--- ticker: NTRS company: NTRS filing_type: 10-K year_current: 2026 year_prior: 2025 risks_added: 0 risks_removed: 0 risks_modified: 16 risks_unchanged: 35 source: SEC EDGAR url: https://riskdiff.com/ntrs/2026-vs-2025/ markdown_url: https://riskdiff.com/ntrs/2026-vs-2025/index.md generated: 2026-06-01 --- # NTRS: 10-K Risk Factor Changes 2026 vs 2025 > Source: U.S. Securities and Exchange Commission (EDGAR) > Generated: 2026-06-01 > All data extracted directly from official filings. No hallucinated content. ## Summary | Status | Count | |--------|-------| | New risks added | 0 | | Risks removed | 0 | | Risks modified | 16 | | Unchanged | 35 | --- ## Modified: Errors, breakdowns in controls or other mistakes in the provision of services to clients or in carrying out transactions for our own account can subject us to liability, result in losses or have a negative effect on our earnings in other ways. **Key changes:** - Added sentence: "20 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 20 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 20 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 20 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION" **Prior (2025):** In our asset servicing, investment management, fiduciary administration and other business activities, we effect or process transactions for clients and for ourselves that involve very large amounts of money. Failure to manage or mitigate operational risks properly can have adverse consequences, and increased volatility in the financial markets may increase the magnitude of resulting losses. Further, remote working and other modified business practices initiated in recent years, combined with the increasing sophistication and frequency of potential cyber-attacks and other information security incidents, have heightened our operational and execution risk. Given the high volume of transactions we process, errors that affect earnings may be repeated or compounded before they are discovered and corrected. **Current (2026):** In our asset servicing, investment management, fiduciary administration and other business activities, we effect or process transactions for clients and for ourselves that involve very large amounts of money. Failure to manage or mitigate operational risks properly can have adverse consequences, and increased volatility in the financial markets may increase the magnitude of resulting losses. Further, remote working and other modified business practices initiated in recent years, combined with the increasing sophistication and frequency of potential cyber-attacks and other information security incidents, have heightened our operational and execution risk. Given the high volume of transactions we process, errors that affect earnings may be repeated or compounded before they are discovered and corrected. 20 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 20 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 20 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 20 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION --- ## Modified: Pandemics, natural disasters, global climate change, acts of terrorism, geopolitical tensions, and global conflicts may have a negative impact on our business and operations. **Key changes:** - Reworded sentence: "Pandemics, natural disasters, global climate change, acts of terrorism, geopolitical tensions, global conflicts or other similar events, as well as government actions or other restrictions in connection with such events, have had in the past, or may in the future have, a negative impact on our business and operations." - Reworded sentence: "If the subcustodian or clearing agency were to become insolvent in circumstances not involving expropriation of assets or other sovereign risk events and/or factors or events beyond our reasonable control that excuse performance under force majeure or other contractual provisions, the risk of loss on such cash on deposit may potentially be incurred by us." **Prior (2025):** Pandemics, natural disasters, global climate change, acts of terrorism, geopolitical tensions, global conflicts (including the continuing military conflict between Ukraine and the Russian Federation, the conflict in the Middle East and tensions between the U.S. and China) or other similar events, as well as government actions or other restrictions in connection with such events, have had in the past, or may in the future have, a negative impact on our business and operations. While we have in place business continuity plans, such events may still damage our facilities, disrupt or delay the normal operations of our business (including communications and technology), result in harm to or cause travel limitations on our employees, impose significant compliance costs with new financial and economic sanctions regimes, and have a similar impact on our clients, suppliers, third-party vendors and counterparties. For example, in some jurisdictions such as the Russian Federation, local market restrictions, laws, sanctions programs or government intervention inhibit our clients' and our ability to access or transfer cash or securities held for clients through subcustodians and clearing agencies. When such client deposit liabilities are on our consolidated balance sheet, we maintain a corresponding amount of cash on deposit with the subcustodian or clearing agency, which increases our credit exposure to that entity and can accumulate over time based upon distributions on, or other activities related to, our clients' assets. If the subcustodian or clearing agency were to become insolvent in circumstances not involving expropriation of assets or other sovereign risk events and/or factors or 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 21 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 21 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 21 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 21 events beyond our reasonable control that excuse performance under force majeure or other contractual provisions, the risk of loss on such cash on deposit may potentially be incurred by us. As of December 31, 2024, we held cash that accumulates in relation to Russian securities with our subcustodian and/or clearing agencies for the benefit of certain clients in our Asset Servicing business which are subject to restrictions that inhibit our ability to access or transfer such deposits, and which amount is expected to increase significantly over time as long as the sanctions and other relevant restrictions remain in effect. Our subcustodian is also a subsidiary of a large, global financial institution with whom we have other credit exposures, which may limit the financial relationship we may have with this counterparty and has in the past made, and may in the future make, compliance with specific U.S. regulatory single counterparty credit limits more challenging. The foregoing or similar events also could impact us negatively to the extent that they result in reduced capital markets activity, lower asset price levels, or disruptions in general economic activity in the U.S. or abroad, or in financial market settlement functions. In addition, these or similar events may impact economic growth negatively, which could have an adverse effect on our business and operations, and may have other adverse effects on us in ways that we are unable to predict. Please see "Strategic Risks" in this "Risk Factors" section for further description of risks associated with climate change. **Current (2026):** Pandemics, natural disasters, global climate change, acts of terrorism, geopolitical tensions, global conflicts or other similar events, as well as government actions or other restrictions in connection with such events, have had in the past, or may in the future have, a negative impact on our business and operations. While we have in place business continuity plans, such events may still damage our facilities, disrupt or delay the normal operations of our business (including communications and technology), result in harm to or cause travel limitations on our employees, impose significant compliance costs with new financial and economic sanctions regimes, and have a similar impact on our clients, suppliers, third-party vendors and counterparties. For example, in some jurisdictions such as the Russian Federation, local market restrictions, laws, sanctions programs or government intervention inhibit our clients' and our ability to access or transfer cash or securities held for clients through subcustodians and clearing agencies. When such client deposit liabilities are on our consolidated balance sheet, we maintain a corresponding amount of cash on deposit with the subcustodian or clearing agency, which increases our credit exposure to that entity and can accumulate over time based upon distributions on, or other activities related to, our clients' assets. If the subcustodian or clearing agency were to become insolvent in circumstances not involving expropriation of assets or other sovereign risk events and/or factors or events beyond our reasonable control that excuse performance under force majeure or other contractual provisions, the risk of loss on such cash on deposit may potentially be incurred by us. As of December 31, 2025, we held cash that accumulates in relation to Russian securities with our subcustodian and/or clearing agencies for the benefit of certain clients in our Asset Servicing business which are subject to restrictions that inhibit our ability to access or transfer such deposits, and which amount is expected to increase significantly over time as long as the sanctions and other relevant restrictions remain in effect. The foregoing or similar events also could impact us negatively to the extent that they result in reduced capital markets activity, lower asset price levels, or disruptions in general economic activity in the U.S. or abroad, or in financial market settlement functions. In addition, these or similar events may impact economic growth negatively, which could have an adverse effect on our business and operations, and may have other adverse effects on us in