COF, §1A diff (2021 → 2022)
Added paragraphs (11611 words)
The following discussion sets forth what management currently believes could be the material risks and uncertainties that could impact our businesses, results of operations and financial condition. The events and consequences discussed in these risk factors could, in circumstances we may not be able to accurately predict, recognize, or control, have a material adverse effect on our business, growth, reputation, prospects, financial condition, operating results, cash flows, liquidity, and stock price. These risk factors do not identify all risks that we face; our operations could also be affected by factors, events, or uncertainties that are not presently known to us or that we currently do not consider to present significant risks to our operations. In addition, the global economic and political climate may amplify many of these risks.
The following is a summary of the Risk Factors disclosure in this Item 1A. This summary does not address all of the risks that we face. Additional discussion of the risks summarized in this risk factor summary, and other risks that we face, can be found below and should be carefully considered, together with other information in this Form 10-K and our other filings with the SEC, before making an investment decision regarding our securities.
•Fluctuations in market interest rates or volatility in the capital markets could adversely affect our business.
•We may experience increases or fluctuations in delinquencies and credit losses, inaccurate estimates and inadequate reserves.
•We may not be able to maintain adequate capital or liquidity levels or may become subject to revised capital or liquidity requirements, which could have a negative impact on our financial results and our ability to return capital to our stockholders.
•A cyber-attack or other security incident, including one that results in the theft, loss, manipulation or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions.
•The transition away from London Interbank Offered Rate may adversely affect our business.
•Our business could be negatively affected if we are unable to attract, retain and motivate key senior leaders and skilled employees.
•We face risks from catastrophic events.
•Climate change manifesting as physical or transition risks could adversely affect our businesses, operations and customers.
Some of the risks we face in connection with adverse changes and instability in the macroeconomic environment and changes in consumer confidence levels and behavior, include the following:
•Monetary policies and actions taken by the Federal Reserve and other central banks or governmental authorities;
•Economic deterioration due to escalation of military hostilities or other geopolitical instabilities;
•Changes in payment patterns, increases or fluctuations in delinquencies and default rates, decreased consumer spending, inflation, fluctuation in interest rates, lower demand for credit and shifts in consumer behavior, including deposits and payments;
•Recent changes in usage of commercial real estate, which may have a sustained negative impact on utilization rates and values;
•Decreased reliability of the process and models, including those we use to estimate our allowance for credit losses, particularly if unexpected variations in key inputs and assumptions cause actual losses to diverge from the projections of our models and our estimates become increasingly subject to management’s judgment. See “We face risks resulting from the extensive use of models and data.”
The U.K. and the EU agreed to a free trade deal at the end of 2020 relating to the U.K.’s exit from the EU. Although this deal has provided greater near-term stability, there is still some degree of uncertainty as to the relationship between the U.K and the EU, which may increase volatility in the regional and global financial markets. In addition, the global economy, including economic conditions in the U.K., has been negatively impacted by the war between Russia and Ukraine. Continued escalation of geopolitical tensions related to the war, including increased trade barriers or restrictions on global trade, could further deteriorate international economic conditions. We continue to consider and monitor the potential impacts of the relationship between the U.K. and EU, as well as the war between Russia and Ukraine.
Fluctuations in market interest rates or volatility in the capital markets could adversely affect our business.
Like other financial institutions, our business is sensitive to interest rate movements and the performance of the capital markets.
We rely on access to the capital markets to fund our operations and to grow our business. Our ability to borrow from other financial institutions or to engage in funding transactions on favorable terms or at all could be adversely affected by disruptions, uncertainty or volatility in the capital markets or other events, including changing credit rating agency requirements. For example, a credit rating downgrade could affect our ability to access the capital markets, increase our funding costs and have a negative impact on our results of operations. Additionally, increased charge-offs, rising interest rates and other events may cause our securitization transactions to amortize earlier than scheduled or reduce the value of the securities that we hold for liquidity purposes, which could accelerate our need for additional funding from other sources.
Additionally, changes in interest rates could adversely affect the results of our operations and financial condition. For example, we borrow money from other institutions and depositors, which we use to make loans to customers and invest in debt securities and other interest-earning assets. We earn interest on these loans and assets and pay interest on the money we borrow from institutions and depositors. In response to inflationary pressures, the Federal Reserve has reversed its policy of maintaining the low benchmark federal funds interest rate over the last several years. In March 2022, the Federal Reserve began increasing the benchmark federal funds interest rate and has signaled its intention to continue to raise interest rates in an effort to tame
inflation. Thus, the amount of interest that we pay on certain borrowings has increased and could increase further. Additionally, a shrinking yield premium between short-term and long-term market interest rates and in the relationship between our funding basis rate and our lending basis rate and inflation could affect our profitability.
We assess our interest rate risk by estimating the effect on our earnings, economic value and capital under various scenarios that differ based on assumptions about the direction and the magnitude of interest rate changes. We take risk mitigation actions based on those assessments. We face the risk that changes in interest rates could materially reduce our net interest income and our earnings, especially if actual conditions turn out to be materially different than those we assumed. See “Part II—Item 7. MD&A—Market Risk Profile” for additional information.
Furthermore, interest rate fluctuations and competitor responses to those changes may affect the rate of customer prepayments for auto and other term loans and may affect the balances customers carry on their credit cards and their balances in the deposits accounts they have with us. For example, increases in interest rates increase debt service requirements for some of our borrowers, which may adversely affect those borrowers’ ability to pay as contractually obligated. This could result in additional or fluctuating delinquencies or charge-offs and negatively impact our results of operations. These changes can reduce the overall yield on our interest-earning asset portfolio. An inability to attract or maintain deposits could materially affect our ability to fund our business and our liquidity position. Many other financial institutions have increased their reliance on deposit funding and, as such, we expect continued competition in the deposit markets. We cannot predict how this competition will affect our costs. If we are required to offer higher interest rates to attract or maintain deposits, our funding costs will be adversely impacted. Changes in valuations in the debt and equity markets could have a negative impact on the assets we hold in our investment portfolio. Such market changes could also have a negative impact on the valuation of assets for which we provide servicing.
Although the global economy has begun to recover from the COVID-19 pandemic, certain adverse consequences of the pandemic, including labor shortages, disruptions of global supply chains and inflationary pressures, continue to impact the macroeconomic environment and could adversely affect our business. Should these ongoing effects of the pandemic continue for an extended period or worsen, our purchase volume, loan balances and the overall demand for our products and services may be significantly impacted, which could adversely affect our financial condition and other results of operations. In addition, we could experience higher credit losses in our loan portfolios and increases in our allowance for credit losses beyond current levels. We could also experience impairments of other financial assets and other negative impacts on our financial position, including possible constraints on liquidity and capital, as well as higher costs of capital. Long-term consequences of the COVID-19 pandemic on our business, results of operations and financial condition, as well as our capital and liquidity ratios and our ability to take capital actions, will depend on future developments that remain uncertain, including, for example, future actions taken by governmental authorities, central banks and other third parties in response to the pandemic and the effects on our customers, counterparties, associates and third-party service providers.
In the third quarter of 2022, we moved our associates to a hybrid work model. As a result we may experience increased costs and/or disruption as we experiment with hybrid work models, in addition to potential effects on our ability to operate effectively and maintain our corporate culture. We will continue to monitor local conditions to ensure the safety of our associates and customers while providing critical banking services. We may take further actions as required by government authorities or that we otherwise determine are in the best interests of our customers, associates and business partners. These measures could impair our ability to perform critical functions and may adversely impact our results of operations.
We may experience increases or fluctuations in delinquencies and credit losses, inaccurate estimates and inadequate reserves.
Like other lenders, we face the risk that our customers will not repay their loans. A customer’s ability and willingness to repay us can be adversely affected by decreases in the income of the borrower or increases in their payment obligations to other lenders, whether as a result of higher debt levels or rising interest rates, by rising levels of inflation, or by restricted availability of credit generally. We may fail to quickly identify and reduce our exposure to customers that are likely to default on their payment obligations, whether by closing credit lines or restricting authorizations. Our ability to manage credit risk also is affected by legal or regulatory changes (such as restrictions on collections, bankruptcy laws, minimum payment regulations and
re-age guidance), competitors’ actions and consumer behavior, and depends on the effectiveness of our collections staff, techniques and models.
Rising losses or leading indicators of rising losses (such as higher delinquencies, charge-offs, higher rates of nonperforming loans, higher bankruptcy rates, lower collateral values, elevated unemployment rates or changing market terms) may require us to increase our allowance for credit losses, which would decrease our profitability if we are unable to raise revenue or reduce costs to compensate for higher losses. In particular, we face the following risks in this area:
•Missed Payments: Our customers may miss payments. Loan charge-offs (including from bankruptcies) are generally preceded by missed payments or other indications of worsening financial condition for our customers. Historically, customers are more likely to miss payments during an economic downturn, recession, periods of high unemployment, or prolonged periods of slow economic growth. In addition, we face the risk that consumer and commercial customer behavior may change (for example, an increase in the unwillingness or inability of customers to repay debt, which may be heightened by increasing interest rates or levels of consumer debt), causing a long-term rise or fluctuations in delinquencies and charge-offs.
•Incorrect Estimates of Expected Losses: The credit quality of our portfolio can have a significant impact on our earnings. We allow for and reserve against credit risks based on our assessment of expected credit losses in our loan portfolios. This process, which is critical to our financial condition and results of operations, requires complex judgments, including forecasts of economic conditions. We may underestimate our expected losses and fail to hold an allowance for credit losses sufficient to account for these losses. Incorrect assumptions could lead to material underestimations of expected credit losses and an inadequate allowance for credit losses. See “We face risks resulting from the extensive use of models and data.”
•Business Mix: We engage in a diverse mix of businesses with a broad range of potential credit exposure. Because we originate a relatively greater proportion of consumer loans in our loan portfolio compared to other large bank peers and originate both prime and subprime credit card accounts and auto loans, we may experience higher delinquencies and a greater number of accounts charging off, as well as greater fluctuations in those metrics, compared to other large bank peers, which could result in increased credit losses, operating costs and regulatory scrutiny. Additionally, a change in this business mix over time to include proportionally more consumer loans or subprime credit card accounts or auto loans could adversely affect the credit quality of our portfolio.
•Increasing Charge-off Recognition/Allowance for Credit Losses: We account for the allowance for credit losses according to accounting and regulatory guidelines and rules, including Financial Accounting Standards Board (“FASB”) standards and the Federal Financial Institutions Examination Council (“FFIEC”) Account Management Guidance. We measure our allowance for credit losses under the CECL standard, which is based on management’s best estimate of expected lifetime credit losses. The impact of measuring our allowance for credit losses on our results will depend on the characteristics of our financial instruments, economic conditions, and our economic and loss forecasts. The application of the CECL standard may require us to increase reserves faster and to a higher level in an economic downturn, resulting in greater adverse impact to our results and our capital ratios than we would have experienced in similar circumstances prior to the adoption of CECL. In addition, because credit cards represent a significant portion of our product mix, we could be disproportionately affected by use of the CECL standard, as compared to our large bank peers with a different product mix.
•Geographic and Industry Concentration: Although our consumer lending is geographically diversified, approximately 40% of our commercial real estate loan portfolio is concentrated in the Northeast region. The regional economic conditions in the Northeast affect the demand for our commercial products and services as well as the ability of our customers to repay their commercial real estate loans and the value of the collateral securing these loans. An economic downturn or prolonged period of slow economic growth in, or a catastrophic event or natural disaster that disproportionately affects the Northeast region could have a material adverse effect on the performance of our commercial real estate loan portfolio and our results of operations. In addition, our Commercial Banking strategy includes an industry-specific focus. If any of the industries that we focus on experience changes, we may experience increased credit losses and our results of operations could be adversely impacted.
We may not be able to maintain adequate capital or liquidity levels or may become subject to revised capital or liquidity requirements, which could have a negative impact on our financial results and our ability to return capital to our stockholders.
Financial institutions are subject to extensive and complex capital and liquidity requirements, which are subject to change. These requirements affect our ability to lend, grow deposit balances, make acquisitions and distribute capital. Failure to maintain adequate capital or liquidity levels, whether due to adverse developments in our business or the economy or to changes in the applicable requirements, could subject us to a variety of restrictions and/or remedial actions imposed by our regulators. These include limitations on the ability to pay dividends and/or repurchase shares and the issuance of a capital directive to increase capital. Such limitations or capital directive could have a material adverse effect on our business and results of operations.
We consider various factors in the management of capital, including the impact of both internal and supervisory stress scenarios on our capital levels as determined by our internal modeling and the Federal Reserve’s estimation of losses in supervisory stress scenarios that are used to annually set our stress capital buffer requirement. There can be significant differences between our modeling and the Federal Reserve’s projections for a given supervisory stress scenario and between the capital needs suggested by our internal stress scenarios and the supervisory scenarios. Therefore, although our estimated capital levels under stress disclosed as part of the stress testing processes may suggest that we have a particular capacity to return capital to stockholders and remain well capitalized under stress, the Federal Reserve’s modeling, our internal modeling of another scenario and/or other factors related to our capital management process may reflect a lower capacity to return capital to stockholders than that indicated by the projections released in the stress testing processes. This in turn, could lead to restrictions on our ability to pay dividends and engage in share repurchases. See “Part I—Item 1. Business—Supervision and Regulation” for additional information.
We also consider various factors in the management of liquidity, including maintaining sufficient liquid assets to meet the requirements of several internal and regulatory stress tests. There can be significant differences in estimated liquidity needs between internal and regulatory stress testing, and liquidity resources required to meet regulatory requirements, such as applicable LCR and NSFR requirements, may exceed what would otherwise be required to satisfy internal liquidity metrics and stress testing. Regulatory liquidity stress testing and regulatory liquidity requirements may, therefore, require us to take actions to increase our liquid assets or alter our activities or funding sources, which could negatively affect our financial results or our
ability to return capital to our stockholders. See “Part I—Item 1. Business—Supervision and Regulation” for additional information.
In addition, changes to applicable capital and liquidity requirements could result in increased expenses or unexpected or new limitations on our ability to pay dividends and engage in share repurchases.
We are a separate and distinct legal entity from our subsidiaries, including the Bank and our broker-dealer subsidiaries. Dividends to us from these direct and indirect subsidiaries have represented a major source of funds for us to pay dividends on our common and preferred stock, repurchase common stock, make payments on corporate debt securities and meet other obligations. These capital distributions may be limited by law, regulation or supervisory policy. There are various federal law limitations on the extent to which the Bank can finance or otherwise supply funds to us through dividends and loans. These limitations include minimum regulatory capital requirements, federal banking law requirements concerning the payment of dividends out of net profits or surplus, and Sections 23A and 23B of the Federal Reserve Act and Regulation W governing transactions between an insured depository institution and its affiliates, as well as general federal regulatory oversight to prevent unsafe or unsound practices. Our broker-dealer subsidiaries are also subject to laws and regulations, including net capital requirements, that may limit their ability to pay dividends or make other distributions to us. If our subsidiaries’ earnings are not sufficient to make dividend payments to us while maintaining adequate capital levels, our liquidity may be affected and we may not be able to make dividend payments to our common or preferred stockholders, repurchase our common stock, make payments on outstanding corporate debt securities or meet other obligations, each and any of which could have a material adverse impact on our results of operations, our financial position or the perception of our financial health. The frequency and size of any future dividends to our stockholders and stock repurchases will depend upon regulatory limitations imposed by the Federal Banking Agencies and the SEC and our results of operations, financial condition, capital levels, cash requirements, future prospects, regulatory review and other factors as further described in “Part I—Item 1. Business—Supervision and Regulation.”
Our ability to retain and attract customers depends on our ability to develop, operate, and adapt our technology and organizational infrastructure in a rapidly changing environment. In addition, we must accurately process, record and monitor an increasingly large number of complex transactions. Digital technology, cloud-based services, data and software development are deeply embedded into our business model and how we work.
Similar to other large corporations in our industry, we are exposed to operational risk that can manifest itself in many ways, such as errors in execution, inadequate processes, inaccurate models, faulty or disabled technological infrastructure, malicious disruption and fraud by employees or persons outside of our company, whether through attacks on Capital One directly or on our customers. In addition, the increasing use of near real-time money movement solutions, among other risks, increases the complexity of preventing, detecting and recovering fraudulent transactions. In addition, we are heavily dependent on the security, capability, integrity and continuous availability of the technology systems that we use to manage our internal financial and other systems, monitor risk and compliance with regulatory requirements, provide services to our customers, develop and offer new products and communicate with stakeholders. We also face risk of adverse customer impacts and business disruption arising from the execution of strategic initiatives and operational plans we may pursue across our operations.
If we do not maintain the necessary operational, technological and organizational infrastructure to operate our business, including to maintain the resiliency and security of that infrastructure, our business and reputation could be materially adversely affected. We also are subject to disruptions to our systems arising from events that are wholly or partially beyond our control, which may include computer viruses, electrical or telecommunications outages, bugs, design flaws in foundational components or platforms, availability and quality of vulnerability patches from key vendors, cyber-attacks and other security incidents, natural disasters, other damage to property or physical assets, or events arising from local or larger scale politics, including terrorist acts. Any failure to maintain our infrastructure or prevent disruption of our systems and applications could diminish our ability to operate our businesses, service customer accounts and protect customers’ information, or result in potential liability to customers, reputational damage, regulatory intervention and customers’ loss of confidence in our businesses, any of which could result in a material adverse effect.
We also rely on the business infrastructure and systems of third parties with which we do business and to whom we outsource the operation, maintenance and development of our information technology and communications systems. We have substantially migrated all aspects of our core information technology systems and customer-facing applications to third-party cloud infrastructure platforms, principally AWS. If we fail to architect, administer or oversee these environments in a well-managed, secure and effective manner, or if such platforms become unavailable, are disrupted, fail to scale, do not operate as designed, or do not meet their service level agreements for any reason, we may experience unplanned service disruption or unforeseen costs which could result in material harm to our business and operations. We must successfully develop and maintain information, financial reporting, disclosure, privacy, data protection, data security and other controls adapted to our reliance on outside platforms and providers. In addition, AWS, or other service providers could experience system or telecommunication breakdowns or failures, outages, degradation in service, downtime, failure to scale, software bugs, cyber-attacks and other security incidents, adverse changes to financial condition, bankruptcy, or other adverse conditions, (including conditions which interfere with our access to and use of AWS), which could have a material adverse effect on our business and reputation. Thus, the substantial amount of our infrastructure that we outsource to AWS or to other third parties may increase our risk exposure.
A cyber-attack or other security incident, including one that results in the theft, loss, manipulation or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions.
Our ability to provide our products and services, many of which are internet-based, and communicate with our customers, depends upon the management and safeguarding of information systems and infrastructure, networks, software, data, technology, methodologies and business secrets, including those of our service providers. Our products and services involve the collection, authentication, management, usage, storage, transmission and eventual destruction of sensitive and confidential information, including personal information, regarding our customers and their accounts, our employees, our partners and other third parties with which we do business. We also have arrangements in place with third parties through which we share and receive information about their customers who are or may become our customers. The financial services industry, including Capital One, is particularly at risk because of the use of and reliance on digital banking products and other digital services, including mobile banking products, such as mobile payments, and other internet- and cloud-based products and applications, and the development of additional remote connectivity solutions, which increase cybersecurity risks and exposure. Consumer acceptance and use of such digital banking products and services has substantially increased since the onset of the COVID pandemic.
Technologies, systems, networks, and other devices of Capital One, as well as those of our employees, service providers, partners and other third parties with whom we interact, have been and may continue to be the subject of cyber-attacks and other security incidents, including computer viruses, hacking, malware, ransomware, supply chain attacks, vulnerabilities, credential stuffing, or phishing or other forms of social engineering. Such cyber-attacks and other security incidents are designed to lead to various harmful outcomes, such as unauthorized transactions in Capital One accounts, unauthorized or unintended access to or release, gathering, monitoring, disclosure, loss, destruction, corruption, disablement, encryption, misuse, modification or other processing of confidential or sensitive information (including personal information), intellectual property, software, methodologies or business secrets, disruption, sabotage or degradation of service, systems or networks, or other damage. These threats may derive from, among other things, error, fraud or malice on the part of our employees, insiders, or third parties or may result from accidental technological failure or design flaws. Any of these parties may also attempt to fraudulently induce
employees, service providers, customers, partners or other third-party users of our systems or networks to disclose confidential or sensitive information (including personal information) in order to gain access to our systems, networks or data or that of our customers, partners, or third parties with whom we interact, or to unlawfully obtain monetary benefit through misdirected or otherwise improper payment. For instance, any party that obtains our confidential or sensitive information (including personal information) through a cyber-attack or other security incident may use this information for ransom, to be paid by us or a third party, as part of a fraudulent activity that is part of a broader criminal activity, or for other illicit purposes.
For example, on July 29, 2019, we announced that on March 22 and 23, 2019 an outside individual gained unauthorized access to our systems (the “Cybersecurity Incident”). This individual obtained certain types of personal information relating to people who had applied for our credit card products and to our credit card customers. While the Cybersecurity Incident has been remediated, it has resulted in fines, litigation, settlements, government investigations and other regulatory enforcement inquiries, as well as consent orders with the Federal Reserve and the OCC. On August 31, 2022, the OCC terminated its consent order. Cyber and information security risks for large financial institutions like us continue to increase due to the proliferation of new technologies, the industry-wide shift to reliance upon the internet to conduct financial transactions, and the increased sophistication and activities of malicious actors, organized crime, perpetrators of fraud, hackers, terrorists, activists, extremist parties, formal and informal instrumentalities of foreign governments, state-sponsored actors and other external parties. In addition, our customers access our products and services using personal devices that are necessarily external to our security control systems. There has also been a significant proliferation of consumer information available on the internet resulting from breaches of third-party entities, including personal information, log-in credentials and authentication data. While we were not directly involved in these third-party breach events, the stolen information can create a threat for our customers if their Capital One log-in credentials are the same as or similar to the credentials that have been compromised on other internet sites. This threat could include the risk of unauthorized account access, data loss and fraud. The use of artificial intelligence, “bots” or other automation software can increase the velocity and efficacy of these types of attacks. As our employees are currently operating under our hybrid work model, our remote interaction with service providers, partners and other third parties on systems, networks and environments over which we have less control increases our cybersecurity risk exposure. We will likely face an increasing number of attempted cyber-attacks as we expand our mobile and other internet-based products and services, as well as our usage of mobile and cloud technologies and as we provide more of these services to a greater number of retail banking customers.
