Risk Factors - ZION

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

$ZION Risk Factor changes from 00/02/24/22/2022 to 00/02/23/24/2024

ITEM 1A. RISK FACTORSWe generate revenue and grow our businesses by taking prudent and appropriately priced and managed risks. These risks are outlined in our Risk Management Framework. Our Board has established an Audit Committee, a Compensation Committee, a Risk Oversight Committee (“ROC”), and appointed an Enterprise Risk Management Committee (“ERMC”) to oversee and implement the Risk Management Framework. The ERMC is comprised of senior management and is chaired by the Chief Risk Officer. These committees monitor the following risk areas: credit risk, interest rate and market risk; liquidity risk; strategic and business risk; operational risk; technology risk; cybersecurity risk; capital/financial reporting risk; legal/compliance risk (including regulatory risk); and reputational risk, as outlined in our risk taxonomy. In addition to credit risk, these committees also monitor the following risk areas: market and interest rate risk; liquidity risk; strategic and business risk; operational risk; technology risk; cyber risk; capital/financial reporting risk; legal/compliance risk (including regulatory risk); and reputational risk, as outlined in our risk taxonomy. We have developed policies, procedures, and controls designed to address these risks, but there can be no certainty that our actions will be effective to prevent or limit the effects of these risks on our business or performance. Although not comprehensive, risk factors that are material to us are described below.CREDIT RISKCredit quality has adversely affected us in the past and may adversely affect us in the future.Credit RiskCredit quality has adversely affected us in the past and may adversely affect us in the future. Credit risk is one of our most significant risks. Rising interest rates, increased market volatility, or a decline in the strength of the U.S. economy in general or the local economies in which we conduct operations could result in, among other things, deterioration in credit quality and reduced demand for credit, including a resultant adverse effect on the income from our loan and investment portfolios, an increase in charge-offs, and an increase in the allowance for credit losses (“ACL”). economy in general or the local economies in which we conduct operations could result in, among other things, deterioration in credit quality and/or reduced demand for credit, including a resultant adverse effect on the income from our loan and investment portfolios, an increase in charge-offs, and an increase in the allowance for credit losses (“ACL”). We have concentration of risk from counterparties and risk in our loan portfolio, including, but not limited to, loans secured by real estate, oil and gas-related lending, and leveraged and enterprise value lending, which may have unique risk characteristics that may adversely affect our results.We have concentrations of risk in our loan portfolio, including loans secured by real estate, oil and gas-related lending, and leveraged and enterprise value lending, which may have unique risk characteristics that may adversely affect our results. Concentrations of risk from counterparties could adversely affect us, and risk across our loan and investment securities portfolios could pose significant additional credit risk to us due to similar exposures between the two asset types. Concentrations with counterparties on derivative or securities financing transactions could pose additional credit risk.We engage in commercial real estate (“CRE”) term and construction lending, primarily in our Western states footprint.We engage in commercial real estate (“CRE”) term and construction and land acquisition and development lending, primarily in our Western states footprint. Certain CRE collateral types, particularly office CRE, continue to experience increased vacancy rates, declining property values, and pressures from rising interest rates, which could result in increased delinquencies and defaults. We also engage in oil and gas-related lending, and we provide leveraged and enterprise value loans across our entire footprint. Certain of these loans may be subject to specific risks, including governmental and social responses to environmental issues and climate change, volatility, and potential significant and prolonged declines in 14Table of ContentsZIONS BANCORPORATION, NATIONAL ASSOCIATION AND SUBSIDIARIEScollateral-values and activity levels. Any decline in these portfolios could cause increased credit losses and reduced loan demand, which could adversely affect our business and that of our customers. We may have other unidentified risks in our loan portfolio. We may have other unidentified concentrated or correlated risks in our loan portfolio. Our business is highly correlated to local economic conditions in a specific geographic region of the U.S.We provide a wide range of banking products and related services through our local management teams and unique brands in Arizona, California, Colorado, Idaho, Nevada, New Mexico, Oregon, Texas, Utah, Washington, and Wyoming. At December 31, 2023, loan balances associated with our banking operations in Utah, Idaho, Texas, and California comprised 77%, 69%, and 70% of the commercial, CRE, and consumer lending portfolios, respectively. At December 31, 2021, loan balances associated with our banking operations in Utah/Idaho, Texas, and California comprised 77% of the commercial lending portfolio, 73% of the CRE lending portfolio, and 71% of the consumer lending portfolio. As a result of this geographic concentration, our financial performance depends largely upon economic conditions in these market areas. Accordingly, deterioration in economic conditions, including those caused by climate change or natural disasters, may specifically affect these states, and could result in higher credit losses and significantly affect our consolidated operations and financial results. Accordingly, deterioration in economic conditions, such as that caused by climate change or natural disasters, may specifically affect these states, and could result in higher credit losses and significantly affect our consolidated operations and financial results. For information about our lending exposure to various industries and how we manage credit risk, see “Credit Risk Management” in MD&A on page 54.INTEREST RATE AND MARKET RISKWe could be negatively affected by adverse economic conditions.Adverse economic conditions pose significant risks to our business, including our loan and investment portfolios, capital levels, results of operations, and financial condition.Adverse economic conditions negatively affect our business, including our loan and investment portfolios, capital levels, results of operations, and financial condition. A slowing economy and uncertainty related to inflationary pressures, including related changes in monetary and fiscal policies and actions, rising interest rates, and decreased values of our fixed-rate assets, can increase these risks and lead to lower demand for loans, higher credit losses, and lower fee income, among other negative effects.Failure to effectively manage our interest rate risk could adversely affect our results.Net interest income is the largest component of our revenue. Factors beyond our control can significantly influence the interest rate environment and increase our risk. These factors include changes in the prevailing interest rate environment, competitive pricing pressures for our loans and deposits, adverse shifts in the mix of deposits and other funding sources, and volatile market interest rates resulting from general economic conditions and the policies of governmental and regulatory agencies, in particular