Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - COF

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Item 1A. Risk Factors.”


SUPERVISION AND REGULATION

General

The regulatory framework applicable to banking organizations is intended primarily for the protection of depositors and the stability of the U.S. financial system, rather than for the protection of stockholders and creditors.

As a banking organization, we are subject to extensive regulation and supervision by U.S. federal and state laws, as well as the applicable laws of the jurisdictions outside the U.S. in which we do business. In addition to banking laws and regulations, we are subject to various other laws and regulations, all of which directly or indirectly affect our operations, management and ability to make distributions to stockholders. We and our subsidiaries are also subject to supervision and examination by multiple regulators. Any change in the statutes, regulations or regulatory policies applicable to us, including changes in their interpretation or implementation, could have a material effect on our business or organization.

The descriptions below summarize certain significant federal and state laws, as well as international laws, to which we are subject. The descriptions are qualified in their entirety by reference to the particular statutory or regulatory provisions summarized. They do not summarize all possible or proposed changes in current laws or regulations and are not intended to be a substitute for the related statutes or regulatory provisions.

Prudential Regulation of Banking

Capital One Financial Corporation is a bank holding company (“BHC”) and a financial holding company (“FHC”) under the Bank Holding Company Act of 1956, as amended (“BHC Act”), and is subject to the requirements of the BHC Act, including approval requirements for investments in or acquisitions of banking organizations, capital adequacy standards and limitations

Table of Contents

on non-banking activities. As a BHC and FHC, we are subject to supervision, examination and regulation by the Board of Governors of the Federal Reserve System (“Federal Reserve”). Permissible activities for a BHC include those activities that are so closely related to banking as to be a proper incident thereto. In addition, an FHC is permitted to engage in activities considered to be financial in nature (including, for example, securities underwriting and dealing and merchant banking activities), incidental to financial activities or, if the Federal Reserve determines that they pose no risk to the safety or soundness of depository institutions or the financial system in general, activities complementary to financial activities.

To become and remain eligible for FHC status, a BHC and its subsidiary depository institutions must meet certain criteria, including capital, management and Community Reinvestment Act (“CRA”) requirements. Failure to meet such criteria could result, depending on which requirements were not met, in restrictions on new financial activities or acquisitions or being required to discontinue existing activities that are not generally permissible for BHCs.

The Bank is a national association chartered under the National Bank Act, the deposits of which are insured by the Federal Deposit Insurance Corporation (“FDIC”) up to applicable limits. The Bank is subject to comprehensive regulation and periodic examination by the Office of the Comptroller of the Currency (“OCC”), the FDIC and the Consumer Financial Protection Bureau (“CFPB”).

We also are registered as a financial institution holding company under the laws of the Commonwealth of Virginia and, as such, we are subject to periodic examination by the Virginia Bureau of Financial Institutions.

We also face regulation in the international jurisdictions in which we conduct business. The Bank is subject to laws and regulations in foreign jurisdictions where it operates, currently in the U.K. and Canada. In the U.K., the Bank operates through COEP, an authorized payment institution regulated by the Financial Conduct Authority (“FCA”). COEP’s parent, Capital One Global Corporation, is wholly owned by the Bank and is subject to regulation by the Federal Reserve as an “agreement corporation” under the Federal Reserve’s Regulation K. COEP does not take deposits. In Canada, the Bank operates as an authorized foreign bank and is permitted to conduct its credit card business in Canada through its Canadian branch, Capital One Bank (Canada Branch) (“Capital One Canada”). Capital One Canada does not take deposits. The primary regulators of Capital One Canada are the Office of the Superintendent of Financial Institutions (“OSFI”) and the Financial Consumer Agency of Canada (“FCAC”). Non-bank subsidiaries are subject to regulation in foreign jurisdictions, including licensing and registration requirements.

The foreign legal and regulatory requirements to which the Company’s non-U.S. operations are subject include, among others, those related to consumer protection, business practices and limits on interchange fees. For more information on foreign regulatory activity concerning interchange fees, please see “Item 1A. Risk Factors” under the heading “Our business, financial condition and results of operations may be adversely affected by legislation, regulation and merchants’ efforts to reduce the fees (including the interchange component) charged by credit and debit card networks and acquirers to facilitate card transactions.”

Capital and Stress Testing Regulation

The Company and the Bank are subject to capital adequacy guidelines adopted by the Federal Reserve and OCC, respectively. For a further discussion of the capital adequacy guidelines, see “Part II—Item 7. MD&A—Capital Management” and “Part II—Item 8. Financial Statements and Supplementary Data—Note 12—Regulatory and Capital Adequacy.”

Basel III and U.S. Capital Rules

The Company and the Bank are subject to the regulatory capital requirements established by the Federal Reserve and the OCC, respectively (“Basel III Capital Rules”). The Basel III Capital Rules implement certain capital requirements published by the Basel Committee on Banking Supervision (“Basel Committee”), along with certain provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank Act”) and other capital provisions.

As a BHC with total consolidated assets of at least $250 billion but less than $700 billion and not exceeding any of the applicable risk-based thresholds, the Company is a Category III institution under the Basel III Capital Rules.

The Bank, as a subsidiary of a Category III institution, is a Category III bank. Moreover, the Bank, as an insured depository institution, is subject to prompt corrective action (“PCA”) capital regulations, as described below.

Table of Contents

Under the Basel III Capital Rules, we must maintain a minimum common equity Tier 1 (“CET1”) capital ratio of 4.5%, a Tier 1 capital ratio of 6.0% and a total capital ratio of 8.0%, in each case in relation to risk-weighted assets. In addition, we must maintain a minimum leverage ratio of 4.0% and a minimum supplementary leverage ratio of 3.0%. We are also subject to the capital conservation buffer requirement and countercyclical capital buffer requirement, each as described below. Our capital and leverage ratios are calculated based on the Basel III standardized approach framework.

We have elected to exclude certain elements of accumulated other comprehensive income (“AOCI”) from our regulatory capital as permitted for a Category III institution. See “Basel III Finalization Proposal” below for information on the recognition of AOCI in regulatory capital under the proposed changes to the Basel III Capital Rules.

Global systemically important banks (“G-SIBs”) that are based in the U.S. are subject to an additional CET1 capital requirement known as the “G-SIB Surcharge.” We are not a G-SIB based on the most recent available data and thus we are not subject to a G-SIB Surcharge.

Capital Buffer Requirements

The Basel III Capital Rules require banking institutions to maintain a capital conservation buffer, composed of CET1 capital, above the regulatory minimum ratios.

In particular, the Company’s stress capital buffer requirement equals, subject to a floor of 2.5%, the sum of (i) the difference between the Company’s starting CET1 capital ratio and its lowest projected CET1 capital ratio under the severely adverse scenario of the Federal Reserve’s supervisory stress test plus (ii) the ratio of the Company’s projected four quarters of common stock dividends (for the fourth to seventh quarters of the planning horizon) to the projected risk-weighted assets for the quarter in which the Company’s projected CET1 capital ratio reaches its minimum under the supervisory stress test.

Based on the Company’s 2025 supervisory stress test results, the Company’s stress capital buffer requirement for the period beginning on October 1, 2025 through September 30, 2026 is 4.5%. On February 4, 2026, the Federal Reserve notified all participating firms, including the Company, that because the Stress Testing Transparency Proposal (defined below) remains subject to public comment, the Federal Reserve is maintaining stress capital buffer requirements for all such firms at their current levels. Consequently, absent further action from the Federal Reserve, the Company’s stress capital buffer requirement will remain at 4.5% until September 30, 2027. Accordingly, the Company’s minimum capital requirements plus the standardized approach capital conservation buffer for CET1 capital, Tier 1 capital and total capital ratios under the stress capital buffer framework are 9.0%, 10.5% and 12.5%, respectively, for the period from October 1, 2025 through September 30, 2027.

The Stress Capital Buffer Rule does not apply to the Bank. Pursuant to the OCC’s capital regulations, which are only applicable to the Bank, the capital conservation buffer for the Bank continues to be fixed at 2.5%. The Bank is also subject to the countercyclical capital buffer requirement (which is currently set at 0%). Accordingly, the Bank’s minimum capital requirements plus its capital conservation buffer for CET1 capital, Tier 1 capital and total capital ratios are 7.0%, 8.5% and 10.5%, respectively. See “Part II—Item 7. MD&A—Capital Management” and “Part II—Item 8. Financial Statements and Supplementary Data—Note 12—Regulatory and Capital Adequacy” for additional information.

If the Company or the Bank fails to maintain its capital ratios above the minimum capital requirements plus the applicable capital conservation buffer requirements, it will face increasingly strict automatic limitations on capital distributions and discretionary bonus payments to certain executive officers.

In April 2025, the Federal Reserve issued a notice of proposed rulemaking to amend the calculation of the stress capital buffer requirement (the “SCB Averaging Proposal”). The proposal would average stress test results over two consecutive years for purposes of determining the stress capital buffer requirement. The proposal would also shift the annual effective date of the stress capital buffer requirement from October 1 to January 1. The proposal has not yet been finalized, and our stress capital

Table of Contents

buffer requirement disclosed above has been calculated under the current framework and does not reflect the proposed averaging.

See also “Capital Planning and Stress Testing” below for more information about the stress capital buffer determination process.

Market Risk Rule

The “Market Risk Rule” supplements the Basel III Capital Rules by requiring institutions subject to the rule to adjust their risk-based capital ratios to reflect the market risk in their trading book. The Market Risk Rule generally applies to institutions with aggregate trading assets and liabilities equal to 10% or more of total assets or $1 billion or more. As of December 31, 2025, the Company and the Bank are subject to the Market Risk Rule. See “Part II—Item 7. MD&A—Market Risk Profile” for additional information.

Basel III Finalization Proposal

In July 2023, the Federal Reserve, OCC and the FDIC (collectively, the “Federal Banking Agencies”) released a notice of proposed rulemaking (“Basel III Finalization Proposal”) to revise the Basel III Capital Rules applicable to banking organizations with total assets of $100 billion or more and their subsidiary depository institutions, including the Company and the Bank.

The Basel III Finalization Proposal would introduce a new framework for calculating risk-weighted assets (“Expanded Risk-Based Approach”). An institution subject to the proposal would be required to calculate its risk-weighted assets under both the Expanded Risk-Based Approach and the existing Basel III standardized approach and, for each risk-based capital ratio, would be bound by the calculation that produces the lower ratio. All capital buffer requirements, including the stress capital buffer requirement, would apply regardless of whether the Expanded Risk-Based Approach or the existing Basel III standardized approach produces the lower ratio. The proposal would also replace the existing approach for calculating market risk with a new approach based on both internal models and standardized methodologies.

Under the proposal, these institutions would be required to begin recognizing certain elements of AOCI in CET1 capital, including unrealized gains and losses on available for sale securities. The proposal would also generally reduce the threshold above which these institutions must deduct certain assets from their CET1 capital, including certain deferred tax assets, mortgage servicing assets and investments in unconsolidated financial institutions.

The Federal Banking Agencies have indicated an intent to repropose the Basel III Finalization Proposal. It is uncertain if and when a reproposal will be issued, and if so, whether and to what extent it will differ from the original Basel III Finalization Proposal. As a result, the timing and content of any final rule, and the potential effects of any final rule on the Company and the Bank, remain uncertain.

FDICIA and Prompt Corrective Action

The Federal Deposit Insurance Corporation Improvement Act of 1991 (“FDICIA”) requires the Federal Banking Agencies to take PCA for banks that do not meet minimum capital requirements. FDICIA establishes five capital ratio levels: well capitalized; adequately capitalized; undercapitalized; significantly undercapitalized; and critically undercapitalized. The three undercapitalized categories are based upon the amount by which a bank falls below the ratios applicable to an adequately capitalized institution. The capital categories relate to FDICIA’s PCA provisions, and such capital categories may not constitute an accurate representation of the Bank’s overall financial condition or prospects.

An adequately capitalized depository institution must maintain a total risk-based capital ratio of 8% or more; a Tier 1 capital ratio of 6% or more; a CET1 capital ratio of 4.5% or more; a leverage ratio of 4% or more; and, for Category III and certain other institutions, a supplementary leverage ratio of 3% or more. The PCA provisions also authorize the Federal Banking Agencies to reclassify a bank’s capital category or take other action against banks that are determined to be in an unsafe or unsound condition or to have engaged in unsafe or unsound banking practices.

Table of Contents

Capital Planning and Stress Testing

Under the Federal Reserve’s capital plan rule, a covered company, such as the Company, must submit a capital plan to the Federal Reserve on an annual basis that contains a description of all planned capital actions, including dividends or stock repurchases, over a nine-quarter planning horizon beginning with the first quarter of the calendar year the capital plan is submitted.

Pursuant to the capital plan rule, the Company must file its capital plan with the Federal Reserve by April 5 of each year (unless the Federal Reserve designates a later date), using data as of the end of the prior calendar year. The Federal Reserve will release the results of the supervisory stress test and notify the Company of its preliminary stress capital buffer requirement by June 30 of that year, and final stress capital buffer requirement by August 31 of that year. The Company’s final stress capital buffer requirement will be effective from October 1 of the year in which the capital plan is submitted through September 30 of the following year. In April 2025, the Federal Reserve issued the SCB Averaging Proposal.”

As a general matter, the Company may make capital distributions in excess of those included in its capital plan without the prior approval of the Federal Reserve so long as the Company is otherwise in compliance with the capital rule’s automatic limitations on capital distributions. However, as described below, in the event a capital plan resubmission is required, all capital distributions would be subject to the prior approval of the Federal Reserve.

The Federal Reserve’s capital plan rule further provides that if a covered company determines there has been or will be a material change in its risk profile, financial condition, or corporate structure since it last submitted its capital plan, it must update and resubmit its capital plan within 30 calendar days, subject to a potential 60-day extension.

We are also subject to supervisory and company-run stress testing requirements (also known as the Dodd-Frank Act stress tests (“DFAST”)). DFAST is a forward-looking exercise conducted by the Federal Reserve and each covered company to help assess whether a company has sufficient capital to absorb losses and continue operations during adverse economic conditions. In particular, the Federal Reserve is required to conduct annual stress tests on certain covered companies, including us, to ensure that the covered companies have sufficient capital to absorb losses and continue operations during adverse economic conditions, as well as to determine the Company’s stress capital buffer requirement as described above. Under the OCC’s stress test rule, a bank with at least $250 billion in assets, including the Bank, must conduct its own company-run stress tests. The Bank must also disclose the results of its stress test on a biennial basis.

In October 2025, the Federal Reserve proposed revisions to its supervisory stress testing framework. The first proposal included requirements for the Federal Reserve to annually disclose its supervisory stress test models and provide a formal public comment period on material changes to these models and the design of annual stress test scenarios, as well as shifting the “as of” or “jump-off” date of the stress test data from December 31 to September 30 (the “Stress Testing Transparency Proposal”). The second proposal requested comment on the specific supervisory stress test scenarios proposed to be used in the 2026 stress test cycle.

Funding and Dividends from Subsidiaries

Dividends from the Company’s direct and indirect subsidiaries represent a major source of the funds we use to pay dividends on our capital stock, make payments on our corporate debt securities and meet our other obligations. There are various federal law limitations on the extent to which the Bank can finance or otherwise supply funds to the Company through dividends and loans. These limitations include minimum regulatory capital and capital buffer requirements, federal banking law requirements concerning the payment of dividends out of net profits or surplus, provisions of Sections 23A and 23B of the Federal Reserve Act and Regulation W governing transactions between an insured depository institution and its affiliates, as well as general federal regulatory oversight to prevent unsafe or unsound practices. In general, federal and applicable state banking laws prohibit insured depository institutions, such as the Bank, from making dividend distributions without first obtaining regulatory approval if such distributions are not paid out of available earnings or would cause the institution to fail to meet applicable capital adequacy standards.

Table of Contents

Liquidity Regulation

The Company and the Bank are subject to minimum liquidity standards as adopted by the Federal Reserve and OCC, respectively. For a further discussion of the minimum liquidity standards, see “Part II—Item 7. MD&A—Liquidity Risk Profile.”

The Basel Committee has published a liquidity framework that includes two standards for liquidity risk supervision. One standard, the liquidity coverage ratio (“LCR”), seeks to promote short-term resilience by requiring organizations to hold sufficient high-quality liquid assets (“HQLAs”) to survive a stress scenario lasting for 30 days. The other standard, the net stable funding ratio (“NSFR”), seeks to promote longer-term resilience by requiring sufficient stable funding over a one-year period based on the liquidity characteristics of the organization’s assets and activities.

The Company and the Bank are subject to the LCR standard as implemented by the Federal Reserve and OCC, respectively (“LCR Rule”). In addition, the Company is required to make quarterly public disclosures of its LCR and certain related quantitative liquidity metrics, along with a qualitative discussion of its LCR.

As a Category III institution with less than $75 billion in weighted average short-term wholesale funding, the Company’s and the Bank’s total net cash outflows are multiplied by an outflow adjustment percentage of 85%. Although the Bank may hold more HQLA than it needs to meet its LCR requirements, the LCR Rule restricts the amount of such excess HQLA held at the Bank (referred to as “Trapped Liquidity”) that can be included in the Company’s HQLA amount. Because we typically manage the Bank’s LCR to levels well above 100%, the result is additional Trapped Liquidity as the Bank’s net cash outflows are reduced by the outflow adjustment percentage of 85%.

The Company and the Bank are subject to the NSFR standard as implemented by the Federal Reserve and OCC, respectively (“NSFR Rule”). The NSFR Rule requires each of the Company and the Bank to maintain an amount of available stable funding, which is a weighted measure of a company’s funding sources over a one-year time horizon, calculated by applying standardized weightings to equity and liabilities based on their expected stability, that is no less than a specified percentage of its required stable funding, which is calculated by applying standardized weightings to assets, derivatives exposures and certain other items based on their liquidity characteristics. As a Category III institution, the Company and the Bank are each required to maintain available stable funding in an amount at least equal to 85% of its required stable funding. The Company is required to make public disclosures of its NSFR every second and fourth quarter, including certain quantitative metrics and a qualitative discussion of its NSFR drivers and results.

In addition to the LCR and NSFR requirements discussed above, the Company is required to meet liquidity risk management standards, conduct internal liquidity stress tests and maintain a 30-day buffer of highly liquid assets, in each case, consistent with Federal Reserve regulations.