ways that we are unable to predict. Please see "Strategic Risks" in this "Risk Factors" section for further description of risks associated with climate change. --- ## Modified: The systems and models we employ to analyze, monitor and mitigate risks, as well as for other business purposes, are inherently limited, may not be effective in all cases and, in any case, cannot eliminate all risks that we face. **Key changes:** - Reworded sentence: "Models based on historical data sets might not be accurate predictors of future outcomes and their ability to appropriately predict future outcomes may degrade over time due to limited historical patterns, extreme or unanticipated market movements or customer behavior and liquidity, especially during severe market downturns or stress events (e.g., geopolitical events or pandemics)." - Reworded sentence: "For example, generative AI has been known to produce false or "hallucinatory" inferences or output, and certain generative AI uses machine learning and predictive analytics, which can create inaccurate, incomplete, or misleading content, unintended biases, and other discriminatory or unexpected results, errors or inadequacies, any of which may not be easily detectable." - Reworded sentence: "Despite internal policies in place with respect to the usage of AI, if any of our employees or service providers were to use any third-party AI-powered software in connection with our business or the services they provide to us, it may lead to the inadvertent disclosure or incorporation of our confidential information into publicly available training set, which may impact our ability to realize the benefit of, or adequately maintain, protect and enforce our intellectual property or confidential information, harming our competitive position and business." - Added sentence: "32 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 32 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 32 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 32 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION" **Prior (2025):** We use various systems and models, including AI-powered solutions, in analyzing and monitoring several risk categories, as well as for other business purposes. While we assess and improve these systems and models on an ongoing basis, there can be no assurance that they, along with other related controls, will effectively mitigate risk under all circumstances, or that they will adequately mitigate any risk or loss to us. As with any systems and models, there are inherent limitations because they involve techniques and judgments that cannot anticipate every economic and financial outcome in the markets in which we operate, nor can they anticipate the specifics and timing of such outcomes. Further, these systems and models may fail to quantify accurately the magnitude of the risks we face or they may not be effective against all types of risk, including risks that are unidentified or unanticipated. Our measurement methodologies rely on many assumptions and historical analyses and correlations. These assumptions may be incorrect, and the historical correlations on which we rely may not continue to be relevant. Models based on historical data sets might not be accurate predicators of future outcomes and their ability to appropriately predict future outcomes may degrade over time due to limited historical patterns, extreme or unanticipated market movements or customer behavior and liquidity, especially during severe market downturns or stress events (e.g., geopolitical events or pandemics). Consequently, the measurements that we make may not adequately capture or express the true risk profiles of our businesses or provide accurate data for other business purposes, each of which ultimately could have a negative impact on our business, financial condition and results of operations. Errors in the underlying model or model assumptions, or inadequate model assumptions, could result in unanticipated and adverse consequences, including material loss or noncompliance with regulatory requirements or expectations. In addition, the use of generative AI, a relatively new and emerging technology in the early stages of commercial use, exposes us to additional risks, such as damage to our reputation, competitive position, and business, legal and regulatory risks and additional costs. 30 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 30 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 30 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 30 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION For example, generative AI has been known to produce false or "hallucinatory" inferences or output, and certain generative AI uses machine learning and predictive analytics, which can create inaccurate, incomplete, or misleading content, unintended biases, and other discriminatory or unexpected results, errors or inadequacies, any of which may not be easily detectable. Additionally, to the extent that we do not have sufficient rights to use the data or other material or content used in or produced by the AI tools used in our business, or if we experience cybersecurity incidents in connection with our use of AI, it could adversely affect our reputation and expose us to legal liability or regulatory risk, including with respect to third-party intellectual property, privacy, data protection and cybersecurity, publicity, contractual or other rights. Further, our competitors or other third parties may incorporate AI into their products more quickly or more successfully than us, which could impair our ability to compete effectively. As the utilization of AI becomes more prevalent, we anticipate that it will continue to present new or unanticipated ethical, reputational, technical, operational, legal, competitive, and regulatory issues, among others. As a result, the challenges presented with our use of AI could adversely affect our business, financial condition, and results of operations. **Current (2026):** We use various systems and models, including AI-powered solutions, in analyzing and monitoring several risk categories, as well as for other business purposes. While we assess and improve these systems and models on an ongoing basis, there can be no assurance that they, along with other related controls, will effectively mitigate risk under all circumstances, or that they will adequately mitigate any risk or loss to us. As with any systems and models, there are inherent limitations because they involve techniques and judgments that cannot anticipate every economic and financial outcome in the markets in which we operate, nor can they anticipate the specifics and timing of such outcomes. Further, these systems and models may fail to quantify accurately the magnitude of the risks we face or they may not be effective against all types of risk, including risks that are unidentified or unanticipated. Our measurement methodologies rely on many assumptions and historical analyses and correlations. These assumptions may be incorrect, and the historical correlations on which we rely may not continue to be relevant. Models based on historical data sets might not be accurate predictors of future outcomes and their ability to appropriately predict future outcomes may degrade over time due to limited historical patterns, extreme or unanticipated market movements or customer behavior and liquidity, especially during severe market downturns or stress events (e.g., geopolitical events or pandemics). Consequently, the measurements that we make may not adequately capture or express the true risk profiles of our businesses or provide accurate data for other business purposes, each of which ultimately could have a negative impact on our business, financial condition and results of operations. Errors in the underlying model or model assumptions, or inadequate model assumptions, could result in unanticipated and adverse consequences, including material loss or noncompliance with regulatory requirements or expectations. In addition, the use of generative AI, a relatively new and emerging technology in the early stages of commercial use, exposes us to additional risks, such as damage to our reputation, competitive position, and business, legal and regulatory risks and additional costs. For example, generative AI has been known to produce false or "hallucinatory" inferences or output, and certain generative AI uses machine learning and predictive analytics, which can create inaccurate, incomplete, or misleading content, unintended biases, and other discriminatory or unexpected results, errors or inadequacies, any of which may not be easily detectable. Additionally, to the extent that we do not have sufficient rights to use the data or other material or content used in or produced by the AI tools used in our business, or if we experience cybersecurity incidents in connection with our use of AI, it could adversely affect our reputation and expose us to legal liability or regulatory risk, including with respect to third-party intellectual property, privacy, data protection and cybersecurity, publicity, contractual or other rights. Despite internal policies in place with respect to the usage of AI, if any of our employees or service providers were to use any third-party AI-powered software in connection with our business or the services they provide to us, it may lead to the inadvertent disclosure or incorporation of our confidential information into publicly available training set, which may impact our ability to realize the benefit of, or adequately maintain, protect and enforce our intellectual property or confidential information, harming our competitive position and business. We may not be able to sufficiently mitigate or detect any of the foregoing limitations or risks given our and other market participant's lack of experience with using AI, the pace of technological change, and rapid adoption of AI by our business partners and competitors. As the utilization of AI becomes more prevalent, we anticipate that it will continue to present new or unanticipated ethical, reputational, technical, operational, legal, competitive, and regulatory issues, among others. As a result, the challenges presented with our use of AI could adversely affect our business, financial condition, and results of operations. 