the FRB. Most components of our balance sheet are sensitive to rising and falling rates, and mismatches in rate sensitivity between assets and liabilities may result in unanticipated changes in both asset and liability values and related income and expense. Additionally, asset and liability values may be significantly impacted by customer behavior, as customers may choose to withdraw certain deposits or prepay certain loans at any time, which may significantly affect our expected cash flows.For information about how we manage interest rate risk and market risk, see “Interest Rate and Market Risk Management” in MD&A on page 63.For information about how we manage the transition from LIBOR, interest rate risk, and market risk, see “Interest Rate and Market Risk Management” on page 57 in MD&A. LIQUIDITY RISKChanges in levels and sources of liquidity and capital, including the resulting effects of recent events in the banking industry, may limit our operations and potential growth.Our primary source of liquidity is deposits from our customers, which may be impacted by market-related forces such as increased competition for these deposits and a variety of other factors.Our primary source of liquidity is deposits from our customers, which may be impacted by market-related forces and a variety of other events. Deposits across the banking industry have fluctuated in recent quarters in large part due to the increased interest rate environment and prominent bank closures. We, like many other banks, experienced deposit outflows as customers spread deposits among several different banks to maximize their amount of FDIC insurance, moved deposits to institutions offering higher rates or removed deposits from the U.S. financial system entirely. Since the FDIC insurance limit is not inflation-indexed and has not increased since 2008, the percent of our and other regional bank uninsured deposits has steadily increased, and may continue to increase without additional congressional action to increase the FDIC insurance limits.15Table of ContentsZIONS BANCORPORATION, NATIONAL ASSOCIATION AND SUBSIDIARIESAlthough our deposit levels have increased during the latter half of 2023, our cost of funds has also increased, primarily as a result of declining noninterest-bearing deposits, growth in interest-bearing deposits, and a higher interest rate environment. The potential for greater volatility and further increased costs remains, particularly if there is negative news surrounding the banking industry or perceived risks regarding bank safety and soundness. In such an environment, some depositors may be more likely to believe that there is greater safety in maintaining large, uninsured deposits at banks deemed “too big to fail,” which may contribute to further deposit runoff and increased deposit costs of community and regional institutions, including the Bank. If we are unable to continue to fund assets through customer bank deposits or access other funding sources on favorable terms, or if we experience continued increases in borrowing costs or FDIC insurance assessments, or otherwise fail to manage liquidity effectively, our liquidity, operating margins, financial condition, and results of operations may be materially and adversely affected. However, if enacted, some of these proposals could adversely affect us by, among other things: impacting after-tax returns earned by financial services firms in general; limiting our ability to grow; increasing FDIC insurance assessments, taxes or fees on our funding or activities; limiting the range of products and services that we could offer; and requiring us to raise capital at inopportune times. The Federal Reserve’s tightened monetary policy has contributed to a decline in the value of our fixed-rate loans and investment securities that are pledged as collateral to support short-term borrowings. Other economic conditions may also affect (or continue to affect) our liquidity and efforts to manage associated risks. The Federal Home Loan Bank (“FHLB”) system and Federal Reserve have been, and continue to be, a significant source of additional liquidity and funding. Changes in FHLB or Federal Reserve funding programs could adversely affect our liquidity and management of associated risks.We and the holders of our securities could be adversely affected by unfavorable rating actions from rating agencies.Liquidity RiskWe and the holders of our securities could be adversely affected by unfavorable rating actions from rating agencies. We access capital markets to augment our funding. This access is affected by the ratings assigned to us by rating agencies. The rates we pay on our securities are also influenced by, among other things, the credit ratings that we and our securities receive from recognized rating agencies. Ratings downgrades to us or our securities could increase our costs or otherwise have a negative effect on our liquidity position, financial condition, or the market prices of our securities.For information about how we manage liquidity risk, including rating agency actions, see “Liquidity Risk Management” in MD&A on page 67.For information about how we manage liquidity risk, see “Liquidity Risk Management” on page 62 in MD&A. STRATEGIC AND BUSINESS RISKProblems encountered by other financial institutions could adversely affect financial markets generally and have indirect adverse effects on us.The soundness and stability of many financial institutions may be closely interrelated as a result of credit, trading, clearing, or other relationships between the institutions. As a result, concerns about, or a default or threatened default by, one institution could lead to significant market-wide liquidity and credit problems, losses, or defaults by other institutions. This is sometimes referred to as “systemic risk” and may adversely affect financial intermediaries, such as clearing agencies, clearing houses, banks, securities firms, and exchanges, with which we interact on a daily basis, and therefore, could adversely affect us. This phenomenon has been evident in the recent events affecting the banking industry (such as the prominent bank closures), as financial institutions like us have been impacted by concerns regarding the soundness or creditworthiness of other financial institutions or reports of the risk of systemic deterioration in asset classes, such as commercial real estate. This has caused substantial and cascading disruptions within the financial markets and deposits environment, increased expenses, reduced bank fees, and adversely impacted the market price and volatility of our common stock.We may not be able to hire or retain qualified personnel or effectively promote our corporate culture, and recruiting and compensation costs may increase as a result of changes in the workplace, marketplace, economy, and regulatory environment.Our ability to execute our strategy, provide services, and remain competitive may suffer if we are unable to recruit or retain qualified people, or if the costs of employee compensation and benefits increase substantially. Bank regulatory agencies have published regulations and guidance that limit the manner and amount of compensation that banking organizations provide to employees. These regulations and guidance may adversely affect our ability to attract and retain key personnel. Some of these limitations may not apply to institutions with which we compete for 16Table of ContentsZIONS BANCORPORATION, NATIONAL ASSOCIATION AND SUBSIDIARIEStalent, in particular, as we are more frequently competing for personnel with financial technology providers and other entities that may not have the same limitations on compensation as we do. Some of these limitations may not apply to institutions with which we compete for talent, in particular, as we are more