Deposit Funding and Brokered Deposits

Under FDICIA, only well capitalized and adequately capitalized institutions may accept “brokered deposits,” as defined by FDIC regulations. Adequately capitalized institutions, however, must obtain a waiver from the FDIC before accepting brokered deposits, and such institutions may not pay rates that significantly exceed the rates paid on deposits of similar maturity obtained from the institution’s normal market area or, for deposits obtained from outside the institution’s normal market area, the national rate on deposits of comparable maturity. See “Part II—Item 7. MD&A—Liquidity Risk Profile” for additional information.

The FDIC is authorized to terminate a bank’s deposit insurance upon a finding by the FDIC that the bank’s financial condition is unsafe or unsound or that the institution has engaged in unsafe or unsound practices or has violated any applicable rule, regulation, order or condition enacted or imposed by the bank’s regulatory agency.

Table of Contents

Resolution and Recovery Planning Requirements and Related Authorities

Resolution and Recovery Planning

The Company is required by Section 165(d) of the Dodd-Frank Act to submit to the Federal Reserve and FDIC every three years a resolution plan for orderly resolution in the event it faces material financial distress or failure, with submissions alternating between a full resolution plan and a targeted resolution plan. In addition, the Company may be required to submit an interim update to its resolution plan upon a joint determination of the Federal Reserve and the FDIC, or following material mergers or acquisitions or fundamental changes to the Company’s resolution strategy. As a result of the Transaction, the Federal Reserve and the FDIC in May 2025 required the Company to file an interim update to its resolution plan by October 1, 2025 and extended the Company’s deadline for the next full resolution submission from October 1, 2025 to July 1, 2026. Following review of a plan, the Federal Reserve and FDIC may jointly determine that a resolution plan is not credible or would not facilitate an orderly resolution under the U.S. Bankruptcy Code. If the Company were to fail to adequately address deficiencies jointly identified by the Federal Reserve and FDIC in a timely manner, it may be subject to more stringent capital, leverage, or liquidity requirements, or restrictions on growth, activities, or operations.

In addition, the Bank, as an insured depository institution, is required by FDIC regulation to submit its own resolution plan to the FDIC. In June 2024, the FDIC issued a final rule amending the resolution plan submission requirements applicable to insured depository institutions with $50 billion or more in total assets, including the Bank. Under the final rule, the Bank is required to submit to the FDIC full resolution plans every three years and interim targeted information between full resolution plan submissions. In addition, under the final rule, the Bank’s resolution plan submissions are subject to more detailed content requirements and a credibility standard for the FDIC’s evaluation of resolution plans, which is enforceable against the Bank.

In addition, the OCC has enforceable guidelines that require banks with assets of $100 billion or more, including the Bank, to develop recovery plans detailing the actions they would take to remain a going concern when they experience considerable financial or non-financial risks but have not deteriorated to the point that resolution is imminent. In October 2025, the OCC proposed to rescind these recovery planning guidelines in their entirety. If adopted as proposed, the Bank would no longer be subject to the guidelines.

Long-Term Debt and Clean Holding Company Proposal

The Federal Banking Agencies have proposed a rule that would require banking organizations with $100 billion or more in total assets, including the Company, to comply with certain long-term debt requirements and so called “clean holding company” requirements that are designed to improve the resolvability of covered organizations (“LTD Proposal”). If adopted as proposed, the LTD Proposal would require the Company and the Bank to each maintain a minimum outstanding eligible long-term debt amount of no less than the greatest of (i) 6% of total risk-weighted assets, (ii) 2.5% of total leverage exposure and (iii) 3.5% of average total consolidated assets. To qualify as eligible long-term debt, a debt instrument would be required to meet the requirements currently applicable under the rules that apply to U.S. G-SIBs, as well as certain additional requirements. Additionally, the clean holding company requirements included in the LTD Proposal would limit or prohibit the Company from entering into certain transactions that could impede its orderly resolution. It is uncertain when or if a final rule will be adopted, and if so, whether and to what extent it will differ from the LTD Proposal. As a result, the timing and content of any final rule, and the potential effects of any final rule on the Company and the Bank, remain uncertain.

Source of Strength

The Federal Reserve’s Regulation Y requires a BHC to serve as a source of financial and managerial strength to its subsidiary banks (this is known as the “source of strength doctrine”). In addition, the Dodd-Frank Act requires a BHC to serve as a source of financial strength to its subsidiary banks and further requires the Federal Banking Agencies to jointly adopt rules implementing this requirement. The Federal Banking Agencies have yet to propose rules as required by the Dodd-Frank Act, but they may do so in the future.

FDIC Orderly Liquidation Authority

The Dodd-Frank Act provides the FDIC with liquidation authority that may be used to liquidate non-bank financial companies and BHCs if the Treasury Secretary, in consultation with the President and based on the recommendation of the Federal Reserve and other appropriate Federal Banking Agencies, determines that doing so is necessary, among other criteria, to mitigate serious adverse effects on U.S. financial stability. The costs of a liquidation of a company would be borne by shareholders and unsecured creditors and then, if necessary, by risk-

Table of Contents

based assessments on large financial companies. The FDIC has issued rules implementing certain provisions of its liquidation authority.

FDIC Deposit Insurance Assessments

The Bank, as an insured depository institution, is a member of the Deposit Insurance Fund (“DIF”) maintained by the FDIC. Through the DIF, the FDIC insures the deposits of insured depository institutions up to prescribed limits for each depositor. The FDIC sets a Designated Reserve Ratio (“DRR”) for the DIF. To maintain the DIF, member institutions may be assessed an insurance premium, and the FDIC may take action to increase insurance premiums if the DRR falls below its required level.

The FDIC, as required under the Federal Deposit Insurance Act, established a plan in September 2020, to restore the DIF reserve ratio to meet or exceed 1.35 percent within eight years. On October 18, 2022, the FDIC finalized a rule that increases the initial base deposit insurance assessment rate schedules by 2 basis points (“bps”) for all insured depository institutions to improve the likelihood that the DIF reserve ratio reaches 1.35 percent by the statutory deadline of September 30, 2028. The rule took effect in January 2023 and this increase was reflected in the Bank’s first quarterly assessment in 2023.

On November 16, 2023, the FDIC finalized a rule to implement a special assessment to recover the loss to the DIF arising from the protection of uninsured depositors in connection with the systemic risk determination announced on March 12, 2023, following the closures of Silicon Valley Bank and Signature Bank. The special assessment base is equal to an insured depository institution’s estimated uninsured deposits reported on its Consolidated Reports of Condition and Income as of December 31, 2022 (“2022 Call Report”), adjusted to exclude the first $5 billion of uninsured deposits. On December 16, 2025, the FDIC issued an interim final rule providing that the FDIC will collect the special assessment over an initial seven quarters of the collection period, which began in the second quarter of 2024, at a quarterly rate of 3.36 basis points and reduce the rate at which the special assessment will be collected in the eighth collection quarter, which will have an invoice payment date of March 30, 2026, to 2.97 basis points. Under the interim final rule, upon termination of the FDIC’s receiverships of Silicon Valley Bank and Signature Bank, the FDIC will either provide an offset to insured depository institutions, if the special assessment amount then-collected exceeds losses, or collect from insured depository institutions a one-time final shortfall special assessment, if losses exceed the special assessment amount then-collected. In addition, the FDIC will provide an offset to regular quarterly deposit insurance assessments for banks subject to the special assessment if, following the final resolution of litigation between the FDIC and SVB Financial Trust, the total amount collected through the special assessment exceeds the loss estimate at that time.”

Investment in the Company and the Bank

Certain acquisitions of our capital stock may be subject to regulatory approval or notice under federal or state law. Investors are responsible for ensuring that they do not, directly or indirectly, acquire shares of our capital stock in excess of the amount that can be acquired without regulatory approval, including under the BHC Act and the Change in Bank Control Act (“CIBC Act”).

Federal law and regulations prohibit any person or company from acquiring control of the Company or the Bank without, in most cases, prior written approval of the Federal Reserve or the OCC, as applicable. Control under the BHC Act exists if, among other things, a person or company acquires more than 25% of any class of our voting stock or otherwise has a controlling influence over us. A rebuttable presumption of control arises under the CIBC Act for a publicly traded BHC such as ourselves if a person or company acquires more than 10% of any class of our voting stock.

Additionally, the Bank is a “bank” within the meaning of Chapter 7 of Title 6.2 of the Code of Virginia governing the acquisition of interests in Virginia financial institutions (“Virginia Financial Institution Holding Company Act”).

Transactions with Affiliates

There are various legal restrictions on the extent to which we and our non-bank subsidiaries may borrow or otherwise engage in certain types of transactions with the Bank. In addition, transactions between the Bank and its non-bank affiliates are required to be on arm’s length terms and must be consistent with standards of safety and soundness.

Table of Contents

Volcker Rule

We and each of our subsidiaries, including the Bank, are subject to the “Volcker Rule,” a provision of the Dodd-Frank Act that contains prohibitions on proprietary trading and certain investments in, and relationships with, covered funds (hedge funds, private equity funds and similar funds), subject to certain exemptions, in each case as the applicable terms are defined in the Volcker Rule and the implementing regulations.

Regulation of Business Activities

The business activities of the Company and the Bank, as well as certain of the Company’s non-bank subsidiaries, are subject to regulation and supervision under various other laws and regulations.

Regulation of Consumer Lending Activities

The activities of the Bank as a consumer lender are subject to regulation under various federal laws, including, for example, the Truth in Lending Act (“TILA”), the Equal Credit Opportunity Act, the Fair Credit Reporting Act (“FCRA”), the CRA, the Servicemembers Civil Relief Act and the Military Lending Act, as well as under various state laws. TILA, as amended, and together with its implementing rule, Regulation Z, imposes a number of restrictions on credit card practices impacting rates and fees, requires that a consumer’s ability to pay be taken into account before issuing credit or increasing credit limits, and imposes revised disclosures required for open-end credit.

Depending on the underlying issue and applicable law, regulators may be authorized to impose penalties for violations of these statutes and, in certain cases, to order banks to compensate customers. Borrowers may also have a private right of action for certain violations. Federal bankruptcy and state debtor relief and collection laws may also affect the ability of a bank, including the Bank, to collect outstanding balances owed by borrowers.

Debit Card Interchange Fees

For debit cards issued on networks not owned by the Company, the Bank earns interchange fees when customers use its debit cards to make transactions at merchants. The Bank is subject to the Federal Reserve’s Regulation II (Debit Card Interchange Fees and Routing) for those debit cards issued on networks not owned by the Company, which limits the amount of interchange fees that can be received per debit card transaction by debit card issuers with over $10 billion in assets and places certain prohibitions on payment routing restrictions and network exclusivity.

Regulation II’s cap on debit interchange fees, including the 2023 proposal, has been challenged in the courts. Changes to, or the invalidity of, Regulation II could result in lower debit card interchange fees issued on four-party networks. Risk Factors” under the heading “Our business, financial condition and results of operations may be adversely affected by legislation, regulation and merchants’ efforts to reduce the fees (including the interchange component) charged by credit and debit card networks and acquirers to facilitate card transactions.”

Payment Card Networks

The Global Payment Network operations are regulated by certain federal and state laws, including banking, payment services, privacy, data protection and data security laws, and are also subject to examination by the Federal Banking Agencies. For example, Regulation II includes a number of requirements for debit cards issued on networks that are not three-party networks, such as certain requirements related to routing and network exclusivity, which apply to certain activities of the Global Payment Networks when third-party issuers issue debit cards on the Global Payment Networks.

In addition, because the Global Payment Network operates internationally, certain subsidiaries through which it operates are subject to government regulation and examination, directly or indirectly, in some countries in which we have operations, or where cards that are accepted on our networks are issued or accepted.

Privacy, Data Protection and Data Security

We are, or may become, subject to a variety of continuously evolving and developing laws and regulations in the United States at the federal, state and local level regarding privacy, data protection and data security, including those related to the collection, storage, handling, use, disclosure, transfer and other processing of personal information. For example, at the federal level, we

Table of Contents

are currently subject to the Gramm-Leach-Bliley Act (“GLBA”) and the FCRA, among other laws and regulations, and expect additional privacy, data protection and data security requirements, including cyber incident reporting requirements, to apply to us as a result of future laws or regulations. Moreover, legislative updates have been proposed, and will likely in the future be proposed, in the U.S. Congress for more comprehensive privacy, data protection and data security legislation, to which we may be subject if passed. At the state level, California has enacted the California Consumer Privacy Act (“CCPA”) and continues to issue regulations thereunder, and various other states also have enacted or are in the process of enacting state-level privacy, data protection and/or data security laws and regulations, with which we may be required to comply.

We also are subject to the U.K. General Data Protection Regulation (“U.K. GDPR”), a version of the EU GDPR as implemented into U.K law. These laws and regulations, and similar laws and regulations in other jurisdictions, impose strict requirements regarding the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information, which may have adverse consequences, including significant compliance costs and severe monetary penalties for non-compliance.

For further discussion of privacy, data protection and data security, and related risks for our business, see “Item 1A. Risk Factors” under the headings “We face risks related to our operational, technological and organizational infrastructure,” “A cyber-attack or other security incident on us or third parties (including their supply chains) with which we conduct business, including an incident that results in the theft, loss, manipulation or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions” and “Our required compliance with applicable laws and regulations related to privacy, data protection and data security, in addition to compliance with our own privacy policies and contractual obligations to third parties, may increase our costs, reduce our revenue, increase our legal exposure and limit our ability to pursue business opportunities.”

For further discussion of our cybersecurity risk management, see “Item 1C. Cybersecurity.”

Anti-Money Laundering, Combating the Financing of Terrorism and Economic Sanctions

The Bank Secrecy Act (“BSA”), as amended by the USA PATRIOT Act of 2001 (“Patriot Act”), and its implementing regulations require financial institutions to, among other things, implement a risk-based compliance program reasonably designed to prevent money laundering and to combat the financing of terrorism, including through suspicious activity and currency transaction reporting, the implementation of policies, procedures, and internal controls, record-keeping and customer due diligence.

The Patriot Act provides enhanced information collection tools and enforcement mechanisms to the U.S. government and expanded certain requirements for financial institutions, including due diligence and record-keeping requirements for private banking and correspondent accounts; standards for verifying customer identification at account opening; rules to produce certain records upon request of a regulator or law enforcement agency; and rules to promote cooperation among financial institutions, regulators and law enforcement agencies in identifying parties that may be involved in terrorism, money laundering and other crimes.

The Anti-Money Laundering Act of 2020 (“AML Act”), enacted as part of the National Defense Authorization Act, requires the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) to issue a number of rules that will update and expand the BSA’s regulatory requirements. For example, the AML Act requires FinCEN to issue National Anti-Money Laundering and Countering the Financing of Terrorism Priorities, which the agency did in June 2021, and to conduct studies and issue regulations that may alter some of the due diligence, record-keeping and reporting requirements that the BSA and

Table of Contents

Patriot Act impose on banks. FinCEN has yet to issue most of the implementing regulations required by the AML Act. The AML Act also promotes increased information-sharing and use of technology and increases penalties for violations of the BSA and includes whistleblower incentives, both of which could increase the prospect of regulatory enforcement.

We are also required to comply with sanctions laws and regulations administered and imposed by the United States government, including the U.S. Treasury Department's Office of Foreign Assets Control (“OFAC”) and the Department of State, as well as comparable sanctions programs imposed by foreign governments and multilateral bodies.

Derivatives Activities

Title VII of the Dodd-Frank Act establishes a regulatory framework for the governance of the over-the-counter (“OTC”) derivatives market, including swaps and security-based swaps and requires the registration of certain market participants as swap dealers or security-based swap dealers. The Bank is registered with the Commodity Futures Trading Commission (“CFTC”) as a swap dealer. Registration as a swap dealer subjects the Bank to additional regulatory requirements with respect to its swaps and other derivatives activities. As a result of the Bank’s swap dealer registration, it is subject to the rules of the OCC concerning capital and margin requirements for swap dealers, including the mandatory exchange of variation margin and initial margin with certain counterparties. Additionally, as a registered swap dealer, the Bank is subject to requirements under the CFTC’s regulatory regime, including rules regarding business conduct standards, recordkeeping obligations, regulatory reporting and procedures relating to swaps trading. The Bank’s swaps and other derivatives activities do not require it to register with the SEC as a security-based swap dealer.

Broker-Dealer Activities

Certain of our non-bank subsidiaries are subject to regulation and supervision by various federal and state authorities. Capital One Securities, Inc., KippsDeSanto & Company and TripleTree, LLC are registered broker-dealers regulated by the SEC and the Financial Industry Regulatory Authority (“FINRA”). These broker-dealer subsidiaries are subject to, among other things, net capital rules designed to measure the general financial condition and liquidity of a broker-dealer. Under these rules, broker-dealers are required to maintain the minimum net capital deemed necessary to meet their continuing commitments to customers and others, and to keep a substantial portion of their assets in relatively liquid form. These rules also limit the ability of a broker-dealer to transfer capital to its parent companies and other affiliates. Broker-dealers are also subject to regulations covering their business operations, including sales and trading practices, public and private offerings, publication of research reports, use and safekeeping of client funds and securities, capital structure, record-keeping and the conduct of directors, officers and employees.

Climate-related Developments

Climate change and the risks it may pose to financial institutions are areas of focus by various legislative bodies and regulators. In the future, new laws, regulations or guidance may be issued, or other regulatory or supervisory actions may be taken in this area by regulatory agencies. Risk Factors” under the heading “Climate change manifesting as physical or transition risks could adversely affect our businesses, operations and customers and result in increased costs.”

Table of Contents


HUMAN CAPITAL RESOURCES

Our human capital practices are designed to develop a collaborative work environment while rewarding employees based on the merit of their work. We prioritize employee recruitment, development, recognition and retention.” The following disclosures provide information on our human capital resources, including certain human capital objectives and measures that we focus on in managing our business.

Governance of Human Capital

Our Board of Directors oversees our human capital management, including strategies, policies and practices, and is assisted by our Board’s Compensation Committee and Governance and Nominating Committee.

Hiring, Developing and Retaining

We employ a comprehensive people strategy that includes significant investments in recruiting and associate development in order to attract and retain top talent from all backgrounds. Investment in associate training and professional development is important to maintaining our talent competitiveness. Our internal enterprise learning and development team blends multiple approaches to learning to support associate development across lines of business, levels and roles, including online and live classroom training. In addition to formal programming provided by learning professionals, including regulatory compliance, role-specific topics and others, our peer-to-peer learning strategy allows associates to be both learners and teachers, further enhancing a culture of learning. We also focus on cultivating talent with leadership development courses, cohort-based programs, network building and coaching, open to all associates.

