← back to summary

COF, §1A diff (2020 → 2021)

Similarity1.00
Added+14927 words
Removed-14521 words

Added paragraphs (14927 words)

Item 1A. Risk Factors

This section highlights significant factors, events, and uncertainties that make an investment in our securities risky. The events and consequences discussed in these risk factors could, in circumstances we may not be able to accurately predict, recognize, or control, have a material adverse effect on our business, growth, reputation, prospects, financial condition, operating results, cash flows, liquidity, and stock price. These risk factors do not identify all risks that we face; our operations could also be affected by factors, events, or uncertainties that are not presently known to us or that we currently do not consider to present significant risks to our operations. In addition, the global economic and political climate may amplify many of these risks.

Summary of Risk Factors

Below is a summary of the principal factors that make an investment in our securities risky. This summary does not address all of the risks that we face. Additional discussion of the risks summarized in this risk factor summary, and other risks that we face, can be found below and should be carefully considered, together with other information in this Form 10-K and our other filings with the SEC, before making an investment decision regarding our common stock.

•Our results of operations may be adversely affected by the effects of the COVID-19 pandemic.

•Changes and instability in the macroeconomic environment, consumer confidence and customer behavior may adversely affect our business.

•Financial market instability and volatility could adversely affect our business.

•We may experience increased delinquencies, credit losses, inaccurate estimates and inadequate reserves.

•We may not be able to maintain adequate capital or liquidity levels, which could have a negative impact on our financial results and our ability to return capital to our stockholders.

21

Capital One Financial Corporation (COF)

Table of Contents

•Limitations on our ability to receive dividends from our subsidiaries could affect our liquidity and ability to pay dividends and repurchase common stock.

•We face risks related to our operational, technological and organizational infrastructure.

•A cyber-attack or other security incident, including one that results in the theft, loss or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions.

•Our required compliance with applicable laws and regulations related to privacy, data protection and data security may increase our costs, reduce our revenue, increase our legal exposure and limit our ability to pursue business opportunities.

•We face risks resulting from the extensive use of models and data.

•Compliance with new and existing laws, regulations and regulatory expectations is costly and complex.

•Our businesses are subject to the risk of increased litigation, government investigations and regulatory enforcement.

•We face intense competition in all of our markets.

•Our business, financial condition and results of operations may be adversely affected by merchants’ increasing focus on the fees charged by credit and debit card networks and by legislation and regulation impacting such fees.

•If we are not able to invest successfully in and introduce digital and other technological developments across all our businesses, our financial performance may suffer.

•We may fail to realize the anticipated benefits of our mergers, acquisitions and strategic partnerships.

•Reputational risk and social factors may impact our results and damage our brand.

•If we are not able to protect our intellectual property, our revenue and profitability could be negatively affected.

•Our risk management strategies may not be fully effective in mitigating our risk exposures in all market environments or against all types of risk.

•Fluctuations in market interest rates or volatility in the capital markets could adversely affect our income and expense, the value of assets and obligations, our regulatory capital, cost of capital or liquidity.

•The transition away from London Interbank Offered Rate (“LIBOR”) may adversely affect our business.

•Our business could be negatively affected if we are unable to attract, retain and motivate skilled employees.

•We face risks from unpredictable catastrophic events.

•Climate change manifesting as physical or transition risks could adversely affect our operations, businesses and customers.

•We face risks from the use of or changes to assumptions or estimates in our financial statements.

•The soundness of other financial institutions and other third parties could adversely affect us.

General Economic and Market Risks

Our results of operations may be adversely affected by the effects of the COVID-19 pandemic.

Although the global economy has begun to recover from the COVID-19 pandemic and many health and safety restrictions have been lifted and vaccine distribution has increased, certain adverse consequences of the pandemic, especially as a result of the emergence of the Omicron variant in late 2021, continue to impact the macroeconomic environment and may persist for some time. Such adverse consequences include labor shortages and disruptions of global supply chains. The growth in economic activity and demand for goods and services, alongside labor shortages and supply chain complications, has also contributed to rising inflationary pressures and could adversely affect our business. Should these ongoing effects of the pandemic continue for

22

Capital One Financial Corporation (COF)

Table of Contents

an extended period or worsen, our purchase volume, loan balances and the overall demand for our products and services may be significantly impacted, which could adversely affect our revenue and other results of operations. In addition, we could experience higher credit losses in our loan portfolios and increases in our allowance for credit losses beyond current levels. We could also experience impairments of other financial assets and other negative impacts on our financial position, including possible constraints on liquidity and capital, as well as higher costs of capital. Even after the COVID-19 pandemic has subsided, we may continue to experience adverse impacts to our business and results of operations, which could be material, as a result of the macroeconomic impact and any recession that has occurred or may occur in the future.

The COVID-19 pandemic caused us to modify our business practices and operations, including providing a range of forbearance options to our customers in certain circumstances. We may need to further modify our practices and operations as the pandemic remains dynamic and the emergence of variants resistant to existing vaccines remains uncertain. We also implemented work-from-home policies for a vast majority of our employees, and social distancing plans for our employees who are working from Capital One facilities. Nearly all of our Cafés and bank branches across our network are open with increased safety precautions. We will continue to monitor local conditions to ensure the safety of our associates and customers while providing critical banking services. These measures could impair our ability to perform critical functions and may adversely impact our results of operations. In addition, these measures and other changes in consumer behavior as a result of the COVID-19 pandemic may require changes to retail distribution strategies and adversely impact our investments in our bank premises and equipment and other retail distribution assets, leading to increased costs and exposure to additional risks. We may take further actions as required by government authorities or that we otherwise determine are in the best interests of our customers, employees and business partners.

Since the inception of the COVID-19 pandemic, federal, state, local and foreign governmental authorities enacted regulations and protocols in response to the COVID-19 pandemic, including governmental programs intended to provide economic relief to businesses and individuals. We participated in certain of these programs, including participating as an eligible lender in the Small Business Administration’s Paycheck Protection Program. Our participation in and execution of any such programs may cause operational, compliance, reputational and credit risks, which could result in litigation, governmental action or other forms of loss. The extent of these impacts, which may be substantial, depends, in part, on the degree of our participation in these programs. There remains significant uncertainty regarding the measures that authorities will enact in the future and the ultimate impact of the legislation, regulations and protocols that have been and will be enacted. Moreover, we expect that the effects of the COVID-19 pandemic will heighten many of the other known risks described herein. See “Part I—Item 1.—Business—Overview—Coronavirus Disease 2019 (COVID-19) Pandemic”.

The extent to which the consequences of the COVID-19 pandemic affect our businesses, results of operations and financial condition, as well as our regulatory capital and liquidity ratios and our ability to take capital actions, will depend on future developments that remain uncertain, including, for example, the rate of distribution and administration of vaccines globally, the severity and duration of any resurgence of COVID-19 variants, future actions taken by governmental authorities, central banks and other third parties in response to the pandemic, and the effects on our customers, counterparties, employees and third-party service providers.

Changes and instability in the macroeconomic environment, consumer confidence and customer behavior may adversely affect our business.

We offer a broad array of financial products and services to consumers, small businesses and commercial clients. A prolonged period of economic volatility, slow growth, or a significant deterioration in economic conditions, in the U.S., Canada or the U.K., could have a material adverse effect on our financial condition and results of operations as customers default on their loans, maintain lower deposit levels or, in the case of credit card accounts, carry lower balances and reduce credit card purchase activity.

Some of the risks we face in connection with adverse changes and instability in the macroeconomic environment, including changes in consumer confidence levels and behavior, include the following:

•Changes in payment patterns, increases in delinquencies and default rates, decreased consumer spending, inflation, lower demand for credit and shifts in consumer payment behavior towards avoiding late fees, finance charges and other fees;

•Increases in our charge-off rate caused by bankruptcies and reduced ability to recover debt that we have previously charged-off;

23

Capital One Financial Corporation (COF)

•Decreased reliability of the process and models we use to estimate our allowance for loan and lease losses, particularly if unexpected variations in key inputs and assumptions cause actual losses to diverge from the projections of our models and our estimates become increasingly subject to management’s judgment. See “We face risks resulting from the extensive use of models and data.”

The U.K. and the European Union agreed to a free trade deal at the end of 2020 relating to the U.K.’s exit from the European Union. Although this deal provides greater near-term stability, there is still some degree of uncertainty as to the relationship between the U.K and the European Union, which may increase volatility in the regional and global financial markets. We continue to consider and monitor the potential impacts, and other factors that could also impact U.K. economic performance.

Financial market instability and volatility could adversely affect our business.

Our ability to borrow from other financial institutions or to engage in funding transactions on favorable terms or at all could be adversely affected by disruptions in the capital markets or other events, including actions by rating agencies and deteriorating investor expectations. In addition, fluctuations in interest rates, credit spreads and other market factors could negatively impact our results of operations. Both shorter-term and longer-term interest rates remain below long-term historical averages and the yield curve has been relatively flat compared to past periods. A flat yield curve combined with low interest rates generally leads to lower revenue and reduced margins because it can decrease the spread between asset yields and funding costs. Sustained periods of time with a flat yield curve coupled with low interest rates, or an inversion of the yield curve, could have a material adverse effect on our net interest margin and earnings.

Credit Risk

We may experience increased delinquencies, credit losses, inaccurate estimates and inadequate reserves.

Like other lenders, we face the risk that our customers will not repay their loans. A customer’s ability and willingness to repay us can be adversely affected by decreases in the income of the borrower or increases in their payment obligations to other lenders, whether as a result of higher debt levels or rising interest rates, by rising levels of inflation, or by restricted availability of credit generally. We may fail to quickly identify and reduce our exposure to customers that are likely to default on their payment obligations, whether by closing credit lines or restricting authorizations. Our ability to manage credit risk also is affected by legal or regulatory changes (such as restrictions on collections, bankruptcy laws, minimum payment regulations and re-age guidance), competitors’ actions and consumer behavior, and depends on the effectiveness of our collections staff, techniques and models.

Rising losses or leading indicators of rising losses (such as higher delinquencies, higher rates of nonperforming loans, higher bankruptcy rates, lower collateral values, elevated unemployment rates or changing market terms) may require us to increase our allowance for credit losses, which would decrease our profitability if we are unable to raise revenue or reduce costs to compensate for higher losses. In particular, we face the following risks in this area:

•Missed Payments: Our customers may miss payments. Loan charge-offs (including from bankruptcies) are generally preceded by missed payments or other indications of worsening financial condition for our customers. Historically, customers are more likely to miss payments during an economic downturn or prolonged periods of slow economic growth. In addition, we face the risk that consumer and commercial customer behavior may change (for example, an increase in the unwillingness or inability of customers to repay debt, which may be heightened by increasing interest rates or levels of consumer debt), causing a long-term rise in delinquencies and charge-offs.

•Incorrect Estimates of Expected Losses: The credit quality of our portfolio can have a significant impact on our earnings. We allow for and reserve against credit risks based on our assessment of expected credit losses in our loan portfolios. This process, which is critical to our financial condition and results of operations, requires complex judgments, including forecasts of economic conditions. We may underestimate our expected losses and fail to hold an allowance for credit losses sufficient to account for these losses. Incorrect assumptions could lead to material underestimations of expected credit losses and an inadequate allowance for credit losses.

•Inaccurate Underwriting: Our ability to accurately assess the creditworthiness of our customers may diminish, which could result in an increase in our credit losses and a deterioration of our returns. See “Our risk management strategies may not be fully effective in mitigating our risk exposures in all market environments or against all types of risk.”

24

Capital One Financial Corporation (COF)

•Business Mix: We engage in a diverse mix of businesses with a broad range of potential credit exposure. Because we originate a relatively greater proportion of consumer loans in our loan portfolio compared to other large bank peers and originate both prime and subprime credit card accounts and auto loans, we may experience higher delinquencies and a greater number of accounts charging off compared to other large bank peers, which could result in increased credit losses, operating costs and regulatory scrutiny. Additionally, a change in this business mix over time to include proportionally more consumer loans or subprime credit card accounts or auto loans could adversely affect the credit quality of our portfolio.

•Increasing Charge-off Recognition/Allowance for Credit Losses: We account for the allowance for credit losses according to accounting and regulatory guidelines and rules, including Financial Accounting Standards Board (“FASB”) standards and the Federal Financial Institutions Examination Council (“FFIEC”) Account Management Guidance. Effective as of January 1, 2020, we adopted the CECL standard which is based on expected lifetime losses rather than incurred losses. Adoption of the CECL standard has resulted and may continue to result in an increase to our reserves for credit losses on financial instruments with a resulting adverse impact on our financial condition. The continued impact of CECL on our results will depend on the characteristics of our financial instruments, economic conditions, and our economic and loss forecasts. The application of the CECL standard requires us to increase reserves faster and to a higher level in an economic downturn, resulting in greater impact to our results and our capital ratios than we would have experienced in similar circumstances prior to the adoption of CECL. In addition, because credit cards represent a significant portion of our product mix, we could be disproportionately affected by use of the CECL standard, as compared to our large bank peers with a different product mix.

•Insufficient Asset Values: The collateral we have on secured loans could be insufficient to compensate us for credit losses. When customers default on their secured loans, we attempt to recover collateral where permissible and appropriate. However, the value of the collateral may not be sufficient to compensate us for the amount of the unpaid loan, and we may be unsuccessful in recovering the remaining balance from our customers. Decreases in real estate and other asset values adversely affect the collateral value for our commercial lending activities, while the auto business is similarly exposed to collateral risks arising from the auction markets that determine used car prices. Borrowers may be less likely to continue making payments on loans if the value of the property used as collateral for the loan is less than what the borrower owes, even if the borrower is still financially able to make the payments. In that circumstance, the recovery of such property could be insufficient to compensate us for the value of these loans upon a default. In our auto business, business and economic conditions that negatively affect household incomes, housing prices and consumer behavior, as well as technological advances that make older cars obsolete faster, could decrease (i) the demand for new and used vehicles and (ii) the value of the collateral underlying our portfolio of auto loans, which could cause the number of consumers who become delinquent or default on their loans to increase.

•Geographic and Industry Concentration: Although our consumer lending is geographically diversified, approximately 45% of our commercial real estate loan portfolio is concentrated in the Northeast region. The regional economic conditions in the Northeast affect the demand for our commercial products and services as well as the ability of our customers to repay their commercial real estate loans and the value of the collateral securing these loans. An economic downturn or prolonged period of slow economic growth in, or a catastrophic event that disproportionately affects, including as a result of climate change, the Northeast region could have a material adverse effect on the performance of our commercial real estate loan portfolio and our results of operations. In addition, our Commercial Banking strategy includes an industry-specific focus. If any of the industries that we focus on experience changes, we may experience increased credit losses and our results of operations could be adversely impacted.

Capital and Liquidity Risk

We may not be able to maintain adequate capital or liquidity levels, which could have a negative impact on our financial results and our ability to return capital to our stockholders.

Financial institutions are subject to extensive and complex capital and liquidity requirements, which are subject to change. These requirements affect our ability to lend, grow deposit balances, make acquisitions and distribute capital. Failure to maintain adequate capital or liquidity levels, whether due to adverse developments in our business or the economy or to changes in the applicable requirements, could subject us to a variety of remedies available to our regulators. These include limitations on the ability to pay dividends and/or repurchase shares and the issuance of a capital directive to increase capital. Such limitations or capital directive could have a material adverse effect on our business and results of operations.

25

Capital One Financial Corporation (COF)

We consider various factors in the management of capital, including the impact of both internal and supervisory stress scenarios on our capital levels as determined by both our internal modeling and the Federal Reserve’s modeling of our capital position in supervisory stress tests. There can be significant differences between our modeling and the Federal Reserve’s projections for a given supervisory stress scenario and between the capital needs suggested by our internal stress scenarios relative to the supervisory scenarios. Therefore, although our estimated capital levels under stress disclosed as part of the stress testing processes may suggest that we have a particular capacity to return capital to stockholders and remain well capitalized under stress, the Federal Reserve’s modeling, our internal modeling of another scenario and/or other factors related to our capital management process may reflect a lower capacity to return capital to stockholders than that indicated by the projections released in the stress testing processes. This in turn, could lead to restrictions on our ability to pay dividends and engage in share repurchases. See “Part I—Item 1. Business—Supervision and Regulation” for additional information.

We also consider various factors in the management of liquidity, including maintaining sufficient liquid assets to meet the requirements of several internal and regulatory stress tests. There can be significant differences in estimated liquidity needs between internal and regulatory stress testing, and liquidity resources required to meet regulatory requirements, such as applicable LCR and NSFR requirements, may exceed what would otherwise be required to satisfy internal liquidity metrics and stress testing. Regulatory liquidity stress testing and regulatory liquidity requirements may, therefore, require us to take actions to increase our liquid assets or alter our activities or funding sources, which could negatively affect our financial results or our ability to return capital to our stockholders. See “Part I—Item 1. Business—Supervision and Regulation” for additional information.

In response to economic uncertainty due to the COVID-19 pandemic, the Federal Reserve required certain large BHCs, including us, to suspend share repurchases and cap common stock dividends and subsequently extended the restrictions into the first half of 2021 with certain modifications to permit resumptions of share repurchases. Although these temporary restrictions on our capital actions ended on June 30, 2021, it is possible that the Federal Reserve could impose similar restrictions in the future. Further changes to applicable capital and liquidity requirements could result in unexpected or new limitations on our ability to pay dividends and engage in share repurchases.

Limitations on our ability to receive dividends from our subsidiaries could affect our liquidity and ability to pay dividends and repurchase common stock.

We are a separate and distinct legal entity from our subsidiaries, including the Banks and our broker-dealer subsidiaries. Dividends to us from these direct and indirect subsidiaries have represented a major source of funds for us to pay dividends on our common and preferred stock, repurchase common stock, make payments on corporate debt securities and meet other obligations. There are various federal law limitations on the extent to which the Banks can finance or otherwise supply funds to us through dividends and loans. These limitations include minimum regulatory capital requirements, federal banking law requirements concerning the payment of dividends out of net profits or surplus, Sections 23A and 23B of the Federal Reserve Act and Regulation W governing transactions between an insured depository institution and its affiliates, as well as general federal regulatory oversight to prevent unsafe or unsound practices. Our broker-dealer subsidiaries are also subject to laws and regulations, including net capital requirements, that may limit their ability to pay dividends or make other distributions to us. If our subsidiaries’ earnings are not sufficient to make dividend payments to us while maintaining adequate capital levels, our liquidity may be affected and we may not be able to make dividend payments to our common or preferred stockholders, repurchase our common stock, make payments on outstanding corporate debt securities or meet other obligations, each and any of which could have a material adverse impact on our results of operations, our financial position or the perception of our financial health. See “Part I—Item 1. Business—Supervision and Regulation” for additional information regarding dividend limitations applicable to us and the Banks.

Operational Risk

We face risks related to our operational, technological and organizational infrastructure.

Our ability to retain and attract customers depends on our ability to develop, operate, and adapt our technology and organizational infrastructure in a rapidly changing environment. In addition, we must accurately process, record and monitor an increasingly large number of complex transactions. Digital technology, data and software development are deeply embedded into our business model and how we work.

Similar to other large corporations, we are exposed to operational risk that can manifest itself in many ways, such as errors in execution, inadequate processes, inaccurate models, faulty or disabled technological infrastructure, malicious disruption and

26

Capital One Financial Corporation (COF)

fraud by employees or persons outside of our company, whether through attacks on Capital One directly or on our customers. In addition, we are heavily dependent on the security, capability and continuous availability of the technology systems that we use to manage our internal financial and other systems, monitor risk and compliance with regulatory requirements, provide services to our customers, develop and offer new products and communicate with stakeholders. We also face risk of adverse customer impacts and business disruption arising from the execution of strategic initiatives we may pursue across our operations.

If we do not maintain the necessary operational, technological and organizational infrastructure to operate our business, including to maintain the resiliency and security of that infrastructure, our business and reputation could be materially adversely affected. We also are subject to disruptions to our systems arising from events that are wholly or partially beyond our control, which may include computer viruses, electrical or telecommunications outages, design flaws in foundational components or platforms, availability and quality of vulnerability patches from key vendors, cyber-attacks and other security incidents (including Distributed Denial of Service (“DDOS”) and other attacks on our infrastructure as discussed below), natural disasters, other damage to property or physical assets, or events arising from local or larger scale politics, including terrorist acts. Any failure to maintain our infrastructure or disruption of our systems and applications could diminish our ability to operate our businesses, service customer accounts and protect customers’ information, or result in potential liability to customers, reputational damage, regulatory intervention and customers’ loss of confidence in our businesses, any of which could result in a material adverse effect.

We also rely on the business infrastructure and systems of third parties with which we do business and to whom we outsource the operation, maintenance and development of our information technology and communications systems. We have migrated substantially all aspects of our core information technology systems and customer-facing applications to third-party cloud infrastructure platforms, principally AWS. If we fail to administer these new environments in a well-managed, secure and effective manner, or if such platforms become unavailable or do not meet their service level agreements for any reason, we may experience unplanned service disruption or unforeseen costs which could result in material harm to our business and results of operations. We must successfully develop and maintain information, financial reporting, disclosure, privacy, data-protection, data security and other controls adapted to our reliance on outside platforms and providers. In addition, AWS, or other service providers, could experience system breakdowns or failures, outages, downtime, cyber-attacks and other security incidents, adverse changes to financial condition, bankruptcy, or other adverse conditions, which could have a material adverse effect on our business and reputation. Thus, the substantial amount of our infrastructure that we outsource to AWS or to other third parties may increase our risk exposure.

Any disruptions, failures or inaccuracies of our operational processes, technology systems and models, including those associated with improvements or modifications to such technology systems and models, could cause us to be unable to market and manage our products and services, manage our risk, meet our regulatory obligations or report our financial results in a timely and accurate manner, all of which could have a negative impact on our results of operations. In addition, our ongoing investments in infrastructure, which are necessary to maintain a competitive business, integrate acquisitions and establish scalable operations, may increase our expenses. As our business develops, changes or expands, additional expenses can arise as a result of a reevaluation of business strategies, management of outsourced services, asset purchases or other acquisitions, structural reorganization, compliance with new laws or regulations, the integration of newly acquired businesses, or the prevention or occurrence of cyber-attacks and other security incidents. If we are unable to successfully manage our expenses, our financial results will be negatively affected. Changes to our business, including those resulting from our strategic objectives, also requires robust governance to ensure that our objectives are executed as intended without adversely impacting our customers, associates, operations or financial performance. Ineffective change management oversight and governance over the execution of our strategic objectives could expose us to operational, strategic and reputational risk and could negatively impact customers or our financial performance.

A cyber-attack or other security incident, including one that results in the theft, loss or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions.

Our ability to provide our products and services, many of which are web-based, and communicate with our customers, depends upon the management and safeguarding of information systems and infrastructure, networks, software, data engineering, technology, methodologies and business secrets, including those of our service providers. Our products and services involve the collection, authentication, management, usage, storage, transmission and eventual destruction of sensitive and confidential information, including personal information, regarding our customers and their accounts, our employees, our partners and other

27

Capital One Financial Corporation (COF)

third parties with which we do business. We also have arrangements in place with third parties through which we share and receive information about their customers who are or may become our customers.

Technologies, systems, networks, and other devices of Capital One, as well as those of our employees, service providers, partners and other third parties with whom we interact, have been and may continue to be the subject of cyber-attacks and other security incidents, including DDOS attacks, computer viruses, hacking, malware, ransomware, credential stuffing, or phishing or other forms of social engineering. Such cyber-attacks and other security incidents are designed to lead to various harmful outcomes, such as unauthorized transactions in Capital One accounts, unauthorized or unintended access to or release, gathering, monitoring, disclosure, loss, destruction, corruption, disablement, encryption, misuse, modification or other processing of confidential or sensitive information (including personal information), intellectual property, software, methodologies or business secrets, disruption, sabotage or degradation of service, systems or networks, or other damage. These threats may derive from, among other things, error, fraud or malice on the part of our employees, insiders, or third parties or may result from accidental technological failure. Any of these parties may also attempt to fraudulently induce employees, service providers, customers, partners or other third-party users of our systems or networks to disclose confidential or sensitive information (including personal information) in order to gain access to our systems, networks or data or that of our customers, partners, or third parties with whom we interact, or to unlawfully obtain monetary benefit through misdirected or otherwise improper payment. For example, any party that obtains our confidential or sensitive information (including personal information) through a cyber-attack or other security incident may use this information for ransom, to be paid by us or a third party, as part of a fraudulent activity that is part of a broader criminal activity, or for other illicit purposes.

For example, on July 29, 2019, we announced that on March 22 and 23, 2019 an outside individual gained unauthorized access to our systems (the “Cybersecurity Incident”). This individual obtained certain types of personal information relating to people who had applied for our credit card products and to our credit card customers. While the Cybersecurity Incident has been remediated, it has resulted in fines, litigation, government investigations and other regulatory enforcement inquiries, as well as consent orders with certain regulatory agencies. Cyber and information security risks for large financial institutions like us continue to increase due to the proliferation of new technologies, the industry-wide shift to reliance upon the internet to conduct financial transactions, and the increased sophistication and activities of malicious actors, organized crime, perpetrators of fraud, hackers, terrorists, activists, formal and informal instrumentalities of foreign governments and other external parties. In addition, our customers access our products and services using personal devices that are necessarily external to our security control systems. There has also been a significant proliferation of consumer information available on the internet resulting from breaches of third-party entities, including personal information, log-in credentials and authentication data. While we were not directly involved in these third-party breach events, the stolen information can create a vulnerability for our customers if their Capital One log-in credentials are the same as or similar to the credentials that have been compromised on other sites. This vulnerability could include the risk of unauthorized account access, data loss and fraud. The use of artificial intelligence, “bots” or other automation software can increase the velocity and efficacy of these types of attacks. The ongoing COVID-19 pandemic also increases the risk that we may experience cyber incidents as a result of our employees, service providers, partners and other third parties with which we interact working remotely on systems, networks and environments over which we have less control.

