--- ticker: CFG company: Citizens Financial Group Inc. filing_type: 10-K year_current: 2024 year_prior: 2023 risks_added: 5 risks_removed: 5 risks_modified: 31 risks_unchanged: 35 source: SEC EDGAR url: https://riskdiff.com/cfg/2024-vs-2023/ markdown_url: https://riskdiff.com/cfg/2024-vs-2023/index.md generated: 2026-05-11 --- # Citizens Financial Group Inc.: 10-K Risk Factor Changes 2024 vs 2023 > Source: U.S. Securities and Exchange Commission (EDGAR) > Generated: 2026-05-11 > All data extracted directly from official filings. No hallucinated content. > **[AI-Generated Summary]** The paragraph below was produced by a language > model and may contain errors. All other content on this page is deterministically > extracted from the original SEC filing. > Citizens Financial Group's 2024 10-K reflects a shift from LIBOR discontinuance concerns to forward-looking regulatory requirements, replacing five discontinued risks with five new ones including long-term debt requirements and sustainability disclosures. The most substantive changes center on evolving regulatory frameworks, with modifications to prudential standards, capital and stress testing requirements, and heightened governance standards representing the company's response to updated regulatory expectations. Notably, the risk around financial estimates was reframed to emphasize subjective determinations and their potential material impact on financial condition, while ESG-related risks were reconceptualized under a sustainability framework. --- ## Summary | Status | Count | |--------|-------| | New risks added | 5 | | Risks removed | 5 | | Risks modified | 31 | | Unchanged | 35 | --- ## New in Current Filing: Sustainability Our efforts relative to ESG matters are aligned with the needs, interests, and expectations of our stakeholders and are divided into four focus areas: Leading with Robust Corporate Governance, Driving Positive Climate Impact, Building the Workforce of the Future, and Fostering Strong Communities. These areas speak to the strengths of our company, align with our business priorities, and define how we can have an outsized impact on our business, society, and the planet. In 2023, we announced a $50 billion Sustainable Finance Target, including $5 billion in green financing, by 2030. As part of this announcement, we committed to engage corporate clients in high-emitting sectors on climate-related topics, beginning with a target to engage 100% of our Oil & Gas clients by the end of 2024. In addition, we committed to achieving carbon neutrality by 2035. For more details regarding ESG and other corporate responsibility matters, go to our website. --- ## New in Current Filing: Enhanced Prudential Standards and Regulatory Tailoring Rules As a BHC with over $100 billion in total consolidated assets, we are currently subject to enhanced prudential standards and associated capital and liquidity rules ("Tailoring Rules"). The Tailoring Rules assign each BHC, including its bank subsidiaries, to one of four categories based on its size and certain risk-based indicators. CFG and CBNA are each subject to Category IV standards, the least restrictive of the requirements under the Tailoring Rules. As discussed in greater detail in "Capital and Stress Testing Requirements" and "Long-Term Debt Requirements", the federal banking regulators proposed sweeping changes to the regulatory capital and liquidity rules that would significantly impact the application of those rules to the Company. --- ## New in Current Filing: Capital and Stress Testing Requirements We are required to comply with the U.S. Basel III rules, which establish risk-based and leverage capital requirements. The risk-based requirements are based on a banking organization's RWA, which is inclusive of the organization's on- and off-balance sheet exposures. We calculate RWA using the standardized approach and have made the AOCI opt-out election, permitting us to exclude components of AOCI from regulatory capital. The leverage requirements are based on a banking organization's average consolidated on-balance sheet assets. Under the U.S. Basel III rules, the minimum capital ratios are: •CET1 capital ratio of 4.5%; •Tier 1 capital ratio of 6.0%; •Total capital ratio of 8.0%; and •Tier 1 leverage ratio of 4.0%. For BHCs with $100 billion or more in assets, such as us, the FRB's capital rules impose an institution-specific SCB on top of each of the three minimum risk-based capital ratios listed above. Banking institutions that fail to meet the effective minimum ratios including the SCB will be subject to constraints on capital distributions, including dividends and share repurchases, and certain discretionary executive compensation. The severity of the constraints depends on the amount of the shortfall and the institution's "eligible retained income", defined as the greater of four quarter trailing net income net of distributions and tax effects not reflected in net income, or the average four quarter trailing net income. On January 1, 2020, we adopted the CECL accounting standard. In reaction to the COVID disruption, on September 30, 2020, the federal banking regulators adopted a final rule relative to regulatory capital treatment of the ACL under CECL. This rule allowed electing banking organizations to delay the estimated impact of CECL on regulatory capital for a two-year period ending December 31, 2021, followed by a three-year transition period ending December 31, 2024. The three-year transition period will phase-in the reversal of the aggregate amount of the capital benefit provided during the initial two-year delay. As a Category IV firm under the Tailoring Rules, we are subject to biennial supervisory stress testing and are exempt from company-run stress testing and related disclosure requirements. The FRB supervises Category IV firms on an ongoing basis, including evaluating the capital adequacy and capital planning processes of firms during off-cycle years. We are required to develop, maintain and submit an annual capital plan for review and approval by our Board of Directors, or one of its committees, as well as FR Y-14 reporting requirements. On July 27, 2023, the federal banking regulators issued a proposal to implement the Basel Committee on Banking Supervision's finalization of the post-crisis bank regulatory capital reforms. The proposal, commonly referred to as Basel III "Endgame," would significantly revise the capital requirements applicable to large banking organizations with total assets of $100 billion or more, including the Company. Under the proposal, Category III and IV firms, including the Company as a Category IV firm, would become subject to the same capital treatment regarding the inclusion of AOCI, deductions, and rules for minority interest as Category I and II firms. The proposal would also replace the existing models-based approaches for credit and operational risk, which currently apply only to Category I and II firms, with two new approaches applicable to Category I through IV firms. The first would use the existing standardized approach and a proposed revised market risk capital rule. The second would use a new expanded risk-based approach, consisting of new non-models-based approaches for credit risk, operational risk and credit valuation adjustment risk, as well as the proposed revised market risk capital rule. The approach resulting in the lower ratio would establish the binding ratio for purposes of satisfying regulatory capital requirements and buffers, including the SCB. Category III and IV firms would also be required to calculate counterparty credit exposure relating to derivative transactions using the standardized approach for counterparty credit risk. Additionally, Category IV firms would become subject to the supplementary leverage ratio and the countercyclical capital buffer. The Company estimates a pro forma CET1 ratio, adjusted for the AOCI opt-out removal, of 9.0% as of December 31, 2023. In addition, the proposal is estimated to modestly increase our RWA on a fully phased-in basis. Under the proposal, the rule would take effect on July 1, 2025, with a three-year phase-in of the capital impact through June 30, 2028. Comments on the proposal were due by January 16, 2024. We continue to evaluate the full impact of the proposal. For more details regarding our regulatory capital and SCB, see the "Capital and Regulatory Matters" section of Item 7. We are also subject to the FRB's risk-based capital requirements for market risk. See the "Market Risk" section of Item 7 for additional details. --- ## New in Current Filing: Long-Term Debt Requirements On August 29, 2023, the federal banking regulators issued a proposal that would require large bank holding companies and IDIs with total assets of $100 billion or more, such as CFG and CBNA, to maintain a minimum amount of long-term debt. The joint agency proposal aims to increase the resolvability and resiliency of large banking organizations by mandating a long-term debt requirement to provide the regulatory agencies additional resources to resolve failed banking organizations, foster depositor confidence, and decrease costs to the DIF in the event of a large banking organization failure. Under the proposal, large bank holding companies and IDIs would each be required to maintain a minimum amount of eligible long-term debt equal to the greater of 6 percent of RWA, 3.5 percent of average total consolidated assets, and 2.5 percent of total leverage exposure for those banks subject to the supplementary leverage ratio. The proposal also prohibits large banking organizations from engaging in certain activities that could complicate their resolution and discourages them from holding long-term debt issued by other banks to reduce interconnectedness. The proposal provides for a three-year transition period, with 25 percent of the long-term debt requirement to be met one year after the rule is finalized, 50 percent after two years, and 100 percent after three years. Comments on the proposal were due by January 16, 2024. We continue to evaluate the full impact of the proposal. --- ## New in Current Filing: The preparation of our financial statements requires us to make subjective determinations and use estimates that may vary from actual results and materially impact our financial condition and results of operations. The preparation of consolidated financial statements in conformity with GAAP requires management to make significant estimates that affect the financial statements. Our accounting policies and methods are fundamental to how we record and report our financial condition and results of operations and, at times, require management to exercise judgment in their application so as to report our financial condition and results of operations in the most appropriate manner. Certain accounting policies are critical because they require management to make difficult, subjective or complex judgments about matters that are inherently uncertain and the likelihood that materially different estimates would result under different conditions or through the utilization of different assumptions. Our critical accounting estimates include the ACL, estimations of fair value and review of goodwill for impairment. If our estimates are inaccurate or need to be adjusted periodically, our financial condition and results of operations could be materially impacted. For more information regarding our use of estimates in the preparation of our consolidated financial statements, see Note 1 in Item 8 and the "Critical Accounting Estimates" section in Item 7. --- ## No Match in Current: Environmental, Social and Governance *This section from the 2023 filing does not have a high-confidence textual match in 2024. It may have been removed, merged, or substantially reworded.* Investors have begun to consider how corporations are addressing ESG matters when making investment decisions. Specifically, certain investors are beginning to incorporate the business risks of climate change and the adequacy of a company's response to climate change as part of their investment strategy. In 2021, we announced targets to reduce our Scope 1 and 2 greenhouse gas emissions 30% by 2025 and 50% by 2035, based on our 2016 baseline. These reductions align with the recommendations of the Paris Agreement, which aims to limit average global temperature increase to well below 2 degrees Celsius compared to pre-industrial levels. In 2022, we published our fifth annual Corporate Responsibility Report and completed the CDP's Climate Change Questionnaire for the seventh time. We also issued our inaugural Task Force on Climate-related Financial Disclosures ("TCFD") report and expanded our climate commitment by: •joining the Partnership for Carbon Accounting Financials ("PCAF"), a collaboration among worldwide financial institutions working to develop and implement a harmonized approach to assess and disclose greenhouse gas ("GHG") emissions associated with loans and investments; •participating in the Risk Management Association Climate Risk Consortium, a financial industry group dedicated to advancing best practices in climate risk management; and •entering into a virtual power purchase agreement with Ørsted, supporting the construction of the Sunflower Wind Project in Kansas, which will offset 100% of our power consumption across our entire operational footprint with renewable energy credits. For more details regarding ESG and other corporate responsibility matters, go to our website. --- ## No Match in Current: Tailoring of Prudential Requirements *This section from the 2023 filing does not have a high-confidence textual match in 2024. It may have been removed, merged, or substantially reworded.* The FRB and the other federal banking regulators have enacted rules that tailor the application of the enhanced prudential standards to BHCs and depository institutions to implement the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018 amendments to the Dodd-Frank Act ("Tailoring Rules"). Under the Tailoring Rules, we are subject to "Category IV standards," which apply to banking organizations with at least $100 billion in total consolidated assets that do not meet any of the thresholds specified for Categories I through III. We discuss other elements of the Tailoring Rules where relevant below. The liquidity requirements are described below under " - Liquidity Requirements," and the stress testing requirements are described below under " - Capital Planning and Stress Testing Requirements." --- ## No Match in Current: Capital Planning and Stress Testing Requirements *This section from the 2023 filing does not have a high-confidence textual match in 2024. It may have been removed, merged, or substantially reworded.* Under the Tailoring Rules, Category IV firms, such as us, are subject to biennial supervisory stress testing and are exempt from company-run stress testing and related disclosure requirements. The FRB continues to supervise Category IV firms on an ongoing basis, including evaluation of the capital adequacy and capital planning processes during off-cycle years. We remain subject to the requirement to develop, maintain and submit an annual capital plan for review and approval by our board of directors, or one of its committees, as well as FR Y-14 reporting requirements. Regulations relating to capital planning, regulatory reporting, and stress testing and capital buffer requirements applicable to firms like us are presently subject to rule making and potential further guidance and interpretation by the applicable federal regulators. We will continue to evaluate the impact of these and any other prudential regulatory changes, including their potential resultant changes in our regulatory and compliance costs and expenses. For more detail on our capital planning and stress testing requirements see the "Capital and Regulatory Matters" section of Item 7. --- ## No Match in Current: Changes in the method pursuant to which the LIBOR and other benchmark rates are calculated and their planned discontinuance could adversely impact our business operations and financial results. *This section from the 2023 filing does not have a high-confidence textual match in 2024. It may have been removed, merged, or substantially reworded.* Many of our lending products, securities, derivatives, and other financial transactions utilize a benchmark rate, such as LIBOR, to determine the applicable interest rate or payment amount. The U.K. Financial Conduct Authority and the ICE Benchmark Administration have announced that the publication of the most commonly used U.S. Dollar LIBOR tenors will cease to be provided or cease to be representative after June 30, 2023. The publication of all other LIBOR settings ceased to be provided or ceased to be representative as of December 31, 2021. The Adjustable Interest Rate (LIBOR) Act (LIBOR Act), enacted in March 2022, provides a statutory framework to replace U. S. Dollar LIBOR with a benchmark rate based on the Secured Overnight Financing Rate (SOFR) for contracts governed by U.S. law that have no fallbacks or fallbacks that would require the use of a poll or LIBOR-based rate, and in December 2022, the FRB adopted rules which identify different SOFR-based replacement rates for derivative contracts, for cash instruments such as floating-rate notes and preferred stock, for consumer loans, for certain government-sponsored enterprise contracts and for certain asset-backed securities. We continue to monitor market developments and regulatory updates related to the cessation of LIBOR, as well as collaborate with regulators and industry groups on the transition. As the transition from LIBOR is ongoing, there continues to be uncertainty as to the ultimate effect of the transition on the financial markets for LIBOR-linked financial instruments. The discontinuation of a benchmark rate, changes in a benchmark rate, or changes in market perceptions of the acceptability of a benchmark rate, including LIBOR, could, among other things, adversely affect the value of and return on certain of our financial instruments or products, result in changes to our risk exposures, or require renegotiation of previous transactions. In addition, any such discontinuation or changes, whether actual or anticipated, could result in market volatility, increased compliance, legal and operational costs, and risks associated with customer disclosures and contract negotiations. Although the LIBOR Act includes safe harbors if the FRB-identified SOFR-based replacement rate is selected, these safe harbors are untested. As a result, and despite the enactment of the LIBOR Act, for the most commonly used U.S. Dollar LIBOR settings, the use or selection of a successor rate could also expose us to risks associated with disputes with customers and other market participants in connection with implementing LIBOR fallback provisions. For more information on our LIBOR transition, see the "Market Risk" section in Item 7. --- ## No Match in Current: The preparation of our financial statements requires the use of estimates that may vary from actual results. Particularly, various factors may cause our Allowance for Credit Losses to increase. *This section from the 2023 filing does not have a high-confidence textual match in 2024. It may have been removed, merged, or substantially reworded.