BANK OF AMERICA CORP /DE/ (BAC) Risk Factors

Item 1A. Risk Factors

The discussion below addresses our material risk factors of which we are aware. Any risk factor, either by itself or together with other risk factors, could materially and adversely affect our businesses, results of operations, cash flows and/or financial condition. References to third parties may include suppliers, service providers, counterparties, financial market utilities, exchanges and clearing houses, data aggregators and other partners and their upstream and downstream service providers (e.g., fourth parties, fifth parties) who may also contribute to our risks. Other factors not currently known to us or that we currently deem immaterial could also adversely affect our businesses, results of operations, cash flows and/or financial condition. Therefore, the risk factors below should not be considered all of the potential risks that we may face. For more information on how we manage risks, see Managing Risk in the MD&A beginning on page 45. For more information about the risks contained in this section, see Item 1. Business beginning on page 2, MD&A beginning on page 26 and Notes to Consolidated Financial Statements beginning on page 95.

Market

We may be adversely affected by the financial markets, fiscal, monetary, and regulatory policies, and economic conditions.

General economic, political, social and health conditions, including any prolonged economic downturn that may occur, in the U.S. and abroad affect financial markets and our businesses. In particular, global markets may be affected by the level and volatility of interest rates, availability and market conditions of financing, changes in gross domestic product (GDP), economic growth or its sustainability, inflation, supply chain disruptions, consumer spending, employment levels, labor market conditions, wage stagnation, federal government shutdowns, energy prices, home prices, commercial property values, bankruptcies and a default by a significant market participant or class of counterparties, including in emerging markets. Global markets also may be affected by adverse developments impacting the U.S. or global banking industry, including bank and nonbank financial institution failures and liquidity concerns, the actual or perceived impact of asset prices exceeding their underlying economic fundamentals, fluctuations or other significant changes in both debt and equity capital markets and currencies, the impact of the volatility of digital assets on the broader market, changing perceptions of the impact and profitability arising from emerging technologies, the rate of growth of global trade and commerce, trade policies, the availability and cost of capital and credit, disruption of communication, transportation or energy infrastructure, recessionary fears, investor sentiment and the U.S. and global election cycles, including stated, perceived or actual changes to policy and the geopolitical environment. Global markets, including energy and other commodity markets, may also be adversely affected by the current or anticipated impact of climate matters, extreme weather events or natural disasters, widespread health emergencies or pandemics, cyberattacks, military conflicts, terrorism or other geopolitical events. Market fluctuations may impact our margin requirements and liquidity.

Any sudden or prolonged market downturn, as a result of the above factors or otherwise, could reduce net interest income and noninterest income and adversely affect our results of operations and financial condition, including capital and liquidity levels. Elevated inflation and interest rate levels, monetary tightening by central banks and geopolitical developments could continue to adversely impact financial markets and

macroeconomic conditions, as well as result in increased market volatility and disruptions and recessionary risk.

Global uncertainties regarding fiscal and monetary policies continue to present economic challenges. High and rising debt levels in the U.S. and globally may contribute to interest rate volatility, which may constrain governments’ fiscal policies, potentially resulting in adverse economic outcomes. Actions taken by the Federal Reserve or central banks in other jurisdictions, including changes in target rates, balance sheet management and lending facilities, are beyond our control and difficult to predict, particularly in response to the uncertainty of inflationary paths. This can affect interest rates and the value of financial instruments and other assets, such as debt securities, and impact our borrowers and potentially increase delinquency rates and may also raise government debt levels, adversely affect businesses and household incomes, adversely impact the banking sector generally, and increase uncertainty surrounding monetary policy. While the Federal Reserve reduced policy rates in 2025, uncertainty remains regarding the pace and duration of the reduction of market interest rates. If inflation does not continue to decline toward the Federal Reserve’s target, the Federal Reserve may hold the fed funds rate steady or raise rates, resulting in a flat or inverted yield curve, volatility of equity and other markets, and volatility of the U.S. dollar, which could impact investor risk appetite and our borrowers, potentially increasing delinquency rates. Financial market volatility could also result from uncertainty about the timing and extent of any additional rate cuts by the Federal Reserve in response to moderating inflation, weakening economic conditions and/or labor market conditions. Any future change in monetary policy by the Federal Reserve, in an effort to stimulate the economy or otherwise, resulting in lower interest rates would typically result in lower revenue through lower net interest income, which could adversely affect our results of operations.

Also, changes to existing U.S. laws and regulatory policies and evolving priorities, including those related to financial regulation, taxation, international trade, fiscal policy and healthcare, may adversely impact U.S. or global economic activity and our clients’, our counterparties’ and our earnings and operations. High and rising federal debt levels, investor concerns about U.S. fiscal spending, changes to fiscal policy and uncertainty about the U.S. budget process could lead to lower investor appetite or market depth for future issuance of U.S. debt securities, higher interest rates, dollar depreciation and financial market volatility, potentially impacting broader economic activity. Further, if the U.S. government’s debt ceiling limit is not addressed and/or increased timely, the ramifications may result in market volatility, ratings downgrades and limit fiscal policy responses to recessionary conditions. This could have a negative and potentially severe impact on the U.S. and world economy and financial and capital markets, including higher interest rates, higher volatility, lower asset values, lower liquidity, downgrades to U.S. debt, and a weakened U.S. dollar, which could adversely affect our results of operations.

Changes to international trade and investment policies by the U.S. or other countries, and the uncertainty about potential changes, could negatively impact financial markets globally. Significant increases in tariff rates in the past year have generated heightened market volatility. Further increases or instability associated with tariffs, either broadly applied or targeted at specific goods or trading partners, could adversely impact economic conditions and/or result in higher inflation, which could result in financial market volatility as markets adjust to the incremental cost of doing business and/or new business models to reduce the impacts, as well as adversely

impact asset prices as experienced in early 2025. Also, the continuation or escalation of tensions between the U.S. and the People’s Republic of China (China), including tariff increases, could lead to further U.S. measures that adversely affect financial markets, disrupt world trade and commerce and lead to trade retaliation, including through the use of counter tariffs, foreign exchange measures or the large-scale sale of U.S. Treasury bonds.

These developments could adversely affect our businesses, clients, including demand for our products and services, our market-making activities, our and our clients’ securities and derivatives portfolios, including the risk of lower re-investment rates in those portfolios, our level of charge-offs and provision for credit losses, the carrying value of our deferred tax assets, our capital levels, our liquidity, our costs of running our businesses and our results of operations.

Increased market volatility and adverse changes in financial or capital market conditions may increase our market risk.

Our liquidity, competitive position, business, results of operations and financial condition are affected by market risks such as changes in interest and currency exchange rates, fluctuations in equity, commodity and futures prices, trading volumes and prices of securitized products, the implied volatility of interest rates and credit spreads, idiosyncratic market events and other economic and business factors. These market risks may adversely affect, among other things, the value of our securities, including our on- and off-balance sheet securities, trading assets and other financial instruments, the cost of debt capital and our access to credit markets, the value of assets under management (AUM), fee income relating to AUM, client allocation of capital among investment alternatives, the volume of client activity in our trading operations, investment banking, underwriting and other capital market fees and the general profitability and risk level of the transactions in which we engage and our competitiveness with respect to deposit pricing. The value of certain of our assets is sensitive to changes in market interest rates and/or spreads. If the Federal Reserve or a non-U.S. central bank changes or signals a change in monetary policy, market interest rates or credit spreads could be affected, which could adversely impact the value of such assets. Changes to fiscal policy, including expansion of U.S. federal deficit spending could also affect the market’s receptivity to debt issuance and market interest rates. If interest rates continue to decrease, our results of operations could be negatively impacted, including future revenue and earnings growth.

Our models and strategies to assess and control our market risk exposures are subject to inherent limitations. In times of market stress or other unforeseen circumstances, previously uncorrelated indicators may become correlated. Such changes to the relationship between market parameters may limit the effectiveness of our hedging strategies and cause us to incur significant losses. Changes in correlation can be exacerbated where market participants use risk or trading models with assumptions or algorithms similar to ours. In these and other cases, it may be difficult to reduce our risk positions due to activity of other market participants or widespread market dislocations, including circumstances where asset values are declining significantly or no market exists. Where we own securities that do not have an established liquid trading market or are otherwise subject to restrictions on sale or hedging, or where the degree of accessible liquidity declines significantly, we may not be able to reduce our positions and risks associated with such holdings, so we may suffer larger than expected losses when adverse price movements take place.

This risk can be exacerbated where we hold a position that is large relative to the available liquidity.

If asset values decline, we may incur losses and negative impacts, including to capital and liquidity positions and requirements.

We have a large portfolio of financial instruments, including loans and loan commitments, securities financing agreements, asset-backed secured financings, derivative assets and liabilities, debt securities, marketable equity securities and certain other assets and liabilities that we measure at fair value and are subject to valuation and impairment assessments. We determine these values based on applicable accounting guidance, which, for financial instruments measured at fair value, requires an entity to base fair value on exit price and to maximize the use of observable inputs and minimize the use of unobservable inputs in fair value measurements. The fair values of these financial instruments include adjustments for market liquidity, credit quality, funding impact on certain derivatives and other transaction-specific factors, where appropriate.

Gains or losses on these instruments can have a direct impact on our results of operations, unless we have effectively mitigated the risk of our exposures. Increases in interest rates may cause decreases in residential mortgage loan originations and could impact the origination of corporate debt. In addition, increases in interest rates or changes in spreads may adversely impact the fair value of our debt securities and, accordingly, for debt securities classified as available-for-sale (AFS), adversely affect accumulated other comprehensive income and, thus, our capital levels. Increases in interest rates or changes in spreads could also adversely impact our regulatory liquidity position and requirements, which include eligible AFS debt securities and held-to-maturity (HTM) debt securities. As our liquidity is dependent on the fair value of these assets, increases in market interest rates and/or wider spreads, have adversely impacted and may continue to adversely impact the fair value of debt securities, adversely affecting liquidity levels.

Fair values may be impacted by declining values of the underlying assets or the prices at which observable market transactions occur and the continued availability of these transactions or indices. The financial strength of counterparties, with whom we have economically hedged some of our exposure to these assets, also will affect the fair value of these assets. Sudden declines and volatility in the prices of assets may curtail or eliminate trading activities in these assets, which may make it difficult to sell, hedge or value these assets. The inability to sell or effectively hedge assets reduces our ability to limit losses in such positions, and the difficulty in valuing assets may increase our risk-weighted assets (RWA), which requires us to maintain additional capital and increases our funding costs. Values of AUM also impact revenues in our wealth management and related advisory businesses for asset-based management and performance fees. Declines in values of AUM can result in lower fees earned for managing such assets.

