Risk Factors Dashboard
Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10-K reports, allowing investors to quickly identify new potential risks and opportunities.
Risk Factors - KEY
Item 1A. Risk Factors - “We operate in a highly competitive industry.”

Should the fundamentals of the commercial real estate market deteriorate, our financial condition and results of operations could be adversely affected.
Our credit ratings affect our liquidity position.
Our controls and procedures may fail or be circumvented, and our methods of reducing risk exposure may not be effective.
Negative coverage about Key published in traditional media or on social media websites, whether or not factually
Differing views on corporate responsibility and sustainability could adversely affect our reputation and our business and results of operations. Key is subject to corporate responsibility and sustainability efforts risks that could adversely affect our reputation and our business and results of operations.
Key maintains an Information Security Program (the “IS Program”) to support the management of information security risk, including cybersecurity risk, across the organization. The IS Program is designed to protect Key’s information assets. Our Chief Information Security Officer (“CISO”), who is also the Enterprise Security
The CISO is responsible for reporting on information security matters, including cybersecurity risk, to the Board. The CISO provides regular updates on cybersecurity matters to the Audit Committee (six times in 2025). These updates typically address the cybersecurity threat landscape, information security trends, strategic initiatives related to information security, and cybersecurity program reviews. The CISO also provides regular updates to the Risk Committee on cybersecurity matters as well as Key’s compliance with the Gramm-Leach-Bliley Act (at least
Human Capital
Engaging a high performing and collaborative workforce is a top strategic priority for Key. Our human capital management strategy is focused on attracting, retaining, developing, motivating and rewarding the talent our businesses need to drive sound, profitable growth, and ultimately, enhance shareholder value, which we do by offering a competitive total rewards package, providing opportunities for career development and growth, and fostering a culture that is fair and inclusive for all.
Competitive Rewards
We make investments to hire and retain the people we need to serve our customers and communities and regularly review our pay practices to reflect changing market and economic conditions. As of December 31, 2025, 95% of employees earned $20 or more per hour. In recent years, we have made other compensation adjustments in response to market trends, competitive pressures, and a dynamic market for talent.
These investments include a comprehensive and competitive total rewards program, representing our investment in our teammates’ collective success and reflecting our commitment to helping them thrive. Key’s benefits offerings include employee health and welfare plans, a 401(k) plan with competitive matching contributions (dollar for dollar, up to the first 7% of eligible pay contributed on a per pay period basis for eligible employees), up to ten weeks of paid parental leave, a Discounted Stock Purchase Plan, wellness incentives, and a lifestyle reimbursement account program for covered expenses related to health, mental wellness, family needs, and finances.
Teammates can also participate in a variety of company-sponsored volunteer and giving opportunities, including Neighbors Make the Difference Day, our national employee volunteer day, and the Employee Matching Gift Program, which offers eligible employees the opportunity to support qualified nonprofit organizations and multiply their contributions through the KeyBank Foundation.
We have a pay-for-performance culture that is guided by the following three principles:
• Pay decisions are based on Key’s performance, business unit performance, and individual performance.
• We deliver pay in a way that balances short-term and long-term financial performance objectives and aligns to shareholder value creation.
• We support sustainable performance with policies that focus on prudent risk-taking and the balance between risk and reward.
We design our compensation programs to balance risk and reward and align with the guidance of our regulators, and we regularly monitor these programs to remain within our risk tolerances. We subject all discretionary incentives paid to our employees to a robust risk adjustment process that begins before grant and extends beyond payment.
Career Development and Growth
We invest in our teammates’ growth and professional development through a variety of internal networking groups that are open to all teammates, including our Key Business Impact and Networking Groups (“KBINGs”), formal and informal mentoring programs, including Key’s enterprise-wide formal mentoring program, MentorMe at Key, and a suite of leadership development programs. We also offer employees the opportunities to develop and enhance their skills through formal learning curricula and to obtain tuition reimbursement for eligible collegiate or post-collegiate education and relevant certifications.
Key’s Workforce
Key had an average of 17,226 full time equivalent employees in 2025. As of December 31, 2025, a total of 17,883 full-time and part-time employees worked in the following regions, which are generally aligned to the regions Key uses for its retail branch banking network:

We invest significant time and resources in creating an attractive work environment and competitive total rewards package that attracts and retains top talent. Key’s annualized rate for voluntary turnover as of December 31, 2025, was 12.7%, lower than our annualized voluntary turnover rate for 2024, which was 13.2%, and lower than our previous five-year historical average of 15.3%. Key’s annualized rate for voluntary turnover as of December 31, 2024, was 13.2%, lower than our annualized voluntary turnover rate for 2023, which was 14.6%, and lower than our previous five-year historical average of 15.3%.
Information About Our Executive Officers
KeyCorp’s executive officers are principally responsible for managing the operations of KeyCorp, making policy for KeyCorp, executing on strategic decisions, and managing material risks, subject to the supervision and direction of the Board. All executive officers are subject to annual election at the annual organizational meeting of the Board held each May.
Set forth below are the names and ages of the executive officers of KeyCorp as of December 31, 2025, the positions held by each at KeyCorp during the past five years, and the year each first became an executive officer of KeyCorp. Because Mohit Ramani and James Waters have been employed at KeyCorp for less than five years, information is being provided concerning their prior business experience. There are no family relationships among the directors or the executive officers, and there is no arrangement or understanding between any executive officer and any other person pursuant to which the executive officer was selected.
Victor B. Alexander (46) - Mr. Alexander has been KeyCorp’s Head of Consumer Bank and an executive officer of KeyCorp since January 2020. Prior to that time, he served as the Head of Home Lending from October 2018 to January 2020 and Treasurer from July 2017 to October 2018.
Amy G. Brady (59) - Ms. Brady is KeyCorp’s Chief Information Officer, serving in that role since May 2012. Ms. Brady has been an executive officer of KeyCorp since she joined in 2012. She has been a director of DuPont de Nemours, Inc., a multi-industry specialty solutions company, since 2019.
Trina M. Evans (61) - Ms. Evans has been the Director of Corporate Center for KeyCorp since August 2012. Prior to this role, Ms. Evans was the Chief Administrative Officer for Key Community Bank and the Director of Client Experience for KeyBank. She became an executive officer of KeyCorp in March 2013.
Kenneth C. Gavrity (49) - Mr. Gavrity has been Head of Commercial Bank since November 2023 and became an executive officer of KeyCorp in May 2021. Prior to this, Mr. Gavrity served as Head of Enterprise Payments from January 2019 to November 2023 and Head of Commercial Payments from 2016 to 2019.
Stacy L. Gilbert (54) - Ms. Gilbert has been the Chief Accounting Officer and an executive officer of KeyCorp since March 2024. Prior to her appointment as Chief Accounting Officer, Ms. Gilbert served as Corporate Controller for KeyCorp since August 2023. She previously served as Assistant Corporate Controller and Senior Director of External Reporting and Accounting Policy from April 2021 to August 2023.
Christopher M. Gorman (65) - Mr. Gorman has been Chairman, Chief Executive Officer, and President of KeyCorp since May 1, 2020. Mr. Gorman previously served as President and Chief Operating Officer from September 2019 to May 2020 and President of Banking and Vice Chairman from 2017 to September 2019. From 2016 to 2017, he served as Merger Integration Executive responsible for leading the integration efforts related to KeyCorp’s merger with First Niagara. Prior to that, Mr. Gorman was the President of Key Corporate Bank from 2010 to 2016. He became an executive officer of KeyCorp in 2010.
Clark H.I. Khayat (54) - Mr. Khayat has been Chief Financial Officer since March 2023 and an executive officer since September 2018. Mr. Khayat rejoined KeyCorp as Chief Strategy Officer in January 2018 and served in that role until March 2023. Mr. Khayat had previously served as Head of Key’s Enterprise Commercial Payments group from April 2014 to June 2016.
Allyson M. Kidik (46) - Ms. Kidik has been the Chief Auditor and an executive officer of KeyCorp since July 2022. Ms. Kidik has been the Chief Risk Review Officer and General Auditor and an executive officer of KeyCorp since July 2022. Ms. Kidik previously served as Senior Deputy General Auditor from 2018 to 2022 and Deputy General Auditor from 2015 to 2018.
Angela G. Mago (60) - Ms. Mago has served as the Chief Human Resources Officer since November 2023. She previously served as Head of Commercial Bank from May 2019 to November 2023 and Co-Head of Key Corporate Bank from 2016 to May 2019. She became an executive officer of KeyCorp in 2016.
Andrew J. Paine III (56) - Mr. Paine has been the Head of Institutional Bank since 2019. He previously served as Co-Head of Key Corporate Bank from 2016 to May 2019. He also serves as President of KeyBanc Capital Markets Inc., a role he has held since 2013. He became an executive officer of KeyCorp in 2016.
Mohit Ramani (52) - Mr. Ramani has served as Chief Risk Officer and an executive officer of KeyCorp since January 2025. Prior to that time, he served in a variety of roles with Truist Financial Corporation, including Deputy Chief Risk Officer and Chief Credit Officer from January 2023 to January 2025 and Chief Business Unit Risk Officer from 2000 to 2023.
James L. Waters (59) - Mr. Waters became the General Counsel and Secretary and an executive officer of KeyCorp in July 2021. From 2018 to 2021, he served as General Counsel and Corporate Secretary of Cullen/Frost Bankers, Inc., a financial holding company.
Supervision and Regulation
The regulatory framework applicable to BHCs and banks is intended primarily to protect consumers, the DIF, taxpayers and the banking system as a whole, rather than to protect the security holders and creditors of financial services companies. Comprehensive reform of the legislative and regulatory environment for financial services companies remains ongoing. We cannot predict changes in applicable laws, regulations or regulatory agency policies, but any such changes may materially affect our business, financial condition, results of operations, or access to liquidity or credit.
Overview
Federal law establishes a system of regulation under which the Federal Reserve is the umbrella regulator for BHCs, while their subsidiaries are principally regulated by prudential or functional regulators: (i) the OCC for national banks and federal savings associations; (ii) the FDIC for state non-member banks and savings associations; (iii) the Federal Reserve for state member banks; (iv) the CFPB for consumer financial products or services; (v) the SEC and FINRA for securities broker/dealer activities; (vi) the SEC, CFTC, and NFA for swaps and other derivatives; and (vii) state insurance regulators for insurance activities. Certain specific activities, including traditional bank trust and fiduciary activities, may be conducted in a bank without the bank being deemed a “broker” or a “dealer” in securities for purposes of securities functional regulation.
BHC acquisition rules and permissible activities
Under the BHCA, BHCs generally may not directly or indirectly own or control more than 5% of the voting shares, or substantially all of the assets, of any bank, without prior approval from the Federal Reserve. In addition, BHCs are generally prohibited from engaging in commercial or industrial activities. However, a BHC that satisfies certain requirements regarding management, capital adequacy, and Community Reinvestment Act performance may elect to be treated as a Financial Holding Company (“FHC”) for purposes of federal law, and as a result may engage in a substantially broader scope of activities that are considered to be financial in nature or complementary to those activities. KeyCorp has elected to be treated as a FHC and, as such, is authorized to engage in securities underwriting and dealing, insurance agency and underwriting, and merchant banking activities. In addition, the Federal Reserve has permitted FHCs, like KeyCorp, to engage in the following activities, under the view that such activities are complementary to a financial activity: physical commodities trading activities, energy management services, and energy tolling, among others.
Source of strength doctrine
Under federal law, a BHC also must serve as a source of financial strength to its subsidiary depository institution(s) by providing financial assistance in the event of financial distress. This support may be required when the BHC does not have the resources to, or would prefer not to, provide it. Certain loans by a BHC to a subsidiary bank are subordinate in right of payment to deposits in, and certain other indebtedness of, the subsidiary bank. In addition, federal law provides that in the bankruptcy of a BHC, any commitment by the BHC to a federal bank regulatory agency to maintain the capital of a subsidiary bank will be assumed by the bankruptcy trustee and entitled to priority of payment.
Supervisory framework
The Dodd-Frank Act created the FSOC to overlay the U.S. supervisory framework for BHCs, IDIs, and other financial service providers, by serving as a systemic risk oversight body. Specifically, the FSOC is authorized to: (i) identify risks to U.S. financial stability that could arise from the material financial distress or failure, or ongoing activities, of large, interconnected SIFIs, or that could arise outside the financial services marketplace; (ii) promote market discipline by eliminating expectations that the U.S. government will shield shareholders, creditors, and counterparties from losses in the event of failure; and (iii) respond to emerging threats to the stability of the U.S. financial system. The FSOC is responsible for facilitating regulatory coordination; information collection and sharing; designating nonbank financial companies for consolidated supervision by the Federal Reserve; designating systemic financial market utilities and systemic payment, clearing, and settlement activities requiring prescribed risk management standards and heightened federal regulatory oversight; recommending stricter standards for SIFIs; and, together with the Federal Reserve, determining whether action should be taken to break up firms that pose a grave threat to U.S. financial stability.
As an FHC, KeyCorp is subject to regulation, supervision, and examination by the Federal Reserve under the BHCA. Our national bank subsidiaries and their subsidiaries are subject to regulation, supervision, and examination by the OCC. At December 31, 2025, we operated one full-service, FDIC-insured national bank subsidiary, KeyBank, and one national bank subsidiary that is limited to fiduciary activities. The FDIC also has certain, more limited regulatory, supervisory, and examination authority over KeyBank and KeyCorp under the FDIA and the Dodd-Frank Act.
We have other financial services subsidiaries that are subject to regulation, supervision, and examination by the Federal Reserve, as well as other state and federal regulatory agencies and self-regulatory organizations. Because KeyBank engages in derivative transactions, in 2013 it provisionally registered as a swap dealer with the CFTC and became a member of the NFA, the self-regulatory organization for participants in the U.S. derivatives industry. Our securities brokerage and asset management subsidiaries are subject to supervision and regulation by the SEC, FINRA, and state securities regulators, and our insurance agency subsidiary is subject to regulation by the insurance regulatory authorities of the states in which it operates. Our securities brokerage and asset management subsidiaries are subject to supervision and regulation by the SEC, FINRA, and state securities regulators, and our insurance subsidiaries are subject to regulation by the insurance regulatory authorities of the states in which they operate. Our other nonbank subsidiaries are subject to laws and regulations of both the federal government and the various states in which they are authorized to do business.
Enhanced prudential standards and tailoring rules
The Dodd-Frank Act required the Federal Reserve to impose enhanced prudential standards upon BHCs with at least $50 billion in total consolidated assets (like KeyCorp). Prudential standards were required to include enhanced risk-based capital requirements and leverage limits, liquidity requirements, risk-management and risk committee requirements, resolution plan requirements, credit exposure report requirements, single counterparty credit limits, supervisory and company-run stress test requirements, and for certain financial companies, a debt-to-equity limit.
The Economic Growth, Regulatory Relief, and Consumer Protection Act (“EGRRCPA”) raised the asset threshold above which the Federal Reserve is required to apply enhanced prudential standards to BHCs with at least $250 billion in total consolidated assets and gave the Federal Reserve the authority to apply enhanced prudential standards to BHCs with at least $100 billion in assets but less than $250 billion in assets (like KeyCorp) if it determines that the application of the enhanced prudential standards is appropriate to prevent or mitigate risks to financial stability or to promote the safety and soundness of the BHC or BHCs, taking into consideration the BHC’s or BHCs’ capital structure, riskiness, complexity, financial activities, size, and other relevant factors.
Final rules related to the implementation of EGRRCPA (“Tailoring Rules”) established four risk-based categories of BHCs and their bank subsidiaries with $100 billion or more in total consolidated assets and applied tailored regulatory requirements to each respective category. KeyCorp and KeyBank fall within the least restrictive of those categories (“Category IV”). The requirements applicable to Category IV firms pursuant to the Tailoring Rules are discussed below.
Regulatory Capital and Liquidity Requirements
Background
KeyCorp and KeyBank are subject to regulatory capital requirements that are based largely on the work of an international group of supervisors known as the Basel Committee on Banking Supervision (“Basel Committee”). The Basel Committee is responsible for establishing international bank supervisory standards for implementation in member jurisdictions, to enhance and align bank regulation on a global scale, and to promote financial stability. The regulatory capital framework developed by the Basel Committee and implemented in the United States is a predominately risk-based capital framework that establishes minimum capital requirements based on the amount of regulatory capital a banking organization maintains relative to the amount of its total assets, adjusted to reflect credit risk (“risk-weighted assets”). Each banking organization subject to this regulatory capital framework is required to satisfy certain minimum risk-based capital measures (e.g., a tier 1 risk-based capital ratio requirement of tier 1 capital to total risk-weighted assets), and in the United States, a minimum leverage ratio requirement of tier 1 capital to average total on-balance sheet assets, which serves as a backstop to the risk-based measures.
A capital instrument is assigned to one of two tiers based on the relative strength and ability of that instrument to absorb credit losses on a going concern basis. Capital instruments with relatively robust loss-absorption capacity are assigned to tier 1, while other capital instruments with relatively less loss-absorption capacity are assigned to tier 2. A banking organization’s total capital equals the sum of its tier 1 and tier 2 capital.
The Basel Committee also developed a market risk capital framework (that also has been implemented in the United States) to address the substantial exposure to market risk faced by banking organizations with significant trading activity and augment the credit risk-based capital requirements described above. For example, the minimum total risk-based capital ratio requirement for a banking organization subject to the market risk capital rule equals the ratio of the banking organization’s total capital to the sum of its credit risk-weighted assets and market risk-weighted assets. Only KeyCorp is subject to the market risk capital rule, as KeyBank does not engage in substantial trading activity.
