sustainability issues, including climate-related disclosure requirements. On the other hand, certain states have enacted or proposed
laws or regulations or taken other actions to prohibit the consideration of environmental and social factors in state investments and
contracting. In addition, in August 2025, President Trump signed Executive Order 14331, “Guaranteeing Fair Banking Access for All
Americans,” which states that it is the policy of the United States that no American should be denied access to financial services
because of their constitutionally or statutorily protected beliefs, affiliations, or political views. The Executive Order directs the
Treasury Secretary and federal banking regulators to address politicized or unlawful debanking activities. These, as well as other
laws, regulations, guidance and expectations, many of which may have broad and extraterritorial application, have in the past
subjected and may in the future subject us to additional requirements or different and conflicting requirements and expectations in
the various jurisdictions in which we operate, which could negatively affect our business and brand.
We are from time to time subject to information requests, investigations and other regulatory enforcement proceedings
from departments and agencies of the U.S., Puerto Rico, New York and other state governments, including those that
investigate compliance with U.S. sanctions and consumer protection laws and regulations, which may expose us to
significant penalties and collateral consequences, and could result in higher compliance costs or restrictions on our
operations.
We from time-to-time self-report compliance matters to, or receive requests for information from, departments and
agencies of the U.S., Puerto Rico, New York and other state governments, including with respect to compliance with consumer
protection laws and regulations. For example, BPPR has in the past received requests for information, such as subpoenas and civil
investigative demands from U.S. government regulators, including concerning add-ons on consumer products, real estate appraisals
and residential and construction loans in Puerto Rico. BPPR has also self-identified and reported to applicable regulators
compliance matters related to U.S. sanctions, as well as mortgage, credit reporting and other consumer lending practices.
31
Incidents of this nature and investigations or examinations by governmental authorities have resulted in the past, and may
in the future result, in judgments, settlements, fines, enforcement actions, penalties or other sanctions adverse to the Corporation,
which could materially and adversely affect the Corporation’s business, financial condition, results of operations or capital position or
cause serious reputational harm. Any such settlements or orders that we enter into, or that regulatory authorities impose on us could
require enhancements to our procedures and controls and entail significant operational and compliance costs. Furthermore, issues
or delays in satisfying the requirements of a regulatory settlement or action on a timely basis could result in additional penalties and
enforcement actions, which could be significant. In connection with the resolution of regulatory proceedings, enforcement authorities
may seek admissions of wrongdoing and, in some cases, criminal pleas, which could lead to increased exposure to private litigation,
loss of clients or customers, and restrictions on offering certain products or services. In addition, responding to information-gathering
requests, investigations and other regulatory proceedings, regardless of the ultimate outcome of the matter, could be time-
consuming, expensive and divert management attention from our business.
Financial services institutions such as Popular have been subject to heightened expectations and regulatory scrutiny in
recent years. Our regulators’ oversight is not limited to banking and financial services laws but extends to other significant laws
such as those related to anti money laundering, anti-bribery and anti-corruption laws. Further, regulators in the performance of their
supervisory and enforcement duties, have significant discretion and power to prevent or remedy what they deem to be unsafe and
unsound practices or violations of laws by banks and bank holding companies. Therefore, the outcome of any investigative or
enforcement action, which may take years and be material to Popular, may be difficult to predict or estimate.
Complying with economic and trade sanctions programs and anti-money laundering laws and regulations can increase our
operational and compliance costs. If we, and our subsidiaries, affiliates or third-party service providers, are found to have
failed to comply with applicable economic and trade sanctions programs and anti-money laundering laws and regulations,
we could be exposed to fines, sanctions and penalties, and other regulatory actions, as well as governmental
investigations.
As a federally regulated financial institution, we must comply with regulations and economic and trade sanctions and
embargo programs administered by the Office of Foreign Assets Control (“OFAC”) of the U.S. Treasury, as well as anti-money
laundering laws and regulations, including those under the Bank Secrecy Act.
Economic and trade sanctions regulations and programs administered by OFAC prohibit U.S.-based entities from entering
into or facilitating unlicensed transactions with, for the benefit of, or in some cases involving the property and property interests of,
persons, governments or countries designated by the U.S. government under one or more sanctions regimes, and also prohibit
transactions that provide a benefit that is received in a country designated under one or more sanctions regimes. We are also
subject to a variety of reporting and other requirements under the Bank Secrecy Act, including the requirement to file suspicious
activity and currency transaction reports, that are designed to assist in the detection and prevention of money laundering, terrorist
financing and other criminal activities. In addition, as a financial institution we are required to, among other things, identify our
customers, adopt formal and comprehensive anti-money laundering programs, scrutinize or altogether prohibit certain transactions
of special concern, and be prepared to respond to inquiries from U.S. law enforcement agencies concerning our customers and their
transactions. Failure by the Corporation, its subsidiaries, affiliates or third-party service providers to comply with these laws and
regulations could have serious legal and reputational consequences for the Corporation, including the possibility of regulatory
enforcement or other legal action, including significant civil and criminal penalties. We also incur higher costs and face greater
compliance risks in structuring and operating our businesses to comply with these requirements. The markets in which we operate
heighten these costs and risks.