Liquidity

If we are unable to access capital markets, we experience sustained net deposit outflows, or our borrowing costs increase, our liquidity and competitive position may be negatively affected.

Liquidity is essential to our businesses and is primarily supported by globally sourced deposits in our bank entities, as well as secured and unsecured liabilities transacted in the capital markets. We rely on certain secured funding sources, such as repo markets, which are typically short-term and may be credit-sensitive. We also engage in asset securitization transactions, including with the government-sponsored

9 Bank of America

enterprises (GSEs), to help fund a portion of our consumer lending activities. Our liquidity could be adversely affected by any inability to access the capital markets, illiquidity or volatility in the capital markets, the decrease in value of eligible collateral or increased collateral requirements (including as a result of credit concerns for short-term borrowing), changes to our relationships with our funding providers based on real or perceived changes in our risk profile, prolonged federal government shutdowns, or uncertainty regarding the impact of potential GSE privatization.

Also, our liquidity or cost of funds may be negatively impacted by the unwillingness or inability of the Federal Reserve to act as lender of last resort, unexpected simultaneous draws on credit lines or deposits, slower client payment rates, restricted access to the assets of prime brokerage clients, the failure to attract or retain client deposits or invested funds, including large-scale deposit migration (e.g., from attrition resulting from clients seeking higher yielding deposits or to an alternative financial institution perceived to be safer, changing investment preferences or securities products, moving balances into digital assets (e.g., stablecoin) or other alternative non-bank financial platforms, changes to spending behavior due to inflation, a decline in the economy or other drivers resulting in an increased need for cash), increased regulatory liquidity, capital and margin requirements for our U.S. or international banks and their nonbank subsidiaries, which could result in the inability to transfer liquidity internally, changes in patterns of intraday liquidity usage resulting from a counterparty or technology failure or other idiosyncratic event or failure, the default by a significant market participant or third party (including clearing agents, custodians, central banks or central counterparty clearinghouses (CCPs)) or the inability to sell assets due to illiquid markets (e.g., no market exists or market saturation). These factors may increase our borrowing costs and negatively impact our liquidity.

Several of these factors may arise from circumstances beyond our control, such as general market volatility, disruption, shock or stress, stress in sovereign debt markets, the emergence of widespread health emergencies or pandemics, sanctions and geopolitical events and/or turmoil (including military conflicts). Federal Reserve policy decisions (including fluctuations in interest rates or Federal Reserve balance sheet composition), negative views or loss of confidence about us, the financial services industry or the U.S. monetary system generally, or due to a specific news event (e.g., bank failures), the further development and acceptance of nonbank digital asset ecosystems (e.g., stablecoin), changes in the regulatory environment or governmental fiscal or monetary policies, actions by credit rating agencies or an operational problem that affects third parties or us. The impact of these potentially sudden events, whether within our control or not, could result in our inability to sell assets or redeem investments, unforeseen outflows of cash, draws on liquidity facilities, reduced financing balances, the loss of equity secured funding, debt repurchases to support the secondary market or meet client requests, the need for additional funding for commitments and contingencies and unexpected collateral calls, among other things, the result of which could be increased costs, a liquidity shortfall and/or impact on our liquidity coverage ratio and net stable funding ratio.

Our liquidity and cost of funds may be impacted by reputational damage, investor behavior and confidence, debt market disruption, firm specific concerns or prevailing market conditions, including changes in interest and currency exchange rates, significant fluctuations in equity and futures prices, lower

trading volumes and prices of securitized products and our credit spreads. Increases in interest rates and our credit spreads can increase funding costs and result in mark-to-market or credit valuation adjustment exposures. Credit spread changes are market driven and may be influenced by market perceptions of our creditworthiness, including credit rating changes or changes in broader financial market and macroeconomic conditions. Changes to interest rates and our credit spreads occur continuously and may be unpredictable and highly volatile. We may also experience net interest margin compression from offering higher than expected deposit rates in order to attract and maintain deposits or otherwise. Concentrations within our funding profile, such as by maturity, currency or counterparty, can also reduce our funding efficiency.

Reduction in our credit ratings could limit our access to funding or the capital markets, increase borrowing costs or trigger additional collateral or funding requirements.

Our credit ratings directly affect our borrowing costs and access to funding. Credit ratings are also important to investors, clients or counterparties when we compete in certain markets and seek to engage in certain transactions, including over-the-counter (OTC) derivatives. Rating agencies conduct ongoing reviews of our credit ratings based on a number of financial and nonfinancial factors, including our franchise, financial strength, performance and prospects, management, governance, risk management practices, capital adequacy, asset quality and operations, among other criteria, as well as factors beyond our control, such as regulatory developments, macroeconomic and geopolitical conditions, changes in rating methodologies or U.S. sovereign debt ratings.

Rating agencies could adjust our credit ratings at any time and there can be no assurance as to whether or when a downgrade could occur. A downgrade could widen our credit spread, negatively affect our access to credit markets, the related cost of funds, our businesses and certain trading revenues, particularly in those businesses where counterparty creditworthiness is critical. Downgrades of short-term credit ratings of our parent company or bank or broker-dealer subsidiaries, could reduce or eliminate access to short-term funding sources such as repo financing, and/or incur increased cost of funds and increased collateral requirements. Under the terms of certain OTC derivative contracts and other trading agreements, a credit rating downgrade could require us or our subsidiaries to post additional collateral or permit counterparties to terminate these contracts or agreements.

While certain potential impacts are contractual and quantifiable, the full consequences of a credit rating downgrade are inherently uncertain and depend upon numerous dynamic, complex and inter-related factors and assumptions, including the relationship between long-term and short-term credit ratings and the behaviors of clients, investors and counterparties.

Bank of America Corporation is a holding company, is dependent on its subsidiaries for liquidity and may be restricted from transferring funds from subsidiaries.

Bank of America Corporation, as the parent company, is a separate and distinct legal entity from its bank and nonbank subsidiaries. We evaluate and manage liquidity on a legal entity basis. Legal entity liquidity is an important consideration as there are legal, regulatory, contractual and other limitations on our ability to utilize liquidity from one legal entity to satisfy the liquidity requirements of another, including the parent company, which could result in adverse liquidity events. The parent company depends on dividends, distributions, loans and other payments from our bank and nonbank subsidiaries to fund dividend payments on our common and preferred stock and to

fund payments on our other obligations, including debt obligations. Any inability of our subsidiaries to transfer funds, pay dividends or make payments to the parent company may adversely affect our cash flow, liquidity and financial condition.

Many subsidiaries, including bank and broker-dealer subsidiaries, are subject to laws that restrict dividend payments, or authorize regulatory bodies to block or reduce the flow of funds from those subsidiaries to the parent company or other subsidiaries. Our bank and broker-dealer subsidiaries are subject to restrictions on their ability to lend or transact with affiliates, minimum regulatory capital and liquidity requirements and restrictions on their ability to use funds deposited with them in bank or brokerage accounts to fund their businesses. Intercompany arrangements in connection with our resolution planning submissions could restrict the amount of subsidiary funding available to the parent company from our subsidiaries under certain adverse conditions.

Additional restrictions on transactions with certain related parties, increased capital and liquidity requirements and additional limitations on the use of funds on deposit in bank or brokerage accounts, as well as lower earnings, can reduce the amount of funds available to meet the obligations of the parent company and may require the parent company to provide additional funding to such subsidiaries. Regulatory action that requires additional liquidity at our subsidiaries could impede access to funds we need to pay our obligations or pay dividends. In addition, our right to participate in a distribution of assets upon a subsidiary’s liquidation or reorganization is subject to prior claims of the subsidiary’s creditors.

Bank of America Corporation’s liquidity and financial condition, and the ability to pay dividends and obligations, could be adversely affected in the event of a resolution.

Bank of America Corporation, our parent holding company, is required to submit a plan to the FDIC and Federal Reserve every two years describing its resolution strategy under the U.S. Bankruptcy Code in the event of material financial distress or failure. Bank of America Corporation’s preferred resolution strategy is a “single point of entry” strategy, whereby only the parent holding company would file for bankruptcy under the U.S. Bankruptcy Code. Certain key operating subsidiaries would be provided with sufficient capital and liquidity to operate through severe stress and to enable such subsidiaries to continue operating or be wound down in a solvent manner following a bankruptcy of the parent holding company. Bank of America Corporation has entered into intercompany arrangements resulting in the contribution of most of its capital and liquidity to key subsidiaries. Pursuant to these arrangements, if Bank of America Corporation’s liquidity resources deteriorate so severely that resolution becomes imminent, it will no longer be able to draw liquidity from its key subsidiaries and will be required to contribute its remaining financial assets to a wholly-owned holding company subsidiary. This could adversely affect our liquidity and financial condition, including the ability to meet our payment obligations, and our ability to pay dividends and/or repurchase our common stock.

If the FDIC and Federal Reserve jointly determine that Bank of America Corporation’s resolution plan is not credible, they could impose more stringent capital or liquidity requirements or restrictions on our growth, activities or operations. We could also be required to take certain actions that could impose operating costs and result in the divestiture of assets or restructuring of businesses and subsidiaries.

When a G-SIB such as Bank of America Corporation is in default or danger of default, the FDIC may be appointed receiver to conduct an orderly liquidation, and could, among other things,

invoke the orderly liquidation authority, instead of the U.S. Bankruptcy Code, if the Secretary of the Treasury makes certain financial distress and systemic risk determinations. Also, the FDIC could replace Bank of America Corporation with a bridge holding company, which could continue operations and result in an orderly resolution of the underlying bank, but whose equity would be held solely for the benefit of our creditors. The FDIC’s “single point of entry” strategy may result in our security holders suffering greater losses than would have been the case under a bankruptcy proceeding or a different resolution strategy.

If the Corporation is resolved under the U.S. Bankruptcy Code or the FDIC’s orderly liquidation authority, third-party creditors of our subsidiaries may receive significant or full recoveries on their claims, while security holders of Bank of America Corporation could face significant or complete losses.

Credit

Economic or market disruptions and insufficient credit loss reserves may result in a higher provision for credit losses.