Basel III
To address deficiencies in the international regulatory capital standards identified during the 2007-2009 global financial crisis, the Basel Committee in 2010 released comprehensive revisions to the international regulatory capital framework, commonly referred to as “Basel III.” The Basel III revisions are designed to strengthen the quality and quantity of regulatory capital, in part through the introduction of a Common Equity Tier 1 capital requirement; provide more comprehensive and robust risk coverage, particularly for securitization exposures, equities, and off-balance sheet positions; and address pro-cyclicality concerns through the implementation of capital buffers. The Basel Committee also released a series of revisions to the market risk capital framework to address deficiencies identified during its initial implementation (e.g., arbitrage opportunities between the credit risk-based and market risk capital rules) and in connection with the global financial crisis.
KeyCorp and KeyBank are subject to regulatory capital requirements implemented by the U.S. banking agencies that are based largely on Basel III (“Regulatory Capital Rules”). Consistent with the international framework, the Regulatory Capital Rules further restrict the type of instruments that may be recognized in tier 1 and tier 2 capital; establish a minimum Common Equity Tier 1 capital ratio requirement of 4.5% and capital buffers to absorb losses during periods of financial stress while allowing an institution to provide credit intermediation as it would during a normal economic environment; and refine several of the methodologies used for determining risk-weighted assets. The Regulatory Capital Rules provide additional requirements for large banking organizations with over $250 billion in total consolidated assets or $10 billion in foreign exposure, but those additional requirements do not apply to KeyCorp or KeyBank. However, some of those additional requirements will apply to KeyCorp and KeyBank if proposed revisions to the Regulatory Capital Rules are adopted. The proposed revisions to the Regulatory Capital Rules are discussed below under the heading “Regulatory capital-related developments.” For purposes of the Regulatory Capital Rules, KeyCorp and KeyBank are treated as “standardized approach” banking organizations.
Under the Regulatory Capital Rules, standardized approach banking organizations, such as KeyCorp and KeyBank, are required to meet the minimum capital and leverage ratios set forth in the following table. At December 31, 2025, KeyCorp’s ratios under the fully phased-in Regulatory Capital Rules were as set forth in the following table.
Minimum Capital Ratios and KeyCorp Ratios Under Regulatory Capital Rules
(a) As a standardized approach banking organization, KeyCorp is not subject to the 3% supplementary leverage ratio requirement. However, KeyCorp will be subject to the supplementary leverage ratio if proposed revisions to the Regulatory Capital Rules are adopted. However, KeyCorp will be subject to the countercyclical capital buffer if proposed revisions to the Regulatory Capital Rules discussed below are adopted.
(b) Stress capital buffer must consist of Common Equity Tier 1 capital. As a standardized approach banking organization, KeyCorp is not subject to the countercyclical capital buffer of up to 2.5% imposed upon an advanced approaches banking organization under the Regulatory Capital Rules. However, KeyCorp will be subject to the countercyclical capital buffer if proposed revisions to the Regulatory Capital Rules are adopted. KeyCorp’s stress capital buffer is 3.20% as of October 1, 2025.
Revised prompt corrective action framework
The federal Prompt Corrective Action (“PCA”) framework under the FDIA groups FDIC-insured depository institutions into one of five prompt corrective action capital categories: “well capitalized,” “adequately capitalized,” “undercapitalized,” “significantly undercapitalized,” and “critically undercapitalized.” In addition to implementing the Basel III capital framework in the United States, the Regulatory Capital Rules also revised the PCA capital category threshold ratios applicable to FDIC-insured depository institutions such as KeyBank. The revised PCA framework table below identifies the capital category threshold ratios for a “well capitalized” and an “adequately capitalized” institution under the PCA framework.
“Well Capitalized” and “Adequately Capitalized” Capital Category Ratios under
Revised Prompt Corrective Action Framework
(a) A “well capitalized” institution also must not be subject to any written agreement, order or directive to meet and maintain a specific capital level for any capital measure.
(b) As a standardized approach banking organization, KeyBank is not subject to the 3% supplementary leverage ratio requirement, which became effective January 1, 2018. However, KeyBank will be subject to the supplementary leverage ratio if proposed revisions to the Regulatory Capital Rules are adopted.
As of December 31, 2025, KeyBank (consolidated) satisfied the risk-based and leverage capital requirements necessary to be considered “well capitalized” for purposes of the revised PCA framework. However, investors should not regard this determination as a representation of the overall financial condition or prospects of KeyBank because the PCA framework is intended to serve a limited supervisory function. Moreover, it is important to note that the PCA framework does not apply to BHCs, like KeyCorp.
Regulatory capital-related developments
On July 27, 2023, the federal banking agencies issued a proposal (the “Capital Proposal”) that would make significant changes to the Regulatory Capital Rules applicable to banking organizations with total assets of $100 billion or more and their depository institution subsidiaries (“Large Banking Organizations”) (including KeyCorp and KeyBank) and banking organizations with significant trading activity. This proposal would implement the final elements of the Basel III capital framework and make other changes to the Regulatory Capital Rules in response to the bank failures that occurred in 2023. The Capital Proposal would establish a new framework for calculating risk-weighted assets (the “expanded risk-based approach”) that would apply to Large Banking Organizations. The expanded risk-based approach would include a new more risk-sensitive standardized approach for measuring credit risk and operational risk. It would also include new standardized approaches for measuring market risk and credit valuation adjustment risk but would allow the use of internal models for market risk in certain circumstances with regulatory approval.
In addition, the Capital Proposal would also align the calculation of regulatory capital for Category III and IV banking organizations (like KeyCorp and KeyBank) with the calculation of regulatory capital for Category I and II banking organizations. Under the proposal, Category III and IV banking organizations would be required to include most components of AOCI, including net unrealized gains and losses on available-for-sale securities, in regulatory capital. Furthermore, all Large Banking Organizations would be subject to the supplementary leverage ratio and countercyclical capital buffer requirement and would be required to make certain enhanced public disclosures.
The federal banking agencies have indicated that they will be revising the Capital Proposal that was issued in July 2023, but it is uncertain what changes will be made to the proposal. Key is monitoring developments regarding this matter.
Capital planning, stress testing, and stress capital buffer
The Federal Reserve’s capital plan rule requires each U.S.-domiciled, top-tier BHC with total consolidated assets of at least $100 billion (like KeyCorp) to develop and maintain on an annual basis a written capital plan supported by a robust internal capital adequacy process. The capital plan must include, among other things, an assessment of the expected uses and sources of capital over a nine-quarter planning horizon, a description of all planned capital actions over the planning horizon, a detailed description of the BHC’s process for assessing capital adequacy, a discussion of any expected changes to the BHC’s business plan that are likely to have a material impact on its capital adequacy or liquidity, and the BHC’s capital policy. The capital plan must be submitted to the Federal Reserve for supervisory review in connection with the BHC’s CCAR (described below). The supervisory review includes an assessment of many factors, including KeyCorp’s ability to maintain capital above each minimum regulatory capital ratio on a pro forma basis under expected and stressful conditions throughout the planning horizon.
The Federal Reserve’s CCAR is an intensive assessment of the capital adequacy of large U.S. BHCs and of the practices these BHCs use to assess their capital needs. The Federal Reserve expects BHCs subject to CCAR to have and maintain regulatory capital in an amount that is sufficient to withstand a severely adverse operating environment and, at the same time, be able to continue operations, maintain ready access to funding, meet obligations to creditors and counterparties, and provide credit intermediation.
The Federal Reserve conducts a supervisory stress test on BHCs with at least $100 billion in total consolidated assets (including KeyCorp), pursuant to which the Federal Reserve projects revenues, expenses, losses, and resulting post-stress capital levels and regulatory capital ratios under conditions that affect the U.S. economy under supervisory baseline and severely adverse scenarios that are determined by the Federal Reserve. The Federal Reserve conducts a supervisory stress test of the largest BHCs on an annual basis. Under one of the Tailoring Rules, Category IV BHCs (such as KeyCorp) are subject to a supervisory stress test conducted by the Federal Reserve every other year rather than every year.
On March 4, 2020, the Federal Reserve adopted a final rule integrating certain aspects of the Federal Reserve’s Regulatory Capital Rules with CCAR and the stress test rules in order to simplify the overall capital framework that is currently applicable to BHCs that have $100 billion or more in total consolidated assets (including KeyCorp). The final rule amended the capital conservation buffer requirement under the Regulatory Capital Rules by replacing the static risk-weighted assets component of the buffer with a new measure, the stress capital buffer, which will be based on the results of an individual BHC’s supervisory stress test and cannot be less than 2.5 percent of risk-weighted assets. A firm will be subject to limitations on capital distributions and discretionary bonus payments if it does not satisfy all minimum capital requirements and its stress capital buffer requirement. Under the Tailoring Rules, the portion of the stress capital buffer for a Category IV firm based on the Federal Reserve’s stress test will be calculated biennially. During a year in which a Category IV firm does not undergo a supervisory stress test, the firm will receive an updated stress capital buffer that reflects the firm’s updated planned common stock dividends.
A firm’s stress capital buffer requirement will become effective on October 1 of each year and will remain in effect until September 30 of the following year unless the firm receives an updated stress capital buffer requirement from the Federal Reserve. If a rule change proposed by the Federal Reserve on April 17, 2025 is adopted, a firm’s stress capital buffer requirement will become effective on January 1 rather than October 1 in order to give firms more time to adjust to updated capital requirements. The adjusted stress capital buffer requirement would then remain in effect until the following December 31 unless the firm receives an updated stress capital buffer requirement from the Federal Reserve.
On June 27, 2025, the Federal Reserve announced the results of the supervisory stress test that it conducted of 22 large BHCs (not including KeyCorp). On June 26, 2024, the Federal Reserve announced the results of the supervisory stress test that it conducted of 31 BHCs having more than $100 billion in total consolidated assets (including KeyCorp). As a Category IV banking organization subject to a supervisory stress test every other year, KeyCorp was not required to participate in the Federal Reserve’s supervisory stress test in 2025. On August 29, 2025, the Federal Reserve published the updated stress capital buffer requirements for large BHCs, including BHCs like KeyCorp that did not participate in the supervisory stress test in 2025. KeyCorp’s updated stress capital buffer is 3.2% (based on the results of KeyCorp’s 2024 supervisory stress test and adjusted for KeyCorp’s planned common stock dividends as set forth in KeyCorp’s 2025 capital plan). This stress capital buffer became effective on October 1, 2025, and will remain in effect until September 30, 2026, unless KeyCorp later receives an updated stress capital buffer requirement from the Federal Reserve.
On October 24, 2025, the Federal Reserve issued a proposal that would codify a process under which the Federal Reserve would be required to annually disclose and seek public comment on the models and scenarios used in the supervisory stress test. The Federal Reserve indicated that the proposal is intended to enhance the transparency and public accountability of the Federal Reserve’s supervisory stress test framework. The Federal Reserve indicated that all BHCs subject to the stress test maintained capital ratios above the minimum required levels under the severely adverse scenario. The Federal Reserve also proposed revisions to reporting forms submitted by firms subject to the supervisory stress test to reduce burden and improve risk capture in the stress tests. Comments on the proposal were due by January 22, 2026.
Liquidity requirements
Under final rules adopted by the federal banking agencies, the largest U.S. banking organizations are subject to a liquidity coverage ratio (“LCR”), calculated as the ratio of a banking organization’s high-quality liquid assets to its total net cash outflows over 30 consecutive calendar days, and a net stable funding ratio (“NSFR”), calculated as the ratio of the amount of stable funding available to a banking organization to its required amount of stable funding over a one-year time horizon. KeyCorp and KeyBank are not subject to an LCR requirement or an NSFR requirement under these rules because KeyCorp and KeyBank are Category IV banking organizations that have average weighted short-term wholesale funding of less than $50 billion.
However, Category IV BHCs, like KeyCorp, are subject to liquidity requirements contained in regulations adopted by the Federal Reserve pursuant to the Dodd-Frank Act and EGRRCPA. Under these regulations, KeyCorp is subject to requirements involving cash flow projections over short-term and long-term time horizons, a contingency funding plan, liquidity risk limits, the monitoring of liquidity risks (with respect to collateral, legal entities, currencies, business lines, and intraday exposures), quarterly liquidity stress testing, liquidity risk management requirements, monthly liquidity reporting requirements, and a liquidity buffer that is sufficient to meet projected net stressed cash-flow needs over a 30-day planning horizon. As a result of the Federal Reserve’s implementation of certain of the enhanced prudential standards, KeyCorp is subject to requirements relating to cash flow projections, a contingency funding plan, liquidity risk limits, the monitoring of liquidity risks (with respect to collateral, legal entities, currencies, business lines, and intraday exposures), liquidity stress testing, a liquidity buffer, and liquidity risk management requirements, including requirements that apply to the board of directors, the risk committee, senior management, and the independent review function.
Dividend restrictions
Federal law and regulation impose limitations on the payment of dividends by our national bank subsidiaries, like KeyBank. Historically, dividends paid by KeyBank have been an important source of cash flow for KeyCorp to pay dividends on its equity securities and interest on its debt. Dividends by our national bank subsidiaries are limited to the lesser of the amounts calculated under an earnings retention test and an undivided profits test. Under the earnings retention test, without the prior approval of the OCC, a dividend may not be paid if the total of all dividends declared by a bank in any calendar year is in excess of the current year’s net income combined with the retained net income of the two preceding years. Under the undivided profits test, a dividend may not be paid in excess of a bank’s undivided profits. Moreover, under the FDIA, an IDI may not pay a dividend if the payment would cause it to be less than “adequately capitalized” under the PCA framework or if the institution is in default in the payment of an assessment due to the FDIC. Similarly, under the Regulatory Capital Rules, a banking organization that fails to satisfy the minimum capital conservation buffer requirement will be subject to certain limitations, which include restrictions on capital distributions. For more information about the payment of dividends by KeyBank to KeyCorp, please see Note 22 (“Regulatory Matters”) in this report. For more information about the payment of dividends by KeyBank to KeyCorp, please see Note 3 (“Restrictions on Cash, Dividends, and Lending Activities”) in this report.
FDIA, Resolution Authority and Financial Stability
Deposit insurance and assessments
The DIF provides insurance coverage for domestic deposits funded through assessments on IDIs like KeyBank. The amount of deposit insurance coverage for each depositor’s deposits is $250,000 per depository.
The FDIC must assess the deposit insurance premium based on an IDI’s assessment base, calculated as its average consolidated total assets minus its average tangible equity. KeyBank’s current annualized premium assessments can range from $.025 to $.45 for each $100 of its assessment base. The rate charged depends on KeyBank’s performance on the FDIC’s “large and highly complex institution” risk-assessment scorecard, which includes factors such as KeyBank’s regulatory rating, its ability to withstand asset and funding-related stress, and the relative magnitude of potential losses to the FDIC in the event of KeyBank’s failure.
On October 18, 2022, the FDIC adopted a final rule, applicable to all IDIs (including KeyBank), to increase the initial base deposit insurance assessment rate schedules uniformly by two basis points consistent with the Amended Restoration Plan approved by the FDIC on June 21, 2022. The FDIC indicated that it was taking this action in order to restore the DIF reserve ratio to the required statutory minimum of 1.35% by the statutory deadline of September 30, 2028. Under the final rule, the increase in rates began with the first quarterly assessment period of 2023 and will remain in effect unless and until the reserve ratio meets or exceeds 2% in order to support growth in the DIF in progressing toward the FDIC’s long-term goal of a 2% reserve ratio.
On March 10, 2023, and March 12, 2023, Silicon Valley Bank (“SVB”) and Signature Bank (“Signature”) were closed by the state banking authorities in California and New York, respectively, and the FDIC was appointed as receiver of SVB and Signature. All deposits of SVB and Signature were transferred to bridge banks established by the FDIC under the systemic risk exception to the least cost test in the FDIA so that the uninsured deposits as well as the insured deposits of both banks were protected by the FDIC. Under the FDIA, the loss to the DIF arising from the use of the systemic risk exception must be recovered through one or more special assessments.
On November 16, 2023, the FDIC issued a final rule to impose a special assessment on IDIs (including KeyBank) to recover the loss to the DIF resulting from the use of the systemic risk exception to protect the uninsured depositors of SVB and Signature. Under the final rule, the FDIC would collect a special assessment from IDIs at an annual rate of approximately 13.4 basis points (or 3.36 basis points per quarter) over eight quarterly assessment periods, starting with the first quarterly assessment period of 2024 (i.e., January 1, 2024 through March 31, 2024) with an invoice payment date of June 28, 2024. The assessment base for the proposed special assessment is equal to an IDI’s estimated uninsured deposits reported as of December 31, 2022, adjusted to exclude the first $5 billion in estimated uninsured deposits held by the IDI.
On December 16, 2025, the FDIC issued an interim final rule to reduce the quarterly rate at which the special assessment will be collected from 3.36 basis points to 2.97 basis points in the eighth collection quarter (with an invoice payment date of March 30, 2026) in order to ensure that the amount collected will be approximately equal to the FDIC’s current estimate of the loss to the DIF from the use of the systemic risk exception. The interim final rule also provides that the FDIC will provide an offset to IDIs’ regular quarterly deposit insurance assessments if the aggregate amount collected exceeds losses following resolution of litigation between the FDIC and SVB’s parent company. The interim final rule further provides that upon the final termination of the receiverships, the FDIC will either (1) provide an offset to IDIs’ regular quarterly deposit insurance assessments if the amount collected exceeds losses or (2) collect from IDIs a one-time final shortfall assessment if losses exceed the amount collected. Comments on the interim final rule were due by January 20, 2026.