We have established risk-based policies and procedures and employed software designed to assist us and our personnel
in complying with these applicable laws and regulations. Even if the appropriate controls are in place, there can be no assurance
that our policies and procedures will prevent us from blocking and rejecting all applicable transactions of our customers or our
customers’ customers that may involve a sanctioned person, government or country. Any failure to detect and prevent any such
transaction could result in a violation of applicable laws and regulations and adversely affect our reputation, business, financial
condition and results of operations.
From time to time we have identified and voluntarily self-disclosed to OFAC transactions that were not timely identified,
blocked or rejected by our policies, controls and procedures for screening transactions that might violate the regulations and
economic and trade sanctions programs administered by OFAC. For example, during the second quarter of 2022, BPPR entered
into a settlement agreement with OFAC with respect to certain transactions processed on behalf of two employees of the
Government of Venezuela, in apparent violation of U.S. sanctions against Venezuela. Popular agreed to pay $256,000 to settle the
apparent violations, which had been self-disclosed to OFAC. There can be no assurances that any failure to comply with U.S.
32
sanctions and embargoes, or with anti-money laundering laws and regulations, will not result in material fines, sanctions or other
penalties being imposed on us.
Furthermore, if the policies, controls, and procedures of one of the Corporation’s third-party service providers, together
with our third-party oversight of such providers, do not prevent it from violating applicable laws and regulations in transactions in
which it engages, such violations could adversely affect its ability to provide services to us.
We are subject to regulatory capital adequacy requirements, and if we fail to meet these requirements our business and
financial condition will be adversely affected.
Under regulatory capital adequacy requirements, and other regulatory requirements, Popular and our banking subsidiaries
must meet requirements that include quantitative measures of assets, liabilities and certain off-balance sheet items, subject to
qualitative judgments by regulators regarding components, risk weightings and other factors. If we fail to meet these minimum
capital requirements and other regulatory requirements, our business and financial condition will be materially and adversely
affected. If a financial holding company fails to maintain well-capitalized status under the regulatory framework, or is deemed not
well managed under regulatory exam procedures, or if it experiences certain regulatory violations, its status as a financial holding
company and its related eligibility for a streamlined review process for acquisition proposals, and its ability to offer certain financial
products, may be compromised and its financial condition and results of operations could be adversely affected. The failure of any
depository institution subsidiary of a financial holding company to maintain well-capitalized or well-managed status could have
similar consequences.
See “Our businesses are highly regulated, and the laws and regulations that apply to us have a significant impact on our
business and operations” in the Legal and Regulatory Risks section of Item 1A in this Form 10-K.
Increases in FDIC insurance premiums may have a material adverse effect on our earnings.
Substantially all the deposits of BPPR and PB are subject to insurance up to applicable limits by the FDIC’s deposit
insurance fund (“DIF”) and, as a result, BPPR and PB are subject to FDIC deposit insurance assessments. On October 18, 2022,
the FDIC finalized a rule that increased initial base deposit insurance assessment rates by 2 basis points, beginning with the first
quarterly assessment period of 2023. In addition, in November 2023, the FDIC finalized a rule that imposes a special assessment to
recover the costs to the DIF resulting from the FDIC’s use, in March 2023, of the systemic risk exception to the least-cost resolution
test under the FDIA in connection with the receiverships of Silicon Valley Bank and Signature Bank. The exact amount of this
assessment will be determined when the FDIC terminates the related receiverships considered in the final rule. Accordingly, the final
special assessment amount and collection period may change as the estimated cost is periodically adjusted or if the total amount
collected varies. For example, in December 2025, the FDIC reduced the rate at which the assessment is collected for the eighth
quarter of the collection period, with an invoice payment date of March 30, 2026, due to its updated estimate of losses.
We are generally unable to control the amount of premiums or additional assessments that we are required to pay for
FDIC insurance. If there are additional bank or financial institution failures, our level of non-performing assets increases, or our risk
profile changes or our capital position is impaired, we may be required to pay even higher FDIC premiums. Any future additional
increases in FDIC premiums, assessment rates or special assessments may materially adversely affect our results of operations.
See the “Supervision and Regulation—FDIC Insurance” discussion in Item 1. Business of this Form 10-K for additional information
related to the FDIC’s deposit insurance assessments applicable to BPPR and PB.
The resolution of pending litigation and regulatory proceedings, if unfavorable to us, could have material adverse financial
effects or cause us significant reputational harm, which, in turn, could seriously harm our business prospects.