The methods and techniques employed by malicious actors change frequently, are increasingly sophisticated and often are not fully recognized or understood until after they have occurred, and some techniques could occur and persist for an extended period of time before being detected and remediated. For example, although we immediately fixed the configuration vulnerability that was exploited in the Cybersecurity Incident once we discovered the unauthorized access, a period of time elapsed between the occurrence of the unauthorized access and the time when we discovered it. In other circumstances, we and our service providers and other third parties with which we interact may be unable to anticipate or identify certain attack methods or techniques in order to implement effective preventative or detective measures or mitigate or remediate the damages caused in a timely manner. We may also be unable to hire, develop and retain talent that keeps pace with the rapidly changing cyber threat landscape, and which are capable of preventing, detecting, mitigating or remediating these risks. Although we seek to maintain a robust suite of authentication and layered information security controls, any one or combination of these controls could fail to prevent, detect, mitigate or remediate these risks in a timely manner.
A disruption or breach, including as a result of a cyber-attack such as the Cybersecurity Incident, or media reports of perceived security vulnerabilities at Capital One or at our service providers, could result in significant legal and financial exposure, regulatory intervention, litigation, remediation costs, card reissuance, supervisory liability, damage to our reputation or loss of confidence in the security of our systems, products and services that could adversely affect our business. There can be no assurance that unauthorized access or cyber incidents similar to the Cybersecurity Incident will not occur or that we will not suffer material losses in the future. If future attacks are successful or if customers are unable to access their accounts online for other reasons, it could adversely impact our ability to service customer accounts or loans, complete financial transactions for our customers or otherwise operate any of our businesses or services. In addition, a breach or attack affecting one of our service providers or other third parties with which we interact could harm our business even if we do not control the service that is attacked.
Further, our ability to monitor our service providers’ cybersecurity practices is limited. Although the agreements that we have in place with our service providers generally include requirements relating to cybersecurity and data privacy, we cannot guarantee that such agreements will prevent a cyber incident impacting our systems or information or enable us to obtain adequate or any reimbursement from our service providers in the event we should suffer any such incidents. However, due to
applicable laws and regulations or contractual obligations, we may be held responsible for cyber incidents attributed to our service providers as they relate to the information we share with them.
In addition, the increasing prevalence and the evolution of cyber-attacks and other efforts to breach or disrupt our systems or networks or those of our customers, service providers, partners or other third parties with which we interact has led, and will likely continue to lead, to increased costs to us with respect to preventing, detecting, mitigating and remediating these risks, as well as any related attempted fraud. In order to address ongoing and future risks, we must expend significant resources to support protective security measures, investigate and remediate any vulnerabilities of our information systems and infrastructure and invest in new technology designed to mitigate security risks. Further, high profile cyber incidents at Capital One or other large financial institutions could lead to a general loss of customer confidence in financial institutions that could negatively affect us, including harming the market perception of the effectiveness of our security measures or the global financial system in general, which could result in reduced use of our financial products. We have insurance against some cyber risks and attacks; nonetheless, our insurance coverage may not be sufficient to offset the impact of a material loss event (including if our insurer denies coverage as to any particular claim in the future), and such insurance may increase in cost or cease to be available on commercially reasonable terms, or at all, in the future.
We are subject to a variety of continuously evolving and developing laws and regulations in the United States at the federal, state and local level regarding privacy, data protection and data security, including those related to the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information. For example, at the federal level, we are subject to the GLBA, among other laws and regulations. Moreover, the U.S. Congress is currently considering various proposals for more comprehensive privacy, data protection and data security legislation, to which we may be subject if passed. In addition, in November 2021, the Federal Reserve, OCC, and FDIC issued a final rule that, among other things, requires all banking organizations in the United States to notify their primary federal regulators of certain material computer-security incidents as soon as possible and no later than 36 hours after determining that the incident has occurred. The enactment of CIRCIA, once rulemaking is complete, will require, among other things, certain companies to report significant cyber incidents to the CISA within 72 hours from the time the company reasonably believes the incident occurred, and a proposed rule by the SEC, if enacted, would mandate public disclosure of material cybersecurity incidents within four business days of determining that such an incident has occurred. At the state level, California has enacted the California Privacy Rights Act (“CPRA”), and various other states also have enacted or are in the process of enacting state-level privacy, data protection and/or data security laws and regulations, with which we may be required to comply.
We also are, or may become, subject to continuously evolving and developing laws and regulations in other jurisdictions regarding privacy, data protection and data security. For example, in Canada we are subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). In addition, subject to limited exceptions, the EU General Data Projection Regulation (“EU GDPR”) applies EU data protection law to all companies processing personal data of EU residents, regardless of the company’s location. We also are subject to the UK General Data Protection Regulation (“U.K. GDPR”), which is how the EU GDPR has been implemented into U.K. law. These laws and regulations, and similar laws and regulations in other jurisdictions, impose strict requirements regarding the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information, which may have adverse consequences, including significant compliance costs and severe monetary penalties for non-compliance. Significant uncertainty exists as privacy, data protection, and data security laws may be interpreted and applied differently from country to country and may create inconsistent or conflicting requirements.
Our efforts to comply with GLBA, CPRA, PIPEDA, EU GDPR, U.K. GDPR and other privacy, data protection and data security laws and regulations, as well as our posted privacy policies, and related contractual obligations to third parties, entail substantial expenses, may divert resources from other initiatives and projects, and could limit the services we are able to offer. Furthermore, enforcement actions and investigations by regulatory authorities related to data security incidents and privacy, data protection and data security violations continue to increase. The enactment of more restrictive laws or regulations, or future
enforcement actions or investigations, could impact us through increased costs or restrictions on our business, and any noncompliance or perceived noncompliance could result in monetary or other penalties, harm to our reputation and significant legal liability.
We rely on quantitative models and our ability to manage and aggregate data in an accurate and timely manner to assess and manage our various risk exposures, create estimates and forecasts, and manage compliance with regulatory capital requirements. Models may be used in processes such as determining the pricing of various products, grading loans and extending credit, measuring interest rate and other market risks, predicting deposit levels or loan losses, assessing capital adequacy, calculating managerial and regulatory capital levels, estimating the value of financial instruments and balance sheet items, and other operational functions. Our risk reporting and management, including business decisions based on information incorporating models, depend on the effectiveness of our models and our policies, programs, processes and practices governing how data or models, as applicable, are acquired, validated, stored, protected, processed and analyzed. Any issues with the quality or effectiveness of our data aggregation and validation procedures, as well as the quality and integrity of data inputs, formulas or algorithms, could result in inaccurate forecasts, ineffective risk management practices or inaccurate risk reporting. In addition, models based on historical data sets might not be accurate predictors of future outcomes and their ability to appropriately predict future outcomes may degrade over time. While we continuously update our policies, programs, processes and practices, many of our data management, modeling, aggregation and implementation processes are manual and may be subject to human error, data limitations, process delays or system failure. Failure to manage data effectively and to aggregate data in an accurate and timely manner may limit our ability to manage current and emerging risk, to produce accurate financial, regulatory and operational reporting as well as to manage changing business needs. If our Framework is ineffective, we could suffer unexpected losses which could materially adversely affect our results of operation or financial condition. Also, any information we provide to the public or to our regulators based on poorly designed or implemented models could be inaccurate or misleading. Some of the decisions that our regulators make, including those related to capital distribution to our stockholders, could be affected adversely due to the perception that the quality of the models used to generate the relevant information is insufficient.
A wide array of laws and regulations, including banking and consumer lending laws and regulations, apply to every aspect of our business. We and our subsidiaries are also subject to supervision and examination by multiple regulators, and the manner in which our regulators interpret applicable laws and regulations may affect how we comply with them. Failure to comply with these laws and regulations, even if the failure was inadvertent or reflects a difference in interpretation, could subject us to restrictions on our business activities, fines, criminal sanctions and other penalties, and/or damage to our reputation with regulators, our customers or the public. Hiring, training and retaining qualified compliance and legal personnel, and establishing and maintaining risk management and compliance-related systems, infrastructure and processes, is difficult and may lead to increased expenses. These efforts and the associated costs could limit our ability to invest in other business opportunities.
Applicable rules and regulations may affect us disproportionately compared to our competitors or in an unforeseen manner. For example, we have a large number of customer accounts in our credit card and auto lending businesses and we have made the strategic choice to originate and service subprime credit card and auto loans, which typically have higher delinquencies and charge-offs than prime customer accounts. As a result, we have significant involvement with credit bureau reporting and the collection and recovery of delinquent and charged-off debt, primarily through customer communications, the filing of litigation against customers in default, the periodic sale of charged-off debt and vehicle repossession. These and other consumer lending activities are subject to enhanced legal and regulatory scrutiny from regulators, courts and legislators. Any future changes to or legal liabilities resulting from our business practices in these areas, including our debt collection practices and the fees we charge, whether mandated by regulators, courts, legislators or otherwise, could have a material adverse impact on our financial condition.
The legislative and regulatory environment is beyond our control, may change rapidly and unpredictably, and may negatively influence our revenue, costs, earnings, growth, liquidity and capital levels. For example, there may be future rulemaking in emerging regulatory areas such as climate-related risks and new technologies. In addition, some rules and regulations may be subject to litigation or other challenges that delay or modify their implementation and impact on us. Adoption of new technologies, such as distributed ledger technologies, tokenization, cloud computing, artificial intelligence and machine learning technologies, can present unforeseen challenges in applying and relying on existing compliance systems.
Certain laws and regulations, and any interpretations and applications with respect thereto, are generally intended to protect consumers, borrowers, depositors, the DIF, the U.S. banking and financial system, and financial markets as a whole, but not stockholders. Our success depends on our ability to maintain compliance with both existing and new laws and regulations. For a description of the material laws and regulations, including those related to the consumer lending business, to which we are subject, see “Part I—Item 1. Business—Supervision and Regulation.”
Given the inherent uncertainties involved in litigation, government investigations and regulatory enforcement decisions, and the very large or indeterminate damages sought in some matters asserted against us, there can be significant uncertainty as to the ultimate liability we may incur from these kinds of matters. The finding, or even the assertion, of substantial legal liability against us could have a material adverse effect on our business and financial condition and could cause significant reputational harm to us, which could seriously harm our business. For example, the Cybersecurity Incident has resulted in litigation, settlements, government investigations and other regulatory enforcement inquiries.
Over the last several years, federal and state regulators have focused on compliance with AML and sanctions laws, privacy, data protection and data security, use of service providers, fair lending and other consumer protection issues. In August 2020, we entered into consent orders with the Federal Reserve and the OCC resulting from regulatory reviews of the Cybersecurity Incident and relating to ongoing enhancements of our cybersecurity and operational risk management processes, and we paid a civil monetary penalty as part of the OCC agreement. On August 31, 2022, the OCC terminated its consent order. In January 2021, we also paid a civil monetary penalty assessed by FinCEN against the Bank in connection with AML violations alleged to have occurred between 2008 and 2014. Regulatory scrutiny is expected to continue in these areas, including as a result of implementation of the AML Act of 2020.
We expect that regulators and governmental enforcement bodies will continue taking public enforcement actions against financial institutions in addition to addressing supervisory concerns through nonpublic supervisory actions or findings, which could involve restrictions on our activities, or our ability to make acquisitions or otherwise expand our business, among other limitations that could adversely affect our business. In addition, a violation of law or regulation by another financial institution is likely to give rise to an investigation by regulators and other governmental agencies of the same or similar practices by us. Furthermore, a single event may give rise to numerous and overlapping investigations and proceedings. These and other initiatives from governmental authorities and officials may subject us to further judgments, settlements, fines or penalties, or cause us to restructure our operations and activities or to cease offering certain products or services, all of which could harm our reputation or lead to higher operational costs. Litigation, government investigations and other regulatory actions could generally subject us to significant fines, increased expenses, restrictions on our activities and damage to our reputation and our brand, and could adversely affect our business, financial condition and results of operations. For additional information regarding legal and regulatory proceedings to which we are subject, see “Part II—Item 8. Financial Statements and Supplementary Data—Note 18—Commitments, Contingencies, Guarantees and Others.”
We operate in a highly competitive environment across all of our lines of business, whether in making loans, attracting deposits or in the global payments industry, and we expect competitive conditions to continue to intensify with respect to most of our products particularly in our credit card and consumer banking business. We compete on the basis of the rates we pay on deposits and the rates and other terms we charge on the loans we originate or purchase, as well as the quality and range of our
customer service, products, innovation and experience. This increasingly competitive environment is primarily a result of changes in technology, product delivery systems and regulation, as well as the emergence of new or significantly larger financial services providers, all of which may affect our customers’ expectations and demands. In addition to offering competitive products and services, we invest in and conduct marketing campaigns to attract and inform customers. If our marketing campaigns are unsuccessful, it may adversely impact our ability to attract new customers and grow market share.
Some of our competitors, including new and emerging competitors in the digital and mobile payments space and other financial technology providers, are not subject to the same regulatory requirements or scrutiny to which we are subject, which also could place us at a competitive disadvantage, in particular in the development of new technology platforms or the ability to rapidly innovate. We compete with many forms of payments offered by both bank and non-bank providers, including a variety of new and evolving alternative payment mechanisms, systems and products, such as aggregators and web-based and wireless payment platforms or technologies, digital or cryptocurrencies, prepaid systems and payment services targeting users of social networks, communications platforms and online gaming. If we are unable to continue to keep pace with innovation, do not effectively market our products and services or are prohibited from or unwilling to enter emerging areas of competition, our business and results of operations could be adversely affected.
In our credit card business, competition for rewards customers may result in higher rewards expenses, or we may fail to attract new customers or retain existing rewards customers due to increasing competition for these consumers. As of December 31, 2022, we have a number of large partnerships in our credit card loan portfolio. The market for key business partners, especially in the credit card business, is very competitive, and we may not be able to grow or maintain these partner relationships or assure that these relationships will be profitable or valued by our customers. Additionally, partners themselves may face changes in their business, including market factors and ownership changes, that could impact the partnership. We face the risk that we could lose partner relationships, even after we have invested significant resources into acquiring and developing the relationships. The loss of key business partners could have a negative impact on our results of operations, including lower returns, excess operating expense and excess funding capacity.
Legislative and regulatory bodies in a number of countries are seeking to reduce interchange fees through legislation, competition-related regulatory proceedings, voluntary agreements, central bank regulation and/or litigation. For credit transactions, interchange reimbursement rates in the United States are set by credit card networks such as MasterCard and Visa. For debit transactions, Federal Reserve rules place limits on the interchange fees we may charge. For more information on these rules, please see “Part I—Item 1. Business—Supervision and Regulation.” In some jurisdictions, such as Canada and certain countries in Europe, including the U.K., interchange fees and related practices are subject to regulatory activity, including in some cases, imposing caps on permissible interchange fees. Our international card businesses have been impacted by these restrictions. For example, in the U.K., interchange fees are capped for both credit and debit card transactions. In addition, in Canada, Visa and Mastercard payment networks have entered into voluntary agreements with the Department of Finance Canada to maintain an agreed upon average interchange rate. Lowering interchange fees remains an area of domestic and international governmental focus. Legislators and regulators around the world are aware of each other’s approaches to the regulation of the payments industry. Consequently, a development in one country, state or region may influence regulatory approaches in another, such as our primary market, the United States.
In addition to this regulatory activity, merchants are also seeking avenues to reduce interchange fees. In the past, merchants and their trade groups have filed numerous lawsuits against Visa, MasterCard, American Express and their card-issuing banks, claiming that their practices toward merchants, including interchange and similar fees, violate federal antitrust laws. In 2005, a number of entities filed antitrust lawsuits against MasterCard and Visa and several member banks, including our subsidiaries and us, alleging among other things, that the defendants conspired to fix the level of interchange fees. In December 2013, the U.S. District Court for the Eastern District of New York granted final approval of the proposed class settlement. The settlement provided, among other things, that merchants would be entitled to join together to negotiate lower interchange fees. The settlement was appealed to the Second Circuit Court of Appeals, which rejected the settlement in June 2016; a revised settlement was reached in the second half of 2018, and the trial court issued its final approval of the settlement in December 2019. See “Part II—Item 8. Financial Statements and Supplementary Data—Note 18—Commitments, Contingencies, Guarantees and Others” for further details.
Some major retailers have sufficient bargaining power to independently negotiate lower interchange fees with MasterCard and Visa, which could, in turn, result in lower interchange fees for us when our cardholders undertake purchase transactions with these retailers. Merchants also continue to lobby Congress aggressively for restrictions on interchange fees and their efforts may be successful. Retailers may in the future bring legal proceedings against us or other credit card and debit card issuers and networks.
Our industry is subject to rapid and significant technological changes and our ability to meet our customers’ needs and expectations is key to our ability to grow revenue and earnings. We expect digital technologies to continue to have a significant impact on banking over time. Consumers expect robust digital experiences from their financial services providers. The ability for customers to access their accounts and conduct financial transactions using digital technology, including mobile applications, is an important aspect of the financial services industry and financial institutions are rapidly introducing new digital and other technology-driven products and services that aim to offer a better customer experience and to reduce costs. We continue to invest in digital technology designed to attract new customers, facilitate the ability of existing customers to conduct financial transactions and enhance the customer experience related to our products and services.
Our continued success depends, in part, upon our ability to assess and address the needs of our customers by using digital technology to provide products and services that meet their expectations. The development and launch of new digital products and services depends in large part on our ability to invest in and build the technology platforms that can enable them, in a cost effective and timely manner. See “We face intense competition in all of our markets” and “We face risks related to our operational, technological and organizational infrastructure.”
Some of our competitors are substantially larger than we are, which may allow those competitors to invest more money into their technology infrastructure and digital innovation than we do. In addition, smaller competitors may experience lower cost structures and different regulatory requirements and scrutiny than we do, which may allow them to innovate more rapidly than we can. See “We face intense competition in all of our markets.” Further, our success depends on our ability to attract and retain strong digital and technology leaders, engineers and other specialized personnel. The competition is intense and the compensation costs continue to increase for such talent. If we are unable to attract and retain digital and technology talent, our ability to offer digital products and services and build the necessary technology infrastructure could be negatively affected, which could negatively impact our business and financial results. A failure to maintain or enhance our competitive position with respect to digital products and services, whether because we fail to anticipate customer expectations or because our technological developments fail to perform as desired or are not implemented in a timely or successful manner, could negatively impact our business and financial results.
We engage in merger and acquisition activity and enter into strategic partnerships from time to time. We continue to evaluate and anticipate engaging in, among other merger and acquisition activity, additional strategic partnerships and selected acquisitions of financial institutions and other businesses or assets, including credit card and other loan portfolios. We may not be able to identify and secure future acquisition targets on terms and conditions that are acceptable to us, or successfully complete and integrate the businesses within the anticipated time frame and achieve the anticipated benefits of proposed mergers, acquisitions and strategic partnerships, which could impair our growth.
•New Businesses and Geographic or Other Markets: Our merger, acquisition or strategic partnership activity may involve our entry into new businesses, or new geographic areas or markets which present risks resulting from our relative inexperience in these new businesses or markets. These new businesses or markets may change the overall character of our consolidated portfolio of businesses and alter our exposure to economic and other external factors. We face the risk that we will not be successful in these new businesses or in these new markets.
•Identification and Assessment of Merger and Acquisition Targets and Deployment of Acquired Assets: We may not be able to identify, acquire or partner with suitable targets. Further, our ability to achieve the anticipated benefits of any merger, acquisition or strategic partnership will depend on our ability to assess the asset quality, risks and value of the particular assets or institutions we partner with, merge with or acquire. We may be unable to profitably deploy any assets we acquire.
•Accuracy of Assumptions: In connection with any merger, acquisition or strategic partnership, we may make certain assumptions relating to the proposed merger, acquisition or strategic partnership that may be, or may prove to be, inaccurate, including as a result of the failure to anticipate the costs, timeline or ability to realize the expected benefits of any merger, acquisition or strategic partnership. The inaccuracy of any assumptions we may make could result in unanticipated consequences that could have a material adverse effect on our results of operations or financial condition.
•Conditions to Regulatory Approval: We may be required to obtain various governmental and regulatory approvals to consummate certain acquisitions. We cannot be certain whether, when or on what terms and conditions, such approvals may be granted. Consequently, we may not obtain governmental or regulatory approval for a proposed acquisition on acceptable terms or at all, in which case we would not be able to complete the acquisition despite investing resources in pursuing it.
In addition, a variety of social factors may cause changes in borrowing activity, including credit card use, payment patterns and the rate of defaults by account holders and borrowers domestically and internationally. These social factors include changes in consumer confidence levels, the public’s perception regarding the banking industry and consumer debt, including credit card use, and changing attitudes about the stigma of bankruptcy. There has also been increased focus by investor advocacy groups, investment funds and shareholder activists, among others, on topics related to environmental, social and corporate governance
policies, and our policies, practices and disclosure in these areas, including related to climate change. If these groups consider our efforts unsatisfactory, whether real or perceived, it could also harm our reputation. If consumers develop or maintain negative attitudes about incurring debt, or consumption trends decline or if we fail to maintain and enhance our brand, or we incur significant expenses to do so, our reputation and business and financial results could be materially and negatively affected.
We rely on a variety of measures to protect and enhance our intellectual property, including copyrights, trademarks, trade secrets, patents and certain restrictions on disclosure, solicitation and competition. We also undertake other measures to control access to and distribution of our other proprietary and confidential information. These measures may not prevent misappropriation of our proprietary or confidential information or infringement, misappropriation or other violations of our intellectual property rights and a resulting loss of competitive advantage. In addition, our competitors or other third parties may obtain patents for innovations that are used in our industry or allege that our systems, processes or technologies infringe, misappropriate or violate their intellectual property rights. Given the complex, rapidly changing and competitive technological and business environments in which we operate, if our competitors or other third parties are successful in obtaining such patents or prevail in intellectual property-related litigation against us, we could lose significant revenues, incur significant license, royalty, technology development or other expenses, or pay significant damages.