The methods and techniques employed by malicious actors change frequently, are increasingly sophisticated and often are not fully recognized or understood until after they have occurred, and some techniques could occur and persist for an extended period of time before being detected. For example, although we immediately fixed the configuration vulnerability that was exploited in the Cybersecurity Incident once we discovered the unauthorized access, a period of time elapsed between the occurrence of the unauthorized access and the time when we discovered it. In other circumstances, we and our service providers and other third parties with which we interact may be unable to anticipate or identify certain attack methods in order to implement effective preventative measures or mitigate or remediate the damages caused in a timely manner. We may also be unable to hire and develop talent capable of detecting, mitigating or remediating these risks. Although we seek to maintain a robust suite of authentication and layered information security controls, any one or combination of these controls could fail to detect, mitigate or remediate these risks in a timely manner. We will likely face an increasing number of attempted cyber-attacks as we expand our mobile and other internet-based products and services, as well as our usage of mobile and cloud technologies and as we provide more of these services to a greater number of retail clients.

A disruption or breach, including as a result of a cyber-attack such as the Cybersecurity Incident, or media reports of perceived security vulnerabilities at Capital One or at our service providers, could result in significant legal and financial exposure, regulatory intervention, litigation, remediation costs, card reissuance, supervisory liability, damage to our reputation or loss of confidence in the security of our systems, products and services that could adversely affect our business. There can be no assurance that unauthorized access or cyber incidents similar to the Cybersecurity Incident will not occur or that we will not

28

Capital One Financial Corporation (COF)

suffer material losses in the future. If future attacks are successful or if customers are unable to access their accounts online for other reasons, it could adversely impact our ability to service customer accounts or loans, complete financial transactions for our customers or otherwise operate any of our businesses or services. In addition, a breach or attack affecting one of our service providers or other third parties with which we interact could harm our business even if we do not control the service that is attacked.

Further, our ability to monitor our service providers’ cybersecurity practices is limited. Although we generally have agreements relating to cybersecurity and data privacy in place with our service providers, we cannot guarantee that such agreements will prevent a cyber incident impacting our systems or information or enable us to obtain adequate or any reimbursement from our service providers in the event we should suffer any such incidents. However, due to applicable laws and regulations or contractual obligations, we may be held responsible for cyber incidents attributed to our service providers as they relate to the information we share with them.

In addition, the increasing prevalence and the evolution of cyber-attacks and other efforts to breach or disrupt our systems or networks or those of our customers, service providers, partners or other third parties with which we interact has led, and will likely continue to lead, to increased costs to us with respect to preventing, mitigating and remediating these risks, as well as any related attempted fraud. In order to address ongoing and future risks, we must expend significant resources to support protective security measures, investigate and remediate any vulnerabilities of our information systems and infrastructure and invest in new technology designed to mitigate security risks. Further, high profile cyber incidents at Capital One or other large financial institutions could lead to a general loss of customer confidence in financial institutions that could negatively affect us, including harming the market perception of the effectiveness of our security measures or the financial system in general, which could result in reduced use of our financial products. We have insurance against some cyber risks and attacks; nonetheless, our insurance coverage may not be sufficient to offset the impact of a material loss event (including if our insurer denies coverage as to any particular claim in the future), and such insurance may increase in cost or cease to be available on commercially reasonable terms, or at all, in the future.

Our required compliance with applicable laws and regulations related to privacy, data protection and data security may increase our costs, reduce our revenue, increase our legal exposure and limit our ability to pursue business opportunities.

We are subject to a variety of continuously evolving and developing laws and regulations in the United States at the federal, state and local level regarding privacy, data protection and data security, including those related to the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information. For example, at the federal level, we are subject to the GLBA, among other laws and regulations. In addition, in November 2021, the Federal Reserve, OCC, and FDIC issued a final rule that, among other things, requires all banking organizations in the United States to notify their primary federal regulators of certain material computer-security incidents as soon as possible and no later than 36 hours after determining that the incident has occurred. At the state level, the CCPA went into effect on January 1, 2020 and covers certain companies that process personal information of California residents. The CCPA was recently amended by the CPRA, which will become effective in most material respects on January 1, 2023. Numerous other states have also enacted or are in the process of enacting state-level privacy, data protection and/or data security laws and regulations.

We also are, or may become, subject to continuously evolving and developing laws and regulations in other jurisdictions regarding privacy, data protection and data security. For example, in Canada we are subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). In addition, the EU GDPR applies EU data protection law to all companies processing data of EU residents, regardless of the company’s location. We also are subject to the U.K. GDPR (which is how GDPR has been implemented into U.K. law). These laws and regulations, and similar laws and regulations in other jurisdictions, impose strict requirements regarding the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information, which may have adverse consequences, including significant compliance costs and severe monetary penalties for non-compliance. Significant uncertainty exists as privacy, data protection, and data security laws may be interpreted and applied differently from country to country and may create inconsistent or conflicting requirements.

Further, we make public statements about our use, collection, disclosure and other processing of personal information through our privacy policies, information provided on our website and press statements. Although we endeavor to comply with our public statements and documentation, we may at times fail to do so or be alleged to have failed to do so. The publication of our privacy policies and other statements that provide promises and assurances about privacy, data protection and data security can subject us to potential government or legal action if they are found to be deceptive, unfair or misrepresentative of our actual practices.

29

Capital One Financial Corporation (COF)

Our efforts to comply with PIPEDA, GLBA, GDPR, U.K. GDPR, CCPA, CPRA and other privacy, data protection and data security laws and regulations, as well as our posted privacy policies, and related contractual obligations to third parties, entail substantial expenses, may divert resources from other initiatives and projects, and could limit the services we are able to offer. Furthermore, enforcement actions and investigations by regulatory authorities related to data security incidents and privacy, data protection and data security violations continue to increase. The enactment of more restrictive laws or regulations, or future enforcement actions or investigations, could impact us through increased costs or restrictions on our business, and any noncompliance or perceived noncompliance could result in monetary or other penalties, harm to our reputation and significant legal liability.

We face risks resulting from the extensive use of models and data.

We rely on quantitative models, our ability to manage and aggregate data in an accurate and timely manner, assess and manage our various risk exposures, estimate certain financial values and manage compliance with regulatory capital requirements. Models may be used in such processes as determining the pricing of various products, grading loans and extending credit, measuring interest rate and other market risks, predicting deposit levels or loan losses, assessing capital adequacy and calculating managerial and regulatory capital levels, estimating the value of financial instruments and balance sheet items, and other operational functions. Our risk reporting and management, including business decisions based on information incorporating models, depend on the effectiveness of our models and our policies, programs, processes and practices governing how data is acquired, validated, stored, protected, processed and analyzed. Any issues with the quality or effectiveness of our data aggregation and validation procedures, as well as the quality and integrity of data inputs, formulas or algorithms, could result in inaccurate forecasts, ineffective risk management practices or inaccurate risk reporting. In addition, models based on historical data sets might not be accurate predictors of future outcomes and their ability to appropriately predict future outcomes may degrade over time. While we continuously update our policies, programs, processes and practices, many of our data management, aggregation and implementation processes are manual and subject to human error or system failure. Failure to manage data effectively and to aggregate data in an accurate and timely manner may limit our ability to manage current and emerging risk, to produce accurate financial, regulatory and operational reporting as well as to manage changing business needs. If our risk management framework is ineffective, we could suffer unexpected losses which could materially adversely affect our results of operation or financial condition. Also, any information we provide to the public or to our regulators based on poorly designed or implemented models could be inaccurate or misleading. Some of the decisions that our regulators make, including those related to capital distribution to our stockholders, could be affected adversely due to the perception that the quality of the models used to generate the relevant information is insufficient.

Legal and Regulatory Risk

Compliance with new and existing laws, regulations and regulatory expectations is costly and complex.

A wide array of laws and regulations, including banking and consumer lending laws and regulations, apply to almost every aspect of our business. We and our subsidiaries are also subject to supervision and examination by multiple regulators, and the manner in which our regulators interpret applicable laws and regulations may affect how we comply with them. Failure to comply with these laws and regulations, even if the failure was inadvertent or reflects a difference in interpretation, could subject us to restrictions on our business activities, fines, criminal sanctions and other penalties, and/or damage to our reputation with regulators, our customers or the public. Hiring, training and retaining qualified compliance and legal personnel, and establishing and maintaining risk management and compliance-related systems, infrastructure and processes, is difficult and may lead to increased expenses. These efforts and the associated costs could limit our ability to invest in other business opportunities.

Applicable rules and regulations may affect us disproportionately compared to our competitors or in an unforeseen manner. For example, we have a large number of customer accounts in our credit card and auto lending businesses and we have made the strategic choice to originate and service subprime credit card and auto loans, which typically have higher delinquencies and charge-offs than prime customer accounts. As a result, we have significant involvement with credit bureau reporting and the collection and recovery of delinquent and charged-off debt, primarily through customer communications, the filing of litigation against customers in default, the periodic sale of charged-off debt and vehicle repossession. These activities are subject to enhanced legal and regulatory scrutiny from regulators, courts and legislators. Any future changes to or legal liabilities resulting from our business practices in these areas, including our debt collection practices, whether mandated by regulators, courts, legislators or otherwise, could have a material adverse impact on our financial condition.

30

Capital One Financial Corporation (COF)

The legislative and regulatory environment is beyond our control, may change rapidly and unpredictably, and may negatively influence our revenue, costs, earnings, growth, liquidity and capital levels. For example, there may be future rulemaking in emerging regulatory areas such as climate-related risks and new technologies, including distributed ledger technology and cryptocurrencies. In addition, some rules and regulations may be subject to litigation or other challenges that delay or modify their implementation and impact on us. Adoption of new technologies, such as distributed ledger technologies, tokenization, cloud computing, artificial intelligence and machine learning technologies, can present unforeseen challenges in applying and relying on existing compliance systems.

Certain laws and regulations, and any interpretations and applications with respect thereto, are generally intended to protect consumers, borrowers, depositors, the DIF, the U.S. banking and financial system, and financial markets as a whole, but not stockholders. Our success depends on our ability to maintain compliance with both existing and new laws and regulations. For a description of the material laws and regulations to which we are subject, see “Part I—Item 1. Business—Supervision and Regulation.”

Our businesses are subject to the risk of increased litigation, government investigations and regulatory enforcement.

Our businesses are subject to increased litigation, government investigations and other regulatory enforcement risks as a result of a number of factors and from various sources, including the highly regulated nature of the financial services industry, the focus of state and federal prosecutors on banks and the financial services industry and the structure of the credit card industry.

Given the inherent uncertainties involved in litigation, government investigations and regulatory enforcement decisions, and the very large or indeterminate damages sought in some matters asserted against us, there can be significant uncertainty as to the ultimate liability we may incur from these kinds of matters. The finding, or even the assertion, of substantial legal liability against us could have a material adverse effect on our business and financial condition and could cause significant reputational harm to us, which could seriously harm our business. The Cybersecurity Incident has resulted in litigation, government investigations and other regulatory enforcement inquiries.

In addition, financial institutions, such as ourselves, face significant regulatory scrutiny, which can lead to public enforcement actions or nonpublic supervisory actions. We and our subsidiaries are subject to comprehensive regulation and periodic examination by, among other regulatory bodies, the Federal Banking Agencies, SEC, CFTC and CFPB. We have been subject to enforcement actions by many of these and other regulators and may continue to be involved in such actions, including governmental inquiries, investigations and enforcement proceedings, including by the OCC, Department of Justice, Financial Crimes Enforcement Network (“FinCEN”) and state Attorneys General.

Over the last several years, federal and state regulators have focused on compliance with AML and sanctions laws, privacy, data protection and data security, use of service providers, fair lending and other consumer protection issues. In August 2020, we entered into consent orders with the Federal Reserve and the OCC resulting from regulatory reviews of the Cybersecurity Incident and relating to ongoing enhancements of our cybersecurity and operational risk management processes, and we paid a civil monetary penalty as part of the OCC agreement. In January 2021, we also paid a civil monetary penalty assessed by FinCEN against CONA in connection with our AML program. Regulatory scrutiny is expected to continue in these areas, including as a result of implementation of the AML Act of 2020.

We expect that regulators and governmental enforcement bodies will continue taking formal enforcement actions against financial institutions in addition to addressing supervisory concerns through nonpublic supervisory and enforcement actions or findings, which could involve restrictions on our activities, or our ability to make acquisitions or otherwise expand our business, among other limitations that could adversely affect our business. In addition, a violation of law or regulation by another financial institution is likely to give rise to an investigation by regulators and other governmental agencies of the same or similar practices by us. Furthermore, a single event may give rise to numerous and overlapping investigations and proceedings. These and other initiatives from governmental authorities and officials may subject us to further judgments, settlements, fines or penalties, or cause us to restructure our operations and activities or to cease offering certain products or services, all of which could harm our reputation or lead to higher operational costs. Litigation, government investigations and other regulatory actions could generally subject us to significant fines, increased expenses, restrictions on our activities and damage to our reputation and our brand, and could adversely affect our business, financial condition and results of operations. For additional information regarding legal and regulatory proceedings to which we are subject, see “Note 18—Commitments, Contingencies, Guarantees and Others.”

31

Capital One Financial Corporation (COF)

Other Business Risks

We face intense competition in all of our markets.

We operate in a highly competitive environment across all of our lines of business, whether in making loans, attracting deposits or in the global payments industry, and we expect competitive conditions to continue to intensify with respect to most of our products particularly in our credit card and consumer banking business. We compete on the basis of the rates we pay on deposits and the rates and other terms we charge on the loans we originate or purchase, as well as the quality and range of our customer service, products, innovation and experience. This increasingly competitive environment is primarily a result of changes in technology, product delivery systems and regulation, as well as the emergence of new or significantly larger financial services providers, all of which may affect our customers’ expectations and demands. In addition to offering competitive products and services, we invest in and conduct marketing campaigns to attract and inform customers.

Some of our competitors, including new and emerging competitors in the digital and mobile payments space and other financial technology providers, are not subject to the same regulatory requirements or legislative scrutiny to which we are subject, which also could place us at a competitive disadvantage, in particular in the development of new technology platforms or the ability to rapidly innovate. We compete with many forms of payments offered by both bank and non-bank providers, including a variety of new and evolving alternative payment mechanisms, systems and products, such as aggregators and web-based and wireless payment platforms or technologies, digital or cryptocurrencies, prepaid systems and payment services targeting users of social networks, communications platforms and online gaming. If we are unable to continue to keep pace with innovation, do not effectively market our products and services or are prohibited from or unwilling to enter emerging areas of competition, our business and results of operations could be adversely affected.

Some of our competitors are substantially larger than we are, which may give those competitors advantages, including a more diversified product and customer base, the ability to reach more customers and potential customers, operational efficiencies, broad-based local distribution capabilities, lower-cost funding and larger existing branch networks. Many of our competitors are also focusing on cross-selling their products and developing new products or technologies, which could affect our ability to maintain or grow existing customer relationships or require us to offer lower interest rates or fees on our lending products or higher interest rates on deposits. Competition for loans could result in origination of fewer loans, earning less on our loans or an increase in loans that perform below expectations.

We operate as an online direct bank in the United States. While direct banking provides a significant opportunity to attract new customers that value greater and more flexible access to banking services at reduced costs, we face strong and increasing competition in the direct banking market. Aggressive pricing throughout the industry may adversely affect the retention of existing balances and the cost-efficient acquisition of new deposit funds and may affect our growth and profitability. Customers could also close their online accounts or reduce balances or deposits in favor of products and services offered by competitors for other reasons. These shifts, which could be rapid, could result from general dissatisfaction with our products or services, including concerns over pricing, online security or our reputation. The potential consequences of this competitive environment are exacerbated by the flexibility of direct banking and the financial and technological sophistication of our online customer base.

In our credit card business, competition for rewards customers may result in higher rewards expenses, or we may fail to attract new customers or retain existing rewards customers due to increasing competition for these consumers. As of December 31, 2021, we have a number of large partnerships in our credit card loan portfolio. The market for key business partners, especially in the credit card business, is very competitive, and we may not be able to grow or maintain these partner relationships. Additionally, partners themselves may face changes in their business, including market factors and ownership changes, that could impact the partnership. We face the risk that we could lose partner relationships, even after we have invested significant resources into acquiring and developing the relationships. The loss of any of our key business partners could have a negative impact on our results of operations, including lower returns, excess operating expense and excess funding capacity.

We depend on our partners to effectively promote our co-brand and private label products and integrate the use of our credit cards into their retail operations. The failure by our partners to effectively promote and support our products as well as changes they may make in their business models could adversely affect card usage and our ability to achieve the growth and profitability objectives of our partnerships. In addition, if our partners do not adhere to the terms of our program agreements and standards, or otherwise diminish the value of our brand, we may suffer reputational damage and customers may be less likely to use our products.

32

Capital One Financial Corporation (COF)

Some of our competitors have developed, or may develop, substantially greater financial and other resources than we have, may offer richer value propositions or a wider range of programs and services than we offer, or may use more effective advertising, marketing or cross-selling strategies to acquire and retain more customers, capture a greater share of spending and borrowings, attain and develop more attractive co-brand card programs and maintain greater merchant acceptance than we have. We may not be able to compete effectively against these threats or respond or adapt to changes in consumer spending habits as effectively as our competitors.

In such a competitive environment, we may lose entire accounts or may lose account balances to competing firms, or we may find it more costly to maintain our existing customer base. Customer attrition from any or all of our lending products, together with any lowering of interest rates or fees that we might implement to retain customers, could reduce our revenues and therefore our earnings. Similarly, unexpected customer attrition from our deposit products, in addition to an increase in rates or services that we may offer to retain deposits, may increase our expenses and therefore reduce our earnings.

Our business, financial condition and results of operations may be adversely affected by merchants’ increasing focus on the fees charged by credit and debit card networks and by legislation and regulation impacting such fees.

Interchange fees are generally one of the largest components of the costs that merchants pay in connection with the acceptance of credit and debit cards and are a meaningful source of revenue for our credit and debit card businesses. Interchange fees are the subject of significant and intense global legal, legislative and regulatory focus, and the resulting decisions, legislation and regulation may have a material adverse impact on our overall business, financial condition and results of operations.

Legislative and regulatory bodies in a number of countries are seeking to reduce interchange fees through legislation, competition-related regulatory proceedings, voluntary agreements, central bank regulation and/or litigation. For credit transactions, interchange reimbursement rates in the United States are set by credit card networks such as MasterCard and Visa. For debit transactions, Federal Reserve rules place limits on the interchange fees we may charge. For more information on these rules, including the Federal Reserve’s proposed amendments, please see “Part I—Item 1. Business—Supervision and Regulation.” In some jurisdictions, such as Canada and certain countries in Europe, including the U.K., interchange fees and related practices are subject to regulatory activity, including in some cases, imposing caps on permissible interchange fees. Our international card businesses have been impacted by these restrictions. For example, in the U.K., interchange fees are capped for both credit and debit card transactions. In addition, in Canada, Visa and Mastercard payment networks have, since 2014, entered into voluntary agreements with the Department of Finance Canada to maintain an agreed upon average interchange rate. Lowering interchange fees remains an area of domestic and international governmental focus. Legislators and regulators around the world are aware of each other’s approaches to the regulation of the payments industry. Consequently, a development in one country, state or region may influence regulatory approaches in another, such as our primary market, the United States.

In addition to this regulatory activity, merchants are also seeking avenues to reduce interchange fees. During the past few years, merchants and their trade groups have filed numerous lawsuits against Visa, MasterCard, American Express and their card-issuing banks, claiming that their practices toward merchants, including interchange and similar fees, violate federal antitrust laws. In 2005, a number of entities filed antitrust lawsuits against MasterCard and Visa and several member banks, including our subsidiaries and us, alleging among other things, that the defendants conspired to fix the level of interchange fees. In December 2013, the U.S. District Court for the Eastern District of New York granted final approval of the proposed class settlement. The settlement provided, among other things, that merchants would be entitled to join together to negotiate lower interchange fees. The settlement was appealed to the Second Circuit Court of Appeals, which rejected the settlement in June 2016; a revised settlement was reached in the second half of 2018, and the trial court issued its final approval of the settlement in December 2019. See “Note 18—Commitments, Contingencies, Guarantees and Others” for further details.

Some major retailers may have sufficient bargaining power to independently negotiate lower interchange fees with MasterCard and Visa, which could, in turn, result in lower interchange fees for us when our cardholders undertake purchase transactions with these retailers. In 2016, some of the largest merchants individually negotiated lower interchange rates with MasterCard and/or Visa. These and other merchants also continue to lobby aggressively for caps and restrictions on interchange fees and their efforts may be successful or they may in the future bring legal proceedings against us or other credit card and debit card issuers and networks.

Beyond pursuing litigation, legislation and regulation, merchants may also promote forms of payment with lower fees, such as ACH-based payments, or seek to impose surcharges at the point of sale for use of credit or debit cards. New payment systems, particularly mobile-based payment technologies, could also gain widespread adoption and lead to issuer transaction fees or the displacement of credit card accounts as a payment method.

33

Capital One Financial Corporation (COF)

The heightened focus by merchants and legislative and regulatory bodies on the fees charged by credit and debit card networks, and the ability of certain merchants to successfully negotiate discounts to interchange fees with MasterCard and Visa or develop alternative payment systems, could result in a reduction of interchange fees. Any resulting loss in income to us could have a material adverse effect on our business, financial condition and results of operations.

If we are not able to invest successfully in and introduce digital and other technological developments across all our businesses, our financial performance may suffer.

Our industry is subject to rapid and significant technological changes and our ability to meet our customers’ needs and expectations is key to our ability to grow revenue and earnings. We expect digital technologies to have a significant impact on banking over time. Consumers expect robust digital experiences from their financial services providers. The ability for customers to access their accounts and conduct financial transactions using digital technology, including mobile applications, is an important aspect of the financial services industry and financial institutions are rapidly introducing new digital and other technology-driven products and services that aim to offer a better customer experience and to reduce costs. We continue to invest in digital technology designed to attract new customers, facilitate the ability of existing customers to conduct financial transactions and enhance the customer experience related to our products and services.

Our continued success depends, in part, upon our ability to address the needs of our customers by using digital technology to provide products and services that meet their expectations. The development and launch of new digital products and services depends in large part on our capacity to invest in and build the technology platforms that can enable them, in a cost effective and timely manner. See “We face intense competition in all of our markets” and “We face risks related to our operational, technological and organizational infrastructure.”

Some of our competitors are substantially larger than we are, which may allow those competitors to invest more money into their technology infrastructure and digital innovation than we do. In addition, we face intense competition from smaller companies which experience lower cost structures and different regulatory requirements and scrutiny than we do, and which may allow them to innovate more rapidly than we can. See “We face intense competition in all of our markets.” Further, our success depends on our ability to attract and retain strong digital and technology leaders, engineers and other specialized personnel. The competition is intense and the compensation costs continue to increase for such talent. If we are unable to attract and retain digital and technology talent, our ability to offer digital products and services and build the necessary technology infrastructure could be negatively affected, which could negatively impact our business and financial results. A failure to maintain or enhance our competitive position with respect to digital products and services, whether because we fail to anticipate customer expectations or because our technological developments fail to perform as desired or are not implemented in a timely or successful manner, could negatively impact our business and financial results.

We may fail to realize the anticipated benefits of our mergers, acquisitions and strategic partnerships.

We have engaged in merger and acquisition activity and entered into strategic partnerships over the past several years. We continue to evaluate and anticipate engaging in, among other merger and acquisition activity, additional strategic partnerships and selected acquisitions of financial institutions and other businesses or assets, including credit card and other loan portfolios. We may not be able to identify and secure future acquisition targets on terms and conditions that are acceptable to us, or successfully complete within the anticipated time frame and achieve the anticipated benefits of proposed mergers, acquisitions and strategic partnerships, which could impair our growth.

Any merger, acquisition or strategic partnership we undertake entails certain risks, which may materially and adversely affect our results of operations. If we experience greater than anticipated costs to integrate acquired businesses into our existing operations, or are not able to achieve the anticipated benefits of any merger, acquisition or strategic partnership, including cost savings and other synergies, our business could be negatively affected. In addition, it is possible that the ongoing integration processes could result in the loss of key employees, errors or delays in systems implementation, exposure to cybersecurity risks associated with acquired businesses, exposure to additional regulatory oversight, the disruption of our ongoing businesses or inconsistencies in standards, controls, procedures and policies that adversely affect our ability to maintain relationships with partners, clients, customers, depositors and employees or to achieve the anticipated benefits of any merger, acquisition or strategic partnership. Integration efforts also may divert management attention and resources. These integration matters may have an adverse effect on us during any transition period.

34

Capital One Financial Corporation (COF)

In addition, we may face the following risks in connection with any merger, acquisition or strategic partnership:

•New Businesses and Geographic or Other Markets: Our merger, acquisition or strategic partnership activity may involve our entry into new businesses, or new geographic areas or other markets which present risks resulting from our relative inexperience in these new businesses or markets. These new businesses or markets may change the overall character of our consolidated portfolio of businesses and alter our exposure to economic and other external factors. We face the risk that we will not be successful in these new businesses or in these new markets.

•Identification and Assessment of Merger and Acquisition Targets and Deployment of Acquired Assets: We may not be able to identify, acquire or partner with suitable targets. Further, our ability to achieve the anticipated benefits of any merger, acquisition or strategic partnership will depend on our ability to assess the asset quality and value of the particular assets or institutions we partner with, merge with or acquire. We may be unable to profitably deploy any assets we acquire.