We face legal risks in our businesses, and the volume of claims and amount of damages and penalties claimed in
litigation and regulatory proceedings against financial institutions remains high. We are involved in a number of litigation, arbitration
and regulatory proceedings in the ordinary course of our business. Substantial legal liability or significant regulatory action against
us could have material adverse financial effects or cause significant reputational harm to us or other adverse consequences, which
in turn could seriously harm our business prospects. For further information relating to our legal risk, see Note 23 - “Commitments &
Contingencies”, to the Consolidated Financial Statements in this Form 10-K.
LIQUIDITY RISKS
We are subject to liquidity risks arising from market events or disruptions and instances of low investor and depositor
confidence. Furthermore, actions by the rating agencies or decreases in our capital levels may have adverse effects on our
liquidity and business, including by raising the cost of our obligations or affecting our ability to borrow.
33
We must maintain adequate liquidity and funding sources to support our operations, fund customer deposit withdrawals,
repay borrowings and debt, comply with our financial obligations, fund planned capital distributions and meet regulatory
requirements. The Corporation’s most significant source of funds are bank deposits, including customer deposits and brokered
deposits. In addition to deposits, sources of liquidity include secured borrowing arrangements, such as those with the Federal
Reserve Bank of New York and the Federal Home Loan Bank of New York (“FHLBNY”), unpledged securities from our investment
portfolio, the capital markets and proceeds from loan sales or securitizations.
Popular’s liquidity and ability to fund and operate its business could be materially adversely affected by a variety of
conditions and factors, some of which are out of Popular’s control. For example, market events or disruptions, such as periods of
market stress and low investor confidence in financial institutions could result in deposit withdrawals, especially to the extent those
deposits are in excess of the FDIC-insured limit of $250,000. As of December 31, 2025, we had $14 billion of total deposits (other
than collateralized public funds, which represent public deposit balances from governmental entities in the U.S. and its territories,
including Puerto Rico and the United States Virgin Islands, that are collateralized based on such jurisdictions’ applicable collateral
requirements) in excess of the FDIC-insured limit. We may also suffer outflows of customer deposits due to competition from other
banks or alternative investments. In addition, in periods of stress, we may not be able to access existing funding sources, access
the capital markets or to sell or securitize loans or other assets, or to access such sources or to sell or securitize assets on favorable
terms.
In addition, actions by the rating agencies could raise the cost of our borrowings, since lower rated securities are usually
required by the market to pay higher rates than obligations of higher credit quality. Our credit ratings were reduced substantially in
2009 and, although one of the three major rating agencies upgraded our senior unsecured rating back to “investment grade” during
2021, the remaining two rating agencies have not upgraded their current “non-investment grade” rating. The market for non-
investment grade securities is much smaller and less liquid than for investment grade securities. If we were to attempt to issue
preferred stock or debt securities into the capital markets, it is possible that there would not be sufficient demand to complete a
transaction or that the cost could be substantially higher than for more highly rated securities. If Popular is unable to access the
capital markets on favorable terms, our liquidity may be adversely affected.
Changes in our ratings and capital levels could affect our relationships with some creditors and limit our access to funding.
For example, having negative tangible capital may impact our ability to access some sources of wholesale funding. The Federal
Housing Finance Agency restricts the FHLBNY from lending to members of the FHLBNY with negative tangible capital unless the
member’s primary banking regulator makes a written request to the FHLBNY to maintain access to borrowings. Both BPPR and PB
have secured borrowing facilities with the FHLBNY and could borrow up to $3.3 billion and $1.5 billion respectively as of December
31, 2025, of which $42.7 million and $0.8 billion respectively were used. Losing access to the FHLBNY borrowing facilities could
adversely impact liquidity at the banking subsidiaries. Additionally, if BPPR or PB cease to be well-capitalized, the FDIA and
regulations adopted thereunder would restrict their ability to accept brokered deposits and limit the rate of interest payable on
deposits.
Our banking subsidiaries also have recourse obligations under certain agreements with third parties, including servicing
and custodial agreements, that include ratings covenants. Upon failure to maintain the required credit ratings, the third parties could
have the right to require us to engage a substitute fund custodian and increase collateral levels securing recourse obligations.
Collateral pledged by us to secure recourse obligations approximated $23.8 million on December 31, 2025. While management
expects that we would be able to meet any additional collateral requirements if and when needed, the requirements to post collateral
under certain agreements or the loss of custodian funds could reduce our liquidity resources and impact our results of operations.
As a bank holding company, we depend on dividends and distributions from our subsidiaries for liquidity.