On a quarterly basis, we review our ability to attract and retain talent. Each line of business and staff group reviews hiring, tenure and attrition metrics as part of this assessment, and they implement risk mitigation plans when needed.

Compensation and Wellness

We appreciate the importance of a competitive total compensation package to attract and retain great talent. Our benefits, including competitive parental leave, on-site health centers, company contributions to associates’ 401(k) plans, educational assistance and other health, wellness and financial benefits are designed to support our associates’ wellbeing inside and outside of the workplace. Furthermore, pay equity is an important element of our pay philosophy. We evaluate base pay and incentive pay for all of our associates globally, at least annually. We review groups of associates in similar roles, adjusting for factors that appropriately explain differences in pay such as job location and experience.

Communication and Connection

We communicate with our associates regularly to better understand their perspectives. To assess and improve associate retention and engagement, the Company surveys associates on a periodic basis with the assistance of third-party consultants and takes actions to address various areas of associate concern. We encourage full participation and use the results to effect change and promote transparency.


TECHNOLOGY AND INTELLECTUAL PROPERTY

Technology/Systems

We leverage information and technology to achieve our business objectives and to develop and deliver products and services. Consequently, we frequently consider our capabilities and develop or acquire systems, processes and competencies to meet our business requirements or objectives.

Table of Contents

As part of our frequent consideration of our technologies, we may either develop such capabilities internally, or rely on third-party service providers who have the ability to deliver technology that is of higher quality, lower cost, or both. We continue to rely on third-party service providers to help us deliver systems and operational infrastructure. These relationships include, but are not limited to: Amazon Web Services, Inc. (“AWS”) for our cloud infrastructure, Total System Services LLC (“TSYS”) for consumer and commercial credit card processing services for our North American and U.K. portfolios and Fidelity Information Services (“FIS”) for certain of our banking systems. Certain of the acquired Discover businesses, including the Global Payment Network, are processed through a combination of data centers and the use of third-party vendors.

We are committed to implementing safeguards designed to protect our customers’ information, as well as our own information and technology. For additional information on our risks associated with cybersecurity and our use of technology systems and our management of these risks, please see “Item 1A. Risk Factors” under the headings “A cyber-attack or other security incident on us or third parties (including their supply chains) with which we conduct business, including an incident that results in the theft, loss, manipulation or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions” and “We face risks related to our operational, technological and organizational infrastructure” and “Item 1C. Cybersecurity.”

Intellectual Property and Other Proprietary Information

As part of our overall and ongoing strategy to protect and enhance our intellectual property rights, we rely on a variety of protections, including copyrights, trademarks, trade secrets, patents and certain restrictions on disclosure, solicitation and competition. We also undertake other measures to control access to, or distribution of, our other proprietary and confidential information.g., cross-licenses) or other arrangements with third parties. For a discussion of risks associated with intellectual property, see “Item 1A. Risk Factors” under the heading “If we are not able to protect our intellectual property rights, or we violate third-party intellectual property rights, our revenue and profitability could be negatively affected.”


FORWARD-LOOKING STATEMENTS

From time to time, we have made and will make forward-looking statements, including those that discuss, among other things: strategies, goals, outlook or other non-historical matters; projections, revenues, income, returns, expenses, assets, liabilities, capital and liquidity measures, capital allocation plans, accruals for claims in litigation and for other claims against us; earnings per share, efficiency ratio, operating efficiency ratio or other financial measures for us; future financial and operating results; our plans, objectives, expectations and intentions; and the assumptions that underlie these matters.

To the extent that any such information is forward-looking, it is intended to fit within the safe harbor for forward-looking information provided by the Private Securities Litigation Reform Act of 1995.

Forward-looking statements often use words such as “will,” “anticipate,” “target,” “expect,” “think,” “estimate,” “intend,” “plan,” “goal,” “believe,” “forecast,” “outlook” or other words of similar meaning. Any forward-looking statements made by us or on our behalf speak only as of the date they are made or as of the date indicated, and we do not undertake any obligation to update forward-looking statements as a result of new information, future events or otherwise. For additional information on factors that could materially influence forward-looking statements included in this Report, see the risk factors set forth under “Item 1A. Risk Factors.” You should carefully consider the factors discussed below, and in our Risk Factors or other disclosures, in evaluating these forward-looking statements.

Numerous factors could cause our actual results to differ materially from those described in such forward-looking statements, including, among other things:

Table of Contents

•risks related to the integration of the Transaction, including our ability to successfully integrate our businesses, incur substantial expenses related to the Transaction and to the integration of Discover, and the expenses may be greater than anticipated due to factors, some or all of which may be outside our control; our ability to realize all of the anticipated benefits of the Transaction, or those benefits may take longer to realize than expected due to factors that may be outside our control; the integration of Discover may have an adverse effect on our business and results of operations due to the diversion of a substantial portion of the time and attention of our management team; potential employee attrition; and other factors that may affect our future results;

•changes and instability in the macroeconomic environment, resulting from factors that include, but are not limited to monetary, fiscal and trade policy actions such as tariffs, geopolitical conflicts or instability, such as the war in Ukraine, the ongoing conflict in the Middle East and the political instability in Venezuela, labor shortages, government shutdowns, inflation and deflation, potential recessions, technology-driven disruption of certain industries, adverse developments impacting the U.S. or global banking industry, immigration policies, lower demand for credit, changes in deposit practices and payment patterns;

•fluctuations in interest rates;

•our ability to maintain adequate sources of funding and liquidity to operate our business;

•increases in credit losses and delinquencies and the impact of incorrectly estimated expected losses, which could result in inadequate reserves;

•our ability to maintain adequate capital or liquidity levels or to comply with revised capital or liquidity requirements, which could have a negative impact on our financial results and our ability to return capital to our stockholders;

•limitations on our ability to receive dividends from our subsidiaries;

•a downgrade in our credit ratings;

•our ability to develop, operate and adapt our operational, technology and organizational infrastructure suitable for the nature of our business;

•increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions that can result from a cyber-attack or other security incident on us or third parties (including their supply chains) with which we conduct business, including an incident that results in the theft, loss, manipulation or misuse of information, or the disabling of systems and access to information critical to business operations;

•the use, reliability and accuracy of the models, AI, and data on which we rely;

•our ability to manage risks of internal and external fraud;

•compliance with new and existing domestic and foreign laws, regulations and regulatory expectations, which may change over time including as a result of the political and policy goals of elected and appointed officials;

•compliance with applicable laws and regulations related to privacy, data protection and data security, in addition to compliance with our own privacy policies and contractual obligations to third parties;

•developments, changes or actions relating to any litigation, governmental investigation or regulatory enforcement action or matter involving us;

•our response to competitive pressures;

•the amount and rate of deposit growth and changes in deposit costs;

•our ability to execute on our strategic initiatives and operational plans;

•change in market preference towards other operators of payment networks and alternative payment providers;

•our ability to create and maintain a strong base of network licensees and achieving meaningful global card acceptance;

Table of Contents

•legislation, regulation and merchants’ efforts to reduce the fees (including the interchange component) charged by credit and debit card networks and acquirers to facilitate card transactions;

•the number of large merchants that accept cards on our recently acquired Discover Network or PULSE Network;

•defaults or risks from bankruptcies, liquidations, restructurings, consolidations and outages by our network participants;

•our ability to invest successfully in and introduce digital and other technological developments across all our businesses;

•our success in integrating acquired businesses and loan portfolios, and our ability to realize anticipated benefits from announced transactions and strategic partnerships;

•changes in the reputation of, or expectations regarding, us or the financial services industry with respect to practices, products, services or financial condition;

•our ability to protect our intellectual property rights;

•the success of our marketing efforts in attracting and retaining customers;

•our risk management strategies;

•our ability to attract, develop, retain and motivate key senior leaders and skilled employees;

•our ability to manage risks from catastrophic events;

•climate change manifesting as physical or transition risks;

•our assumptions or estimates in our financial statements;

•the soundness of other financial institutions and other third parties, actual or perceived; and

•other risk factors identified from time to time in our public disclosures, including in the reports that we file with the SEC.

Item 1A. Risk Factors

The following discussion sets forth what management currently believes could be the material risks and uncertainties that could impact our businesses, results of operations and financial condition. These risk factors do not identify all risks that we face; our operations could also be affected by factors, events or uncertainties that are not presently known to us or that we currently do not consider to present significant risks to our operations. In addition, the global economic and political climate may amplify many of these risks.

Summary of Risk Factors

The following is a summary of the Risk Factors disclosure in this Item 1A. This summary does not address all of the risks that we face. Additional discussion of the risks summarized in this risk factor summary, and other risks that we face, can be found below and should be carefully considered, together with other information in this Form 10-K and our other filings with the SEC, before making an investment decision regarding our securities.

•We may not be able to successfully integrate our businesses associated with the Transaction, or such integration may be more difficult, time-consuming or costly than expected.

•We will continue to incur substantial expenses related to the integration of Discover, and the expenses may be greater than anticipated due to factors, some or all of which may be outside our control.

Table of Contents

•We may fail to realize all of the anticipated benefits of the Transaction, or those benefits may take longer to realize than expected due to factors that may be outside our control.

•The integration of Discover may have an adverse effect on our business and results of operations due to the diversion of a substantial portion of the time and attention of our management team as well as potential employee attrition.

•Changes and instability in the macroeconomic environment could disrupt capital markets, reduce consumer and business activity and weaken the labor market, all of which could impact borrowers’ ability to service their debt obligations and adversely impact our financial results.

•

•We may not be able to maintain adequate sources of funding and liquidity to operate our business.

•We may experience increases in delinquencies and credit losses, or we may incorrectly estimate expected losses, which could result in inadequate reserves.

•We may not be able to maintain adequate capital or liquidity levels or may become subject to revised capital or liquidity requirements, which could have a negative impact on our financial results and our ability to return capital to our stockholders.

•Limitations on our ability to receive dividends from our subsidiaries could affect our liquidity and ability to pay dividends and repurchase our common stock.

•A downgrade in our credit ratings could significantly impact our liquidity, funding costs and access to the capital markets.

•We face risks related to our operational, technological and organizational infrastructure.

•A cyber-attack or other security incident on us or third parties (including their supply chains) with which we conduct business, including an incident that results in the theft, loss, manipulation or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions.

•We face risks resulting from the extensive use of models and data, as well as from our evolving use of AI.

•Risks of external fraud exceeding our expectations due to larger, more sophisticated, or more frequent fraud attacks, failure to detect and respond to such attacks and/or the reduced capability to recover losses from those incidents. This could result in increased fraud loss, operational cost, customer dissatisfaction, reputational damage and/or constrained revenue growth for us.

•Compliance with new and existing domestic and foreign laws, regulations and regulatory expectations is costly and complex, and any significant changes may adversely affect our business.

•Our required compliance with applicable laws and regulations related to privacy, data protection and data security, in addition to compliance with our own privacy policies and contractual obligations to third parties, may increase our costs, reduce our revenue, increase our legal exposure and limit our ability to pursue business opportunities.

•Our businesses are subject to the risk of increased litigation, government investigations and regulatory enforcement.

•We face intense competition in all of our markets, which could have a material adverse effect on our business and results of operations.

•A change in market preference towards other operators of payment networks and alternative payment providers could result in reduced transaction volume, limited merchant acceptance of our cards and limited issuance of cards on our networks by third parties, and in turn may impact our revenue margins.

Table of Contents

•If we are unsuccessful in creating and maintaining a strong base of network licensees and achieving meaningful global card acceptance, we may be unable to achieve long-term success in our recently acquired international network business.

•Our business, financial condition and results of operations may be adversely affected by legislation, regulation and merchants’ efforts to reduce the fees (including the interchange component) charged by credit and debit card networks and acquirers to facilitate card transactions.

•A reduction in the number of large merchants that accept cards on our recently acquired Discover Network or PULSE Network or in the rates they pay could materially adversely affect our business, financial condition, results of operations and cash flows.

•Defaults or risks from bankruptcies, liquidations, restructurings, consolidations and outages by our network participants may adversely affect our business, financial condition, cash flows and results of operations.

•If we are not able to invest successfully in and introduce digital and other technological developments across all our businesses, our financial performance may suffer.

•We may fail to realize the anticipated benefits of our mergers, acquisitions and strategic partnerships.

•Reputational risk and social factors may impact our results and damage our brand.

•If we are not able to protect our intellectual property rights, or we violate third-party intellectual property rights, our revenue and profitability could be negatively affected.

•Our risk management strategies may not be fully effective in mitigating our risk exposures in all market environments or against all types of risk.

•Our business could be negatively affected if we are unable to attract, develop, retain and motivate key senior leaders and skilled employees.

•We face risks from catastrophic events.

•Climate change manifesting as physical or transition risks could adversely affect our businesses, operations and customers and result in increased costs.

•We face risks from the use of or changes to assumptions or estimates in our financial statements.

•The soundness of other financial institutions and other third parties, actual or perceived, could adversely affect us.

Risks Relating to the Transaction and Integration of Discover

We may not be able to successfully integrate our businesses associated with the Transaction, or such integration may be more difficult, time-consuming or costly than expected.

The successful integration of two independent businesses is complex, difficult, time-consuming and costly. The success of the Transaction depends, in part, on our ability to successfully integrate Discover’s operations in a manner that results in various benefits and that does not materially disrupt existing customer relationships or materially decrease revenues due to loss of customers. Additionally, the success of the Transaction depends on our ability to successfully integrate Discover into our Risk Management Framework (the “Framework”), compliance systems and corporate culture, which we believe requires extensive investment, including to enhance the risk management function at Discover consistent with our risk management standards and those of regulators, as well as to address remediation obligations under existing and possible future regulatory orders. The difficulties of combining the operations of our businesses include, among others:

•difficulties integrating operations, systems and networks, including related technology, operations and compliance programs;

•difficulties managing our expanded operations, including challenges related to management and monitoring of new operations and associated increased costs and complexity;

Table of Contents

•difficulties managing our expanded international business footprint, including risks adapting to new markets, legal and regulatory regimes, languages, businesses and cultural practices;

•challenges in conforming standards, controls, procedures and accounting and other policies, such as the integration of Discover into our Framework and corporate culture;

•risks arising from increased scrutiny by, and/or additional regulatory requirements of, governmental authorities as a result of the Transaction, including those related to the integration process or the size, scope and complexity of our expanded business operations;

•difficulties in retaining existing personnel or hiring and integrating new personnel;

•difficulties retaining existing customers or maintaining existing customer relationships;

•diversion of management’s attention to integration matters;

•potential failures, outages, interruptions, compromises and other disruptions resulting from the integration of certain systems, networks and infrastructures, such as our third-party cloud infrastructure platforms or mainframes;

•changes in laws or regulations or in the interpretation of existing laws or regulations;

•risks arising from known or potential unknown contingencies and liabilities of Discover assumed in connection with the consummation of the Transaction; and

•risks related to the outcome of any legal, regulatory, political or community group proceedings or inquiries that may be currently pending or later instituted against us in connection with the Transaction.

The successful combination of our businesses depends on the result of the factors listed above and on the resolution of any potential unknown liabilities, adverse consequences and unforeseen events and increased expenses associated with the Transaction, some or all of which may be outside of our control. If we are unable to successfully integrate our businesses or manage risks related to the above factors, the anticipated benefits of the Transaction may not be fully realized or at all, or may take longer to realize than expected, all of which may have an adverse effect on our business, financial condition and results of operations.

We will continue to incur substantial expenses related to the integration of Discover, and the expenses may be greater than anticipated due to factors, some or all of which may be outside our control.

There are a large number of processes, policies, procedures, operations, technologies and systems that have been and will continue to be integrated, including purchasing, accounting and finance, payroll, cybersecurity, compliance, treasury management, customer management operations, vendor management, risk management, lines of business, pricing and benefits.

While we have assumed that a certain level of costs will be incurred, many of the expenses that we will incur are, by their nature, difficult to estimate accurately. Moreover, there are many factors beyond our control that could affect the total amount or the timing of integration expenses. These expenses could, particularly in the near term, exceed the savings that we expect to achieve from the elimination of duplicative expenses and the realization of economies of scale. These expenses may result in us recording increased expenses as a result of the integration of Discover, and the amount and timing of such charges are uncertain at the present and could exceed initial estimates.

We may fail to realize all of the anticipated benefits of the Transaction, or those benefits may take longer to realize than expected due to factors that may be outside our control.

We may fail to realize the anticipated benefits of the Transaction, including, among other things, anticipated revenue and cost synergies, due to factors that may be outside our control. Our ability to continue to grow our business depends upon our ability to successfully hire, train, supervise, retain and manage new employees, obtain financing for our capital needs, expand our systems effectively, control increasing costs, allocate our human resources optimally, maintain clear lines of communication between our operational functions and our finance and accounting functions and manage the pressures on our management and administrative, operational and financial infrastructure. There can be no assurance that we will be able to accurately anticipate and respond to the changing demands we will face as we continue to expand our operations or that we will be able to achieve

Table of Contents

further growth at all. Additionally, we face risks that any business, technology, service or product we integrate from Discover may significantly under-perform relative to our expectations, and that we may not achieve the benefits we expect, which could, among other things, result in a write-down of goodwill and other intangible assets associated with the Transaction.

Other factors include, but are not limited to, changes in laws or regulations or the implementation or interpretation of laws or regulations due to, among other things, changes in government or general economic, marketplace, technological, political, legislative or regulatory conditions. For example, debit card transactions on three-party networks could become subject to the Federal Reserve’s Regulation II (Debit Card Interchange Fees and Routing) requirements, and other changes in laws or regulations or in the interpretation of existing laws or regulations could impose additional limitations on the fees issuers or networks can charge on debit or credit card transactions or require merchants to be provided an alternative network for transaction routing, any of which may have an adverse effect on our business. Other factors that also may impact our ability to achieve the anticipated benefits of the Transaction include the outcome of any legal or regulatory proceedings that may be currently pending or later instituted against us, including those related to the Card Product Misclassification.

As a result of the Transaction, we have become the legal successor to Discover and, as a result, have assumed the risks relating to actions that were or may be later instituted against Discover or us relating to Discover’s previous actions, as well as ongoing expenses in defending and resolving these actions, and are subject to reputational and other risks associated with Discover’s previous actions.