frequently competing for personnel with financial technology providers and other entities that may not have the same limitations on compensation as we do. If we were to suffer such adverse effects with respect to our employees, our business, financial condition and results of operations could be adversely or materially affected.Our ability to retain talent may also be adversely affected by changes in the economy and workforce trends, priorities, migration, modes of delivery and other considerations, such as the increased ability of employees to work from anywhere in many industries. This growth in remote work and other changing priorities and benefits has led to an increase in compensation and related expenses and workplace challenges, such as fewer opportunities for face-to-face interactions, training and mentoring new employees, promoting a cohesive corporate culture, and increased competition for experienced labor, especially in high-demand and highly skilled categories. Inflationary pressures have also increased our compensation costs and are likely to continue to do so in the future.We have made, and are continuing to make, significant changes that include, among other things, organizational restructurings, efficiency initiatives, and replacement or upgrades of technology systems to improve our operating efficiency and control environment. The ultimate success and completion of these changes, and their effects on us, may vary significantly from intended results, which could materially adversely affect us. The ultimate success and completion of these changes, and their effects on us, may vary significantly from initial planning, which could materially adversely affect us. We continue to invest in a variety of strategic projects designed to improve our products and services and to simplify how we do business. These initiatives and other significant changes continue to be implemented and are in various stages of completion. These initiatives and other changes continue to be implemented and are in various stages of completion. By their very nature, projections of duration, cost, expected savings, expected efficiencies, and related items are subject to change and significant variability. There can be no certainty that we will achieve the expected benefits or other intended results associated with these projects.We could be adversely affected by our ability to develop, adopt, implement, and deliver technology advancements.Technology RiskWe could be adversely affected by our ability to develop, adopt, and implement technology advancements. Our ability to remain competitive is increasingly dependent upon our ability to maintain critical technological capabilities, and to identify and develop new, value-added products for existing and future customers. These technological competitive pressures arise from both traditional banking and nontraditional sources. Larger banks may have greater resources and economies of scale attendant to maintaining existing capabilities and developing digital and other technologies. Fintechs and other technology platform companies continue to emerge and compete with traditional financial institutions across a wide variety of products and services. Industry experimentation with, and adoption of, artificial intelligence (“AI”), the expansion of blockchain technologies, and digital currencies, including the potential creation and adoption of central bank digital currencies, present similar risks. Our failure to remain technologically competitive could impede our competitive market position and reduce customer satisfaction, product accessibility, and relevance. Our failure to remain technologically competitive could impede our time to market and reduce customer satisfaction, product accessibility, and relevance. OPERATIONAL RISKOur operations could be disrupted by the effects of new and ongoing projects and initiatives.Our operations could be disrupted by the effects of our new and ongoing projects and initiatives. We may encounter significant operational disruptions arising from our numerous projects and initiatives.We may encounter significant operational disruption arising from our numerous projects and initiatives. These may include significant time delays, cost overruns, loss of key people, technological problems, and processing failures. We may also experience operational disruptions due to capacity constraints, service level failures and inadequate performance, and certain replacement costs. We may also experience operational disruptions due to capacity constraints, service level failures and inadequate performance, the level of concentration, replacement costs, and other risks arising from our dependence on third-party vendors. Any or all of these issues could result in disruptions to our systems, processes, control environment, procedures, employees, and customers. The ultimate effect of any significant disruption to our business could subject us to additional regulatory scrutiny or expose us to civil litigation and possible financial liability, any of which could materially affect us, including our control environment, operating efficiency, and results of operations.We could be adversely affected by failure in our internal controls.Because of their inherent limitations, our internal controls may not prevent or detect the risk of operational failures, misstatements in our financial statements, or capital arising from inadequate or failed internal processes or systems, human errors or misconduct, or other adverse external events. A failure in our internal controls could have a 17Table of ContentsZIONS BANCORPORATION, NATIONAL ASSOCIATION AND SUBSIDIARIESsignificant negative impact not only on our earnings, but also on the perception that customers, regulators, and investors may have of us and adversely affect our business and our stock price. A failure in our internal controls could have a significant negative impact not only on our earnings, but also on the perception that customers, regulators, and investors may have of us and adversely affect our business and our stock price. We could be adversely affected by internal and external fraud schemes.Attempts to commit fraud both internally and externally are becoming increasingly more sophisticated and may increase in an adverse economic environment. We have experienced losses in the past as a result of these attempts and schemes and may not be able to identify, prevent, or otherwise mitigate all instances of fraud in the future that have the potential to result in material losses. We have suffered losses in the past as a result of these schemes and will not be able to identify, prevent, or otherwise mitigate all instances of fraud in the future that have the potential to result in material losses. These attempts may go undetected by the systems and procedures that we have in place to monitor our operations.Climate-related and other catastrophic events including, but not limited to, hurricanes, tornadoes, earthquakes, fires, floods, prolonged drought, and pandemics may adversely affect us, our customers, and the general economy, financial and capital markets, and specific industries.Operational RiskCatastrophic events including, but not limited to, hurricanes, tornadoes, earthquakes, fires, floods, prolonged drought, and pandemics may adversely affect us and the general economy, financial and capital markets, and specific industries. The occurrence of pandemics, natural disasters, and other climate-related or catastrophic events could materially and adversely affect our operations and financial results.The occurrence of pandemics, natural disasters, and other catastrophic events could adversely affect our operations. We have significant operations and customers in Utah, Texas, California, and other regions where natural and other disasters