As a bank holding company, we depend primarily on dividends from our banking and other operating subsidiaries to fund
our cash needs, including to capitalize our subsidiaries. Our banking subsidiaries, BPPR and PB, are limited by law in their ability to
make dividend payments and other distributions to us based on their earnings, dividend history, and capital position. Based on its
current financial condition, PB may not declare or pay a dividend without the prior approval of the Federal Reserve Board and the
NYSDFS. A failure by our banking subsidiaries to generate sufficient income and free cash flow to make dividend payments to us
may affect our ability to fund our cash needs, which could have a negative impact on our financial condition, liquidity, results of
operation or capital position. Such failure could also affect our ability to pay dividends to our stockholders and to repurchase shares
of our common stock. We have in the past suspended dividend payments on our common stock and preferred stock during times of
economic uncertainty, and there can be no assurance that we will be able to continue to declare dividends to our stockholders in
any future periods.
34
An impact on the tangible capital levels of our operating subsidiaries, could also limit the amount of capital we may
upstream to the holding company. Tangible capital levels have in the past been, and may in the future be, adversely affected by the
impact of rapidly rising interest rates on investment securities in our available-for-sale portfolio. For a discussion of risks related to
changes in interest rates, see “Changes in interest rates and credit spreads can adversely impact our financial condition, including
our investment portfolio, since a significant portion of our business involves borrowing and lending money, and investing in financial
instruments” in Item 1A of this Form 10-K.
We also depend on dividends from our banking and other operating subsidiaries to pay debt service on outstanding debt
and to repay maturing debt. Our ability to declare such dividends would be subject to regulatory requirements and could require the
prior approval of the Federal Reserve Board.
STRATEGIC RISKS
Potential acquisitions of businesses or loan portfolios could increase some of the risks that we face, and may be delayed
or prohibited due to regulatory constraints.
To the extent permitted by our applicable regulators, we may pursue strategic acquisition opportunities. Acquiring other
businesses, however, involves various risks, including potential exposure to unknown or contingent liabilities of the target company,
exposure to potential asset quality issues of the target company, potential disruption to our business, the possible loss of key
employees and customers of the target company, and difficulty in estimating the value of the target company. If we pay a premium
over book or market value in connection with an acquisition, some dilution of our tangible book value and net income per common
share may occur. Furthermore, failure to realize the expected revenue increases, cost savings, increases in geographic or product
presence, or other projected benefits from an acquisition could have a material adverse effect on our business, financial condition
and results of operations.
Similarly, acquiring loan portfolios involves various risks. When acquiring loan portfolios, management makes
assumptions and judgments about the collectability of the loans, including the creditworthiness of borrowers and the value of the
real estate and other assets serving as collateral for the repayment of secured loans. In estimating the extent of the losses, we
analyze the loan portfolio based on historical loss experience, volume and classification of loans, volume and trends in
delinquencies and nonaccruals, local economic conditions, and other pertinent information. If our assumptions are incorrect,
however, our actual losses could be higher than estimated and increased loss reserves may be required, which would negatively
affect our results of operations.
Finally, certain acquisitions by financial institutions, including us, are subject to approval by a variety of federal and state
regulatory agencies. Regulatory approvals could be delayed, impeded, restrictively conditioned or denied. We may fail to pursue,
evaluate or complete strategic and competitively significant acquisition opportunities as a result of our inability, or perceived or
anticipated inability, to obtain regulatory approvals in a timely manner, under reasonable conditions or at all. Difficulties associated
with potential acquisitions that may result from these factors could have a material adverse effect on our business, financial
condition and results of operations.
We continue our broad-based multi-year, technological and business process transformation. The failure to achieve the
goals of the transformation project, the inability to maintain expenses related to our transformation program within current
estimates or delays in executing our plans may materially and adversely affect our business, competitive position,
financial condition, results of operations, or cause reputational harm.
The Corporation continues its broad-based multi-year, technological and business process transformation, which was
launched in 2022. As part of this transformation, we are making significant investments in technology, talent and new digital and
data capabilities in order to provide our customers with more personalized and accessible services, increase employee performance
and satisfaction with more agile work processes, and generate sustainable profitable growth and value for our shareholders.
We may not succeed in executing all projects or aspects of the transformation program, may abandon projects or aspects,
or fail to successfully launch new applications or achieve the intended functionality and operational benefits from these technological
initiatives, which could result in failed or partially successful implementations. In addition, we may fail to properly estimate costs of
the transformation program or may experience delays in executing our plans. Such failures or delays may in turn cause the
Corporation to incur costs exceeding our current estimates or disrupt our operations, including our technological services to our
customers, or fall short of our projected earnings or expense reduction targets driven by these efforts. To the extent that these
disruptions persist over time and/or recur, this could negatively impact our competitive position, require additional expenditures,
35
and/or harm our relationships with our customers and thus may materially adversely affect our business, financial condition, results
of operations, or cause reputational harm.
We face significant and increasing competition in the rapidly evolving financial services industry, and face challenges in
the adoption of new technologies such as artificial intelligence which may put us at a competitive disadvantage.
