Citigroup Inc.: 10-K Risk Factor Changes

2026 vs 2025  ·  SEC EDGAR  ·  2026-07-05
✓ Deterministic extraction — no AI-generated data

Classification is based on semantic text similarity scoring and may include approximations. “No match” means no high-confidence textual match was found — not necessarily that a section was removed.

11 New Risks  ·  22 Removed  ·  69 Modified  ·  30 Unchanged

🟢 New in Current Filing  ·  Severity 10/10  ·  Det 10

The Development and Use of AI by Citi and Others Present Risks to Citi’s Businesses.


Citi has used AI and machine learning tools for many years and has more recently begun to broadly deploy Generative AI, including within its technology platforms and services. In the future, Citi expects to more broadly integrate Generative AI tools within its systems, businesses and functions, including advanced AI capabilities, such as autonomous agents and sophisticated user interactions, which if improperly managed, could result in increased risks and costs. While Citi has policies that govern the use of emerging technologies, including in model risk management, ineffective, inadequate or faulty Generative AI development or deployment practices by Citi or third parties, including insufficient testing and monitoring, poorly structured or manipulated prompts or insufficient or inadequate human oversight, could result in adverse consequences, such as AI algorithms that produce inaccurate or incomplete output or output based on biased, incomplete and/or inaccurate datasets, infringe on intellectual property rights of others, involve data exfiltration risks, including release of confidential or proprietary information, or cause other issues, concerns or deficiencies. The complexity of AI models, particularly Generative AI models, can make it challenging to understand why particular outputs are generated, which can increase the risk of erroneous and/or biased output and complying with regulations requiring documentation, explainability or auditability on the basis of AI-influenced decisions. Citi may also rely on AI models developed by third parties and be exposed to risks arising from their development and training methods, including potential inclusion of unauthorized material in the training data or limitations in their risk mitigation strategies, over which Citi may have limited visibility or control (see also the operational processes and systems risk factor below). 
While Citi may provide restrictions on use of certain data in third-party AI applications or models, a third party could breach those terms, which could expose Citi to legal and reputational risks. Citi is also exposed to risks related to the use of AI technologies by counterparties, clients and vendors, where interconnected AI systems could amplify failures and threats of cyber infiltration, as well as cause widespread disruptions. Moreover, the use of increasingly sophisticated AI technologies by malicious actors and others has increased the risk of fraud, including identity theft and bypassing of verification controls, and exposure to cyberattacks (see the cybersecurity risk factor below), as well as disinformation and market manipulation campaigns, and failure to effectively manage such risks could result in misappropriation of funds, unauthorized transactions, exposure of sensitive client or Company information, reputational harm and increased litigation and regulatory risk. Citi also faces competition risks to the extent that competitors may be faster and more successful in developing and deploying AI technologies to improve processes, productivity, efficiency, products and services, and thereby gain competitive advantages over Citi (see the competition risk factor above). In addition, compliance with new or changing laws, regulations or industry standards relating to AI may impose additional operational risks and costs. Failure to sufficiently manage these risks could expose Citi to adverse legal, regulatory or reputational consequences.

OPERATIONAL RISKS

A Disruption or Failure of Citi’s Operational Processes or Systems Could Negatively Impact Its Reputation, Customers, Clients, Businesses or Results of Operations and Financial Condition.

Citi’s global operations rely heavily on its technology systems and infrastructure, including the accurate, complete, timely and secure processing, management, storage and transmission of data, including confidential transactions, and other information, as well as the monitoring of a substantial amount of data and complex transactions in real time. Citi obtains and stores an extensive amount of personal and client-specific information for its consumer and institutional customers and clients, and must accurately record and reflect their account transactions. With the proliferation of emerging technologies, including AI and digital assets, and the use of the internet, mobile devices and cloud services to conduct financial transactions, and customers’ and clients’ increasing use of online banking and trading systems and other platforms, large global financial institutions such as Citi have been, and will continue to be, subject to an ever-increasing risk of operational loss, failure or disruption. For example, Citi’s involvement in digital assets, including custody, asset tokenization and facilitation of clients’ digital assets activities, exposes Citi to increased operational risks due to the unique technological requirements for securing these assets.

