PNC Financial Services Group Inc.: 10-K Risk Factor Changes

We use financial and statistical models throughout many areas of our business, relying on them to inform decision making, automate processes, and estimate many financial values. Although it currently impacts a minority of the overall number of models that we use, we increasingly use models related to how we do business with customers and for internal process automation that leverage AI/machine learning algorithms. These models can be more predictive, but because of the complex way in which the many variables in AI/machine learning models interact, the results of these models are often less interpretable than traditional statistical models. Examples of model use include determining the pricing of various products, identifying potentially fraudulent or suspicious transactions, marketing to potential customers, grading loans and extending credit, measuring interest rate and other market risks, predicting or estimating losses, and assessing capital adequacy. We depend significantly on models for credit loss accounting under CECL, capital stress testing and estimating the value of items in our financial statements. Models generally predict or infer certain financial outcomes, leveraging historical data and assumptions as to the future, often with respect to macroeconomic conditions. Development and implementation of some of these models, such as the models for credit loss accounting under CECL, require us to make difficult, subjective and complex judgments. Other models are used to support decisions made regarding how we do business with customers. Poorly designed or implemented models present the risk that our business decisions based on information incorporating model output will be adversely affected due to the inadequacy of that information. For example, our models may not be effective if historical data does not accurately represent future events or environments or if our models rely on erroneous, incomplete, biased, or otherwise flawed data, formulas, algorithms or assumptions and our internal model review processes fail to detect and address these flaws. Models, if flawed, could cause information we provide to the public or to our regulators to be inaccurate, incomplete or misleading. Some of the decisions that our regulators make, including those related to capital distribution to our shareholders, would likely be affected adversely if they perceive that the quality of the relevant models we use is insufficient. Finally, flaws in our models that negatively impact our customers or our ability to comply with applicable laws and regulations could negatively affect our reputation or result in fines and penalties from our regulators. Moreover, our use of AI/machine learning algorithms is subject to a variety of existing laws and regulations, including intellectual property, privacy (including with respect to automated decision making), consumer protection and federal equal opportunity laws and regulations, and additional new laws and regulations, and new applications or interpretations of existing laws and regulations, related to AI/machine learning algorithms may impact our ability to develop, use and commercialize AI/machine learning algorithms. The PNC Financial Services Group, Inc. – 2025 Form 10-K 21 The PNC Financial Services Group, Inc. – 2025 Form 10-K 21 The PNC Financial Services Group, Inc. – 2025 Form 10-K 21

We use financial and statistical models throughout many areas of our business, relying on them to inform decision making, automate processes, and estimate many financial values. Although it currently impacts a minority of the overall number of models that we use, we increasingly use models related to how we do business with customers and for internal process automation that leverage AI/machine learning algorithms. These models can be more predictive, but because of the complex way in which the many variables in AI/machine learning models interact, the results of these models are often less interpretable than traditional statistical models. Examples of model uses include determining the pricing of various products, identifying potentially fraudulent or suspicious transactions, marketing to potential customers, grading loans and extending credit, measuring interest rate and other market risks, predicting or estimating losses, and assessing capital adequacy. We depend significantly on models for credit loss accounting under CECL, capital stress testing and estimating the value of items in our financial statements. Models generally predict or infer certain financial outcomes, leveraging historical data and assumptions as to the future, often with respect to macroeconomic conditions. Development and implementation of some of these models, such as the models for credit loss accounting under CECL, require us to make difficult, subjective and complex judgments. Other models are used to support decisions made regarding how we do business with customers. Poorly designed or implemented models present the risk that our business decisions based on information incorporating model output will be adversely affected due to the inadequacy of that information. For example, our models may not be effective if historical data does not accurately represent future events or environments or if our models rely on erroneous data, formulas, algorithms or assumptions and our internal model review processes fail to detect and address these flaws. Models, if flawed, could cause information we provide to the public or to our regulators to be inaccurate or misleading. Some of the decisions that our regulators make, including those related to capital distribution to our shareholders, would likely be affected adversely if they perceive that the quality of the relevant models we use is insufficient. Finally, flaws in our models that The PNC Financial Services Group, Inc. – 2024 Form 10-K 25 The PNC Financial Services Group, Inc. – 2024 Form 10-K 25 The PNC Financial Services Group, Inc. – 2024 Form 10-K 25 negatively impact our customers or our ability to comply with applicable laws and regulations could negatively affect our reputation or result in fines and penalties from our regulators.

Neither the occurrence nor the potential impact of natural and other disasters (including severe weather events), health emergencies, dislocations, geopolitical instabilities, terrorist activities, international hostilities or other extraordinary events beyond PNC’s control can be predicted. However, these occurrences could adversely impact us, for example, by causing significant damage to our facilities or preventing us from conducting our business in the ordinary course. Also, their impact on our borrowers, depositors, other customers, suppliers or other counterparties could result in indirect adverse effects on us. Other indirect adverse consequences from these occurrences could result from impacts to the financial markets, the economy in general or in any region, or key parts of the infrastructure (such as the power grid) on which we and our customers rely. These types of indirect effects, whether specific to our counterparties or more generally applicable, could lead, for example, to an increase in delinquencies, bankruptcies or defaults that could result in PNC experiencing higher levels of nonperforming assets, net charge-offs and provisions for credit losses. They could also cause a reduction in demand for lending or other services that we provide. The PNC Financial Services Group, Inc. – 2025 Form 10-K 25 The PNC Financial Services Group, Inc. – 2025 Form 10-K 25 The PNC Financial Services Group, Inc. – 2025 Form 10-K 25 Our ability to mitigate the adverse consequences of such occurrences is in part dependent on the quality of our resiliency planning. This includes our ability to anticipate the nature of any such event that might occur. There can be no assurance that PNC’s resiliency planning will fully mitigate all potential resiliency risks to PNC, its customers, and third parties with which it does business, or that its resiliency planning will be adequate to address the effects of simultaneous occurrences of multiple or extended events. The adverse impact of these occurrences also could be increased to the extent that there is a lack of preparedness on the part of national or regional emergency responders or on the part of other organizations and businesses that we deal with, many of which we depend on but have limited or no control over.

Neither the occurrence nor the potential impact of natural and other disasters (including severe weather events), health emergencies, dislocations, geopolitical instabilities, terrorist activities, international hostilities or other extraordinary events beyond PNC’s control can be predicted. However, these occurrences could adversely impact us, for example, by causing significant damage to our facilities or preventing us from conducting our business in the ordinary course. Also, their impact on our borrowers, depositors, other customers, suppliers or other counterparties could result in indirect adverse effects on us. Other indirect adverse consequences from these occurrences could result from impacts to the financial markets, the economy in general or in any region, or key parts of the infrastructure (such as the power grid) on which we and our customers rely. These types of indirect effects, whether specific to our counterparties or more generally applicable, could lead, for example, to an increase in delinquencies, bankruptcies or defaults that The PNC Financial Services Group, Inc. – 2024 Form 10-K 29 The PNC Financial Services Group, Inc. – 2024 Form 10-K 29 The PNC Financial Services Group, Inc. – 2024 Form 10-K 29 could result in PNC experiencing higher levels of nonperforming assets, net charge-offs and provisions for credit losses. They could also cause a reduction in demand for lending or other services that we provide. Our ability to mitigate the adverse consequences of such occurrences is in part dependent on the quality of our resiliency planning. This includes our ability to anticipate the nature of any such event that might occur. The adverse impact of these occurrences also could be increased to the extent that there is a lack of preparedness on the part of national or regional emergency responders or on the part of other organizations and businesses that we deal with, many of which we depend on but have limited or no control over.