have occurred, and are likely to continue to occur. We have significant operations and number of customers in Utah, Texas, California, and other regions where natural and other disasters have and are likely to continue to occur. These regions are known for being vulnerable to natural disasters and other risks, such as hurricanes, tornadoes, earthquakes, fires, floods, prolonged droughts, and other weather-related events, some of which may be exacerbated by climate change and become more frequent and intense. These regions are known for being vulnerable to natural disasters and other risks, such as hurricanes, tornadoes, earthquakes, fires, floods, prolonged droughts, and other weather-related events, which may become more frequent and intense. These types of catastrophic events at times have posed physical risks to our property and have disrupted the local economy, our business, and customers, including decreased access to insurance and other services. These types of catastrophic events at times have disrupted the local economy, our business and customers, and have posed physical risks to our property. In addition, catastrophic events occurring in other regions of the world may have an impact on us and our customers.We use models in the management of the Bank. There is risk that these models are inaccurate in various ways, which may cause us to make suboptimal decisions. There is risk that these models are inaccurate in various ways, which can cause us to make suboptimal decisions. We rely on models in the management of the Bank. For example, we use models to inform our estimate of the allowance for credit losses, to manage interest rate and liquidity risk, to project stress losses in various segments of our loan and investment portfolios, and to project net revenue under stress. Models are inherently imperfect and cannot perfectly predict outcomes. Models are inherently imperfect for a number of reasons and cannot perfectly predict outcomes. Management decisions that are largely informed by such models, therefore, may be suboptimal. Management decisions based in part on such models, therefore, may be suboptimal. For example, with the recent prominent bank closures during the first half of 2023, customer deposit behavior deviated from modeled behaviors, and as a result, we redeveloped our deposit models, which are currently used by management. For more information about our deposit models, see “Interest Rate and Market Risk Management” in MD&A on page 63.We outsource various operations to third-party vendors, which could adversely impact our business and operational performance.We rely on various vendors to perform operational activities to conduct our business. Although there are benefits in entering into these relationships, there are risks associated with such activities. Our operational controls and third-party management programs may not provide adequate oversight and control. Our operational controls and third-party management programs may not provide adequate oversight and control, and inadequate performance by third parties can adversely affect our ability to deliver products and services to our customers and conduct our business. Inadequate performance by third parties can adversely affect our ability to deliver products and services to our customers and conduct our business. Replacing or finding alternatives for vendors who do not perform adequately can be difficult and costly, and may also adversely impact our customers and other operations, particularly when circumstances require us to make changes under tight time constraints. Many of our vendors have experienced adverse effects upon their operations, supply chains, personnel, and businesses arising from inflationary pressures, wars and geopolitical conflicts, cyber vulnerabilities, and other events, all of which can impact our operations as well.For information about how we manage operational risk, see “Operational, Technology, and Cybersecurity Risk Management” in MD&A on page 70.For information about how we manage operational risk, see “Operational, Technology, and Cyber Risk Management” on page 65 in MD&A. 18Table of ContentsZIONS BANCORPORATION, NATIONAL ASSOCIATION AND SUBSIDIARIESTECHNOLOGY RISKWe could be adversely impacted by system vulnerabilities, failures, or outages impacting operations and customer services such as online and mobile banking.We rely on various information technology systems that work together in supporting internal operations and customer services.We rely on hundreds of information technology systems that work together in supporting internal operations and customer services. Vulnerabilities in, or a failure or outage of, one or many of these systems could impact the ability to perform internal operations and provide services to customers, such as online banking, mobile banking, remote deposit capture, treasury and payment services, and other services dependent on system processing. Vulnerabilities in, or a failure or outage of, one or many of these systems could impact the ability to perform internal operations and provide services to customers such as online banking, mobile banking, remote deposit capture, and other services dependent on system processing. These risks increase as systems and software approach the end of their useful life or require more frequent updates and modifications. We cannot guarantee that such occurrences will not have a significant operational or customer impact.For information regarding risks associated with the replacement or upgrades of our core technology systems, see “Strategic and Business Risk” in Risk Factors on page 16. For information about how we manage technology risk, see “Operational, Technology, and Cybersecurity Risk Management” in MD&A on page 70. For information about how we manage technology risk, see “Operational, Technology, and Cyber Risk Management” on page 65 in MD&A. CYBERSECURITY RISKWe are subject to a variety of information system failure and cybersecurity risks that could adversely affect our business and financial performance.We rely heavily on communications and information systems to conduct our business. We process and maintain on our systems certain information that is confidential, proprietary, personal, or otherwise sensitive, including financial and other confidential business information. We, our customers, and other financial institutions with which we interact, are subject to ongoing, continuous attempts by threat actors, such as organized cybercrime, hackers, and state-sponsored organizations to penetrate key systems. We, our customers, and other financial institutions with which we interact, are subject to ongoing, continuous attempts to penetrate key systems by individual hackers, organized criminals, and in some cases, state-sponsored organizations. Information security risks for us and other large financial institutions have increased significantly in recent years, in part because of the proliferation of new technologies, the ubiquity of internet connections, and the increased sophistication and activities of threat actors. The types of attacks these threat actors may use include, but are not limited to: exploiting customer or system vulnerabilities or misconfigurations, deceiving employees through email phishing or social engineering, and compromising any of our suppliers.Third parties, including our suppliers and their subcontractors, also present operational and information security risks to us, including security incidents or failures of their own systems and downstream systems. In incidents involving third parties, we may not be informed promptly of any effect on our services or our data, or be able to participate in any related investigation, notification, or remediation that occurs. In incidents involving third parties, we may not be informed