Management of market, credit, liquidity, strategic, reputational, operational and compliance risk requires, among other things, policies and procedures to properly record and verify a large number of transactions and events. See “Part II—Item 7. MD&A—Risk Management” for further details. We maintain an enterprise Framework that is designed to identify, measure, assess, monitor, test, control, report, escalate, and mitigate the risks that we face. Even though we continue to devote significant resources to developing our Framework, our risk management strategies may not be fully effective in identifying and mitigating our risk exposure in all market environments or against all types of risk, including risks that are unidentified or unanticipated.
Some of our methods of managing these risks are based upon our use of observed historical market behavior, the use of analytical and/or forecasting models and management’s judgment. These methods may not accurately predict future exposures, which could be significantly greater than the historical measures or models indicate and market conditions, particularly during a period of financial market stress, can involve unprecedented dislocations. For example, credit risk is inherent in the financial services business and results from, among other things, extending credit to customers. Our ability to assess the creditworthiness of our customers may be impaired if the models and approaches we use to select, manage and underwrite our consumer and commercial customers become less predictive of future charge-offs due, for example, to rapid changes in the economy, or degradation in the predictive nature of credit bureau and other data used in underwriting.
A transition away from the use of LIBOR to alternative rates and other potential interest rate benchmark reforms is not yet complete. These reforms have caused and may in the future cause such rates to perform differently than in the past, or to disappear entirely, or have other consequences which cannot be predicted.
Given LIBOR’s extensive use across financial markets, the ongoing transition away from LIBOR presents several risks and challenges to the financial markets and financial institutions, including Capital One. While we have substantially decreased our exposure to LIBOR, we have certain loans, derivative contracts, securitizations, and other contracts with attributes that are either directly or indirectly dependent on LIBOR. Our ability to transition those exposures away from LIBOR could be affected by market and customer acceptance of and the specific terms and parameters for alternative reference rates. The Secured Overnight Financing Rate (“SOFR”) has been recommended by the Alternative Reference Rates Committee (“ARRC”) as an alternative to U.S. dollar LIBOR. Nevertheless, the transition away from LIBOR could result in loss of market share in certain
products, adverse tax or accounting impacts, compliance, legal or operational costs and risks associated with client disclosures, as well as systems disruption, model disruption and other business continuity issues for us.
In addition, risks will remain for us with respect to outstanding instruments which rely on LIBOR. Those risks arise in connection with transitioning such instruments to a new reference rate, the taking of discretionary actions (for example, under fallback provisions) or the negotiation of fallback provisions and final amendments to existing LIBOR based agreements. Payments under contracts referencing new reference rates may significantly differ from those referencing LIBOR. The Adjustable Interest Rate (LIBOR) Act passed by Congress in March 2022 (“LIBOR Act”) is intended to minimize legal and economic uncertainty following U.S. dollar LIBOR’s cessation by replacing LIBOR references in certain contracts under certain circumstances with a SOFR-based rate identified in a Federal Reserve rule that incorporates a spread adjustment specified in the statute. For some instruments, the method of transitioning to a new reference rate may be challenging, especially if parties to an instrument cannot agree as to how to effect that transition and the LIBOR Act does not apply. In addition, prior to LIBOR cessation, instruments that continue to refer to LIBOR may be impacted if there is a change in the availability or calculation of LIBOR. The transition from LIBOR to an alternative reference rate has changed our market risk profile and required changes to risk and pricing models, valuation tools, product design, information technology systems, reporting infrastructure, operational processes and controls, and hedging strategies, and may result in or require further such changes in the future. In many cases, we are and may in the future be dependent on third parties to upgrade systems, software and other critical functions that could materially disrupt our readiness if they are not done on a timely basis or otherwise fail. While we have largely remediated the majority of our exposures, our effort to remediate the remaining exposures remains ongoing. Failure to adequately manage the transition could have a material adverse effect on our reputation, business, financial condition and results of operations. See “Part II—Item 7. MD&A—Market Risk Profile” for additional information.
Our business could be negatively affected if we are unable to attract, retain and motivate key senior leaders and skilled employees.
Our success depends, in large part, on our ability to retain key senior leaders and to attract and retain skilled employees, particularly employees with advanced expertise in credit, risk, digital and technology skills. We depend on our senior leaders and skilled employees to oversee simultaneous, transformative initiatives across the enterprise and execute on our business plans in an efficient and effective manner. Competition for such senior leaders and employees, and the costs associated with attracting and retaining them, is high and competitive. While we engage in robust succession planning, our key senior leaders have deep and broad industry experience and could be difficult to replace without some degree of disruption.
Our ability to attract and retain qualified employees also is affected by perceptions of our culture and management, including our position on remote and hybrid work arrangements, our profile in the regions where we have offices and the professional opportunities we offer. Regulation or regulatory guidance restricting executive compensation, as well as evolving investor expectations, may limit the types of compensation arrangements that we may enter into with our most senior leaders and could have a negative impact on our ability to attract, retain and motivate such leaders in support of our long-term strategy. These laws and regulations may not apply in the same manner to all financial institutions and technology companies, which therefore may subject us to more restrictions than other institutions and companies with which we compete for talent and may also hinder our ability to compete for talent with other industries. We rely upon our senior leaders not only for business success, but also to lead with integrity. To the extent our senior leaders behave in a manner that does not comport with our values, the consequences to our brand and reputation could be severe and could adversely affect our financial condition and results of operations. If we are unable to attract, develop and retain talented senior leadership and employees, or to implement appropriate succession plans for our senior leadership, our business could be negatively affected.
We face risks from catastrophic events.
Despite the business contingency plans we have in place, such plans do not fully mitigate all potential business continuity risks to us. Geopolitical events, natural disasters and other catastrophic events could harm our employees, business and infrastructure, including our information technology systems and third-party platforms. Our ability to conduct business may be adversely affected by a disruption in the infrastructure that supports our business and the communities where we are located, which are concentrated in the Northern Virginia and New York metropolitan areas, as well as Richmond, Virginia and Plano, Texas. This may include a disruption involving damage or loss of access to a physical site, cyber-attacks and other security incidents, terrorist activities, the occurrence or worsening of disease outbreaks or pandemics (including the COVID-19 pandemic), natural disasters, extreme weather events, electrical outage, environmental hazards, disruption to technological infrastructure, communications or other services we use, our employees or third parties with whom we conduct business. Our business, financial condition and results of operations may be impacted by any such disruption and our ability to implement corresponding response measures quickly. In addition, if a natural disaster or other catastrophic event occurs in certain regions
where our business and customers are concentrated, such as the mid-Atlantic, New York, California or Texas metropolitan areas, or in regions where our third-party platforms are located, we could be disproportionately impacted as compared to our competitors. The impact of such events and other catastrophes on the overall economy and our physical and transition risks may also adversely affect our financial condition and results of operations.
Climate change manifesting as physical or transition risks could adversely affect our businesses, operations and customers.
Climate change risks can manifest as physical or transition risks.
Physical risks are the risks from the effects of climate change arising from acute, climate-related events, such as, hurricanes and wildfires, and chronic shifts in climate, such as sea level rise and higher average temperatures. Such events could lead to financial losses or disrupt our operations or those of our customers or third parties on which we rely, including through direct damage to assets and indirect impacts from supply chain disruption and market volatility.
Transition risks are the risks resulting from the shift toward a lower-carbon economy arising from the changes in policy, consumer and business sentiment or technologies in regards to limiting climate change. Transition risks, including changes in consumer preferences and additional regulatory requirements or taxes, could increase our expenses, affect credit performance, and impact our strategies or those of our customers. For more information on climate-related regulatory developments, see “Part I—Item 1. Business—Supervision and Regulation” for additional information.
Physical and transition risks could also affect the financial health of certain customers in impacted industries or geographies. In addition, we face reputational risk as a result of our policies, practices, disclosures and decisions related to climate change and the environment, or the practices or involvement of our clients or vendors and suppliers, in certain industries or projects associated with causing or exacerbating climate change.
As climate risk is interconnected with many risk types, we continue to enhance processes to embed evolving climate risk considerations into our existing risk management strategies; however, because the timing and severity of climate change may not be predictable, our risk management strategies may not be effective in mitigating climate risk exposure.
Pursuant to generally accepted accounting principles in the U.S. (“U.S. GAAP”), we are required to use certain assumptions and estimates in preparing our financial statements, including determining our allowance for credit losses, the fair value of certain assets and liabilities, and goodwill impairment, among other items. In addition, the FASB, the SEC and other regulatory bodies may change the financial accounting and reporting standards, including those related to assumptions and estimates we use to prepare our financial statements, in ways that we cannot predict and that could impact our financial statements. If actual results differ from the assumptions or estimates underlying our financial statements or if financial accounting and reporting standards are changed, we may experience unexpected material losses. For a discussion of our use of estimates in the preparation of our consolidated financial statements, see “Part II—Item 7. MD&A—Critical Accounting Policies and Estimates” and “Part II—Item 8. Financial Statements and Supplementary Data—Note 1—Summary of Significant Accounting Policies.”
Likewise, adverse developments affecting the overall strength and soundness of our competitors, the financial services industry as a whole and the general economic climate and the U.S. Treasury market could have a negative impact on perceptions about the strength and soundness of our business even if we are not subject to the same adverse developments. In addition, adverse
39
developments with respect to third parties with whom we have important relationships also could negatively impact perceptions about us. These perceptions about us could cause our business to be negatively affected and exacerbate the other risks that we face.
Removed paragraphs (11591 words)
This section highlights significant factors, events, and uncertainties that make an investment in our securities risky. The events and consequences discussed in these risk factors could, in circumstances we may not be able to accurately predict, recognize, or control, have a material adverse effect on our business, growth, reputation, prospects, financial condition, operating results, cash flows, liquidity, and stock price. These risk factors do not identify all risks that we face; our operations could also be affected by factors, events, or uncertainties that are not presently known to us or that we currently do not consider to present significant risks to our operations. In addition, the global economic and political climate may amplify many of these risks.
Below is a summary of the principal factors that make an investment in our securities risky. This summary does not address all of the risks that we face. Additional discussion of the risks summarized in this risk factor summary, and other risks that we face, can be found below and should be carefully considered, together with other information in this Form 10-K and our other filings with the SEC, before making an investment decision regarding our common stock.
•Financial market instability and volatility could adversely affect our business.
•We may experience increased delinquencies, credit losses, inaccurate estimates and inadequate reserves.
•We may not be able to maintain adequate capital or liquidity levels, which could have a negative impact on our financial results and our ability to return capital to our stockholders.
•A cyber-attack or other security incident, including one that results in the theft, loss or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions.
•Fluctuations in market interest rates or volatility in the capital markets could adversely affect our income and expense, the value of assets and obligations, our regulatory capital, cost of capital or liquidity.
•The transition away from London Interbank Offered Rate (“LIBOR”) may adversely affect our business.
•Our business could be negatively affected if we are unable to attract, retain and motivate skilled employees.
•We face risks from unpredictable catastrophic events.
•Climate change manifesting as physical or transition risks could adversely affect our operations, businesses and customers.
Although the global economy has begun to recover from the COVID-19 pandemic and many health and safety restrictions have been lifted and vaccine distribution has increased, certain adverse consequences of the pandemic, especially as a result of the emergence of the Omicron variant in late 2021, continue to impact the macroeconomic environment and may persist for some time. Such adverse consequences include labor shortages and disruptions of global supply chains. The growth in economic activity and demand for goods and services, alongside labor shortages and supply chain complications, has also contributed to rising inflationary pressures and could adversely affect our business. Should these ongoing effects of the pandemic continue for
an extended period or worsen, our purchase volume, loan balances and the overall demand for our products and services may be significantly impacted, which could adversely affect our revenue and other results of operations. In addition, we could experience higher credit losses in our loan portfolios and increases in our allowance for credit losses beyond current levels. We could also experience impairments of other financial assets and other negative impacts on our financial position, including possible constraints on liquidity and capital, as well as higher costs of capital. Even after the COVID-19 pandemic has subsided, we may continue to experience adverse impacts to our business and results of operations, which could be material, as a result of the macroeconomic impact and any recession that has occurred or may occur in the future.
The COVID-19 pandemic caused us to modify our business practices and operations, including providing a range of forbearance options to our customers in certain circumstances. We may need to further modify our practices and operations as the pandemic remains dynamic and the emergence of variants resistant to existing vaccines remains uncertain. We also implemented work-from-home policies for a vast majority of our employees, and social distancing plans for our employees who are working from Capital One facilities. Nearly all of our Cafés and bank branches across our network are open with increased safety precautions. We will continue to monitor local conditions to ensure the safety of our associates and customers while providing critical banking services. These measures could impair our ability to perform critical functions and may adversely impact our results of operations. In addition, these measures and other changes in consumer behavior as a result of the COVID-19 pandemic may require changes to retail distribution strategies and adversely impact our investments in our bank premises and equipment and other retail distribution assets, leading to increased costs and exposure to additional risks. We may take further actions as required by government authorities or that we otherwise determine are in the best interests of our customers, employees and business partners.
Since the inception of the COVID-19 pandemic, federal, state, local and foreign governmental authorities enacted regulations and protocols in response to the COVID-19 pandemic, including governmental programs intended to provide economic relief to businesses and individuals. We participated in certain of these programs, including participating as an eligible lender in the Small Business Administration’s Paycheck Protection Program. Our participation in and execution of any such programs may cause operational, compliance, reputational and credit risks, which could result in litigation, governmental action or other forms of loss. The extent of these impacts, which may be substantial, depends, in part, on the degree of our participation in these programs. There remains significant uncertainty regarding the measures that authorities will enact in the future and the ultimate impact of the legislation, regulations and protocols that have been and will be enacted. Moreover, we expect that the effects of the COVID-19 pandemic will heighten many of the other known risks described herein. See “Part I—Item 1.—Business—Overview—Coronavirus Disease 2019 (COVID-19) Pandemic”.
The extent to which the consequences of the COVID-19 pandemic affect our businesses, results of operations and financial condition, as well as our regulatory capital and liquidity ratios and our ability to take capital actions, will depend on future developments that remain uncertain, including, for example, the rate of distribution and administration of vaccines globally, the severity and duration of any resurgence of COVID-19 variants, future actions taken by governmental authorities, central banks and other third parties in response to the pandemic, and the effects on our customers, counterparties, employees and third-party service providers.
Some of the risks we face in connection with adverse changes and instability in the macroeconomic environment, including changes in consumer confidence levels and behavior, include the following:
•Changes in payment patterns, increases in delinquencies and default rates, decreased consumer spending, inflation, lower demand for credit and shifts in consumer payment behavior towards avoiding late fees, finance charges and other fees;
•Decreased reliability of the process and models we use to estimate our allowance for loan and lease losses, particularly if unexpected variations in key inputs and assumptions cause actual losses to diverge from the projections of our models and our estimates become increasingly subject to management’s judgment. See “We face risks resulting from the extensive use of models and data.”
The U.K. and the European Union agreed to a free trade deal at the end of 2020 relating to the U.K.’s exit from the European Union. Although this deal provides greater near-term stability, there is still some degree of uncertainty as to the relationship between the U.K and the European Union, which may increase volatility in the regional and global financial markets. We continue to consider and monitor the potential impacts, and other factors that could also impact U.K. economic performance.
Financial market instability and volatility could adversely affect our business.
Our ability to borrow from other financial institutions or to engage in funding transactions on favorable terms or at all could be adversely affected by disruptions in the capital markets or other events, including actions by rating agencies and deteriorating investor expectations. In addition, fluctuations in interest rates, credit spreads and other market factors could negatively impact our results of operations. Both shorter-term and longer-term interest rates remain below long-term historical averages and the yield curve has been relatively flat compared to past periods. A flat yield curve combined with low interest rates generally leads to lower revenue and reduced margins because it can decrease the spread between asset yields and funding costs. Sustained periods of time with a flat yield curve coupled with low interest rates, or an inversion of the yield curve, could have a material adverse effect on our net interest margin and earnings.
We may experience increased delinquencies, credit losses, inaccurate estimates and inadequate reserves.
Like other lenders, we face the risk that our customers will not repay their loans. A customer’s ability and willingness to repay us can be adversely affected by decreases in the income of the borrower or increases in their payment obligations to other lenders, whether as a result of higher debt levels or rising interest rates, by rising levels of inflation, or by restricted availability of credit generally. We may fail to quickly identify and reduce our exposure to customers that are likely to default on their payment obligations, whether by closing credit lines or restricting authorizations. Our ability to manage credit risk also is affected by legal or regulatory changes (such as restrictions on collections, bankruptcy laws, minimum payment regulations and re-age guidance), competitors’ actions and consumer behavior, and depends on the effectiveness of our collections staff, techniques and models.
Rising losses or leading indicators of rising losses (such as higher delinquencies, higher rates of nonperforming loans, higher bankruptcy rates, lower collateral values, elevated unemployment rates or changing market terms) may require us to increase our allowance for credit losses, which would decrease our profitability if we are unable to raise revenue or reduce costs to compensate for higher losses. In particular, we face the following risks in this area:
•Missed Payments: Our customers may miss payments. Loan charge-offs (including from bankruptcies) are generally preceded by missed payments or other indications of worsening financial condition for our customers. Historically, customers are more likely to miss payments during an economic downturn or prolonged periods of slow economic growth. In addition, we face the risk that consumer and commercial customer behavior may change (for example, an increase in the unwillingness or inability of customers to repay debt, which may be heightened by increasing interest rates or levels of consumer debt), causing a long-term rise in delinquencies and charge-offs.
•Incorrect Estimates of Expected Losses: The credit quality of our portfolio can have a significant impact on our earnings. We allow for and reserve against credit risks based on our assessment of expected credit losses in our loan portfolios. This process, which is critical to our financial condition and results of operations, requires complex judgments, including forecasts of economic conditions. We may underestimate our expected losses and fail to hold an allowance for credit losses sufficient to account for these losses. Incorrect assumptions could lead to material underestimations of expected credit losses and an inadequate allowance for credit losses.
•Business Mix: We engage in a diverse mix of businesses with a broad range of potential credit exposure. Because we originate a relatively greater proportion of consumer loans in our loan portfolio compared to other large bank peers and originate both prime and subprime credit card accounts and auto loans, we may experience higher delinquencies and a greater number of accounts charging off compared to other large bank peers, which could result in increased credit losses, operating costs and regulatory scrutiny. Additionally, a change in this business mix over time to include proportionally more consumer loans or subprime credit card accounts or auto loans could adversely affect the credit quality of our portfolio.
•Increasing Charge-off Recognition/Allowance for Credit Losses: We account for the allowance for credit losses according to accounting and regulatory guidelines and rules, including Financial Accounting Standards Board (“FASB”) standards and the Federal Financial Institutions Examination Council (“FFIEC”) Account Management Guidance. Effective as of January 1, 2020, we adopted the CECL standard which is based on expected lifetime losses rather than incurred losses. Adoption of the CECL standard has resulted and may continue to result in an increase to our reserves for credit losses on financial instruments with a resulting adverse impact on our financial condition. The continued impact of CECL on our results will depend on the characteristics of our financial instruments, economic conditions, and our economic and loss forecasts. The application of the CECL standard requires us to increase reserves faster and to a higher level in an economic downturn, resulting in greater impact to our results and our capital ratios than we would have experienced in similar circumstances prior to the adoption of CECL. In addition, because credit cards represent a significant portion of our product mix, we could be disproportionately affected by use of the CECL standard, as compared to our large bank peers with a different product mix.
•Geographic and Industry Concentration: Although our consumer lending is geographically diversified, approximately 45% of our commercial real estate loan portfolio is concentrated in the Northeast region. The regional economic conditions in the Northeast affect the demand for our commercial products and services as well as the ability of our customers to repay their commercial real estate loans and the value of the collateral securing these loans. An economic downturn or prolonged period of slow economic growth in, or a catastrophic event that disproportionately affects, including as a result of climate change, the Northeast region could have a material adverse effect on the performance of our commercial real estate loan portfolio and our results of operations. In addition, our Commercial Banking strategy includes an industry-specific focus. If any of the industries that we focus on experience changes, we may experience increased credit losses and our results of operations could be adversely impacted.
We may not be able to maintain adequate capital or liquidity levels, which could have a negative impact on our financial results and our ability to return capital to our stockholders.
Financial institutions are subject to extensive and complex capital and liquidity requirements, which are subject to change. These requirements affect our ability to lend, grow deposit balances, make acquisitions and distribute capital. Failure to maintain adequate capital or liquidity levels, whether due to adverse developments in our business or the economy or to changes in the applicable requirements, could subject us to a variety of remedies available to our regulators. These include limitations on the ability to pay dividends and/or repurchase shares and the issuance of a capital directive to increase capital. Such limitations or capital directive could have a material adverse effect on our business and results of operations.
We consider various factors in the management of capital, including the impact of both internal and supervisory stress scenarios on our capital levels as determined by both our internal modeling and the Federal Reserve’s modeling of our capital position in supervisory stress tests. There can be significant differences between our modeling and the Federal Reserve’s projections for a given supervisory stress scenario and between the capital needs suggested by our internal stress scenarios relative to the supervisory scenarios. Therefore, although our estimated capital levels under stress disclosed as part of the stress testing processes may suggest that we have a particular capacity to return capital to stockholders and remain well capitalized under stress, the Federal Reserve’s modeling, our internal modeling of another scenario and/or other factors related to our capital management process may reflect a lower capacity to return capital to stockholders than that indicated by the projections released in the stress testing processes. This in turn, could lead to restrictions on our ability to pay dividends and engage in share repurchases. See “Part I—Item 1. Business—Supervision and Regulation” for additional information.