A number of our products expose us to credit risk, including loans, letters of credit, derivatives, debt securities, trading account assets and assets held-for-sale. Deterioration in the financial condition of our consumer and commercial borrowers, counterparties or underlying collateral could adversely affect our results of operations and financial condition.

Our credit portfolios may be impacted by U.S. and global macroeconomic and market conditions and uncertainties, events and disruptions, including declines in GDP, consumer spending or property values, asset price corrections, increasing consumer and corporate leverage, increases in corporate bond spreads, government shutdowns or policies such as tax changes, changes in international trade policy including tariff rates, rising or elevated unemployment levels, elevated inflation or cost of living expenses, fluctuations in foreign exchange or interest rates, as well as the emergence of widespread health emergencies or pandemics, extreme weather events and natural disasters. Significant economic or market stresses and disruptions typically have a negative impact on the business environment and financial markets, which could impact the underlying credit quality of our borrowers and counterparties and asset values. Property value declines or asset price corrections could increase the risk of borrowers or counterparties defaulting or becoming delinquent in their obligations to us, and could decrease the value of the collateral we hold, which could increase credit losses. Credit risk could also be magnified by lending to leveraged borrowers or as a result of declining asset prices, including property or collateral values. Simultaneous drawdowns on lines of credit and/or an increase in a borrower’s leverage in a weakening economic environment, or otherwise, could result in deterioration in our credit portfolio, should borrowers be unable to fulfill competing financial obligations. Increased delinquency and default rates could adversely affect our credit portfolios and increase charge-offs and provisions for credit losses.

A recessionary environment and/or a rise in unemployment could adversely impact the ability of our consumer and/or commercial borrowers or counterparties to meet their financial obligations and negatively impact our credit portfolio. Consumers have been and may continue to be negatively impacted by inflation and/or a higher cost of living, potentially resulting in drawdowns of savings or increases in household debt. Elevated interest rates over the past several years, which have increased debt servicing costs for some businesses and households, may adversely impact credit quality, particularly in recessionary environments. Certain sectors also remain at risk

11 Bank of America

(e.g., commercial real estate, particularly office) as a result of shifts in demand and tight financial and credit conditions. Globally, conditions of slow growth or recession could further contribute to weaker credit conditions. If the macroeconomic environment or certain sectors worsen, our credit portfolio, net charge-offs, provision and allowance for credit losses could be adversely impacted.

We establish an allowance for credit losses, which includes the allowance for loan and lease losses and the reserve for unfunded lending commitments, based on management's best estimate of lifetime current expected credit losses (CECL) inherent in our relevant financial assets. The process to determine the allowance for credit losses uses models and assumptions that require us to make difficult and complex judgments that are often interrelated, including forecasting how borrowers or counterparties may perform in changing economic conditions. The ability of our borrowers or counterparties to repay their obligations may be impacted by changes in future economic conditions, which in turn could impact the accuracy of our loss forecasts and allowance estimates. There is also the possibility that we have failed or will fail to accurately identify the appropriate economic indicators or accurately estimate their impacts to our borrowers or counterparties, which could impact the accuracy of our loss forecasts and allowance estimates.

If the models, estimates and assumptions we use to establish reserves or the judgments we make in extending credit to our borrowers or counterparties, which are more sensitive due to the current uncertain macroeconomic and geopolitical environment, prove inaccurate in predicting future events, we may suffer losses in excess of our CECL. In addition, changes to external factors can negatively impact our recognition of credit losses in our portfolios and allowance for credit losses.

The allowance for credit losses is our best estimate of CECL, but there is no guarantee that it will be sufficient to address credit losses, particularly if the economic outlook deteriorates significantly, quickly or unexpectedly. As circumstances change, we may increase our allowance, which would reduce earnings. If economic conditions worsen, impacting our consumer and commercial borrowers, counterparties or underlying collateral, and credit losses are unexpectedly worse, we may increase our provision for credit losses, which could adversely affect our results of operations and financial condition.

Our concentrations of credit risk could adversely affect our credit losses, results of operations and financial condition.

We have been in the past and may in the future be subject to concentrations of credit risk because of a common characteristic or common sensitivity to economic, financial, public health or business developments. Concentrations of credit risk may reside in a particular industry, geography, product, asset class, counterparty or within any pool of exposures with a common risk characteristic. A deterioration in the financial condition or prospects of a particular industry, geographic location, product or asset class, or a failure or downgrade of, or default by, any particular entity or group of entities could negatively affect our businesses, and it is possible our limits and credit monitoring exposure controls will not function as anticipated.

We execute a high volume of transactions and have significant credit concentrations with respect to the financial services industry, predominantly comprised of broker-dealers, commercial banks, investment banks, insurance companies, mutual funds, hedge funds, CCPs, alternative asset managers and other institutional clients or finance companies. Financial services institutions and other counterparties are inter-related because of trading, funding, clearing or other relationships.

Defaults by one or more counterparties, or market uncertainty about the financial stability of one or more financial services institutions, or the financial services industry generally, could lead to market-wide liquidity disruptions, losses, defaults and related disputes and litigation.

Our credit risk may also be heightened by market risk when the collateral held by us cannot be liquidated or is liquidated at prices not sufficient to recover the full amount of the loan or derivatives exposure, which may occur from events that impact the value of the collateral, such as a sudden change in asset price or fraud. Disputes with obligors as to the valuation of collateral could increase with significant market stress, volatility or illiquidity, and we could suffer losses if we are unable to realize the fair value of the collateral or manage declines in the value of collateral. Our counterparty credit risk can increase if margin posted by counterparties is insufficient to cover exposures and elevated counterparty exposure is accompanied by an increase in the counterparty’s likelihood of default.

We have concentrations of credit risk, including with respect to our consumer real estate and consumer credit card exposure, as well as our commercial real estate, finance companies and asset managers and funds portfolios, which represent a significant percentage of our overall credit portfolio. Declining home price valuations and demand where we have large concentrations could result in increased servicing advances and expenses, defaults, delinquencies or credit losses. The increasing frequency and severity of extreme weather events and natural disasters, including earthquakes, droughts, floods, wildfires and hurricanes, could negatively impact collateral, the valuations of home or commercial real estate or our clients’ ability and/or willingness to pay fees, outstanding loans or afford new products. This could also cause insurability risk and/or increased insurance costs to clients. Economic weaknesses, increased or sustained elevated inflation, adverse business conditions, market disruptions, adverse economic or market events, rising interest or capitalization rates, declining asset prices, greater volatility in areas where we have concentrated credit risk or deterioration in real estate values or household incomes may cause us to experience higher credit losses in our portfolios or write down the value of certain assets. We could also experience continued and long-term negative impacts to commercial credit exposure and increased credit losses in industries that may be permanently impacted by changes in consumer preferences, tariffs or other industry disruptions, including from emerging technologies.

We also enter into transactions with sovereign nations, U.S. states and municipalities. Uncertain economic or political conditions or policies, such as economic sanctions or increased tariffs, disruptions to capital markets, currency fluctuations, changes in commodity prices and social instability, could adversely impact the operating budgets or credit ratings of government entities and expose us to credit and liquidity risk.

Liquidity disruptions in the financial markets may result in our inability to sell, syndicate or realize the value of our positions, increasing concentrations, which could increase RWA and the credit and market risk associated with our positions, and increase operational and litigation costs.

We may be adversely affected by weaknesses in the U.S. housing market.

During 2025, the U.S. housing market continued to be impacted by elevated mortgage rates, including 30-year fixed-rate mortgages that more than doubled from 2021. In addition, while U.S. home prices have experienced meaningful appreciation over the past several years and remained generally stable in 2025, there has been some regional dispersion in

housing prices since the beginning of 2025, which we have been closely monitoring. These trends have negatively impacted housing affordability generally, and therefore the demand for some of our products. A downturn in the U.S. housing market could result in significant write-downs of asset values in several asset classes, notably our held-for-investment residential mortgage and home equity portfolio. If the U.S. housing market weakens and real estate values decline, we could experience increased credit losses and delinquent servicing expenses, negatively affecting our allowance for credit losses and representations and warranties exposures, and adversely affecting our results of operations and financial condition.

Our derivatives businesses may expose us to unexpected risks, which may result in losses and adversely affect liquidity.

We are party to a large number of derivatives transactions that may expose us to unexpected market, credit and operational risks that could cause us to suffer unexpected losses. Fluctuations in asset values or rates or an unanticipated credit event, including unforeseen circumstances that may cause previously uncorrelated factors to become correlated, may lead to losses resulting from risks not taken into account or anticipated in the development, structuring or pricing of a derivative instrument. Certain derivative contracts and other trading agreements provide that upon the occurrence of certain specified events, such as a change to our or our affiliates’ credit ratings, we may be required to provide additional collateral or take other remedial actions, and we could experience increased difficulty obtaining funding or hedging risks. In some cases our counterparties may have the right to terminate or otherwise diminish our rights under these contracts or agreements upon the occurrence of such events.

We are also a member of various CCPs, which results in credit risk exposure to those CCPs. In the event that one or more members of a CCP defaults on their obligations, we may be required to pay a portion of any losses incurred by such CCP. A CCP may also, at its discretion, modify the margin we are required to post, which could mean unexpected and increased funding costs and exposure to that CCP. As a clearing member, we are exposed to the risk of non-performance by our clients for which we clear transactions, which may not be covered by available collateral. Also, default by a significant market participant may result in further risk and potential losses.

Geopolitical

We are subject to numerous political, economic, market, reputational, operational, compliance, legal, regulatory and other risks in the jurisdictions in which we operate.

We do business globally, including in emerging markets. Economic or geopolitical stress in one or more countries could have a negative impact regionally or globally, resulting in, among other things, market volatility, valuation declines and declines in economic output. Our liquidity and credit risk could be adversely impacted by, and our businesses and revenues derived from non-U.S. jurisdictions are subject to, risk of loss from financial, social or judicial instability, economic sanctions, government leadership changes, including from electoral outcomes or otherwise, governmental or central bank policy changes, expropriation, nationalization and/or confiscation of assets, price controls, high inflation, weather events, natural disasters, widespread health emergencies or pandemics, capital controls, currency re-denomination risk from a country exiting the EU or otherwise, currency fluctuations, foreign exchange controls or movements (caused by devaluation or de-pegging), unfavorable political and diplomatic developments, oil price fluctuations and

changes in legislation. These risks are heightened in emerging markets.