Conservatorship and receivership of insured depository institutions
Upon the insolvency of an IDI, the FDIC will be appointed as receiver or, in rare circumstances, conservator for the insolvent institution under the FDIA. In an insolvency, the FDIC may repudiate or disaffirm any contract to which the institution is a party if the FDIC determines that performance of the contract would be burdensome and that disaffirming or repudiating the contract would promote orderly administration of the institution’s affairs. If the contractual counterparty makes a claim against the receivership (or conservatorship) for breach of contract, the amount paid to the counterparty would depend upon, among other factors, the receivership (or conservatorship) assets available to pay the claim and the priority of the claim relative to others. In addition, the FDIC may enforce most contracts entered into by the insolvent institution, notwithstanding any provision that would terminate, cause a default, accelerate or give other rights under the contract solely because of the insolvency, the appointment of the receiver (or conservator), or the exercise of rights or powers by the receiver (or conservator). The FDIC may also transfer any asset or liability of the insolvent institution without obtaining approval or consent from the institution’s shareholders or creditors. These provisions would apply to obligations and liabilities of KeyCorp’s IDI subsidiary, KeyBank, including obligations under senior or subordinated debt issued to public investors.
Receivership of certain SIFIs
The Dodd-Frank Act created a new resolution regime, as an alternative to bankruptcy, known as the “orderly liquidation authority” (“OLA”) for certain SIFIs, including BHCs and their affiliates. Under the OLA, the FDIC would generally be appointed as receiver to liquidate and wind down a failing SIFI. The determination that a SIFI should be placed into OLA receivership is made by the U.S. Treasury Secretary, who must conclude that the SIFI is in default or in danger of default and that the SIFI’s failure poses a risk to the stability of the U.S. financial system. This determination must come after supermajority recommendations by the Federal Reserve and the FDIC, and consultation between the U.S. Treasury Secretary and the President.
If the FDIC is appointed as receiver under the OLA, its powers and the rights and obligations of creditors and other relevant parties would be determined exclusively under the OLA. The powers of a receiver under the OLA are generally based on the FDIC’s powers as receiver for IDIs under the FDIA. Certain provisions of the OLA were modified to reduce disparate treatment of creditors’ claims between the U.S. Bankruptcy Code and the OLA. However, substantial differences between the two regimes remain, including the FDIC’s right to disregard claim priority in some circumstances, the use of an administrative claims procedure under OLA to determine creditors’ claims (rather than a judicial procedure in bankruptcy), the FDIC’s right to transfer claims to a bridge entity, and limitations on the ability of creditors to enforce contractual cross-defaults against potentially viable affiliates of the entity in receivership. OLA liquidity would be provided through credit support from the U.S. Treasury and assessments made, first, on claimants against the receivership that received more in the OLA resolution than they would have received in ordinary liquidation (to the full extent of the excess), and second, if necessary, on SIFIs like KeyCorp utilizing a risk-based methodology.
Depositor preference
The FDIA provides that, in the event of the liquidation or other resolution of an IDI, the claims of its depositors (including claims of its depositors that have subrogated to the FDIC) and certain claims for administrative expenses of the FDIC as receiver have priority over other general unsecured claims. If an IDI fails, insured and uninsured depositors, along with the FDIC, will be placed ahead of unsecured, nondeposit creditors, including the institution’s parent BHC and subordinated creditors, in order of priority of payment.
Resolution and recovery plans
BHCs with at least $50 billion in total consolidated assets, like KeyCorp, have been required to periodically submit to the Federal Reserve and FDIC a plan discussing how the company could be rapidly and orderly resolved if the company failed or experienced material financial distress. IDIs with at least $50 billion in total consolidated assets, like KeyBank, have also been required to submit a resolution plan to the FDIC. The Federal Reserve and FDIC make available on their websites the public sections of resolution plans for the companies, including KeyCorp and KeyBank, that submitted plans. The public sections of the resolution plans of KeyCorp and KeyBank are available at http://www.federalreserve.gov/supervisionreg/resolution-plans.htm and https://www.fdic.gov/resolutions/fdic-and-financial-regulatory-reform-title-i-and-idi-resolution-planning/. KeyCorp’s last resolution plan was submitted in 2017, and KeyBank’s last resolution plan was submitted in 2025. KeyCorp is no longer required to submit a resolution plan because of the rule change discussed below while KeyBank remains subject to resolution plan requirements as discussed below.
Category IV BHCs with less than $250 billion in total consolidated assets are no longer required to submit a resolution plan unless they have $75 billion or more in certain risk-based indicators. Under this rule, KeyCorp is no longer subject to resolution planning requirements.
On June 20, 2024, the FDIC adopted a final rule to amend and restate its current resolution plan rule in order to clarify and strengthen resolution plan submission requirements and reflect lessons learned since the adoption of the FDIC’s current resolution plan rule in 2012. Among other things, the final rule (i) enhances and clarifies the requirements for the content of resolution plan submissions, (ii) requires IDIs with more than $100 billion in total assets that are not affiliated with a U.S. G-SIB (including KeyBank) to submit full resolution plans every three years and more limited supplements in the off years, and (iii) expands expectations regarding engagement with the FDIC and capabilities testing. The final rule was effective on October 1, 2024. KeyBank was required to file its next resolution plan by July 1, 2025, which was its initial filing under the 2024 rule.
In April 2025, the FDIC issued guidance to further clarify its expectations regarding resolution plan submissions. On December 31, 2025, the FDIC announced that it will propose changes in 2026 to the resolution plan rule to incorporate guidance it issued in April 2025 and to make additional changes to take into account lessons learned from its review of the 2025 resolution plan submissions. The FDIC indicated that it wants to focus on resolution plan content requirements that will facilitate the quick resolution of a failed institution.
The OCC has issued recovery planning guidelines that require large OCC-regulated banks to develop and maintain a recovery plan that identifies triggers and options for responding to a wide range of severe internal and external stress scenarios so that the bank can be restored to financial strength and viability in a timely manner if it were to experience such stress situations. On October 21, 2024, the OCC adopted revisions to its recovery planning guidelines and lowered the threshold for the applicability of these guidelines from banks with at least $250 billion in average total consolidated assets to those with at least $100 billion in average total consolidated assets, including KeyBank. KeyBank was required to be in compliance with these guidelines by January 1, 2026 except that KeyBank’s compliance with the testing requirement was delayed until January 1, 2027.
On October 27, 2025, the OCC requested public comment on a proposal to rescind its recovery planning guidelines. In proposing the rescission of these guidelines, the OCC said that the guidelines were overly prescriptive and imposed an unnecessary regulatory burden on the covered institutions. The OCC said that if the recovery planning guidelines are rescinded, it would still expect all institutions that it regulates to have appropriate risk management processes in place to address all material risks in their operating environment and to maintain a formal contingency funding plan that considers a range of possible stress scenarios, assesses the stability of funding during periods of stress, and provides for a broad range of funding sources under adverse conditions. Comments on the proposal were due by December 18, 2025.
Other Regulatory Requirements and Developments
The Bank Secrecy Act
The BSA requires all financial institutions (including banks and securities broker-dealers) to, among other things, maintain a risk-based system of internal controls reasonably designed to prevent money laundering and the financing of terrorism. It includes a variety of recordkeeping and reporting requirements (such as cash and suspicious activity reporting) as well as due diligence and know-your-customer documentation requirements. Key has established and maintains an AML program to comply with the BSA’s requirements.
OFAC
The U.S. has imposed economic sanctions that affect transactions with designated foreign countries, foreign nationals, and others pursuant to various laws and executive orders. These sanctions are administered by the Office of Foreign Assets Control (“OFAC”), an office within the U.S. Department of the Treasury. Sanctions are imposed to carry out U.S. foreign policy and national security goals and involve prohibiting trade and various types of commercial and financial transactions with sanctioned countries, individuals, organizations, and groups. OFAC regulations require the rejection of transactions or the blocking of assets when a sanctioned country, individual, organization, or group is involved. Blocked assets (e.g., property and bank deposits) cannot be paid out, withdrawn, set off, or transferred in any manner without a license from OFAC. Key is required to comply with sanctions administered by OFAC. Failure to comply with the sanctions could have serious legal consequences, including the imposition of civil and criminal penalties.
Compensation-related rules and regulations
Guidelines adopted by the federal banking agencies prohibit as an unsafe and unsound practice the payment by a banking organization of excessive compensation and describe compensation as “excessive” when the amounts paid are unreasonable or disproportionate to the services performed by an executive officer, employee, director, or principal shareholder. The federal banking agencies have also issued guidance to ensure that incentive compensation policies at banking organizations are consistent with safe and sound practices. This guidance provides that such policies should (1) provide employees incentives that appropriately balance risk and reward, (2) be compatible with effective controls and risk management, and (3) be supported by strong corporate governance, including active and effective oversight by the organization’s board of directors.
Section 956 of the Dodd-Frank Act requires six federal agencies to jointly prescribe regulations or guidelines that prohibit any types of incentive-based payment arrangement that the agencies determine encourages inappropriate risks by financial institutions with more than $1 billion in assets (including KeyCorp and KeyBank). These six agencies issued proposed regulations in 2011 and 2016 to implement this provision, but these regulations have not been finalized.
Also, as mandated by Section 954 of the Dodd-Frank Act, the SEC has adopted rules directing U.S. stock exchanges to establish listing standards that require listed companies to adopt policies providing for the recovery or clawback of incentive-based compensation received by current or former executive officers where such compensation is based on erroneous financial information which required an accounting restatement. The NYSE has adopted such clawback listing standards, which are applicable to NYSE-listed companies, including KeyCorp.
Lending standards
The federal banking agencies have adopted interagency guidelines establishing standards for safety and soundness that include standards that apply to banks (including KeyBank) when making loans to borrowers. These guidelines provide, among other things, that banks should establish and maintain loan documentation practices that enable the bank to make an informed lending decision, assess risk on an ongoing basis, and ensure that any claim against a borrower is legally enforceable. The guidelines also provide that banks should establish and maintain prudent credit underwriting practices that are commensurate with the type of loans that the bank makes and take adequate account of concentration of credit risk. The guidelines further provide that banks should establish a system of independent, ongoing credit review, provide for appropriate communication to management and the board of directors, and take appropriate corrective actions to resolve problem assets.
The federal banking agencies have also adopted regulations that apply specifically to extensions of credit made by banks (including KeyBank) that are secured by liens or interests in real estate or made for the purpose of financing permanent improvements to real estate. Under these regulations, a bank is required to adopt and maintain policies that establish loan portfolio diversification standards, prudent underwriting standards (including loan-to-value limits) that are clear and measurable, loan administration procedures, and documentation, approval, and reporting requirements.
Cybersecurity and data privacy
Federal and state laws and regulations contain extensive data privacy and cybersecurity provisions. This is an area of considerable legislative and regulatory focus, and the requirements in this area are evolving. Key monitors these developments on a continual basis and, when appropriate, updates its policies, procedures, and practices to reflect any new or revised requirements.
The Gramm-Leach-Bliley Act (“GLBA”) and implementing regulations require a financial institution to provide notice to customers of its privacy policies and practices, describe the conditions under which the financial institution may disclose nonpublic personal information to non-affiliated third parties, and provide consumers with a means to “opt-out” of having that information disclosed in certain circumstances. Other federal laws and regulations require financial institutions to provide customers with the choice to “opt-out” of having certain information shared among the financial institution’s affiliates while other provisions regulate the use by financial institutions of information from credit bureaus and the provision of information to such bureaus. Various state statutes and regulations impose additional data privacy protections.
The GLBA and other laws and regulations require financial institutions to adopt and implement a comprehensive written information security program that includes administrative, technical, and physical safeguards that are designed to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of such information (including cyber threats), protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer, and ensure the proper disposal of customer information. In addition, a financial institution is expected to have a response program that specifies actions to be taken if it detects that unauthorized individuals have gained access to customer information, including notifying affected customers of the breach. A financial institution is further expected to develop appropriate processes to recover data and resume business operations if business operations of the institution or a critical service provider are impacted by a cyber-attack.
Also, rules adopted by the federal banking agencies require a financial institution to notify its primary federal regulator within 36 hours of certain computer-security incidents, including an incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, an institution’s operations or activities or its ability to deliver products or services to a material portion of its customer base. In addition, the SEC has adopted final rules requiring public companies (including KeyCorp) to disclose on Form 8-K material cybersecurity incidents and to disclose annually on Form 10-K information regarding their cybersecurity risk management, strategy, and governance.
Governance standards
In 2014, the OCC adopted guidelines imposing heightened governance and risk management standards (the “Heightened Standards”) on national banks with average total consolidated assets of $50 billion or more (including KeyBank). The Heightened Standards (1) establish minimum standards for the design and implementation of a bank’s risk governance framework and (2) set forth minimum standards for the board of directors to follow in overseeing the bank’s risk governance framework’s design and implementation.
On December 23, 2025, the OCC issued a proposal to raise the threshold for applying the Heightened Standards to $700 billion in average total consolidated assets. In proposing to raise this threshold, the OCC noted that the Heightened Standards establish highly prescriptive standards and that the application of the standards may be justified only for the largest and most complex institutions. The OCC indicated that the institutions that would be excluded from the Heightened Standards under this proposal would still be expected to maintain robust governance frameworks, risk management systems, and processes that are tailored to their individual size, complexity, and risk profile. If this proposal is adopted, KeyBank will no longer be subject to the Heightened Standards. Comments on this proposal are due by March 2, 2026.
Regulations adopted by the Federal Reserve to implement enhanced prudential standards under the Dodd-Frank Act and EGRRCPA require a BHC with $100 billion or more in total consolidated assets to have a risk committee of its board of directors that oversees the BHC’s risk management framework. These regulations set forth detailed requirements applicable to the risk committee and the chief risk officer of such a BHC.
In 2021, the Federal Reserve issued guidance setting forth supervisory expectations for boards of directors of large financial institutions, including BHCs with total consolidated assets of $100 billion or more (like KeyCorp). This guidance describes attributes of an effective board of directors. In addition, the Federal Reserve proposed, but has not finalized, guidance that describes core principles for effective senior management, business line management, and independent risk management of large financial institutions.
Consumer Financial Protection Bureau
The CFPB, which was created by the Dodd-Frank Act in 2010, was given the authority by that statute to regulate the offer and sale of consumer financial products and services, enforce federal consumer protection laws, and supervise certain providers of consumer financial products and services, including banks with over $10 billion in assets (such as KeyBank). The current U.S. presidential administration has announced its intention to close or substantially downsize the CFPB and has taken various actions to accomplish that objective, including issuing a stop work order to CFPB employees, terminating many CFPB employees, placing other CFPB employees on administrative leave, significantly reducing the CFPB’s annual funding through legislation, and refusing to request funding from the Federal Reserve. A union representing the CFPB’s employees and other interested parties brought a lawsuit in the United States District Court for the District of Columbia, seeking a court order to stop the current U.S. presidential administration from dismantling the CFPB. On March 25, 2025, the court in that case issued a preliminary injunction, which enjoined the U.S. presidential administration from taking actions to dismantle the CFPB. The U.S. presidential administration has appealed this court order. On August 15, 2025, a three-judge panel of the United States Court of Appeals for the District of Columbia Circuit vacated the preliminary injunction issued by the District Court. On December 17, 2025, the District of Columbia Court of Appeals granted the plaintiffs’ request for an en banc rehearing of this decision. In addition, the refusal of the CFPB to request funds from the Federal Reserve has been challenged in three cases, and the District Court in one of those cases ruled on December 30, 2025 that the CFPB must request and accept new funds from the Federal Reserve to stay operational. Following the court’s ruling, the CFPB requested additional funding from the Federal Reserve. Key is monitoring developments in these cases.
While the current U.S. presidential administration has sought to close or downsize the CFPB, many states have sought to increase their enforcement of existing consumer protection laws and regulations. In addition, new consumer protection laws and regulations have been adopted or proposed in many states. Key is monitoring these developments.
Data collection and reporting for small business loans
On March 30, 2023, the CFPB issued a final rule to require certain lenders (including depository institutions such as KeyBank) to report detailed data on applications for credit submitted by small businesses, including those owned by women and minorities. This rule was issued to implement Section 1071 of the Dodd-Frank Act. Various lawsuits were brought to challenge this rule. In one of these lawsuits, the CFPB, on April 3, 2025, asked the court to hold the lawsuit in abeyance because the CFPB planned to issue a new proposed rulemaking on this subject. In that case and two other cases challenging the 1071 rule, courts stayed compliance with the rule for the parties in those cases. On October 2, 2025, the CFPB issued a final rule delaying compliance with the 1071 rule for all institutions covered by the rule. On November 13, 2025, the CFPB issued a proposal to streamline the 1071 rule and to scale back the scope of data collection required under the rule. Compliance with the revised rule would be delayed until January 1, 2028. Comments on this proposal were due by December 15, 2025. Key is monitoring developments regarding this matter.
Volcker Rule
The Volcker Rule implements Section 619 of the Dodd-Frank Act, which prohibits “banking entities,” such as KeyCorp, KeyBank and their affiliates and subsidiaries, from owning, sponsoring, or having certain relationships with hedge funds and private equity funds (referred to as “covered funds”) and engaging in short-term proprietary trading of financial instruments, including securities, derivatives, commodity futures and options on these instruments.