32 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 32 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 32 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 32 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION --- ## Modified: We are subject to complex and evolving laws, regulations, rules, standards and contractual obligations regarding data privacy and security, which could increase the cost of doing business, compliance risks and potential liability. **Key changes:** - Removed sentence: "In the U.S., there are numerous federal, state and local data privacy and security laws and regulations governing the collection, sharing, use, retention, disclosure, security, storage, transfer and other processing of personal information." - Removed sentence: "At the federal level, we are subject to, among other laws and regulations, the rules and regulations promulgated under the authority of the Federal Trade Commission and the Gramm-Leach-Bliley Act." - Removed sentence: "Congress has considered, and may in the future consider, various proposals for more comprehensive data privacy and security legislation, to which we may be subject if enacted." - Removed sentence: "At the state level, we are subject to laws and regulations such as the CCPA." - Removed sentence: "Numerous other states also have enacted, or are in the process of enacting or considering, comprehensive state-level data privacy and security laws and regulations that share similarities with the CCPA." **Prior (2025):** We are subject to complex and evolving laws, regulations, rules, standards and contractual obligations governing data privacy and security, which may differ and potentially conflict, in various jurisdictions, and any failure to comply with these laws, regulations, rules, standards and contractual obligations could expose us to liability and/or reputational damage. Regulators globally are introducing the potential for greater monetary fines on institutions that suffer from breaches leading to the loss, misappropriation or unauthorized access, use or disclosure of personal, confidential, proprietary or sensitive information. Most U.S. states, the EU and other non-U.S. jurisdictions also have adopted their own statutes and/or regulations concerning data privacy and security and notification of data breaches. These and other changes in laws or regulations associated with the enhanced protection of personal and other types of information could greatly increase compliance costs, the size of potential fines related to the protection of such information and reporting obligations in the case of cyber-attacks or other information security incidents. Compliance with these laws, regulations, rules and standards may require us to change and continuously update our policies, procedures and technology controls for information security, which could, among other things, make us more vulnerable to operational failures and to monetary penalties for breach of such laws, regulations, rules and standards. In the U.S., there are numerous federal, state and local data privacy and security laws and regulations governing the collection, sharing, use, retention, disclosure, security, storage, transfer and other processing of personal information. At the federal level, we are subject to, among other laws and regulations, the rules and regulations promulgated under the authority of the Federal Trade Commission and the Gramm-Leach-Bliley Act. Moreover, the U.S. Congress has considered, and may in the future consider, various proposals for more comprehensive data privacy and security legislation, to which we may be subject if enacted. At the state level, we are subject to laws and regulations such as the CCPA. Numerous other states also have enacted, or are in the process of enacting or considering, comprehensive state-level data privacy and security laws and regulations that share similarities with the CCPA. Moreover, laws in all 50 U.S. states require businesses to provide notice under certain circumstances to consumers whose personal information has been disclosed as a result of a data breach. At the international level, we are subject to the GDPR and UK GDPR and similar laws are in effect or being considered in other jurisdictions in which we operate across the globe. While the GDPR and the UK GDPR remain substantially similar for the time being, the UK government has announced that it would seek to chart its own path on data protection and reform its relevant laws, including in ways that may differ from the GDPR, to an extent. Legal developments in the EEA and the UK also have created complexity and uncertainty regarding processing and transfers of personal data from the EEA and the UK to the U.S. and other so-called third countries outside the EEA and the UK that have not been determined by the relevant data protection authorities to provide an adequate level of protection for privacy rights. Importantly, significant monetary fines have been imposed since the introduction of such stringent privacy laws in 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 25 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 25 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 25 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 25 the EU and the UK and regulatory expectations of governance and accountability with respect to the protection of personal, proprietary, confidential and sensitive information continue to expand and evolve. Further, while we strive to publish and prominently display privacy notices and policies that are accurate, comprehensive, and compliant with applicable laws, regulations, rules and industry standards, we cannot ensure that our privacy policies and other statements regarding our practices will be considered sufficient to protect us from claims, proceedings, liability or adverse publicity relating to data privacy and security, considering the fast-evolving regulatory landscape. Although we endeavor to comply with our privacy policies, we may at times fail to do so or be alleged to have failed to do so. The publication of our privacy policies and other documentation that provide promises and assurances about data privacy and security can subject us to potential government or legal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices. Any concerns about our data privacy and security practices, even if unfounded, could damage our reputation and adversely affect our business. Any failure or perceived failure by us to comply with our privacy policies, or applicable data privacy and security laws, regulations, rules, standards or contractual obligations, or any compromise of security that results in unauthorized access to, or unauthorized loss, destruction, use, modification, acquisition, disclosure, release or transfer of personal information, may result in requirements to modify or cease certain operations or practices, the expenditure of substantial costs, time and other resources, proceedings or actions against us, legal liability, governmental investigations, enforcement actions, claims, fines, judgments, awards, penalties, sanctions and costly litigation (including class actions). Any of the foregoing could harm our reputation, distract our management and technical personnel, increase our costs of doing business, adversely affect the demand for our products and services, and ultimately result in the imposition of liability, any of which could have a material adverse effect on our business, financial condition and results of operations. **Current (2026):** We are subject to complex and evolving laws, regulations, rules, standards and contractual obligations governing data privacy and security, which may differ and potentially conflict, in various jurisdictions, and any failure to comply with these laws, regulations, rules, standards and contractual obligations could expose us to liability and/or reputational damage. Regulators globally are introducing the potential for greater monetary fines on institutions that suffer from breaches leading to the loss, misappropriation or unauthorized access, use or disclosure of personal, confidential, proprietary or sensitive information. Most U.S. states, the EU and other non-U.S. jurisdictions also have adopted their own statutes and/or regulations concerning data privacy and security and notification of data breaches. These and other changes in laws or regulations associated with the enhanced protection of personal and other types of information could greatly increase compliance costs, the size of potential fines related to the protection of such information and reporting obligations in the case of cyber-attacks or other information security incidents. Compliance with these laws, regulations, rules and standards may require us to change and continuously update our policies, procedures and technology controls for information security, which could, among other things, make us more vulnerable to operational failures and to monetary penalties for breach of such laws, regulations, rules and standards. Legal developments in the EEA and the UK also have created complexity and uncertainty regarding processing and transfers of personal data from the EEA and the UK to the U.S. and other so-called third countries outside the EEA and the UK that have not been determined by the relevant data protection authorities to provide an adequate level of protection for privacy rights. Importantly, significant monetary fines have been imposed since the introduction of such stringent privacy laws in the EU and the UK and regulatory expectations of governance and accountability with respect to the protection of personal, proprietary, confidential and sensitive information continue to expand and evolve. For more information on regulations regarding data privacy and security, see "Supervision and Regulation" in Item 1, "Business." Further, while we strive to publish and prominently display privacy notices and policies