We operate in a highly competitive environment, in which we compete on the basis of a number of factors, including
customer service, quality and variety of products and services, price, interest rates on loans and deposits, innovation, technology,
ease of use, reputation, and transaction execution. While our main competition continues to come from other Puerto Rico banks and
financial institutions, we face increased competition from non-Puerto Rico institutions, as emerging technologies and the growth of
e-commerce have significantly reduced geographic barriers. These technologies have also made it easier for non-depositary
institutions to offer products and services that were traditionally considered banking products and allowed non-traditional financial
service providers and technology companies to provide electronic and internet-based financial solutions and services. In addition,
nonbank firms may have a competitive advantage over traditional banks and bank holding companies such as Popular due to
factors such as differences in regulation, funding models and tax treatment. We may also be unable to adopt or integrate new
technologies that could reduce expenses and simplify our operations, including artificial intelligence, automation and algorithmic
tools, at the pace of such competitors due to operational and compliance challenges and risks relating to data quality, internal
controls, privacy and consumer protection, among others. Our failure to successfully adopt and integrate these new technologies in
a timely and effective manner may impair our ability to compete effectively or to attract or retain business. Moreover, increased
competition could create pressure to lower prices, fees, commissions or credit standards on our products and services, which could
adversely affect our financial condition and results of operations. Increased competition could also create pressure to raise interest
rates on deposits or increase deposit attrition, which could negatively impact our business, financial condition, liquidity results of
operations or capital position.
If we are unable to meet constant technological changes and react quickly to meet new industry standards, including as a
result of our continued dependence on Evertec, we may be unable to enhance our current services and introduce new
products and services in a timely and cost-effective manner, placing us at a competitive disadvantage and significantly
affecting our business, financial condition, liquidity, results of operations or capital position.
To compete effectively, we need to constantly enhance and modify our products and services and introduce new products
and services to attract and retain clients or to match products and services offered by our competitors, including technology
companies and other nonbank firms that are engaged in providing similar products and services,
some of which are or may be
provided by Evertec itself. Our ability to compete effectively will depend in part on our ability to react quickly to meet new industry
standards and use new technology, such as artificial intelligence, to satisfy customer demands, as well as to create additional
efficiencies in our operations. Popular expects that it will continue to depend on Evertec’s technology services to operate and control
current products and services and to implement future products and services, making our success dependent on Evertec’s ability to
timely complete and introduce these enhancements and new products and services in a cost-effective manner.
Some of our competitors rely on financial services technology and outsourcing companies that are much larger than
Evertec, serve a greater number of clients than Evertec, and may have better technological capabilities and product offerings than
Evertec. Furthermore, financial services technology companies typically make capital investments to develop and modify their
product and service offerings to facilitate their customers’ compliance with the extensive and evolving regulatory and industry
requirements, and, in most cases, such costs are borne by the technology provider. Because of our contractual relationship with
Evertec, and because Popular is the sole customer of certain of Evertec’s services and products,
including core bank processing of
BPPR, we have in the past borne the full cost of such developments and modifications and may be required to do so in the future,
subject to the terms of the MSA.
Moreover, the terms, speed, scalability, and functionality of certain of Evertec’s technology services are not competitive
when compared to offerings from its competitors. Evertec’s failure to sufficiently invest in and upscale its technology and services
infrastructure to meet the rapidly changing technology demands of our industry may result in our being unable to meet customer
expectations and attract or retain customers. Furthermore, Evertec’s strategy and investments may also be refocused away from
Popular towards other strategic initiatives,
potentially including initiatives that could have the effect of disintermediating us from our
customers or otherwise present a competitive risk. Any such impact could, in turn, reduce Popular’s revenues, place us at a
competitive disadvantage and significantly affect our business, financial condition, liquidity, results of operations or capital position.
While we have over time narrowed the scope of services which we are dependent on Evertec to obtain, in exchange for obtaining
releases in 2022 from exclusivity restrictions that limited our ability to engage other third-party providers of financial technology
services, we agreed to extensions of certain existing commercial agreements with Evertec and, as a result, have prolonged the
36
duration of our exposure to the risks presented by Evertec’s technological capabilities and its failures to enhance its products and
services and otherwise meet evolving demands. We may also be exposed to heightened business risks in connection with our
dependency on Evertec with respect to BPPR’s merchant acquiring business, which exclusivity runs until 2035, and with respect to
the ATH Network, which commitment runs until 2030, in light of the pace of technology changes and competition in the payments
industry.
The ability to attract and retain qualified employees is critical to our success.