The Volcker Rule excepts certain transactions from the general prohibition against proprietary trading, including transactions in government securities (e.g., U.S. Treasuries or any instruments issued by the GNMA, FNMA, FHLMC, a Federal Home Loan Bank, or any state or a political division of any state, among others); transactions in connection with underwriting or market-making activities; and transactions as a fiduciary on behalf of customers. A banking entity may also engage in risk-mitigating hedging activity if it can demonstrate that the hedge reduces or mitigates a specific, identifiable risk or aggregate risk position of the entity. The banking entity is required to conduct an analysis supporting its hedging strategy and the effectiveness of the hedges must be monitored and, if necessary, adjusted on an ongoing basis.
Key does not anticipate that the proprietary trading or covered fund restrictions in the Volcker Rule will have a material impact on its business, but it was required to divest certain fund investments. Key has established monitoring programs to support compliance with the Volcker Rule’s restrictions.
Bank transactions with affiliates
Federal banking law and regulation imposes qualitative standards and quantitative limitations upon certain transactions by a bank with its affiliates, including the bank’s parent BHC and certain companies the parent BHC may be deemed to control for these purposes. Transactions covered by these provisions must be on arm’s-length terms, and cannot exceed certain amounts that are determined with reference to the bank’s regulatory capital. Moreover, if the transaction is a loan or other extension of credit, it must be secured by collateral in an amount and quality expressly prescribed by statute, and if the affiliate is unable to pledge sufficient collateral, the BHC may be required to provide it. These provisions significantly restrict the ability of KeyBank to fund its affiliates, including KeyCorp, KBCM, and KeyCorp’s nonbanking subsidiaries engaged in making merchant banking investments (and certain companies in which these subsidiaries have invested). The Dodd-Frank Act expanded the coverage and scope of these regulations, including by applying them to the credit exposure arising under derivative transactions, repurchase and reverse repurchase agreements, and securities borrowing and lending transactions.
Supervision, examination, and enforcement
KeyCorp is subject to the Federal Reserve’s supervisory rating system for large financial institutions, which includes BHCs with total consolidated assets of $100 billion or more (including KeyCorp) (“LFI Rating System”). The LFI Rating System provides a supervisory evaluation of whether an institution possesses sufficient operational strength and resilience to maintain safe and sound operations through a range of conditions and assesses an institution’s capital planning and positions, liquidity risk management and positions, and governance and controls. Ratings issued under the LFI Rating System are confidential.
On November 5, 2025, the Federal Reserve finalized revisions to the LFI Rating System. These revisions changed the component ratings that a firm must receive to be considered “well managed” for supervisory purposes. A firm that is not “well managed” faces limitations on certain activities and acquisitions. The Federal Reserve said that the revisions were intended to provide a more accurate assessment of a BHC’s financial and operational strength and resilience and better align the LFI Rating System with the rating systems used for other banking organizations.
Federal law grants substantial supervisory and enforcement powers to the federal banking agencies. The federal banking agencies may bring enforcement actions against banking organizations in various situations such as when an agency determines that a banking organization has committed a violation of law or regulation, is engaged in an unsafe or unsound practice, or has engaged in an act or practice that is unfair, deceptive, or abusive. In such enforcement actions, the federal banking agencies may, among other things, impose restrictions on an institution’s business, assess civil money penalties, or issue cease and desist orders against the banking organization or affiliated parties.
On October 7, 2025, the OCC and the FDIC issued a joint proposal for public comment that would define the term “unsafe or unsound practice” for purposes of the agencies’ supervisory and enforcement authority under Section 8 of the FDIA and would establish uniform standards for when the agencies may issue matters requiring attention (“MRAs”) and other supervisory communications in connection with the examination process. Under the proposal, the definition of an “unsafe or unsound practice” and the standard for issuing MRAs would focus on whether a practice involves a risk of material harm to the financial condition of a financial institution or a material risk of loss to the DIF. The OCC and the FDIC said that the proposed rule would promote greater clarity and certainty regarding supervisory and enforcement standards and would ensure that bank supervisors and examiners prioritize concerns related to material financial risks over concerns related to policies, processes, and documentation. Comments on this proposal were due by December 29, 2025.
On November 18, 2025, the Federal Reserve issued a statement of supervisory operating principles which indicated that MRAs issued by examiners should prioritize deficiencies that could have a material impact on a firm’s financial condition. The Federal Reserve said that work was underway to provide more specific guidance on this subject as well as guidance on the Federal Reserve’s interpretation of the standard for issuing enforcement actions based on unsafe or unsound practices.
Community Reinvestment Act
The Community Reinvestment Act (“CRA”) was enacted in 1977 to encourage depository institutions to help meet the credit needs of the communities that they serve, including low- and moderate-income (“LMI”) neighborhoods, consistent with the institutions’ safe and sound operations. The CRA requires the federal banking agencies to assess the record of each institution that they supervise in meeting the credit needs of its entire community, including LMI neighborhoods.
On October 24, 2023, the federal banking agencies adopted a final rule to substantially revise their regulations implementing the CRA. Various trade associations filed a lawsuit in the United States District Court for the Northern District of Texas seeking to invalidate the CRA final rule. On March 29, 2024, the court in that case issued a preliminary injunction barring the federal banking agencies from enforcing the CRA final rule pending the resolution of that lawsuit. The court’s decision is on appeal to the United States Court of Appeals for the Fifth Circuit. On April 1, 2025, the Fifth Circuit granted a request by the federal banking agencies to stay further proceedings in this case. On July 16, 2025, the federal banking agencies issued for public comment a proposal to rescind the CRA final rule that was issued in October 2023 and to reinstate the CRA framework that was in place prior to the issuance of that rule with certain technical amendments. The agencies said that they were doing so to restore certainty in the CRA framework for stakeholders and to limit regulatory burden on banks, while ensuring that banks continue to focus on the purpose of the CRA. Comments on the proposal were due by August 18, 2025. KeyBank will be subject to any changes that are made to the CRA regulations.
Long-term debt requirement
On August 29, 2023, the federal banking agencies issued for public comment a proposal that would require certain large BHCs and certain large IDIs to issue and maintain minimum amounts of long-term debt (“LTD”). This proposal would apply to Category II, III, and IV BHCs (including KeyCorp) and IDIs that (i) are not consolidated subsidiaries of U.S. global systemically important banks and (ii) have at least $100 billion in total assets (including KeyBank) or are affiliated with an IDI that has at least $100 billion in total assets. Under the proposal, the required minimum amount of LTD would be the greater of 6 percent of an entity’s total risk-weighted assets, 3.5 percent of an entity’s average total consolidated assets, and 2.5 percent of an entity’s total leverage exposure if it is subject to the supplementary leverage ratio. IDIs that are consolidated subsidiaries of BHCs would be required to issue the LTD to their parent company or another entity that consolidates the IDI.
Debt instruments issued to satisfy the minimum LTD requirement would have to meet certain criteria including, among other things, being unsecured, having a remaining maturity of more than one year, and not providing the holder with acceleration rights except in limited circumstances. BHCs subject to the proposal would also have to comply with certain “clean holding-company” requirements such as a cap on liabilities other than eligible LTD and a prohibition on entering into most qualified financial contracts with third parties. The proposal would provide a three-year transition period with the incremental phase-in of the requirements during this period. The federal banking agencies indicated that the proposal would improve the resolvability of the covered entities in case of their failure, reduce costs to the DIF, and mitigate contagion and financial stability risks by reducing the risk of loss to uninsured depositors. Comments on the proposal were due by January 16, 2024.
Debit card interchange fee cap
On October 25, 2023, the Federal Reserve issued for public comment a proposal to lower the maximum interchange fee that a debit card issuer with $10 billion or more in total consolidated assets (including KeyBank) can receive for a debit card transaction. The interchange fee cap is currently set at the sum of 21 cents for each transaction plus an amount equal to 0.05% of the value of the transaction and a one cent fraud prevention adjustment for issuers that satisfy certain criteria. In the new proposal, the Federal Reserve proposed to lower the cap to the sum of 14.4 cents for each transaction plus an amount equal to 0.04% of the value of the transaction and a 1.3 cent fraud prevention adjustment. The Federal Reserve indicated that it was proposing this revision to the fee cap to reflect changes in issuer costs. The Federal Reserve also proposed to update the amount of the fee cap every other year going forward by using data it collects in a biennial survey of large debit card issuers. Comments on the proposal were due by May 12, 2024.
Personal financial data rights
On October 22, 2024, the CFPB issued a final rule to implement Section 1033 of the Dodd-Frank Act. The 1033 rule requires financial institutions (including KeyBank) to make available to consumers and authorized third parties data concerning covered consumer financial products or services in an electronic form usable by the consumer and authorized third parties. In adopting the rule, the CFPB said that the 1033 rule was a step towards bringing about an “open banking” system in the United States. Following the issuance of this rule, two trade associations and a national bank filed a lawsuit challenging the rule in the United States District Court for the Eastern District of Kentucky. In this lawsuit, the plaintiffs alleged that the CFPB exceeded its statutory authority in adopting the 1033 rule. On May 23, 2025, the CFPB filed a status report with the court saying that it agreed with the plaintiffs. On May 30, 2025, the parties challenging the rule and the CFPB filed a motion for summary judgment asking the court to invalidate the rule. In a summary judgment motion filed on June 29, 2025, the Financial Technology Association, which had been allowed to intervene in this case, asked the court to uphold the rule. Before the court issued a decision on the summary judgment motions, the CFPB asked the court to stay the litigation. On July 29, 2025, the court granted the CFPB’s request to stay the litigation. On August 21, 2025, the CFPB issued an advance notice of proposed rulemaking, asking the public to respond to a series of questions related to the 1033 rule. Comments were due by October 21, 2025. In a court filing in the case challenging the 1033 rule, the CFPB indicated that it plans to issue a revamped 1033 rule as an interim final rule. Key is monitoring developments regarding this matter.
ITEM 1A. RISK FACTORS
Summary of Risk Factors
The following is a summary of some of the material risks and uncertainties that could have an adverse effect on our business.
•Credit Risk
◦We have concentrated credit exposure in commercial and industrial loans, commercial real estate loans, and commercial leases.
◦Should the fundamentals of the commercial real estate market deteriorate, our financial condition and results of operations could be adversely affected.
◦We are subject to the risk of defaults by our loan clients and counterparties.
◦Declining asset prices could adversely affect us.
◦Various factors may cause our allowance for loan and lease losses to increase or to be inadequate.
◦Geopolitical destabilization could adversely impact our loan portfolios.
•Market Risk
◦A worsening of the U.S. economy and volatile or recessionary conditions in the U.S. or abroad could negatively affect our business or our access to capital markets.
◦We are subject to interest rate risk, which could adversely affect net interest income.
◦Our profitability depends upon economic conditions in the geographic regions where we have significant operations and in certain market segments in which we conduct significant business.
◦The soundness of other financial institutions could adversely affect us.
•Liquidity Risk
◦We are subject to liquidity risk, which could negatively affect our funding levels.
◦Capital and liquidity requirements imposed by banking regulators and the credit rating agencies may require banks and BHCs to maintain more and higher quality capital and more and higher quality liquid assets.
◦Federal agencies’ actions to ensure stability of the U.S. economy and financial system may have costly or disruptive effects on us.
◦We rely on dividends by our subsidiaries for most of our funds.
◦Our credit ratings affect our liquidity position.
◦A loss of customer deposits or an adverse change in deposit mix could increase our funding costs and/or impair our liquidity.
•Operational Risk
◦We are subject to a variety of operational risks.
◦We and third parties on which we rely (including their downstream service providers) may experience a cyberattack, technology failure, information system or security breach or interruption.
◦We rely on third parties to perform significant operational services for us, and their failure to perform to our standards or other issues of concern with them could harm us.
◦Our framework for managing risks and mitigating losses may not be effective.
◦We are, and may in the future be, subject to claims, litigation, arbitration, investigations, and governmental proceedings, which could result in significant financial liability and/or reputational harm.
◦Our controls and procedures may fail or be circumvented, and our methods of reducing risk exposure may not be effective.
◦Our operations and financial performance could be adversely affected by severe weather and natural disasters, both directly and as a result of impacts on our customers.
◦Our development and use of AI, including through third parties, exposes us to inherent risks that may adversely impact KeyCorp.
•Compliance Risk
◦We are subject to extensive government regulation, supervision, and tax legislation.
◦We are subject to complex and evolving laws and regulations regarding privacy and cybersecurity, which could limit our ability to pursue business initiatives, increase the cost of doing business and subject us to compliance risks and potential liability.
•Strategic Risk
◦We may not realize the expected benefits of our strategic initiatives.
◦We operate in a highly competitive industry.
◦Maintaining or increasing our market share depends upon our ability to adapt our products and services to evolving industry standards and consumer preferences, while maintaining competitive products and services.
◦We may not be able to attract and retain skilled people.
◦Acquisitions or strategic partnerships may disrupt our business and dilute shareholder value.
◦Scotiabank holds a significant equity interest in our business and may exercise influence over us, including through its ability to designate up to two directors to our Board of Directors.
◦Damage to our reputation could significantly impact our business and major stakeholders.
◦Differing views on corporate responsibility and sustainability could adversely affect our reputation and our business and results of operations.
•Model Risk
◦We rely on quantitative models to manage certain accounting, risk management, capital planning, and treasury functions.
•Estimates and Assumptions Risk
◦The preparation of our consolidated financial statements requires us to make subjective determinations and use estimates that may vary from actual results and materially impact our financial condition and results of operations.
◦Changes in accounting policies, standards, and interpretations could materially affect how we report our financial condition and results of operations.
◦Impairment of goodwill could require charges to earnings, which could result in a negative impact on our results of operations.
As a financial services organization, we are subject to a number of risks inherent in our transactions and present in the business decisions we make. Described below are the material risks and uncertainties that if realized could have a material and adverse effect on our business, financial condition, results of operations or cash flows, and our access to liquidity. Although the risks are organized by headings and each risk is discussed separately, many are interrelated. The risks and uncertainties described below are not the only risks we face. Disclosures of risks should not be interpreted to imply that the risks have not already materialized.
I. Credit Risk
We have concentrated credit exposure in commercial and industrial loans, commercial real estate loans, and commercial leases.
As of December 31, 2025, approximately 72% of our loan portfolio consisted of commercial and industrial loans, commercial real estate loans, including commercial mortgage and construction loans, and commercial leases. These types of loans are typically larger than single family residential real estate loans and other types of consumer loans and have a different risk profile. The deterioration of a larger loan or a group of loans in this category could cause an increase in criticized, classified, and nonperforming loans, which could result in lower earnings from these loans, additional provision for loan and lease losses, and ultimately an increase in loan losses.
Should the fundamentals of the commercial real estate market deteriorate, our financial condition and results of operations could be adversely affected.
After disruptions in 2022 through early 2024 as a result of the increases in the Fed Funds rate and dislocations in the office sector as a result of COVID-19, the commercial and residential real estate markets have remained relatively steady over the past 18 months as they have adjusted to a more “normalized” rate environment. Capitalization rates and commercial property prices have been supported by a continued inflow of capital into the real estate markets. However, potential headwinds (labor market, geo-political, rate environment) could impact the real estate markets and Key’s portfolio moving forward.
A large portion of our clients are active in real estate, with most focused on the multifamily space, which has been the best performing real estate sector over the cycle. However, while development and construction have continued at muted levels over the past two years, oversupply of multifamily housing is a concern in certain urban markets. This oversupply has resulted in higher vacancy rates and put pressure on some borrowers to achieve underwritten rents. These two factors impact the ability of borrowers to generate sufficient cash flow in order to make debt service payments on loans or to refinance the loans at maturity. A correction in the real estate markets could impact the ability of borrowers to make debt service payments on loans or to refinance the loans at maturity. Key’s risk to any specific market is limited, with all metropolitan statistical area concentrations less than 4%. Further, Key has limited its exposure to rent-controlled properties across the country, with no exposure to rent-controlled properties in New York City.
A relatively small portion of our commercial real estate loans are construction loans, with most of these loans utilized to support the construction of affordable housing under the Low-Income Housing Tax Credit (LIHTC) program. Loans made under the LIHTC program typically carry less risk due to the aligned interest of Tax Credit Investors and committed permanent loans at construction origination, which mitigates interest rate risk. In addition, our ability to change deposit rates in response to changes in interest rates and other market and related factors is limited by client relationship considerations. New construction and value-add or rehabilitation construction projects may not be fully leased at loan origination. These properties typically require additional leasing through the life of the loan to provide adequate cash flow to support debt service payments. If property market fundamentals deteriorate sharply, performance under existing leases could deteriorate and the execution of new leases could slow, compromising the borrower’s ability to cover debt service payments.
An inability to grow cash flow or pressure on expenses created by supply chain, insurance, or interest rate increases would result in an increase in the level of payment defaults within the sector, as well as limiting refinance options. Further, these pressures would likely result in an outflow of capital from the real estate markets, which would in turn drive up capitalization rates and decrease property values.
We are subject to the risk of defaults by our loan clients and counterparties.
Many of our routine transactions expose us to credit risk, including the risk of default of our counterparties, which include other financial institutions, or clients. Our credit risk may be exacerbated when the collateral held cannot be realized or is liquidated at prices insufficient to recover the full amount of the loan or derivative exposure due to us. In deciding whether to extend credit or enter into other transactions, we rely on information furnished by or on behalf of counterparties and clients, including financial statements, credit reports and other information. We also rely on representations of those counterparties, clients, or other third parties as to the accuracy and completeness of that information. The inaccuracy of that information or those representations affects our ability to accurately evaluate the default risk of a counterparty or client. In addition, given the Dodd-Frank legislative mandate to centrally clear eligible derivative contracts, we rely on central clearing counterparties to remain open and operationally viable at all times. A financial institution or other counterparty failure or a cybersecurity breach that causes the failure of or disruption to a counterparty or client, may materially and adversely affect our business, financial condition, or results of operations. Further, market volatility or difficulty accessing liquidity in the capital markets can result in a weaker counterparty profile and eventual failure of the counterparty to meet its contractual obligations.