Political and economic interactions between the U.S. and important trading partners, including China, but also more broadly across Asia, Europe, Latin America and North America, have become increasingly fragmented and complex and may result in sanctions, further tariff increases or other restrictive actions on cross-border trade, investment and transfer of data and information technology. Such actions, which may also include actions taken against other countries to enforce trade restrictions, could reduce trade volumes, result in supply chain disruptions, increase costs for producers, and adversely affect our businesses and revenues, as well as our clients and counterparties, including their credit quality.

Slowing growth, recessionary conditions, adverse geopolitical conditions and political or civil unrest, foreign trade competition, employment levels, wage pressures and elevated inflation in certain countries may pose challenges, including from volatility in financial markets. Foreign exchange rates against the U.S. dollar remain uncertain and potentially volatile, and depreciation could increase our financial risks with clients that deal in non-U.S. currencies but have U.S. dollar-denominated debt.

We invest or trade in the securities of corporations and governments located in non-U.S. jurisdictions, including emerging markets. Revenues from the trading of non-U.S. securities may be subject to negative fluctuations as a result of the above factors. Furthermore, the impact of these fluctuations could be magnified because non-U.S. trading markets, particularly in emerging markets, are generally smaller, less liquid and more volatile than U.S. trading markets. Risks in one nation can limit our opportunities for portfolio growth and negatively affect our operations in other nations, including our U.S. operations. Market and economic disruptions may affect consumer confidence levels and spending, corporate investment and job creation, bankruptcy rates, levels of incurrence and default on consumer and corporate debt, economic growth rates and asset values, among other factors.

Elevated government debt levels raise the risk of volatility, significant valuation changes and political tensions regarding fiscal policy or defaults on or devaluation of sovereign debt, all of which could expose us to substantial losses. Financial markets have been and may continue to be sensitive to government budget processes and changes to fiscal policy, as well as any resulting political turmoil.

Our non-U.S. businesses are also subject to extensive regulation by governments, securities exchanges and regulators, central banks and other regulatory bodies. In many countries, the LRRs applicable to the financial services and securities industries are less predictable, prone to change and uncertainty, regularly evolving and may conflict with similar LRRs in the U.S. We spend significant resources on understanding and monitoring foreign LRRs, some with less predictable legal and regulatory frameworks, as well as managing our relationships with multiple regulators in various jurisdictions. Failure to comply with local laws and manage our relationships with regulators could result in increased expenses, changes to our organizational structure and adversely affect our businesses, reputation and results of operations in that market.

We are also subject to complex and extensive U.S. and non-U.S. LRRs, which subject us to costs and risks relating to bribery and corruption, know-your-customer requirements, anti-money laundering, embargo programs and economic sanctions, which can vary or conflict across jurisdictions. These LRRs require implementation of complex operational capabilities and compliance programs. Claims regarding non-compliance,

13 Bank of America

including improper implementation, and/or violations could result in increasing operational and compliance costs, enforcement actions and civil and criminal penalties against us and our employees, and result in operational restrictions and reputational harm. The increasing speed and novel ways in which funds circulate could make it more challenging to track such movement and heighten financial crimes risk. Compliance with evolving regulatory regimes and legal requirements depends on our ability to improve and/or evolve our processes, controls, surveillance, detection, reporting and analytics, and could be adversely impacted by operational failures.

We are also subject to other geopolitical risks, including acts or threats of international or domestic terrorism, including responses by the U.S. or other governments thereto, corporate espionage, civil unrest and/or military conflicts, including the escalation of tensions between China and Taiwan, which could adversely affect business, market trade and general economic conditions abroad and in the U.S. Adverse developments in or expansions of existing military conflicts (e.g., Russia/Ukraine, Middle East) or new military conflicts could also negatively impact commodity and other financial markets, as well as economic conditions. Widening regional conflicts resulting in the involvement of neighboring countries and/or North Atlantic Treaty Organization member countries and/or military conflicts in other areas of the world could result in additional economic disruptions, financial market volatility, higher inflation and changes to asset valuations, which could disrupt our operations and adversely affect our results of operations. Also, the use of cyberattacks or campaigns, cyberespionage or other unauthorized access to networks and systems by nation states or their proxies, including utilizing emerging technologies such as AI, has increased and threatens our and our third parties’ operations and information systems, and the financial systems and infrastructure upon which we rely.

The uncertainty around the U.S. government’s debt levels and ceiling and a growing federal budget deficit could lead to further credit rating downgrades and/or defaults on its debt. The recurrence of a prolonged government shutdown could weaken the U.S. dollar, cause market volatility, negatively impact the global economy and banking system and adversely affect our financial condition, including our liquidity. Also, changes in fiscal, monetary, regulatory, trade and/or foreign policy, employment levels, wage pressures, supply chain disruptions and higher inflation, could increase our compliance costs and adversely affect our business operations, organizational structure and results of operations. Emerging market currency values and monetary policy settings are particularly sensitive to such changes in U.S. monetary policy. Also, fluctuations in U.S. interest rates and/or tariff rates, could result in additional currency volatility in a number of non-U.S. markets.

Business Operations

A failure in or breach of our operations or information systems, or those of third parties or the financial services industry, could cause disruptions, adversely impact our businesses, results of operations and financial condition, and cause legal or reputational harm.

Operational risk exposure exists throughout our organization, including risks arising from our operations and information systems, which comprise the hardware, software, infrastructure, backup systems and other technology that we own or use to collect, process, maintain, use, share, transmit or dispose of information, including personal and/or confidential employee, client and third-party information, which are integral to the performance of our businesses. Our extensive interactions with,

and reliance on, third parties and the financial services industry, including the processing and reporting of a large number of complex transactions at increasing speeds in many currencies and jurisdictions, creates additional operational risk.

Our operations and information systems and components thereof, and those of our third parties, have been, and in the future may be, ineffective or fail to operate properly or become disabled or damaged as a result of a number of factors, including events that may be wholly or partially beyond our or such third party’s control. Such events have adversely affected, and in the future could adversely affect, physical site access of our operations, the safeguarding of information and our ability to process transactions, provide services to our clients and perform other operations, including reporting and decision-making. Short-term or prolonged disruptions to our or our third parties’ critical business operations and client services are possible, such as due to computer, telecommunications, network, utility, electronic or physical infrastructure outages, including from abuse or failure of our electronic trading and algorithmic platforms, significant unplanned increases in client transactions, fraudulent transactions, cyberattacks, extortion attempts, aging information systems, newly introduced or identified vulnerabilities or defects in hardware and software, failure of or defects in infrastructure or manual processes, technology project implementation challenges and deficiencies, including from the use of emerging technologies such as AI, and supply chain disruptions. Operational disruptions and prolonged operational outages could also result from events arising from natural disasters, including earthquakes and acute and chronic weather events, such as wildfires, tornadoes, hurricanes and floods, some of which are happening with more frequency and severity, as well as local or larger scale political or social matters, including civil unrest, terrorist acts and military conflict.

We continue to have greater reliance on our and our third parties’ remote access tools and technology, and employees’ personal systems and increased data utilization and dependence upon our information systems to operate our businesses, including from evolving client preferences, which has led to increased reliance on digital banking and other digital services provided by our businesses. Effective management of our business continuity increasingly depends on the security, reliability and adequacy of such systems.

We also rely on our employees, representatives and third parties in our day-to-day operations, who may, due to illness, unavailability, the emergence of widespread health emergencies or pandemics, human error, social engineering, misconduct (e.g., errors in judgment, malice, fraud or illegal activity), malfeasance or a failure, breach or misuse of information systems, cause disruptions to our organization and expose us to operational losses, regulatory risk and reputational harm. Our and our third parties’ inability to properly introduce, deploy and manage operational or technology changes and continuously alter, improve and automate processes and systems, including related controls, such as regarding internal financial and governance processes, existing products and services, and new product innovations and technology, could also result in additional operational, information security, reputational and regulatory risk, including from the use of AI.

Regardless of the measures we have taken to implement training, procedures, controls, backup systems and other safeguards to support our operations and bolster our operational resilience, our ability to conduct business may be adversely affected by significant failures or disruptions to us or to third parties with whom we interact and rely upon. This includes localized or systemic cyber events or other technology

incidents that result in outages or unavailability of information systems, part or all of the internet, cloud services and/or the financial services industry, networks, platforms, systems and infrastructure (e.g., funds transfers, electronic trading and algorithmic platforms and critical banking activities), which could be exacerbated by the interconnectivity and concentration of technology or service offerings in a small number of providers or models, including AI and cloud services, and result in systemic operational impact to us and across the financial services industry or beyond. Our ability to implement backup systems and other safeguards is more limited with respect to third-party systems and the financial services industry infrastructure. Weakness in and/or the inability to simplify and improve our and our third parties’ processes or controls could impact our ability to deliver products or services to our clients and expose us to regulatory, reputational and operational risks.

We use, and expect to increasingly use, emerging technologies, including AI, across our operations, including business processes, services and products, and we expect greater AI adoption by our third parties, clients, counterparties, clearinghouses and financial intermediaries. Expanded use of AI, including emerging third‑party AI services and autonomous AI agents, may result in increased data risk, unpredictable system interactions, inadequate controls or safeguards, AI failure, or produce unintended operations or consequences. AI services used by our clients or third parties may interact with our systems or communicate directly with our employees, and may act without authorization, make execution errors, behave unpredictably or be misaligned with intended outcomes, which could result in additional operational, legal and regulatory risk, and reputational harm.

There can be no assurance that our resiliency, business continuity, technology change and information security response plans will effectively mitigate our operational risks. Any backup systems or manual processes may not process data accurately and/or as quickly or effectively as our primary systems, and some data might not be available or backed up. Also, the speed at which we are able to remediate any failure or disruption of our operations and/or information systems may vary across jurisdictions. We regularly update the operational processes and information systems we rely on to support our operations and growth, including as part of our efforts to comply with all applicable LRRs globally. This updating entails significant costs and creates risks associated with implementing new or modified operational processes and information systems and integrating them with existing information systems, including business interruptions, failures or ineffectiveness.

Increasing reliance on our information systems and frequency of weather events and other natural disasters heighten our risk of operational loss. Any failure or disruption of our or our third parties’ operations or information systems resulting in disruption to our critical business operations and client services, a failure to identify or effectively respond to operational risks timely and/or a failure to continue to deliver our services through an operational failure or disruption could impact the confidentiality, integrity or availability of data and information, and expose us to various risks, including market abuse, fraud, financial losses and other costs, misappropriation and corruption, loss of trust or confidence in us and/or the financial services industry, client attrition, regulatory (e.g., LRR compliance), market, privacy and liquidity risk, adversely impact our results of operations and financial condition and cause legal, regulatory or reputational harm.