•Accuracy of Assumptions: In connection with any merger, acquisition or strategic partnership, we may make certain assumptions relating to the proposed merger, acquisition or strategic partnership that may be, or may prove to be, inaccurate, including as a result of the failure to realize the expected benefits of any merger, acquisition or strategic partnership. The inaccuracy of any assumptions we may make could result in unanticipated consequences that could have a material adverse effect on our results of operations or financial condition.

•Target-specific Risk: Assets and companies that we acquire, or companies that we enter into strategic partnerships with, will have their own risks that are specific to a particular asset or company. These risks include, but are not limited to, particular or specific regulatory, accounting, operational, reputational and industry risks, any of which could have a material adverse effect on our results of operations or financial condition. For example, we may face challenges associated with integrating other companies due to differences in corporate culture, compliance systems or standards of conduct. Indemnification rights, if any, may be insufficient to compensate us for any losses or damages resulting from such risks. In addition to regulatory approvals discussed below, certain of our merger, acquisition or partnership activity may require third-party consents in order for us to fully realize the anticipated benefits of any such transaction.

•Conditions to Regulatory Approval: We may be required to obtain regulatory approvals to consummate certain acquisitions. We cannot be certain whether, when or on what terms and conditions, such approvals may be granted. Consequently, we may not obtain regulatory approval for a proposed acquisition on acceptable terms or at all, in which case we would not be able to complete the acquisition despite investing resources in pursuing it.

Reputational risk and social factors may impact our results and damage our brand.

Our ability to attract and retain customers is highly dependent upon the perceptions of consumer and commercial borrowers and deposit holders and other external perceptions of our products, services, trustworthiness, business practices, workplace culture, compliance practices or our financial health. In addition, our brand is very important to us. Maintaining and enhancing our brand depends largely on our ability to continue to provide high-quality products and services. Adverse perceptions regarding our reputation in the consumer, commercial and funding markets could lead to difficulties in generating and maintaining accounts as well as in financing them. In particular, negative public perceptions regarding our reputation, including negative perceptions regarding our ability to maintain the security of our technology systems and protect customer data, could lead to decreases in the levels of deposits that consumer and commercial customers and potential customers choose to maintain with us or significantly increase the costs of attracting and retaining customers. In addition, negative perceptions regarding certain industries, partners or clients could also prompt us to cease business activities associated with those entities.

Negative public opinion or damage to our brand could also result from actual or alleged conduct in any number of activities or circumstances, including lending practices, regulatory compliance, security breaches (including the use and protection of customer data, such as resulting from the Cybersecurity Incident), corporate governance and sales and marketing, and from actions taken by regulators or other persons in response to such conduct. Such conduct could fall short of our customers’ and the public’s heightened expectations of companies of our size with rigorous privacy, data protection, data security and compliance practices, and could further harm our reputation. In addition, our co-brand and private label partners or other third parties with whom we have important relationships may take actions over which we have limited control that could negatively impact perceptions about us or the financial services industry. The proliferation of social media may increase the likelihood that negative public opinion from any of the events discussed above will impact our reputation and business.

35

Capital One Financial Corporation (COF)

In addition, a variety of social factors may cause changes in borrowing activity, including credit card use, payment patterns and the rate of defaults by account holders and borrowers domestically and internationally. These social factors include changes in consumer confidence levels, the public’s perception regarding the banking industry and consumer debt, including credit card use, and changing attitudes about the stigma of bankruptcy. If consumers develop or maintain negative attitudes about incurring debt, or if consumption trends decline or if we fail to maintain and enhance our brand, or we incur significant expenses to do so, our business and financial results could be materially and negatively affected.

If we are not able to protect our intellectual property, our revenue and profitability could be negatively affected.

We rely on a variety of measures to protect and enhance our intellectual property, including copyrights, trademarks, trade secrets, patents and certain restrictions on disclosure, solicitation and competition. We also undertake other measures to control access to and distribution of our other proprietary information. These measures may not prevent misappropriation of our proprietary information or infringement of our intellectual property rights and a resulting loss of competitive advantage. In addition, our competitors or other third parties may obtain patents for innovations that are used in our industry or allege that our systems, processes or technologies infringe on their intellectual property rights. If our competitors or other third parties are successful in obtaining such patents or prevail in intellectual property-related litigation against us, we could lose significant revenues, incur significant license, royalty or technology development expenses, or pay significant damages.

Our risk management strategies may not be fully effective in mitigating our risk exposures in all market environments or against all types of risk.

Management of market, credit, liquidity, operational and compliance risk requires, among other things, policies and procedures to properly record and verify a large number of transactions and events. See “MD&A—Risk Management” for further details. Even though we continue to devote significant resources to developing our risk management framework, our risk management strategies may not be fully effective in identifying and mitigating our risk exposure in all market environments or against all types of risk, including risks that are unidentified or unanticipated.

Some of our methods of managing these risks are based upon our use of observed historical market behavior and management’s judgment. These methods may not accurately predict future exposures, which could be significantly greater than the historical measures indicate and market conditions, particularly during a period of financial market stress, can involve unprecedented dislocations. For example, credit risk is inherent in the financial services business and results from, among other things, extending credit to customers. Our ability to assess the creditworthiness of our customers may be impaired if the models and approaches we use to select, manage and underwrite our consumer and commercial customers become less predictive of future charge-offs due, for example, to rapid changes in the economy, or degradation in the predictive nature of credit bureau and other data used in underwriting.

While we employ a broad and diversified set of risk monitoring and risk mitigation techniques, those techniques and the judgments that accompany their application cannot anticipate every economic and financial outcome or the timing of such outcomes. For example, our ability to implement our risk management strategies may be hindered by adverse changes in the volatility or liquidity conditions in certain markets and as a result, may limit our ability to distribute such risks (for instance, when we seek to syndicate exposure in bridge financing transactions we have underwritten). We may, therefore, incur losses in the course of our risk management or investing activities.

Fluctuations in market interest rates or volatility in the capital markets could adversely affect our income and expense, the value of assets and obligations, our regulatory capital, cost of capital or liquidity.

Like other financial institutions, our business is sensitive to market interest rate movements and the performance of the capital markets. Disruptions, uncertainty or volatility across the capital markets could negatively impact market liquidity, limit our access to the funding and capital required to operate and grow our business and adversely affect our results of operations and financial condition. In addition, changes in interest rates or in valuations in the debt or equity markets could directly impact us. For example, we borrow money from other institutions and depositors, which we use to make loans to customers and invest in debt securities and other interest-earning assets. We earn interest on these loans and assets and pay interest on the money we borrow from institutions and depositors. The interest rates that we pay on the securities we have issued are also influenced by, among other things, applicable credit ratings from recognized rating agencies. A downgrade to any of these credit ratings could affect our ability to access the capital markets, increase our borrowing costs and have a negative impact on our results of operations. Increased charge-offs, rising interest rates and other events may cause our securitization transactions to amortize earlier than scheduled, which could accelerate our need for additional funding from other sources. Fluctuations in interest rates,

36

Capital One Financial Corporation (COF)

including changes in the relationship between short-term rates and long-term rates and in the relationship between our funding basis rate and our lending basis rate, may have negative impacts on our net interest income and therefore our earnings.

In addition, interest rate fluctuations and competitor responses to those changes may affect the rate of customer prepayments for auto and other term loans and may affect the balances customers carry on their credit cards. For example, increases in interest rates increase debt service requirements for some of our borrowers, which may adversely affect those borrowers’ ability to pay as contractually obligated. This could result in additional delinquencies or charge-offs and negatively impact our results of operations. These changes can reduce the overall yield on our interest-earning asset portfolio. Changes in interest rates and competitor responses to these changes may also impact customer decisions to maintain balances in the deposit accounts they have with us. An inability to attract or maintain deposits could materially affect our ability to fund our business and our liquidity position. Many other financial institutions have increased their reliance on deposit funding and, as such, we expect continued competition in the deposit markets. We cannot predict how this competition will affect our costs. If we are required to offer higher interest rates to attract or maintain deposits, our funding costs will be adversely impacted. Changes in valuations in the debt and equity markets could have a negative impact on the assets we hold in our investment portfolio. Such market changes could also have a negative impact on the valuation of assets for which we provide servicing.

We assess our interest rate risk by estimating the effect on our earnings, economic value and capital under various scenarios that differ based on assumptions about the direction and the magnitude of interest rate changes. We take risk mitigation actions based on those assessments. We face the risk that changes in interest rates could materially reduce our net interest income and our earnings, especially if actual conditions turn out to be materially different than those we assumed. See “MD&A—Market Risk Profile” for additional information.

The transition away from LIBOR may adversely affect our business.

Central banks around the world, including the Federal Reserve, have commissioned committees and working groups of market participants and official sector representatives to replace LIBOR and replace or reform other interest rate benchmarks. The publication of non-U.S. dollar LIBOR rates on a representative basis, as well as the publication of the lesser used 1-week and 2-month U.S. dollar LIBOR tenors, ceased as of the end of December 2021. While the most commonly used U.S. dollar LIBOR tenors are expected to continue to be published until June 30, 2023, the U.S. banking agencies issued guidance that banking organizations should cease using U.S. dollar LIBOR as a reference rate in new contracts in any event by December 31, 2021. A transition away from the widespread use of LIBOR to alternative rates and other potential interest rate benchmark reforms has begun and is continuing. These reforms have caused and may in the future cause such rates to perform differently than in the past, or to disappear entirely, or have other consequences which cannot be predicted.

Given LIBOR’s extensive use across financial markets, the transition away from LIBOR presents several risks and challenges to the financial markets and financial institutions, including Capital One. We have loans, derivative contracts, unsecured debt, securitizations, vendor agreements and other instruments with attributes that are either directly or indirectly dependent on LIBOR. Uncertainty as to the nature of potential changes, alternative reference rates (including the pace of transition to, the specific terms and parameters for, and market acceptance of, such rates), or other reforms may adversely affect market liquidity, the pricing of LIBOR-based instruments, and the availability and cost of associated hedging instruments and borrowings. The Secured Overnight Financing Rate (“SOFR”) has been recommended by the Alternative Reference Rates Committee (“ARRC”) as an alternative to U.S. dollar LIBOR. Nevertheless, the transition away from LIBOR could result in loss of market share in certain products, adverse tax or accounting impacts, compliance, legal or operational costs and risks associated with client disclosures, as well as systems disruption, model disruption and other business continuity issues for us.

In addition, risks will remain for us with respect to outstanding instruments which rely on LIBOR. Those risks arise in connection with transitioning such instruments to a new reference rate, the taking of discretionary actions (for example, under fallback provisions) or the negotiation of fallback provisions and final amendments to existing LIBOR based agreements. Payments under contracts referencing new reference rates may significantly differ from those referencing LIBOR. For some instruments, the method of transitioning to a new reference rate may be challenging, especially if parties to an instrument cannot agree as to how to effect that transition. If a contract is not transitioned to a new reference rate and LIBOR ceases to exist, the impact on our obligations is likely to vary by contract. In addition, prior to LIBOR cessation, instruments that continue to refer to LIBOR may be impacted if there is a change in the availability or calculation of LIBOR. The transition from LIBOR to an alternative reference rate has changed our market risk profile and required changes to risk and pricing models, valuation tools, product design, information technology systems, reporting infrastructure, operational processes and controls, and hedging strategies, and may result in or require further such changes in the future. In many cases, we are and may in the future be dependent on third parties to upgrade systems, software and other critical functions that could materially disrupt our

37

Capital One Financial Corporation (COF)

readiness if they are not done on a timely basis or otherwise fail. Our assessment of the ultimate impact of, and our planning for, the transition from LIBOR remains ongoing. Failure to adequately manage the transition could have a material adverse effect on our reputation, business, financial condition and results of operations. See “MD&A—Market Risk Profile” for additional information.

Our business could be negatively affected if we are unable to attract, retain and motivate skilled employees.

Our success depends, in large part, on our ability to retain key senior leaders and to attract and retain skilled employees, particularly employees with advanced expertise in credit, risk, digital and technology skills. We depend on our senior leaders and skilled employees to oversee simultaneous, transformative initiatives across the enterprise and execute on our business plans in an efficient and effective manner. Competition for such senior leaders and employees, and the costs associated with attracting and retaining them, is high and made even more competitive as a result of the external environment, including increasing rates of job transition and low unemployment. Our ability to attract and retain qualified employees also is affected by perceptions of our culture and management, our profile in the regions where we have offices and the professional opportunities we offer. Regulation or regulatory guidance restricting executive compensation, as well as evolving investor expectations, may limit the types of compensation arrangements that we may enter into with our most senior leaders and could have a negative impact on our ability to attract, retain and motivate such leaders in support of our long-term strategy. These laws and regulations may not apply in the same manner to all financial institutions and technology companies, which therefore may subject us to more restrictions than other institutions and companies with which we compete for talent and may also hinder our ability to compete for talent with other industries. We rely upon our senior leaders not only for business success, but also to lead with integrity. To the extent our senior leaders behave in a manner that does not comport with our values, the consequences to our brand and reputation could be severe and could adversely affect our financial condition and results of operations. If we are unable to attract, develop and retain talented senior leadership and employees, or to implement appropriate succession plans for our senior leadership, our business could be negatively affected.

We face risks from unpredictable catastrophic events.

Despite the business contingency plans we have in place, such plans do not fully mitigate all potential business continuity risks to us. Natural disasters and other catastrophic events could harm our employees, business and infrastructure, including our information technology systems and third-party platforms. Our ability to conduct business may be adversely affected by a disruption in the infrastructure that supports our business and the communities where we are located, which are concentrated in the Northern Virginia and New York metropolitan areas, as well as Richmond, Virginia and Plano, Texas. This may include a disruption involving damage or loss of access to a physical site, cyber-attacks and other security incidents, terrorist activities, the occurrence or worsening of disease outbreaks or pandemics (including the COVID-19 pandemic), natural disasters, extreme weather events (including as a result of climate change), electrical outage, environmental hazards, disruption to technological infrastructure, communications or other services we use, our employees or third parties with whom we conduct business. Our business, financial condition and results of operations may be impacted by any such disruption and our ability to implement corresponding response measures quickly, including, for example, our ability to respond effectively to a remote work environment as a result of the ongoing COVID-19 pandemic and related response measures. In addition, if a natural disaster or other catastrophic event occurs in certain regions where our business and customers are concentrated, such as the mid-Atlantic, New York, California or Texas metropolitan areas, we could be disproportionately impacted as compared to our competitors. The impact of such events and other catastrophes on the overall economy may also adversely affect our financial condition and results of operations.

Climate change manifesting as physical or transition risks could adversely affect our operations, businesses and customers.

The physical risks of climate change include discrete events, such as flooding and wildfires, and longer-term shifts in climate patterns, such as extreme heat, sea level rise, and more frequent and prolonged drought. Such events could disrupt our operations or those of our customers or third parties on which we rely, including through direct damage to assets and indirect impacts from supply chain disruption and market volatility. Additionally, transitioning to a low-carbon economy may entail significant policy, legal, technology and market initiatives. Transition risks, including changes in consumer preferences and additional regulatory requirements or taxes, could increase our expenses and impact our strategies or those of our customers. Physical and transition risks could also affect the financial health of certain customers in impacted industries or geographies. In addition, our reputation and client relationships may be damaged as a result of our practices and decisions related to climate change and the environment, or the practices or involvement of our clients, in certain industries or projects associated with causing or exacerbating climate change. Climate risk is interconnected with many risk types. We continue to enhance processes to embed evolving climate risk considerations into our risk management strategies established for risks such as market, credit

38

Capital One Financial Corporation (COF)

and operational risks; however, because the timing and severity of climate change may not be predictable, our risk management strategies may not be effective in mitigating climate risk exposure.

We face risks from the use of or changes to assumptions or estimates in our financial statements.

Pursuant to generally accepted accounting principles in the U.S. (“U.S. GAAP”), we are required to use certain assumptions and estimates in preparing our financial statements, including determining our allowance for credit losses, the fair value of certain assets and liabilities, and goodwill impairment, among other items. In addition, the FASB, the SEC and other regulatory bodies may change the financial accounting and reporting standards, including those related to assumptions and estimates we use to prepare our financial statements, in ways that we cannot predict and that could impact our financial statements. If actual results differ from the assumptions or estimates underlying our financial statements or if financial accounting and reporting standards are changed, we may experience unexpected material losses. For a discussion of our use of estimates in the preparation of our consolidated financial statements, see “MD&A—Critical Accounting Policies and Estimates” and “Note 1—Summary of Significant Accounting Policies.”

The soundness of other financial institutions and other third parties could adversely affect us.

Our ability to engage in routine funding and other transactions could be adversely affected by the stability and actions of other financial services institutions. Financial services institutions are interrelated as a result of trading, clearing, servicing, counterparty and other relationships. We have exposure to financial institutions, intermediaries and counterparties that are exposed to risks over which we have little or no control.

In addition, we routinely execute transactions with counterparties in the financial services industry, including brokers and dealers, commercial banks, investment banks, mutual and hedge funds and other institutional clients, resulting in a significant credit concentration with respect to the financial services industry overall. As a result, defaults by, or even rumors or questions about, one or more financial services institutions, or the financial services industry generally, have led to market-wide liquidity problems and could lead to losses or defaults by us or by other institutions.

Likewise, adverse developments affecting the overall strength and soundness of our competitors, the financial services industry as a whole and the general economic climate or sovereign debt could have a negative impact on perceptions about the strength and soundness of our business even if we are not subject to the same adverse developments. In addition, adverse developments with respect to third parties with whom we have important relationships also could negatively impact perceptions about us. These perceptions about us could cause our business to be negatively affected and exacerbate the other risks that we face.

Removed paragraphs (14521 words)