Declining asset prices could adversely affect us.
During periods of macroeconomic or financial market stress, the volatility and disruption that the capital and credit markets experience may reach, and have in the past reached, extreme levels. Market disruption may severely stress or even lead to the failure of financial institutions, which can cause credit market constriction and liquidation of assets, driving down their prices. Asset price deterioration has a negative effect on the valuation of collateral and certain assets represented on our balance sheet and reduces our ability to sell assets at prices we deem acceptable.
Although the most recent U.S. economic recession resulting from the impact of the COVID-19 pandemic did not have significant lasting impact on collateral value, the nature of that recession was atypical. Most economic recessions are associated with financial market downturns and lower asset prices.
Present risks to stable asset prices include, but are not limited to:
•A correction in equity or housing markets;
•The imposition of further tariffs and other changes to U.S. or global trade policies;
•Supply chain issues such as closed factories and disrupted port activity, as well as the impact of the Russia-Ukraine war and the Israel-Hamas war on global transportation and the availability of materials;
•Recessionary pressures on other major international economies, such as China, that may impact the broader global and our domestic economy;
•Labor-supply constraints, including as a result of further changes to U.S. immigration policies and laws and immigration enforcement, leading to slowing job growth and rising wages along with inflation (wage-price spiral); and
•Negative real GDP growth, as a result of, in part, the Federal Reserve’s monetary policy to arrest inflationary pressures within the broader economy.
Various factors may cause our allowance for loan and lease losses to increase or to be inadequate.
We maintain an ALLL (a reserve established through a provision for loan and lease losses charged to expense) that represents our estimate of losses based on our evaluation of risks within our existing portfolio of loans. The level of the allowance at December 31, 2025 represents management’s estimate of expected credit losses over the contractual life of our existing loan portfolio. The determination of the appropriate level of the ALLL inherently involves a degree of subjectivity and requires that we make significant estimates of current credit risks, current trends, and reasonable and supportable forecasts of future economic conditions, all of which may undergo frequent and material changes. Changes in economic conditions affecting borrowers, the softening of certain macroeconomic variables that we are more susceptible to, such as GDP, unemployment, SOFR and other interest rates, the producer price index, and real estate values, along with updated information regarding existing loans, identification of additional problem loans and other factors, both within and outside of our control, may require an increase in the ALLL. Further, the multitude and totality of factors impacting our estimates and the subjectivity of components of its calculation may cause the ALLL to be an inadequate representation of the actual losses incurred over the life of our loan portfolio. Both an increase in the ALLL and actual losses exceeding our current estimates will reduce our net income and could impact our capital positions and may materially and adversely affect our business, financial condition or results of operations.
Geopolitical destabilization could adversely impact our loan portfolios.
While we have minimal direct foreign company exposure in our loan portfolios, there are correlated and contingent risks posed by geopolitical destabilization within our loan portfolio. For example, conflicts across the world, including the Russia-Ukraine war and the Israel-Hamas war, and recent military action in Venezuela, have proven to or may have a material impact on certain domestic commodity prices, impacting our borrowers' input costs and disrupting supply chains both domestically and abroad. These factors increase potential defaults in our loan portfolio and could ultimately increase loan losses.
II. Market Risk
A worsening of the U.S. economy and volatile or recessionary conditions in the U.S. or abroad could negatively affect our business or our access to capital markets.
A worsening of economic and financial market conditions or downside shocks could result in adverse effects on Key and others in the financial services industry. Banking conditions may deteriorate during periods of persistent or large and sudden interest rate increases and/or a slowing economy, negatively affecting business and financial performance.
In particular, we face the following risks, and other unforeseeable risks, in connection with a downturn in the macroeconomic and financial market environment or other such downside shocks, whether in the United States or internationally:
•A loss of confidence in the financial services industry and the debt and equity markets by investors, placing pressure on the price of our common shares or decreasing the credit or liquidity available to Key, while also increasing the cost of such credit or liquidity;
•A decrease in consumer and business confidence levels generally, decreasing credit usage and investment or increasing delinquencies and defaults and committed line draws;
•A decrease in household or corporate incomes, reducing demand for our products and services;
•A decrease in the value of collateral securing loans to our borrowers or a decrease in the quality of our loan portfolio, increasing loan charge-offs and reducing our net income;
•A decrease in the value of collateral, or an increase in the haircuts on that collateral, that we pledge to secure funding and liquidity, reducing the quantum of that funding and/or liquidity;
•An impairment in our ability to liquidate financial positions at acceptable market prices;
•An increase in competition or consolidation in the financial services industry;
•Increased concern over and scrutiny of the capital and liquidity levels of financial institutions generally, and those of our transaction counterparties specifically with a corresponding increase in our cost of capital, liquidity and/or funding;
•A decrease in confidence in the creditworthiness of the United States or other issuers whose securities we hold; and
•An increase in limitations on or the regulation of financial services companies like Key.
In the event of severely adverse business and economic conditions generally or specifically in the principal markets in which we conduct business, there can be no assurance that the federal government and the Federal Reserve would intervene or make adjustments to fiscal or monetary policy that would cause business and economic conditions to improve. A worsening of business and economic conditions or market volatility related thereto could have a material adverse effect on our business, financial condition, and results of operations.
In addition, volatility and uncertainty related to inflation and the effects of inflation, which has, in recent years, led to increased costs for businesses and consumers, and could cause the Federal Reserve to reinitiate a series of interest rate increases, which may amplify or contribute to some of the risks of our business by adversely affecting the creditworthiness of our borrowers, increasing our costs, or resulting in lower values for our investment securities and other fixed-rate assets. To the extent that the Federal Reserve’s policies around managing inflation fail to mitigate the volatility and uncertainty related to inflation and the effects of inflation, or to the extent conditions otherwise worsen or are exacerbated by policies enacted by the U.S. government, including the imposition of tariffs or other commercial policies, we could experience adverse effects on our business, financial condition, and results of operations.
In addition, when U.S. economic conditions are weak or recessionary, unemployment may rise and corporate profits may fall significantly, creating adverse credit conditions in our lending businesses. Rising credit costs may materially reduce our profitability as we generate the majority of our income from lending activity. See the section entitled “Credit Risk” in this Item 1A. “Risk Factors.”
We are subject to interest rate risk, which could adversely affect net interest income.
Our earnings depend heavily upon our net interest income. Net interest income is the difference between interest income earned on interest-earning assets such as loans and securities and interest expense paid on interest-bearing liabilities such as deposits and borrowed funds. Hence, interest rate risk is inherent to our banking business and takes four primary forms: repricing risk, yield curve risk, basis risk, and option risk. Repricing risk occurs when assets and liabilities respond to interest rate changes at different paces and to a different degree. Yield curve risk arises when short- and long-term interest rates change to a different extent. We incur basis risk to the extent that the relationship between different interest rate indices changes over time. Option risk is present in assets, liabilities or other financial instruments that allow a counterparty to change the timing of interest or principal payments.
Interest rates are highly sensitive to many factors that are beyond our control, including general economic conditions, the competitive environment within our markets, consumer preferences for specific loan and deposit products and their payment behavior, and policies of various governmental and regulatory agencies, in particular, the Federal Reserve. Our ability to anticipate changes in these factors or to hedge the related on- and off-balance sheet exposures, and the cost of any such hedging activity, can significantly influence the success of our asset-and-liability management activities and our net interest income and net interest margin. Changes in monetary policy, including changes in interest rate controls being applied by the Federal Reserve, could influence the amount and timing of interest we receive on loans and securities, the amount and timing of interest we pay on deposits and borrowings, our ability to originate loans and obtain deposits, and the fair value of our financial assets and liabilities. When the Federal Reserve raises or reduces interest rates, the behavior of national money market rate indices, the correlation of consumer deposit rates to financial market interest rates, and the evolution of benchmark rates may not follow historical relationships, which could influence net interest income and net interest margin through basis and other risks. In addition, our ability to change deposit rates in response to changes in interest rates and other market and related factors is limited by client relationships and competitive considerations.
Moreover, if the interest we pay on deposits and other borrowings increases at a faster rate than the interest we receive on loans and other investments, net interest income, and therefore our earnings, would decline. Conversely, earnings could also be adversely affected if the interest we receive on loans and other investments falls more quickly than the interest we pay on deposits and other borrowings. These scenarios illustrate repricing risk.
The impact of interest rates on our investment portfolio and consolidated financial results, including AOCI, can also affect our ability to maintain our capital ratios within our target ranges as well as the amount and timing of our future share repurchases and dividends. For additional information about the effects of interest rates on our business, refer to the information included under the caption “Risk Management — Market risk management” in Item 7 of this report.
Our profitability depends upon economic conditions in the geographic regions where we have significant operations and in certain market segments in which we conduct significant business.
We have concentrations of loans and other business activities in geographic regions where our bank branches are located — Washington; Oregon/Alaska; Rocky Mountains; Indiana/Northwest Ohio/Michigan; Central/Southwest Ohio; East Ohio/Western Pennsylvania; Atlantic; Western New York; Eastern New York; and New England — and additional exposure to geographic regions outside of our branch footprint. Economic growth in the various regions where we operate has been uneven, and the health of the overall U.S. economy may differ from the economy of any particular geographic region. Adverse conditions in a geographic region such as inflation, unemployment, recession, natural disasters, political instability, impact of public health crises, or other factors beyond our control could impact the ability of borrowers in these regions to repay their loans, decrease the value of collateral securing loans made in these regions, or affect the ability of our customers in these regions to continue conducting business with us.
Additionally, a significant portion of our business activities are concentrated within the commercial real estate, healthcare, finance, and utilities market segments. The profitability of some of these market segments depends upon the health of the overall economy, seasonality, the impact of regulation, and other factors that are beyond our control and may be beyond the control of our customers in these market segments.
An economic downturn or recession in one or more geographic regions where we conduct our business, or any significant or prolonged impact on the profitability of one or more of the market segments with which we conduct significant business activity, could adversely affect the demand for our products and services, the ability of our customers to repay loans, the value of the collateral securing loans, and the stability of our deposit funding sources.
The soundness of other financial institutions could adversely affect us.
Our ability to engage in routine funding transactions could be adversely affected by the actions and commercial soundness of other financial institutions. We have exposure to many different industries and counterparties in the financial services industries, and we routinely execute transactions with such counterparties, including brokers and dealers, banks, mortgage originators, hedge funds, insurance companies, and other institutional clients. Financial services institutions are interrelated as a result of trading, clearing, counterparty, or other relationships. As a result, defaults by, or even rumors or questions about, one or more financial services institutions, or the financial services industry generally, have led to, and may further lead to, market-wide liquidity problems and could lead to losses or defaults by us or other financial institutions. Banking is a confidence sensitive business, so disruption within the financial markets, including negative news, rumors, or misinformation regarding the banking industry or perceived risks of a bank’s safety and soundness, can adversely impact the market price and volatility of our common stock, cause deposit runoff or prompt the loss of important customers or counterparties. Online and mobile banking have made it easier for customers to withdraw their deposits. Higher than customary withdrawals can raise funding cost, which may reduce Key’s net interest margin and net interest income. In addition, many of our transactions with other financial institutions expose us to credit risk in the event of default of a counterparty or client. Our credit risk may be affected when the collateral held by us cannot be liquidated at prices sufficient to recover the full amount of our loan or derivatives exposure. There can be no assurance that any such losses would not adversely and materially affect our results of operations.
III. Liquidity Risk
We are subject to liquidity risk, which could negatively affect our funding levels.
Liquidity risk is the danger that a bank may not be able to meet near-term cash demands, such as funding liability maturities and deposit withdrawals, meeting contractual obligations, or funding asset growth and new business initiatives at a reasonable cost, in a timely manner and without adverse consequences. Our banking business is subject to four primary liquidity risks: contingency risk, mismatch risk, funding risk, and refinancing risk. Contingency risk arises from unexpected funding or liquidity needs occurring during adverse systemic or idiosyncratic economic or financial conditions. Mismatch risk may occur when illiquid assets are funded with less stable funding sources. Funding risk arises if funding sources become too concentrated, raising the risk of higher borrowing costs. Refinancing risk arises when a concentrated liability maturity profile creates near-term funding stress. Despite actions that we take to manage these risks, unanticipated changes in assets, liabilities, and off-balance sheet commitments under various economic conditions (reduced wholesale funding capacity), or a substantial, unexpected, or prolonged change in the level or cost of liquidity could have a material adverse effect on us. If the cost effectiveness or the availability of supply in these credit markets is reduced for a prolonged period of time, our funding needs may require us to access funding and manage liquidity by other means.
These alternatives may include generating client deposits, securitizing or selling loans, extending the maturity of wholesale borrowings, borrowing under certain secured borrowing arrangements, using relationships developed with a variety of fixed income investors to access new funds or renegotiate the terms of outstanding debt, and reducing loan growth and investment opportunities. These alternative means of funding would increase our overall cost of funds and they may not be available under stressed conditions, which may cause us to liquidate a portion of our liquid asset portfolio to meet any funding needs.
Capital and liquidity requirements imposed by banking regulators and the credit rating agencies may require banks and BHCs to maintain more and higher quality capital and more and higher quality liquid assets.
Evolving capital standards resulting from the Dodd-Frank Act and the Regulatory Capital Rules adopted by our regulators have had and will continue to have a significant impact on banks and BHCs, including Key. For a detailed explanation of the capital and liquidity rules that apply to us, see the section titled “Regulatory capital requirements” under the heading “Supervision and Regulation” in Item 1 of this report.
Regulatory capital standards require Key to maintain significant amounts of high-quality capital (e.g., common equity) and could limit our business activities (including lending) and our ability to expand organically or through acquisitions. They could also result in our taking steps to increase our capital that may be dilutive to shareholders or limit our ability to pay dividends or otherwise return capital to shareholders.
In addition, regulatory liquidity standards require us to hold high-quality liquid assets, which has caused us to change, and may in the future cause us to change, our mix of investments in favor of lower-yielding securities, and may impact future business relationships with certain customers, both of which may reduce our profitability. Additionally, support of liquidity standards may be satisfied through the use of long-term wholesale borrowings, which tend to have a higher cost than that of traditional core deposits.
Further, the Federal Reserve has detailed the processes that BHCs should maintain to ensure they hold adequate capital under severely adverse conditions and have ready access to funding before engaging in any capital activities. The severity and other features of these processes, which take the form of stress tests and other measures, may evolve from year to year and are used by the Federal Reserve to, among other things, evaluate our management of capital and the adequacy of our regulatory capital and to determine the stress capital buffer that we must maintain above our minimum regulatory capital requirements. Notwithstanding recent actions by the Federal Reserve to increase transparency into capital stress tests and models, the results of these processes are difficult to predict due to, among other things, the Federal Reserve’s use of proprietary stress models that differ from our internal models. Consequently, the Federal Reserve may impose capital requirements in excess of our expectations which could require us, as applicable, to revise our stress-testing or capital management approaches, resubmit our capital plan or postpone, cancel, or alter our planned capital actions. The results may also lead to limits on Key’s ability to make capital distributions, including paying out dividends or buying back shares.
To facilitate our wholesale funding and other business activities, we maintain credit ratings with three major credit rating agencies, and their assessments of our capital and liquidity are prominent determinants of our credit ratings. Additionally, from time to time, the agencies revise their bank rating methodologies and may increase their expectations of the amount and/or type of capital and liquidity we hold in order to maintain our investment grade credit ratings. In certain cases, those rating agency requirements may exceed regulatory requirements, making the rating agency requirements our binding constraint and increasing our capital and/or liquidity costs above what they would otherwise be and potentially reducing our profitability.
From time to time, federal banking regulators tailor the extent to which various categories of large banks are subject to certain capital, liquidity and other regulations. For instance, Category IV banks with assets between $100 billion and $250 billion, including Key, are not currently subject to certain capital and liquidity standards required of larger banks. However, the bank regulatory environment evolves continually, and regulatory standards, expectations and requirements evolve along with that environment, raising the risk of increased compliance costs in the future. Moreover, often in response to industry or macroeconomic stress events, informal regulatory expectations of capital and liquidity management practices may exceed formal requirements. Consequently, Key may not be able to realize any potential benefits of periodic regulatory tailoring.
For more information on regulatory requirements and proposals regarding the management of liquidity risk, see the section titled “Regulatory capital requirements” under the heading “Supervision and Regulation” in Item 1 of this report.
Federal agencies’ actions to ensure stability of the U.S. economy and financial system may have costly or disruptive effects on us.
The federal government’s actions can impact financial markets. For example, beginning in 2024 and during 2025, the Federal Reserve, after an extended period of raising its monetary policy rate, began lowering interest rates to support what it viewed as a weakening labor market. These types of actions can impact financial markets and our business and cause increased financial market and interest rate volatility.
Bank failures, such as those that occurred in 2023, have led the U.S. Treasury Secretary, the FDIC, and the Federal Reserve to invoke the systemic risk exception to the least-cost resolution requirement under the FDIA to guarantee uninsured deposits of the failed banks. The systemic bank exception can only be invoked for financial market risks that pose a threat to financial stability. The FDIC may impose a special assessment on IDIs to recover the loss to the failed bank resulting from the use of the systemic risk exception to protect uninsured depositors. A special assessment could increase our noninterest expense for that quarter, as was the case during the fourth quarter of 2023 and first quarter of 2024.