We also consider various factors in the management of liquidity, including maintaining sufficient liquid assets to meet the requirements of several internal and regulatory stress tests. There can be significant differences in estimated liquidity needs between internal and regulatory stress testing, and liquidity resources required to meet regulatory requirements, such as applicable LCR and NSFR requirements, may exceed what would otherwise be required to satisfy internal liquidity metrics and stress testing. Regulatory liquidity stress testing and regulatory liquidity requirements may, therefore, require us to take actions to increase our liquid assets or alter our activities or funding sources, which could negatively affect our financial results or our ability to return capital to our stockholders. See “Part I—Item 1. Business—Supervision and Regulation” for additional information.
In response to economic uncertainty due to the COVID-19 pandemic, the Federal Reserve required certain large BHCs, including us, to suspend share repurchases and cap common stock dividends and subsequently extended the restrictions into the first half of 2021 with certain modifications to permit resumptions of share repurchases. Although these temporary restrictions on our capital actions ended on June 30, 2021, it is possible that the Federal Reserve could impose similar restrictions in the future. Further changes to applicable capital and liquidity requirements could result in unexpected or new limitations on our ability to pay dividends and engage in share repurchases.
We are a separate and distinct legal entity from our subsidiaries, including the Banks and our broker-dealer subsidiaries. Dividends to us from these direct and indirect subsidiaries have represented a major source of funds for us to pay dividends on our common and preferred stock, repurchase common stock, make payments on corporate debt securities and meet other obligations. There are various federal law limitations on the extent to which the Banks can finance or otherwise supply funds to us through dividends and loans. These limitations include minimum regulatory capital requirements, federal banking law requirements concerning the payment of dividends out of net profits or surplus, Sections 23A and 23B of the Federal Reserve Act and Regulation W governing transactions between an insured depository institution and its affiliates, as well as general federal regulatory oversight to prevent unsafe or unsound practices. Our broker-dealer subsidiaries are also subject to laws and regulations, including net capital requirements, that may limit their ability to pay dividends or make other distributions to us. If our subsidiaries’ earnings are not sufficient to make dividend payments to us while maintaining adequate capital levels, our liquidity may be affected and we may not be able to make dividend payments to our common or preferred stockholders, repurchase our common stock, make payments on outstanding corporate debt securities or meet other obligations, each and any of which could have a material adverse impact on our results of operations, our financial position or the perception of our financial health. See “Part I—Item 1. Business—Supervision and Regulation” for additional information regarding dividend limitations applicable to us and the Banks.
Our ability to retain and attract customers depends on our ability to develop, operate, and adapt our technology and organizational infrastructure in a rapidly changing environment. In addition, we must accurately process, record and monitor an increasingly large number of complex transactions. Digital technology, data and software development are deeply embedded into our business model and how we work.
Similar to other large corporations, we are exposed to operational risk that can manifest itself in many ways, such as errors in execution, inadequate processes, inaccurate models, faulty or disabled technological infrastructure, malicious disruption and
fraud by employees or persons outside of our company, whether through attacks on Capital One directly or on our customers. In addition, we are heavily dependent on the security, capability and continuous availability of the technology systems that we use to manage our internal financial and other systems, monitor risk and compliance with regulatory requirements, provide services to our customers, develop and offer new products and communicate with stakeholders. We also face risk of adverse customer impacts and business disruption arising from the execution of strategic initiatives we may pursue across our operations.
If we do not maintain the necessary operational, technological and organizational infrastructure to operate our business, including to maintain the resiliency and security of that infrastructure, our business and reputation could be materially adversely affected. We also are subject to disruptions to our systems arising from events that are wholly or partially beyond our control, which may include computer viruses, electrical or telecommunications outages, design flaws in foundational components or platforms, availability and quality of vulnerability patches from key vendors, cyber-attacks and other security incidents (including Distributed Denial of Service (“DDOS”) and other attacks on our infrastructure as discussed below), natural disasters, other damage to property or physical assets, or events arising from local or larger scale politics, including terrorist acts. Any failure to maintain our infrastructure or disruption of our systems and applications could diminish our ability to operate our businesses, service customer accounts and protect customers’ information, or result in potential liability to customers, reputational damage, regulatory intervention and customers’ loss of confidence in our businesses, any of which could result in a material adverse effect.
We also rely on the business infrastructure and systems of third parties with which we do business and to whom we outsource the operation, maintenance and development of our information technology and communications systems. We have migrated substantially all aspects of our core information technology systems and customer-facing applications to third-party cloud infrastructure platforms, principally AWS. If we fail to administer these new environments in a well-managed, secure and effective manner, or if such platforms become unavailable or do not meet their service level agreements for any reason, we may experience unplanned service disruption or unforeseen costs which could result in material harm to our business and results of operations. We must successfully develop and maintain information, financial reporting, disclosure, privacy, data-protection, data security and other controls adapted to our reliance on outside platforms and providers. In addition, AWS, or other service providers, could experience system breakdowns or failures, outages, downtime, cyber-attacks and other security incidents, adverse changes to financial condition, bankruptcy, or other adverse conditions, which could have a material adverse effect on our business and reputation. Thus, the substantial amount of our infrastructure that we outsource to AWS or to other third parties may increase our risk exposure.
A cyber-attack or other security incident, including one that results in the theft, loss or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions.
Our ability to provide our products and services, many of which are web-based, and communicate with our customers, depends upon the management and safeguarding of information systems and infrastructure, networks, software, data engineering, technology, methodologies and business secrets, including those of our service providers. Our products and services involve the collection, authentication, management, usage, storage, transmission and eventual destruction of sensitive and confidential information, including personal information, regarding our customers and their accounts, our employees, our partners and other
third parties with which we do business. We also have arrangements in place with third parties through which we share and receive information about their customers who are or may become our customers.
Technologies, systems, networks, and other devices of Capital One, as well as those of our employees, service providers, partners and other third parties with whom we interact, have been and may continue to be the subject of cyber-attacks and other security incidents, including DDOS attacks, computer viruses, hacking, malware, ransomware, credential stuffing, or phishing or other forms of social engineering. Such cyber-attacks and other security incidents are designed to lead to various harmful outcomes, such as unauthorized transactions in Capital One accounts, unauthorized or unintended access to or release, gathering, monitoring, disclosure, loss, destruction, corruption, disablement, encryption, misuse, modification or other processing of confidential or sensitive information (including personal information), intellectual property, software, methodologies or business secrets, disruption, sabotage or degradation of service, systems or networks, or other damage. These threats may derive from, among other things, error, fraud or malice on the part of our employees, insiders, or third parties or may result from accidental technological failure. Any of these parties may also attempt to fraudulently induce employees, service providers, customers, partners or other third-party users of our systems or networks to disclose confidential or sensitive information (including personal information) in order to gain access to our systems, networks or data or that of our customers, partners, or third parties with whom we interact, or to unlawfully obtain monetary benefit through misdirected or otherwise improper payment. For example, any party that obtains our confidential or sensitive information (including personal information) through a cyber-attack or other security incident may use this information for ransom, to be paid by us or a third party, as part of a fraudulent activity that is part of a broader criminal activity, or for other illicit purposes.
For example, on July 29, 2019, we announced that on March 22 and 23, 2019 an outside individual gained unauthorized access to our systems (the “Cybersecurity Incident”). This individual obtained certain types of personal information relating to people who had applied for our credit card products and to our credit card customers. While the Cybersecurity Incident has been remediated, it has resulted in fines, litigation, government investigations and other regulatory enforcement inquiries, as well as consent orders with certain regulatory agencies. Cyber and information security risks for large financial institutions like us continue to increase due to the proliferation of new technologies, the industry-wide shift to reliance upon the internet to conduct financial transactions, and the increased sophistication and activities of malicious actors, organized crime, perpetrators of fraud, hackers, terrorists, activists, formal and informal instrumentalities of foreign governments and other external parties. In addition, our customers access our products and services using personal devices that are necessarily external to our security control systems. There has also been a significant proliferation of consumer information available on the internet resulting from breaches of third-party entities, including personal information, log-in credentials and authentication data. While we were not directly involved in these third-party breach events, the stolen information can create a vulnerability for our customers if their Capital One log-in credentials are the same as or similar to the credentials that have been compromised on other sites. This vulnerability could include the risk of unauthorized account access, data loss and fraud. The use of artificial intelligence, “bots” or other automation software can increase the velocity and efficacy of these types of attacks. The ongoing COVID-19 pandemic also increases the risk that we may experience cyber incidents as a result of our employees, service providers, partners and other third parties with which we interact working remotely on systems, networks and environments over which we have less control.
The methods and techniques employed by malicious actors change frequently, are increasingly sophisticated and often are not fully recognized or understood until after they have occurred, and some techniques could occur and persist for an extended period of time before being detected. For example, although we immediately fixed the configuration vulnerability that was exploited in the Cybersecurity Incident once we discovered the unauthorized access, a period of time elapsed between the occurrence of the unauthorized access and the time when we discovered it. In other circumstances, we and our service providers and other third parties with which we interact may be unable to anticipate or identify certain attack methods in order to implement effective preventative measures or mitigate or remediate the damages caused in a timely manner. We may also be unable to hire and develop talent capable of detecting, mitigating or remediating these risks. Although we seek to maintain a robust suite of authentication and layered information security controls, any one or combination of these controls could fail to detect, mitigate or remediate these risks in a timely manner. We will likely face an increasing number of attempted cyber-attacks as we expand our mobile and other internet-based products and services, as well as our usage of mobile and cloud technologies and as we provide more of these services to a greater number of retail clients.
A disruption or breach, including as a result of a cyber-attack such as the Cybersecurity Incident, or media reports of perceived security vulnerabilities at Capital One or at our service providers, could result in significant legal and financial exposure, regulatory intervention, litigation, remediation costs, card reissuance, supervisory liability, damage to our reputation or loss of confidence in the security of our systems, products and services that could adversely affect our business. There can be no assurance that unauthorized access or cyber incidents similar to the Cybersecurity Incident will not occur or that we will not
suffer material losses in the future. If future attacks are successful or if customers are unable to access their accounts online for other reasons, it could adversely impact our ability to service customer accounts or loans, complete financial transactions for our customers or otherwise operate any of our businesses or services. In addition, a breach or attack affecting one of our service providers or other third parties with which we interact could harm our business even if we do not control the service that is attacked.
Further, our ability to monitor our service providers’ cybersecurity practices is limited. Although we generally have agreements relating to cybersecurity and data privacy in place with our service providers, we cannot guarantee that such agreements will prevent a cyber incident impacting our systems or information or enable us to obtain adequate or any reimbursement from our service providers in the event we should suffer any such incidents. However, due to applicable laws and regulations or contractual obligations, we may be held responsible for cyber incidents attributed to our service providers as they relate to the information we share with them.
In addition, the increasing prevalence and the evolution of cyber-attacks and other efforts to breach or disrupt our systems or networks or those of our customers, service providers, partners or other third parties with which we interact has led, and will likely continue to lead, to increased costs to us with respect to preventing, mitigating and remediating these risks, as well as any related attempted fraud. In order to address ongoing and future risks, we must expend significant resources to support protective security measures, investigate and remediate any vulnerabilities of our information systems and infrastructure and invest in new technology designed to mitigate security risks. Further, high profile cyber incidents at Capital One or other large financial institutions could lead to a general loss of customer confidence in financial institutions that could negatively affect us, including harming the market perception of the effectiveness of our security measures or the financial system in general, which could result in reduced use of our financial products. We have insurance against some cyber risks and attacks; nonetheless, our insurance coverage may not be sufficient to offset the impact of a material loss event (including if our insurer denies coverage as to any particular claim in the future), and such insurance may increase in cost or cease to be available on commercially reasonable terms, or at all, in the future.
We are subject to a variety of continuously evolving and developing laws and regulations in the United States at the federal, state and local level regarding privacy, data protection and data security, including those related to the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information. For example, at the federal level, we are subject to the GLBA, among other laws and regulations. In addition, in November 2021, the Federal Reserve, OCC, and FDIC issued a final rule that, among other things, requires all banking organizations in the United States to notify their primary federal regulators of certain material computer-security incidents as soon as possible and no later than 36 hours after determining that the incident has occurred. At the state level, the CCPA went into effect on January 1, 2020 and covers certain companies that process personal information of California residents. The CCPA was recently amended by the CPRA, which will become effective in most material respects on January 1, 2023. Numerous other states have also enacted or are in the process of enacting state-level privacy, data protection and/or data security laws and regulations.
We also are, or may become, subject to continuously evolving and developing laws and regulations in other jurisdictions regarding privacy, data protection and data security. For example, in Canada we are subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). In addition, the EU GDPR applies EU data protection law to all companies processing data of EU residents, regardless of the company’s location. We also are subject to the U.K. GDPR (which is how GDPR has been implemented into U.K. law). These laws and regulations, and similar laws and regulations in other jurisdictions, impose strict requirements regarding the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information, which may have adverse consequences, including significant compliance costs and severe monetary penalties for non-compliance. Significant uncertainty exists as privacy, data protection, and data security laws may be interpreted and applied differently from country to country and may create inconsistent or conflicting requirements.
Our efforts to comply with PIPEDA, GLBA, GDPR, U.K. GDPR, CCPA, CPRA and other privacy, data protection and data security laws and regulations, as well as our posted privacy policies, and related contractual obligations to third parties, entail substantial expenses, may divert resources from other initiatives and projects, and could limit the services we are able to offer. Furthermore, enforcement actions and investigations by regulatory authorities related to data security incidents and privacy, data protection and data security violations continue to increase. The enactment of more restrictive laws or regulations, or future enforcement actions or investigations, could impact us through increased costs or restrictions on our business, and any noncompliance or perceived noncompliance could result in monetary or other penalties, harm to our reputation and significant legal liability.
We rely on quantitative models, our ability to manage and aggregate data in an accurate and timely manner, assess and manage our various risk exposures, estimate certain financial values and manage compliance with regulatory capital requirements. Models may be used in such processes as determining the pricing of various products, grading loans and extending credit, measuring interest rate and other market risks, predicting deposit levels or loan losses, assessing capital adequacy and calculating managerial and regulatory capital levels, estimating the value of financial instruments and balance sheet items, and other operational functions. Our risk reporting and management, including business decisions based on information incorporating models, depend on the effectiveness of our models and our policies, programs, processes and practices governing how data is acquired, validated, stored, protected, processed and analyzed. Any issues with the quality or effectiveness of our data aggregation and validation procedures, as well as the quality and integrity of data inputs, formulas or algorithms, could result in inaccurate forecasts, ineffective risk management practices or inaccurate risk reporting. In addition, models based on historical data sets might not be accurate predictors of future outcomes and their ability to appropriately predict future outcomes may degrade over time. While we continuously update our policies, programs, processes and practices, many of our data management, aggregation and implementation processes are manual and subject to human error or system failure. Failure to manage data effectively and to aggregate data in an accurate and timely manner may limit our ability to manage current and emerging risk, to produce accurate financial, regulatory and operational reporting as well as to manage changing business needs. If our risk management framework is ineffective, we could suffer unexpected losses which could materially adversely affect our results of operation or financial condition. Also, any information we provide to the public or to our regulators based on poorly designed or implemented models could be inaccurate or misleading. Some of the decisions that our regulators make, including those related to capital distribution to our stockholders, could be affected adversely due to the perception that the quality of the models used to generate the relevant information is insufficient.
A wide array of laws and regulations, including banking and consumer lending laws and regulations, apply to almost every aspect of our business. We and our subsidiaries are also subject to supervision and examination by multiple regulators, and the manner in which our regulators interpret applicable laws and regulations may affect how we comply with them. Failure to comply with these laws and regulations, even if the failure was inadvertent or reflects a difference in interpretation, could subject us to restrictions on our business activities, fines, criminal sanctions and other penalties, and/or damage to our reputation with regulators, our customers or the public. Hiring, training and retaining qualified compliance and legal personnel, and establishing and maintaining risk management and compliance-related systems, infrastructure and processes, is difficult and may lead to increased expenses. These efforts and the associated costs could limit our ability to invest in other business opportunities.
Applicable rules and regulations may affect us disproportionately compared to our competitors or in an unforeseen manner. For example, we have a large number of customer accounts in our credit card and auto lending businesses and we have made the strategic choice to originate and service subprime credit card and auto loans, which typically have higher delinquencies and charge-offs than prime customer accounts. As a result, we have significant involvement with credit bureau reporting and the collection and recovery of delinquent and charged-off debt, primarily through customer communications, the filing of litigation against customers in default, the periodic sale of charged-off debt and vehicle repossession. These activities are subject to enhanced legal and regulatory scrutiny from regulators, courts and legislators. Any future changes to or legal liabilities resulting from our business practices in these areas, including our debt collection practices, whether mandated by regulators, courts, legislators or otherwise, could have a material adverse impact on our financial condition.
The legislative and regulatory environment is beyond our control, may change rapidly and unpredictably, and may negatively influence our revenue, costs, earnings, growth, liquidity and capital levels. For example, there may be future rulemaking in emerging regulatory areas such as climate-related risks and new technologies, including distributed ledger technology and cryptocurrencies. In addition, some rules and regulations may be subject to litigation or other challenges that delay or modify their implementation and impact on us. Adoption of new technologies, such as distributed ledger technologies, tokenization, cloud computing, artificial intelligence and machine learning technologies, can present unforeseen challenges in applying and relying on existing compliance systems.
Certain laws and regulations, and any interpretations and applications with respect thereto, are generally intended to protect consumers, borrowers, depositors, the DIF, the U.S. banking and financial system, and financial markets as a whole, but not stockholders. Our success depends on our ability to maintain compliance with both existing and new laws and regulations. For a description of the material laws and regulations to which we are subject, see “Part I—Item 1. Business—Supervision and Regulation.”
Given the inherent uncertainties involved in litigation, government investigations and regulatory enforcement decisions, and the very large or indeterminate damages sought in some matters asserted against us, there can be significant uncertainty as to the ultimate liability we may incur from these kinds of matters. The finding, or even the assertion, of substantial legal liability against us could have a material adverse effect on our business and financial condition and could cause significant reputational harm to us, which could seriously harm our business. The Cybersecurity Incident has resulted in litigation, government investigations and other regulatory enforcement inquiries.
Over the last several years, federal and state regulators have focused on compliance with AML and sanctions laws, privacy, data protection and data security, use of service providers, fair lending and other consumer protection issues. In August 2020, we entered into consent orders with the Federal Reserve and the OCC resulting from regulatory reviews of the Cybersecurity Incident and relating to ongoing enhancements of our cybersecurity and operational risk management processes, and we paid a civil monetary penalty as part of the OCC agreement. In January 2021, we also paid a civil monetary penalty assessed by FinCEN against CONA in connection with our AML program. Regulatory scrutiny is expected to continue in these areas, including as a result of implementation of the AML Act of 2020.
We expect that regulators and governmental enforcement bodies will continue taking formal enforcement actions against financial institutions in addition to addressing supervisory concerns through nonpublic supervisory and enforcement actions or findings, which could involve restrictions on our activities, or our ability to make acquisitions or otherwise expand our business, among other limitations that could adversely affect our business. In addition, a violation of law or regulation by another financial institution is likely to give rise to an investigation by regulators and other governmental agencies of the same or similar practices by us. Furthermore, a single event may give rise to numerous and overlapping investigations and proceedings. These and other initiatives from governmental authorities and officials may subject us to further judgments, settlements, fines or penalties, or cause us to restructure our operations and activities or to cease offering certain products or services, all of which could harm our reputation or lead to higher operational costs. Litigation, government investigations and other regulatory actions could generally subject us to significant fines, increased expenses, restrictions on our activities and damage to our reputation and our brand, and could adversely affect our business, financial condition and results of operations. For additional information regarding legal and regulatory proceedings to which we are subject, see “Note 18—Commitments, Contingencies, Guarantees and Others.”
We operate in a highly competitive environment across all of our lines of business, whether in making loans, attracting deposits or in the global payments industry, and we expect competitive conditions to continue to intensify with respect to most of our products particularly in our credit card and consumer banking business. We compete on the basis of the rates we pay on deposits and the rates and other terms we charge on the loans we originate or purchase, as well as the quality and range of our customer service, products, innovation and experience. This increasingly competitive environment is primarily a result of changes in technology, product delivery systems and regulation, as well as the emergence of new or significantly larger financial services providers, all of which may affect our customers’ expectations and demands. In addition to offering competitive products and services, we invest in and conduct marketing campaigns to attract and inform customers.
Some of our competitors, including new and emerging competitors in the digital and mobile payments space and other financial technology providers, are not subject to the same regulatory requirements or legislative scrutiny to which we are subject, which also could place us at a competitive disadvantage, in particular in the development of new technology platforms or the ability to rapidly innovate. We compete with many forms of payments offered by both bank and non-bank providers, including a variety of new and evolving alternative payment mechanisms, systems and products, such as aggregators and web-based and wireless payment platforms or technologies, digital or cryptocurrencies, prepaid systems and payment services targeting users of social networks, communications platforms and online gaming. If we are unable to continue to keep pace with innovation, do not effectively market our products and services or are prohibited from or unwilling to enter emerging areas of competition, our business and results of operations could be adversely affected.
In our credit card business, competition for rewards customers may result in higher rewards expenses, or we may fail to attract new customers or retain existing rewards customers due to increasing competition for these consumers. As of December 31, 2021, we have a number of large partnerships in our credit card loan portfolio. The market for key business partners, especially in the credit card business, is very competitive, and we may not be able to grow or maintain these partner relationships. Additionally, partners themselves may face changes in their business, including market factors and ownership changes, that could impact the partnership. We face the risk that we could lose partner relationships, even after we have invested significant resources into acquiring and developing the relationships. The loss of any of our key business partners could have a negative impact on our results of operations, including lower returns, excess operating expense and excess funding capacity.