Our success depends, in large part, on our ability to attract and retain qualified employees. Competition for qualified
candidates, especially in the area of information technology, is intense and has increased recently as a result of a tighter labor
market. Increased competition may lead to difficulties in attracting or retaining qualified employees, which may, in turn, lead to
significant challenges in the execution of our business strategies and have an adverse effect on the quality of the service we provide
to the customers and communities we serve. Such challenges could adversely affect our business, operations and financial
condition. In addition, increased competition may lead to higher compensation packages and more flexible work arrangements. We
may also be required to hire employees outside of our market areas for certain positions that require specific expertise, which could
result in employment and tax compliance-related expenses, challenges and risks. In addition, flexible work arrangements, such as
remote or hybrid work models, have led to other workplace challenges, including fewer opportunities for face-to-face interactions or
to promote a cohesive corporate culture and heightened cybersecurity, information security and other operational risks.
Our ability to attract and retain qualified employees is also impacted by regulatory limitations on our compensation
practices, such as clawback requirements of incentive compensation, which may not affect other institutions with which we compete
for talent. The scope and content of regulators’ policies on executive compensation continue to develop and are likely to continue
evolving. Such policies and limitations on our compensation practices could adversely affect our ability to attract, retain and motivate
talented senior leaders in support of our long-term strategy.
OTHER RISKS
An impairment of our goodwill, deferred tax assets or amortizable intangible assets could adversely affect our financial
condition and results of operations.
As of December 31, 2025, we had $790 million, $814 million and $188 million, respectively, of goodwill, net deferred tax
assets and amortizable intangible assets, including capitalized software costs, recorded on our balance sheet.
Under GAAP, goodwill is tested for impairment at least annually and amortizable intangible assets are tested for
impairment when events or changes in circumstances indicate the carrying value may not be recoverable. Factors that may be
considered a change in circumstances, indicating that the carrying value of the goodwill or amortizable intangible assets may not be
recoverable, include a decline in Popular’s stock price related to a deterioration in global or local economic conditions, declines in
our market capitalization, reduced future earnings estimates, and interest rate changes. The goodwill impairment evaluation process
requires us to make estimates and assumptions with regards to the fair value of our reporting units. Actual values may differ
significantly from these estimates. Such differences could result in future impairment of goodwill that would, in turn, negatively
impact our results of operations and the reporting unit where the goodwill is recorded.
The determination of whether a deferred tax asset is realizable is based on weighting all available evidence. The
realization of deferred tax assets, including carryforwards and deductible temporary differences, depends upon the existence of
sufficient taxable income of the same character during the carryback or carryforward period. The analysis considers all sources of
taxable income available to realize the deferred tax asset, including the future reversal of existing taxable temporary differences,
future taxable income exclusive of reversing temporary differences and carryforwards, taxable income in prior carryback years and
tax-planning strategies. Changes in these factors may affect the realizability of our deferred tax assets in our Puerto Rico and U.S.
operations.
If our goodwill, deferred tax assets or amortizable intangible assets become impaired, we may be required to record a
significant charge to earnings, which could adversely affect our financial condition and results of operations.
We could experience unexpected losses if the estimates or assumptions we use in preparing our financial statements are
incorrect or differ materially from actual results.
In preparing our financial statements pursuant to U.S. GAAP, we are required to make estimates and assumptions that
are often based on subjective and complex judgments about matters that are inherently uncertain. For example, we use estimates
and assumptions to determine our allowance for credit losses, our liability for contingent litigation losses, and the fair value of certain
37
of our assets and liabilities, such as debt securities, loans held for sale, MSRs, intangible assets and deferred tax assets. If such
estimates or assumptions are incorrect or differ materially from actual results, we could experience unexpected losses or other
adverse impacts, some of which could be significant.
For further information on other risks faced by Popular please refer to the MD&A section of this Form 10-K.
ITEM 1B. UNRESOLVED STAFF COMMENTS
None.
Item 1C. Cybersecurity
The Corporation assesses, identifies and manages cybersecurity risk as part of the Corporation’s overall risk management
framework, alongside associated information security, anti-money laundering and counterterrorism, operational, fraud, regulatory,
legal and reputational risks, among others.
The Corporation has established three management committees that oversee and monitor different aspects of cybersecurity risk.
●
monitors the risks included in the Risk Appetite Statement (the “RAS”) of the Corporation’s Risk Management Policy,
including cybersecurity risks.
●
Information and Digital Strategy Officer, oversees and monitors information technology (“IT”), privacy and cybersecurity
risks, mitigating actions and controls, applicable regulatory developments, key risks metrics, and IT and cyber incidents
that may result in operational, compliance and reputational risks.
●
management activities to ensure the development and consistent application of operational risk policies, processes and
procedures that measure, limit and manage the Corporation's operational risks while maintaining the effectiveness and
efficiency of the operating and business processes. As part of its responsibilities, ORCO oversees business continuity
matters, as well as operational losses stemming from any cybersecurity or fraud events.
The ITCRC and ORCO meet at least quarterly and report on cybersecurity and other matters to the ERM Committee.
