Capital One Financial Corporation: 10-K Risk Factor Changes

Climate change risks can manifest as physical or transition risks. Physical risks are the risks from the effects of climate change arising from acute, climate-related events, such as, hurricanes, flooding and wildfires, and chronic shifts in climate, such as sea level rise and higher average temperatures. Such events could lead to financial losses or disrupt our operations or those of our customers or third parties on which we rely, including through direct damage to assets and indirect impacts from supply chain disruption and market volatility. Transition risks are the risks resulting from the shift toward a lower-carbon economy arising from the changes in policy, consumer and business sentiment or technologies in regards to limiting climate change. Transition risks, including changes in consumer preferences and additional regulatory requirements or taxes, could increase our expenses, affect credit performance, and impact our strategies or those of our customers. For example, on October 24, 2023, the Federal Banking Agencies jointly issued guidance on climate-related financial risk management for large institutions, which applies to us. For more information on climate-related regulatory developments, see “Item 1. Business—Supervision and Regulation.” Physical and transition risks could also affect the financial health of certain customers in impacted industries or geographies. In addition, we face reputational risk as a result of our policies, practices, disclosures and decisions related to climate change and the environment, or the practices or involvement of our clients or vendors and suppliers, in certain industries or projects associated with causing or exacerbating climate change. Further, there is increased scrutiny of climate change-related policies, goals and disclosures, which could result in litigation and regulatory investigations and actions. We may incur additional costs and require additional resources as we evolve our strategy, practices and related disclosures with respect to these matters. As climate risk is interconnected with many risk types, we continue to enhance processes to embed evolving climate risk considerations into our existing risk management strategies; however, because the timing and severity of climate change may not be predictable, our risk management strategies may not be effective in mitigating climate risk exposure.

Climate change risks can manifest as physical or transition risks. Physical risks are the risks from the effects of climate change arising from acute, climate-related events, such as, hurricanes and wildfires, and chronic shifts in climate, such as sea level rise and higher average temperatures. Such events could lead to financial losses or disrupt our operations or those of our customers or third parties on which we rely, including through direct damage to assets and indirect impacts from supply chain disruption and market volatility. Transition risks are the risks resulting from the shift toward a lower-carbon economy arising from the changes in policy, consumer and business sentiment or technologies in regards to limiting climate change. Transition risks, including changes in consumer preferences and additional regulatory requirements or taxes, could increase our expenses, affect credit performance, and impact our strategies or those of our customers. For more information on climate-related regulatory developments, see “Part I—Item 1. Business—Supervision and Regulation” for additional information. Physical and transition risks could also affect the financial health of certain customers in impacted industries or geographies. In addition, we face reputational risk as a result of our policies, practices, disclosures and decisions related to climate change and the environment, or the practices or involvement of our clients or vendors and suppliers, in certain industries or projects associated with causing or exacerbating climate change. As climate risk is interconnected with many risk types, we continue to enhance processes to embed evolving climate risk considerations into our existing risk management strategies; however, because the timing and severity of climate change may not be predictable, our risk management strategies may not be effective in mitigating climate risk exposure.

We are subject to a variety of continuously evolving and developing laws and regulations in the United States at the federal, state and local level regarding privacy, data protection and data security, including those related to the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information. For example, at the federal level, we are subject to the GLBA and the FCRA, among other laws and regulations. Moreover, legislative changes have been proposed in the U.S. Congress for more comprehensive privacy, data protection and data security legislation, to which we may be subject if passed. The enactment of CIRCIA, once rulemaking is complete, will require, among other things, certain companies to report significant cyber incidents to the CISA within 72 hours from the time the company reasonably believes the incident occurred. At the state level, California has enacted the CPRA, and various other states also have enacted or are in the process of enacting state-level privacy, data protection and/or data security laws and regulations, with which we may be required to comply. Additionally, the Federal Banking Agencies, as well as the SEC and related self‐regulatory organizations, regularly issue guidance regarding cybersecurity that is intended to enhance cyber risk management among financial institutions. We also are, or may become, subject to continuously evolving and developing laws and regulations in other jurisdictions regarding privacy, data protection and data security. For example, in Canada we are subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and may become subject to additional privacy, data protection and data security laws and regulations in Canada, including those which may differ from PIPEDA, if passed. In addition, subject to 34Capital One Financial Corporation (COF) 34Capital One Financial Corporation (COF) 34Capital One Financial Corporation (COF) 34 Table of Contents Table of Contents limited exceptions, the EU General Data Protection Regulation (“EU GDPR”) applies EU data protection laws to certain companies processing personal data of individuals in the EU, regardless of the company’s location. We also are subject to the U.K. General Data Protection Regulation (“U.K. GDPR”), which is how the EU GDPR has been implemented into U.K. law. These laws and regulations, and similar laws and regulations in other jurisdictions, impose strict requirements regarding the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information, which may have adverse consequences, including significant compliance costs and severe monetary penalties for non-compliance. Significant uncertainty exists as privacy, data protection, and data security laws may be interpreted and applied differently from country to country and may create inconsistent or conflicting requirements. Further, we make public statements about our use, collection, disclosure and other processing of personal information through our privacy policies, information provided on our website and press statements. Although we endeavor to comply with our public statements and documentation, we may at times fail to do so or be alleged to have failed to do so. The publication of our privacy policies and other statements that provide promises and assurances about privacy, data protection and data security can subject us to potential government or legal action if they are found to be deceptive, unfair or misrepresentative of our actual practices. Additional risks could arise in connection with any failure or perceived failure by us, our service providers or other third parties with which we do business to provide adequate disclosure or transparency to individuals, including our customers, about the personal information collected from them and its use, to receive, document or honor the privacy preferences expressed by individuals, to protect personal information from unauthorized disclosure, or to maintain proper training on privacy practices for all employees or third parties who have access to personal information in our possession or control. Our efforts to comply with GLBA, FCRA, CPRA, PIPEDA, EU GDPR, U.K. GDPR and other privacy, data protection and data security laws and regulations, as well as our posted privacy policies, and related contractual obligations to third parties, entail substantial expenses, may divert resources from other initiatives and projects, and could limit the services we are able to offer. Furthermore, enforcement actions and investigations by regulatory authorities related to data security incidents and privacy, data protection and data security violations continue to increase. The enactment of more restrictive laws or regulations, or future enforcement actions, litigation or investigations, could impact us through increased costs or restrictions on our business, and any noncompliance or perceived noncompliance could result in monetary or other penalties, harm to our reputation, distraction to our management and technical personnel and significant legal liability.

We are subject to a variety of continuously evolving and developing laws and regulations in the United States at the federal, state and local level regarding privacy, data protection and data security, including those related to the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information. For example, at the federal level, we are subject to the GLBA, among other laws and regulations. Moreover, the U.S. Congress is currently considering various proposals for more comprehensive privacy, data protection and data security legislation, to which we may be subject if passed. In addition, in November 2021, the Federal Reserve, OCC, and FDIC issued a final rule that, among other things, requires all banking organizations in the United States to notify their primary federal regulators of certain material computer-security incidents as soon as possible and no later than 36 hours after determining that the incident has occurred. The enactment of CIRCIA, once rulemaking is complete, will require, among other things, certain companies to report significant cyber incidents to the CISA within 72 hours from the time the company reasonably believes the incident occurred, and a proposed rule by the SEC, if enacted, would mandate public disclosure of material cybersecurity incidents within four business days of determining that such an incident has occurred. At the state level, California has enacted the California Privacy Rights Act (“CPRA”), and various other states also have enacted or are in the process of enacting state-level privacy, data protection and/or data security laws and regulations, with which we may be required to comply. We also are, or may become, subject to continuously evolving and developing laws and regulations in other jurisdictions regarding privacy, data protection and data security. For example, in Canada we are subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). In addition, subject to limited exceptions, the EU General Data Projection Regulation (“EU GDPR”) applies EU data protection law to all companies processing personal data of EU residents, regardless of the company’s location. We also are subject to the UK General Data Protection Regulation (“U.K. GDPR”), which is how the EU GDPR has been implemented into U.K. law. These laws and regulations, and similar laws and regulations in other jurisdictions, impose strict requirements regarding the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information, which may have adverse consequences, including significant compliance costs and severe monetary penalties for non-compliance. Significant uncertainty exists as privacy, data protection, and data security laws may be interpreted and applied differently from country to country and may create inconsistent or conflicting requirements. Further, we make public statements about our use, collection, disclosure and other processing of personal information through our privacy policies, information provided on our website and press statements. Although we endeavor to comply with our public statements and documentation, we may at times fail to do so or be alleged to have failed to do so. The publication of our privacy policies and other statements that provide promises and assurances about privacy, data protection and data security can subject us to potential government or legal action if they are found to be deceptive, unfair or misrepresentative of our actual practices. Our efforts to comply with GLBA, CPRA, PIPEDA, EU GDPR, U.K. GDPR and other privacy, data protection and data security laws and regulations, as well as our posted privacy policies, and related contractual obligations to third parties, entail substantial expenses, may divert resources from other initiatives and projects, and could limit the services we are able to offer. Furthermore, enforcement actions and investigations by regulatory authorities related to data security incidents and privacy, data protection and data security violations continue to increase. The enactment of more restrictive laws or regulations, or future 30Capital One Financial Corporation (COF) 30Capital One Financial Corporation (COF) 30Capital One Financial Corporation (COF) 30 Table of Contents Table of Contents enforcement actions or investigations, could impact us through increased costs or restrictions on our business, and any noncompliance or perceived noncompliance could result in monetary or other penalties, harm to our reputation and significant legal liability.