Although Citi has continued to upgrade its technology, including systems to automate processes and gain efficiencies, operational incidents are unpredictable and can arise from numerous sources, not all of which are fully within Citi’s control. These include, among others, operational or execution failures or deficiencies by third parties that provide products or services to Citi (e.g., cloud service providers), including such third parties’ downstream service providers, as well as other Citi counterparties and market participants, which could be exacerbated by the concentration of third-party providers across the financial services industry; deficiencies in processes or controls; inadequate management of data governance practices, data controls and monitoring mechanisms that may adversely impact internal or external reporting and decision-making; cyber or information security incidents (see the cybersecurity risk factor below); human error, such as manual transaction processing errors (e.g., erroneous payments to lenders or manual errors by traders that cause system and market disruptions or losses), which can be exacerbated by staffing challenges and processing backlogs; fraud or malice on the part of employees or third parties; insufficient (or limited) straight-through processing between legacy or bespoke systems and any failure to design and effectively operate controls that mitigate operational risks associated with those legacy or bespoke systems, leading to potential risk of errors and operating losses; accidental system or technological failure; electrical or telecommunication outages; failures of or cyber incidents involving computer servers or infrastructure, including software updates and cloud services; or other similar losses or damage to Citi’s property or assets (see also the climate change risk factor above). Additionally, Citi’s ability to effectively maintain and upgrade systems and infrastructure can become more challenging as the speed, frequency, volume, interconnectivity and complexity of transactions continue to increase.

For example, operational incidents can arise due to failures by third parties with which Citi does business, such as failures by internet, mobile technology and cloud service providers or other vendors to adequately follow procedures or processes, safeguard their systems or prevent system disruptions or cyberattacks. Failure by Citi to develop, implement and operate a third-party risk management program commensurate with the level of risk, complexity and nature of its third-party relationships can also result in operational incidents. In addition, Citi has experienced and could experience further losses associated with manual transaction processing errors, including erroneous payments to lenders or manual errors by Citi traders that cause system and market disruptions and losses for Citi and its clients. Irrespective of the sophistication of the technology utilized by Citi, there will always be a risk of human and other errors. In view of the large transactions in which Citi engages, such errors have in the past resulted, and could result, in significant losses. While Citi has change management processes in place to appropriately upgrade its operational processes and systems to ensure that any changes introduced do not adversely impact security and operational continuity, such change management can fail or be ineffective. Furthermore, when Citi introduces new products, systems or processes, new operational risks that may arise from those changes may not be identified, or adequate controls to mitigate the identified risks may not be appropriately implemented or operate as designed. Incidents that impact information security, technology operations or other operational processes may cause disruptions and/or malfunctions within Citi’s businesses (e.g., the temporary loss of availability of Citi’s online banking system or mobile banking platform), as well as the operations of its clients, customers or other third parties. In addition, operational incidents could involve the failure or ineffectiveness of internal processes or controls. Given Citi’s global footprint and the high volume of transactions processed by Citi, certain failures, errors or actions may be repeated or compounded before they are discovered and rectified, which would further increase the consequences and costs. Operational incidents could result in financial losses and other costs as well as misappropriation, corruption or loss of confidential and other information or assets, which could significantly negatively impact Citi’s reputation, customers, clients, employees, businesses or results of operations and financial condition, or the potential for systemic disruption due to interconnected systems and dependencies. Additionally, any unavailability or failure of backup systems could impact business continuity in the event of an operational incident. Cyber-related and other operational incidents can also result in legal and regulatory actions or proceedings, fines and other costs (see the legal and regulatory proceedings risk factor below).

Failure by Citi to continue to increase its operational resilience, and ensure that important business services and their impact tolerance time and severity scales are clearly defined, could expose Citi to service disruptions, leading to