The PNC Financial Services Group, Inc. is a BHC and an FHC, with the Federal Reserve as its primary regulator. PNC Bank is a federally chartered bank, with the OCC as its primary regulator. In addition, our businesses are subject to regulation by multiple other banking, consumer protection, securities and derivatives regulatory bodies. We are also subject to the jurisdiction of criminal and civil 12 The PNC Financial Services Group, Inc. – 2025 Form 10-K 12 The PNC Financial Services Group, Inc. – 2025 Form 10-K 12 The PNC Financial Services Group, Inc. – 2025 Form 10-K enforcement authorities. As a result, we are subject to numerous laws and regulations intended to promote the safety and soundness of financial institutions, the stability of the U.S. banking and financial system (including protection of the DIF)), the transparency and liquidity of financial markets, and consumer protection that are not primarily intended to protect PNC security holders. We are also subject to foreign regulation to a limited extent as a result of our business activities outside the U.S. Applicable laws and regulations restrict our permissible activities and require compliance with provisions designed to protect loan, deposit, brokerage, fiduciary, and other customers, and for the protection of customer information, among other things. We also are subject to laws and regulations designed to combat money laundering and terrorist financing, and restrict transactions with persons, companies or foreign governments designated by U.S. authorities. Over time, the scope of the laws and regulations affecting our businesses, as well as the number of requirements or limitations imposed by legislative or regulatory actions, has increased, and we expect to continue to face substantial regulatory oversight and new or revised regulatory requirements or initiatives. As we expand our product and service offerings into additional markets, domestic or foreign, either through organic growth or acquisition, we have faced and will continue to face increases in state or foreign regulation affecting our operations. Different approaches to regulation by different jurisdictions, including potentially conflicting federal and state regulations or state level regulations where we operate, could materially increase our compliance costs or risks of non-compliance. Legislative or regulatory actions can result in increased compliance costs, reduced business opportunities, or requirements and limitations on how we conduct our business. In particular, the financial services industry continues to face heightened scrutiny, including with respect to BSA/AML, know-your-customer and export and sanctions compliance requirements, consumer compliance and protection matters, and capital, liquidity and resolution planning. Although the presidential administration has indicated an intent to pursue the regulation of the financial services industry differently than was the case under the previous administration, there is uncertainty regarding the direction this administration will continue to take and its ability to implement its policies and objectives, as well as the ultimate impact on potential new regulatory initiatives and the enforcement of existing laws and regulations. It is possible the expected changes in regulation do not occur or are reversed by a subsequent administration, or the regulatory measures that are ultimately enacted deliver significant competitive advantages to financial services that are structured differently or serve different markets than PNC. Federal banking regulators possess substantial supervisory and enforcement powers and have assumed an active oversight, examination and enforcement role across the financial services industry. The results of supervisory or examination activities by our regulators, including actual or perceived compliance failures, could result in limitations on our ability to enter into certain transactions, engage in new activities, expand geographically, make acquisitions or obtain necessary regulatory approvals in connection therewith, or otherwise require us to modify our businesses practices in a manner that materially impacts our financial condition or results of operations. These activities also could result in significant fines, penalties or required corrective actions, some of which could be expensive, difficult to implement or materially impact our business or financial condition. In addition, another financial institution’s violation of law or regulation may give rise to an investigation of the same or similar activities of PNC. Further, the Federal Reserve requires a BHC to act as a source of financial and managerial strength for its subsidiary banks. The Federal Reserve could require PNC to commit resources to PNC Bank when doing so is not otherwise in the interests of PNC or its shareholders or creditors. We also rely on third parties who may expose us to compliance risk. A failure to comply with regulatory requirements or deficiencies in risk management practices could be incorporated in our confidential supervisory ratings, which could limit PNC’s ability to expand or require additional approvals before engaging in certain business activities. See the immediately following Risk Factor for a discussion of risks associated with capital and liquidity regulation and the Supervision and Regulation section in Item 1 of this Report and Note 19 Regulatory Matters for more information concerning the regulation of PNC.

The PNC Financial Services Group, Inc. is a BHC and a financial holding company, with the Federal Reserve as its primary regulator. PNC Bank is a federally chartered bank, with the OCC as its primary regulator. In addition, our businesses are subject to regulation by multiple other banking, consumer protection, securities and derivatives regulatory bodies. We are also subject to the jurisdiction of criminal and civil enforcement authorities. As a result, we are subject to numerous laws and regulations, with multiple regulators or agencies having supervisory or enforcement oversight over aspects of our business activities. These laws, regulations and supervisory activities are intended to promote the safety and soundness of financial institutions, financial market stability, the transparency and liquidity of financial markets, consumer protection and to prevent money laundering and terrorist financing and are not primarily 16 The PNC Financial Services Group, Inc. – 2024 Form 10-K 16 The PNC Financial Services Group, Inc. – 2024 Form 10-K 16 The PNC Financial Services Group, Inc. – 2024 Form 10-K intended to protect PNC security holders. In addition to regulation in the U.S., we are also subject to foreign regulation to a limited extent as a result of our business activities outside the U.S. Applicable laws and regulations restrict our permissible activities and require compliance with provisions designed to protect loan, deposit, brokerage, fiduciary, and other customers, and for the protection of customer information, among other things. We also are subject to laws and regulations designed to combat money laundering, terrorist financing, and transactions with persons, companies or foreign governments designated by U.S. authorities. Over time, the scope of the laws and regulations affecting our businesses, as well as the number of requirements or limitations imposed by legislative or regulatory actions, has increased, and we expect to continue to face substantial regulatory oversight and new or revised regulatory requirements or initiatives, including those related to requirements for the orderly resolution of financial institutions. As we expand our product and service offerings into additional markets, domestic or foreign, either through organic growth or acquisition, we have faced and will continue to face increases in state or foreign regulation affecting our operations. Different approaches to regulation by different jurisdictions, including potentially conflicting state-level regulation, could materially increase our compliance costs or risks of non-compliance. Legislative or regulatory actions can result in increased compliance costs, reduced business opportunities, or requirements and limitations on how we conduct our business. In particular, the financial services industry continues to face heightened scrutiny, including with respect to BSA/AML, know-your-customer and export and sanctions compliance requirements, consumer compliance and protection matters (such as with respect to overdraft and other fees), and capital, liquidity and resolution planning in response to systemic events in the banking industry. In addition, heightened standards under proposed and recently finalized rules, such as those implementing the Community Reinvestment Act, may result in increased obligations and compliance costs, and may factor into our ability to expand and engage in new actions. Although the new presidential administration has indicated an intent to pursue the regulation of the financial services industry differently than was the case under the previous administration, there is significant uncertainty regarding the direction this administration will take and its ability to implement its policies and objectives, as well as the ultimate impact on potential new regulatory initiatives and the enforcement of existing laws and regulations. Federal law grants substantial supervisory and enforcement powers to federal banking regulators, and they have assumed an active oversight, examination and enforcement role across the financial services industry. The results of supervisory or examination activities by our regulators, including actual or perceived compliance failures, could result in limitations on our ability to enter into certain transactions, engage in new activities, expand geographically, make acquisitions or obtain necessary regulatory approvals in connection therewith, or otherwise require us to modify our businesses practices in a manner that materially impacts our financial condition or results of operations. These activities also could result in significant fines, penalties or required corrective actions, some of which could be expensive, difficult to implement or materially impact our business or financial condition. In addition, another financial institution’s violation of law or regulation may give rise to an investigation of the same or similar activities of PNC. Further, the Federal Reserve requires a BHC to act as a source of financial and managerial strength for its subsidiary banks. The Federal Reserve could require PNC to commit resources to PNC Bank when doing so is not otherwise in the interests of PNC or its shareholders or creditors. A failure to comply, or to have adequate policies and procedures designed to comply, with regulatory requirements and expectations exposes us to the risk of damages, fines and regulatory penalties and other regulatory or enforcement actions or consequences, such as limitations on activities otherwise permissible for us or additional requirements for engaging in new activities and could also injure our reputation with customers and others with whom we do business. We also rely on third parties who may expose us to compliance risk. A failure to comply with regulatory requirements or deficiencies in risk management practices could be incorporated in our confidential supervisory ratings, which could limit PNC’s ability to expand or require additional approvals before engaging in certain business activities. See the immediately following Risk Factor for a discussion of risks associated with capital and liquidity regulation. Also see the Supervision and Regulation section in Item 1 of this Report and Note 19 Regulatory Matters for more information concerning the regulation of PNC, including those areas that have been receiving a high level of regulatory focus.