Item 1A. Risk Factors This section highlights significant factors, events, and uncertainties that make an investment in our securities risky. The events and consequences discussed in these risk factors could, in circumstances we may not be able to accurately predict, recognize, or control, have a material adverse effect on our business, growth, reputation, prospects, financial condition, operating results, cash flows, liquidity, and stock price. These risk factors do not identify all risks that we face; our operations could also be affected by factors, events, or uncertainties that are not presently known to us or that we currently do not consider to present significant risks to our operations. In addition, the global economic and political climate may amplify many of these risks. Summary of Risk Factors Below is a summary of the principal factors that make an investment in our securities risky. This summary does not address all of the risks that we face. Additional discussion of the risks summarized in this risk factor summary, and other risks that we face, can be found below and should be carefully considered, together with other information in this Form 10-K and our other filings with the SEC, before making an investment decision regarding our common stock. •The COVID-19 pandemic has adversely impacted our business and financial results, and the extent to which the pandemic and measures taken in response to the pandemic could materially and adversely impact our business, financial condition, liquidity, capital and results of operations will depend on future developments, which are highly uncertain and are difficult to predict. •Changes and instability in the macroeconomic environment, consumer confidence and customer behavior may adversely affect our business. •Financial market instability and volatility could adversely affect our business. •We may experience increased delinquencies, credit losses, inaccurate estimates and inadequate reserves. •We may not be able to maintain adequate capital or liquidity levels, which could have a negative impact on our financial results and our ability to return capital to our stockholders. •We face risks related to our operational, technological and organizational infrastructure. •Theft, loss or misuse of information as a result of a cyber-attack may result in increased costs, reductions in revenue, reputational damage and business disruptions. •Potential data protection and privacy incidents, and our required compliance with regulations related to these areas, may increase our costs, reduce our revenue and limit our ability to pursue business opportunities. •Compliance with new and existing laws, regulations and regulatory expectations is costly and complex. •Our businesses are subject to the risk of increased litigation, government investigations and regulatory enforcement. •We face intense competition in all of our markets. •Our business, financial condition and results of operations may be adversely affected by merchants’ increasing focus on the fees charged by credit card networks and by legislation and regulation impacting such fees. •If we are not able to invest successfully in and introduce digital and other technological developments across all our businesses, our financial performance may suffer. •We may fail to realize all of the anticipated benefits of our mergers, acquisitions and strategic partnerships. •Reputational risk and social factors may impact our results and damage our brand. •If we are not able to protect our intellectual property, our revenue and profitability could be negatively affected. •Our risk management strategies may not be fully effective in mitigating our risk exposures in all market environments or against all types of risk. •Fluctuations in market interest rates or volatility in the capital markets could adversely affect our income and expense, the value of assets and obligations, our regulatory capital, cost of capital or liquidity. •Uncertainty regarding, and transition away from, LIBOR may adversely affect our business. •Our business could be negatively affected if we are unable to attract, retain and motivate skilled employees. •We face risks from unpredictable catastrophic events. •We face risks from the use of or changes to assumptions or estimates in our financial statements. •Limitations on our ability to receive dividends from our subsidiaries could affect our liquidity and ability to pay dividends and repurchase common stock. •The soundness of other financial institutions and other third parties could adversely affect us. General Economic and Market Risks The COVID-19 pandemic has adversely impacted our business and financial results, and the extent to which the pandemic and measures taken in response to the pandemic could materially and adversely impact our business, financial condition, liquidity, capital and results of operations will depend on future developments, which are highly uncertain and are difficult to predict. Global health concerns relating to the COVID-19 pandemic and related government actions taken to reduce the spread of the virus have impacted the macroeconomic environment, significantly increased economic uncertainty and reduced economic activity. The pandemic has also caused governmental authorities to implement numerous measures to try to contain the virus, including travel bans and restrictions, quarantines, shelter-in-place orders, and business limitations and shutdowns. These measures have negatively impacted and may further negatively impact consumer and business payment and spending patterns. The COVID-19 pandemic has adversely impacted, and may continue to adversely impact, our business, operations, financial condition, capital and results of operations. The extent of these impacts depends on future developments, which are highly uncertain and difficult to predict, including, but not limited to, the duration and magnitude of the pandemic, the actions taken to contain the virus or treat its impact, the effectiveness of economic stimulus measures in the United States, and how quickly and to what extent economic and operating conditions and consumer and business spending can return to their pre-pandemic levels. As of December 31, 2020, several vaccines have been authorized for limited distribution. The plan for larger community-based distribution is being developed and may begin during the second quarter of 2021. However, the timing and extent of any such widespread distribution of vaccines remains uncertain. As a result of this uncertainty, our purchase volume, loan growth and the overall demand for our products and services may be significantly impacted, which could adversely affect our revenue and other results of operations. In addition, we could experience higher credit losses in our loan portfolios and increases in our allowance for credit losses beyond current levels. For example, as a result of the significant uncertainty due to the COVID-19 pandemic, we realized a substantial build in our allowance for credit losses for the first two quarters of 2020. We could also experience impairments of other financial assets and other negative impacts on our financial position, including possible constraints on liquidity and capital, as well as higher costs of capital. Even after the COVID-19 pandemic has subsided, we may continue to experience adverse impacts to our business and results of operations, which could be material, as a result of the macroeconomic impact and any recession that has occurred or may occur in the future. The spread of COVID-19 has caused us to modify our business practices and operations, including providing a range of forbearance options to our customers in certain circumstances, which could impact our credit metrics, financial condition, capital and results of operations. We may need to further modify our practices and operations as this event unfolds. We have also implemented work-from-home policies for a vast majority of our employees, and social distancing plans for our employees who are working from Capital One facilities. Nearly all of our Cafés and bank branches across our network are open with increased safety precautions. We will continue to monitor local conditions to ensure the safety of our associates and customers while providing critical banking services. These measures could impair our ability to perform critical functions and may adversely impact our results of operations. In addition, these measures and other changes in consumer behavior as a result of the COVID-19 pandemic may require changes to retail distribution strategies and adversely impact our investments in our bank premises and equipment and other retail distribution assets, leading to increased costs and exposure to additional risks. We may take further actions as required by government authorities or that we otherwise determine are in the best interests of our customers, employees and business partners. Federal, state, local and foreign governmental authorities have enacted, and may enact in the future, legislation, regulations and protocols in response to the COVID-19 pandemic, including governmental programs intended to provide economic relief to businesses and individuals. We have participated in certain of these programs, including participating as an eligible lender in the Small Business Administration’s Paycheck Protection Program. Our participation in and execution of any such programs may cause operational, compliance, reputational and credit risks, which could result in litigation, governmental action or other forms of loss. The extent of these impacts, which may be substantial, will depend on the degree of our participation in these programs. There remains significant uncertainty regarding the measures that authorities will enact in the future and the ultimate impact of the legislation, regulations and protocols that have been and will be enacted. Moreover, we expect that the effects of the COVID-19 pandemic will heighten many of the other known risks described herein. See Part I-Item 1.-Business-Overview-Coronavirus Disease 2019 (COVID-19) Pandemic. Changes and instability in the macroeconomic environment, consumer confidence and customer behavior may adversely affect our business. We offer a broad array of financial products and services to consumers, small businesses and commercial clients. A prolonged period of economic volatility, slow growth, or a significant deterioration in economic conditions, in the U.S., Canada or the U.K., could have a material adverse effect on our financial condition and results of operations as customers default on their loans, maintain lower deposit levels or, in the case of credit card accounts, carry lower balances and reduce credit card purchase activity. Some of the risks we face in connection with adverse changes and instability in the macroeconomic environment, including changes in consumer confidence levels and behavior, include the following: •Changes in payment patterns, increases in delinquencies and default rates, decreased consumer spending, lower demand for credit and shifts in consumer payment behavior towards avoiding late fees, finance charges and other fees; •Increases in our charge-off rate caused by bankruptcies and reduced ability to recover debt that we have previously charged-off; •Decreased reliability of the process and models we use to estimate our allowance for loan and lease losses, particularly if unexpected variations in key inputs and assumptions cause actual losses to diverge from the projections of our models and our estimates become increasingly subject to management’s judgment. See “We face risks resulting from the extensive use of models and data.” The U.K. and the European Union agreed to a free trade deal at the end of 2020 relating to the U.K.’s exit from the European Union (“Brexit”). While this deal provides greater near-term stability, the on-going impact of Brexit and its full effects on the U.K. economy and our business related thereto remain uncertain. We continue to consider and monitor the potential impacts, and other factors, including the COVID-19 pandemic, that could also impact U.K. economic performance. Financial market instability and volatility could adversely affect our business. Our ability to borrow from other financial institutions or to engage in funding transactions on favorable terms or at all could be adversely affected by disruptions in the capital markets or other events, including actions by rating agencies and deteriorating investor expectations, which could limit our access to funding. In addition, fluctuations in interest rates, credit spreads and other market factors could negatively impact our results of operations. Both shorter-term and longer-term interest rates remain below long-term historical averages and the yield curve has been relatively flat compared to past periods. A flat yield curve combined with low interest rates generally leads to lower revenue and reduced margins because it tends to limit our ability to increase the spread between asset yields and funding costs. Sustained periods of time with a flat yield curve coupled with low interest rates, or an inversion of the yield curve, could have a material adverse effect on our net interest margin and earnings. In response to the economic consequences of the COVID-19 pandemic, the Federal Reserve lowered its target for the federal funds rate to a range of 0% to 0.25%. Such low rates increase the risk in the U.S. of a negative interest rate environment in which interest rates drop below zero, either broadly or for some types of instruments. For example, yields on one-month and three-month Treasuries briefly dropped below zero in March 2020. Such an occurrence would likely further reduce the interest we earn on loans and other interest-earning assets, while also likely requiring us to pay to maintain our deposits with the Federal Reserve. Our systems may not be able to handle adequately a negative interest rate environment and not all variable rate instruments are designed for such a circumstance. We cannot predict the nature or timing of future changes in monetary policies in response to the COVID-19 pandemic or the precise effects that they may have on our activities and financial results. Credit Risk We may experience increased delinquencies, credit losses, inaccurate estimates and inadequate reserves. Like other lenders, we face the risk that our customers will not repay their loans. A customer’s ability and willingness to repay us can be adversely affected by increases in their payment obligations to other lenders, whether as a result of higher debt levels or rising interest rates, by restricted availability of credit generally, or by the revenue and income of the borrower. We may fail to quickly identify and reduce our exposure to customers that are likely to default on their payment obligations, whether by closing credit lines or restricting authorizations. Our ability to manage credit risk also is affected by legal or regulatory changes (such as restrictions on collections, bankruptcy laws, minimum payment regulations and re-age guidance), competitors’ actions and consumer behavior, and depends on the effectiveness of our collections staff, techniques and models. Rising losses or leading indicators of rising losses (such as higher delinquencies, higher rates of nonperforming loans, higher bankruptcy rates, lower collateral values, elevated unemployment rates or changing market terms) may require us to increase our allowance for credit losses, which may degrade our profitability if we are unable to raise revenue or reduce costs to compensate for higher losses. In particular, we face the following risks in this area: •Missed Payments: Our customers may miss payments. Loan charge-offs (including from bankruptcies) are generally preceded by missed payments or other indications of worsening financial condition for our customers. Historically, customers are more likely to miss payments during an economic downturn or prolonged periods of slow economic growth. In addition, we face the risk that consumer and commercial customer behavior may change (for example, an increase in the unwillingness or inability of customers to repay debt, which may be heightened by increasing interest rates or levels of consumer debt), causing a long-term rise in delinquencies and charge-offs. •Incorrect Estimates of Expected Losses: The credit quality of our portfolio can have a significant impact on our earnings. We allow for and reserve against credit risks based on our assessment of expected credit losses in our loan portfolios. This process, which is critical to our financial condition and results of operations, requires complex judgments, including forecasts of economic conditions. We may underestimate our expected losses and fail to hold an allowance for credit losses sufficient to account for these losses. Incorrect assumptions could lead to material underestimations of expected credit losses and an inadequate allowance for credit losses. •Inaccurate Underwriting: Our ability to accurately assess the creditworthiness of our customers may diminish, which could result in an increase in our credit losses and a deterioration of our returns. See “Our risk management strategies may not be fully effective in mitigating our risk exposures in all market environments or against all types of risk.” •Business Mix: We engage in a diverse mix of businesses with a broad range of potential credit exposure. Because we originate a relatively greater proportion of consumer loans in our loan portfolio compared to other large bank peers and originate both prime and subprime credit card accounts and auto loans, we may experience higher delinquencies and a greater number of accounts charging off compared to other large bank peers, which could result in increased credit losses, operating costs and regulatory scrutiny. Additionally, a change in this business mix over time to include proportionally more consumer loans or subprime credit card accounts or auto loans could adversely affect the credit quality of our portfolio. •Increasing Charge-off Recognition/Allowance for Credit Losses: We account for the allowance for credit losses according to accounting and regulatory guidelines and rules, including Financial Accounting Standards Board (“FASB”) standards and the Federal Financial Institutions Examination Council (“FFIEC”) Account Management Guidance. Effective as of January 1, 2020, we adopted the CECL standard which is based on expected lifetime losses rather than incurred losses. Adoption of the CECL standard has resulted and may continue to result in an increase to our reserves for credit losses on financial instruments with a resulting adverse impact on our financial condition. The continued impact of CECL on our future results will depend on the characteristics of our financial instruments, economic conditions, and our economic and loss forecasts. The application of the CECL standard requires us to increase reserves faster and to a higher level in an economic downturn, resulting in greater impact to our results and our capital ratios than we would have experienced in similar circumstances prior to the adoption of CECL. In addition, because credit cards represent a significant portion of our product mix, we could be disproportionately affected by use of the CECL standard, as compared to our large bank peers with a different product mix. See “MD&A-Accounting Changes and Developments” for additional information. •Insufficient Asset Values: The collateral we have on secured loans could be insufficient to compensate us for credit losses. When customers default on their secured loans, we attempt to recover collateral where permissible and appropriate. However, the value of the collateral may not be sufficient to compensate us for the amount of the unpaid loan, and we may be unsuccessful in recovering the remaining balance from our customers. Decreases in real estate and other asset values adversely affect the collateral value for our commercial lending activities, while the auto business is similarly exposed to collateral risks arising from the auction markets that determine used car prices. Borrowers may be less likely to continue making payments on loans if the value of the property used as collateral for the loan is less than what the borrower owes, even if the borrower is still financially able to make the payments. In that circumstance, the recovery of such property could be insufficient to compensate us for the value of these loans upon a default. In our auto business, business and economic conditions that negatively affect household incomes, housing prices and consumer behavior, as well as technological advances that make older cars obsolete faster, could decrease (i) the demand for new and used vehicles and (ii) the value of the collateral underlying our portfolio of auto loans, which could cause the number of consumers who become delinquent or default on their loans to increase. •Geographic and Industry Concentration: Although our consumer lending is geographically diversified, approximately 27% of our commercial loan portfolio is concentrated in the tri-state area of New York, New Jersey and Connecticut. The regional economic conditions in the tri-state area affect the demand for our commercial products and services as well as the ability of our customers to repay their commercial loans and the value of the collateral securing these loans. An economic downturn or prolonged period of slow economic growth in, or a catastrophic event that disproportionately affects, the tri-state area could have a material adverse effect on the performance of our commercial loan portfolio and our results of operations. In addition, our Commercial Banking strategy includes an industry-specific focus. If any of the industries that we focus on experience changes, we may experience increased credit losses and our results of operations could be adversely impacted. For example, as of December 31, 2020, healthcare and healthcare-related real estate loans represented approximately 19% of our total commercial loan portfolio. If healthcare-related industries or any of the other industries that we focus on experience adverse changes, we may experience increased credit losses and our results of operations could be adversely impacted. Capital and Liquidity Risk We may not be able to maintain adequate capital or liquidity levels, which could have a negative impact on our financial results and our ability to return capital to our stockholders. Financial institutions are subject to extensive and complex capital and liquidity requirements. These requirements affect our ability to lend, grow deposit balances, make acquisitions and make most capital distributions. Failure to maintain adequate capital or liquidity levels, whether due to adverse developments in our business or the economy or to changes in the applicable requirements, could subject us to a variety of remedies available to our regulators. These include limitations on the ability to pay dividends, repurchase shares and the issuance of a capital directive to increase capital. Such limitations could have a material adverse effect on our business and results of operations. We consider various factors in the management of capital, including the impact of stress on our capital levels, as determined by both our internal modeling and the Federal Reserve’s modeling of our capital position in supervisory stress tests and CCAR. There can be significant differences between our modeling and the Federal Reserve’s estimates for a given scenario and between the capital needs suggested by our internal bank holding company scenarios relative to the supervisory scenarios. Therefore, although our estimated capital levels under stress disclosed as part of the CCAR or DFAST processes may suggest that we have substantial capacity to return capital to stockholders and remain well capitalized under stress, the Federal Reserve’s modeling, our internal modeling of another scenario or other factors related to our capital management process may result in a materially lower capacity to return capital to stockholders than that indicated by the projections released in the CCAR or DFAST processes. This in turn, could lead to restrictions on our ability to pay dividends and engage in share repurchase transactions. See “Part I-Item 1. Business-Supervision and Regulation” for additional information. In addition, the current capital and liquidity requirements are subject to change. The Federal Banking Agencies finalized the Tailoring Rule in the fourth quarter of 2019. Under the Tailoring Rule, we are a Category III institution, and are no longer subject to the Basel III Advanced Approaches and associated capital requirements, but we continue to be subject to the countercyclical capital buffer and supplementary leverage ratio. In March 2020, the Federal Reserve issued a final rule to implement the stress capital buffer requirement. This final rule became effective in May 2020. Pursuant to the Stress Capital Buffer Rule, the Federal Reserve will use the results of its supervisory stress test to determine the size of a large banking institution’s stress capital buffer requirement, which replaces the previous 2.5% capital conservation buffer under the Basel III Standardized Approach. Our stress capital buffer requirement is 5.6% for the period from October 1, 2020 through September 30, 2021, at which point a revised stress capital buffer requirement will be applicable to us based on our 2021 stress testing results. In addition, on June 25, 2020 the Federal Reserve introduced measures to ensure that large BHCs maintained a high level of capital resilience. Specifically, the Federal Reserve required certain large BHCs, including us, to suspend share repurchases and cap common dividends during the third and fourth quarters of 2020. Consistent with the Federal Reserve’s capital distribution restrictions, we reduced our quarterly dividend on our common stock from $0.40 per share to $0.10 per share for the third quarter of 2020, which we maintained into the fourth quarter of 2020. The Federal Banking Agencies also finalized rules to implement the NSFR in October 2020. The NSFR is designed to ensure that banking organizations maintain a stable, long-term funding profile in relation to their asset composition and off-balance sheet activities and its requirements will become effective as of July 1, 2021. On December 18, 2020, the Federal Reserve extended the capital distribution restrictions for all participating BHCs to the first quarter of 2021, with certain modifications. In particular, for the first quarter of 2021, participating BHCs may resume share repurchases however the aggregate amount of dividend payments and share repurchases will be limited to an amount based on net income earned in the preceding four calendar quarters. See “Part I-Item 1. Business-Supervision and Regulation” for additional information. Further changes to applicable capital and liquidity requirements could result in unexpected or new limitations on our ability to pay dividends and engage in share repurchases. Operational Risk We face risks related to our operational, technological and organizational infrastructure. Our ability to retain and attract customers depends on our ability to develop, operate, and adapt our technology and organizational infrastructure in a rapidly changing environment. In addition, we must accurately process, record and monitor an increasingly large number of complex transactions. Digital technology, data and software development are deeply embedded into our business model and how we work. Similar to other large corporations, we are exposed to operational risk that can manifest itself in many ways, such as errors in execution, inadequate processes, inaccurate models, faulty or disabled technological infrastructure, and fraud by employees or persons outside of our company. In addition, we are heavily dependent on the security, capability and continuous availability of the technology systems that we use to manage our internal financial and other systems, monitor risk and compliance with regulatory requirements, provide services to our customers, develop and offer new products and communicate with stakeholders. We also face risk of adverse customer impacts and business disruption arising from the execution of strategic initiatives we may pursue across our operations. If we do not maintain the necessary operational, technological and organizational infrastructure to operate our business, including to maintain the security of that infrastructure, our business and reputation could be materially adversely affected. We also are subject to disruptions to our operating systems arising from events that are wholly or partially beyond our control, which may include computer viruses, electrical or telecommunications outages, design flaws in foundational components or platforms, availability and quality of vulnerability patches from key vendors, cyber-attacks (including Distributed Denial of Service (“DDOS”) and other attacks on our infrastructure as discussed below), natural disasters, other damage to property or physical assets, or events arising from local or larger scale politics, including terrorist acts. Any failure to maintain our infrastructure or disruption of our operating systems and applications could diminish our ability to operate our businesses, service customer accounts and protect customers’ information, or result in potential liability to customers, reputational damage, regulatory intervention and customers’ loss of confidence in our businesses, any of which could result in a material adverse effect. We also rely on the business infrastructure and systems of third parties with which we do business and to whom we outsource the operation, maintenance and development of our information technology and communications systems. We have migrated substantially all, and intend to migrate all, of our core information technology systems and customer-facing applications to third-party cloud infrastructure platforms, principally AWS. If we do not complete the transition or fail to administer these new environments in a well-managed, secure and effective manner, or if AWS platforms become unavailable or do not meet their service level agreements for any reason, we may experience unplanned service disruption or unforeseen costs which could result in material harm to our business and results of operations. We must successfully develop and maintain information, financial reporting, disclosure, data-protection and other controls adapted to our reliance on outside platforms and providers. In addition, AWS, or other service providers, could experience system breakdowns or failures, outages, downtime, cyber-attacks, adverse changes to financial condition, bankruptcy, or other adverse conditions, which could have a material adverse effect on our business and reputation. Thus, the substantial amount of our infrastructure that we outsource to AWS or to other third parties may increase our risk exposure. Any disruptions, failures or inaccuracies of our operational and technology systems and models, including those associated with improvements or modifications to such systems and models, could cause us to be unable to market and manage our products and services, manage our risk, meet our regulatory obligations or report our financial results in a timely and accurate manner, all of which could have a negative impact on our results of operations. In addition, our ongoing investments in infrastructure, which are necessary to maintain a competitive business, integrate acquisitions and establish scalable operations, may increase our expenses. As our business develops, changes or expands, additional expenses can arise as a result of a reevaluation of business strategies, management of outsourced services, asset purchases or other acquisitions, structural reorganization, compliance with new laws or regulations, or the integration of newly acquired businesses, or the prevention or occurrence of data security incidents. If we are unable to successfully manage our expenses, our financial results will be negatively affected. Changes to our business, including as a result of our strategic objectives, also requires robust governance to ensure that our objectives are executed as intended without adversely impacting our customers, associates, operations or financial performance. Ineffective change management oversight and governance over the execution of our strategic objectives could expose us to operational, strategic and reputational risk and could negatively impact customers or our financial performance. Theft, loss or misuse of information as a result of a cyber-attack may result in increased costs, reductions in revenue, reputational damage and business disruptions. Our products and services involve the gathering, authenticating, managing, processing, and the storing and transmission of sensitive and confidential information regarding our customers and their accounts, our employees and third parties with which we do business. Our ability to provide such products and services, many of which are web-based, depends upon the management and safeguarding of information, software, methodologies and business secrets. To provide these products and services to, as well as communicate with, our customers, we rely on information systems and infrastructure, including software and data engineering, and information security personnel, digital technologies, computer and email systems, software, networks and other web-based technologies. We also have arrangements in place with third parties through which we share and receive information about their customers who are or may become our customers. Technologies, systems, networks and devices of Capital One or our employees, service providers or other third parties with whom we interact may continue to be the subject of attempted unauthorized access, mishandling or misuse of information, denial-of-service attacks, computer viruses, website defacement, hacking, malware, ransomware, phishing or other forms of social engineering, and other forms of cyber-attacks designed to obtain confidential information, destroy data, disrupt or degrade service, sabotage systems or cause other damage, and other events. These threats, such as the Cybersecurity Incident, may derive from error, fraud or malice on the part of our employees, insiders or third parties or may result from accidental technological failure. Any of these parties may also attempt to fraudulently induce employees, customers or other third-party users of our systems to disclose sensitive information in order to gain access to our data or that of our customers or third parties with whom we interact, or to unlawfully obtain monetary benefit through misdirected or otherwise improper payment. Further, cyber and information security risks for large financial institutions like us continue to increase due to the proliferation of new technologies, the use of the internet to conduct financial transactions, and the increased sophistication and activities of organized crime, perpetrators of fraud, hackers, terrorists, activists, formal and informal instrumentalities of foreign governments and other external parties. In addition, our customers access our products and services using computers, smartphones, tablets and other mobile devices that are beyond our security control systems. The methods and techniques employed by perpetrators of fraud and others to attack, disable, degrade or sabotage platforms, systems and applications change frequently, are increasingly sophisticated and often are not fully recognized or understood until after they have occurred, and some techniques could occur and persist for an extended period of time before being detected. For example, although we immediately fixed the configuration vulnerability that was exploited in the Cybersecurity Incident once we discovered the unauthorized access, a period of time elapsed between the occurrence of the unauthorized access and the time when we discovered it. In other circumstances, we and our third-party service providers and partners may be unable to anticipate or identify certain attack methods in order to implement effective preventative measures or mitigate or remediate the damages caused in a timely manner. We may also be unable to hire and develop talent capable of detecting, mitigating or remediating these risks. Although we seek to maintain a robust suite of authentication and layered information security controls, including our cyber threat analytics, data encryption and tokenization technologies, anti-malware defenses and vulnerability management program, any one or combination of these controls could fail to detect, mitigate or remediate these risks in a timely manner. We will likely face an increasing number of attempted cyber-attacks as we expand our mobile and other internet-based products and services, as well as our usage of mobile and cloud technologies and as we provide more of these services to a greater number of retail clients. A disruption or breach, including as a result of a cyber-attack such as the Cybersecurity Incident, or media reports of perceived security vulnerabilities at Capital One or at our third-party service providers, could result in significant legal and financial exposure, regulatory intervention, litigation and remediation costs, card reissuance, supervisory liability, damage to our reputation or loss of confidence in the security of our systems, products and services that could adversely affect our business. We and other U.S. financial services providers continue to be targeted with evolving and adaptive cybersecurity threats from sophisticated third parties. We are continuing to assess the impact of the Cybersecurity Incident and there can be no assurance that additional unauthorized access or cyber incidents will not occur or that we will not suffer material losses in the future. Unauthorized access or cybersecurity incidents could occur more frequently and on a more significant scale. If future attacks like these are successful or if customers are unable to access their accounts online for other reasons, it could adversely impact our ability to service customer accounts or loans, complete financial transactions for our customers or otherwise operate any of our businesses or services. In addition, a breach or attack affecting one of our third-party service providers or partners could harm our business even if we do not control the service that is attacked. In addition, the increasing prevalence and the evolution of cyber-attacks and other efforts to breach or disrupt our systems or those of our partners, retailers or other market participants has led, and will likely continue to lead, to increased costs to us with respect to preventing, mitigating and remediating these risks, as well as any related attempted fraud. In order to address ongoing and future risks, including from the Cybersecurity Incident, we must expend significant resources to support protective security measures, investigate and remediate any vulnerabilities of our information systems and infrastructure and invest in new technology designed to mitigate security risks. The Cybersecurity Incident, or successful cyber-attacks at other large financial institutions or other market participants (whether or not we are impacted), could lead to a general loss of customer confidence in financial institutions that could negatively affect us, including harming the market perception of the effectiveness of our security measures or the financial system in general which could result in reduced use of our financial products. We have insurance against some cyber-risks and attacks, including insurance that is expected to cover certain costs associated with the Cybersecurity Incident; nonetheless, our insurance coverage may not be sufficient to offset the impact of a material loss event, and such insurance may increase in cost or cease to be available on commercial terms in the future. Potential data protection and privacy incidents, and our required compliance with regulations related to these areas, may increase our costs, reduce our revenue and limit our ability to pursue business opportunities. A breach, failure or other disruption of our information systems or infrastructure or data management processes, or those of our customers, partners, service providers or other market participants, could lead, depending on the nature of the incident, to the unauthorized or unintended access to and release, gathering, monitoring, misuse, loss or destruction of personal or confidential data about our customers, employees or other third parties in our possession. Any party that obtains this personal or confidential data through a breach or disruption may use this information for ransom, to be paid by us or a third-party, as part of a fraudulent activity that is part of a broader criminal activity, or for other illicit purposes. Further, such disruption or breach could also result in unauthorized access to our proprietary information, intellectual property, software, methodologies and business secrets and in unauthorized transactions in Capital One accounts or unauthorized access to personal or confidential information maintained by those entities. There has been a significant proliferation of consumer information available on the internet resulting from breaches of third-party entities, including personal information, log-in credentials and authentication data. While we were not directly involved in these third-party breach events, the stolen information can create a vulnerability for our customers if their Capital One log-in credentials are the same as or similar to the credentials that have been compromised on other sites. This vulnerability could include the risk of unauthorized account access, data loss and fraud. The use of artificial intelligence, “bots” or other automation software, can increase the velocity and efficacy of these types of attacks. We are continuing to assess the impact of the Cybersecurity Incident. The Cybersecurity Incident, other data security incidents we may experience in the future, or media reports of perceived security vulnerabilities at Capital One or at third-party service providers, could result in significant legal and financial exposure, regulatory intervention, remediation costs, card reissuance, supervisory liability, damage to our reputation or loss of confidence in the security of our systems, products and services that could adversely affect our business. We are subject to a variety of continuously evolving and developing laws and regulations in the United States and abroad regarding privacy, data protection and data security, including those related to the collection, storage, handling, use, disclosure, transfer and security of personal data. Significant uncertainty exists as privacy and data protection laws may be interpreted and applied differently from country to country and may create inconsistent or conflicting requirements. For example, in Canada we are subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). In addition, the General Data Protection Regulation (“GDPR”) applies EU data protection law to all companies processing data of EU residents, regardless of the company’s location. More recently, on January 1, 2020, the CCPA went into effect for companies doing business in California. These laws impose strict requirements regarding the collection, storage, handling, use, disclosure, transfer and security of personal data, which may have adverse consequences, including severe monetary penalties. Our efforts to comply with PIPEDA, GDPR, CCPA and other privacy and data protection laws entail substantial expenses, may divert resources from other initiatives and projects, and could limit the services we are able to offer. Furthermore, enforcement actions and investigations by regulatory authorities related to data security incidents and privacy violations continue to increase. The enactment of more restrictive laws, rules, regulations, or future enforcement actions or investigations could impact us through increased costs or restrictions on our business, and noncompliance could result in monetary or other penalties and significant legal liability. We face risks resulting from the extensive use of models and data. We rely on quantitative models, and our ability to manage data and aggregate data in an accurate and timely manner, assess and manage our various risk exposures, estimate certain financial values and manage compliance with required regulatory capital requirements. Models may be used in such processes as determining the pricing of various products, grading loans and extending credit, measuring interest rate and other market risks, predicting deposit levels or loan losses, assessing capital adequacy and calculating economic and regulatory capital levels, estimating the value of financial instruments and balance sheet items, and other operational functions. Our risk reporting and management, including business decisions based on information incorporating models, depend on the effectiveness of our models and our policies, programs, processes and practices governing how data is acquired, validated, stored, protected, processed and analyzed. Any issues with the quality or effectiveness of our data aggregation and validation procedures, as well as the quality and integrity of data inputs, formulas or algorithms, could result in inaccurate forecasts, ineffective risk management practices or inaccurate risk reporting. In addition, models based on historical data sets might not be accurate predictors of future outcomes and their ability to appropriately predict future outcomes may degrade over time. While we continuously update our policies, programs, processes and practices, many of our data management, aggregation and implementation processes are manual and subject to human error or system failure. Failure to manage data effectively and to aggregate data in an accurate and timely manner may limit our ability to manage current and emerging risk, to produce accurate financial, regulatory and operational reporting as well as to manage changing business needs. If our risk management framework is ineffective, we could suffer unexpected losses which could materially adversely affect our results of operation or financial condition. Also, any information we provide to the public or to our regulators based on poorly designed or implemented models could be inaccurate or misleading. Some of the decisions that our regulators make, including those related to capital distribution to our stockholders, could be affected adversely due to the perception that the quality of the models used to generate the relevant information is insufficient. Legal and Regulatory Risk Compliance with new and existing laws, regulations and regulatory expectations is costly and complex. We are subject to extensive regulatory oversight by the federal banking regulators to ensure that we build systems and processes that are commensurate with the nature of our business and that meet the risk management and prudential standards issued by our regulators. A wide array of banking and consumer lending laws apply to almost every aspect of our business. Failure to comply with these laws and regulations could result in financial, structural and operational penalties, including significant fines and criminal sanctions, and/or damage to our reputation with regulators, our customers or the public. Hiring, training and retaining qualified compliance and legal personnel, and establishing and maintaining compliance-related systems, infrastructure and processes, is difficult and these efforts could limit our ability to invest in other business opportunities. Furthermore, applicable rules and regulations may affect us in an unforeseen manner, or may have a disproportionate impact on us as compared to our competitors. Over the last several years, state and federal regulators have focused on compliance with the Bank Secrecy Act and anti-money laundering (“AML”) laws, data integrity and security, use of service providers, fair lending and other consumer protection issues. For example, in July 2015, Capital One entered into a consent order with the OCC to address concerns about our AML program and in October 2018, Capital One paid a civil monetary penalty assessed by the OCC relating to our AML program. The OCC lifted the AML consent order in November 2019. In addition, in August 2020 we