🟢 New in Current Filing Branded Cards—Credit Cards 🔒
🟢 New in Current Filing Scenario Analysis 🔒
🟡 Modified Board Oversight 🔒
🟡 Modified Citi’s Emerging Markets Presence Subjects It to Various Risks as well as Increased Compliance and Regulatory Risks and Costs. 🔒
🟡 Modified Changes to Financial Accounting and Reporting Standards or Interpretations Could Have a Material Impact on How Citi Records and Reports Its Financial Condition and Results of Operations. 🔒
🟢 New in Current Filing Citi Is Subject to Complex Tax Laws, Which May Change, and Citi’s Interpretation or Application of These Complex Tax Laws Could Differ from Those of Governmental Authorities, Which Could Result in Litigation or Examinations and the Payment of Additional Taxes, Penalties or Interest. 🔒
🟢 New in Current Filing First Line of Defense 🔒
🟢 New in Current Filing Independent Compliance Risk Management 🔒
🟢 New in Current Filing Average Loans 🔒
🟢 New in Current Filing Portfolio Mix—Industry 🔒
🟢 New in Current Filing This page intentionally left blank. 🔒
🟢 New in Current Filing Consumer Credit Portfolio 🔒
🔴 No Match in Current Filing Workforce Development 🔒
🟡 Modified Citi’s and Third Parties’ Computer Systems and Networks Continue to Be Susceptible to an Increasing Risk of Evolving, Sophisticated Cybersecurity Incidents That Could Result in the Theft, Loss, Non-Availability, Alteration, Misuse or Disclosure of Confidential Information, Damage to Citi’s Reputation, Regulatory Penalties, Legal Exposure and Financial Losses. 🔒
🟡 Modified Business Environment, Including Competitive Challenges and Emerging Technologies. 🔒
🟡 Modified Climate Change Presents Various Financial and Non-Financial Risks to Citi. 🔒
🟡 Modified Citi May Be Unable to Achieve Its Objectives from Its Simplification, Transformation and Enhanced Business Performance Priorities. 🔒
🟡 Modified Board and Executive Management Governance Committees 🔒
🟡 Modified Citi Faces Ongoing Regulatory and Legislative Uncertainties and Changes in the U.S. and Globally. 🔒
🟡 Modified Managing Global Risk—Table of Contents 🔒
🟡 Modified All Other—Legacy Franchises 🔒
🟢 New in Current Filing Executive Management Team 🔒
🔴 No Match in Current Filing Net Zero Emissions by 2050 🔒
🔴 No Match in Current Filing Sustainable Operations 🔒
🔴 No Match in Current Filing HUMAN CAPITAL RESOURCES AND MANAGEMENT 🔒
🔴 No Match in Current Filing Workforce Size and Distribution 🔒
🔴 No Match in Current Filing All Other, including Legacy Franchises, Operations and Technology, and Global Staff Functions 🔒
🔴 No Match in Current Filing Driving a Culture of Excellence and Accountability 🔒
🔴 No Match in Current Filing Benefits and Well-being 🔒
🔴 No Match in Current Filing Independent Risk Management 🔒
🔴 No Match in Current Filing Branded Cards 🔒
🔴 No Match in Current Filing Loan Maturities 🔒
🟡 Modified A Disruption or Failure of Citi’s Operational Processes or Systems Could Negatively Impact Its Reputation, Customers, Clients, Businesses or Results of Operations and Financial Condition. 🔒
🟡 Modified If Citi’s Risk Management and Other Processes or Strategies Are Deficient or Ineffective, Citi May Incur Significant Losses and Its Regulatory Capital and Capital Ratios Could Be Negatively Impacted. 🔒
🟡 Modified Parallel shift(1) 🔒
🟡 Modified High-Quality Liquid Assets (HQLA) 🔒
🟡 Modified Citi’s Performance Could Be Negatively Impacted if It Is Not Able to Hire and Retain Qualified Employees. 🔒
🟡 Modified Credit Risk and Concentrations of Risk Can Increase the Potential for Citi to Incur Significant Losses. 🔒
🟡 Modified Retail Services 🔒
🟡 Modified Non-Markets Net Interest Income 🔒
🟡 Modified SUSTAINABILITY 🔒
🟡 Modified Loan Maturities and Fixed/Variable Pricing of Consumer Loans 🔒
🟡 Modified U.S. Personal Banking 🔒