The Corporation and third parties with whom we interact and/or on whom we rely, are subject to cybersecurity incidents,

information and security breaches, and technology failures that have and in the future could adversely affect our ability to conduct our businesses, result in the alteration, unavailability, misuse, destruction or disclosure of information, damage our reputation, increase our regulatory and legal risks, result in additional costs or financial losses and/or otherwise adversely impact our businesses and results of operations.

Our business is highly dependent on the security, controls and efficacy of our information systems, and the information systems of our clients and third parties (e.g., providers of products and services, law firms, other financial institutions, financial counterparties, financial data aggregators, the financial services industry, financial intermediaries (e.g., such as clearing agents, exchanges and clearing houses), U.S. and non-U.S. federal and state governments and regulators, providers of outsourced software, services and infrastructure (e.g., internet access, cloud service providers and electrical power) and retailers for whom we process transactions) with whom we interact, on whom we rely or who have access to our clients’ information and other sensitive data. We rely on effective access management and the secure collection, processing, maintenance, use, transmission, storage, dissemination and disposition of information in our and our third parties’ information systems. Our cybersecurity risk and exposure remains heightened, including because of our prominent size and scale, high-profile brand, global presence and role in the financial services industry and the broader economy.

We and our employees, regulators, clients and third parties are ongoing targets of an increasing number of cybersecurity threats and cyberattacks. The tactics, techniques and procedures used in cyberattacks are pervasive, sophisticated, rapidly evolving and designed to evade security measures. Cybersecurity threats, including computer viruses, malicious or destructive code (such as ransomware), social engineering, real and virtual impersonation, denial of service or information attacks and other security breach tactics targeting us or third parties have and in the future are likely to result in disruptions to our businesses and operations, loss of funds, including from attempts to defraud us and/or our clients, and impacts to the confidentiality, integrity or availability of our systems and information (e.g., intellectual property and the personal and/or confidential information of our employees, clients and third parties). Cyberattacks are carried out globally by a growing number of actors, including organized crime groups, hackers, terrorist organizations, hostile foreign governments and their proxies, state-sponsored actors, activists, disgruntled employees and other persons or entities.

Our risk from cybersecurity threats and incidents, information and security breaches and technology failures continues to increase due to the acceptance and use of digital banking and other digital products and services, including mobile banking products, and reliance on remote access tools and other technology, which have resulted in increased reliance on virtual or digital interactions, a growing number of access points to our information systems and greater amounts of information being available for access. Greater demand on our information systems and security tools and processes are expected.

Emerging technologies, such as AI and quantum computing, are expected to increase these risks. For example, AI lowers the entry barriers to plan and execute cyberattacks, enables more personalized and harder to detect social engineering, and improves vulnerability discovery, which may result in the increased likelihood of exploitation and the speed, scope, scale, and sophistication of cyberattacks. Advances in quantum computing may introduce cryptography risks that threaten the

15 Bank of America

security of our information and systems and strengthen threat actor capabilities in ways that are difficult to anticipate. These technologies, alone or in combination with others, may amplify the risks they pose.

We also face significant third-party technology, cybersecurity and operational risks relating to the large number of clients and third parties on whom we rely to operate our business. Third-party information systems extend beyond our security and control systems, and such third parties have varying levels of security and cybersecurity resources, expertise, safeguards, controls and capabilities and in some cases may be more vulnerable to cyberattacks. Threat actors may actively seek to exploit third-party security and cybersecurity weaknesses. The relationships of our third parties with us may increase the risk that they are targeted by the same threats we face, and such third parties may be less prepared for such threats. Also, we are at risk from critical third-party information security and open-source or proprietary software defects and vulnerabilities. We must rely on our third parties to detect and promptly report cybersecurity incidents, vulnerabilities and technology failures. Their failure could impair our ability to report or respond to such incidents, vulnerabilities and failures effectively or timely.

Due to increasing consolidation, interdependence and complexity of financial entities and technology and information systems, a cybersecurity threat or incident, information or security breach or technology failure that significantly exposes, degrades, destroys, renders unavailable or compromises the information systems or information of one or more financial entities or other third parties, including cloud service providers, could adversely impact us and increase the risk of operational failure and loss, as disparate information systems need to be integrated, often on an accelerated basis. Also, any similar events affecting our information systems or information could adversely impact third parties and the critical infrastructure of the financial services industry, creating additional risk to us.

Cybersecurity incidents or information or security breaches could persist for an extended period of time prior to detection, and it often takes additional time to determine the scope, extent, amount and type of impact, including the information altered, destroyed, accessed or otherwise compromised, following which the measures to recover and restore to a business-as-usual state may be difficult to assess and require notification to our clients, government officials and regulators. We have spent and expect to continue to spend significant resources to modify and enhance our protective measures and our capabilities to respond and recover, investigate and remediate software and network defects and vulnerabilities, and defend against, detect and respond to cybersecurity threats and incidents, whether to us, third parties, the industry or businesses generally. Regardless of the efforts we take to protect the integrity and resilience of our information systems and implement controls, processes, policies, employee training and other protective measures, we cannot anticipate and detect all cybersecurity threats and incidents and/or develop or implement effective preventive or defensive measures designed to prevent, respond to or mitigate all cybersecurity threats and incidents. Internal access management or other technology failures could impact the confidentiality, integrity or availability of data and information. Our vulnerability increases if employees fail to exercise sound judgment and vigilance when targeted with social engineering or other cyberattacks.

While we and our third parties have experienced cybersecurity incidents, information and security breaches and technology failures, as well as adverse impacts from such events, including as described in this risk factor, we have not

experienced material losses or other material consequences relating to cybersecurity incidents, information or security breaches or technology failures, whether directed at us or our third parties. However, we expect to continue to experience such events and impacts ourself and at our third parties with increased frequency and severity due to the evolving threat environment. There can be no assurance that future cybersecurity incidents, information and security breaches and technology failures, including those experienced by our third parties, will not have a material adverse impact on us, including our businesses, results of operations and financial condition.

Future cybersecurity incidents, information or security breaches or technology failures suffered by us or our third parties could result in disruption to our day-to-day business activities and an inability to effect transactions, execute trades, service our clients, safeguard information, manage our exposure to risk, expand our businesses, detect and prevent fraudulent or unauthorized transactions, and maintain information systems and telecommunication access, business operations, and client services, in the U.S. and/or globally. Also, we could experience the loss of clients and business opportunities, the withdrawal of client deposits, the misappropriation, alteration or destruction of our or our third parties’ intellectual property or confidential information, the unauthorized access to or temporary or permanent destruction, loss or theft of information (e.g., of our employees and clients), significant lost revenue, increased risk of fraudulent transactions, misappropriation of funds, losses and claims brought by third parties, violations of applicable privacy, cybersecurity and other LRRs, litigation exposure, economic sanctions, enforcement actions, government fines, penalties or intervention and other negative consequences. Although we maintain cyber insurance, there can be no assurance that liabilities or losses we may incur will be covered under such policies or that the amount of insurance will be adequate. In the case of any cybersecurity incident, information or security breach or technology failure arising from third-party systems impacting us, any third-party indemnification may not be applicable or sufficient to address the impact of such cybersecurity incidents, information or security breaches or technology failures, including monetary losses. Any actual or perceived occurrence of the events described above could adversely impact our businesses, results of operations, liquidity and financial condition, and cause reputational harm.

Failure to satisfy our obligations as servicer for residential mortgage securitizations, loans owned by other entities and other related losses could adversely impact our reputation, servicing costs or results of operations.

We service mortgage loans on behalf of third-party securitization vehicles and other investors. If a material breach of our obligations as servicer or master servicer is committed, we may be subject to termination if the breach is not cured timely following notice, which could cause us to lose servicing income. We may also have liability for any failure by us or a third party, as a servicer or master servicer to adhere to or perform the required servicing obligation in accordance with the terms of the servicing agreements that result in impairment or loss to the loans’ owner. If any such breach was found to have occurred, it may harm our reputation, increase our servicing costs or losses due to potential indemnification obligations, result in litigation or regulatory action or adversely impact our results of operations. Also, foreclosures may result in costs, litigation or losses due to irregularities in the underlying documentation, or if the validity of a foreclosure action is challenged by a borrower or overturned by a court because of errors or deficiencies in the foreclosure process. We may also incur costs or losses relating to delays or

alleged deficiencies in processing documents necessary to comply with state law governing foreclosure.

Changes in the structure of and relationship among the GSEs could adversely impact our business.

We rely on the GSEs to guarantee or purchase certain mortgage loans that meet their conforming loan requirements. During 2025, we sold approximately $2.3 billion of loans to GSEs, primarily Freddie Mac (FHLMC). FHLMC and Fannie Mae are currently in conservatorship, with the Federal Housing Finance Agency acting as conservator. While there have been periodic proposals to remove or exit the GSEs from conservatorship and eliminate the perceived “implicit guarantee” associated with the GSEs, none have yet to be executed successfully. We cannot predict the future prospects of the GSEs, including the timing of any recapitalization or release from conservatorship, or any legislative or rulemaking proposals regarding the GSEs’ status in the housing market. If the GSEs take a reduced role in the marketplace, including by limiting the mortgage products they offer, we could be required to seek alternative funding sources, retain additional loans on our balance sheet, secure funding through the Federal Home Loan Bank system, or securitize the loans through Private Label Securitization, which could increase our cost of funds related to the origination of new mortgage loans, increase credit risk and/or impact our capacity to originate new mortgage loans. These developments could adversely affect our securities portfolios, capital levels, liquidity and results of operations.

Our risk management framework may not be effective in mitigating risk and reducing the potential for losses.

Our risk management framework is designed to minimize our risk and loss. We seek to effectively and consistently identify, measure, monitor, report and control the risk types to which we are subject, including the seven key risk types we face. Risks also may span across multiple key risk types, including cybersecurity risk, legal risk, financial risk associated with concentration and climate risk. While we employ a broad and diversified set of controls and risk mitigation techniques, including modeling and forecasting, hedging strategies and techniques seeking to balance our ability to profit from trading positions with our exposure to potential losses, we are inherently limited by our ability to identify and measure all risks, including emerging and unknown risks, anticipate the timing and impact of risks, apply effective hedging strategies, make correct assumptions, manage and aggregate data correctly and efficiently, identify changes in markets or client behaviors not historically reflected and develop risk management models and forecasts to assess and control risk.