If we fail to realize the anticipated benefits of the Transaction, or if those benefits take longer to realize than expected, it could have an adverse effect on our business, financial condition and results of operations.

The integration of Discover may have an adverse effect on our business and results of operations due to the diversion of a substantial portion of the time and attention of our management team as well as potential employee attrition.

Our management team has spent, and continues to spend, a significant amount of time and effort focusing on the integration of Discover. This diversion of attention may have an adverse effect on the conduct of our business, and, as a result, on our financial condition and results of operations, particularly if the time it takes to complete the integration is protracted. During this period of integration, our employees may face distraction and uncertainty, and we may experience increased levels of employee attrition. A loss of key personnel or material erosion of employee morale could have a materially adverse effect on our ability to meet customer expectations, thereby adversely affecting our business and results of operations. The failure to retain members of our management team and other key personnel could also impair our ability to execute our strategy and implement operational initiatives, thereby having a material adverse effect on our financial condition and results of operations.

General Economic and Market Risks

Changes and instability in the macroeconomic environment could disrupt capital markets, reduce consumer and business activity and weaken the labor market, all of which could impact borrowers’ ability to service their debt obligations and adversely impact our financial results.

Changes or instability in the macroeconomic environment may impact payment patterns, consumer spending and credit losses. Because we offer a broad array of financial products and services to consumers, small businesses and commercial clients, our financial results are impacted by the level of consumer and business activity and the demand for our products and services. A prolonged period of economic weakness, volatility, slow growth or a significant deterioration in economic conditions, in the countries in which we operate, could have a material adverse effect on our financial condition and results of operations as customers or commercial clients default on their loans, maintain lower deposit levels or, in the case of credit card accounts, carry lower balances and reduce credit card purchase activity.

Some of the factors that could disrupt capital markets, reduce consumer and business activity and weaken the labor market include the following:

•Monetary policy actions, such as changes to interest rates, taken by the Federal Reserve and other central banks, such as the central banks in the U.K. and Canada, and a growing fiscal deficit and increase in the U.S. debt-to-gross domestic product ratio;

•Fiscal policy actions, such as changes to applicable tax codes and programs supported by government funding (e.g., Medicaid, Medicare, Social Security);

Table of Contents

•Geopolitical conflicts or instabilities, such as the war in Ukraine, the ongoing conflict in the Middle East and the political instability in Venezuela and increased geopolitical tensions between the U.S. and China;

•Trade wars, trade barriers, tariffs, economic sanctions, labor shortages and disruptions of global supply chains, including their impacts on the auto industry;

•The effects of stalemates in the U.S. government, including government shutdowns whether recurring, prolonged or otherwise, developments related to the U.S. federal debt ceiling, default by the U.S. government on its debt obligations, or related credit-rating downgrades;

•Inflation and deflation, including the effects of related governmental responses;

•Concerns over a potential recession, which may lead to adjustments in spending patterns;

•Technology-driven disruption of certain industries, such as those due to advances in AI, robotics and cryptocurrency;

•Adverse developments impacting the U.S. or global banking industry, including bank failures, the failure of non-bank financial institutions and liquidity concerns and fluctuations or other significant changes in both debt and equity capital markets and currencies;

•Changes in immigration policies and their impact to the labor market;

•Lower demand for credit such as loans and shifts in consumer behavior, including shifts away from using credit cards or deposits, other changes in deposit practices and changes in payment patterns; and

•Changes in usage of commercial real estate, which may have a sustained negative impact on utilization rates and values.

Decreases in overall business activity and changes in customer behavior (such as the increased use of debt settlement companies) may lead to increases in our charge-off rate caused by bankruptcies and may reduce our ability to recover debt that we have previously charged off. See “We face risks resulting from the extensive use of models and data, as well as from our evolving use of AI.”

Additionally, we have and may in the future implement measures to tighten credit access in response to certain consumer and economic indicators that have or may in the future impact our financial performance, such as purchase volume and new accounts.

For example, rapid changes in interest rates make it difficult for us to balance our loan and deposit portfolios, which may adversely affect our results of operations by, for example, reducing asset yields or spreads, or having other adverse impacts on our business. While higher interest rates generally enhance our ability to grow our net interest income, there are potential risks associated with operating in a higher interest rate environment. For example, some customers have been and may continue to be less willing or able overall to borrow at higher interest rates. Higher interest rates also have hindered and may continue to hinder the ability of some borrowers to support required loan payments. On the other hand, if the rate of economic growth decreased sharply, causing the Federal Reserve to lower interest rates, our net income could be adversely affected as our variable-rate assets tend to be more immediately responsive to changes in market rates than most deposit liabilities.

Additionally, interest rate fluctuations and competitor responses to those changes may have a material adverse effect on our financial condition and results of operations, as customers or commercial clients default on their loans, maintain lower deposit

Table of Contents

levels or, in the case of credit card accounts, reduce demand for credit or (for existing customers) the level of borrowing or purchase activity. For example, increases in interest rates increase debt service requirements for some of our borrowers, which may adversely affect those borrowers’ ability to pay as contractually obligated. This could result in additional or fluctuating delinquencies or charge-offs and negatively impact our results of operations. These changes could reduce the overall yield on our interest-earning asset portfolio.

We assess our interest rate risk by estimating the effect on our net interest income and earnings, economic value and capital under various interest rate scenarios of different direction and magnitude. We take risk mitigation actions based on those assessments. For example, the Company employs various hedging strategies to mitigate the interest rate, foreign exchange and market risks inherent in many of our assets and liabilities. The Company’s hedging strategies rely considerably on assumptions and projections regarding our assets and liabilities as well as general market factors. If any of these assumptions or projections prove to be incorrect or our hedges do not adequately mitigate the impact of changes in interest rates, foreign exchange rates and other market factors, the Company may experience volatility in our earnings that could adversely affect our profitability and financial condition. We face the risk that changes in interest rates could materially reduce our net interest income and our earnings, especially if actual conditions turn out to be materially different than those we assumed.

Changes in valuations in the debt and equity markets could have a negative impact on the assets we hold in our investment portfolio. Such market changes could also have a negative impact on the valuation of assets for which we provide servicing. See “Part II—Item 7. MD&A—Market Risk Profile” and “We face intense competition in all of our markets, which could have a material adverse effect on our business and results of operations” for additional information.

We may not be able to maintain adequate sources of funding and liquidity to operate our business.

We may not be able to maintain adequate sources of funding and liquidity to fund our operations, grow our business, pay our outstanding liabilities and meet regulatory expectations. We could also experience impairments of other financial assets and other negative impacts on our financial position, including possible constraints on liquidity and capital, as well as higher costs of capital.

In addition, our access to funding sources in amounts adequate to finance our activities on terms that are acceptable to us could be impaired by factors that affect us specifically or the financial services industry or economy generally. Factors that could detrimentally impact our access to liquidity sources include increases in funding costs, downturns in the geographic markets in which our loans and operations are concentrated, difficulties in credit markets or unforeseen outflows of cash or collateral, including as a result of unusual effects in the market.

Our ability to fund our business and our liquidity position also depend on our ability to attract or maintain deposits. We cannot predict how this competition will affect our costs. If we are required to offer higher interest rates to attract or maintain deposits, our funding costs will be adversely impacted. Although we have historically been able to meet the liquidity needs of customers as necessary, the ability to do so is not assured, especially if a large number of our depositors seek to withdraw their accounts or if our customers seek significant draws on their credit lines, regardless of the reason. A failure to maintain adequate liquidity could materially and adversely affect our business, results of operations and financial condition.

Credit Risk

We may experience increases in delinquencies and credit losses, or we may incorrectly estimate expected losses, which could result in inadequate reserves.

Like other lenders, we face the risk that our customers will not repay their loans. A customer’s ability and willingness to repay us can be adversely affected by decreases in the income of the borrower or increases in their payment obligations to other lenders, whether as a result of a job loss, higher debt levels or rising cost of servicing debt, inflation outpacing wage growth, or by restricted availability of credit generally. We may fail to quickly identify and reduce our exposure to customers that are

Table of Contents

likely to default on their payment obligations, whether by closing credit lines or restricting authorizations. Our ability to manage credit risk also is affected by legal or regulatory changes (such as restrictions on collections, bankruptcy laws, minimum payment regulations and re-age guidance), competitors’ actions and consumer behavior, and depends on the effectiveness of our collections staff, techniques and models. Additionally, there can be no assurance that we can effectively integrate Discover’s business into our credit models in a manner that will be effective at predicting credit outcomes.

Rising credit losses or leading indicators of rising credit losses (such as higher delinquencies, higher rates of nonperforming loans, higher bankruptcy rates, lower collateral values, elevated unemployment rates or changing market terms) may require us to increase our allowance for credit losses, which would decrease our profitability if we are unable to raise revenue or reduce costs to compensate for higher credit losses, whether actual or expected. In particular, we face the following risks in this area:

•Missed Payments: Our customers may fail to make required payments on time and may default or become delinquent. Loan charge-offs (including from bankruptcies) are generally preceded by missed payments or other indications of worsening financial conditions for our customers. Historically, customers are more likely to miss payments during an economic downturn, recession, periods of high unemployment, or prolonged periods of slow economic growth. Customers might also be more likely to miss payments if the payment burdens on their existing debt grow due to higher interest rates, or if inflation outpaces wage growth.

•Incorrect Estimates of Expected Credit Losses: The credit quality of our loan portfolios can have a significant impact on our earnings. We allow for and reserve against credit risks based on our assessment of expected credit losses in our loan portfolios. This process, which is critical to our financial condition and results of operations, requires complex judgments, including forecasts of economic conditions. We may underestimate our expected credit losses and fail to hold an allowance for credit losses sufficient to account for these credit losses. Incorrect assumptions could lead to material underestimations of expected credit losses and an inadequate allowance for credit losses. See “We face risks resulting from the extensive use of models and data, as well as from our evolving use of AI.”

•Inaccurate Underwriting: Our ability to accurately assess the creditworthiness of our customers may diminish, which could result in an increase in our credit losses and a deterioration of our returns. See “Our risk management strategies may not be fully effective in mitigating our risk exposures in all market environments or against all types of risk.”

•Business Mix: We engage in a diverse mix of businesses with a broad range of potential credit exposure. Because we originate a relatively greater proportion of consumer loans in our loan portfolio compared to other large bank peers and originate both prime and subprime credit card accounts and auto loans, we may experience higher delinquencies and a greater number of accounts charging off, as well as greater fluctuations in those metrics, compared to other large bank peers, which could result in increased credit losses, operating costs and regulatory scrutiny. Additionally, a change in this business mix over time to include proportionally more consumer loans or subprime credit card accounts or auto loans could adversely affect the credit quality of our loan portfolios.

•Counterparty Credit Risk: In addition to consumer credit risk, we are exposed to counterparty credit risk arising from business-facing activities, including our operation of the Global Payment Network and related arrangements. These activities include purchasing for our investment securities portfolio, entering into derivative transactions to manage our market risk exposure and to accommodate customers, extending short-term advances on syndication activity including bridge financing transactions we have underwritten, depositing certain operational cash balances in other financial institutions, executing certain foreign exchange transactions and extending customer overdrafts. If one or more of these counterparties fail to perform on their obligations to us, for example, by failing to meet settlement, reimbursement or guarantee obligations, or by experiencing financial or operational distress, we could experience losses, delayed or disrupted settlement of transactions, increased funding and liquidity needs, higher credit losses or other adverse effects on our business, financial condition and results of operations.

•Increasing Charge-off Recognition/Allowance for Credit Losses: We account for the allowance for credit losses according to accounting and regulatory guidelines and rules, including Financial Accounting Standards Board (“FASB”) standards and the Federal Financial Institutions Examination Council (“FFIEC”) Account Management Guidance. The impact of measuring our allowance for credit losses on our results will depend on the characteristics of our financial instruments, economic conditions, and our economic and loss forecasts.

Table of Contents

•Insufficient Asset Values: The collateral we have on secured loans could be insufficient to compensate us for credit losses. When customers default on their secured loans, we attempt to recover collateral where permissible and appropriate. However, the value of the collateral may not be sufficient to compensate us for the amount of the unpaid loan, and we may be unsuccessful in recovering the remaining balance from our customers. Decreases in real estate and other asset values adversely affect the collateral value for our commercial lending activities, while the auto business is similarly exposed to collateral risks arising from the auction markets that determine used car prices. Borrowers may be less likely to continue making payments on loans if the value of the property used as collateral for the loan is less than what the borrower owes, even if the borrower is still financially able to make the payments. In that circumstance, the recovery of such property could be insufficient to compensate us for the value of these loans upon a default. For example, high vacancy rates in commercial properties may affect the value of commercial real estate, including by causing the value of properties securing commercial real estate loans to be less than the amounts owed on such loans. In our auto business, business and economic conditions that negatively affect household incomes and savings, housing prices and consumer behavior, as well as technological advances that make older cars obsolete faster, could decrease (i) the demand for new and/or used vehicles and (ii) the value of the collateral underlying our portfolio of auto loans, which could cause the number of consumers who become delinquent or default on their loans to increase.

•Geographic and Industry Concentration: Although our consumer lending is geographically diversified, approximately 36% of our commercial real estate loan portfolio is concentrated in the Northeast region. The regional economic conditions in the Northeast affect the demand for our commercial products and services as well as the ability of our customers to repay their commercial real estate loans and the value of the collateral securing these loans. In addition, our Commercial Banking strategy includes an industry-specific focus. If any of the industries that we focus on experience changes, we may experience increased credit losses and our results of operations could be adversely impacted.

Capital and Liquidity Risk

We may not be able to maintain adequate capital or liquidity levels or may become subject to revised capital or liquidity requirements, which could have a negative impact on our financial results and our ability to return capital to our stockholders.

Financial institutions are subject to extensive and complex capital and liquidity requirements, which are subject to change. These requirements affect our ability to lend, grow deposit balances, make acquisitions and distribute capital. Failure to maintain adequate capital or liquidity levels, whether due to adverse developments in our business or the economy or to changes in the applicable requirements, could subject us to a variety of restrictions and/or remedial actions imposed by our regulators. These include limitations on the ability to pay dividends or repurchase shares and the issuance of a capital directive to increase capital. Such limitations or capital directive could have a material adverse effect on our business and results of operations.

We consider various factors in the management of capital, including the impact of both internal and supervisory stress scenarios on our capital levels as determined by our internal modeling and the Federal Reserve’s estimation of losses in supervisory stress scenarios that are used to annually set our stress capital buffer requirement. Although the Federal Reserve has issued the Stress Testing Transparency Proposal, there can be significant differences between our modeling and the Federal Reserve’s projections for a given supervisory stress scenario and between the capital needs suggested by our internal stress scenarios and the supervisory stress scenarios. This, in turn, could lead to restrictions on our ability to pay dividends and engage in repurchases of our common stock.

We also consider various factors in the management of liquidity, including maintaining sufficient liquid assets to meet the requirements of several internal and regulatory stress tests. Regulatory liquidity stress testing, regulatory liquidity requirements

Table of Contents

and internal stress tests may, therefore, require us to take actions to increase our liquid assets or alter our activities or funding sources, which could negatively affect our financial results or our ability to return capital to our stockholders.

Additionally, growth in our total consolidated assets (including as a result of our acquisition of Discover) or cross-jurisdictional activity could affect the Company’s continued classification as a Category III institution. If the Company were to have $700 billion or more in total consolidated assets or $75 billion or more in cross-jurisdictional activity, each as measured based on the average for the four most recent calendar quarters, the Company and the Bank would become subject to more stringent capital and liquidity regulations as a Category II institution and Category II bank, respectively. For example, if the Company were to become a Category II institution, each of the Company and Bank would become subject to the full LCR requirement, which would multiply its total net cash flows by an outflow adjustment percentage of 100% (rather than 85%), and the full NSFR requirement, which would require it to maintain an available stable funding in an amount at least equal to 100% (rather than 85%) of its required stable funding, as well as required daily (rather than monthly) liquidity reporting. In addition, unlike Category III institutions, Category II institutions are not permitted to exclude AOCI from regulatory capital calculations and are subject to a more stringent capital deductions framework as well as the advanced approaches framework under the current Basel III Capital Rules. Although the Company is currently a Category III institution, we cannot predict with certainty whether or when future growth will result in its exceeding the applicable thresholds for classification as a Category II institution.

Limitations on our ability to receive dividends from our subsidiaries could affect our liquidity and ability to pay dividends and repurchase our common stock.

We are a separate and distinct legal entity from our subsidiaries, including, without limitation, the Bank and our broker-dealer subsidiaries. Dividends to us from these direct and indirect subsidiaries have represented a major source of funds for us to pay dividends on our common and preferred stock, repurchase our common stock, make payments on corporate debt securities and meet other obligations. These capital distributions may be limited by law, regulation or supervisory policy. There are various federal law limitations on the extent to which the Bank can finance or otherwise supply funds to us through dividends and loans. These limitations include minimum regulatory capital and capital buffer requirements, federal banking law requirements concerning the payment of dividends out of net profits or surplus, and Sections 23A and 23B of the Federal Reserve Act and Regulation W governing transactions between an insured depository institution and its affiliates, as well as general federal regulatory oversight to prevent unsafe or unsound practices. Our broker-dealer subsidiaries are also subject to laws and regulations, including net capital requirements, that may limit their ability to pay dividends or make other distributions to us. If our subsidiaries’ earnings are not sufficient to make dividend payments to us while maintaining adequate capital levels, our liquidity may be affected and we may not be able to make dividend payments to our common or preferred stockholders, repurchase our common stock, make payments on outstanding corporate debt securities or meet other obligations, each and any of which could have a material adverse impact on our results of operations, our financial position or the perception of our financial health.”

A downgrade in our credit ratings could significantly impact our liquidity, funding costs and access to the capital markets.

There can be no assurance we will be able to maintain our current ratings and outlooks.

Table of Contents

Operational Risk

We face risks related to our operational, technological and organizational infrastructure.

Our ability to retain and attract customers depends on our ability to develop, operate and adapt our technology and organizational infrastructure in a rapidly changing environment. In addition, we must accurately process, record and monitor an increasingly large number of complex transactions. Digital technology, cloud-based services, data and software development are deeply embedded into our business model and how we work.