timely of any effect on our services or our data, or be able to participate in any investigation, notification, or remediation that occurs as a result. The possibility of third-party or employee error, failure to follow security procedures, or malfeasance also presents these risks.As cybersecurity threats continue to evolve, we will be required to expend additional resources to continue to modify or enhance our defenses or to investigate or remediate any information security vulnerabilities.As cyber threats continue to evolve, we will be required to expend significant additional resources to continue to modify or enhance our layers of defense or to investigate or remediate any information security vulnerabilities. We, and our third-party suppliers, have experienced cybersecurity incidents in the past that have not had material impact to our data, customers, or operations, but there can be no assurance that any such failure, interruption, or significant security breach will not occur in the future, or, if any future occurrences will be adequately addressed. We, and our third-party vendors, have experienced security breaches due to cyberattacks in the past that have not had material impact to our data, customers, or operations, but there can be no assurance that any such failure, interruption, or significant security breach will not occur in the future, or, if any future occurrences will be adequately addressed. It is impossible to determine the severity or potential effects of these incidents with any certainty. It is impossible to determine the severity or potential effects of these events with any certainty, but any such breach could result in material adverse consequences for us and our customers. System enhancements and updates may also create risks associated with implementing new systems and integrating them with existing ones. Due to the complexity and interconnectedness of information technology systems, the process of enhancing our defenses itself can create a risk of systems disruptions and security issues. Due to the complexity and interconnectedness of information technology systems, the process of enhancing our layers of defense can itself create a risk of systems disruptions and security issues. We may face additional risks to the extent our hardware and software providers are unable to deliver patches and updates to mitigate vulnerabilities or we are unable to implement patches in a timely manner, particularly when a vulnerability is being actively exploited by threat actors. The ability of our hardware and software providers to deliver patches and updates to mitigate vulnerabilities and our ability to implement them in a timely manner can introduce additional risks, particularly when a vulnerability is being actively exploited by threat actors. We have devoted and will continue to devote significant resources to the security of our computer systems, but they may still be vulnerable to these threats and our efforts may subsequently be deemed to have been inadequate by regulators or courts. The occurrence of any failure, interruption or security incident to our information systems or those of our third-party suppliers could interfere with or disrupt our 19Table of ContentsZIONS BANCORPORATION, NATIONAL ASSOCIATION AND SUBSIDIARIESoperations and services, damage our reputation, result in a loss of customer business, subject us to additional regulatory scrutiny, expose us to civil litigation and financial liability, or otherwise result in material adverse consequences on us.For information about how we manage cybersecurity risk, see Part I, Item 1C. Cybersecurity on page 24.CAPITAL/FINANCIAL REPORTING RISKInternal stress testing and capital management, as well as provisions of the National Bank Act and OCC regulations, may limit our ability to increase dividends, repurchase shares of our stock, and access the capital markets.We utilize stress testing as an important mechanism to inform our decisions on the appropriate level of capital, based upon actual and hypothetically stressed economic conditions. The stress testing and other applicable regulatory requirements may, among other things, require us to increase our capital levels, limit our dividends or other capital distributions to shareholders, modify our business strategies, or decrease our exposure to various asset classes. Under the National Bank Act and OCC regulations, certain capital transactions, including share repurchases, are subject to the approval of the OCC.Under the National Bank Act and OCC regulations, certain capital transactions, including share repurchases, are subject to the approval of the OCC. These requirements may limit our ability to respond to and take advantage of market developments.Regulatory requirements, economic and other circumstances may require us to raise capital at times or in amounts that are unfavorable to us.We maintain certain risk-based and leverage capital ratios, as required by our banking regulators, which can change depending upon general economic conditions, as well as the particular conditions, risk profiles, and our growth plans.We must maintain certain risk-based and leverage capital ratios, as required by our banking regulators, which can change depending upon general economic conditions, as well as the particular conditions, risk profiles, and our growth plans. Compliance with capital requirements may limit our ability to expand and has required, and may require, us to raise additional capital or retain earnings that could otherwise be distributed to shareholders. Compliance with capital requirements may limit our ability to expand and has required, and may require, us to raise additional capital. These uncertainties and risks, including those created by legislative and regulatory change and uncertainties, such as recent regulatory proposals that would significantly revise the capital requirements and expand long-term debt requirements applicable to large banking organizations, may increase our cost of capital and other financing costs. For more information about these regulatory proposals, see “Recent Regulatory Developments” in Supervision and Regulation on page 8.We could be adversely affected by accounting, financial reporting, and regulatory compliance risk.We could be adversely affected by failure in our internal controls. We are exposed to accounting, financial reporting, and regulatory compliance risk. Significant estimates, judgments, and interpretations of complex and changing accounting and regulatory policies are required to properly account for the products and services we provide to our customers. Estimates, judgments, and interpretations of complex and changing accounting and regulatory policies are required in order to provide and account for these products and services. Changes in our accounting policies or accounting standards could materially affect how we report our financial results and conditions. Changes in our accounting policies or in accounting standards could materially affect how we report our financial results and conditions. The level of regulatory compliance oversight continues to be heightened. Identification, interpretation, and implementation of complex and changing accounting standards, as well as compliance with regulatory requirements, pose an ongoing risk. Therefore, identification, interpretation, and implementation of complex and changing accounting standards, as well as compliance with regulatory requirements, pose an ongoing risk. The value of our goodwill may decline in the future.If the fair value of a reporting unit is determined to be less than its carrying value, we may have to take a charge related to the impairment of our goodwill. If the fair value of a reporting unit is determined to be less than its carrying value, we may have to take a charge related to the impairment of our goodwill. Such a charge could result from, among other factors, weakening in the economic environment, a decline in the performance of the reporting unit, or new legislative or regulatory changes not anticipated in management’s expectations.We may not be able to fully realize our deferred tax assets, which could adversely affect our operating results and financial performance.At December 31, 2023, we had a net deferred tax asset of $1.0 billion. The accounting treatment for realization of deferred tax assets is complex and requires judgment. Our ability to fully realize our deferred tax asset could be reduced in the future if our estimates of future taxable income from our operations, future reversals of existing deferred tax liabilities (“DTLs”), or tax planning strategies do not support the realization of our deferred tax asset. 