In the ordinary course of business, we often have heightened credit exposure to a particular industry, geography, asset class or financial market. As an example, loans secured by real estate typically represent a significant percentage of our overall credit portfolio. It also represents a portion of the assets underlying our investment securities. While there are limitations on the extent of total exposure to an individual consumer or business borrower, events adversely affecting some of our clients or counterparties, based on individual factors or the nature or location of their business, or asset classes or financial markets in which we are involved, could materially and adversely affect us. Declining economic conditions also may impact commercial borrowers more than consumer borrowers, or vice versa. In addition, we execute transactions with counterparties in the financial services industry. Financial services institutions are interconnected because of trading, funding, clearing or other relationships. As a result, uncertainty about the stability of other financial services institutions could lead to market-wide losses and defaults. Thus, the concentration and mix of our assets may affect the severity of the impact of recessions or other economic downturns on us.

In the ordinary course of business, we often have heightened credit exposure to a particular industry, geography, asset class or financial market. As an example, loans secured by real estate typically represent a significant percentage of our overall credit portfolio. It also represents a portion of the assets underlying our investment securities. While there are limitations on the extent of total exposure to an individual consumer or business borrower, events adversely affecting some of our clients or counterparties, based on individual factors or the nature or location of their business, or asset classes or financial markets in which we are involved, could materially and adversely affect us. As described elsewhere in these Risk Factors, the fundamental shift in office demand combined with higher interest rates contributes to decreased property values and harms the creditworthiness of some of our office commercial real estate customers. Declining economic conditions also may impact commercial borrowers more than consumer borrowers, or vice versa. In addition, we execute transactions with counterparties in the financial services industries. Financial services institutions are interrelated because of trading, funding, clearing or other relationships. As a result, uncertainty about the stability of other financial services institutions could lead to market-wide losses and defaults. Thus, the concentration and mix of our assets may affect the severity of the impact of recessions or other economic downturns on us. The PNC Financial Services Group, Inc. – 2024 Form 10-K 23 The PNC Financial Services Group, Inc. – 2024 Form 10-K 23 The PNC Financial Services Group, Inc. – 2024 Form 10-K 23

Our business and overall financial performance are affected to a significant extent by economic conditions, primarily in the U.S. Declining or adverse economic conditions and adverse changes in investor, consumer and business sentiment generally result in reduced business activity, which may decrease the demand for our products and services or reduce the number of creditworthy borrowers. The ability of borrowers to repay loans is often weakened as a result of economic downturns, higher inflation and unemployment. In addition, adverse economic conditions may limit the availability of, or increase the costs of, capital and labor, erode customer purchasing power, confidence and spending and may also reduce our tolerance for extending credit. Increases in costs or expenses impacting our customers’ operations and financial performance, such as the interest rates payable on their debt obligations, could increase our credit risk or decrease the demand for our products and services. We operate in an uncertain economic environment due to sustained inflationary pressures, including higher prices and lower housing affordability, and fluctuating trade policies (including tariffs), combined with geopolitical tensions. These conditions have led and may continue to lead to turmoil and volatility in financial markets, often with at least some financial asset categories losing value. Financial market volatility could also result from uncertainty about the timing and extent of rate cuts by the Federal Reserve. Any of these effects would likely have an adverse impact on our operations and financial performance, with the significance of the impact generally The PNC Financial Services Group, Inc. – 2025 Form 10-K 11 The PNC Financial Services Group, Inc. – 2025 Form 10-K 11 The PNC Financial Services Group, Inc. – 2025 Form 10-K 11 depending on the nature and severity of the adverse economic conditions. Even when economic conditions are relatively good or stable, specific economic factors can negatively affect our business and performance. This can be especially true when the factors relate to particular segments of the economy and impact our customers whose operations or financial conditions directly or indirectly depend on good or stable conditions in those segments. For example, underutilization of commercial real estate space, combined with higher interest rates, has harmed some customers’ creditworthiness and ability to refinance maturing loans, and decreased the demand for financial services in that sector. Our foreign business activities and operations continue to be a relatively small part of our overall business. As a result, the direct impact on our business and financial performance from economic conditions outside the U.S. is not likely to be significant, although the impact would increase if we expanded our foreign business and operations more than nominally. We are, however, susceptible to the risk that foreign economic conditions, trade policies (including tariffs) and geopolitical tensions could negatively affect our business and financial performance. Primarily, this risk results from the possibility that poor economic conditions or financial market disruptions affecting other major economies would also affect the U.S.

Our business and overall financial performance are affected to a significant extent by economic conditions, primarily in the U.S. Declining or adverse economic conditions and adverse changes in investor, consumer and business sentiment generally result in reduced business activity, which may decrease the demand for our products and services or reduce the number of creditworthy borrowers. The ability of borrowers to repay loans is often weakened as a result of economic downturns, higher inflation and unemployment. In addition, adverse economic conditions may limit the availability of, or increase the costs of, capital and labor, erode consumer and customer purchasing power, confidence and spending and may also reduce our tolerance for extending credit. Increases in costs or expenses impacting our customers’ operations and financial performance, such as the interest rates payable on their debt obligations, could increase our credit risk or decrease the demand for our products and services. We operate in an uncertain economic environment due to sustained inflationary pressures, including higher prices and lower housing affordability, and structural and secular changes arising from the pandemic for certain sectors of the economy combined with geopolitical tensions. These conditions have led and may continue to lead to turmoil and volatility in financial markets, often with at least some financial asset categories losing value. Financial market volatility could also result from uncertainty about the timing and extent of rate cuts by the Federal Reserve. Any of these effects would likely have an adverse impact on our operations and financial performance, with the significance of the impact generally depending on the nature and severity of the adverse economic conditions. Even when economic conditions are relatively good or stable, specific economic factors can negatively affect our business and performance. This can be especially true when the factors relate to particular segments of the economy and impact our customers whose operations or financial conditions are directly or indirectly dependent on good or stable conditions in those segments. For example, given the fundamental change in office demand driven by the acceptance of remote work, commercial real estate space remains underutilized. This, combined with higher interest rates, likely decreases demand for financial services in that sector and may make it more difficult for borrowers to refinance maturing loans, contributes to decreased property values and harms the creditworthiness of some of our office commercial real estate customers, as well as businesses whose customers have historically been office workers. The PNC Financial Services Group, Inc. – 2024 Form 10-K 15 The PNC Financial Services Group, Inc. – 2024 Form 10-K 15 The PNC Financial Services Group, Inc. – 2024 Form 10-K 15 Our foreign business activities and operations continue to be a relatively small part of our overall business. As a result, the direct impact on our business and financial performance from economic conditions outside the U.S. is not likely to be significant, although the impact would increase if we expanded our foreign business and operations more than nominally. We are, however, susceptible to the risk that foreign economic conditions and geopolitical tensions could negatively affect our business and financial performance. Primarily, this risk results from the possibility that poor economic conditions or financial market disruptions affecting other major economies would also affect the U.S. Throughout the remainder of this Risk Factors section, we address specific ways in which economic issues could create risk for us and result in adverse impacts on our business and financial performance.

Our performance and competitive position depend on our ability to attract, develop and retain high-performing employees. We face significant competition for these employees across many of our businesses and support areas. This presents greater risk as we expand into new markets, develop new product lines, or enhance staffing in certain areas, particularly technology. Competition for qualified personnel leads to increased expenses in affected business areas. Differences in demands, expectations and priorities of the workforce may require us to modify our recruiting and retention strategies to attract and retain employees. Limitations on the way regulated The PNC Financial Services Group, Inc. – 2025 Form 10-K 23 The PNC Financial Services Group, Inc. – 2025 Form 10-K 23 The PNC Financial Services Group, Inc. – 2025 Form 10-K 23 financial institutions can compensate their officers and employees may make it more difficult for regulated financial institutions, including PNC, to compete with other companies for talent.