Our risk management depends on our ability to consistently execute all elements of our risk management program, develop and maintain a culture of managing risk well throughout the Corporation and manage third-party risks, including providers of products and services, to allow for effective risk management and help confirm that risks are appropriately considered, evaluated and responded to timely. Uncertain economic and geopolitical conditions, widespread health emergencies and pandemics, heightened legislative and regulatory scrutiny of and change within the financial services industry, the pace of technological changes, including AI and quantum computing, accounting, tax and market developments, the failure of employees, representatives and third parties to comply with our policies and Risk Framework and the overall complexity of our operations, among other developments, have in the past and may in the future, result in a heightened level of risk, including operational, reputational and compliance risk. Failure to manage evolving risks or properly anticipate, escalate, control or mitigate

risks could result in further legal and regulatory risk and losses and adversely affect our reputation and results of operations.

Regulatory, Compliance and Legal

We are highly regulated and subject to evolving government legislation and regulations and certain settlements, orders and agreements with government authorities from time to time.

We operate in a highly regulated industry and are subject to evolving and comprehensive federal, state and foreign LRRs and Executive Branch Actions. This significantly affects and has the potential to increase our compliance and operational costs, restrict the scope of our existing businesses, impact potential relationships with our clients, require changes to our employment practices, business strategies, risk management, governance processes and controls and procedures, require us to hold more capital, limit our ability to pursue certain business opportunities, including the products and services we offer, reduce certain fees and rates and/or make our products and services more expensive for our clients. We are also required to file various financial and nonfinancial regulatory reports to comply with LRRs in the jurisdictions in which we operate, which results in additional compliance and operational risk.

We continue to adjust our business and operations, legal entity structure, systems, disclosure, policies, procedures, processes, controls and governance, including with regard to capital and liquidity management, risk management and data management, in an effort to comply with LRRs, and evolving expectations, guidance and interpretation by regulatory authorities, including the Department of Treasury (e.g., the Internal Revenue Service (IRS) and OFAC), Financial Crimes Enforcement Network, Federal Reserve, OCC, CFPB, Financial Stability Oversight Council, FDIC, Department of Labor, SEC and CFTC in the U.S., foreign regulators, other government authorities and self-regulatory organizations. We expect to become subject to future LRRs, including beyond those currently proposed, adopted or contemplated in the U.S. or abroad, and evolving interpretations of existing and future LRRs, and may be subject to Executive Branch Actions, which may include FDIC assessments, loss allocations between financial institutions and clients regarding the use of our products and services, including electronic payments, employment practices, fair access to banking products and services, the terms of our products and services and climate and environmental risk management and sustainability reporting and disclosure. LRRs related to emerging technologies, such as AI, cybersecurity and data management, are also rapidly evolving across jurisdictions and could require changes related to deployments and operational processes and increase compliance costs and regulatory, compliance and legal risks.

The cumulative effect of all of the current and possible future legislation and regulations, as well as related interpretations, on our litigation and regulatory exposure, businesses, operations, including our ability to compete, and profitability remains uncertain and necessitates that we make certain assumptions with respect to the scope and requirements of existing, prospective and proposed LRRs in our business planning and strategies. If these assumptions prove incorrect, we could be subject to increased regulatory, legal and compliance risks and costs, and potential reputational harm. Also, regulatory initiatives in the U.S. and abroad may overlap, and non-U.S. regulations and initiatives may be inconsistent or conflict with current or proposed U.S. regulations or with each other, which could lead to compliance risks and higher costs.

Our regulators’ prudential and supervisory authority gives them broad power and discretion to direct our actions, and they

17 Bank of America

have an active oversight, inspection and investigatory role across the financial services industry. Regulatory focus is not limited to LRRs applicable to the financial services industry, but includes other significant LRRs that apply across industries and jurisdictions, including those related to anti-money laundering, anti-bribery, anti-corruption know-your-customer requirements, embargoes and economic sanctions.

We are also subject to existing and potential LRRs in the U.S. and abroad, including the CCPA and GDPR, regarding privacy and the disclosure, collection, use, sharing and safeguarding of personally identifiable information, including our employees, clients, suppliers, counterparties and other third parties. Violations could result in litigation, regulatory fines, enforcement actions and operational loss. Expected new and evolving data privacy laws globally may increase compliance costs, litigation, regulatory fines and enforcement actions. There remains complexity and uncertainty, including potential suspension or prohibition, regarding data transfer because of concerns over compliance with LRRs for cross-border flows and transfers of personal data globally, and resulting from judicial and regulatory guidance. Other jurisdictions have commenced or may commence consultation efforts or enacted new legislation or regulations to establish standards for personal data transfers. If cross-border personal data transfers are suspended or restricted or we are required to implement distinct processes for each jurisdiction’s standards, this could result in operational disruptions to our businesses, additional costs, increased enforcement activity, new contract negotiations with third parties, and/or modification of such data management.

As part of their enforcement authority, our regulators and other government authorities have the authority to, among other things, conduct a wide range of investigations and legal and regulatory proceedings, pursue enforcement actions, assess civil or criminal monetary fines, penalties or restitution, require remediation, issue cease and desist orders, limit business activities and restrict operations, suspend or withdraw licenses and authorizations, initiate injunctive action, apply regulatory sanctions or cause us to enter into consent orders. Costs to settle, remediate or comply with enforcement actions have been substantial and may increase. In some cases, governmental authorities have required criminal pleas or other extraordinary terms as part of such resolutions, which could have significant consequences, including reputational harm, loss of clients, restrictions on accessing capital markets, and the inability to operate businesses or offer products. Responses to regulators and other government authorities often are time-consuming, expensive and divert management attention. Any matter may take years to resolve and be difficult to predict or estimate.

The terms of settlements, orders and agreements that we have entered into with government entities and regulatory authorities have also imposed, or could impose, significant operational and compliance costs, including enhancements to our procedures and controls, losses with respect to fraudulent transactions perpetrated against our clients, expansion of our risk and control functions within our lines of business, investment in technology and the hiring of significant numbers of additional risk, control and compliance personnel. For example, in December 2024, the OCC issued a Consent Order against BANA relating to certain aspects of its BSA, anti-money laundering and economic sanctions compliance programs, and we continue to respond to requests for information about similar aspects of such programs from other regulators. Failure to meet the requirements of such settlements, orders or agreements, or, more generally, the failure to maintain risk and control procedures and processes that meet the heightened standards

established by our regulators and other government authorities, could result in further settlements, orders or agreements and additional fines, penalties or judgments, or material regulatory restrictions on our businesses.

Actual or perceived misconduct by us, our employees or representatives that are illegal, unethical or contrary to our core values, including the handling of fiduciary obligations, conflicts of interest and the misuse of confidential information, could harm us, our shareholders or clients or damage the integrity of the financial markets, and are subject to increasing regulatory scrutiny across jurisdictions. Given the complexity of the regulatory and enforcement regimes across jurisdictions and coupled with the global scope of our operations, a single event or practice or a series of related events or practices may give rise to a significant number of overlapping investigations and regulatory proceedings by multiple federal, state and foreign regulators and government authorities. Actions by other financial institutions in businesses in which we operate may result in regulatory investigations adversely affecting us.

While we believe that we have an appropriate approach to developing and implementing risk management and compliance programs, compliance risks will continue to exist, particularly as we anticipate and adapt to new and evolving LRRs, shifting priorities of our U.S. and non-U.S. regulators and government authorities and evolving interpretations, and potential misconduct by bad actors globally. We also rely upon third parties who may expose us to compliance and legal risk, including from their failure to timely address regulatory changes. Future executive, legislative or regulatory actions, and any required changes to our business or operations or strategy, or those of third parties upon whom we rely, resulting from such developments and actions could result in a significant loss of revenue, impose additional compliance and other costs or otherwise reduce our profitability, limit the products and services that we offer or our ability to pursue certain businesses and business opportunities, require us to dispose of certain businesses or assets, affect the value of assets held, require changes in training, testing, governance, controls and procedures and compensation practices, require us to increase prices and therefore reduce demand for our products, reduce fees or otherwise adversely affect our businesses.

We are subject to significant financial and reputational harm from potential liability arising from lawsuits and regulatory and government action.

We face significant legal risks in our business, with a high volume of claims against us, including related to various products, services and markets. The amount of damages, penalties and fines that private litigants, including clients and other counterparties, and regulators seek from us and other financial institutions continues to be significant and unpredictable.

U.S. federal and state regulators and government agencies, state attorneys general and regulators in foreign jurisdictions regularly pursue enforcement claims and litigation against financial institutions, including us, for alleged violations of law and client harm, including under the Financial Institutions Reform, Recovery, and Enforcement Act, the federal securities laws, the False Claims Act, fair lending laws and regulations (e.g., the Equal Credit Opportunity Act and the Fair Housing Act), the FCPA, the BSA, regulations issued by OFAC, Home Mortgage Disclosure Act, antitrust laws, and consumer protection laws and regulations related to products and services such as overdraft and sales practices, including prohibitions on unfair, deceptive, and/or abusive acts and practices (UDAAP) under the Consumer Financial Protection Act and the Federal Trade

Commission Act, and EFTA, as well as other enforcement action taken by prudential regulators with respect to safety, soundness and appropriateness of our business practices. Such claims may require substantial remediation and carry significant penalties, restitution and, in certain cases, treble damages. The ultimate resolution of regulatory inquiries, investigations and other proceedings which we are subject to is difficult to predict.

We and our regulators have an increased focus on privacy, information security and emerging technologies, such as AI. This includes cybersecurity incidents perpetrated against us, our clients, providers of products and services, counterparties and other third parties, the collection, use and sharing of data, and safeguarding of personally identifiable information and corporate data, as well as the development, implementation, use and management of emerging technologies, which have resulted in, and will likely continue to result in, related litigation (including class actions) or government enforcement, including with regard to compliance with U.S. and global LRRs, and could subject us to fines, judgments and/or settlements and involve reputational losses. The interconnectedness and complexity of AI models may complicate oversight and compliance, and reliance on third‑party AI models further increases our risks due to limited visibility into their training data, methodologies and safeguards. Inaccurate AI outputs, unintended or unauthorized exposure of confidential information, biases and possible infringement of intellectual property rights through the use of AI increase this risk. Also, increasing scrutiny regarding sustainability-related policies, goals, targets and disclosure could result in litigation, regulatory investigations and actions.