entered into consent orders with the Federal Reserve and the OCC resulting from regulatory reviews of the Cybersecurity Incident and relating to ongoing enhancements of our cybersecurity and operational risk management processes, and we paid a civil monetary penalty as part of the OCC agreement. In January 2021, we also paid a civil monetary penalty assessed by the Financial Crimes Enforcement Network (“FinCEN”) against CONA in connection with our AML program. Failure to maintain compliance with laws and regulations could result in significant additional governmental fines or penalties. We have a large number of customer accounts in our credit card and auto lending businesses and we have made the strategic choice to originate and service subprime credit card and auto loans, which typically have higher delinquencies and charge-offs than prime customers. As a result, we have significant involvement with credit bureau reporting and the collection and recovery of delinquent and charged-off debt, primarily through customer communications, the filing of litigation against customers in default, the periodic sale of charged-off debt and vehicle repossession. These activities are subject to enhanced legal and regulatory scrutiny from regulators, courts and legislators. Any future changes to our business practices in these areas, including our debt collection practices, whether mandated by regulators, courts, legislators or otherwise, or any legal liabilities resulting from our business practices, including our debt collection practices, could have a material adverse impact on our financial condition. The legislative and regulatory environment is beyond our control, may change rapidly and unpredictably and may negatively influence our revenue, costs, earnings, growth, liquidity and capital levels. In addition, some rules and regulations may be subject to litigation or other challenges that delay or modify their implementation and impact on us. Adoption of new technologies, such as distributed ledger technologies, artificial intelligence and machine learning technologies, can present unforeseen challenges in applying and relying on existing compliance systems. Certain laws and regulations, and any interpretations and applications with respect thereto, are generally intended to protect consumers, borrowers, depositors, the DIF, the U.S. banking and financial system, and financial markets as a whole, but not stockholders. Our success depends on our ability to maintain compliance with both existing and new laws and regulations. For a description of the material laws and regulations to which we are subject, see “Part I-Item 1. Business-Supervision and Regulation.” Our businesses are subject to the risk of increased litigation, government investigations and regulatory enforcement. Our businesses are subject to increased litigation, government investigations and other regulatory enforcement risks as a result of a number of factors and from various sources, including the highly regulated nature of the financial services industry, the focus of state and federal prosecutors on banks and the financial services industry and the structure of the credit card industry. Given the inherent uncertainties involved in litigation, government investigations and regulatory enforcement decisions, and the very large or indeterminate damages sought in some matters asserted against us, there can be significant uncertainty as to the ultimate liability we may incur from these kinds of matters. The finding, or even the assertion, of substantial legal liability against us could have a material adverse effect on our business and financial condition and could cause significant reputational harm to us, which could seriously harm our business. The Cybersecurity Incident has resulted in litigation, government investigations and other regulatory enforcement inquiries. In addition, financial institutions, such as ourselves, face significant regulatory scrutiny, which can lead to public enforcement actions or non-public supervisory actions. We and our subsidiaries are subject to comprehensive regulation and periodic examination by, among other regulatory bodies, the Federal Reserve, the SEC, OCC, FDIC and CFPB. We have been subject to enforcement actions by many of these and other regulators and may continue to be involved in such actions, including governmental inquiries, investigations and enforcement proceedings, including by the OCC, Department of Justice, FinCEN and state Attorneys General. We expect that regulators and governmental enforcement bodies will continue taking formal enforcement actions against financial institutions in addition to addressing supervisory concerns through non-public supervisory actions or findings, which could involve restrictions on our activities, or our ability to make acquisitions or otherwise expand our business, among other limitations that could adversely affect our business. In addition, a violation of law or regulation by another financial institution is likely to give rise to an investigation by regulators and other governmental agencies of the same or similar practices by us. Furthermore, a single event may give rise to numerous and overlapping investigations and proceedings. These and other initiatives from governmental authorities and officials may subject us to further judgments, settlements, fines or penalties, or cause us to restructure our operations and activities or to cease offering certain products or services, all of which could harm our reputation or lead to higher operational costs. Litigation, government investigations and other regulatory actions could involve restrictions on our activities, generally subject us to significant fines, increased expenses, restrictions on our activities and damage to our reputation and our brand, and could adversely affect our business, financial condition and results of operations. For additional information regarding legal and regulatory proceedings that we are subject to, see “Note 18-Commitments, Contingencies, Guarantees and Others.” Other Business Risks We face intense competition in all of our markets. We operate in a highly competitive environment, whether in making loans, attracting deposits or in the global payments industry, and we expect competitive conditions to continue to intensify with respect to most of our products. We compete on the basis of the rates we pay on deposits and the rates and other terms we charge on the loans we originate or purchase, as well as the quality and range of our customer service, products, innovation and experience. This increasingly competitive environment is primarily a result of changes in technology, product delivery systems and regulation, as well as the emergence of new or significantly larger financial services providers, all of which may affect our customers’ expectations and demands. In addition to offering competitive products and services, we invest in and conduct marketing campaigns to attract and inform customers. Some of our competitors, including new and emerging competitors in the digital and mobile payments space and other financial technology providers, are not subject to the same regulatory requirements or legislative scrutiny to which we are subject, which also could place us at a competitive disadvantage, in particular in the development of new technology platforms or the ability to rapidly innovate. We compete with many forms of payments offered by both bank and non-bank providers, including a variety of new and evolving alternative payment mechanisms, systems and products, such as aggregators and web-based and wireless payment platforms or technologies, digital or “crypto” currencies, prepaid systems and payment services targeting users of social networks, communications platforms and online gaming. If we are unable to continue to keep pace with innovation, do not effectively market our products and services or are prohibited from or unwilling to enter emerging areas of competition, our business and results of operations could be adversely affected. Some of our competitors are substantially larger than we are, which may give those competitors advantages, including a more diversified product and customer base, the ability to reach more customers and potential customers, operational efficiencies, broad-based local distribution capabilities, lower-cost funding and larger existing branch networks. Many of our competitors are also focusing on cross-selling their products and developing new products or technologies, which could affect our ability to maintain or grow existing customer relationships or require us to offer lower interest rates or fees on our lending products or higher interest rates on deposits. Competition for loans could result in origination of fewer loans, earning less on our loans or an increase in loans that perform below expectations. As of December 31, 2020, we operate as one of the largest online direct banks in the United States by deposits. While direct banking provides a significant opportunity to attract new customers that value greater and more flexible access to banking services at reduced costs, we face strong and increasing competition in the direct banking market. Aggressive pricing throughout the industry may adversely affect the retention of existing balances and the cost-efficient acquisition of new deposit funds and may affect our growth and profitability. Customers could also close their online accounts or reduce balances or deposits in favor of products and services offered by competitors for other reasons. These shifts, which could be rapid, could result from general dissatisfaction with our products or services, including concerns over pricing, online security or our reputation. The potential consequences of this competitive environment are exacerbated by the flexibility of direct banking and the financial and technological sophistication of our online customer base. In our credit card business, competition for rewards customers may result in higher rewards expenses, or we may fail to attract new customers or retain existing rewards customers due to increasing competition for these consumers. As of December 31, 2020, we have a number of large partnerships in our credit card loan portfolio. The market for key business partners, especially in the credit card business, is very competitive, and we may not be able to grow or maintain these partner relationships. We face the risk that we could lose partner relationships, even after we have invested significant resources into acquiring and developing the relationships. The loss of any of our key business partners could have a negative impact on our results of operations, including lower returns, excess operating expense and excess funding capacity. We depend on our partners to effectively promote our cobrand and private label products and integrate the use of our credit cards into their retail operations. The failure by our partners to effectively promote and support our products as well as changes they may make in their business models could adversely affect card usage and our ability to achieve the growth and profitability objectives of our partnerships. In addition, if our partners do not adhere to the terms of our program agreements and standards, or otherwise diminish the value of our brand, we may suffer reputational damage and customers may be less likely to use our products. Some of our competitors have developed, or may develop, substantially greater financial and other resources than we have, may offer richer value propositions or a wider range of programs and services than we offer or may use more effective advertising, marketing or cross-selling strategies to acquire and retain more customers, capture a greater share of spending and borrowings, attain and develop more attractive cobrand card programs and maintain greater merchant acceptance than we have. We may not be able to compete effectively against these threats or respond or adapt to changes in consumer spending habits as effectively as our competitors. In such a competitive environment, we may lose entire accounts or may lose account balances to competing firms, or we may find it more costly to maintain our existing customer base. Customer attrition from any or all of our lending products, together with any lowering of interest rates or fees that we might implement to retain customers, could reduce our revenues and therefore our earnings. Similarly, unexpected customer attrition from our deposit products, in addition to an increase in rates or services that we may offer to retain deposits, may increase our expenses and therefore reduce our earnings. Our business, financial condition and results of operations may be adversely affected by merchants’ increasing focus on the fees charged by credit card networks and by legislation and regulation impacting such fees. Credit card interchange fees are generally one of the largest components of the costs that merchants pay in connection with the acceptance of credit cards and are a meaningful source of revenue for our credit card businesses. Interchange fees are the subject of significant and intense global legal, legislative and regulatory focus, and the resulting decisions, legislation and regulation may have a material adverse impact on our overall business, financial condition and results of operations. Legislative and regulatory bodies in a number of countries are seeking to reduce credit card interchange fees through legislation, competition-related regulatory proceedings, central bank regulation and or litigation. Interchange reimbursement rates in the United States are set by credit card networks such as MasterCard and Visa. In some jurisdictions, such as Canada and certain countries in the EU, interchange fees and related practices are subject to regulatory activity that has limited the ability of certain networks to establish default rates, including in some cases imposing caps on permissible interchange fees. We have already experienced these impacts in our international card businesses. Legislators and regulators around the world are aware of each other’s approaches to the regulation of the payments industry. Consequently, a development in one country, state or region may influence regulatory approaches in another, such as our primary market, the United States. In addition to this regulatory activity, merchants are also seeking avenues to reduce interchange fees. During the past few years, merchants and their trade groups have filed numerous lawsuits against Visa, MasterCard, American Express and their card- issuing banks, claiming that their practices toward merchants, including interchange and similar fees, violate federal antitrust laws. In 2005, a number of entities filed antitrust lawsuits against MasterCard and Visa and several member banks, including our subsidiaries and us, alleging among other things, that the defendants conspired to fix the level of interchange fees. In December 2013, the U.S. District Court for the Eastern District of New York granted final approval of the proposed class settlement. The settlement provided, among other things, that merchants would be entitled to join together to negotiate lower interchange fees. The settlement was appealed to the Second Circuit Court of Appeals, which rejected the settlement in June 2016; a revised settlement was reached in the second half of 2018, and the trial court issued its final approval of the settlement in December 2019. See “Note 18-Commitments, Contingencies, Guarantees and Others” for further details. Some major retailers may have sufficient bargaining power to independently negotiate lower interchange fees with MasterCard and Visa, which could, in turn, result in lower interchange fees for us when our cardholders undertake purchase transactions with these retailers. In 2016, some of the largest merchants individually negotiated lower interchange rates with MasterCard and/or Visa. These and other merchants also continue to lobby aggressively for caps and restrictions on interchange fees and their efforts may be successful or they may in the future bring legal proceedings against us or other credit card and debit card issuers and networks. Beyond pursuing litigation, legislation and regulation, merchants may also promote forms of payment with lower fees, such as ACH-based payments, or seek to impose surcharges at the point of sale for use of credit or debit cards. New payment systems, particularly mobile-based payment technologies, could also gain widespread adoption and lead to issuer transaction fees or the displacement of credit card accounts as a payment method. The heightened focus by merchants and legislative and regulatory bodies on the fees charged by credit and debit card networks, and the ability of certain merchants to successfully negotiate discounts to interchange fees with MasterCard and Visa or develop alternative payment systems, could result in a reduction of interchange fees. Any resulting loss in income to us could have a material adverse effect on our business, financial condition and results of operations. If we are not able to invest successfully in and introduce digital and other technological developments across all our businesses, our financial performance may suffer. Our industry is subject to rapid and significant technological changes and our ability to meet our customers’ needs and expectations is key to our ability to grow revenue and earnings. We expect digital technologies to have a significant impact on banking over time. Consumers expect robust digital experiences from their financial services providers. The ability for customers to access their accounts and conduct financial transactions using digital technology, including mobile applications, is an important aspect of the financial services industry and financial institutions are rapidly introducing new digital and other technology-driven products and services that aim to offer a better customer experience and to reduce costs. We continue to invest in digital technology designed to attract new customers, facilitate the ability of existing customers to conduct financial transactions and enhance the customer experience related to our products and services. Our continued success depends, in part, upon our ability to address the needs of our customers by using digital technology to provide products and services that meet their expectations. The development and launch of new digital products and services depends in large part on our capacity to invest in and build the technology platforms that can enable them, in a cost effective and timely manner. See “We face intense competition in all of our markets” and “We face risks related to our operational, technological and organizational infrastructure.” Some of our competitors are substantially larger than we are, which may allow those competitors to invest more money into their technology infrastructure and digital innovation than we do. In addition, we face intense competition from smaller companies which experience lower cost structures and different regulatory requirements and scrutiny than we do, and which may allow them to innovate more rapidly than we can. See “We face intense competition in all of our markets.” Further, our success depends on our ability to attract and retain strong digital and technology leaders, engineers and other specialized personnel. The competition is intense, and the compensation costs continue to increase for such talent. If we are unable to attract and retain digital and technology talent, our ability to offer digital products and services and build the necessary technology infrastructure could be negatively affected, which could negatively impact our business and financial results. A failure to maintain or enhance our competitive position with respect to digital products and services, whether because we fail to anticipate customer expectations or because our technological developments fail to perform as desired or are not implemented in a timely or successful manner, could negatively impact our business and financial results. We may fail to realize all of the anticipated benefits of our mergers, acquisitions and strategic partnerships. We have engaged in merger and acquisition activity and entered into strategic partnerships over the past several years. We continue to evaluate and anticipate engaging in, among other merger and acquisition activity, additional strategic partnerships and selected acquisitions of financial institutions and other acquisition targets, including credit card and other loan portfolios. We may not be able to identify and secure future acquisition targets on terms and conditions that are acceptable to us, or successfully complete within the anticipated time frame and achieve the anticipated benefits of proposed mergers, acquisitions and strategic partnerships, which could impair our growth. Any merger, acquisition or strategic partnership we undertake entails certain risks, which may materially and adversely affect our results of operations. If we experience greater than anticipated costs to integrate acquired businesses into our existing operations, or are not able to achieve the anticipated benefits of any merger, acquisition or strategic partnership, including cost savings and other synergies, our business could be negatively affected. In addition, it is possible that the ongoing integration processes could result in the loss of key employees, errors or delays in systems implementation, exposure to cybersecurity risks associated with acquired businesses, exposure to additional regulatory oversight, the disruption of our ongoing businesses or inconsistencies in standards, controls, procedures and policies that adversely affect our ability to maintain relationships with partners, clients, customers, depositors and employees or to achieve the anticipated benefits of any merger, acquisition or strategic partnership. Integration efforts also may divert management attention and resources. These integration matters may have an adverse effect on us during any transition period. In addition, we may face the following risks in connection with any merger, acquisition or strategic partnership: •New Businesses and Geographic or Other Markets: Our merger, acquisition or strategic partnership activity may involve our entry into new businesses and new geographic areas or other markets which present risks resulting from our relative inexperience in these new businesses or markets. These new businesses or markets may change the overall character of our consolidated portfolio of businesses and alter our exposure to economic and other external factors. We face the risk that we will not be successful in these new businesses or in these new markets. •Identification and Assessment of Merger and Acquisition Targets and Deployment of Acquired Assets: We may not be able to identify, acquire or partner with suitable targets. Further, our ability to achieve the anticipated benefits of any merger, acquisition or strategic partnership will depend on our ability to assess the asset quality and value of the particular assets or institutions we partner with, merge with or acquire. We may be unable to profitably deploy any assets we acquire. •Accuracy of Assumptions: In connection with any merger, acquisition or strategic partnership, we may make certain assumptions relating to the proposed merger, acquisition or strategic partnership that may be, or may prove to be, inaccurate, including as a result of the failure to realize the expected benefits of any merger, acquisition or strategic partnership. The inaccuracy of any assumptions we may make could result in unanticipated consequences that could have a material adverse effect on our results of operations or financial condition. •Target-specific Risk: Assets and companies that we acquire, or companies that we enter into strategic partnerships with, will have their own risks that are specific to a particular asset or company. These risks include, but are not limited to, particular or specific regulatory, accounting, operational, reputational and industry risks, any of which could have a material adverse effect on our results of operations or financial condition. For example, we may face challenges associated with integrating other companies due to differences in corporate culture, compliance systems or standards of conduct. Indemnification rights, if any, may be insufficient to compensate us for any losses or damages resulting from such risks. In addition to regulatory approvals discussed below, certain of our merger, acquisition or partnership activity may require third-party consents in order for us to fully realize the anticipated benefits of any such transaction. •Conditions to Regulatory Approval: Certain acquisitions may not be consummated without obtaining approvals from one or more of our regulators. We cannot be certain when or if, or on what terms and conditions, any required regulatory approvals will be granted. Consequently, we might be required to sell portions of acquired assets or our own assets as a condition to receiving regulatory approval or we may not obtain regulatory approval for a proposed acquisition on acceptable terms or at all, in which case we would not be able to complete the acquisition despite the time and expenses invested in pursuing it. Reputational risk and social factors may impact our results and damage our brand. Our ability to attract and retain customers is highly dependent upon the perceptions of consumer and commercial borrowers and deposit holders and other external perceptions of our products, services, trustworthiness, business practices, workplace culture, compliance practices or our financial health. In addition, our brand is very important to us. Maintaining and enhancing our brand depends largely on our ability to continue to provide high-quality products and services. Adverse perceptions regarding our reputation in the consumer, commercial and funding markets could lead to difficulties in generating and maintaining accounts as well as in financing them. In particular, negative public perceptions regarding our reputation, including negative perceptions regarding our ability to maintain the security of our technology systems and protect customer data, could lead to decreases in the levels of deposits that consumer and commercial customers and potential customers choose to maintain with us or significantly increase the costs of attracting and retaining customers. In addition, negative perceptions regarding certain industries, partners or clients could also prompt us to cease business activities associated with those entities. Negative public opinion or damage to our brand could also result from actual or alleged conduct in any number of activities or circumstances, including lending practices, regulatory compliance, security breaches (including the use and protection of customer information, such as resulting from the Cybersecurity Incident), corporate governance and sales and marketing, and from actions taken by regulators or other persons in response to such conduct. Such conduct could fall short of our customers’ and the public’s heightened expectations of companies of our size with rigorous data, privacy and compliance practices, and could further harm our reputation. In addition, our cobrand and private label partners or other third parties with whom we have important relationships may take actions over which we have limited control that could negatively impact perceptions about us or the financial services industry. The proliferation of social media may increase the likelihood that negative public opinion from any of the events discussed above will impact our reputation and business. In addition, a variety of social factors may cause changes in borrowing activity, including credit card use, payment patterns and the rate of defaults by account holders and borrowers domestically and internationally. These social factors include changes in consumer confidence levels, the public’s perception regarding the banking industry and consumer debt, including credit card use, and changing attitudes about the stigma of bankruptcy. If consumers develop or maintain negative attitudes about incurring debt, or if consumption trends decline or if we fail to maintain and enhance our brand, or we incur significant expenses to do so, our business and financial results could be materially and negatively affected. If we are not able to protect our intellectual property, our revenue and profitability could be negatively affected. We rely on a variety of measures to protect and enhance our intellectual property, including copyrights, trademarks, trade secrets, patents and certain restrictions on disclosure, solicitation and competition. We also undertake other measures to control access to and distribution of our other proprietary information. These measures may not prevent misappropriation of our proprietary information or infringement of our intellectual property rights and a resulting loss of competitive advantage. In addition, our competitors or other third parties may file patent applications for innovations that are used in our industry or allege that our systems, processes or technologies infringe on their intellectual property rights. If our competitors or other third parties are successful in obtaining such patents or prevail in intellectual property-related litigation against us, we could lose significant revenues, incur significant license, royalty or technology development expenses, or pay significant damages. Our risk management strategies may not be fully effective in mitigating our risk exposures in all market environments or against all types of risk. Management of market, credit, liquidity, operational and compliance risk requires, among other things, policies and procedures to properly record and verify a large number of transactions and events. See “MD&A-Risk Management” for further details. Even though we continue to devote significant resources to developing our risk management framework, our risk management strategies may not be fully effective in identifying and mitigating our risk exposure in all market environments or against all types of risk, including risks that are unidentified or unanticipated. Some of our methods of managing these risks are based upon our use of observed historical market behavior and management’s judgment. These methods may not accurately predict future exposures, which could be significantly greater than the historical measures indicate and market conditions, particularly during a period of financial market stress, can involve unprecedented dislocations. Credit risk is inherent in the financial services business and results from, among other things, extending credit to customers. Our ability to assess the creditworthiness of our customers may be impaired if the models and approaches we use to select, manage and underwrite our consumer and commercial customers become less predictive of future charge-offs due, for example, to rapid changes in the economy, including rapid changes in tariff rates and international trade relations. While we employ a broad and diversified set of risk monitoring and risk mitigation techniques, those techniques and the judgments that accompany their application cannot anticipate every economic and financial outcome or the timing of such outcomes. For example, our ability to implement our risk management strategies may be hindered by adverse changes in the volatility or liquidity conditions in certain markets and as a result, may limit our ability to distribute such risks (for instance, when we seek to syndicate exposure in bridge financing transactions we have underwritten). We may, therefore, incur losses in the course of our risk management or investing activities. Fluctuations in market interest rates or volatility in the capital markets could adversely affect our income and expense, the value of assets and obligations, our regulatory capital, cost of capital or liquidity. Like other financial institutions, our business is sensitive to market interest rate movements and the performance of the capital markets. Disruptions, uncertainty or volatility across the capital markets could negatively impact market liquidity and limit our access to the funding required to operate and grow our business. In addition, changes in interest rates or in valuations in the debt or equity markets could directly impact us. For example, we borrow money from other institutions and depositors, which we use to make loans to customers and invest in debt securities and other interest-earning assets. We earn interest on these loans and assets and pay interest on the money we borrow from institutions and depositors. The interest rates that we pay on the securities we have issued are also influenced by, among other things, applicable credit ratings from recognized rating agencies. A downgrade to any of these credit ratings could affect our ability to access the capital markets, increase our borrowing costs and have a negative impact on our results of operations. Increased charge-offs, rising LIBOR or other applicable reference rates and other events may cause our securitization transactions to amortize earlier than scheduled, which could accelerate our need for additional funding from other sources. Fluctuations in interest rates, including changes in the relationship between short-term rates and long-term rates and in the relationship between our funding basis rate and our lending basis rate, may have negative impacts on our net interest income and therefore our earnings. In addition, interest rate fluctuations and competitor responses to those changes may affect the rate of customer prepayments for auto and other term loans and may affect the balances customers carry on their credit cards. For example, increases in interest rates increase debt service requirements for some of our borrowers, which may adversely affect those borrowers’ ability to pay as contractually obligated. This could result in additional delinquencies or charge-offs and negatively impact our results of operations. These changes can reduce the overall yield on our interest-earning asset portfolio. Changes in interest rates and competitor responses to these changes may also impact customer decisions to maintain balances in the deposit accounts they have with us. An inability to attract or maintain deposits could materially affect our ability to fund our business and our liquidity position. Many other financial institutions have increased their reliance on deposit funding and, as such, we expect continued competition in the deposit markets. We cannot predict how this competition will affect our costs. If we are required to offer higher interest rates to attract or maintain deposits, our funding costs will be adversely impacted. Changes in valuations in the debt and equity markets could have a negative impact on the assets we hold in our investment portfolio. Such market changes could also have a negative impact on the valuation of assets for which we provide servicing. We assess our interest rate risk by estimating the effect on our earnings, economic value and capital under various scenarios that differ based on assumptions about the direction and the magnitude of interest rate changes. We take risk mitigation actions based on those assessments. We face the risk that changes in interest rates could materially reduce our net interest income and our earnings, especially if actual conditions turn out to be materially different than those we assumed. See “MD&A-Market Risk Profile” for additional information. Uncertainty regarding, and transition away from, LIBOR may adversely affect our business. The U.K. FCA, which regulates LIBOR, has announced that it will no longer compel banks to contribute data for the calculation of LIBOR after December 31, 2021. It is likely that banks will no longer continue to contribute submissions for the calculation of LIBOR after that date, which creates significant uncertainty around the publication of LIBOR beyond 2021 and whether LIBOR will continue to be viewed as a reliable market benchmark. In November 2020, the ICE Benchmark Administration (IBA), the administrator of LIBOR, announced that it will consult on its intention to cease publication of the 1-week and 2-month USD LIBOR settings immediately following the LIBOR publication on December 31, 2021, and the remaining USD LIBOR tenors (Overnight, 1, 3, 6, and 12 Months) immediately following the LIBOR publication on June 30, 2023. The consultation closed on January 25, 2021 and we will continue to engage with industry experts to better understand the proposed IBA's extension announcement and its impact on the markets and our transition plans. It remains unclear what rate or rates may develop as accepted alternatives to LIBOR, or what the effect of such changes will be on the markets for LIBOR-based financial instruments. The Secured Overnight Financing Rate (“SOFR”) has been recommended by the Alternative Reference Rates Committee as an alternative for USD LIBOR, but issues and uncertainty remain with respect to its implementation. Given LIBOR’s extensive use across financial markets, the transition away from LIBOR presents several risks and challenges to the financial markets and financial institutions, including Capital One. We have loans, derivative contracts, unsecured debt, securitizations, vendor agreements and other instruments with attributes that are either directly or indirectly dependent on LIBOR. Uncertainty as to the nature of potential changes, alternative reference rates such as SOFR, or other reforms may adversely affect market liquidity, the pricing of LIBOR-based instruments, and the availability and cost of associated hedging instruments and borrowings. If SOFR or another rate does not achieve wide acceptance as the alternative to LIBOR, there likely will be disruption to the markets relying on the availability of a broadly accepted reference rate. In addition, uncertainty regarding LIBOR could result in loss of market share in certain products, adverse tax or accounting impacts, compliance, legal or operational costs and risks associated with client disclosures, as well as systems disruption, model disruption and other business continuity issues for us. Even if SOFR or another reference rate becomes a widely acceptable replacement for LIBOR, risks will remain for us with respect to outstanding instruments which rely on LIBOR. Those risks arise in connection with transitioning such instruments to a new reference rate, the taking of discretionary actions or the negotiation of fallback provisions and final amendments to existing LIBOR based agreements. Payments under contracts referencing new reference rates may significantly differ from those referencing LIBOR. For some instruments, the method of transitioning to a new reference rate may be challenging, especially if parties to an instrument cannot agree as to how to effect that transition. If a contract is not transitioned to a new reference rate and LIBOR ceases to exist, the impact on our obligations is likely to vary by contract. In addition, prior to LIBOR cessation, instruments that continue to refer to LIBOR may be impacted if there is a change in the availability or calculation of LIBOR. The transition from LIBOR to an alternative reference rate may change our market risk profile and require changes to risk and pricing models, valuation tools, product design, information technology systems, reporting infrastructure, operational processes and controls, and hedging strategies. In many cases, we may be dependent on third parties to upgrade systems, software and other critical functions that could materially disrupt our readiness if they are not done on a timely basis or otherwise fail. Our assessment of the ultimate impact of, and our planning for, the transition from LIBOR remains ongoing. Failure to adequately manage the transition could have a material adverse effect on our reputation, business, financial condition and results of operations. See “MD&A-Market Risk Profile” for additional information. Our business could be negatively affected if we are unable to attract, retain and motivate skilled employees. Our success depends, in large part, on our ability to retain key senior leaders and to attract and retain skilled employees, particularly employees with advanced expertise in credit, risk, digital and technology skills. We depend on our senior leaders and skilled employees to oversee simultaneous, transformative initiatives across the enterprise and execute on our business plans in an efficient and effective manner. Competition for such senior leaders and employees, and the costs associated with attracting and retaining them, is high. Our ability to attract and retain qualified employees also is affected by perceptions of our culture and management, our profile in the regions where we have offices and the professional opportunities we offer. Regulation or regulatory guidance restricting executive compensation, as well as evolving investor expectations, may limit the types of compensation arrangements that we may enter into with our most senior leaders and could have a negative impact on our ability to attract, retain and motivate such leaders in support of our long-term strategy. These laws and regulations may not apply in the same manner to all financial institutions, and we therefore may face more restrictions than other institutions and companies with which we compete for talent. These laws and regulations may also hinder our ability to compete for talent with other industries. We rely upon our senior leaders not only for business success, but also to lead with integrity. To the extent our senior leaders behave in a manner that does not comport with our values, the consequences to our brand and reputation could be severe and could adversely affect our financial condition and results of operations. If we are unable to attract, develop and retain talented senior leadership and employees, or to implement appropriate succession plans for our senior leadership, our business could be negatively affected. We face risks from unpredictable catastrophic events. Despite the business contingency plans we have in place, such plans do not fully mitigate all potential business continuity risks to us. Natural disasters and other catastrophic events could harm our business and infrastructure, including our information technology systems and third-party platforms. Our ability to conduct business may be adversely affected by a disruption in the infrastructure that supports our business and the communities where we are located, which are concentrated in the Northern Virginia and New York metropolitan areas, as well as Richmond, Virginia and Plano, Texas. This may include a disruption involving damage or loss of access to a physical site, cyber incidents, terrorist activities, the occurrence or worsening of disease outbreaks or pandemics (including the COVID-19 pandemic), natural disasters, extreme weather events, electrical outage, environmental hazard, technological infrastructure, communications or other services we use, our employees or third parties with whom we conduct business. Our business, financial condition and results of operations may be impacted by any such disruption and our ability to implement corresponding response measures, including, for example, our ability to adapt to a remote work environment as a result of the ongoing COVID-19 pandemic and related response measures. In addition, if a natural disaster or other catastrophic event occurs in certain regions where our business and customers are concentrated, such as the mid-Atlantic, New York or Texas metropolitan areas, we could be disproportionately impacted as compared to our competitors. The impact of such events and other catastrophes on the overall economy may also adversely affect our financial condition and results of operations. We face risks from the use of or changes to assumptions or estimates in our financial statements. Pursuant to generally accepted accounting principles in the U.S. (“U.S. GAAP”), we are required to use certain assumptions and estimates in preparing our financial statements, including determining our allowance for credit losses, the fair value of certain assets and liabilities, and asset impairment, among other items. In addition, the FASB, the SEC and other regulatory bodies may change the financial accounting and reporting standards, including those related to assumptions and estimates we use to prepare our financial statements, in ways that we cannot predict and that could impact our financial statements. If actual results differ from the assumptions or estimates underlying our financial statements or if financial accounting and reporting standards are changed, we may experience unexpected material losses. For a discussion of our use of estimates in the preparation of our consolidated financial statements, see “MD&A-Critical Accounting Policies and Estimates” and “Note 1-Summary of Significant Accounting Policies.” Limitations on our ability to receive dividends from our subsidiaries could affect our liquidity and ability to pay dividends and repurchase common stock. We are a separate and distinct legal entity from our subsidiaries, including the Banks. Dividends to us from our direct and indirect subsidiaries, including the Banks, have represented a major source of funds for us to pay dividends on our common and preferred stock, repurchase common stock, make payments on corporate debt securities and meet other obligations. There are various federal law limitations on the extent to which the Banks can finance or otherwise supply funds to us through dividends and loans. These limitations include minimum regulatory capital requirements, federal banking law requirements concerning the payment of dividends out of net profits or surplus, Sections 23A and 23B of the Federal Reserve Act and Regulation W governing transactions between an insured depository institution and its affiliates, as well as general federal regulatory oversight to prevent unsafe or unsound practices. If our subsidiaries’ earnings are not sufficient to make dividend payments to us while maintaining adequate capital levels, our liquidity may be affected and we may not be able to make dividend payments to our common or preferred stockholders, repurchase our common stock, make payments on outstanding corporate debt securities or meet other obligations, each and any of which could have a material adverse impact on our results of operations, financial position or perception of financial health. See “Part I-Item 1.Business-Supervision and Regulation” for additional information regarding dividend limitations applicable to us and the Banks. The soundness of other financial institutions and other third parties could adversely affect us. Our ability to engage in routine funding and other transactions could be adversely affected by the stability and actions of other financial services institutions. Financial services institutions are interrelated as a result of trading, clearing, servicing, counterparty and other relationships. We have exposure to financial institutions, intermediaries and counterparties that are exposed to risks over which we have little or no control. In addition, we routinely execute transactions with counterparties in the financial services industry, including brokers and dealers, commercial banks, investment banks, mutual and hedge funds and other institutional clients, resulting in a significant credit concentration with respect to the financial services industry overall. As a result, defaults by, or even rumors or questions about, one or more financial services institutions, or the financial services industry generally, have led to market-wide liquidity problems and could lead to losses or defaults by us or by other institutions. Likewise, adverse developments affecting the overall strength and soundness of our competitors, the financial services industry as a whole and the general economic climate or sovereign debt could have a negative impact on perceptions about the strength and soundness of our business even if we are not subject to the same adverse developments. In addition, adverse developments with respect to third parties with whom we have important relationships also could negatively impact perceptions about us. These perceptions about us could cause our business to be negatively affected and exacerbate the other risks that we face. Item 1B.