20Table of ContentsZIONS BANCORPORATION, NATIONAL ASSOCIATION AND SUBSIDIARIESChanges in applicable tax laws, regulations, macroeconomic conditions, or market conditions may adversely affect our financial results, and there can be no assurance that we will be able to fully realize our deferred tax assets.For information about how we manage capital, see “Capital Management” in MD&A on page 72.LEGAL/COMPLIANCE RISKLaws and regulations applicable to us and the financial services industry impose significant limitations on our business activities and subject us to increased regulation and additional costs.Legal/Compliance RiskLaws and regulations applicable to us and the financial services industry impose significant limitations on our business activities and subject us to increased regulation and additional costs. We, and the entire financial services industry, have incurred, and will continue to incur, substantial costs related to personnel, systems, consulting, and other activities in order to comply with banking regulations. See “Supervision and Regulation” on page 7 for further information about the regulations applicable to us and the financial services industry generally.Regulators, the U.S. Congress, state legislatures, and other governing or consultative bodies continue to enact rules, laws, and policies to regulate the financial services industry and public companies, including laws that are designed to promote, protect, or penalize certain activities or industries and their access to financial services. We are, and may in the future become, subject to these laws by offering our products and services to certain industries or in certain locations. The nature of these laws and regulations and their effect on our future business and performance cannot be predicted.There can be no assurance that any or all of these regulatory changes or actions will ultimately be enacted. However, if enacted, some of these proposals could adversely affect us by, among other things: impacting after-tax returns earned by financial services firms in general; limiting our ability to grow; increasing FDIC insurance assessments, taxes or fees on our funding or activities; limiting the range of products and services that we could offer; and requiring us to raise capital at inopportune times.Political developments may also result in substantial changes in tax, international trade, immigration, and other policies. The extent and timing of any such changes are uncertain, as are the potential direct and indirect impacts, whether beneficial or adverse. Regulations and laws may be modified or repealed, and new legislation may be enacted that will affect us and our subsidiaries. The ultimate impact of these proposals cannot be predicted as it is unclear which, if any, may be enacted.The ultimate impact of these proposals cannot be predicted as it is unclear which, if any, may be enacted. Tax laws, regulations, and case law may change due to legislative, administrative, and judicial changes that could adversely impact our business and financial performance.We are subject to the income tax laws of the U.S., its states, and other jurisdictions where we conduct business. These laws are complex and subject to different interpretations by the taxpayer and the various taxing authorities. In determining the provision for income taxes, management makes judgments and estimates about the application of these inherently complex laws, related regulations, and case law. In the process of preparing our tax returns, management attempts to make reasonable interpretations of the tax laws. These interpretations are subject to challenge by the tax authorities upon audit or to reinterpretation based on management’s ongoing assessment of facts and evolving case law. Changes in tax laws, regulations, or case law may result in an adverse impact to our effective tax rate, tax obligations, and financial results. Additionally, challenges made by tax authorities during an audit may result in adjustments to our tax return filings, resulting in similar adverse impacts to our financial position.We could be adversely affected by legal and governmental proceedings.We are subject to risks associated with legal claims, litigation, and regulatory and other government proceedings. Our exposure to these proceedings may increase as a result of stresses on customers, counterparties, and others arising from the past or current economic environments, more frequent claims and actions resulting from fraud schemes perpetrated by or involving our customers, new regulations promulgated under recently enacted statutes, the creation of new examination and enforcement bodies, and enforcement and legal actions against banking organizations. Our exposure to these proceedings has increased and may further increase as a result of stresses on customers, counterparties, and others arising from the past or current economic environments, more frequent claims and actions resulting from fraud schemes perpetrated by or involving our customers, new regulations promulgated under recently enacted statutes, the creation of new examination and enforcement bodies, and enforcement and legal 18Table of ContentsZIONS BANCORPORATION, NATIONAL ASSOCIATIONactions against banking organizations. Any such matters may result in material adverse consequences to our results of operations, financial 21Table of ContentsZIONS BANCORPORATION, NATIONAL ASSOCIATION AND SUBSIDIARIEScondition or ability to conduct our business, including adverse judgments, settlements, fines, penalties (e. Any such matters may result in material adverse consequences to our results of operations, financial condition or ability to conduct our business, including adverse judgments, settlements, fines, penalties (e. g., civil money penalties under applicable banking laws), injunctions, restrictions on our business activities, or other relief. We maintain insurance coverage to mitigate the financial risk of defense costs, settlements, and awards, but the coverage is subject to deductibles and limits of coverage. Our involvement in any such matters, even if the matters are ultimately determined in our favor, could also cause significant harm to our reputation and divert management attention from the operation of our business. In general, the amounts paid by financial institutions in settlement of proceedings or investigations, have been increasing dramatically. This has affected and will continue to adversely affect (1) our ability to obtain insurance coverage for certain claims, (2) our deductible levels, and (3) the cost of premiums associated with our coverage. This has affected and will continue to adversely affect our ability to obtain insurance coverage for certain claims and significantly increase our deductibles and premiums associated with the coverage. Consequently, our financial results are subject to greater risk of adverse outcomes from legal claims.Due to the difficulty in