that are accurate, comprehensive, and compliant with applicable laws, regulations, rules and industry standards, we cannot ensure that our privacy policies and other statements regarding our practices will be considered sufficient to protect us from claims, proceedings, liability or adverse publicity relating to data privacy and security, considering the fast-evolving regulatory landscape. Although we endeavor to comply with our privacy policies, we may at times fail to do so or be alleged to have failed to do so. The publication of our privacy policies and other documentation that provide promises and assurances about data privacy and security can subject us to potential government or legal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices. Any concerns about our data privacy and security practices, even if unfounded, could damage our reputation and adversely affect our business. Any failure or perceived failure by us to comply with our privacy policies, or applicable data privacy and security laws, regulations, rules, standards or contractual obligations, or any compromise of security that results in unauthorized access to, or unauthorized loss, destruction, use, modification, acquisition, disclosure, release or transfer of personal information, may result in requirements to modify or cease certain operations or practices, the expenditure of substantial costs, time and other resources, proceedings or actions against us, legal liability, governmental investigations, enforcement actions, claims, fines, judgments, awards, penalties, sanctions and costly litigation (including class actions). Any of the foregoing could harm our reputation, distract our management and technical personnel, increase our costs of doing business, adversely affect the demand for our products and services, and ultimately result in the imposition of liability, any of which could have a material adverse effect on our business, financial condition and results of operations. --- ## Modified: The ultimate impact on us of regulatory divergence between the United Kingdom and the European Union remains uncertain. **Key changes:** - Removed sentence: "In December 2020, the UK and the EU agreed on a trade and cooperation agreement that entered into force on May 1, 2021." - Removed sentence: "While the trade and cooperation agreement covers the general objectives and framework of the relationship between the UK and the EU, it generally does not address the regulation of financial services." - Removed sentence: "Instead, in March 2021, the UK and the EU agreed upon a framework for voluntary regulatory cooperation and dialogue on financial services issues between the parties in a memorandum of understanding, which was signed on June 27, 2023." **Prior (2025):** While regulatory standards remain largely aligned following the UK's withdrawal from the EU, commonly referred to as "Brexit," it is possible that future divergence may occur between the UK and EU; therefore, the final impact remains uncertain. In December 2020, the UK and the EU agreed on a trade and cooperation agreement that entered into force on May 1, 2021. While the trade and cooperation agreement covers the general objectives and framework of the relationship between the UK and the EU, it generally does not address the regulation of financial services. Instead, in March 2021, the UK and the EU agreed upon a framework for voluntary regulatory cooperation and dialogue on financial services issues between the parties in a memorandum of understanding, which was signed on June 27, 2023. Since the UK's withdrawal from the EU on December 31, 2020, the UK government has embarked on a program of significant regulatory reform. In particular, the Financial Services and Markets Act 2023 contains provisions that will eventually repeal all EU rules and regulations relating to financial services that were incorporated into UK law following Brexit. The UK government and the UK financial services regulatory authorities has been consulting on a number of measures that will replace the current EU-based rules and regulations with measures that reflect the particular needs of the UK market and policy objectives of the UK's regulatory authorities. Consequently, over time it is likely that the rules and regulations relating to financial services will diverge, which may result in additional compliance costs for our UK and EU businesses. **Current (2026):** While regulatory standards remain largely aligned following the UK's withdrawal from the EU, commonly referred to as "Brexit," it is possible that future divergence may occur between the UK and EU; therefore, the final impact remains uncertain. Since the UK's withdrawal from the EU on December 31, 2020, the UK government has embarked on a program of significant regulatory reform. In particular, the Financial Services and Markets Act 2023 contains provisions that will eventually repeal all EU rules and regulations relating to financial services that were incorporated into UK law following Brexit. The UK government and the UK financial services regulatory authorities has been consulting on a number of measures that will replace the current EU-based rules and regulations with measures that reflect the particular needs of the UK market and policy objectives of the UK's regulatory authorities. Consequently, over time it is likely that the rules and regulations relating to financial services will diverge, which may result in additional compliance costs for our UK and EU businesses. --- ## Modified: We may take actions to maintain client satisfaction that could result in losses or reduced earnings. **Key changes:** - Removed sentence: "2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 29 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 29 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 29 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 29" **Prior (2025):** We may take action or incur expenses in order to maintain client satisfaction or preserve the usefulness of investments or investment vehicles we manage in light of changes in security ratings, liquidity or valuation issues or other developments, even though we are not required to do so by law or the terms of governing instruments. The risk that we will decide to take actions to maintain client satisfaction that result in losses or reduced earnings is greater in periods when credit or equity markets are deteriorating in value or are particularly volatile and liquidity in markets is disrupted. 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 29 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 29 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 29 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 29 **Current (2026):** We may take action or incur expenses in order to maintain client satisfaction or preserve the usefulness of investments or investment vehicles we manage in light of changes in security ratings, liquidity or valuation issues or other developments, even though we are not required to do so by law or the terms of governing instruments. The risk that we will decide to take actions to maintain client satisfaction that result in losses or reduced earnings is greater in periods when credit or equity markets are deteriorating in value or are particularly volatile and liquidity in markets is disrupted. --- ## Modified: Our operations, businesses and clients could be materially adversely affected by the effects of climate change or concerns related thereto. **Key changes:** - Reworded sentence: "Risks related to climate change could adversely impact our business, financial condition, and results of operations." - Reworded sentence: "Further, physical risks from climate change could negatively impact our clients' ability to pay outstanding loans, reduce the value of collateral, or result in insurance shortfalls." - Reworded sentence: "While these changes could create opportunities, they could also adversely impact us and our clients." - Reworded sentence: "2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 31 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 31 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 31 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 31 Our reputation and business prospects may also be damaged if we do not, or are perceived not to, effectively prepare for the potential business and operational opportunities and risks associated with climate change." - Reworded sentence: "We also face regulatory and liability risk associated with not meeting regulatory expectations on climate risks, greenwashing claims, a failure to execute on our public climate-related commitments, or through association with individuals, entities, industries or products connected to climate change issues." **Prior (2025):** Risks related to climate change could impact our business, financial condition, and results of operations adversely. The physical risks of climate change include harm to people and property arising from acute climate-related events, such as floods, hurricanes, heatwaves, droughts and wildfires, and chronic, longer-term shifts in climate patterns, such as rising average global temperatures, rising sea levels, and an increase in the frequency and severity of extreme weather events and natural disasters. Such developments could disrupt our operations and resilience capabilities, those of our clients, or third parties on which we rely. Further, the consequences of climate change could negatively impact our clients' ability to pay outstanding loans, reduce the value of collateral, or result in insurance shortfalls. Climate change could also result in transition risk arising from changes in policy, regulations, technology, business practices or market preferences toward a lower-carbon economy. While these changes could create opportunities, they could also adversely impact us or our clients. These impacts could result in increased operational or compliance costs, higher energy expenses, additional taxes, and the devaluation of assets. Our reputation and business prospects may also be damaged if we do not, or are perceived not