Current §1A text (2021)

Show full section (14923 words)

Item 1A. Risk Factors

This section highlights significant factors, events, and uncertainties that make an investment in our securities risky. The events and consequences discussed in these risk factors could, in circumstances we may not be able to accurately predict, recognize, or control, have a material adverse effect on our business, growth, reputation, prospects, financial condition, operating results, cash flows, liquidity, and stock price. These risk factors do not identify all risks that we face; our operations could also be affected by factors, events, or uncertainties that are not presently known to us or that we currently do not consider to present significant risks to our operations. In addition, the global economic and political climate may amplify many of these risks.

Summary of Risk Factors

Below is a summary of the principal factors that make an investment in our securities risky. This summary does not address all of the risks that we face. Additional discussion of the risks summarized in this risk factor summary, and other risks that we face, can be found below and should be carefully considered, together with other information in this Form 10-K and our other filings with the SEC, before making an investment decision regarding our common stock.

•Our results of operations may be adversely affected by the effects of the COVID-19 pandemic.

•Changes and instability in the macroeconomic environment, consumer confidence and customer behavior may adversely affect our business.

•Financial market instability and volatility could adversely affect our business.

•We may experience increased delinquencies, credit losses, inaccurate estimates and inadequate reserves.

•We may not be able to maintain adequate capital or liquidity levels, which could have a negative impact on our financial results and our ability to return capital to our stockholders.

21

Capital One Financial Corporation (COF)

Table of Contents

•Limitations on our ability to receive dividends from our subsidiaries could affect our liquidity and ability to pay dividends and repurchase common stock.

•We face risks related to our operational, technological and organizational infrastructure.

•A cyber-attack or other security incident, including one that results in the theft, loss or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions.

•Our required compliance with applicable laws and regulations related to privacy, data protection and data security may increase our costs, reduce our revenue, increase our legal exposure and limit our ability to pursue business opportunities.

•We face risks resulting from the extensive use of models and data.

•Compliance with new and existing laws, regulations and regulatory expectations is costly and complex.

•Our businesses are subject to the risk of increased litigation, government investigations and regulatory enforcement.

•We face intense competition in all of our markets.

•Our business, financial condition and results of operations may be adversely affected by merchants’ increasing focus on the fees charged by credit and debit card networks and by legislation and regulation impacting such fees.

•If we are not able to invest successfully in and introduce digital and other technological developments across all our businesses, our financial performance may suffer.

•We may fail to realize the anticipated benefits of our mergers, acquisitions and strategic partnerships.

•Reputational risk and social factors may impact our results and damage our brand.

•If we are not able to protect our intellectual property, our revenue and profitability could be negatively affected.

•Our risk management strategies may not be fully effective in mitigating our risk exposures in all market environments or against all types of risk.

•Fluctuations in market interest rates or volatility in the capital markets could adversely affect our income and expense, the value of assets and obligations, our regulatory capital, cost of capital or liquidity.

•The transition away from London Interbank Offered Rate (“LIBOR”) may adversely affect our business.

•Our business could be negatively affected if we are unable to attract, retain and motivate skilled employees.

•We face risks from unpredictable catastrophic events.

•Climate change manifesting as physical or transition risks could adversely affect our operations, businesses and customers.

•We face risks from the use of or changes to assumptions or estimates in our financial statements.

•The soundness of other financial institutions and other third parties could adversely affect us.

General Economic and Market Risks

Our results of operations may be adversely affected by the effects of the COVID-19 pandemic.

Although the global economy has begun to recover from the COVID-19 pandemic and many health and safety restrictions have been lifted and vaccine distribution has increased, certain adverse consequences of the pandemic, especially as a result of the emergence of the Omicron variant in late 2021, continue to impact the macroeconomic environment and may persist for some time. Such adverse consequences include labor shortages and disruptions of global supply chains. The growth in economic activity and demand for goods and services, alongside labor shortages and supply chain complications, has also contributed to rising inflationary pressures and could adversely affect our business. Should these ongoing effects of the pandemic continue for

22

Capital One Financial Corporation (COF)

Table of Contents

an extended period or worsen, our purchase volume, loan balances and the overall demand for our products and services may be significantly impacted, which could adversely affect our revenue and other results of operations. In addition, we could experience higher credit losses in our loan portfolios and increases in our allowance for credit losses beyond current levels. We could also experience impairments of other financial assets and other negative impacts on our financial position, including possible constraints on liquidity and capital, as well as higher costs of capital. Even after the COVID-19 pandemic has subsided, we may continue to experience adverse impacts to our business and results of operations, which could be material, as a result of the macroeconomic impact and any recession that has occurred or may occur in the future.

The COVID-19 pandemic caused us to modify our business practices and operations, including providing a range of forbearance options to our customers in certain circumstances. We may need to further modify our practices and operations as the pandemic remains dynamic and the emergence of variants resistant to existing vaccines remains uncertain. We also implemented work-from-home policies for a vast majority of our employees, and social distancing plans for our employees who are working from Capital One facilities. Nearly all of our Cafés and bank branches across our network are open with increased safety precautions. We will continue to monitor local conditions to ensure the safety of our associates and customers while providing critical banking services. These measures could impair our ability to perform critical functions and may adversely impact our results of operations. In addition, these measures and other changes in consumer behavior as a result of the COVID-19 pandemic may require changes to retail distribution strategies and adversely impact our investments in our bank premises and equipment and other retail distribution assets, leading to increased costs and exposure to additional risks. We may take further actions as required by government authorities or that we otherwise determine are in the best interests of our customers, employees and business partners.

Since the inception of the COVID-19 pandemic, federal, state, local and foreign governmental authorities enacted regulations and protocols in response to the COVID-19 pandemic, including governmental programs intended to provide economic relief to businesses and individuals. We participated in certain of these programs, including participating as an eligible lender in the Small Business Administration’s Paycheck Protection Program. Our participation in and execution of any such programs may cause operational, compliance, reputational and credit risks, which could result in litigation, governmental action or other forms of loss. The extent of these impacts, which may be substantial, depends, in part, on the degree of our participation in these programs. There remains significant uncertainty regarding the measures that authorities will enact in the future and the ultimate impact of the legislation, regulations and protocols that have been and will be enacted. Moreover, we expect that the effects of the COVID-19 pandemic will heighten many of the other known risks described herein. See “Part I—Item 1.—Business—Overview—Coronavirus Disease 2019 (COVID-19) Pandemic”.

The extent to which the consequences of the COVID-19 pandemic affect our businesses, results of operations and financial condition, as well as our regulatory capital and liquidity ratios and our ability to take capital actions, will depend on future developments that remain uncertain, including, for example, the rate of distribution and administration of vaccines globally, the severity and duration of any resurgence of COVID-19 variants, future actions taken by governmental authorities, central banks and other third parties in response to the pandemic, and the effects on our customers, counterparties, employees and third-party service providers.

Changes and instability in the macroeconomic environment, consumer confidence and customer behavior may adversely affect our business.

We offer a broad array of financial products and services to consumers, small businesses and commercial clients. A prolonged period of economic volatility, slow growth, or a significant deterioration in economic conditions, in the U.S., Canada or the U.K., could have a material adverse effect on our financial condition and results of operations as customers default on their loans, maintain lower deposit levels or, in the case of credit card accounts, carry lower balances and reduce credit card purchase activity.

Some of the risks we face in connection with adverse changes and instability in the macroeconomic environment, including changes in consumer confidence levels and behavior, include the following:

•Changes in payment patterns, increases in delinquencies and default rates, decreased consumer spending, inflation, lower demand for credit and shifts in consumer payment behavior towards avoiding late fees, finance charges and other fees;

•Increases in our charge-off rate caused by bankruptcies and reduced ability to recover debt that we have previously charged-off;

23

Capital One Financial Corporation (COF)

•Decreased reliability of the process and models we use to estimate our allowance for loan and lease losses, particularly if unexpected variations in key inputs and assumptions cause actual losses to diverge from the projections of our models and our estimates become increasingly subject to management’s judgment. See “We face risks resulting from the extensive use of models and data.”

The U.K. and the European Union agreed to a free trade deal at the end of 2020 relating to the U.K.’s exit from the European Union. Although this deal provides greater near-term stability, there is still some degree of uncertainty as to the relationship between the U.K and the European Union, which may increase volatility in the regional and global financial markets. We continue to consider and monitor the potential impacts, and other factors that could also impact U.K. economic performance.

Financial market instability and volatility could adversely affect our business.

Our ability to borrow from other financial institutions or to engage in funding transactions on favorable terms or at all could be adversely affected by disruptions in the capital markets or other events, including actions by rating agencies and deteriorating investor expectations. In addition, fluctuations in interest rates, credit spreads and other market factors could negatively impact our results of operations. Both shorter-term and longer-term interest rates remain below long-term historical averages and the yield curve has been relatively flat compared to past periods. A flat yield curve combined with low interest rates generally leads to lower revenue and reduced margins because it can decrease the spread between asset yields and funding costs. Sustained periods of time with a flat yield curve coupled with low interest rates, or an inversion of the yield curve, could have a material adverse effect on our net interest margin and earnings.

Credit Risk

We may experience increased delinquencies, credit losses, inaccurate estimates and inadequate reserves.

Like other lenders, we face the risk that our customers will not repay their loans. A customer’s ability and willingness to repay us can be adversely affected by decreases in the income of the borrower or increases in their payment obligations to other lenders, whether as a result of higher debt levels or rising interest rates, by rising levels of inflation, or by restricted availability of credit generally. We may fail to quickly identify and reduce our exposure to customers that are likely to default on their payment obligations, whether by closing credit lines or restricting authorizations. Our ability to manage credit risk also is affected by legal or regulatory changes (such as restrictions on collections, bankruptcy laws, minimum payment regulations and re-age guidance), competitors’ actions and consumer behavior, and depends on the effectiveness of our collections staff, techniques and models.

Rising losses or leading indicators of rising losses (such as higher delinquencies, higher rates of nonperforming loans, higher bankruptcy rates, lower collateral values, elevated unemployment rates or changing market terms) may require us to increase our allowance for credit losses, which would decrease our profitability if we are unable to raise revenue or reduce costs to compensate for higher losses. In particular, we face the following risks in this area:

•Missed Payments: Our customers may miss payments. Loan charge-offs (including from bankruptcies) are generally preceded by missed payments or other indications of worsening financial condition for our customers. Historically, customers are more likely to miss payments during an economic downturn or prolonged periods of slow economic growth. In addition, we face the risk that consumer and commercial customer behavior may change (for example, an increase in the unwillingness or inability of customers to repay debt, which may be heightened by increasing interest rates or levels of consumer debt), causing a long-term rise in delinquencies and charge-offs.

•Incorrect Estimates of Expected Losses: The credit quality of our portfolio can have a significant impact on our earnings. We allow for and reserve against credit risks based on our assessment of expected credit losses in our loan portfolios. This process, which is critical to our financial condition and results of operations, requires complex judgments, including forecasts of economic conditions. We may underestimate our expected losses and fail to hold an allowance for credit losses sufficient to account for these losses. Incorrect assumptions could lead to material underestimations of expected credit losses and an inadequate allowance for credit losses.

•Inaccurate Underwriting: Our ability to accurately assess the creditworthiness of our customers may diminish, which could result in an increase in our credit losses and a deterioration of our returns. See “Our risk management strategies may not be fully effective in mitigating our risk exposures in all market environments or against all types of risk.”

24

Capital One Financial Corporation (COF)

•Business Mix: We engage in a diverse mix of businesses with a broad range of potential credit exposure. Because we originate a relatively greater proportion of consumer loans in our loan portfolio compared to other large bank peers and originate both prime and subprime credit card accounts and auto loans, we may experience higher delinquencies and a greater number of accounts charging off compared to other large bank peers, which could result in increased credit losses, operating costs and regulatory scrutiny. Additionally, a change in this business mix over time to include proportionally more consumer loans or subprime credit card accounts or auto loans could adversely affect the credit quality of our portfolio.

•Increasing Charge-off Recognition/Allowance for Credit Losses: We account for the allowance for credit losses according to accounting and regulatory guidelines and rules, including Financial Accounting Standards Board (“FASB”) standards and the Federal Financial Institutions Examination Council (“FFIEC”) Account Management Guidance. Effective as of January 1, 2020, we adopted the CECL standard which is based on expected lifetime losses rather than incurred losses. Adoption of the CECL standard has resulted and may continue to result in an increase to our reserves for credit losses on financial instruments with a resulting adverse impact on our financial condition. The continued impact of CECL on our results will depend on the characteristics of our financial instruments, economic conditions, and our economic and loss forecasts. The application of the CECL standard requires us to increase reserves faster and to a higher level in an economic downturn, resulting in greater impact to our results and our capital ratios than we would have experienced in similar circumstances prior to the adoption of CECL. In addition, because credit cards represent a significant portion of our product mix, we could be disproportionately affected by use of the CECL standard, as compared to our large bank peers with a different product mix.

•Insufficient Asset Values: The collateral we have on secured loans could be insufficient to compensate us for credit losses. When customers default on their secured loans, we attempt to recover collateral where permissible and appropriate. However, the value of the collateral may not be sufficient to compensate us for the amount of the unpaid loan, and we may be unsuccessful in recovering the remaining balance from our customers. Decreases in real estate and other asset values adversely affect the collateral value for our commercial lending activities, while the auto business is similarly exposed to collateral risks arising from the auction markets that determine used car prices. Borrowers may be less likely to continue making payments on loans if the value of the property used as collateral for the loan is less than what the borrower owes, even if the borrower is still financially able to make the payments. In that circumstance, the recovery of such property could be insufficient to compensate us for the value of these loans upon a default. In our auto business, business and economic conditions that negatively affect household incomes, housing prices and consumer behavior, as well as technological advances that make older cars obsolete faster, could decrease (i) the demand for new and used vehicles and (ii) the value of the collateral underlying our portfolio of auto loans, which could cause the number of consumers who become delinquent or default on their loans to increase.

•Geographic and Industry Concentration: Although our consumer lending is geographically diversified, approximately 45% of our commercial real estate loan portfolio is concentrated in the Northeast region. The regional economic conditions in the Northeast affect the demand for our commercial products and services as well as the ability of our customers to repay their commercial real estate loans and the value of the collateral securing these loans. An economic downturn or prolonged period of slow economic growth in, or a catastrophic event that disproportionately affects, including as a result of climate change, the Northeast region could have a material adverse effect on the performance of our commercial real estate loan portfolio and our results of operations. In addition, our Commercial Banking strategy includes an industry-specific focus. If any of the industries that we focus on experience changes, we may experience increased credit losses and our results of operations could be adversely impacted.

Capital and Liquidity Risk

We may not be able to maintain adequate capital or liquidity levels, which could have a negative impact on our financial results and our ability to return capital to our stockholders.

Financial institutions are subject to extensive and complex capital and liquidity requirements, which are subject to change. These requirements affect our ability to lend, grow deposit balances, make acquisitions and distribute capital. Failure to maintain adequate capital or liquidity levels, whether due to adverse developments in our business or the economy or to changes in the applicable requirements, could subject us to a variety of remedies available to our regulators. These include limitations on the ability to pay dividends and/or repurchase shares and the issuance of a capital directive to increase capital. Such limitations or capital directive could have a material adverse effect on our business and results of operations.

25

Capital One Financial Corporation (COF)

We consider various factors in the management of capital, including the impact of both internal and supervisory stress scenarios on our capital levels as determined by both our internal modeling and the Federal Reserve’s modeling of our capital position in supervisory stress tests. There can be significant differences between our modeling and the Federal Reserve’s projections for a given supervisory stress scenario and between the capital needs suggested by our internal stress scenarios relative to the supervisory scenarios. Therefore, although our estimated capital levels under stress disclosed as part of the stress testing processes may suggest that we have a particular capacity to return capital to stockholders and remain well capitalized under stress, the Federal Reserve’s modeling, our internal modeling of another scenario and/or other factors related to our capital management process may reflect a lower capacity to return capital to stockholders than that indicated by the projections released in the stress testing processes. This in turn, could lead to restrictions on our ability to pay dividends and engage in share repurchases. See “Part I—Item 1. Business—Supervision and Regulation” for additional information.

We also consider various factors in the management of liquidity, including maintaining sufficient liquid assets to meet the requirements of several internal and regulatory stress tests. There can be significant differences in estimated liquidity needs between internal and regulatory stress testing, and liquidity resources required to meet regulatory requirements, such as applicable LCR and NSFR requirements, may exceed what would otherwise be required to satisfy internal liquidity metrics and stress testing. Regulatory liquidity stress testing and regulatory liquidity requirements may, therefore, require us to take actions to increase our liquid assets or alter our activities or funding sources, which could negatively affect our financial results or our ability to return capital to our stockholders. See “Part I—Item 1. Business—Supervision and Regulation” for additional information.

In response to economic uncertainty due to the COVID-19 pandemic, the Federal Reserve required certain large BHCs, including us, to suspend share repurchases and cap common stock dividends and subsequently extended the restrictions into the first half of 2021 with certain modifications to permit resumptions of share repurchases. Although these temporary restrictions on our capital actions ended on June 30, 2021, it is possible that the Federal Reserve could impose similar restrictions in the future. Further changes to applicable capital and liquidity requirements could result in unexpected or new limitations on our ability to pay dividends and engage in share repurchases.

Limitations on our ability to receive dividends from our subsidiaries could affect our liquidity and ability to pay dividends and repurchase common stock.