Part of our ability to compete effectively depends on our ability to attract new employees and retain and develop our existing employees. We face significant competition for these employees across many of our businesses and support areas. This presents greater risk as we expand into new markets, develop new product lines, or enhance staffing in certain areas, particularly technology. This competition leads to increased expenses in affected business areas. Differences in demands, expectations and priorities of the The PNC Financial Services Group, Inc. – 2024 Form 10-K 27 The PNC Financial Services Group, Inc. – 2024 Form 10-K 27 The PNC Financial Services Group, Inc. – 2024 Form 10-K 27 workforce (such as remote work expectations) may require us to modify our recruiting and retention strategies to attract and retain employees. Limitations on the way regulated financial institutions can compensate their officers and employees may make it more difficult for regulated financial institutions, including PNC, to compete with other companies for talent.

Legislative and regulatory efforts to protect the privacy and enhance the portability of personal data have evolved over time. Individuals whose personal information may be protected by law may include our customers, prospective customers, job applicants, employees and third parties. These initiatives, among other things, limit how companies can gather, maintain, use, transmit and otherwise process personal data and impose obligations on companies in their management of such data, including requiring companies like PNC to make available to consumers and authorized third parties certain data relating to transactions and accounts and establishing obligations for accessing such data. Financial services companies such as PNC necessarily gather, maintain, use, transmit and otherwise process a significant amount of personal data. These types of initiatives increase compliance complexity and related costs, may result in significant financial penalties for compliance failures, and may limit our ability to develop new products or respond to technological changes. This is particularly true as we expand our business and operations into new markets. Also, we are, or may become, subject to evolving and developing data privacy and security laws and regulations in other jurisdictions, including foreign jurisdictions even where our presence in such jurisdictions is minimal. Such legal and regulatory requirements also could heighten the reputational impact of actual or perceived misuses of personal data by us, our vendors or others who gain unauthorized access to our personal data. Other jurisdictions may adopt similar requirements that impose different and potentially inconsistent compliance burdens. The impacts will be greater to the extent requirements vary across jurisdictions.

Over time, there has been an increase in legislative and regulatory efforts to protect the privacy and enhance the portability of personal data. Individuals whose personal information may be protected by law may include our customers, prospective customers, job applicants, employees and third parties. These initiatives, among other things, limit how companies can use personal data and impose obligations on companies in their management of such data, including requiring companies like PNC to make available to consumers and authorized third parties certain data relating to transactions and accounts and establishing obligations for accessing such data. Financial services companies such as PNC necessarily gather, maintain and use a significant amount of personal data. These types of initiatives increase compliance complexity and related costs, may result in significant financial penalties for compliance failures, and may limit our ability to develop new products or respond to technological changes. This is particularly true as we expand our business and operations into new markets. We are, or may become, subject to regularly evolving and developing data privacy and security laws and regulations in other jurisdictions, including foreign jurisdictions even where our presence in such jurisdictions is minimal. Such legal requirements also could heighten the reputational impact of perceived misuses of personal data by us, our vendors or others who gain unauthorized access to our personal data. Other jurisdictions may adopt similar requirements that impose different and potentially inconsistent compliance burdens. The impacts will be greater to the extent requirements vary across jurisdictions. 18 The PNC Financial Services Group, Inc. – 2024 Form 10-K 18 The PNC Financial Services Group, Inc. – 2024 Form 10-K 18 The PNC Financial Services Group, Inc. – 2024 Form 10-K

Most corporate and commercial financial transactions are now handled electronically, and our customers increasingly use online access as well as mobile and cloud technologies to access our products and services. The ability to conduct business with us in this manner depends on the gathering, maintenance, use, transmission and other processing of vast amounts of digital information in electronic form. As a result, in the ordinary course of business, we gather, maintain, use, transmit and otherwise process vast amounts of digital information about us, our customers and our employees. This information tends to be confidential or proprietary and much of it is highly sensitive and personal. Such confidential, proprietary, sensitive and personal information includes information sufficient 16 The PNC Financial Services Group, Inc. – 2025 Form 10-K 16 The PNC Financial Services Group, Inc. – 2025 Form 10-K 16 The PNC Financial Services Group, Inc. – 2025 Form 10-K to support identity theft and includes personal health information, as well as information regarding business plans and financial performance that has not been made public. As a result, efforts by bad actors to engage in various types of cyber attacks and breaches, including by way of computer viruses, hacking, ransomware and other malware, denial of service attacks, credential staffing, phishing, social engineering, account takeovers, insider threats and supply chain attacks pose serious risks to our business and reputation. We are faced with ongoing, nearly continual, efforts by others to breach data security at financial institutions or with respect to financial transactions. The effectiveness of these efforts may be enhanced using AI. These efforts may be to obtain access to confidential information, often with the intent of stealing from or defrauding us or our customers, or to disrupt our ability to conduct our business, including by destroying or impairing access to information gathered, maintained, used, transmitted or otherwise processed by us. Some of these involve efforts to enter our technology directly by going through or around our security protections. Others involve the use of social engineering schemes to gain access to confidential information from our employees, customers or vendors. The modernization of the payment systems, including near real-time movement solutions, increases the complexity of preventing and detecting these attacks and recovering fraudulent transactions. Our risk and exposure to cyber attacks and breaches is heightened because of our expanded digital products and services, geographic footprint and dispersed workforce, which results in more access points to our network. The same risks are presented by attacks potentially affecting information held by third parties on our behalf or accessed by third parties, including those offering financial applications, on behalf of our customers. These risks also arise when third parties with whom we do business, or their vendors or other entities with whom they do business, are themselves subject to cyber attacks and breaches, which has impacted our business and may do so in the future. Our ability to protect confidential information is even more limited with respect to such information gathered, maintained, used, transmitted or otherwise processed by these parties. For example, we are likely to be limited in our ability to identify and quickly resolve cyber attacks and breaches that may impact our business the further removed an entity is from our business, such as when a cyber attack or other data security breach occurs at vendors of our vendors. We may suffer reputational damage or legal liability for unauthorized access to customer information gathered, maintained, used, transmitted or otherwise processed by other parties, even if we were not responsible for preventing such access and had no reasonable way of preventing it. Our customers often use their own devices, such as computers, smartphones and tablets, to do business with us and may provide their customer information (including passwords and other confidential information) to a third party in connection with obtaining services from that third party, including those offering financial applications. Although we take steps to provide safety and security for our customers’ transactions with us and their customer information, to the extent they utilize their own devices or provide third parties access to their accounts, our ability to assure such safety and security is necessarily limited. These risks are heightened as we and others continue to expand mobile applications, cloud solutions and other internet-based financial product offerings. For example, a number of our customers use financial applications to help manage their finances and investments, including through the aggregation of banking or other financial information that may require our customer to provide their secure banking credentials or account-identifying information to the financial application to aggregate this financial data. In some instances, third-party data aggregators are used by the financial application to access customers’ accounts and obtain the customers’ data and may be obtaining secure banking credentials or account-identifying information from our customers which has the potential to facilitate fraud if it is not properly protected. This has resulted in incidences of fraud, including automated clearing house fraud, credit card fraud and wire fraud, enabled through the use of synthetic identities and through account takeovers via these platforms. In addition, transactions by customers on financial applications that facilitate payments and fund transfers have also been fraudulently induced. These transactions occur when a customer authorizes payment to a recipient that fraudulently induced the customer into transferring a payment to such recipient. PNC has and may continue to face increased financial exposure due to activity associated with the increased use of these applications and data aggregators. Even where PNC does not have financial exposure for losses, PNC and the third parties with whom we do business could suffer increased reputational harm or regulatory scrutiny when such losses occur. As our customers regularly use PNC-issued credit and debit cards to pay for transactions with retailers and other businesses, there is also the risk of cyber attacks and other data security breaches at those other businesses covering PNC account information. When our customers use PNC-issued cards to make purchases from those businesses, card account information often is provided to such businesses. If a business’s systems that gather, maintain, use, transmit and otherwise process card account information are subject to a cyber attack or other data security breach, holders of our cards who have made purchases from that business may experience fraud on their card accounts. We can be responsible for reimbursing our customers for such fraudulent transactions on customers’ card accounts, as well as for other costs related to cyber attacks and breaches, such as replacing cards associated with compromised card accounts. In addition, we provide card transaction processing services to some merchant customers under agreements we have with payment networks such as Visa and Mastercard. Under these agreements, we may be responsible for certain losses and penalties if one of our merchant customers suffers a cyber attack or other data security breach. Moreover, to the extent more confidential information becomes available to bad actors through the cumulative effect of cyber attacks breaches at companies generally, bad actors may find it easier to use such information to gain access to our customer accounts. Other cyber attacks and data security breaches are not focused on gaining access to credit card or user credential information, but instead seek access to a range of other types of confidential information, such as internal emails and other forms of customer financial information, and this information may be used to support a ransomware attack. Ransomware attacks have sought to deny access to data and possibly shut down systems and devices maintained by target companies. In a ransomware attack, system data is encrypted, stolen or extorted, or access is otherwise denied, accompanied by a demand for ransom to restore access to the data or to prevent The PNC Financial Services Group, Inc. – 2025 Form 10-K 17 The PNC Financial Services Group, Inc. – 2025 Form 10-K 17 The PNC Financial Services Group, Inc. – 2025 Form 10-K 17 public disclosure of confidential information. Cyber attacks and data security breaches have also been conducted through business email compromise scams that involve using social engineering to cause employees to wire funds to the perpetrators in the mistaken belief that the requests were made by a company executive or established vendor. These types of phishing attacks have increased over time, and they have evolved to include other types of attacks like vishing (through voice messages) and smishing (through SMS text). Other cyber attacks and data security breaches have included distributed denial of service attacks, in which individuals or organizations flood commercial websites with extraordinarily high volumes of traffic with the goal of disrupting the ability of commercial enterprises to process transactions and possibly making their websites unavailable to customers for extended periods of time. Similarly, cyber attacks and breaches have been conducted through application program interfaces where bad actors seek to exploit the interfaces between mobile or web applications. We (as well as other financial services companies) have been subject to such cyber attacks and breaches. Recent cyber attacks and breaches have also included the insertion of malware into software updates and the infection of software while it is under assembly, known as a “supply chain attack.” Cyber attacks and breaches affecting our customers may put these relationships at risk, particularly if customers’ ability to continue operations is impaired due to the losses suffered. The techniques used in cyber attacks and breaches change rapidly and are increasingly sophisticated, including through the use of generative AI and deepfakes, and we expect in the future through the use of quantum computing, and we may not be able to anticipate cyber attacks or other data security breaches. Additionally, cyber attacks and breaches in some cases appear to be supported by foreign governments or other well-financed entities and often originate from less regulated and remote areas of the world. We have seen a higher volume and complexity of attacks during times of increased geopolitical tensions. In addition to threats from external sources, insider threats represent a significant risk to us. Insiders, including those having legitimate access to our information, communications systems and other technology and the information contained therein, have the easiest opportunity to make inappropriate use of their access. Addressing that risk requires understanding not only how to protect us from unauthorized use and disclosure of data, but also how to engage behavioral analytics and other tools to identify potential internal threats before any damage is done. As more work is conducted outside of PNC’s facilities, the risk of improper access to PNC’s network or confidential information has increased, including for reasons such as a failure by an employee or contractor to secure a device with PNC access. Cyber attacks and breaches often are not recognized until launched against a target and may go undetected for a period of time (or remain undetected), with the adverse consequences likely greater the longer it takes to discover the problem. As a result, we may be unable to implement adequate preventative measures to address these methods in advance of such cyber attacks and breaches. We have been and expect to continue to be the target of some of these types of cyber attacks and breaches. To date, none of these types of cyber attacks or other data security breaches has had a material impact on us. Nonetheless, we cannot entirely block efforts by bad actors to harm us, and there can be no assurance that future cyber attacks or other data security breaches will not be material. Attacks on others, some of which have led to serious adverse consequences, demonstrate the risks posed by new and evolving types of cyber attacks and breaches.