Similar to other large corporations in our industry, we are exposed to operational risk that can manifest itself in many ways, such as errors in execution, inadequate processes, inaccurate models, faulty or disabled technological infrastructure, malicious disruption and fraud by employees or persons outside of our company, whether through attacks on Capital One directly, or on our third-party service providers or customers. In addition, our employees, service providers, partners and other third parties with whom we interact may expose us to certain risks as a result of human error or misconduct. For example, errors in processing wire transfers may result in the inadvertent release of funds in incorrect amounts or to incorrect recipients, and we may be unable to recover such funds. In addition, in connection with the integration of Discover, we may experience increased risks associated with processing a large volume of transactions in multiple currencies and in jurisdictions where we have not historically operated.

We also face the risk of adverse customer impacts and business disruption arising from the execution of strategic initiatives and operational plans we may pursue across our operations. For example, when we launch a new product, service or platform for the delivery or distribution of products or services, acquire or invest in a business or make changes to an existing product, service or delivery platform, there is the risk of execution issues related to changes to technology, operations or processes. These issues could be driven by insufficient mitigation of operational risks associated with the change implementation, inadequate training, failure to account for new or changed requirements, or failure to identify or address impacted downstream processes.

If we do not maintain the necessary operational, technological and organizational infrastructure to operate our business, including to maintain the resiliency and security of that infrastructure, our business and reputation could be materially adversely affected.

We also rely on the business infrastructure and systems of third-party service providers (and their supply chains) with which we do business and/or to whom we outsource the operation, maintenance and development of our information technology and communications systems. Other than the ongoing integration of Discover, we have substantially migrated primarily all aspects of our core information technology infrastructure and systems and customer-facing applications to third-party cloud infrastructure platforms, principally AWS. If we fail to architect, administer or oversee these environments in a well-managed, secure and effective manner, or if such platforms become unavailable, are disrupted, fail to scale, do not operate as designed or do not meet their service level agreements for any reason, we may experience unplanned service disruption or unforeseen costs which could result in material harm to our business and operations. We must successfully develop and maintain information, financial reporting, disclosure, privacy, data protection, data security and other controls adapted to our reliance on outside platforms and providers. Weakness in our third-party service providers’ processes or controls could impact our ability to deliver

Table of Contents

products or services to our customers and expose us to compliance and operational risks. For example, in January 2025, we experienced a multi-day system outage due to a technical issue experienced by FIS, a third-party service provider, which temporarily impacted certain services for some of our customers. Any such service outage, particularly where the vendor is the single source from which we obtain such services, could significantly disrupt our business or negatively impact the relationship we have with customers that rely on such services.

Any disruptions, failures or inaccuracies of our operational processes, technology systems, networks and models, including those associated with improvements or modifications to such technology systems, networks and models, or failure to identify or effectively respond to operational risks in a timely manner and continue to deliver our services through an operational disruption, could cause us to be unable to market, deliver and manage our products and services, manage our risk, meet our regulatory obligations, report our financial results in a timely and accurate manner, or pay our debts in a timely manner (which could limit our access to future funding), all of which could have a negative impact on our results of operations. In addition, our ongoing investments in technology may increase our expenses. As our business develops, changes or expands, additional expenses can arise as a result of a reevaluation of business strategies or risks, management of outsourced services, asset purchases or other acquisitions, structural reorganization, compliance with new laws or regulations, the integration of newly acquired businesses or the prevention or occurrence of cyber-attacks and other security incidents. Changes to our business, including those resulting from our strategic imperatives, also require robust governance to ensure that our objectives are executed as intended without adversely impacting our customers, associates, operations or financial performance. Further, any of the foregoing risks could be heightened and we could experience failures, outages and other disruptions as a result of the integration of Discover, including the migration of and other changes to Discover’s data, systems, networks and infrastructure to our infrastructure platforms.

A cyber-attack or other security incident on us or third parties (including their supply chains) with which we conduct business, including an incident that results in the theft, loss, manipulation or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions.

Our products and services involve the collection, authentication, management, usage, storage, transmission and destruction of sensitive and confidential information, including personal information, regarding our customers and their accounts, our employees, our partners and other third parties with which we do business. We also have arrangements in place with third-party business partners through which we share and receive information about their customers who are or may become our customers. The financial services industry, including Capital One, is particularly at risk because of the increased use of and reliance on digital banking products and other digital services, including mobile banking products, such as mobile payments, and other internet- and cloud-based products and applications, and the development of additional remote connectivity solutions, which increase cybersecurity risks and exposure. In addition, global events and geopolitical instability may lead to increased nation-state targeting us and other financial institutions in the U.S. and abroad, particularly given our expanded global footprint.

Technologies, systems, networks and other devices of Capital One, as well as those of our employees, service providers, insiders, customers, partners, network participants, including merchants, and other third parties with whom we interact, have been and may continue to be the subject of cyber-attacks and other security incidents, including computer viruses, hacking,

Table of Contents

malware, ransomware, denial of service attacks, supply chain attacks, exploitation of vulnerabilities, credential stuffing, account takeovers, insider threats, business email compromise scams or the use of phishing, vishing (through voice messages), smishing (through SMS text), “deep fakes,” or other forms of social engineering. Such cyber-attacks and other security incidents are designed to lead to various harmful outcomes, such as unauthorized transactions in Capital One accounts, unauthorized or unintended access to or release, gathering, monitoring, disclosure, loss, destruction, corruption, disablement, encryption, misuse, modification or other processing of confidential or sensitive information (including personal information), intellectual property, software, methodologies or business secrets, disruption, sabotage or degradation of service, systems or networks, an attempt to extort Capital One, its third-party service providers or its business partners or other damage. Cyber-attacks and other security incidents that occur in the supply chain of third parties with which we interact could also negatively impact Capital One.

For instance, any party that obtains our confidential or sensitive information (including personal information) through a cyber-attack or other security incident may use this information for ransom, to be paid by us or a third party, as part of a fraudulent activity that is part of a broader criminal activity, or for other illicit purposes. Additionally, the failure of our employees, service providers, insiders, customers, partners, network participants, including merchants, or other third parties with whom we interact, or their respective supply chains, to exercise sound judgment and vigilance when targeted with social engineering or other cyber-attacks may increase our vulnerability.

For example, on July 29, 2019, we announced that on March 22 and 23, 2019 an outside individual gained unauthorized access to our systems (the “2019 Cybersecurity Incident”). This individual obtained certain types of personal information relating to people who had applied for our credit card products and to our credit card customers. While the 2019 Cybersecurity Incident has been remediated, it resulted in fines, litigation, consent orders, settlements, government investigations and other regulatory enforcement inquiries. Cyber and information security risks for large financial institutions like us continue to increase due to the proliferation of new technologies, the industry-wide shift to reliance upon the internet to conduct financial transactions, the increased sophistication and activities of malicious actors, organized crime, perpetrators of fraud, hackers, terrorists, activists, extremist parties, formal and informal instrumentalities of foreign governments, state-sponsored or nation-state actors and other external parties and the growing use of AI by threat actors.

In addition, our customers access our products and services using personal devices that are necessarily external to our security control systems. These third-party breach events could create a threat for our customers if their Capital One log-in credentials are the same as or similar to the credentials that have been compromised on other internet sites. This threat could include the risk of unauthorized account access, data loss and fraud. The use of AI, “bots” or other automation software can increase the velocity and efficacy of these types of attacks and such use by companies has resulted in, and may continue to result in, cyber-attacks and other security incidents that implicate the sensitive and confidential information, including personal information, of AI users. We will likely face an increasing number of attempted cyber-attacks as we expand our mobile and other internet-based products and services, expand our usage of mobile, cloud and other internet-based technologies, increase international merchant acceptance of credit cards issued on the Discover Network, acquire new business operations or outsource certain business operations and otherwise attempt to keep pace with rapid technological changes in the financial services industry.

The methods and techniques employed by malicious actors continue to develop and evolve rapidly, including from emerging technologies, such as AI and quantum computing, are increasingly sophisticated and often are not fully recognized or understood until after they have occurred, and some techniques could occur and enable persistent access for an extended period of time before being detected and remediated, if at all. We and our service providers and other third parties with which we interact may be unable to anticipate or identify certain attack methods or techniques in order to implement effective

Table of Contents

preventative or detective measures or mitigate or remediate the damages caused in a timely manner. Similarly, any cyber-attack or other security incident, information or security breach or technology failure that significantly exposes, degrades, destroys or compromises our information systems or networks could adversely impact third parties and the critical infrastructure of the financial services industry, thereby creating additional risk for us.

We may also be unable to hire, develop and retain talent that keeps pace with the rapidly changing cyber threat landscape, and which are capable of preventing, detecting, mitigating or remediating these risks. Although we seek to maintain a robust suite of authentication and layered information security controls, any one or combination of these controls could fail to prevent, detect, mitigate, remediate or recover from these risks in a timely manner.

An actual, suspected, threatened or alleged disruption or breach, including as a result of a cyber-attack, or media (including social media) reports of alleged or perceived security vulnerabilities or incidents at Capital One or at our service providers, could result in significant legal and financial exposure, regulatory intervention, litigation, enforcement actions, remediation costs, card reissuance, inability to timely pay our debts (and consequently limit our access to future funding), operational disruptions, supervisory liability, damage to our reputation or loss of confidence in the security of our systems, products and services that could adversely affect our business. Moreover, we are subject to varied cybersecurity laws and regulations and incident reporting requirements, and may in the future be subject to new cybersecurity laws and regulations and incident reporting requirements, which could require us to publicly disclose certain information about certain cybersecurity incidents before they have been resolved or fully investigated, and any delays in receiving timely information from impacted service providers and business partners can affect our ability to fully meet applicable disclosure requirements for a given incident. If future attacks are successful or if customers are unable to access their accounts online for other reasons, it could adversely impact our ability to service customer accounts or loans, complete financial transactions for our customers or otherwise operate any of our businesses or services. In addition, a breach or attack affecting one of our service providers or other third parties with which we interact could harm our business even if we do not control the service that is attacked.

Further, our ability to monitor our service providers’ and other business partners’ cybersecurity practices is inherently limited. Although the agreements that we have in place with our service providers and other business partners generally include requirements relating to privacy, data protection and data security, we cannot guarantee that such agreements will prevent a cyber incident impacting our systems or information or enable us to obtain adequate or any reimbursement from our service providers or other business partners in the event we should suffer any such incidents. However, due to applicable laws and regulations or contractual obligations, we may be held responsible for cyber incidents attributed to our service providers and other business partners as they relate to the information we share with them.

In addition, we continue to incur increased costs with respect to preventing, detecting, investigating, mitigating, remediating and recovering from cybersecurity risks, as well as any related attempted fraud. In order to address ongoing and future risks, we must expend significant resources to support protective security measures, investigate and remediate any vulnerabilities of our information systems and infrastructure and invest in new technology designed to mitigate security risks. We have insurance against some cyber risks and attacks; nonetheless, our insurance coverage may not be sufficient to offset the impact of a material loss event (including if our insurer denies coverage as to any particular claim in the future), and such insurance may increase in cost or cease to be available on commercially reasonable terms, or at all, in the future. In addition, in the case of any cyber-attack or other security incident, information or security breach or technology failure arising from third-party systems impacting us, any third-party indemnification may not be applicable or sufficient to address the impact of such incidents.

Furthermore, the Transaction exposes us to additional cybersecurity risks, which we expect to continue until the integration of Discover is completed. These risks include the possibility of previously undetected cybersecurity threats in Discover's operations, systems and networks, as well as risks related to the cybersecurity posture of Discover and its third-party service providers. The materialization of such risks could lead to the degradation or disruption of our operations and services; unauthorized access; breach of confidentiality; and misuse or modification of systems, networks and data. Additionally, in connection with the integration of Discover, failures or difficulties in retaining new personnel, including those with access to our confidential or sensitive information (including personal information), and other difficulties in the organizational,

Table of Contents

technological and cultural integration process may heighten the risk of cyber-attacks and other security incidents, including as a result of human error, fraud or malice on the part of current or former employees.

We face risks resulting from the extensive use of models and data, as well as from our evolving use of AI.

We rely on quantitative models and, in some cases, the use of AI. In particular, we use models and AI in certain processes and may expand our use of AI in additional processes in the future.

However, there are significant risks involved in using models and AI, and we cannot assure that our use will enhance our businesses or produce only the intended or beneficial results. For example, generative AI has been known to produce false or “hallucinatory” inferences or output. Certain generative AI tools use machine learning and predictive analytics, which can create inaccurate, incomplete or misleading outputs; unexpected results; or errors or inadequacies, any of which may not be easily detectable. In addition, models and AI that are based on historical data sets might not be accurate predictors of future outcomes. The ability of models and AI to appropriately predict future outcomes may degrade over time due to limited historical patterns, extreme or unanticipated market movements, or customer behavior and liquidity, especially during severe market downturns or stress events (e.g., geopolitical or pandemic events). Consequently, our use of models and AI could result in inaccurate forecasts, ineffective risk management practices, inaccurate risk reporting and other negative or unexpected consequences.

If the models or AI solutions that we or a third party create and use or the data inputs, formulas, or algorithms on which such models or AI solutions rely – or if the content, analyses or recommendations that the models or AI solutions produce are (or are perceived to be) deficient, inaccurate, biased, unethical or controversial – we could incur operational inefficiencies, competitive harm, legal liability, or brand or reputational harm. We could also incur other adverse impacts on our businesses and financial results. We may be liable if we were to violate applicable laws and regulations, third-party intellectual property, privacy or other rights, or contracts we have. Further, the use of models and AI solutions within products or services that we use or that are used by our third-party service providers may pose similar risks, and we have limited ability to control the manner in which third-party products are developed or maintained or the manner in which third-party services are provided.

The development and implementation of some of these models require us to make difficult, subjective and complex judgments. Our risk reporting and risk management, including our business decisions that are based on information gathered through models and AI, depend on the effectiveness of our models and AI. They also depend on our policies, programs, processes and practices governing how data, models and AI are acquired, validated, stored, protected, processed and analyzed, including our data aggregation and validation procedures, and any issues with the quality or effectiveness of the foregoing could have negative consequences.

While we continuously update our policies, programs, processes and risk management practices, many of our data management, modeling, AI, aggregation and implementation processes are manual. They may be subject to human error, data limitations, process delays or system failure. If any of our employees, contractors, third-party service providers or other third parties with which we do business use any third-party AI solutions in connection with our business, it may lead to the inadvertent or unauthorized disclosure or incorporation of our sensitive and confidential information, including personal information, into third-party systems or publicly available or third-party training sets, which may impact our ability to realize the benefit of our intellectual property or other proprietary rights in such information. Failure to manage data effectively and to aggregate data in an accurate and timely manner may limit our ability to manage current and emerging risks; to produce accurate financial, regulatory and operational reporting; and to manage changing business needs. If our Framework is ineffective, we could suffer unexpected losses, which could materially adversely affect our results of operation or financial condition.

Table of Contents

Any information we provide to the public or to our regulators based on incorrectly designed/implemented models or AI could be inaccurate or misleading. Some of the decisions that our regulators make could be adversely affected if their perception is that the quality of the data, models and AI used to generate the information is insufficient.

The regulation of AI is rapidly evolving worldwide as legislators and regulators are increasingly focused on these powerful, emerging technologies. They are expected to be subject to increased regulation and new laws or new applications of existing laws and regulations.

Various U.S. governmental and regulatory agencies continue to review AI. Several U.S. states and foreign jurisdictions are applying (or are considering applying) their platform moderation, privacy, data protection, and data security laws and regulations to AI. They are also considering general legal frameworks for AI. In particular, several states, including Colorado and California, have passed or are continuing to propose laws and regulations that govern various facets and uses of AI.

Furthermore, because AI technology itself is highly complex and rapidly developing, it is not possible to predict all of the legal, operational, competitive or technological risks that may arise from using AI.

Risks of external fraud exceeding our expectations due to larger, more sophisticated, or more frequent fraud attacks, failure to detect and respond to such attacks and/or the reduced capability to recover losses from those incidents. This could result in increased fraud loss, operational cost, customer dissatisfaction, reputational damage and/or constrained revenue growth for us.

We are subject to the risk of fraudulent activity perpetrated by bad actors or by our customers. Our customers may also fall victim to scams in which they authorize bad actors to take account actions on their behalf. The risk of fraud continues to be a persistent inherent risk for the financial services industry. Our risk of fraud continues to increase as third parties that handle confidential consumer information suffer security breaches, we expand our digital banking business and we introduce new products and features (including our acquisition of the Global Payment Network). Credit and debit card fraud, identity theft and electronic-transaction related crimes are prevalent, and perpetrators are growing ever more sophisticated. While we have fraud defenses, authentication tools and various other strategies designed to address such risks, there can be no assurance that losses will not exceed historical levels or our expectations.

There are also risks to our ability to recover fraud losses based on potential changes to fraud liability. Additionally, consumer activists and regulators have sought to expand financial institutions’ responsibility to hold customers harmless for transactions that they authorized on their accounts that are the result of scams.

Emerging generative AI capabilities, such as synthetic video, images and identity documents may introduce new risks, in the form of identity fraud and scams. Additionally, the growth of agentic commerce, in which autonomous AI agents initiate and execute transactions on behalf of users, may increase fraud losses as well as change circumstances when the merchant or issuer is liable for fraud losses.

Our financial condition, the level of our fraud charge-offs and other results of operations could be materially adversely affected if fraudulent activity were to significantly increase. Furthermore, high-profile fraudulent activity could negatively impact our brand and reputation. In addition, significant increases in fraudulent activity could lead to regulatory intervention or other actions (such as mandatory card reissuance) and reputational and financial damage to our brands, which could negatively impact the use of our deposit accounts, cards and networks, any of which could have a material adverse effect on our business.

Legal and Regulatory Risk

Compliance with new and existing domestic and foreign laws, regulations and regulatory expectations is costly and complex, and any significant changes may adversely affect our business.

Table of Contents

A wide array of laws and regulations, including banking, tax, consumer lending and payment services laws and regulations, apply to our business and these laws can be uncertain and evolving. We and our subsidiaries are also subject to supervision and examination by multiple regulators both in the U.S. and abroad, and the manner in which our regulators interpret applicable laws and regulations may affect how we comply with them.