🔴 No Match in Current Filing Citi’s Ability to Utilize Its DTAs, and Thus Reduce the Negative Impact of the DTAs on Citi’s Regulatory Capital, Will Be Driven by Its Ability to Generate U.S. Taxable Income. 🔒
🔴 No Match in Current Filing NET ZERO AND SUSTAINABILITY 🔒
🔴 No Match in Current Filing Talent Management 🔒
🔴 No Match in Current Filing Portfolio Mix—Industry 🔒
🔴 No Match in Current Filing Consumer Credit Portfolio 🔒
🔴 No Match in Current Filing Long-Term Liquidity Measurement: Net Stable Funding Ratio (NSFR) 🔒
🔴 No Match in Current Filing Cash and Investments 🔒
🟡 Modified Retail Banking 🔒
🟡 Modified ACLL by type at end of year(10) 🔒
🟡 Modified Citi’s Ability to Utilize Its DTAs, and Thus Reduce the Negative Impact of the DTAs on Citi’s Regulatory Capital, Will Be Driven by Its Ability to Generate U.S. Taxable Income. 🔒
🟡 Modified Independent Risk Management 🔒
🟡 Modified Interest rate exposure(1)(2) 🔒
🟡 Modified All Other—Legacy Franchises (managed basis)(3) 🔒
🟡 Modified CREDIT RISK 🔒
🟡 Modified Non-Accrual Loans 🔒
🟡 Modified HUMAN CAPITAL RESOURCES AND MANAGEMENT 🔒
🟡 Modified Retail Services 🔒
🟡 Modified Branded Cards 🔒
🟡 Modified Short-Term Liquidity Measurement: Liquidity Coverage Ratio (LCR) 🔒
🟡 Modified Long-Term Debt (LTD) 🔒
🟡 Modified Loan Maturities and Fixed/Variable Pricing of Corporate Loans 🔒
🔴 No Match in Current Filing Sustainable Finance 🔒
🔴 No Match in Current Filing Board Oversight 🔒
🔴 No Match in Current Filing Consumer loans, net of unearned income, excluding portfolio-layer cumulative basis adjustments(3) 🔒
🔴 No Match in Current Filing Select Balance Sheet Items 🔒
🟡 Modified Interest Rate Risk of Investment Portfolios—Impact on AOCI 🔒
🟡 Modified A Ratings Downgrade Could Adversely Impact Citi’s Funding and Liquidity. 🔒
🟡 Modified Regulatory Expectations and Scrutiny in the U.S. and Globally as well as Ongoing Interpretation and Implementation of Regulatory and Legislative Requirements and Changes Subject Citi to Significant Compliance, Regulatory and Other Risks and Costs. 🔒
🟡 Modified USPB(5)(6) 🔒
🟡 Modified Mexico Consumer 🔒
🟡 Modified Changes in or Incorrect Accounting Assumptions, Judgments or Estimates, or the Application of Certain Accounting Principles, Could Result in Significant Losses or Other Adverse Impacts. 🔒
🟡 Modified Corporate Credit Portfolio 🔒
🟡 Modified Interest Income/Expense and Net Interest Margin (NIM) 🔒
🟡 Modified Second Line of Defense 🔒
🟡 Modified Total fixed/variable pricing of corporate loans with maturities due after one year, net of unearned income(3)(4) 🔒
🟡 Modified Long-Term Liquidity Measurement: Net Stable Funding Ratio (NSFR) 🔒
🟡 Modified Consumer Loan Delinquencies Amounts and Ratios 🔒
🟡 Modified Wealth(2)(3) 🔒
🟡 Modified Consumer Loan Net Credit Losses (NCLs) and Ratios 🔒
🟡 Modified A Deterioration in or Failure to Maintain Citi’s Co-Branding or Private Label Credit Card Relationships Could Have a Negative Impact on Citi. 🔒
🟡 Modified Total Loss-Absorbing Capacity (TLAC) 🔒
🟡 Modified Citibank—Additional Potential Impacts 🔒
🟡 Modified Short-Term Borrowings 🔒
🟡 Modified FICO distribution(1) 🔒
🟡 Modified Details of Credit Loss Experience 🔒
🟡 Modified 2025 vs. 2024 🔒
🟡 Modified Loans Outstanding 🔒
🟡 Modified Exposure to Commercial Real Estate 🔒
🟡 Modified CONSUMER CREDIT 🔒
🟡 Modified Loans at fair value(1) 🔒
🟡 Modified Allowance for Credit Losses on Loans (ACLL) 🔒
🟡 Modified Taxable Equivalent Basis 🔒
🟡 Modified Rating of Hedged Exposure 🔒
🟡 Modified Third Line of Defense 🔒
🟡 Modified Enterprise Support Functions 🔒
🟡 Modified ACLL for corporate loan losses as a percentage of total corporate loans—net of unearned income(6) 🔒
🟡 Modified Funded exposure(1)(3) 🔒
🟡 Modified Non-bank(1) 🔒
101 more changes in this filing