Legislative and regulatory bodies in a number of countries are seeking to reduce interchange fees through legislation, competition-related regulatory proceedings, voluntary agreements, central bank regulation and/or litigation. For credit transactions, interchange reimbursement rates in the United States are set by credit card networks such as MasterCard and Visa. For debit transactions, Federal Reserve rules place limits on the interchange fees we may charge. For more information on these rules, including the Federal Reserve’s proposed amendments, please see “Part I—Item 1. Business—Supervision and Regulation.” In some jurisdictions, such as Canada and certain countries in Europe, including the U.K., interchange fees and related practices are subject to regulatory activity, including in some cases, imposing caps on permissible interchange fees. Our international card businesses have been impacted by these restrictions. For example, in the U.K., interchange fees are capped for both credit and debit card transactions. In addition, in Canada, Visa and Mastercard payment networks have, since 2014, entered into voluntary agreements with the Department of Finance Canada to maintain an agreed upon average interchange rate. Lowering interchange fees remains an area of domestic and international governmental focus. Legislators and regulators around the world are aware of each other’s approaches to the regulation of the payments industry. Consequently, a development in one country, state or region may influence regulatory approaches in another, such as our primary market, the United States.
In addition to this regulatory activity, merchants are also seeking avenues to reduce interchange fees. During the past few years, merchants and their trade groups have filed numerous lawsuits against Visa, MasterCard, American Express and their card-issuing banks, claiming that their practices toward merchants, including interchange and similar fees, violate federal antitrust laws. In 2005, a number of entities filed antitrust lawsuits against MasterCard and Visa and several member banks, including our subsidiaries and us, alleging among other things, that the defendants conspired to fix the level of interchange fees. In December 2013, the U.S. District Court for the Eastern District of New York granted final approval of the proposed class settlement. The settlement provided, among other things, that merchants would be entitled to join together to negotiate lower interchange fees. The settlement was appealed to the Second Circuit Court of Appeals, which rejected the settlement in June 2016; a revised settlement was reached in the second half of 2018, and the trial court issued its final approval of the settlement in December 2019. See “Note 18—Commitments, Contingencies, Guarantees and Others” for further details.
Some major retailers may have sufficient bargaining power to independently negotiate lower interchange fees with MasterCard and Visa, which could, in turn, result in lower interchange fees for us when our cardholders undertake purchase transactions with these retailers. In 2016, some of the largest merchants individually negotiated lower interchange rates with MasterCard and/or Visa. These and other merchants also continue to lobby aggressively for caps and restrictions on interchange fees and their efforts may be successful or they may in the future bring legal proceedings against us or other credit card and debit card issuers and networks.
Our industry is subject to rapid and significant technological changes and our ability to meet our customers’ needs and expectations is key to our ability to grow revenue and earnings. We expect digital technologies to have a significant impact on banking over time. Consumers expect robust digital experiences from their financial services providers. The ability for customers to access their accounts and conduct financial transactions using digital technology, including mobile applications, is an important aspect of the financial services industry and financial institutions are rapidly introducing new digital and other technology-driven products and services that aim to offer a better customer experience and to reduce costs. We continue to invest in digital technology designed to attract new customers, facilitate the ability of existing customers to conduct financial transactions and enhance the customer experience related to our products and services.
Our continued success depends, in part, upon our ability to address the needs of our customers by using digital technology to provide products and services that meet their expectations. The development and launch of new digital products and services depends in large part on our capacity to invest in and build the technology platforms that can enable them, in a cost effective and timely manner. See “We face intense competition in all of our markets” and “We face risks related to our operational, technological and organizational infrastructure.”
Some of our competitors are substantially larger than we are, which may allow those competitors to invest more money into their technology infrastructure and digital innovation than we do. In addition, we face intense competition from smaller companies which experience lower cost structures and different regulatory requirements and scrutiny than we do, and which may allow them to innovate more rapidly than we can. See “We face intense competition in all of our markets.” Further, our success depends on our ability to attract and retain strong digital and technology leaders, engineers and other specialized personnel. The competition is intense and the compensation costs continue to increase for such talent. If we are unable to attract and retain digital and technology talent, our ability to offer digital products and services and build the necessary technology infrastructure could be negatively affected, which could negatively impact our business and financial results. A failure to maintain or enhance our competitive position with respect to digital products and services, whether because we fail to anticipate customer expectations or because our technological developments fail to perform as desired or are not implemented in a timely or successful manner, could negatively impact our business and financial results.
We have engaged in merger and acquisition activity and entered into strategic partnerships over the past several years. We continue to evaluate and anticipate engaging in, among other merger and acquisition activity, additional strategic partnerships and selected acquisitions of financial institutions and other businesses or assets, including credit card and other loan portfolios. We may not be able to identify and secure future acquisition targets on terms and conditions that are acceptable to us, or successfully complete within the anticipated time frame and achieve the anticipated benefits of proposed mergers, acquisitions and strategic partnerships, which could impair our growth.
•New Businesses and Geographic or Other Markets: Our merger, acquisition or strategic partnership activity may involve our entry into new businesses, or new geographic areas or other markets which present risks resulting from our relative inexperience in these new businesses or markets. These new businesses or markets may change the overall character of our consolidated portfolio of businesses and alter our exposure to economic and other external factors. We face the risk that we will not be successful in these new businesses or in these new markets.
•Identification and Assessment of Merger and Acquisition Targets and Deployment of Acquired Assets: We may not be able to identify, acquire or partner with suitable targets. Further, our ability to achieve the anticipated benefits of any merger, acquisition or strategic partnership will depend on our ability to assess the asset quality and value of the particular assets or institutions we partner with, merge with or acquire. We may be unable to profitably deploy any assets we acquire.
•Accuracy of Assumptions: In connection with any merger, acquisition or strategic partnership, we may make certain assumptions relating to the proposed merger, acquisition or strategic partnership that may be, or may prove to be, inaccurate, including as a result of the failure to realize the expected benefits of any merger, acquisition or strategic partnership. The inaccuracy of any assumptions we may make could result in unanticipated consequences that could have a material adverse effect on our results of operations or financial condition.
•Conditions to Regulatory Approval: We may be required to obtain regulatory approvals to consummate certain acquisitions. We cannot be certain whether, when or on what terms and conditions, such approvals may be granted. Consequently, we may not obtain regulatory approval for a proposed acquisition on acceptable terms or at all, in which case we would not be able to complete the acquisition despite investing resources in pursuing it.
In addition, a variety of social factors may cause changes in borrowing activity, including credit card use, payment patterns and the rate of defaults by account holders and borrowers domestically and internationally. These social factors include changes in consumer confidence levels, the public’s perception regarding the banking industry and consumer debt, including credit card use, and changing attitudes about the stigma of bankruptcy. If consumers develop or maintain negative attitudes about incurring debt, or if consumption trends decline or if we fail to maintain and enhance our brand, or we incur significant expenses to do so, our business and financial results could be materially and negatively affected.
We rely on a variety of measures to protect and enhance our intellectual property, including copyrights, trademarks, trade secrets, patents and certain restrictions on disclosure, solicitation and competition. We also undertake other measures to control access to and distribution of our other proprietary information. These measures may not prevent misappropriation of our proprietary information or infringement of our intellectual property rights and a resulting loss of competitive advantage. In addition, our competitors or other third parties may obtain patents for innovations that are used in our industry or allege that our systems, processes or technologies infringe on their intellectual property rights. If our competitors or other third parties are successful in obtaining such patents or prevail in intellectual property-related litigation against us, we could lose significant revenues, incur significant license, royalty or technology development expenses, or pay significant damages.
Management of market, credit, liquidity, operational and compliance risk requires, among other things, policies and procedures to properly record and verify a large number of transactions and events. See “MD&A—Risk Management” for further details. Even though we continue to devote significant resources to developing our risk management framework, our risk management strategies may not be fully effective in identifying and mitigating our risk exposure in all market environments or against all types of risk, including risks that are unidentified or unanticipated.
Some of our methods of managing these risks are based upon our use of observed historical market behavior and management’s judgment. These methods may not accurately predict future exposures, which could be significantly greater than the historical measures indicate and market conditions, particularly during a period of financial market stress, can involve unprecedented dislocations. For example, credit risk is inherent in the financial services business and results from, among other things, extending credit to customers. Our ability to assess the creditworthiness of our customers may be impaired if the models and approaches we use to select, manage and underwrite our consumer and commercial customers become less predictive of future charge-offs due, for example, to rapid changes in the economy, or degradation in the predictive nature of credit bureau and other data used in underwriting.
Fluctuations in market interest rates or volatility in the capital markets could adversely affect our income and expense, the value of assets and obligations, our regulatory capital, cost of capital or liquidity.
Like other financial institutions, our business is sensitive to market interest rate movements and the performance of the capital markets. Disruptions, uncertainty or volatility across the capital markets could negatively impact market liquidity, limit our access to the funding and capital required to operate and grow our business and adversely affect our results of operations and financial condition. In addition, changes in interest rates or in valuations in the debt or equity markets could directly impact us. For example, we borrow money from other institutions and depositors, which we use to make loans to customers and invest in debt securities and other interest-earning assets. We earn interest on these loans and assets and pay interest on the money we borrow from institutions and depositors. The interest rates that we pay on the securities we have issued are also influenced by, among other things, applicable credit ratings from recognized rating agencies. A downgrade to any of these credit ratings could affect our ability to access the capital markets, increase our borrowing costs and have a negative impact on our results of operations. Increased charge-offs, rising interest rates and other events may cause our securitization transactions to amortize earlier than scheduled, which could accelerate our need for additional funding from other sources. Fluctuations in interest rates,
including changes in the relationship between short-term rates and long-term rates and in the relationship between our funding basis rate and our lending basis rate, may have negative impacts on our net interest income and therefore our earnings.
In addition, interest rate fluctuations and competitor responses to those changes may affect the rate of customer prepayments for auto and other term loans and may affect the balances customers carry on their credit cards. For example, increases in interest rates increase debt service requirements for some of our borrowers, which may adversely affect those borrowers’ ability to pay as contractually obligated. This could result in additional delinquencies or charge-offs and negatively impact our results of operations. These changes can reduce the overall yield on our interest-earning asset portfolio. Changes in interest rates and competitor responses to these changes may also impact customer decisions to maintain balances in the deposit accounts they have with us. An inability to attract or maintain deposits could materially affect our ability to fund our business and our liquidity position. Many other financial institutions have increased their reliance on deposit funding and, as such, we expect continued competition in the deposit markets. We cannot predict how this competition will affect our costs. If we are required to offer higher interest rates to attract or maintain deposits, our funding costs will be adversely impacted. Changes in valuations in the debt and equity markets could have a negative impact on the assets we hold in our investment portfolio. Such market changes could also have a negative impact on the valuation of assets for which we provide servicing.
We assess our interest rate risk by estimating the effect on our earnings, economic value and capital under various scenarios that differ based on assumptions about the direction and the magnitude of interest rate changes. We take risk mitigation actions based on those assessments. We face the risk that changes in interest rates could materially reduce our net interest income and our earnings, especially if actual conditions turn out to be materially different than those we assumed. See “MD&A—Market Risk Profile” for additional information.
Central banks around the world, including the Federal Reserve, have commissioned committees and working groups of market participants and official sector representatives to replace LIBOR and replace or reform other interest rate benchmarks. The publication of non-U.S. dollar LIBOR rates on a representative basis, as well as the publication of the lesser used 1-week and 2-month U.S. dollar LIBOR tenors, ceased as of the end of December 2021. While the most commonly used U.S. dollar LIBOR tenors are expected to continue to be published until June 30, 2023, the U.S. banking agencies issued guidance that banking organizations should cease using U.S. dollar LIBOR as a reference rate in new contracts in any event by December 31, 2021. A transition away from the widespread use of LIBOR to alternative rates and other potential interest rate benchmark reforms has begun and is continuing. These reforms have caused and may in the future cause such rates to perform differently than in the past, or to disappear entirely, or have other consequences which cannot be predicted.
Given LIBOR’s extensive use across financial markets, the transition away from LIBOR presents several risks and challenges to the financial markets and financial institutions, including Capital One. We have loans, derivative contracts, unsecured debt, securitizations, vendor agreements and other instruments with attributes that are either directly or indirectly dependent on LIBOR. Uncertainty as to the nature of potential changes, alternative reference rates (including the pace of transition to, the specific terms and parameters for, and market acceptance of, such rates), or other reforms may adversely affect market liquidity, the pricing of LIBOR-based instruments, and the availability and cost of associated hedging instruments and borrowings. The Secured Overnight Financing Rate (“SOFR”) has been recommended by the Alternative Reference Rates Committee (“ARRC”) as an alternative to U.S. dollar LIBOR. Nevertheless, the transition away from LIBOR could result in loss of market share in certain products, adverse tax or accounting impacts, compliance, legal or operational costs and risks associated with client disclosures, as well as systems disruption, model disruption and other business continuity issues for us.
In addition, risks will remain for us with respect to outstanding instruments which rely on LIBOR. Those risks arise in connection with transitioning such instruments to a new reference rate, the taking of discretionary actions (for example, under fallback provisions) or the negotiation of fallback provisions and final amendments to existing LIBOR based agreements. Payments under contracts referencing new reference rates may significantly differ from those referencing LIBOR. For some instruments, the method of transitioning to a new reference rate may be challenging, especially if parties to an instrument cannot agree as to how to effect that transition. If a contract is not transitioned to a new reference rate and LIBOR ceases to exist, the impact on our obligations is likely to vary by contract. In addition, prior to LIBOR cessation, instruments that continue to refer to LIBOR may be impacted if there is a change in the availability or calculation of LIBOR. The transition from LIBOR to an alternative reference rate has changed our market risk profile and required changes to risk and pricing models, valuation tools, product design, information technology systems, reporting infrastructure, operational processes and controls, and hedging strategies, and may result in or require further such changes in the future. In many cases, we are and may in the future be dependent on third parties to upgrade systems, software and other critical functions that could materially disrupt our
readiness if they are not done on a timely basis or otherwise fail. Our assessment of the ultimate impact of, and our planning for, the transition from LIBOR remains ongoing. Failure to adequately manage the transition could have a material adverse effect on our reputation, business, financial condition and results of operations. See “MD&A—Market Risk Profile” for additional information.
Our business could be negatively affected if we are unable to attract, retain and motivate skilled employees.
Our success depends, in large part, on our ability to retain key senior leaders and to attract and retain skilled employees, particularly employees with advanced expertise in credit, risk, digital and technology skills. We depend on our senior leaders and skilled employees to oversee simultaneous, transformative initiatives across the enterprise and execute on our business plans in an efficient and effective manner. Competition for such senior leaders and employees, and the costs associated with attracting and retaining them, is high and made even more competitive as a result of the external environment, including increasing rates of job transition and low unemployment. Our ability to attract and retain qualified employees also is affected by perceptions of our culture and management, our profile in the regions where we have offices and the professional opportunities we offer. Regulation or regulatory guidance restricting executive compensation, as well as evolving investor expectations, may limit the types of compensation arrangements that we may enter into with our most senior leaders and could have a negative impact on our ability to attract, retain and motivate such leaders in support of our long-term strategy. These laws and regulations may not apply in the same manner to all financial institutions and technology companies, which therefore may subject us to more restrictions than other institutions and companies with which we compete for talent and may also hinder our ability to compete for talent with other industries. We rely upon our senior leaders not only for business success, but also to lead with integrity. To the extent our senior leaders behave in a manner that does not comport with our values, the consequences to our brand and reputation could be severe and could adversely affect our financial condition and results of operations. If we are unable to attract, develop and retain talented senior leadership and employees, or to implement appropriate succession plans for our senior leadership, our business could be negatively affected.
We face risks from unpredictable catastrophic events.
Despite the business contingency plans we have in place, such plans do not fully mitigate all potential business continuity risks to us. Natural disasters and other catastrophic events could harm our employees, business and infrastructure, including our information technology systems and third-party platforms. Our ability to conduct business may be adversely affected by a disruption in the infrastructure that supports our business and the communities where we are located, which are concentrated in the Northern Virginia and New York metropolitan areas, as well as Richmond, Virginia and Plano, Texas. This may include a disruption involving damage or loss of access to a physical site, cyber-attacks and other security incidents, terrorist activities, the occurrence or worsening of disease outbreaks or pandemics (including the COVID-19 pandemic), natural disasters, extreme weather events (including as a result of climate change), electrical outage, environmental hazards, disruption to technological infrastructure, communications or other services we use, our employees or third parties with whom we conduct business. Our business, financial condition and results of operations may be impacted by any such disruption and our ability to implement corresponding response measures quickly, including, for example, our ability to respond effectively to a remote work environment as a result of the ongoing COVID-19 pandemic and related response measures. In addition, if a natural disaster or other catastrophic event occurs in certain regions where our business and customers are concentrated, such as the mid-Atlantic, New York, California or Texas metropolitan areas, we could be disproportionately impacted as compared to our competitors. The impact of such events and other catastrophes on the overall economy may also adversely affect our financial condition and results of operations.
Climate change manifesting as physical or transition risks could adversely affect our operations, businesses and customers.
The physical risks of climate change include discrete events, such as flooding and wildfires, and longer-term shifts in climate patterns, such as extreme heat, sea level rise, and more frequent and prolonged drought. Such events could disrupt our operations or those of our customers or third parties on which we rely, including through direct damage to assets and indirect impacts from supply chain disruption and market volatility. Additionally, transitioning to a low-carbon economy may entail significant policy, legal, technology and market initiatives. Transition risks, including changes in consumer preferences and additional regulatory requirements or taxes, could increase our expenses and impact our strategies or those of our customers. Physical and transition risks could also affect the financial health of certain customers in impacted industries or geographies. In addition, our reputation and client relationships may be damaged as a result of our practices and decisions related to climate change and the environment, or the practices or involvement of our clients, in certain industries or projects associated with causing or exacerbating climate change. Climate risk is interconnected with many risk types. We continue to enhance processes to embed evolving climate risk considerations into our risk management strategies established for risks such as market, credit
and operational risks; however, because the timing and severity of climate change may not be predictable, our risk management strategies may not be effective in mitigating climate risk exposure.
Pursuant to generally accepted accounting principles in the U.S. (“U.S. GAAP”), we are required to use certain assumptions and estimates in preparing our financial statements, including determining our allowance for credit losses, the fair value of certain assets and liabilities, and goodwill impairment, among other items. In addition, the FASB, the SEC and other regulatory bodies may change the financial accounting and reporting standards, including those related to assumptions and estimates we use to prepare our financial statements, in ways that we cannot predict and that could impact our financial statements. If actual results differ from the assumptions or estimates underlying our financial statements or if financial accounting and reporting standards are changed, we may experience unexpected material losses. For a discussion of our use of estimates in the preparation of our consolidated financial statements, see “MD&A—Critical Accounting Policies and Estimates” and “Note 1—Summary of Significant Accounting Policies.”
Likewise, adverse developments affecting the overall strength and soundness of our competitors, the financial services industry as a whole and the general economic climate or sovereign debt could have a negative impact on perceptions about the strength and soundness of our business even if we are not subject to the same adverse developments. In addition, adverse developments with respect to third parties with whom we have important relationships also could negatively impact perceptions about us. These perceptions about us could cause our business to be negatively affected and exacerbate the other risks that we face.
Current §1A text (2022)
Show full section (14940 words)
Item 1A. Risk Factors
The following discussion sets forth what management currently believes could be the material risks and uncertainties that could impact our businesses, results of operations and financial condition. The events and consequences discussed in these risk factors could, in circumstances we may not be able to accurately predict, recognize, or control, have a material adverse effect on our business, growth, reputation, prospects, financial condition, operating results, cash flows, liquidity, and stock price. These risk factors do not identify all risks that we face; our operations could also be affected by factors, events, or uncertainties that are not presently known to us or that we currently do not consider to present significant risks to our operations. In addition, the global economic and political climate may amplify many of these risks.
Summary of Risk Factors
The following is a summary of the Risk Factors disclosure in this Item 1A. This summary does not address all of the risks that we face. Additional discussion of the risks summarized in this risk factor summary, and other risks that we face, can be found below and should be carefully considered, together with other information in this Form 10-K and our other filings with the SEC, before making an investment decision regarding our securities.
•Changes and instability in the macroeconomic environment, consumer confidence and customer behavior may adversely affect our business.
•Fluctuations in market interest rates or volatility in the capital markets could adversely affect our business.
•Our results of operations may be adversely affected by the effects of the COVID-19 pandemic.
21
Capital One Financial Corporation (COF)
Table of Contents
•We may experience increases or fluctuations in delinquencies and credit losses, inaccurate estimates and inadequate reserves.
•We may not be able to maintain adequate capital or liquidity levels or may become subject to revised capital or liquidity requirements, which could have a negative impact on our financial results and our ability to return capital to our stockholders.
•Limitations on our ability to receive dividends from our subsidiaries could affect our liquidity and ability to pay dividends and repurchase common stock.
•We face risks related to our operational, technological and organizational infrastructure.
•A cyber-attack or other security incident, including one that results in the theft, loss, manipulation or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions.
•Our required compliance with applicable laws and regulations related to privacy, data protection and data security may increase our costs, reduce our revenue, increase our legal exposure and limit our ability to pursue business opportunities.
•We face risks resulting from the extensive use of models and data.
•Compliance with new and existing laws, regulations and regulatory expectations is costly and complex.
•Our businesses are subject to the risk of increased litigation, government investigations and regulatory enforcement.
•We face intense competition in all of our markets.
•Our business, financial condition and results of operations may be adversely affected by merchants’ increasing focus on the fees charged by credit and debit card networks and by legislation and regulation impacting such fees.
•If we are not able to invest successfully in and introduce digital and other technological developments across all our businesses, our financial performance may suffer.
•We may fail to realize the anticipated benefits of our mergers, acquisitions and strategic partnerships.
•Reputational risk and social factors may impact our results and damage our brand.
•If we are not able to protect our intellectual property, our revenue and profitability could be negatively affected.
•Our risk management strategies may not be fully effective in mitigating our risk exposures in all market environments or against all types of risk.
•The transition away from London Interbank Offered Rate may adversely affect our business.
•Our business could be negatively affected if we are unable to attract, retain and motivate key senior leaders and skilled employees.
•We face risks from catastrophic events.
•Climate change manifesting as physical or transition risks could adversely affect our businesses, operations and customers.
•We face risks from the use of or changes to assumptions or estimates in our financial statements.
•The soundness of other financial institutions and other third parties could adversely affect us.