* The preparation of audited Consolidated Financial Statements in conformity with GAAP requires management to make significant estimates that affect the financial statements. Our most critical accounting estimate is the ACL. The ACL is a reserve established through a provision for credit losses charged to expense and represents our estimate of expected credit losses within the existing loan and lease portfolio and unfunded lending commitments. The level of the ACL is based on periodic evaluation of the loan and lease portfolios and unfunded lending commitments that are not unconditionally cancellable considering a number of relevant underlying factors, including key assumptions and evaluation of quantitative and qualitative information. The determination of the appropriate level of the ACL inherently involves a degree of subjectivity and requires that we make significant estimates of current credit risks and future trends, all of which may undergo material changes. Changes in economic conditions affecting borrowers, the stagnation of certain economic indicators that we are more susceptible to, such as unemployment and real estate values, new information regarding existing loans, identification of additional problem loans and other factors, both within and outside our control, may require an increase in the ACL. In addition, bank regulatory agencies periodically review our ACL and may require an increase in the ACL or the recognition of further loan charge-offs, based on judgments that can differ from those of our own management. In addition, if charge-offs in future periods exceed the ACL - that is, if the ACL is inadequate - we will need to recognize additional provision for credit losses. Should such additional provision expense become necessary, it would result in a decrease in net income and capital and may have a material adverse effect on us. For more information regarding our use of estimates in preparation of financial statements, see Note 1 in Item 8 and the "Critical Accounting Estimates" section in Item 7. --- ## Modified: Our financial and accounting estimates and risk management framework rely on analytical forecasting and models. **Key changes:** - Reworded sentence: "The processes we use to estimate loan losses, measure the fair value of financial instruments and estimate the effects of changing interest rates and other market measures on our financial condition and results of operations are reliant upon the use of analytical and forecasting models." **Prior (2023):** The processes we use to estimate our inherent loan losses and to measure the fair value of financial instruments, as well as the processes used to estimate the effects of changing interest rates and other market measures on our financial condition and results of operations, depends upon the use of analytical and forecasting models. Some of our tools and metrics for managing risk are based upon our use of observed historical market behavior. We rely on quantitative models to measure risks and to estimate certain financial values. Models may be used in such processes as determining the pricing of various products, grading loans and extending credit, measuring interest rate and other market risks, predicting losses, assessing capital adequacy and calculating regulatory capital levels, as well as estimating the value of financial instruments and balance sheet items. Poorly designed or implemented models present the risk that our business decisions based on information incorporating such models will be adversely affected due to the inadequacy of that information. Moreover, our models may fail to predict future risk exposures if the information used in the model is incorrect, obsolete or not sufficiently comparable to actual events as they occur. We seek to incorporate appropriate historical data in our models, but the range of market values and behaviors reflected in any period of historical data is not at all times predictive of future developments in any particular period and the period of data we incorporate into our models may turn out to be inappropriate for the future period being modeled. In such case, our ability to manage risk would be limited and our risk exposure and losses could be significantly greater than our models indicated. In addition, if existing or potential customers believe our risk management is inadequate, they could take their business elsewhere. This could harm our reputation as well as our revenues and profits. Finally, information we provide to our regulators based on poorly designed or implemented models could also be inaccurate or insufficient. Some of the decisions that our regulators make, including those related to capital distributions to our stockholders, could be adversely affected due to their perception that the quality of the models used to generate the relevant information is insufficient. **Current (2024):** The processes we use to estimate loan losses, measure the fair value of financial instruments and estimate the effects of changing interest rates and other market measures on our financial condition and results of operations are reliant upon the use of analytical and forecasting models. Some of our tools and metrics for managing risk are based on observed historical market behavior, and we rely on quantitative models to measure risks and to estimate certain financial values. Models may be used in processes such as determining the pricing of various products, grading loans and extending credit, measuring interest rate and other market risks, predicting losses, assessing capital adequacy and calculating regulatory capital levels, as well as estimating the value of financial instruments and balance sheet items. Poorly designed or implemented models could adversely affect our business decisions if the information is inadequate. In addition, our models may fail to predict future risk exposures if the information used is inaccurate, obsolete or not sufficiently comparable to actual events as they occur. We seek to incorporate appropriate historical data in our models, but the range of market values and behaviors reflected in any period of historical data is not always predictive of future developments in any particular period and the period of data we incorporate into our models may turn out to be inappropriate for the future period being modeled. In these instances, our ability to manage risk would be limited and our risk exposure and losses could be significantly greater than our models indicated, which could harm our reputation and adversely affect our revenues and profits. Finally, information provided to our regulators based on poorly designed or implemented models could be inaccurate or insufficient. Some of the decisions that our regulators make, including those related to capital distributions to our stockholders, could be adversely affected due to their perception that the quality of the models used to generate the relevant information is insufficient. --- ## Modified: Heightened Risk Governance Standards **Key changes:** - Reworded sentence: "CBNA is subject to OCC guidelines that impose heightened risk governance standards on large national banks with average total consolidated assets of $50 billion or more." - Reworded sentence: "A bank's board of directors is required to have two members who are independent of bank and parent company management, ensure that the risk governance framework meets the appropriate standards, provide active oversight and a credible challenge to management's recommendations and decisions, and ensure that decisions made by the parent company do not jeopardize the safety and soundness of the bank." **Prior (2023):** CBNA is subject to OCC guidelines imposing heightened risk governance standards on large national banks with average total consolidated assets of $50 billion or more. The guidelines set forth minimum standards for the design and implementation of a bank's risk governance framework, and minimum standards for oversight of that framework by a bank's board of directors. The guidelines are intended to protect the safety and soundness of covered banks and improve bank examiners' ability to assess compliance with the OCC's expectations. Under the guidelines, a bank may use its parent company's risk governance framework if the framework meets the minimum standards, the risk profiles of the parent company and the covered bank are substantially the same, and certain other conditions are met. CBNA has elected to use the Parent Company's risk governance framework. A bank's board of directors is required to have two members who are independent of the bank and parent company management. A bank's board of directors is responsible for ensuring that the risk governance framework meets the standards in the guidelines, providing active oversight and a credible challenge to management's recommendations and decisions and ensuring that the parent company decisions do not jeopardize the safety and soundness of the bank. **Current (2024):** CBNA is subject to OCC guidelines that impose heightened risk governance standards on large national banks with average total consolidated assets of $50 billion or more. The guidelines set forth minimum standards for the design and implementation of a bank's risk governance framework and its associated oversight by a bank's board of directors. The guidelines are intended to protect the safety and soundness of covered banks and improve the ability of bank examiners to assess compliance with the OCC's expectations. Under the guidelines, a bank may use the risk governance framework of its parent company if it meets the minimum standards and the risk profiles of the parent company and the covered bank are substantially the same, along with certain other conditions. CBNA has elected to use the Parent Company's risk governance framework. A bank's board of directors is required to have two members who are independent of bank and parent company management, ensure that the risk governance framework meets the appropriate standards, provide active oversight and a credible challenge to management's recommendations and decisions, and ensure that decisions made by the parent company do not jeopardize the safety and soundness of the bank. --- ## Modified: We are subject to a variety of cybersecurity risks that, if realized, could adversely affect how we conduct our business. **Key changes:** - Reworded sentence: "Evolving technologies and the increased sophistication and activities of organized crime, hackers, terrorists, nation-states, activists and other external parties present a significant information security risk to large financial institutions such as us." - Reworded sentence: "Risks related to cyber-attacks on our vendors and other third parties, including supply chain attacks affecting our software and information technology service providers, are on the rise as such attacks become more frequent and severe." - Reworded sentence: "Although we believe that we have appropriate information security procedures and controls based on our adherence to applicable laws and regulations and industry standards, our technologies, systems, and networks may be the target of cyber-attacks or information security breaches that could result in the unauthorized release, gathering, monitoring, misuse, theft, sale or loss or destruction of the confidential and/or proprietary information of CFG, and our customers, vendors, counterparties, or employees." - Reworded sentence: "Two of the most significant cyber-attack risks that we face as a result of these fraudulent schemes are potential loss of funds resulting from customers falling victim to cybercriminal communications directed to them or unauthorized access to sensitive customer data." - Reworded sentence: "Due to the complexity and interconnectedness of information technology systems, the process of enhancing our layers of defense can itself create a risk of system disruptions and security issues." **Prior (2023):** Information security risks for large financial institutions such as us have increased significantly in recent years in part because of the proliferation of new technologies, such as the internet and mobile banking to conduct financial transactions, and the increased sophistication and activities of organized crime, hackers, terrorists, nation-states, activists and other external parties. Third parties with whom we or our customers do business also present operational and information security risks to us, including security breaches or failures of their own systems. Risks relating to cyber-attacks on our vendors and other third parties, including supply chain attacks affecting our software and information technology service providers, have been rising as such attacks become increasingly frequent and severe. The possibility of employee error, failure to follow security procedures, or malfeasance also presents these risks, particularly given the recent trend towards remote work arrangements. Our operations rely on the secure processing, transmission and storage of confidential information in our computer systems and networks as well as in the third-party computer systems and networks used to provide products and services on our behalf. In addition, to access our products and services, our customers may use personal computers, smartphones, tablets, and other mobile devices that are beyond our control environment. Although we believe that we have appropriate information security procedures and controls based on our adherence to applicable laws and regulations, industry standards and best practices, our technologies, systems, networks and our customers' devices may be the target of cyber-attacks or information security breaches that could result in the unauthorized release, gathering, monitoring, misuse, theft, sale or loss or destruction of the confidential, and/or proprietary information of CFG, our customers, our vendors, our counterparties, or our employees. We are under continuous threat of loss or network degradation due to cyber-attacks, such as computer viruses, malicious or destructive code, phishing attacks, ransomware, and Distributed Denial of Service ("DDoS") attacks. This is especially true as we continue to expand customer capabilities to utilize the Internet and other remote channels to transact business. Two of the most significant cyber-attack risks that we face are e-fraud and loss of sensitive customer data. Loss from e-fraud occurs when cybercriminals extract funds directly from customers' or our accounts using fraudulent schemes that may include Internet-based funds transfers. We have been subject to a number of e-fraud incidents historically. We have also been subject to attempts to steal sensitive customer data, such as account numbers and social security numbers, through unauthorized access to our computer systems including computer hacking. Such attacks are less frequent but could present significant reputational, legal and regulatory costs to us if successful. We have implemented certain technology protections such as Customer Profiling and Set-Up Authentication to be in compliance with the FFIEC Authentication and Access to Financial Institution Services and Systems guidelines. As cyber threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our layers of defense or to investigate and remediate any information security vulnerabilities. System enhancements and updates may also create risks associated with implementing new systems and integrating them with existing ones. Due to the complexity and interconnectedness of information technology systems, the process of enhancing our layers of defense can itself create a risk of systems disruptions and security issues. In addition, addressing certain information security vulnerabilities, such as hardware-based vulnerabilities, may affect the performance of our information technology systems. The ability of our hardware and software providers to deliver patches and updates to mitigate vulnerabilities in a timely manner can introduce additional risks, particularly when a vulnerability is being actively exploited by threat actors. Cyber-attacks against the patches themselves have also proven to be a significant risk that companies will have to address going forward. Despite our efforts to prevent a cyber-attack, a successful cyber-attack could persist for an extended period of time before being detected, and, following detection, it could take considerable time for us to obtain full and reliable information about the cybersecurity incident and the extent, amount and type of information compromised. During the course of an investigation, we may not necessarily know the full effects of the incident or how to remediate it, and actions and decisions that are taken or made in an effort to mitigate risk may further increase the costs and other negative consequences of the incident. Moreover, potential new regulations may require us to disclose information about a cybersecurity event before it has been resolved or fully investigated. The techniques used by cyber criminals change frequently, may not be recognized until launched and can be initiated from a variety of sources, including terrorist organizations and hostile foreign governments. These actors may attempt to fraudulently induce employees, customers or other users of our systems to disclose sensitive information in order to gain access to data or our systems. In the event that a cyber-attack is successful, our business, financial condition or results of operations may be adversely affected. For a discussion of the guidance that federal banking regulators have released regarding cybersecurity and cyber risk management standards, see the "Regulation and Supervision" section of Item 1. **Current (2024):** Evolving technologies and the increased sophistication and activities of organized crime, hackers, terrorists, nation-states, activists and other external parties present a significant information security risk to large financial institutions such as us. Third parties with whom we or our customers do business also present operational and information security risks to us, including security breaches or failures of their own systems. Risks related to cyber-attacks on our vendors and other third parties, including supply chain attacks affecting our software and information technology service providers, are on the rise as such attacks become more frequent and severe. Employee error, failure to follow security procedures, or malfeasance also present these risks. Our operations rely on the secure processing, transmission and storage of confidential information in our computer systems and networks as well as in the third-party computer systems and networks used to provide products and services on our behalf. Although we believe that we have appropriate information security procedures and controls based on our adherence to applicable laws and regulations and industry standards, our technologies, systems, and networks may be the target of cyber-attacks or information security breaches that could result in the unauthorized release, gathering, monitoring, misuse, theft, sale or loss or destruction of the confidential and/or proprietary information of CFG, and our customers, vendors, counterparties, or employees. We and our third-party vendors are under continuous threat of loss or network degradation due to cyber-attacks, such as computer viruses, malicious or destructive code, phishing attacks, ransomware, and Distributed Denial of Service ("DDoS") attacks (collectively, "fraudulent schemes"). Also, our customers are routinely the target of fraudulent schemes. This is especially true as we continue to expand customer capabilities to utilize the Internet and other remote channels to transact business. Two of the most significant cyber-attack risks that we face as a result of these fraudulent schemes are potential loss of funds resulting from customers falling victim to cybercriminal communications directed to them or unauthorized access to sensitive customer data. Cybercriminals can use fraudulent schemes directly targeting our customers or our own systems to compromise and directly extract funds from a customer's account or access sensitive customer data. Certain technology protections such as Customer Profiling and Step-Up Authentications are implemented so that we are compliant with the FFIEC Authentication and Access to Financial Institution Services and Systems guidelines. As cyber threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our layers of defense, to investigate and remediate any information security vulnerabilities internally, to assess and mitigate issues associated with customers that have fallen victim to fraudulent schemes, and perform additional due diligence with respect to our third-party vendors. System enhancements and updates may also create risks associated with implementing new