The Board has established a Board-level Risk Management Committee (“RMC”), which is responsible for the oversight of the
Corporation’s overall risk framework, and assists the Board in the monitoring, review and approval of the policies that measure, limit
and manage the Corporation’s risks, including cybersecurity risk. The RMC holds periodic meetings in which management provides
an overview of Popular’s cybersecurity threat risk management and strategy processes, which includes summaries of escalated
incidents and incident remediation status. Our Chief Security Officer, Chief Information and Digital Strategy Officer, Chief
Information Security Officer (“CISO”), Chief Risk Officer and the Financial and Operational Risk Management Division (the “FORM
Division”) Manager generally participate in such meetings. The RMC is also responsible for (i) overseeing the development,
implementation and maintenance of the Corporation’s information security program (the “Information Security Program”); (ii)
approving the Corporation’s risk management program and any related policies and controls; (iii) overseeing the implementation by
the Corporation’s management of the Corporation’s risk management program and any related policies, procedures and controls;
(iv) overseeing the Corporation’s risk management with respect to emerging technologies, including artificial intelligence; and (v)
reviewing reports regarding selected topics such as cyber.
In addition, the Board also has a standing Technology Committee (the “TC”) that oversees the Corporation’s technology functions,
strategy, operations, investments and needs. The TC meets at least quarterly and our Chief Information and Digital Strategy Officer
and our Chief Security Officer generally participate in such meetings. The TC (i) oversees the development and implementation of
the Corporation’s technology strategy and initiatives, (ii) monitors the risks associated with critical technology vendor relationships,
including cyber risks, and (iii) reviews and receives reports from management and third parties regarding the Corporation’s
technology functions, operations, strategy and initiatives, as well as current and emerging technology trends and risks arising
therefrom.
38
Security Officer and the CISO on the Information Security Program.
In addition, as part of the Board’s director education plan,
members of the Board take, on an annual basis, a cybersecurity training that provides the Board with an overview of cybersecurity
principles and regulations that are relevant to our institution and the Board’s oversight function.
The CISP develops the Information Security Program, which considers and evaluates risks posed by cybersecurity threats, events
and activities impacting the industry and the Corporation. The Information Security Program outlines the Corporation’s overall
strategy and governance to protect the confidentiality, integrity and availability of information and prevent access by unauthorized
personnel, and is based on standards and controls set by the National Institute of Standards and Technology (“NIST”), including the
NIST’s Framework for Improving Critical Infrastructure Cybersecurity. Popular currently leverages the Cyber Assessment Tool (the
“CAT”), a tool based on NIST standards and controls developed by the Federal Financial Institutions Examination Council (“FFIEC”),
in order to measure the Corporation’s cybersecurity preparedness and maturity levels. The CAT assessment results are integrated
into the overall Information Security Program evaluation. In 2025, we began the transition to the Cyber Risk Institute (“CRI”) Profile
2.0 assessment framework, following the announcement by the FFIEC of the sunset of the CAT. The transition to the CRI
framework is expected to be completed in 2026. The CRI Profile was produced through public-private collaboration and is a list of
assessment questions curated based on the intersection of global regulations and cyber standards, such as the International
Standards Organization (ISO) and the NIST.
The CISP also manages the Incident Response Program (“IRP”) of the Corporation and is in charge of overseeing, assessing and
managing cyber incidents. The IRP outlines the measures Popular must take to prepare for, detect, respond to and recover from
cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate and remediate
incidents, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
The Corporation also undertakes the below listed additional activities in its effort to maintain regulatory compliance, identify, assess
and manage its material risks from cybersecurity threats, and to protect against, detect and respond to cybersecurity incidents:
●
measures;
●
threats impact the Corporation’s information security controls in order to determine if they require any additional resources,
technology or processes;
●
39
●
and use requirements;
●
●
awareness and responsiveness to such possible threats;
●
●
●
necessary.
Popular’s Third Party Risk Management Policy outlines the management of risks associated with the Corporation’s use of third-party
service providers, and the CSOG assesses the impact and level of cybersecurity and privacy risk of such providers. Popular
performs due diligence on third parties and monitors third parties that have access to its systems, data or facilities that house such
systems or data on a periodic basis, and based on due diligence results, determines how often vendor assessments are performed
on such third party. Popular also conducts periodic application and vendor assessments for third-party providers and their products.
Furthermore, Popular requires third parties that have access to its systems, data or facilities that house such systems or data to take
a training on cybersecurity at least annually.
For a description of how identified cybersecurity threats may affect Popular’s business strategy or results, see under the headings
“We and our third-party providers have been, and expect in the future to continue to be, subject to cyber-attacks. Future cyber-
attacks could cause substantial harm and have an adverse effect on our business and results of operations.” and “We rely on other
companies to provide key components of our business infrastructure, including certain of our core financial transaction processing
and information technology and security services, which exposes us to a number of operational risks that could have a material
adverse effect on us.”, included as part of our risk factor disclosures in Item 1A in this Form 10-K, which disclosures are
incorporated by reference herein.