22
Capital One Financial Corporation (COF)
Table of Contents
General Economic and Market Risks
Changes and instability in the macroeconomic environment, consumer confidence and customer behavior may adversely affect our business.
We offer a broad array of financial products and services to consumers, small businesses and commercial clients. A prolonged period of economic volatility, slow growth, or a significant deterioration in economic conditions, in the U.S., Canada or the U.K., could have a material adverse effect on our financial condition and results of operations as customers default on their loans, maintain lower deposit levels or, in the case of credit card accounts, carry lower balances and reduce credit card purchase activity.
Some of the risks we face in connection with adverse changes and instability in the macroeconomic environment and changes in consumer confidence levels and behavior, include the following:
•Monetary policies and actions taken by the Federal Reserve and other central banks or governmental authorities;
•Economic deterioration due to escalation of military hostilities or other geopolitical instabilities;
•Changes in payment patterns, increases or fluctuations in delinquencies and default rates, decreased consumer spending, inflation, fluctuation in interest rates, lower demand for credit and shifts in consumer behavior, including deposits and payments;
•Increases in our charge-off rate caused by bankruptcies and reduced ability to recover debt that we have previously charged-off;
•Recent changes in usage of commercial real estate, which may have a sustained negative impact on utilization rates and values;
•Decreased reliability of the process and models, including those we use to estimate our allowance for credit losses, particularly if unexpected variations in key inputs and assumptions cause actual losses to diverge from the projections of our models and our estimates become increasingly subject to management’s judgment. See “We face risks resulting from the extensive use of models and data.”
The U.K. and the EU agreed to a free trade deal at the end of 2020 relating to the U.K.’s exit from the EU. Although this deal has provided greater near-term stability, there is still some degree of uncertainty as to the relationship between the U.K and the EU, which may increase volatility in the regional and global financial markets. In addition, the global economy, including economic conditions in the U.K., has been negatively impacted by the war between Russia and Ukraine. Continued escalation of geopolitical tensions related to the war, including increased trade barriers or restrictions on global trade, could further deteriorate international economic conditions. We continue to consider and monitor the potential impacts of the relationship between the U.K. and EU, as well as the war between Russia and Ukraine.
Fluctuations in market interest rates or volatility in the capital markets could adversely affect our business.
Like other financial institutions, our business is sensitive to interest rate movements and the performance of the capital markets.
We rely on access to the capital markets to fund our operations and to grow our business. Our ability to borrow from other financial institutions or to engage in funding transactions on favorable terms or at all could be adversely affected by disruptions, uncertainty or volatility in the capital markets or other events, including changing credit rating agency requirements. For example, a credit rating downgrade could affect our ability to access the capital markets, increase our funding costs and have a negative impact on our results of operations. Additionally, increased charge-offs, rising interest rates and other events may cause our securitization transactions to amortize earlier than scheduled or reduce the value of the securities that we hold for liquidity purposes, which could accelerate our need for additional funding from other sources.
Additionally, changes in interest rates could adversely affect the results of our operations and financial condition. For example, we borrow money from other institutions and depositors, which we use to make loans to customers and invest in debt securities and other interest-earning assets. We earn interest on these loans and assets and pay interest on the money we borrow from institutions and depositors. In response to inflationary pressures, the Federal Reserve has reversed its policy of maintaining the low benchmark federal funds interest rate over the last several years. In March 2022, the Federal Reserve began increasing the benchmark federal funds interest rate and has signaled its intention to continue to raise interest rates in an effort to tame
23
Capital One Financial Corporation (COF)
inflation. Thus, the amount of interest that we pay on certain borrowings has increased and could increase further. Additionally, a shrinking yield premium between short-term and long-term market interest rates and in the relationship between our funding basis rate and our lending basis rate and inflation could affect our profitability.
We assess our interest rate risk by estimating the effect on our earnings, economic value and capital under various scenarios that differ based on assumptions about the direction and the magnitude of interest rate changes. We take risk mitigation actions based on those assessments. We face the risk that changes in interest rates could materially reduce our net interest income and our earnings, especially if actual conditions turn out to be materially different than those we assumed. See “Part II—Item 7. MD&A—Market Risk Profile” for additional information.
Furthermore, interest rate fluctuations and competitor responses to those changes may affect the rate of customer prepayments for auto and other term loans and may affect the balances customers carry on their credit cards and their balances in the deposits accounts they have with us. For example, increases in interest rates increase debt service requirements for some of our borrowers, which may adversely affect those borrowers’ ability to pay as contractually obligated. This could result in additional or fluctuating delinquencies or charge-offs and negatively impact our results of operations. These changes can reduce the overall yield on our interest-earning asset portfolio. An inability to attract or maintain deposits could materially affect our ability to fund our business and our liquidity position. Many other financial institutions have increased their reliance on deposit funding and, as such, we expect continued competition in the deposit markets. We cannot predict how this competition will affect our costs. If we are required to offer higher interest rates to attract or maintain deposits, our funding costs will be adversely impacted. Changes in valuations in the debt and equity markets could have a negative impact on the assets we hold in our investment portfolio. Such market changes could also have a negative impact on the valuation of assets for which we provide servicing.
Our results of operations may be adversely affected by the effects of the COVID-19 pandemic.
Although the global economy has begun to recover from the COVID-19 pandemic, certain adverse consequences of the pandemic, including labor shortages, disruptions of global supply chains and inflationary pressures, continue to impact the macroeconomic environment and could adversely affect our business. Should these ongoing effects of the pandemic continue for an extended period or worsen, our purchase volume, loan balances and the overall demand for our products and services may be significantly impacted, which could adversely affect our financial condition and other results of operations. In addition, we could experience higher credit losses in our loan portfolios and increases in our allowance for credit losses beyond current levels. We could also experience impairments of other financial assets and other negative impacts on our financial position, including possible constraints on liquidity and capital, as well as higher costs of capital. Long-term consequences of the COVID-19 pandemic on our business, results of operations and financial condition, as well as our capital and liquidity ratios and our ability to take capital actions, will depend on future developments that remain uncertain, including, for example, future actions taken by governmental authorities, central banks and other third parties in response to the pandemic and the effects on our customers, counterparties, associates and third-party service providers.
In the third quarter of 2022, we moved our associates to a hybrid work model. As a result we may experience increased costs and/or disruption as we experiment with hybrid work models, in addition to potential effects on our ability to operate effectively and maintain our corporate culture. We will continue to monitor local conditions to ensure the safety of our associates and customers while providing critical banking services. We may take further actions as required by government authorities or that we otherwise determine are in the best interests of our customers, associates and business partners. These measures could impair our ability to perform critical functions and may adversely impact our results of operations.
Credit Risk
We may experience increases or fluctuations in delinquencies and credit losses, inaccurate estimates and inadequate reserves.
Like other lenders, we face the risk that our customers will not repay their loans. A customer’s ability and willingness to repay us can be adversely affected by decreases in the income of the borrower or increases in their payment obligations to other lenders, whether as a result of higher debt levels or rising interest rates, by rising levels of inflation, or by restricted availability of credit generally. We may fail to quickly identify and reduce our exposure to customers that are likely to default on their payment obligations, whether by closing credit lines or restricting authorizations. Our ability to manage credit risk also is affected by legal or regulatory changes (such as restrictions on collections, bankruptcy laws, minimum payment regulations and
24
Capital One Financial Corporation (COF)
re-age guidance), competitors’ actions and consumer behavior, and depends on the effectiveness of our collections staff, techniques and models.
Rising losses or leading indicators of rising losses (such as higher delinquencies, charge-offs, higher rates of nonperforming loans, higher bankruptcy rates, lower collateral values, elevated unemployment rates or changing market terms) may require us to increase our allowance for credit losses, which would decrease our profitability if we are unable to raise revenue or reduce costs to compensate for higher losses. In particular, we face the following risks in this area:
•Missed Payments: Our customers may miss payments. Loan charge-offs (including from bankruptcies) are generally preceded by missed payments or other indications of worsening financial condition for our customers. Historically, customers are more likely to miss payments during an economic downturn, recession, periods of high unemployment, or prolonged periods of slow economic growth. In addition, we face the risk that consumer and commercial customer behavior may change (for example, an increase in the unwillingness or inability of customers to repay debt, which may be heightened by increasing interest rates or levels of consumer debt), causing a long-term rise or fluctuations in delinquencies and charge-offs.
•Incorrect Estimates of Expected Losses: The credit quality of our portfolio can have a significant impact on our earnings. We allow for and reserve against credit risks based on our assessment of expected credit losses in our loan portfolios. This process, which is critical to our financial condition and results of operations, requires complex judgments, including forecasts of economic conditions. We may underestimate our expected losses and fail to hold an allowance for credit losses sufficient to account for these losses. Incorrect assumptions could lead to material underestimations of expected credit losses and an inadequate allowance for credit losses. See “We face risks resulting from the extensive use of models and data.”
•Inaccurate Underwriting: Our ability to accurately assess the creditworthiness of our customers may diminish, which could result in an increase in our credit losses and a deterioration of our returns. See “Our risk management strategies may not be fully effective in mitigating our risk exposures in all market environments or against all types of risk.”
•Business Mix: We engage in a diverse mix of businesses with a broad range of potential credit exposure. Because we originate a relatively greater proportion of consumer loans in our loan portfolio compared to other large bank peers and originate both prime and subprime credit card accounts and auto loans, we may experience higher delinquencies and a greater number of accounts charging off, as well as greater fluctuations in those metrics, compared to other large bank peers, which could result in increased credit losses, operating costs and regulatory scrutiny. Additionally, a change in this business mix over time to include proportionally more consumer loans or subprime credit card accounts or auto loans could adversely affect the credit quality of our portfolio.
•Increasing Charge-off Recognition/Allowance for Credit Losses: We account for the allowance for credit losses according to accounting and regulatory guidelines and rules, including Financial Accounting Standards Board (“FASB”) standards and the Federal Financial Institutions Examination Council (“FFIEC”) Account Management Guidance. We measure our allowance for credit losses under the CECL standard, which is based on management’s best estimate of expected lifetime credit losses. The impact of measuring our allowance for credit losses on our results will depend on the characteristics of our financial instruments, economic conditions, and our economic and loss forecasts. The application of the CECL standard may require us to increase reserves faster and to a higher level in an economic downturn, resulting in greater adverse impact to our results and our capital ratios than we would have experienced in similar circumstances prior to the adoption of CECL. In addition, because credit cards represent a significant portion of our product mix, we could be disproportionately affected by use of the CECL standard, as compared to our large bank peers with a different product mix.
25
Capital One Financial Corporation (COF)
•Insufficient Asset Values: The collateral we have on secured loans could be insufficient to compensate us for credit losses. When customers default on their secured loans, we attempt to recover collateral where permissible and appropriate. However, the value of the collateral may not be sufficient to compensate us for the amount of the unpaid loan, and we may be unsuccessful in recovering the remaining balance from our customers. Decreases in real estate and other asset values adversely affect the collateral value for our commercial lending activities, while the auto business is similarly exposed to collateral risks arising from the auction markets that determine used car prices. Borrowers may be less likely to continue making payments on loans if the value of the property used as collateral for the loan is less than what the borrower owes, even if the borrower is still financially able to make the payments. In that circumstance, the recovery of such property could be insufficient to compensate us for the value of these loans upon a default. In our auto business, business and economic conditions that negatively affect household incomes, housing prices and consumer behavior, as well as technological advances that make older cars obsolete faster, could decrease (i) the demand for new and used vehicles and (ii) the value of the collateral underlying our portfolio of auto loans, which could cause the number of consumers who become delinquent or default on their loans to increase.
•Geographic and Industry Concentration: Although our consumer lending is geographically diversified, approximately 40% of our commercial real estate loan portfolio is concentrated in the Northeast region. The regional economic conditions in the Northeast affect the demand for our commercial products and services as well as the ability of our customers to repay their commercial real estate loans and the value of the collateral securing these loans. An economic downturn or prolonged period of slow economic growth in, or a catastrophic event or natural disaster that disproportionately affects the Northeast region could have a material adverse effect on the performance of our commercial real estate loan portfolio and our results of operations. In addition, our Commercial Banking strategy includes an industry-specific focus. If any of the industries that we focus on experience changes, we may experience increased credit losses and our results of operations could be adversely impacted.
Capital and Liquidity Risk
We may not be able to maintain adequate capital or liquidity levels or may become subject to revised capital or liquidity requirements, which could have a negative impact on our financial results and our ability to return capital to our stockholders.
Financial institutions are subject to extensive and complex capital and liquidity requirements, which are subject to change. These requirements affect our ability to lend, grow deposit balances, make acquisitions and distribute capital. Failure to maintain adequate capital or liquidity levels, whether due to adverse developments in our business or the economy or to changes in the applicable requirements, could subject us to a variety of restrictions and/or remedial actions imposed by our regulators. These include limitations on the ability to pay dividends and/or repurchase shares and the issuance of a capital directive to increase capital. Such limitations or capital directive could have a material adverse effect on our business and results of operations.
We consider various factors in the management of capital, including the impact of both internal and supervisory stress scenarios on our capital levels as determined by our internal modeling and the Federal Reserve’s estimation of losses in supervisory stress scenarios that are used to annually set our stress capital buffer requirement. There can be significant differences between our modeling and the Federal Reserve’s projections for a given supervisory stress scenario and between the capital needs suggested by our internal stress scenarios and the supervisory scenarios. Therefore, although our estimated capital levels under stress disclosed as part of the stress testing processes may suggest that we have a particular capacity to return capital to stockholders and remain well capitalized under stress, the Federal Reserve’s modeling, our internal modeling of another scenario and/or other factors related to our capital management process may reflect a lower capacity to return capital to stockholders than that indicated by the projections released in the stress testing processes. This in turn, could lead to restrictions on our ability to pay dividends and engage in share repurchases. See “Part I—Item 1. Business—Supervision and Regulation” for additional information.
We also consider various factors in the management of liquidity, including maintaining sufficient liquid assets to meet the requirements of several internal and regulatory stress tests. There can be significant differences in estimated liquidity needs between internal and regulatory stress testing, and liquidity resources required to meet regulatory requirements, such as applicable LCR and NSFR requirements, may exceed what would otherwise be required to satisfy internal liquidity metrics and stress testing. Regulatory liquidity stress testing and regulatory liquidity requirements may, therefore, require us to take actions to increase our liquid assets or alter our activities or funding sources, which could negatively affect our financial results or our
26
Capital One Financial Corporation (COF)
ability to return capital to our stockholders. See “Part I—Item 1. Business—Supervision and Regulation” for additional information.
In addition, changes to applicable capital and liquidity requirements could result in increased expenses or unexpected or new limitations on our ability to pay dividends and engage in share repurchases.
Limitations on our ability to receive dividends from our subsidiaries could affect our liquidity and ability to pay dividends and repurchase common stock.
We are a separate and distinct legal entity from our subsidiaries, including the Bank and our broker-dealer subsidiaries. Dividends to us from these direct and indirect subsidiaries have represented a major source of funds for us to pay dividends on our common and preferred stock, repurchase common stock, make payments on corporate debt securities and meet other obligations. These capital distributions may be limited by law, regulation or supervisory policy. There are various federal law limitations on the extent to which the Bank can finance or otherwise supply funds to us through dividends and loans. These limitations include minimum regulatory capital requirements, federal banking law requirements concerning the payment of dividends out of net profits or surplus, and Sections 23A and 23B of the Federal Reserve Act and Regulation W governing transactions between an insured depository institution and its affiliates, as well as general federal regulatory oversight to prevent unsafe or unsound practices. Our broker-dealer subsidiaries are also subject to laws and regulations, including net capital requirements, that may limit their ability to pay dividends or make other distributions to us. If our subsidiaries’ earnings are not sufficient to make dividend payments to us while maintaining adequate capital levels, our liquidity may be affected and we may not be able to make dividend payments to our common or preferred stockholders, repurchase our common stock, make payments on outstanding corporate debt securities or meet other obligations, each and any of which could have a material adverse impact on our results of operations, our financial position or the perception of our financial health. The frequency and size of any future dividends to our stockholders and stock repurchases will depend upon regulatory limitations imposed by the Federal Banking Agencies and the SEC and our results of operations, financial condition, capital levels, cash requirements, future prospects, regulatory review and other factors as further described in “Part I—Item 1. Business—Supervision and Regulation.”
Operational Risk
We face risks related to our operational, technological and organizational infrastructure.
Our ability to retain and attract customers depends on our ability to develop, operate, and adapt our technology and organizational infrastructure in a rapidly changing environment. In addition, we must accurately process, record and monitor an increasingly large number of complex transactions. Digital technology, cloud-based services, data and software development are deeply embedded into our business model and how we work.
Similar to other large corporations in our industry, we are exposed to operational risk that can manifest itself in many ways, such as errors in execution, inadequate processes, inaccurate models, faulty or disabled technological infrastructure, malicious disruption and fraud by employees or persons outside of our company, whether through attacks on Capital One directly or on our customers. In addition, the increasing use of near real-time money movement solutions, among other risks, increases the complexity of preventing, detecting and recovering fraudulent transactions. In addition, we are heavily dependent on the security, capability, integrity and continuous availability of the technology systems that we use to manage our internal financial and other systems, monitor risk and compliance with regulatory requirements, provide services to our customers, develop and offer new products and communicate with stakeholders. We also face risk of adverse customer impacts and business disruption arising from the execution of strategic initiatives and operational plans we may pursue across our operations.
If we do not maintain the necessary operational, technological and organizational infrastructure to operate our business, including to maintain the resiliency and security of that infrastructure, our business and reputation could be materially adversely affected. We also are subject to disruptions to our systems arising from events that are wholly or partially beyond our control, which may include computer viruses, electrical or telecommunications outages, bugs, design flaws in foundational components or platforms, availability and quality of vulnerability patches from key vendors, cyber-attacks and other security incidents, natural disasters, other damage to property or physical assets, or events arising from local or larger scale politics, including terrorist acts. Any failure to maintain our infrastructure or prevent disruption of our systems and applications could diminish our ability to operate our businesses, service customer accounts and protect customers’ information, or result in potential liability to customers, reputational damage, regulatory intervention and customers’ loss of confidence in our businesses, any of which could result in a material adverse effect.
27
Capital One Financial Corporation (COF)
We also rely on the business infrastructure and systems of third parties with which we do business and to whom we outsource the operation, maintenance and development of our information technology and communications systems. We have substantially migrated all aspects of our core information technology systems and customer-facing applications to third-party cloud infrastructure platforms, principally AWS. If we fail to architect, administer or oversee these environments in a well-managed, secure and effective manner, or if such platforms become unavailable, are disrupted, fail to scale, do not operate as designed, or do not meet their service level agreements for any reason, we may experience unplanned service disruption or unforeseen costs which could result in material harm to our business and operations. We must successfully develop and maintain information, financial reporting, disclosure, privacy, data protection, data security and other controls adapted to our reliance on outside platforms and providers. In addition, AWS, or other service providers could experience system or telecommunication breakdowns or failures, outages, degradation in service, downtime, failure to scale, software bugs, cyber-attacks and other security incidents, adverse changes to financial condition, bankruptcy, or other adverse conditions, (including conditions which interfere with our access to and use of AWS), which could have a material adverse effect on our business and reputation. Thus, the substantial amount of our infrastructure that we outsource to AWS or to other third parties may increase our risk exposure.
Any disruptions, failures or inaccuracies of our operational processes, technology systems and models, including those associated with improvements or modifications to such technology systems and models, could cause us to be unable to market and manage our products and services, manage our risk, meet our regulatory obligations or report our financial results in a timely and accurate manner, all of which could have a negative impact on our results of operations. In addition, our ongoing investments in infrastructure, which are necessary to maintain a competitive business, integrate acquisitions and establish scalable operations, may increase our expenses. As our business develops, changes or expands, additional expenses can arise as a result of a reevaluation of business strategies, management of outsourced services, asset purchases or other acquisitions, structural reorganization, compliance with new laws or regulations, the integration of newly acquired businesses, or the prevention or occurrence of cyber-attacks and other security incidents. If we are unable to successfully manage our expenses, our financial results will be negatively affected. Changes to our business, including those resulting from our strategic objectives, also requires robust governance to ensure that our objectives are executed as intended without adversely impacting our customers, associates, operations or financial performance. Ineffective change management oversight and governance over the execution of our strategic objectives could expose us to operational, strategic and reputational risk and could negatively impact customers or our financial performance.
A cyber-attack or other security incident, including one that results in the theft, loss, manipulation or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions.
Our ability to provide our products and services, many of which are internet-based, and communicate with our customers, depends upon the management and safeguarding of information systems and infrastructure, networks, software, data, technology, methodologies and business secrets, including those of our service providers. Our products and services involve the collection, authentication, management, usage, storage, transmission and eventual destruction of sensitive and confidential information, including personal information, regarding our customers and their accounts, our employees, our partners and other third parties with which we do business. We also have arrangements in place with third parties through which we share and receive information about their customers who are or may become our customers. The financial services industry, including Capital One, is particularly at risk because of the use of and reliance on digital banking products and other digital services, including mobile banking products, such as mobile payments, and other internet- and cloud-based products and applications, and the development of additional remote connectivity solutions, which increase cybersecurity risks and exposure. Consumer acceptance and use of such digital banking products and services has substantially increased since the onset of the COVID pandemic.
Technologies, systems, networks, and other devices of Capital One, as well as those of our employees, service providers, partners and other third parties with whom we interact, have been and may continue to be the subject of cyber-attacks and other security incidents, including computer viruses, hacking, malware, ransomware, supply chain attacks, vulnerabilities, credential stuffing, or phishing or other forms of social engineering. Such cyber-attacks and other security incidents are designed to lead to various harmful outcomes, such as unauthorized transactions in Capital One accounts, unauthorized or unintended access to or release, gathering, monitoring, disclosure, loss, destruction, corruption, disablement, encryption, misuse, modification or other processing of confidential or sensitive information (including personal information), intellectual property, software, methodologies or business secrets, disruption, sabotage or degradation of service, systems or networks, or other damage. These threats may derive from, among other things, error, fraud or malice on the part of our employees, insiders, or third parties or may result from accidental technological failure or design flaws. Any of these parties may also attempt to fraudulently induce
28
Capital One Financial Corporation (COF)
employees, service providers, customers, partners or other third-party users of our systems or networks to disclose confidential or sensitive information (including personal information) in order to gain access to our systems, networks or data or that of our customers, partners, or third parties with whom we interact, or to unlawfully obtain monetary benefit through misdirected or otherwise improper payment. For instance, any party that obtains our confidential or sensitive information (including personal information) through a cyber-attack or other security incident may use this information for ransom, to be paid by us or a third party, as part of a fraudulent activity that is part of a broader criminal activity, or for other illicit purposes.