systems and integrating them with existing ones. Due to the complexity and interconnectedness of information technology systems, the process of enhancing our layers of defense can itself create a risk of system disruptions and security issues. In addition, addressing certain information security vulnerabilities, such as hardware-based vulnerabilities, may affect the performance of our information technology systems. The ability of our hardware and software providers to deliver patches and updates to mitigate vulnerabilities in a timely manner can introduce additional risks, particularly when a vulnerability is being actively exploited by threat actors. Cyber-attacks against the patches themselves have also proven to be a significant risk that companies will have to address going forward. Despite our efforts to prevent a cyber-attack, a successful cyber-attack could persist for an extended period of time before being detected, and, following detection, could take considerable time for us to obtain full and reliable information about the cybersecurity incident and the extent, amount and type of information compromised. During the course of an investigation, we may not necessarily know the full effects of the incident or how to remediate it, and actions and decisions that are taken or made in an effort to mitigate risk may further increase the costs and other negative consequences of the incident. Moreover, new regulations may require us to disclose information about a cybersecurity event before it has been resolved or fully investigated. The techniques used by cyber criminals change frequently, may not be recognized until launched and can be initiated from a variety of sources, including terrorist organizations and hostile foreign governments. These actors may attempt to fraudulently induce employees, customers or other third-party users of our systems to disclose sensitive information in order to gain access to data or our systems. In the event that a cyber-attack is successful, our business, financial condition or results of operations may be adversely affected. For a discussion of the guidance that regulators have released regarding cybersecurity and cyber risk management standards, see the "Regulation and Supervision" section of Item 1. --- ## Modified: Consumer Banking Segment **Key changes:** - Reworded sentence: "Consumer Banking serves consumer customers and small businesses with annual revenues of up to $25 million, with products and services that include deposits, mortgage and home equity lending, credit cards, small business loans, wealth management and investment services largely across our 14-state traditional banking footprint." **Prior (2023):** Consumer Banking serves retail customers and small businesses with annual revenues of up to $25 million, with products and services that include deposit products, mortgage and home equity lending, credit cards, business loans, wealth management and investment services largely across our 14-state traditional banking footprint. We also offer auto, education and point-of-sale finance loans in addition to select digital deposit products nationwide. Consumer Banking operates a multi-channel distribution network with a workforce of approximately 5,780 branch colleagues, approximately 1,100 branches, including 220 in-store locations, and approximately 3,400 ATMs. Our network includes approximately 1,250 specialists covering lending, savings and investment needs as well as a broad range of small business products and services. We serve customers on a national basis through telephone service centers as well as through our online and mobile platforms where we offer customers the convenience of depositing funds, paying bills and transferring money between accounts and from person to person, as well as a host of other everyday transactions. **Current (2024):** Consumer Banking serves consumer customers and small businesses with annual revenues of up to $25 million, with products and services that include deposits, mortgage and home equity lending, credit cards, small business loans, wealth management and investment services largely across our 14-state traditional banking footprint. We also offer education and point-of-sale finance loans in addition to select digital deposit products nationwide. Citizens Private Bank, launched during 2023, integrates wealth management and banking services to serve high net-worth individuals and families, as well as businesses. Consumer Banking operates a multi-channel distribution network with a workforce of approximately 5,300 branch colleagues, approximately 1,100 branches, including 187 in-store locations, and approximately 3,200 ATMs. Our network includes approximately 1,100 specialists covering lending, savings and investment needs as well as a broad range of small business products and services. We serve customers on a national basis through telephone service centers as well as through our online and mobile platforms where we offer customers the convenience of depositing funds, paying bills and transferring money between accounts and from person to person, as well as a host of other everyday transactions. --- ## Modified: A reduction in our credit ratings could have a material adverse effect on our business, financial condition and results of operations. **Key changes:** - Reworded sentence: "Rating agencies regularly evaluate us, and their ratings are based on a number of factors, including our financial strength and conditions affecting the financial services industry generally." **Prior (2023):** Credit ratings affect the cost and other terms upon which we are able to obtain funding. Rating agencies regularly evaluate us, and their ratings are based on a number of factors, including our financial strength. Other factors considered by rating agencies include conditions affecting the financial services industry generally. Any downgrade in our ratings would likely increase our borrowing costs, could limit our access to capital markets, and otherwise adversely affect our business. For example, a ratings downgrade could adversely affect our ability to sell or market certain of our securities, including long-term debt, engage in certain longer-term derivatives transactions and retain our customers, particularly corporate customers who may require a minimum rating threshold in order to place funds with us. In addition, under the terms of certain of our derivatives contracts, we may be required to maintain a minimum credit rating or have to post additional collateral or terminate such contracts. Any of these results of a rating downgrade could increase our cost of funding, reduce our liquidity and have adverse effects on our business, financial condition and results of operations. **Current (2024):** Credit ratings affect the cost and other terms upon which we are able to obtain funding. Rating agencies regularly evaluate us, and their ratings are based on a number of factors, including our financial strength and conditions affecting the financial services industry generally. Any downgrade in our ratings would likely increase our borrowing costs and could limit our access to capital markets, which would adversely affect our business. For example, a ratings downgrade could adversely affect our ability to sell or market our securities, including long-term debt, engage in certain longer-term derivatives transactions and retain our customers, particularly corporate customers who may require a minimum rating threshold in order to place funds with us. In addition, under the terms of our derivatives contracts, we may be required to maintain a minimum credit rating, post additional collateral or terminate such contracts. Any of these results of a ratings downgrade could increase our cost of funding, reduce our liquidity and have adverse effects on our business, financial condition and results of operations. For more information regarding our credit ratings, see the "Liquidity" section in Item 7. --- ## Modified: We rely on third parties for the performance of a significant portion of our information technology. **Key changes:** - Reworded sentence: "We rely on third parties for the performance of a significant portion of our information technology functions and the provision of information technology and business process services including, but not limited to, the operation of our data communications networks, hosted services, and a wide range of other support services." - Reworded sentence: "If these services are not performed in a satisfactory manner, we would not be able to adequately serve our customers." **Prior (2023):** We rely on third parties for the performance of a significant portion of our information technology functions and the provision of information technology and business process services. For example, (i) unaffiliated third parties operate data communications networks on which certain components and services relating to our online banking system rely, (ii) third parties host or maintain many of our applications, including a commercial loan system, which is hosted and maintained by Automated Financial Systems, Inc., and our Mobile Digital Banking Application, which is hosted and maintained by Amazon Web Services, Inc., (iii) Fidelity Information Services, LLC maintains our core deposits system, (iv) Infosys Limited provides us with a wide range of information technology support services, including service desk, end user support, production application support, and private cloud support, and (v) Kyndryl, Inc. provides us with mainframe support services. The success of our business depends in part on the continuing ability of these (and other) third parties to perform these functions and services in a timely and satisfactory manner, which performance could be disrupted or otherwise adversely affected due to failures or other information security events originating at the third parties or at the third parties' suppliers or vendors (so-called "fourth party risk"). For example, during 2021, there were a number of widely publicized cases of outages in connection with access to cloud service providers. We may not be able to effectively monitor or mitigate fourth-party risk, in particular as it relates to the use of common suppliers or vendors by the third parties that perform functions and services for us. If we experience a disruption in the provision of any functions or services performed by third parties, we may have difficulty in finding alternate providers on terms favorable to us and in reasonable time frames. If these services are not performed in a satisfactory manner, we would not be able to serve our customers well. In either situation, our business could incur significant costs and be adversely affected. **Current (2024):** We rely on third parties for the performance of a significant portion of our information technology functions and the provision of information technology and business process services including, but not limited to, the operation of our data communications networks, hosted services, and a wide range of other support services. The success of our business depends in part on the continuing ability of third parties to perform these functions and services in a timely and satisfactory manner, which performance could be disrupted or otherwise adversely affected due to failures or other information security events originating at the third parties or at the third parties' suppliers or vendors (so-called "fourth party risk"). We may not be able to effectively monitor or mitigate third or fourth-party risk, in particular as it relates to the use of common suppliers or vendors by the third parties that perform functions and services for us. If we experience a disruption in the provision of any functions or services performed by third parties, we may have difficulty in finding alternate providers on terms favorable to us and in reasonable time frames. If these services are not performed in a satisfactory manner, we would not be able to adequately serve our customers. In either situation, our business could incur significant costs and be adversely affected. --- ## Modified: Difficult economic conditions, including inflationary pressures, would likely have an adverse effect on our business, financial position and results of operations. **Key changes:** - Reworded sentence: "From March 2022 to July 2023, the FRB raised its benchmark interest rate eleven times in response to inflationary pressures throughout the economy." - Reworded sentence: "Also, see "Changes in interest rates may have an adverse effect on our profitability" below for more information on the risks associated with changes in interest rates." - Reworded sentence: "Any of the effects of these adverse economic conditions would likely have an adverse impact on our earnings, with the significance of the impact generally depending on the nature and severity of the economic conditions." **Prior (2023):** Robust demand, labor shortages and supply chain constraints have led to persistent inflationary pressures throughout the economy. In response to these inflationary pressures, the FRB has raised benchmark interest rates in recent months and may continue to raise interest rates in response to economic conditions, particularly a continued high rate of inflation. Amidst these uncertainties, including potential recessionary economic conditions, financial markets have continued to experience volatility. Changes in interest rates can affect numerous aspects of our business and may impact our future performance. See risk factor headed "Changes in interest rates may have an adverse effect on our profitability" below for more information on the risks associated with changes in interest rates. Prolonged periods of inflation may impact our profitability by negatively impacting our costs and expenses, including increasing funding costs and expense related to talent acquisition and retention, and negatively impacting consumer demand and client purchasing power for our products and services. If significant inflation continues, our business could be negatively affected by, among other things, increased default rates leading to credit losses which could adversely impact our earnings and capital. Any of the effects of these adverse economic conditions would likely have an adverse impact on our earnings, with the significance of the impact generally depending on the nature and severity of the adverse economic conditions. **Current (2024):** From March 2022 to July 2023, the FRB raised its benchmark interest rate eleven times in response to inflationary pressures throughout the economy. Financial markets remain volatile amidst the uncertainty of economic conditions, including potential recessionary conditions. Changes in interest rates can affect numerous aspects of our business and may impact our future performance. Also, see "Changes in interest rates may have an adverse effect on our profitability" below for more information on the risks associated with changes in interest rates. Prolonged periods of inflation may impact our profitability by negatively impacting our costs and expenses, including increasing funding costs and expense related to talent acquisition and retention, and negatively impacting consumer demand and client purchasing power for our products and services. If significant inflation continues, our business could be negatively affected by, among other things, increased default rates leading to credit losses which could adversely impact our earnings and capital. Any of the effects of these adverse economic conditions would likely have an adverse impact on our earnings, with the significance of the impact generally depending on the nature and severity of the economic conditions. --- ## Modified: Website Access to Citizens' Filings with the SEC and Corporate Governance Information **Key changes:** - Added sentence: "Information about our Board and its committees and corporate governance, including our Code of Business Conduct and Ethics, is available on our website at investor.citizensbank.com/about-us/investor-relations/corporate-governance." - Reworded sentence: "As a financial services organization, certain elements of risk are inherent in our transactions and operations and the business decisions we make." **Prior (2023):** We maintain a website at investor.citizensbank.com. We make available on our website, free of charge, our annual reports on Form 10-K, quarterly reports on Form 10-Q and current reports on Form 8-K, including exhibits, and amendments to those reports that are filed or furnished to the SEC pursuant to Section 13(a) of the Securities Exchange Act of 1934. These documents are made available on our website as soon as reasonably practicable after they are electronically filed with or furnished to the SEC. The SEC also maintains an internet site (www.sec.gov) that contains reports, proxy and information statements, and other information regarding issuers that file electronically with the SEC. ITEM 1A. RISK FACTORS We are subject to a number of risks potentially impacting our business, financial condition, results of operations and cash flows. As we are a financial services organization, certain elements of risk are inherent in our transactions and operations and are present in the business decisions we make. We, therefore, encounter risk as part of the normal course of our business and we design risk management processes to help manage these risks. Our success is dependent on our ability to identify, understand and manage the risks presented by our business activities so that we can appropriately balance revenue generation and profitability. These risks include, but are not limited to, credit risk, market risk, liquidity risk, operational risk, model risk, technology, regulatory and legal risk and strategic and reputational risk. We discuss our principal risk management processes and, in appropriate places, related historical performance in the "Risk Governance" section in Item 7. You should carefully consider the following risk factors that may affect our business, financial condition and results of operations. Other factors that could affect our business, financial condition and results of operation are discussed in the "Forward-Looking Statements" section above. However, there may be additional risks that are not presently material or known, and factors besides those discussed below, or in this or other reports that we file or furnish with the SEC, that could also adversely affect us. **Current (2024):** We maintain a website at investor.citizensbank.com. We make available on our website, free of charge, our annual reports on Form 10-K, quarterly reports on Form 10-Q and current reports on Form 8-K, including exhibits, and amendments to those reports that are filed or furnished to the SEC pursuant to Section 13(a) of the Securities Exchange Act of 1934. These documents are made available on our website as soon as reasonably practicable after they are electronically filed with or furnished to the SEC. The SEC also maintains an internet site (www.sec.gov) that contains reports, proxy and information statements, and other information regarding issuers that file electronically with the SEC. Information about our Board and its committees and corporate governance, including our Code of Business Conduct and Ethics, is available on our website at investor.citizensbank.com/about-us/investor-relations/corporate-governance. ITEM 1A. RISK FACTORS We are subject to a number of risks potentially impacting our business, financial condition, results of operations and cash flows. As a financial services organization, certain elements of risk are inherent in our transactions and operations and the business decisions we make. Therefore, we encounter risk as part of the normal course of our business and design a risk management framework and associated processes to help manage these risks. Our success is dependent on our ability to identify, understand and manage the risks presented by our business activities so that we can appropriately balance risk taking with revenue generation and profitability. We discuss