The Company, including Discover’s business acquired in the Transaction, may be subject to increased scrutiny by, and/or may require additional regulatory compliance with, governmental authorities in connection with the Transaction as a result of an increase in the size, scope and complexity of the combined company’s business operations, which may have an adverse effect on our business, financial condition and results of operations. Also, if the Company were to become a Category II institution due to an increase in size or cross-jurisdictional activity, it would become subject to certain additional or enhanced regulatory requirements. See “We may not be able to maintain adequate capital or liquidity levels or may become subject to revised capital or liquidity requirements, which could have a negative impact on our financial results and our ability to return capital to our stockholders.” for additional information.

Failure to comply with these laws and regulations and effectively navigate this complex regulatory landscape, even if the failure is inadvertent, results from human error or reflects a difference in interpretation or conflicting legal requirements, could subject us to restrictions on our business activities, fines, criminal sanctions and other penalties and/or damage to our reputation with regulators, our customers or the public. Hiring, training and retaining qualified compliance and legal personnel, and establishing and maintaining risk management and compliance-related systems, infrastructure and processes, is difficult and may lead to increased expenses. These efforts and the associated costs could limit our ability to invest in other business opportunities. In addition, actions, behaviors or practices by us, our employees or representatives that are illegal, unethical or contrary to our core values could harm us, our stockholders or customers or damage the integrity of the financial markets and are subject to regulatory scrutiny across jurisdictions. Violations of law by other financial institutions may also result in increased regulatory scrutiny of our business.

Applicable laws and regulations may affect us disproportionately compared to our competitors or in an unforeseen manner. For example, we have a large number of customer accounts in our credit card and auto lending businesses and we have made the strategic choice to originate and service subprime credit card and auto loans, which typically have higher delinquencies and charge-offs than prime customer accounts. As a result, we have significant involvement with credit bureau reporting and the collection and recovery of delinquent and charged-off debt, primarily through customer communications, the filing of litigation against customers in default, the periodic sale of charged off debt and vehicle repossession. Any future changes to or legal liabilities resulting from our business practices in these areas, including our debt collection practices and the fees we charge, whether mandated by regulators, courts, legislators or otherwise, could have a material adverse impact on our financial condition.

The legislative, regulatory and supervisory environment is beyond our control, may change rapidly and unpredictably, and may negatively influence our revenue, costs, operations, transaction volumes, earnings, growth, liquidity and capital levels. There have been efforts to impose price controls and other impositions. Such changes, among others, could impact credit availability, affect our ability or willingness to provide certain products or services, necessitate changes to our business practices or materially reduce our revenues. Some laws and regulations may be subject to litigation or other challenges that delay implementation or result in modifications, rescissions or withdrawals, which impacts us. Furthermore, political and policy goals of elected and appointed officials may change over time, which could impact the rulemaking, supervision, examination and enforcement priorities of the Federal Banking Agencies. It is possible that expected changes in law, regulation and policy do not occur or are reversed subsequently, or the regulatory measures that are ultimately enacted deliver significant competitive advantages to financial services that are structured differently or serve different markets than us. For example, there may be future legislation or rulemaking in emerging regulatory areas, such as a more accommodative stance on novel financial services or new technologies, including those related to stablecoins. Adoption of new technologies, such as distributed ledger technologies, tokenization, cloud computing, AI and machine learning technologies, can present challenges in applying and relying on existing compliance systems.

Compliance expectations and expenditures have significantly increased over time for us, particularly as regulators have heightened their focus on the adequacy of controls to support business operations. We may have to make additional investments in risk management, compliance and other functions in response to enforcement actions, supervisory expectations and the integration of Discover into our Framework and corporate culture. We may face additional risks, including risks of supervisory and enforcement actions, if we are unable to align Discover’s risk and control culture and environment with the expectations of

Table of Contents

our regulators. We may become subject to compliance and regulatory risks if new issues, including issues that may be more severe than we anticipated before the closing of the Transaction, are identified as part of the integration of Discover or otherwise relating to Discover’s activities. We may also face compliance and regulatory risks if we introduce new or changed products and services or enter into new business arrangements with third-party service providers, alternative payment providers or other industry participants as a result of the Transaction. Heightened regulatory expectations and increased volume of regulatory changes may generate additional expenses or require significant time and resources to maintain compliance.

Certain laws and regulations, and any interpretations and applications with respect thereto, are generally intended to protect consumers, borrowers, depositors, the DIF, the U.S. banking and financial system, and financial markets as a whole, but not stockholders. Our success depends on our ability to maintain compliance with both existing and new laws and regulations. For a description of the material laws and regulations, including those related to the consumer lending business, to which we are subject, see “Part I—Item 1. Business—Supervision and Regulation.”

Our required compliance with applicable laws and regulations related to privacy, data protection and data security, in addition to compliance with our own privacy policies and contractual obligations to third parties, may increase our costs, reduce our revenue, increase our legal exposure and limit our ability to pursue business opportunities.

We are subject to a variety of continuously evolving and developing laws and regulations in the United States at the federal, state and local level regarding privacy, data protection and data security, including those related to the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information. These laws and regulations, and similar laws and regulations in other jurisdictions, impose strict requirements regarding the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information, which may have adverse consequences, including significant compliance costs and severe monetary penalties for non-compliance. For further discussion of applicable privacy, data protection and data security laws and regulations, see “Part I—Item 1. Business—Supervision and Regulation” under the headings “Privacy, Data Protection and Data Security” and “Regulation by Authorities Outside the United States.” Significant uncertainty exists as privacy, data protection and data security laws may be interpreted and applied differently from country to country and may create inconsistent or conflicting requirements. In connection with the integration of Discover, we expect to continue to integrate Discover data, including personal information, into our systems and networks, which may subject us to increased regulatory and compliance risks, including at the international level.

Further, we make public statements about our use, collection, disclosure and other processing of personal information through our privacy policies, information provided on our website and press statements. Although we endeavor to comply with our public statements and documentation, we may at times fail to do so or be alleged to have failed to do so. The publication of our privacy policies and other statements that provide promises and assurances about privacy, data protection and data security can subject us to potential government or legal action if they are found to be deceptive, unfair or misrepresentative of our actual practices. We have been subject to these types of claims in the past, and there can be no assurance that we will not be subject to these types of claims in the future. Additional risks could arise in connection with any failure or perceived failure by us, our service providers or other third parties with which we do business to provide adequate disclosure or transparency to individuals, including our customers, about the personal information collected from them and its use, to receive, document or honor the privacy preferences expressed by individuals, to protect personal information from unauthorized disclosure, misuse or mishandling or to maintain proper training on privacy practices for all employees or third parties who have access to personal information in our possession or control. Furthermore, the increased risk of inadvertent disclosure of confidential information or personal data in connection with the utilization of AI technologies may result in stronger regulatory scrutiny, leading to legal and regulatory investigations and enforcement actions that may negatively affect our business, even if unfounded.

Our efforts to comply with the GLBA, the FCRA, the CCPA, the PIPEDA and provincial privacy laws, EU GDPR, U.K. GDPR and other privacy, data protection and data security laws and regulations, as well as our posted privacy policies, and related contractual obligations to third parties, entail substantial expenses, may divert resources from other initiatives and projects, and could limit the services we are able to offer. Furthermore, enforcement actions and investigations by regulatory authorities related to data security incidents and privacy, data protection and data security violations continue to increase. The enactment of more restrictive laws or regulations, or future enforcement actions, litigation or investigations, could impact us through increased costs or restrictions on our business, and any noncompliance or perceived noncompliance could result in monetary or other penalties, harm to our reputation, distraction to our management and technical personnel and significant legal liability.

Our businesses are subject to the risk of increased litigation, government investigations and regulatory enforcement.

Table of Contents

Our businesses are subject to increased litigation, government investigations and other regulatory enforcement risks as a result of a number of factors and from various sources, including the highly regulated nature of the financial services industry, the focus of state and federal prosecutors on banks and the financial services industry and the structure of the credit card industry.

Given the inherent uncertainties involved in litigation, government investigations and regulatory enforcement decisions, and the very large or indeterminate damages sought in some matters asserted against us, there can be significant uncertainty as to the ultimate liability we may incur from these kinds of matters. The finding, or even the assertion, of substantial legal liability against us could have a material adverse effect on our business and financial condition and could cause significant reputational harm to us, which could seriously harm our business.

In addition, financial institutions, such as ourselves, face significant regulatory scrutiny, which can lead to public enforcement actions or nonpublic supervisory actions. We and our subsidiaries are subject to comprehensive regulation and periodic examination by, among other regulatory bodies, the Federal Banking Agencies, the SEC, the CFTC and the CFPB.

In December 2025, the OCC issued a report of preliminary findings of its ongoing supervisory review, in accordance with Executive Order 14331 “Guaranteeing Fair Banking for All Americans,” of the nine largest OCC-regulated banks, including the Bank, to determine whether those banks may have debanked or discriminated against customers or potential customers on the basis of their political or religious beliefs or lawful business activities. In the report, the OCC states that its review is ongoing and, once its supervisory review has concluded, it intends to hold the banks reviewed accountable for any unlawful debanking activities, including by making referrals to the Attorney General.

Over the last several years, federal and state regulators have focused on risk management, compliance with anti-money laundering (“AML”) and sanctions laws, privacy, data protection and data security, use of service providers, fair access and lending, unfair or deceptive practices, and other consumer protection issues and new technologies. Regulators have indicated the potential for escalating consequences for banks that do not timely resolve open issues or have repeat issues. Regulatory scrutiny is expected to continue in these areas, including as a result of implementation of the AML Act of 2020.

We expect that regulators and governmental enforcement bodies will continue taking public enforcement actions against financial institutions in addition to addressing supervisory concerns through nonpublic supervisory actions or findings, which could involve restrictions on our activities, or our ability to make acquisitions or otherwise expand our business, among other limitations that could adversely affect our business. Furthermore, a single event may give rise to numerous and overlapping investigations and proceedings. For additional information regarding legal and regulatory proceedings to which we are subject, see “Part II—Item 8. Financial Statements and Supplementary Data—Note 19—Commitments, Contingencies, Guarantees and Others.”

As a result of the Transaction, we have assumed the contingencies and liabilities of Discover, for which we have incurred and may continue to incur financial risk, compliance obligations, litigation risk, or reputational risk, including as a result of assuming ongoing litigation disputes, claims, government agency investigations and enforcement actions and other proceedings associated with Discover’s actions prior to the Transaction. For additional information regarding legal and regulatory proceedings in connection with the Transaction, refer to “Part II—Item 8. Financial Statements and Supplementary Data—Note 19—Commitments, Contingencies, Guarantees and Others.”

We continue to face significant uncertainty regarding the contingencies and liabilities we have assumed from Discover, and any significant or unanticipated liability we may incur from these matters may adversely impact our business, financial condition and results of operations.

Table of Contents

Other Business Risks

We face intense competition in all of our markets, which could have a material adverse effect on our business and results of operations.

We operate in a highly competitive environment across all of our lines of business, whether in making loans, attracting deposits or in the global payments industry, and we expect competitive conditions to continue to intensify with respect to most of our products, particularly in our card, payment network and consumer banking businesses. In addition to offering competitive products and services, we invest in and conduct marketing campaigns to attract and inform customers. If our marketing campaigns are unsuccessful, it may adversely impact our ability to attract new customers and grow our business.

Some of our competitors, including new and emerging competitors in the digital and mobile payments space and other financial technology providers and payment networks, are not subject to the same regulatory requirements or scrutiny to which we are subject, which also could place us at a competitive disadvantage, in particular in the development of new technology platforms or the ability to rapidly innovate. If we are unable to continue to keep pace with innovation and fail to reflect such technology in our payments offerings, do not effectively market our products and services, are unable to deliver them effectively and securely to our customers or are prohibited from or unwilling to enter emerging areas of competition, our business and results of operations could be adversely affected. Also, our competitors or other third parties may incorporate emerging technologies, such as AI, into their products or services more quickly or more successfully than we do, which could impair our ability to compete effectively. For example, our competitors may be more timely or successful in developing or integrating AI technologies to increase their productivity and reduce their costs or to provide better transaction execution or improved products or services to clients. In addition, government actions or initiatives by the federal and state governmental authorities, including the Federal Banking Agencies, may also provide competitors with increased opportunities to derive competitive advantages and may create new competitors. These actions or initiatives may include more accommodative positions on the processing and approval of traditional bank charters and deposit insurance, expanded access to the banking and payments systems through the approval of competitors, including competitors with novel business models, to hold specialized charters, or more accommodative positions on novel activities performed by banks or non-banks. For example, the Guiding and Establishing National Innovation for U.S. Stablecoins Act of 2025 (GENIUS Act) provides a legal framework for stablecoins to be issued in the United States, which may allow new and existing competitors to compete for funds that may have otherwise been deposited with banks, such as the Bank.

Some of our competitors are substantially larger than we are, which may give those competitors advantages, including a more diversified product and customer base, the ability to reach more customers and potential customers, operational efficiencies, broad-based local distribution capabilities, lower-cost funding and larger existing branch networks. Many of our competitors are also focusing on cross-selling their products and developing new products or technologies, which could affect our ability to maintain or grow existing customer relationships or require us to offer lower interest rates or fees on our lending products or higher interest rates on deposits. Competition for loans could result in origination of fewer loans, earning less on our loans or an increase in loans that perform below expectations.

We face strong and increasing competition in the direct banking market. Aggressive pricing throughout the industry may adversely affect the retention of existing balances and the cost-efficient acquisition of new deposit funds and may affect our growth and profitability. These shifts, which could be rapid, could result from general dissatisfaction with our products or services, including concerns over pricing, online security or our reputation. The potential consequences of this competitive environment are exacerbated by the flexibility of direct banking and the financial and technological sophistication of our online customer base.

The increased pressure on transaction fees associated with card payments due to competition could create additional risk to growth for both our card issuing businesses and the Global Payment Network. This, in turn, could adversely affect the revenue

Table of Contents

for our network and card issuing businesses, as well as our ability to attract and retain Network Partners who may seek alternatives from both traditional and non-traditional payment service providers, which may limit our ability to maintain or grow revenues from the Global Payment Network. In addition, competitors’ settlements with merchants and related actions, including pricing pressures and/or surcharging, could negatively impact our business practices. Competitor actions related to the structure of merchant and acquirer fees and merchant and acquirer transaction routing strategies may adversely affect our recently acquired PULSE Network’s business practices, network transaction volume, revenue and prospects for future growth and entry into new product markets. The market for key business partners, especially in the credit card business, is very competitive, and we may not be able to grow or maintain these partner relationships or assure that these relationships will be profitable or valued by our customers. We face the risk that we could lose partner relationships, even after we have invested significant resources into acquiring and developing the relationships. The loss of any key business partner could have a negative impact on our results of operations, including lower returns, excess operating expense and excess funding capacity.

We depend on our partners to effectively promote our co-brand and private label credit card products and integrate the use of our credit cards into their retail operations. The failure by our partners to effectively promote and support our products, as well as changes they may make in their business models, could adversely affect card usage and our ability to achieve the growth and profitability objectives of our partnerships. In addition, if our partners do not adhere to the terms of our program agreements and standards, or otherwise diminish the value of our brand, we may suffer reputational damage and customers may be less likely to use our products.

Some of our competitors have developed, or may develop, substantially greater financial and other resources than we have, may offer richer value propositions or a wider range of programs and services than we offer, or may use more effective advertising, marketing or cross-selling strategies to acquire and retain more customers, capture a greater share of spending and borrowings, attain and develop more attractive co-brand card programs, obtain more favorable terms with merchants and maintain greater merchant acceptance than we have. Competition may also intensify as participants in the payments industry merge or enter into joint ventures or other business combinations that compete with our products and services. We may not be able to compete effectively against these threats or respond or adapt to changes in consumer spending habits as effectively as our competitors.

In such a competitive environment, we may lose entire accounts or may lose account balances to competing firms, or we may find it more costly to maintain our existing customer base. Customer attrition from any or all of our lending products, together with any lowering of interest rates or fees that we might implement to retain customers, could reduce our revenues and therefore our earnings. Similarly, unexpected customer attrition from our deposit products, in addition to an increase in rates or services that we may offer to retain deposits, may increase our expenses and therefore reduce our earnings.

A change in market preference towards other operators of payment networks and alternative payment providers could result in reduced transaction volume, limited merchant acceptance of our cards and limited issuance of cards on our networks by third parties, and in turn may impact our revenue margins.

As a result of our recent acquisition of the Global Payment Network, we now face substantial and increasingly intense competition in the payments industry, both from traditional players and new, emerging alternative payment providers. For example, we now compete with other payment networks to attract Network Partners to issue credit and debit cards and other card products on the Global Payment Network. In addition, increased competition with certain network operators, such as Visa and Mastercard, could affect our existing partnerships and business relationships with these networks, which have historically played a significant role in facilitating our card-issuing and transaction processing services. Competition with other operators of payment networks is generally based on issuer fees, fees paid to networks (including switch fees), merchant acceptance and functionality, technological capabilities and other economic terms. Competition is also based on customer perception of service quality, merchant acceptance, brand image, reputation and market share. Further, we are now facing ongoing competition from emerging alternative payment providers who may create innovative networks or other arrangements with our primary competitors, large merchants or other industry participants, or provide stablecoins, other digital currencies or tokenized deposits, which could adversely impact our costs, transaction volume and ability to grow our business. In addition, we, along with our competitors, clients, network participants and others, are developing or participating in alternative payment systems or products such as mobile and ecommerce payment services, P2P payment services, real-time and faster payment initiatives, and

Table of Contents

payment services that could reduce our role in, or otherwise disintermediate us from, transaction processing or the value-added services we provide to support such processing.

Many of our payment network and alternative payment provider competitors are well established and have significant financial resources and scale. These competitors have provided financial incentives to card issuers, such as large cash signing bonuses for new programs and funding for, and sponsorship of, marketing programs and other bonuses.

We cannot be certain that we will be able to continue to increase international merchant acceptance, as well as the perception of merchant acceptance of the Global Payment Network, and we cannot be certain that we will achieve global market parity with Visa or Mastercard. In addition, Visa and Mastercard have entered into long-term arrangements with financial institutions, some of which are exclusive, or nearly exclusive, which has the effect of limiting our ability to conduct material amounts of business with these institutions. Moreover, American Express is also a strong competitor with international merchant acceptance, competitive transaction fees and an upscale brand image. Internationally, American Express competes in the same market segments as Diners Club. We may face challenges in increasing international merchant acceptance on our networks, particularly if third parties that we rely on to issue Diners Club cards, increase card acceptance and market our brands, do not perform to our expectations.