We are a separate and distinct legal entity from our subsidiaries, including the Banks and our broker-dealer subsidiaries. Dividends to us from these direct and indirect subsidiaries have represented a major source of funds for us to pay dividends on our common and preferred stock, repurchase common stock, make payments on corporate debt securities and meet other obligations. There are various federal law limitations on the extent to which the Banks can finance or otherwise supply funds to us through dividends and loans. These limitations include minimum regulatory capital requirements, federal banking law requirements concerning the payment of dividends out of net profits or surplus, Sections 23A and 23B of the Federal Reserve Act and Regulation W governing transactions between an insured depository institution and its affiliates, as well as general federal regulatory oversight to prevent unsafe or unsound practices. Our broker-dealer subsidiaries are also subject to laws and regulations, including net capital requirements, that may limit their ability to pay dividends or make other distributions to us. If our subsidiaries’ earnings are not sufficient to make dividend payments to us while maintaining adequate capital levels, our liquidity may be affected and we may not be able to make dividend payments to our common or preferred stockholders, repurchase our common stock, make payments on outstanding corporate debt securities or meet other obligations, each and any of which could have a material adverse impact on our results of operations, our financial position or the perception of our financial health. See “Part I—Item 1. Business—Supervision and Regulation” for additional information regarding dividend limitations applicable to us and the Banks.

Operational Risk

We face risks related to our operational, technological and organizational infrastructure.

Our ability to retain and attract customers depends on our ability to develop, operate, and adapt our technology and organizational infrastructure in a rapidly changing environment. In addition, we must accurately process, record and monitor an increasingly large number of complex transactions. Digital technology, data and software development are deeply embedded into our business model and how we work.

Similar to other large corporations, we are exposed to operational risk that can manifest itself in many ways, such as errors in execution, inadequate processes, inaccurate models, faulty or disabled technological infrastructure, malicious disruption and

26

Capital One Financial Corporation (COF)

fraud by employees or persons outside of our company, whether through attacks on Capital One directly or on our customers. In addition, we are heavily dependent on the security, capability and continuous availability of the technology systems that we use to manage our internal financial and other systems, monitor risk and compliance with regulatory requirements, provide services to our customers, develop and offer new products and communicate with stakeholders. We also face risk of adverse customer impacts and business disruption arising from the execution of strategic initiatives we may pursue across our operations.

If we do not maintain the necessary operational, technological and organizational infrastructure to operate our business, including to maintain the resiliency and security of that infrastructure, our business and reputation could be materially adversely affected. We also are subject to disruptions to our systems arising from events that are wholly or partially beyond our control, which may include computer viruses, electrical or telecommunications outages, design flaws in foundational components or platforms, availability and quality of vulnerability patches from key vendors, cyber-attacks and other security incidents (including Distributed Denial of Service (“DDOS”) and other attacks on our infrastructure as discussed below), natural disasters, other damage to property or physical assets, or events arising from local or larger scale politics, including terrorist acts. Any failure to maintain our infrastructure or disruption of our systems and applications could diminish our ability to operate our businesses, service customer accounts and protect customers’ information, or result in potential liability to customers, reputational damage, regulatory intervention and customers’ loss of confidence in our businesses, any of which could result in a material adverse effect.

We also rely on the business infrastructure and systems of third parties with which we do business and to whom we outsource the operation, maintenance and development of our information technology and communications systems. We have migrated substantially all aspects of our core information technology systems and customer-facing applications to third-party cloud infrastructure platforms, principally AWS. If we fail to administer these new environments in a well-managed, secure and effective manner, or if such platforms become unavailable or do not meet their service level agreements for any reason, we may experience unplanned service disruption or unforeseen costs which could result in material harm to our business and results of operations. We must successfully develop and maintain information, financial reporting, disclosure, privacy, data-protection, data security and other controls adapted to our reliance on outside platforms and providers. In addition, AWS, or other service providers, could experience system breakdowns or failures, outages, downtime, cyber-attacks and other security incidents, adverse changes to financial condition, bankruptcy, or other adverse conditions, which could have a material adverse effect on our business and reputation. Thus, the substantial amount of our infrastructure that we outsource to AWS or to other third parties may increase our risk exposure.

Any disruptions, failures or inaccuracies of our operational processes, technology systems and models, including those associated with improvements or modifications to such technology systems and models, could cause us to be unable to market and manage our products and services, manage our risk, meet our regulatory obligations or report our financial results in a timely and accurate manner, all of which could have a negative impact on our results of operations. In addition, our ongoing investments in infrastructure, which are necessary to maintain a competitive business, integrate acquisitions and establish scalable operations, may increase our expenses. As our business develops, changes or expands, additional expenses can arise as a result of a reevaluation of business strategies, management of outsourced services, asset purchases or other acquisitions, structural reorganization, compliance with new laws or regulations, the integration of newly acquired businesses, or the prevention or occurrence of cyber-attacks and other security incidents. If we are unable to successfully manage our expenses, our financial results will be negatively affected. Changes to our business, including those resulting from our strategic objectives, also requires robust governance to ensure that our objectives are executed as intended without adversely impacting our customers, associates, operations or financial performance. Ineffective change management oversight and governance over the execution of our strategic objectives could expose us to operational, strategic and reputational risk and could negatively impact customers or our financial performance.

A cyber-attack or other security incident, including one that results in the theft, loss or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions.

Our ability to provide our products and services, many of which are web-based, and communicate with our customers, depends upon the management and safeguarding of information systems and infrastructure, networks, software, data engineering, technology, methodologies and business secrets, including those of our service providers. Our products and services involve the collection, authentication, management, usage, storage, transmission and eventual destruction of sensitive and confidential information, including personal information, regarding our customers and their accounts, our employees, our partners and other

27

Capital One Financial Corporation (COF)

third parties with which we do business. We also have arrangements in place with third parties through which we share and receive information about their customers who are or may become our customers.

Technologies, systems, networks, and other devices of Capital One, as well as those of our employees, service providers, partners and other third parties with whom we interact, have been and may continue to be the subject of cyber-attacks and other security incidents, including DDOS attacks, computer viruses, hacking, malware, ransomware, credential stuffing, or phishing or other forms of social engineering. Such cyber-attacks and other security incidents are designed to lead to various harmful outcomes, such as unauthorized transactions in Capital One accounts, unauthorized or unintended access to or release, gathering, monitoring, disclosure, loss, destruction, corruption, disablement, encryption, misuse, modification or other processing of confidential or sensitive information (including personal information), intellectual property, software, methodologies or business secrets, disruption, sabotage or degradation of service, systems or networks, or other damage. These threats may derive from, among other things, error, fraud or malice on the part of our employees, insiders, or third parties or may result from accidental technological failure. Any of these parties may also attempt to fraudulently induce employees, service providers, customers, partners or other third-party users of our systems or networks to disclose confidential or sensitive information (including personal information) in order to gain access to our systems, networks or data or that of our customers, partners, or third parties with whom we interact, or to unlawfully obtain monetary benefit through misdirected or otherwise improper payment. For example, any party that obtains our confidential or sensitive information (including personal information) through a cyber-attack or other security incident may use this information for ransom, to be paid by us or a third party, as part of a fraudulent activity that is part of a broader criminal activity, or for other illicit purposes.

For example, on July 29, 2019, we announced that on March 22 and 23, 2019 an outside individual gained unauthorized access to our systems (the “Cybersecurity Incident”). This individual obtained certain types of personal information relating to people who had applied for our credit card products and to our credit card customers. While the Cybersecurity Incident has been remediated, it has resulted in fines, litigation, government investigations and other regulatory enforcement inquiries, as well as consent orders with certain regulatory agencies. Cyber and information security risks for large financial institutions like us continue to increase due to the proliferation of new technologies, the industry-wide shift to reliance upon the internet to conduct financial transactions, and the increased sophistication and activities of malicious actors, organized crime, perpetrators of fraud, hackers, terrorists, activists, formal and informal instrumentalities of foreign governments and other external parties. In addition, our customers access our products and services using personal devices that are necessarily external to our security control systems. There has also been a significant proliferation of consumer information available on the internet resulting from breaches of third-party entities, including personal information, log-in credentials and authentication data. While we were not directly involved in these third-party breach events, the stolen information can create a vulnerability for our customers if their Capital One log-in credentials are the same as or similar to the credentials that have been compromised on other sites. This vulnerability could include the risk of unauthorized account access, data loss and fraud. The use of artificial intelligence, “bots” or other automation software can increase the velocity and efficacy of these types of attacks. The ongoing COVID-19 pandemic also increases the risk that we may experience cyber incidents as a result of our employees, service providers, partners and other third parties with which we interact working remotely on systems, networks and environments over which we have less control.

The methods and techniques employed by malicious actors change frequently, are increasingly sophisticated and often are not fully recognized or understood until after they have occurred, and some techniques could occur and persist for an extended period of time before being detected. For example, although we immediately fixed the configuration vulnerability that was exploited in the Cybersecurity Incident once we discovered the unauthorized access, a period of time elapsed between the occurrence of the unauthorized access and the time when we discovered it. In other circumstances, we and our service providers and other third parties with which we interact may be unable to anticipate or identify certain attack methods in order to implement effective preventative measures or mitigate or remediate the damages caused in a timely manner. We may also be unable to hire and develop talent capable of detecting, mitigating or remediating these risks. Although we seek to maintain a robust suite of authentication and layered information security controls, any one or combination of these controls could fail to detect, mitigate or remediate these risks in a timely manner. We will likely face an increasing number of attempted cyber-attacks as we expand our mobile and other internet-based products and services, as well as our usage of mobile and cloud technologies and as we provide more of these services to a greater number of retail clients.

A disruption or breach, including as a result of a cyber-attack such as the Cybersecurity Incident, or media reports of perceived security vulnerabilities at Capital One or at our service providers, could result in significant legal and financial exposure, regulatory intervention, litigation, remediation costs, card reissuance, supervisory liability, damage to our reputation or loss of confidence in the security of our systems, products and services that could adversely affect our business. There can be no assurance that unauthorized access or cyber incidents similar to the Cybersecurity Incident will not occur or that we will not

28

Capital One Financial Corporation (COF)

suffer material losses in the future. If future attacks are successful or if customers are unable to access their accounts online for other reasons, it could adversely impact our ability to service customer accounts or loans, complete financial transactions for our customers or otherwise operate any of our businesses or services. In addition, a breach or attack affecting one of our service providers or other third parties with which we interact could harm our business even if we do not control the service that is attacked.

Further, our ability to monitor our service providers’ cybersecurity practices is limited. Although we generally have agreements relating to cybersecurity and data privacy in place with our service providers, we cannot guarantee that such agreements will prevent a cyber incident impacting our systems or information or enable us to obtain adequate or any reimbursement from our service providers in the event we should suffer any such incidents. However, due to applicable laws and regulations or contractual obligations, we may be held responsible for cyber incidents attributed to our service providers as they relate to the information we share with them.

In addition, the increasing prevalence and the evolution of cyber-attacks and other efforts to breach or disrupt our systems or networks or those of our customers, service providers, partners or other third parties with which we interact has led, and will likely continue to lead, to increased costs to us with respect to preventing, mitigating and remediating these risks, as well as any related attempted fraud. In order to address ongoing and future risks, we must expend significant resources to support protective security measures, investigate and remediate any vulnerabilities of our information systems and infrastructure and invest in new technology designed to mitigate security risks. Further, high profile cyber incidents at Capital One or other large financial institutions could lead to a general loss of customer confidence in financial institutions that could negatively affect us, including harming the market perception of the effectiveness of our security measures or the financial system in general, which could result in reduced use of our financial products. We have insurance against some cyber risks and attacks; nonetheless, our insurance coverage may not be sufficient to offset the impact of a material loss event (including if our insurer denies coverage as to any particular claim in the future), and such insurance may increase in cost or cease to be available on commercially reasonable terms, or at all, in the future.

Our required compliance with applicable laws and regulations related to privacy, data protection and data security may increase our costs, reduce our revenue, increase our legal exposure and limit our ability to pursue business opportunities.

We are subject to a variety of continuously evolving and developing laws and regulations in the United States at the federal, state and local level regarding privacy, data protection and data security, including those related to the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information. For example, at the federal level, we are subject to the GLBA, among other laws and regulations. In addition, in November 2021, the Federal Reserve, OCC, and FDIC issued a final rule that, among other things, requires all banking organizations in the United States to notify their primary federal regulators of certain material computer-security incidents as soon as possible and no later than 36 hours after determining that the incident has occurred. At the state level, the CCPA went into effect on January 1, 2020 and covers certain companies that process personal information of California residents. The CCPA was recently amended by the CPRA, which will become effective in most material respects on January 1, 2023. Numerous other states have also enacted or are in the process of enacting state-level privacy, data protection and/or data security laws and regulations.

We also are, or may become, subject to continuously evolving and developing laws and regulations in other jurisdictions regarding privacy, data protection and data security. For example, in Canada we are subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). In addition, the EU GDPR applies EU data protection law to all companies processing data of EU residents, regardless of the company’s location. We also are subject to the U.K. GDPR (which is how GDPR has been implemented into U.K. law). These laws and regulations, and similar laws and regulations in other jurisdictions, impose strict requirements regarding the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information, which may have adverse consequences, including significant compliance costs and severe monetary penalties for non-compliance. Significant uncertainty exists as privacy, data protection, and data security laws may be interpreted and applied differently from country to country and may create inconsistent or conflicting requirements.

Further, we make public statements about our use, collection, disclosure and other processing of personal information through our privacy policies, information provided on our website and press statements. Although we endeavor to comply with our public statements and documentation, we may at times fail to do so or be alleged to have failed to do so. The publication of our privacy policies and other statements that provide promises and assurances about privacy, data protection and data security can subject us to potential government or legal action if they are found to be deceptive, unfair or misrepresentative of our actual practices.

29

Capital One Financial Corporation (COF)

Our efforts to comply with PIPEDA, GLBA, GDPR, U.K. GDPR, CCPA, CPRA and other privacy, data protection and data security laws and regulations, as well as our posted privacy policies, and related contractual obligations to third parties, entail substantial expenses, may divert resources from other initiatives and projects, and could limit the services we are able to offer. Furthermore, enforcement actions and investigations by regulatory authorities related to data security incidents and privacy, data protection and data security violations continue to increase. The enactment of more restrictive laws or regulations, or future enforcement actions or investigations, could impact us through increased costs or restrictions on our business, and any noncompliance or perceived noncompliance could result in monetary or other penalties, harm to our reputation and significant legal liability.

We face risks resulting from the extensive use of models and data.

We rely on quantitative models, our ability to manage and aggregate data in an accurate and timely manner, assess and manage our various risk exposures, estimate certain financial values and manage compliance with regulatory capital requirements. Models may be used in such processes as determining the pricing of various products, grading loans and extending credit, measuring interest rate and other market risks, predicting deposit levels or loan losses, assessing capital adequacy and calculating managerial and regulatory capital levels, estimating the value of financial instruments and balance sheet items, and other operational functions. Our risk reporting and management, including business decisions based on information incorporating models, depend on the effectiveness of our models and our policies, programs, processes and practices governing how data is acquired, validated, stored, protected, processed and analyzed. Any issues with the quality or effectiveness of our data aggregation and validation procedures, as well as the quality and integrity of data inputs, formulas or algorithms, could result in inaccurate forecasts, ineffective risk management practices or inaccurate risk reporting. In addition, models based on historical data sets might not be accurate predictors of future outcomes and their ability to appropriately predict future outcomes may degrade over time. While we continuously update our policies, programs, processes and practices, many of our data management, aggregation and implementation processes are manual and subject to human error or system failure. Failure to manage data effectively and to aggregate data in an accurate and timely manner may limit our ability to manage current and emerging risk, to produce accurate financial, regulatory and operational reporting as well as to manage changing business needs. If our risk management framework is ineffective, we could suffer unexpected losses which could materially adversely affect our results of operation or financial condition. Also, any information we provide to the public or to our regulators based on poorly designed or implemented models could be inaccurate or misleading. Some of the decisions that our regulators make, including those related to capital distribution to our stockholders, could be affected adversely due to the perception that the quality of the models used to generate the relevant information is insufficient.

Legal and Regulatory Risk

Compliance with new and existing laws, regulations and regulatory expectations is costly and complex.

A wide array of laws and regulations, including banking and consumer lending laws and regulations, apply to almost every aspect of our business. We and our subsidiaries are also subject to supervision and examination by multiple regulators, and the manner in which our regulators interpret applicable laws and regulations may affect how we comply with them. Failure to comply with these laws and regulations, even if the failure was inadvertent or reflects a difference in interpretation, could subject us to restrictions on our business activities, fines, criminal sanctions and other penalties, and/or damage to our reputation with regulators, our customers or the public. Hiring, training and retaining qualified compliance and legal personnel, and establishing and maintaining risk management and compliance-related systems, infrastructure and processes, is difficult and may lead to increased expenses. These efforts and the associated costs could limit our ability to invest in other business opportunities.

Applicable rules and regulations may affect us disproportionately compared to our competitors or in an unforeseen manner. For example, we have a large number of customer accounts in our credit card and auto lending businesses and we have made the strategic choice to originate and service subprime credit card and auto loans, which typically have higher delinquencies and charge-offs than prime customer accounts. As a result, we have significant involvement with credit bureau reporting and the collection and recovery of delinquent and charged-off debt, primarily through customer communications, the filing of litigation against customers in default, the periodic sale of charged-off debt and vehicle repossession. These activities are subject to enhanced legal and regulatory scrutiny from regulators, courts and legislators. Any future changes to or legal liabilities resulting from our business practices in these areas, including our debt collection practices, whether mandated by regulators, courts, legislators or otherwise, could have a material adverse impact on our financial condition.

30

Capital One Financial Corporation (COF)

The legislative and regulatory environment is beyond our control, may change rapidly and unpredictably, and may negatively influence our revenue, costs, earnings, growth, liquidity and capital levels. For example, there may be future rulemaking in emerging regulatory areas such as climate-related risks and new technologies, including distributed ledger technology and cryptocurrencies. In addition, some rules and regulations may be subject to litigation or other challenges that delay or modify their implementation and impact on us. Adoption of new technologies, such as distributed ledger technologies, tokenization, cloud computing, artificial intelligence and machine learning technologies, can present unforeseen challenges in applying and relying on existing compliance systems.

Certain laws and regulations, and any interpretations and applications with respect thereto, are generally intended to protect consumers, borrowers, depositors, the DIF, the U.S. banking and financial system, and financial markets as a whole, but not stockholders. Our success depends on our ability to maintain compliance with both existing and new laws and regulations. For a description of the material laws and regulations to which we are subject, see “Part I—Item 1. Business—Supervision and Regulation.”

Our businesses are subject to the risk of increased litigation, government investigations and regulatory enforcement.

Our businesses are subject to increased litigation, government investigations and other regulatory enforcement risks as a result of a number of factors and from various sources, including the highly regulated nature of the financial services industry, the focus of state and federal prosecutors on banks and the financial services industry and the structure of the credit card industry.

Given the inherent uncertainties involved in litigation, government investigations and regulatory enforcement decisions, and the very large or indeterminate damages sought in some matters asserted against us, there can be significant uncertainty as to the ultimate liability we may incur from these kinds of matters. The finding, or even the assertion, of substantial legal liability against us could have a material adverse effect on our business and financial condition and could cause significant reputational harm to us, which could seriously harm our business. The Cybersecurity Incident has resulted in litigation, government investigations and other regulatory enforcement inquiries.

In addition, financial institutions, such as ourselves, face significant regulatory scrutiny, which can lead to public enforcement actions or nonpublic supervisory actions. We and our subsidiaries are subject to comprehensive regulation and periodic examination by, among other regulatory bodies, the Federal Banking Agencies, SEC, CFTC and CFPB. We have been subject to enforcement actions by many of these and other regulators and may continue to be involved in such actions, including governmental inquiries, investigations and enforcement proceedings, including by the OCC, Department of Justice, Financial Crimes Enforcement Network (“FinCEN”) and state Attorneys General.

Over the last several years, federal and state regulators have focused on compliance with AML and sanctions laws, privacy, data protection and data security, use of service providers, fair lending and other consumer protection issues. In August 2020, we entered into consent orders with the Federal Reserve and the OCC resulting from regulatory reviews of the Cybersecurity Incident and relating to ongoing enhancements of our cybersecurity and operational risk management processes, and we paid a civil monetary penalty as part of the OCC agreement. In January 2021, we also paid a civil monetary penalty assessed by FinCEN against CONA in connection with our AML program. Regulatory scrutiny is expected to continue in these areas, including as a result of implementation of the AML Act of 2020.

We expect that regulators and governmental enforcement bodies will continue taking formal enforcement actions against financial institutions in addition to addressing supervisory concerns through nonpublic supervisory and enforcement actions or findings, which could involve restrictions on our activities, or our ability to make acquisitions or otherwise expand our business, among other limitations that could adversely affect our business. In addition, a violation of law or regulation by another financial institution is likely to give rise to an investigation by regulators and other governmental agencies of the same or similar practices by us. Furthermore, a single event may give rise to numerous and overlapping investigations and proceedings. These and other initiatives from governmental authorities and officials may subject us to further judgments, settlements, fines or penalties, or cause us to restructure our operations and activities or to cease offering certain products or services, all of which could harm our reputation or lead to higher operational costs. Litigation, government investigations and other regulatory actions could generally subject us to significant fines, increased expenses, restrictions on our activities and damage to our reputation and our brand, and could adversely affect our business, financial condition and results of operations. For additional information regarding legal and regulatory proceedings to which we are subject, see “Note 18—Commitments, Contingencies, Guarantees and Others.”

31

Capital One Financial Corporation (COF)

Other Business Risks

We face intense competition in all of our markets.

We operate in a highly competitive environment across all of our lines of business, whether in making loans, attracting deposits or in the global payments industry, and we expect competitive conditions to continue to intensify with respect to most of our products particularly in our credit card and consumer banking business. We compete on the basis of the rates we pay on deposits and the rates and other terms we charge on the loans we originate or purchase, as well as the quality and range of our customer service, products, innovation and experience. This increasingly competitive environment is primarily a result of changes in technology, product delivery systems and regulation, as well as the emergence of new or significantly larger financial services providers, all of which may affect our customers’ expectations and demands. In addition to offering competitive products and services, we invest in and conduct marketing campaigns to attract and inform customers.

Some of our competitors, including new and emerging competitors in the digital and mobile payments space and other financial technology providers, are not subject to the same regulatory requirements or legislative scrutiny to which we are subject, which also could place us at a competitive disadvantage, in particular in the development of new technology platforms or the ability to rapidly innovate. We compete with many forms of payments offered by both bank and non-bank providers, including a variety of new and evolving alternative payment mechanisms, systems and products, such as aggregators and web-based and wireless payment platforms or technologies, digital or cryptocurrencies, prepaid systems and payment services targeting users of social networks, communications platforms and online gaming. If we are unable to continue to keep pace with innovation, do not effectively market our products and services or are prohibited from or unwilling to enter emerging areas of competition, our business and results of operations could be adversely affected.

Some of our competitors are substantially larger than we are, which may give those competitors advantages, including a more diversified product and customer base, the ability to reach more customers and potential customers, operational efficiencies, broad-based local distribution capabilities, lower-cost funding and larger existing branch networks. Many of our competitors are also focusing on cross-selling their products and developing new products or technologies, which could affect our ability to maintain or grow existing customer relationships or require us to offer lower interest rates or fees on our lending products or higher interest rates on deposits. Competition for loans could result in origination of fewer loans, earning less on our loans or an increase in loans that perform below expectations.

We operate as an online direct bank in the United States. While direct banking provides a significant opportunity to attract new customers that value greater and more flexible access to banking services at reduced costs, we face strong and increasing competition in the direct banking market. Aggressive pricing throughout the industry may adversely affect the retention of existing balances and the cost-efficient acquisition of new deposit funds and may affect our growth and profitability. Customers could also close their online accounts or reduce balances or deposits in favor of products and services offered by competitors for other reasons. These shifts, which could be rapid, could result from general dissatisfaction with our products or services, including concerns over pricing, online security or our reputation. The potential consequences of this competitive environment are exacerbated by the flexibility of direct banking and the financial and technological sophistication of our online customer base.

In our credit card business, competition for rewards customers may result in higher rewards expenses, or we may fail to attract new customers or retain existing rewards customers due to increasing competition for these consumers. As of December 31, 2021, we have a number of large partnerships in our credit card loan portfolio. The market for key business partners, especially in the credit card business, is very competitive, and we may not be able to grow or maintain these partner relationships. Additionally, partners themselves may face changes in their business, including market factors and ownership changes, that could impact the partnership. We face the risk that we could lose partner relationships, even after we have invested significant resources into acquiring and developing the relationships. The loss of any of our key business partners could have a negative impact on our results of operations, including lower returns, excess operating expense and excess funding capacity.

We depend on our partners to effectively promote our co-brand and private label products and integrate the use of our credit cards into their retail operations. The failure by our partners to effectively promote and support our products as well as changes they may make in their business models could adversely affect card usage and our ability to achieve the growth and profitability objectives of our partnerships. In addition, if our partners do not adhere to the terms of our program agreements and standards, or otherwise diminish the value of our brand, we may suffer reputational damage and customers may be less likely to use our products.

32

Capital One Financial Corporation (COF)

Some of our competitors have developed, or may develop, substantially greater financial and other resources than we have, may offer richer value propositions or a wider range of programs and services than we offer, or may use more effective advertising, marketing or cross-selling strategies to acquire and retain more customers, capture a greater share of spending and borrowings, attain and develop more attractive co-brand card programs and maintain greater merchant acceptance than we have. We may not be able to compete effectively against these threats or respond or adapt to changes in consumer spending habits as effectively as our competitors.

In such a competitive environment, we may lose entire accounts or may lose account balances to competing firms, or we may find it more costly to maintain our existing customer base. Customer attrition from any or all of our lending products, together with any lowering of interest rates or fees that we might implement to retain customers, could reduce our revenues and therefore our earnings. Similarly, unexpected customer attrition from our deposit products, in addition to an increase in rates or services that we may offer to retain deposits, may increase our expenses and therefore reduce our earnings.