Natural disasters, geopolitical events and other catastrophic events could harm our employees, business and infrastructure, including our information technology systems and third-party platforms. Our ability to conduct business may be adversely affected by a disruption in the infrastructure that supports our business and the communities where we are located, which are concentrated in the Northern Virginia and New York metropolitan areas, Richmond, Virginia and Plano, Texas. This may include a disruption involving damage or loss of access to a physical site, cyber-attacks and other security incidents, terrorist activities, the occurrence or worsening of disease outbreaks or pandemics, natural disasters, extreme weather events, electrical outage, environmental hazards, disruption to technological infrastructure, communications or other services we use, our employees or third parties with whom we conduct business. Our business, financial condition and results of operations may be impacted by any such disruption and our ability to implement corresponding response measures quickly. In addition, if a natural disaster or other catastrophic event occurs in certain regions where our business, customers or assets securing our loans are concentrated, such as the mid-Atlantic, New York, California or Texas metropolitan areas, or in regions where our third-party platforms are located, we could be disproportionately impacted as compared to our competitors. The impact of such events and other catastrophes on the overall economy and our physical and transition risks may also adversely affect our financial condition and results of operations.

Despite the business contingency plans we have in place, such plans do not fully mitigate all potential business continuity risks to us. Geopolitical events, natural disasters and other catastrophic events could harm our employees, business and infrastructure, including our information technology systems and third-party platforms. Our ability to conduct business may be adversely affected by a disruption in the infrastructure that supports our business and the communities where we are located, which are concentrated in the Northern Virginia and New York metropolitan areas, as well as Richmond, Virginia and Plano, Texas. This may include a disruption involving damage or loss of access to a physical site, cyber-attacks and other security incidents, terrorist activities, the occurrence or worsening of disease outbreaks or pandemics (including the COVID-19 pandemic), natural disasters, extreme weather events, electrical outage, environmental hazards, disruption to technological infrastructure, communications or other services we use, our employees or third parties with whom we conduct business. Our business, financial condition and results of operations may be impacted by any such disruption and our ability to implement corresponding response measures quickly. In addition, if a natural disaster or other catastrophic event occurs in certain regions 38Capital One Financial Corporation (COF) 38Capital One Financial Corporation (COF) 38Capital One Financial Corporation (COF) 38 Table of Contents Table of Contents where our business and customers are concentrated, such as the mid-Atlantic, New York, California or Texas metropolitan areas, or in regions where our third-party platforms are located, we could be disproportionately impacted as compared to our competitors. The impact of such events and other catastrophes on the overall economy and our physical and transition risks may also adversely affect our financial condition and results of operations.

Our ability to retain and attract customers depends on our ability to develop, operate, and adapt our technology and organizational infrastructure in a rapidly changing environment. In addition, we must accurately process, record and monitor an increasingly large number of complex transactions. Digital technology, cloud-based services, data and software development are deeply embedded into our business model and how we work. Similar to other large corporations in our industry, we are exposed to operational risk that can manifest itself in many ways, such as errors in execution, inadequate processes, inaccurate models, faulty or disabled technological infrastructure, malicious disruption and fraud by employees or persons outside of our company, whether through attacks on Capital One directly, or on our third-party service providers or customers. In addition, the increasing use of near real-time money movement solutions, 29Capital One Financial Corporation (COF) 29Capital One Financial Corporation (COF) 29Capital One Financial Corporation (COF) 29 Table of Contents Table of Contents among other risks, increases the complexity of preventing, detecting and recovering fraudulent transactions. We are also heavily dependent on the security, capability, integrity and continuous availability of the technology systems that we use to manage our internal financial and other systems, monitor risk and compliance with regulatory requirements, provide services to our customers, develop and offer new products and communicate with stakeholders. We also face risk of adverse customer impacts and business disruption arising from the execution of strategic initiatives and operational plans we may pursue across our operations. For example, when we launch a new product, service or platform for the delivery or distribution of products or services, acquire or invest in a business or make changes to an existing product, service or delivery platform, there is the risk of execution issues related to changes to operations or processes. These issues could be driven by insufficient mitigation of operational risks associated with the change implementation, inadequate training, failure to account for new or changed requirements, or failure to identify or address impacted downstream processes. In addition, we may experience increased costs and/or disruptions due to our hybrid work model, which could also affect our ability to operate effectively and maintain our corporate culture. If we do not maintain the necessary operational, technological and organizational infrastructure to operate our business, including to maintain the resiliency and security of that infrastructure, our business and reputation could be materially adversely affected. We also are subject to disruptions to our systems arising from events that are wholly or partially beyond our control, which may include computer viruses; computer, telecommunications, network, utility, electronic or physical infrastructure outages; bugs, errors, insider threats, design flaws in systems or platforms; availability and quality of vulnerability patches from key vendors, cyber-attacks and other security incidents, natural disasters, other damage to property or physical assets, or events arising from local or larger scale politics, including civil unrest, terrorist acts and military conflict. Any failure to maintain our infrastructure or prevent disruption of our systems and applications could diminish our ability to operate our businesses, service customer accounts and protect customers’ information, or result in potential liability to customers, reputational damage, regulatory intervention and customers’ loss of confidence in our businesses, any of which could result in a material adverse effect. We also rely on the business infrastructure and systems of third parties (and their supply chains) with which we do business and/or to whom we outsource the operation, maintenance and development of our information technology and communications systems. We have substantially migrated primarily all aspects of our core information technology systems and customer-facing applications to third-party cloud infrastructure platforms, principally AWS. If we fail to architect, administer or oversee these environments in a well-managed, secure and effective manner, or if such platforms become unavailable, are disrupted, fail to scale, do not operate as designed, or do not meet their service level agreements for any reason, we may experience unplanned service disruption or unforeseen costs which could result in material harm to our business and operations. We must successfully develop and maintain information, financial reporting, disclosure, privacy, data protection, data security and other controls adapted to our reliance on outside platforms and providers. In addition, AWS, or other service providers (including, without limitation, those who also rely on AWS) could experience system or telecommunication breakdowns or failures, outages, degradation in service, downtime, failure to scale, software bugs, design flaws, cyber-attacks and other security incidents, insider threats, adverse changes to financial condition, bankruptcy, or other adverse conditions, (including conditions which interfere with our access to and use of AWS), which could have a material adverse effect on our business and reputation. We also face a risk that our third-party service providers might be unable or unwilling to continue to provide these or other services to meet our current or future needs in an efficient, cost-effective, or favorable manner or may terminate or seek to terminate their contractual relationship with us. Any transition to alternative third-party service providers or internal solutions may be difficult to implement, may cause us to incur significant time and expense and may disrupt or degrade our ability to deliver our products and services. Thus, the substantial amount of our infrastructure that we outsource to AWS or to other third-party service providers may increase our risk exposure. Any disruptions, failures or inaccuracies of our operational processes, technology systems and models, including those associated with improvements or modifications to such technology systems and models, or failure to identify or effectively respond to operational risks in a timely manner and continue to deliver our services through an operational disruption, could cause us to be unable to market and manage our products and services, manage our risk, meet our regulatory obligations or report our financial results in a timely and accurate manner, all of which could have a negative impact on our results of operations. In addition, our ongoing investments in infrastructure, which are necessary to maintain a competitive business, integrate acquisitions and establish scalable operations, may increase our expenses. As our business develops, changes or expands, additional expenses can arise as a result of a reevaluation of business strategies or risks, management of outsourced services, asset purchases or other acquisitions, structural reorganization, compliance with new laws or regulations, the integration of newly acquired businesses, or the prevention or occurrence of cyber-attacks and other security incidents. If we are 30Capital One Financial Corporation (COF) 30Capital One Financial Corporation (COF) 30Capital One Financial Corporation (COF) 30 Table of Contents Table of Contents unable to successfully manage our expenses, our financial results will be negatively affected. Changes to our business, including those resulting from our strategic imperatives, also require robust governance to ensure that our objectives are executed as intended without adversely impacting our customers, associates, operations or financial performance. Ineffective change management oversight and governance over the execution of our key projects and initiatives could expose us to operational, strategic and reputational risk and could negatively impact customers or our financial performance.

Our ability to retain and attract customers depends on our ability to develop, operate, and adapt our technology and organizational infrastructure in a rapidly changing environment. In addition, we must accurately process, record and monitor an increasingly large number of complex transactions. Digital technology, cloud-based services, data and software development are deeply embedded into our business model and how we work. Similar to other large corporations in our industry, we are exposed to operational risk that can manifest itself in many ways, such as errors in execution, inadequate processes, inaccurate models, faulty or disabled technological infrastructure, malicious disruption and fraud by employees or persons outside of our company, whether through attacks on Capital One directly or on our customers. In addition, the increasing use of near real-time money movement solutions, among other risks, increases the complexity of preventing, detecting and recovering fraudulent transactions. In addition, we are heavily dependent on the security, capability, integrity and continuous availability of the technology systems that we use to manage our internal financial and other systems, monitor risk and compliance with regulatory requirements, provide services to our customers, develop and offer new products and communicate with stakeholders. We also face risk of adverse customer impacts and business disruption arising from the execution of strategic initiatives and operational plans we may pursue across our operations. If we do not maintain the necessary operational, technological and organizational infrastructure to operate our business, including to maintain the resiliency and security of that infrastructure, our business and reputation could be materially adversely affected. We also are subject to disruptions to our systems arising from events that are wholly or partially beyond our control, which may include computer viruses, electrical or telecommunications outages, bugs, design flaws in foundational components or platforms, availability and quality of vulnerability patches from key vendors, cyber-attacks and other security incidents, natural disasters, other damage to property or physical assets, or events arising from local or larger scale politics, including terrorist acts. Any failure to maintain our infrastructure or prevent disruption of our systems and applications could diminish our ability to operate our businesses, service customer accounts and protect customers’ information, or result in potential liability to customers, reputational damage, regulatory intervention and customers’ loss of confidence in our businesses, any of which could result in a material adverse effect. 27Capital One Financial Corporation (COF) 27Capital One Financial Corporation (COF) 27Capital One Financial Corporation (COF) 27 Table of Contents Table of Contents We also rely on the business infrastructure and systems of third parties with which we do business and to whom we outsource the operation, maintenance and development of our information technology and communications systems. We have substantially migrated all aspects of our core information technology systems and customer-facing applications to third-party cloud infrastructure platforms, principally AWS. If we fail to architect, administer or oversee these environments in a well-managed, secure and effective manner, or if such platforms become unavailable, are disrupted, fail to scale, do not operate as designed, or do not meet their service level agreements for any reason, we may experience unplanned service disruption or unforeseen costs which could result in material harm to our business and operations. We must successfully develop and maintain information, financial reporting, disclosure, privacy, data protection, data security and other controls adapted to our reliance on outside platforms and providers. In addition, AWS, or other service providers could experience system or telecommunication breakdowns or failures, outages, degradation in service, downtime, failure to scale, software bugs, cyber-attacks and other security incidents, adverse changes to financial condition, bankruptcy, or other adverse conditions, (including conditions which interfere with our access to and use of AWS), which could have a material adverse effect on our business and reputation. Thus, the substantial amount of our infrastructure that we outsource to AWS or to other third parties may increase our risk exposure. Any disruptions, failures or inaccuracies of our operational processes, technology systems and models, including those associated with improvements or modifications to such technology systems and models, could cause us to be unable to market and manage our products and services, manage our risk, meet our regulatory obligations or report our financial results in a timely and accurate manner, all of which could have a negative impact on our results of operations. In addition, our ongoing investments in infrastructure, which are necessary to maintain a competitive business, integrate acquisitions and establish scalable operations, may increase our expenses. As our business develops, changes or expands, additional expenses can arise as a result of a reevaluation of business strategies, management of outsourced services, asset purchases or other acquisitions, structural reorganization, compliance with new laws or regulations, the integration of newly acquired businesses, or the prevention or occurrence of cyber-attacks and other security incidents. If we are unable to successfully manage our expenses, our financial results will be negatively affected. Changes to our business, including those resulting from our strategic objectives, also requires robust governance to ensure that our objectives are executed as intended without adversely impacting our customers, associates, operations or financial performance. Ineffective change management oversight and governance over the execution of our strategic objectives could expose us to operational, strategic and reputational risk and could negatively impact customers or our financial performance.

A wide array of laws and regulations, including banking and consumer lending laws and regulations, apply to every aspect of our business and these laws can be uncertain and evolving. We and our subsidiaries are also subject to supervision and examination by multiple regulators both in the U.S. and abroad, and the manner in which our regulators interpret applicable laws and regulations may affect how we comply with them. Failure to comply with these laws and regulations, even if the failure was inadvertent or reflects a difference in interpretation or conflicting legal requirements, could subject us to restrictions 33Capital One Financial Corporation (COF) 33Capital One Financial Corporation (COF) 33Capital One Financial Corporation (COF) 33 Table of Contents Table of Contents on our business activities, fines, criminal sanctions and other penalties, and/or damage to our reputation with regulators, our customers or the public. Hiring, training and retaining qualified compliance and legal personnel, and establishing and maintaining risk management and compliance-related systems, infrastructure and processes, is difficult and may lead to increased expenses. These efforts and the associated costs could limit our ability to invest in other business opportunities. In addition, actions, behaviors or practices by us, our employees or representatives that are illegal, unethical or contrary to our core values could harm us, our stockholders or customers or damage the integrity of the financial markets and are subject to regulatory scrutiny across jurisdictions. Violations of law by other financial institutions may also result in increased regulatory scrutiny of our business. Applicable rules and regulations may affect us disproportionately compared to our competitors or in an unforeseen manner. For example, we have a large number of customer accounts in our credit card and auto lending businesses and we have made the strategic choice to originate and service subprime credit card and auto loans, which typically have higher delinquencies and charge-offs than prime customer accounts. As a result, we have significant involvement with credit bureau reporting and the collection and recovery of delinquent and charged-off debt, primarily through customer communications, the filing of litigation against customers in default, the periodic sale of charged-off debt and vehicle repossession. These and other consumer lending activities are subject to enhanced legal and regulatory scrutiny from regulators, courts and legislators. Any future changes to or legal liabilities resulting from our business practices in these areas, including our debt collection practices and the fees we charge, whether mandated by regulators, courts, legislators or otherwise, could have a material adverse impact on our financial condition. The legislative and regulatory environment is beyond our control, may change rapidly and unpredictably, and may negatively influence our revenue, costs, earnings, growth, liquidity and capital levels. For example, the CFPB has announced several initiatives related to the amounts and types of fees financial institutions may charge, including by issuing a proposed rule that would, among other things, significantly lower the safe harbor amount for past due fees that a credit card issuer can charge on consumer credit card accounts. Such changes could affect our ability or willingness to provide certain products or services, necessitate changes to the our business practices, or reduce our revenues. There may also be future rulemaking in emerging regulatory areas such as climate-related risks and new technologies. Adoption of new technologies, such as distributed ledger technologies, tokenization, cloud computing, AI and machine learning technologies, can present unforeseen challenges in applying and relying on existing compliance systems. In addition, some laws and regulations may be subject to litigation or other challenges that delay or modify their implementation and impact on us. Certain laws and regulations, and any interpretations and applications with respect thereto, are generally intended to protect consumers, borrowers, depositors, the DIF, the U.S. banking and financial system, and financial markets as a whole, but not stockholders. Our success depends on our ability to maintain compliance with both existing and new laws and regulations. For a description of the material laws and regulations, including those related to the consumer lending business, to which we are subject, see “Item 1. Business—Supervision and Regulation.”

A wide array of laws and regulations, including banking and consumer lending laws and regulations, apply to every aspect of our business. We and our subsidiaries are also subject to supervision and examination by multiple regulators, and the manner in which our regulators interpret applicable laws and regulations may affect how we comply with them. Failure to comply with these laws and regulations, even if the failure was inadvertent or reflects a difference in interpretation, could subject us to restrictions on our business activities, fines, criminal sanctions and other penalties, and/or damage to our reputation with regulators, our customers or the public. Hiring, training and retaining qualified compliance and legal personnel, and establishing and maintaining risk management and compliance-related systems, infrastructure and processes, is difficult and may lead to increased expenses. These efforts and the associated costs could limit our ability to invest in other business opportunities. Applicable rules and regulations may affect us disproportionately compared to our competitors or in an unforeseen manner. For example, we have a large number of customer accounts in our credit card and auto lending businesses and we have made the strategic choice to originate and service subprime credit card and auto loans, which typically have higher delinquencies and charge-offs than prime customer accounts. As a result, we have significant involvement with credit bureau reporting and the collection and recovery of delinquent and charged-off debt, primarily through customer communications, the filing of litigation against customers in default, the periodic sale of charged-off debt and vehicle repossession. These and other consumer lending activities are subject to enhanced legal and regulatory scrutiny from regulators, courts and legislators. Any future changes to or legal liabilities resulting from our business practices in these areas, including our debt collection practices and the fees we charge, whether mandated by regulators, courts, legislators or otherwise, could have a material adverse impact on our financial condition. The legislative and regulatory environment is beyond our control, may change rapidly and unpredictably, and may negatively influence our revenue, costs, earnings, growth, liquidity and capital levels. For example, there may be future rulemaking in emerging regulatory areas such as climate-related risks and new technologies. In addition, some rules and regulations may be subject to litigation or other challenges that delay or modify their implementation and impact on us. Adoption of new technologies, such as distributed ledger technologies, tokenization, cloud computing, artificial intelligence and machine learning technologies, can present unforeseen challenges in applying and relying on existing compliance systems. 31Capital One Financial Corporation (COF) 31Capital One Financial Corporation (COF) 31Capital One Financial Corporation (COF) 31 Table of Contents Table of Contents Certain laws and regulations, and any interpretations and applications with respect thereto, are generally intended to protect consumers, borrowers, depositors, the DIF, the U.S. banking and financial system, and financial markets as a whole, but not stockholders. Our success depends on our ability to maintain compliance with both existing and new laws and regulations. For a description of the material laws and regulations, including those related to the consumer lending business, to which we are subject, see “Part I—Item 1. Business—Supervision and Regulation.”

Our ability to attract and retain customers is highly dependent upon the perceptions of consumer and commercial borrowers and deposit holders and other external perceptions of our products, services, trustworthiness, business practices, workplace culture, compliance practices or our financial health. Capital One’s brand is one of our most important assets. Maintaining and enhancing our brand depends largely on our ability to continue to provide high-quality products and services. Adverse perceptions regarding our reputation in the consumer, commercial, and funding markets could lead to difficulties in generating, maintaining and financing accounts. In particular, negative public perceptions regarding our reputation, including negative perceptions regarding our ability to maintain the security of our technology systems and protect customer data, could lead to decreases in the levels of deposits that current and potential consumer and commercial customers choose to maintain with us. Negative perceptions may also significantly increase the costs of attracting and retaining customers. In addition, negative perceptions regarding certain industries, partners or clients could also prompt us to cease business activities associated with those entities in order to manage reputational risk. Negative public opinion or damage to our brand could also result from actual or alleged conduct in any number of activities or circumstances, including lending practices, regulatory compliance, cyber-attacks or other security incidents, corporate governance and sales and marketing, and from actions taken by regulators or other persons in response to such conduct. Such conduct could fall short of our customers’ and the public’s heightened expectations of companies of our size with rigorous privacy, data protection, data security and compliance practices, and could further harm our reputation. In addition, our co-brand and private label credit card partners or other third parties with whom we have important relationships may take actions over which we have limited control that could negatively impact perceptions about us or the financial services industry. The proliferation of social media may increase the likelihood that negative public opinion from any of the actual or alleged events discussed above could impact our reputation and business. In addition, a variety of economic or social factors may cause changes in borrowing activity, including credit card use, payment patterns and the rate of defaults by account holders and borrowers domestically and internationally. These economic and social factors include changes in consumer confidence levels, the public’s perception regarding the banking industry and consumer debt, including credit card use, and changing attitudes about the stigma of bankruptcy. If consumers develop or maintain negative attitudes about incurring debt, or consumption trends decline or if we fail to maintain and enhance our brand, or we incur significant expenses to do so, our reputation and business and financial results could be materially and negatively affected. There has also been an increased focus by investor advocacy groups, investment funds and shareholder activists, among others, on topics related to environmental, social and corporate governance policies, and our policies, practices and disclosure in these areas, including those related to climate change. Reputation risk related to corporate policies and practices on environmental, social and corporate governance topics is increasingly complex. Divergent ideological and social views may create competing stakeholder, legislative, and regulatory scrutiny that may impact our reputation. Furthermore, responding to environmental, social and corporate governance considerations and implementing our related goals and initiatives involve risk and uncertainties, require investments and depend in part on third-party performance or data that is outside of our control. There can be no assurance that we will achieve these goals and initiatives or that any such achievements will have the desired results. Our failure to achieve progress in these areas on a timely basis, if at all, could impact our reputation and public perceptions of our business.

Our ability to attract and retain customers is highly dependent upon the perceptions of consumer and commercial borrowers and deposit holders and other external perceptions of our products, services, trustworthiness, business practices, workplace culture, compliance practices or our financial health. In addition, our brand is very important to us. Maintaining and enhancing our brand depends largely on our ability to continue to provide high-quality products and services. Adverse perceptions regarding our reputation in the consumer, commercial and funding markets could lead to difficulties in generating and maintaining accounts as well as in financing them. In particular, negative public perceptions regarding our reputation, including negative perceptions regarding our ability to maintain the security of our technology systems and protect customer data, could lead to decreases in the levels of deposits that consumer and commercial customers and potential customers choose to maintain with us or significantly increase the costs of attracting and retaining customers. In addition, negative perceptions regarding certain industries, partners or clients could also prompt us to cease business activities associated with those entities. Negative public opinion or damage to our brand could also result from actual or alleged conduct in any number of activities or circumstances, including lending practices, regulatory compliance, security breaches (including the use and protection of customer data, such as resulting from the Cybersecurity Incident), corporate governance and sales and marketing, and from actions taken by regulators or other persons in response to such conduct. Such conduct could fall short of our customers’ and the public’s heightened expectations of companies of our size with rigorous privacy, data protection, data security and compliance practices, and could further harm our reputation. In addition, our co-brand and private label partners or other third parties with whom we have important relationships may take actions over which we have limited control that could negatively impact perceptions about us or the financial services industry. The proliferation of social media may increase the likelihood that negative public opinion from any of the events discussed above will impact our reputation and business. In addition, a variety of social factors may cause changes in borrowing activity, including credit card use, payment patterns and the rate of defaults by account holders and borrowers domestically and internationally. These social factors include changes in consumer confidence levels, the public’s perception regarding the banking industry and consumer debt, including credit card use, and changing attitudes about the stigma of bankruptcy. There has also been increased focus by investor advocacy groups, investment funds and shareholder activists, among others, on topics related to environmental, social and corporate governance 36Capital One Financial Corporation (COF) 36Capital One Financial Corporation (COF) 36Capital One Financial Corporation (COF) 36 Table of Contents Table of Contents policies, and our policies, practices and disclosure in these areas, including related to climate change. If these groups consider our efforts unsatisfactory, whether real or perceived, it could also harm our reputation. If consumers develop or maintain negative attitudes about incurring debt, or consumption trends decline or if we fail to maintain and enhance our brand, or we incur significant expenses to do so, our reputation and business and financial results could be materially and negatively affected.

Interchange fees are the amounts established by credit and debit card networks for the purpose of compensating debit and credit card issuers for their role in facilitating card transactions and are a meaningful source of revenue for our credit and debit card businesses. Interchange fees are a revenue source that, for example, covers the issuer’s costs associated with credit and debit card payments, fund rewards programs, offset fraud, management and dispute costs and fund competition and innovation. Interchange fees continue to be the subject of significant and intense global legal, legislative and regulatory focus, and the resulting decisions, legislation and regulation may have a material adverse impact on our overall business, financial condition and results of operations. Legislative and regulatory bodies in a number of countries have sought, or are currently seeking, to reduce interchange fees through legislation, competition-related regulatory proceedings, voluntary agreements, central bank regulation and/or litigation. For credit transactions, interchange reimbursement rates in the United States are set by credit card networks such as MasterCard and Visa. In some jurisdictions, such as Canada and certain countries in Europe, including the U.K., interchange fees and related practices are subject to regulatory activity, including in some cases, imposing caps on permissible interchange fees. Our international card businesses have been impacted by these restrictions. For example, in the U.K., interchange fees are capped for both credit and debit card transactions. In addition, in Canada, Visa and MasterCard payment networks have entered into voluntary 37Capital One Financial Corporation (COF) 37Capital One Financial Corporation (COF) 37Capital One Financial Corporation (COF) 37 Table of Contents Table of Contents agreements with the Department of Finance Canada to maintain an agreed upon average interchange rate. Lowering interchange fees remains an area of domestic and international governmental attention by certain parties. In addition to this regulatory activity, merchants are also seeking avenues to reduce interchange fees. Merchants and their trade groups have filed numerous lawsuits against payment card networks and banks that issue cards on those networks, claiming that their practices toward merchants, including interchange fees, violate federal antitrust laws. In 2005, a number of entities filed antitrust lawsuits against MasterCard and Visa and several member banks, including our subsidiaries and us, alleging among other things, that the defendants conspired to fix the level of interchange fees. For additional information about the lawsuits, see “Part II—Item 8. Financial Statements and Supplementary Data—Note 18—Commitments, Contingencies, Guarantees and Others” for further details. Some major retailers or industry sectors could independently negotiate lower interchange fees with MasterCard and Visa, which could, in turn, result in lower interchange fees for us when our cardholders undertake purchase transactions with these retailers. Merchants continue to lobby Congress aggressively for legislation that would require additional routing requirements for credit cards that are issued on four-party networks, like Visa or MasterCard, which could create a downward pressure on interchange fees should their efforts be successful. Retailers may continue to bring legal proceedings against us or other credit card and debit card issuers and networks in the future. For debit transactions, Regulation II (Debit Card Interchange Fees and Routing) which was issued by the Federal Reserve in 2011, place limits on the interchange fees we may charge and requires additional routing requirements for debit cards issued on four-party networks, like Visa or Mastercard. On October 25, 2023, the Federal Reserve released a notice of proposed rulemaking to revise Regulation II to further reduce the interchange fee cap that debit card issuers covered by Regulation II can receive for debit card transactions. For more information on these rules, please see “Item 1. Business—Supervision and Regulation.” Beyond pursuing litigation, legislation and regulation, merchants may also promote forms of payment with lower fees or seek to impose surcharges or discounts at the point of sale for use of credit or debit cards. New payment systems, particularly mobile-based payment technologies, could also gain widespread adoption and lead to issuer transaction fees or the displacement of credit or debit cards as a payment method. The heightened focus by merchants and legislative and regulatory bodies on the fees charged by credit and debit card networks, and the ability of certain merchants to successfully negotiate discounts to interchange fees with MasterCard and Visa or develop alternative payment systems, could result in a loss of income. Any resulting loss in income to us could have a material adverse effect on our business, financial condition and results of operations.

Interchange fees are generally one of the largest components of the costs that merchants pay in connection with the acceptance of credit and debit cards and are a meaningful source of revenue for our credit and debit card businesses. Interchange fees are the subject of significant and intense global legal, legislative and regulatory focus, and the resulting decisions, legislation and regulation may have a material adverse impact on our overall business, financial condition and results of operations. Legislative and regulatory bodies in a number of countries are seeking to reduce interchange fees through legislation, competition-related regulatory proceedings, voluntary agreements, central bank regulation and/or litigation. For credit transactions, interchange reimbursement rates in the United States are set by credit card networks such as MasterCard and Visa. For debit transactions, Federal Reserve rules place limits on the interchange fees we may charge. For more information on these rules, please see “Part I—Item 1. Business—Supervision and Regulation.” In some jurisdictions, such as Canada and certain countries in Europe, including the U.K., interchange fees and related practices are subject to regulatory activity, including in some cases, imposing caps on permissible interchange fees. Our international card businesses have been impacted by these restrictions. For example, in the U.K., interchange fees are capped for both credit and debit card transactions. In addition, in Canada, Visa and Mastercard payment networks have entered into voluntary agreements with the Department of Finance Canada to maintain an agreed upon average interchange rate. Lowering interchange fees remains an area of domestic and international governmental focus. Legislators and regulators around the world are aware of each other’s approaches to the regulation of the payments industry. Consequently, a development in one country, state or region may influence regulatory approaches in another, such as our primary market, the United States. In addition to this regulatory activity, merchants are also seeking avenues to reduce interchange fees. In the past, merchants and their trade groups have filed numerous lawsuits against Visa, MasterCard, American Express and their card-issuing banks, claiming that their practices toward merchants, including interchange and similar fees, violate federal antitrust laws. In 2005, a number of entities filed antitrust lawsuits against MasterCard and Visa and several member banks, including our subsidiaries and us, alleging among other things, that the defendants conspired to fix the level of interchange fees. In December 2013, the U.S. District Court for the Eastern District of New York granted final approval of the proposed class settlement. The settlement provided, among other things, that merchants would be entitled to join together to negotiate lower interchange fees. The settlement was appealed to the Second Circuit Court of Appeals, which rejected the settlement in June 2016; a revised settlement was reached in the second half of 2018, and the trial court issued its final approval of the settlement in December 2019. See “Part II—Item 8. Financial Statements and Supplementary Data—Note 18—Commitments, Contingencies, Guarantees and Others” for further details. Some major retailers have sufficient bargaining power to independently negotiate lower interchange fees with MasterCard and Visa, which could, in turn, result in lower interchange fees for us when our cardholders undertake purchase transactions with these retailers. Merchants also continue to lobby Congress aggressively for restrictions on interchange fees and their efforts may be successful. Retailers may in the future bring legal proceedings against us or other credit card and debit card issuers and networks. Beyond pursuing litigation, legislation and regulation, merchants may also promote forms of payment with lower fees, such as ACH-based payments, or seek to impose surcharges at the point of sale for use of credit or debit cards. New payment systems, particularly mobile-based payment technologies, could also gain widespread adoption and lead to issuer transaction fees or the displacement of credit card accounts as a payment method. The heightened focus by merchants and legislative and regulatory bodies on the fees charged by credit and debit card networks, and the ability of certain merchants to successfully negotiate discounts to interchange fees with MasterCard and Visa or develop alternative payment systems, could result in a reduction of interchange fees. Any resulting loss in income to us could have a material adverse effect on our business, financial condition and results of operations. 34Capital One Financial Corporation (COF) 34Capital One Financial Corporation (COF) 34Capital One Financial Corporation (COF) 34 Table of Contents Table of Contents

The following is a summary of the Risk Factors disclosure in this Item 1A. This summary does not address all of the risks that we face. Additional discussion of the risks summarized in this risk factor summary, and other risks that we face, can be found below and should be carefully considered, together with other information in this Form 10-K and our other filings with the SEC, before making an investment decision regarding our securities. •The Transaction is contingent upon a number of conditions, including stockholder and regulatory approvals, which may fail to be satisfied or which may delay the consummation of the Transaction or result in the imposition of conditions that could reduce the anticipated benefits from the Transaction or cause the parties to abandon the Transaction. •We are expected to incur substantial expenses related to the Transaction and to the integration of Discover. •We may fail to realize all of the anticipated benefits of the Transaction or those benefits may take longer, or be more difficult, to realize than expected. •Our future results may suffer if we do not effectively manage our expanded operations following the Transaction. •We will be subject to business uncertainties and contractual restrictions while the Transaction is pending. •Changes and instability in the macroeconomic environment could disrupt capital markets, reduce consumer and business activity, and weaken the labor market, all of which could impact borrowers’ ability to service their debt obligations and adversely impact our financial results. •Fluctuations in interest rates or volatility in the capital markets could adversely affect our business, results of operations and financial condition. •We may experience increases or fluctuations in delinquencies and credit losses, or we may incorrectly estimate expected losses, which could result in inadequate reserves. •We may not be able to maintain adequate capital or liquidity levels or may become subject to revised capital or liquidity requirements, which could have a negative impact on our financial results and our ability to return capital to our stockholders. •Limitations on our ability to receive dividends from our subsidiaries could affect our liquidity and ability to pay dividends and repurchase our common stock. •A downgrade in our credit ratings could significantly impact our liquidity, funding costs and access to the capital markets. •We face risks related to our operational, technological and organizational infrastructure. •A cyber-attack or other security incident on us or third parties (including their supply chains) with which we conduct business, including an incident that results in the theft, loss, manipulation or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions. •We face risks resulting from the extensive use of models, AI, and data. 22Capital One Financial Corporation (COF) 22Capital One Financial Corporation (COF) 22Capital One Financial Corporation (COF) 22 Table of Contents Table of Contents •Compliance with new and existing domestic and foreign laws, regulations and regulatory expectations is costly and complex. •Our required compliance with applicable laws and regulations related to privacy, data protection and data security, in addition to compliance with our own privacy policies and contractual obligations to third parties, may increase our costs, reduce our revenue, increase our legal exposure and limit our ability to pursue business opportunities. •Our businesses are subject to the risk of increased litigation, government investigations and regulatory enforcement. •We face intense competition in all of our markets, which could have a material adverse effect on our business and results of operations. •Our business, financial condition and results of operations may be adversely affected by merchants’ efforts to reduce the fees charged by credit and debit card networks to facilitate card transactions, and by legislation and regulation impacting such fees. •If we are not able to invest successfully in and introduce digital and other technological developments across all our businesses, our financial performance may suffer. •We may fail to realize the anticipated benefits of our mergers, acquisitions and strategic partnerships. •Reputational risk and social factors may impact our results and damage our brand. •If we are not able to protect our intellectual property, our revenue and profitability could be negatively affected. •Our risk management strategies may not be fully effective in mitigating our risk exposures in all market environments or against all types of risk. •Our business could be negatively affected if we are unable to attract, develop, retain and motivate key senior leaders and skilled employees. •We face risks from catastrophic events. •Climate change manifesting as physical or transition risks could adversely affect our businesses, operations and customers and result in increased costs. •We face risks from the use of or changes to assumptions or estimates in our financial statements. •The soundness of other financial institutions and other third parties, actual or perceived, could adversely affect us.

The following is a summary of the Risk Factors disclosure in this Item 1A. This summary does not address all of the risks that we face. Additional discussion of the risks summarized in this risk factor summary, and other risks that we face, can be found below and should be carefully considered, together with other information in this Form 10-K and our other filings with the SEC, before making an investment decision regarding our securities. •Changes and instability in the macroeconomic environment, consumer confidence and customer behavior may adversely affect our business. •Fluctuations in market interest rates or volatility in the capital markets could adversely affect our business. •Our results of operations may be adversely affected by the effects of the COVID-19 pandemic. 21Capital One Financial Corporation (COF) 21Capital One Financial Corporation (COF) 21Capital One Financial Corporation (COF) 21 Table of Contents Table of Contents •We may experience increases or fluctuations in delinquencies and credit losses, inaccurate estimates and inadequate reserves. •We may not be able to maintain adequate capital or liquidity levels or may become subject to revised capital or liquidity requirements, which could have a negative impact on our financial results and our ability to return capital to our stockholders. •Limitations on our ability to receive dividends from our subsidiaries could affect our liquidity and ability to pay dividends and repurchase common stock. •We face risks related to our operational, technological and organizational infrastructure. •A cyber-attack or other security incident, including one that results in the theft, loss, manipulation or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions. •Our required compliance with applicable laws and regulations related to privacy, data protection and data security may increase our costs, reduce our revenue, increase our legal exposure and limit our ability to pursue business opportunities. •We face risks resulting from the extensive use of models and data. •Compliance with new and existing laws, regulations and regulatory expectations is costly and complex. •Our businesses are subject to the risk of increased litigation, government investigations and regulatory enforcement. •We face intense competition in all of our markets. •Our business, financial condition and results of operations may be adversely affected by merchants’ increasing focus on the fees charged by credit and debit card networks and by legislation and regulation impacting such fees. •If we are not able to invest successfully in and introduce digital and other technological developments across all our businesses, our financial performance may suffer. •We may fail to realize the anticipated benefits of our mergers, acquisitions and strategic partnerships. •Reputational risk and social factors may impact our results and damage our brand. •If we are not able to protect our intellectual property, our revenue and profitability could be negatively affected. •Our risk management strategies may not be fully effective in mitigating our risk exposures in all market environments or against all types of risk. •The transition away from London Interbank Offered Rate may adversely affect our business. •Our business could be negatively affected if we are unable to attract, retain and motivate key senior leaders and skilled employees. •We face risks from catastrophic events. •Climate change manifesting as physical or transition risks could adversely affect our businesses, operations and customers. •We face risks from the use of or changes to assumptions or estimates in our financial statements. •The soundness of other financial institutions and other third parties could adversely affect us. 22Capital One Financial Corporation (COF) 22Capital One Financial Corporation (COF) 22Capital One Financial Corporation (COF) 22 Table of Contents Table of Contents

Like other financial institutions, our business is sensitive to interest rate movements and the performance of the capital markets. We rely on access to the capital markets to fund our operations and to grow our business. Our ability to borrow from other financial institutions or to engage in funding transactions on favorable terms or at all could be adversely affected by disruptions, uncertainty or volatility in the capital markets. Additionally, increased charge-offs, rising interest rates, increased refinancing activity and other events may cause our securitization transactions to amortize earlier than scheduled or reduce the value of the securities that we hold for liquidity purposes, which could accelerate our need for additional funding from other sources. We could also experience impairments of other financial assets and other negative impacts on our financial position, including possible constraints on liquidity and capital, as well as higher costs of capital. Additionally, changes in interest rates could adversely affect the results of our operations and financial condition. For example, if inflation were to remain elevated or begin to increase, interest rates could increase further. Higher interest rates increase our borrowing costs and may require us to increase the interest we pay on funds deposited with us and may reduce the market value of our securities holdings. If interest rates continue to increase or if higher interest rates persist for an extended period of time, our expenses may increase further. If the rate of economic growth decreased sharply, causing the Federal Reserve to lower interest rates, our net income could be adversely affected. Additionally, a shrinking yield premium between short-term and long-term market interest rates could adversely impact the rates that we pay on our liabilities and the rates that we earn on our assets and thus affect our profitability. We assess our interest rate risk by estimating the effect on our earnings, economic value and capital under various scenarios that differ based on assumptions about the direction and the magnitude of interest rate changes. We take risk mitigation actions based on those assessments. We face the risk that changes in interest rates could materially reduce our net interest income and our earnings, especially if actual conditions turn out to be materially different than those we assumed. Furthermore, interest rate fluctuations and competitor responses to those changes may have a material adverse effect on our financial condition and results of operations, as customers or commercial clients default on their loans, maintain lower deposit levels or, in the case of credit card accounts, reduce demand for credit or (for existing customers) the level of borrowing or purchase activity. For example, increases in interest rates increase debt service requirements for some of our borrowers, which may adversely affect those borrowers’ ability to pay as contractually obligated. This could result in additional or fluctuating delinquencies or charge-offs and negatively impact our results of operations. These changes could reduce the overall yield on our interest-earning asset portfolio. An inability to attract or maintain deposits could materially affect our ability to fund our business and our liquidity position. Many other financial institutions have increased their reliance on deposit funding and, as such, we expect continued competition in the deposit markets. We cannot predict how this competition will affect our costs. If we are required to offer higher interest rates to attract or maintain deposits, our funding costs will be adversely impacted. 26Capital One Financial Corporation (COF) 26Capital One Financial Corporation (COF) 26Capital One Financial Corporation (COF) 26 Table of Contents Table of Contents Changes in valuations in the debt and equity markets could have a negative impact on the assets we hold in our investment portfolio. Such market changes could also have a negative impact on the valuation of assets for which we provide servicing. See “Part II—Item 7. MD&A—Market Risk Profile” and “We face intense competition in all of our markets” for additional information.

Like other financial institutions, our business is sensitive to interest rate movements and the performance of the capital markets. We rely on access to the capital markets to fund our operations and to grow our business. Our ability to borrow from other financial institutions or to engage in funding transactions on favorable terms or at all could be adversely affected by disruptions, uncertainty or volatility in the capital markets or other events, including changing credit rating agency requirements. For example, a credit rating downgrade could affect our ability to access the capital markets, increase our funding costs and have a negative impact on our results of operations. Additionally, increased charge-offs, rising interest rates and other events may cause our securitization transactions to amortize earlier than scheduled or reduce the value of the securities that we hold for liquidity purposes, which could accelerate our need for additional funding from other sources. Additionally, changes in interest rates could adversely affect the results of our operations and financial condition. For example, we borrow money from other institutions and depositors, which we use to make loans to customers and invest in debt securities and other interest-earning assets. We earn interest on these loans and assets and pay interest on the money we borrow from institutions and depositors. In response to inflationary pressures, the Federal Reserve has reversed its policy of maintaining the low benchmark federal funds interest rate over the last several years. In March 2022, the Federal Reserve began increasing the benchmark federal funds interest rate and has signaled its intention to continue to raise interest rates in an effort to tame 23Capital One Financial Corporation (COF) 23Capital One Financial Corporation (COF) 23Capital One Financial Corporation (COF) 23 Table of Contents Table of Contents inflation. Thus, the amount of interest that we pay on certain borrowings has increased and could increase further. Additionally, a shrinking yield premium between short-term and long-term market interest rates and in the relationship between our funding basis rate and our lending basis rate and inflation could affect our profitability. We assess our interest rate risk by estimating the effect on our earnings, economic value and capital under various scenarios that differ based on assumptions about the direction and the magnitude of interest rate changes. We take risk mitigation actions based on those assessments. We face the risk that changes in interest rates could materially reduce our net interest income and our earnings, especially if actual conditions turn out to be materially different than those we assumed. See “Part II—Item 7. MD&A—Market Risk Profile” for additional information. Furthermore, interest rate fluctuations and competitor responses to those changes may affect the rate of customer prepayments for auto and other term loans and may affect the balances customers carry on their credit cards and their balances in the deposits accounts they have with us. For example, increases in interest rates increase debt service requirements for some of our borrowers, which may adversely affect those borrowers’ ability to pay as contractually obligated. This could result in additional or fluctuating delinquencies or charge-offs and negatively impact our results of operations. These changes can reduce the overall yield on our interest-earning asset portfolio. An inability to attract or maintain deposits could materially affect our ability to fund our business and our liquidity position. Many other financial institutions have increased their reliance on deposit funding and, as such, we expect continued competition in the deposit markets. We cannot predict how this competition will affect our costs. If we are required to offer higher interest rates to attract or maintain deposits, our funding costs will be adversely impacted. Changes in valuations in the debt and equity markets could have a negative impact on the assets we hold in our investment portfolio. Such market changes could also have a negative impact on the valuation of assets for which we provide servicing.

42Capital One Financial Corporation (COF) 42Capital One Financial Corporation (COF) 42Capital One Financial Corporation (COF) 42 Table of Contents Table of Contents Our ability to engage in routine funding and other transactions could be adversely affected by the stability and actions of other financial services institutions. Financial services institutions are interrelated as a result of trading, clearing, servicing, counterparty and other relationships. We have exposure to financial institutions, intermediaries and counterparties that are exposed to risks over which we have little or no control. Recently, several financial services institutions have failed or required outside liquidity support, in many cases, as a result of the inability of the institutions to obtain needed liquidity. For example, during 2023, Silicon Valley Bank, Signature Bank and First Republic Bank were closed and placed under FDIC receivership. This has led to additional risk for other financial services institutions and the financial services industry generally as a result of increased lack of confidence in the financial sector. The failure of other banks and financial institutions and the measures taken by governments, businesses and other organizations in response to these events could adversely impact our business, financial condition and results of operations. For information on the FDIC’s special assessment following the closures of Silicon Valley Bank and Signature Bank, see “Item 1. Business—Supervision and Regulation.” In addition, we routinely execute transactions with counterparties in the financial services industry, including brokers and dealers, commercial banks, investment banks, mutual and hedge funds and other institutional clients, resulting in a significant credit concentration with respect to the financial services industry overall. As a result, defaults by, or even rumors or questions about, one or more financial services institutions, or the financial services industry generally, have led to market-wide liquidity problems and could lead to losses or defaults by us or by other institutions. Likewise, adverse developments affecting the overall strength and soundness of our competitors, the financial services industry as a whole and the general economic climate and the U.S. Treasury market could have a negative impact on perceptions about the strength and soundness of our business even if we are not subject to the same adverse developments. In addition, adverse developments with respect to third parties with whom we have important relationships also could negatively impact perceptions about us. These perceptions about us could cause our business to be negatively affected and exacerbate the other risks that we face. Moreover, the speed with which information spreads through social media, enhanced technology and other news sources on the Internet and the ease with which customers transact may amplify the onset and negative effects from such perceptions.

Our ability to engage in routine funding and other transactions could be adversely affected by the stability and actions of other financial services institutions. Financial services institutions are interrelated as a result of trading, clearing, servicing, counterparty and other relationships. We have exposure to financial institutions, intermediaries and counterparties that are exposed to risks over which we have little or no control. In addition, we routinely execute transactions with counterparties in the financial services industry, including brokers and dealers, commercial banks, investment banks, mutual and hedge funds and other institutional clients, resulting in a significant credit concentration with respect to the financial services industry overall. As a result, defaults by, or even rumors or questions about, one or more financial services institutions, or the financial services industry generally, have led to market-wide liquidity problems and could lead to losses or defaults by us or by other institutions. Likewise, adverse developments affecting the overall strength and soundness of our competitors, the financial services industry as a whole and the general economic climate and the U.S. Treasury market could have a negative impact on perceptions about the strength and soundness of our business even if we are not subject to the same adverse developments. In addition, adverse 39Capital One Financial Corporation (COF) 39Capital One Financial Corporation (COF) 39Capital One Financial Corporation (COF) 39 Table of Contents Table of Contents developments with respect to third parties with whom we have important relationships also could negatively impact perceptions about us. These perceptions about us could cause our business to be negatively affected and exacerbate the other risks that we face.