In addition, if we are unable to maintain sufficient network functionality to be competitive with other networks, or if our competitors develop better data security solutions or more innovative products and services than we do, our ability to retain and attract Network Partners and maintain or increase the revenues generated by the Global Payment Network or our proprietary card-issuing businesses could be materially and adversely affected. Our competitive position could also be affected if we are unable to deploy, in a cost-effective and competitive manner, technology such as generative AI. Additionally, competitors may develop ancillary products, which as a consequence of the competitors’ size and scale, we may be forced to use. Such developments could adversely affect our business, as those competitors may be better positioned to absorb the costs of such data security solutions over higher volumes or a larger customer base.

Our recently acquired network business depends upon relationships with card issuers, merchant acquirers, alternative payment providers and licensees, many of whom are financial institutions. The economic and regulatory environment and increased competition and innovation in the payments space could decrease our opportunities for new business and may result in the termination of existing business relationships. In addition, if as a result of this environment, financial institutions have decreased interest in engaging in new card issuance opportunities or expanding existing card issuance relationships, that would inhibit our ability to grow our network business. We will face substantial and intense competition in the payments industry, which may impact our revenue margins, transaction volume and business strategies.

If we are unsuccessful in creating and maintaining a strong base of network licensees and achieving meaningful global card acceptance, we may be unable to achieve long-term success in our recently acquired international network business.

The success of our international network business, and our ability to grow global card acceptance for the Global Payment Network, depends on the cooperation, support and continued operation of the network licensees that issue Diners Club cards and maintain associated merchant acceptance relationships, as well as the partners that participate in our network alliances with us; these participants issue cards that operate on our network and support merchant acceptance in their respective markets.

Outside of the United States, we do not issue cards that are accepted on our networks, and we do not determine the terms and conditions of cards issued by our international network participants, whether they are Diners Club participants or work with us through a network alliance. The level of acceptance in any given market reflects a combination of factors, including the number and competitiveness of cards issued directly by us and by network participants, whether merchants in a given market view acceptance of our cards as commercially attractive based on perceived customer demand and competitive pricing and terms, and the commitment, investment and effectiveness of those participants in promoting card usage and expanding or sustaining merchant acceptance.

If we are unable to continue our relationships with network participants, or if those participants are unable to continue their relationships with merchants or otherwise effectively support merchant acceptance, our ability to maintain or increase revenues and remain competitive would be adversely affected due to the potential deterioration in our card issuers’ relationships with their cardholders, which would in turn reduce demand and lead to declines in transaction volume or acceptance levels. If one or more network participants were to experience a significant impairment of their business or cease doing business for economic,

Table of Contents

regulatory or other reasons, we could face business interruption in affected markets, including loss of volume, global card acceptance and revenue and exposure to potential reputational risk. If such conditions arise in the future, we may need to deploy resources and incur expenses in order to sustain network acceptance and support network functionality. Additionally, interruption of network licensee relationships could have an adverse effect on the international acceptance of our credit cards when they are used on our networks.

Achieving global card acceptance would allow our customers, including third-party issuers leveraging the network, to use their cards at merchant and ATM locations around the world. The long-term success of our international network business depends upon achieving meaningful global card acceptance, which may include higher overall costs or longer time frames than anticipated.

Our business, financial condition and results of operations may be adversely affected by legislation, regulation and merchants’ efforts to reduce the fees (including the interchange component) charged by credit and debit card networks and acquirers to facilitate card transactions.

As an issuer of credit and debit cards on four-party networks, the Bank earns interchange fees, which are included in the charges to merchants by their acquirers when customers use our cards. Interchange fees continue to be the subject of significant and intense global legislative, regulatory and legal focus, and the resulting legislation, regulation and decisions may have a material adverse impact on our overall business, financial condition and results of operations. For cards issued on the Global Payment Network, a three-party network, the Bank earns an issuer rate instead of interchange fees.

Legislative and regulatory bodies in a number of countries have sought, or are currently seeking, to reduce interchange fees through legislation, competition-related regulatory proceedings, voluntary agreements, central bank regulation and/or litigation.

In the United States, the Federal Reserve’s Regulation II places limits on the interchange fees that issuers may charge, and requires additional routing requirements for, debit cards issued on four-party networks, such as the remaining debit cards issued by the Bank on networks other than the Global Payment Network. In August 2025, a North Dakota district court ruled that the Federal Reserve exceeded its statutory authority when it originally promulgated Regulation II in 2011. As a result, the court vacated Regulation II, although the court stayed the vacatur order to allow time for the resolution of an appeal and allowed the Federal Reserve’s 2023 proposed rule to go into effect if it becomes finalized. Conversely, a district court in Kentucky ruled that the Federal Reserve acted in accordance with its statutory authority when it promulgated Regulation II and upheld the regulation. Any changes to Regulation II and the debit interchange regulatory scheme, including as a result of the ultimate resolution of these district court decisions, which remains unknown, may result in lower debit card interchange fees for cards issued on four-party networks. Such lower fees could, in turn, result in market pressures that reduce the discount rate charged for debit cards issued by the Bank on the Global Payment Network. For more information on Regulation II and the Federal Reserve’s 2023 proposed rule, please see “Part I—Item 1. Business—Supervision and Regulation.” State legislatures and regulatory agencies may also seek to enact legislation and regulation to limit fees or discount rates charged by networks.

K., interchange fees and related practices are subject to regulatory activity, including in some cases, imposing caps on permissible interchange fees. Our international card businesses have been impacted by these restrictions. For example, in the U.K. In 2005, a number of entities filed antitrust lawsuits against Mastercard and Visa and several member banks, including our subsidiaries and us, alleging among other things, that the

Table of Contents

defendants conspired to fix the level of interchange fees. For additional information about the lawsuits, see “Part II—Item 8. Financial Statements and Supplementary Data—Note 19—Commitments, Contingencies, Guarantees and Others.” .

In addition, some major retailers or industry sectors could independently negotiate lower interchange fees with Mastercard and Visa. This, as well as any ultimate resolution on the settlement with Mastercard and Visa, could in turn result in lower interchange fees or discount rates for us when our cardholders undertake purchase transactions with these retailers, either directly with respect to any debit or credit cards issued by the Bank on Mastercard’s and Visa’s networks, or indirectly as a result of market pressures with respect to debit or credit cards issued by the Bank on the Global Payment Network. Retailers may continue to bring legal proceedings against us or other credit card and debit card issuers and networks in the future.

Beyond pursuing legislation, regulation and litigation, merchants may also promote forms of payment with lower fees, as noted above, or seek to impose surcharges or discounts at the point of sale for use of credit or debit cards. If merchants increasingly impose surcharges or other point of sale pricing strategies in response to transaction fees, card usage and transaction volumes could decline, which could adversely affect our revenues and results of operations.

The heightened focus by legislative and regulatory bodies on the fees charged by credit and debit card networks, including on prepaid cards, and the ability of certain merchants to successfully pursue litigation, negotiate discounts to interchange fees or discount rates with payment networks or develop alternative payment systems could result in a loss of income from interchange fees. Changes to the terms or implementation of Regulation II or the adoption of other laws and regulations that impose limitations on the fees that can be charged by issuers or networks on debit or credit card transactions or require merchants to be provided an alternative network for transaction routing could have an adverse effect on our business, financial condition and results of operations. For example, if a change in law or regulation results in debit card transactions on three-party networks, such as debit cards issued by the Bank on the Global Payment Network being subject to the Regulation II cap on interchange fees, it could result in the Company not recognizing a significant majority of the network revenue synergies that the Company anticipated to be realized in connection with the Transaction. Additionally, the development of alternative payment systems or exclusivity arrangements among merchants and their debit card networks could result in loss of fee income earned by the Global Payment Network. Any resulting loss in income to us could have a material adverse effect on our business, financial condition and results of operations.

A reduction in the number of large merchants that accept cards on our recently acquired Discover Network or PULSE Network or in the rates they pay could materially adversely affect our business, financial condition, results of operations and cash flows.

The largest merchants participating in our recently acquired Discover Network or PULSE Network could seek to negotiate different pricing or other financial incentives by conditioning their continued participation on a change in the terms of their economic participation. Loss of acceptance at these merchants would decrease transaction volume, negatively impact our recently acquired brand and could cause customer attrition. In addition, some of the merchants on these networks, primarily small- and mid-size merchants, are not contractually committed to us for any period of time and may cease to participate in our Discover Network and PULSE Network at any time on short notice.

Actual or perceived limitations on acceptance of credit cards issued on the Discover Network or debit cards issued on the PULSE Network could adversely affect the use of, or the attractiveness to prospective customers of, our credit cards that rely on the Discover Network. Also, we may have difficulty attracting and retaining Network Partners if we are unable to add or retain acquirers or merchants who accept cards issued on the Discover or PULSE Networks. As a result of these factors, a reduction in the number of our merchants or the rates they pay could materially adversely affect our business, financial condition, results of operations and cash flows.

Defaults or risks from bankruptcies, liquidations, restructurings, consolidations and outages by our network participants may adversely affect our business, financial condition, cash flows and results of operations.

As the operator of the Global Payment Network, as an issuer and as a merchant acquirer, we face credit risk related to transactions on the Global Payment Network, including bankruptcies, liquidations, insolvencies, financial distress,

Table of Contents

restructurings, consolidations, operational outages, cybersecurity incidents and other similar events that may occur in any industry. For example, we are contingently liable for certain disputed credit card sales transactions that arise between customers and merchants. If we are unable to collect this amount from the merchant or merchant acquirer, we will bear the loss for the amount credited or refunded to the customer. Where the purchased product or service is not provided until some later date following the purchase, such as an airline ticket, the likelihood of potential liability increases.

If we are not able to invest successfully in and introduce digital and other technological developments across all our businesses, our financial performance may suffer.

We expect digital technologies to continue to have a significant impact on banking over time. Consumers expect robust digital experiences from their financial services providers. The ability for customers to access their accounts and conduct financial transactions using digital technology, including mobile applications, is an important aspect of the financial services industry, and financial institutions are rapidly introducing new digital and other technology-driven products and services that aim to offer a better customer experience and to reduce costs. We continue to invest in digital technology designed to attract new customers, facilitate the ability of existing customers to conduct financial transactions and enhance the customer experience related to our products and services.

Our continued success depends, in part, upon our ability to assess and address the needs of our customers by using digital technology to provide products and services that meet their expectations. The development and launch of new digital products and services depends in large part on our ability to invest in and build the technology platforms that can enable them, in a cost-effective and timely manner. We expect that new technologies in the payments industry will continue to emerge, and these new technologies may be superior to our existing technology. See “We face intense competition in all of our markets, which could have a material adverse effect on our business and results of operations” and “We face risks related to our operational, technological and organizational infrastructure.”

Furthermore, any new technology could have a significant impact on the effectiveness of the Company’s system of internal controls. Failure to successfully manage these risks in the development and implementation of new lines of business, new products or services and/or new technologies could have a material adverse effect on our business, financial condition and results of operations.

Some of our competitors are substantially larger than we are, which may allow those competitors to invest more money into their technology infrastructure and digital innovation than we do. In addition, smaller competitors may experience lower cost structures and different regulatory requirements and scrutiny than we do, which may allow them to innovate more rapidly than we can. See “We face intense competition in all of our markets, which could have a material adverse effect on our business and results of operations. The competition is intense, and the compensation costs continue to increase for such talent. If we are unable to attract and retain digital and technology talent, our ability to offer digital products and services and build the necessary technology infrastructure could be negatively affected, which could negatively impact our business and financial results. A failure to maintain or enhance our competitive position with respect to digital products and services, whether because we fail to anticipate customer expectations or because our technological developments fail to perform as desired or are not implemented in a timely or successful manner, could negatively impact our business and financial results.

We may fail to realize the anticipated benefits of our mergers, acquisitions and strategic partnerships.

We engage in merger and acquisition activity and enter into strategic partnerships from time to time.

Any merger, acquisition, disposition or strategic partnership we undertake, including the Transaction, entails certain risks, which may materially and adversely affect our results of operations. If we experience greater than anticipated costs to integrate

Table of Contents

acquired businesses into our existing operations, or are not able to achieve the anticipated benefits of any merger, acquisition or strategic partnership, including cost savings and other synergies, our business could be negatively affected. In addition, it is possible that the ongoing integration processes could result in the loss of key employees, errors or delays in systems implementation, exposure to cybersecurity risks associated with acquired businesses, exposure to additional regulatory oversight, the disruption of our ongoing businesses or inconsistencies in standards, controls, procedures and policies that adversely affect our ability to maintain relationships with partners, clients, customers, depositors and employees or to achieve the anticipated benefits of any merger, acquisition or strategic partnership. Integration efforts also may divert management attention and resources. These integration matters may have an adverse effect on us during any transition period.

In addition, we may face the following risks in connection with any merger, acquisition or strategic partnership:

•New Businesses and Geographic or Other Markets: Our merger, acquisition or strategic partnership activity may involve our entry into new businesses or new geographic areas or markets in the U.S. or internationally that present risks resulting from our relative inexperience in these new businesses, localities or markets. These new businesses, localities or markets may change the overall character of our consolidated portfolio of businesses and alter our exposure to economic and other external factors. We also face the risk that we will not be successful in these new businesses, localities or markets.

•Identification and Assessment of Merger and Acquisition Targets and Deployment of Acquired Assets: We may not be able to identify, acquire or partner with suitable targets. Further, our ability to achieve the anticipated benefits of any merger, acquisition or strategic partnership will depend on our ability to assess the asset quality, risks and value of the particular assets or institutions we partner with, merge with or acquire. We may be unable to profitably deploy any assets we acquire.

•Accuracy of Assumptions: In connection with any merger, acquisition or strategic partnership, we may make certain assumptions relating to the proposed merger, acquisition or strategic partnership that may be, or may prove to be, inaccurate, including as a result of the failure to anticipate the costs, timeline or ability to realize the expected benefits of any merger, acquisition or strategic partnership. The inaccuracy of any assumptions we may make could result in unanticipated consequences that could have a material adverse effect on our results of operations or financial condition.

•Target-Specific Risk: Assets and companies that we acquire, or companies that we enter into strategic partnerships with, will have their own risks that are specific to a particular asset or company. For example, we may face challenges associated with integrating other companies due to differences in corporate culture, compliance systems or standards of conduct. Indemnification rights, if any, may be insufficient to compensate us for any losses or damages resulting from such risks. In addition to regulatory approvals discussed below, certain of our merger, acquisition or partnership activity may require third-party consents in order for us to fully realize the anticipated benefits of any such transaction.

•Conditions to Regulatory Approval: We may be required to obtain various governmental and regulatory approvals to consummate certain acquisitions. We cannot be certain whether, when or on what terms and conditions, such approvals may be granted. Consequently, we may not obtain governmental or regulatory approval for a proposed acquisition on acceptable terms or at all, in which case we would not be able to complete the acquisition despite investing resources in pursuing it.

For additional risks related to the Transaction, see “Risks Relating to the Transaction and Integration of Discover.”

Reputational risk and social factors may impact our results and damage our brand.

Our ability to attract and retain customers is highly dependent upon the perceptions of consumer and commercial borrowers and deposit holders and other external perceptions of our products, services, business practices, workplace culture, compliance practices or our financial health. Capital One’s brands, including Discover, PULSE and Diners Club, are some of our most

Table of Contents

important assets. Maintaining and enhancing our brands depends largely on our ability to continue to provide high-quality products and services. Adverse perceptions regarding our reputation in the consumer, commercial and funding markets could lead to difficulties in generating, maintaining and financing accounts. In particular, negative public perceptions regarding our reputation, including negative perceptions regarding our ability to maintain the security of our technology systems and protect customer data, could lead to decreases in the levels of deposits that current and potential consumer and commercial customers choose to maintain with us.

Such conduct could fall short of our customers’ and the public’s heightened expectations of companies of our size with rigorous privacy, data protection, data security and compliance practices, and could further harm our reputation. We strategically license our trademarks to business partners and network participants, some of whom have contractual obligations to promote and develop our brands. In addition, our co-brand and private label credit card partners or other third parties with whom we have important relationships may take actions over which we have limited control that could negatively impact perceptions about us or the financial services industry.

The proliferation of social media and its rapid and broad dissemination of information (or misinformation and disinformation) may increase the likelihood that negative public opinion from any of the actual or alleged events discussed above may trigger a loss of trust or confidence on the part of clients, counterparties, shareholders, investors, debt holders, market analysts or other relevant parties, including regulators, and could impact our reputation and business.

In addition, a variety of economic or social factors may cause changes in borrowing activity, including credit card use, payment patterns and the rate of defaults by account holders and borrowers domestically and internationally. These economic and social factors include changes in consumer confidence levels, the public’s perception regarding the banking industry and consumer debt, including credit card use, and changing attitudes about the stigma of bankruptcy. If consumers develop or maintain negative attitudes about incurring debt, or consumption trends decline or if we fail to maintain and enhance our brand, or we incur significant expenses to do so, our reputation and business and financial results could be materially and negatively affected.

Environmental, social and corporate governance policies may create competing stakeholder, legislative and regulatory scrutiny that may impact our reputation or operations. As a result, we may not be able to meet the full range of expectations and demands of all our stakeholders. Any failure to meet our stakeholders full range of expectations and demands could result in reputational damage, a loss of customer and investor confidence, increased legal and operational risks and other adverse effects on our results of operations and prospects. For example, as part of our acquisition of Discover, we have committed to a $265 billion Community Benefits Plan (“CBP”) over five years. Failure to adequately deliver on, or material revisions to, this commitment, whether due to financial constraints, operational inefficiencies or external economic factors, may lead to public criticism, which may expose us to significant reputational risks. Also, some stakeholders may object to the scope or nature of the CBP initiative, which could give rise to negative responses by governmental actors (e.g., litigation, retaliatory legislation) or by customers and advocates (e.g., boycotts) that could adversely affect our brand value.

If we are not able to protect our intellectual property rights, or we violate third-party intellectual property rights, our revenue and profitability could be negatively affected.