The CSOG operates under the direction of the Chief Security Officer. The Chief Security Officer has over 37 years of experience,
including over 13 years of professional experience in information technology and cybersecurity matters such as the oversight of the
Information Security Program and the design and execution of the information security audit plan of the Corporation.
Certified Public Accountant and also holds a Juris Doctor degree and FINRA administered Series 7 and Series 27 certifications. She
holds the title of Executive Vice President and Chief Security Officer and has been in her role since 2018. Prior to that, she served
as Senior Vice President and General Auditor of the Corporation from November 2012 to April 2018. Before 2012, she served in
various risk related functions of the Corporation and as the Chief Operating Officer and Chief Financial Officer of Popular’s broker
dealer business.
The CISO has over 30 years of work experience. She holds the title of Senior Vice President and Corporate Chief Information
Security Officer and assumed this role in January 2026. Prior to this role, since 2022, she served as Senior Vice President and
Financial and Operational Risk Management Division Manager, with oversight of the enterprise and operational risks of the
Corporation. Before 2022, she held positions for 18 years as Operational and IT Risk Director, Head of ERM and Operational Risk,
and Chief Information Security Officer for other financial institutions. She holds a BBA with majors in Accounting and Information
Systems, and a Master of Science in Information Technology Management.
The Corporate Risk Management Group operates under the direction of the Chief Risk Officer. The Chief Risk Officer has over 32
years of work experience.
Prior to joining the Corporation, he served for 17 years as Chief Financial Officer, Head of Retail Bank and Mortgage Operations,
Head of Commercial and Construction Mortgage and Head of Interest Rate Risk, among other positions, for other banks. He holds
a BS with a major in Computer Engineering and an MBA with majors in Finance and Accounting.
40
The FORM Division Manager has over 30 years of work experience. She holds the title of Senior Vice President and FORM Division
Manager and has been in her role since January 2026. Prior to this role, since 2018, she held the position of Senior Vice President
and Division Manager of the Corporate Risk Reviews Division reporting directly to the RMC. She has leadership experience in
treasury management, investment strategy and enterprise risk oversight. She holds a BSBA with majors in Finance and
International Business and an MBA with concentrations in Finance and Management.
Recently Filed
Click on a ticker to see risk factors
| Ticker * | File Date |
|---|---|
| AMRN | 2 hours ago |
| CECO | 2 hours ago |
| SIVR | 2 hours ago |
| GLTR | 2 hours ago |
| PALL | 2 hours ago |
| PPLT | 2 hours ago |
| SGOL | 2 hours ago |
| LINC | 2 hours ago |
| HSTA | 2 hours ago |
| TPB | 2 hours ago |
| BPOP | 2 hours ago |
| RDNT | 2 hours ago |
| SKWD | 2 hours ago |
| AIV | 3 hours ago |
| NVTS | 3 days, 5 hours ago |
| DAN | 3 days, 5 hours ago |
| FSBC | 3 days, 5 hours ago |
| CLMB | 3 days, 5 hours ago |
| NPKI | 3 days, 5 hours ago |
| SBGI | 3 days, 5 hours ago |
| BXP | 3 days, 5 hours ago |
| SHO | 3 days, 6 hours ago |
| HFWA | 3 days, 6 hours ago |
| SSP | 3 days, 6 hours ago |
| FBP | 3 days, 6 hours ago |
| WULF | 3 days, 6 hours ago |
| GSG | 3 days, 6 hours ago |
| SLV | 3 days, 6 hours ago |
| IBIT | 3 days, 6 hours ago |
| IAUM | 3 days, 6 hours ago |
| IAU | 3 days, 6 hours ago |
| ETHA | 3 days, 6 hours ago |
| SOLV | 3 days, 6 hours ago |
| NWN | 3 days, 6 hours ago |
| TDC | 3 days, 7 hours ago |
| SAFT | 3 days, 7 hours ago |
| RPC | 3 days, 7 hours ago |
| FMAO | 3 days, 7 hours ago |
| HMN | 3 days, 7 hours ago |
| STLD | 3 days, 7 hours ago |
| UBSI | 3 days, 7 hours ago |
| DKL | 3 days, 7 hours ago |
| DK | 3 days, 7 hours ago |
| SBAC | 3 days, 7 hours ago |
| GLP | 3 days, 7 hours ago |
| CCBG | 3 days, 7 hours ago |
| CRI | 3 days, 7 hours ago |
| SBR | 3 days, 7 hours ago |
| MSIF | 3 days, 8 hours ago |
| MAIN | 3 days, 8 hours ago |