In addition to the consent order regarding BSA/anti-money laundering and economic sanctions compliance programs, in recent years we have entered into orders or settlements with certain government agencies regarding the rates paid on uninvested cash in brokerage and investment advisory accounts that is swept into interest-paying bank deposits, credit card sales and marketing practices and representment fee practices and our participation in implementing COVID-19-related government relief measures and other federal and state government assistance programs, including unemployment benefit processing for California and certain other states. We are, or may become subject to related litigation or investigations by other regulators related to the conduct that resulted in these orders, or orders or investigations we become subject to in the future, which may result in judgments and/or settlements. Also, we may be adversely impacted by matters related to fraud perpetrated against our clients in connection with their use of electronic payments (including Zelle) and other similar products and services, which could result in judgments or settlements, and adversely affect our businesses and strategies.

Misconduct, or perceived misconduct, by our employees, third parties and other representatives, including conflicts of interest, unethical, fraudulent, improper or illegal conduct, the failure to fulfill fiduciary obligations, unfair, deceptive, abusive or discriminatory business practices, or violations of policies, procedures or LRRs, including conduct that affects compliance with books and records requirements, have resulted and could result in further litigation and/or government investigations and enforcement actions, and cause significant reputational harm. For example, we are responding to demands and requests relating to our past or current policies and practices for providing, maintaining or discontinuing financial products or services to certain clients or potential clients, including account opening, underwriting, credit, transaction monitoring or account closure, which could result in litigation or regulatory action.

Investigations, regulation, regulatory compliance activities, litigation and regulatory enforcement, have affected and are likely to continue to affect operational and compliance costs and risks, including the adaptation of business strategies, the limitation or cessation of our ability or feasibility to continue providing certain products and services and our employment practices. Lawsuits and regulatory actions are often complex and unpredictable, develop over a long period of time and have resulted in and will likely continue to result in injunctive relief and judgments, orders, settlements, penalties and fines adverse to us, in amounts that may be significant or unpredictable, and in some cases, exceed the amount of our reserves established. Litigation and investigation costs, substantial legal liability or significant regulatory or government action against us could adversely affect our businesses, financial condition, including liquidity, and results of operations, and/or cause significant reputational harm.

U.S. federal banking agencies may require increased capital and liquidity levels, which could adversely impact the Corporation.

We are subject to U.S. capital and liquidity regulations. These rules, among other things, establish minimum ratios relating to capital for different categories of assets and exposures to qualify as a well-capitalized institution. As a G-SIB, we are also required to hold additional capital buffers, including a G-SIB surcharge, an SCB and a countercyclical buffer, which are reassessed at least annually. Also, we are subject to regulatory liquidity requirements, including the Liquidity Coverage Ratio and the Net Stable Funding Ratio. If any of our subsidiary insured depository institutions fail to maintain “well capitalized” status under the applicable regulatory capital rules, the Federal Reserve will require us to agree to bring the insured depository institution back to well-capitalized status, which may include restrictions on our activities (e.g., payment of dividends and/or repurchase of common stock). If we were to fail to enter into or comply with such an agreement, the Federal Reserve may impose more severe restrictions on our activities, including requiring us to cease and desist activities otherwise permitted.

Also, our ability to pay dividends on or repurchase our common stock depends, in part, on our ability to maintain regulatory capital levels above minimum requirements plus buffers. If our SCB, G-SIB surcharge or countercyclical capital buffer requirements increase, our dividends and common stock repurchases could decrease. For example, our G-SIB surcharge is expected to increase to 3.5 percent from 3.0 percent in 2027, and could increase further in the future. The Federal Reserve could also limit or prohibit capital actions (e.g., impacts to dividends and common stock repurchases) as a result of economic disruptions or events.

Regulators may change regulatory capital requirements, including total loss-absorbing capacity (TLAC) and long-term debt requirements, change how regulatory capital, RWA or leverage exposure is calculated, and/or increase liquidity requirements. These components of our capital and liquidity ratios could also be impacted by economic disruptions or other events that may increase our balance sheet, RWA or leverage exposures, which could increase the amounts of regulatory capital or liquidity we are required to hold. Changes to and compliance with regulatory capital and liquidity requirements may impact our operations by requiring the liquidation of assets, increased borrowings, issuance of additional securities, reduced common stock repurchases or dividends, limits to compensation practices, ceased or altered operations, modification of pricing strategies and business activities, and/or holding of highly liquid assets.

Extensive regulatory evaluation of our capital planning practices by the Federal Reserve includes stress testing certain

19 Bank of America

parts of our business using hypothetical economic scenarios prepared by the Federal Reserve. Those scenarios may affect our CCAR stress test results, which could impact our SCB and require us to hold additional capital. Proposed or future Federal Reserve rulemaking, including to the SCB calculation, CCAR stress tests or otherwise, may impact our SCB requirement.

Also, U.S. banking regulators are expected to release proposals in 2026 to revise methodologies for measuring and reporting risk-based capital adequacy, including the calculation of RWA and G-SIB surcharge. The timing and composition of such proposals are uncertain. Final rules issued following those proposals could adversely impact our capital requirements.

Changes in accounting standards or assumptions in applying accounting policies could adversely affect us.

Accounting policies and methods are fundamental to how we record and report our financial condition and results of operations. Some of these policies require the use of estimates and assumptions that may affect the reported value of our assets or liabilities and results of operations and are critical because they require management to make difficult, subjective and complex judgments about matters that are inherently uncertain. If assumptions, estimates or judgments are erroneously applied, we could be required to correct and restate prior-period financial statements. Accounting standard-setters and those who interpret the accounting standards, including the SEC, banking regulators and our independent registered public accounting firm may also amend or even reverse their previous interpretations or positions on how various standards should be applied. These changes may be difficult to predict and could impact the preparation and reporting of our financial statements, including the application of new or revised standards retrospectively, resulting in unexpected losses, revisions to prior-period financial statements and other adverse impacts to us, including legal and regulatory risk.

We may be adversely affected by changes in U.S. and non-U.S. tax laws and regulations.

We could be adversely affected if U.S. and foreign governmental authorities further change tax laws, including changes to the 2025 Budget Reconciliation Act. Also, new guidelines issued by the Organization for Economic Cooperation and Development (OECD), which are currently enacted or being enacted into law in some OECD countries in which we operate, will impose a 15 percent global minimum tax on certain taxpayers on a country-by-country basis. Any implementation of and/or change in U.S. and foreign tax laws and regulations or interpretations of current or future tax laws and regulations could materially adversely affect our effective tax rate, tax liabilities and results of operations. U.S. and foreign tax laws are complex and our judgments, interpretations or applications of such tax laws could differ from that of the relevant governmental authority. This could result in additional tax liabilities and interest, penalties, the reduction of certain tax benefits and/or the requirement to make adjustments to amounts recorded, which could be material.

Also, we have U.K. net deferred tax assets (DTA) which consist primarily of net operating losses that are expected to be realized in a U.K. subsidiary over an extended number of years. Business model changes impacting profitability and/or adverse developments with respect to tax laws or to other material factors, such as prolonged worsening of international capital markets or changes in the ability of our U.K. subsidiary to conduct business in the markets outside the U.K., could lead management to reassess and/or change its current conclusion that no valuation allowance is necessary for our U.K. net DTA.

Reputation

Damage to our reputation could harm our businesses, including our competitive position and business prospects.

Our ability to attract and retain clients, investors and employees is impacted by our reputation. Reputational harm can arise from various sources that affect public trust, including actual or perceived business activities and activities of our officers, directors, employees, other representatives, clients and third parties, including counterparties, such as fraud, misconduct and unethical behavior, our ability to detect, prevent and/or respond to fraud perpetrated against our clients, and the handling of related disputes regarding the use of our products and services, including electronic payments, effectiveness of our internal controls, the fees charged to our clients, including overdraft and non-sufficient funds fees, compensation practices, lending practices, suitability or reasonableness of particular trading or investment strategies, the services offered to our clients, the reliability of our research and models and prohibiting clients from engaging in certain transactions.

Our reputation and business prospects may also be harmed by actual or perceived failure to deliver the products, service standards and quality expected, protect our clients and/or recognize and address client complaints, maintain effective compliance, properly implement technology changes and manage and use of emerging technologies, including AI, maintain effective data management, as well as cybersecurity incidents and information and security breaches affecting us and our employees, clients and third parties, which have occurred and are expected to continue with increasing frequency and severity, prolonged or repeated system outages, our privacy policies, the improper or unintended disclosure of or failure to safeguard personal, proprietary or confidential information, the breach of our fiduciary obligations, employment practices and the handling of widespread health emergencies or pandemics. Our reputation may also be harmed by litigation and/or regulatory matters and their outcomes, and/or criticism or challenges by third parties, relating to the topics discussed above or otherwise. Challenges and/or criticisms to our environmental and social practices, disclosures and benefits of our products, services or transactions, and those of our clients and third parties, including from third parties, who may have diverging views on those practices and disclosures, may also harm our reputation.

Perceptions of our liquidity and financial condition, actions by the financial services industry generally, or by certain members or individuals in the industry may harm our reputation. Adverse publicity or negative information, including social media posts by employees, the media or otherwise, whether or not accurate, may trigger a loss of trust or confidence on the part of clients, counterparties, shareholders, investors, debt holders, market analysts, other relevant parties or regulators, adversely impacting our business prospects and results of operations.

We are subject to complex and evolving LRRs and interpretations, including regarding fair lending activity, UDAAP, electronic funds transfers, know-your-customer requirements, data protection and privacy (e.g., the GDPR and the CCPA), cross-border data movement and data localization, cybersecurity, the use and development of AI, data and technology and other matters, as well as evolving and expansive interpretations of these LRRs. Principles concerning the appropriate scope of consumer and commercial privacy vary considerably across jurisdictions, and regulatory and public expectations regarding the definition and scope of consumer and commercial privacy and data protection remains fluid.

These laws may be interpreted and applied by various jurisdictions inconsistent with our current or future practices, or with one another. If personal, confidential or proprietary information of clients, employees or third parties is mishandled, misused or mismanaged by us, our third parties or financial data aggregators, or if we do not timely or adequately address such information, we may face regulatory, legal and operational risks, which could adversely affect our reputation, financial condition and results of operations.