Most corporate and commercial financial transactions are now handled electronically, and our commercial and retail customers increasingly use online access as well as mobile and cloud technologies to bank with us. The ability to conduct business with us in this manner depends on the transmission and storage of confidential information in electronic form. As a result, in the ordinary course of business, we maintain and process vast amounts of digital information about us, our customers and our employees. This information tends to be confidential or proprietary and much of it is highly sensitive. Such highly sensitive information includes information sufficient to support identity theft and personal health information, as well as information regarding business plans and financial performance that has not been made public. As a result, efforts by bad actors to engage in various types of cyber attacks pose serious risks to our business and reputation. We are faced with ongoing, nearly continual, efforts by others to breach data security at financial institutions or with respect to financial transactions. The effectiveness of these efforts may be enhanced using AI. These efforts may be to obtain access to confidential or proprietary information, often with the intent of stealing from or defrauding us or our customers, or to disrupt our ability to conduct our business, including by destroying or impairing access to information maintained by us. Some of these involve efforts to enter our systems directly by going through or around our security protections. Others involve the use of social engineering schemes to gain access to confidential information from our employees, customers or vendors. Our risk and exposure to data security breaches is heightened because of our expanded digital products and services, geographic footprint and continued remote work environment, which results in more access points to our network. The same risks are presented by attacks potentially affecting information held by third parties on our behalf or accessed by third parties, including those offering financial applications, on behalf of our customers. These risks also arise when third parties with whom we do business, or their vendors or other entities with whom they do business, are themselves subject to breaches and attacks, which has impacted our business and may do so in the future. Our ability to protect confidential or proprietary information is even more limited with respect to information held by these parties. For example, we are likely to be limited in our ability to identify and quickly resolve breaches and attacks that may impact our business the further removed an entity is from our business, such as when a breach or attack occurs at vendors of our vendors. We may suffer reputational damage or legal liability for unauthorized access to customer information held by other parties, even if we were not responsible for preventing such access and had no reasonable way of preventing it. Our customers often use their own devices, such as computers, smartphones and tablets, to do business with us and may provide their PNC customer information (including passwords) to a third party in connection with obtaining services from that third party, including those offering financial applications. Although we take steps to provide safety and security for our customers’ transactions with us and their customer information, to the extent they utilize their own devices or provide third parties access to their accounts, our ability to assure such safety and security is necessarily limited. These risks are heightened as we and others continue to expand mobile applications, cloud solutions, and other internet-based financial product offerings. For example, a number of our customers choose to use financial applications that allow them to view, access and aggregate banking and other financial account information on a single platform, to monitor the performance of their investments, to compare financial and investment products, to make payments or transfer funds, and otherwise to help manage their finances and investments. Some financial applications ask users to provide their secure banking log-in information, credentials or other account-identifying information so the applications can link to users’ accounts at financial institutions. Companies offering these applications frequently use third-party data aggregators, which are behind-the-scenes technology companies that serve as data-gathering service providers, to deliver customer financial data that is then used by the financial applications. To do this, data aggregators may be obtaining customers’ log-in information, credentials or other account-identifying information, which allow the aggregators to access the customers’ account information and “scrape” or obtain the customers’ data, often on a daily or even more frequent basis. That same information has the potential to facilitate fraud if it is not properly protected. This has resulted in incidences of fraud, including automated clearing house fraud, credit card fraud, and wire fraud, enabled through the use of synthetic identities and through account takeovers via these platforms. In addition, transactions by customers on financial applications that facilitate payments and fund transfers have also been fraudulently induced. These transactions occur when a customer authorizes payment to a recipient that fraudulently induced the customer into transferring a payment to such recipient. PNC has and may continue to face increased financial exposure due to activity associated with the increased use of these applications and data aggregators. Even where PNC does not have financial exposure for losses, PNC and the third parties with whom we do business could suffer increased reputational harm or regulatory scrutiny when such losses occur. As our customers regularly use PNC-issued credit and debit cards to pay for transactions with retailers and other businesses, there is also the risk of data security breaches at those other businesses covering PNC account information. When our customers use PNC-issued cards to make purchases from those businesses, card account information often is provided to such businesses. If a business’s systems that process or store card account information are subject to a data security breach, holders of our cards who have made purchases from that business may experience fraud on their card accounts. We can be responsible for reimbursing our customers for such fraudulent transactions on customers’ card accounts, as well as for other costs related to data security compromise events, such as replacing cards associated with compromised card accounts. In addition, we provide card transaction processing services to some merchant customers under agreements we have with payment networks such as Visa and Mastercard. Under these agreements, we may be responsible for certain losses and penalties if one of our merchant customers suffers a data security breach. Moreover, to the extent The PNC Financial Services Group, Inc. – 2024 Form 10-K 21 The PNC Financial Services Group, Inc. – 2024 Form 10-K 21 The PNC Financial Services Group, Inc. – 2024 Form 10-K 21 more consumer confidential information becomes available to bad actors through the cumulative effect of data breaches at companies generally, bad actors may find it easier to use such information to gain access to our customer accounts. Other cyber attacks are not focused on gaining access to credit card or user credential information, but instead seek access to a range of other types of confidential information, such as internal emails and other forms of customer financial information, and this information may be used to support a ransomware attack. Ransomware attacks have sought to deny access to data and possibly shut down systems and devices maintained by target companies. In a ransomware attack, system data is encrypted, stolen or extorted, or access is otherwise denied, accompanied by a demand for ransom to restore access to the data or to prevent public disclosure of confidential information. Attacks have also been conducted through business email compromise scams that involve using social engineering to cause employees to wire funds to the perpetrators in the mistaken belief that the requests were made by a company executive or established vendor. These types of phishing attacks have increased over time, and they have evolved to include other types of attacks like vishing (through voice messages) and smishing (through SMS text). Other attacks have included distributed denial of service cyber attacks, in which individuals or organizations flood commercial websites with extraordinarily high volumes of traffic with the goal of disrupting the ability of commercial enterprises to process transactions and possibly making their websites unavailable to customers for extended periods of time. Similarly, attacks have been conducted through application program interfaces where cyber attackers seek to exploit the interfaces between mobile or web applications. We (as well as other financial services companies) have been subject to such attacks. Recent cyber attacks have also included the insertion of malware into software updates and the infection of software while it is under assembly, known as a “supply chain attack.” Attacks on our customers may put these relationships at risk, particularly if customers’ ability to continue operations is impaired due to the losses suffered. The techniques used in cyber attacks change rapidly and are increasingly sophisticated, including through the use of generative AI and deepfakes, and we expect in the future through the use of quantum computing, and we may not be able to anticipate cyber attacks or data security breaches. In addition to threats from external sources, insider threats represent a significant risk to us. Insiders, including those having legitimate access to our systems and the information contained in them, have the easiest opportunity to make inappropriate use of the systems and information. Addressing that risk requires understanding not only how to protect us from unauthorized use and disclosure of data, but also how to engage behavioral analytics and other tools to identify potential internal threats before any damage is done. In addition, due to the number of employees who work remotely, the opportunity for insiders to grant access to third parties or to disclose confidential information of PNC or its customers has increased. As more work is conducted outside of PNC’s facilities, the risk of improper access to PNC’s network or confidential information has increased, including for reasons such as a failure by an employee or contractor to secure a device with PNC access. We have been and expect to continue to be the target of some of these types of cyber attacks. To date, none of these types of cyber attacks has had a material impact on us. Nonetheless, we cannot entirely block efforts by bad actors to harm us, and there can be no assurance that future cyber attacks will not be material. While we maintain insurance coverage that may cover certain aspects of cyber risks, such insurance coverage may be insufficient to cover all losses. As a result, we could suffer material financial and reputational losses in the future from any of these or other types of attacks or the public perception that such an attack on our systems has been successful, whether or not this perception is correct. Attacks on others, some of which have led to serious adverse consequences, demonstrate the risks posed by new and evolving types of cyber attacks.