to, effectively prepare for the potential business and operational opportunities and risks associated with climate change. This includes the development and marketing of effective and competitive new products, objectively understanding how climate changes might impact the financial performance of direct and indirect client investments, and other services designed to address our clients' climate related needs. We also face regulatory and liability risk associated with not meeting regulatory expectations on climate risks, greenwashing claims, a failure to execute on our public climate-related commitments, or by association with individuals, entities, industries or products that may be inconsistent with our stated positions on climate change issues. At the same time, certain financial institutions have also been subject to external scrutiny from regulatory agencies, government officials, and others. This can be in relation to a number of climate change areas and can lead to negative publicity and reputational damage. For example, questions on how the impacts of climate change are being reflected in business and investment decisions and the decision to reduce involvement in certain industries or projects associated with climate change. Due to the divergent views of stakeholders, we are at increased risk that any action, or lack thereof, by us concerning our response to climate change will be perceived negatively by some stakeholders, which could adversely impact our reputation and business. If we do not identify, quantify, and mitigate such risks successfully, we may experience financial losses, litigation, reputational harm, and losses of investor and stakeholder confidence. Even as regulators begin to mandate additional disclosure of climate-related information by companies across sectors, methodologies and data used to conduct more robust climate-related risk analyses are still in development. Third‑party exposures, emissions, climate-related risks, and other data are limited in availability and variable in quality. Modeling capabilities across the industry to analyze climate-related risks and interconnections are improving but remain imperfect. These legislative and regulatory uncertainties along with inconsistencies and conflicts of policy across jurisdictions, and changes regarding climate-related risk management and disclosures are likely to result in higher regulatory, compliance, credit, reputational and other risks and costs. **Current (2026):** Risks related to climate change could adversely impact our business, financial condition, and results of operations. The physical risks of climate change include harm to people and property. These arise from acute climate-related events, such as floods, hurricanes, heatwaves, droughts and wildfires. They also arise from chronic, longer-term shifts in climate patterns, such as rising average global temperatures, rising sea levels, and an increase in the frequency and severity of extreme weather events and natural disasters. Such developments could disrupt our operations and resilience capabilities, those of our clients, or third parties on which we rely. Further, physical risks from climate change could negatively impact our clients' ability to pay outstanding loans, reduce the value of collateral, or result in insurance shortfalls. Climate change could also result in transition risk arising from changes in policy, regulations, technology, business practices or market preferences toward a lower-carbon economy. While these changes could create opportunities, they could also adversely impact us and our clients. These impacts could result in increased operational or compliance costs, higher energy expenses, additional taxes, and the devaluation of assets. 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 31 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 31 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 31 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 31 Our reputation and business prospects may also be damaged if we do not, or are perceived not to, effectively prepare for the potential business and operational opportunities and risks associated with climate change. This includes the development and marketing of effective and competitive new products, objectively understanding how climate changes might impact the financial performance of direct and indirect client investments, and other services designed to address our clients' climate related needs. We also face regulatory and liability risk associated with not meeting regulatory expectations on climate risks, greenwashing claims, a failure to execute on our public climate-related commitments, or through association with individuals, entities, industries or products connected to climate change issues. At the same time, financial institutions have also been subject to external scrutiny from stakeholders, including some regulatory agencies, government officials, and clients in relation to areas our business decisions, public commitments and affiliations associated with climate change. Due to the divergent views of stakeholders, there is an increased risk that any action, or lack thereof, by us concerning our response to climate change will be perceived negatively by some stakeholders. If we do not identify, quantify, and mitigate such risks successfully, we may experience financial losses, litigation, reputational harm, and losses of investor and stakeholder confidence. Methodologies and data used to conduct more robust climate-related risk analyses are being developed. Modeling capabilities across the industry to analyze climate-related risks and interconnections are improving but remain imperfect, for example, third-party exposures, emissions and other data are limited in availability and variable in quality. However, legislative and regulatory uncertainties along with inconsistencies and conflicts of policy across jurisdictions could result in higher costs and regulatory, compliance, credit, and reputational risks. --- ## Modified: Failure of any of our third-party vendors (or their vendors) to perform can result in losses. **Key changes:** - Reworded sentence: "2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 21 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 21 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 21 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 21" **Prior (2025):** Third-party vendors provide key components of our business operations such as data processing, recording and monitoring transactions, online banking interfaces and services, and network access. Our use of third-party vendors exposes us to the risk that such vendors (or their vendors) may not comply with their servicing and other contractual obligations, including with respect to indemnification and information security, and to the risk that we may not satisfy applicable regulatory responsibilities regarding the management and oversight of third parties and outsourcing providers. While we have established risk management processes and continuity plans, any disruptions in service from a key vendor for any reason or poor performance of services have in the past and could in the future have a negative effect on our ability to deliver products and services to our clients and conduct our business. Replacing these third-party vendors or performing the tasks they perform for ourselves has in the past and could in the future create significant delay and expense. 20 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 20 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 20 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 20 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION **Current (2026):** Third-party vendors provide key components of our business operations such as data processing, recording and monitoring transactions, online banking interfaces and services, and network access. Our use of third-party vendors exposes us to the risk that such vendors (or their vendors) may not comply with their servicing and other contractual obligations, including with respect to indemnification and information security, and to the risk that we may not satisfy applicable regulatory responsibilities regarding the management and oversight of third parties and outsourcing providers. While we have established risk management processes and continuity plans, any disruptions in service from a key vendor for any reason or poor performance of services have in the past and could in the future have a negative effect on our ability to deliver products and services to our clients and conduct our business. Replacing these third-party vendors or performing the tasks they perform for ourselves has in the past and could in the future create significant delay and expense. 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 21 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 21 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 21 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 21 --- ## Modified: Market volatility and/or weak economic conditions can result in losses or the need for additional provisions for credit losses, both of which reduce our earnings. **Key changes:** - Added sentence: "2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 23 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 23 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 23 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 23" **Prior (2025):** Credit risk levels and our earnings can be affected by market volatility and/or weakness in the economy in general and in the particular locales in which we extend credit, a deterioration in credit quality, or a reduced demand for credit. Adverse changes in the financial performance or condition of our borrowers resulting from market volatility, elevated interest rates, and/or weakened economic conditions could impact the borrowers' abilities to repay outstanding loans, which could in turn impact our financial condition and results of operations negatively. **Current (2026):** Credit risk levels and our earnings can be affected by market volatility and/or weakness in the economy in general and in the particular locales in which we extend credit, a deterioration in credit quality, or a reduced demand for credit. Adverse changes in the financial performance or condition of our borrowers resulting from market volatility, elevated interest rates, and/or weakened economic conditions could impact the borrowers' abilities to repay outstanding loans, which could in turn impact our financial condition and results of operations negatively. 