We could suffer reputational harm if we fail to properly identify and manage potential conflicts of interest, the management of which has become increasingly complex as we expand our business activities through more numerous transactions, obligations and interests with and among our clients. The actual or perceived failure to adequately address conflicts of interest could also affect willingness of clients to use our products and services, or result in litigation or enforcement actions, which could adversely affect our business.

Our actual or perceived failure to address these and other issues, such as operational risks, could give rise to reputational harm and our business prospects, including the attraction and retention of clients and employees, and give rise to additional regulatory restrictions and legal risks which could, among other consequences, increase the size and number of litigation claims and damages asserted or subject us to enforcement actions, fines and penalties, and result in related costs and expenses.

Other

We face significant and increasing competition in the financial services industry.

We operate in a highly competitive environment and experience intense competition from local and global bank and nonbank financial institutions and new market entrants. Increasing pressure to provide products and services on more attractive terms, including lower fees, lower cost investment strategies and higher interest rates on deposits, may impact our ability to effectively compete. Also, we may be disadvantaged by our size, the jurisdictions in which we are organized or operate or from more stringent regulatory requirements applicable to us than to nonbank financial institutions, those obtaining limited bank charters or other actual or perceived competitors.

The growth of and mergers among traditional financial services companies have increased competition. Emerging technologies and the growth of e-commerce have lowered geographic and monetary barriers, made it easier for non-depository institutions to offer traditional banking products and services and allowed non-traditional financial service providers and technology companies to compete with traditional financial service companies in providing electronic and internet-based financial solutions and services, including electronic securities trading with low or no fees and commissions, marketplace lending, financial data aggregation and payment processing services, including real-time payment platforms. Further, clients may choose other market participants who engage in business or offer products in areas we deem speculative or risky rather than traditional products. Increased competition may reduce our market share, net interest margin and fee-based revenue and negatively affect our results of operations, including through pricing pressure, increased investment to improve the quality and delivery of our technology and/or affecting our clients’ willingness to do business with us.

Our inability to adapt our business strategies, products and services could harm our business.

We rely on a diversified mix of businesses that deliver a broad range of financial products and services through multiple

distribution channels. Our success depends on our and our third-party providers’ ability to timely change or adapt our business strategies, products and services and their respective features, including available payment processing services and technology, including AI, to rapidly evolving industry standards and consumer preferences. Our strategies could be further impacted by macroeconomic stress, widespread health emergencies or pandemics, cyberattacks, and military conflicts or other significant geopolitical events.

Widespread adoption and rapid evolution of, as well as developments in the regulatory landscape relating to emerging technologies, including analytic capabilities, AI, automated decision-making, self-service digital trading platforms and automated trading markets, internet services, and digital assets (e.g., cryptocurrencies, stablecoins, tokens and other crypto assets) as well as payment, clearing and settlement processes that use distributed ledger technology, create additional strategic risks, could negatively impact our ability to compete and require substantial expenditures to the extent we were to modify or adapt our existing products and services. Also, our ability to offer certain products and services may be impacted by legal or regulatory considerations. As new technologies evolve and mature, including the further development of the nonbank digital asset ecosystem (e.g., related to nonbank stablecoins or digital asset trading), and new competitors to the payments and trading ecosystems emerge and current competitors adapt, our businesses and results of operations could be adversely impacted, and we could experience increased volatility in deposits and/or significant long-term reduction in deposits (i.e., financial disintermediation).

Also, we may not be timely or successful in assessing competition, developing, introducing or integrating new products and services, responding, managing or adapting to changes in consumer behavior, preferences, spending, investing or saving habits, achieving market acceptance of our products and services, reducing costs of our products and services in response to pricing pressures or developing and maintaining clients. Our businesses may be negatively impacted if we, or our third-party providers, do not timely develop and apply emerging technologies, such as AI and quantum computing, or if our initiatives in these areas are deficient or fail, or do not achieve the financial benefits anticipated. Our third-party providers’ inability or resistance to timely innovate or adapt operations, products and services to evolving regulatory and market environments, industry standards and consumer preferences could result in service disruptions, harm our business and adversely affect our results of operations and reputation.

We could suffer operational, reputational and financial harm if our models fail to properly anticipate and manage risk.

We use models enterprise-wide, including to forecast losses, project revenue and expenses, assess and control our operations and financial condition, assist in capital planning, manage liquidity and measure, forecast and assess capital and liquidity requirements for credit, market, operational and strategic risks. Under our Enterprise Model Risk Policy, Model Risk Management is required to perform end-to-end model oversight, including independent validation before initial use, implementation monitoring, ongoing monitoring reviews through outcomes analysis and benchmarking, and periodic revalidation. However, models are inherently limited by simplifying assumptions, uncertainty in economic and financial outcomes, and emerging risks, including from applications that rely on AI.

Our models may not be sufficiently predictive of future results, including from limited historical patterns, extreme or unanticipated market movements or clients’ behavior and

21 Bank of America

liquidity, especially during severe market downturns or stress events (e.g., geopolitical or pandemic events), which could limit their effectiveness and require timely recalibration. The models that we use to assess and control our market risk exposures also reflect assumptions about the degree of correlation among prices of various asset classes or other market indicators, which may not be representative of future downturns and would magnify the limitations inherent in using historical data to manage risk. Market conditions in recent years have involved unprecedented dislocations and highlight the inherent limitations in using historical data to manage risk. Our models may also be adversely impacted by human error and may be ineffective if we fail to properly oversee, regularly review and detect their flaws during our review and monitoring processes, they contain erroneous data, assumptions, valuations, formulas or algorithms, our applications running the models do not perform as expected or AI applications are not developed and trained properly or contain biases (due to model design or input data). Regardless of steps we take to design effective controls, governance, monitoring and testing, and implement new technology and automated processes, failure of our models to properly anticipate and manage risks could result in operational, reputational and financial harm, including funding or liquidity shortfalls, adverse business decisions and regulatory risk.

Failure to properly manage data may adversely affect our ability to manage compliance risk and business needs, and result in errors in our operations, reporting and decision-making, and compliance with LRRs.

We rely on our ability to manage and process data accurately, timely and completely, including capturing, transporting, aggregating, using, transmitting data externally, and retaining and protecting data appropriately. While we continually update our policies, programs, processes and practices and take steps to leverage emerging technologies, such as automation, AI and robotics, our data management processes may not be effective and are subject to weaknesses and failures, including human error, data limitations, process delays, system failure or failed controls. Failure to effectively manage data accurately, timely and completely may adversely impact its quality and reliability and our ability to manage current and emerging risks, produce accurate financial, nonfinancial, regulatory, operational, environmental and social reporting, detect or surveil potential misconduct or non-compliance with LRRs, and to manage our business needs, strategic decision-making, resolution strategy and operations. The failure to establish and maintain effective, efficient and controlled data management could adversely impact our development of products and client relationships and increase operational losses and regulatory and reputational harm.

Our operations, businesses and clients could be adversely affected by climate-related matters and impacts.

Climate-related matters present short-, medium- and long-term risks. This includes physical risks such as extreme weather events and natural disasters, including floods, wildfires, hurricanes and tornados, and chronic risks such as rising average global temperatures and sea levels. These events could adversely impact our facilities, employees and clients’ ability to repay outstanding loans, disrupt our operations or those of our clients or third parties, disrupt supply chains or distribution networks, damage collateral and/or result in market volatility, cause rapid deposit outflows, drawdowns of credit facilities or insurance shortfalls, or deteriorate the value of collateral.

We also face transition risk associated with the shift to a low-carbon economy. Changes in consumer preferences, market pressures, technology advancements and additional legislation,

regulatory, compliance and legal requirements could alter our strategic planning, limit certain business activities and products and services offered, amplify credit and market risks, negatively impact asset values, insurance availability and cost, require capital expenditures and changes in technology and markets, increase expenses and adversely impact our capital requirements and results of operations. Climate-related regulatory approaches and disclosure continue to evolve and diverge across jurisdictions (including the availability of certain reporting exemptions), including among the U.S. and non-U.S., and within the U.S., which could adversely impact our legal, compliance and public disclosure risks and costs. Availability, quality and disclosure of climate-related data, including from third parties, remain challenging, which may result in legal, compliance and/or reputational harm.

Our climate-related strategies, policies, and disclosures, which may evolve over time, our climate-related goals and targets and/or the environmental or climate impacts attributable to our products, services or transactions may impact legal and compliance risk and could result in reputational harm as a result of negative public sentiment, regulatory scrutiny, litigation and reduced investor and stakeholder confidence. Divergent stakeholder perspectives increase the likelihood that any action or inaction we take regarding climate-related matters will be perceived negatively, which could adversely impact our reputation and businesses. Achieving our climate-related goals and targets, including our goals to achieve net zero greenhouse gas (GHG) emissions before 2050 in our financing activities, operations and supply chain, our interim 2030 GHG targets, including financed emissions, and our sustainable finance goals, are subject to risks and uncertainties, many outside of our control, such as technological advances, clearly defined industry sector roadmaps, public policies, better emissions data reporting and engagement with clients, suppliers, investors, government officials and other stakeholders. Climate-related risks continue to evolve and are difficult to predict, identify, monitor and effectively mitigate, and could adversely affect us.

Our ability to attract, develop and retain qualified employees is critical to our success, business prospects and competitive position.

Our performance and competitive position is heavily dependent on the talents, development and efforts of highly skilled individuals. Competition for qualified personnel is intense from within and outside the financial services industry. Our competitors include global institutions and institutions subject to different compensation and hiring regulations than those imposed on us. Also, our ability to attract, develop and retain employees could be impacted by our reputation, professional and development opportunities, changes in regulation or enforcement practices, changes in workforce concerns, expectations, practices and preferences (e.g. remote work), and increasing labor shortages and competition for labor, which could increase labor costs.

We must provide market-level compensation to attract and retain qualified personnel. As a large financial and banking institution, we are and may become subject to additional limitations on compensation practices by the Federal Reserve, the OCC, the FDIC and other global regulators, which may not affect our competitors. Also, because a substantial portion of compensation paid to many of our employees is equity-based awards based on the value of our common stock, declines in our profitability or outlook could adversely affect the ability to attract and retain employees. If we are unable to continue to attract, develop and retain qualified individuals, our business prospects and competitive position could be adversely affected.