Regulators can implement measures designed to strengthen capital and liquidity standards and restore confidence in the banking system applicable to Key including those discussed in “Regulatory capital requirements” under the heading “Supervision and Regulation” in Item 1 of this report. These regulatory rules could have a material effect on our business, financial condition, and results of operations. Capital and long-term debt requirements require us to divert resources from otherwise profitable lending and investment opportunities to ensure compliance, which may be dilutive to shareholders or limit Key’s ability to buy back shares or pay dividends.
The Federal Home Loan Bank (FHLB) system continues to be a source of secured funding. Changes in FHLB lending policies or the haircuts they apply to our pledged collateral could adversely affect our liquidity and profitability.
We rely on dividends by our subsidiaries for most of our funds.
We are a legal entity separate and distinct from our subsidiaries. With the exception of cash that we may raise from debt and equity issuances, we receive substantially all of our funding from dividends by our subsidiaries. Dividends by our subsidiaries are the principal source of funds for the dividends we pay on our common and preferred stock and interest and principal payments on KeyCorp debt and capital securities. Federal banking law and regulations limit the amount of dividends that KeyBank (KeyCorp’s largest subsidiary) can pay. For further information on the regulatory restrictions on the payment of dividends by KeyBank, see “Supervision and Regulation” in Item 1 of this report.
In the event KeyBank is unable to pay dividends to us, we may not be able to service debt, pay obligations, or pay dividends on our common or preferred stock. Such a situation could result in Key losing access to alternative wholesale funding sources. In addition, our right to participate in a distribution of assets upon a subsidiary’s liquidation or reorganization is subject to the prior claims of the subsidiary’s creditors.
Our credit ratings affect our liquidity position.
The rating agencies regularly evaluate the securities issued by KeyCorp and KeyBank. The ratings of our long-term debt and other securities are based on a number of factors, including our financial strength, ability to generate earnings, and other factors. Some of these factors are not entirely within our control, such as conditions affecting the financial services industry and the economy and changes in rating methodologies. Changes in any of these factors could impair our ability to maintain our current credit ratings. We may be unable to maintain our current ratings and our ratings may be downgraded in the future. Downgrades to KeyCorp's or KeyBank's credit ratings could impair our access to liquidity and could significantly increase our cost of funds, trigger additional collateral or funding requirements, and decrease the number of investors and counterparties willing to lend to us, reducing our ability to generate income. The impact of downgrades to KeyCorp's or KeyBank's credit ratings could adversely affect our access to liquidity and could significantly increase our cost of funds, trigger additional collateral or funding requirements, and decrease the number of investors and counterparties willing to lend to us, reducing our ability to generate income. If KeyCorp’s or KeyBank's credit ratings fell below investment grade, it could also create obligations or liabilities under the terms of existing arrangements that could increase our costs and reduce our profitability.
A loss of customer deposits or an adverse change in deposit mix could increase our funding costs and/or impair our liquidity.
We rely on customer deposits as a low-cost and stable source of funding. KeyBank competes with banks and other financial institutions, and increasingly with non-banks that offer non-deposit and other alternative savings vehicles, such as stablecoins, for deposits. If demand for deposit alternatives were to grow materially, KeyBank could experience deposit outflows or be compelled to materially increase deposit interest rates to retain its deposits. Customers may also shift their deposits from non-interest bearing to interest bearing accounts or otherwise to higher cost products at KeyBank. Our ability to maintain and grow deposits may be constrained by gaps in our product offerings, emerging technologies and changes in consumer behaviors and preferences, our scale relative to other banks and financial institutions, underlying macroeconomic conditions and monetary policy, and loss of confidence in our brand and our business. To the extent that KeyBank is unable to retain deposits, funding costs may increase as such deposits are replaced with more expensive wholesale funding. Any adverse movement in deposits and associated higher funding costs could reduce our net interest margin and net interest income and otherwise materially and adversely affect our liquidity, financial condition, and results of operations.
IV. Operational Risk
We are subject to a variety of operational risks.
We are subject to operational risk, which represents the risk of loss resulting from human error, inadequate or failed internal processes, internal controls, systems, and external events. Operational risk includes the risk of fraud by employees or others outside of Key, clerical and recordkeeping errors, nonperformance by vendors, threats from cyber activity, and computer/telecommunications malfunctions. Fraudulent activity has escalated, become more sophisticated, and is ever evolving as there are more options to access financial services. Operational risk also encompasses compliance and legal risk, which is the risk of loss from violations of, or noncompliance with, laws, rules, regulations, prescribed practices, or ethical standards, as well as the risk of our noncompliance with contractual and other obligations. We are also exposed to operational risk through our outsourcing arrangements, and the effect that changes in circumstances or capabilities of our outsourcing vendors can have on our ability to continue to perform operational functions necessary to our business, such as certain loan processing functions. For example, breakdowns or failures of our vendors’ systems or employees could be a source of operational risk to us. Resulting losses from operational risk could take the form of explicit charges, increased operational costs (including remediation costs), harm to our reputation, inability to secure insurance, litigation, regulatory intervention or sanctions, or foregone business opportunities.
We rely on our employees to design, manage, and operate our systems and controls to assure that we properly enter into, record and manage processes, transactions and other relationships with customers, vendors, suppliers, and other parties with whom we do business. We also depend on employees and the systems and controls for which they are responsible to assure that we identify and mitigate the risks that are inherent in our relationships and activities. These concerns are increased when we change processes or procedures, introduce new products or services, or implement new technologies, as we may fail to adequately identify or manage operational risks resulting from such changes. These concerns may be further exacerbated by employee turnover or labor shortages. As a result of our necessary reliance on employees to perform these tasks and manage resulting risks, we are thus subject to human vulnerabilities. These range from innocent human error to misconduct or malfeasance, potentially leading to operational breakdowns or other failures. Our controls may not be adequate to prevent problems resulting from human involvement in our business, including risks associated with the design, operation and monitoring of automated systems. We may also fail to adequately develop a culture of risk management among our employees.
We and third parties on which we rely (including their downstream service providers) may experience a cyberattack, technology failure, information system or security breach or interruption.
We rely heavily on communications, information systems (both internal and provided by third parties), and the internet to conduct our business. Our business is dependent on our ability to process and monitor large numbers of daily transactions in compliance with legal, regulatory, and internal standards and specifications. In addition, a significant portion of our operations relies heavily on the secure processing, storage, and transmission of personal and confidential information, such as the personal information of our employees, customers, and clients. These risks may increase in the future as we continue to increase mobile payments and other internet-based product offerings, expand our internal usage of web/cloud-based products and applications, and maintain and develop new relationships with third-party providers, including their downstream service providers. In addition, our ability to extend protections to customers’ information to individual customer devices is limited, especially if the customers willingly provide third parties access to their devices or information.
In the event of a failure, interruption, or breach of our information systems, or that of a third party that provides services to us or our customers, we may be unable to avoid impact to our customers. For example, we may experience operational disruptions or interruptions as a result of a cyber incident, including disruption caused by protective containment measures taken by us, such as taking certain first- or third-party systems off-line for a prolonged period. Such a failure, interruption, or breach could result in legal liability, remediation costs, regulatory action, or reputational harm. U.S. financial service institutions and companies have reported breaches in the security of their websites or other systems and several financial institutions, including Key, have had third parties on which they rely experience such breaches. In addition, several financial institutions, including Key, have experienced significant distributed denial-of-service attacks, some of which involved sophisticated and targeted attacks intended to disrupt, disable, or degrade services, or sabotage systems or data. Other attacks have attempted to obtain unauthorized access to confidential, proprietary, or personal information or intellectual property, to extort money through the use of “ransomware” or other extortion tactics, or to alter or destroy data or systems, often through various attack vectors and methods, including the introduction of computer viruses or malicious or destructive code (commonly referred to as “malware”), phishing, cyberattacks, account takeovers, credential stuffing, and other means.
To the extent that we use third parties to provide services to our clients, we cannot control all of the risks at these third parties or third parties’ downstream service providers. Hardware, software, or applications developed by Key or received from third parties may contain exploitable vulnerabilities, bugs, or defects in design, maintenance or manufacture or other issues that could lead to compromise of information and cybersecurity. We depend on third party service providers and their downstream service providers to implement adequate controls and safeguards to protect against and report cyber incidents. While we have a third party risk management program, because we do not control our third party service providers or their downstream service providers and our ability to monitor their cybersecurity is limited, we cannot ensure the cybersecurity measures they take will be sufficient to protect any information we share with them or prevent any disruption arising from a technology failure, cyberattack or other information or security breach. If such parties fail to deter, detect, or report cyber incidents in a timely manner, we may suffer from financial and other harm, including to our information, operations, performance, employees, and reputation. In addition, should an adverse event affecting another company’s systems occur, we may not have indemnification or other protection from the other company sufficient to fully compensate us or otherwise protect us or our clients from the consequences. To date, our losses and costs related to these breaches have not been material, but other similar events in the future could have a material impact on our business strategy, results of operations, or financial condition.
In addition, our customers routinely use Key-issued credit and debit cards to pay for transactions conducted with businesses in person and over the internet. If the business’s systems that process or store debit or credit card information experience a security breach, our card holders may experience fraud on their card accounts. We may suffer losses associated with such fraudulent transactions, as well as for other costs, such as replacing impacted cards. Key also provides card transaction processing services to some merchant customers under agreements we have with payment networks. Under these agreements, we may be responsible for certain losses and penalties if one of our merchant customers suffers a data breach.
We also face risks related to the interdependence and interconnectivity of financial entities and technology systems. A technology failure, cyberattack or other security breach that significantly compromises the systems of one or more financial parties or service providers in the financial system could have a material impact on counterparties or market participants, including us. Such incidents could also lead to widespread technology outages, interruptions or other failures of operational, communication, or other systems globally and across companies and industries. Any third-party technology failure, cyberattack, or security breach could adversely affect our ability to effect transactions, service clients, or otherwise operate our business and could result in legal liability, remediation costs, regulatory action, or reputational harm. Additionally, the increasing use of third-party financial data aggregators and emerging technologies, including the use of AI, introduces new information security risks and exposure for us and for our third party service providers, and, additionally, such technologies may be used to identify vulnerabilities; such technologies have resulted in a substantial increase in the volume and sophistication of cyberattacks against financial and other institutions, including the use of generative AI to conduct more sophisticated social engineering attacks. 
Additionally, the increasing use of third-party financial data aggregators and emerging technologies, including the use of automation, artificial intelligence and robotics, introduces new information security risks and exposure for us and for our third party service providers, and, additionally, such technologies may be used to identify vulnerabilities; such technologies have resulted in a substantial increase in the volume and sophistication of cyberattacks against financial and other institutions, including the use of generative artificial intelligence to conduct more sophisticated social engineering attacks.
Security attacks can originate from a wide variety of sources/malicious actors, including, but not limited to, persons who constitute an insider threat, who are involved with organized crime, or who may be linked to terrorist organizations or hostile foreign governments. Those same parties may also attempt to fraudulently induce employees, customers, or other users of our systems to disclose sensitive information in order to gain access to our data or that of our customers or clients through social engineering, phishing, mobile phone malware and SIM card swapping, and other methods. Our security systems, and those of the third-party service providers on which we rely, may not be able to protect our information systems or data from similar attacks due to the rapid evolution and creation of sophisticated cyberattacks. We are also subject to the risk that a malicious actor or our employees may intercept and/or transmit or otherwise misuse unauthorized personal, confidential, or proprietary information or intellectual property. An interception, misuse, or mishandling of personal, confidential, or proprietary information or intellectual property being sent to or received from a customer or third party could result in legal liability, remediation costs, regulatory action, and reputational harm.
We have incurred and will continue to incur significant expense in an effort to improve the reliability and resilience of our systems and their security against internal and external threats. Nonetheless, we cannot guarantee our measures will be effective or sufficient to prevent a cyber incident, and there remains the risk that one or more adverse events might occur. If one does occur, it could go undetected and persist for an extended period of time and/or we may be unable to remediate the event or its consequences timely or adequately. While we do maintain cyber information security and business interruption insurance, losses from a major interruption may exceed our coverage and there can be no assurance that liabilities or losses we may incur will be covered under such policies, that such insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim.
We rely on third parties to perform significant operational services for us, and their failure to perform to our standards or other issues of concern with them could harm us.
Third parties perform significant operational services on our business, and many of our third party vendors outsource aspects of their operations and contractual obligations to downstream service providers. These parties – both our vendors and their downstream service providers – are subject to similar risks as Key. While we have a third party risk management program and can exert varying degrees of influence over our service providers, we do not control them, their actions, or their businesses. For example, one or more of these parties may experience a cybersecurity event, financial distress (including, but not limited to, filing for bankruptcy), operational difficulties, or operational disruptions that could negatively impact performance and delivery of our services. In addition, some of our third party arrangements are located overseas and, therefore, are subject to risks unique to the regions in which they operate. Service providers have not always met our requirements and expectations, and no assurance can be provided that in the future they will perform to our standards, adequately represent our brand, comply with applicable law, appropriately manage their own risks, including cybersecurity, remain financially or operationally viable, abide by their contractual obligations, or continue to provide us with the services that we require or that they are contractually obligated to provide. Disruption in services provided by these third parties, including a discontinuation or delay in services, could increase the costs of doing business and adversely affect our ability to deliver products and services to clients, to support teammates, and otherwise to conduct business, which would negatively impact our customer relationships, our reputation, and our business.
Further, regulatory guidance adopted by federal banking regulators related to how banks select, contract with, evaluate, engage with, and manage their third parties, including such third parties’ use of subcontractors and downstream service providers, impacts whether and how we work with such parties, as well as the cost of managing such relationships. In some instances, we may be responsible for failures of third parties to comply with government regulations. We may need to incur substantial expenses to address issues with a service provider, and if the issues cannot be acceptably resolved, we may not be able to timely or effectively replace the service provider due to contractual restrictions, the unavailability of acceptable alternative providers, or other reasons. Further, regardless of how much we can influence our service providers, issues of concern with them could result in supervisory actions and private litigation against us and could harm our reputation, business, and financial results. Certain third parties may have limited indemnification obligations to us or may not have the financial capacity to satisfy their indemnification obligations, and our insurance coverage may be inadequate to protect us from losses related to the actions of our third party vendors and their downstream service providers.
Our framework for managing risks and mitigating losses may not be effective.
Our risk management framework seeks to maintain safety and soundness and maximize profitability. We have established policies, processes, and procedures intended to identify, measure, monitor, report, and analyze the types of risk to which we are subject, including compliance, operational, technology, liquidity, market, credit, model, and strategic risk, among others. We cannot provide assurance that our risk management framework will effectively mitigate risk and limit losses in our business and operations. For example, our risk management framework and measures that we take to mitigate risk may not be fully effective in identifying and mitigating our risk exposure in all market environments or against all types of risks, including risks that are unidentified or unanticipated, even if the frameworks for assessing risk are properly designed and implemented. In addition, some of our methods of managing risk are based upon our use of observed historical market behavior and management’s judgment. These methods may not accurately predict future exposures, which could be significantly greater than historical measures indicate. If our risk management framework proves ineffective, we could suffer unexpected losses and our business, results of operations, and financial condition could be adversely affected.
We are, and may in the future be, subject to claims, litigation, arbitration, investigations, and governmental proceedings, which could result in significant financial liability and/or reputational harm.
We are subject to, and may in the future be subject to, claims or legal actions taken against us by customers, vendors, shareholders, or other parties. Further, KeyCorp is currently named, and KeyCorp and certain of its officers and directors have in the past been named, and may in the future be named, as defendants in various class actions, mass arbitrations, and other litigation relating to our business and activities. We maintain reserves for certain claims when deemed appropriate based upon our assessment that a loss is probable, estimable, and consistent with applicable accounting guidance. At any given time, we have a variety of legal actions asserted against us in various stages of litigation. Resolution of a legal action can often take years. Whether any particular claims and legal actions are founded or unfounded, if such claims and legal actions are not resolved in our favor, they may result in significant financial liability and adversely affect how the market perceives us and our products and services as well as impact customer demand for those products and services.
We are also involved, from time to time, in other information-gathering requests, reviews, investigations, and proceedings (both formal and informal) by governmental and self-regulatory agencies regarding our business, including, among other things, accounting, compliance, and operational matters, which may result in adverse judgments, settlements, fines, penalties, injunctions, or other relief which, if significant, could adversely affect our business, results of operations and/or financial condition. Enforcement authorities may also seek admissions of wrongdoing and, in some cases, criminal pleas as part of the resolutions of matters and any such resolution of a matter involving Key could lead to increased exposure to private litigation, could adversely affect Key’s reputation, and could result in limitations on our ability to do business in certain jurisdictions. Further, enforcement matters could impact our supervisory and CRA ratings, which may in turn restrict or limit certain of our business activities. In recent years, there has been an increase in the number of investigations and proceedings in the financial services industry. A violation of law or regulation by another financial institution has, in the past, resulted in, and may, in the future, give rise to an inquiry or investigation by regulators or other authorities of the same or similar practices by Key. The outcome of regulatory matters as well as the timing of ultimate resolution are inherently difficult to predict, and the uncertain regulatory enforcement environment makes it difficult to estimate probable losses, which can lead to substantial disparities between legal reserves and actual settlements or penalties.
Our controls and procedures may fail or be circumvented, and our methods of reducing risk exposure may not be effective.