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 23 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 23 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 23 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 23 --- ## Modified: We are subject to extensive and evolving government regulation and supervision that impacts our operations. Changes by the U.S. and other governments to laws, regulations and policies applicable to the financial services industry could heighten the challenges we face and make regulatory compliance more difficult and costly. **Key changes:** - Reworded sentence: "Congress and the presidential administration have introduced and may continue to introduce changes in the laws or policies applicable to us and the agencies that regulate us, including their interpretations of rules and guidelines." - Reworded sentence: "For more information on these proposals, see "Supervision and Regulation" in Item 1, "Business." In addition, regulatory responses in connection with severe market downturns or unforeseen stress events could alter or disrupt our planned future strategies and actions." - Added sentence: "26 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 26 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 26 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 26 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION" **Prior (2025):** We operate in a highly regulated environment, and are subject to a comprehensive statutory and regulatory regime affecting all aspects of our business and operations, including oversight by governmental agencies both inside and outside the United States. Various regulatory bodies have demonstrated heightened scrutiny of financial institutions through many regulatory initiatives. These initiatives have increased compliance costs and regulatory risks and may lead to financial and reputational damage in the event of a compliance violation, even if the failure to comply was inadvertent or reflected a difference in interpretation. Although we have programs in place, including policies, training and various forms of monitoring, designed to ensure compliance with legislative and regulatory requirements, we cannot provide assurance that these programs and policies are or will be adequate to identify and manage internal and external compliance risks. For example, our business may be adversely impacted by actual or alleged misconduct by an employee or other negative outcomes caused by human error. In addition, changes to statutes, regulations or regulatory and supervisory policies or their interpretation or implementation and the continued heightening of regulatory and supervisory requirements could affect us in substantial and unpredictable ways. For example, governments and regulators could take actions that increase intervention in the normal operation of our businesses and the businesses of our competitors in the financial services industry, and these likely would involve additional legislative and regulatory requirements imposed on banks and other financial services companies. Any such actions could increase compliance costs and regulatory risks, lead to financial and reputational damage in the event of a violation, affect our ability to compete successfully or limit how we conduct our business, and also could impact the nature and level of competition in the industry in unpredictable ways. The full scope and impact of possible legislative or regulatory changes and the extent of regulatory activity is uncertain and difficult to predict. For example, given the current rapid pace of change, we are unable to predict what, if any, changes to the laws and regulations applicable to the financial services industry may be enacted by the new U.S. Congress in conjunction with the new U.S. presidential administration under unified party control, and what the impact of any such changes will be upon our business, financial condition, and results of operations. We expect the current U.S. presidential administration will seek to implement a regulatory reform agenda that is significantly different than that of the prior administration, impacting the rulemaking, supervision, examination and enforcement priorities of the federal banking agencies. Moreover, the turnover of the U.S. presidential administration is expected to result in certain changes in the leadership and senior staffs of the federal banking agencies which are likely to impact the rulemaking, supervision, examination and enforcement priorities and policies of such agencies, the potential impacts of which, if any, we cannot predict at this time. 24 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 24 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 24 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 24 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION Further, the regulatory framework for AI and similar technologies, and automated decision making, is changing rapidly. It is possible that new laws and regulations will be adopted in the U.S. and in non-U.S. jurisdictions, or that existing laws and regulations may be interpreted, in ways that would affect the operation of our products and services and the way in which we use AI and similar technologies. For more information on regulations regarding AI, see "Supervision and Regulation" in Item 1, "Business." The evolving regulatory and supervisory environment and uncertainty about the timing and scope of future laws, regulations and policies may contribute to decisions we may make to suspend, reduce or withdraw from existing businesses, activities or initiatives, which may result in potential lost revenue or significant restructuring or related costs or exposures. We also face the risk of becoming subject to new or more stringent requirements in connection with the introduction of new regulations or modification of existing regulations, which could require us to hold more capital or liquidity or have other adverse effects on our businesses or profitability. For example, proposed changes to applicable capital and liquidity requirements, such as the Basel III Endgame Proposal and the long-term debt proposal, could result in increased expenses or cost of funding, which could negatively affect our financial results or our ability to pay dividends and engage in share repurchases. For more information concerning our legal and regulatory obligations with respect to Basel III and long-term debt requirements, see "Supervision and Regulation" in Item 1, "Business." In addition, regulatory responses in connection with severe market downturns or unforeseen stress events could alter or disrupt our planned future strategies and actions. Adverse developments affecting the overall strength and soundness of other financial institutions, the financial services industry as a whole and the general economic climate and the U.S. Treasury market could have a negative impact on perceptions about the strength and soundness of our business even if we are not subject to the same adverse developments. For example, during 2023, the FDIC took control and was appointed receiver of Silicon Valley Bank, Signature Bank, and First Republic Bank. The failure of other banks and financial institutions and the measures taken by governments and regulators in response to these events could adversely impact our business, financial condition and results of operations. **Current (2026):** We operate in a highly regulated environment, and are subject to a comprehensive statutory and regulatory regime affecting all aspects of our business and operations, including oversight by governmental agencies both inside and outside the United States. Various regulatory bodies have demonstrated heightened scrutiny of financial institutions through many regulatory initiatives. These initiatives have increased compliance costs and regulatory risks and may lead to financial and reputational damage in the event of a compliance violation, even if the failure to comply was inadvertent or reflected a difference in interpretation. Although we have programs in place, including policies, training and various forms of monitoring, designed to ensure compliance with legislative and regulatory requirements, we cannot provide assurance that these programs and policies are or will be adequate to identify and manage internal and external compliance risks. For example, our business may be adversely impacted by actual or alleged misconduct by an employee or other negative outcomes caused by human error. In addition, changes to statutes, regulations or regulatory and supervisory policies or their interpretation or implementation and the continued heightening of regulatory and supervisory requirements could affect us in substantial and unpredictable ways. For example, governments and regulators could take actions that increase intervention in the normal operation of our businesses and the businesses of our competitors in the financial services industry, and these likely would involve additional legislative and regulatory requirements imposed on banks and other financial services companies. Any such actions could increase compliance costs and regulatory risks, lead to financial and reputational damage in the event of a violation, affect our ability to compete successfully or limit how we conduct our business, and also could impact the nature and level of competition in the industry in unpredictable ways. The full scope and impact of possible legislative or regulatory changes and the extent of regulatory activity is uncertain and difficult to predict. Congress and the presidential administration have introduced and may continue to introduce changes