the primary risks we face and our risk management framework and associated processes and strategies in the "Risk Governance" section in Item 7. You should carefully consider the following risk factors that may affect our business, financial condition, results of operations or cash flows. Other factors that could affect us are discussed in the "Forward-Looking Statements" section above. However, there may be additional risks that are not currently material or known, and factors besides those discussed below, or in this or other reports that we file or furnish with the SEC, that could adversely affect us. Therefore, the risks described in the risk factors below should not be considered a complete list of risks that we may encounter. --- ## Modified: We may not be able to successfully execute our business strategy. **Key changes:** - Reworded sentence: "Our business strategy is designed to maximize the full potential of our business and drive sustainable growth and enhanced profitability, with our success resting on our ability to distinguish ourselves." - Reworded sentence: "If we are not able to successfully execute our business strategy, we may not achieve our financial performance goals and any shortfall may be material." **Prior (2023):** Our business strategy is designed to maximize the full potential of our business and drive sustainable growth and enhanced profitability, and our success rests on our ability to maintain a high-performing, customer-centric organization; develop differentiated value propositions to acquire, deepen, and retain core customer segments; build excellent capabilities designed to help us stand out from our competitors; operate with financial discipline and a mindset of continuous improvement to self-fund investments; prudently grow and optimize our balance sheet; modernize our technology and operational models to improve delivery, organizational agility and speed to market; and embed risk management within our culture and our operations. Our future success and the value of our stock will depend, in part, on our ability to effectively implement our business strategy, including the cost savings and efficiency components, and achieve our financial performance goals, including through the integration of Investors and the HSBC branches. There are risks and uncertainties, many of which are not within our control, associated with each element of our strategy. If we are not able to successfully execute our business strategy, we may never achieve our financial performance goals and any shortfall may be material. See the "Business Strategy" section in Item 1 for further information. **Current (2024):** Our business strategy is designed to maximize the full potential of our business and drive sustainable growth and enhanced profitability, with our success resting on our ability to distinguish ourselves. Our future success and the value of our stock depends, in part, on our ability to effectively implement our business strategy, including the cost savings and efficiency components, and achieve our financial performance goals, including the anticipated benefits of the Private Bank start-up investment and Investors acquisition. There are risks and uncertainties, many of which are not within our control, associated with each element of our strategy. If we are not able to successfully execute our business strategy, we may not achieve our financial performance goals and any shortfall may be material. See the "Business Strategy" section in Item 1 for further information. --- ## Modified: Protection of Customer Personal Information and Cybersecurity **Key changes:** - Reworded sentence: "The privacy provisions of GLBA generally prohibit financial institutions, including us, from disclosing nonpublic personal financial information of consumer customers to third parties for certain purposes unless customers have the opportunity to opt out of the disclosure." - Reworded sentence: "Both the Fair Credit Reporting Act and Regulation V, which are issued by the FRB, govern the use and provision of information to consumer reporting agencies." - Reworded sentence: "Financial institutions are expected to design multiple layers of security controls to establish lines of defense and to ensure that their risk management processes also address the risk posed by compromised customer credentials, including security measures to reliably authenticate customers when accessing internet-based services of the financial institution." - Reworded sentence: "For a further discussion of risks related to cybersecurity, see Item 1A "Risk Factors." A financial institution is also required to notify its primary banking regulator within 36 hours of computer-security incidents that have materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade its: •ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base; •business lines, including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or •operations, including associated services, functions, and support, the failure or discontinuance of which would pose a threat to the financial stability of the United States." **Prior (2023):** The privacy provisions of GLBA generally prohibit financial institutions, including us, from disclosing nonpublic personal financial information of consumer customers to third parties for certain purposes (primarily marketing) unless customers have the opportunity to opt out of the disclosure. The Fair Credit Reporting Act restricts information sharing among affiliates for marketing purposes. Both the Fair Credit Reporting Act and Regulation V, issued by the FRB, govern the use and provision of information to consumer reporting agencies. The federal banking regulators regularly issue guidance regarding cybersecurity intended to enhance cyber risk management standards among financial institutions. Financial institutions are expected to design multiple layers of security controls to establish lines of defense and to ensure that their risk management processes also address the risk posed by compromised customer credentials, including security measures to reliably authenticate customers' accessing internet-based services of the financial institution. Further, a financial institution's management is expected to maintain sufficient business continuity planning processes to ensure the rapid recovery, resumption and maintenance of the institution's operations after a cyber-attack involving destructive malware. A financial institution is also expected to develop appropriate processes to enable recovery of data and business operations and address rebuilding network capabilities and restoring data if the institution or its critical service providers fall victim to this type of cyber-attack. If we fail to observe the regulatory guidance, we could be subject to various regulatory sanctions, including financial penalties. For a further discussion of risks related to cybersecurity, see Item 1A "Risk Factors." In November 2021, the federal banking regulators issued a final rule mandating financial institutions to report certain significant cybersecurity incidents to regulators. The final rule requires a financial institution to notify its primary banking regulator within 36 hours of certain significant cybersecurity incidents which has or is reasonably likely to disrupt or degrade its: •ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base; •business lines, including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or •operations, including associated services, functions, and support, the failure or discontinuance of which would pose a threat to the financial stability of the United States. Bank service providers are required to notify at least one designated point of contact at affected banking organization customers as soon as possible after any computer-security incident which has or is reasonably likely to materially disrupt or degrade covered services for four or more hours. The final rule was effective April 1, 2022, with a compliance date of May 1, 2022. In addition, in March 2022, the SEC proposed new rules that would require reporting on Form 8-K of material cybersecurity incidents. State regulators have also been increasingly active in implementing privacy and cybersecurity standards and regulations. Recently, several states have adopted laws and regulations requiring certain financial institutions to implement cybersecurity programs and providing detailed requirements with respect to these programs, including data encryption requirements. For example, the California Consumer Privacy Act, which became effective on January 1, 2020, gives new rights to California residents to require certain businesses to disclose or delete their personal information. In addition, many states have also recently implemented or modified their data breach notification and data privacy requirements. We expect this trend of state-level activity to continue and are continually monitoring developments in the states in which we operate. **Current (2024):** The privacy provisions of GLBA generally prohibit financial institutions, including us, from disclosing nonpublic personal financial information of consumer customers to third parties for certain purposes unless customers have the opportunity to opt out of the disclosure. The Fair Credit Reporting Act restricts information sharing among affiliates for marketing purposes. Both the Fair Credit Reporting Act and Regulation V, which are issued by the FRB, govern the use and provision of information to consumer reporting agencies. The federal banking regulators regularly issue guidance regarding cybersecurity intended to enhance cyber risk management standards among financial institutions. Financial institutions are expected to design multiple layers of security controls to establish lines of defense and to ensure that their risk management processes also address the risk posed by compromised customer credentials, including security measures to reliably authenticate customers when accessing internet-based services of the financial institution. Further, a financial institution's management is expected to maintain sufficient business continuity planning processes to ensure the rapid recovery, resumption and maintenance of the institution's operations after a cyber-attack involving destructive malware or other compromise of customer data and/or systems. A financial institution is also expected to develop appropriate processes to enable recovery of data and business operations and address rebuilding network capabilities and restoring data if the institution or its critical service providers fall victim to this type of cyber-attack or compromise. If we fail to observe the regulatory guidance, we could be subject to various regulatory sanctions, including financial penalties. For a further discussion of risks related to cybersecurity, see Item 1A "Risk Factors." A financial institution is also required to notify its primary banking regulator within 36 hours of computer-security incidents that have materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade its: •ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base; •business lines, including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or •operations, including associated services, functions, and support, the failure or discontinuance of which would pose a threat to the financial stability of the United States. In addition, in August 2023, the SEC adopted a final rule that requires the disclosure of material cybersecurity incidents on Form 8-K. Registrants must describe the material aspects of the nature, scope and timing of the incident, as well as the impact of the incident on the registrant. The final rule also requires registrants to describe, on Form 10-K, their processes for assessing, identifying and managing material risks from cybersecurity threats and whether such risks have materially affected the registrant. Registrants must also describe Board oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing material risks from such threats. See Item 1C "Cybersecurity" for more information. State regulators have also been active in implementing privacy and cybersecurity standards and regulations. Recently, several states have adopted laws and regulations requiring certain financial institutions to implement cybersecurity programs and provide details with respect to these programs. In addition, many states have recently implemented or modified their data breach notification and data privacy requirements. We expect this trend of state-level activity to continue and are continually monitoring developments in the states in which we operate. --- ## Modified: Support of Subsidiary Bank **Key changes:** - Reworded sentence: "The Parent Company is required to serve as a source of financial and managerial strength to CBNA and, under appropriate conditions, to commit resources to support CBNA." **Prior (2023):** Under Section 616 of the Dodd-Frank Act, which codifies the FRB's long-standing "source of strength" doctrine, the Parent Company must serve as a source of financial and managerial strength for our depository institution subsidiary. The statute defines "source of financial strength" as the ability to provide financial assistance in the event of the financial distress at the insured depository institution. The FRB may require that the Parent Company provide such support at times even when the Parent Company may not have the financial resources to do so, or when doing so may not serve our interests or those of our shareholders or creditors. In addition, any capital loans by a BHC to its subsidiary bank are subordinate in right of payment to deposits and to certain other indebtedness of such subsidiary bank. In the event of a BHC's bankruptcy, any commitment by the BHC to a federal bank regulatory agency to maintain the capital of a subsidiary bank will be assumed by the bankruptcy trustee and entitled to a priority of payment. **Current (2024):** The Parent Company is required to serve as a source of financial and managerial strength to CBNA and, under appropriate conditions, to commit resources to support CBNA. This support may be required by the FRB at times when the Parent Company may not have the financial resources to do so, or when doing so may not serve our interests or those of our shareholders or creditors. In addition, any capital loans by a BHC to a subsidiary bank are subordinate in right of payment to deposits and certain other indebtedness of such subsidiary bank. In the event of a BHC's bankruptcy, any commitment by the BHC to a federal bank regulatory agency to maintain the capital of a subsidiary bank will be assumed by the bankruptcy trustee and entitled to a priority of payment. --- ## Modified: Diversity, Equity and Inclusion **Key changes:** - Reworded sentence: "Development programs are designed to build a strong pipeline of emerging talent, including diverse talent, internally, and have been effective in increasing the development of our overall colleague base as well as increasing the number of women and people of color in senior leader roles." - Reworded sentence: "Each BRG is sponsored by a member of the executive team and approximately 3,500 colleagues belonged to at least one BRG as of December 31, 2023." **Prior (2023):** We foster a culture where all stakeholders feel respected, valued, and heard. Our DE&I strategy is focused on creating an environment of inclusion and belonging, building a more diverse workforce and evaluating the effectiveness of our initiatives. We are committed to increasing the representation of women and people of color, particularly in leadership roles. To that end, we have continued to develop strong partnerships with business and community organizations to help identify qualified diverse candidates for roles within every segment of our organization. In addition, through our diverse hiring commitment, we aim to have at least 50% of candidates interviewed for mid-to-senior openings be women or people of color. Internal diversity scorecards are used to measure our progress across multiple DE&I metrics. As of December 31, 2022, approximately 58% of our colleagues were women and approximately 32% were people of color. In addition, approximately 31% of the members of our Board of Directors are women and approximately 15% are people of color. More detail regarding our workforce demographics can be found on our website and in our Corporate Responsibility Report. Development programs are designed to build a strong pipeline of diverse emerging talent internally. Development efforts have been effective in increasing the number of women and people of color considered "ready now" succession candidates. We also partner with external organizations to offer additional resources for reskilling and upskilling diverse colleagues. We also offer education programs focused on embedding inclusive behaviors in our culture to all colleagues. We require all colleagues to attend inclusion training and there is additional targeted inclusion training specifically for colleagues in manager roles. We use various resources to understand what drives a sense of inclusion and belonging and to identify what actions will be effective in attracting and retaining diverse colleagues. Analytics are used to help prioritize initiatives, including answers to OHI survey items, which we segment by various colleague populations to provide additional insights. In addition, we have seven business resource groups ("BRGs"), which are an extension of the business and are integral to identifying and formulating solutions to DE&I issues that are most important to customers, colleagues, and the community. Citizens BRGs include Citizens WIN (Women's Impact Network), Citizens Elev8 (Rising Professionals), Prism (Multicultural), Citizens Pride (LGBTQ+), Citizens Veterans, and Citizens Awake (Disability Awareness). In 2023, we launched an additional BRG, Caring for Citizens (Caregivers). Each BRG is sponsored by a member of the executive team and, as of December 31, 2022, approximately 3,200 colleagues belonged to at least one BRG. **Current (2024):** We foster a culture where all stakeholders feel respected, valued, and heard. Our DE&I strategy is focused on creating an environment of inclusion and belonging, building a more diverse workforce and evaluating the effectiveness of our initiatives. Development programs are designed to build a strong pipeline of emerging talent, including diverse talent, internally, and have been effective in increasing the development of our overall colleague base as well as increasing the number of women and people of color in senior leader roles. We also partner with external organizations to offer additional resources for reskilling and upskilling colleagues, including diverse colleagues. We acknowledge that there are opportunities to further increase the representation of women and people of color, particularly in leadership roles, and we continue to develop strong partnerships with business and community organizations to help identify diverse candidates for roles within every segment of our organization. In addition, we ensure that interview slates for senior openings include candidates with diverse backgrounds and perspectives. An internal dashboard is used to monitor our progress across multiple DE&I metrics. Information regarding our workforce demographics can be found in our Environmental Social Governance Report and on our website, which includes a link to our most recently filed EEO-1 report. Various resources are used by management to understand what drives a sense of inclusion and belonging and to identify what actions will be effective in attracting and retaining diverse colleagues. Analytics are used to help prioritize initiatives, including responses to our OHS, which we segment by various colleague populations to provide additional insights. In addition, we have seven business resource groups ("BRGs"), which are integral to identifying and formulating solutions to DE&I issues that are most important to customers, colleagues, and the community. Our BRGs include Citizens WIN (Women's Impact Network), Citizens Elev8 (Rising Professionals), Prism (Multicultural), Citizens Pride (LGBTQ+), Citizens Veterans, and Citizens Awake (Disability Awareness). In 2023, we launched an additional BRG, Caring for Citizens (Caregivers). Each BRG is sponsored by a member of the executive team and approximately 3,500 colleagues belonged to at least one BRG as of December 31, 2023. We also offer education programs focused on embedding inclusive behaviors in our culture designed for colleagues at all levels of leadership. --- ## Modified: Business Segments **Key changes:** - Reworded sentence: "We manage our business through two primary business segments: Consumer Banking and Commercial Banking." - Removed sentence: "Our activities outside these segments are classified as "Other" and include treasury activities, wholesale funding activities, the securities portfolio, community development assets, and other unallocated assets, liabilities, capital, revenues, provision for credit losses and expenses, including income tax expense." **Prior (2023):** We manage our business through two business segments: Consumer Banking and Commercial Banking. For additional information regarding our business segments see the "Business Operating Segments" section of Item 7 and Note 26 in Item 8. Our activities outside these segments are classified as "Other" and include treasury activities, wholesale funding activities, the securities portfolio, community development assets, and other unallocated assets, liabilities, capital, revenues, provision for credit losses and expenses, including income tax expense. **Current (2024):** We manage our business through two primary business segments: Consumer Banking and Commercial Banking. Our activities outside these segments are classified as Non-Core or Other. Non-Core includes our indirect auto and certain purchased consumer loan portfolios that we discontinued the origination of as part of our recently announced balance sheet optimization strategy. Other includes treasury activities, wholesale funding, the securities portfolio, community development assets, and other unallocated assets, liabilities, capital, revenues, provision (benefit) for credit losses and expenses, including income tax expense. For additional information regarding our business segments see the "Business Operating Segments" section of Item 7 and Note 26 in Item 8. --- ## Modified: The effects of geopolitical instability may adversely affect us and create significant risks and uncertainties for our business, with the ultimate impact dependent on future developments, which are highly uncertain and unpredictable. **Key changes:** - Reworded sentence: "Ongoing geopolitical instability, such as the wars in Ukraine and the Middle East, has negatively impacted, and could in the future negatively impact, the global and U.S." - Reworded sentence: "The extent to which such geopolitical instability adversely affects our business, financial condition and results of operations, as well as our liquidity and capital profile, will depend on future developments, which are highly uncertain and unpredictable, including the extent and duration of the wars and the associated immeasurable humanitarian toll inflicted as a result." **Prior (2023):** Ongoing geopolitical instability, such as Russia's invasion of Ukraine, has negatively impacted, and could in the future negatively impact, the global and U.S. economies, including by causing supply chain disruptions, rising prices for oil and other commodities, volatility in capital markets and foreign currency exchange rates, rising interest rates and heightened cybersecurity risks. The extent to which such geopolitical instability, such as Russia's invasion of Ukraine, adversely affects our business, financial condition and results of operations, as well as our liquidity and capital profile, will depend on future developments, which are highly uncertain and unpredictable, including with respect to Russia's invasion, the extent and duration of the invasion and economic sanctions imposed on Russia, and the immeasurable humanitarian toll inflicted on Ukraine. If geopolitical instability adversely affects us, it may also have the effect of heightening other risks related to our business. **Current (2024):** Ongoing geopolitical instability, such as the wars in Ukraine and the Middle East, has negatively impacted, and could in the future negatively impact, the global and U.S. economies, including by causing supply chain disruptions, rising prices for oil and other commodities, volatility in capital markets and foreign currency exchange rates, rising interest rates and heightened cybersecurity risks. The extent to which such geopolitical instability adversely affects our business, financial condition and results of operations, as well as our liquidity and capital profile, will depend on future developments, which are highly uncertain and unpredictable, including the extent and duration of the wars and the associated immeasurable humanitarian toll inflicted as a result. If geopolitical instability adversely affects us, it may also have the effect of heightening other risks related to our business. --- ## Modified: Unpredictable catastrophic events, including pandemics, terrorist attacks, extreme weather events and other large-scale catastrophes, could have an adverse effect on our business, financial position and results of operations. **Key changes:** - Reworded sentence: "The occurrence of catastrophic events, including pandemics, terrorists attacks, extreme weather events, such as hurricanes, tropical storms, or tornadoes, and other large-scale catastrophes could adversely affect our business, financial condition or results of operations." **Prior (2023):** The occurrence of catastrophic events, including pandemics, such as COVID-19, terrorists attacks, extreme weather events, such as hurricanes, tropical storms, or tornadoes, and other large-scale catastrophes could adversely affect our business, financial condition or results of operations, including by affecting the stability of our deposit base, impairing the ability of our borrowers to repay outstanding loans, impairing the value of collateral securing loans, causing significant property damage or operational disruptions, resulting in loss of revenue or causing us to incur additional expenses. For example, the COVID-19 pandemic has in the past negatively affected, and could in the future negatively affect, the global and U.S. economies, including by increasing unemployment levels, disrupting supply chains and businesses in many industries, lowering equity market valuations, decreasing liquidity in fixed income markets, and creating significant volatility and disruption in financial markets. This has in the past resulted in, and could in the future result in, higher and more volatile provisions for credit losses and has in the past adversely affected, and could in the future adversely affect, our noninterest income. The extent to which the COVID-19 pandemic could adversely affect our business, financial condition and results of operations, as well as our liquidity and capital profile, will depend on future developments, which are highly uncertain and cannot be predicted, including the scope and duration of the pandemic, any resurgence of COVID-19 cases and the emergence of new variants, the widespread availability, use and effectiveness of vaccines, actions taken by governmental authorities and other third parties in response to the pandemic and the direct and indirect impact of the pandemic on us, our clients and customers, our service providers and other market participants. As the COVID-19 pandemic adversely affects us, it may also have the effect of heightening many of the other risks described herein. Furthermore, although we maintain both business continuity and disaster recovery plans, if a terrorist attack, extreme weather event, or other catastrophe rendered both our production data center in Rhode Island and our recovery data center in North Carolina unusable, there can be no assurance that these plans and related capabilities will adequately protect us from such events, and our business, financial condition or results of operations could be adversely affected. **Current (2024):** The occurrence of catastrophic events, including pandemics, terrorists attacks, extreme weather events, such as hurricanes, tropical storms, or tornadoes, and other large-scale catastrophes could adversely affect our business, financial condition or results of operations. Such events could affect the stability of our deposit base, impair the ability of our borrowers to repay outstanding loans, impair the value of collateral securing loans, and cause significant property damage or operational disruptions, resulting in loss of revenue or causing us to incur additional expenses. Furthermore, although we maintain both business continuity and disaster recovery plans, if a terrorist attack, extreme weather event, or other catastrophe rendered our production and recovery data unusable, there can be no assurance that these plans and related capabilities will adequately protect us from such events, and our business, financial condition or results of operations could be adversely affected. While the U.S. economy has generally recovered since the onset of the COVID disruption, a resurgence of pandemic conditions could reintroduce, or intensify, these impacts and adversely affect our business, financial condition and results of operations, as well as our liquidity and capital profile. --- ## Modified: The financial services industry, including the banking sector, continues to make technological enhancements to meet customer preferences, as well as meet legal and regulatory requirements, and we may not be able to compete effectively as a result of these changes. **Key changes:** - Reworded sentence: "Technology within the financial services industry continues to evolve and new, unexpected technological changes could have a transformative effect on the way banks offer products and services." - Reworded sentence: "Regulatory guidance continues to be focused on the need for financial institutions to perform appropriate due diligence and ongoing monitoring of third-party vendor relationships, thus increasing the scope of management involvement and decreasing the efficiency otherwise resulting from our relationships with third-party technology providers." - Reworded sentence: "Also, see "Supervisory requirements and expectations on us as a financial holding company and a bank holding company and any regulator-imposed limits on our activities could adversely affect our ability to implement our strategic plan, expand our business, continue to improve our financial performance and make capital distributions to our stockholders."" **Prior (2023):** The financial services industry, including the banking sector, is continually undergoing rapid technological change with frequent introductions of new technology-driven products and services. In addition, new, unexpected technological changes could have a disruptive effect on the way banks offer products and services. We believe our success depends, to a great extent, on our ability to address customer needs by using technology to offer products and services that provide convenience to customers and to create additional efficiencies in our operations. However, we may not be able to, among other things, keep up with the rapid pace of technological changes, effectively implement new technology-driven products and services or be successful in marketing these products and services to our customers. As a result, our ability to compete effectively to attract or retain new business may be impaired, and our business, financial condition or results of operations may be adversely affected. In addition, changes in the legal and regulatory framework under which we operate require us to update our information systems to ensure compliance. Our need to review and evaluate the impact of ongoing rule proposals, final rules and implementation guidance from regulators further complicates the development and implementation of new information systems for our business. Also, recent regulatory guidance has focused on the need for financial institutions to perform increased due diligence and ongoing monitoring of third-party vendor relationships, thus increasing the scope of management involvement and decreasing the efficiency otherwise resulting from our relationships with third-party technology providers. Given the significant number of ongoing regulatory reform initiatives, it is possible that we incur higher than expected information technology costs in order to comply with current and impending regulations. See " - Supervisory requirements and expectations on us as a FHC and a BHC and any regulator-imposed limits on our activities could adversely affect our ability to implement our strategic plan, expand our business, continue to improve our financial performance and make capital distributions to our stockholders." **Current (2024):** Technology within the financial services industry continues to evolve and new, unexpected technological changes could have a transformative effect on the way banks offer products and services. We believe our success depends, to a great extent, on our ability to utilize technology to offer products and services that address the needs of our customers and to create efficiencies in our operations. However, we may not be able to, among other things, keep up with the rapid pace of technological changes, effectively implement new technology-driven products and services, or be successful in marketing these products and services to our customers. As a result, our ability to compete effectively to attract or retain business may be impaired, and our business, financial condition or results of operations may be adversely affected. In addition, changes in the legal and regulatory framework under which we operate require us to update our information systems to ensure compliance. Our need to review and evaluate the impact of ongoing rule proposals, final rules and implementation guidance from regulators further complicates the development and implementation of new information systems for our business. Regulatory guidance continues to be focused on the need for financial institutions to perform appropriate due diligence and ongoing monitoring of third-party vendor relationships, thus increasing the scope of management involvement and decreasing the efficiency otherwise resulting from our relationships with third-party technology providers. Given the significant number of ongoing regulatory reform initiatives, it is possible that we incur higher than expected information technology costs in order to comply with current and impending regulations. Also, see "Supervisory requirements and expectations on us as a financial holding company and a bank holding company and any regulator-imposed limits on our activities could adversely affect our ability to implement our strategic plan, expand our business, continue to improve our financial performance and make capital distributions to our stockholders." --- ## Modified: Volcker Rule **Key changes:** - Reworded sentence: "This statutory provision is commonly called the "Volcker Rule." Under this rule, we are viewed as having "moderate" trading assets and liabilities, which subjects us to a simplified compliance program requirement that is appropriate for our activities, size, scope, and complexity." **Prior (2023):** The Dodd-Frank Act prohibits banks and their affiliates from engaging in proprietary trading and investing in, sponsoring and having certain relationships with private funds such as certain hedge funds or private equity funds. The statutory provision is commonly called the "Volcker Rule." In 2019, the FRB, OCC, FDIC, SEC and CFTC (collectively, the "Volcker Agencies") finalized amendments to their regulations to tailor the Volcker Rule's compliance requirements to the amount of a firm's trading activity, revise the definition of trading account, clarify certain key provisions in the Volcker Rule, and modify the information companies are required to provide the Volcker Agencies. Under those amendments, we are viewed as having "moderate" trading assets and liabilities, and therefore subject to a requirement to have a simplified compliance program that is appropriate for our activities, size, scope, and complexity. In June 2020, the Volcker Agencies finalized other regulations modifying the Volcker Rule's prohibition on banking entities investing in or sponsoring hedge funds or private equity funds (referred to under the rule as covered funds). We do not expect either of these regulatory amendments to the Volcker Rule to have a material impact on Citizens. **Current (2024):** The Dodd-Frank Act prohibits banks and their affiliates from engaging in proprietary trading and investing in, sponsoring and having certain relationships with private funds such as certain hedge funds or private equity funds. This statutory provision is commonly called the "Volcker Rule." Under this rule, we are viewed as having "moderate" trading assets and liabilities, which subjects us to a simplified compliance program requirement that is appropriate for our activities, size, scope, and complexity. This Volcker Rule does not have a material impact on Citizens. --- ## Modified: Resolution Planning **Key changes:** - Reworded sentence: "Category IV firms such as CFG are no longer required to submit resolution plans under section 165(d) of the Dodd-Frank Act." - Added sentence: "On August 29, 2023, the FDIC issued a proposal that would require IDIs with total assets of $100 billion or more, including CBNA, to submit a more robust resolution plan biennially that includes a comprehensive strategy from the point of failure to liquidation or return of the institution to the private sector." - Added sentence: "The identified strategy must ensure timely access to insured deposits, maximize value from the sale or disposition of assets, minimize losses realized by creditors, and address potential risks of adverse effects on U.S." - Added sentence: "economic conditions or financial stability." - Added sentence: "In addition, the strategy generally expects, but does not require, a default scenario whereby the FDIC, as receiver of the failed institution, operates the institution under a bridge bank." **Prior (2023):** Category IV firms are no longer required to submit resolution plans to the FRB and FDIC. However, CBNA is required to file periodically a separate resolution plan with the FDIC that should enable the FDIC, as receiver, to resolve the institution under applicable receivership provisions of the FDIA in a manner that ensures that depositors receive access to their insured deposits within one business day of the institution's failure, maximizes the net present value return from the sale or disposition of its assets and minimizes the amount of any loss to the institution's creditors. In June 2021, the FDIC issued a Statement on Resolution Plans for Insured Depository Institutions that, among other things, established a three-year filing cycle for banks with $100 billion or more in total assets, such as CBNA, and provides details regarding the content of the resolution plans that filers are required to prepare. CBNA submitted its most recent resolution plan to the FDIC on December 1, 2022. **Current (2024):** Category IV firms such as CFG are no longer required to submit resolution plans under section 165(d) of the Dodd-Frank Act. However, CBNA is required to periodically file an IDI resolution plan with the FDIC. This plan enables the FDIC, as receiver, to resolve the institution under applicable receivership provisions of the FDIA in a manner that ensures that depositors receive access to their insured deposits within one business day of the institution's failure, maximizes the net present value return from the sale or disposition of the institution's assets and minimizes the amount of any loss to the institution's creditors. In 2021, the FDIC issued a Statement