We also undertake other measures to control access to and distribution of our other proprietary and confidential information. In certain situations, we may be compelled to engage in intellectual property-related litigation to enforce our intellectual property rights, which may incur significant expense and may be perceived negatively by customers or industry partners, thus potentially resulting in reputational harm and may adversely impact our business, financial position and results of operations. Given the complex,

Table of Contents

rapidly changing and competitive technological and business environments in which we operate, if our competitors or other third parties are successful in obtaining such patents or prevail in intellectual property-related litigation or demands against us, we could lose significant revenues, incur significant license, royalty, technology development or other expenses, or pay significant damages. Furthermore, given intellectual property ownership and license rights surrounding AI, such as generative AI, are currently not fully addressed by courts or regulators, any output created by us using AI may not be subject to copyright or other intellectual property protection, which may adversely affect our intellectual property or other proprietary rights in, or ability to commercialize or use, any such output, and our use or adoption of AI may result in exposure to claims by third parties.

We license certain intellectual property and technology that are important to our business, and in the future, we may enter into additional agreements that provide us with licenses to valuable intellectual property or technology. If we fail to comply with any of these obligations under our license agreements, we may be required to pay damages and the licensor may have the right to terminate the license. Termination by the licensor (or other applicable counterparty) may cause us to lose valuable rights, and could disrupt our operations and harm our reputation. In the future, we may identify additional third-party intellectual property and technology we need, including to develop and offer new products and services. However, such licenses may not be available on acceptable terms or at all.

While we believe that we have all the necessary licenses from third parties for any intellectual property, including technology and software, that we use in the operations of our business but do not own, a third party could nonetheless allege that we are infringing its rights, which may deter our ability to obtain licenses on commercially reasonable terms from the third party, if at all, or cause the third party to commence litigation against us.

Our risk management strategies may not be fully effective in mitigating our risk exposures in all market environments or against all types of risk.

Management of market, credit, liquidity, strategic, reputational, operational and compliance risk requires, among other things, policies and procedures to properly record and verify a large number of transactions and events. See “Part II—Item 7. MD&A—Risk Management” for further details. In addition, the Transaction introduced new and different sources of risk that may present unique risk exposures. As a result of the Transaction, we have inherited control gaps and risk exposures that differ in nature, timing and magnitude from those we have historically managed.

Some of our methods of managing these risks are based upon our use of observed historical market behavior, the use of analytical and/or forecasting models and management’s judgment. These methods may not accurately predict future exposures, which could be significantly greater than the historical measures or models indicate, and market conditions, particularly during a period of financial market stress, can involve unprecedented dislocations. For example, credit risk is inherent in the financial services business and results from, among other things, extending credit to customers. Our ability to assess the creditworthiness of our customers may be impaired if the models and approaches we use to select, manage and underwrite our consumer and commercial customers become less predictive of future charge-offs due, for example, to rapid changes in the economy, or degradation in the predictive nature of credit bureau and other data used in underwriting.

While we employ a broad and diversified set of risk monitoring and risk mitigation techniques, those techniques and the judgments that accompany their application cannot anticipate every economic and financial outcome or the timing of such outcomes. For example, our ability to implement our risk management strategies may be hindered by adverse changes in the volatility or liquidity conditions in certain markets and, as a result, may limit our ability to distribute such risks (for instance, when we seek to syndicate exposure in bridge financing transactions we have underwritten). We may, therefore, incur losses in the course of our risk management or investing activities. As our business expands and evolves, including in connection with the Transaction and the adoption of new technologies, such as AI, our risk management methods may not always effectively adapt with those changes.

Our business could be negatively affected if we are unable to attract, develop, retain and motivate key senior leaders and skilled employees.

Table of Contents

Our success depends, in large part, on our ability to retain key senior leaders and to attract, develop and retain skilled employees, particularly employees with advanced expertise in credit, risk, digital and technology skills. We depend on our senior leaders and skilled employees to oversee simultaneous, transformative initiatives across the enterprise and execute on our business plans in an efficient and effective manner. The market for such senior leaders and skilled employees can be competitive and hard to predict, and attracting, developing and retaining them may require significant investment generally and in any given year. While we engage in robust succession planning, our key senior leaders have deep and broad industry experience and could be difficult to replace without some degree of disruption.

Regulation or regulatory guidance restricting executive compensation, as well as evolving investor expectations, may limit the types of compensation arrangements that we may enter into with our most senior leaders and could have a negative impact on our ability to attract, retain and motivate such leaders in support of our long-term strategy. These laws and regulations may not apply in the same manner to all financial institutions and technology companies, which therefore may subject us to more restrictions than other institutions and companies with which we compete for talent and may also hinder our ability to compete for talent with other industries. We rely upon our senior leaders not only for business success, but also to lead with integrity. To the extent our senior leaders behave in a manner that does not comport with our values, the consequences to our brand and reputation could be severe and could adversely affect our financial condition and results of operations. If we are unable to attract, develop and retain talented senior leadership and employees, or to implement appropriate succession plans for our senior leadership, our business could be negatively affected.

In addition, advances in technology, such as automation and AI, may lead to workforce evolution. This could require us to invest in additional employee training, manage impacts on morale and retention, and compete for employment candidates who possess more advanced technological skills, all of which could have a negative impact on our business and operations.

We face risks from catastrophic events.

Natural disasters, geopolitical events, supply chain issues and other catastrophic events can have widespread and unpredictable impacts on global society, economic conditions and consumer and business behavior, which may reoccur or occur over an extended duration. These events could harm our employees, business and infrastructure, including our information technology systems and third-party platforms. Our ability to conduct business may be adversely affected by a disruption in the infrastructure that supports our business and the communities where we are located, which are concentrated in the Northern Virginia, New York and Chicago metropolitan areas, Richmond, Virginia, Plano, Texas and the Philippines. This may include a disruption involving damage or loss of access to a physical site, cyber-attacks and other security incidents, terrorist activities, the occurrence or worsening of disease outbreaks or pandemics, natural disasters, extreme weather events, electrical outage, environmental hazards, disruption to technological infrastructure, communications or other services we use, our employees or third parties with whom we conduct business. Our business, financial condition and results of operations may be impacted by any such disruption and our ability to implement corresponding response measures quickly. In addition, if a natural disaster or other catastrophic event occurs in certain regions where our business, customers or assets securing our loans are concentrated, such as the mid-Atlantic, New York, California or Texas metropolitan areas, or in regions where our third-party platforms are located, we could be disproportionately impacted as compared to our competitors. The impact of such events and other catastrophes on the overall economy and our physical and transition risks may also adversely affect our financial condition and results of operations.

Climate change manifesting as physical or transition risks could adversely affect our businesses, operations and customers and result in increased costs.

Climate change risks can manifest as physical or transition risks.

Physical risks are the risks from the effects of climate change arising from acute, climate-related events, such as hurricanes, flooding and wildfires, and chronic shifts in climate, such as sea level rise and higher average temperatures. Such events could

Table of Contents

lead to financial losses or disrupt our operations or those of our customers or third parties on which we rely, including through direct damage to assets and indirect impacts from supply chain disruption and market volatility.

Transition risks are the risks resulting from the shift toward a lower-carbon economy arising from the changes in policy, consumer and business sentiment or technologies associated with changes to limit climate change. Transition risks, including changes in consumer preferences and additional regulatory requirements or taxes, could increase our expenses, affect credit performance and impact our strategies or those of our customers.

Physical and transition risks could also affect the financial health of certain customers in impacted industries or geographies. In addition, due to divergent views of stakeholders, we are at increased risk that any action, or lack thereof, by us concerning our response to climate change could be perceived negatively by some stakeholders, which could adversely impact our reputation and businesses. We may incur additional costs and require additional resources as we evolve our strategy, practices and related disclosures with respect to these matters.

As climate risk is interconnected with many risk types, we continue to enhance processes to embed evolving climate risk considerations into our existing risk management strategies; however, because the timing and severity of climate change may not be predictable, our risk management strategies may not be effective in mitigating climate risk exposure. Additionally, estimations used in climate reporting and climate-related risk assessments have an increased level of uncertainty due to limited historical trend information and the absence of standardized, reliable and comprehensive greenhouse gas emissions data across the economy, which could cause these risk assessments to vary significantly over time or actual risks to vary from our assessments.

We face risks from the use of or changes to assumptions or estimates in our financial statements.

Pursuant to generally accepted accounting principles in the United States of America (“U.S. GAAP”), we are required to use certain assumptions, judgments and estimates in preparing our financial statements, including determining our allowance for credit losses, the liability for legal actions, the fair value of certain assets and liabilities, and goodwill impairment, among other items. For a discussion of our use of estimates in the preparation of our consolidated financial statements, see “Part II—Item 7. MD&A—Critical Accounting Policies and Estimates” and “Item 8. Financial Statements and Supplementary Data—Note 1—Summary of Significant Accounting Policies.”

The soundness of other financial institutions and other third parties, actual or perceived, could adversely affect us.

Financial services institutions are interrelated as a result of trading, clearing, servicing, counterparty and other relationships. We have exposure to financial institutions, intermediaries and counterparties that are exposed to risks over which we have little or no control.

Since 2023, several financial services institutions failed or required outside liquidity support, in many cases, as a result of the inability of the institutions to obtain needed liquidity. This has led to additional risk for other financial services institutions and the financial services industry generally as a result of increased lack of confidence in the financial sector. The failure of other banks and financial institutions and the measures taken by governments, businesses and other organizations in response to these events could adversely impact our business, financial condition and results of operations. For information on the FDIC’s special assessment following the closures of Silicon Valley Bank and Signature Bank, see “Part I—Item 1. Business—Supervision and Regulation.”

In addition, we routinely execute transactions with counterparties in the financial services industry, including brokers and dealers, commercial banks, investment banks, mutual and hedge funds and other institutional clients, resulting in a significant credit concentration with respect to the financial services industry overall. As a result, defaults by, or even rumors or questions

Table of Contents

about, one or more financial services institutions, or the financial services industry generally, have led to market-wide liquidity problems and could lead to losses or defaults by us or by other institutions.

Likewise, adverse developments affecting the overall strength and soundness of our competitors, the financial services industry as a whole and the general economic climate and the U.S. Treasury market could have a negative impact on perceptions about the strength and soundness of our business even if we are not subject to the same adverse developments. In addition, adverse developments with respect to third parties with whom we have important relationships also could negatively impact perceptions about us. These perceptions about us could cause our business to be negatively affected and exacerbate the other risks that we face.

Item 1B. Unresolved Staff Comments

None.

Item 1C. Cybersecurity

Risk Management and Strategy

As a financial services company entrusted with the safeguarding of sensitive information, including sensitive personal information, we believe that a strong enterprise cybersecurity program is a vital component of effectively managing risks related to the confidentiality, integrity and availability of our data, including information about us, our customers, transactions processed on our networks or on third-party networks on our behalf, or third parties with which we do business. For further discussion of cybersecurity and technology risk, and related risks for our business, see “Item 1A. Risk Factors.”

We manage cybersecurity and technology risk at the enterprise level according to our Framework, as described in more detail under “Part II—Item 7. MD&A—Risk Management” in this Report, which uses a three lines of defense model. Through this Framework, we establish practices for assessing our risk posture and executing key controls for cybersecurity and technology risk, data management, and oversight of third parties with which we do business.

Our policies and procedures define an enterprise-wide approach for managing cybersecurity and technology risk. They establish the following process to identify, assess and manage such risks across our three lines of defense:

1.Identification: We evaluate the activities of our lines of business on a regular basis to identify potential cybersecurity and technology risk, including cybersecurity threats and vulnerabilities. This process takes into account the changing business environment, the technology and cyber threat landscape, and the objectives of the line of business being assessed.

2.Assessment, Measurement and Response: Management assesses identified risks to estimate such risk’s potential severity and the likelihood of occurrence. Once a risk is identified and measured, management determines the appropriate response, including determining whether to accept the risk in accordance with our established risk appetite, or alternatively to implement new controls, enhance existing controls, and/or develop additional mitigation strategies to reduce the impact of the risk.

3.Monitoring and Testing: Management is required to evaluate the effectiveness of risk management practices and controls through monitoring of key risk indicator metrics, testing and other activities. Identified issues are remediated, addressed via mitigation plans, or escalated, in line with our risk appetite.

4.Aggregation, Reporting and Escalation: Management collects and aggregates risks across the Company in order to support strategic decision-making and to measure overall risk performance against risk appetite metrics. Management also establishes processes designed to escalate, report, and address risks and deficiencies within different business

Table of Contents

lines, according to the requirements of our policies. For additional information regarding the escalation of these risks to the Board of Directors, see “Governance” below.

For example, our third-party risk management policy is designed to help enable timely and effective identification, measurement and management of third-party risks throughout the lifecycle of such relationships, which includes planning, due diligence, and third-party selection, contracting, risk-based monitoring and termination. We also assess, identify and manage cybersecurity and technology risks associated with our merger and acquisition activities.

We also engage a number of external service providers with additional knowledge and capabilities in cybersecurity threat intelligence, detection and response. When appropriate, we leverage partnerships with relevant government entities, law enforcement agencies and industry information sharing forums, such as the Financial Services Information Sharing and Analysis Center (“FS-ISAC”), to further inform our understanding of the threat environment and how to effectively defend the Company against such threats. Employees are required to annually certify their completion of training on both cybersecurity and data privacy, and our cyber education program implements targeted testing and training focused on high-risk populations and responding to an evolving threat landscape.

We also maintain an Enterprise Cyber Response Plan (“ECRP”) designed to handle suspected or actual cybersecurity events that could impact us and our personnel, data, systems, transactions processed on our networks, customers and third parties with which we do business. The ECRP is reviewed and refined periodically and refinement is informed in part by a series of table-top exercises that we conduct over the course of the year.

With respect to our recent acquisition of Discover, we have been actively integrating the Discover cybersecurity program into ours in accordance with our Framework, while continuing to identify, assess, and manage cybersecurity and technology risks that may arise as part of our ongoing integration processes. See “Item 1A. Risk Factors—Risks Relating to the Transaction and Integration of Discover” for more information.

For further discussion of cybersecurity, and related risks for our business, see “Item 1A. Risk Factors” under the headings “We face risks related to our operational, technological and organizational infrastructure” and “A cyber-attack or other security incident on us or third parties (including their supply chains) with which we conduct business, including an incident that results in the theft, loss, manipulation or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions.”

Governance

The Board of Directors is responsible for providing oversight of our Framework. The Risk Committee of the Board of Directors (“Risk Committee”) assists the full Board of Directors in discharging these responsibilities.

The Risk Committee is responsible for overseeing our Framework, including cybersecurity and technology risk. The Risk Committee regularly receives reports from management on our cybersecurity and technology risk profile, key enterprise cybersecurity initiatives, and on any identified significant threats or incidents, or new risk developments, which, in the aggregate, are intended to present an overall view on the status of our cybersecurity program and the Company’s compliance with applicable legal and regulatory requirements.

Table of Contents

The Risk Committee coordinates with the full Board of Directors regarding the strategic implications of cybersecurity and technology risks.

At least annually, the Board of Directors, either directly or through the Risk Committee, reviews our technology strategy with the Chief Information Officer (“CIO”); reviews our cybersecurity program with the Chief Information Security Officer (“CISO”) and the Chief Technology Risk Officer (“CTRO”); and approves our cybersecurity policy and program. In addition, the Risk Committee and the Board of Directors participate in periodic cybersecurity education sessions.

We assess and manage risk at the enterprise level according to our Framework using a three lines of defense model. For cybersecurity and technology risks,

our first line of defense includes the following:

•Chief Information Security Officer: The CISO establishes and manages the enterprise-wide cybersecurity program.

•Chief Information Officer: The CIO oversees the establishment of appropriate governance, processes and accountabilities within each business area to comply with our internal policies.

our second line of defense includes the following:

•Chief Technology Risk Officer: The CTRO provides independent oversight of our cybersecurity programs and challenges of first line risk management and risk-taking activities pertaining to cybersecurity and technology risk.

•The Executive Risk Committee: This committee provides a forum for our top management to have integrated discussions of risk management across the enterprise, including cybersecurity and technology risk, with the purpose of ensuring prioritization and awareness, encouraging alignment and coordinating risk management activities among key executives. Primary responsibility for specialized risk categories, such as cybersecurity and technology, can also be delegated to other senior management sub-committees, as appropriate.

our third line of defense is comprised of:

•Internal Audit: Our internal audit team provides independent and objective assurance to senior management and to the Board of Directors that our cybersecurity and technology risk management processes are designed and working as intended.

In order to be appointed to one of the roles described above, we require the individuals to possess significant relevant experience and expertise in information security, technology, risk management or audit, as demonstrated by a combination of prior employment, possession of relevant industry certifications or related degrees, and other competencies and qualifications. In particular, our CISO has more than 30 years of cybersecurity and information technology experience, including for nearly five years as CISO at a major global technology company before joining the Company, and holds a CISO Certificate from Carnegie Mellon’s Heinze College. Our CTRO has been in cybersecurity for approximately 25 years and spent over three years as the global CISO of a G-SIB. Prior to that, he served as a senior executive in cybersecurity in the U.S. government. He holds a degree in computer science from the Georgia Institute of Technology and a doctorate in computer security from the University of Cambridge. Our CIO has been with the Company for approximately 20 years, during which he has overseen multiple technology transformation initiatives, including the Company’s transition to the public cloud. He holds degrees in physics and business administration from Harvard University.

Recently Filed

Click on a ticker to see risk factors

Ticker *	File Date
IRTC	30 minutes ago
GCMG	33 minutes ago
ED	37 minutes ago
IAUX	38 minutes ago
LNC	38 minutes ago
TSCO	42 minutes ago
MSTR	42 minutes ago
GH	46 minutes ago
MIR	55 minutes ago
CSGS	an hour ago
LKQ	an hour ago
DTM	an hour ago
BG	an hour ago
THRM	an hour ago
SEM	an hour ago
TVTX	an hour ago
KALU	an hour ago
LYV	an hour ago
FTI	an hour ago
MS	an hour ago
ICUI	an hour ago
ET	an hour ago
BNL	an hour ago
OWL	an hour ago
BTU	an hour ago
EFX	an hour ago
PTCT	an hour ago
RPD	an hour ago
MET	an hour ago
IEX	an hour ago
CNDT	an hour ago
SPSC	an hour ago
CYH	an hour ago
SLM	an hour ago
STT	an hour ago
WSC	an hour ago
NPO	an hour ago
FFBC	an hour ago
SUNC	an hour ago
FDP	an hour ago
SUN	an hour ago
UDMY	an hour ago
OPEN	an hour ago
MSEX	an hour ago
ULS	an hour ago
GATX	an hour ago
RMAX	an hour ago
CTO	an hour ago
GLPI	an hour ago
AIZ	an hour ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - COF

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - COF

-New additions in green-Changes in blue-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing