---
ticker: NTRS
company: NTRS
filing_type: 10-K
year_current: 2024
year_prior: 2023
risks_added: 2
risks_removed: 1
risks_modified: 25
risks_unchanged: 25
source: SEC EDGAR
url: https://riskdiff.com/ntrs/2024-vs-2023/
markdown_url: https://riskdiff.com/ntrs/2024-vs-2023/index.md
generated: 2026-06-01
---

# NTRS: 10-K Risk Factor Changes 2024 vs 2023

> Source: U.S. Securities and Exchange Commission (EDGAR)  
> Generated: 2026-06-01  
> All data extracted directly from official filings. No hallucinated content.

## Summary

| Status | Count |
|--------|-------|
| New risks added | 2 |
| Risks removed | 1 |
| Risks modified | 25 |
| Unchanged | 25 |

---

## New in Current Filing: We are highly dependent on information technology systems and networks, many of which are operated by third parties, and any failures of, or disruptions to, our or such third parties' technological systems or networks could materially and adversely affect our business.

Our business is dependent on our and third parties' information technology systems and networks. Any failure, interruption or breach in the security of any such systems or networks could severely disrupt our operations and could subject us to liability claims, harm our reputation, interrupt our operations, or otherwise adversely affect our business, financial condition or results of operations. Additionally, our computer, communications, data processing, networks, backup, business continuity or other operating, information or technology systems, including those that we outsource to providers, may fail to operate properly or become disabled, overloaded or damaged as a result of a number of factors, including events that are wholly or partially beyond our control, which could have a negative effect on our ability to conduct our business activities. The third parties with which we do business also are susceptible to the foregoing risks (including regarding the third parties with which they are similarly interconnected or on which they otherwise rely), and our or their business operations and activities may therefore be affected adversely, perhaps materially, by failures, terminations, errors or malfeasance by, or attacks or constraints on, one or more financial, technology, infrastructure or government institutions or intermediaries with whom we or they are interconnected or conduct business. 2023 ANNUAL REPORT | NORTHERN TRUST CORPORATION 19 Our business interruption insurance may be inadequate to compensate us for all losses that may occur as a result of any system, network or operational failure or disruption.

---

## New in Current Filing: We are subject to complex and evolving laws, regulations, rules, standards and contractual obligations regarding data privacy and security, which could increase the cost of doing business, compliance risks and potential liability.

We are subject to complex and evolving laws, regulations, rules, standards and contractual obligations governing data privacy and security, which may differ and potentially conflict, in various jurisdictions, and any failure to comply with these laws, regulations, rules, standards and contractual obligations could expose us to liability and/or reputational damage. Regulators globally are introducing the potential for greater monetary fines on institutions that suffer from breaches leading to the loss, misappropriation or unauthorized access, use or disclosure of personal, confidential, proprietary or sensitive information. Most U.S. states, the EU and other non-U.S. jurisdictions also have adopted their own statutes and/or regulations concerning data privacy and security and notification of data breaches. These and other changes in laws or regulations associated with the enhanced protection of personal and other types of information could greatly increase compliance costs, the size of potential fines related to the protection of such information and reporting obligations in the case of cyber-attacks or other information security incidents. Compliance with these laws, regulations, rules and standards may require us to change and continuously update our policies, procedures and technology controls for information security, which could, among other things, make us more vulnerable to operational failures and to monetary penalties for breach of such laws, regulations, rules and standards. In the U.S., there are numerous federal, state and local data privacy and security laws and regulations governing the collection, sharing, use, retention, disclosure, security, storage, transfer and other processing of personal information. At the federal level, we are subject to, among other laws and regulations, the rules and regulations promulgated under the authority of the Federal Trade Commission and the Gramm-Leach-Bliley Act. Moreover, the U.S. 
Congress has recently considered, and is currently considering, various proposals for more comprehensive data privacy and security legislation, to which we may be subject if enacted. At the state level, we are subject to laws and regulations such as the CCPA. Numerous other states also have enacted, or are in the process of enacting or considering, comprehensive state-level data privacy and security laws and regulations that share similarities with the CCPA. Moreover, laws in all 50 U.S. states require businesses to provide notice under certain circumstances to consumers whose personal information has been disclosed as a result of a data breach. At the international level, we are subject to the GDPR and UK GDPR and similar laws are in effect or being considered in other jurisdictions in which we operate across the globe. While the GDPR and the UK GDPR remain substantially similar for the time being, the UK government has announced that it would seek to chart its own path on data protection and reform its relevant laws, including in ways that may differ from the GDPR, to an extent. Legal developments in the EEA and the UK also have created complexity and uncertainty regarding processing and transfers of personal data from the EEA and the UK to the U.S. and other so-called third countries outside the EEA and the UK that have not been determined by the relevant data protection authorities to provide an adequate level of protection for privacy rights. Importantly, significant monetary fines have been imposed since the introduction of such stringent privacy laws in the EU and the UK and regulatory expectations on governance and accountability in the protection of privacy and data continue to increase.
Further, while we strive to publish and prominently display privacy notices and policies that are accurate, comprehensive, and compliant with applicable laws, regulations, rules and industry standards, we cannot ensure that our privacy policies and other statements regarding our practices will be considered sufficient to protect us from claims, proceedings, liability or adverse publicity relating to data privacy and security, considering the fast-evolving regulatory expectations. Although we endeavor to comply with our privacy policies, we may at times fail to do so or be alleged to have failed to do so. The publication of our privacy policies and other documentation that provide promises and assurances about data privacy and security can subject us to potential government or legal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices. Any concerns about our data privacy and security practices, even if unfounded, could damage our reputation and adversely affect our business. Any failure or perceived failure by us to comply with our privacy policies, or applicable data privacy and security laws, regulations, rules, standards or contractual obligations, or any compromise of security that results in unauthorized access to, or unauthorized loss, destruction, use, modification, acquisition, disclosure, release or transfer of personal information, may result in requirements to modify or cease certain operations or practices, the expenditure of substantial costs, time and other resources, proceedings or actions against us, legal liability, governmental investigations, enforcement actions, claims, fines, judgments, awards, penalties, sanctions and costly litigation (including class actions). 
Any of the foregoing could harm our reputation, distract our management and technical personnel, increase our costs of doing business, adversely affect the demand for our products and services, and ultimately result in the imposition of liability, any of which could have a material adverse effect on our business, financial condition and results of operations.

---

## No Match in Current: The transition away from LIBOR or changes in the method pursuant to which other interest rate benchmarks are determined could adversely impact our business and results of operations.

*This section from the 2023 filing does not have a high-confidence textual match in 2024. It may have been removed, merged, or substantially reworded.*

Global regulators have taken steps to discontinue the publication and use of interbank offered rates (each, an IBOR), encourage the development and use of alternative reference rates, and examine the progress regulated entities such as Northern Trust are making to transition from IBORs to alternative reference rates. Publication of 1-week and 2-month USD LIBOR ceased as of December 31, 2021, and publication of the remaining USD LIBOR tenors are expected to continue until June 30, 2023. USD LIBOR historically has been a widely used interest rate benchmark and the reference rate for our floating-rate funding, certain of the products that we own, various lending and securities transactions in which we are involved, and certain of the derivatives that we use to manage our or our clients' risk. Some regulators have prohibited the use of any LIBOR benchmarks in new contracts and have required that regulated entities transition existing contracts to another benchmark prior to June 30, 2023. Although the setting of such LIBOR benchmarks may continue to be available, such prohibitions and requirements or any other change in the availability or calculation of LIBOR or other interest rate benchmarks may affect adversely the cost or availability of floating-rate funding; the yield on loans or securities held by us; the amounts received and paid on derivative instruments we have entered into; the value of loans, securities, or derivative instruments held by us or our clients, which, in the case of assets held by our clients, could also negatively impact the amount of fees we earn in relation to such assets; the trading market for securities based on LIBOR or other benchmarks; the terms of new loans being made using different or modified reference rates; or our ability to use
derivative instruments to manage risk effectively. Various regulators, industry bodies and other market participants in the United States and other countries have developed and continue to refine alternative rate benchmarks for various financial products. While there is no consensus on what rate or rates may become accepted by market participants as alternatives to LIBOR for new contracts after LIBOR publication ceases, a group of large banks and the Alternative Reference Rate Committee (ARRC) identified, and the Federal Reserve Bank of New York in May 2018 started to publish, the Secured Overnight Finance Rate (SOFR) as its preferred alternative to LIBOR. The Adjustable Interest Rate (LIBOR) Act (the LIBOR Act) signed into law in March 2022, provides for the use of interest rates based on SOFR in certain contracts currently based on LIBOR and a safe harbor from liability for utilizing SOFR-based interest rates as a replacement for LIBOR. In December 2022, the Federal Reserve Board adopted a final rule implementing the LIBOR Act by identifying benchmark rates based on SOFR that will replace LIBOR in certain financial contracts after June 30, 2023. SOFR has different characteristics than LIBOR and may demonstrate less predictable behavior over time and across different monetary, market, and economic environments; therefore, it is unclear the extent to which SOFR will become a widely accepted replacement for LIBOR. We are working to facilitate an orderly transition from USD LIBOR to alternative interest rate benchmarks for us and our clients and, in accordance with guidance from U.S. regulators, including the Federal Reserve Board, we stopped offering USD LIBOR in new contracts and began offering SOFR as an alternative to USD LIBOR in 2021. While some existing USD LIBOR loans will mature or be prepaid, a portion of our loans will remain and potentially require us to name a replacement index before June 30, 2023, the date USD LIBOR ceases. 
We are currently in the process of evaluating all such transitions. The language in our USD LIBOR-based contracts and financial instruments has developed over time and may have various events that trigger when a successor rate to the designated rate would be selected. If a trigger is satisfied, contracts and financial instruments may give a party discretion to determine the substitute index or indices for the calculation of interest rates to be selected. Additionally, the transition to alternative rates may change our market risk profile, requiring changes to risk and pricing models. While some instruments may contemplate a scenario where LIBOR is no longer available by providing an alternative rate setting methodology, not all instruments may have such provisions and there is significant uncertainty regarding the effectiveness of any such alternative methodologies. There continues to be uncertainty regarding the effect that these developments, any discontinuance, modification or other reforms to LIBOR or any other interest rate benchmarks, or the establishment of alternative reference rates may have on LIBOR or other interest rate benchmarks. Further, the transition away from the use of LIBOR and the adoption of alternative interest rate benchmarks, and uncertainty related to any such transition or adoption, has caused, and may in the future cause, us to recognize additional costs. It may also cause us to experience operational disruptions or result in client disputes or litigation, which may negatively impact our business, financial condition or results of operations.

---

## Modified: Our dependence on technology, and the need to update frequently our technology infrastructure, exposes us to risks that also can result in losses.

**Key changes:**

- Reworded sentence: "Due to our dependence on technology and the important role it plays in our business operations, combined with the increasing sophistication and frequency of potential cyber-attacks and other information security incidents, we must constantly improve and update our information technology infrastructure."
- Reworded sentence: "In recent years, there has been an acceleration in the transition from traditional to digital financial services and heightened customer expectations in this area, and this transition may require us to invest greater resources in technological advancements."

**Prior (2023):**

Our businesses depend on information technology infrastructure, both internal and external, to record and process, among other things, a large volume of increasingly complex transactions and other data, in many currencies, on a daily basis, across numerous and diverse markets and jurisdictions. Due to our dependence on technology and the important role it plays in our business operations, combined with the increasing sophistication and frequency of potential cyber incidents, we must constantly improve and update our information technology infrastructure. Upgrading, replacing, and modernizing these systems can require significant resources and often involves implementation, integration and security risks that could cause financial, reputational, and operational harm. In some cases, the COVID-19 pandemic has accelerated the transition from traditional to digital financial services and heightened customer expectations in this area, and this transition may require us to invest greater resources in technological advancements. Failure to ensure adequate review and consideration of critical business and regulatory issues prior to and during the introduction and deployment of key technological systems or failure to align operational capabilities adequately with evolving client commitments and expectations may have a negative impact on our results of operations. The failure to respond properly to, and invest in, changes and advancements in technology and/or to compete for and retain employees with the necessary technical skills and expertise could limit our ability to attract and retain clients, prevent us from offering products and services comparable to those offered by our competitors, inhibit our ability to meet regulatory requirements or otherwise have a material adverse effect on our operations.

**Current (2024):**

Our businesses depend on information technology infrastructure, both internal and external, to record and process, among other things, a large volume of increasingly complex transactions and other data, in many currencies, on a daily basis, across numerous and diverse markets and jurisdictions. Due to our dependence on technology and the important role it plays in our business operations, combined with the increasing sophistication and frequency of potential cyber-attacks and other information security incidents, we must constantly improve and update our information technology infrastructure. Upgrading, replacing, and modernizing these systems can require significant resources and often involves implementation, integration and security risks that could cause financial, reputational, and operational harm. In recent years, there has been an acceleration in the transition from traditional to digital financial services and heightened customer expectations in this area, and this transition may require us to invest greater resources in technological advancements. Failure to ensure adequate review and consideration of critical business and regulatory issues prior to and during the introduction and deployment of key technological systems or networks or failure to align operational capabilities adequately with evolving client commitments and expectations may have a negative impact on our results of operations. The failure to respond properly to, and invest in, changes and advancements in technology and/or to compete for and retain employees with the necessary technical skills and expertise could limit our ability to attract and retain clients, prevent us from offering products and services comparable to those offered by our competitors, inhibit our ability to meet regulatory requirements or otherwise have a material adverse effect on our operations. 

---

## Modified: Changes in tax laws and interpretations and challenges to our tax positions may affect our earnings negatively.

**Prior (2023):**

Both U.S. and non-U.S. governments and tax authorities, including states and municipalities, from time to time issue new, or modify existing, tax laws and regulations. These authorities may also issue new, or modify existing, interpretations of those laws and regulations. These new laws, regulations or interpretations, and our actions taken in response to, or reliance upon, such changes in the tax laws may impact our tax position in a manner that affects our earnings negatively. In the course of our business, we are sometimes subject to challenges from U.S. and non-U.S. tax authorities, including states and municipalities, regarding the amount of taxes due. These challenges may result in adjustments to the timing or amount of taxable income, deductions, tax credits, or the allocation of income among tax jurisdictions, all of which may require a greater provision for taxes or otherwise affect earnings negatively.

**Current (2024):**

Both U.S. and non-U.S. governments and tax authorities, including states and municipalities, from time to time issue new, or modify existing, tax laws and regulations. These authorities may also issue new, or modify existing, interpretations of those laws and regulations. These new laws, regulations or interpretations, and our actions taken in response to, or reliance upon, such changes in the tax laws may impact our tax position in a manner that affects our earnings negatively. In the course of our business, we are sometimes subject to challenges from U.S. and non-U.S. tax authorities, including states and municipalities, regarding the amount of taxes due. These challenges may result in adjustments to the timing or amount of taxable income, deductions, tax credits, or the allocation of income among tax jurisdictions, all of which may require a greater provision for taxes or otherwise affect earnings negatively.

---

## Modified: Our operations, businesses and clients could be materially adversely affected by the effects of climate change or concerns related thereto.

**Key changes:**

- Reworded sentence: "The physical risks of climate change include rising average global temperatures, rising sea levels, and an increase in the frequency and severity of extreme weather events and natural disasters."
- Reworded sentence: "Climate change could also result in transition risk arising from changes in policy, regulations, technology, business practices or market preferences toward a lower-carbon economy which could adversely impact us or our clients."
- Reworded sentence: "We also face regulatory and liability risk associated with greenwashing claims, a failure to execute on our public climate-related commitments, or by association with individuals, entities, industries or products that may be inconsistent with our stated positions on climate change issues."
- Reworded sentence: "Even as regulators begin to mandate additional disclosure of climate-related information by companies across sectors, methodologies and data used to conduct more robust climate-related risk analyses are still in development."

**Prior (2023):**

Risks related to climate change may impact our business, financial condition, and results of operations adversely. The physical risks of climate change include rising average global temperatures, rising sea levels, and an increase in the frequency and severity of extreme weather events. Such developments could disrupt our operations and resilience capabilities, those of our clients, or third parties on which we rely. Further, the consequences of climate change could negatively impact our clients' ability to pay outstanding loans, reduce the value of collateral, or result in insurance shortfalls. Climate change could also result in transition risk arising from changes in regulations or market preferences toward a low-carbon economy. Changes in consumer and/or investor preferences, new legislation, and expanded regulatory requirements related to climate risk could adversely impact us or our clients. Our reputation and business prospects may also be damaged if we do not, or are perceived not to, effectively prepare for the potential business and operational opportunities and risks associated with climate change, including through the development and marketing of effective and competitive new products and services designed to address our clients' climate risk-related needs. These risks include negative market perception, diminished sales effectiveness and regulatory and litigation consequences associated with greenwashing claims or a failure to execute on our public climate-related commitments or driven by association with individuals, entities, industries or products that may be inconsistent with our stated positions on climate change issues. At the same time, certain financial institutions have also been subject to significant scrutiny by regulatory agencies and government officials and other criticism and negative publicity as a result of their decisions to reduce their involvement in certain industries or projects perceived to be associated with climate change. 
If we do not identify, quantify, and mitigate such risks successfully, we may experience financial losses, litigation, reputational harm, and losses of investor and stakeholder confidence. Even as regulators begin to mandate additional disclosure of climate-related information by companies across sectors, there may continue to be a lack of information for more robust climate-related risk analyses. Third-party exposures to climate-related risks and other data generally are limited in availability and variable in quality. Modeling capabilities across the industry to analyze climate-related risks and interconnections are improving but remain incomplete. Legislative or regulatory uncertainties and changes regarding climate-related risk management and disclosures are likely to result in higher regulatory, compliance, credit, reputational and other risks and costs, and may subject us to evolving and potentially conflicting requirements in the various jurisdictions in which we operate.

**Current (2024):**

Risks related to climate change may impact our business, financial condition, and results of operations adversely. The physical risks of climate change include rising average global temperatures, rising sea levels, and an increase in the frequency and severity of extreme weather events and natural disasters. Such developments could disrupt our operations and resilience capabilities, those of our clients, or third parties on which we rely. Further, the consequences of climate change could negatively impact our clients' ability to pay outstanding loans, reduce the value of collateral, or result in insurance shortfalls. Climate change could also result in transition risk arising from changes in policy, regulations, technology, business practices or market preferences toward a lower-carbon economy which could adversely impact us or our clients. These impacts could result in increased operational or compliance costs, higher energy expenses, additional taxes, and the devaluation of assets. Our reputation and business prospects may also be damaged if we do not, or are perceived not to, effectively prepare for the potential business and operational opportunities and risks associated with climate change, including through the development and marketing of effective and competitive new products and services designed to address our clients' climate risk-related needs. We also face regulatory and liability risk associated with greenwashing claims, a failure to execute on our public climate-related commitments, or by association with individuals, entities, industries or products that may be inconsistent with our stated positions on climate change issues. At the same time, certain financial institutions have also been subject to significant scrutiny by regulatory agencies and government officials and other criticism and negative publicity as a result of their decisions to reduce their involvement in certain industries or projects perceived to be associated with climate change. 
If we do not identify, quantify, and mitigate such risks successfully, we may experience financial losses, litigation, reputational harm, and losses of investor and stakeholder confidence. Even as regulators begin to mandate additional disclosure of climate-related information by companies across sectors, methodologies and data used to conduct more robust climate-related risk analyses are still in development. Third‑party exposures, emissions, climate-related risks, and other data are limited in availability and variable in quality. Modeling capabilities across the industry to analyze climate-related risks and interconnections are improving but remain imperfect. These legislative and regulatory uncertainties along with inconsistencies and conflicts of policy across jurisdictions, and changes regarding climate-related risk management and disclosures are likely to result in higher regulatory, compliance, credit, reputational and other risks and costs.

---

## Modified: Pandemics, natural disasters, global climate change, acts of terrorism, geopolitical tensions, and global conflicts may have a negative impact on our business and operations.

**Key changes:**

- Reworded sentence: "Pandemics, natural disasters, global climate change, acts of terrorism, geopolitical tensions, global conflicts (including the continuing military conflicts involving Ukraine and the Russian Federation and Israel and Hamas) or other similar events, as well as government actions or other restrictions in connection with such events, have had in the past, or may in the future have, a negative impact on our business and operations."
- Reworded sentence: "If the subcustodian or clearing agency were to become insolvent in circumstances not involving expropriation of assets or other sovereign risk events and/or factors or events beyond our reasonable control that excuse performance under force majeure or other contractual provisions, the risk of loss on such cash on deposit may potentially be incurred by us."

**Prior (2023):**

Pandemics, natural disasters, global climate change, acts of terrorism, geopolitical tensions, global conflicts (including the continuing military conflict involving Ukraine and the Russian Federation) or other similar events have had in the past, or may in the future have, a negative impact on our business and operations. While we have in place business continuity plans, such events may still damage our facilities, disrupt or delay the normal operations of our business (including communications and technology), result in harm to or cause travel limitations on our employees, impose significant compliance costs with new financial and economic sanctions regimes, and have a similar impact on our clients, suppliers, third-party vendors and counterparties. For example, in some jurisdictions such as the Russian Federation, local market restrictions, laws, sanctions programs or government intervention inhibit our clients' and our ability to access or transfer cash or securities held for clients through subcustodians and clearing agencies. When such client deposit liabilities are on our consolidated balance sheet, we maintain a corresponding amount of cash on deposit with the subcustodian or clearing agency, which increases our credit exposure to that entity and can accumulate over time based upon distributions on, or other activities related to, our clients' assets. If the subcustodian or clearing agency were to become insolvent in circumstances not involving expropriation of assets or other sovereign risk events and/or factors or events beyond our reasonable control that excuse performance under force majeure or other contractual provisions, the risk of loss on such cash on deposit may potentially be incurred by us.
As of December 31, 2022, we held cash that accumulates in relation to Russian securities with our subcustodian and/or clearing agencies for the benefit of certain clients in our Asset Servicing business which are subject to restrictions which inhibit our ability to access or transfer such deposits, and which amount is expected to increase significantly over time as long as the sanctions and other relevant restrictions remain in effect. The foregoing or similar events also could impact us negatively to the extent that they result in reduced capital markets activity, lower asset price levels, or disruptions in general economic activity in the United States or abroad, or in financial market settlement functions. In addition, these or similar events may impact economic growth negatively, which could have an adverse effect on our business and operations, and may have other adverse effects on us in ways that we are unable to predict. Please see "Strategic Risks" in this "Risk Factors" section for further description of risks associated with climate change.

**Current (2024):**

Pandemics, natural disasters, global climate change, acts of terrorism, geopolitical tensions, global conflicts (including the continuing military conflicts involving Ukraine and the Russian Federation and Israel and Hamas) or other similar events, as well as government actions or other restrictions in connection with such events, have had in the past, or may in the future have, a negative impact on our business and operations. While we have in place business continuity plans, such events may still damage our facilities, disrupt or delay the normal operations of our business (including communications and technology), result in harm to or cause travel limitations on our employees, impose significant compliance costs with new financial and economic sanctions regimes, and have a similar impact on our clients, suppliers, third-party vendors and counterparties. For example, in some jurisdictions such as the Russian Federation, local market restrictions, laws, sanctions programs or government intervention inhibit our clients' and our ability to access or transfer cash or securities held for clients through subcustodians and clearing agencies. When such client deposit liabilities are on our consolidated balance sheet, we maintain a corresponding amount of cash on deposit with the subcustodian or clearing agency, which increases our credit exposure to that entity and can accumulate over time based upon distributions on, or other activities related to, our clients' assets. If the subcustodian or clearing agency were to become insolvent in circumstances not involving expropriation of assets or other sovereign risk events and/or factors or events beyond our reasonable control that excuse performance under force majeure or other contractual provisions, the risk of loss on such cash on deposit may potentially be incurred by us. 
As of December 31, 2023, we held cash that accumulates in relation to Russian securities with our subcustodian and/or clearing agencies for the benefit of certain clients in our Asset Servicing business which are subject to restrictions that inhibit our ability to access or transfer such deposits, and which amount is expected to increase significantly over time as long as the sanctions and other relevant restrictions remain in effect. Our subcustodian is also a subsidiary of a large, global financial institution with whom we have other credit exposures, which may limit the financial relationship we may have with this counterparty and has in the past made, and may in the future make, compliance with specific U.S. regulatory single counterparty credit limits more challenging. The foregoing or similar events also could impact us negatively to the extent that they result in reduced capital markets activity, lower asset price levels, or disruptions in general economic activity in the U.S. or abroad, or in financial market settlement functions. In addition, these or similar events may impact economic growth negatively, which could have an adverse effect on our business and operations, and may have other adverse effects on us in ways that we are unable to predict. Please see "Strategic Risks" in this "Risk Factors" section for further description of risks associated with climate change.

---

## Modified: Operational Risks

**Key changes:**

- Reworded sentence: "We are highly dependent on information technology systems, and networks, many of which are operated by third parties, and any failures of, or disruptions to, our or such third parties' technological systems or networks could materially and adversely affect our business."

**Prior (2023):**

- Many types of operational risks can affect our earnings negatively.
- Failures of, or disruptions to, our technological systems or breaches of our security measures, including, but not limited to, those resulting from cyber-attacks, may result in losses.
- Errors, breakdowns in controls or other mistakes in the provision of services to clients or in carrying out transactions for our own account can subject us to liability, result in losses or have a negative effect on our earnings in other ways.
- Our dependence on technology, and the need to update frequently our technology infrastructure, exposes us to risks that also can result in losses.
- A failure or circumvention of our controls and procedures could have a material adverse effect on our business, financial condition and results of operations.
- Failure of any of our third-party vendors (or their vendors) to perform can result in losses.
- We are subject to certain risks inherent in operating globally which may affect our business adversely.
- Failure to control our costs and expenses adequately could affect our earnings negatively.
- Pandemics, natural disasters, global climate change, acts of terrorism, geopolitical tensions, and global conflicts may have a negative impact on our business and operations.

**Current (2024):**

- Many types of operational risks can affect our earnings negatively.
- We are highly dependent on information technology systems, and networks, many of which are operated by third parties, and any failures of, or disruptions to, our or such third parties' technological systems or networks could materially and adversely affect our business.
- Breaches of our security measures, including, but not limited to, those resulting from cyber-attacks, or other information security incidents may result in losses.
- Errors, breakdowns in controls or other mistakes in the provision of services to clients or in carrying out transactions for our own account can subject us to liability, result in losses or have a negative effect on our earnings in other ways.
- Our dependence on technology, and the need to update frequently our technology infrastructure, exposes us to risks that also can result in losses.
- A failure or circumvention of our controls and procedures could have a material adverse effect on our business, financial condition and results of operations.
- Failure of any of our third-party vendors (or their vendors) to perform can result in losses.
- We are subject to certain risks inherent in operating globally which may affect our business adversely.
- Failure to control our costs and expenses adequately could affect our earnings negatively.
- Pandemics, natural disasters, global climate change, acts of terrorism, geopolitical tensions, and global conflicts may have a negative impact on our business and operations.

---

## Modified: Failure to comply with regulations and/or supervisory expectations can result in penalties and regulatory constraints that restrict our ability to grow or even conduct our business, or that reduce earnings.

**Key changes:**

- Reworded sentence: "These regulations cover a variety of matters, including prohibited activities, required capital levels, resolution planning, human trafficking and modern slavery, and data privacy and security."

**Prior (2023):**

Virtually every aspect of our business around the world is regulated, generally by domestic and foreign governmental agencies that have broad supervisory powers and the ability to impose sanctions. These regulations cover a variety of matters, including prohibited activities, required capital levels, resolution planning, human trafficking and modern slavery, and privacy and data protection. Some of these requirements are directed specifically at protecting depositors of the Bank, the federal deposit insurance fund and the banking system as a whole, not our stockholders or other security holders. Regulatory violations or the failure to meet formal or informal commitments made to regulators could generate penalties, require corrective actions that increase costs of conducting business, result in limitations on our ability to conduct business, restrict our ability to expand or impact our reputation adversely. Failure to obtain necessary approvals from regulatory agencies, whether formal or based upon supervisory expectations, on a timely basis could affect proposed business opportunities and results of operations adversely. Similarly, changes in laws or failure to comply with new requirements or with future changes in laws or regulations may impact our results of operations and financial condition negatively.

**Current (2024):**

Virtually every aspect of our business around the world is regulated, generally by domestic and foreign governmental agencies that have broad supervisory powers and the ability to impose sanctions. These regulations cover a variety of matters, including prohibited activities, required capital levels, resolution planning, human trafficking and modern slavery, and data privacy and security. Some of these requirements are directed specifically at protecting depositors of the Bank, the U.S. DIF and the banking system as a whole, not our stockholders or other security holders. Regulatory violations or the failure to meet formal or informal commitments made to regulators could generate penalties, require corrective actions that increase costs of conducting business, result in limitations on our ability to conduct business, restrict our ability to expand or impact our reputation adversely. Failure to obtain necessary approvals from regulatory agencies, whether formal or based upon supervisory expectations, on a timely basis could affect proposed business opportunities and results of operations adversely. Similarly, changes in laws or failure to comply with new requirements or with future changes in laws or regulations may impact our results of operations and financial condition negatively.

---

## Modified: The systems and models we employ to analyze, monitor and mitigate risks, as well as for other business purposes, are inherently limited, may not be effective in all cases and, in any case, cannot eliminate all risks that we face.

**Key changes:**

- Added sentence: "Models based on historical data sets might not be accurate predicators of future outcomes and their ability to appropriately predict future outcomes may degrade over time due to limited historical patterns, extreme or unanticipated market movements or customer behavior and liquidity, especially during severe market downturns or stress events (e.g., geopolitical or pandemic events)."

**Prior (2023):**

We use various systems and models in analyzing and monitoring several risk categories, as well as for other business purposes. While we assess and improve these systems and models on an ongoing basis, there can be no assurance that they, along with other related controls, will effectively mitigate risk under all circumstances, or that they will adequately mitigate any risk or loss to us. As with any systems and models, there are inherent limitations because they involve techniques and judgments that cannot anticipate every economic and financial outcome in the markets in which we operate, nor can they anticipate the specifics and timing of such outcomes. Further, these systems and models may fail to quantify accurately the magnitude of the risks we face or they may not be effective against all types of risk, including risks that are unidentified or unanticipated. Our measurement methodologies rely on many assumptions and historical analyses and correlations. These assumptions may be incorrect, and the historical correlations on which we rely may not continue to be relevant. Consequently, the measurements that we make may not adequately capture or express the true risk profiles of our businesses or provide accurate data for other business purposes, each of which ultimately could have a negative impact on our business, financial condition and results of operations. Errors in the underlying model or model assumptions, or inadequate model assumptions, could result in unanticipated and adverse consequences, including material loss or noncompliance with regulatory requirements or expectations.

**Current (2024):**

We use various systems and models in analyzing and monitoring several risk categories, as well as for other business purposes. While we assess and improve these systems and models on an ongoing basis, there can be no assurance that they, along with other related controls, will effectively mitigate risk under all circumstances, or that they will adequately mitigate any risk or loss to us. As with any systems and models, there are inherent limitations because they involve techniques and judgments that cannot anticipate every economic and financial outcome in the markets in which we operate, nor can they anticipate the specifics and timing of such outcomes. Further, these systems and models may fail to quantify accurately the magnitude of the risks we face or they may not be effective against all types of risk, including risks that are unidentified or unanticipated. Our measurement methodologies rely on many assumptions and historical analyses and correlations. These assumptions may be incorrect, and the historical correlations on which we rely may not continue to be relevant. Models based on historical data sets might not be accurate predicators of future outcomes and their ability to appropriately predict future outcomes may degrade over time due to limited historical patterns, extreme or unanticipated market movements or customer behavior and liquidity, especially during severe market downturns or stress events (e.g., geopolitical or pandemic events). Consequently, the measurements that we make may not adequately capture or express the true risk profiles of our businesses or provide accurate data for other business purposes, each of which ultimately could have a negative impact on our business, financial condition and results of operations. Errors in the underlying model or model assumptions, or inadequate model assumptions, could result in unanticipated and adverse consequences, including material loss or noncompliance with regulatory requirements or expectations. 

---

## Modified: Credit Risks

**Key changes:**

- Removed sentence: "The transition away from LIBOR or changes in the method pursuant to which other interest rate benchmarks are determined could adversely impact our business and results of operations."

**Prior (2023):**

- Failure to evaluate accurately the prospects for repayment when we extend credit or maintain an adequate allowance for credit losses can result in losses or the need to make additional provisions for credit losses, both of which reduce our earnings.
- Market volatility and/or weak economic conditions can result in losses or the need for additional provisions for credit losses, both of which reduce our earnings.
- The failure or perceived weakness of any of our significant counterparties could expose us to loss.
- The transition away from LIBOR or changes in the method pursuant to which other interest rate benchmarks are determined could adversely impact our business and results of operations.

**Current (2024):**

- Failure to evaluate accurately the prospects for repayment when we extend credit or maintain an adequate allowance for credit losses can result in losses or the need to make additional provisions for credit losses, both of which reduce our earnings.
- Market volatility and/or weak economic conditions can result in losses or the need for additional provisions for credit losses, both of which reduce our earnings.
- The failure or perceived weakness of any of our significant counterparties could expose us to loss.

---

## Modified: We may fail to set aside adequate reserves for, or otherwise underestimate our liability relating to, pending and threatened claims, with a negative effect on our earnings.

**Prior (2023):**

We estimate our potential liability for pending and threatened claims and record reserves when appropriate pursuant to generally accepted accounting principles (GAAP). The process is inherently subject to risk, including the risks that a judge or jury could decide a case contrary to our evaluation of the law or the facts or that a court could change or modify existing law on a particular issue important to the case. Our earnings will be adversely affected if our reserves are not adequate.

**Current (2024):**

We estimate our potential liability for pending and threatened claims and record reserves when appropriate pursuant to generally accepted accounting principles (GAAP). The process is inherently subject to risk, including the risks that a judge or jury could decide a case contrary to our evaluation of the law or the facts or that a court could change or modify existing law on a particular issue important to the case. Our earnings will be adversely affected if our reserves are not adequate.

---

## Modified: If we are not able to attract, retain and motivate personnel, our business could be negatively affected.

**Key changes:**

- Reworded sentence: "These laws and regulations may not apply in the same manner to all financial institutions and other companies, which therefore may subject us to more restrictions than other institutions and companies with which we compete for talent and may also hinder our ability to compete for talent with other industries."
- Reworded sentence: "The unexpected loss of services of necessary personnel, both in businesses and corporate functions, could have a material adverse impact on our business because of their skills; knowledge of our markets, operations and clients; years of industry experience; and, in some cases, the difficulty of promptly finding qualified replacement personnel."
- Reworded sentence: "A competitive labor market may also have the effect of heightening many of these risks."

**Prior (2023):**

Our success depends, in large part, on our ability to attract new employees, retain and motivate our existing employees, and continue to compensate our employees competitively. Competition for the best employees in most activities in which we engage can be intense, and there can be no assurance that we will be successful in our efforts to recruit and retain necessary personnel. Factors that affect our ability to attract and retain talented and diverse employees include our compensation and benefits programs, our profitability and our reputation for rewarding and promoting qualified employees. Our ability to attract and retain key executives and other employees may be hindered as a result of existing and potential regulations applicable to incentive compensation and other aspects of our compensation programs. These regulations may not apply to some of our competitors and to other institutions with which we compete for talent. In addition, our current or future approach to in-office and remote work arrangements may not meet the needs or expectations of our current or prospective employees, may not be perceived as favorable as compared to the arrangements offered by competitors and may not be conducive to a collaborative working environment, which could adversely affect our ability to attract, retain and motivate employees. The unexpected loss of services of necessary personnel, both in businesses and corporate functions, could have a material adverse impact on our business because of their skills, knowledge of our markets, operations and clients, years of industry experience and, in some cases, the difficulty of promptly finding qualified replacement personnel. Similarly, the loss of necessary employees, either individually or as a group, could affect our clients' perception of our abilities adversely. The current competitive labor market may also have the effect of heightening many of these risks. 

**Current (2024):**

Our success depends, in large part, on our ability to attract new employees, retain and motivate our existing employees, and continue to compensate our employees competitively. Competition for the best employees in most activities in which we engage can be intense, and there can be no assurance that we will be successful in our efforts to recruit and retain necessary personnel. Factors that affect our ability to attract and retain talented and diverse employees include our compensation and benefits programs, our profitability and our reputation for rewarding and promoting qualified employees. Our ability to attract and retain key executives and other employees may be hindered as a result of existing and potential regulations applicable to incentive compensation and other aspects of our compensation programs. These laws and regulations may not apply in the same manner to all financial institutions and other companies, which therefore may subject us to more restrictions than other institutions and companies with which we compete for talent and may also hinder our ability to compete for talent with other industries. In addition, our current or future approach to in-office and remote work arrangements may not meet the needs or expectations of our current or prospective employees, may not be perceived as favorable as compared to the arrangements offered by competitors and may not be conducive to a collaborative working environment, which could adversely affect our ability to attract, retain and motivate employees. The unexpected loss of services of necessary personnel, both in businesses and corporate functions, could have a material adverse impact on our business because of their skills; knowledge of our markets, operations and clients; years of industry experience; and, in some cases, the difficulty of promptly finding qualified replacement personnel. 
Similarly, the loss of necessary employees, either individually or as a group, could affect our clients' perception of our abilities adversely. A competitive labor market may also have the effect of heightening many of these risks.

---

## Modified: We may take actions to maintain client satisfaction that result in losses or reduced earnings.

**Prior (2023):**

We may take action or incur expenses in order to maintain client satisfaction or preserve the usefulness of investments or investment vehicles we manage in light of changes in security ratings, liquidity or valuation issues or other developments, even though we are not required to do so by law or the terms of governing instruments. The risk that we will decide to take actions to maintain client satisfaction that result in losses or reduced earnings is greater in periods when credit or equity markets are deteriorating in value or are particularly volatile and liquidity in markets is disrupted.

**Current (2024):**

We may take action or incur expenses in order to maintain client satisfaction or preserve the usefulness of investments or investment vehicles we manage in light of changes in security ratings, liquidity or valuation issues or other developments, even though we are not required to do so by law or the terms of governing instruments. The risk that we will decide to take actions to maintain client satisfaction that result in losses or reduced earnings is greater in periods when credit or equity markets are deteriorating in value or are particularly volatile and liquidity in markets is disrupted.

---

## Modified: Regulatory and Legal Risks

**Key changes:**

- Added sentence: "We are subject to extensive and evolving government regulation and supervision that impacts our operations."
- Added sentence: "We are subject to complex and evolving laws, regulations, rules, standards and contractual obligations regarding data privacy and security, which could increase the cost of doing business, compliance risks and potential liability."
- Reworded sentence: "The ultimate impact on us of regulatory divergence between the United Kingdom and the European Union remains uncertain."

**Prior (2023):**

- Failure to comply with regulations and/or supervisory expectations can result in penalties and regulatory constraints that restrict our ability to grow or even conduct our business, or that reduce earnings.
- Changes by the U.S. and other governments to laws, regulations and policies applicable to the financial services industry may heighten the challenges we face and make regulatory compliance more difficult and costly.
- We may be impacted adversely by claims or litigation, including claims or litigation relating to our fiduciary responsibilities.
- We may be impacted adversely by supervisory and/or regulatory enforcement matters.
- We may fail to set aside adequate reserves for, or otherwise underestimate our liability relating to, pending and threatened claims, with a negative effect on our earnings.
- The ultimate impact on us of the United Kingdom's withdrawal from the European Union remains uncertain.
- If we fail to comply with legal standards, we could incur liability to our clients or lose clients, which could affect our earnings negatively.

**Current (2024):**

- Failure to comply with regulations and/or supervisory expectations can result in penalties and regulatory constraints that restrict our ability to grow or even conduct our business, or that reduce earnings.
- We are subject to extensive and evolving government regulation and supervision that impacts our operations. Changes by the U.S. and other governments to laws, regulations and policies applicable to the financial services industry may heighten the challenges we face and make regulatory compliance more difficult and costly.
- We are subject to complex and evolving laws, regulations, rules, standards and contractual obligations regarding data privacy and security, which could increase the cost of doing business, compliance risks and potential liability.
- We may be impacted adversely by claims or litigation, including claims or litigation relating to our fiduciary responsibilities.
- We may be impacted adversely by supervisory and/or regulatory enforcement matters.
- We may fail to set aside adequate reserves for, or otherwise underestimate our liability relating to, pending and threatened claims, with a negative effect on our earnings.
- The ultimate impact on us of regulatory divergence between the United Kingdom and the European Union remains uncertain.
- If we fail to comply with legal standards, we could incur liability to our clients or lose clients, which could affect our earnings negatively.

---

## Modified: Market volatility and/or weak economic conditions can result in losses or the need for additional provisions for credit losses, both of which reduce our earnings.

**Key changes:**

- Reworded sentence: "Adverse changes in the financial performance or condition of our borrowers resulting from market volatility, elevated interest rates, and/or weakened economic conditions could impact the borrowers' abilities to repay outstanding loans, which could in turn impact our financial condition and results of operations negatively."

**Prior (2023):**

Credit risk levels and our earnings can be affected by market volatility and/or weakness in the economy in general and in the particular locales in which we extend credit, a deterioration in credit quality, or a reduced demand for credit. Adverse changes in the financial performance or condition of our borrowers resulting from market volatility and/or weakened economic conditions could impact the borrowers' abilities to repay outstanding loans, which could in turn impact our financial condition and results of operations negatively.

**Current (2024):**

Credit risk levels and our earnings can be affected by market volatility and/or weakness in the economy in general and in the particular locales in which we extend credit, a deterioration in credit quality, or a reduced demand for credit. Adverse changes in the financial performance or condition of our borrowers resulting from market volatility, elevated interest rates, and/or weakened economic conditions could impact the borrowers' abilities to repay outstanding loans, which could in turn impact our financial condition and results of operations negatively.

---

## Modified: We may need to raise additional capital in the future, which may not be available to us or may only be available on unfavorable terms.

**Key changes:**

- Reworded sentence: "For example, in the event of future turmoil in the banking industry or other idiosyncratic events, there is no guarantee that the U.S."

**Prior (2023):**

We may need to raise additional capital to provide sufficient resources to meet our business needs and commitments, to accommodate the transaction and cash management needs of our clients, to maintain our credit ratings in response to regulatory changes, including capital rules, or for other purposes. However, our ability to access the capital markets, if needed, will depend on a number of factors, including the state of the financial markets. Rising interest rates, disruptions in financial markets, negative perceptions of our business or our financial strength, or other factors may impact our ability to raise additional capital, if needed, on terms acceptable to us. Any diminished ability to raise additional capital, if needed, could subject us to liability, restrict our ability to grow, require us to take actions that would affect our earnings negatively or otherwise affect our business and our ability to implement our business plan, capital plan and strategic goals adversely.

**Current (2024):**

We may need to raise additional capital to provide sufficient resources to meet our business needs and commitments, to accommodate the transaction and cash management needs of our clients, to maintain our credit ratings in response to regulatory changes, including capital rules, or for other purposes. However, our ability to access the capital markets, if needed, will depend on a number of factors, including the state of the financial markets. Rising interest rates, disruptions in financial markets, negative perceptions of our business or our financial strength, or other factors may impact our ability to raise additional capital, if needed, on terms acceptable to us. For example, in the event of future turmoil in the banking industry or other idiosyncratic events, there is no guarantee that the U.S. government will invoke the systemic risk exception, create additional liquidity programs, or take any other action to stabilize the banking industry or provide liquidity. Any diminished ability to access short-term funding or capital markets to raise additional capital, if needed, could subject us to liability, restrict our ability to grow, require us to take actions that would affect our earnings negatively or otherwise affect our business and our ability to implement our business plan, capital plan and strategic goals adversely.

---

## Modified: Failure of any of our third-party vendors (or their vendors) to perform can result in losses.

**Key changes:**

- Reworded sentence: "While we have established risk management processes and continuity plans, any disruptions in service from a key vendor for any reason or poor performance of services have in the past and could in the future have a negative effect on our ability to deliver products and services to our clients and conduct our business."

**Prior (2023):**

Third-party vendors provide key components of our business operations such as data processing, recording and monitoring transactions, online banking interfaces and services, and network access. Our use of third-party vendors exposes us to the risk that such vendors (or their vendors) may not comply with their servicing and other contractual obligations, including with respect to indemnification and information security, and to the risk that we may not satisfy applicable regulatory responsibilities regarding the management and oversight of third parties and outsourcing providers. While we have established risk management processes and continuity plans, any disruptions in service from a key vendor for any reason or poor performance of services could have a negative effect on our ability to deliver products and services to our clients and conduct our business. Replacing these third-party vendors or performing the tasks they perform for ourselves could create significant delay and expense. 20 2022 ANNUAL REPORT | NORTHERN TRUST CORPORATION

**Current (2024):**

Third-party vendors provide key components of our business operations such as data processing, recording and monitoring transactions, online banking interfaces and services, and network access. Our use of third-party vendors exposes us to the risk that such vendors (or their vendors) may not comply with their servicing and other contractual obligations, including with respect to indemnification and information security, and to the risk that we may not satisfy applicable regulatory responsibilities regarding the management and oversight of third parties and outsourcing providers. While we have established risk management processes and continuity plans, any disruptions in service from a key vendor for any reason or poor performance of services have in the past and could in the future have a negative effect on our ability to deliver products and services to our clients and conduct our business. Replacing these third-party vendors or performing the tasks they perform for ourselves has in the past and could in the future create significant delay and expense.

---

## Modified: Changes in the monetary, trade and other policies of various regulatory authorities, central banks, governments and international agencies may reduce our earnings and affect our growth prospects negatively.

**Key changes:**

- Reworded sentence: "For example, the Federal Reserve Board regulates the supply of money and credit in the U.S."

**Prior (2023):**

The monetary, trade and other policies of U.S. and international governments, agencies and regulatory bodies have a significant impact on economic conditions and overall financial market performance. For example, the Federal Reserve Board regulates the supply of money and credit in the United States, and its policies determine in large part the level of interest rates and our cost of funds for lending and investing, and play a role in contributing to or moderating levels of inflation, all of which meaningfully impact our earnings. Recent actions of the Federal Reserve Board and other regulatory authorities have reduced the value of financial instruments we hold and may continue to do so in the future. Further, their policies can affect our borrowers by increasing interest rates or making sources of funding less available, which may increase the risk that borrowers fail to repay their loans from us. Changes in monetary, trade and other governmental policies are beyond our control and can be difficult to predict, and we cannot determine the ultimate effect that any such changes would have upon our business, financial condition or results of operations.

**Current (2024):**

The monetary, trade and other policies of U.S. and international governments, agencies and regulatory bodies have a significant impact on economic conditions and overall financial market performance. For example, the Federal Reserve Board regulates the supply of money and credit in the U.S. through quantitative tightening and/or easing, and its policies determine in large part the level of interest rates and our cost of funds for lending and investing, and play a role in contributing to or moderating levels of inflation, all of which meaningfully impact our earnings. Further, their policies can affect our borrowers by increasing interest rates or making sources of funding less available, which may increase the risk that borrowers fail to repay their loans from us. Changes in monetary, trade and other governmental policies are beyond our control and can be difficult to predict, and we cannot determine the ultimate effect that any such changes would have upon our business, financial condition or results of operations.

---

## Modified: Breaches of our security measures, including, but not limited to, those resulting from cyber-attacks or other information security incidents, may result in losses.

**Key changes:**

- Reworded sentence: "Our systems involve the storage, transmission and other processing of clients' and our personal, proprietary, confidential and sensitive information, and security breaches, including cyber-attacks or other information security incidents, could expose us to a risk of theft, loss, destruction, gathering, monitoring, dissemination, misappropriation, misuse, alteration, or unauthorized disclosure of or unauthorized access to this information."
- Reworded sentence: "Data privacy and security risks for large financial institutions like us are significant in part because of the evolving proliferation of new technologies, the use of internet-based solutions, mobile devices, and cloud technologies to conduct financial transactions and the increased sophistication and rapidly evolving techniques of hackers, terrorists, organized crime and other external parties, including foreign state actors and state-sponsored actors, any of which may see their effectiveness enhanced by the use of artificial intelligence."
- Reworded sentence: "Reliance on mobile or cloud technology or any failure by mobile technology and cloud service providers to adequately safeguard their systems and networks and prevent cyber-attacks or other information security incidents could disrupt our operations or the operations of our or their service providers and result in misappropriation, corruption or loss of personal, confidential, proprietary, or other sensitive information or the inability to conduct ordinary business operations."
- Added sentence: "A vulnerability in our service providers' software or systems, a failure of our service providers' safeguards, policies or procedures, or a cyber-attack or other information security incident affecting any of these third parties could harm our business."
- Reworded sentence: "We and our clients have been, and expect to continue to be, subject to a wide variety of cyber-attacks and other similar threats, including computer viruses, ransomware and other malicious code, distributed denial-of-service attacks, and phishing and vishing attacks, and it is possible that we could suffer material losses resulting from a breach."

**Prior (2023):**

Our business is dependent on our and third parties' information technology systems. Despite our implementation of a variety of security measures, our computer systems, networks, and data could be subject to cyber-attacks and unauthorized access, use, alteration, or destruction, such as from physical and electronic break-ins or unauthorized tampering, malware and computer virus attacks, or system failures and disruptions. Any failure, interruption or breach in the security of our systems could severely disrupt our operations and could subject us to liability claims, harm our reputation, interrupt our operations, or otherwise adversely affect our business, financial condition or results of operations. Our systems involve the processing, storage and transmission of clients' and our proprietary and confidential information, and security breaches, including cyber-attacks, could expose us to a risk of theft, loss or other misappropriation of this information. Our security measures may be breached due to the actions of outside parties, employee error, failure of our controls with respect to access to our systems, malfeasance or otherwise, and, as a result, an unauthorized party may obtain access to our or our clients' proprietary and confidential information, resulting in the theft, loss, destruction, gathering, monitoring, dissemination, or other misappropriation of this information. Additionally, our computer, communications, data processing, networks, backup, business continuity or other operating, information or technology systems, including those that we outsource to other providers, may fail to operate properly or become disabled, overloaded or damaged as a result of a number of factors, including events that are wholly or partially beyond our control, which could have a negative effect on our ability to conduct our business activities. 
Additionally, we are subject to complex and evolving laws and regulations governing cybersecurity, data privacy and data protection, which may differ and potentially conflict, in various jurisdictions. Regulators globally are introducing the potential for greater monetary fines on institutions that suffer from breaches leading to the misappropriation of such information. Most states, the EU and other non-U.S. jurisdictions also have adopted their own statutes and/or regulations concerning data privacy and security and notification of data breaches. These and other changes in laws or regulations associated with the enhanced protection of personal and other types of information could greatly increase compliance costs and the size of potential fines related to the protection of such information. Information security and data privacy risks for large financial institutions like us are significant in part because of the evolving proliferation of new technologies, the use of internet-based solutions, mobile devices, and cloud technologies to conduct financial transactions and the increased sophistication and rapidly evolving techniques of hackers, terrorists, organized crime and other external parties, including foreign state actors. If we fail to continue to upgrade our technology infrastructure to ensure effective information security and data privacy relative to the type, size and complexity of our operations, we could become more vulnerable to cyber-attack and, consequently, subject to significant regulatory penalties and reputational damage. Also, like many large enterprises, in response to the COVID-19 pandemic in recent years, a significant portion of our workforce has shifted to a hybrid work environment that includes a combination of in-office and remote work. 
The increase in remote work and remote access to our systems, initially driven by the COVID-19 pandemic, also introduces potential vulnerabilities to cyber threats. The third parties with which we do business also are susceptible to the foregoing risks (including regarding the third parties with which they are similarly interconnected or on which they otherwise rely), and our or their business operations and activities may therefore be affected adversely, perhaps materially, by failures, terminations, errors or malfeasance by, or attacks or constraints on, one or more financial, technology, infrastructure or government institutions or intermediaries with whom we or they are interconnected or conduct business. While we conduct security assessments on third-party vendors, we cannot be certain that their information security protocols are sufficient to withstand a cyber-attack or other security breach. In addition, our clients often use personal devices, such as computers, smart phones and tablets, which are particularly vulnerable to loss and theft, as well as third parties with whom they share information used for authentication, to access our systems and manage their accounts, which may heighten the risk of system failures, interruptions or security breaches. Moreover, the increased use of mobile and cloud technologies could heighten these and other operational risks. Reliance on mobile or cloud technology or any failure by mobile technology and cloud service providers to adequately safeguard their systems and prevent cyber-attacks could disrupt our operations or the operations of our or their service providers and result in misappropriation, corruption or loss of personal, confidential or proprietary information or the inability to conduct ordinary business operations. 
In addition, there is a risk that encryption and other protective measures may be circumvented, particularly to the extent that new computing technologies increase the speed and computing power available. In recent years, several financial services firms suffered successful cyber-attacks launched both domestically and from abroad, resulting in the disruption of services to clients, loss or misappropriation of sensitive or private information, and reputational harm. We and our clients have been, and expect to continue to be, subject to a wide variety of cyber-attacks and threats, including computer viruses, ransomware and other malicious code, distributed denial of service attacks, and phishing and vishing attacks, and it is possible that we could suffer material losses resulting from a breach. Because the techniques used to obtain unauthorized access, disable or degrade service or sabotage systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques, to implement adequate preventative measures, or to address them until they are discovered. In addition, successful cyber-attacks may persist for an extended period of time before being detected. Because any investigation of an information security incident would be inherently unpredictable, the extent of a particular information security incident and the path of investigating the incident may not be immediately clear. It may take a significant amount of time before such an investigation can be completed and full and reliable information about the incident is known. 
While such an investigation is ongoing, we may not necessarily know the extent of the harm or how best to remediate it, certain errors or actions could be repeated or compounded before they are discovered and remediated, and communication to the public, regulators, clients and other stakeholders may be inaccurate, any or all of which could further increase the costs and consequences of an information security incident. We could be the subject of legal claims or proceedings related to security incidents, including regulatory investigations and actions. Further, the market perception of the effectiveness of our security measures could be harmed, our reputation could suffer and we could lose clients in conjunction with security incidents, each of which could have a negative effect on our business, financial condition and results of operations. A breach of our security also may affect adversely our ability to effect transactions, service our clients, manage our exposure to risk or expand our business. An event that results in the loss of information also may require us to reconstruct lost data or reimburse clients for data and credit monitoring services, which could be costly and have a negative impact on our business and reputation. Although we maintain insurance coverage in the event of information theft, damage, or destruction from cyber breach incidents, there can be no assurance that liabilities or losses we may incur will be covered under such policies or that the amount of insurance will be adequate to cover such losses. Further, even if not directed at us, attacks on financial or other institutions important to the overall functioning of the financial system or on our counterparties could affect, directly or indirectly, aspects of our business.

**Current (2024):**

Our systems involve the storage, transmission and other processing of clients' and our personal, proprietary, confidential and sensitive information, and security breaches, including cyber-attacks or other information security incidents, could expose us to a risk of theft, loss, destruction, gathering, monitoring, dissemination, misappropriation, misuse, alteration, or unauthorized disclosure of or unauthorized access to this information. Despite our implementation of a variety of security measures, our computer systems, networks, and data, including clients' or our personal, proprietary, confidential and sensitive information, could be subject to cyber-attacks or other information security incidents, such as, among other things, from physical and electronic break-ins or unauthorized tampering, malware and computer virus attacks, ransomware attacks, social engineering attacks (including phishing attacks) or denial-of-service attacks. Our security measures also may be breached due to the actions of outside parties, employee error, failure of our controls with respect to access to our systems, malfeasance or otherwise. Any failure, interruption or breach in the security of our systems could severely disrupt our operations and could subject us to liability claims, harm our reputation, interrupt our operations, or otherwise adversely affect our business, financial condition or results of operations. Data privacy and security risks for large financial institutions like us are significant in part because of the evolving proliferation of new technologies, the use of internet-based solutions, mobile devices, and cloud technologies to conduct financial transactions and the increased sophistication and rapidly evolving techniques of hackers, terrorists, organized crime and other external parties, including foreign state actors and state-sponsored actors, any of which may see their effectiveness enhanced by the use of artificial intelligence. 
Data privacy and security risks also may derive from fraud or malice on the part of our employees or third parties, or may result from human error, software bugs, server malfunctions, software or hardware failure or other technological failure. If we fail to continue to upgrade our technology infrastructure to ensure effective data privacy and security relative to the type, size and complexity of our operations, we could become more vulnerable to cyber-attacks and other information security incidents and, consequently, subject to significant regulatory penalties and reputational damage. Also, like many large enterprises, the trend in the past several years toward a hybrid work environment that includes a combination of in-office and remote work creates a broader attack surface for, and potential vulnerabilities from, cyber threats. While we generally conduct security assessments on third-party vendors, we cannot be certain that their information security protocols are sufficient to withstand a cyber-attack or other information security incident. Some of our vendors may store or have access to our data and may not have effective controls, processes, or practices to protect our information from loss, unauthorized disclosure, unauthorized use or misappropriation, cyber-attacks or other information security incidents. In addition, our clients often use personal devices, such as computers, smart phones and tablets, which are particularly vulnerable to loss and theft, as well as third parties with whom they share information used for authentication, to access our systems and networks and manage their accounts, which may heighten the risk of system failures, interruptions or security breaches. Moreover, the increased use of mobile and cloud technologies could heighten these and other operational risks. 
Reliance on mobile or cloud technology or any failure by mobile technology and cloud service providers to adequately safeguard their systems and networks and prevent cyber-attacks or other information security incidents could disrupt our operations or the operations of our or their service providers and result in misappropriation, corruption or loss of personal, confidential, proprietary, or other sensitive information or the inability to conduct ordinary business operations. In addition, there is a risk that encryption and other protective measures may be circumvented, particularly to the extent that new computing technologies increase the speed and computing power available. A vulnerability in our service providers' software or systems, a failure of our service providers' safeguards, policies or procedures, or a cyber-attack or other information security incident affecting any of these third parties could harm our business. In recent years, several financial services firms suffered successful cyber-attacks launched both domestically and from abroad, resulting in the disruption of services to clients, loss or misappropriation of sensitive or private information, and reputational harm. We and our clients have been, and expect to continue to be, subject to a wide variety of cyber-attacks and other similar threats, including computer viruses, ransomware and other malicious code, distributed denial-of-service attacks, and phishing and vishing attacks, and it is possible that we could suffer material losses resulting from a breach. Because the techniques used to obtain unauthorized access, disable or degrade service or sabotage systems and networks change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques, to implement adequate preventative measures, or to address them until they are discovered. In addition, successful cyber-attacks may persist for an extended period of time before being detected. 
Because any investigation of an information security incident would be inherently unpredictable, the extent of a particular information security incident and the path of investigating the incident may not be immediately clear. It may take a significant amount of time before such an investigation can be completed and full and reliable information about the incident is known. While such an investigation is ongoing, we may not necessarily know the extent of the harm or how best to remediate it, certain errors or actions could be repeated or compounded before they are discovered and remediated, and communication to the public, regulators, clients and other stakeholders may be inaccurate, any or all of which could further increase the costs and consequences of an information security incident. We could be the subject of legal claims or proceedings related to information security incidents, including regulatory investigations and other legal actions, carrying the potential for damages, fines, sanctions or other penalties, injunctive relief requiring costly compliance measures and reputational damage. Further, the market perception of the effectiveness of our information security measures could be harmed, our reputation could suffer and we could lose clients in conjunction with security incidents, each of which could have a negative effect on our business, financial condition and results of operations. A breach of our security also may affect adversely our ability to effect transactions, service our clients, manage our exposure to risk or expand our business. 
An event that results in the loss of information also may require us to reconstruct lost data or reimburse clients for data and credit monitoring services, which could be costly and have a negative impact on our business and reputation. Although we maintain insurance coverage in the event of information theft, damage, or destruction from cyber-attacks or other information security incidents, there can be no assurance that liabilities or losses we may incur will be covered under such policies, that the amount of insurance will be adequate to cover such losses, that insurance will continue to be available to us on economically reasonable terms, or at all, or that our insurer will not deny coverage as to any future claim. Further, even if not directed at us, attacks on financial or other institutions important to the overall functioning of the financial system or on our counterparties could affect, directly or indirectly, aspects of our business.

---

## Modified: Changes in a number of particular market conditions can affect our earnings negatively.

**Prior (2023):**

In past periods, reductions in the volatility of currency-trading markets, the level of cross-border investing activity, and the demand for borrowing securities or willingness to lend such securities have affected our earnings from activities such as foreign exchange trading and securities lending negatively. If these conditions occur in the future, our earnings from these activities may be affected negatively. In certain of our businesses, such as securities lending, our fee is calculated as a percentage of our clients' earnings, such that market and other factors that reduce our clients' earnings from investments or trading activities also reduce our revenues.

**Current (2024):**

In past periods, reductions in the volatility of currency-trading markets, the level of cross-border investing activity, and the demand for borrowing securities or willingness to lend such securities have affected our earnings from activities such as foreign exchange trading and securities lending negatively. If these conditions occur in the future, our earnings from these activities may be affected negatively. In certain of our businesses, such as securities lending, our fee is calculated as a percentage of our clients' earnings, such that market and other factors that reduce our clients' earnings from investments or trading activities also reduce our revenues.

---

## Modified: Damage to our reputation could have a direct and negative effect on our ability to compete, grow and generate revenue.

**Key changes:**

- Reworded sentence: "Our ability to compete effectively, to attract and retain clients and employees, and to grow our business is dependent on maintaining our reputation."
- Reworded sentence: "Our reputation may be significantly damaged by adverse publicity or negative information regarding the Corporation and the Bank, whether true or not, that may be published or broadcast by the media or posted on social media, non-mainstream news services or other parts of the internet."

**Prior (2023):**

The failure or perceived failure to meet or appropriately address client expectations or fiduciary or other obligations, operational failures, legal and regulatory requirements, potential conflicts of interest, cybersecurity and privacy, social and sustainability concerns related to our business activities or any other of the risks discussed in this Item 1A could materially and adversely affect our reputation as well as our ability to attract and retain clients or employees. Additionally, the actual or alleged actions of our affiliates, vendors or other third parties with which we do business, the actual or alleged actions or statements of our employees or adverse publicity could negatively impact our reputation and significantly harm our business prospects. Damage to our reputation for delivery of a high level of service could undermine the confidence of clients and prospects in our ability to serve them and accordingly affect our earnings negatively. Damage to our reputation also could affect the confidence of rating agencies, regulators, stockholders and other parties in a wide range of transactions that are important to our business and the performance of our common stock. Failure to maintain our reputation ultimately could have an adverse effect on our ability to manage our balance sheet or grow our business. Actions by the financial services industry generally or by other members of or individuals in the financial services industry also could impact our reputation negatively or lead to a general loss of confidence in, or impact market perception of, financial institutions that could negatively affect us. 
Further, whereas negative public opinion once was driven primarily by adverse news coverage in traditional media, the proliferation of social media channels utilized by us and third parties, as well as the personal use of social media by our employees and others, may increase the risk of negative publicity, including through the rapid dissemination of inaccurate, misleading or false information, which could harm our reputation or have other negative consequences.

**Current (2024):**

Our ability to compete effectively, to attract and retain clients and employees, and to grow our business is dependent on maintaining our reputation. Damage to our reputation can therefore cause significant harm to our business and prospects, and can arise from various sources, including, among others, the failure or perceived failure to meet or appropriately address client expectations or fiduciary or other obligations; operational failures; legal and regulatory requirements; potential conflicts of interest; data privacy and security; social and sustainability concerns related to our business activities; or any other of the risks discussed in this Item 1A. Additionally, the actual or alleged actions of our affiliates, vendors or other third parties with which we do business, the actual or alleged actions or statements of our employees or adverse publicity could negatively impact our reputation and significantly harm our business prospects. Damage to our reputation for delivery of a high level of service could undermine the confidence of clients and prospects in our ability to serve them and accordingly affect our earnings negatively. Damage to our reputation also could affect the confidence of rating agencies, regulators, stockholders and other parties in a wide range of transactions that are important to our business and the performance of our common stock. Failure to maintain our reputation ultimately could have an adverse effect on our ability to manage our balance sheet or grow our business. Actions by the financial services industry generally or by other members of or individuals in the financial services industry also could impact our reputation negatively or lead to a general loss of confidence in, or impact market perception of, financial institutions that could negatively affect us. 
Our reputation may be significantly damaged by adverse publicity or negative information regarding the Corporation and the Bank, whether true or not, that may be published or broadcast by the media or posted on social media, non-mainstream news services or other parts of the internet. The proliferation of social media channels utilized by us and third parties, as well as the personal use of social media by our employees and others, may increase the risk of negative publicity, including through the rapid dissemination of inaccurate, misleading or false information, which could harm our reputation or have other negative consequences. Furthermore, ESG-related issues have been the subject of increased focus by regulators and stakeholders, including outside the U.S., and particularly in Europe. Any inability to meet applicable requirements or expectations, including those from conflicting U.S. and non-U.S. global expectations, may adversely impact our reputation. Additionally, various stakeholders have divergent views on ESG-related matters, including in the countries in which we operate and invest, as well as states and localities where we serve public sector clients. In the case of proxy voting, there is the inherent risk of misalignment between the proxy votes we cast on behalf of clients and all of our clients' values and preferences. This divergence increases the risk that any action or lack thereof by us on such matters will be perceived negatively by some stakeholders and could adversely impact our reputation and business.

---

## Modified: If we do not manage our liquidity effectively, our business could suffer.

**Key changes:**

- Added sentence: "We also manage investment products that, while not obligations of ours, may be exposed to liquidity risks."
- Added sentence: "These products, such as money market and other short-term investments provide clients a right to the return of cash or assets on limited notice."
- Added sentence: "If clients demand a return of their cash or assets, particularly on limited notice, and these investment products do not have the liquidity to support those demands, we could be forced to sell investment securities held by these investment products at unfavorable prices potentially damaging our reputation with the investment community."

**Prior (2023):**

Liquidity is essential for the operation of our business. Market conditions, unforeseen outflows of funds or other events could have a negative effect on our level or cost of funding, affecting our ongoing ability to accommodate liability maturities and deposit withdrawals, meet contractual obligations, and fund new business transactions at a reasonable cost and in a timely manner. If our access to stable and low-cost sources of funding, such as customer deposits, is reduced, we may need to use alternative funding, which could be more expensive or of limited availability. Further evolution in the regulatory requirements relating to liquidity and risk management also may impact us negatively. Additional regulations may impose more stringent liquidity requirements for large financial institutions, including the Corporation and the Bank. Given the overlap and complex interactions of these regulations with other regulatory changes, the full impact of the adopted and proposed regulations remains uncertain until their full implementation. In addition, a significant portion of our business involves providing certain services to large, complex clients, which, by their nature, require substantial liquidity. Our failure to manage successfully the liquidity and balance sheet issues attendant to this portion of our business may have a negative impact on our ability to meet client needs and grow. For more information on regulations and other regulatory changes relating to liquidity, see "Supervision and Regulation - Liquidity Standards" in Item 1, "Business." Any substantial, unexpected or prolonged changes in the level or cost of liquidity could affect our business adversely.

**Current (2024):**

Liquidity is essential for the operation of our business. Market conditions, unforeseen outflows of funds or other events could have a negative effect on our level or cost of funding, affecting our ongoing ability to accommodate liability maturities and deposit withdrawals, meet contractual obligations, and fund new business transactions at a reasonable cost and in a timely manner. If our access to stable and low-cost sources of funding, such as customer deposits, is reduced, we may need to use alternative funding, which could be more expensive or of limited availability. Further evolution in the regulatory requirements relating to liquidity and risk management also may impact us negatively. Additional regulations may impose more stringent liquidity requirements for large financial institutions, including the Corporation and the Bank. Given the overlap and complex interactions of these regulations with other regulatory changes, the full impact of the adopted and proposed regulations remains uncertain until their full implementation. In addition, a significant portion of our business involves providing certain services to large, complex clients, which, by their nature, require substantial liquidity. Our failure to manage successfully the liquidity and balance sheet issues attendant to this portion of our business may have a negative impact on our ability to meet client needs and grow. We also manage investment products that, while not obligations of ours, may be exposed to liquidity risks. These products, such as money market and other short-term investments provide clients a right to the return of cash or assets on limited notice. If clients demand a return of their cash or assets, particularly on limited notice, and these investment products do not have the liquidity to support those demands, we could be forced to sell investment securities held by these investment products at unfavorable prices potentially damaging our reputation with the investment community. 
For more information on regulations and other regulatory changes relating to liquidity, see "Supervision and Regulation - Liquidity Standards" in Item 1, "Business." Any substantial, unexpected or prolonged changes in the level or cost of liquidity could affect our business adversely.

---

## Modified: Other Risks

**Key changes:**

- Reworded sentence: "•Changes in tax laws and interpretations and challenges to our tax positions may affect our earnings negatively."

**Prior (2023):**

- The systems and models we employ to analyze, monitor and mitigate risks, as well as for other business purposes, are inherently limited, may not be effective in all cases and, in any case, cannot eliminate all risks that we face.
- Changes in tax laws and interpretations and tax challenges may affect our earnings negatively.
- Changes in accounting standards may be difficult to predict and could have a material impact on our consolidated financial statements.
- Our ability to return capital to stockholders is subject to the discretion of our Board of Directors and may be limited by U.S. banking laws and regulations, applicable provisions of Delaware law, or our failure to pay full and timely dividends on our preferred stock and the terms of our outstanding debt.

**Current (2024):**

- The systems and models we employ to analyze, monitor and mitigate risks, as well as for other business purposes, are inherently limited, may not be effective in all cases and, in any case, cannot eliminate all risks that we face.
- Changes in tax laws and interpretations and challenges to our tax positions may affect our earnings negatively.
- Changes in accounting standards may be difficult to predict and could have a material impact on our consolidated financial statements.
- Our ability to return capital to stockholders is subject to the discretion of our Board of Directors and may be limited by U.S. banking laws and regulations, applicable provisions of Delaware law, or our failure to pay full and timely dividends on our preferred stock and the terms of our outstanding debt.

---

## Modified: The ultimate impact on us of regulatory divergence between the United Kingdom and the European Union remains uncertain.

**Key changes:**

- Reworded sentence: "While regulatory standards remain largely aligned following the UK's withdrawal from the EU, commonly referred to as "Brexit," it is possible that future divergence may occur between the UK and EU; therefore, the final impact remains uncertain."
- Reworded sentence: "Instead, in March 2021, the UK and the EU agreed upon a framework for voluntary regulatory cooperation and dialogue on financial services issues between the parties in a memorandum of understanding, which was signed on June 27, 2023."

**Prior (2023):**

While the UK's withdrawal from the EU, commonly referred to as "Brexit," officially became effective on December 31, 2020, certain items remain to be negotiated; therefore, the final impact remains uncertain. In December 2020, the UK and the EU agreed on a trade and cooperation agreement that entered into force on May 1, 2021. While the trade and cooperation agreement covers the general objectives and framework of the relationship between the UK and the EU, it generally does not address the regulation of financial services. Instead, in March 2021, the UK and the EU agreed upon a framework for voluntary regulatory cooperation and dialogue on financial services issues between the parties in a memorandum of understanding, which is expected to be signed after certain formal steps are completed, although this has not yet occurred. Consequently, the ultimate impact of Brexit on the Corporation and the Bank remains uncertain and will depend on the terms of the post-Brexit relationships that remain to be negotiated between the UK and other EU nations, particularly in the area of financial services. We have incurred, and may in the future continue to incur, costs associated with Brexit planning measures, while unforeseen political, regulatory, or other developments related to Brexit, or operational issues associated with any organizational restructuring related thereto, may result in additional costs and disruption to our UK and EU businesses. A failure to agree to a sustainable and practical financial services regulatory relationship between the UK and the EU, whether on the basis of equivalence, mutual recognition or otherwise, could harm our business, financial condition and results of operations. Any further exits from the EU, or the possibility of such exits, would likely cause additional market disruption globally and introduce new legal and regulatory uncertainties.

**Current (2024):**

While regulatory standards remain largely aligned following the UK's withdrawal from the EU, commonly referred to as "Brexit," it is possible that future divergence may occur between the UK and EU; therefore, the final impact remains uncertain. In December 2020, the UK and the EU agreed on a trade and cooperation agreement that entered into force on May 1, 2021. While the trade and cooperation agreement covers the general objectives and framework of the relationship between the UK and the EU, it generally does not address the regulation of financial services. Instead, in March 2021, the UK and the EU agreed upon a framework for voluntary regulatory cooperation and dialogue on financial services issues between the parties in a memorandum of understanding, which was signed on June 27, 2023. Since the UK's withdrawal from the EU on December 31, 2020, the UK government has embarked on a program of significant regulatory reform. In particular, the recently enacted Financial Services and Markets Act 2023 contains provisions that will eventually repeal all EU rules and regulations relating to financial services that were incorporated into UK law following Brexit. The UK government and the UK financial services regulatory authorities has been consulting on a number of measures that will replace the current EU-based rules and regulations with measures that reflect the particular needs of the UK market and policy objectives of the UK's regulatory authorities. Consequently, over time it is likely that the rules and regulations relating to financial services will diverge, which may result in additional compliance costs for our UK and EU businesses.

---

## Modified: Liquidity Risks


**Prior (2023):**

- If we do not manage our liquidity effectively, our business could suffer.
- If the Bank is unable to supply the Corporation with funds over time, the Corporation could be unable to meet its various obligations.
- We may need to raise additional capital in the future, which may not be available to us or may only be available on unfavorable terms.
- Any downgrades in our credit ratings, or an actual or perceived reduction in our financial strength, could affect our borrowing costs, capital costs and liquidity adversely.

**Current (2024):**

- If we do not manage our liquidity effectively, our business could suffer.
- If the Bank is unable to supply the Corporation with funds over time, the Corporation could be unable to meet its various obligations.
- We may need to raise additional capital in the future, which may not be available to us or may only be available on unfavorable terms.
- Any downgrades in our credit ratings, or an actual or perceived reduction in our financial strength, could affect our borrowing costs, capital costs and liquidity adversely.

---

## Modified: We are subject to extensive and evolving government regulation and supervision that impacts our operations. Changes by the U.S. and other governments to laws, regulations and policies applicable to the financial services industry may heighten the challenges we face and make regulatory compliance more difficult and costly.

**Key changes:**

- Reworded sentence: "We operate in a highly regulated environment, and are subject to a comprehensive statutory and regulatory regime affecting all aspects of our business and operations, including oversight by governmental agencies both inside and outside the U.S."
- Reworded sentence: "The evolving regulatory and supervisory environment and uncertainty about the timing and scope of future laws, regulations and policies may contribute to decisions we may make to suspend, reduce or withdraw from existing businesses, activities or initiatives, which may result in potential lost revenue or significant restructuring or related costs or exposures."

**Prior (2023):**

Various regulatory bodies have demonstrated heightened enforcement scrutiny of financial institutions through many regulatory initiatives. These initiatives have increased compliance costs and regulatory risks and may lead to financial and reputational damage in the event of a compliance violation. While we have programs in place, including policies, training and various forms of monitoring, designed to ensure compliance with legislative and regulatory requirements, these programs and policies may not always protect us from conduct by individual employees. Governments and regulatory agencies may take further actions to change significantly the way financial institutions are regulated, either through new legislation, new regulations, new applications of existing regulations or a combination of all of these methods. We cannot currently predict the impact, if any, of these changes to our business. Additionally, governments and regulators may take actions that increase intervention in the normal operation of our businesses and the businesses of our competitors in the financial services industry, and these likely would involve additional legislative and regulatory requirements imposed on banks and other financial services companies. Any such actions could increase compliance costs and regulatory risks, lead to financial and reputational damage in the event of a violation, affect our ability to compete successfully, and also may impact the nature and level of competition in the industry in unpredictable ways. The full scope and impact of possible legislative or regulatory changes and the extent of regulatory activity is uncertain and difficult to predict. For example, we are unable to predict what, if any, changes to financial services laws and regulations applicable to the financial services industry may be enacted by the U.S. Congress and what the impact of any such changes will be upon our business, financial condition, and results of operations. 
Moreover, the current U.S. presidential administration has made, and is expected to make further, changes in the leadership and senior staffs of the federal banking agencies which are likely to impact the rulemaking, supervision, examination and enforcement priorities and policies of such agencies, the potential impacts of which, if any, we cannot predict with certainty at this time.

**Current (2024):**

We operate in a highly regulated environment, and are subject to a comprehensive statutory and regulatory regime affecting all aspects of our business and operations, including oversight by governmental agencies both inside and outside the U.S. Various regulatory bodies have demonstrated heightened scrutiny of financial institutions through many regulatory initiatives. These initiatives have increased compliance costs and regulatory risks and may lead to financial and reputational damage in the event of a compliance violation, even if the failure to comply was inadvertent or reflects a difference in interpretation. We have programs in place, including policies, training and various forms of monitoring, designed to ensure compliance with legislative and regulatory requirements. We cannot provide assurance that these programs and policies are or will be adequate to identify and manage internal and external compliance risks. For example, our business may be adversely impacted by actual or alleged misconduct by an employee or other negative outcomes caused by human error. Changes to statutes, regulations or regulatory and supervisory policies or their interpretation or implementation and the continued heightening of regulatory and supervisory requirements could affect us in substantial and unpredictable ways. Additionally, governments and regulators may take actions that increase intervention in the normal operation of our businesses and the businesses of our competitors in the financial services industry, and these likely would involve additional legislative and regulatory requirements imposed on banks and other financial services companies. 
Any such actions could increase compliance costs and regulatory risks, lead to financial and reputational damage in the event of a violation, affect our ability to compete successfully, and also may impact the nature and level of competition in the industry in unpredictable ways. The full scope and impact of possible legislative or regulatory changes and the extent of regulatory activity is uncertain and difficult to predict. For example, we are unable to predict what, if any, changes to financial services laws and regulations applicable to the financial services industry may be enacted by the U.S. Congress and what the impact of any such changes will be upon our business, financial condition, and results of operations. The evolving regulatory and supervisory environment and uncertainty about the timing and scope of future laws, regulations and policies may contribute to decisions we may make to suspend, reduce or withdraw from existing businesses, activities or initiatives, which may result in potential lost revenue or significant restructuring or related costs or exposures. We also face the risk of becoming subject to new or more stringent requirements in connection with the introduction of new regulations or modification of existing regulations, which could require us to hold more capital or liquidity or have other adverse effects on our businesses or profitability. For example, proposed changes to applicable capital and liquidity requirements, such as the Basel III Endgame Proposal and the long-term debt proposal, could result in increased expenses or cost of funding, which could negatively affect our financial results or our ability to pay dividends and engage in share repurchases. For more information concerning our legal and regulatory obligations with respect to Basel III and long-term debt requirements, see "Supervision and Regulation" in Item 1, "Business." 
In addition, regulatory responses in connection with severe market downturns or unforeseen stress events may alter or disrupt our planned future strategies and actions. Adverse developments affecting the overall strength and soundness of other financial institutions, the financial services industry as a whole and the general economic climate and the U.S. Treasury market could have a negative impact on perceptions about the strength and soundness of our business even if we are not subject to the same adverse developments. For example, during 2023, the FDIC took control and was appointed receiver of Silicon Valley Bank, Signature Bank, and First Republic Bank. The failure of other banks and financial institutions and the measures taken by governments and regulators in response to these events could adversely impact our business, financial condition and results of operations.

---

## Modified: We may be impacted adversely by supervisory and/or regulatory enforcement matters.

**Key changes:**

- Reworded sentence: "The complexity of the federal and state regulatory, supervisory and enforcement regimes in the U.S., coupled with the global scope of our operations and the increased aggressiveness of the tax and regulatory environment worldwide, also means that a single event may give risk to a large number of overlapping investigations and regulatory proceedings, either by multiple agencies in the U.S."

**Prior (2023):**

In the ordinary course of our business, we are subject to various governmental enforcement inquiries, supervisory examinations, investigations and subpoenas. These may be directed generally to participants in the businesses in which we are involved or may be directed specifically at us. In conjunction with both supervisory and enforcement matters, we may face limits on our ability to conduct or expand our business, be required to implement corrective actions that increase the costs of conducting business, or become subject to civil or criminal penalties or other remedial sanctions, any of which could result in reputational damage or otherwise have an adverse impact on us. For example, the current U.S. presidential administration, or future administrations, could support an enhanced regulatory enforcement agenda or propose new regulations that impose greater costs on financial services companies. Any such heightened enforcement activity or new regulations could have a material adverse effect on our business, financial condition and results of operations.

**Current (2024):**

In the ordinary course of our business, we are subject to various governmental enforcement inquiries, supervisory examinations, investigations and subpoenas. These may be directed generally to participants in the businesses in which we are involved or may be directed specifically at us. In conjunction with both supervisory and enforcement matters, we may face limits on our ability to conduct or expand our business, be required to implement corrective actions that increase the costs of conducting business, or become subject to civil or criminal penalties or other remedial sanctions, any of which could result in reputational damage or otherwise have an adverse impact on us. The complexity of the federal and state regulatory, supervisory and enforcement regimes in the U.S., coupled with the global scope of our operations and the increased aggressiveness of the tax and regulatory environment worldwide, also means that a single event may give risk to a large number of overlapping investigations and regulatory proceedings, either by multiple agencies in the U.S. or by multiple regulators and other governmental entities or tax authorities in different jurisdictions. Responding to inquiries, investigations, and proceedings, regardless of the outcome of the matter, is time consuming and expensive and can divert the attention of our senior management from our business. The outcome of such proceedings may be difficult to predict or estimate until late in the proceedings, which may last a number of years. The number of regulatory and governmental investigations and proceedings, as well as the amount of penalties and fines sought, has remained elevated for many firms in the financial services industry. 
The Corporation and other financial institutions have become subject to increased scrutiny, more intense supervision and regulation, and a higher risk of enforcement action, which we expect to continue. Any such heightened enforcement activity or new regulations could have a material adverse effect on our business, financial condition and results of operations.

---

*Data sourced from SEC EDGAR. Last updated 2026-06-01.*