on Resolution Plans for IDIs that, among other things, established a three-year filing cycle for banks with $100 billion or more in total assets, such as CBNA, and provided details regarding the content of the resolution plans that filers are required to prepare. CBNA submitted its most recent resolution plan to the FDIC on December 1, 2022. On August 29, 2023, the FDIC issued a proposal that would require IDIs with total assets of $100 billion or more, including CBNA, to submit a more robust resolution plan biennially that includes a comprehensive strategy from the point of failure to liquidation or return of the institution to the private sector. The identified strategy must ensure timely access to insured deposits, maximize value from the sale or disposition of assets, minimize losses realized by creditors, and address potential risks of adverse effects on U.S. economic conditions or financial stability. In addition, the strategy generally expects, but does not require, a default scenario whereby the FDIC, as receiver of the failed institution, operates the institution under a bridge bank. The proposal also enhances how the credibility of resolution plans will be assessed, expands expectations regarding engagement and capabilities testing, and requires IDIs to demonstrate the capability to promptly establish a virtual data room in the run-up to or upon failure. The proposal provides that IDIs submit their initial resolution plan no earlier than 270 days from the effective date of the amended rule. Comments on the proposal were due by November 30, 2023. We are in the process of evaluating the impact of the proposal on our business. --- ## Modified: Our regulators may impose restrictions or limitations on our operations. **Key changes:** - Reworded sentence: "In addition, as part of our regular examination process, our regulators may advise us to conduct significant remediation activities or operate under various restrictions as a prudential matter." - Reworded sentence: "As a result, such supervisory actions or restrictions, if and in whatever manner imposed, could have a material adverse effect on our business and results of operations." **Prior (2023):** From time to time, bank regulatory agencies take supervisory actions that restrict or limit a financial institution's activities and lead it to raise capital or subject it to other requirements. Directives issued to enforce such actions may be confidential and thus, in some instances, we are not permitted to publicly disclose these actions. In addition, as part of our regular examination process, our regulators may advise us to operate under various restrictions as a prudential matter. Any such actions or restrictions, if and in whatever manner imposed, could adversely affect our costs and revenues. Moreover, efforts to comply with any such nonpublic supervisory actions or restrictions may require material investments in additional resources and systems, as well as a significant commitment of managerial time and attention. As a result, such supervisory actions or restrictions, if and in whatever manner imposed, could have a material adverse effect on our business and results of operations; and, in certain instances, we may not be able to publicly disclose these matters. **Current (2024):** From time to time, bank regulatory agencies take supervisory actions that restrict or limit a financial institution's activities and lead it to raise capital or subject it to other requirements. In addition, as part of our regular examination process, our regulators may advise us to conduct significant remediation activities or operate under various restrictions as a prudential matter. Any such actions or restrictions, if and in whatever manner imposed, could adversely affect our costs and revenues. Moreover, efforts to comply with any such nonpublic supervisory actions or restrictions may require material investments in additional resources and systems, as well as a significant commitment of managerial time and attention. As a result, such supervisory actions or restrictions, if and in whatever manner imposed, could have a material adverse effect on our business and results of operations. --- ## Modified: Bank and Financial Holding Company Regulation **Key changes:** - Reworded sentence: "To maintain FHC status, a BHC and all of its depository institution subsidiaries must remain "well capitalized" and "well managed," as described below under "Federal Deposit Insurance Act." If a BHC fails to meet these regulatory standards, the FRB could place limitations on its ability to conduct the broader financial activities permissible for FHCs or impose limitations or conditions on the conduct or activities of the BHC or its affiliates." - Reworded sentence: "As noted above, FRB approval is generally not required for BHCs to acquire a company engaged in activities that are financial in nature or incidental to activities that are financial in nature, as determined by the FRB." - Reworded sentence: "banking or financial system; the companies' compliance with anti-money laundering laws and regulations; the convenience and needs of the communities to be served; and the performance record of the IDIs involved in the transaction under the CRA." **Prior (2023):** As a FHC, we may engage in a broader range of activities than a BHC that is not also a FHC. These activities include securities underwriting and dealing, insurance underwriting and brokerage, merchant banking and other activities that are determined by the FRB, in coordination with the Treasury Department, to be "financial in nature or incidental thereto" or that the FRB determines unilaterally to be "complementary" to financial activities. In addition, a FHC may commence new permissible financial activities or acquire non-bank financial companies engaged in such activities, in either case, with after-the-fact notice to the FRB. To maintain our FHC status, a BHC (and all of its depository institution subsidiaries), must remain "well capitalized" and "well managed," as described below under "Federal Deposit Insurance Act". If a BHC fails to meet these regulatory standards, the FRB could place limitations on its ability to conduct the broader financial activities permissible for FHCs or impose limitations or conditions on the conduct or activities of the BHC or its affiliates. If the deficiencies persisted, the FRB could order the BHC to divest any subsidiary bank or to cease engaging in any activities permissible for FHCs that are not permissible for BHCs, or the BHC could elect to conform its non-banking activities to those permissible for a BHC that is not also a FHC. In addition, the CRA requires U.S. banks to help serve the needs of their communities. If a depository institution subsidiary of a BHC were to receive a CRA rating of less than "satisfactory", the BHC would be prohibited from engaging in certain activities or acquisitions (see "Community Reinvestment Act" below). Federal and state laws impose notice and approval requirements for mergers and acquisitions of other depository institutions or BHCs. As noted above, FRB approval is generally not required for us to acquire a company engaged in activities that are financial in nature or incidental to activities that are financial in nature, as determined by the FRB. Prior regulatory approval is required, however, before we may acquire or control more than 5% of any class of voting shares or substantially all of the assets of a BHC (including a FHC) or a bank. In considering applications for approval of acquisitions, the banking regulators may take several factors into account, including the competitive effects of the transaction in the relevant geographic markets; the financial and managerial resources and future prospects of companies involved in the transaction; the effect of the transaction on the financial stability of the U.S. banking or financial system; the companies' compliance with anti-money laundering laws and regulations; the convenience and needs to the communities to be served; and the records of performance under the CRA of the insured depository institutions involved in the transaction. Capital The U.S. Basel III rules apply to us. These rules establish risk-based and leverage capital requirements. The risk-based requirements are based on a banking organization's risk-weighted assets, also known as RWA, which reflect the organization's on- and off-balance sheet exposures, subject to risk weights. The leverage requirements are based on a banking organization's average consolidated on-balance sheet assets. For more detail on our regulatory capital, see the "Capital and Regulatory Matters" section of Item 7. We calculate RWA using the standardized approach and have made the one-time election to opt-out of recognizing in regulatory capital the impacts of net unrealized gains and losses included within AOCI for debt securities that are available for sale or held to maturity, accumulated net gains and losses on cash flow hedges and certain defined benefit pension plan assets. On January 1, 2020, we adopted the CECL accounting standard. In reaction to the COVID disruption, on September 30, 2020, the federal banking regulators adopted a final rule relative to regulatory capital treatment of the ACL under CECL. This rule allowed electing banking organizations to delay the estimated impact of CECL on regulatory capital for a two-year period ending December 31, 2021, followed by a three-year transition period ending December 31, 2024. The three-year transition period will phase-in the reversal of the aggregate amount of the capital benefit provided during the initial two-year delay. Under the U.S. Basel III rules, the minimum capital ratios are: •4.5% CET1 capital to risk-weighted assets; •6.0% tier 1 capital (that is, CET1 capital plus additional tier 1 capital) to risk-weighted assets; •8.0% total capital (that is, tier 1 capital plus tier 2 capital) to risk-weighted assets; and •4.0% tier 1 capital to total average consolidated assets as defined under U.S. Basel III Standardized approach (known as the "leverage ratio"). For BHCs with $100 billion or more in assets, such as us, the FRB's capital rules impose a dynamic institution-specific SCB on top of each of the three minimum risk-weighted capital ratios listed above. Banking institutions that fail to meet the effective minimum ratios including the SCB will be subject to constraints on capital distributions, including dividends and share repurchases, and certain discretionary executive compensation. The severity of the constraints depends on the amount of the shortfall and the institution's "eligible retained income", defined as the greater of four quarter trailing net income net of distributions and tax effects not reflected in net income, or the average four quarter trailing net income. As a Category IV firm, our SCB is re-calibrated with each biennial supervisory stress test and updated annually to reflect our planned common stock dividends. On August 4, 2022, the FRB announced, based on the results of the 2022 CCAR supervisory stress tests, that our SCB will remain at 3.4% through September 30, 2023. To incorporate the effects of the Investors acquisition on our capital requirements, the FRB will require that we participate in the 2023 CCAR supervisory stress test. For more details, see " - Capital Planning and Stress Testing Requirements" below and the "Capital and Regulatory Matters" section of Item 7. We are also subject to the FRB's risk-based capital requirements for market risk. See the "Market Risk" section of Item 7. **Current (2024):** As a FHC, we may engage in a broader range of activities than a BHC that is not also a FHC. These activities include securities underwriting and dealing, insurance underwriting and brokerage, merchant banking and other activities that are determined by the FRB, in coordination with the Treasury Department, to be "financial in nature or incidental thereto" or that the FRB determines unilaterally to be "complementary" to financial activities. In addition, a FHC may commence new permissible financial activities or acquire non-bank financial companies engaged in such activities, in either case, with after-the-fact notice to the FRB. To maintain FHC status, a BHC and all of its depository institution subsidiaries must remain "well capitalized" and "well managed," as described below under "Federal Deposit Insurance Act." If a BHC fails to meet these regulatory standards, the FRB could place limitations on its ability to conduct the broader financial activities permissible for FHCs or impose limitations or conditions on the conduct or activities of the BHC or its affiliates. If the deficiencies persisted, the FRB could order the BHC to divest any subsidiary bank or to cease engaging in any activities permissible for FHCs that are not permissible for BHCs, or the BHC could elect to conform its non-banking activities to those permissible for a BHC that is not also a FHC. In addition, the CRA requires U.S. banks to help serve the needs of their communities. If a depository institution subsidiary of a BHC were to receive a CRA rating of less than "satisfactory", the BHC would be prohibited from engaging in certain activities or acquisitions (see "Community Reinvestment Act" below). Federal and state laws impose notice and approval requirements for mergers and acquisitions of other depository institutions or BHCs. As noted above, FRB approval is generally not required for BHCs to acquire a company engaged in activities that are financial in nature or incidental to activities that are financial in nature, as determined by the FRB. Prior regulatory approval is required, however, before a BHC may acquire or control more than 5% of any class of voting shares or substantially all of the assets of a BHC, including a FHC, or a bank. In considering applications for approval of acquisitions, the banking regulators may take several factors into account, including the competitive effects of the transaction in the relevant geographic markets; the financial and managerial resources and future prospects of companies involved in the transaction; the effect of the transaction on the financial stability of the U.S. banking or financial system; the companies' compliance with anti-money laundering laws and regulations; the convenience and needs of the communities to be served; and the performance record of the IDIs involved in the transaction under the CRA. --- ## Modified: Liquidity Requirements **Key changes:** - Reworded sentence: "The liquidity coverage ratio ("LCR") is designed to ensure that a covered bank or BHC maintains an adequate level of unencumbered high-quality liquid assets to cover expected net cash outflows over a 30-day time horizon under an acute liquidity stress scenario." **Prior (2023):** The federal banking regulators have adopted the Basel III-based U.S. Liquidity Coverage Ratio rule, which is a quantitative liquidity metric designed to ensure that a covered bank or BHC maintains an adequate level of unencumbered high-quality liquid assets to cover expected net cash outflows over a 30-day time horizon under an acute liquidity stress scenario. Under the Tailoring Rules, Category IV firms with less than $50 billion in weighted short-term wholesale funding, including us, are not subject to any Liquidity Coverage Ratio requirement. The Basel III framework also includes a second liquidity standard, the NSFR, which is designed to promote more medium- and long-term funding of the assets and activities of banks over a one-year time horizon. In October 2020, the federal banking regulators issued a final rule to implement the NSFR for large U.S. banking organizations. Under the final rule, Category IV firms with less than $50 billion in weighted short-term wholesale funding, including us, are not subject to the NSFR requirement. Finally, per the liquidity rules included in the FRB's enhanced prudential standards adopted pursuant to Section 165 of the Dodd-Frank Act, we are also required to maintain a buffer of highly liquid assets based on projected funding needs for 30 days. Under the Tailoring Rules, the liquidity buffer requirements continue to apply to Category IV firms, such as us, and we remain subject to liquidity risk management requirements. However, these requirements are now tailored such that we are required to: •calculate collateral positions monthly, as opposed to weekly; •establish a more limited set of liquidity risk limits than was previously required; and •monitor fewer elements of intraday liquidity risk exposures than were previously monitored. We are also now subject to liquidity stress testing quarterly, rather than monthly, and are required to report liquidity data on a monthly basis. **Current (2024):** The liquidity coverage ratio ("LCR") is designed to ensure that a covered bank or BHC maintains an adequate level of unencumbered high-quality liquid assets to cover expected net cash outflows over a 30-day time horizon under an acute liquidity stress scenario. The NSFR is designed to promote more medium- and long-term funding of the assets and activities of banking organizations over a one-year time horizon. Under the Tailoring Rules, Category IV firms with less than $50 billion in weighted short-term wholesale funding, such as us, are not subject to any LCR or NSFR requirement. We are subject to certain liquidity requirements under the Tailoring Rules including liquidity buffer, stress testing, risk management and reporting requirements. In addition, as a Category IV firm, we are required to calculate collateral positions monthly, establish a set of liquidity risk limits, and monitor certain elements of intraday liquidity risk exposures. --- ## Modified: Changes in our accounting policies or in accounting standards could materially affect how we report our financial results and condition. **Key changes:** - Reworded sentence: "The FASB and SEC periodically change the financial accounting and reporting standards that govern the accounting for our financial results and the preparation of our consolidated financial statements." **Prior (2023):** From time to time, the FASB and SEC change the financial accounting and reporting standards that govern the accounting for our financial results and the preparation of our financial statements. These changes can be operationally complex to implement and can materially impact how we record and report our financial condition and results of operations. For example, in June 2016, the FASB issued Accounting Standards Update 2016-13, Measurement of Credit Losses on Financial Instruments ("CECL"), that substantially changed the accounting for credit losses on loans and other financial assets held by banks, financial institutions and other organizations. Upon adoption of CECL on January 1, 2020, we recognize credit losses on these assets equal to management's estimate of credit losses over the full remaining expected life. We consider all relevant information when estimating expected credit losses, including details about past events, current conditions, and reasonable and supportable forecasts. As evidenced in the first half of 2020 due to the impact of COVID-19, the standard introduces heightened volatility in provision for credit losses, given uncertainty in the accuracy of macroeconomic forecasts over longer time horizons, variances in the rate and composition of loan growth, and changes in overall loan portfolio size and mix. As a result, it is possible that our ongoing reported earnings and lending activity could be negatively impacted. For more information regarding CECL, see Note 6 in Item 8. **Current (2024):** The FASB and SEC periodically change the financial accounting and reporting standards that govern the accounting for our financial results and the preparation of our consolidated financial statements. These changes can be hard to predict and can materially impact how we record and report our financial condition and results of operations. In some cases, we could be required to apply a new or revised standard retroactively, which would result in the recasting