predicting the timing of, and damages or penalties associated with, the resolution of legal claims, it is possible that adverse financial impacts from litigation could occur sporadically and could be significant. In addition, any enforcement matters could impact our supervisory and CRA ratings, which may restrict or limit our activities.The corporate and securities laws applicable to us are not as well-developed as those applicable to a state-chartered corporation, which may impact our ability to effect corporate transactions in an efficient and optimal manner.Our corporate affairs are governed by the National Bank Act, and related regulations are administered by the OCC. As to securities laws, the OCC maintains its own securities offering framework applicable to national banks and their securities offerings, and our compliance with the Exchange Act is governed and enforced by the OCC.State corporate codes, including that of Utah, are widely recognized, updated by legislative action from time-to-time, and may be based on and influenced by model statutes.State corporate codes, including that of Utah, are widely recognized, updated by legislative action from time-to-time, and are often based on and influenced by model statutes. The federal securities law regime established by the Securities Act and the Exchange Act and the SEC’s extensive and well-developed framework thereunder are widely used by public companies. The OCC’s statutory and regulatory frameworks have been used by publicly traded banking organizations relatively rarely and are not as well-developed as the corporate and securities law frameworks applicable to other public corporations. The OCC statutory and regulatory frameworks have been used by publicly-traded banking organizations relatively rarely and are not as well-developed as the corporate and securities law frameworks applicable to other public corporations. While certain specific risks associated with operating under these frameworks are described below, unless and until these frameworks are further developed and established over time, the uncertainty of how these frameworks might apply to any given corporate or securities matters may prevent us from effecting transactions in an efficient and optimal manner or perhaps at all.Differences between the National Bank Act and state law requirements regarding mergers could hinder our ability to execute acquisitions as efficiently and advantageously as bank holding companies or other financial institutions.Unlike state corporate law, the National Bank Act requires shareholder approval of all mergers between a national bank and another national or state bank and does not allow for exceptions in the case of various “minor” mergers, such as a parent company’s merger with a subsidiary or an acquirer’s merger with an unaffiliated entity in which the shares issued by the acquirer do not exceed a designated percentage. The National Bank Act and related regulations may also complicate the structuring of certain nonbank acquisitions.These differences could adversely affect the ability of the Bank and other banks registered under the National Bank Act to efficiently consummate acquisition transactions. In addition, such differences could make us less competitive as a potential acquirer in certain circumstances given that our acquisition proposal may be conditioned on shareholder approval while our competitors’ proposals will not have such a condition.We are subject to restrictions on permissible activities that would limit the types of business we may conduct and that may make acquisitions of other financial companies more challenging.Under applicable laws and regulations, bank holding companies and banks are generally limited to business activities and investments that are related to banking or are financial in nature. The range of permissible financial activities is set forth in the Gramm-Leach-Bliley Act and is more limited for banks than for bank holding company organizations. The differences relate mainly to insurance underwriting (but not insurance agency activities) and 22Table of ContentsZIONS BANCORPORATION, NATIONAL ASSOCIATION AND SUBSIDIARIESmerchant banking (but not broker-dealer and investment advisory activities). The differences relate mainly to insurance underwriting (but not insurance agency activities) and merchant banking (but not broker-dealer and investment advisory activities). The fact that we do not have a bank holding company could make future acquisitions of financial institutions with such operations more challenging.REPUTATIONAL RISKWe are presented with various reputational risk issues that could stem from operational, regulatory, compliance, and legal risks.Any of the aforementioned risks may give rise to adverse publicity and other expressions of negative public opinion, increased regulatory scrutiny, and damaged relationships among other reputational risks.OTHER RISKSThe Russian invasion of Ukraine, the conflicts in the Middle East, other geopolitical conflicts, and retaliatory measures imposed by the U.S. and other countries, including the responses to such measures, may cause significant disruptions to domestic and foreign economies and markets.The Russia-Ukraine war and the conflicts in the Middle East, along with other geopolitical conflicts, have created new risks for global markets, trade, economic conditions, cybersecurity, and similar concerns. For example, these conflicts could affect the availability and price of commodities and products, adversely affecting supply chains and increasing inflationary pressures; the value of currencies, interest rates, and other components of financial markets; and lead to increased risks of events such as cyberattacks that could result in severe costs and disruptions to governmental entities and companies and their operations. The impact of these conflicts and retaliatory measures is continually evolving and cannot be predicted with certainty. It is likely that these conflicts will continue to affect the global political order and global and domestic markets for a substantial period of time, regardless of when these conflicts end.While these events have not materially interrupted our operations, these or future developments resulting from these conflicts, such as cyberattacks on the U.S., the Bank, our customers, or our suppliers, could make it difficult to conduct business.Sustainability-related risk developments could lead or require us to restrict or modify some of our business activities.Expectations of investors and regulators could, over time, lead us to restrict or modify some of our business practices.ESG expectations of investors and regulators could, over time, lead us to restrict or modify some of our business practices. In addition, our business practices could be adversely affected by laws and regulations enacted or promulgated by federal, state, and local governments that relate to environmental and social issues. For example, in 2022 and 2023, certain states passed, or considered passing, laws prohibiting financial institutions from restricting the services that they provide to certain types of businesses if the institutions also conduct business with governmental entities in such states. Depending on how these laws are worded and implemented, they could adversely affect our ability to manage risk. These laws and rules related to environmental and social issues may include provisions that conflict with other state and federal regulations and may increase our costs or limit our ability to conduct business in certain jurisdictions.Heightened regulatory and social focus on climate change may place additional requirements on public companies, including financial institutions, regarding the measurement, management, and disclosure of climate-related risks and associated lending and