In some cases, we develop internally the intellectual property embedded in the technology we use. In others, we or our vendors license the use of intellectual property from others. Where we rely on access to third-party intellectual property, whether now or in the future, it may not be available to us on commercially reasonable terms or at all. If we fail to comply with any applicable obligations under our license agreements, or another person or entity were deemed to own intellectual property rights infringed, misappropriated or otherwise violated by our activities, we could be responsible for significant damages covering past activities and substantial fees to continue to engage in these types of activities. Our third-party licensors may also have the right to terminate the license, which may cause us to lose valuable rights, and could disrupt our operations. It also is possible that we could be prevented from using technology important to our business for at least some period of time. In such circumstances, there may be no alternative technology for us to use or it might be expensive to obtain. We could also suffer significant reputational damage in these circumstances. Protections offered by those from whom we license technology against these risks may be inadequate to cover any losses in full, and the measures we take to obtain, enforce and defend our intellectual property rights may not be successful in every jurisdiction or prevent infringement, misappropriation or other violation of our intellectual property rights. Over time, there have been and continue to be instances where technology used by PNC has been alleged to have infringed, misappropriated or otherwise violated intellectual property rights held by others, and, in some cases, we have suffered related losses. In certain situations, we may be compelled to engage in intellectual property-related litigation to enforce or defend our intellectual property rights, which may incur significant expenses and may be perceived negatively by customers or industry peers. The PNC Financial Services Group, Inc. – 2025 Form 10-K 15 The PNC Financial Services Group, Inc. – 2025 Form 10-K 15 The PNC Financial Services Group, Inc. – 2025 Form 10-K 15

In some cases, we develop internally the intellectual property embedded in the technology we use. In others, we or our vendors license the use of intellectual property from others. Where we rely on access to third-party intellectual property, it may not be available to us on commercially reasonably terms or at all. Regardless of the source of the intellectual property, if another person or entity were deemed to own intellectual property rights infringed by our activities, we could be responsible for significant damages covering past activities and substantial fees to continue to engage in these types of activities. It also is possible that we could be prevented from using technology important to our business for at least some period of time. In such circumstances, there may be no alternative technology for us to use or an appropriate alternative technology might be expensive to obtain. We could also suffer significant reputational damage in these circumstances. Protections offered by those from whom we license technology against these risks may be inadequate to cover any losses in full. Over time, there have been and continue to be instances where technology used by PNC has been alleged to have infringed patents held by others, and, in some cases, we have suffered related losses.

There continues to be concern, including on the part of certain stakeholders and in certain jurisdictions where we do business or have operations, regarding climate-related risks and impacts (including physical risk and transition risk). These concerns have led and may continue to lead to efforts to mitigate those impacts. We and our customers may face cost increases, asset value reductions, the reduced availability of insurance or sufficient insurance to cover losses, operations disruptions and changes and other impacts because of climate change (including because of the increased frequency or severity of acute weather events and long-term shifts in the climate) and related governmental actions or societal responses to climate change. The impact on our customers will likely vary depending on their specific attributes, including their reliance on or role in carbon intensive activities and their transition plans, as well as their exposure to the effects of climate change. Consumers and businesses may also change their behaviors because of these concerns which creates transition risk for PNC arising from adjusting to these concerns. PNC and its customers will need to respond to any new laws and regulations as well as any changes in consumer and business preferences related to climate change. Among the impacts to PNC could be a drop in demand for our products and services, particularly in certain sectors if our products or services do 14 The PNC Financial Services Group, Inc. – 2025 Form 10-K 14 The PNC Financial Services Group, Inc. – 2025 Form 10-K 14 The PNC Financial Services Group, Inc. – 2025 Form 10-K not support the environmental goals of our customers, or increased losses due to the impact of climate change on the collateral that secures customer borrowings. Our risk management needs to continue to evolve, or it may not be effective in identifying, measuring, monitoring and controlling climate risk exposure, particularly given that the timing, nature and severity of the impacts of climate change may not be predictable. Additionally, the federal government has altered and may continue to alter climate policies or requirements in a way that conflicts with certain state-level policies or investor expectations. Such changes may present risk to PNC due to inconsistent expectations, requirements or costs. Environmental regulations or changes in the supply, demand or available sources of energy or other resources may affect the availability or cost of goods and services necessary to run our business and our customers’ businesses. We have been and may continue to be subject to conflicting pressure from stakeholders and activists regarding how or when we take climate-related risks and impacts into account in our business practices or risk management. Further, there is ongoing scrutiny of climate-related policies, goals, including our use of and ability to achieve them, and disclosures, as well as conflicting pressure regarding the way in which climate may or should be considered by the financial sector, which could result in additional costs, reputational harm as a result of public sentiment, litigation and regulatory scrutiny (including from U.S. federal and state governments, policymakers and regulators), litigation and reduced investor and stakeholder confidence. The Risk Factor headed “We are at risk of an adverse impact on our business due to damage to our reputation” further discusses risks associated with our management of these matters.