of our prior period financial statements. --- ## Modified: Leadership, Talent Development, and Talent Acquisition and Mobility **Key changes:** - Reworded sentence: "During 2023, we continued tailored leadership training and coaching for senior management following the detailed talent assessments conducted the prior year." - Reworded sentence: "The talent market remains competitive, particularly in emerging skill areas, and we implemented a strategy to fill critical gaps that utilizes a combination of external hiring in critical areas (e.g., technology, digital, cyber, risk, marketing, and data), a strong internal mobility program made possible by the expanded learning and development offerings provided to colleagues, and reliance on temporary workers for short-term or technical projects." **Prior (2023):** Our leaders are the catalysts to achieve the culture we want to foster. During 2022, we conducted a detailed assessment of the current state of our culture and leadership to inform future areas of focus. As we continue to prepare colleagues for the future, we are building capabilities by upskilling and reskilling colleagues to support new ways of working and operating models. We offer programs that include technical and skills-based programs as well as resources aligned with our leadership competencies. To deepen critical skills, we have expanded our learning academies focusing on Innovation, Agile, Next Gen Tech, Banking and Credit, and Data & Analytics. Through our development programs, we aim to equip colleagues with the skills necessary to excel in their current roles and to build competencies that will enable them to be highly valuable contributors in the future. Our culture is one of continuous learning, which we believe is crucial for colleagues to thrive as part of our organization and to feel a sense of accomplishment and purpose. We continue to expand recruiting efforts across the different levels of the organization, with the goal of building a strong pipeline of future leaders. This includes strengthening opportunities for internal mobility within Citizens through rotational programs and our academies, as well as external partnerships to support our ability to hire critical talent in areas such as technology, digital, cyber, marketing and data. **Current (2024):** Our leaders are the catalysts to achieve the culture we want to foster. During 2023, we continued tailored leadership training and coaching for senior management following the detailed talent assessments conducted the prior year. We aim to equip all colleagues with the skills necessary to excel in their current roles and to build capabilities that will enable them to be highly valuable contributors in the future. We expanded our learning academies as well as badging and bootcamp programs focusing on critical skills such as Innovation, Agile, Next Gen Tech, Banking and Credit, and Data & Analytics. Our culture is one of continuous learning, which we believe is crucial for colleagues to thrive as part of our organization and to feel a sense of accomplishment and purpose. The talent market remains competitive, particularly in emerging skill areas, and we implemented a strategy to fill critical gaps that utilizes a combination of external hiring in critical areas (e.g., technology, digital, cyber, risk, marketing, and data), a strong internal mobility program made possible by the expanded learning and development offerings provided to colleagues, and reliance on temporary workers for short-term or technical projects. --- ## Modified: Deposit Insurance **Key changes:** - Reworded sentence: "The DIF provides insurance coverage for certain deposits, up to a standard maximum deposit insurance amount of $250,000 per depositor based on ownership right and capacity category codes and is funded through assessments on IDIs based on the risk each institution poses to the DIF." - Reworded sentence: "Our payment of dividends to our stockholders is subject to oversight by the FRB." - Reworded sentence: "See "Capital and Stress Testing Requirements" above." - Reworded sentence: "Under the recent earnings test, a dividend may not be paid if the total of all dividends declared during any calendar year exceeds the sum of current year net income and retained net income of the two preceding years, less any required transfers to surplus, unless the national bank obtains the approval of the OCC." **Prior (2023):** The FDIA requires CBNA to pay deposit insurance assessments. FDIC assessment rates for large institutions are calculated based on one of two scorecards: one for most large institutions that have more than $10 billion in assets, such as CBNA, and another for "highly complex" institutions that have over $50 billion in assets and are fully owned by a parent with over $500 billion in assets. Each scorecard has a performance score and a loss-severity score that are combined to produce a total score, which is translated into an initial assessment rate. In calculating these scores, the FDIC utilizes the CAMELS ratings and forward-looking financial measures to assess an institution's ability to withstand asset-related stress and funding-related stress. The FDIC may make discretionary adjustments to the total score, based upon significant risk factors that are not adequately captured in the scorecard. The total score is then translated to an initial base assessment rate on a non-linear, sharply increasing scale. The deposit insurance assessment is calculated based on average consolidated total assets less average tangible equity of the insured depository institution during the assessment period. Deposit insurance assessments are also affected by the minimum reserve ratio with respect to the DIF. The FDIA established a minimum DIF reserve ratio of 1.15% prior to September 2020 and 1.35% thereafter. As of September 30, 2022, the reserve ratio of the DIF was 1.26%. On October 18, 2022, the FDIC finalized a rule that will increase initial base deposit insurance assessment rates by 2 basis points, beginning with the first quarterly assessment period of 2023. The FDIC, as required under the FDIA, established a plan in September 2020 to restore the DIF reserve ratio to meet or exceed the statutory minimum of 1.35% within eight years. The increased assessment is intended to improve the likelihood that the DIF reserve ratio would reach the required minimum by the statutory deadline of September 30, 2028. Dividends Various federal statutory provisions and regulations, as well as regulatory expectations, limit the amount of dividends that we and our subsidiaries may pay. Our payment of dividends to our stockholders is subject to the oversight of the FRB. In particular, the FRB reviews the dividend policies and share repurchases of a large BHC based on capital plans submitted as part of the CCAR process and on the results of stress tests, as discussed above. In addition to other limitations, our ability to make any capital distributions, including dividends and share repurchases, is subject to the prior approval of the FRB if we are required to resubmit our capital plan. See " - Capital" and " - Capital Planning and Stress Testing Requirements" above. Dividends payable by CBNA, as a national bank subsidiary, are limited to the lesser of the amount calculated under a "recent earnings" test and an "undivided profits" test. Under the recent earnings test, a dividend may not be paid if the total of all dividends declared by a bank in any calendar year is in excess of the current year's net income combined with the retained net income of the two preceding years, less any required transfers to surplus, unless the national bank obtains the approval of the OCC. Under the undivided profits test, a dividend may not be paid in excess of the entity's "undivided profits" (generally, accumulated net profits that have not been paid out as dividends or transferred to surplus). Federal bank regulatory agencies have issued policy statements that provide that FDIC-insured depository institutions and their holding companies should generally pay dividends only out of their current operating earnings. **Current (2024):** The DIF provides insurance coverage for certain deposits, up to a standard maximum deposit insurance amount of $250,000 per depositor based on ownership right and capacity category codes and is funded through assessments on IDIs based on the risk each institution poses to the DIF. CBNA accepts customer deposits insured by the DIF and, therefore, must pay insurance premiums. The FDIC may increase CBNA's insurance premiums based on various factors, including the FDIC's assessment of its risk profile. The FDIC also requires large depository institutions, including CBNA, to maintain enhanced deposit account recordkeeping and related information technology system capabilities to facilitate prompt calculation of insured deposits if such an institution was taken into FDIC receivership. The FDIC, as required under the FDIA, established a plan in September 2020 to restore the DIF reserve ratio, 1.13% as of September 30, 2023, to meet or exceed the statutory minimum of 1.35% within eight years. This plan did not include an increase in the deposit insurance assessment rate. During 2022, the FDIC determined that the DIF reserve ratio was at risk of not reaching the statutory minimum by the statutory deadline of September 30, 2028, absent an increase in assessment rates. In October 2022, the FDIC adopted a final rule to increase initial base deposit insurance assessment rates by 2 basis points, beginning with the first quarterly assessment period of 2023. This increase in assessment rates was intended to improve the likelihood that the DIF reserve ratio will reach the required minimum by the statutory deadline of September 30, 2028. In November 2023, the FDIC approved a final rule to impose special assessments to recover the loss to the DIF arising from the protection of uninsured depositors in connection with the systemic risk determination announced on March 12, 2023, following the closures of Silicon Valley Bank and Signature Bank, as required by the FDIA. Under the final rule, the special assessment is levied on an IDI's assessment base, which is equal to estimated uninsured deposits as reported on the institution's December 31, 2022 Call Report, excluding the first $5 billion in estimated uninsured deposits. The special assessment is imposed at an annual rate of approximately 13.4 basis points and will be collected over eight quarterly assessment periods beginning with the first quarter of 2024. The FDIC's current estimate of the loss attributable to this systemic risk determination is $16.3 billion. This estimate will be periodically adjusted as assets are sold, liabilities are satisfied, and receivership expenses are incurred. The FDIC would cease collection of special assessments before the end of the initial eight-quarter collection period if they expect the loss to be less than expected assessment collections. The FDIC also reserves the right to impose an extended special assessment collection period after the initial eight-quarter period to collect the difference between losses and amounts collected, and impose a one-time final shortfall special assessment after both receiverships terminate. Based on the final rule and related accounting guidance, CBNA's special assessment is approximately $225 million and was recognized in other operating expense in the Company's Consolidated Statement of Operations for the year ended December 31, 2023. CBNA's special assessment is subject to change if the eventual loss to the DIF differs from the FDIC's current estimate. Dividends Various federal statutory provisions and regulations, as well as regulatory expectations, limit the amount of dividends that we and our subsidiaries may pay. Our payment of dividends to our stockholders is subject to oversight by the FRB. In particular, the FRB reviews the dividend policies and share repurchases of a large BHC based on capital plans submitted as part of the CCAR process and the results of stress tests, as discussed above. In addition to other limitations, our ability to make any capital distributions, including dividends and share repurchases, is subject to the prior approval of the FRB if we are required to resubmit our capital plan. See "Capital and Stress Testing Requirements" above. Dividends payable by CBNA, as a national bank subsidiary, are limited to the lesser of the amount calculated under a "recent earnings" test and an "undivided profits" test. Under the recent earnings test, a dividend may not be paid if the total of all dividends declared during any calendar year exceeds the sum of current year net income and retained net income of the two preceding years, less any required transfers to surplus, unless the national bank obtains the approval of the OCC. Under the undivided profits test, a dividend may not be paid in excess of the entity's "undivided profits" (generally accumulated net profits that have not been paid out as dividends or transferred to surplus). Federal banking regulatory agencies have issued policy statements that provide that FDIC-insured depository institutions and their holding companies should generally pay dividends only out of current operating earnings. --- ## Modified: Transactions with Affiliates and Insiders **Key changes:** - Reworded sentence: "Sections 23A and 23B of the Federal Reserve Act establish certain quantitative limits and other prudential requirements for loans, purchases of assets, and certain other transactions between a member bank or its subsidiaries and its affiliates." **Prior (2023):** Sections 23A and 23B of the Federal Reserve Act and related FRB rules, including Regulation W, restrict CBNA from extending credit to, or engaging in certain other transactions with, the Parent Company and its non-bank subsidiaries. These restrictions place limits on certain specified "covered transactions" between bank subsidiaries and their affiliates, which must be limited to 10% of a bank's capital and surplus for any one affiliate and 20% for all affiliates. Furthermore, within the foregoing limitations as to amount, certain covered transactions must meet specified collateral requirements ranging from 100% to 130%. Covered transactions are defined to include, among other things, a loan or extension of credit, as well as a purchase of securities issued by an affiliate, a purchase of assets (unless otherwise exempted by the FRB) from the affiliate, the acceptance of securities issued by the affiliate as collateral for a loan, derivatives transactions and securities lending transactions where the bank has credit exposure to an affiliate, and the issuance of a guarantee, acceptance or letter of credit on behalf of an affiliate. All covered transactions, including certain additional transactions (such as transactions with a third party in which an affiliate has a financial interest), must be conducted on market terms. The FRB enforces these restrictions, and we are audited for compliance. Section 23B prohibits an institution from engaging in certain transactions with affiliates unless the transactions are on terms substantially the same, or at least as favorable to the bank, as those prevailing at the time for comparable transactions with non-affiliated companies. Transactions between a bank and any of its subsidiaries that are engaged in certain financial activities may be subject to the affiliated transaction limits. The FRB also may designate banking subsidiaries as affiliates. Pursuant to FRB Regulation O, we are also subject to quantitative restrictions on extensions of credit to executive officers, directors, principal stockholders and their related interests. In general, such extensions of credit may not exceed certain dollar limitations, must be made on substantially the same terms, including interest rates and collateral, as those prevailing at the time for comparable transactions with third parties and must not involve more than the normal risk of repayment or present other unfavorable features. Certain extensions of credit also require the approval of our Board. **Current (2024):** Sections 23A and 23B of the Federal Reserve Act establish certain quantitative limits and other prudential requirements for loans, purchases of assets, and certain other transactions between a member bank or its subsidiaries and its affiliates. The term "member bank" includes national banks such as CBNA. Section 23A prohibits a bank from entering a "covered transaction" with an affiliate if, after the transaction, the aggregate amount of the bank's covered transactions with that affiliate would exceed 10% of the bank's capital stock and surplus, or the aggregate amount of the bank's covered transactions with all of its affiliates would exceed 20% of the bank's capital stock and surplus. Covered transactions include loans and other extensions of credit to an affiliate, investments in the securities of an affiliate, purchases of assets from an affiliate, and certain other transactions that expose the bank to the credit risks of its affiliates. Section 23B of the Federal Reserve Act requires that transactions, including all covered transactions, be on terms substantially the same, or at least as favorable to the bank, as those prevailing at the time for comparable transactions with non-affiliates (the "Market Terms Requirement"). In addition to covered transactions, the Market Terms Requirement applies to certain other transactions between CBNA and its affiliates, including services between CBNA and the Parent Company and loans to CBNA from the Parent Company. Under sections 22(g) and (h) of the Federal Reserve Act and the FRB's Regulation O, we are also subject to quantitative restrictions on extensions of credit to executive officers, directors, principal stockholders and their related interests. These extensions of credit may not exceed certain quantitative limits, must be made on substantially the same terms as those currently prevailing in the market for comparable transactions with third parties, and must not involve more than the normal risk of repayment or present other unfavorable features. Certain extensions of credit also require the approval of our Board. --- ## Modified: Health, Well-Being, and Flexibility **Key changes:** - Reworded sentence: "Our benefit programs are designed to support colleagues' physical, mental, and financial well-being and we have added several resources in recent years." **Prior (2023):** We prioritize the health and well-being of our colleagues and their loved ones. Our benefit programs are designed to support colleagues' physical, mental, and financial well-being and we have added several resources in recent years, including additional mental and emotional health resources and emergency back-up child and adult care. We also recently enhanced our Parental Leave Policy to six weeks of paid time off for all permanent colleagues who become parents; birth mothers are eligible for an additional 10 weeks, for a total of 16 weeks. We added an ESG fund to our 401(k) plan investment options and there were no increases to colleague premiums, co-pays or deductibles for medical, dental, and vision coverage for 2023 in recognition of the impact of inflation on colleagues. We implemented a return to office strategy which incorporates flexibility for colleagues. As part of that strategy, non-branch roles have been assigned to various categories including fully remote, hybrid, or fully in the office, based on the responsibilities of each role. This approach has allowed us to balance colleague flexibility with in-person collaboration, which we believe is key to maintaining our Company values and culture. **Current (2024):** We prioritize the health and well-being of our colleagues and their loved ones. Our benefit programs are designed to support colleagues' physical, mental, and financial well-being and we have added several resources in recent years. In an effort to greater support each colleague's unique journey, we enhanced our partnership with our BRGs by providing subject matter experts to share