Our business, financial condition and results of operations may be adversely affected by merchants’ increasing focus on the fees charged by credit and debit card networks and by legislation and regulation impacting such fees.

Interchange fees are generally one of the largest components of the costs that merchants pay in connection with the acceptance of credit and debit cards and are a meaningful source of revenue for our credit and debit card businesses. Interchange fees are the subject of significant and intense global legal, legislative and regulatory focus, and the resulting decisions, legislation and regulation may have a material adverse impact on our overall business, financial condition and results of operations.

Legislative and regulatory bodies in a number of countries are seeking to reduce interchange fees through legislation, competition-related regulatory proceedings, voluntary agreements, central bank regulation and/or litigation. For credit transactions, interchange reimbursement rates in the United States are set by credit card networks such as MasterCard and Visa. For debit transactions, Federal Reserve rules place limits on the interchange fees we may charge. For more information on these rules, including the Federal Reserve’s proposed amendments, please see “Part I—Item 1. Business—Supervision and Regulation.” In some jurisdictions, such as Canada and certain countries in Europe, including the U.K., interchange fees and related practices are subject to regulatory activity, including in some cases, imposing caps on permissible interchange fees. Our international card businesses have been impacted by these restrictions. For example, in the U.K., interchange fees are capped for both credit and debit card transactions. In addition, in Canada, Visa and Mastercard payment networks have, since 2014, entered into voluntary agreements with the Department of Finance Canada to maintain an agreed upon average interchange rate. Lowering interchange fees remains an area of domestic and international governmental focus. Legislators and regulators around the world are aware of each other’s approaches to the regulation of the payments industry. Consequently, a development in one country, state or region may influence regulatory approaches in another, such as our primary market, the United States.

In addition to this regulatory activity, merchants are also seeking avenues to reduce interchange fees. During the past few years, merchants and their trade groups have filed numerous lawsuits against Visa, MasterCard, American Express and their card-issuing banks, claiming that their practices toward merchants, including interchange and similar fees, violate federal antitrust laws. In 2005, a number of entities filed antitrust lawsuits against MasterCard and Visa and several member banks, including our subsidiaries and us, alleging among other things, that the defendants conspired to fix the level of interchange fees. In December 2013, the U.S. District Court for the Eastern District of New York granted final approval of the proposed class settlement. The settlement provided, among other things, that merchants would be entitled to join together to negotiate lower interchange fees. The settlement was appealed to the Second Circuit Court of Appeals, which rejected the settlement in June 2016; a revised settlement was reached in the second half of 2018, and the trial court issued its final approval of the settlement in December 2019. See “Note 18—Commitments, Contingencies, Guarantees and Others” for further details.

Some major retailers may have sufficient bargaining power to independently negotiate lower interchange fees with MasterCard and Visa, which could, in turn, result in lower interchange fees for us when our cardholders undertake purchase transactions with these retailers. In 2016, some of the largest merchants individually negotiated lower interchange rates with MasterCard and/or Visa. These and other merchants also continue to lobby aggressively for caps and restrictions on interchange fees and their efforts may be successful or they may in the future bring legal proceedings against us or other credit card and debit card issuers and networks.

Beyond pursuing litigation, legislation and regulation, merchants may also promote forms of payment with lower fees, such as ACH-based payments, or seek to impose surcharges at the point of sale for use of credit or debit cards. New payment systems, particularly mobile-based payment technologies, could also gain widespread adoption and lead to issuer transaction fees or the displacement of credit card accounts as a payment method.

33

Capital One Financial Corporation (COF)

The heightened focus by merchants and legislative and regulatory bodies on the fees charged by credit and debit card networks, and the ability of certain merchants to successfully negotiate discounts to interchange fees with MasterCard and Visa or develop alternative payment systems, could result in a reduction of interchange fees. Any resulting loss in income to us could have a material adverse effect on our business, financial condition and results of operations.

If we are not able to invest successfully in and introduce digital and other technological developments across all our businesses, our financial performance may suffer.

Our industry is subject to rapid and significant technological changes and our ability to meet our customers’ needs and expectations is key to our ability to grow revenue and earnings. We expect digital technologies to have a significant impact on banking over time. Consumers expect robust digital experiences from their financial services providers. The ability for customers to access their accounts and conduct financial transactions using digital technology, including mobile applications, is an important aspect of the financial services industry and financial institutions are rapidly introducing new digital and other technology-driven products and services that aim to offer a better customer experience and to reduce costs. We continue to invest in digital technology designed to attract new customers, facilitate the ability of existing customers to conduct financial transactions and enhance the customer experience related to our products and services.

Our continued success depends, in part, upon our ability to address the needs of our customers by using digital technology to provide products and services that meet their expectations. The development and launch of new digital products and services depends in large part on our capacity to invest in and build the technology platforms that can enable them, in a cost effective and timely manner. See “We face intense competition in all of our markets” and “We face risks related to our operational, technological and organizational infrastructure.”

Some of our competitors are substantially larger than we are, which may allow those competitors to invest more money into their technology infrastructure and digital innovation than we do. In addition, we face intense competition from smaller companies which experience lower cost structures and different regulatory requirements and scrutiny than we do, and which may allow them to innovate more rapidly than we can. See “We face intense competition in all of our markets.” Further, our success depends on our ability to attract and retain strong digital and technology leaders, engineers and other specialized personnel. The competition is intense and the compensation costs continue to increase for such talent. If we are unable to attract and retain digital and technology talent, our ability to offer digital products and services and build the necessary technology infrastructure could be negatively affected, which could negatively impact our business and financial results. A failure to maintain or enhance our competitive position with respect to digital products and services, whether because we fail to anticipate customer expectations or because our technological developments fail to perform as desired or are not implemented in a timely or successful manner, could negatively impact our business and financial results.

We may fail to realize the anticipated benefits of our mergers, acquisitions and strategic partnerships.

We have engaged in merger and acquisition activity and entered into strategic partnerships over the past several years. We continue to evaluate and anticipate engaging in, among other merger and acquisition activity, additional strategic partnerships and selected acquisitions of financial institutions and other businesses or assets, including credit card and other loan portfolios. We may not be able to identify and secure future acquisition targets on terms and conditions that are acceptable to us, or successfully complete within the anticipated time frame and achieve the anticipated benefits of proposed mergers, acquisitions and strategic partnerships, which could impair our growth.

Any merger, acquisition or strategic partnership we undertake entails certain risks, which may materially and adversely affect our results of operations. If we experience greater than anticipated costs to integrate acquired businesses into our existing operations, or are not able to achieve the anticipated benefits of any merger, acquisition or strategic partnership, including cost savings and other synergies, our business could be negatively affected. In addition, it is possible that the ongoing integration processes could result in the loss of key employees, errors or delays in systems implementation, exposure to cybersecurity risks associated with acquired businesses, exposure to additional regulatory oversight, the disruption of our ongoing businesses or inconsistencies in standards, controls, procedures and policies that adversely affect our ability to maintain relationships with partners, clients, customers, depositors and employees or to achieve the anticipated benefits of any merger, acquisition or strategic partnership. Integration efforts also may divert management attention and resources. These integration matters may have an adverse effect on us during any transition period.

34

Capital One Financial Corporation (COF)

In addition, we may face the following risks in connection with any merger, acquisition or strategic partnership:

•New Businesses and Geographic or Other Markets: Our merger, acquisition or strategic partnership activity may involve our entry into new businesses, or new geographic areas or other markets which present risks resulting from our relative inexperience in these new businesses or markets. These new businesses or markets may change the overall character of our consolidated portfolio of businesses and alter our exposure to economic and other external factors. We face the risk that we will not be successful in these new businesses or in these new markets.

•Identification and Assessment of Merger and Acquisition Targets and Deployment of Acquired Assets: We may not be able to identify, acquire or partner with suitable targets. Further, our ability to achieve the anticipated benefits of any merger, acquisition or strategic partnership will depend on our ability to assess the asset quality and value of the particular assets or institutions we partner with, merge with or acquire. We may be unable to profitably deploy any assets we acquire.

•Accuracy of Assumptions: In connection with any merger, acquisition or strategic partnership, we may make certain assumptions relating to the proposed merger, acquisition or strategic partnership that may be, or may prove to be, inaccurate, including as a result of the failure to realize the expected benefits of any merger, acquisition or strategic partnership. The inaccuracy of any assumptions we may make could result in unanticipated consequences that could have a material adverse effect on our results of operations or financial condition.

•Target-specific Risk: Assets and companies that we acquire, or companies that we enter into strategic partnerships with, will have their own risks that are specific to a particular asset or company. These risks include, but are not limited to, particular or specific regulatory, accounting, operational, reputational and industry risks, any of which could have a material adverse effect on our results of operations or financial condition. For example, we may face challenges associated with integrating other companies due to differences in corporate culture, compliance systems or standards of conduct. Indemnification rights, if any, may be insufficient to compensate us for any losses or damages resulting from such risks. In addition to regulatory approvals discussed below, certain of our merger, acquisition or partnership activity may require third-party consents in order for us to fully realize the anticipated benefits of any such transaction.

•Conditions to Regulatory Approval: We may be required to obtain regulatory approvals to consummate certain acquisitions. We cannot be certain whether, when or on what terms and conditions, such approvals may be granted. Consequently, we may not obtain regulatory approval for a proposed acquisition on acceptable terms or at all, in which case we would not be able to complete the acquisition despite investing resources in pursuing it.

Reputational risk and social factors may impact our results and damage our brand.

Our ability to attract and retain customers is highly dependent upon the perceptions of consumer and commercial borrowers and deposit holders and other external perceptions of our products, services, trustworthiness, business practices, workplace culture, compliance practices or our financial health. In addition, our brand is very important to us. Maintaining and enhancing our brand depends largely on our ability to continue to provide high-quality products and services. Adverse perceptions regarding our reputation in the consumer, commercial and funding markets could lead to difficulties in generating and maintaining accounts as well as in financing them. In particular, negative public perceptions regarding our reputation, including negative perceptions regarding our ability to maintain the security of our technology systems and protect customer data, could lead to decreases in the levels of deposits that consumer and commercial customers and potential customers choose to maintain with us or significantly increase the costs of attracting and retaining customers. In addition, negative perceptions regarding certain industries, partners or clients could also prompt us to cease business activities associated with those entities.

Negative public opinion or damage to our brand could also result from actual or alleged conduct in any number of activities or circumstances, including lending practices, regulatory compliance, security breaches (including the use and protection of customer data, such as resulting from the Cybersecurity Incident), corporate governance and sales and marketing, and from actions taken by regulators or other persons in response to such conduct. Such conduct could fall short of our customers’ and the public’s heightened expectations of companies of our size with rigorous privacy, data protection, data security and compliance practices, and could further harm our reputation. In addition, our co-brand and private label partners or other third parties with whom we have important relationships may take actions over which we have limited control that could negatively impact perceptions about us or the financial services industry. The proliferation of social media may increase the likelihood that negative public opinion from any of the events discussed above will impact our reputation and business.

35

Capital One Financial Corporation (COF)

In addition, a variety of social factors may cause changes in borrowing activity, including credit card use, payment patterns and the rate of defaults by account holders and borrowers domestically and internationally. These social factors include changes in consumer confidence levels, the public’s perception regarding the banking industry and consumer debt, including credit card use, and changing attitudes about the stigma of bankruptcy. If consumers develop or maintain negative attitudes about incurring debt, or if consumption trends decline or if we fail to maintain and enhance our brand, or we incur significant expenses to do so, our business and financial results could be materially and negatively affected.

If we are not able to protect our intellectual property, our revenue and profitability could be negatively affected.

We rely on a variety of measures to protect and enhance our intellectual property, including copyrights, trademarks, trade secrets, patents and certain restrictions on disclosure, solicitation and competition. We also undertake other measures to control access to and distribution of our other proprietary information. These measures may not prevent misappropriation of our proprietary information or infringement of our intellectual property rights and a resulting loss of competitive advantage. In addition, our competitors or other third parties may obtain patents for innovations that are used in our industry or allege that our systems, processes or technologies infringe on their intellectual property rights. If our competitors or other third parties are successful in obtaining such patents or prevail in intellectual property-related litigation against us, we could lose significant revenues, incur significant license, royalty or technology development expenses, or pay significant damages.

Our risk management strategies may not be fully effective in mitigating our risk exposures in all market environments or against all types of risk.

Management of market, credit, liquidity, operational and compliance risk requires, among other things, policies and procedures to properly record and verify a large number of transactions and events. See “MD&A—Risk Management” for further details. Even though we continue to devote significant resources to developing our risk management framework, our risk management strategies may not be fully effective in identifying and mitigating our risk exposure in all market environments or against all types of risk, including risks that are unidentified or unanticipated.

Some of our methods of managing these risks are based upon our use of observed historical market behavior and management’s judgment. These methods may not accurately predict future exposures, which could be significantly greater than the historical measures indicate and market conditions, particularly during a period of financial market stress, can involve unprecedented dislocations. For example, credit risk is inherent in the financial services business and results from, among other things, extending credit to customers. Our ability to assess the creditworthiness of our customers may be impaired if the models and approaches we use to select, manage and underwrite our consumer and commercial customers become less predictive of future charge-offs due, for example, to rapid changes in the economy, or degradation in the predictive nature of credit bureau and other data used in underwriting.

While we employ a broad and diversified set of risk monitoring and risk mitigation techniques, those techniques and the judgments that accompany their application cannot anticipate every economic and financial outcome or the timing of such outcomes. For example, our ability to implement our risk management strategies may be hindered by adverse changes in the volatility or liquidity conditions in certain markets and as a result, may limit our ability to distribute such risks (for instance, when we seek to syndicate exposure in bridge financing transactions we have underwritten). We may, therefore, incur losses in the course of our risk management or investing activities.

Fluctuations in market interest rates or volatility in the capital markets could adversely affect our income and expense, the value of assets and obligations, our regulatory capital, cost of capital or liquidity.

Like other financial institutions, our business is sensitive to market interest rate movements and the performance of the capital markets. Disruptions, uncertainty or volatility across the capital markets could negatively impact market liquidity, limit our access to the funding and capital required to operate and grow our business and adversely affect our results of operations and financial condition. In addition, changes in interest rates or in valuations in the debt or equity markets could directly impact us. For example, we borrow money from other institutions and depositors, which we use to make loans to customers and invest in debt securities and other interest-earning assets. We earn interest on these loans and assets and pay interest on the money we borrow from institutions and depositors. The interest rates that we pay on the securities we have issued are also influenced by, among other things, applicable credit ratings from recognized rating agencies. A downgrade to any of these credit ratings could affect our ability to access the capital markets, increase our borrowing costs and have a negative impact on our results of operations. Increased charge-offs, rising interest rates and other events may cause our securitization transactions to amortize earlier than scheduled, which could accelerate our need for additional funding from other sources. Fluctuations in interest rates,

36

Capital One Financial Corporation (COF)

including changes in the relationship between short-term rates and long-term rates and in the relationship between our funding basis rate and our lending basis rate, may have negative impacts on our net interest income and therefore our earnings.

In addition, interest rate fluctuations and competitor responses to those changes may affect the rate of customer prepayments for auto and other term loans and may affect the balances customers carry on their credit cards. For example, increases in interest rates increase debt service requirements for some of our borrowers, which may adversely affect those borrowers’ ability to pay as contractually obligated. This could result in additional delinquencies or charge-offs and negatively impact our results of operations. These changes can reduce the overall yield on our interest-earning asset portfolio. Changes in interest rates and competitor responses to these changes may also impact customer decisions to maintain balances in the deposit accounts they have with us. An inability to attract or maintain deposits could materially affect our ability to fund our business and our liquidity position. Many other financial institutions have increased their reliance on deposit funding and, as such, we expect continued competition in the deposit markets. We cannot predict how this competition will affect our costs. If we are required to offer higher interest rates to attract or maintain deposits, our funding costs will be adversely impacted. Changes in valuations in the debt and equity markets could have a negative impact on the assets we hold in our investment portfolio. Such market changes could also have a negative impact on the valuation of assets for which we provide servicing.

We assess our interest rate risk by estimating the effect on our earnings, economic value and capital under various scenarios that differ based on assumptions about the direction and the magnitude of interest rate changes. We take risk mitigation actions based on those assessments. We face the risk that changes in interest rates could materially reduce our net interest income and our earnings, especially if actual conditions turn out to be materially different than those we assumed. See “MD&A—Market Risk Profile” for additional information.

The transition away from LIBOR may adversely affect our business.

Central banks around the world, including the Federal Reserve, have commissioned committees and working groups of market participants and official sector representatives to replace LIBOR and replace or reform other interest rate benchmarks. The publication of non-U.S. dollar LIBOR rates on a representative basis, as well as the publication of the lesser used 1-week and 2-month U.S. dollar LIBOR tenors, ceased as of the end of December 2021. While the most commonly used U.S. dollar LIBOR tenors are expected to continue to be published until June 30, 2023, the U.S. banking agencies issued guidance that banking organizations should cease using U.S. dollar LIBOR as a reference rate in new contracts in any event by December 31, 2021. A transition away from the widespread use of LIBOR to alternative rates and other potential interest rate benchmark reforms has begun and is continuing. These reforms have caused and may in the future cause such rates to perform differently than in the past, or to disappear entirely, or have other consequences which cannot be predicted.

Given LIBOR’s extensive use across financial markets, the transition away from LIBOR presents several risks and challenges to the financial markets and financial institutions, including Capital One. We have loans, derivative contracts, unsecured debt, securitizations, vendor agreements and other instruments with attributes that are either directly or indirectly dependent on LIBOR. Uncertainty as to the nature of potential changes, alternative reference rates (including the pace of transition to, the specific terms and parameters for, and market acceptance of, such rates), or other reforms may adversely affect market liquidity, the pricing of LIBOR-based instruments, and the availability and cost of associated hedging instruments and borrowings. The Secured Overnight Financing Rate (“SOFR”) has been recommended by the Alternative Reference Rates Committee (“ARRC”) as an alternative to U.S. dollar LIBOR. Nevertheless, the transition away from LIBOR could result in loss of market share in certain products, adverse tax or accounting impacts, compliance, legal or operational costs and risks associated with client disclosures, as well as systems disruption, model disruption and other business continuity issues for us.

In addition, risks will remain for us with respect to outstanding instruments which rely on LIBOR. Those risks arise in connection with transitioning such instruments to a new reference rate, the taking of discretionary actions (for example, under fallback provisions) or the negotiation of fallback provisions and final amendments to existing LIBOR based agreements. Payments under contracts referencing new reference rates may significantly differ from those referencing LIBOR. For some instruments, the method of transitioning to a new reference rate may be challenging, especially if parties to an instrument cannot agree as to how to effect that transition. If a contract is not transitioned to a new reference rate and LIBOR ceases to exist, the impact on our obligations is likely to vary by contract. In addition, prior to LIBOR cessation, instruments that continue to refer to LIBOR may be impacted if there is a change in the availability or calculation of LIBOR. The transition from LIBOR to an alternative reference rate has changed our market risk profile and required changes to risk and pricing models, valuation tools, product design, information technology systems, reporting infrastructure, operational processes and controls, and hedging strategies, and may result in or require further such changes in the future. In many cases, we are and may in the future be dependent on third parties to upgrade systems, software and other critical functions that could materially disrupt our

37

Capital One Financial Corporation (COF)

readiness if they are not done on a timely basis or otherwise fail. Our assessment of the ultimate impact of, and our planning for, the transition from LIBOR remains ongoing. Failure to adequately manage the transition could have a material adverse effect on our reputation, business, financial condition and results of operations. See “MD&A—Market Risk Profile” for additional information.

Our business could be negatively affected if we are unable to attract, retain and motivate skilled employees.

Our success depends, in large part, on our ability to retain key senior leaders and to attract and retain skilled employees, particularly employees with advanced expertise in credit, risk, digital and technology skills. We depend on our senior leaders and skilled employees to oversee simultaneous, transformative initiatives across the enterprise and execute on our business plans in an efficient and effective manner. Competition for such senior leaders and employees, and the costs associated with attracting and retaining them, is high and made even more competitive as a result of the external environment, including increasing rates of job transition and low unemployment. Our ability to attract and retain qualified employees also is affected by perceptions of our culture and management, our profile in the regions where we have offices and the professional opportunities we offer. Regulation or regulatory guidance restricting executive compensation, as well as evolving investor expectations, may limit the types of compensation arrangements that we may enter into with our most senior leaders and could have a negative impact on our ability to attract, retain and motivate such leaders in support of our long-term strategy. These laws and regulations may not apply in the same manner to all financial institutions and technology companies, which therefore may subject us to more restrictions than other institutions and companies with which we compete for talent and may also hinder our ability to compete for talent with other industries. We rely upon our senior leaders not only for business success, but also to lead with integrity. To the extent our senior leaders behave in a manner that does not comport with our values, the consequences to our brand and reputation could be severe and could adversely affect our financial condition and results of operations. If we are unable to attract, develop and retain talented senior leadership and employees, or to implement appropriate succession plans for our senior leadership, our business could be negatively affected.

We face risks from unpredictable catastrophic events.

Despite the business contingency plans we have in place, such plans do not fully mitigate all potential business continuity risks to us. Natural disasters and other catastrophic events could harm our employees, business and infrastructure, including our information technology systems and third-party platforms. Our ability to conduct business may be adversely affected by a disruption in the infrastructure that supports our business and the communities where we are located, which are concentrated in the Northern Virginia and New York metropolitan areas, as well as Richmond, Virginia and Plano, Texas. This may include a disruption involving damage or loss of access to a physical site, cyber-attacks and other security incidents, terrorist activities, the occurrence or worsening of disease outbreaks or pandemics (including the COVID-19 pandemic), natural disasters, extreme weather events (including as a result of climate change), electrical outage, environmental hazards, disruption to technological infrastructure, communications or other services we use, our employees or third parties with whom we conduct business. Our business, financial condition and results of operations may be impacted by any such disruption and our ability to implement corresponding response measures quickly, including, for example, our ability to respond effectively to a remote work environment as a result of the ongoing COVID-19 pandemic and related response measures. In addition, if a natural disaster or other catastrophic event occurs in certain regions where our business and customers are concentrated, such as the mid-Atlantic, New York, California or Texas metropolitan areas, we could be disproportionately impacted as compared to our competitors. The impact of such events and other catastrophes on the overall economy may also adversely affect our financial condition and results of operations.

Climate change manifesting as physical or transition risks could adversely affect our operations, businesses and customers.

The physical risks of climate change include discrete events, such as flooding and wildfires, and longer-term shifts in climate patterns, such as extreme heat, sea level rise, and more frequent and prolonged drought. Such events could disrupt our operations or those of our customers or third parties on which we rely, including through direct damage to assets and indirect impacts from supply chain disruption and market volatility. Additionally, transitioning to a low-carbon economy may entail significant policy, legal, technology and market initiatives. Transition risks, including changes in consumer preferences and additional regulatory requirements or taxes, could increase our expenses and impact our strategies or those of our customers. Physical and transition risks could also affect the financial health of certain customers in impacted industries or geographies. In addition, our reputation and client relationships may be damaged as a result of our practices and decisions related to climate change and the environment, or the practices or involvement of our clients, in certain industries or projects associated with causing or exacerbating climate change. Climate risk is interconnected with many risk types. We continue to enhance processes to embed evolving climate risk considerations into our risk management strategies established for risks such as market, credit

38

Capital One Financial Corporation (COF)

and operational risks; however, because the timing and severity of climate change may not be predictable, our risk management strategies may not be effective in mitigating climate risk exposure.

We face risks from the use of or changes to assumptions or estimates in our financial statements.

Pursuant to generally accepted accounting principles in the U.S. (“U.S. GAAP”), we are required to use certain assumptions and estimates in preparing our financial statements, including determining our allowance for credit losses, the fair value of certain assets and liabilities, and goodwill impairment, among other items. In addition, the FASB, the SEC and other regulatory bodies may change the financial accounting and reporting standards, including those related to assumptions and estimates we use to prepare our financial statements, in ways that we cannot predict and that could impact our financial statements. If actual results differ from the assumptions or estimates underlying our financial statements or if financial accounting and reporting standards are changed, we may experience unexpected material losses. For a discussion of our use of estimates in the preparation of our consolidated financial statements, see “MD&A—Critical Accounting Policies and Estimates” and “Note 1—Summary of Significant Accounting Policies.”

The soundness of other financial institutions and other third parties could adversely affect us.

Our ability to engage in routine funding and other transactions could be adversely affected by the stability and actions of other financial services institutions. Financial services institutions are interrelated as a result of trading, clearing, servicing, counterparty and other relationships. We have exposure to financial institutions, intermediaries and counterparties that are exposed to risks over which we have little or no control.

In addition, we routinely execute transactions with counterparties in the financial services industry, including brokers and dealers, commercial banks, investment banks, mutual and hedge funds and other institutional clients, resulting in a significant credit concentration with respect to the financial services industry overall. As a result, defaults by, or even rumors or questions about, one or more financial services institutions, or the financial services industry generally, have led to market-wide liquidity problems and could lead to losses or defaults by us or by other institutions.

Likewise, adverse developments affecting the overall strength and soundness of our competitors, the financial services industry as a whole and the general economic climate or sovereign debt could have a negative impact on perceptions about the strength and soundness of our business even if we are not subject to the same adverse developments. In addition, adverse developments with respect to third parties with whom we have important relationships also could negatively impact perceptions about us. These perceptions about us could cause our business to be negatively affected and exacerbate the other risks that we face.