in the laws or policies applicable to us and the agencies that regulate us, including their interpretations of rules and guidelines. These changes may subject financial institutions like us to change in regulation, supervision and enforcement that are difficult to predict and uncertain for a period of time and may create the possibility of significant impacts on business activity in the United States and globally, including impacts relating to the trade policies (including tariffs) of the United States or other countries. Some of the regulations finalized in the prior administration that are applicable to financial institutions were modified, rescinded or withdrawn or are subject to reevaluation, creating further uncertainty. Moreover, political and policy goals of elected and appointed officials may change over time, which could impact the rulemaking, supervision, examination, and enforcement priorities of the federal banking agencies. It is possible the expected changed in law, regulation and policy do not occur or are reversed subsequently, or the regulatory measures that are ultimately enacted deliver significant competitive advantages to financial services that are structured differently or serve different markets than us. Further, the regulatory framework for AI and similar technologies, and automated decision making, is changing rapidly. It is possible that new laws and regulations will be adopted in the U.S. and in non-U.S. jurisdictions, or that existing laws and regulations may be interpreted, in ways that would affect the operation of our products and services and the way in which we use AI and similar technologies. For more information on regulations regarding AI, see "Supervision and Regulation" in Item 1, "Business." The evolving regulatory and supervisory environment and uncertainty about the timing and scope of future laws, regulations and policies may contribute to decisions we may make to suspend, reduce or withdraw from existing businesses, activities or initiatives, which may result in potential lost revenue or significant restructuring or related costs or exposures. We also face the risk of becoming subject to new or more stringent requirements in connection with the introduction of new regulations or modification of existing regulations, which could require us to hold more capital or liquidity or have other adverse effects on our businesses or profitability. For more information on these proposals, see "Supervision and Regulation" in Item 1, "Business." In addition, regulatory responses in connection with severe market downturns or unforeseen stress events could alter or disrupt our planned future strategies and actions. Adverse developments affecting the overall strength and soundness of other financial institutions, the financial services industry as a whole and the general economic climate and the U.S. Treasury market could have a negative impact on perceptions about the strength and soundness of our business even if we are not subject to the same adverse developments. For example, during 2023, the FDIC took control and was appointed receiver of Silicon Valley Bank, Signature Bank, and First Republic Bank. The failure of other banks and financial institutions and the measures taken by governments and regulators in response to these events could adversely impact our business, financial condition and results of operations. 26 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 26 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 26 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 26 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION --- ## Modified: Failure to control our costs and expenses adequately could affect our earnings negatively. **Key changes:** - Added sentence: "22 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 22 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 22 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 22 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION" **Prior (2025):** Our success in controlling the costs and expenses of our business operations also impacts operating results. Through various parts of our business strategy, we aim to produce efficiencies in operations that help reduce and control costs and expenses, including the costs of losses associated with operating risks attributable to servicing and managing financial assets. Increased expenses have affected - and a failure to control our costs and expenses in the future, whether as a result of inflation or otherwise, could affect - our earnings negatively. **Current (2026):** Our success in controlling the costs and expenses of our business operations also impacts operating results. Through various parts of our business strategy, we aim to produce efficiencies in operations that help reduce and control costs and expenses, including the costs of losses associated with operating risks attributable to servicing and managing financial assets. Increased expenses have affected - and a failure to control our costs and expenses in the future, whether as a result of inflation or otherwise, could affect - our earnings negatively. 22 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 22 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 22 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 22 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION --- ## Modified: Regulatory and Legal Risks **Key changes:** - Reworded sentence: "•We may be impacted adversely by claims or litigation, including claims or litigation relating to our fiduciary responsibilities." **Prior (2025):** •Failure to comply with regulations and/or supervisory expectations can result in penalties and regulatory constraints that restrict our ability to grow or even conduct our business, or that reduce earnings. •We are subject to extensive and evolving government regulation and supervision that impacts our operations. Changes by the U.S. and other governments to laws, regulations and policies applicable to the financial services industry may heighten the challenges we face and make regulatory compliance more difficult and costly. •We are subject to complex and evolving laws, regulations, rules, standards and contractual obligations regarding data privacy and security, which could increase the cost of doing business, compliance risks and potential liability. 14 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 14 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 14 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION 14 2024 ANNUAL REPORT | NORTHERN TRUST CORPORATION •We may be impacted adversely by claims or litigation, including claims or litigation relating to our fiduciary responsibilities. •We may be impacted adversely by supervisory and/or regulatory enforcement matters. •We may fail to set aside adequate reserves for, or otherwise underestimate our liability relating to, pending and threatened claims, with a negative effect on our earnings. •The ultimate impact on us of regulatory divergence between the United Kingdom and the European Union remains uncertain. •If we fail to comply with legal standards, we could incur liability to our clients or lose clients, which could affect our earnings negatively. **Current (2026):** •Failure to comply with regulations and/or supervisory expectations can result in penalties and regulatory constraints that restrict our ability to grow or even conduct our business, or that reduce earnings. •We are subject to extensive and evolving government regulation and supervision that impacts our operations. Changes by the U.S. and other governments to laws, regulations and policies applicable to the financial services industry may heighten the challenges we face and make regulatory compliance more difficult and costly. •We are subject to complex and evolving laws, regulations, rules, standards and contractual obligations regarding data privacy and security, which could increase the cost of doing business, compliance risks and potential liability. •We may be impacted adversely by claims or litigation, including claims or litigation relating to our fiduciary responsibilities. •We may be impacted adversely by supervisory and/or regulatory enforcement matters. •We may fail to set aside adequate reserves for, or otherwise underestimate our liability relating to, pending and threatened claims, with a negative effect on our earnings. •The ultimate impact on us of regulatory divergence between the United Kingdom and the European Union remains uncertain. •If we fail to comply with legal standards, we could incur liability to our clients or lose clients, which could affect our earnings negatively. --- ## Modified: If we fail to comply with legal standards, we could incur liability to our clients or lose clients, which could affect our earnings negatively. **Key changes:** - Added sentence: "28 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 28 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 28 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 28 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION" **Prior (2025):** Managing or servicing assets with reasonable prudence in accordance with the terms of governing documents and applicable laws is an important part of our business. Failure to comply with the terms of governing documents and applicable laws, manage adequately the risks or manage appropriately the differing interests often involved in the exercise of fiduciary responsibilities may subject us to liability or cause client dissatisfaction, which could impact negatively our earnings and growth. **Current (2026):** Managing or servicing assets with reasonable prudence in accordance with the terms of governing documents and applicable laws is an important part of our business. Failure to comply with the terms of governing documents and applicable laws, manage adequately the risks or manage appropriately the differing interests often involved in the exercise of fiduciary responsibilities may subject us to liability or cause client dissatisfaction, which could impact negatively our earnings and growth. 