For example, on July 29, 2019, we announced that on March 22 and 23, 2019 an outside individual gained unauthorized access to our systems (the “Cybersecurity Incident”). This individual obtained certain types of personal information relating to people who had applied for our credit card products and to our credit card customers. While the Cybersecurity Incident has been remediated, it has resulted in fines, litigation, settlements, government investigations and other regulatory enforcement inquiries, as well as consent orders with the Federal Reserve and the OCC. On August 31, 2022, the OCC terminated its consent order. Cyber and information security risks for large financial institutions like us continue to increase due to the proliferation of new technologies, the industry-wide shift to reliance upon the internet to conduct financial transactions, and the increased sophistication and activities of malicious actors, organized crime, perpetrators of fraud, hackers, terrorists, activists, extremist parties, formal and informal instrumentalities of foreign governments, state-sponsored actors and other external parties. In addition, our customers access our products and services using personal devices that are necessarily external to our security control systems. There has also been a significant proliferation of consumer information available on the internet resulting from breaches of third-party entities, including personal information, log-in credentials and authentication data. While we were not directly involved in these third-party breach events, the stolen information can create a threat for our customers if their Capital One log-in credentials are the same as or similar to the credentials that have been compromised on other internet sites. This threat could include the risk of unauthorized account access, data loss and fraud. The use of artificial intelligence, “bots” or other automation software can increase the velocity and efficacy of these types of attacks. As our employees are currently operating under our hybrid work model, our remote interaction with service providers, partners and other third parties on systems, networks and environments over which we have less control increases our cybersecurity risk exposure. We will likely face an increasing number of attempted cyber-attacks as we expand our mobile and other internet-based products and services, as well as our usage of mobile and cloud technologies and as we provide more of these services to a greater number of retail banking customers.
The methods and techniques employed by malicious actors change frequently, are increasingly sophisticated and often are not fully recognized or understood until after they have occurred, and some techniques could occur and persist for an extended period of time before being detected and remediated. For example, although we immediately fixed the configuration vulnerability that was exploited in the Cybersecurity Incident once we discovered the unauthorized access, a period of time elapsed between the occurrence of the unauthorized access and the time when we discovered it. In other circumstances, we and our service providers and other third parties with which we interact may be unable to anticipate or identify certain attack methods or techniques in order to implement effective preventative or detective measures or mitigate or remediate the damages caused in a timely manner. We may also be unable to hire, develop and retain talent that keeps pace with the rapidly changing cyber threat landscape, and which are capable of preventing, detecting, mitigating or remediating these risks. Although we seek to maintain a robust suite of authentication and layered information security controls, any one or combination of these controls could fail to prevent, detect, mitigate or remediate these risks in a timely manner.
A disruption or breach, including as a result of a cyber-attack such as the Cybersecurity Incident, or media reports of perceived security vulnerabilities at Capital One or at our service providers, could result in significant legal and financial exposure, regulatory intervention, litigation, remediation costs, card reissuance, supervisory liability, damage to our reputation or loss of confidence in the security of our systems, products and services that could adversely affect our business. There can be no assurance that unauthorized access or cyber incidents similar to the Cybersecurity Incident will not occur or that we will not suffer material losses in the future. If future attacks are successful or if customers are unable to access their accounts online for other reasons, it could adversely impact our ability to service customer accounts or loans, complete financial transactions for our customers or otherwise operate any of our businesses or services. In addition, a breach or attack affecting one of our service providers or other third parties with which we interact could harm our business even if we do not control the service that is attacked.
Further, our ability to monitor our service providers’ cybersecurity practices is limited. Although the agreements that we have in place with our service providers generally include requirements relating to cybersecurity and data privacy, we cannot guarantee that such agreements will prevent a cyber incident impacting our systems or information or enable us to obtain adequate or any reimbursement from our service providers in the event we should suffer any such incidents. However, due to
29
Capital One Financial Corporation (COF)
applicable laws and regulations or contractual obligations, we may be held responsible for cyber incidents attributed to our service providers as they relate to the information we share with them.
In addition, the increasing prevalence and the evolution of cyber-attacks and other efforts to breach or disrupt our systems or networks or those of our customers, service providers, partners or other third parties with which we interact has led, and will likely continue to lead, to increased costs to us with respect to preventing, detecting, mitigating and remediating these risks, as well as any related attempted fraud. In order to address ongoing and future risks, we must expend significant resources to support protective security measures, investigate and remediate any vulnerabilities of our information systems and infrastructure and invest in new technology designed to mitigate security risks. Further, high profile cyber incidents at Capital One or other large financial institutions could lead to a general loss of customer confidence in financial institutions that could negatively affect us, including harming the market perception of the effectiveness of our security measures or the global financial system in general, which could result in reduced use of our financial products. We have insurance against some cyber risks and attacks; nonetheless, our insurance coverage may not be sufficient to offset the impact of a material loss event (including if our insurer denies coverage as to any particular claim in the future), and such insurance may increase in cost or cease to be available on commercially reasonable terms, or at all, in the future.
Our required compliance with applicable laws and regulations related to privacy, data protection and data security may increase our costs, reduce our revenue, increase our legal exposure and limit our ability to pursue business opportunities.
We are subject to a variety of continuously evolving and developing laws and regulations in the United States at the federal, state and local level regarding privacy, data protection and data security, including those related to the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information. For example, at the federal level, we are subject to the GLBA, among other laws and regulations. Moreover, the U.S. Congress is currently considering various proposals for more comprehensive privacy, data protection and data security legislation, to which we may be subject if passed. In addition, in November 2021, the Federal Reserve, OCC, and FDIC issued a final rule that, among other things, requires all banking organizations in the United States to notify their primary federal regulators of certain material computer-security incidents as soon as possible and no later than 36 hours after determining that the incident has occurred. The enactment of CIRCIA, once rulemaking is complete, will require, among other things, certain companies to report significant cyber incidents to the CISA within 72 hours from the time the company reasonably believes the incident occurred, and a proposed rule by the SEC, if enacted, would mandate public disclosure of material cybersecurity incidents within four business days of determining that such an incident has occurred. At the state level, California has enacted the California Privacy Rights Act (“CPRA”), and various other states also have enacted or are in the process of enacting state-level privacy, data protection and/or data security laws and regulations, with which we may be required to comply.
We also are, or may become, subject to continuously evolving and developing laws and regulations in other jurisdictions regarding privacy, data protection and data security. For example, in Canada we are subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). In addition, subject to limited exceptions, the EU General Data Projection Regulation (“EU GDPR”) applies EU data protection law to all companies processing personal data of EU residents, regardless of the company’s location. We also are subject to the UK General Data Protection Regulation (“U.K. GDPR”), which is how the EU GDPR has been implemented into U.K. law. These laws and regulations, and similar laws and regulations in other jurisdictions, impose strict requirements regarding the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information, which may have adverse consequences, including significant compliance costs and severe monetary penalties for non-compliance. Significant uncertainty exists as privacy, data protection, and data security laws may be interpreted and applied differently from country to country and may create inconsistent or conflicting requirements.
Further, we make public statements about our use, collection, disclosure and other processing of personal information through our privacy policies, information provided on our website and press statements. Although we endeavor to comply with our public statements and documentation, we may at times fail to do so or be alleged to have failed to do so. The publication of our privacy policies and other statements that provide promises and assurances about privacy, data protection and data security can subject us to potential government or legal action if they are found to be deceptive, unfair or misrepresentative of our actual practices.
Our efforts to comply with GLBA, CPRA, PIPEDA, EU GDPR, U.K. GDPR and other privacy, data protection and data security laws and regulations, as well as our posted privacy policies, and related contractual obligations to third parties, entail substantial expenses, may divert resources from other initiatives and projects, and could limit the services we are able to offer. Furthermore, enforcement actions and investigations by regulatory authorities related to data security incidents and privacy, data protection and data security violations continue to increase. The enactment of more restrictive laws or regulations, or future
30
Capital One Financial Corporation (COF)
enforcement actions or investigations, could impact us through increased costs or restrictions on our business, and any noncompliance or perceived noncompliance could result in monetary or other penalties, harm to our reputation and significant legal liability.
We face risks resulting from the extensive use of models and data.
We rely on quantitative models and our ability to manage and aggregate data in an accurate and timely manner to assess and manage our various risk exposures, create estimates and forecasts, and manage compliance with regulatory capital requirements. Models may be used in processes such as determining the pricing of various products, grading loans and extending credit, measuring interest rate and other market risks, predicting deposit levels or loan losses, assessing capital adequacy, calculating managerial and regulatory capital levels, estimating the value of financial instruments and balance sheet items, and other operational functions. Our risk reporting and management, including business decisions based on information incorporating models, depend on the effectiveness of our models and our policies, programs, processes and practices governing how data or models, as applicable, are acquired, validated, stored, protected, processed and analyzed. Any issues with the quality or effectiveness of our data aggregation and validation procedures, as well as the quality and integrity of data inputs, formulas or algorithms, could result in inaccurate forecasts, ineffective risk management practices or inaccurate risk reporting. In addition, models based on historical data sets might not be accurate predictors of future outcomes and their ability to appropriately predict future outcomes may degrade over time. While we continuously update our policies, programs, processes and practices, many of our data management, modeling, aggregation and implementation processes are manual and may be subject to human error, data limitations, process delays or system failure. Failure to manage data effectively and to aggregate data in an accurate and timely manner may limit our ability to manage current and emerging risk, to produce accurate financial, regulatory and operational reporting as well as to manage changing business needs. If our Framework is ineffective, we could suffer unexpected losses which could materially adversely affect our results of operation or financial condition. Also, any information we provide to the public or to our regulators based on poorly designed or implemented models could be inaccurate or misleading. Some of the decisions that our regulators make, including those related to capital distribution to our stockholders, could be affected adversely due to the perception that the quality of the models used to generate the relevant information is insufficient.
Legal and Regulatory Risk
Compliance with new and existing laws, regulations and regulatory expectations is costly and complex.
A wide array of laws and regulations, including banking and consumer lending laws and regulations, apply to every aspect of our business. We and our subsidiaries are also subject to supervision and examination by multiple regulators, and the manner in which our regulators interpret applicable laws and regulations may affect how we comply with them. Failure to comply with these laws and regulations, even if the failure was inadvertent or reflects a difference in interpretation, could subject us to restrictions on our business activities, fines, criminal sanctions and other penalties, and/or damage to our reputation with regulators, our customers or the public. Hiring, training and retaining qualified compliance and legal personnel, and establishing and maintaining risk management and compliance-related systems, infrastructure and processes, is difficult and may lead to increased expenses. These efforts and the associated costs could limit our ability to invest in other business opportunities.
Applicable rules and regulations may affect us disproportionately compared to our competitors or in an unforeseen manner. For example, we have a large number of customer accounts in our credit card and auto lending businesses and we have made the strategic choice to originate and service subprime credit card and auto loans, which typically have higher delinquencies and charge-offs than prime customer accounts. As a result, we have significant involvement with credit bureau reporting and the collection and recovery of delinquent and charged-off debt, primarily through customer communications, the filing of litigation against customers in default, the periodic sale of charged-off debt and vehicle repossession. These and other consumer lending activities are subject to enhanced legal and regulatory scrutiny from regulators, courts and legislators. Any future changes to or legal liabilities resulting from our business practices in these areas, including our debt collection practices and the fees we charge, whether mandated by regulators, courts, legislators or otherwise, could have a material adverse impact on our financial condition.
The legislative and regulatory environment is beyond our control, may change rapidly and unpredictably, and may negatively influence our revenue, costs, earnings, growth, liquidity and capital levels. For example, there may be future rulemaking in emerging regulatory areas such as climate-related risks and new technologies. In addition, some rules and regulations may be subject to litigation or other challenges that delay or modify their implementation and impact on us. Adoption of new technologies, such as distributed ledger technologies, tokenization, cloud computing, artificial intelligence and machine learning technologies, can present unforeseen challenges in applying and relying on existing compliance systems.
31
Capital One Financial Corporation (COF)
Certain laws and regulations, and any interpretations and applications with respect thereto, are generally intended to protect consumers, borrowers, depositors, the DIF, the U.S. banking and financial system, and financial markets as a whole, but not stockholders. Our success depends on our ability to maintain compliance with both existing and new laws and regulations. For a description of the material laws and regulations, including those related to the consumer lending business, to which we are subject, see “Part I—Item 1. Business—Supervision and Regulation.”
Our businesses are subject to the risk of increased litigation, government investigations and regulatory enforcement.
Our businesses are subject to increased litigation, government investigations and other regulatory enforcement risks as a result of a number of factors and from various sources, including the highly regulated nature of the financial services industry, the focus of state and federal prosecutors on banks and the financial services industry and the structure of the credit card industry.
Given the inherent uncertainties involved in litigation, government investigations and regulatory enforcement decisions, and the very large or indeterminate damages sought in some matters asserted against us, there can be significant uncertainty as to the ultimate liability we may incur from these kinds of matters. The finding, or even the assertion, of substantial legal liability against us could have a material adverse effect on our business and financial condition and could cause significant reputational harm to us, which could seriously harm our business. For example, the Cybersecurity Incident has resulted in litigation, settlements, government investigations and other regulatory enforcement inquiries.
In addition, financial institutions, such as ourselves, face significant regulatory scrutiny, which can lead to public enforcement actions or nonpublic supervisory actions. We and our subsidiaries are subject to comprehensive regulation and periodic examination by, among other regulatory bodies, the Federal Banking Agencies, SEC, CFTC and CFPB. We have been subject to enforcement actions by many of these and other regulators and may continue to be involved in such actions, including governmental inquiries, investigations and enforcement proceedings, including by the OCC, Department of Justice, Financial Crimes Enforcement Network (“FinCEN”) and state Attorneys General.
Over the last several years, federal and state regulators have focused on compliance with AML and sanctions laws, privacy, data protection and data security, use of service providers, fair lending and other consumer protection issues. In August 2020, we entered into consent orders with the Federal Reserve and the OCC resulting from regulatory reviews of the Cybersecurity Incident and relating to ongoing enhancements of our cybersecurity and operational risk management processes, and we paid a civil monetary penalty as part of the OCC agreement. On August 31, 2022, the OCC terminated its consent order. In January 2021, we also paid a civil monetary penalty assessed by FinCEN against the Bank in connection with AML violations alleged to have occurred between 2008 and 2014. Regulatory scrutiny is expected to continue in these areas, including as a result of implementation of the AML Act of 2020.
We expect that regulators and governmental enforcement bodies will continue taking public enforcement actions against financial institutions in addition to addressing supervisory concerns through nonpublic supervisory actions or findings, which could involve restrictions on our activities, or our ability to make acquisitions or otherwise expand our business, among other limitations that could adversely affect our business. In addition, a violation of law or regulation by another financial institution is likely to give rise to an investigation by regulators and other governmental agencies of the same or similar practices by us. Furthermore, a single event may give rise to numerous and overlapping investigations and proceedings. These and other initiatives from governmental authorities and officials may subject us to further judgments, settlements, fines or penalties, or cause us to restructure our operations and activities or to cease offering certain products or services, all of which could harm our reputation or lead to higher operational costs. Litigation, government investigations and other regulatory actions could generally subject us to significant fines, increased expenses, restrictions on our activities and damage to our reputation and our brand, and could adversely affect our business, financial condition and results of operations. For additional information regarding legal and regulatory proceedings to which we are subject, see “Part II—Item 8. Financial Statements and Supplementary Data—Note 18—Commitments, Contingencies, Guarantees and Others.”
Other Business Risks
We face intense competition in all of our markets.
We operate in a highly competitive environment across all of our lines of business, whether in making loans, attracting deposits or in the global payments industry, and we expect competitive conditions to continue to intensify with respect to most of our products particularly in our credit card and consumer banking business. We compete on the basis of the rates we pay on deposits and the rates and other terms we charge on the loans we originate or purchase, as well as the quality and range of our
32
Capital One Financial Corporation (COF)
customer service, products, innovation and experience. This increasingly competitive environment is primarily a result of changes in technology, product delivery systems and regulation, as well as the emergence of new or significantly larger financial services providers, all of which may affect our customers’ expectations and demands. In addition to offering competitive products and services, we invest in and conduct marketing campaigns to attract and inform customers. If our marketing campaigns are unsuccessful, it may adversely impact our ability to attract new customers and grow market share.
Some of our competitors, including new and emerging competitors in the digital and mobile payments space and other financial technology providers, are not subject to the same regulatory requirements or scrutiny to which we are subject, which also could place us at a competitive disadvantage, in particular in the development of new technology platforms or the ability to rapidly innovate. We compete with many forms of payments offered by both bank and non-bank providers, including a variety of new and evolving alternative payment mechanisms, systems and products, such as aggregators and web-based and wireless payment platforms or technologies, digital or cryptocurrencies, prepaid systems and payment services targeting users of social networks, communications platforms and online gaming. If we are unable to continue to keep pace with innovation, do not effectively market our products and services or are prohibited from or unwilling to enter emerging areas of competition, our business and results of operations could be adversely affected.
Some of our competitors are substantially larger than we are, which may give those competitors advantages, including a more diversified product and customer base, the ability to reach more customers and potential customers, operational efficiencies, broad-based local distribution capabilities, lower-cost funding and larger existing branch networks. Many of our competitors are also focusing on cross-selling their products and developing new products or technologies, which could affect our ability to maintain or grow existing customer relationships or require us to offer lower interest rates or fees on our lending products or higher interest rates on deposits. Competition for loans could result in origination of fewer loans, earning less on our loans or an increase in loans that perform below expectations.
We operate as an online direct bank in the United States. While direct banking provides a significant opportunity to attract new customers that value greater and more flexible access to banking services at reduced costs, we face strong and increasing competition in the direct banking market. Aggressive pricing throughout the industry may adversely affect the retention of existing balances and the cost-efficient acquisition of new deposit funds and may affect our growth and profitability. Customers could also close their online accounts or reduce balances or deposits in favor of products and services offered by competitors for other reasons. These shifts, which could be rapid, could result from general dissatisfaction with our products or services, including concerns over pricing, online security or our reputation. The potential consequences of this competitive environment are exacerbated by the flexibility of direct banking and the financial and technological sophistication of our online customer base.
In our credit card business, competition for rewards customers may result in higher rewards expenses, or we may fail to attract new customers or retain existing rewards customers due to increasing competition for these consumers. As of December 31, 2022, we have a number of large partnerships in our credit card loan portfolio. The market for key business partners, especially in the credit card business, is very competitive, and we may not be able to grow or maintain these partner relationships or assure that these relationships will be profitable or valued by our customers. Additionally, partners themselves may face changes in their business, including market factors and ownership changes, that could impact the partnership. We face the risk that we could lose partner relationships, even after we have invested significant resources into acquiring and developing the relationships. The loss of key business partners could have a negative impact on our results of operations, including lower returns, excess operating expense and excess funding capacity.
We depend on our partners to effectively promote our co-brand and private label products and integrate the use of our credit cards into their retail operations. The failure by our partners to effectively promote and support our products as well as changes they may make in their business models could adversely affect card usage and our ability to achieve the growth and profitability objectives of our partnerships. In addition, if our partners do not adhere to the terms of our program agreements and standards, or otherwise diminish the value of our brand, we may suffer reputational damage and customers may be less likely to use our products.
Some of our competitors have developed, or may develop, substantially greater financial and other resources than we have, may offer richer value propositions or a wider range of programs and services than we offer, or may use more effective advertising, marketing or cross-selling strategies to acquire and retain more customers, capture a greater share of spending and borrowings, attain and develop more attractive co-brand card programs and maintain greater merchant acceptance than we have. We may not be able to compete effectively against these threats or respond or adapt to changes in consumer spending habits as effectively as our competitors.
33
Capital One Financial Corporation (COF)
In such a competitive environment, we may lose entire accounts or may lose account balances to competing firms, or we may find it more costly to maintain our existing customer base. Customer attrition from any or all of our lending products, together with any lowering of interest rates or fees that we might implement to retain customers, could reduce our revenues and therefore our earnings. Similarly, unexpected customer attrition from our deposit products, in addition to an increase in rates or services that we may offer to retain deposits, may increase our expenses and therefore reduce our earnings.
Our business, financial condition and results of operations may be adversely affected by merchants’ increasing focus on the fees charged by credit and debit card networks and by legislation and regulation impacting such fees.
Interchange fees are generally one of the largest components of the costs that merchants pay in connection with the acceptance of credit and debit cards and are a meaningful source of revenue for our credit and debit card businesses. Interchange fees are the subject of significant and intense global legal, legislative and regulatory focus, and the resulting decisions, legislation and regulation may have a material adverse impact on our overall business, financial condition and results of operations.
Legislative and regulatory bodies in a number of countries are seeking to reduce interchange fees through legislation, competition-related regulatory proceedings, voluntary agreements, central bank regulation and/or litigation. For credit transactions, interchange reimbursement rates in the United States are set by credit card networks such as MasterCard and Visa. For debit transactions, Federal Reserve rules place limits on the interchange fees we may charge. For more information on these rules, please see “Part I—Item 1. Business—Supervision and Regulation.” In some jurisdictions, such as Canada and certain countries in Europe, including the U.K., interchange fees and related practices are subject to regulatory activity, including in some cases, imposing caps on permissible interchange fees. Our international card businesses have been impacted by these restrictions. For example, in the U.K., interchange fees are capped for both credit and debit card transactions. In addition, in Canada, Visa and Mastercard payment networks have entered into voluntary agreements with the Department of Finance Canada to maintain an agreed upon average interchange rate. Lowering interchange fees remains an area of domestic and international governmental focus. Legislators and regulators around the world are aware of each other’s approaches to the regulation of the payments industry. Consequently, a development in one country, state or region may influence regulatory approaches in another, such as our primary market, the United States.