We rely on quantitative models and the use of AI, as well as our ability to manage and aggregate data in an accurate and timely manner, to assess and manage our various risk exposures, create estimates and forecasts, and manage compliance with regulatory capital requirements. We continue to invest in building new capabilities that employ new AI technologies such as generative AI, and we expect our use of these technologies to increase over time. However, there are significant risks involved in utilizing models and AI and no assurance can be provided that our use will produce only intended or beneficial results. AI may subject us to new or heightened legal, regulatory, ethical, or other challenges; and negative public opinion of AI could impair the acceptance of AI solutions. If the models or AI solutions that we create or use are deficient, inaccurate or controversial, we could incur operational inefficiencies, competitive harm, legal liability, brand or reputational harm, or other adverse impacts on our business and financial results. We also may incur liability through the violation of applicable laws and regulations, third-party intellectual property, privacy or other rights, or contracts to which we are a party. We may use models and AI in processes such as determining the pricing of various products, identifying potentially fraudulent transactions, grading loans and extending credit, measuring interest rate and other market risks, predicting deposit levels or loan losses, assessing capital adequacy, calculating managerial and regulatory capital levels, estimating the value of financial instruments and balance sheet items, and other operational functions. Development and implementation of some of these models , such as the models for credit loss accounting under CECL, require us to make difficult, subjective and complex judgments. Our risk reporting and management, including business decisions based on information incorporating models and the use of AI, depend on the effectiveness of our models and AI and our policies, programs, processes and practices governing how data, models and AI, as applicable, are acquired, validated, stored, protected, processed and analyzed. Any issues with the quality or effectiveness of our data aggregation and validation procedures, as well as the quality and integrity of data inputs, formulas or algorithms, could result in inaccurate forecasts, ineffective risk management practices or inaccurate risk reporting. In addition, models and AI based on historical data sets might not be accurate predictors of future outcomes and their ability to appropriately predict future outcomes may degrade over time due to limited historical patterns, extreme or unanticipated market movements or customer behavior and liquidity, especially during severe market downturns or stress events (e.g., geopolitical or pandemic events). While we continuously update our policies, programs, processes and practices, many of our data management, modeling, AI, aggregation and implementation processes are manual and may be subject to human error, data limitations, process delays or system failure. Failure to manage data effectively and to aggregate data in an accurate and timely manner may limit our ability to manage current and emerging risk, to produce accurate financial, regulatory and operational reporting as well as to manage changing business needs. If our Framework is ineffective, we could suffer unexpected losses which could materially adversely affect our results of operation or financial condition. Also, any information we provide to the public or to our regulators based on incorrectly designed or implemented models or AI could be inaccurate or misleading. Some of the decisions that our regulators make, including those related to capital distribution to our stockholders, could be affected adversely due to the perception that the quality of the data, models and AI used to generate the relevant information is insufficient. In addition, regulation of AI is rapidly evolving worldwide as legislators and regulators are increasingly focused on these powerful emerging technologies. The technologies underlying AI and its uses are subject to a variety of laws and regulations, including intellectual property, privacy, data protection and information security, consumer protection, competition, and equal opportunity laws, and are expected to be subject to increased regulation and new laws or new applications of existing laws and regulations. AI is the subject of ongoing review by various U.S. governmental and regulatory agencies, and various U.S. states and other foreign jurisdictions are applying, or are considering applying, their platform moderation, privacy, data protection and data security laws and regulations to AI or are considering general legal frameworks for AI. We may not be able to anticipate how to respond to these rapidly evolving frameworks, and we may need to expend resources to adjust our offerings in certain jurisdictions if the legal frameworks are inconsistent across jurisdictions. Furthermore, because AI technology itself is highly complex and rapidly developing, it is not possible to predict all of the legal, operational or technological risks that may arise relating to the use of AI.

We rely on quantitative models and our ability to manage and aggregate data in an accurate and timely manner to assess and manage our various risk exposures, create estimates and forecasts, and manage compliance with regulatory capital requirements. Models may be used in processes such as determining the pricing of various products, grading loans and extending credit, measuring interest rate and other market risks, predicting deposit levels or loan losses, assessing capital adequacy, calculating managerial and regulatory capital levels, estimating the value of financial instruments and balance sheet items, and other operational functions. Our risk reporting and management, including business decisions based on information incorporating models, depend on the effectiveness of our models and our policies, programs, processes and practices governing how data or models, as applicable, are acquired, validated, stored, protected, processed and analyzed. Any issues with the quality or effectiveness of our data aggregation and validation procedures, as well as the quality and integrity of data inputs, formulas or algorithms, could result in inaccurate forecasts, ineffective risk management practices or inaccurate risk reporting. In addition, models based on historical data sets might not be accurate predictors of future outcomes and their ability to appropriately predict future outcomes may degrade over time. While we continuously update our policies, programs, processes and practices, many of our data management, modeling, aggregation and implementation processes are manual and may be subject to human error, data limitations, process delays or system failure. Failure to manage data effectively and to aggregate data in an accurate and timely manner may limit our ability to manage current and emerging risk, to produce accurate financial, regulatory and operational reporting as well as to manage changing business needs. If our Framework is ineffective, we could suffer unexpected losses which could materially adversely affect our results of operation or financial condition. Also, any information we provide to the public or to our regulators based on poorly designed or implemented models could be inaccurate or misleading. Some of the decisions that our regulators make, including those related to capital distribution to our stockholders, could be affected adversely due to the perception that the quality of the models used to generate the relevant information is insufficient.

Changes and instability in the macroeconomic environment may lead to changes in payment patterns, increases or fluctuations in delinquencies and default rates and decrease consumer spending. Because we offer a broad array of financial products and services to consumers, small businesses and commercial clients, our financial results are impacted by the level of consumer and business activity and the demand for our products and services. A prolonged period of economic weakness, volatility, slow growth, or a significant deterioration in economic conditions, in the U.S., Canada or the U.K., could have a material adverse effect on our financial condition and results of operations as customers or commercial clients default on their loans, maintain lower deposit levels or, in the case of credit card accounts, carry lower balances and reduce credit card purchase activity. Some of the factors that could disrupt capital markets, reduce consumer and business activity, and weaken the labor market include the following: •Monetary policy actions, such as changes to interest rates, taken by the Federal Reserve and other central banks, such as the central banks in the United Kingdom and Canada; •Geopolitical conflicts or instabilities, such as the war between Ukraine and Russia and the war between Israel and Hamas, and increased geopolitical tensions between the U.S. and China; 25Capital One Financial Corporation (COF) 25Capital One Financial Corporation (COF) 25Capital One Financial Corporation (COF) 25 Table of Contents Table of Contents •Trade wars, tariffs, labor shortages and disruptions of global supply chains; •The effects of divided government in the U.S., including government shutdowns whether recurring, prolonged or otherwise, and developments related to the U.S. federal debt ceiling; •Inflation and deflation, including the effects of related governmental responses; •Concerns over a potential recession, which may lead to adjustments in spending patterns; •Lower demand for credit and shifts in consumer behavior, including shifts away from using credit cards, changes in deposit practices, and changes in and payment patterns; and •Ongoing changes in usage of commercial real estate, which may have a sustained negative impact on utilization rates and values. Decreases in overall business activity and changes in customer behavior may lead to increases in our charge-off rate caused by bankruptcies and may reduce our ability to recover debt that we have previously charged-off. Such changes may also decrease the reliability of our internal processes and models, including those we use to estimate our allowance for credit losses, particularly if unexpected variations in key inputs and assumptions cause actual losses to diverge from the projections of our models and our estimates become increasingly subject to management’s judgment. See “We face risks resulting from the extensive use of models, AI, and data.”

We offer a broad array of financial products and services to consumers, small businesses and commercial clients. A prolonged period of economic volatility, slow growth, or a significant deterioration in economic conditions, in the U.S., Canada or the U.K., could have a material adverse effect on our financial condition and results of operations as customers default on their loans, maintain lower deposit levels or, in the case of credit card accounts, carry lower balances and reduce credit card purchase activity. Some of the risks we face in connection with adverse changes and instability in the macroeconomic environment and changes in consumer confidence levels and behavior, include the following: •Monetary policies and actions taken by the Federal Reserve and other central banks or governmental authorities; •Economic deterioration due to escalation of military hostilities or other geopolitical instabilities; •Changes in payment patterns, increases or fluctuations in delinquencies and default rates, decreased consumer spending, inflation, fluctuation in interest rates, lower demand for credit and shifts in consumer behavior, including deposits and payments; •Increases in our charge-off rate caused by bankruptcies and reduced ability to recover debt that we have previously charged-off; •Recent changes in usage of commercial real estate, which may have a sustained negative impact on utilization rates and values; •Decreased reliability of the process and models, including those we use to estimate our allowance for credit losses, particularly if unexpected variations in key inputs and assumptions cause actual losses to diverge from the projections of our models and our estimates become increasingly subject to management’s judgment. See “We face risks resulting from the extensive use of models and data.” The U.K. and the EU agreed to a free trade deal at the end of 2020 relating to the U.K.’s exit from the EU. Although this deal has provided greater near-term stability, there is still some degree of uncertainty as to the relationship between the U.K and the EU, which may increase volatility in the regional and global financial markets. In addition, the global economy, including economic conditions in the U.K., has been negatively impacted by the war between Russia and Ukraine. Continued escalation of geopolitical tensions related to the war, including increased trade barriers or restrictions on global trade, could further deteriorate international economic conditions. We continue to consider and monitor the potential impacts of the relationship between the U.K. and EU, as well as the war between Russia and Ukraine.