28 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 28 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 28 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 28 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION --- ## Modified: We need to invest in innovation constantly, and the inability or failure to do so may affect our businesses and earnings negatively. **Key changes:** - Added sentence: "Widespread adoption and rapid evolution of emerging technologies, including with respect to digital assets, such as stablecoins, as well as developments in the regulatory landscape relating to emerging technologies, such as the enactment and implementation of the Guiding and Establishing National Innovation for U.S." - Added sentence: "Stablecoins Act of 2025 (GENIUS ACT) and potential enactment of the Digital Asst Market Clarity Act of 2025 (CLARITY Act) or similar market structure legislation, may affect our clients' needs and expectations for products and services." - Added sentence: "Further, our competitors or other third parties may incorporate AI into their products more quickly or more successfully than us, which could impair our ability to compete effectively." - Added sentence: "30 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 30 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 30 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 30 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION" **Prior (2025):** Our success in the competitive environment in which we operate requires consistent investment of capital and human resources in innovation, particularly in light of the current "FinTech" environment, in which the financial services industry is undergoing rapid technological changes and financial institutions are investing significantly in evaluating new technologies, such as AI, machine learning, blockchain and other distributed ledger technologies, and developing potentially industry-changing new products, services and industry standards. Our investment is directed at generating new products and services, and adapting existing products and services to the evolving standards and demands of the marketplace. Among other things, investing in innovation helps us maintain a mix of products and services that keeps pace with our competitors and achieve acceptable margins. Our investment also focuses on enhancing the delivery of our products and services in order to compete successfully for new clients or gain additional business from existing clients. Effectively identifying gaps or weaknesses in our product offerings is important to our success. Failure to keep pace with our competition in any of these areas could affect our business opportunities, growth and earnings adversely. There are substantial risks and uncertainties associated with innovation efforts, including an increased risk that new and emerging technologies may expose us to increased data privacy and security and other information technology threats. We must invest significant time and resources in developing and marketing new products and services, and expected timetables for the introduction and development of new products or services may not be achieved and price and profitability targets may not be met. Further, our revenues and costs may fluctuate because new products and services generally require start-up costs while corresponding revenues take time to develop or may not develop at all. **Current (2026):** Our success in the competitive environment in which we operate requires consistent investment of capital and human resources in innovation, particularly in light of the current "FinTech" environment, in which the financial services industry is undergoing rapid technological changes and financial institutions are investing significantly in evaluating new technologies, such as AI, machine learning, blockchain and other distributed ledger technologies, and developing potentially industry-changing new products, services and industry standards. Widespread adoption and rapid evolution of emerging technologies, including with respect to digital assets, such as stablecoins, as well as developments in the regulatory landscape relating to emerging technologies, such as the enactment and implementation of the Guiding and Establishing National Innovation for U.S. Stablecoins Act of 2025 (GENIUS ACT) and potential enactment of the Digital Asst Market Clarity Act of 2025 (CLARITY Act) or similar market structure legislation, may affect our clients' needs and expectations for products and services. Our investment is directed at generating new products and services, and adapting existing products and services to the evolving standards and demands of the marketplace. Among other things, investing in innovation helps us maintain a mix of products and services that keeps pace with our competitors and achieve acceptable margins. Our investment also focuses on enhancing the delivery of our products and services in order to compete successfully for new clients or gain additional business from existing clients. Further, our competitors or other third parties may incorporate AI into their products more quickly or more successfully than us, which could impair our ability to compete effectively. Effectively identifying gaps or weaknesses in our product offerings is important to our success. Failure to keep pace with our competition in any of these areas could affect our business opportunities, growth and earnings adversely. There are substantial risks and uncertainties associated with innovation efforts, including an increased risk that new and emerging technologies may expose us to increased data privacy and security and other information technology threats. We must invest significant time and resources in developing and marketing new products and services, and expected timetables for the introduction and development of new products or services may not be achieved and price and profitability targets may not be met. Further, our revenues and costs may fluctuate because new products and services generally require start-up costs while corresponding revenues take time to develop or may not develop at all. 30 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 30 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 30 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 30 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION --- ## Modified: Other Risks **Key changes:** - Added sentence: "2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 15 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 15 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 15 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 15" **Prior (2025):** •The systems and models we employ to analyze, monitor and mitigate risks, as well as for other business purposes, are inherently limited, may not be effective in all cases and, in any case, cannot eliminate all risks that we face. •Changes in tax laws and interpretations and challenges to our tax positions may affect our earnings negatively. •Changes in accounting standards may be difficult to predict and could have a material impact on our consolidated financial statements. •Our ability to return capital to stockholders is subject to the discretion of our Board of Directors and may be limited by U.S. banking laws and regulations, applicable provisions of Delaware law, or our failure to pay full and timely dividends on our preferred stock and the terms of our outstanding debt. **Current (2026):** •The systems and models we employ to analyze, monitor and mitigate risks, as well as for other business purposes, are inherently limited, may not be effective in all cases and, in any case, cannot eliminate all risks that we face. •Changes in tax laws and interpretations and challenges to our tax positions may affect our earnings negatively. •Changes in accounting standards may be difficult to predict and could have a material impact on our consolidated financial statements. •Our ability to return capital to stockholders is subject to the discretion of our Board of Directors and may be limited by U.S. banking laws and regulations, applicable provisions of Delaware law, or our failure to pay full and timely dividends on our preferred stock and the terms of our outstanding debt. 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 15 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 15 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 15 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 15 --- ## Modified: Liquidity Risks **Key changes:** - Added sentence: "14 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 14 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 14 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 14 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION" **Prior (2025):** •If we do not manage our liquidity effectively, our business could suffer. •If the Bank is unable to supply the Corporation with funds over time, the Corporation could be unable to meet its various obligations. •We may need to raise additional capital in the future, which may not be available to us or may only be available on unfavorable terms. •Any downgrades in our credit ratings, or an actual or perceived reduction in our financial strength, could affect our borrowing costs, capital costs and liquidity adversely. **Current (2026):** •If we do not manage our liquidity effectively, our business could suffer. •If the Bank is unable to supply the Corporation with funds over time, the Corporation could be unable to meet its various obligations. •We may need to raise additional capital in the future, which may not be available to us or may only be available on unfavorable terms. •Any downgrades in our credit ratings, or an actual or perceived reduction in our financial strength, could affect our borrowing costs, capital costs and liquidity adversely. 14 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 14 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 14 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION 14 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION --- *Data sourced from SEC EDGAR. Last updated 2026-06-01.*