There continues to be concern, including on the part of certain regulators and in certain jurisdictions where we do business or have operations, regarding climate change and its impacts over the short-, medium- and long-term horizons. These concerns over the impacts of climate change (including physical risk and transition risk) have led and may continue to lead to efforts to mitigate those impacts. We and our customers may face cost increases, asset value reductions, the reduced availability of insurance or sufficient insurance to cover losses, operations disruptions and changes and other impacts because of climate change (including because of the increased frequency or severity of acute weather events and long-term shifts in the climate) and governmental actions or societal responses to climate change. The impact on our customers will likely vary depending on their specific attributes, including their reliance on or role in carbon intensive activities and their transition plans, as well as their exposure to the effects of climate change. Consumers and businesses may also change their behaviors because of these concerns. Changed consumer and business behavior because of climate change concerns creates transition risk for PNC arising from the process of adjusting to these concerns. PNC and its customers will need to respond to any new laws and regulations as well as any changes in consumer and business preferences related to climate change. Among the impacts to PNC could be a drop in demand for our products and services, particularly in certain sectors if our products or services do not support the environmental goals of our customers, or increased losses due to the impact of climate change on the collateral that secures customer borrowings. In addition, we could face reductions in creditworthiness on the part of some customers or in the value of assets securing loans. We are currently subject to climate-related regulatory expectations and could be subject to additional regulatory restrictions or costs associated with providing products or services to certain companies or sectors. Additionally, the federal government may alter climate policies or requirements in a way that significantly conflicts with certain state-level policies or investor expectations. Such changes may present risk to PNC due to inconsistent expectations, requirements or costs. Environmental regulations or changes in the supply, demand or available sources of energy or other resources may affect the availability or cost of goods and services necessary to run our business. Our efforts to take these risks into account in making lending and other decisions may not be effective in protecting us from the negative impact of any new laws and regulations or any changes in consumer or business behavior, including those resulting from activist pressure. Our risk management needs to continue to evolve, or it may not be effective in identifying, measuring, monitoring and controlling climate risk exposure, particularly given that the timing, nature and severity of the impacts of climate change may not be predictable. We have been and may continue to be subject to conflicting pressure from individuals, groups and governmental entities to cease doing business, or to maintain business, with certain companies or sectors, in particular those involved with fossil fuels, because of concerns related to climate change. Further, there is increased scrutiny of climate change-related policies, goals and disclosures, including with regard to inaccurate or misleading statements regarding these practices (often referred to as “greenwashing”), which could result in litigation and regulatory investigations and actions. Our stakeholders may disagree with these policies and goals or, conversely, believe that these policies and goals are, and our related progress in accomplishing such goals and implementing such policies is, insufficient. This may lead to a decrease in demand for our products and services or damage to our reputation. We may also incur additional costs and require additional resources as we evolve our strategy, practices and related disclosures with respect to these matters. In addition, there are and will continue to be challenges related to capturing, verifying, analyzing and disclosing climate-related data that is subject to measurement uncertainties. The Risk Factor headed “We are at risk for an adverse impact on our business due to damage to our reputation” further discusses risks associated with our management of these matters, including related activist pressure.

The need to ensure proper functioning and resiliency of our information and communications systems and other technology has become more important and challenging, and the costs involved in that effort continue to be high. Our ability to create, obtain, maintain and report on information in an accurate, timely and secure manner is a foundational component of our business. Effective management of our expanded digital products and services, geographic footprint and dispersed workforce heightens our need for secure, reliable and adequate information and communication systems and other technology. The risks of failures and interruptions result from a variety of factors. We are vulnerable to the impact of failures and interruptions of our technology to operate as needed or intended. Failures and interruptions leading to materially adverse impacts could include those resulting from human error, unexpected transaction volumes, or overall security, design or performance issues. In addition, our ability to use our technology effectively could be impacted due to design flaws, software bugs, errors, hardware failures, outages, bad weather, disasters, bad actors, terrorism, civil unrest, military conflict and the like. Such events could affect our technology directly or limit our use due to effects on key underlying infrastructure. Although we regularly update and replace technology that we depend on as our needs evolve and technology improves, we continue to utilize some older technology that may not be as reliable as newer ones. In addition, the implementation of and transition to new or updated technology creates risks related to associated timing and costs, disruptions in functionality for us or for customers, including the ability to perform functions critical to our business and operations, and longer-term failures to achieve desired improvements. Our ability to maintain, timely update and replace technology can become more challenging as the speed, frequency, volume, interconnectivity and complexity of information on technology increases. In some cases, the risk results from the potential for bad acts on the part of others, discussed in more detail in the Risk Factor headed “We are vulnerable to the risk of cyber attacks and breaches affecting the functioning of technology or the confidentiality of information that could adversely affect our customers and our business.” We rely on technology maintained by other companies. We use other companies both to provide products and services directly to us and to assist us in providing products and services to our customers. Others provide the infrastructure that supports, for example, communications, payment, clearing and settlement systems, or information processing and storage. These companies range from those providing highly sophisticated information processing to those that provide fundamental services, such as electric power and telecommunications. In some cases, these other companies themselves utilize third parties to support their delivery of products and services to us and our customers. Technology maintained by or for these other companies is generally subject to many of the same risks we face with respect to our technology and thus their issues could have a negative impact on PNC. We have less ability to provide oversight over other companies’ technology. Any delays in receiving timely information from impacted companies upon whom we rely can affect our ability to detect, mitigate and remediate any failures or interruptions, including our ability to fully meet applicable disclosure requirements for a given incident. We may also be held responsible for failures and interruptions, including our ability to fully meet applicable disclosure requirements for a given incident. We may also be held responsible for failures and interruptions attributed to such other companies upon whom we rely as they relate to the information we share with them. We also face a risk that such other companies may be unable or unwilling to continue to provide products or services to meet our current or future needs, including in an efficient, cost-effective or favorable manner. Any transition to alternative products or services may be difficult to implement, may cause us to incur significant time and expense and may disrupt or degrade our ability to deliver our products and services. The occurrence of any failure or interruption of any of our information or communications systems or other system, or those of other companies on which we rely, including those where there is not a reasonably available alternative, could result in a wide variety of adverse consequences to us. This risk is greater if the issue is widespread, extends for a significant period of time, or results in financial losses to our customers. The consequences include our ability to use our accounting, deposit, loan, payment and other systems, errors in transactions or impaired system functionality with customers, vendors or other parties, damage to our reputation or a loss of customer business (which could occur even if the negative impact on customers was de minimis) and litigation or additional regulatory scrutiny relating to such events (which in turn could lead to liability or other sanctions, including fines and penalties or reimbursement of adversely affected customers). In order to address ongoing and future risks, we may need to expend significant resources to support protective security measures and investigate, mitigate and remediate any vulnerabilities of our technology. Even if we do not suffer any material adverse consequences as a result of events affecting us directly, failures or interruptions at financial institutions, whether at PNC or others, could lead to a general loss of customer confidence in financial institutions, including us, and broadly increase legislative, regulatory and customer concerns regarding the functioning, safety and security of such technology. In that case, we would expect to incur even higher levels of costs with respect to prevention, mitigation and remediation of these risks.