We regularly review and update our internal controls, disclosure controls and procedures, compliance monitoring activities, and corporate governance policies and procedures. We also maintain an ERM program designed to identify, measure, monitor, report, and analyze our risks. Additionally, our internal audit function provides an independent assessment and testing of Key’s internal controls, policies, and procedures. Any system of controls and any system to reduce risk exposure, however well designed, operated, and tested, is based in part on certain assumptions and can provide only reasonable, not absolute, assurances that the objectives of the system are met. The systems may not work as intended or be circumvented by employees, third parties, or others outside of Key. Additionally, instruments, systems, and strategies used to mitigate or otherwise manage exposure to various types of risk could be less effective than anticipated. As a result, we may not be able to effectively or fully mitigate our risk exposures in particular market environments or against particular types of risk.
Our operations and financial performance could be adversely affected by severe weather and natural disasters, both directly and as a result of impacts on our customers.
Our operations and financial performance could be adversely affected by severe weather and natural disasters exacerbated by climate change.
Natural disasters, including wildfires, tornadoes, severe storms, and hurricanes, have seemingly become more frequent and severe. The timing and effects of these climate-related physical risks are difficult to accurately predict, and the potential impact of such risks on our operations, employees, communities, and customers could have a material adverse effect on our business, financial position, and results of operations. Given our broad regional focus, we are exposed to a wide range of climate-related physical risks across different geographical areas. Severe weather events can directly affect our operations by interrupting systems, damaging facilities, disrupting our supply chain, and hindering our ability to conduct business as usual. Additionally, these events can indirectly impact us by damaging or destroying customer businesses, impairing their ability to repay loans, or causing damage to properties pledged as collateral for loans made by Key. Although preventative measures may help to mitigate damage, such measures could be costly, and any disaster could adversely affect our ability to conduct our business as usual. Furthermore, the insurance we maintain may not be adequate to cover our losses resulting from any business interruption resulting from a natural disaster or other severe weather events. Recurring extreme weather events could also reduce or eliminate the availability or increase the cost of insurance to Key and our customers.
Recurring extreme weather events could also reduce the availability or increase the cost of insurance. Our failure to comply with evolving regulatory requirements related to natural disaster risk management may also result in legal and financial consequences.
Our development and use of AI, including through third parties, exposes us to inherent risks that may adversely impact KeyCorp.
We use, and will increasingly use AI, including through third party vendors acting on our behalf and other counterparties, in connection with our business and operations. AI is complex and rapidly evolving and in order to compete with other banks and financial institutions effectively, we must incorporate new and emerging AI technology into our business and this may subject us to new or heightened legal, regulatory, operational, and other risk. The legal and regulatory environment relating to AI is uncertain and evolving, and any changes to applicable laws and regulations could require changes to our use of AI technology and could cause an increase in associated costs and expenses. We may also be unsuccessful in realizing the intended benefits of AI or otherwise enhancing our business or operations and our competitors may incorporate AI in their businesses or operations more quickly or more successfully than us, all of which could occur despite considerable expense and which could negatively affect our financial condition and results of operations.
The models underlying AI that we may leverage, including those developed by third party providers, may be incorrectly or inadequately designed or implemented and trained on, or otherwise use, data or algorithms that are incomplete, inadequate, misleading, biased, or otherwise flawed, or that are subject to intellectual property rights not known to us, and that ultimately produce outputs that are similarly flawed but on which we or third parties acting on our behalf rely, and any such flaw may not be easily and readily detectable. The limited transparency into the underlying complexity of AI and associated models that we rely on makes reproducing the connection between input and output, at times, difficult or impossible. If the AI that we leverage is flawed in such ways, we may make inaccurate or ineffective decisions and otherwise incur operational inefficiencies, compliance issues, competitive and reputational harm, adverse legal and regulatory actions, or other adverse impacts to our business and operations. We may not be able to sufficiently mitigate or detect any of the foregoing risks given the emerging nature of AI technology. Additionally, inappropriate or controversial data practices by third party AI developers and their end-users could adversely affect public opinion of AI and ultimately impair acceptance of AI, including those incorporated into our business and operations.
V. Compliance Risk
We are subject to extensive government regulation, supervision, and tax legislation.
As a financial services institution, we are subject to extensive federal and state regulation, supervision, and tax legislation. Banking regulations are primarily intended to protect depositors’ funds, the DIF, consumers, taxpayers, and the banking system as a whole, not our debtholders or shareholders. These regulations increase our costs and affect our lending practices, capital structure, investment practices, dividend policy, ability to repurchase our common shares, and growth, among other things.
KeyBank and KeyCorp remain covered institutions under the Dodd-Frank Act’s enhanced prudential standards and regulations, including its provisions designed to protect consumers from financial abuse. Like similarly situated institutions, Key undergoes routine scrutiny from bank supervisors in the examination process and is subject to enforcement of regulations at the federal and state levels, particularly with respect to customer practices involving fair and responsible banking, fair lending, unfair, deceptive or abusive practices, and the Community Reinvestment Act, as well as compliance with AML, BSA and Office of Foreign Assets Control efforts.
Changes to existing statutes and regulations, and taxes (including industry-specific taxes and surcharges), or their interpretation or implementation, could affect us in substantial and unpredictable ways, particularly with those laws and regulations that serve to protect customers. Such changes may subject us to additional costs, adversely impact our income, and increase our litigation risk should we fail to appropriately comply and may also impact consumer behavior, limit the types of financial services and products we may offer, affect the investments we make, and change the manner in which we operate. In addition, changes to laws and regulations may impact our customers by requiring them to adjust their operations or practices or impair their ability to pay fees or outstanding loans or afford new products, which could negatively impact demand for our products and services.
Certain federal regulations have been in existence for decades without modification to account for modern banking practices, such as digital delivery of products and services, which can create challenges in execution and in the examination process. Emerging technologies, such as cryptocurrencies, could limit KeyBank’s ability to track the movement of funds. KeyBank’s ability to comply with BSA/AML and other regulations is dependent on its ability to continuously improve detection and reporting capabilities and reduce variation in control processes and oversight accountability.
Additionally, federal banking law grants substantial enforcement powers to federal banking regulators. This enforcement authority includes, among other things, the ability to assess civil money penalties, fines, or restitution, to issue cease and desist or removal orders, and to initiate injunctive actions against banking organizations and affiliated parties. These enforcement actions may be initiated for violations of laws and regulations, for practices determined to be unsafe or unsound, or for practices or acts that are determined to be unfair, deceptive, or abusive. Failure to comply with these and other regulations, and supervisory expectations related thereto, may result in fines, penalties, lawsuits, regulatory sanctions, reputational damage, or restrictions on our business. Moreover, different government administrations may have different regulatory priorities, which may impact the level of regulation of financial institutions and the enforcement environment. For more information, see “Supervision and Regulation” in Item 1 of this report.
We are subject to complex and evolving laws and regulations regarding privacy and cybersecurity, which could limit our ability to pursue business initiatives, increase the cost of doing business and subject us to compliance risks and potential liability.
We are subject to complex and evolving laws, regulations, and requirements governing the privacy and protection of personal information of our customers, employees, job applicants, and other individuals. Complying with laws, regulations, and requirements applicable to our collection, use, transfer, and storage of personal information, as well as notification requirements related to our obligations with respect to such personal information, can increase operating costs, impact the development and marketing of new products or services, and reduce operational efficiency. Any mishandling or misuse of personal information by Key or our vendors or our failure to comply with notification requirements related to incidents relating to such personal information could expose us to litigation or regulatory fines, penalties, or other sanctions.
At the federal level, we are subject to the Gramm-Leach-Bliley Act of 1999, as amended, which requires financial institutions to, among other things, periodically disclose their privacy policies and practices relating to sharing personal information and, in some cases, enables customers to opt out of the sharing of certain non-public personal information with unaffiliated third parties. We are also subject to the rules and regulations promulgated under the authority of the Federal Trade Commission, which regulates unfair or deceptive acts or practices, including with respect to privacy and cybersecurity. A number of states have also recently enacted consumer privacy laws that impose compliance obligations with respect to personal information or issued guidance regarding the same, such as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (known as the “CCPA”), and the New York Department of Financial Services Cybersecurity Regulations. In addition, there has been a significant increase in privacy-related litigation in recent years with respect to how organizations collect information and technical data from their public facing websites, and federal and state courts have been creating new legal frameworks around consumer and website privacy, which also creates new risks on businesses. As new privacy-related laws and regulations, and judicially-created frameworks, are implemented in jurisdictions in which KeyBank operates, the time and resources needed for us to comply with such laws and regulations, as well as our potential liability for noncompliance and reporting obligations in the case of data breaches, may significantly increase. 
Compliance with these laws and regulations has required and may continue to require us to change our policies, procedures, and technology for information security and segregation of data, which could, among other things, make us more vulnerable to operational failures, result in increased costs as a result of continually evaluating our policies and processes and adapting to new requirements that are or become applicable to us, and subject us to monetary penalties for breach of such laws and regulations. As a result, some uncertainty remains as to the aggregate impact upon Key of significant regulations.
VI. Strategic Risk
We may not realize the expected benefits of our strategic initiatives.
Our ability to compete depends on a number of factors, including, among others, our ability to develop and successfully execute our strategic plans and initiatives. Our strategic priorities include growing profitability; acquiring and expanding targeted client relationships; effectively managing risk and rewards; maintaining financial strength; fostering an inclusive work environment for all employees; and engaging, retaining, and inspiring our high-performing and talented workforce. The success of these initiatives can be subject to changes in the macroeconomic environment that are beyond our control. In addition, our inability to execute on or achieve the anticipated outcomes of our strategic priorities, or to do so in the expected timeframe, may affect how the market perceives us and could impede our growth and profitability.
We operate in a highly competitive industry.
We face substantial competition in all areas of our operations from a variety of competitors, some of which are larger and may have more financial resources than us. Our competitors primarily include national and super-regional banks as well as smaller community banks within the various geographic regions in which we operate. We also face competition from many other types of financial institutions, including, without limitation, savings associations, credit unions, mortgage banking companies, finance companies, mutual funds, insurance companies, investment management firms, private credit funds, investment banking firms, broker-dealers, financial technology companies, and other local, regional, national, and global financial services firms. In addition, technology has lowered barriers to entry and made it possible for nonbanks, including large technology companies, to offer products and services traditionally provided by banks. Furthermore, both financial institutions and their non-banking competitors face the risk that payments processing and other products and services, including deposits and other traditional banking products, could be significantly disrupted by the use of new technologies, such as cryptocurrencies and other applications using secure distributed ledgers that may not require intermediation. We expect the competitive landscape of the financial services industry to become even more intense as a result of legislative, regulatory, structural, customer preference, and technological changes.
Our ability to compete successfully depends on a number of factors, including: our ability to develop and execute strategic plans and initiatives; our ability to develop, maintain, and build long-term client relationships; our ability to develop and deliver competitive products and technologies expected by our customers, while maintaining safety and soundness, effective risk management practices, and high ethical standards; our ability to attract, retain, and develop a workforce with the required skills and expertise; and industry and economic trends. Increased competition in the financial services industry, or our failure to perform in any of these areas, could significantly weaken our competitive position, which could adversely affect our growth and profitability.
Strategic risk may also be realized due to events or issues that materialize in other risk factor areas. For example, significant deficiencies in end-to-end operational execution and/or product delivery or failure to comply with applicable laws and regulations may result in unmet client expectations or harm and impact our competitive standing in the industry.
Maintaining or increasing our market share depends upon our ability to adapt our products and services to evolving industry standards and consumer preferences, while maintaining competitive products and services.
The continuous, widespread adoption of new technologies requires us to continually evaluate our product and service offerings to ensure they remain competitive. Our success depends, in part, on our ability to adapt our products and services, as well as our distribution of them, to evolving industry standards and consumer preferences. New technologies have altered consumer behavior by allowing consumers to complete transactions such as paying bills or transferring funds directly without the assistance of banks. New products allow consumers to maintain funds in brokerage accounts or mutual funds that would have historically been held as bank deposits. Furthermore, both financial institutions and their non-banking competitors face the risk that payments processing and other products and services, including deposits and other traditional banking products, could be significantly disrupted by the use of new technologies, such as cryptocurrencies and other applications using secure distributed ledgers that may not require intermediation. The process of eliminating banks as intermediaries, known as “disintermediation,” could result in the loss of fee income, as well as the loss of customer loans and deposits and related income generated from those products.
The increasing pressure from our competitors, both bank and nonbank, to keep pace and adopt new technologies and products and services requires us to incur substantial expense. We may be unsuccessful in developing or introducing new products and services, modifying our existing products and services, adapting to changing consumer preferences and spending and saving habits, achieving market acceptance or regulatory approval, sufficiently developing or maintaining a loyal customer base, or offering products and services at prices equal to or lower than the prices offered by our competitors. These risks may affect our ability to achieve growth in our market share and could reduce both our revenue streams from certain products and services and our revenues from our net interest income.
We may not be able to attract and retain skilled people.
Our success depends on our ability to attract, retain, motivate, and develop a high performing and collaborative workforce. Competition for talent in our business is strong and requires us to make investments to provide compensation and benefits at market levels. Rising wages, as well as inflation, may cause us to increase these investments. Such investments cause compensation and benefits to represent our greatest expense.
Additionally, we increasingly compete for talent outside of the core financial services industry. Non-financial institutions may be subject to different pay and hiring expectations than us, which may make it more difficult and/or costlier for us to attract and retain qualified teammates. For example, we are required to deliver a substantial portion of the variable compensation of certain teammates in the form of awards tied to our financial performance and/or share price performance. Our failure to achieve our long-term financial goals and/or our share price performance may cause the value of these awards to decline or fall to zero, which would impact our ability to retain and incentivize qualified teammates. Similarly, our pay practices are subject to scrutiny by our regulators who may identify deficiencies in the structure of, or issue additional guidance on our compensation practices, causing us to make changes that may affect our ability to offer competitive pay to these individuals or that place us at a disadvantage to non-financial service industry competitors.
Acquisitions or strategic partnerships may disrupt our business and dilute shareholder value.
Acquisitions of businesses, such as financial technology companies or investment banking firms, bank branches, or other banks involve various risks commonly associated with acquisitions or partnerships, including exposure to unknown or contingent liabilities of the acquired company; diversion of our management’s time and attention; significant integration risk with respect to employees, accounting systems, and technology platforms; increased regulatory scrutiny; and the possible loss of key employees and customers of the acquired company. We regularly evaluate merger and acquisition and strategic partnership opportunities and conduct due diligence activities related to possible transactions. As a result, mergers or acquisitions involving cash, debt or equity securities may occur at any time. Acquisitions may involve the payment of a premium over book and market values. Therefore, some dilution of our tangible book value and net income per common share could occur in connection with any future transaction.
Scotiabank holds a significant equity interest in our business and may exercise influence over us, including through its ability to designate up to two directors to our Board of Directors.
Scotiabank holds approximately 14.9% of our issued and outstanding common shares. Pursuant to the Investment Agreement, dated August 12, 2024, between us and Scotiabank (the “Investment Agreement”), Scotiabank is entitled to designate up to two directors to our Board of Directors, subject to specified minimum ownership requirements. As of the date hereof, our Board of Directors includes two directors who were appointed pursuant to Scotiabank’s director designation rights. As a result of the amount of common shares that are currently held by Scotiabank, together with its director designation rights, Scotiabank may be able to influence our policies and operations and impact matters requiring shareholder approval. In addition, the existence of a large shareholder may have the effect of deterring takeovers, delaying or preventing changes in control or changes in management, or limiting the ability of our other shareholders to approve transactions that they may deem to be in the best interests of our company. The interests of Scotiabank with respect to matters potentially or actually involving or affecting us and our other shareholders, such as future acquisitions, financings, and other corporate opportunities and attempts to acquire us, may conflict with the interests of our other shareholders.
Damage to our reputation could significantly impact our business and major stakeholders.
Our ability to attract and retain customers, clients, investors, and highly skilled management and employees is affected by our reputation. Damage to our reputation could also adversely impact our credit ratings and access to capital markets.
Significant harm to our reputation can arise from various sources, including inappropriate behavior or misconduct of employees, actual or perceived unethical behavior, litigation or regulatory outcomes, inadequate or ineffective risk management practices, failing to deliver minimum or required standards of service and quality, failure to safeguard client information, corporate governance and regulatory compliance issues, disclosure of confidential information, significant or numerous failures, interruptions or breaches of our information systems, complex fraud threats, failure to meet external commitments and goals, including financial corporate responsibility and sustainability related commitments, the activities of our clients, customers and counterparties, including vendors, and actions taken by shareholder activists and community organizations. The harm to our reputation is likely greater to the extent that the behavior, misconduct, failures, issues, interruptions or actions are pervasive, long-standing or affect a significant number of customers, and particularly retail consumers. The negative impacts to our business from such reputational damage may be disproportionate to the actual harm caused to customers. Furthermore, because we conduct most of our businesses under the “Key” brand, negative public opinion about one business could also affect our other businesses. Additionally, actions by the financial services industry generally or by certain members or individuals in the industry as well as legislative or regulatory actions that target or negatively impact the industry may also have a significant adverse effect on our reputation.
We are also subject to the risk that disruptions to how our customers access our banking services, such as disruptions to our technology platforms (e.g., online banking websites or mobile applications) or other impacts to our branches, could harm our reputation with customers. In particular, a cybersecurity event impacting Key or our customers’ data or personal information could negatively impact our reputation and customer confidence in Key and our data security procedures. Increased model and generative AI use could expose us to liability or adverse legal or regulatory consequences and harm our reputation and the public perception of our business or the effectiveness of our security measures.