In addition to this regulatory activity, merchants are also seeking avenues to reduce interchange fees. In the past, merchants and their trade groups have filed numerous lawsuits against Visa, MasterCard, American Express and their card-issuing banks, claiming that their practices toward merchants, including interchange and similar fees, violate federal antitrust laws. In 2005, a number of entities filed antitrust lawsuits against MasterCard and Visa and several member banks, including our subsidiaries and us, alleging among other things, that the defendants conspired to fix the level of interchange fees. In December 2013, the U.S. District Court for the Eastern District of New York granted final approval of the proposed class settlement. The settlement provided, among other things, that merchants would be entitled to join together to negotiate lower interchange fees. The settlement was appealed to the Second Circuit Court of Appeals, which rejected the settlement in June 2016; a revised settlement was reached in the second half of 2018, and the trial court issued its final approval of the settlement in December 2019. See “Part II—Item 8. Financial Statements and Supplementary Data—Note 18—Commitments, Contingencies, Guarantees and Others” for further details.
Some major retailers have sufficient bargaining power to independently negotiate lower interchange fees with MasterCard and Visa, which could, in turn, result in lower interchange fees for us when our cardholders undertake purchase transactions with these retailers. Merchants also continue to lobby Congress aggressively for restrictions on interchange fees and their efforts may be successful. Retailers may in the future bring legal proceedings against us or other credit card and debit card issuers and networks.
Beyond pursuing litigation, legislation and regulation, merchants may also promote forms of payment with lower fees, such as ACH-based payments, or seek to impose surcharges at the point of sale for use of credit or debit cards. New payment systems, particularly mobile-based payment technologies, could also gain widespread adoption and lead to issuer transaction fees or the displacement of credit card accounts as a payment method.
The heightened focus by merchants and legislative and regulatory bodies on the fees charged by credit and debit card networks, and the ability of certain merchants to successfully negotiate discounts to interchange fees with MasterCard and Visa or develop alternative payment systems, could result in a reduction of interchange fees. Any resulting loss in income to us could have a material adverse effect on our business, financial condition and results of operations.
34
Capital One Financial Corporation (COF)
If we are not able to invest successfully in and introduce digital and other technological developments across all our businesses, our financial performance may suffer.
Our industry is subject to rapid and significant technological changes and our ability to meet our customers’ needs and expectations is key to our ability to grow revenue and earnings. We expect digital technologies to continue to have a significant impact on banking over time. Consumers expect robust digital experiences from their financial services providers. The ability for customers to access their accounts and conduct financial transactions using digital technology, including mobile applications, is an important aspect of the financial services industry and financial institutions are rapidly introducing new digital and other technology-driven products and services that aim to offer a better customer experience and to reduce costs. We continue to invest in digital technology designed to attract new customers, facilitate the ability of existing customers to conduct financial transactions and enhance the customer experience related to our products and services.
Our continued success depends, in part, upon our ability to assess and address the needs of our customers by using digital technology to provide products and services that meet their expectations. The development and launch of new digital products and services depends in large part on our ability to invest in and build the technology platforms that can enable them, in a cost effective and timely manner. See “We face intense competition in all of our markets” and “We face risks related to our operational, technological and organizational infrastructure.”
Some of our competitors are substantially larger than we are, which may allow those competitors to invest more money into their technology infrastructure and digital innovation than we do. In addition, smaller competitors may experience lower cost structures and different regulatory requirements and scrutiny than we do, which may allow them to innovate more rapidly than we can. See “We face intense competition in all of our markets.” Further, our success depends on our ability to attract and retain strong digital and technology leaders, engineers and other specialized personnel. The competition is intense and the compensation costs continue to increase for such talent. If we are unable to attract and retain digital and technology talent, our ability to offer digital products and services and build the necessary technology infrastructure could be negatively affected, which could negatively impact our business and financial results. A failure to maintain or enhance our competitive position with respect to digital products and services, whether because we fail to anticipate customer expectations or because our technological developments fail to perform as desired or are not implemented in a timely or successful manner, could negatively impact our business and financial results.
We may fail to realize the anticipated benefits of our mergers, acquisitions and strategic partnerships.
We engage in merger and acquisition activity and enter into strategic partnerships from time to time. We continue to evaluate and anticipate engaging in, among other merger and acquisition activity, additional strategic partnerships and selected acquisitions of financial institutions and other businesses or assets, including credit card and other loan portfolios. We may not be able to identify and secure future acquisition targets on terms and conditions that are acceptable to us, or successfully complete and integrate the businesses within the anticipated time frame and achieve the anticipated benefits of proposed mergers, acquisitions and strategic partnerships, which could impair our growth.
Any merger, acquisition or strategic partnership we undertake entails certain risks, which may materially and adversely affect our results of operations. If we experience greater than anticipated costs to integrate acquired businesses into our existing operations, or are not able to achieve the anticipated benefits of any merger, acquisition or strategic partnership, including cost savings and other synergies, our business could be negatively affected. In addition, it is possible that the ongoing integration processes could result in the loss of key employees, errors or delays in systems implementation, exposure to cybersecurity risks associated with acquired businesses, exposure to additional regulatory oversight, the disruption of our ongoing businesses or inconsistencies in standards, controls, procedures and policies that adversely affect our ability to maintain relationships with partners, clients, customers, depositors and employees or to achieve the anticipated benefits of any merger, acquisition or strategic partnership. Integration efforts also may divert management attention and resources. These integration matters may have an adverse effect on us during any transition period.
In addition, we may face the following risks in connection with any merger, acquisition or strategic partnership:
•New Businesses and Geographic or Other Markets: Our merger, acquisition or strategic partnership activity may involve our entry into new businesses, or new geographic areas or markets which present risks resulting from our relative inexperience in these new businesses or markets. These new businesses or markets may change the overall character of our consolidated portfolio of businesses and alter our exposure to economic and other external factors. We face the risk that we will not be successful in these new businesses or in these new markets.
35
Capital One Financial Corporation (COF)
•Identification and Assessment of Merger and Acquisition Targets and Deployment of Acquired Assets: We may not be able to identify, acquire or partner with suitable targets. Further, our ability to achieve the anticipated benefits of any merger, acquisition or strategic partnership will depend on our ability to assess the asset quality, risks and value of the particular assets or institutions we partner with, merge with or acquire. We may be unable to profitably deploy any assets we acquire.
•Accuracy of Assumptions: In connection with any merger, acquisition or strategic partnership, we may make certain assumptions relating to the proposed merger, acquisition or strategic partnership that may be, or may prove to be, inaccurate, including as a result of the failure to anticipate the costs, timeline or ability to realize the expected benefits of any merger, acquisition or strategic partnership. The inaccuracy of any assumptions we may make could result in unanticipated consequences that could have a material adverse effect on our results of operations or financial condition.
•Target-specific Risk: Assets and companies that we acquire, or companies that we enter into strategic partnerships with, will have their own risks that are specific to a particular asset or company. These risks include, but are not limited to, particular or specific regulatory, accounting, operational, reputational and industry risks, any of which could have a material adverse effect on our results of operations or financial condition. For example, we may face challenges associated with integrating other companies due to differences in corporate culture, compliance systems or standards of conduct. Indemnification rights, if any, may be insufficient to compensate us for any losses or damages resulting from such risks. In addition to regulatory approvals discussed below, certain of our merger, acquisition or partnership activity may require third-party consents in order for us to fully realize the anticipated benefits of any such transaction.
•Conditions to Regulatory Approval: We may be required to obtain various governmental and regulatory approvals to consummate certain acquisitions. We cannot be certain whether, when or on what terms and conditions, such approvals may be granted. Consequently, we may not obtain governmental or regulatory approval for a proposed acquisition on acceptable terms or at all, in which case we would not be able to complete the acquisition despite investing resources in pursuing it.
Reputational risk and social factors may impact our results and damage our brand.
Our ability to attract and retain customers is highly dependent upon the perceptions of consumer and commercial borrowers and deposit holders and other external perceptions of our products, services, trustworthiness, business practices, workplace culture, compliance practices or our financial health. In addition, our brand is very important to us. Maintaining and enhancing our brand depends largely on our ability to continue to provide high-quality products and services. Adverse perceptions regarding our reputation in the consumer, commercial and funding markets could lead to difficulties in generating and maintaining accounts as well as in financing them. In particular, negative public perceptions regarding our reputation, including negative perceptions regarding our ability to maintain the security of our technology systems and protect customer data, could lead to decreases in the levels of deposits that consumer and commercial customers and potential customers choose to maintain with us or significantly increase the costs of attracting and retaining customers. In addition, negative perceptions regarding certain industries, partners or clients could also prompt us to cease business activities associated with those entities.
Negative public opinion or damage to our brand could also result from actual or alleged conduct in any number of activities or circumstances, including lending practices, regulatory compliance, security breaches (including the use and protection of customer data, such as resulting from the Cybersecurity Incident), corporate governance and sales and marketing, and from actions taken by regulators or other persons in response to such conduct. Such conduct could fall short of our customers’ and the public’s heightened expectations of companies of our size with rigorous privacy, data protection, data security and compliance practices, and could further harm our reputation. In addition, our co-brand and private label partners or other third parties with whom we have important relationships may take actions over which we have limited control that could negatively impact perceptions about us or the financial services industry. The proliferation of social media may increase the likelihood that negative public opinion from any of the events discussed above will impact our reputation and business.
In addition, a variety of social factors may cause changes in borrowing activity, including credit card use, payment patterns and the rate of defaults by account holders and borrowers domestically and internationally. These social factors include changes in consumer confidence levels, the public’s perception regarding the banking industry and consumer debt, including credit card use, and changing attitudes about the stigma of bankruptcy. There has also been increased focus by investor advocacy groups, investment funds and shareholder activists, among others, on topics related to environmental, social and corporate governance
36
Capital One Financial Corporation (COF)
policies, and our policies, practices and disclosure in these areas, including related to climate change. If these groups consider our efforts unsatisfactory, whether real or perceived, it could also harm our reputation. If consumers develop or maintain negative attitudes about incurring debt, or consumption trends decline or if we fail to maintain and enhance our brand, or we incur significant expenses to do so, our reputation and business and financial results could be materially and negatively affected.
If we are not able to protect our intellectual property, our revenue and profitability could be negatively affected.
We rely on a variety of measures to protect and enhance our intellectual property, including copyrights, trademarks, trade secrets, patents and certain restrictions on disclosure, solicitation and competition. We also undertake other measures to control access to and distribution of our other proprietary and confidential information. These measures may not prevent misappropriation of our proprietary or confidential information or infringement, misappropriation or other violations of our intellectual property rights and a resulting loss of competitive advantage. In addition, our competitors or other third parties may obtain patents for innovations that are used in our industry or allege that our systems, processes or technologies infringe, misappropriate or violate their intellectual property rights. Given the complex, rapidly changing and competitive technological and business environments in which we operate, if our competitors or other third parties are successful in obtaining such patents or prevail in intellectual property-related litigation against us, we could lose significant revenues, incur significant license, royalty, technology development or other expenses, or pay significant damages.
Our risk management strategies may not be fully effective in mitigating our risk exposures in all market environments or against all types of risk.
Management of market, credit, liquidity, strategic, reputational, operational and compliance risk requires, among other things, policies and procedures to properly record and verify a large number of transactions and events. See “Part II—Item 7. MD&A—Risk Management” for further details. We maintain an enterprise Framework that is designed to identify, measure, assess, monitor, test, control, report, escalate, and mitigate the risks that we face. Even though we continue to devote significant resources to developing our Framework, our risk management strategies may not be fully effective in identifying and mitigating our risk exposure in all market environments or against all types of risk, including risks that are unidentified or unanticipated.
Some of our methods of managing these risks are based upon our use of observed historical market behavior, the use of analytical and/or forecasting models and management’s judgment. These methods may not accurately predict future exposures, which could be significantly greater than the historical measures or models indicate and market conditions, particularly during a period of financial market stress, can involve unprecedented dislocations. For example, credit risk is inherent in the financial services business and results from, among other things, extending credit to customers. Our ability to assess the creditworthiness of our customers may be impaired if the models and approaches we use to select, manage and underwrite our consumer and commercial customers become less predictive of future charge-offs due, for example, to rapid changes in the economy, or degradation in the predictive nature of credit bureau and other data used in underwriting.
While we employ a broad and diversified set of risk monitoring and risk mitigation techniques, those techniques and the judgments that accompany their application cannot anticipate every economic and financial outcome or the timing of such outcomes. For example, our ability to implement our risk management strategies may be hindered by adverse changes in the volatility or liquidity conditions in certain markets and as a result, may limit our ability to distribute such risks (for instance, when we seek to syndicate exposure in bridge financing transactions we have underwritten). We may, therefore, incur losses in the course of our risk management or investing activities.
The transition away from LIBOR may adversely affect our business.
A transition away from the use of LIBOR to alternative rates and other potential interest rate benchmark reforms is not yet complete. These reforms have caused and may in the future cause such rates to perform differently than in the past, or to disappear entirely, or have other consequences which cannot be predicted.
Given LIBOR’s extensive use across financial markets, the ongoing transition away from LIBOR presents several risks and challenges to the financial markets and financial institutions, including Capital One. While we have substantially decreased our exposure to LIBOR, we have certain loans, derivative contracts, securitizations, and other contracts with attributes that are either directly or indirectly dependent on LIBOR. Our ability to transition those exposures away from LIBOR could be affected by market and customer acceptance of and the specific terms and parameters for alternative reference rates. The Secured Overnight Financing Rate (“SOFR”) has been recommended by the Alternative Reference Rates Committee (“ARRC”) as an alternative to U.S. dollar LIBOR. Nevertheless, the transition away from LIBOR could result in loss of market share in certain
37
Capital One Financial Corporation (COF)
products, adverse tax or accounting impacts, compliance, legal or operational costs and risks associated with client disclosures, as well as systems disruption, model disruption and other business continuity issues for us.
In addition, risks will remain for us with respect to outstanding instruments which rely on LIBOR. Those risks arise in connection with transitioning such instruments to a new reference rate, the taking of discretionary actions (for example, under fallback provisions) or the negotiation of fallback provisions and final amendments to existing LIBOR based agreements. Payments under contracts referencing new reference rates may significantly differ from those referencing LIBOR. The Adjustable Interest Rate (LIBOR) Act passed by Congress in March 2022 (“LIBOR Act”) is intended to minimize legal and economic uncertainty following U.S. dollar LIBOR’s cessation by replacing LIBOR references in certain contracts under certain circumstances with a SOFR-based rate identified in a Federal Reserve rule that incorporates a spread adjustment specified in the statute. For some instruments, the method of transitioning to a new reference rate may be challenging, especially if parties to an instrument cannot agree as to how to effect that transition and the LIBOR Act does not apply. In addition, prior to LIBOR cessation, instruments that continue to refer to LIBOR may be impacted if there is a change in the availability or calculation of LIBOR. The transition from LIBOR to an alternative reference rate has changed our market risk profile and required changes to risk and pricing models, valuation tools, product design, information technology systems, reporting infrastructure, operational processes and controls, and hedging strategies, and may result in or require further such changes in the future. In many cases, we are and may in the future be dependent on third parties to upgrade systems, software and other critical functions that could materially disrupt our readiness if they are not done on a timely basis or otherwise fail. While we have largely remediated the majority of our exposures, our effort to remediate the remaining exposures remains ongoing. Failure to adequately manage the transition could have a material adverse effect on our reputation, business, financial condition and results of operations. See “Part II—Item 7. MD&A—Market Risk Profile” for additional information.
Our business could be negatively affected if we are unable to attract, retain and motivate key senior leaders and skilled employees.
Our success depends, in large part, on our ability to retain key senior leaders and to attract and retain skilled employees, particularly employees with advanced expertise in credit, risk, digital and technology skills. We depend on our senior leaders and skilled employees to oversee simultaneous, transformative initiatives across the enterprise and execute on our business plans in an efficient and effective manner. Competition for such senior leaders and employees, and the costs associated with attracting and retaining them, is high and competitive. While we engage in robust succession planning, our key senior leaders have deep and broad industry experience and could be difficult to replace without some degree of disruption.
Our ability to attract and retain qualified employees also is affected by perceptions of our culture and management, including our position on remote and hybrid work arrangements, our profile in the regions where we have offices and the professional opportunities we offer. Regulation or regulatory guidance restricting executive compensation, as well as evolving investor expectations, may limit the types of compensation arrangements that we may enter into with our most senior leaders and could have a negative impact on our ability to attract, retain and motivate such leaders in support of our long-term strategy. These laws and regulations may not apply in the same manner to all financial institutions and technology companies, which therefore may subject us to more restrictions than other institutions and companies with which we compete for talent and may also hinder our ability to compete for talent with other industries. We rely upon our senior leaders not only for business success, but also to lead with integrity. To the extent our senior leaders behave in a manner that does not comport with our values, the consequences to our brand and reputation could be severe and could adversely affect our financial condition and results of operations. If we are unable to attract, develop and retain talented senior leadership and employees, or to implement appropriate succession plans for our senior leadership, our business could be negatively affected.
We face risks from catastrophic events.
Despite the business contingency plans we have in place, such plans do not fully mitigate all potential business continuity risks to us. Geopolitical events, natural disasters and other catastrophic events could harm our employees, business and infrastructure, including our information technology systems and third-party platforms. Our ability to conduct business may be adversely affected by a disruption in the infrastructure that supports our business and the communities where we are located, which are concentrated in the Northern Virginia and New York metropolitan areas, as well as Richmond, Virginia and Plano, Texas. This may include a disruption involving damage or loss of access to a physical site, cyber-attacks and other security incidents, terrorist activities, the occurrence or worsening of disease outbreaks or pandemics (including the COVID-19 pandemic), natural disasters, extreme weather events, electrical outage, environmental hazards, disruption to technological infrastructure, communications or other services we use, our employees or third parties with whom we conduct business. Our business, financial condition and results of operations may be impacted by any such disruption and our ability to implement corresponding response measures quickly. In addition, if a natural disaster or other catastrophic event occurs in certain regions
38
Capital One Financial Corporation (COF)
where our business and customers are concentrated, such as the mid-Atlantic, New York, California or Texas metropolitan areas, or in regions where our third-party platforms are located, we could be disproportionately impacted as compared to our competitors. The impact of such events and other catastrophes on the overall economy and our physical and transition risks may also adversely affect our financial condition and results of operations.
Climate change manifesting as physical or transition risks could adversely affect our businesses, operations and customers.
Climate change risks can manifest as physical or transition risks.
Physical risks are the risks from the effects of climate change arising from acute, climate-related events, such as, hurricanes and wildfires, and chronic shifts in climate, such as sea level rise and higher average temperatures. Such events could lead to financial losses or disrupt our operations or those of our customers or third parties on which we rely, including through direct damage to assets and indirect impacts from supply chain disruption and market volatility.
Transition risks are the risks resulting from the shift toward a lower-carbon economy arising from the changes in policy, consumer and business sentiment or technologies in regards to limiting climate change. Transition risks, including changes in consumer preferences and additional regulatory requirements or taxes, could increase our expenses, affect credit performance, and impact our strategies or those of our customers. For more information on climate-related regulatory developments, see “Part I—Item 1. Business—Supervision and Regulation” for additional information.
Physical and transition risks could also affect the financial health of certain customers in impacted industries or geographies. In addition, we face reputational risk as a result of our policies, practices, disclosures and decisions related to climate change and the environment, or the practices or involvement of our clients or vendors and suppliers, in certain industries or projects associated with causing or exacerbating climate change.
As climate risk is interconnected with many risk types, we continue to enhance processes to embed evolving climate risk considerations into our existing risk management strategies; however, because the timing and severity of climate change may not be predictable, our risk management strategies may not be effective in mitigating climate risk exposure.
We face risks from the use of or changes to assumptions or estimates in our financial statements.
Pursuant to generally accepted accounting principles in the U.S. (“U.S. GAAP”), we are required to use certain assumptions and estimates in preparing our financial statements, including determining our allowance for credit losses, the fair value of certain assets and liabilities, and goodwill impairment, among other items. In addition, the FASB, the SEC and other regulatory bodies may change the financial accounting and reporting standards, including those related to assumptions and estimates we use to prepare our financial statements, in ways that we cannot predict and that could impact our financial statements. If actual results differ from the assumptions or estimates underlying our financial statements or if financial accounting and reporting standards are changed, we may experience unexpected material losses. For a discussion of our use of estimates in the preparation of our consolidated financial statements, see “Part II—Item 7. MD&A—Critical Accounting Policies and Estimates” and “Part II—Item 8. Financial Statements and Supplementary Data—Note 1—Summary of Significant Accounting Policies.”
The soundness of other financial institutions and other third parties could adversely affect us.
Our ability to engage in routine funding and other transactions could be adversely affected by the stability and actions of other financial services institutions. Financial services institutions are interrelated as a result of trading, clearing, servicing, counterparty and other relationships. We have exposure to financial institutions, intermediaries and counterparties that are exposed to risks over which we have little or no control.
In addition, we routinely execute transactions with counterparties in the financial services industry, including brokers and dealers, commercial banks, investment banks, mutual and hedge funds and other institutional clients, resulting in a significant credit concentration with respect to the financial services industry overall. As a result, defaults by, or even rumors or questions about, one or more financial services institutions, or the financial services industry generally, have led to market-wide liquidity problems and could lead to losses or defaults by us or by other institutions.
Likewise, adverse developments affecting the overall strength and soundness of our competitors, the financial services industry as a whole and the general economic climate and the U.S. Treasury market could have a negative impact on perceptions about the strength and soundness of our business even if we are not subject to the same adverse developments. In addition, adverse
39
Capital One Financial Corporation (COF)
developments with respect to third parties with whom we have important relationships also could negatively impact perceptions about us. These perceptions about us could cause our business to be negatively affected and exacerbate the other risks that we face.