their experience and expertise with all BRG members, as well as increasing awareness of available tools and resources. In late 2022, we enhanced our Parental Leave Policy to six weeks of paid time off for all permanent colleagues who become parents; birth mothers are eligible for an additional 10 weeks, for a total of 16 weeks. In 2023, we increased paid bereavement leave, added several mental health resources, and provided each colleague an extra day of paid time-off to be used as a wellness day. In recognition of the impact of inflation on colleagues there were also no increases to colleague premiums, co-pays or deductibles for medical, dental, and vision coverage for 2023. We continue to embrace flexibility and manage our hybrid workforce in a manner that ensures colleagues are working in ways that best support our customers, foster engagement and innovation, and maintain our company culture. --- ## Modified: Changes in interest rates may have an adverse effect on our liquidity and profitability. **Key changes:** - Reworded sentence: "Changes in interest rates can have a material impact on the value of our securities, a primary objective of which is to provide a ready source of contingent liquidity." **Prior (2023):** Net interest income historically has been, and we anticipate that it will remain, a significant component of our total revenue. This is due to the fact that a high percentage of our assets and liabilities have been and will likely continue to be in the form of interest-bearing or interest-related instruments. Changes in interest rates can have a material effect on many areas of our business, including net interest income, deposit costs, loan volume and delinquency, and the value of our mortgage servicing rights. Interest rates are highly sensitive to many factors that are beyond our control, including general economic conditions and policies of various governmental and regulatory agencies and, in particular, the Federal Open Market Committee. Changes in monetary policy, including changes in interest rates, could influence not only the interest we receive on loans and securities and the amount of interest we pay on deposits and borrowings, but such changes could also affect our ability to originate loans and obtain deposits and the fair value of our financial assets and liabilities. If the interest rates on our interest-bearing liabilities increase at a faster pace than the interest rates on our interest earning assets, our net interest income may decline and, with it, a decline in our earnings may occur. Our net interest income and our earnings would be similarly affected if the interest rates on our interest earning assets declined at a faster pace than the interest rates on our interest-bearing liabilities. We cannot control or predict with certainty changes in interest rates. Global, national, regional and local economic conditions, competitive pressures and the policies of regulatory authorities, including monetary policies of the FRB, affect interest income and interest expense. Although we have policies and procedures designed to manage the risks associated with changes in market interest rates, as further discussed under the "Risk Governance" section in Item 7, changes in interest rates still may have an adverse effect on our profitability. If our ongoing assumptions regarding borrower or depositor behavior or overall economic conditions are significantly different than we anticipate, then our risk mitigation may be insufficient to protect against interest rate risk and our net income would be adversely affected. **Current (2024):** Changes in interest rates can have a material impact on the value of our securities, a primary objective of which is to provide a ready source of contingent liquidity. An increase in rates could lower the collateral value of these securities, reducing the amount we could borrow, and lead to losses in the event of their sale. Since our earning assets are primarily in the form of loans and debt securities, changes in interest rates can have a material impact our net interest income, net interest margin, fee income, and credit costs. Changes in interest rates can affect our net interest income and margin as our asset yields and funding costs may not rise or fall in parallel, causing our net interest income to increase or decrease and our margin to expand or contract. If our funding costs rise faster than our asset yields, or if our asset yields fall faster than our funding costs, our net interest income could decrease, and our margin could contract. An increase in interest rates could cause lower demand for loans by customers, reducing our net interest income due to lower loan balances and origination-related fee income due to lower production volume, and could also have an adverse impact on our credit costs, as borrowers may have difficulty in making higher interest payments. Additionally, an increase in rates could cause recognition of losses on the debt securities in our AFS portfolio if the securities needed to be sold. Similarly, a decrease in interest rates could lower our net interest income, net interest margin and fee income. We may be adversely affected by a prolonged period of low interest rates as it may result in us holding lower yielding loans and securities should rates rise rapidly after the period of low interest rates. Changes in the spread between short-term and long-term interest rates (i.e., the yield curve) can also have a material impact on our net interest income and net interest margin. Typically, the yield curve is upward sloping, with short-term rates being lower than long-term rates. When the yield curve flattens or inverts, our net interest income and net interest margin may decrease if the cost of our short-term funding increases relative to the yield we can earn on our long-term assets. Interest rates and the yield curve are highly sensitive to many factors that are beyond our control, including general economic conditions and the policies of various governmental and regulatory agencies and, in particular, the Federal Open Market Committee. Although we have policies and procedures designed to manage our interest rate risks, as further discussed in the "Risk Governance" section in Item 7, there can be no assurance that these policies and procedures will be effective in avoiding material adverse effects on our profitability. --- ## Modified: Our ability to meet our obligations, and the cost of funds to do so, depend on our ability to access identified sources of liquidity at a reasonable cost. **Key changes:** - Reworded sentence: "Liquidity risk is the risk arising from the inability to meet our obligations when they come due." **Prior (2023):** Liquidity risk is the risk that we will not be able to meet our obligations, including funding commitments, as they come due. This risk is inherent in our operations and can be heightened by a number of factors, including an over-reliance on a particular source of funding (including, for example, secured FHLB advances), changes in credit ratings or market-wide phenomena such as market dislocation and major disasters. Like many banking groups, our reliance on customer deposits to meet a considerable portion of our funding has grown over recent years, and we continue to seek to increase the proportion of our funding represented by customer deposits. However, these deposits are subject to fluctuation due to certain factors outside our control, such as increasing competitive pressures for retail or corporate customer deposits, changes in interest rates and returns on other investment classes, or a loss of confidence by customers in us or in the banking sector generally which could result in a significant outflow of deposits within a short period of time. To the extent there is heightened competition among U.S. banks for retail customer deposits, this competition may increase the cost of procuring new deposits and/or retaining existing deposits, and otherwise negatively affect our ability to grow our deposit base. An inability to grow, or any material decrease in, our deposits could have a material adverse effect on our ability to satisfy our liquidity needs. Maintaining a diverse and appropriate funding strategy for our assets consistent with our wider strategic risk appetite and plan remains challenging, and any tightening of credit markets could have a material adverse impact on us. In particular, there is a risk that corporate and financial institution counterparties may seek to reduce their credit exposures to banks and other financial institutions (for example, reductions in unsecured deposits supplied by these counterparties), which may cause funding from these sources to no longer be available. Under these circumstances, we may need to seek funds from alternative sources, potentially at higher costs than has previously been the case, or may be required to consider disposals of other assets not previously identified for disposal, in order to reduce our funding commitments. **Current (2024):** Liquidity risk is the risk arising from the inability to meet our obligations when they come due. We must maintain adequate funding to meet current and future obligations, including customer loan requests, customer deposit maturities and withdrawals, debt service, equipment and premises leases, and other cash commitments, under both normal operating conditions and under periods of company-specific and/or market stress. We primarily rely on customer deposits to be a relatively stable and low-cost source of funding. In addition to customer deposits, our funding sources also include our ability to securitize loans in secondary markets, raise funds in the debt and equity capital markets, pledge loans and/or securities for borrowing from the FHLB, pledge securities as collateral for borrowing under repurchase agreements, and sell AFS securities. Our ability to meet our obligations and support our operations could be materially affected by a variety of conditions, including market-wide illiquidity or disruption, a loss of market or customer confidence in the financial services industry generally or in the Company specifically, or reductions in one or more of our credit ratings. This could limit our ability to retain our deposits, securitize or sell assets, access the debt or equity capital markets, or otherwise borrow money at a reasonable cost. Additionally, these conditions, among others, if severe enough, could create unanticipated material outflows of cash due to, among other factors, draws on unfunded commitments or deposit attrition, which could have significant adverse impact on our liquidity. Further, changes to the FHLB's or the FRB's underwriting guidelines for wholesale borrowings or lending policies may limit or restrict our ability to borrow, and therefore could have a significant adverse impact on our liquidity. --- ## Modified: Employee Engagement **Key changes:** - Reworded sentence: "As part of our ongoing efforts to develop a high performing workforce and make Citizens a great place to work and build a career, we conduct an annual organizational health survey ("OHS")." **Prior (2023):** As part of our ongoing efforts to develop a high performing workforce and make Citizens a great place to work and build a career, we have used McKinsey & Company's Organizational Health Index ("OHI") since our 2014 initial public offering to understand colleagues' viewpoints about Citizens on a range of topics. OHI results are used to refine our focus, address gaps, and strengthen efforts to improve our organizational effectiveness and colleague experience. Since our inaugural survey, our overall OHI score has increased nearly 20 points to 77 in 2022 and is now within the first quartile of McKinsey's global benchmarks. The results of our OHI surveys have been instrumental in helping management prioritize areas of change that are most important to colleagues. In 2023, we are transitioning to a new listening platform, which will include a colleague survey tool aimed at providing additional insights as we continue to evolve our strategy and culture. **Current (2024):** As part of our ongoing efforts to develop a high performing workforce and make Citizens a great place to work and build a career, we conduct an annual organizational health survey ("OHS"). The results of our survey are instrumental in helping management prioritize areas of change that are most important to colleagues. Survey results are used to refine our focus, address gaps, and strengthen efforts to improve our organizational effectiveness and colleague experience. Between our initial public offering and 2022, we had a 19-point increase in our overall survey score and achieved top quartile status within McKinsey's global benchmarks. In 2023, with an eye toward continuing to evolve our strategy and culture, we transitioned to a new OHS tool. In 2023, 87% of colleagues participated in the OHS, which is our all-time highest participation rate. --- ## Modified: Our financial performance may be adversely affected by deterioration in borrower credit quality. **Key changes:** - Reworded sentence: "Risks arising from actual or perceived changes in credit quality and uncertainty over the recoverability of amounts due from borrowers is inherent in our businesses." **Prior (2023):** We have exposure to many different industries and risks arising from actual or perceived changes in credit quality and uncertainty over the recoverability of amounts due from borrowers is inherent in our businesses. Our exposure may be exacerbated by the geographic concentration of our operations, which are predominately located in the New England, Mid-Atlantic and Midwest regions. The credit quality of our borrowers may deteriorate for a number of reasons that are outside our control, including as a result of prevailing economic and market conditions and asset valuation. The trends and risks affecting borrower credit quality, particularly in the New England, Mid-Atlantic and Midwest regions, have caused, and in the future may cause, us to experience impairment charges, increased repurchase demands, higher costs, additional write-downs and losses and an inability to engage in routine funding transactions, which could have a material adverse effect on our business, financial condition and results of operations. **Current (2024):** Risks arising from actual or perceived changes in credit quality and uncertainty over the recoverability of amounts due from borrowers is inherent in our businesses. If the economic environment were to deteriorate, more of our borrowers may have difficulty in repaying their loans which could result in higher credit losses and increased loan loss provision expense. Further, our credit risk and credit losses may increase to the extent our loans are concentrated by loan type, industry segment, collateral type, borrower type, or location of the collateral or borrower. A significant portion of our earnings assets are in the form of loans to borrowers across the U.S., primarily for residential, commercial and industrial, commercial real estate, education, auto and other retail purposes. A deterioration in economic conditions or changes in consumer or business behavior that negatively impacts home property or commercial property values could, in event of the borrower's default, result in materially higher credit losses. Similarly, higher unemployment levels and higher interest rates can adversely affect our customers' ability to repay their loans, which can negatively impact our credit performance. The credit quality of our borrowers may deteriorate for a number of reasons that are outside our control, including prevailing economic and market conditions and collateral valuations. The trends and risks affecting borrower credit quality have caused, and in the future may cause, us to experience credit losses, impairment charges, increased repurchase demands, higher recovery costs, and an inability to engage in routine funding transactions, which could have a material adverse effect on our business, financial condition and results of operations. --- ## Modified: Community Reinvestment Act **Key changes:** - Reworded sentence: "The CRA requires CBNA's primary federal bank regulatory agency, the OCC, to evaluate the bank's record in meeting the credit needs of the communities it serves, including low- and moderate-income neighborhoods and individuals." **Prior (2023):** The CRA requires banking regulators to evaluate the Parent Company and CBNA in meeting the credit needs of our local communities, including providing credit to individuals residing in low- and moderate- income neighborhoods. The CRA also requires each appropriate federal bank regulatory agency, in connection with its examination of a depository institution, to assess such institution's record in assessing and meeting the credit needs of the community served by that institution and assign ratings. The regulatory agency's evaluation of the institution's record and ratings are made public. These CRA performance evaluations are also considered by regulatory agencies in evaluating mergers, acquisitions and applications to open a branch or facility, and, in the case of a BHC that has elected FHC status, a CRA rating of at least "satisfactory" is required to commence certain new financial activities or to acquire a company engaged in such activities. CBNA received a rating of "outstanding" in our most recent CRA evaluation. On May 5, 2022, the FRB, OCC and FDIC jointly issued a notice of proposed rulemaking proposing revisions to the agencies' CRA regulations, including with respect to the delineation of assessment areas, the overall evaluation framework and performance standards and metrics, the definition of community development activities, and data collection and reporting. The proposed rule would adjust CRA evaluations based on bank size and type, with many of the proposed changes applying only to banks with over $2 billion in assets and several applying only to banks with over $10 billion in assets, such as CBNA. We will continue to evaluate the impact of any changes to the regulations implementing the CRA. **Current (2024):** The CRA requires CBNA's primary federal bank regulatory agency, the OCC, to evaluate the bank's record in meeting the credit needs of the communities it serves, including low- and moderate-income neighborhoods and individuals. Institutions are assigned one of four ratings: "Outstanding," "Satisfactory," "Needs to Improve," or "Substantial Noncompliance." A bank's CRA record is considered by regulatory agencies in evaluating mergers, acquisitions and applications to open a branch or facility. In addition, the CRA record of a subsidiary bank of a FHC is considered if a FHC wishes to commence certain new financial activities or to acquire a company engaged in such activities, which requires a rating of at least "satisfactory." CBNA received an "Outstanding" rating on its most recent CRA evaluation. On October 24, 2023, the federal banking regulators issued a joint final rule that revises the agencies' CRA regulations. The primary provisions of the final rule, along with the most significant changes from the existing CRA regulatory framework, are outlined below: •a tiered evaluation framework is established based on a bank's asset size, similar to the existing CRA regulatory framework; •the geographic area in which banks may be evaluated for performance is expanded to include areas outside of where they have physical locations in order to capture the varied activities a bank conducts, such as online and mobile banking, and the communities in which it operates; •bank retail lending and community development financing will be evaluated using a new metrics-based approach; and •clarifies eligible CRA activities, such as affordable housing. The final rule takes effect on April 1, 2024, with staggered compliance dates of January 1, 2026, and January 1, 2027 for certain reporting requirements. We are in the process of evaluating the impact of the final rule on our business. --- *Data sourced from SEC EDGAR. Last updated 2026-05-11.*