We could also suffer significant reputational harm if we fail to properly identify and manage potential conflicts of interest. Management of potential conflicts of interests is complex as we expand our business activities through more numerous transactions, obligations, and interests with and among our clients. The actual or perceived failure to adequately address conflicts of interest could affect the willingness of clients to deal with us, which could adversely affect our businesses, and could give rise to litigation or enforcement actions.
Negative coverage about Key published in traditional media or on social media websites, whether or not factually correct, may affect our reputation and our business prospects and impact our ability to attract and retain highly skilled employees and customers. Social media facilitates the rapid dissemination of information or misinformation, thereby increasing the potential for widespread dissemination of inaccurate, false, misleading, or other negative information that could damage our reputation. There can be no assurance that such negative coverage will not damage our reputation and adversely affect our business. There can be no assurance that any such losses would not adversely and materially affect our results of operations.
Differing views on corporate responsibility and sustainability could adversely affect our reputation and our business and results of operations.
Views about corporate responsibility and sustainability-related issues are differing, dynamic, and rapidly changing. Financial services companies, including Key, face increasing criticism with accompanying reputational risk from activists, politicians, investors, and stakeholders who believe companies should be focusing more or less on environmental, social, political, and governance matters. Companies in our industry are also targeted for engaging or not engaging in business with specific customers or with customers in particular industries. Additionally, however we respond to such criticism, we face the risk that current or potential customers may decline to do business with us (or encourage others to do so) or current or potential employees refuse to work for us and could subject us to litigation or regulatory action. This can be true regardless of whether we are perceived by some as not having done enough to address these concerns or by others as having inappropriately yielded to stakeholder pressures.
Companies are also facing increasing scrutiny from customers, regulators, investors, and other stakeholders related to their corporate responsibility and sustainability practices and disclosures. We may face criticism or a loss of confidence, with accompanying reputational risk, from our perceived action or inaction to deliver on our corporate responsibility and sustainability-related commitments. Investors and other stakeholders, including U.S. institutional investors, are increasingly considering how corporations are (or are not) incorporating corporate responsibility and sustainability matters, including climate-related financial risks, into their business strategy when analyzing the expected risk and return of potential investments. These considerations in investing priorities may result in adverse effects on the trading price of our common stock if investors determine that Key is not aligned with investors’ priorities. In addition, collecting, measuring, and reporting corporate responsibility and sustainability information and metrics can be costly, difficult and time consuming, is subject to evolving and potentially conflicting reporting standards, and can present numerous operational, reputational, financial, legal, and other risks.
VII. Model Risk
We rely on quantitative models to manage certain accounting, risk management, capital planning, and treasury functions.
We use quantitative models to help manage certain aspects of our business and to assist with certain business decisions, including, but not limited to, estimating ALLL, measuring the fair value of financial instruments when reliable market prices are unavailable, estimating the effects of changing interest rates and other market measures on our financial condition and results of operations, managing risk, predicting cash flows, and for capital planning purposes (including during the capital stress testing process). Models are simplified representations of real-world relationships. Thus, our modeling methodologies rely on many assumptions, historical analyses, correlations, and available data. These assumptions provide only reasonable, not absolute, estimates, particularly in times of market distress when historical correlations on which we rely may no longer be relevant. Additionally, as businesses and markets evolve, our measurements may not accurately reflect this evolution. Models can also produce inadequate estimates due to errors in computer code, use of unsuitable data during model development or implementation, or the use of a model for a purpose outside the scope of the model’s design.
Some models we use employ methodologies based on artificial intelligence or machine learning. Compared to traditional models, these models may involve some additional complexities, such as the need for large datasets for training, the potential for algorithmic bias, and difficulty in interpreting model outputs.
If our models fail to produce reliable results on an ongoing basis, we may not make appropriate risk management, capital planning, or other business or financial decisions. Furthermore, strategies that we employ to manage and govern the risks associated with our use of models may not be effective or fully reliable, and as a result, we may realize losses or other lapses.
We have an enterprise-wide model risk management program designed to accurately identify, measure, report, monitor, and manage model risk. The management of model risk includes independent validation and model governance, establishing and monitoring model control standards and model risk metrics, and completeness and accuracy of the inventory of models.
Banking regulators continue to focus on the models used by banks and bank holding companies in their businesses. The failure or inadequacy of a model may result in increased regulatory scrutiny on us or may result in an enforcement action or proceeding against us by one of our regulators.
IX. Estimates and Assumptions Risk
The preparation of our consolidated financial statements requires us to make subjective determinations and use estimates that may vary from actual results and materially impact our financial condition and results of operations.
The preparation of consolidated financial statements in conformity with U.S. GAAP requires management to make significant estimates that affect the financial statements. Our accounting policies and methods are fundamental to how we record and report our financial condition and results of operations. Some of these policies require the use of estimates and assumptions that may affect the value of Key’s assets or liabilities and financial results. Certain accounting policies are critical because they require management to make difficult, subjective or complex judgments about matters that are inherently uncertain and the likelihood that materially different estimates would result under different conditions or through the utilization of different assumptions. If assumptions or estimates underlying Key’s consolidated financial statements are incorrect or are adjusted periodically, our financial condition and results of operations could be materially impacted. See the “Critical Accounting Policies” section of Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations in this report for additional information.
Changes in accounting policies, standards, and interpretations could materially affect how we report our financial condition and results of operations.
The FASB periodically changes the financial accounting and reporting standards governing the preparation of Key’s consolidated financial statements. Additionally, those bodies that establish and/or interpret the financial accounting and reporting standards (such as the FASB, SEC, and other regulatory agencies) may change prior interpretations or positions on how these standards should be applied. These changes can be difficult to predict and can materially affect how Key records and reports its consolidated financial condition and results of operations. In some cases, Key could be required to retroactively apply a new or revised standard, resulting in changes to previously reported financial results.
Impairment of goodwill could require charges to earnings, which could result in a negative impact on our results of operations.
Goodwill is periodically tested for impairment by comparing the fair value of each reporting unit to its carrying amount. If the fair value is greater than the carrying amount, then the reporting unit’s goodwill is deemed not to be impaired. The fair value of a reporting unit is impacted by the reporting unit’s expected financial performance and susceptibility to adverse economic, regulatory, and legislative changes. A significant decline in a reporting unit’s expected future cash flows, a significant adverse change in the business climate, slower economic growth or a significant and sustained decline in the price of our common stock may cause the fair value of a reporting unit to be below its carrying amount, resulting in goodwill impairment. If an impairment loss is recorded, it will have little or no impact on the tangible book value of our common stock, or on our regulatory capital levels, but such an impairment loss could significantly reduce our earnings and thereby restrict KeyBank’s ability to make dividend payments to us without prior regulatory approval, which in turn could impact our ability to pay dividends. At December 31, 2025, the book value of our goodwill was $2.8 billion, substantially all of which was recorded at KeyBank. Any such write down of goodwill will reduce Key’s earnings, as well. See the “Critical Accounting Policies” section of Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations in this report for additional information.
ITEM 1B. UNRESOLVED STAFF COMMENTS
None.
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management
As a financial services institution, Key faces heightened risk of cybersecurity incidents. Risks and exposures related to cybersecurity incidents are expected to remain high for the foreseeable future due to the rapidly evolving nature and increasing sophistication of cybersecurity threats and geopolitical events, as well as the fact that threat actors frequently target technologies and systems commonly used by us and our clients. In addition, our use of emerging technology-based products and services, including cloud computing and artificial intelligence, may introduce new and evolving cybersecurity risks and may create additional avenues for exploitation by threat actors. To date, Key has not experienced material disruption to our operations, or material harm to our client base, from cyberattacks. However, we have incurred, and may again incur, expenses related to the investigation of cybersecurity incidents involving third-party providers or related to the protection of our clients from identity theft as a result of such incidents. We have also incurred, and may continue to incur, expenses to enhance our systems or processes to protect against cyber or other security incidents. For more information, see “Risk Factors—We and third parties on which we rely (including their downstream service providers) may experience a cyberattack, technology failure, information system or security breach or interruption” in Item 1A. Risk Factors of this report.
clients, employees, third parties, and assets from threats by managing the confidentiality, availability, and integrity of
Executive, oversees the IS Program and its related policy and has overall responsibility for managing the appropriate identification and ownership of cybersecurity risks. Key’s Corporate Information Security Team, under the oversight of the CISO, is responsible for maintaining the IS Program, assessing program-level risks and threats to our information assets, and overseeing the proper level of investment in security resources.
The IS Program is designed to provide safeguards for Key’s assets through a series of administrative, technical, and physical controls. Key employs a variety of security practices and controls to protect information and assets, including, but not limited to, access controls, vulnerability scans, network monitoring, internal and external penetration testing, monitoring of vendor vulnerability notices and patch releases, firewalls and intrusion detection and prevention systems, and dedicated security personnel.
As described in more detail in “Risk Management — Overview” in Item 7 of this report and in “Cybersecurity Governance” below, Key employs the “Three Lines of Defense” in its risk governance framework. Assessing, identifying, and managing cybersecurity risk across the organization in support of the IS Program is a cross-functional effort that requires collaboration and direction from all lines of defense – the lines of business and support functions (First Line of Defense), Risk Management (Second Line of Defense), and Key’s Internal Audit (IA) function (Third Line of Defense):
•First Line of Defense – Lines of Business and Support Functions. Primary responsibility for day-to-day management of cybersecurity risk lies with the senior management of each of Key’s lines of business (LOB) and support functions. The LOB and support functions own and manage the individual processes and procedures that are used throughout the IS Program, implement and manage business-specific security controls, and enforce behavioral controls throughout the management structure.
•Second Line of Defense – Risk Management. Risk Management oversees risk and monitors the First Line of Defense controls. Operational Risk Management performs review and challenge of controls, monitors the operational and technology risk profiles, and ensures Key operates within its operational and technology risk appetite. Compliance Risk Management provides an independent, enterprise-wide function that focuses on compliance with laws, rules, regulations, and guidance applicable to Key. Privacy Compliance, which sits within Compliance Risk Management, provides advisory support, governance, and oversight of privacy-related statutes, regulations, and risks related to Key’s customers, employees, and other individuals from whom Key collects personally identifiable information.
•Third Line of Defense – Internal Audit (IA). IA reviews and evaluates the scope and breadth of security activities throughout Key and the effectiveness of the IS Program. IA conducts independent internal audits on Key’s LOBs, operations, information systems, and technologies. These internal audits provide an independent perspective on Key’s processes and risks. Technology risks are evaluated in areas including cybersecurity and information security, data control, acquisition and development, delivery and support, business continuity, and information technology governance. IA shares the results of its audits with the LOB management, Key’s Operational and Compliance Risk Management Groups, the Board’s Audit Committee, and banking regulators.
As part of its cybersecurity risk management strategy, Key regularly reviews its security and privacy controls in the context of industry standard practices, frameworks, evolving laws, and changing client expectations. Annually, we benchmark ourselves against industry-leading frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework and the Cyber Risk Institute Profile. We also engage external providers periodically to perform a maturity assessment of the IS Program against industry cybersecurity frameworks and to perform security posture assessments of our environment to proactively identify weaknesses within our security policy and/or configurations. Summary level results from these assessments are shared with internal stakeholders through Key’s Risk Governance committee structure. Key is also subject to cybersecurity and privacy regulatory exams, as required by law for financial institutions operating in the U.S.
Key has implemented cybersecurity, privacy, and fraud education and awareness programs across the enterprise to educate teammates on how to identify and report cybersecurity and privacy concerns. Employees and contractors with access to assets or data owned or maintained by Key receive mandatory enterprise-wide cybersecurity, privacy, and fraud training on an annual basis. In addition, our management team from time to time participates in cybersecurity tabletop exercises that simulate cybersecurity incidents. These exercises are intended to test our response to potential incidents and assess the procedures outlined in our incident response playbooks.
With respect to third party service providers, Key maintains a third party management program that is designed to identify, review, monitor, escalate, and, if necessary, remediate third party information security risks. Key’s third party onboarding process includes risk-based due diligence and security-relevant contract language. Risk-based due diligence can also include an assessment of the strength of certain control areas, including, but not limited to, information security management, physical security, network security, platform security, application security, cloud security, encryption management, business resiliency, and privacy. Once a business relationship is established with a service provider, Key performs risk-based periodic reviews of the third party service provider's security programs. In addition to an established governance approval process for new engagements, Key has established a Third Party Management Committee to oversee compliance with Key’s Third Party Management Policy and Program.
Cybersecurity Governance
As described in more detail in “Risk Management — Overview” in Item 7 of this report, the Board serves in an oversight capacity to ensure that Key’s risks, including risk from cybersecurity threats, are managed in a manner that is effective and balanced and adds value for our shareholders. The Board’s Risk Committee exercises primary oversight over enterprise-wide risk at Key, including technology risk, which includes (but is not limited to) cybersecurity, business resiliency, and other technology-related risks, and provides oversight of management’s activities related to the same. The Board’s Technology Committee, in consultation with the Risk Committee, provides additional oversight of the technology-related risks listed above, and is expected to escalate to the Risk Committee on certain risk management issues. The Technology Committee also oversees major technology investments supporting Key’s strategic objectives in areas such as cybersecurity, fraud and data, project management, technology strategy, technology innovation, and emerging technology trends. The Board’s Audit Committee also shares in oversight of cybersecurity risk.
Key’s CISO oversees the IS Program and its related policies and is responsible for determining whether relevant security risk information is properly integrated into strategic and business decisions, overseeing the appropriate identification and ownership of security risks, monitoring critical risks, and maintaining the appropriate oversight and governance of information security through associated programs and/or standards. Our CISO has served in various roles in information technology and information security at Key for over 30 years, including serving as Enterprise Security Executive. The CISO holds a B.S.B.A. in Management Information Systems.
annually) and presents the Information Security Policy for Risk Committee approval. In addition, the CISO, together with Key’s Deputy CISO, reports annually to the Technology Committee to seek approval of Key’s Cyber Strategy and Investment Plan. The CISO provides additional updates to the Board and its committees as circumstances warrant.
Key’s Deputy CISO leads the Corporate Information Security function, including Cyber Defense, Identity & Access Management, Information Security Governance and Data Protection, and Security Architecture, Engineering and Platform Operations. The Deputy CISO has over 18 years of cybersecurity and technology risk management experience across financial services and retail, previously served as the Head of Information Security Governance within KeyCorp’s Corporate Information Security group, as well as the Head of Cybersecurity and Technology Risk Oversight within KeyCorp’s Risk Management group. The Deputy CISO holds a bachelor’s degree in Finance and Management Information Systems and an MBA.
The CISO reports to Key’s Chief Information Officer who oversees all of Key’s shared services for technology, operations, data, servicing, cyber and physical security, and corporate real estate solutions. Our Chief Information Officer, who has served in the role since 2012, has extensive experience overseeing technology and operations delivery for critical enterprise functions and has held various leadership roles during her over 30-year career in the financial services industry.
At the management level, our ERM Committee, chaired by the Chief Risk Officer and comprising other senior level executives, including the Chief Information Officer, reports to the Board’s Risk Committee and supports the management of all risks by providing governance, direction, oversight and high-level management of risk. The ERM Committee serves as a senior level forum for review and discussion of material risk issues, including cybersecurity risk. The Operational Risk Committee also reports to the Board’s Risk Committee and provides governance, direction, and oversight of operational risks, including technology risks, and includes senior management representation from the LOB and support areas. The Chief Information Officer is a voting member of the Operational Risk Committee.
The Operational Risk Committee also includes subcommittees, including the Security & Technology Committee (the “SecTec Committee”). The SecTec Committee is responsible for ensuring a cohesive and coordinated approach to security and technology risk management and provides an enterprise-wide perspective of security and technology risk management.
Key also has a Privacy Team led by a Chief Privacy Officer (CPO) who has over ten years of experience in legal, compliance, and risk roles at financial institutions, focusing primarily on data protection and privacy. Our CPO holds an undergraduate degree in finance, a master’s degree in business administration, and a juris doctorate. The CPO is licensed to practice law in the state of Ohio and has obtained the CIPP/US certification through the International Association of Privacy Professionals. The CPO and Privacy team have the authority to escalate privacy risks to the Board. The Privacy and Information Security teams work together to implement controls around how personally identifiable information is managed and protected and to comply with applicable laws and regulations.
Cybersecurity Incidents
When a cybersecurity incident is identified, we follow established processes in our enterprise privacy and cyber incident response plans, which are a supplement to our corporate incident response plan. These plans provide a framework to enable the appropriate personnel to recover operations in the event of a cyberattack and manage incidents impacting banking information, including our clients’ and employees’ information.
Our Core Incident Response Rapid Emergency Assessment and Coordination Team (Core IR REACT) is responsible for responding to incidents, including cyberattacks, performing a preliminary assessment, and engaging additional support team members as necessary. The Core IR REACT team is a multidisciplinary team that is empowered to escalate issues, as appropriate, to our Crisis Management Team (CMT), which includes the CEO and senior executives from Key’s LOB and major support areas. The CMT provides overall strategic direction for incident responses and recovery. Incidents are also reported internally to key stakeholders through Key’s risk governance committee structure.
As discussed above in “Cybersecurity Risk Management,” Internal Audit shares the results of its independent internal audits of security activities at Key and the effectiveness of the IS Program with the line of business management, Key’s Operational and Compliance Risk Management Groups, the Board’s Audit Committee, and banking regulators. Any identified gaps are risk rated, issued a due date for remediation, and tracked through completion of remediation. Remediation is then verified by IA.