investment activities. For example, the state of California recently passed sweeping climate-related disclosure laws that will require large entities doing business in the state, including the Bank, to measure and disclose greenhouse gas emissions and report on their climate-related risks. These new laws, which will require initial disclosures as early as 2026, impose disclosure obligations on companies that in certain respects exceed those previously proposed by the SEC. These new laws may result in higher regulatory, compliance, credit, and reputational risks and costs. In addition, the transition to a lower-carbon economy could subject us to other risks, such as through our customers’ exposure to volatility in commodity prices, increased insurance costs or inability to access insurance, and changes in the market for carbon-related products and services.23Table of ContentsZIONS BANCORPORATION, NATIONAL ASSOCIATION AND SUBSIDIARIESProtracted congressional negotiations and political stalemates in Washington, D.C. regarding government funding and other issues may introduce additional volatility in the U.S. economy including capital and credit markets and the banking industry in particular.The U.S. government is currently funded through early March 2024 as a result of a series of continuing resolutions that provide short-term appropriations. Democrat and Republican lawmakers are at a stalemate, and efforts to pass spending bills for long-term government funding have been complicated, increasing the risk of an eventual government shutdown. Any such shutdown may result in further U.S. credit rating downgrades or defaults, and may introduce additional volatility in the U.S. economy, including capital and credit markets and the banking industry in particular; cause disruptions in the financial markets; impact interest rates; and result in other potential unforeseen consequences. In any such event, the Bank’s liquidity, operating margins, financial condition, and results of operations may be materially and adversely affected.ITEM 1B. UNRESOLVED STAFF COMMENTSThere are no unresolved written comments that were received from SEC or OCC staff 180 days or more before the end of our fiscal year relating to our periodic or current reports filed under the Exchange Act. UNRESOLVED STAFF COMMENTSThere are no unresolved written comments that were received from the SEC’s or OCC’s staff 180 days or more before the end of our fiscal year relating to our periodic or current reports filed under the Securities Exchange Act of 1934. ITEM 1C.ITEM 1A. CYBERSECURITYCybersecurity risk is the risk of adverse impacts to the confidentiality, integrity, and availability of data owned, stored, or processed by the Bank or the accompanying information systems. The number and sophistication of attempts to disrupt or penetrate our systems, and those of our suppliers — sometimes referred to as hacking, cybersecurity fraud, cyberattacks, or other similar names — continues to grow.Cybersecurity risk is overseen by the Board and the Bank’s multiple lines of defense, including front-line bankers and operations teams, Enterprise Risk Management (“ERM”), and internal audit. Information security risk is managed in accordance with an established ERM framework, which includes elements such as key risk indicators, enterprise standards, controls, and self-assessments that comply with established ERM policies. These elements are regularly assessed, measured, and reported to Board-level and Bank senior management-level risk committees, and those committees review such reports.As set forth in its charter, the ROC has the responsibility to review reports from management relating to enterprise-wide risk management efforts, including cybersecurity risks. As part of that oversight, the ROC performs an annual review and approval of information security policies and programs, and receives regular updates on key risk indicators, threat trends, risk remediation activities, and operational events. The ROC periodically provides reports regarding this oversight to the Board. Management uses multiple real-time and interval-based monitoring and reporting mechanisms to detect and respond to cybersecurity incidents. Documented escalation procedures are tested regularly as part of tabletop exercises and other activities and include notification to executive management during qualifying cybersecurity incidents.Management positions directly responsible for assessing, measuring, and managing cybersecurity risks include the Chief Information Security Officer (“CISO”) and the Chief Technology and Operations Officer (“CTOO”). The current CISO has more than 20 years of technology leadership experience, including a significant period directly leading cybersecurity efforts, and holds multiple industry certifications. The CTOO has more than 25 years of audit, risk, operations, and technology leadership experience, including prior assignments as the Bank’s Chief Audit Executive and Director of Bank Operations. The CISO and CTOO regularly report information about cybersecurity risks to the Board or a committee of the Board.We engage multiple independent third parties or cyber experts to assess information security programs and practices, including, but not limited to, framework maturity assessments, blind penetration testing, technology health checks, cyber skill and staffing assessments, externally facilitated tabletop exercises, external cyber legal counsel briefings, and strategic assessments. Findings from these assessments are regularly reviewed with management and the ROC. Additionally, we participate in various cybersecurity industry forums and have access to law enforcement analysis regarding current threats.24Table of ContentsZIONS BANCORPORATION, NATIONAL ASSOCIATION AND SUBSIDIARIESOur supply chain risk management practices include risk assessments of suppliers, including with respect to cybersecurity. We monitor our suppliers using commercially available services that provide real-time security scoring of supplier technology services, threat intelligence, financial intelligence, geopolitical risk intelligence, and other considerations related to cybersecurity. Reviews are also regularly performed to monitor changes in suppliers’ cybersecurity risk posture. Continuous threat intelligence monitoring is also performed to identify potential cybersecurity incidents involving third parties. We strive to negotiate appropriate provisions with respect to cybersecurity in our contracts with suppliers.When a cybersecurity incident occurs, whether detected internally or from third-party cybersecurity incidents, we evaluate the incident for criticality and potential materiality and disclosure across a range of contributing indicators, including service availability, impact to operations, reputational impact, regulatory and legal considerations, data sensitivity, and direct financial impact. The potential impact of the incident, individually or in aggregate, is evaluated by the CISO continuously across these criteria. We have escalation procedures to notify members of senior and executive management, the Board (or an applicable subset), and regulators in a timely manner based on the criticality and materiality of the cybersecurity incident.To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations, or financial condition. At December 31, 2023, management has assessed known cybersecurity incidents for potential materiality and disclosure using formal documented processes and has determined that there have been no material cybersecurity incidents, individually or in aggregate. We may nevertheless be unsuccessful in the future in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us.For additional discussion regarding cybersecurity risks, see “Cybersecurity Risk” in Risk Factors on page 19..