The need to ensure proper functioning and resiliency of our information systems and other technology has become more important and challenging, and the costs involved in that effort continue to be high. Our ability to create, obtain, maintain and report on information in an accurate, timely and secure manner is a foundational component of our business. Effective management of our expanded digital products and services, geographic footprint and continued remote work environment heightens our need for secure, reliable and adequate information systems and technology. The risks of operational failures in the use of these systems result from a variety of factors. We are vulnerable to the impact of failures of our systems to operate as needed or intended. Failures leading to materially adverse impacts could include those resulting from human error, unexpected transaction volumes, or overall security, design or performance issues. In addition, our ability to use our technology effectively could be impacted due to outages, bad weather, disasters, bad actors, terrorism and the like. Such events could affect our systems directly or limit our ability to use our technology due to effects on key underlying infrastructure. Although we regularly update and replace systems that we depend on as our needs evolve and technology improves, we continue to utilize some older systems that may not be as reliable as newer ones. In addition, the implementation of and transition to new or updated systems creates risks related to associated timing and costs, disruptions in functionality for us or for customers, including the ability to perform functions critical to our business and operations, and longer-term failures to achieve desired improvements. Our ability to maintain, timely update and replace systems can become more challenging as the speed, frequency, volume, interconnectivity and complexity of information on these systems increases. In some cases, the risk results from the potential for bad acts on the part of others, discussed in more detail in the Risk Factor headed “We are vulnerable to the risk of breaches of data security affecting the functioning of systems or the confidentiality of information that could adversely affect our customers and our business.” We rely on information systems maintained by other companies. We use other companies both to provide products and services directly to us and to assist us in providing products and services to our customers. Others provide the infrastructure that supports, for example, communications, payment, clearing and settlement systems, or information processing and storage. These companies range from those providing highly sophisticated information processing to those that provide fundamental services, such as electric power and telecommunications. In some cases, these other companies themselves utilize third parties to support their delivery of products and services to us and our customers. Systems maintained by or for these other companies are generally subject to many of the same risks we face with respect to our systems and thus their issues could have a negative impact on PNC. We necessarily have less ability to provide oversight over other companies’ information systems. The occurrence of any failure, interruption or security breach of any of our information or communications systems, or the systems of other companies on which we rely, including those where there is not a reasonably available alternative, could result in a wide variety of adverse consequences to us. This risk is greater if the issue is widespread, extends for a significant period of time, or results in financial losses to our customers. The consequences of failures to operate systems properly can result in disruptions to our critical business operations, including our ability to use our accounting, deposit, loan, payment and other systems. Such events could also cause errors in transactions or impair system functionality with customers, vendors or other parties. Possible adverse consequences also include damage to our reputation or a loss of customer business, which could occur even if the negative impact on customers was de minimis. We also could face litigation or additional regulatory scrutiny relating to such events. This in turn could lead to liability or other sanctions, including fines and penalties or reimbursement of adversely affected customers. Even if we do not suffer any material adverse consequences as a result of events affecting us directly, information systems issues at other financial institutions could lead to a general loss of customer confidence in financial institutions, including us. Also, system problems, including those resulting from third-party attacks, whether at PNC or at our competitors, may broadly increase legislative, regulatory and customer concerns regarding the functioning, safety and security of such systems. In that case, we would expect to incur even higher levels of costs with respect to prevention and mitigation of these risks. 20 The PNC Financial Services Group, Inc. – 2024 Form 10-K 20 The PNC Financial Services Group, Inc. – 2024 Form 10-K 20 The PNC Financial Services Group, Inc. – 2024 Form 10-K

We have policies, procedures, systems and programs (including cybersecurity and business continuity programs) designed to prevent, mitigate and remediate the effect of failures, interruptions and security breaches in our technology. We continue to devote appropriate resources toward improving the reliability of our policies, procedures, systems and programs and their security against external and internal threats and expect to continue to do so in the future. We design our business continuity and other information and technology risk management programs to allow us to provide services in the case of an event resulting in material disruptions of business activities affecting our employees, facilities, technology or suppliers. We cannot guarantee the effectiveness of our policies, procedures, systems and programs to protect us in any future situation, nor can we guarantee the effectiveness of our oversight of risk arising from third parties upon whom we rely. Although we have policies, procedures, systems and programs designed to mitigate third-party risk, our ability to implement policies, procedures, systems and programs designed to prevent or limit the effect of possible failures, interruptions or security breaches impacting third-party technology, including the financial services industry infrastructure generally, is necessarily limited. Should such an adverse event occur, we may not have financial protection from the other third-party sufficient to compensate us or otherwise protect us from the consequences. While we maintain insurance coverage that may cover certain aspects of cyber risks, such insurance coverage may be insufficient to cover all losses or any losses at all, and there can be no guarantee that our insurer will not deny coverage to any particular claim in the future or that such insurance will continue to be available on commercially reasonable terms or at all. As a result, we could suffer material financial and reputational losses in the future from any failures, interruptions or security breaches or the perceptions thereof, whether or not this perception is correct. We may be unable to implement adequate preventive or mitigating measures to address failures, interruptions and security breaches in advance. Even with our proactive and defensive measures in place, such adverse events are likely to occur, and there remains the risk that one or more such events would be material to PNC. Our ability to mitigate and remediate the adverse consequences of such events is in part dependent on the quality of our business continuity planning, our ability to identify and understand threats to us from a holistic perspective, our ability to anticipate the timing and nature of any such event that occurs, with novel or unusual events posing a greater risk, and our ability to identify and quickly resolve vulnerabilities in our technology and those of third parties upon which we rely. Cyber attacks and breaches often are not recognized until launched against a target and may go undetected for a period of time, 18 The PNC Financial Services Group, Inc. – 2025 Form 10-K 18 The PNC Financial Services Group, Inc. – 2025 Form 10-K 18 The PNC Financial Services Group, Inc. – 2025 Form 10-K with the adverse consequences likely greater the longer it takes to discover the problem. In many cases, it also depends on the preparedness and responses of national or regional governments, including emergency responders, or on the part of other organizations and businesses with which we deal. Additionally, our failure to communicate failures, interruptions and security breaches appropriately to relevant parties could result in regulatory, legal, operational and reputational risk. See Item 1C Cybersecurity of this Report for more information on our cybersecurity risk management program.

We have policies, procedures and systems (including cybersecurity and business continuity programs) designed to prevent or limit the effect of possible failures, interruptions or breaches in security of information systems. We continue to devote appropriate resources toward improving the reliability of our systems and their security against external and internal threats and expect to continue to do so in the future. We design our business continuity and other information and technology risk management programs to allow us to provide services in the case of an event resulting in material disruptions of business activities affecting our employees, facilities, technology or suppliers. We cannot guarantee the effectiveness of our policies, procedures and systems to protect us in any future situation, nor the effectiveness of our oversight of risk at third parties. Although we have policies, procedures and systems designed to mitigate third-party risk, our ability to implement policies, procedures and systems designed to prevent or limit the effect of possible failures, interruptions or breaches in security of information systems with respect to third-party systems and the financial services industry infrastructure is necessarily limited. Should an adverse event affecting another company’s systems occur, we may not have financial protection from the other company sufficient to compensate us or otherwise protect us from the consequences. Methods used by others to attack information systems change frequently (with generally increasing sophistication). A new method of attack often is not recognized until launched against a target. Attacks in some cases appear to be supported by foreign governments or other well-financed entities and often originate from less regulated and remote areas around the world. We have seen a higher volume and complexity of attacks during times of increased geopolitical tensions. As a result, we may be unable to implement adequate preventive measures to address these methods in advance of attacks. Even with our proactive and defensive measures in place, adverse events are likely to occur, and there remains the risk that one or more such events would be material to PNC. Our ability to mitigate the adverse consequences of such occurrences is in part dependent on the quality of our business continuity planning, our ability to identify and understand threats to us from a holistic perspective, our ability to anticipate the timing and nature of any such event that 22 The PNC Financial Services Group, Inc. – 2024 Form 10-K 22 The PNC Financial Services Group, Inc. – 2024 Form 10-K 22 The PNC Financial Services Group, Inc. – 2024 Form 10-K occurs, with novel or unusual events posing a greater risk, and our ability to identify and quickly resolve vulnerabilities in our information systems and those of third parties upon which we rely. It is also the case that a vulnerability or an adverse event may go undetected for a period of time, with the adverse consequences likely greater the longer it takes to discover the problem. In many cases, it also depends on the preparedness and responses of national or regional governments, including emergency responders, or on the part of other organizations and businesses with which we deal. Additionally, our failure to communicate cyber incidents appropriately to relevant parties could result in regulatory, legal, operational and reputational risk.